Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "HawkEye"
- * MalScore: 10.0
- * File Name: "HawkEye_a4e801d8c5e007c699d5e153bc6428de.exe"
- * File Size: 1000448
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "1e2754badcc7df20389ffb5a1afbbba93b506052f09ecd85254ae9ea1c7f496c"
- * MD5: "a4e801d8c5e007c699d5e153bc6428de"
- * SHA1: "6b0033718c1a6b2902bed4b1cba38329f8e621c9"
- * SHA512: "45b947369c071c519402e9427ba63b43895d61f8b9ea2b64495d034416dd557544c5f52bcbfc379df4421818e993af30e4ab73cf46bd2b7ef3fbde477e0b3f7f"
- * CRC32: "D75BA9DE"
- * SSDEEP: "12288:EINatYNKn0l+ei2Po5NazJwLfQiUdjQH7pn1o3kpibqu//P3CFRYOLoMmi8Z0y5+:3NnNLcetoiKfOdM9m30imo3CMOpmig0p"
- * Process Execution:
- "HawkEye_a4e801d8c5e007c699d5e153bc6428de.exe",
- "bobyok.exe",
- "bobyok.exe",
- "vbc.exe",
- "vbc.exe",
- "vbc.exe",
- "vbc.exe",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "msoia.exe",
- "taskeng.exe",
- "WMIADAP.exe",
- "lsass.exe",
- "lsass.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Roaming\\bobyeliokl\\bobyok.exe\"",
- "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp3631.tmp\"",
- "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp2554.tmp\"",
- "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp8F26.tmp\"",
- "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp7EF6.tmp\"",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
- "taskeng.exe CB63B63C-06DB-4BCC-A27E-E7DB55E62E8E S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 2F377987-27CA-4BB8-BA46-0160DD96452C S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "taskeng.exe F7438787-719E-4B9E-9D91-9B424F5C6EBC S-1-5-18:NT AUTHORITY\\System:Service:",
- "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
- "C:\\Windows\\system32\\lsass.exe",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
- * Signatures Detected:
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP": "199.168.188.2:587"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process created a hidden window",
- "Details":
- "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\bobyeliokl\\bobyok.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- "suspicious_request": "http://bot.whatismyipaddress.com/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://bot.whatismyipaddress.com/"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.49, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00079c00, virtual_size: 0x00079a08"
- "Description": "Looks up the external IP address",
- "Details":
- "domain": "bot.whatismyipaddress.com"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "bobyok.exe(3848) -> bobyok.exe(3828)"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExA": "Process: bobyok.exe(3828)"
- "Description": "Attempts to restart the guest VM",
- "Details":
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "bobyok.exe tried to sleep 3985 seconds, actually delayed analysis time by 0 seconds"
- "Process": "taskeng.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Tries to unhook or modify Windows functions monitored by Cuckoo",
- "Details":
- "unhook": "function_name: NtCreateSection, type: modification"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 5939646 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat"
- "Description": "File has been identified by 26 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.a4e801d8c5e007c6"
- "Cybereason": "malicious.18c1a6"
- "Invincea": "heuristic"
- "Symantec": "Packed.Generic.516"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "TrendMicro": "TrojanSpy.Win32.LOKI.SMDD.hp"
- "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.dc"
- "Trapmine": "malicious.high.ml.score"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "AhnLab-V3": "Win-Trojan/Delphiless.Exp"
- "Acronis": "suspicious"
- "McAfee": "Fareit-FPQ!A4E801D8C5E0"
- "Cylance": "Unsafe"
- "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
- "Rising": "Trojan.Injector!1.AFE3 (CLASSIC)"
- "SentinelOne": "DFI - Suspicious PE"
- "Fortinet": "W32/Injector.EHDJ!tr"
- "MaxSecure": "Trojan.Malware.300983.susgen"
- "AVG": "Win32:Malware-gen"
- "Avast": "Win32:Malware-gen"
- "CrowdStrike": "win/malicious_confidence_90% (D)"
- "Qihoo-360": "HEUR/QVM05.1.50D5.Malware.Gen"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\bobyeliokl\\bobyok.exe"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.oeaccount"
- "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.*"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP User"
- "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\bobyeliokl\\bobyok.exe:ZoneIdentifier"
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
- * Started Service:
- "VaultSvc"
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "4f444b86-60f0-4ef5-ac81-fd992cbc807c",
- "Global\\.net clr networking",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\bobyeliokl\\bobyok.exe",
- "C:\\Users\\user\\AppData\\Roaming\\bobyeliokl\\bobyok.exe:ZoneIdentifier",
- "C:\\Users\\user\\AppData\\Local\\Temp\\b94934b7-e8fb-4c75-f919-f4cd31edb598",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "\\??\\PIPE\\srvsvc",
- "\\Device\\LanmanDatagramReceiver",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\WMIDataDevice",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp3631.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp2554.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp8F26.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp7EF6.tmp",
- "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Roaming\\bobyeliokl\\bobyok.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp3631.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp2554.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp8F26.tmp",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\bobyok_RASAPI32",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\bobyok_RASAPI32\\EnableFileTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\bobyok_RASAPI32\\EnableConsoleTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\bobyok_RASAPI32\\FileTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\bobyok_RASAPI32\\ConsoleTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\bobyok_RASAPI32\\MaxFileSize",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\bobyok_RASAPI32\\FileDirectory",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\CB63B63C-06DB-4BCC-A27E-E7DB55E62E8E",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\2F377987-27CA-4BB8-BA46-0160DD96452C",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\F7438787-719E-4B9E-9D91-9B424F5C6EBC",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\VaultSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\CB63B63C-06DB-4BCC-A27E-E7DB55E62E8E\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\2F377987-27CA-4BB8-BA46-0160DD96452C\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\F7438787-719E-4B9E-9D91-9B424F5C6EBC\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-00000000-0000-0000-0000-000000000000",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dllMofResourceName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.muiMofResourceName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sysACPIMOFResource",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.muiACPIMOFResource",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sysMofResourceName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.muiMofResourceName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sysMofResource",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.muiMofResource",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sysHDAudioMofName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.muiHDAudioMofName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sysPROCESSORWMI",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.muiPROCESSORWMI",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYSPortclsMof",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.muiPortclsMof",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
- * DNS Communications:
- "type": "A",
- "request": "bot.whatismyipaddress.com",
- "answers":
- "data": "66.171.248.178",
- "type": "A"
- "type": "A",
- "request": "mail.jointexbd.com",
- "answers":
- "data": "199.168.188.2",
- "type": "A"
- "data": "jointexbd.com",
- "type": "CNAME"
- * Domains:
- "ip": "66.171.248.178",
- "domain": "bot.whatismyipaddress.com"
- "ip": "199.168.188.2",
- "domain": "mail.jointexbd.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://bot.whatismyipaddress.com/",
- "user-agent": "",
- "method": "GET",
- "host": "bot.whatismyipaddress.com",
- "version": "1.1",
- "path": "/",
- "data": "GET / HTTP/1.1\r\nHost: bot.whatismyipaddress.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement