Beyond good ol’ Run key, Part 4

The last three articles about various startup/autostart methods covered a lot of different well-known and less-known techniques for ‘staying alive’. Many of them are actively used by malware and ‘normal’ software; some are just ideas that are worth describing because… luck favors a prepared mind. If you haven’t read them previously, you can do so by visiting these links: Part 1, Part 2, Part 3.

In today’s post I will cover some more techniques including hijacking of various debuggers and some more obscure ways of ‘survival’. I think this is probably the lamest part of the series so far, because the techniques are old-school and amateurish, but luckily it is not the last one, so stay tuned for Part 5 🙂

Hijacking debuggers

The list of debuggers one can replace on the system is as follows:

  • Standalone Debugger (32- and 64-bit)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
    Debugger = PATH

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug]
    Debugger = PATH
  • .NET Debugger (32- and 64-bit)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework]
    DbgManagedDebugger = PATH

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework]
    DbgManagedDebugger = PATH
  • Script Debugger
    [HKEY_CLASSES_ROOT\CLSID\{834128A2-51F4-11D0-8F20-00805F2CD064}\LocalServer32]
    @=PATH

Registering itself as a Script Debugger
The Windows Script Debugger (WSD) is a standalone tool that one can use to actively debug their scripts (e.g. vbs). Once installed, a developer can run one of the following commands:

  • cscript /x script.vbs

or

  • wscript /x script.vbs

to debug the script.

The name of the executable that is used as a debugger is stored inside the following key

  • [HKEY_CLASSES_ROOT\CLSID\{834128A2-51F4-11D0-8F20-00805F2CD064}\LocalServer32]

and on a system where the WSD is installed it may look like this:

  • [HKEY_CLASSES_ROOT\CLSID\{834128A2-51F4-11D0-8F20-00805F2CD064}\LocalServer32]
    @="C:\\Program Files\\Microsoft Script Debugger\\msscrdbg.exe"

One could replace the script debugger path so that it leads to their own executable any time the debugger is launched, making it kinda persistent on the system. Kinda, because the .exe will be executed only on the rare occasion when the debugger is actually installed (a developer’s or power user’s machine).

Another issue is that launching the script debugger takes more steps than just looking up the value in the registry and launching the appropriate application.

When VBScript tries to find the debugger it talks to a few COM components first (e.g. the Process Debug Manager), so in order to make it work one would also need to register these COM components (if you want to know more details, install WSD and look at the registry changes associated with the installation).

Hijacking Process Debug Manager

An alternative persistence mechanism could hijack one of the COM components that VBScript ‘talks to’ and replace its server path so that it points to a malicious file. The DLL does not even need to implement any COM functionality; it is enough for it to be a simple, loadable library. The Process Debug Manager that I mentioned earlier could do the trick here. The value under its CLSID on a system where WSD is installed is shown below:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}\InprocServer32]
@="C:\\WINDOWS\\system32\\pdm.dll"

Pointing InprocServer32 at a malicious DLL would get it loaded any time VBScript (or any other module) ‘consults’ the ProcessDebugManager.

ServiceDll Hijack

Many entries under

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

can be hijacked by swapping their ServiceDll value so that it points to a malicious library, e.g. the ServiceDll value of the Remote Access service, stored under

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters]

normally points to

  • %SystemRoot%\System32\mprdim.dll

but it can be changed to point to a malicious component. There are many default services that could be hijacked this way.
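As an added example (not the post’s own code), the following Python script audits an offline reg export dump for the locations covered in the debugger, Process Debug Manager and ServiceDll sections above: the AeDebug Debugger and DbgManagedDebugger values, the two COM server paths, and every service’s Parameters\ServiceDll. The .reg sample, the trusted-prefix baseline and all helper names are constructed assumptions for this example; on a live host one would additionally verify the Authenticode signature of each image.

```python
import re
from typing import Dict, List, Optional, Tuple
# Values the post describes as hijackable (keys lowercased, "@" = the default value);
# the Wow6432Node mirrors from the post are listed the same way. HKEY_CLASSES_ROOT is a
# merged view, so parse_reg() maps it onto HKLM\Software\Classes.
WATCHED: Dict[str, Tuple[str, ...]] = {
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\aedebug": ("debugger",),
    r"hkey_local_machine\software\wow6432node\microsoft\windows nt\currentversion\aedebug": ("debugger",),
    r"hkey_local_machine\software\microsoft\.netframework": ("dbgmanageddebugger",),
    r"hkey_local_machine\software\wow6432node\microsoft\.netframework": ("dbgmanageddebugger",),
    r"hkey_local_machine\software\classes\clsid\{834128a2-51f4-11d0-8f20-00805f2cd064}\localserver32": ("@",),
    r"hkey_local_machine\software\classes\clsid\{78a51822-51f4-11d0-8f20-00805f2cd064}\inprocserver32": ("@",),
}
# Every service's Parameters\ServiceDll is watched as well.
SERVICE_PARAMS_RE = re.compile(r"^hkey_local_machine\\system\\currentcontrolset\\services\\[^\\]+\\parameters$")
# Assumed baseline: an image outside these roots is reported for a closer look.
TRUSTED_PREFIXES = ("%systemroot%\\", "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll))(?:\s|$)", re.IGNORECASE)

def decode_data(raw: str) -> Optional[str]:
    """REG_SZ ("..." with \\ and \" escapes) or REG_EXPAND_SZ (hex(2): UTF-16LE bytes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("hex(2):"):
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\0")
    return None  # dword, binary, multi-sz: not relevant for this audit

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value_name: data}} for the string values in a .reg dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current, lines, i = None, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].rstrip(), i + 1
        while line.endswith("\\") and i < len(lines):  # reg.exe wraps long hex runs
            line, i = line[:-1] + lines[i].strip(), i + 1
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1).lower()
            if current.startswith("hkey_classes_root\\"):
                current = "hkey_local_machine\\software\\classes\\" + current[18:]
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line.strip())
        if val and current is not None:
            data = decode_data(val.group("data"))
            if data is not None:
                keys[current]["@" if val.group("default") else val.group("name").lower()] = data
    return keys

def image_path(data: str) -> str:
    """First image in a command-line style value ("x.exe" -p %ld ... or x.exe PID %d ...)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = IMAGE_RE.match(data)
    return m.group(1) if m else data.split(" ")[0]

def assess(path: str) -> str:
    """'expected' for the baseline roots, otherwise why the entry deserves a look."""
    p = path.lower().replace("/", "\\")
    if not (p.startswith("%") or (len(p) > 2 and p[1] == ":")):
        return "unrooted"  # found via the search path rather than an absolute location
    return "expected" if p.startswith(TRUSTED_PREFIXES) else "unexpected location"

def audit(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """(key, value name, image path, verdict) for every watched value present."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        names = list(WATCHED.get(key, ())) + (["servicedll"] if SERVICE_PARAMS_RE.match(key) else [])
        for name in names:
            if name in values:
                path = image_path(values[name])
                findings.append((key, name, path, assess(path)))
    return findings

def reg_expand_sz(s: str) -> str:
    """Encode a string the way reg.exe exports REG_EXPAND_SZ (used to build the sample)."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))

_mprdim = reg_expand_sz(r"%SystemRoot%\System32\mprdim.dll")
SAMPLE_REG = "\n".join([  # constructed dump; the .NETFramework and RasAuto entries are the planted ones
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]",
    r'"Debugger"="\"C:\\Windows\\system32\\vsjitdebugger.exe\" -p %ld -e %ld"',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework]",
    r'"DbgManagedDebugger"="C:\\Users\\Public\\Libraries\\dbg.exe PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d"',
    r"[HKEY_CLASSES_ROOT\CLSID\{834128A2-51F4-11D0-8F20-00805F2CD064}\LocalServer32]",
    r'@="C:\\Program Files\\Microsoft Script Debugger\\msscrdbg.exe"',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78A51822-51F4-11D0-8F20-00805F2CD064}\InprocServer32]",
    r'@="C:\\WINDOWS\\system32\\pdm.dll"',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters]",
    '"ServiceDll"=' + _mprdim[:60] + "\\",  # wrapped onto two lines, as reg.exe does
    "  " + _mprdim[60:],
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters]",
    '"ServiceDll"=' + reg_expand_sz(r"C:\ProgramData\Adobe\rasauto.dll"),
])
```

A real export (reg export HKLM\SOFTWARE dump.reg) is written as UTF-16 with a BOM on current Windows versions, so read it with open(path, encoding="utf-16") before handing the text to audit().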

Mapi32 Stub Library

Older versions of Outlook 2007 allowed extra functionality to be added to Outlook by installing a custom version of mapi32.dll in the system directory, as explained in this article.

The relevant Mapi32.dll stub registry settings are stored in the following location:

  • [HKEY_LOCAL_MACHINE\Software\Clients\Mail::(default)]
    • DLLPath

      Full path to the Simple MAPI provider DLL.

    • DLLPathEx

      Full path to the MAPI provider DLL. Provider DLLs that support both Simple MAPI and MAPI must have both keys set.

Obviously, this mechanism is a perfect target for abuse.

Hijacking Client executables

The Registering Programs with Client Types article from Microsoft explains ‘how to register a program in the Windows registry as one of the following client types: browser, email, media playback, instant messaging, or virtual machine for Java’. Looking at the registry entries associated with these registrations we can find the following key:

  • [HKEY_LOCAL_MACHINE\Software\Clients\]

Many applications listed under this key can be hijacked, e.g. the Mail client entries contain keys that point to executables:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo]
    • HideIconsCommand
    • ReinstallCommand
    • ShowIconsCommand

Windows 2000 Welcome

Installation of Windows 2000 always ends with the “Getting Started with Windows 2000” window shown on the screen after the system restarts. The user has an option to disable it, but the box is ticked ON by default.

The window shows up as a result of welcome.exe being executed from the following location:

  • C:\WINNT\Welcome.exe

The flag that determines whether welcome.exe is executed or not is stored in the following Registry location:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\tips]
    Show = 0x00000001

Replacing welcome.exe and ensuring the value of Show is equal to 1 will make C:\WINNT\Welcome.exe execute every time the system starts.

Well, not quite.

If the file is replaced, it will be ‘magically’ restored from the following location:

  • c:\WINNT\system32\dllcache\welcome.exe

So, the malware needs to be copied into 2 locations, and… the Windows File Protection needs to be disabled as well 🙂

Thanks for reading and see you in Part 5.

Clustering and Batch Analysis of APT1 sampleset

Part 1, Part 2, Part 3

As I mentioned in my previous post, I was toying around with various samplesets (e.g. ZeroAccess, APT1, etc.) and since the APT1 sampleset is all over the news, I took a stab at it, sandboxed the samples and attempted to cluster the results to see if any patterns emerge…

The sampleset – batch analysis

Encryption

Some of the samples use DES and the following passwords:

  • Hello@)!0
  • !b=z&7?cc,MQ
  • 1b=z7/lx+WK!
  • !b=z&7?cc,MQ>

File names / locations:


Mutexes:


Services:

  • .Net CLR (Microsoft .Net Framework COM+ Support)
  • DevFS (Device File System)
  • DevSec (Rpc Device Management)
  • InfMon (Infrared Monitor)
  • Nwsapagent (Gateway Service for Netware)
  • RasAuto (Remote Access Auto Connection Manager)
  • tcpguard (tcpguard)

Connections (note, may contain clean IPs/URLs):


URLs and URL-like patterns (from static analysis; may contain errors)


HTTP Requests:


User Agents:


Delays in ms

  • 100
  • 1000
  • 2000
  • 3000
  • 4000
  • 5000
  • 6000
  • 10000
  • 30000
  • 60000
  • 100000
  • 120000
  • 127000
  • 300000
  • 600000
  • 900000
  • 1500000
  • 1620000
  • 174000
  • 1740000
  • 1800000
  • 2100000

Compilation timestamps:

  • 2001-07-17 00:22:56 Tuesday 995329376
  • 2003-08-06 18:34:23 Wednesday 1060194863
  • 2003-10-16 03:41:02 Thursday 1066275662
  • 2004-01-23 23:39:42 Friday 1074901182
  • 2004-05-15 01:06:23 Saturday 1084583183
  • 2004-07-07 02:17:12 Wednesday 1089166632
  • 2004-08-04 06:02:53 Wednesday 1091599373
  • 2004-08-04 06:10:04 Wednesday 1091599804
  • 2004-08-04 06:14:22 Wednesday 1091600062
  • 2004-08-04 06:14:38 Wednesday 1091600078
  • 2004-08-04 07:56:01 Wednesday 1091606161
  • 2004-08-04 07:56:07 Wednesday 1091606167
  • 2004-08-04 07:56:21 Wednesday 1091606181
  • 2004-08-04 07:56:23 Wednesday 1091606183
  • 2004-08-04 07:56:26 Wednesday 1091606186
  • 2004-08-04 07:56:30 Wednesday 1091606190
  • 2004-08-04 07:56:36 Wednesday 1091606196
  • 2004-08-04 07:56:37 Wednesday 1091606197
  • 2004-08-04 07:56:39 Wednesday 1091606199
  • 2004-08-04 07:56:40 Wednesday 1091606200
  • 2004-08-04 07:56:42 Wednesday 1091606202
  • 2004-08-04 07:56:44 Wednesday 1091606204
  • 2004-08-04 07:56:58 Wednesday 1091606218
  • 2004-08-04 07:57:08 Wednesday 1091606228
  • 2004-08-04 07:57:38 Wednesday 1091606258
  • 2004-08-04 07:59:14 Wednesday 1091606354
  • 2006-08-03 12:45:02 Thursday 1154609102
  • 2006-09-13 18:20:18 Wednesday 1158171618
  • 2006-09-14 02:28:46 Thursday 1158200926
  • 2007-06-29 15:18:22 Friday 1183130302
  • 2007-07-25 17:44:33 Wednesday 1185385473
  • 2007-08-08 03:16:50 Wednesday 1186543010
  • 2007-09-17 09:21:03 Monday 1190020863
  • 2007-11-18 23:50:13 Sunday 1195429813
  • 2008-03-12 12:39:30 Wednesday 1205325570
  • 2008-04-13 19:14:55 Sunday 1208114095
  • 2008-06-17 01:20:04 Tuesday 1213665604
  • 2008-07-30 03:25:13 Wednesday 1217388313
  • 2008-08-22 00:43:16 Friday 1219365796
  • 2008-08-27 08:41:19 Wednesday 1219826479
  • 2008-09-16 08:40:03 Tuesday 1221554403
  • 2008-09-16 08:42:05 Tuesday 1221554525
  • 2008-09-16 09:20:31 Tuesday 1221556831
  • 2008-10-22 00:12:21 Wednesday 1224634341
  • 2008-10-27 02:18:16 Monday 1225073896
  • 2008-10-27 08:31:43 Monday 1225096303
  • 2008-10-27 13:48:37 Monday 1225115317
  • 2008-11-10 08:29:48 Monday 1226305788
  • 2008-11-10 08:30:00 Monday 1226305800
  • 2008-11-21 07:46:32 Friday 1227253592
  • 2009-01-07 08:09:33 Wednesday 1231315773
  • 2009-01-15 03:30:11 Thursday 1231990211
  • 2009-02-05 07:14:01 Thursday 1233818041
  • 2009-02-05 07:16:28 Thursday 1233818188
  • 2009-02-05 07:20:22 Thursday 1233818422
  • 2009-02-17 09:40:38 Tuesday 1234863638
  • 2009-03-02 09:52:20 Monday 1235987540
  • 2009-03-06 14:10:18 Friday 1236348618
  • 2009-03-16 13:30:51 Monday 1237210251
  • 2009-03-17 03:34:24 Tuesday 1237260864
  • 2009-03-17 13:21:25 Tuesday 1237296085
  • 2009-03-25 13:11:56 Wednesday 1237986716
  • 2009-04-12 09:14:38 Sunday 1239527678
  • 2009-05-14 17:12:40 Thursday 1242321160
  • 2009-05-26 07:37:57 Tuesday 1243323477
  • 2009-06-08 10:17:38 Monday 1244456258
  • 2009-07-08 13:30:46 Wednesday 1247059846
  • 2009-07-16 15:04:29 Thursday 1247756669
  • 2009-07-20 08:33:01 Monday 1248078781
  • 2009-07-20 09:02:46 Monday 1248080566
  • 2009-07-25 03:44:04 Saturday 1248493444
  • 2009-07-29 14:34:24 Wednesday 1248878064
  • 2009-07-30 09:20:04 Thursday 1248945604
  • 2009-08-03 08:29:29 Monday 1249288169
  • 2009-08-11 08:38:40 Tuesday 1249979920
  • 2009-08-16 11:05:43 Sunday 1250420743
  • 2009-08-24 13:16:23 Monday 1251119783
  • 2009-08-28 02:17:30 Friday 1251425850
  • 2009-11-11 06:33:02 Wednesday 1257921182
  • 2009-11-17 22:13:19 Tuesday 1258495999
  • 2009-12-01 00:40:09 Tuesday 1259628009
  • 2009-12-21 01:39:02 Monday 1261359542
  • 2010-01-15 17:20:56 Friday 1263576056
  • 2010-02-03 08:22:33 Wednesday 1265185353
  • 2010-02-03 08:22:50 Wednesday 1265185370
  • 2010-02-09 08:29:43 Tuesday 1265704183
  • 2010-02-11 03:27:04 Thursday 1265858824
  • 2010-02-11 06:44:46 Thursday 1265870686
  • 2010-02-25 00:49:53 Thursday 1267058993
  • 2010-03-15 06:27:58 Monday 1268634478
  • 2010-04-12 09:09:29 Monday 1271063369
  • 2010-04-14 17:18:20 Wednesday 1271265500
  • 2010-04-20 03:39:27 Tuesday 1271734767
  • 2010-04-23 07:51:28 Friday 1272009088
  • 2010-05-20 07:01:21 Thursday 1274338881
  • 2010-06-23 01:24:31 Wednesday 1277256271
  • 2010-06-25 09:26:47 Friday 1277458007
  • 2010-06-29 00:31:41 Tuesday 1277771501
  • 2010-08-23 02:17:20 Monday 1282529840
  • 2010-09-19 08:34:11 Sunday 1284885251
  • 2010-09-27 02:06:31 Monday 1285553191
  • 2010-09-28 01:00:25 Tuesday 1285635625
  • 2010-09-28 08:09:41 Tuesday 1285661381
  • 2010-10-19 08:15:54 Tuesday 1287476154
  • 2010-10-21 06:51:09 Thursday 1287643869
  • 2010-10-29 06:50:40 Friday 1288335040
  • 2010-10-29 06:51:08 Friday 1288335068
  • 2010-11-02 08:35:56 Tuesday 1288686956
  • 2010-11-04 06:07:11 Thursday 1288850831
  • 2010-11-06 08:08:37 Saturday 1289030917
  • 2010-11-17 13:37:00 Wednesday 1290001020
  • 2010-11-18 01:54:57 Thursday 1290045297
  • 2010-12-02 08:05:26 Thursday 1291277126
  • 2010-12-16 03:14:07 Thursday 1292469247
  • 2010-12-16 03:16:48 Thursday 1292469408
  • 2010-12-18 08:10:11 Saturday 1292659811
  • 2010-12-22 08:02:25 Wednesday 1293004945
  • 2011-01-11 02:12:48 Tuesday 1294711968
  • 2011-01-11 02:24:30 Tuesday 1294712670
  • 2011-01-11 03:22:02 Tuesday 1294716122
  • 2011-03-02 07:40:24 Wednesday 1299051624
  • 2011-03-03 13:41:14 Thursday 1299159674
  • 2011-03-07 09:42:59 Monday 1299490979
  • 2011-03-08 02:36:50 Tuesday 1299551810
  • 2011-03-16 19:26:23 Wednesday 1300303583
  • 2011-03-22 12:59:55 Tuesday 1300798795
  • 2011-03-23 14:34:10 Wednesday 1300890850
  • 2011-03-23 14:36:19 Wednesday 1300890979
  • 2011-03-28 13:35:35 Monday 1301319335
  • 2011-03-29 08:40:16 Tuesday 1301388016
  • 2011-04-02 09:07:51 Saturday 1301735271
  • 2011-04-08 08:04:50 Friday 1302249890
  • 2011-04-20 13:13:08 Wednesday 1303305188
  • 2011-04-21 07:16:51 Thursday 1303370211
  • 2011-04-21 07:51:21 Thursday 1303372281
  • 2011-04-26 01:53:58 Tuesday 1303782838
  • 2011-04-28 01:22:03 Thursday 1303953723
  • 2011-05-17 07:45:35 Tuesday 1305618335
  • 2011-05-17 12:37:22 Tuesday 1305635842
  • 2011-05-20 01:14:53 Friday 1305854093
  • 2011-05-30 08:29:29 Monday 1306744169
  • 2011-06-28 22:39:19 Tuesday 1309300759
  • 2011-07-11 03:38:22 Monday 1310355502
  • 2011-07-18 03:10:56 Monday 1310958656
  • 2011-07-19 01:55:13 Tuesday 1311040513
  • 2011-07-28 04:50:57 Thursday 1311828657
  • 2011-07-28 14:49:46 Thursday 1311864586
  • 2011-07-29 07:10:31 Friday 1311923431
  • 2011-08-09 08:15:29 Tuesday 1312877729
  • 2011-08-11 13:15:49 Thursday 1313068549
  • 2011-08-19 02:34:16 Friday 1313721256
  • 2011-08-19 03:07:37 Friday 1313723257
  • 2011-09-20 03:40:51 Tuesday 1316490051
  • 2011-09-20 03:50:48 Tuesday 1316490648
  • 2011-09-25 13:42:51 Sunday 1316958171
  • 2011-09-25 13:43:28 Sunday 1316958208
  • 2011-09-27 13:07:55 Tuesday 1317128875
  • 2011-09-27 13:09:16 Tuesday 1317128956
  • 2011-10-10 14:16:57 Monday 1318256217
  • 2011-10-11 13:02:38 Tuesday 1318338158
  • 2011-10-12 01:58:10 Wednesday 1318384690
  • 2011-10-13 08:47:13 Thursday 1318495633
  • 2011-10-14 08:42:16 Friday 1318581736
  • 2011-10-14 11:58:04 Friday 1318593484
  • 2011-10-18 00:58:17 Tuesday 1318899497
  • 2011-10-19 09:16:10 Wednesday 1319015770
  • 2011-10-19 09:17:10 Wednesday 1319015830
  • 2011-10-19 09:19:09 Wednesday 1319015949
  • 2011-10-24 08:19:05 Monday 1319444345
  • 2011-11-01 02:43:26 Tuesday 1320115406
  • 2011-11-05 09:27:34 Saturday 1320485254
  • 2011-11-07 14:59:20 Monday 1320677960
  • 2011-11-17 07:22:44 Thursday 1321514564
  • 2011-11-21 12:36:14 Monday 1321878974
  • 2011-11-21 12:36:51 Monday 1321879011
  • 2011-11-22 01:15:22 Tuesday 1321924522
  • 2011-11-28 12:32:07 Monday 1322483527
  • 2011-12-12 03:28:15 Monday 1323660495
  • 2011-12-20 02:23:38 Tuesday 1324347818
  • 2012-01-19 00:50:11 Thursday 1326934211
  • 2012-01-20 03:14:28 Friday 1327029268
  • 2012-02-09 00:47:28 Thursday 1328748448
  • 2012-02-09 00:47:52 Thursday 1328748472
  • 2012-02-16 08:22:06 Thursday 1329380526
  • 2012-02-17 14:55:21 Friday 1329490521
  • 2012-02-23 07:20:31 Thursday 1329981631
  • 2012-02-28 11:48:43 Tuesday 1330429723
  • 2012-02-28 15:35:51 Tuesday 1330443351
  • 2012-03-02 06:27:21 Friday 1330669641
  • 2012-03-02 07:20:27 Friday 1330672827
  • 2012-03-02 08:45:11 Friday 1330677911
  • 2012-03-07 08:41:30 Wednesday 1331109690
  • 2012-03-12 01:34:56 Monday 1331516096
  • 2012-03-13 02:21:54 Tuesday 1331605314
  • 2012-03-13 03:47:57 Tuesday 1331610477
  • 2012-03-16 07:10:50 Friday 1331881850
  • 2012-03-20 09:24:33 Tuesday 1332235473
  • 2012-03-22 08:45:38 Thursday 1332405938
  • 2012-03-28 15:39:00 Wednesday 1332949140
  • 2012-04-12 15:02:26 Thursday 1334242946
  • 2012-04-17 08:29:00 Tuesday 1334651340
  • 2012-04-17 08:30:01 Tuesday 1334651401
  • 2012-04-17 09:32:54 Tuesday 1334655174
  • 2012-04-24 08:24:45 Tuesday 1335255885
  • 2012-05-07 03:19:17 Monday 1336360757
  • 2012-05-14 14:16:53 Monday 1337005013
  • 2012-05-28 08:12:40 Monday 1338192760
  • 2012-05-29 14:39:47 Tuesday 1338302387
  • 2012-06-04 12:57:35 Monday 1338814655
  • 2012-06-09 13:19:49 Saturday 1339247989
  • 2012-06-09 13:19:53 Saturday 1339247993
  • 2012-06-11 12:37:20 Monday 1339418240
  • 2012-06-26 03:30:05 Tuesday 1340681405
  • 2012-08-08 23:27:53 Wednesday 1344468473
  • 2012-08-10 02:10:53 Friday 1344564653
  • 2012-08-16 07:53:11 Thursday 1345103591
  • 2012-08-20 12:56:12 Monday 1345467372
  • 2012-08-20 12:59:08 Monday 1345467548
  • 2012-08-20 14:06:56 Monday 1345471616
  • 2012-08-20 15:16:12 Monday 1345475772
  • 2012-08-21 13:46:15 Tuesday 1345556775
  • 2012-08-22 15:50:16 Wednesday 1345650616
  • 2012-08-28 07:34:32 Tuesday 1346139272
  • 2012-08-28 13:40:13 Tuesday 1346161213
  • 2012-08-30 13:06:09 Thursday 1346331969
  • 2012-09-06 15:34:30 Thursday 1346945670
  • 2012-09-10 14:25:34 Monday 1347287134
  • 2012-11-07 14:12:48 Wednesday 1352297568
  • 2012-11-13 14:55:39 Tuesday 1352818539
  • 2012-11-14 07:58:27 Wednesday 1352879907
  • 2012-11-16 07:35:22 Friday 1353051322
  • 2012-12-06 13:09:40 Thursday 1354799380
  • 2012-12-25 13:07:50 Tuesday 1356440870


The sampleset – clustering

Quite frankly, there is not so much to write about it here.

I do not find an obvious distribution or significant spikes of specific patterns, and the results are not very presentable – to provide a few specific examples – out of 285 samples:

The following samples use DES:

  • 0CF9E999C574EC89595263446978DC9F
  • 24259AE8B0018B0CE9992FB1D9B69E2A
  • 468FF2C12CFFC7E5B2FE0EE6BB3B239E
  • 476FEA8761A03BEF16E322996C2F6666
  • 7AECB34616245EB6B2906358151BE55B
  • 7F1A4BC267ACE340A5AA7A0B79CBF349
  • 8E8622C393D7E832D39E620EAD5D3B49
  • 929802A27737CEBC59D19DA724FDF30A
  • C04C796EF126AD7429BE7D55720FE392
  • CF9C2D5A8FBDD1C5ADC20CFC5E663C21
  • D0D5A20C5A6C4FDDAB4D43B85632B6A9
  • D34E357461C55D90C52309C1FF952B4C
  • DD21D1EA2146861A4219B1CBDAEFE59B

The following files run runinfo.exe:

  • 09531F851EF74A7238685FD287A395BD
  • 0CA6E2AD69826C8E3287FC8576112814
  • C3E5603A38E700274D1AB30CE93D08B9

The following samples use the mutex !@ADS@#$:

  • 6B3D19CC86D82B06F5DB3AE9D5BA8A5F
  • 831A67DC75E2D4505180888747BC8EA9

The following samples connect to 69.28.168.10:443:

  • 1F2EB7B090018D975E6D9B40868C94CA
  • D9FBF759F527AF373E34673DC3ACA462

The conclusion?

Diplomatically speaking – my clustering efforts are far from being actionable at this stage :-).

Sandboxing samples provides good data for toying around, but w/o some normalization of this data and w/o the ability to establish links between smaller clusters, it’s hard to draw any significant conclusion.
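The two gaps named above (normalizing sandbox features, and linking small clusters that share an indicator) can be closed with a feature index plus union-find. The script below is an added example, not code from the post or its author. The MD5s and the four attributes are the ones the post lists; the `CONSTRUCTED-*` samples, their user-agent strings and the `max_prevalence` cut-off are assumptions made here only to show how one shared indicator merges two groups, how a hostname-stripped user-agent collides with its plain variant, and why a feature seen in too many samples should not link anything.

```python
"""Link sandbox-derived indicators into sample clusters (added example)."""
import re
from collections import defaultdict

# Constructed input. Hashes and attributes for the first nine entries are
# those the post groups together; CONSTRUCTED-1..4 are assumed samples.
GENERIC_UA = "ua:Mozilla/4.0"   # seen on many samples -> too generic to link

SAMPLE_FEATURES = {
    "0CF9E999C574EC89595263446978DC9F": {"crypto:DES"},
    "24259AE8B0018B0CE9992FB1D9B69E2A": {"crypto:DES"},
    "468FF2C12CFFC7E5B2FE0EE6BB3B239E": {"crypto:DES"},
    "09531F851EF74A7238685FD287A395BD": {"runs:runinfo.exe"},
    "0CA6E2AD69826C8E3287FC8576112814": {"runs:runinfo.exe"},
    "6B3D19CC86D82B06F5DB3AE9D5BA8A5F": {"mutex:!@ADS@#$"},
    "831A67DC75E2D4505180888747BC8EA9": {"mutex:!@ADS@#$"},
    "1F2EB7B090018D975E6D9B40868C94CA": {"c2:69.28.168.10:443"},
    "D9FBF759F527AF373E34673DC3ACA462": {"c2:69.28.168.10:443"},
    # Assumed sample sharing both the mutex and the C2 address: it bridges
    # the two-member mutex group and the two-member C2 group.
    "CONSTRUCTED-1": {"mutex:!@ADS@#$", "c2:69.28.168.10:443", GENERIC_UA},
    # Assumed pair: same UA, one with the sandbox's [HOSTNAME] token and
    # odd spacing. Without normalisation they would never collide.
    "CONSTRUCTED-2": {"ua:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; "
                      "[HOSTNAME];Trident/4.0)", GENERIC_UA},
    "CONSTRUCTED-3": {"ua:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;  "
                      "Trident/4.0)", GENERIC_UA},
    "CONSTRUCTED-4": {GENERIC_UA},
}


def normalize_feature(feature: str) -> str:
    """Canonicalise a 'kind:value' feature so trivially different values collide.

    Only user-agents are rewritten here; mutex names and addresses are kept
    verbatim because their exact bytes are what identifies the family.
    """
    kind, _, value = feature.partition(":")
    if kind == "ua":
        value = re.sub(r"\[HOSTNAME\];?", "", value)   # drop per-machine token
        value = re.sub(r"\s+", " ", value).strip()      # collapse whitespace
        value = value.lower()
    return f"{kind}:{value}"


def cluster_samples(sample_features: dict, max_prevalence: int = 3) -> dict:
    """Group samples that share at least one normalised, non-generic feature.

    A feature shared by more than max_prevalence samples is treated as noise
    (a stock UA, a common sleep value) and is reported but never used to link.
    Returns clusters (largest first), the linking features, and the ignored ones.
    """
    index = defaultdict(set)                     # normalised feature -> samples
    for sample, feats in sample_features.items():
        for feat in feats:
            index[normalize_feature(feat)].add(sample)

    parent = {s: s for s in sample_features}     # union-find over sample ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]        # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    links, ignored = {}, []
    for feat, members in sorted(index.items()):
        if len(members) > max_prevalence:
            ignored.append(feat)
        elif len(members) > 1:
            first, *rest = sorted(members)
            for other in rest:
                union(first, other)
            links[feat] = sorted(members)

    groups = defaultdict(set)
    for sample in sample_features:
        groups[find(sample)].add(sample)
    clusters = sorted((sorted(g) for g in groups.values()),
                      key=lambda c: (-len(c), c))
    return {"clusters": clusters, "links": links, "ignored": ignored}


if __name__ == "__main__":
    result = cluster_samples(SAMPLE_FEATURES, max_prevalence=3)
    for cluster in result["clusters"]:
        print(len(cluster), cluster)
    print("linking features:", sorted(result["links"]))
    print("ignored as too generic:", result["ignored"])
```

The prevalence cut-off is the important knob: with it set too high, a stock user-agent or a common delay value such as 1000 ms would collapse the whole set into one meaningless cluster, which is the same problem the post describes from the other direction.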

Sad, but watch this space 🙂