paladin316

1181Exes_e327c2543c22c48eabc61713fde9f869_exe_2019-09-05_11_30.txt

Sep 5th, 2019
  1.  
  2. * ID: 1181
  3. * MalFamily: "Ursnif"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_e327c2543c22c48eabc61713fde9f869.exe"
  8. * File Size: 225616
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "dafe1fadb20503d0c486e6f3c6888c14e8ec1565d9fb61aa837822793ce1e9f1"
  11. * MD5: "e327c2543c22c48eabc61713fde9f869"
  12. * SHA1: "f3b88ef474e60dcedcc212aa4569a455e06f9db0"
  13. * SHA512: "a29424860127b6638e5e2c8b4254dbab9f7530f8dd6570194083d38b53dbf4e6c1a158dc7203370b14db5330f098e591aed11655ea0e4ee5279916a0ab3f6f2a"
  14. * CRC32: "CDA0D746"
  15. * SSDEEP: "6144:CV+2UYTe6HispNQGJ/rjpqtXrviR5N9YqwPi/:CV+/YxHisXJ/rFqZTizkxA"
  16.  
  17. * Process Execution:
  18. "920qrmN.exe",
  19. "920qrmN.exe",
  20. "svchost.exe",
  21. "WmiPrvSE.exe",
  22. "iexplore.exe",
  23. "iexplore.exe",
  24. "iexplore.exe",
  25. "iexplore.exe",
  26. "iexplore.exe",
  27. "iexplore.exe",
  28. "svchost.exe",
  29. "explorer.exe"
  30.  
  31.  
  32. * Executed Commands:
  33. "\"C:\\Users\\user\\AppData\\Local\\Temp\\920qrmN.exe\"",
  34. "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding",
  35. "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -Embedding",
  36. "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2304 CREDAT:79873",
  37. "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2468 CREDAT:79873",
  38. "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2468 CREDAT:145409",
  39. "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2468 CREDAT:276481"
  40.  
  41.  
  42. * Signatures Detected:
  43.  
  44. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  45. "Details":
  46.  
  47.  
  48. "Description": "Behavioural detection: Executable code extraction",
  49. "Details":
  50.  
  51.  
  52. "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
  53. "Details":
  54.  
  55. "IP_ioc": "204.79.197.200:80"
  56.  
  57.  
  58. "IP_ioc": "8.208.25.248:80 (United States)"
  59.  
  60.  
  61.  
  62.  
  63. "Description": "Guard page use detected - possible anti-debugging.",
  64. "Details":
  65.  
  66.  
  67. "Description": "A process attempted to delay the analysis task.",
  68. "Details":
  69.  
  70. "Process": "920qrmN.exe tried to sleep 782 seconds, actually delayed analysis time by 0 seconds"
  71.  
  72.  
  73. "Process": "WmiPrvSE.exe tried to sleep 480 seconds, actually delayed analysis time by 0 seconds"
  74.  
  75.  
  76.  
  77.  
  78. "Description": "A process created a hidden window",
  79. "Details":
  80.  
  81. "Process": "920qrmN.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\920qrmN.exe"
  82.  
  83.  
  84.  
  85.  
  86. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  87. "Details":
  88.  
  89. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  90.  
  91.  
  92. "suspicious_request_iocs": "http://cdn5.inmax.at/index.htm"
  93.  
  94.  
  95. "suspicious_request_iocs": "http://u2.inmax.at/index.htm"
  96.  
  97.  
  98. "suspicious_request_iocs": "http://api.fiho.at/index.htm"
  99.  
  100.  
  101. "suspicious_request_iocs": "http://t2.fiho.at/index.htm"
  102.  
  103.  
  104.  
  105.  
  106. "Description": "Performs some HTTP requests",
  107. "Details":
  108.  
  109. "url_iocs": "http://cdn5.inmax.at/index.htm"
  110.  
  111.  
  112. "url_iocs": "http://u2.inmax.at/index.htm"
  113.  
  114.  
  115. "url_iocs": "http://api.fiho.at/index.htm"
  116.  
  117.  
  118. "url_iocs": "http://t2.fiho.at/index.htm"
  119.  
  120.  
  121.  
  122.  
  123. "Description": "Uses Windows utilities for basic functionality",
  124. "Details":
  125.  
  126. "command": "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -Embedding"
  127.  
  128.  
  129. "command": "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2304 CREDAT:79873"
  130.  
  131.  
  132. "command": "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2468 CREDAT:79873"
  133.  
  134.  
  135. "command": "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2468 CREDAT:145409"
  136.  
  137.  
  138. "command": "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2468 CREDAT:276481"
  139.  
  140.  
  141.  
  142.  
  143. "Description": "Stack pivoting was detected when using a critical API",
  144. "Details":
  145.  
  146. "process": "iexplore.exe:2468"
  147.  
  148.  
  149. "process": "920qrmN.exe:616"
  150.  
  151.  
  152. "process": "svchost.exe:2272"
  153.  
  154.  
  155.  
  156.  
  157. "Description": "Creates a hidden or system file",
  158. "Details":
  159.  
  160. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low"
  161.  
  162.  
  163.  
  164.  
  165. "Description": "File has been identified by 30 Antiviruses on VirusTotal as malicious",
  166. "Details":
  167.  
  168. "MicroWorld-eScan": "Trojan.GenericKD.32384942"
  169.  
  170.  
  171. "McAfee": "RDN/Generic.grp"
  172.  
  173.  
  174. "Cylance": "Unsafe"
  175.  
  176.  
  177. "CrowdStrike": "win/malicious_confidence_90% (W)"
  178.  
  179.  
  180. "BitDefender": "Trojan.GenericKD.32384942"
  181.  
  182.  
  183. "Symantec": "ML.Attribute.HighConfidence"
  184.  
  185.  
  186. "ESET-NOD32": "a variant of Generik.KZBZWVU"
  187.  
  188.  
  189. "Paloalto": "generic.ml"
  190.  
  191.  
  192. "GData": "Trojan.GenericKD.32384942"
  193.  
  194.  
  195. "Kaspersky": "Trojan-Banker.Win32.Gozi.enm"
  196.  
  197.  
  198. "NANO-Antivirus": "Trojan.Win32.Gozi.fyemyd"
  199.  
  200.  
  201. "Avast": "Win32:Trojan-gen"
  202.  
  203.  
  204. "Endgame": "malicious (high confidence)"
  205.  
  206.  
  207. "Sophos": "Mal/Generic-S"
  208.  
  209.  
  210. "DrWeb": "Trojan.Gozi.570"
  211.  
  212.  
  213. "Invincea": "heuristic"
  214.  
  215.  
  216. "McAfee-GW-Edition": "Artemis!Trojan"
  217.  
  218.  
  219. "FireEye": "Generic.mg.e327c2543c22c48e"
  220.  
  221.  
  222. "Emsisoft": "Trojan.GenericKD.32384942 (B)"
  223.  
  224.  
  225. "Ikarus": "Trojan.SuspectCRC"
  226.  
  227.  
  228. "Microsoft": "Trojan:Win32/Tiggre!plock"
  229.  
  230.  
  231. "Arcabit": "Trojan.Generic.D1EE27AE"
  232.  
  233.  
  234. "AegisLab": "Trojan.Win32.Gozi.7!c"
  235.  
  236.  
  237. "ZoneAlarm": "Trojan-Banker.Win32.Gozi.enm"
  238.  
  239.  
  240. "MAX": "malware (ai score=88)"
  241.  
  242.  
  243. "SentinelOne": "DFI - Malicious PE"
  244.  
  245.  
  246. "AVG": "Win32:Trojan-gen"
  247.  
  248.  
  249. "Cybereason": "malicious.474e60"
  250.  
  251.  
  252. "Panda": "Trj/GdSda.A"
  253.  
  254.  
  255. "Qihoo-360": "Win32/Trojan.19c"
  256.  
  257.  
  258.  
  259.  
  260. "Description": "Attempts to modify proxy settings",
  261. "Details":
  262.  
  263.  
  264. "Description": "Anomalous binary characteristics",
  265. "Details":
  266.  
  267. "anomaly": "Actual checksum does not match that reported in PE header"
  268.  
  269.  
  270.  
  271.  
  272.  
  273. * Started Service:
  274.  
  275. * Mutexes:
  276. "Local\\9510B8B7-82F5-2171-7207-FC794AD1C6EA",
  277. "Local\\_!MSFTHISTORY!_",
  278. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  279. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  280. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  281. "Local\\WininetStartupMutex",
  282. "Local\\WininetConnectionMutex",
  283. "Local\\WininetProxyRegistryMutex",
  284. "Local\\!IETld!Mutex",
  285. "Local\\!BrowserEmulation!SharedMemory!Mutex",
  286. "Local\\ZoneAttributeCacheCounterMutex",
  287. "Local\\ZonesCacheCounterMutex",
  288. "Local\\ZonesLockedCacheCounterMutex",
  289. "ConnHashTable<2304>_HashTable_Mutex",
  290. "Local\\ZonesCounterMutex",
  291. "DefaultTabtip-MainUI",
  292. "Global\\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex",
  293. "Global\\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer",
  294. "Global\\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer",
  295. "Global\\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer",
  296. "Global\\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer",
  297. "Global\\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer",
  298. "Global\\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit",
  299. "ConnHashTable<2468>_HashTable_Mutex",
  300. "Local\\RSS Eventing Connection Database Mutex 000009a4",
  301. "Local\\Feed Eventing Shared Memory Mutex S-1-5-21-0000000000-0000000000-0000000000-1000",
  302. "Local\\c:!users!user!appdata!local!microsoft!feeds cache!",
  303. "CicLoadWinStaWinSta0",
  304. "Local\\MSCTF.CtfMonitorInstMutexDefault1"
  305.  
  306.  
  307. * Modified Files:
  308. "\\??\\PIPE\\samr",
  309. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  310. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  311. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  312. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  313. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  314. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  315. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
  316. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  317. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  318. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  319. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  320. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.CE721091-CFC9-11E9-8070-18C086CD4729.dat",
  321. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF8123270DF54827B0.TMP",
  322. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db",
  323. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.164E7139-CFCA-11E9-8070-18C086CD4729.dat",
  324. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF08034510F99D069C.TMP",
  325. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\164E713A-CFCA-11E9-8070-18C086CD4729.dat",
  326. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF43012A769F1C95C5.TMP",
  327. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon1.ico",
  328. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon2.ico",
  329. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon3.ico",
  330. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon4.ico",
  331. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\1DFB02EF-CFCA-11E9-8070-18C086CD4729.dat",
  332. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFE5D8D94084697202.TMP",
  333. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\1DFB0367-CFCA-11E9-8070-18C086CD4729.dat",
  334. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF5921F97A43FC0E41.TMP",
  335. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\259E0B2E-CFCA-11E9-8070-18C086CD4729.dat",
  336. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF1CE07C563E33B2DC.TMP",
  337. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat"
  338.  
  339.  
  340. * Deleted Files:
  341. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_0633EE93-D776-472f-A0FF-E1416B8B2E3A.ico"
  342.  
  343.  
  344. * Modified Registry Keys:
  345. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  346. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  347. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  348. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  349. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  350. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  351. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  352. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
  353. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE10RunOnceLastShown",
  354. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE10RunOnceLastShown_TIMESTAMP",
  355. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE8RunOnceLastShown",
  356. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE8RunOnceLastShown_TIMESTAMP",
  357. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\Check_Associations",
  358. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\31D09BA0-12F5-4CCE-BE8A-2923E76605DA\\VerCache",
  359. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\B4F3A835-0E21-4959-BA22-42B3008E02FF\\VerCache",
  360. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF\\VerCache",
  361. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\CompatibilityFlags",
  362. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  363. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  364. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\SecuritySafe",
  365. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
  366. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
  367. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
  368. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\CE721091-CFC9-11E9-8070-18C086CD4729",
  369. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\2670000A-7350-4F3C-8081-5663EE0C6C49\\iexplore\\Type",
  370. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\2670000A-7350-4F3C-8081-5663EE0C6C49\\iexplore\\Count",
  371. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\2670000A-7350-4F3C-8081-5663EE0C6C49\\iexplore\\Time",
  372. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\31D09BA0-12F5-4CCE-BE8A-2923E76605DA\\iexplore\\Type",
  373. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\31D09BA0-12F5-4CCE-BE8A-2923E76605DA\\iexplore\\Count",
  374. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\31D09BA0-12F5-4CCE-BE8A-2923E76605DA\\iexplore\\Time",
  375. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\789FE86F-6FC4-46A1-9849-EDE0DB0C95CA\\iexplore\\Type",
  376. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\789FE86F-6FC4-46A1-9849-EDE0DB0C95CA\\iexplore\\Count",
  377. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\789FE86F-6FC4-46A1-9849-EDE0DB0C95CA\\iexplore\\Time",
  378. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FullScreen",
  379. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
  380. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  381. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  382. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\164E7139-CFCA-11E9-8070-18C086CD4729",
  383. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Favorites\\Links\\Order",
  384. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\0\\Path",
  385. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\0\\Handler",
  386. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\0\\FeedUrl",
  387. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\0\\DisplayName",
  388. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\0\\ErrorState",
  389. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\0\\DisplayMask",
  390. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\1\\Path",
  391. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\1\\Handler",
  392. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\1\\FeedUrl",
  393. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\1\\DisplayName",
  394. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\1\\ErrorState",
  395. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\1\\DisplayMask",
  396. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\Window_Placement",
  397. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\User Preferences\\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977",
  398. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\DefaultScope",
  399. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\User Preferences\\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81",
  400. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\0\\Expiration",
  401. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\1\\Expiration",
  402. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\31D09BA0-12F5-4CCE-BE8A-2923E76605DA\\iexplore\\LoadTime",
  403. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\B4F3A835-0E21-4959-BA22-42B3008E02FF\\iexplore\\Type",
  404. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\B4F3A835-0E21-4959-BA22-42B3008E02FF\\iexplore\\Count",
  405. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\B4F3A835-0E21-4959-BA22-42B3008E02FF\\iexplore\\Time",
  406. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\B4F3A835-0E21-4959-BA22-42B3008E02FF\\iexplore\\LoadTime",
  407. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF\\iexplore\\Type",
  408. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF\\iexplore\\Count",
  409. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF\\iexplore\\Time",
  410. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF\\iexplore\\LoadTime"
  411.  
  412.  
  413. * Deleted Registry Keys:
  414. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  415. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  416. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  417. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  418. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
  419. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL",
  420. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\0\\Expiration",
  421. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LinksBar\\ItemCache\\1\\Expiration"
  422.  
  423.  
  424. * DNS Communications:
  425.  
  426. "type": "A",
  427. "request": "cdn5.inmax.at",
  428. "answers":
  429.  
  430. "data": "8.208.25.248",
  431. "type": "A"
  432.  
  433.  
  434.  
  435.  
  436. "type": "A",
  437. "request": "u2.inmax.at",
  438. "answers":
  439.  
  440.  
  441. "type": "A",
  442. "request": "api.fiho.at",
  443. "answers":
  444.  
  445.  
  446. "type": "A",
  447. "request": "t2.fiho.at",
  448. "answers":
  449.  
  450.  
  451.  
  452. * Domains:
  453.  
  454. "ip": "8.208.25.248",
  455. "domain": "api.fiho.at"
  456.  
  457.  
  458. "ip": "8.208.25.248",
  459. "domain": "u2.inmax.at"
  460.  
  461.  
  462. "ip": "8.208.25.248",
  463. "domain": "cdn5.inmax.at"
  464.  
  465.  
  466. "ip": "8.208.25.248",
  467. "domain": "t2.fiho.at"
  468.  
  469.  
  470.  
  471. * Network Communication - ICMP:
  472.  
  473. * Network Communication - HTTP:
  474.  
  475. "count": 1,
  476. "body": "",
  477. "uri": "http://cdn5.inmax.at/index.htm",
  478. "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  479. "method": "POST",
  480. "host": "cdn5.inmax.at",
  481. "version": "1.1",
  482. "path": "/index.htm",
  483. "data": "POST /index.htm HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nContent-Type: multipart/form-data; boundary=fdb07bdffe2a9bd6\r\nHost: cdn5.inmax.at\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 311\r\n\r\n",
  484. "port": 80
  485.  
  486.  
  487. "count": 1,
  488. "body": "--fd2af82ffe2a9bd6\r\nContent-Disposition: form-data; name=\"jfjb\"\r\n\r\n9JsiMioL_2B/9w8_2B_2/FzpcCDDq/PUhdI35TGwxZc7/CiQ3u8d3/ntzNyGyKdBW7UWZF_2B/8SmoqRXwKhkCo_2BCk_2Byy/31p3xBOnL0z/SCDN2d0G/gw35_2FvcVxBNb/2xXxzkt4pIdY0Zt/uuEO4F8CBkgJ/7hZZsVZ33JEHyy4xxwue/fud5_2FF/fEwsu2kuSwAkcKi0ps/wX7ZuV3cx/LO\r\n--fd2af82ffe2a9bd6--\r\n",
  489. "uri": "http://u2.inmax.at/index.htm",
  490. "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  491. "method": "POST",
  492. "host": "u2.inmax.at",
  493. "version": "1.1",
  494. "path": "/index.htm",
  495. "data": "POST /index.htm HTTP/1.1\r\nAccept: */*\r\nHost: u2.inmax.at\r\nContent-Type: multipart/form-data; boundary=fd2af82ffe2a9bd6\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nAccept-Encoding: gzip, deflate\r\nContent-Length: 315\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--fd2af82ffe2a9bd6\r\nContent-Disposition: form-data; name=\"jfjb\"\r\n\r\n9JsiMioL_2B/9w8_2B_2/FzpcCDDq/PUhdI35TGwxZc7/CiQ3u8d3/ntzNyGyKdBW7UWZF_2B/8SmoqRXwKhkCo_2BCk_2Byy/31p3xBOnL0z/SCDN2d0G/gw35_2FvcVxBNb/2xXxzkt4pIdY0Zt/uuEO4F8CBkgJ/7hZZsVZ33JEHyy4xxwue/fud5_2FF/fEwsu2kuSwAkcKi0ps/wX7ZuV3cx/LO\r\n--fd2af82ffe2a9bd6--\r\n",
  496. "port": 80
  497.  
  498.  
  499. "count": 1,
  500. "body": "",
  501. "uri": "http://api.fiho.at/index.htm",
  502. "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  503. "method": "POST",
  504. "host": "api.fiho.at",
  505. "version": "1.1",
  506. "path": "/index.htm",
  507. "data": "POST /index.htm HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nContent-Type: multipart/form-data; boundary=d740f2f9fe2a9bd6\r\nHost: api.fiho.at\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 305\r\n\r\n",
  508. "port": 80
  509.  
  510.  
  511. "count": 1,
  512. "body": "",
  513. "uri": "http://t2.fiho.at/index.htm",
  514. "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  515. "method": "POST",
  516. "host": "t2.fiho.at",
  517. "version": "1.1",
  518. "path": "/index.htm",
  519. "data": "POST /index.htm HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nContent-Type: multipart/form-data; boundary=b31000cdfe2a9bd6\r\nHost: t2.fiho.at\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 299\r\n\r\n",
  520. "port": 80
  521.  
  522.  
  523. "count": 1,
  524. "body": "",
  525. "uri": "http://cdn5.inmax.at/index.htm",
  526. "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
  527. "method": "POST",
  528. "host": "cdn5.inmax.at",
  529. "version": "1.1",
  530. "path": "/index.htm",
  531. "data": "POST /index.htm HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nContent-Type: multipart/form-data; boundary=5d76f397fe2a9bd6\r\nHost: cdn5.inmax.at\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 310\r\n\r\n",
  532. "port": 80
  533.  
  534.  
  535.  
  536. * Network Communication - SMTP:
  537.  
  538. * Network Communication - Hosts:
  539.  
  540. "country_name": "United States",
  541. "ip": "8.208.25.248",
  542. "inaddrarpa": "",
  543. "hostname": "api.fiho.at"
  544.  
  545.  
  546. "country_name": "Germany",
  547. "ip": "172.104.136.243",
  548. "inaddrarpa": "",
  549. "hostname": ""
  550.  
  551.  
  552.  
  553. * Network Communication - IRC: