paladin316

1393download_2019-09-09_16_30.txt

  1.  
  2. * ID: 1393
  3. * MalFamily: "Ebdr"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "download?cid=063732C6D894FA66&resid=63732C6D894FA66!850&authkey=AAsl1K6nxMnA3Pw&em=2"
  8. * File Size: 131894
  9. * File Type: "Rich Text Format data, unknown version"
  10. * SHA256: "c4f43419d665b7725386c75dea9bc8b1b4c87c1184a4b3596f64980fc08023bf"
  11. * MD5: "9baad36c57925f7e9e952718c6daefb6"
  12. * SHA1: "3efc985d07472d793197f2f843d2f4cd039dfb37"
  13. * SHA512: "b45b916c4116bea5128eae66c92b11a8380b9619e9a2765c8abab007e5bb639c7319850c637032c4982bc47e8050491f7cae1f1254ddc4d05ef25707484a0490"
  14. * CRC32: "314D64E0"
  15. * SSDEEP: "1536:DssGh0ZiYC8tDLxNBEx2kPzFqb758NHxYkuYk+YkOYkCYkxnVzK9vq6:DcWiYC82PQ9vq6"
  16.  
  17. * Process Execution:
  18. "WINWORD.EXE",
  19. "svchost.exe",
  20. "EQNEDT32.EXE",
  21. "8976543.exe"
  22.  
  23.  
  24. * Executed Commands:
  25. "C:\\Users\\Public\\8976543.exe"
  26.  
  27.  
  28. * Signatures Detected:
  29.  
  30. "Description": "Attempts to connect to a dead IP:Port (10 unique times). Note: a dead-connection list from an Office sandbox usually mixes Microsoft/CDN and OCSP responder addresses that Word and CryptoAPI contact on their own with the attacker's infrastructure; per the Hosts section below only 80.172.230.30 (www.sotinmobiliario.com), 67.199.248.10 (bit.ly) and 5.79.72.163 (tknk.io) are tied to the document's own activity, so attribute the remaining addresses before using them as block-list IOCs",
  31. "Details":
  32.  
  33. "IP_ioc": "72.21.81.240:80"
  34.  
  35.  
  36. "IP_ioc": "77.67.127.25:80 (Germany)"
  37.  
  38.  
  39. "IP_ioc": "80.172.230.30:80 (Portugal)"
  40.  
  41.  
  42. "IP_ioc": "77.67.127.50:80"
  43.  
  44.  
  45. "IP_ioc": "5.79.72.163:443 (Netherlands)"
  46.  
  47.  
  48. "IP_ioc": "72.21.91.29:80"
  49.  
  50.  
  51. "IP_ioc": "67.199.248.10:443 (United States)"
  52.  
  53.  
  54. "IP_ioc": "52.109.2.18:443"
  55.  
  56.  
  57. "IP_ioc": "192.35.177.64:80"
  58.  
  59.  
  60. "IP_ioc": "104.18.25.243:80"
  61.  
  62.  
  63.  
  64.  
  65. "Description": "Performs HTTP requests: an OCSP query issued by Windows CryptoAPI (user-agent Microsoft-CryptoAPI/6.1, benign certificate-revocation traffic) and a plaintext GET for www.sotinmobiliario.com/cache/asia.png, which is the request of interest",
  66. "Details":
  67.  
  68. "url_iocs": "http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQcUzd5jIdhkZfeVmYZpnCoUw%3D%3D"
  69.  
  70.  
  71. "url_iocs": "http://www.sotinmobiliario.com/cache/asia.png"
  72.  
  73.  
  74.  
  75.  
  76. "Description": "The RTF file has an unknown version",
  77. "Details":
  78.  
  79.  
  80. "Description": "A document file initiated network communications indicative of a potential exploit or payload download. Caveat: the TLS ClientHello to roaming.officeapps.live.com and the OCSP GETs to ocsp.digicert.com listed below are routine Office/CryptoAPI traffic and should not be blocked or treated as C2; the payload download is the plaintext GET for http://www.sotinmobiliario.com/cache/asia.png (apparently cached as Content.IE5\\...\\asia1.png in the Modified Files list), whose content is presumably not a real image — verify its file type",
  81. "Details":
  82.  
  83. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00~\\x01\\x00\\x00z\\x03\\x01vu`@\\x82f\\xb1\\x0en\\x03p\\xc1ws\\xbd\\xc6\\xbb\\x02|\\xca4r\\xc5>\\xe4w\\xd0#\\x8c\\xf9o\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x009\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00 \\x00\\x1e\\x00\\x00\\x1broaming.officeapps.live.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  84.  
  85.  
  86. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xeax\\xcb\\x07\\xf8\\xef)\\x03\\x82>\\xf5>_\\x8ce&)\\xb2if\\x9c\\x7f\\x16\r\\xb0r\\x1af\\xcc\\xe8\\xfe\\xd1\\xa8i\\xa8/u\\xe7\\xed\n\\x81\\x1d\\xa2\\x10\\x8c>\\xc3\\xf2\\xc7\\xd5\\xeew\\xf5\\xa9>\\x8a\\x057y\\x977'\\xcb\\xed\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000&\\xf3\\xca^\\xb4\\xc3!\\x0c\\x1d\\xfa\\x11\\xc6s=.\\xae\\x86\\x19|p\\xa1\\x02'\\xd8\\xb3\\x8e\\xb53:\\x18\\x86~046n\\x88\\xddk\\x0b\\x81g\\xf7gl\\xf7\\xe56"
  87.  
  88.  
  89. "http_request": "winword.exe_WSASend_get /mfewtzbnmeswstajbgurdgmcgguabbtbl0v27rvz7lbduom%2fnyb45spuewqu5z1zmijhwmys%2bghunoz7oruetfaceai4elabvpzalrznpjlrv1u%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nuser-agent: microsoft-cryptoapi/6.1\r\nhost: ocsp.digicert.com\r\n\r\n"
  90.  
  91.  
  92. "http_request": "winword.exe_WSASend_get /mfqwujbqme4wtdajbgurdgmcgguabbrpc1vzt9qvn7bzy3iidtbhla4mkqquwiif1tycsck3fd7%2fhijo5ox%2f%2bn0ce3saagyvv14%2fmepdgh0aaaaabk8%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nif-modified-since: sat, 23 mar 2019 17:46:18 gmt\r\nif-none-match: \"dd54d75d468"
  93.  
  94.  
  95. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\xc1\\xd2l\\xbd\\xe2\\xe0\\xeer*\\xc5\\xad\\xf1\\x88\\x8bb\\xaa\\xfc\\x0cj\\xd8i\r\\xc9\t\\x07\\x86\\x83\\xd3\\xcd9\\x0b\\xdeo\\x10`\\xc3\\xf1\\x9bh?\\x00\\x1a\\xb1\\xf2\\x0c\\xefbar\\xa5\\x95\\x9d\\xc8a9\\x81k\\x95\\x1b9\\x85\\xe2\\xb3\\xf6._ w\\x94\\xdek\\xa8m\\xa1\t\\x84\\x1d*y\\x12\\xbf\\xe2\\xe0\r\\x8b\"b\\x89e\\xdbt\\xbd.5\\a$\\xf3!dc\\xd1\\x15e\\x1a\\x87\\xab\\xd3a\\x9f\\xc5\\\\x19\\x8e\\xdd\\xf36\\x17s\r\\xfc\\xf8d\\xc5fic\\x11\\xdc\\xb5\\xd4\\x86\\x8c\\xd4\\xe0\\x93\\xea\\xfc\\x8f\\xfa\\x8bw\\xc3\\xda\\xfc0\\xf2.i\\x9b5\\xd5(\\xf9o\\xc7>\\xe1\np\\xff\\xed(\\xa6$\\xc1.\\xf7\\x08\\x84\\xdb\\xb1\\xcc\\xa3\\xc9\\xaf\\xde\\x87\\xef\\x08z\\xab\\xa8\\x1e\\x10\\xdc\\xc2rn9t\\xa9\\xf8b\\xccd\\xd5\\xf9\\x96\\xbe\\x84\\xc1\\x13\\xf5\\xd9\\xa4%\\x11$\\xa2\\xbe\\x8b\\xbb.\\xab\\xcfo\\xe2x\\x88ojg\\x9a\\xa3\\x10\\x94l|y\\x89\\xb3;\\x17\\xae\\xb3\\xd2\\xdcv\\xfc6\\xbe\\x0b\\xe6\\x8e"
  96.  
  97.  
  98. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x02 |\\xec\\x9f,z\\xaa\\x10=\\xc9\\x93\\xe8\\xe3\\xb0\\x11\\x19\\xc5\\xeffgn\\x88\\xf6\\x88\\xe47\\xd0\\xaac\\xdc8\\xeae\\xab|\\xdbh\\x8b\\xb2\\xe8\\x01\\xd8*\\x9cv;\\x80(\\xa3\\xdb\\xec-!\\xca\\xc1\\x96\\xbd\\x02\\xf2\\x13\\x88\\x89j8\\x05\\xd7\\x11\\x1f\\xa6\\xcc \\xe5\\x98\\x19<\\x11j\\xa4\\xc1\\x95\\x11\\xecvl\\xd4\\xc0\\xcd\\x93\\xe7\\xc2\\xa2\\xa8\\xf8v\\xa8\\xc89?\\x96\\x8c=\\x8b\\xb2p\\xb7\\xc4\\xe5\\xa6n|\\x89\\x19$\\x1b\\xd3`5\\x173\\xcb\\xaf\\xa5\\xe0\\xa1`&\\x8a\\x15\\x0b\\xd1\\xaem\\x93\\xfc\\xeaw\\xd2 >\\x86\\xa0j\\x7f\\xc0\\xf51\\xa4i\\xfc\\xf51\\xd4\\xc0\\xdc/\\x006tw\\x1b\\xea\\xc2\\xa3\\xebu\\xdc\\x16<o\\x1f9\\xe8h\\x14\\x82d\\xdb&:\\xe4\\xb7\\xd7_\\xf9\\xcc\\xb1\\x91\\xe4\\x10'\\x95\\xbb\\x08\\xa9\\\\x1a\\xc8tr>\\x93\\xd9=\\x9e\\x12\\xbdzs\\xa4\\x0f\\xf0\\x9b\\xfd\\x9d\\x801r`\\x92mmp\\x1e\r\\xedb\\xbcmn*\\xb0\\xa1\\xe6\\xac\\xac\\xf3h\\x10?\\xae\\xa3wa\\x95\\x11y\\xe2nn\\xf2"
  99.  
  100.  
  101.  
  102.  
  103. "Description": "The EQNEDT32.EXE (Equation Editor) process created a child process, the classic execution pattern for the CVE-2017-11882 Equation Editor memory-corruption exploit embedded in an RTF. Equation Editor has no legitimate reason to spawn executables, so 'EQNEDT32.EXE creates any child process' (here C:\\Users\\Public\\8976543.exe) is a high-confidence detection rule",
  104. "Details":
  105.  
  106. "created_process": "C:\\Users\\Public\\8976543.exe"
  107.  
  108.  
  109.  
  110.  
  111. "Description": "Creates a hidden or system file. Note: a '~$'-prefixed .doc in %TEMP% is the owner/lock file Word itself creates when it opens a document, so this hit is most likely a benign side effect of WINWORD.EXE opening the sample rather than malware behaviour",
  112. "Details":
  113.  
  114. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\~$TPRCRP.doc"
  115.  
  116.  
  117.  
  118.  
  119. "Description": "File has been identified by 35 Antiviruses on VirusTotal as malicious",
  120. "Details":
  121.  
  122. "MicroWorld-eScan": "Trojan.Agent.EBDR"
  123.  
  124.  
  125. "FireEye": "Trojan.Agent.EBDR"
  126.  
  127.  
  128. "CAT-QuickHeal": "Exp.RTF.Obfus.Gen"
  129.  
  130.  
  131. "McAfee": "Exploit-CVE2017-11882.bq"
  132.  
  133.  
  134. "Arcabit": "Trojan.Agent.EBDR"
  135.  
  136.  
  137. "Symantec": "Bloodhound.RTF.12"
  138.  
  139.  
  140. "ESET-NOD32": "probably a variant of Win32/Exploit.CVE-2017-11882.C"
  141.  
  142.  
  143. "TrendMicro-HouseCall": "Trojan.W97M.CVE201711882.SMKIP"
  144.  
  145.  
  146. "Avast": "Win32:ShellCode Expl"
  147.  
  148.  
  149. "Kaspersky": "HEUR:Exploit.MSOffice.Generic"
  150.  
  151.  
  152. "BitDefender": "Trojan.Agent.EBDR"
  153.  
  154.  
  155. "NANO-Antivirus": "Exploit.Rtf.Heuristic-rtf.dinbqn"
  156.  
  157.  
  158. "Ad-Aware": "Trojan.Agent.EBDR"
  159.  
  160.  
  161. "Emsisoft": "Trojan.Agent.EBDR (B)"
  162.  
  163.  
  164. "Comodo": "Exploit.W97M.CVE2017-11882.BV@89mdmq"
  165.  
  166.  
  167. "F-Secure": "Exploit.EXP/CVE-2017-11882.Gen"
  168.  
  169.  
  170. "DrWeb": "Exploit.Siggen.25589"
  171.  
  172.  
  173. "TrendMicro": "Trojan.W97M.CVE201711882.SMKIP"
  174.  
  175.  
  176. "McAfee-GW-Edition": "Exploit-CVE2017-11882.bq"
  177.  
  178.  
  179. "Cyren": "CVE-2017-11882.C.gen!Camelot"
  180.  
  181.  
  182. "Jiangmin": "heur:Exploit.ShellCode.Gen"
  183.  
  184.  
  185. "Avira": "EXP/CVE-2017-11882.Gen"
  186.  
  187.  
  188. "MAX": "malware (ai score=82)"
  189.  
  190.  
  191. "Antiy-AVL": "TrojanExploit/RTF.Obscure.Gen"
  192.  
  193.  
  194. "Microsoft": "Trojan:Win32/Sonbokli.A!cl"
  195.  
  196.  
  197. "ZoneAlarm": "HEUR:Exploit.MSOffice.Generic"
  198.  
  199.  
  200. "GData": "Trojan.Agent.EBDR"
  201.  
  202.  
  203. "AhnLab-V3": "OLE/Cve-2017-11882.Gen"
  204.  
  205.  
  206. "ALYac": "Trojan.Agent.EBDR"
  207.  
  208.  
  209. "TACHYON": "Trojan-Exploit/RTF.CVE-2017-11882"
  210.  
  211.  
  212. "Zoner": "Probably RTFObfuscationD"
  213.  
  214.  
  215. "Ikarus": "Exploit.CVE-2017-11882"
  216.  
  217.  
  218. "Fortinet": "RTF/CVE_2017_11882.E!exploit"
  219.  
  220.  
  221. "AVG": "Win32:ShellCode Expl"
  222.  
  223.  
  224. "Qihoo-360": "virus.exp.21711882.d"
  225.  
  226.  
  227.  
  228.  
  229. "Description": "Drops a binary and executes it. C:\\Users\\Public is a world-writable, rarely monitored drop location commonly used by document exploits; this report does not include a hash or any per-process detail for 8976543.exe, so retrieve the dropped file from the sandbox and analyse it separately before treating the document as the only artifact",
  230. "Details":
  231.  
  232. "binary": "C:\\Users\\Public\\8976543.exe"
  233.  
  234.  
  235.  
  236.  
  237.  
  238. * Started Service:
  239.  
  240. * Mutexes:
  241. "Local\\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office15",
  242. "CicLoadWinStaWinSta0",
  243. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  244. "Local\\!IETld!Mutex"
  245.  
  246.  
  247. * Modified Files:
  248. "C:\\Users\\user\\AppData\\Local\\Temp\\aITPRCRP.doc",
  249. "C:\\Users\\user\\AppData\\Local\\Temp\\~$TPRCRP.doc",
  250. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Office\\15.0\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=10",
  251. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRFB71F02C0-39C4-4139-BA82-E075869453A6.tmp",
  252. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS0BAA7764-4250-4618-BD71-D8460301A73C.tmp",
  253. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRSFF5849B4-83B9-47B4-B18E-9A7C9EF9AD38.tmp",
  254. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  255. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  256. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  257. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  258. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab56BE.tmp",
  259. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar56BF.tmp",
  260. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619",
  261. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619",
  262. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5887976EDAA817EEF5159B09F6FCD000_27C44C895F46FF5D4FA58A15396F3021",
  263. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5887976EDAA817EEF5159B09F6FCD000_27C44C895F46FF5D4FA58A15396F3021",
  264. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bit1.txt",
  265. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  266. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  267. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
  268. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
  269. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
  270. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
  271. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0BF2D9777708012252ABB8B3D15F5206",
  272. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0BF2D9777708012252ABB8B3D15F5206",
  273. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\asia1.png"
  274.  
  275.  
  276. * Deleted Files:
  277. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab56BE.tmp",
  278. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar56BF.tmp"
  279.  
  280.  
  281. * Modified Registry Keys:
  282. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\p>a",
  283. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache",
  284. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\RemoteClearDate",
  285. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1",
  286. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\Last",
  287. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0",
  288. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\FilePath",
  289. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\StartDate",
  290. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\EndDate",
  291. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\Properties",
  292. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\Url",
  293. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\LastClean",
  294. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingConfigurableSettings",
  295. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastSyncTime",
  296. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastWriteTime",
  297. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
  298. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\ProductNonBootFilesIntl_1033",
  299. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\OUTLOOKFiles",
  300. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\EquationEditorFilesIntl_1033",
  301. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options"
  302.  
  303.  
  304. * Deleted Registry Keys:
  305.  
  306. * DNS Communications:
  307.  
  308. "type": "A",
  309. "request": "bit.ly",
  310. "answers":
  311.  
  312. "data": "67.199.248.11",
  313. "type": "A"
  314.  
  315.  
  316. "data": "67.199.248.10",
  317. "type": "A"
  318.  
  319.  
  320.  
  321.  
  322. "type": "A",
  323. "request": "tknk.io",
  324. "answers":
  325.  
  326. "data": "5.79.72.163",
  327. "type": "A"
  328.  
  329.  
  330.  
  331.  
  332. "type": "A",
  333. "request": "ocsp.int-x3.letsencrypt.org",
  334. "answers":
  335.  
  336. "data": "77.67.127.64",
  337. "type": "A"
  338.  
  339.  
  340. "data": "a771.dscq.akamai.net",
  341. "type": "CNAME"
  342.  
  343.  
  344. "data": "ocsp.int-x3.letsencrypt.org.edgesuite.net",
  345. "type": "CNAME"
  346.  
  347.  
  348. "data": "77.67.127.25",
  349. "type": "A"
  350.  
  351.  
  352.  
  353.  
  354. "type": "A",
  355. "request": "www.sotinmobiliario.com",
  356. "answers":
  357.  
  358. "data": "80.172.230.30",
  359. "type": "A"
  360.  
  361.  
  362. "data": "sotinmobiliario.com",
  363. "type": "CNAME"
  364.  
  365.  
  366.  
  367.  
  368.  
  369. * Domains:
  370.  
  371. "ip": "80.172.230.30",
  372. "domain": "www.sotinmobiliario.com"
  373.  
  374.  
  375. "ip": "77.67.127.64",
  376. "domain": "ocsp.int-x3.letsencrypt.org"
  377.  
  378.  
  379. "ip": "67.199.248.10",
  380. "domain": "bit.ly"
  381.  
  382.  
  383. "ip": "5.79.72.163",
  384. "domain": "tknk.io"
  385.  
  386.  
  387.  
  388. * Network Communication - ICMP:
  389.  
  390. * Network Communication - HTTP:
  391.  
  392. "count": 1,
  393. "body": "",
  394. "uri": "http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQcUzd5jIdhkZfeVmYZpnCoUw%3D%3D",
  395. "user-agent": "Microsoft-CryptoAPI/6.1",
  396. "method": "GET",
  397. "host": "ocsp.int-x3.letsencrypt.org",
  398. "version": "1.1",
  399. "path": "/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQcUzd5jIdhkZfeVmYZpnCoUw%3D%3D",
  400. "data": "GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQcUzd5jIdhkZfeVmYZpnCoUw%3D%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.int-x3.letsencrypt.org\r\n\r\n",
  401. "port": 80
  402.  
  403.  
  404. "count": 1,
  405. "body": "",
  406. "uri": "http://www.sotinmobiliario.com/cache/asia.png",
  407. "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  408. "method": "GET",
  409. "host": "www.sotinmobiliario.com",
  410. "version": "1.1",
  411. "path": "/cache/asia.png",
  412. "data": "GET /cache/asia.png HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nConnection: Keep-Alive\r\nHost: www.sotinmobiliario.com\r\n\r\n",
  413. "port": 80
  414.  
  415.  
  416.  
  417. * Network Communication - SMTP:
  418.  
  419. * Network Communication - Hosts:
  420.  
  421. "country_name": "Portugal",
  422. "ip": "80.172.230.30",
  423. "inaddrarpa": "",
  424. "hostname": "www.sotinmobiliario.com"
  425.  
  426.  
  427. "country_name": "Germany",
  428. "ip": "77.67.127.25",
  429. "inaddrarpa": "",
  430. "hostname": "ocsp.int-x3.letsencrypt.org"
  431.  
  432.  
  433. "country_name": "United States",
  434. "ip": "67.199.248.10",
  435. "inaddrarpa": "",
  436. "hostname": "bit.ly"
  437.  
  438.  
  439. "country_name": "Netherlands",
  440. "ip": "5.79.72.163",
  441. "inaddrarpa": "",
  442. "hostname": "tknk.io"
  443.  
  444.  
  445.  
  446. * Network Communication - IRC: