Excel File Drops Malicious Payload (2018-02-13) | Sequential Behavior
Try VMRay Analyzer
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files (x86)\microsoft office\office12\excel.exe |
| Command Line | "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:39, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:05 |
| Information | Value |
|---|---|
| PID | 0x930 |
| Parent PID | 0x44c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9B4
0x
9B0
0x
9AC
0x
9A8
0x
9A4
0x
9A0
0x
99C
0x
998
0x
994
0x
990
0x
98C
0x
988
0x
980
0x
97C
0x
974
0x
964
0x
95C
0x
958
0x
950
0x
94C
0x
948
0x
944
0x
934
0x
9C8
0x
9CC
0x
9D0
0x
9D4
0x
9D8
0x
9DC
0x
9E0
0x
9E4
0x
A38
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\local\temp\heidi.exe | 717.50 KB (734720 bytes) |
MD5:
a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac |
|
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\val[1].exe | 717.50 KB (734720 bytes) |
MD5:
a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac |
|
|
| c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | 96.00 KB (98304 bytes) |
MD5:
86b0d3bf293c31bdeff2b05ab254a73d
SHA1: 12ba75e806dfe5dcbca7823687f346fa2472ae4e SHA256: 8c96bbdc62be3d2d80f68c2b2a1bf722bed33b74215ede1b5f49eaca3012eced |
|
|
| c:\users\kft6utqw\appdata\roaming\microsoft\windows\cookies\index.dat | 32.00 KB (32768 bytes) |
MD5:
7c83dbeeb7811a904009ba7d48993c65
SHA1: 2923612b74c7443ffe8a54f4b2d1fe0bd6dae0bb SHA256: 33e7b8ec336fc1fc62e773ae74239f51b20e756958af32dbfc193a7cfa5f929b |
|
|
| c:\users\kft6utqw\appdata\local\microsoft\windows\history\history.ie5\index.dat | 48.00 KB (49152 bytes) |
MD5:
ef02ff50bdc43aeed96d1da34418794b
SHA1: fc6b4901d1575a9c013db2d9e2f3932d8a86b35f SHA256: 4e6dccaa3e91b08212ec5adef0881a0f13b739e8811d13a8bb75df85e2ee54c0 |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Filename | process_name = c:\program files (x86)\microsoft office\office12\excel.exe, file_name_orig = C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL, size = 260 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
56 | |
| System | Get Time | type = Local Time, time = 2018-02-14 02:17:01 (Local Time) |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
3 | |
| System | Get Time | type = Local Time, time = 2018-02-14 02:17:01 (Local Time) |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
2 | |
| System | Get Time | type = Local Time, time = 2018-02-14 02:17:01 (Local Time) |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
3 | |
| System | Get Time | type = Local Time, time = 2018-02-14 02:17:01 (Local Time) |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-02-14 02:17:01 (Local Time) |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
5 | |
| Module | Get Address | module_name = Unknown module name, function = HeapCreate, address_out = 0x76e04a2d |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = HeapAlloc, address_out = 0x77b8e026 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RtlMoveMemory, address_out = 0x77bc3c40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = EnumPropsA, address_out = 0x7598863e |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ExitProcess, address_out = 0x76e07a10 |
|
1 | |
| Module | Load | module_name = Urlmon, base_address = 0x77170000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = URLDownloadToFileW, address_out = 0x772066f6 |
|
1 | |
| Module | Load | module_name = Shell32, base_address = 0x76100000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ShellExecuteW, address_out = 0x76113c71 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ExpandEnvironmentStringsW, address_out = 0x76e04173 |
|
1 | |
| URL | Download | url = http://kdotraky.com/kat/val.exe, filename = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe |
|
1 | |
| File | Create | filename = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Process | Create | process_name = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, show_window = SW_SHOWNORMAL |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\users\kft6utqw\appdata\local\temp\heidi.exe |
| Command Line | "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:36 |
| Information | Value |
|---|---|
| PID | 0xa3c |
| Parent PID | 0x930 (c:\program files (x86)\microsoft office\office12\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A40
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, base_address = 0x400000 |
|
1 | |
| Keyboard | Get Info | type = 0, result_out = 4 |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Module | Get Filename | module_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, size = 261 |
|
1 | |
| Module | Get Filename | process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, size = 261 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Borland\Locales |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Borland\Locales |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
|
1 | |
| Module | Load | module_name = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.ENU, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.EN, base_address = 0x0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76df0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceExA, address_out = 0x76e8434f |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x757f0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VariantChangeTypeEx, address_out = 0x757f4c28 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x7586c802 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x7586ec66 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x75815934 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x7586d332 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x7586dbd4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x7586e405 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x7586f00a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x7586f15e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x75815a98 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x7586ecfa |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x7586ee2e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x7580b0dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarI4FromStr, address_out = 0x75806fab |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromStr, address_out = 0x758101a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarR8FromStr, address_out = 0x7580699e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromStr, address_out = 0x75816ba7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyFromStr, address_out = 0x75836c12 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarBoolFromStr, address_out = 0x7580dbd1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromCy, address_out = 0x75817fdc |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromDate, address_out = 0x75807a2a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromBool, address_out = 0x75810355 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75930000 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x75954413 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x75947d2f |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x7595451a |
|
1 | |
| Module | Get Filename | module_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, size = 256 |
|
1 | |
| Window | Create | window_name = heidi, class_name = TApplication, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = heidi, class_name = TApplication, index = 18446744073709551612, new_long = 1708015 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75930000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = AnimateWindow, address_out = 0x7595b531 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x73af0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitializeFlatSB, address_out = 0x73b2266f |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = UninitializeFlatSB, address_out = 0x73b22542 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollProp, address_out = 0x73b21d29 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollProp, address_out = 0x73b2238d |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_EnableScrollBar, address_out = 0x73b220c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_ShowScrollBar, address_out = 0x73b21fdb |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollRange, address_out = 0x73b21e8d |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollInfo, address_out = 0x73b21f0f |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollPos, address_out = 0x73b21ccd |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollPos, address_out = 0x73b2216d |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollInfo, address_out = 0x73b222be |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollRange, address_out = 0x73b221e2 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75930000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = SetLayeredWindowAttributes, address_out = 0x7596ec88 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ole32.dll, base_address = 0x75e10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstanceEx, address_out = 0x75e59d4e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x75e509ad |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoAddRefServerProcess, address_out = 0x75e73cf3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoReleaseServerProcess, address_out = 0x75e74314 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoResumeClassObjects, address_out = 0x75e1ea02 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoSuspendClassObjects, address_out = 0x75e7bb02 |
|
1 | |
| Module | Load | module_name = olepro32.dll, base_address = 0x75270000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\olepro32.dll, function = OleCreatePropertyFrame, address_out = 0x752720ea |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\olepro32.dll, function = OleCreateFontIndirect, address_out = 0x752720b7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\olepro32.dll, function = OleCreatePictureIndirect, address_out = 0x752720c8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\olepro32.dll, function = OleLoadPicture, address_out = 0x752720d9 |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
2 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| System | Sleep | duration = 206 milliseconds (0.206 seconds) |
|
1 | |
| System | Get Cursor | x_out = 1404, y_out = 317 |
|
1 | |
| System | Sleep | duration = 18 milliseconds (0.018 seconds) |
|
1 | |
| Module | Load | module_name = shell32, base_address = 0x76100000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = advapi32, base_address = 0x77330000 |
|
1 | |
| Module | Get Filename | module_name = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.EN, process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, size = 260 |
|
1 | |
| Debug | Check for Presence | c:\users\kft6utqw\appdata\local\temp\heidi.exe |
|
1 | |
| Debug | Check for Presence | c:\users\kft6utqw\appdata\local\temp\heidi.exe |
|
1 | |
| Module | Get Handle | module_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, base_address = 0x400000 |
|
237 | |
| Module | Unmap | - |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1636264 |
|
1 | |
| Module | Map | process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1ed0000 |
|
1 | |
| Module | Map | protection = PAGE_EXECUTE_READWRITE, address_out = 0x400000 |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1636264 |
|
1 | |
| Module | Map | protection = PAGE_EXECUTE_READWRITE, address_out = 0x1a0000 |
|
1 | |
| Module | Map | process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1c70000 |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\kft6utqw\appdata\local\temp\heidi.exe |
| Command Line | "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:26 |
| Information | Value |
|---|---|
| PID | 0xa70 |
| Parent PID | 0xa3c (c:\users\kft6utqw\appdata\local\temp\heidi.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A74
0x
A90
0x
A98
0x
A9C
0x
AEC
0x
B7C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x00220000 | 0x0025bfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| tzres.dll | 0x00230000 | 0x00230fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x00234fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000240000 | 0x00240000 | 0x00246fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000260000 | 0x00260000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
|
| heidi.exe | 0x00400000 | 0x004b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x004a1fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000980000 | 0x00980000 | 0x01d7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01d80000 | 0x0204efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002050000 | 0x02050000 | 0x0214ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002150000 | 0x02150000 | 0x02250fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002150000 | 0x02150000 | 0x0224ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002150000 | 0x02150000 | 0x021cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002200000 | 0x02200000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002300000 | 0x02300000 | 0x026f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002700000 | 0x02700000 | 0x02800fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002700000 | 0x02700000 | 0x027fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002800000 | 0x02800000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002900000 | 0x02900000 | 0x02b2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002af0000 | 0x02af0000 | 0x02b2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002b30000 | 0x02b30000 | 0x02c2ffff | Private Memory | Readable, Writable |
|
|
|
|
| wow64cpu.dll | 0x74ef0000 | 0x74ef7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x74f00000 | 0x74f5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74f60000 | 0x74f9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| freebl3.dll | 0x75140000 | 0x7518efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nssdbm3.dll | 0x75190000 | 0x751a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| softokn3.dll | 0x751b0000 | 0x751d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x751e0000 | 0x75248fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mozglue.dll | 0x75250000 | 0x75271fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x75280000 | 0x7533efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x75340000 | 0x75346fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x75350000 | 0x75381fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wshtcpip.dll | 0x75350000 | 0x75354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wship6.dll | 0x75360000 | 0x75365fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasadhlp.dll | 0x75370000 | 0x75375fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x75380000 | 0x753b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nss3.dll | 0x75390000 | 0x75544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x753c0000 | 0x753c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x753d0000 | 0x753ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x753f0000 | 0x75433fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x75440000 | 0x7547bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x75480000 | 0x75496fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samlib.dll | 0x754a0000 | 0x754b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samcli.dll | 0x754c0000 | 0x754cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x754d0000 | 0x754defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x754e0000 | 0x754f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x75500000 | 0x75508fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x75510000 | 0x75520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x75530000 | 0x7553afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| vaultcli.dll | 0x75540000 | 0x7554bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x75550000 | 0x7558afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x75590000 | 0x755a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756b0000 | 0x756bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756c0000 | 0x7571ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75720000 | 0x757ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x757f0000 | 0x7587efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75930000 | 0x75a2ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x75a60000 | 0x75abffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x75b90000 | 0x75cacfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x75e00000 | 0x75e0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75e10000 | 0x75f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76010000 | 0x760fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76100000 | 0x76d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76d50000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76df0000 | 0x76efffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76f00000 | 0x76f09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76f10000 | 0x76f66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x77330000 | 0x773cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x773d0000 | 0x77415fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77420000 | 0x774affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x774b0000 | 0x7755bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77700000 | 0x77718fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77720000 | 0x77754fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077760000 | 0x77760000 | 0x77859fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077860000 | 0x77860000 | 0x7797efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77980000 | 0x77b28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x77b30000 | 0x77b35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b60000 | 0x77cdffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #3: c:\users\kft6utqw\appdata\local\temp\heidi.exe | 0xa40 | address = 0x400000, size = 663552 |
|
1 | |
| Modify Memory | #3: c:\users\kft6utqw\appdata\local\temp\heidi.exe | 0xa40 | address = 0x1a0000, size = 4096 |
|
1 | |
| Modify Control Flow | #3: c:\users\kft6utqw\appdata\local\temp\heidi.exe | 0xa40 | os_tid = 0xa74, address = 0x1c70000 |
|
1 |
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\roaming\98e541\12eef2.exe | 717.50 KB (734720 bytes) |
MD5:
a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac |
|
|
| c:\users\kft6utqw\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1534390919-4215197118-2202912847-1000\31665589e43aaafc284e70c59b175d25_7c68ff26-a003-470d-b2af-255a5acd32f2 | 0.05 KB (49 bytes) |
MD5:
884bb48a55da67b4812805cb8905277d
SHA1: 6b3d33e00f5b9deae2826f80644cb4f6e78b7401 SHA256: 78877fa898f0b4c45c9c33ae941e40617ad7c8657a307db62bc5691f92f4f60e |
|
|
| c:\users\kft6utqw\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1534390919-4215197118-2202912847-1000\31665589e43aaafc284e70c59b175d25_7c68ff26-a003-470d-b2af-255a5acd32f2 | 0.05 KB (49 bytes) |
MD5:
5c2c94ca91d5485579b54b3a7b19b805
SHA1: 2c83b907fabea29308a58c94b3a9a128acd48ceb SHA256: 3cdf206ecf28d38a849329a7ff4e3acf3edc35a83f7692ef0074984dcbedb326 |
|
|
| c:\users\kft6utqw\appdata\roaming\98e541\12eef2.hdb | 0.00 KB (4 bytes) |
MD5:
aced026ed487b5cbb298f9ab09e6f1c1
SHA1: 1ceff0fbc90b0f2c6fab37bcde68f2a9170a7cf8 SHA256: c22bcce160e0645d030b554a30a0671bc2b2f30b1654dcd4111d871bb9c8e6bf |
|
|
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = SHELL32, base_address = 0x76100000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = OLEAUT32.dll, base_address = 0x757f0000 |
|
1 | |
| Module | Load | module_name = ws2_32.dll, base_address = 0x77720000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x75e10000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value_name = MachineGuid, data = 55 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
7 | |
| Mutex | Create | mutex_name = 73EE9CC98E5412EEF2B9A336 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main, value_name = Install Directory |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
2 | |
| Environment | Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x75390000 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x7544d70b |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x7544d13c |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x753e3c51 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x753e3333 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x753cd3ca |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x753e00a7 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x753ccbc4 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = SECITEM_FreeItem, address_out = 0x7544e656 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x75390000 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_finalize, address_out = 0x754c9f60 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_step, address_out = 0x754e5200 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_close, address_out = 0x754cbde0 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_text, address_out = 0x7549d400 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_open16, address_out = 0x754f1cd0 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_prepare_v2, address_out = 0x7547cea0 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x76100000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/p7ap74gw.default |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
2 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path |
|
1 | |
| Environment | Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup, value_name = SetupPath |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari, value_name = InstallDir |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x76100000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x76100000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| File | Create | filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 18432, size_out = 18432 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
13 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| System | Get Computer Name | result_out = XABNCPUWKW |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = NETAPI32, base_address = 0x75510000 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NetUserGetInfo, address_out = 0x754c1be2 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
3 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
5 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
2 | |
| DNS | Resolve Name | host = kdotraky.com, address_out = 101.99.75.184, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 101.99.75.184, remote_port = 80 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 248, size_out = 248 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = kdotraky.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 266, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 266, size_out = 266 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 179 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| File | Delete | filename = C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.hdb |
|
1 | |
| File | Create | filename = C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.hdb, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.hdb, size = 4 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
2 | |
| File | Delete | filename = C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.lck |
|
1 | |
| System | Get Computer Name | result_out = XABNCPUWKW |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = NETAPI32, base_address = 0x75510000 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NetUserGetInfo, address_out = 0x754c1be2 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
3 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
5 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
3 | |
| DNS | Resolve Name | host = ÅÐÐÑÐЯÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
5 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
2 | |
| DNS | Resolve Name | host = kdotraky.com, address_out = 101.99.75.184, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 101.99.75.184, remote_port = 80 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 248, size_out = 248 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = kdotraky.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 194, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 194, size_out = 194 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 179 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| File | Move | source_filename = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, destination_filename = C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.exe, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
7 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\������Д�������ќ��Ћ���Я����Й���Й��я��, value_name = 98E541, data = C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.exe |
|
1 | |
| System | Get Computer Name | result_out = XABNCPUWKW |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x75930000 |
|
1 | |
| Module | Load | module_name = NETAPI32, base_address = 0x75510000 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NetUserGetInfo, address_out = 0x754c1be2 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
3 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
5 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
2 | |
| DNS | Resolve Name | host = kdotraky.com, address_out = 101.99.75.184, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 101.99.75.184, remote_port = 80 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 248, size_out = 248 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = kdotraky.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 167, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 167, size_out = 167 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 157 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
5 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
3 | |
| DNS | Resolve Name | host = ÅÐÐÑÐЯÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x77330000 |
|
5 | |
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
2 | |
| DNS | Resolve Name | host = kdotraky.com, address_out = 101.99.75.184, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 101.99.75.184, remote_port = 80 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 248, size_out = 248 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = kdotraky.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 167, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 167, size_out = 167 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 157 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x76f10000 |
|
1 |
