Analysis

Category FILE
Package exe
Started 2019-01-10 02:07:09
Completed 2019-01-10 02:10:54
Duration 225 seconds
Options
route = internet
procdump = 1
Log
2019-01-10 02:07:10,000 [root] INFO: Date set to: 01-10-19, time set to: 02:07:10, timeout set to: 200
2019-01-10 02:07:10,015 [root] DEBUG: Starting analyzer from: C:\qfkgiskqi
2019-01-10 02:07:10,015 [root] DEBUG: Storing results at: C:\JgsGLSR
2019-01-10 02:07:10,015 [root] DEBUG: Pipe server name: \\.\PIPE\wDMckwm
2019-01-10 02:07:10,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-10 02:07:10,015 [root] INFO: Automatically selected analysis package "exe"
2019-01-10 02:07:10,436 [root] DEBUG: Started auxiliary module Browser
2019-01-10 02:07:10,436 [root] DEBUG: Started auxiliary module Curtain
2019-01-10 02:07:10,436 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-01-10 02:07:10,436 [root] DEBUG: Started auxiliary module DigiSig
2019-01-10 02:07:10,436 [root] DEBUG: Started auxiliary module Disguise
2019-01-10 02:07:10,436 [root] DEBUG: Started auxiliary module Human
2019-01-10 02:07:10,436 [root] DEBUG: Started auxiliary module Screenshots
2019-01-10 02:07:10,436 [root] DEBUG: Started auxiliary module Sysmon
2019-01-10 02:07:10,436 [root] DEBUG: Started auxiliary module Usage
2019-01-10 02:07:10,436 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-01-10 02:07:10,436 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-01-10 02:07:10,608 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\2019-01-08-Monero-coinminer.exe" with arguments "" with pid 2964
2019-01-10 02:07:10,608 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 02:07:10,608 [lib.api.process] INFO: 32-bit DLL to inject is C:\qfkgiskqi\dll\ACFnaTB.dll, loader C:\qfkgiskqi\bin\jnokiZw.exe
2019-01-10 02:07:10,624 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2964
2019-01-10 02:07:12,635 [lib.api.process] INFO: Successfully resumed process with pid 2964
2019-01-10 02:07:12,635 [root] INFO: Added new process to list with pid: 2964
2019-01-10 02:07:12,683 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 02:07:12,683 [root] DEBUG: Process dumps enabled.
2019-01-10 02:07:12,683 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2964 at 0x74480000, image base 0x400000, stack from 0x186000-0x190000
2019-01-10 02:07:12,683 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\2019-01-08-Monero-coinminer.exe".
2019-01-10 02:07:12,683 [root] INFO: Monitor successfully loaded in process with pid 2964.
2019-01-10 02:07:12,697 [root] INFO: Announced 32-bit process name:  pid: 1636996
2019-01-10 02:07:12,697 [root] INFO: Added new process to list with pid: 1636996
2019-01-10 02:07:12,697 [lib.api.process] WARNING: The process with pid 1636996 is not alive, injection aborted
2019-01-10 02:07:13,650 [root] INFO: Process with pid 1636996 has terminated
2019-01-10 02:09:21,585 [root] DEBUG: set_caller_info: Adding region at 0x03760000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-01-10 02:09:21,601 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-01-10 02:09:21,617 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-01-10 02:09:21,617 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-01-10 02:09:21,632 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 02:09:21,632 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 02:09:21,632 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-01-10 02:09:21,664 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 02:09:27,622 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-01-10 02:09:27,638 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-01-10 02:09:27,732 [root] INFO: Sample attempted to remap module 'C:\Windows\SysWOW64\ntdll.dll' at 0x03B40000, returning original module address instead: 0x772F0000
2019-01-10 02:09:27,732 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\system32\profapi (0xb000 bytes).
2019-01-10 02:09:27,732 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-01-10 02:09:27,763 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-01-10 02:09:27,795 [root] INFO: Announced 64-bit process name: notepad.exe pid: 3068
2019-01-10 02:09:27,795 [root] INFO: Added new process to list with pid: 3068
2019-01-10 02:09:27,795 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 02:09:27,795 [lib.api.process] INFO: 64-bit DLL to inject is C:\qfkgiskqi\dll\LhLfTm.dll, loader C:\qfkgiskqi\bin\uKkrGtey.exe
2019-01-10 02:09:27,795 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3068
2019-01-10 02:09:27,795 [root] INFO: Disabling sleep skipping.
2019-01-10 02:09:27,795 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 02:09:27,809 [root] DEBUG: Process dumps enabled.
2019-01-10 02:09:27,809 [root] INFO: Disabling sleep skipping.
2019-01-10 02:09:27,825 [root] WARNING: Unable to place hook on LockResource
2019-01-10 02:09:27,825 [root] WARNING: Unable to hook LockResource
2019-01-10 02:09:27,857 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3068 at 0x00000000743A0000, image base 0x0000000000400000, stack from 0x000000000028F000-0x00000000002A0000
2019-01-10 02:09:27,857 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\notepad.exe" -c "C:\ProgramData\migVCTGVwf\cfgi".
2019-01-10 02:09:27,857 [root] INFO: Monitor successfully loaded in process with pid 3068.
2019-01-10 02:09:27,904 [root] DEBUG: DLL loaded at 0x000007FEFB9C0000: C:\Windows\system32\powrprof (0x2c000 bytes).
2019-01-10 02:09:27,918 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-01-10 02:09:27,918 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-01-10 02:09:27,918 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-01-10 02:09:27,918 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-01-10 02:09:27,950 [root] DEBUG: DLL loaded at 0x000007FEFC890000: C:\Windows\system32\mswsock (0x55000 bytes).
2019-01-10 02:09:27,966 [root] DEBUG: DLL loaded at 0x000007FEFC290000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2019-01-10 02:09:27,966 [root] DEBUG: DLL unloaded from 0x000007FEFC290000.
2019-01-10 02:09:27,966 [root] DEBUG: DLL loaded at 0x000007FEFC880000: C:\Windows\System32\wship6 (0x7000 bytes).
2019-01-10 02:09:29,105 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-01-10 02:09:40,821 [root] INFO: Notified of termination of process with pid 3068.
2019-01-10 02:09:40,835 [root] INFO: Announced 64-bit process name: notepad.exe pid: 2784
2019-01-10 02:09:40,835 [root] INFO: Added new process to list with pid: 2784
2019-01-10 02:09:40,835 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 02:09:40,835 [lib.api.process] INFO: 64-bit DLL to inject is C:\qfkgiskqi\dll\LhLfTm.dll, loader C:\qfkgiskqi\bin\uKkrGtey.exe
2019-01-10 02:09:40,867 [root] INFO: Process with pid 3068 has terminated
2019-01-10 02:09:40,867 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2784
2019-01-10 02:09:40,898 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 02:09:40,898 [root] DEBUG: Process dumps enabled.
2019-01-10 02:09:40,930 [root] INFO: Disabling sleep skipping.
2019-01-10 02:09:40,960 [root] WARNING: Unable to place hook on LockResource
2019-01-10 02:09:40,960 [root] WARNING: Unable to hook LockResource
2019-01-10 02:09:40,992 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2784 at 0x00000000742C0000, image base 0x0000000000400000, stack from 0x000000000018F000-0x00000000001A0000
2019-01-10 02:09:40,992 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\notepad.exe" -c "C:\ProgramData\migVCTGVwf\cfg".
2019-01-10 02:09:40,992 [root] INFO: Monitor successfully loaded in process with pid 2784.
2019-01-10 02:09:41,023 [root] DEBUG: DLL loaded at 0x000007FEFB9C0000: C:\Windows\system32\powrprof (0x2c000 bytes).
2019-01-10 02:09:41,039 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-01-10 02:09:41,039 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-01-10 02:09:41,055 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-01-10 02:09:41,069 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-01-10 02:09:41,085 [root] DEBUG: DLL loaded at 0x000007FEFC890000: C:\Windows\system32\mswsock (0x55000 bytes).
2019-01-10 02:09:41,101 [root] DEBUG: DLL loaded at 0x000007FEFC290000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2019-01-10 02:09:41,101 [root] DEBUG: DLL unloaded from 0x000007FEFC290000.
2019-01-10 02:09:41,117 [root] DEBUG: DLL loaded at 0x000007FEFC880000: C:\Windows\System32\wship6 (0x7000 bytes).
2019-01-10 02:09:41,881 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2019-01-10 02:09:49,993 [root] INFO: Announced 32-bit process name: cmd.exe pid: 1924
2019-01-10 02:09:49,993 [root] INFO: Added new process to list with pid: 1924
2019-01-10 02:09:49,993 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 02:09:50,009 [lib.api.process] INFO: 32-bit DLL to inject is C:\qfkgiskqi\dll\ACFnaTB.dll, loader C:\qfkgiskqi\bin\jnokiZw.exe
2019-01-10 02:09:50,055 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1924
2019-01-10 02:09:50,523 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 02:09:50,555 [root] DEBUG: Process dumps enabled.
2019-01-10 02:09:50,601 [root] INFO: Disabling sleep skipping.
2019-01-10 02:09:50,601 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1924 at 0x74480000, image base 0x4aa10000, stack from 0xa3000-0x1a0000
2019-01-10 02:09:50,601 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd.exe \C WScript "C:\ProgramData\migVCTGVwf\r.vbs".
2019-01-10 02:09:50,617 [root] INFO: Monitor successfully loaded in process with pid 1924.
2019-01-10 02:09:50,726 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-01-10 02:09:50,742 [root] INFO: Announced 32-bit process name: wscript.exe pid: 2132
2019-01-10 02:09:50,742 [root] INFO: Added new process to list with pid: 2132
2019-01-10 02:09:50,742 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 02:09:50,789 [lib.api.process] INFO: 32-bit DLL to inject is C:\qfkgiskqi\dll\ACFnaTB.dll, loader C:\qfkgiskqi\bin\jnokiZw.exe
2019-01-10 02:09:50,851 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2132
2019-01-10 02:09:50,882 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-01-10 02:09:50,928 [root] DEBUG: Process dumps enabled.
2019-01-10 02:09:50,976 [root] INFO: Disabling sleep skipping.
2019-01-10 02:09:50,976 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2132 at 0x74480000, image base 0x6a0000, stack from 0x2c6000-0x2d0000
2019-01-10 02:09:51,023 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\WScript  "C:\ProgramData\migVCTGVwf\r.vbs".
2019-01-10 02:09:51,053 [root] INFO: Monitor successfully loaded in process with pid 2132.
2019-01-10 02:09:51,490 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-01-10 02:09:51,538 [root] DEBUG: DLL unloaded from 0x006A0000.
2019-01-10 02:09:51,538 [root] DEBUG: DLL loaded at 0x74A10000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2019-01-10 02:09:51,631 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-01-10 02:09:51,647 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\SysWOW64\vbscript (0x6b000 bytes).
2019-01-10 02:09:51,677 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-01-10 02:09:51,724 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-01-10 02:09:51,724 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-01-10 02:09:51,772 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-01-10 02:09:51,819 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-01-10 02:09:51,819 [root] DEBUG: DLL loaded at 0x74A00000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2019-01-10 02:09:51,865 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-01-10 02:09:51,911 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2019-01-10 02:09:51,959 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2019-01-10 02:09:51,959 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-01-10 02:09:52,006 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes).
2019-01-10 02:09:52,052 [root] DEBUG: DLL loaded at 0x74420000: C:\Windows\system32\mlang (0x2e000 bytes).
2019-01-10 02:09:52,052 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-01-10 02:09:52,068 [root] DEBUG: DLL loaded at 0x743F0000: C:\Windows\SysWOW64\scrrun (0x2a000 bytes).
2019-01-10 02:09:52,098 [root] DEBUG: DLL unloaded from 0x74450000.
2019-01-10 02:09:52,145 [root] DEBUG: DLL unloaded from 0x743F0000.
2019-01-10 02:09:52,145 [root] DEBUG: DLL unloaded from 0x74420000.
2019-01-10 02:09:52,193 [root] DEBUG: DLL unloaded from 0x74800000.
2019-01-10 02:09:52,193 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2132
2019-01-10 02:09:52,240 [root] DEBUG: GetHookCallerBase: thread 2280 (handle 0x0), return address 0x006A2FBD, allocation base 0x006A0000.
2019-01-10 02:09:52,286 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x006A0000.
2019-01-10 02:09:52,286 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x006A0000.
2019-01-10 02:09:52,332 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002F3B.
2019-01-10 02:09:52,380 [root] INFO: Added new CAPE file to list with path: C:\JgsGLSR\CAPE\2132_15830373112101210412019
2019-01-10 02:09:52,380 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x22a00.
2019-01-10 02:09:52,427 [root] DEBUG: DLL unloaded from 0x75140000.
2019-01-10 02:09:52,427 [root] INFO: Notified of termination of process with pid 2132.
2019-01-10 02:09:52,536 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1924
2019-01-10 02:09:52,536 [root] DEBUG: GetHookCallerBase: thread 1124 (handle 0x0), return address 0x4AA17302, allocation base 0x4AA10000.
2019-01-10 02:09:52,536 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x4AA10000.
2019-01-10 02:09:52,598 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4AA10000.
2019-01-10 02:09:52,598 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2019-01-10 02:09:52,598 [root] INFO: Added new CAPE file to list with path: C:\JgsGLSR\CAPE\1924_10636260945291210412019
2019-01-10 02:09:52,661 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2019-01-10 02:09:52,661 [root] DEBUG: DLL unloaded from 0x75140000.
2019-01-10 02:09:52,661 [root] INFO: Notified of termination of process with pid 1924.
2019-01-10 02:09:53,082 [root] INFO: Process with pid 1924 has terminated
2019-01-10 02:09:54,111 [root] INFO: Process with pid 2132 has terminated
2019-01-10 02:10:34,671 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-01-10 02:10:34,671 [root] INFO: Created shutdown mutex.
2019-01-10 02:10:35,686 [root] INFO: Setting terminate event for process 2964.
2019-01-10 02:10:35,686 [root] DEBUG: Terminate Event: Attempting to dump process 2964
2019-01-10 02:10:35,700 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-01-10 02:10:35,763 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-01-10 02:10:35,763 [root] DEBUG: DumpProcess: Module entry point VA is 0x00004180.
2019-01-10 02:10:35,779 [root] INFO: Added new CAPE file to list with path: C:\JgsGLSR\CAPE\2964_7273337403510210412019
2019-01-10 02:10:35,795 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xca800.
2019-01-10 02:10:36,200 [root] INFO: Setting terminate event for process 2784.
2019-01-10 02:10:36,200 [root] DEBUG: Terminate Event: Attempting to dump process 2784
2019-01-10 02:10:36,200 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x0000000000400000.
2019-01-10 02:10:36,216 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000000400000.
2019-01-10 02:10:36,216 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000102B90.
2019-01-10 02:10:36,232 [root] INFO: Added new CAPE file to list with path: C:\JgsGLSR\CAPE\2784_17380514163610210412019
2019-01-10 02:10:36,246 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x102600.
2019-01-10 02:10:36,714 [root] INFO: Shutting down package.
2019-01-10 02:10:36,714 [root] INFO: Stopping auxiliary modules.
2019-01-10 02:10:36,714 [root] INFO: Finishing auxiliary modules.
2019-01-10 02:10:36,714 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-01-10 02:10:36,714 [root] INFO: Analysis completed.

MalScore

9.6

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-01-10 02:07:10
Shutdown On 2019-01-10 02:10:51

File Details

File Name 2019-01-08-Monero-coinminer.exe
File Size 1209856 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a14a3a3036a1706408443e28399a15c1
SHA1 6e5cf7cbfddca89f0f8e54b7ba8f169cf6769237
SHA256 b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d
SHA512 1c8543384b5f8a3e21ea4a6b6b0484b838b3c9f105bd5128d4ff970884a6c91e4674bf39f718185f45dd170ab7723af20eb06eb60965cfc557d7c9af7bb437d7
CRC32 E4E5533F
Ssdeep 24576:35mjsJNJuudqiKKES942zSl3DU0pqsDnRctBfdoJJlp/5LFYgNYpp6A3:35SstuCeS942G9DU0tRkfeJ/FqWYt3
TrID
  • 34.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  • 26.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 23.1% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 3.7% (.EXE) Win32 Executable (generic) (4508/7/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (1 unique times)
IP: 92.63.197.48:9090 (Russian Federation)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2964 triggered the Yara rule 'HeavensGate'
Hit: PID 2964 triggered the Yara rule 'UPX'
Possible date expiration check, exits too soon after checking local time
process: cmd.exe, PID 1924
Detected script timer window indicative of sleep style evasion
Window: WSH-Timer
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/AddVectoredExceptionHandler
DynamicLoader: kernel32.dll/AssignProcessToJobObject
DynamicLoader: kernel32.dll/CancelIo
DynamicLoader: kernel32.dll/CancelIoEx
DynamicLoader: kernel32.dll/CancelSynchronousIo
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/CreateHardLinkW
DynamicLoader: kernel32.dll/CreateIoCompletionPort
DynamicLoader: kernel32.dll/CreateJobObjectW
DynamicLoader: kernel32.dll/CreateNamedPipeA
DynamicLoader: kernel32.dll/CreateNamedPipeW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateSemaphoreA
DynamicLoader: kernel32.dll/CreateSemaphoreW
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/DebugBreak
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/DeviceIoControl
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/FillConsoleOutputAttribute
DynamicLoader: kernel32.dll/FillConsoleOutputCharacterW
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/FormatMessageA
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/GetConsoleCursorInfo
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleScreenBufferInfo
DynamicLoader: kernel32.dll/GetConsoleTitleW
DynamicLoader: kernel32.dll/GetConsoleWindow
DynamicLoader: kernel32.dll/GetCurrentDirectoryW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/GetFileInformationByHandle
DynamicLoader: kernel32.dll/GetFileSizeEx
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/GetFinalPathNameByHandleW
DynamicLoader: kernel32.dll/GetHandleInformation
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetNamedPipeHandleStateA
DynamicLoader: kernel32.dll/GetNumberOfConsoleInputEvents
DynamicLoader: kernel32.dll/GetPriorityClass
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetProcessAffinityMask
DynamicLoader: kernel32.dll/GetProcessIoCounters
DynamicLoader: kernel32.dll/GetProcessTimes
DynamicLoader: kernel32.dll/GetQueuedCompletionStatusEx
DynamicLoader: kernel32.dll/GetShortPathNameW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/GetSystemTimeAdjustment
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: kernel32.dll/GetThreadPriority
DynamicLoader: kernel32.dll/GetThreadTimes
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: kernel32.dll/InitializeConditionVariable
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/IsDBCSLeadByteEx
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/MoveFileExW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/OutputDebugStringA
DynamicLoader: kernel32.dll/PeekNamedPipe
DynamicLoader: kernel32.dll/PostQueuedCompletionStatus
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/QueryPerformanceFrequency
DynamicLoader: kernel32.dll/QueueUserWorkItem
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/ReOpenFile
DynamicLoader: kernel32.dll/ReadConsoleInputW
DynamicLoader: kernel32.dll/ReadConsoleW
DynamicLoader: kernel32.dll/ReadDirectoryChangesW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/RegisterWaitForSingleObject
DynamicLoader: kernel32.dll/ReleaseSemaphore
DynamicLoader: kernel32.dll/RemoveDirectoryW
DynamicLoader: kernel32.dll/RemoveVectoredExceptionHandler
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/RtlAddFunctionTable
DynamicLoader: kernel32.dll/RtlCaptureContext
DynamicLoader: kernel32.dll/RtlLookupFunctionEntry
DynamicLoader: kernel32.dll/RtlUnwindEx
DynamicLoader: kernel32.dll/RtlVirtualUnwind
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/SetConsoleCursorInfo
DynamicLoader: kernel32.dll/SetConsoleCursorPosition
DynamicLoader: kernel32.dll/SetConsoleMode
DynamicLoader: kernel32.dll/SetConsoleTextAttribute
DynamicLoader: kernel32.dll/SetConsoleTitleW
DynamicLoader: kernel32.dll/SetCurrentDirectoryW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SetFileCompletionNotificationModes
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/SetFileTime
DynamicLoader: kernel32.dll/SetHandleInformation
DynamicLoader: kernel32.dll/SetInformationJobObject
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/SetNamedPipeHandleState
DynamicLoader: kernel32.dll/SetPriorityClass
DynamicLoader: kernel32.dll/SetProcessAffinityMask
DynamicLoader: kernel32.dll/SetSystemTime
DynamicLoader: kernel32.dll/SetThreadAffinityMask
DynamicLoader: kernel32.dll/SetThreadContext
DynamicLoader: kernel32.dll/SetThreadPriority
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/SleepConditionVariableCS
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TryEnterCriticalSection
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/UnregisterWait
DynamicLoader: kernel32.dll/UnregisterWaitEx
DynamicLoader: kernel32.dll/VerSetConditionMask
DynamicLoader: kernel32.dll/VerifyVersionInfoA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/WaitNamedPipeW
DynamicLoader: kernel32.dll/WakeAllConditionVariable
DynamicLoader: kernel32.dll/WakeConditionVariable
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/WriteConsoleInputW
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/__C_specific_handler
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptGenRandom
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/GetSecurityInfo
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ADVAPI32.dll/LsaAddAccountRights
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/SetEntriesInAclA
DynamicLoader: ADVAPI32.dll/SetSecurityInfo
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceIndexToLuid
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceLuidToNameW
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: msvcrt.dll/___lc_codepage_func
DynamicLoader: msvcrt.dll/___mb_cur_max_func
DynamicLoader: msvcrt.dll/__argv
DynamicLoader: msvcrt.dll/__doserrno
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/__initenv
DynamicLoader: msvcrt.dll/__iob_func
DynamicLoader: msvcrt.dll/__lconv_init
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/_amsg_exit
DynamicLoader: msvcrt.dll/_beginthreadex
DynamicLoader: msvcrt.dll/_cexit
DynamicLoader: msvcrt.dll/_close
DynamicLoader: msvcrt.dll/_endthreadex
DynamicLoader: msvcrt.dll/_errno
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_fdopen
DynamicLoader: msvcrt.dll/_fmode
DynamicLoader: msvcrt.dll/_get_osfhandle
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/_localtime64
DynamicLoader: msvcrt.dll/_lock
DynamicLoader: msvcrt.dll/_lseeki64
DynamicLoader: msvcrt.dll/_onexit
DynamicLoader: msvcrt.dll/_open_osfhandle
DynamicLoader: msvcrt.dll/_read
DynamicLoader: msvcrt.dll/_setjmp
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/_strdup
DynamicLoader: msvcrt.dll/_stricmp
DynamicLoader: msvcrt.dll/_strnicmp
DynamicLoader: msvcrt.dll/_time64
DynamicLoader: msvcrt.dll/_ultoa
DynamicLoader: msvcrt.dll/_umask
DynamicLoader: msvcrt.dll/_unlock
DynamicLoader: msvcrt.dll/_vsnprintf
DynamicLoader: msvcrt.dll/_wchmod
DynamicLoader: msvcrt.dll/_wcsdup
DynamicLoader: msvcrt.dll/_wcsnicmp
DynamicLoader: msvcrt.dll/_wcsrev
DynamicLoader: msvcrt.dll/_wmkdir
DynamicLoader: msvcrt.dll/_write
DynamicLoader: msvcrt.dll/_wrmdir
DynamicLoader: msvcrt.dll/abort
DynamicLoader: msvcrt.dll/atoi
DynamicLoader: msvcrt.dll/calloc
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/fflush
DynamicLoader: msvcrt.dll/fopen
DynamicLoader: msvcrt.dll/fprintf
DynamicLoader: msvcrt.dll/fputc
DynamicLoader: msvcrt.dll/fputs
DynamicLoader: msvcrt.dll/fread
DynamicLoader: msvcrt.dll/free
DynamicLoader: msvcrt.dll/fwprintf
DynamicLoader: msvcrt.dll/fwrite
DynamicLoader: msvcrt.dll/getenv
DynamicLoader: msvcrt.dll/islower
DynamicLoader: msvcrt.dll/isspace
DynamicLoader: msvcrt.dll/isupper
DynamicLoader: msvcrt.dll/localeconv
DynamicLoader: msvcrt.dll/longjmp
DynamicLoader: msvcrt.dll/malloc
DynamicLoader: msvcrt.dll/memchr
DynamicLoader: msvcrt.dll/memcmp
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: msvcrt.dll/memmove
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/printf
DynamicLoader: msvcrt.dll/qsort
DynamicLoader: msvcrt.dll/raise
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/realloc
DynamicLoader: msvcrt.dll/signal
DynamicLoader: msvcrt.dll/sprintf
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/strchr
DynamicLoader: msvcrt.dll/strcmp
DynamicLoader: msvcrt.dll/strcpy
DynamicLoader: msvcrt.dll/strerror
DynamicLoader: msvcrt.dll/strlen
DynamicLoader: msvcrt.dll/strncmp
DynamicLoader: msvcrt.dll/strncpy
DynamicLoader: msvcrt.dll/strrchr
DynamicLoader: msvcrt.dll/strstr
DynamicLoader: msvcrt.dll/strtol
DynamicLoader: msvcrt.dll/strtoul
DynamicLoader: msvcrt.dll/vfprintf
DynamicLoader: msvcrt.dll/wcschr
DynamicLoader: msvcrt.dll/wcscpy
DynamicLoader: msvcrt.dll/wcslen
DynamicLoader: msvcrt.dll/wcsncmp
DynamicLoader: msvcrt.dll/wcsncpy
DynamicLoader: msvcrt.dll/wcspbrk
DynamicLoader: msvcrt.dll/wcsrchr
DynamicLoader: msvcrt.dll/wcstombs
DynamicLoader: PSAPI.DLL/GetProcessMemoryInfo
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/MapVirtualKeyW
DynamicLoader: USER32.dll/MessageBoxW
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSADuplicateSocketW
DynamicLoader: WS2_32.dll/WSAGetLastError
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSARecvFrom
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WS2_32.dll/WSASendTo
DynamicLoader: WS2_32.dll/WSASetLastError
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/WSAStartup
DynamicLoader: WS2_32.dll/bind
DynamicLoader: WS2_32.dll/closesocket
DynamicLoader: WS2_32.dll/gethostname
DynamicLoader: WS2_32.dll/getpeername
DynamicLoader: WS2_32.dll/getsockname
DynamicLoader: WS2_32.dll/getsockopt
DynamicLoader: WS2_32.dll/htonl
DynamicLoader: WS2_32.dll/htons
DynamicLoader: WS2_32.dll/ioctlsocket
DynamicLoader: WS2_32.dll/listen
DynamicLoader: WS2_32.dll/select
DynamicLoader: WS2_32.dll/setsockopt
DynamicLoader: WS2_32.dll/shutdown
DynamicLoader: WS2_32.dll/socket
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtDeviceIoControlFile
DynamicLoader: ntdll.dll/NtQueryInformationFile
DynamicLoader: ntdll.dll/NtSetInformationFile
DynamicLoader: ntdll.dll/NtQueryVolumeInformationFile
DynamicLoader: ntdll.dll/NtQueryDirectoryFile
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: powrprof.dll/PowerRegisterSuspendResumeNotification
DynamicLoader: USER32.dll/SetWinEventHook
DynamicLoader: ntdll.dll/RtlGetVersion
DynamicLoader: msvcrt.dll/_localtime64_s
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: OLEAUT32.dll/
Network anomalies occurred during the analysis.
Anomaly: '92.63.197.48' getaddrinfo with no actual connection to the IP.
Reads data out of its own binary image
self_read: process: wscript.exe, pid: 2132, offset: 0x00000000, length: 0x00000040
self_read: process: wscript.exe, pid: 2132, offset: 0x000000f0, length: 0x00000018
self_read: process: wscript.exe, pid: 2132, offset: 0x000001e8, length: 0x00000078
self_read: process: wscript.exe, pid: 2132, offset: 0x00018000, length: 0x00000020
self_read: process: wscript.exe, pid: 2132, offset: 0x00018058, length: 0x00000018
self_read: process: wscript.exe, pid: 2132, offset: 0x000181a8, length: 0x00000018
self_read: process: wscript.exe, pid: 2132, offset: 0x00018470, length: 0x00000010
self_read: process: wscript.exe, pid: 2132, offset: 0x00018640, length: 0x00000012
A scripting utility was executed
command: C:\Windows\system32\wscript.exe WScript "C:\ProgramData\migVCTGVwf\r.vbs"
Installs itself for autorun at Windows startup
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url
Creates a copy of itself
copy: C:\ProgramData\migVCTGVwf\winmgrcfg32
copy: C:\ProgramData\migVCTGVwf\winmgrcfg32.exe


Hosts

Direct  IP            Country Name
Y       92.63.197.48  Russian Federation

DNS

No domains contacted.


Summary

C:\Windows\sysnative\WSHTCPIP.DLL
C:\Windows\sysnative\wship6.dll
C:\Windows\sysnative\wshqos.dll
C:\ProgramData\migVCTGVwf\cfgi
C:\Windows\sysnative\tzres.dll
C:\ProgramData\migVCTGVwf\cfg
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\WScript.*
C:\Users\user\AppData\Local\Temp\WScript
C:\Windows\System32\WScript.*
C:\Windows\System32\wscript.COM
C:\Windows\System32\wscript.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\wscript.exe
C:\ProgramData\migVCTGVwf\r.vbs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url
C:\Windows\sysnative\wship6.dll
C:\Windows\sysnative\wshqos.dll
C:\ProgramData\migVCTGVwf\cfgi
C:\Windows\sysnative\tzres.dll
C:\ProgramData\migVCTGVwf\cfg
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\wscript.exe
C:\ProgramData\migVCTGVwf\r.vbs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Enabled
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\wscript.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\TrustPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\UseWINSAFER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Timeout
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CLASSES_ROOT\.vbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\(Default)
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine\(Default)
HKEY_CURRENT_USER\Software\Classes\VBScript
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript\CLSID\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\TrustPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\UseWINSAFER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Timeout
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript\CLSID\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
kernel32.dll.AddVectoredExceptionHandler
kernel32.dll.AssignProcessToJobObject
kernel32.dll.CancelIo
kernel32.dll.CancelIoEx
kernel32.dll.CancelSynchronousIo
kernel32.dll.CloseHandle
kernel32.dll.ConnectNamedPipe
kernel32.dll.CopyFileW
kernel32.dll.CreateDirectoryW
kernel32.dll.CreateEventA
kernel32.dll.CreateFileA
kernel32.dll.CreateFileW
kernel32.dll.CreateHardLinkW
kernel32.dll.CreateIoCompletionPort
kernel32.dll.CreateJobObjectW
kernel32.dll.CreateNamedPipeA
kernel32.dll.CreateNamedPipeW
kernel32.dll.CreateProcessW
kernel32.dll.CreateSemaphoreA
kernel32.dll.CreateSemaphoreW
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.DebugBreak
kernel32.dll.DeleteCriticalSection
kernel32.dll.DeviceIoControl
kernel32.dll.DuplicateHandle
kernel32.dll.EnterCriticalSection
kernel32.dll.FileTimeToSystemTime
kernel32.dll.FillConsoleOutputAttribute
kernel32.dll.FillConsoleOutputCharacterW
kernel32.dll.FlushFileBuffers
kernel32.dll.FormatMessageA
kernel32.dll.FreeConsole
kernel32.dll.GetConsoleCursorInfo
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleScreenBufferInfo
kernel32.dll.GetConsoleTitleW
kernel32.dll.GetConsoleWindow
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetCurrentThread
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetFileAttributesW
kernel32.dll.GetFileInformationByHandle
kernel32.dll.GetFileSizeEx
kernel32.dll.GetFileType
kernel32.dll.GetFinalPathNameByHandleW
kernel32.dll.GetHandleInformation
kernel32.dll.GetLastError
kernel32.dll.GetLongPathNameW
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetModuleHandleA
kernel32.dll.GetModuleHandleW
kernel32.dll.GetNamedPipeHandleStateA
kernel32.dll.GetNumberOfConsoleInputEvents
kernel32.dll.GetPriorityClass
kernel32.dll.GetProcAddress
kernel32.dll.GetProcessAffinityMask
kernel32.dll.GetProcessIoCounters
kernel32.dll.GetProcessTimes
kernel32.dll.GetQueuedCompletionStatusEx
kernel32.dll.GetShortPathNameW
kernel32.dll.GetStartupInfoA
kernel32.dll.GetStartupInfoW
kernel32.dll.GetStdHandle
kernel32.dll.GetSystemInfo
kernel32.dll.GetSystemTimeAdjustment
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetTempPathW
kernel32.dll.GetThreadContext
kernel32.dll.GetThreadPriority
kernel32.dll.GetThreadTimes
kernel32.dll.GetTickCount
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.InitializeConditionVariable
kernel32.dll.InitializeCriticalSection
kernel32.dll.IsDBCSLeadByteEx
kernel32.dll.IsDebuggerPresent
kernel32.dll.LCMapStringW
kernel32.dll.LeaveCriticalSection
kernel32.dll.LoadLibraryA
kernel32.dll.LocalAlloc
kernel32.dll.LocalFree
kernel32.dll.MoveFileExW
kernel32.dll.MultiByteToWideChar
kernel32.dll.OpenProcess
kernel32.dll.OutputDebugStringA
kernel32.dll.PeekNamedPipe
kernel32.dll.PostQueuedCompletionStatus
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.QueryPerformanceCounter
kernel32.dll.QueryPerformanceFrequency
kernel32.dll.QueueUserWorkItem
kernel32.dll.RaiseException
kernel32.dll.ReOpenFile
kernel32.dll.ReadConsoleInputW
kernel32.dll.ReadConsoleW
kernel32.dll.ReadDirectoryChangesW
kernel32.dll.ReadFile
kernel32.dll.RegisterWaitForSingleObject
kernel32.dll.ReleaseSemaphore
kernel32.dll.RemoveDirectoryW
kernel32.dll.RemoveVectoredExceptionHandler
kernel32.dll.ResetEvent
kernel32.dll.ResumeThread
kernel32.dll.RtlAddFunctionTable
kernel32.dll.RtlCaptureContext
kernel32.dll.RtlLookupFunctionEntry
kernel32.dll.RtlUnwindEx
kernel32.dll.RtlVirtualUnwind
kernel32.dll.SetConsoleCtrlHandler
kernel32.dll.SetConsoleCursorInfo
kernel32.dll.SetConsoleCursorPosition
kernel32.dll.SetConsoleMode
kernel32.dll.SetConsoleTextAttribute
kernel32.dll.SetConsoleTitleW
kernel32.dll.SetCurrentDirectoryW
kernel32.dll.SetEnvironmentVariableW
kernel32.dll.SetErrorMode
kernel32.dll.SetEvent
kernel32.dll.SetFileCompletionNotificationModes
kernel32.dll.SetFilePointerEx
kernel32.dll.SetFileTime
kernel32.dll.SetHandleInformation
kernel32.dll.SetInformationJobObject
kernel32.dll.SetLastError
kernel32.dll.SetNamedPipeHandleState
kernel32.dll.SetPriorityClass
kernel32.dll.SetProcessAffinityMask
kernel32.dll.SetSystemTime
kernel32.dll.SetThreadAffinityMask
kernel32.dll.SetThreadContext
kernel32.dll.SetThreadPriority
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.Sleep
kernel32.dll.SleepConditionVariableCS
kernel32.dll.SuspendThread
kernel32.dll.SwitchToThread
kernel32.dll.TerminateProcess
kernel32.dll.TlsAlloc
kernel32.dll.TlsFree
kernel32.dll.TlsGetValue
kernel32.dll.TlsSetValue
kernel32.dll.TryEnterCriticalSection
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.UnregisterWait
kernel32.dll.UnregisterWaitEx
kernel32.dll.VerSetConditionMask
kernel32.dll.VerifyVersionInfoA
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.VirtualProtect
kernel32.dll.VirtualQuery
kernel32.dll.WaitForMultipleObjects
kernel32.dll.WaitForSingleObject
kernel32.dll.WaitNamedPipeW
kernel32.dll.WakeAllConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WideCharToMultiByte
kernel32.dll.WriteConsoleInputW
kernel32.dll.WriteConsoleW
kernel32.dll.WriteFile
kernel32.dll.__C_specific_handler
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptGenRandom
advapi32.dll.CryptReleaseContext
advapi32.dll.FreeSid
advapi32.dll.GetSecurityInfo
advapi32.dll.GetTokenInformation
advapi32.dll.GetUserNameW
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.LsaAddAccountRights
advapi32.dll.LsaClose
advapi32.dll.LsaOpenPolicy
advapi32.dll.OpenProcessToken
advapi32.dll.RegCloseKey
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.SetEntriesInAclA
advapi32.dll.SetSecurityInfo
iphlpapi.dll.ConvertInterfaceIndexToLuid
iphlpapi.dll.ConvertInterfaceLuidToNameW
iphlpapi.dll.GetAdaptersAddresses
msvcrt.dll.___lc_codepage_func
msvcrt.dll.___mb_cur_max_func
msvcrt.dll.__argv
msvcrt.dll.__doserrno
msvcrt.dll.__getmainargs
msvcrt.dll.__initenv
msvcrt.dll.__iob_func
msvcrt.dll.__lconv_init
msvcrt.dll.__set_app_type
msvcrt.dll.__setusermatherr
msvcrt.dll._acmdln
msvcrt.dll._amsg_exit
msvcrt.dll._beginthreadex
msvcrt.dll._cexit
msvcrt.dll._close
msvcrt.dll._endthreadex
msvcrt.dll._errno
msvcrt.dll._exit
msvcrt.dll._fdopen
msvcrt.dll._fmode
msvcrt.dll._get_osfhandle
msvcrt.dll._initterm
msvcrt.dll._localtime64
msvcrt.dll._lock
msvcrt.dll._lseeki64
msvcrt.dll._onexit
msvcrt.dll._open_osfhandle
msvcrt.dll._read
msvcrt.dll._setjmp
msvcrt.dll._snwprintf
msvcrt.dll._strdup
msvcrt.dll._stricmp
msvcrt.dll._strnicmp
msvcrt.dll._time64
msvcrt.dll._ultoa
msvcrt.dll._umask
msvcrt.dll._unlock
msvcrt.dll._vsnprintf
msvcrt.dll._wchmod
msvcrt.dll._wcsdup
msvcrt.dll._wcsnicmp
msvcrt.dll._wcsrev
msvcrt.dll._wmkdir
msvcrt.dll._write
msvcrt.dll._wrmdir
msvcrt.dll.abort
msvcrt.dll.atoi
msvcrt.dll.calloc
msvcrt.dll.exit
msvcrt.dll.fflush
msvcrt.dll.fopen
msvcrt.dll.fprintf
msvcrt.dll.fputc
msvcrt.dll.fputs
msvcrt.dll.fread
msvcrt.dll.free
msvcrt.dll.fwprintf
msvcrt.dll.fwrite
msvcrt.dll.getenv
msvcrt.dll.islower
msvcrt.dll.isspace
msvcrt.dll.isupper
msvcrt.dll.localeconv
msvcrt.dll.longjmp
msvcrt.dll.malloc
msvcrt.dll.memchr
msvcrt.dll.memcmp
msvcrt.dll.memcpy
msvcrt.dll.memmove
msvcrt.dll.memset
msvcrt.dll.printf
msvcrt.dll.qsort
msvcrt.dll.raise
msvcrt.dll.rand
msvcrt.dll.realloc
msvcrt.dll.signal
msvcrt.dll.sprintf
msvcrt.dll.srand
msvcrt.dll.strchr
msvcrt.dll.strcmp
msvcrt.dll.strcpy
msvcrt.dll.strerror
msvcrt.dll.strlen
msvcrt.dll.strncmp
msvcrt.dll.strncpy
msvcrt.dll.strrchr
msvcrt.dll.strstr
msvcrt.dll.strtol
msvcrt.dll.strtoul
msvcrt.dll.vfprintf
msvcrt.dll.wcschr
msvcrt.dll.wcscpy
msvcrt.dll.wcslen
msvcrt.dll.wcsncmp
msvcrt.dll.wcsncpy
msvcrt.dll.wcspbrk
msvcrt.dll.wcsrchr
msvcrt.dll.wcstombs
psapi.dll.GetProcessMemoryInfo
user32.dll.DispatchMessageA
user32.dll.GetMessageA
user32.dll.MapVirtualKeyW
user32.dll.MessageBoxW
user32.dll.ShowWindow
user32.dll.TranslateMessage
userenv.dll.GetUserProfileDirectoryW
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSADuplicateSocketW
ws2_32.dll.WSAGetLastError
ws2_32.dll.WSAIoctl
ws2_32.dll.WSARecv
ws2_32.dll.WSARecvFrom
ws2_32.dll.WSASend
ws2_32.dll.WSASendTo
ws2_32.dll.WSASetLastError
ws2_32.dll.WSASocketW
ws2_32.dll.WSAStartup
ws2_32.dll.bind
ws2_32.dll.closesocket
ws2_32.dll.gethostname
ws2_32.dll.getpeername
ws2_32.dll.getsockname
ws2_32.dll.getsockopt
ws2_32.dll.htonl
ws2_32.dll.htons
ws2_32.dll.ioctlsocket
ws2_32.dll.listen
ws2_32.dll.select
ws2_32.dll.setsockopt
ws2_32.dll.shutdown
ws2_32.dll.socket
ntdll.dll.RtlNtStatusToDosError
ntdll.dll.NtDeviceIoControlFile
ntdll.dll.NtQueryInformationFile
ntdll.dll.NtSetInformationFile
ntdll.dll.NtQueryVolumeInformationFile
ntdll.dll.NtQueryDirectoryFile
ntdll.dll.NtQuerySystemInformation
user32.dll.SetWinEventHook
ntdll.dll.RtlGetVersion
msvcrt.dll._localtime64_s
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.SetConsoleInputExeNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
kernel32.dll.HeapSetInformation
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
ole32.dll.CoCreateInstance
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
ole32.dll.CLSIDFromProgIDEx
ole32.dll.CoGetClassObject
oleaut32.dll.#500
C:\Windows\system32\wscript.exe WScript "C:\ProgramData\migVCTGVwf\r.vbs"

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x0040612b
Reported Checksum 0x001328b9
Actual Checksum 0x001328b9
Minimum OS Version 5.1
Compile Time 2017-12-14 01:24:29
Import Hash 71c6ab99b3dbf86d2fc943483326b2af
Exported DLL Name \x8e\x01LookupPrivilegeNameA

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00013d9e 0x00013e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
.rdata 0x00015000 0x000042b2 0x00004400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.27
.data 0x0001a000 0x0010d7a8 0x0010ae00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.01
.rsrc 0x00128000 0x00001824 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.83
.reloc 0x0012a000 0x000026ba 0x00002800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.75

Imports

Library KERNEL32.dll:
0x415028 TerminateProcess
0x41502c GetCPInfoExW
0x415030 GetLastError
0x415034 GetProcAddress
0x41503c SetCommMask
0x415044 VirtualProtect
0x41504c DuplicateHandle
0x415050 TerminateThread
0x415058 GetThreadTimes
0x41505c lstrcpyA
0x415064 CreateFileA
0x415068 GetLocaleInfoW
0x41506c LoadLibraryA
0x415070 LoadLibraryW
0x415074 GlobalAlloc
0x415078 EscapeCommFunction
0x41507c GetDriveTypeA
0x415080 GetModuleHandleW
0x415084 GetCommProperties
0x415088 GetCurrentProcess
0x415090 SetComputerNameExA
0x415094 CloseHandle
0x415098 ExitProcess
0x41509c FlushFileBuffers
0x4150a0 WriteConsoleW
0x4150a4 GetConsoleOutputCP
0x4150a8 WriteConsoleA
0x4150b4 Sleep
0x4150c8 HeapFree
0x4150d4 IsDebuggerPresent
0x4150d8 GetCommandLineA
0x4150dc GetStartupInfoA
0x4150e0 RtlUnwind
0x4150e4 RaiseException
0x4150e8 LCMapStringA
0x4150ec WideCharToMultiByte
0x4150f0 MultiByteToWideChar
0x4150f4 LCMapStringW
0x4150f8 GetCPInfo
0x4150fc HeapAlloc
0x415100 HeapCreate
0x415104 VirtualFree
0x415108 VirtualAlloc
0x41510c HeapReAlloc
0x415110 TlsGetValue
0x415114 TlsAlloc
0x415118 TlsSetValue
0x41511c TlsFree
0x415120 SetLastError
0x415124 GetCurrentThreadId
0x415128 ReadFile
0x41512c WriteFile
0x415130 GetConsoleCP
0x415134 GetConsoleMode
0x415138 GetStdHandle
0x41513c GetModuleFileNameA
0x415150 SetHandleCount
0x415154 GetFileType
0x41515c GetTickCount
0x415160 GetCurrentProcessId
0x415168 HeapSize
0x41516c GetACP
0x415170 GetOEMCP
0x415174 IsValidCodePage
0x415178 GetUserDefaultLCID
0x41517c GetLocaleInfoA
0x415180 EnumSystemLocalesA
0x415184 IsValidLocale
0x415188 GetStringTypeA
0x41518c GetStringTypeW
0x415194 SetFilePointer
0x415198 SetStdHandle
Library USER32.dll:
0x4151a8 GetScrollRange
0x4151ac GetPropW
0x4151b0 PostMessageW
0x4151b4 GetFocus
0x4151b8 SetScrollRange
Library GDI32.dll:
0x41501c EndPath
0x415020 FillPath
Library ADVAPI32.dll:
0x415004 GetUserNameA
Library MSIMG32.dll:
0x4151a0 TransparentBlt
Library WINHTTP.dll:
0x4151c0 WinHttpOpen
0x4151c4 WinHttpCloseHandle

Exports

Ordinal Address Name
.text
`.rdata
@.data
.rsrc
@.reloc
bad allocation
string too long
invalid string position
Unknown exception
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
(null)
`h````
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
bad allocation
VirtualAlloc
Module32FirstW
zebazobupuyobumetelawefibudiwu
kernel
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
vector<T> too long
bad cast
ExitProcess
SetComputerNameExA
SetConsoleTextAttribute
GetCurrentProcess
GetCommProperties
GetModuleHandleW
EscapeCommFunction
GetDriveTypeA
GlobalAlloc
LoadLibraryW
TerminateThread
TerminateProcess
GetCPInfoExW
GetLastError
GetProcAddress
SetProcessWorkingSetSize
SetCommMask
GetProcessAffinityMask
VirtualProtect
CreateToolhelp32Snapshot
DuplicateHandle
CloseHandle
GetFileInformationByHandle
GetThreadTimes
lstrcpyA
LocalFileTimeToFileTime
KERNEL32.dll
GetPropW
GetScrollRange
SetScrollRange
GetFocus
PostMessageW
USER32.dll
FillPath
EndPath
GDI32.dll
SetSecurityDescriptorControl
LookupPrivilegeNameA
GetSecurityDescriptorControl
GetUserNameA
InitiateSystemShutdownW
GetSecurityDescriptorDacl
ADVAPI32.dll
TransparentBlt
MSIMG32.dll
WinHttpCloseHandle
WinHttpOpen
WINHTTP.dll
InterlockedIncrement
InterlockedDecrement
Sleep
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCommandLineA
GetStartupInfoA
RtlUnwind
RaiseException
LCMapStringA
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
GetCPInfo
HeapAlloc
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
ReadFile
WriteFile
GetConsoleCP
GetConsoleMode
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapSize
GetACP
GetOEMCP
IsValidCodePage
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
InitializeCriticalSectionAndSpinCount
SetFilePointer
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
LoadLibraryA
GetLocaleInfoW
CreateFileA
.?AV_Locimp@locale@std@@
.?AVout_of_range@std@@
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
.?AVtype_info@@
.?AVbad_exception@std@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AV?$ctype@D@std@@
.?AUctype_base@std@@
.?AVfacet@locale@std@@
.?AV?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$basic_iostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
.?AV?$_Iosb@H@std@@
.?AVios_base@std@@
lagobaji
kaledeticegodacegudohakomojewe hogidipo
.?AVruntime_error@std@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVfailure@ios_base@std@@
.?AVlength_error@std@@
.?AVbad_cast@std@@
.?AVbad_alloc@std@@
KERNEL32.DLL
(null)
mscoree.dll
kernel32.dll
rasularulegafefoji xejalugivocifawi zaletexirubodoxuyebu damozigohaxafazenevidizaho
VS_VERSION_INFO
StringFileInfo
457aa56b
InternalName
mudun.exe
ProductVersion
1.10.5.31
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree

  • notepad.exe 3068 -c "C:\ProgramData\migVCTGVwf\cfgi"
  • notepad.exe 2784 -c "C:\ProgramData\migVCTGVwf\cfg"
  • cmd.exe 1924 cmd.exe /C WScript "C:\ProgramData\migVCTGVwf\r.vbs"
    • wscript.exe 2132 WScript "C:\ProgramData\migVCTGVwf\r.vbs"

notepad.exe, PID: 3068, Parent PID: 2964
Full Path: C:\Windows\notepad.exe
Command Line: "C:\Windows\notepad.exe" -c "C:\ProgramData\migVCTGVwf\cfgi"
notepad.exe, PID: 2784, Parent PID: 2964
Full Path: C:\Windows\notepad.exe
Command Line: "C:\Windows\notepad.exe" -c "C:\ProgramData\migVCTGVwf\cfg"
cmd.exe, PID: 1924, Parent PID: 2964
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd.exe /C WScript "C:\ProgramData\migVCTGVwf\r.vbs"
wscript.exe, PID: 2132, Parent PID: 1924
Full Path: C:\Windows\SysWOW64\wscript.exe
Command Line: WScript "C:\ProgramData\migVCTGVwf\r.vbs"

Hosts

Direct IP Country Name
Y 92.63.197.48 [VT] Russian Federation

TCP

Source Source Port Destination Destination Port
192.168.35.21 49166 92.63.197.48 9090
192.168.35.21 49168 92.63.197.48 9090

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name cfgi
Associated Filenames
C:\ProgramData\migVCTGVwf\cfgi
File Size 796 bytes
File Type ASCII text, with very long lines, with no line terminators
MD5 ebaf862a61fb7073fe9f45fb771b4500
SHA1 fc213c17f7d1eb56619b245bcbdf9ffbe8b7592b
SHA256 da23baa96e9e8d0d2a3418d612bb6e61c290ed4d05c3eff58e4556a154c73a63
CRC32 B39E650F
Ssdeep 12:lCihPqWCTLIuoR6v7gBRM9+vz6Z6+tyOxjThSrUjPZsPkYE3C5rXshNupCPl4+WW:lCiIQRKPAaPhOUmPX0zW1pi3AJQWo
ClamAV None
Yara None matched
CAPE Yara None matched
File name cfg
Associated Filenames
C:\ProgramData\migVCTGVwf\cfg
File Size 796 bytes
File Type ASCII text, with very long lines, with no line terminators
MD5 385effdbfbacf088310238ed407b03f7
SHA1 b5d45516c0e132f355aa82aa67fcbcb740235afd
SHA256 a8459a8c7ff1c37d9b3731fc80219ef5802de5018061f49a3b59844c63b2f53f
CRC32 EC773836
Ssdeep 12:lCihPqWCTLIuoR6v7gBRM9+vz6Z6+tyOxjThtz0rUjPZsPkYE3C5rXshNupCPl4S:lCiIQRKPAaPhdAUmPX0zW1pi3AJQWo
ClamAV None
Yara None matched
CAPE Yara None matched
File name winmgrcfg32
Associated Filenames
C:\ProgramData\migVCTGVwf\winmgrcfg32
C:\ProgramData\migVCTGVwf\winmgrcfg32.exe
File Size 1209856 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a14a3a3036a1706408443e28399a15c1
SHA1 6e5cf7cbfddca89f0f8e54b7ba8f169cf6769237
SHA256 b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d
CRC32 E4E5533F
Ssdeep 24576:35mjsJNJuudqiKKES942zSl3DU0pqsDnRctBfdoJJlp/5LFYgNYpp6A3:35SstuCeS942G9DU0tRkfeJ/FqWYt3
ClamAV None
Yara None matched
CAPE Yara None matched
File name r.vbs
Associated Filenames
C:\ProgramData\migVCTGVwf\r.vbs
File Size 662 bytes
File Type data
MD5 d22e8b79faaa20a42f8dc75f14f5c73b
SHA1 987b6c3d701203b376afbc962d1d787d9c1ef6a8
SHA256 89ce2435a299d884d654a72fac9ac8b5fdf0c57015e8918ac129771e360ecbfc
CRC32 FA9FB6CF
Ssdeep 12:DJhvugypjBQMyoHQMJsW+jCRAbjMLiDHvhFkqy30mgZM3LCKKvbjhMzFlGFHkqm3:DJhLKyjCyjM6FNyEmgZMbaDjhMRlGFHi
ClamAV None
Yara None matched
CAPE Yara None matched
File name bAUnSdlCkw.url
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url
File Size 75 bytes
File Type MS Windows 95 Internet shortcut text (URL=< >), ASCII text, with CRLF line terminators
MD5 1bb370d3b6d4629347208410b8d2ae45
SHA1 b140baf8f73dc76128567f7316960a2df53658a1
SHA256 c51b1a9feae6da21da9e9005efdd2313560be5b97787aa8dd7dd01da55a1aead
CRC32 8D12CC6C
Ssdeep 3:HRAbABGQYm8h6rXZkRELWu/XGZJH:HRYFVm8hAW9iWZJ
ClamAV None
Yara None matched
CAPE Yara None matched
[InternetShortcut]
URL="file:///C:\ProgramData\migVCTGVwf\winmgrcfg32.exe"
Sorry! No CAPE files.
Process Name wscript.exe
PID 2132
Dump Size 141824 bytes
Module Path C:\Windows\SysWOW64\wscript.exe
Type PE image: 32-bit executable
MD5 0bee59126527cccec93fc4cc4c11754d
SHA1 575fe40ae6784c142d900b437bb4c4a7aebf35d2
SHA256 9fb252a44c1f2d9f89103fd88df2a3fc5187d6c5e00520c4776209833b7a7346
CRC32 CC06D1DD
Ssdeep 3072:/7v24IAUoFTUQNfTLymC4GqCDkc6dcLsjsm/CDkucr5Txt9x:/D24IAZrffV3cccojsmlNT5x
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 9fb252a44c1f2d9f89103fd88df2a3fc5187d6c5e00520c4776209833b7a7346
Process Name cmd.exe
PID 1924
Dump Size 302592 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
MD5 f0203d1d1890076d79609d18019a9192
SHA1 d8e87c21247ed2a0d81e530dffdb5162369faba4
SHA256 a3ec607c08ada54b9966e7a379ea2e3fbfdf760b95336481ba19b7845bef4efe
CRC32 34B76261
Ssdeep 3072:VGxOVtrey6A5tz0y9NIut9aVeBqtBbUHQkUQjyGez1c:Qx6trB5/HIAyeQBbUHQkUQmt+
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename a3ec607c08ada54b9966e7a379ea2e3fbfdf760b95336481ba19b7845bef4efe
Process Name 2019-01-08-Monero-coinminer.exe
PID 2964
Dump Size 829440 bytes
Module Path C:\Users\user\AppData\Local\Temp\2019-01-08-Monero-coinminer.exe
Type PE image: 32-bit executable
MD5 145feb343029cc6d57f64020cc268deb
SHA1 1c9e743d8766c0e4c287367ad6623935fa8b6347
SHA256 0674c5cb26cb0029c4677c2944ee2b355a864001437b98cf2043c6e42319d77f
CRC32 F7A981F8
Ssdeep 12288:nSCZy/c1lM7mBVk/PIPGzOCgChc/XS3XhASs/bladqjB4txSeH1:ZDM7mBoORCh4SBAqcBaxSeV
ClamAV None
Yara
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode
CAPE Yara
Dump Filename 0674c5cb26cb0029c4677c2944ee2b355a864001437b98cf2043c6e42319d77f
Process Name notepad.exe
PID 2784
Dump Size 1058304 bytes
Module Path C:\Windows\notepad.exe
Type PE image: 64-bit executable
MD5 d1bde34cae7ecfda84b8e9b00f776687
SHA1 67190c935a1657e9b8c389c433311929a13197cb
SHA256 ba6ac53879ce42dc7de39ab43bf7d57c9f830f8371eec0b5d2b1a021595bcf3f
CRC32 1407C63B
Ssdeep 24576:vL8VIOFrty92FiTr1ZnGpSHS7a97O83hGi3hd7hB3Y:D8VIOFrty92Fmr1Zn6MwaM83hGkhB3Y
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename ba6ac53879ce42dc7de39ab43bf7d57c9f830f8371eec0b5d2b1a021595bcf3f


Processing ( 14.482 seconds )

  • 6.042 BehaviorAnalysis
  • 3.269 CAPE
  • 1.825 ProcDump
  • 1.794 Static
  • 0.674 Dropped
  • 0.625 TargetInfo
  • 0.123 TrID
  • 0.076 Strings
  • 0.033 Deduplicate
  • 0.01 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.005 config_decoder
  • 0.001 Debug

Signatures ( 1.143 seconds )

  • 0.408 stealth_timeout
  • 0.384 api_spamming
  • 0.276 decoy_document
  • 0.01 antiav_detectreg
  • 0.004 malicious_dynamic_function_loading
  • 0.004 antiemu_wine_func
  • 0.004 dynamic_function_loading
  • 0.004 infostealer_ftp
  • 0.004 ransomware_files
  • 0.003 infostealer_browser_password
  • 0.003 persistence_autorun
  • 0.003 kovter_behavior
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 exploit_getbasekerneladdress
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 Doppelganging
  • 0.001 stealth_file
  • 0.001 injection_createremotethread
  • 0.001 mimics_filetime
  • 0.001 exploit_gethaldispatchtable
  • 0.001 InjectionCreateRemoteThread
  • 0.001 reads_self
  • 0.001 antivm_generic_disk
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 ransomware_message
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 29479
Mongo ID 5c36a9ccf28488708d44d265
Cuckoo release 1.3-CAPE