Dynamic Analysis Report
Created on 2021-09-28T10:12:00

Sample: 7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a.exe.dll
File type: Windows DLL (x86-64)
Verdict: Malicious
Classifications: Spyware
Threat Names: Trojan.GenericKDZ.76753, Gen:Variant.Mikey.113998

Remarks (2/2)

(0x02000009): DLL files normally need to be submitted with an appropriate loader. Analysis result may be incomplete if an appropriate loader was not submitted.

(0x0200000E): The overall sleep time of all monitored processes was truncated from "5 hours, 20 seconds" to "4 minutes, 40 seconds" to reveal dormant functionality.

Files (5)

File: C:\Users\kEecfMwgj\Desktop\7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a.exe.dll (Sample File, Binary)
Verdict: malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 2.01 MB
MD5 a75be08d11b5028b6e0fa8be59676599
SHA1 c47a48e04dc10641df07dba7dbbb73602e6615aa
SHA256 7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a
SSDeep 12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
ImpHash 6668be91e2c948b183827f040944057f
AV Matches (1)
Trojan.GenericKDZ.76753: malicious
PE Information
Image Base 0x140000000
Entry Point 0x140041070
Size Of Code 0x41000
Size Of Initialized Data 0x1c0000
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2020-02-20 08:35:24+00:00
Version Information (8)
CompanyName Microsoft Corporati
FileDescription Background Intellig
FileVersion 7.5.7600.16385 (win7_rtm.090713-
InternalName bitsp
LegalCopyright © Microsoft Corporation. All rights reserv
OriginalFilename kbdy
ProductName Microsoft® Windows® Operating S
ProductVersion 6.1.7600
Sections (40)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140001000 0x40796 0x41000 0x1000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.73
.rdata 0x140042000 0x64f2c 0x65000 0x42000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.87
.data 0x1400a7000 0x178b8 0x18000 0xa7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.32
.pdata 0x1400bf000 0x12c 0x1000 0xbf000 IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.58
.rsrc 0x1400c0000 0x880 0x1000 0xc0000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.24
.reloc 0x1400c1000 0x2324 0x3000 0xc1000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 4.65
.qkm 0x1400c4000 0x74a 0x1000 0xc4000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.cvjb 0x1400c5000 0x1e66 0x2000 0xc5000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.tlmkv 0x1400c7000 0xbde 0x1000 0xc7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wucsxe 0x1400c8000 0x45174 0x46000 0xc8000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.fltwtj 0x14010e000 0x1267 0x2000 0x10e000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.sfplio 0x140110000 0x736 0x1000 0x110000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rpg 0x140111000 0x45174 0x46000 0x111000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.bewzc 0x140157000 0x1124 0x2000 0x157000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vksvaw 0x140159000 0x736 0x1000 0x159000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wmhg 0x14015a000 0x1278 0x2000 0x15a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kswemc 0x14015c000 0x36d 0x1000 0x15c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kaxfk 0x14015d000 0x197d 0x2000 0x15d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wualk 0x14015f000 0xbde 0x1000 0x15f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.qwqp 0x140160000 0x389 0x1000 0x160000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.txp 0x140161000 0x8fe 0x1000 0x161000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ezxpm 0x140162000 0x13e 0x1000 0x162000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kdkmc 0x140163000 0x736 0x1000 0x163000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vwqjj 0x140164000 0x23b 0x1000 0x164000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ute 0x140165000 0x9cd 0x1000 0x165000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.hzotrb 0x140166000 0x3ba 0x1000 0x166000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.mkb 0x140167000 0x1278 0x2000 0x167000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.plbi 0x140169000 0x23b 0x1000 0x169000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.dmwl 0x14016a000 0x2da 0x1000 0x16a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.qorltm 0x14016b000 0x141 0x1000 0x16b000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ubg 0x14016c000 0xbde 0x1000 0x16c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.lhm 0x14016d000 0x1f2a 0x2000 0x16d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wojiyd 0x14016f000 0x736 0x1000 0x16f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ekv 0x140170000 0x389 0x1000 0x170000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vmf 0x140171000 0x13e 0x1000 0x171000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rqv 0x140172000 0x197d 0x2000 0x172000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rseab 0x140174000 0x543 0x1000 0x174000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.pxtlo 0x140175000 0x45174 0x46000 0x175000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.nri 0x1401bb000 0x45174 0x46000 0x1bb000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.fcbpa 0x140201000 0x9cd 0x1000 0x201000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.03
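The section table above is the strongest static signal in this report: 40 sections where a normally linked image has five to eight, 34 of them with random-looking names, 33 of those with an entropy of 0.0 (zero-filled pages that only inflate the file to 2.01 MB) and several sharing the same virtual size (0x45174 four times, 0xbde and 0x736 three and four times), which points at template-generated padding rather than real data; meanwhile .text and .rdata sit at 7.73 and 7.87 bits per byte, which is what packed or encrypted content looks like. As an added example, not part of the VMRay report, the following Python parses section headers straight from a PE image, computes the entropy column the same way, and applies those triage rules. The image it runs on is a small PE32+ built in memory by build_test_image(), not the sample, and the thresholds (more than 12 sections, code entropy above 7.0, padding below 0.1) are the author's assumptions.

```python
"""Parse a PE section table and apply analyst triage rules to it.
Added example; the PE32+ image built by build_test_image() is constructed
here and is not the report's sample."""
import math
import random
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a normally linked MSVC image uses; anything else is worth a look.
KNOWN_SECTION_NAMES = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                       ".idata", ".edata", ".tls", ".bss", ".gfids", ".00cfg"}


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_offset: int
    flags: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> 40-byte section headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    first_hdr = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = first_hdr + 40 * i
        raw_name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", image, off)
        flags = struct.unpack_from("<I", image, off + 36)[0]   # Characteristics
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        body = image[roff:roff + rsize]
        sections.append(Section(name, vaddr, vsize, rsize, roff, flags, shannon_entropy(body)))
    return sections


def triage(sections: list) -> list:
    """Findings in the order an analyst would read them off the table."""
    findings = []
    if len(sections) > 12:
        findings.append(f"{len(sections)} sections (a normal MSVC image has about 5 to 8)")
    padding = 0
    for s in sections:
        if s.name not in KNOWN_SECTION_NAMES:
            findings.append(f"{s.name}: non-standard section name")
        if s.flags & IMAGE_SCN_CNT_CODE and s.entropy > 7.0:
            findings.append(f"{s.name}: code entropy {s.entropy:.2f}, packed or encrypted")
        if s.raw_size and s.entropy < 0.1:
            padding += s.raw_size
            findings.append(f"{s.name}: {s.raw_size:#x} raw bytes of near-constant padding")
        if s.flags & IMAGE_SCN_MEM_EXECUTE and s.flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s.name}: writable and executable")
    if padding:
        findings.append(f"{padding:#x} bytes of padding in total")
    return findings


def build_test_image() -> bytes:
    """Constructed PE32+ with a packed-looking .text, a plain .data and a
    zero-filled section with a random-looking name, like the table above."""
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(0x1000))      # high entropy
    data = (b"config=1;\0" * 410)[:0x1000]                         # low entropy
    specs = [(b".text", text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
             (b".data", data, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
             (b".qkm", b"\0" * 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)]
    e_lfanew, opt_size = 0x80, 240                                 # PE32+ optional header size
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(specs), 0, 0, 0, opt_size, 0x2022)  # amd64 DLL
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")          # PE32+ magic; rest unused here
    headers, bodies, va, roff = b"", b"", 0x1000, 0x1000
    for name, body, flags in specs:
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), va, len(body), roff, 0, 0, 0, 0, flags)
        bodies += body
        va, roff = va + 0x1000, roff + len(body)
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(0x1000, b"\0") + bodies


if __name__ == "__main__":
    for line in triage(parse_sections(build_test_image())):
        print(line)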
Imports (7)
USER32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LookupIconIdFromDirectoryEx - 0x140042098 0xa64c8 0xa64c8 0x205
WaitForInputIdle - 0x1400420a0 0xa64d0 0xa64d0 0x32e
GetParent - 0x1400420a8 0xa64d8 0xa64d8 0x166
GetFocus - 0x1400420b0 0xa64e0 0xa64e0 0x12e
SETUPAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CM_Get_Resource_Conflict_DetailsW - 0x140042078 0xa64a8 0xa64a8 0x8a
KERNEL32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeleteCriticalSection - 0x140042038 0xa6468 0xa6468 0xd2
DeleteTimerQueue - 0x140042040 0xa6470 0xa6470 0xd9
TerminateJobObject - 0x140042048 0xa6478 0xa6478 0x4cd
GetFileInformationByHandle - 0x140042050 0xa6480 0xa6480 0x1f3
GetThreadLocale - 0x140042058 0xa6488 0xa6488 0x293
GetNamedPipeServerProcessId - 0x140042060 0xa6490 0xa6490 0x229
GetConsoleFontSize - 0x140042068 0xa6498 0xa6498 0x1aa
GDI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateBitmapIndirect - 0x140042020 0xa6450 0xa6450 0x2b
GetPolyFillMode - 0x140042028 0xa6458 0xa6458 0x206
CRYPT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertGetCTLContextProperty - 0x140042010 0xa6440 0xa6440 0x44
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AddAccessDeniedObjectAce - 0x140042000 0xa6430 0xa6430 0x15
SHLWAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ChrCmpIW - 0x140042088 0xa64b8 0xa64b8 0xa
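All four binaries in this report carry the same ImpHash, 6668be91e2c948b183827f040944057f, although their MD5/SHA256 values differ, because the import table (17 functions from seven modules, an unrelated mix from CM_Get_Resource_Conflict_DetailsW to GetConsoleFontSize that no real program would need together) is identical in each. The import hash is an MD5 over the normalised import list, so it survives the byte-level re-stamping that changed the file hashes, and it is the value to pivot on when hunting for related samples. The following Python is an added example, not VMRay code, implementing the published recipe (module name lowercased with .dll/.ocx/.sys removed, a dot, the function name lowercased or ordN for ordinal-only imports, entries joined by commas in import-directory order, MD5) over the import list copied from the report. The report prints modules in an order that is not necessarily the import-directory order the hash is defined over, so the value is computed for both the listed order and the order the IAT addresses imply, and neither is claimed to equal the report's figure.

```python
"""Import hash (imphash) over an import table.  Added example, not VMRay
code; the import list is copied from the report above."""
import hashlib

# (module, function name or None, ordinal or None), in the order the report lists them
REPORT_IMPORTS = [
    ("USER32.dll", "LookupIconIdFromDirectoryEx", None),
    ("USER32.dll", "WaitForInputIdle", None),
    ("USER32.dll", "GetParent", None),
    ("USER32.dll", "GetFocus", None),
    ("SETUPAPI.dll", "CM_Get_Resource_Conflict_DetailsW", None),
    ("KERNEL32.dll", "DeleteCriticalSection", None),
    ("KERNEL32.dll", "DeleteTimerQueue", None),
    ("KERNEL32.dll", "TerminateJobObject", None),
    ("KERNEL32.dll", "GetFileInformationByHandle", None),
    ("KERNEL32.dll", "GetThreadLocale", None),
    ("KERNEL32.dll", "GetNamedPipeServerProcessId", None),
    ("KERNEL32.dll", "GetConsoleFontSize", None),
    ("GDI32.dll", "CreateBitmapIndirect", None),
    ("GDI32.dll", "GetPolyFillMode", None),
    ("CRYPT32.dll", "CertGetCTLContextProperty", None),
    ("ADVAPI32.dll", "AddAccessDeniedObjectAce", None),
    ("SHLWAPI.dll", "ChrCmpIW", None),
]


def normalize_module(module: str) -> str:
    """'KERNEL32.dll' -> 'kernel32'; only .dll, .ocx and .sys are stripped."""
    name = module.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_entry(module: str, func, ordinal) -> str:
    """One 'module.function' token.  Ordinal-only imports become 'module.ordN'
    (pefile additionally maps well-known ordinals of oleaut32/ws2_32/wsock32
    back to names; that table is omitted here)."""
    if func is None:
        if ordinal is None:
            raise ValueError("an import needs a name or an ordinal")
        return f"{normalize_module(module)}.ord{ordinal}"
    return f"{normalize_module(module)}.{func.lower()}"


def imphash_string(imports) -> str:
    """The exact string that gets hashed; useful when two tools disagree."""
    return ",".join(imphash_entry(*imp) for imp in imports)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def by_iat_order(imports):
    """Re-sort the report's list into the order its IAT addresses imply
    (ADVAPI32 at 0x140042000 first, USER32 at 0x140042098 last); the sort is
    stable, so functions keep their order within a module."""
    rank = {"ADVAPI32.dll": 0, "CRYPT32.dll": 1, "GDI32.dll": 2, "KERNEL32.dll": 3,
            "SETUPAPI.dll": 4, "SHLWAPI.dll": 5, "USER32.dll": 6}
    return sorted(imports, key=lambda imp: rank[imp[0]])


if __name__ == "__main__":
    print("report order:", imphash(REPORT_IMPORTS))
    print("IAT order   :", imphash(by_iat_order(REPORT_IMPORTS)))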
Exports (138)
Api name EAT Address Ordinal
BeginBufferedAnimation 0xe1c4 0x25
BeginBufferedPaint 0x34960 0x26
BeginPanningFeedback 0xdde8 0x5
BufferedPaintClear 0x3e2a0 0x27
BufferedPaintInit 0x11420 0x28
BufferedPaintRenderAnimation 0x27838 0x29
BufferedPaintSetAlpha 0x3c940 0x2a
BufferedPaintStopAllAnimations 0xd880 0x33
BufferedPaintUnInit 0xc8e8 0x34
CloseThemeData 0x2b608 0x35
DrawThemeBackground 0x333ec 0x36
DrawThemeBackgroundEx 0x377b0 0x2f
DrawThemeEdge 0x3fa10 0x37
DrawThemeIcon 0x182a8 0x38
DrawThemeParentBackground 0x278c 0x39
DrawThemeParentBackgroundEx 0x13d80 0x3a
DrawThemeText 0x13a38 0x3b
DrawThemeTextEx 0x5e30 0x46
EnableThemeDialogTexture 0xd0a0 0x47
EnableTheming 0x1596c 0x57
EndBufferedAnimation 0x1da4 0x58
EndBufferedPaint 0x22970 0x59
EndPanningFeedback 0x7acc 0x6
GetBufferedPaintBits 0x25dbc 0x5a
GetBufferedPaintDC 0x9a64 0x5b
GetBufferedPaintTargetDC 0x116c8 0x5c
GetBufferedPaintTargetRect 0xac90 0x5d
GetCurrentThemeName 0x1e7dc 0x5e
GetThemeAppProperties 0xe1e8 0x5f
GetThemeBackgroundContentRect 0x3c528 0x60
GetThemeBackgroundExtent 0x16f60 0x61
GetThemeBackgroundRegion 0x325d0 0x62
GetThemeBitmap 0xefcc 0x63
GetThemeBool 0x253cc 0x64
GetThemeColor 0x1af54 0x65
GetThemeDocumentationProperty 0x7628 0x66
GetThemeEnumValue 0x34af4 0x67
GetThemeFilename 0x1d0a4 0x68
GetThemeFont 0x446c 0x69
GetThemeInt 0x243b4 0x6a
GetThemeIntList 0x12d4c 0x6b
GetThemeMargins 0x3ddf0 0x6c
GetThemeMetric 0x31c30 0x6d
GetThemePartSize 0x1aa3c 0x6e
GetThemePosition 0x27f54 0x6f
GetThemePropertyOrigin 0x207b0 0x70
GetThemeRect 0xbb50 0x71
GetThemeStream 0x1e4bc 0x72
GetThemeString 0x3f730 0x73
GetThemeSysBool 0x32c84 0x74
GetThemeSysColor 0x1a024 0x75
GetThemeSysColorBrush 0x9020 0x76
GetThemeSysFont 0x251f0 0x77
GetThemeSysInt 0x11e80 0x78
GetThemeSysSize 0x21080 0x79
GetThemeSysString 0x2c904 0x7a
GetThemeTextExtent 0x288cc 0x7b
GetThemeTextMetrics 0xdb14 0x7c
GetThemeTransitionDuration 0x28b0 0x7d
GetWindowTheme 0x2f9c0 0x7e
HitTestThemeBackground 0x338b8 0x7f
IsAppThemed 0x1ae64 0x80
IsCompositionActive 0x2754c 0x81
IsThemeActive 0x2da10 0x82
IsThemeBackgroundPartiallyTransparent 0x14d68 0x83
IsThemeDialogTextureEnabled 0x14cac 0x84
IsThemePartDefined 0x1c1c 0x85
OpenThemeData 0x1d6c0 0x86
OpenThemeDataEx 0x21568 0x3d
SetThemeAppProperties 0x140a4 0x87
SetWindowTheme 0x1dd7c 0x88
SetWindowThemeAttribute 0x2b344 0x89
ThemeInitApiHook 0x1a594 0x8a
UpdatePanningFeedback 0x11150 0xc
(by ordinal) 0x2d28 0x1
(by ordinal) 0x40ff0 0x2
(by ordinal) 0x5f8c 0x3
(by ordinal) 0x20040 0x4
(by ordinal) 0x1e9c8 0x7
(by ordinal) 0x22218 0x8
(by ordinal) 0x1a3c8 0x9
(by ordinal) 0xbcd8 0xa
(by ordinal) 0x24ac4 0xb
(by ordinal) 0xff0c 0xd
(by ordinal) 0x4d98 0xe
(by ordinal) 0x2d784 0xf
(by ordinal) 0x3b768 0x10
(by ordinal) 0x2f888 0x11
(by ordinal) 0x194dc 0x12
(by ordinal) 0x9760 0x13
(by ordinal) 0xf23c 0x14
(by ordinal) 0x27b7c 0x15
(by ordinal) 0x336b4 0x16
(by ordinal) 0x2aec 0x17
(by ordinal) 0x27b0 0x18
(by ordinal) 0x1717c 0x19
(by ordinal) 0x29388 0x1a
(by ordinal) 0x26fb8 0x1b
(by ordinal) 0x1b7e8 0x1c
(by ordinal) 0x6d2c 0x1d
(by ordinal) 0x2f080 0x1e
(by ordinal) 0x9760 0x1f
(by ordinal) 0x1eb98 0x20
(by ordinal) 0xe378 0x21
(by ordinal) 0x1ae8c 0x22
(by ordinal) 0x8904 0x23
(by ordinal) 0x3eba0 0x24
(by ordinal) 0xef3c 0x2b
(by ordinal) 0x33624 0x2c
(by ordinal) 0xdd00 0x2d
(by ordinal) 0x16930 0x2e
(by ordinal) 0x31794 0x30
(by ordinal) 0x1a258 0x31
(by ordinal) 0x3558c 0x32
(by ordinal) 0x27b98 0x3c
(by ordinal) 0x1dca0 0x3e
(by ordinal) 0x35814 0x3f
(by ordinal) 0x1bbfc 0x40
(by ordinal) 0x25e08 0x41
(by ordinal) 0x348c0 0x42
(by ordinal) 0x40488 0x43
(by ordinal) 0x2b2f0 0x44
(by ordinal) 0x1d70 0x45
(by ordinal) 0x4010c 0x48
(by ordinal) 0x301a8 0x49
(by ordinal) 0x98a0 0x4a
(by ordinal) 0x16934 0x4b
(by ordinal) 0x1f978 0x4c
(by ordinal) 0x1074 0x4d
(by ordinal) 0x26170 0x4e
(by ordinal) 0x17158 0x4f
(by ordinal) 0x1d710 0x50
(by ordinal) 0x306d0 0x51
(by ordinal) 0x3f3ec 0x52
(by ordinal) 0x21158 0x53
(by ordinal) 0xe9a8 0x54
(by ordinal) 0x1d7d8 0x55
(by ordinal) 0x4054c 0x56
File: C:\Users\kEecfMwgj\AppData\Local\fg0b\VERSION.dll (Dropped File, Binary)
Verdict: malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 2.01 MB
MD5 d664762a3192245f257a7df006de4ce4
SHA1 cd2ef971f58baa85b190e77a31b131adde21aaab
SHA256 9f2e7cb50c729b34f490422bbadfbd10487505abc90a124221dfe34e9727c628
SSDeep 12288:TVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:CfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
ImpHash 6668be91e2c948b183827f040944057f
AV Matches (1)
Trojan.GenericKDZ.76753: malicious
PE Information
Image Base 0x140000000
Entry Point 0x140041070
Size Of Code 0x41000
Size Of Initialized Data 0x1c1000
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2020-02-20 08:35:24+00:00
Version Information (8)
CompanyName Microsoft Corporati
FileDescription Background Intellig
FileVersion 7.5.7600.16385 (win7_rtm.090713-
InternalName bitsp
LegalCopyright © Microsoft Corporation. All rights reserv
OriginalFilename kbdy
ProductName Microsoft® Windows® Operating S
ProductVersion 6.1.7600
Sections (41)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140001000 0x40796 0x41000 0x1000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.73
.rdata 0x140042000 0x64f2c 0x65000 0x42000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.87
.data 0x1400a7000 0x178b8 0x18000 0xa7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.32
.pdata 0x1400bf000 0x12c 0x1000 0xbf000 IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.58
.rsrc 0x1400c0000 0x880 0x1000 0xc0000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.24
.reloc 0x1400c1000 0x2324 0x3000 0xc1000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 4.65
.qkm 0x1400c4000 0x74a 0x1000 0xc4000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.cvjb 0x1400c5000 0x1e66 0x2000 0xc5000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.tlmkv 0x1400c7000 0xbde 0x1000 0xc7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wucsxe 0x1400c8000 0x45174 0x46000 0xc8000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.fltwtj 0x14010e000 0x1267 0x2000 0x10e000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.sfplio 0x140110000 0x736 0x1000 0x110000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rpg 0x140111000 0x45174 0x46000 0x111000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.bewzc 0x140157000 0x1124 0x2000 0x157000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vksvaw 0x140159000 0x736 0x1000 0x159000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wmhg 0x14015a000 0x1278 0x2000 0x15a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kswemc 0x14015c000 0x36d 0x1000 0x15c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kaxfk 0x14015d000 0x197d 0x2000 0x15d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wualk 0x14015f000 0xbde 0x1000 0x15f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.qwqp 0x140160000 0x389 0x1000 0x160000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.txp 0x140161000 0x8fe 0x1000 0x161000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ezxpm 0x140162000 0x13e 0x1000 0x162000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kdkmc 0x140163000 0x736 0x1000 0x163000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vwqjj 0x140164000 0x23b 0x1000 0x164000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ute 0x140165000 0x9cd 0x1000 0x165000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.hzotrb 0x140166000 0x3ba 0x1000 0x166000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.mkb 0x140167000 0x1278 0x2000 0x167000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.plbi 0x140169000 0x23b 0x1000 0x169000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.dmwl 0x14016a000 0x2da 0x1000 0x16a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.qorltm 0x14016b000 0x141 0x1000 0x16b000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ubg 0x14016c000 0xbde 0x1000 0x16c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.lhm 0x14016d000 0x1f2a 0x2000 0x16d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wojiyd 0x14016f000 0x736 0x1000 0x16f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ekv 0x140170000 0x389 0x1000 0x170000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vmf 0x140171000 0x13e 0x1000 0x171000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rqv 0x140172000 0x197d 0x2000 0x172000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rseab 0x140174000 0x543 0x1000 0x174000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.pxtlo 0x140175000 0x45174 0x46000 0x175000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.nri 0x1401bb000 0x45174 0x46000 0x1bb000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.fcbpa 0x140201000 0x9cd 0x1000 0x201000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rcidgv 0x140202000 0x1f7 0x1000 0x202000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.0
Imports (7)
USER32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LookupIconIdFromDirectoryEx - 0x140042098 0xa64c8 0xa64c8 0x205
WaitForInputIdle - 0x1400420a0 0xa64d0 0xa64d0 0x32e
GetParent - 0x1400420a8 0xa64d8 0xa64d8 0x166
GetFocus - 0x1400420b0 0xa64e0 0xa64e0 0x12e
SETUPAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CM_Get_Resource_Conflict_DetailsW - 0x140042078 0xa64a8 0xa64a8 0x8a
KERNEL32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeleteCriticalSection - 0x140042038 0xa6468 0xa6468 0xd2
DeleteTimerQueue - 0x140042040 0xa6470 0xa6470 0xd9
TerminateJobObject - 0x140042048 0xa6478 0xa6478 0x4cd
GetFileInformationByHandle - 0x140042050 0xa6480 0xa6480 0x1f3
GetThreadLocale - 0x140042058 0xa6488 0xa6488 0x293
GetNamedPipeServerProcessId - 0x140042060 0xa6490 0xa6490 0x229
GetConsoleFontSize - 0x140042068 0xa6498 0xa6498 0x1aa
GDI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateBitmapIndirect - 0x140042020 0xa6450 0xa6450 0x2b
GetPolyFillMode - 0x140042028 0xa6458 0xa6458 0x206
CRYPT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertGetCTLContextProperty - 0x140042010 0xa6440 0xa6440 0x44
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AddAccessDeniedObjectAce - 0x140042000 0xa6430 0xa6430 0x15
SHLWAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ChrCmpIW - 0x140042088 0xa64b8 0xa64b8 0xa
Exports (15)
Api name EAT Address Ordinal
GetFileVersionInfoA 0x12a34 0x1
GetFileVersionInfoByHandle 0x3cfc0 0x2
GetFileVersionInfoExW 0x18294 0x3
GetFileVersionInfoSizeA 0x5824 0x4
GetFileVersionInfoSizeExW 0x8594 0x5
GetFileVersionInfoSizeW 0x2e530 0x6
GetFileVersionInfoW 0x3ade0 0x7
VerFindFileA 0x19014 0x8
VerFindFileW 0x2f358 0x9
VerInstallFileA 0x18fe4 0xa
VerInstallFileW 0xd4e0 0xb
VerLanguageNameA 0x1abd0 0xc
VerLanguageNameW 0x2a5e0 0xd
VerQueryValueA 0x2082c 0xe
VerQueryValueW 0x315f0 0xf
File: C:\Users\kEecfMwgj\AppData\Local\dOFgn\VERSION.dll (Dropped File, Binary)
Verdict: malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 2.01 MB
MD5 783c659975e53e4362d06d7c501a3d0e
SHA1 ad69c5e442c73974a565f2c9fe8f304bbda3e53c
SHA256 6747894733b6d3a4ba11585dc5c7b14fec22babd70dea0d19124a6c2210a6a8f
SSDeep 12288:xVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:AfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
ImpHash 6668be91e2c948b183827f040944057f
AV Matches (1)
Trojan.GenericKDZ.76753: malicious
PE Information
Image Base 0x140000000
Entry Point 0x140041070
Size Of Code 0x41000
Size Of Initialized Data 0x1c1000
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2020-02-20 08:35:24+00:00
Version Information (8)
CompanyName Microsoft Corporati
FileDescription Background Intellig
FileVersion 7.5.7600.16385 (win7_rtm.090713-
InternalName bitsp
LegalCopyright © Microsoft Corporation. All rights reserv
OriginalFilename kbdy
ProductName Microsoft® Windows® Operating S
ProductVersion 6.1.7600
Sections (41)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140001000 0x40796 0x41000 0x1000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.73
.rdata 0x140042000 0x64f2c 0x65000 0x42000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.87
.data 0x1400a7000 0x178b8 0x18000 0xa7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.32
.pdata 0x1400bf000 0x12c 0x1000 0xbf000 IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.58
.rsrc 0x1400c0000 0x880 0x1000 0xc0000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.24
.reloc 0x1400c1000 0x2324 0x3000 0xc1000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 4.65
.qkm 0x1400c4000 0x74a 0x1000 0xc4000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.cvjb 0x1400c5000 0x1e66 0x2000 0xc5000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.tlmkv 0x1400c7000 0xbde 0x1000 0xc7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wucsxe 0x1400c8000 0x45174 0x46000 0xc8000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.fltwtj 0x14010e000 0x1267 0x2000 0x10e000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.sfplio 0x140110000 0x736 0x1000 0x110000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rpg 0x140111000 0x45174 0x46000 0x111000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.bewzc 0x140157000 0x1124 0x2000 0x157000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vksvaw 0x140159000 0x736 0x1000 0x159000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wmhg 0x14015a000 0x1278 0x2000 0x15a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kswemc 0x14015c000 0x36d 0x1000 0x15c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kaxfk 0x14015d000 0x197d 0x2000 0x15d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wualk 0x14015f000 0xbde 0x1000 0x15f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.qwqp 0x140160000 0x389 0x1000 0x160000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.txp 0x140161000 0x8fe 0x1000 0x161000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ezxpm 0x140162000 0x13e 0x1000 0x162000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kdkmc 0x140163000 0x736 0x1000 0x163000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vwqjj 0x140164000 0x23b 0x1000 0x164000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ute 0x140165000 0x9cd 0x1000 0x165000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.hzotrb 0x140166000 0x3ba 0x1000 0x166000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.mkb 0x140167000 0x1278 0x2000 0x167000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.plbi 0x140169000 0x23b 0x1000 0x169000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.dmwl 0x14016a000 0x2da 0x1000 0x16a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.qorltm 0x14016b000 0x141 0x1000 0x16b000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ubg 0x14016c000 0xbde 0x1000 0x16c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.lhm 0x14016d000 0x1f2a 0x2000 0x16d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wojiyd 0x14016f000 0x736 0x1000 0x16f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ekv 0x140170000 0x389 0x1000 0x170000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vmf 0x140171000 0x13e 0x1000 0x171000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rqv 0x140172000 0x197d 0x2000 0x172000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rseab 0x140174000 0x543 0x1000 0x174000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.pxtlo 0x140175000 0x45174 0x46000 0x175000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.nri 0x1401bb000 0x45174 0x46000 0x1bb000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.fcbpa 0x140201000 0x9cd 0x1000 0x201000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.xjiyqt 0x140202000 0x1f7 0x1000 0x202000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.99
Imports (7)
USER32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LookupIconIdFromDirectoryEx - 0x140042098 0xa64c8 0xa64c8 0x205
WaitForInputIdle - 0x1400420a0 0xa64d0 0xa64d0 0x32e
GetParent - 0x1400420a8 0xa64d8 0xa64d8 0x166
GetFocus - 0x1400420b0 0xa64e0 0xa64e0 0x12e
SETUPAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CM_Get_Resource_Conflict_DetailsW - 0x140042078 0xa64a8 0xa64a8 0x8a
KERNEL32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeleteCriticalSection - 0x140042038 0xa6468 0xa6468 0xd2
DeleteTimerQueue - 0x140042040 0xa6470 0xa6470 0xd9
TerminateJobObject - 0x140042048 0xa6478 0xa6478 0x4cd
GetFileInformationByHandle - 0x140042050 0xa6480 0xa6480 0x1f3
GetThreadLocale - 0x140042058 0xa6488 0xa6488 0x293
GetNamedPipeServerProcessId - 0x140042060 0xa6490 0xa6490 0x229
GetConsoleFontSize - 0x140042068 0xa6498 0xa6498 0x1aa
GDI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateBitmapIndirect - 0x140042020 0xa6450 0xa6450 0x2b
GetPolyFillMode - 0x140042028 0xa6458 0xa6458 0x206
CRYPT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertGetCTLContextProperty - 0x140042010 0xa6440 0xa6440 0x44
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AddAccessDeniedObjectAce - 0x140042000 0xa6430 0xa6430 0x15
SHLWAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ChrCmpIW - 0x140042088 0xa64b8 0xa64b8 0xa
Exports (15)
Api name EAT Address Ordinal
GetFileVersionInfoA 0x384b0 0x1
GetFileVersionInfoByHandle 0x17c78 0x2
GetFileVersionInfoExW 0x208f4 0x3
GetFileVersionInfoSizeA 0x26e70 0x4
GetFileVersionInfoSizeExW 0x338f0 0x5
GetFileVersionInfoSizeW 0x40a84 0x6
GetFileVersionInfoW 0x2d4e8 0x7
VerFindFileA 0x78e0 0x8
VerFindFileW 0x1d464 0x9
VerInstallFileA 0x20b08 0xa
VerInstallFileW 0x31b3c 0xb
VerLanguageNameA 0x3dc2c 0xc
VerLanguageNameW 0x11804 0xd
VerQueryValueA 0xff44 0xe
VerQueryValueW 0x1b834 0xf
File: C:\Users\kEecfMwgj\AppData\Local\CtP9RYDd\VERSION.dll (Dropped File, Binary)
Verdict: malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 2.01 MB
MD5 8d72313d8aad05291308a3d5bcf29f50
SHA1 6228458bfe7c9152d1ccc49481b0dc6439a9f570
SHA256 6db6518c8bddc3986a8d19aadfa6594239f5a332d7405802a7a77afb9844b56c
SSDeep 12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
ImpHash 6668be91e2c948b183827f040944057f
AV Matches (1)
Trojan.GenericKDZ.76753: malicious
PE Information
Image Base 0x140000000
Entry Point 0x140041070
Size Of Code 0x41000
Size Of Initialized Data 0x1c1000
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2020-02-20 08:35:24+00:00
Version Information (8)
CompanyName Microsoft Corporati
FileDescription Background Intellig
FileVersion 7.5.7600.16385 (win7_rtm.090713-
InternalName bitsp
LegalCopyright © Microsoft Corporation. All rights reserv
OriginalFilename kbdy
ProductName Microsoft® Windows® Operating S
ProductVersion 6.1.7600
Sections (41)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140001000 0x40796 0x41000 0x1000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.73
.rdata 0x140042000 0x64f2c 0x65000 0x42000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.87
.data 0x1400a7000 0x178b8 0x18000 0xa7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.32
.pdata 0x1400bf000 0x12c 0x1000 0xbf000 IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.58
.rsrc 0x1400c0000 0x880 0x1000 0xc0000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.24
.reloc 0x1400c1000 0x2324 0x3000 0xc1000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 4.65
.qkm 0x1400c4000 0x74a 0x1000 0xc4000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.cvjb 0x1400c5000 0x1e66 0x2000 0xc5000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.tlmkv 0x1400c7000 0xbde 0x1000 0xc7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wucsxe 0x1400c8000 0x45174 0x46000 0xc8000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.fltwtj 0x14010e000 0x1267 0x2000 0x10e000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.sfplio 0x140110000 0x736 0x1000 0x110000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rpg 0x140111000 0x45174 0x46000 0x111000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.bewzc 0x140157000 0x1124 0x2000 0x157000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vksvaw 0x140159000 0x736 0x1000 0x159000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wmhg 0x14015a000 0x1278 0x2000 0x15a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kswemc 0x14015c000 0x36d 0x1000 0x15c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kaxfk 0x14015d000 0x197d 0x2000 0x15d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wualk 0x14015f000 0xbde 0x1000 0x15f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.qwqp 0x140160000 0x389 0x1000 0x160000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.txp 0x140161000 0x8fe 0x1000 0x161000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ezxpm 0x140162000 0x13e 0x1000 0x162000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kdkmc 0x140163000 0x736 0x1000 0x163000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vwqjj 0x140164000 0x23b 0x1000 0x164000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ute 0x140165000 0x9cd 0x1000 0x165000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.hzotrb 0x140166000 0x3ba 0x1000 0x166000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.mkb 0x140167000 0x1278 0x2000 0x167000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.plbi 0x140169000 0x23b 0x1000 0x169000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.dmwl 0x14016a000 0x2da 0x1000 0x16a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.qorltm 0x14016b000 0x141 0x1000 0x16b000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ubg 0x14016c000 0xbde 0x1000 0x16c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.lhm 0x14016d000 0x1f2a 0x2000 0x16d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.wojiyd 0x14016f000 0x736 0x1000 0x16f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.ekv 0x140170000 0x389 0x1000 0x170000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.vmf 0x140171000 0x13e 0x1000 0x171000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rqv 0x140172000 0x197d 0x2000 0x172000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.rseab 0x140174000 0x543 0x1000 0x174000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.pxtlo 0x140175000 0x45174 0x46000 0x175000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.nri 0x1401bb000 0x45174 0x46000 0x1bb000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.fcbpa 0x140201000 0x9cd 0x1000 0x201000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.kdcwn 0x140202000 0x1f7 0x1000 0x202000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.99
Imports (7)
USER32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LookupIconIdFromDirectoryEx - 0x140042098 0xa64c8 0xa64c8 0x205
WaitForInputIdle - 0x1400420a0 0xa64d0 0xa64d0 0x32e
GetParent - 0x1400420a8 0xa64d8 0xa64d8 0x166
GetFocus - 0x1400420b0 0xa64e0 0xa64e0 0x12e
SETUPAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CM_Get_Resource_Conflict_DetailsW - 0x140042078 0xa64a8 0xa64a8 0x8a
KERNEL32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeleteCriticalSection - 0x140042038 0xa6468 0xa6468 0xd2
DeleteTimerQueue - 0x140042040 0xa6470 0xa6470 0xd9
TerminateJobObject - 0x140042048 0xa6478 0xa6478 0x4cd
GetFileInformationByHandle - 0x140042050 0xa6480 0xa6480 0x1f3
GetThreadLocale - 0x140042058 0xa6488 0xa6488 0x293
GetNamedPipeServerProcessId - 0x140042060 0xa6490 0xa6490 0x229
GetConsoleFontSize - 0x140042068 0xa6498 0xa6498 0x1aa
GDI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateBitmapIndirect - 0x140042020 0xa6450 0xa6450 0x2b
GetPolyFillMode - 0x140042028 0xa6458 0xa6458 0x206
CRYPT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertGetCTLContextProperty - 0x140042010 0xa6440 0xa6440 0x44
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AddAccessDeniedObjectAce - 0x140042000 0xa6430 0xa6430 0x15
SHLWAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ChrCmpIW - 0x140042088 0xa64b8 0xa64b8 0xa
Exports (15)
Api name EAT Address Ordinal
GetFileVersionInfoA 0xadbc 0x1
GetFileVersionInfoByHandle 0x2180c 0x2
GetFileVersionInfoExW 0x1449c 0x3
GetFileVersionInfoSizeA 0xfd1c 0x4
GetFileVersionInfoSizeExW 0x29c80 0x5
GetFileVersionInfoSizeW 0x36b98 0x6
GetFileVersionInfoW 0x3969c 0x7
VerFindFileA 0x239c8 0x8
VerFindFileW 0x2dd30 0x9
VerInstallFileA 0xfcc0 0xa
VerInstallFileW 0x10638 0xb
VerLanguageNameA 0x395a8 0xc
VerLanguageNameW 0x3756c 0xd
VerQueryValueA 0x2bd78 0xe
VerQueryValueW 0x21c1c 0xf
\\?\C:\Windows \system32\WindowsAnytimeUpgrade.exe Dropped File Binary
suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 251.50 KB
MD5 b43e389b4654ae92e5d0ce96b918c8bd
SHA1 72c0f463e1435db164c6ac37ff6df65c58b01fbc
SHA256 1018c9e81abe5a4a5eada97fc92a6561e3be13bf5a8eaa1be6d7226cbc9e9f7e
SSDeep 6144:uFWOHVQ73GpKQAWGP6iRgjhuYp7OlB8YXGuv:ZdGpJA3VDYtZEGuv
ImpHash 4ec1c1d5958befa2d31bcf6170031dce
PE Information
Image Base 0x100000000
Entry Point 0x100008804
Size Of Code 0xa000
Size Of Initialized Data 0x35000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.amd64
Compile Timestamp 2009-07-13 23:56:05+00:00
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Windows Anytime Upgrade
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName Windows Anytime Upgrade
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename WindowsAnytimeUpgrade.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x100001000 0x9e2c 0xa000 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.57
.data 0x10000b000 0x918 0x400 0xa400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.24
.pdata 0x10000c000 0x36c 0x400 0xa800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.67
.rsrc 0x10000d000 0x33ea8 0x34000 0xac00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.05
.reloc 0x100041000 0x1ec 0x200 0x3ec00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.8
Imports (9)
ADVAPI32.dll (19)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegOpenKeyExW - 0x100001000 0xa2e8 0x96e8 0x261
RegQueryValueExW - 0x100001008 0xa2f0 0x96f0 0x26e
RegCloseKey - 0x100001010 0xa2f8 0x96f8 0x230
RegCreateKeyExW - 0x100001018 0xa300 0x9700 0x239
RegSetValueExW - 0x100001020 0xa308 0x9708 0x27e
OpenProcessToken - 0x100001028 0xa310 0x9710 0x1f7
LookupPrivilegeValueW - 0x100001030 0xa318 0x9718 0x197
AdjustTokenPrivileges - 0x100001038 0xa320 0x9720 0x1f
InitializeSecurityDescriptor - 0x100001040 0xa328 0x9728 0x177
CreateWellKnownSid - 0x100001048 0xa330 0x9730 0x83
SetEntriesInAclW - 0x100001050 0xa338 0x9738 0x2a6
SetSecurityDescriptorOwner - 0x100001058 0xa340 0x9740 0x2b8
SetSecurityDescriptorGroup - 0x100001060 0xa348 0x9748 0x2b7
SetSecurityDescriptorDacl - 0x100001068 0xa350 0x9750 0x2b6
GetTraceEnableLevel - 0x100001070 0xa358 0x9758 0x15c
UnregisterTraceGuids - 0x100001078 0xa360 0x9760 0x302
GetTraceLoggerHandle - 0x100001080 0xa368 0x9768 0x15d
GetTraceEnableFlags - 0x100001088 0xa370 0x9770 0x15b
RegisterTraceGuidsW - 0x100001090 0xa378 0x9778 0x28a
KERNEL32.dll (36)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetProductInfo - 0x1000010a0 0xa388 0x9788 0x25e
CreateEventW - 0x1000010a8 0xa390 0x9790 0x85
GetLocalTime - 0x1000010b0 0xa398 0x9798 0x209
SetLastError - 0x1000010b8 0xa3a0 0x97a0 0x480
WideCharToMultiByte - 0x1000010c0 0xa3a8 0x97a8 0x520
WriteFile - 0x1000010c8 0xa3b0 0x97b0 0x534
InitializeCriticalSection - 0x1000010d0 0xa3b8 0x97b8 0x2ea
DeleteCriticalSection - 0x1000010d8 0xa3c0 0x97c0 0xd2
CloseHandle - 0x1000010e0 0xa3c8 0x97c8 0x52
GetCurrentProcess - 0x1000010e8 0xa3d0 0x97d0 0x1c6
FreeLibrary - 0x1000010f0 0xa3d8 0x97d8 0x168
GetProcAddress - 0x1000010f8 0xa3e0 0x97e0 0x24c
LoadLibraryW - 0x100001100 0xa3e8 0x97e8 0x341
ExpandEnvironmentStringsW - 0x100001108 0xa3f0 0x97f0 0x123
GetLastError - 0x100001110 0xa3f8 0x97f8 0x208
MultiByteToWideChar - 0x100001118 0xa400 0x9800 0x369
LocalFree - 0x100001120 0xa408 0x9808 0x34a
Sleep - 0x100001128 0xa410 0x9810 0x4c0
GetStartupInfoW - 0x100001130 0xa418 0x9818 0x26a
SetUnhandledExceptionFilter - 0x100001138 0xa420 0x9820 0x4b3
GetModuleHandleW - 0x100001140 0xa428 0x9828 0x21e
QueryPerformanceCounter - 0x100001148 0xa430 0x9830 0x3a9
GetTickCount - 0x100001150 0xa438 0x9838 0x29a
GetCurrentThreadId - 0x100001158 0xa440 0x9840 0x1cb
GetCurrentProcessId - 0x100001160 0xa448 0x9848 0x1c7
GetSystemTimeAsFileTime - 0x100001168 0xa450 0x9850 0x280
TerminateProcess - 0x100001170 0xa458 0x9858 0x4ce
UnhandledExceptionFilter - 0x100001178 0xa460 0x9860 0x4e2
HeapAlloc - 0x100001180 0xa468 0x9868 0x2d3
GetProcessHeap - 0x100001188 0xa470 0x9870 0x251
HeapFree - 0x100001190 0xa478 0x9878 0x2d7
CreateFileW - 0x100001198 0xa480 0x9880 0x8f
GetVersionExW - 0x1000011a0 0xa488 0x9888 0x2ac
SetFilePointer - 0x1000011a8 0xa490 0x9890 0x474
lstrlenA - 0x1000011b0 0xa498 0x9898 0x560
CreateDirectoryW - 0x1000011b8 0xa4a0 0x98a0 0x81
USER32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
FindWindowW - 0x1000011e0 0xa4c8 0x98c8 0xfa
LoadStringW - 0x1000011e8 0xa4d0 0x98d0 0x1fe
PostMessageW - 0x1000011f0 0xa4d8 0x98d8 0x23a
ExitWindowsEx - 0x1000011f8 0xa4e0 0x98e0 0xf5
msvcrt.dll (28)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
memmove - 0x100001208 0xa4f0 0x98f0 0x482
_onexit - 0x100001210 0xa4f8 0x98f8 0x27f
_lock - 0x100001218 0xa500 0x9900 0x1d5
__dllonexit - 0x100001220 0xa508 0x9908 0x6d
_unlock - 0x100001228 0xa510 0x9910 0x330
?terminate@@YAXXZ - 0x100001230 0xa518 0x9918 0x30
_fmode - 0x100001238 0xa520 0x9920 0x118
_commode - 0x100001240 0xa528 0x9928 0xc4
__setusermatherr - 0x100001248 0xa530 0x9930 0x82
_amsg_exit - 0x100001250 0xa538 0x9938 0xa0
_initterm - 0x100001258 0xa540 0x9940 0x16c
_acmdln - 0x100001260 0xa548 0x9948 0x94
exit - 0x100001268 0xa550 0x9950 0x420
_cexit - 0x100001270 0xa558 0x9958 0xb3
_ismbblead - 0x100001278 0xa560 0x9960 0x188
_exit - 0x100001280 0xa568 0x9968 0xff
_XcptFilter - 0x100001288 0xa570 0x9970 0x52
__C_specific_handler - 0x100001290 0xa578 0x9978 0x53
__getmainargs - 0x100001298 0xa580 0x9980 0x71
__CxxFrameHandler3 - 0x1000012a0 0xa588 0x9988 0x57
??1type_info@@UEAA@XZ - 0x1000012a8 0xa590 0x9990 0x12
_CxxThrowException - 0x1000012b0 0xa598 0x9998 0x4c
memset - 0x1000012b8 0xa5a0 0x99a0 0x484
__set_app_type - 0x1000012c0 0xa5a8 0x99a8 0x80
??3@YAXPEAX@Z - 0x1000012c8 0xa5b0 0x99b0 0x15
_vsnwprintf - 0x1000012d0 0xa5b8 0x99b8 0x358
wcschr - 0x1000012d8 0xa5c0 0x99c0 0x4ef
memcpy - 0x1000012e0 0xa5c8 0x99c8 0x480
ntdll.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RtlVirtualUnwind - 0x1000012f0 0xa5d8 0x99d8 0x4f0
RtlLookupFunctionEntry - 0x1000012f8 0xa5e0 0x99e0 0x401
RtlCaptureContext - 0x100001300 0xa5e8 0x99e8 0x27b
WinSqmStartSession - 0x100001308 0xa5f0 0x99f0 0x583
WinSqmSetDWORD - 0x100001310 0xa5f8 0x99f8 0x57d
WinSqmIsOptedIn - 0x100001318 0xa600 0x9a00 0x57b
WinSqmEndSession - 0x100001320 0xa608 0x9a08 0x575
WinSqmSetString - 0x100001328 0xa610 0x9a10 0x582
RtlFreeHeap - 0x100001330 0xa618 0x9a18 0x34a
RtlAllocateHeap - 0x100001338 0xa620 0x9a20 0x265
ole32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoCreateInstance - 0x100001348 0xa630 0x9a30 0x14
CoInitializeSecurity - 0x100001350 0xa638 0x9a38 0x44
CoInitializeEx - 0x100001358 0xa640 0x9a40 0x43
CoUninitialize - 0x100001360 0xa648 0x9a48 0x70
OLEAUT32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysFreeString 0x6 0x1000011c8 0xa4b0 0x98b0 -
SysAllocString 0x2 0x1000011d0 0xa4b8 0x98b8 -
pidgenx.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PidGenX - 0x100001370 0xa658 0x9a58 0x0
slc.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SLGetWindowsInformationDWORD - 0x100001380 0xa668 0x9a68 0x17
Memory Dumps (1)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
windowsanytimeupgrade.exe 152 0xFF750000 0xFF791FFF Relevant Image False 64-bit - False False
C:\Users\kEecfMwgj\AppData\Local\fg0b\spreview.exe Dropped File Binary
suspicious
Lowered to Suspicious because the artifact is known to be Clean or Trusted.
MIME Type application/vnd.microsoft.portable-executable
File Size 294.50 KB
MD5 704cd4cac010e8e6d8de9b778ed17773
SHA1 81856abf70640f102b8b3defe2cf65669fe8e165
SHA256 4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208
SSDeep 6144:sbaH+MHxMrU+sCmK3Rve4bA2it3GpqG3CZRfq2EDhzhiac1OMxm+u5hu6E5WBPRi:qMHxMbQMNry6Xkbrl0
ImpHash 2e8ca881ce57ea39ec6fefdcb5cb5367
PE Information
Image Base 0x100000000
Entry Point 0x10003ebc4
Size Of Code 0x46a00
Size Of Initialized Data 0x3800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.amd64
Compile Timestamp 2010-11-20 09:45:06+00:00
Version Information (8)
CompanyName Microsoft Corporation
FileDescription SP Reviewer
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName SPReview.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename SPReview.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7601.17514
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x100001000 0x46982 0x46a00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.16
.data 0x100048000 0x1290 0x800 0x46e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.51
.pdata 0x10004a000 0x13f8 0x1400 0x47600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.43
.rsrc 0x10004c000 0x960 0xa00 0x48a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.63
.reloc 0x10004d000 0x416 0x600 0x49400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.87
Imports (13)
ADVAPI32.dll (16)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CryptAcquireContextW - 0x100001000 0x467f0 0x45bf0 0xb1
CryptGenRandom - 0x100001008 0x467f8 0x45bf8 0xc1
CryptReleaseContext - 0x100001010 0x46800 0x45c00 0xcb
RegOpenKeyExW - 0x100001018 0x46808 0x45c08 0x261
RegCreateKeyExW - 0x100001020 0x46810 0x45c10 0x239
RegSetValueExW - 0x100001028 0x46818 0x45c18 0x27e
RegDeleteValueW - 0x100001030 0x46820 0x45c20 0x248
RegCloseKey - 0x100001038 0x46828 0x45c28 0x230
RegQueryValueExW - 0x100001040 0x46830 0x45c30 0x26e
OpenProcessToken - 0x100001048 0x46838 0x45c38 0x1f7
LookupPrivilegeValueW - 0x100001050 0x46840 0x45c40 0x197
AdjustTokenPrivileges - 0x100001058 0x46848 0x45c48 0x1f
GetTokenInformation - 0x100001060 0x46850 0x45c50 0x15a
RegEnumKeyExW - 0x100001068 0x46858 0x45c58 0x24f
EventUnregister - 0x100001070 0x46860 0x45c60 0x10f
EventWrite - 0x100001078 0x46868 0x45c68 0x110
KERNEL32.dll (72)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
FormatMessageW - 0x100001088 0x46878 0x45c78 0x164
LocalFree - 0x100001090 0x46880 0x45c80 0x34b
Sleep - 0x100001098 0x46888 0x45c88 0x4c1
lstrlenW - 0x1000010a0 0x46890 0x45c90 0x562
GetCurrentProcess - 0x1000010a8 0x46898 0x45c98 0x1c6
CreateFileW - 0x1000010b0 0x468a0 0x45ca0 0x8f
ReadFile - 0x1000010b8 0x468a8 0x45ca8 0x3c3
CreateProcessW - 0x1000010c0 0x468b0 0x45cb0 0xa8
WaitForSingleObject - 0x1000010c8 0x468b8 0x45cb8 0x509
GetExitCodeProcess - 0x1000010d0 0x468c0 0x45cc0 0x1e6
HeapAlloc - 0x1000010d8 0x468c8 0x45cc8 0x2d4
GetProcessHeap - 0x1000010e0 0x468d0 0x45cd0 0x24f
HeapReAlloc - 0x1000010e8 0x468d8 0x45cd8 0x2db
HeapFree - 0x1000010f0 0x468e0 0x45ce0 0x2d8
LoadLibraryW - 0x1000010f8 0x468e8 0x45ce8 0x342
GetProcAddress - 0x100001100 0x468f0 0x45cf0 0x24a
FreeLibrary - 0x100001108 0x468f8 0x45cf8 0x168
GlobalFree - 0x100001110 0x46900 0x45d00 0x2c3
GetFullPathNameW - 0x100001118 0x46908 0x45d08 0x200
WideCharToMultiByte - 0x100001120 0x46910 0x45d10 0x521
CreateMutexW - 0x100001128 0x46918 0x45d18 0x9e
ReleaseMutex - 0x100001130 0x46920 0x45d20 0x3fd
SetEvent - 0x100001138 0x46928 0x45d28 0x467
MultiByteToWideChar - 0x100001140 0x46930 0x45d30 0x369
OutputDebugStringA - 0x100001148 0x46938 0x45d38 0x38b
SetLastError - 0x100001150 0x46940 0x45d40 0x47f
FindFirstFileW - 0x100001158 0x46948 0x45d48 0x13f
FindNextFileW - 0x100001160 0x46950 0x45d50 0x14b
FindClose - 0x100001168 0x46958 0x45d58 0x134
SetFilePointer - 0x100001170 0x46960 0x45d60 0x473
SetEndOfFile - 0x100001178 0x46968 0x45d68 0x461
WriteFile - 0x100001180 0x46970 0x45d70 0x535
GetCommandLineW - 0x100001188 0x46978 0x45d78 0x18d
GetTempPathW - 0x100001190 0x46980 0x45d80 0x28b
GetVersionExA - 0x100001198 0x46988 0x45d88 0x2ab
DeleteCriticalSection - 0x1000011a0 0x46990 0x45d90 0xd2
InitializeCriticalSection - 0x1000011a8 0x46998 0x45d98 0x2ec
LeaveCriticalSection - 0x1000011b0 0x469a0 0x45da0 0x33c
EnterCriticalSection - 0x1000011b8 0x469a8 0x45da8 0xf2
RaiseException - 0x1000011c0 0x469b0 0x45db0 0x3b4
HeapSize - 0x1000011c8 0x469b8 0x45db8 0x2dd
HeapDestroy - 0x1000011d0 0x469c0 0x45dc0 0x2d7
CloseHandle - 0x1000011d8 0x469c8 0x45dc8 0x52
CreateThread - 0x1000011e0 0x469d0 0x45dd0 0xb4
CreateEventW - 0x1000011e8 0x469d8 0x45dd8 0x85
GetModuleHandleW - 0x1000011f0 0x469e0 0x45de0 0x21c
GetSystemWindowsDirectoryW - 0x1000011f8 0x469e8 0x45de8 0x282
FindResourceExW - 0x100001200 0x469f0 0x45df0 0x153
FindResourceW - 0x100001208 0x469f8 0x45df8 0x154
LoadResource - 0x100001210 0x46a00 0x45e00 0x344
LockResource - 0x100001218 0x46a08 0x45e08 0x356
GetEnvironmentVariableW - 0x100001220 0x46a10 0x45e10 0x1e3
SetUnhandledExceptionFilter - 0x100001228 0x46a18 0x45e18 0x4b3
QueryPerformanceCounter - 0x100001230 0x46a20 0x45e20 0x3a9
GetTickCount - 0x100001238 0x46a28 0x45e28 0x299
GetCurrentThreadId - 0x100001240 0x46a30 0x45e30 0x1cb
GetCurrentProcessId - 0x100001248 0x46a38 0x45e38 0x1c7
GetSystemTimeAsFileTime - 0x100001250 0x46a40 0x45e40 0x27f
TerminateProcess - 0x100001258 0x46a48 0x45e48 0x4cf
UnhandledExceptionFilter - 0x100001260 0x46a50 0x45e50 0x4e3
MoveFileExW - 0x100001268 0x46a58 0x45e58 0x362
CompareFileTime - 0x100001270 0x46a60 0x45e60 0x60
SetFileTime - 0x100001278 0x46a68 0x45e68 0x477
DeleteFileW - 0x100001280 0x46a70 0x45e70 0xd7
GetSystemTime - 0x100001288 0x46a78 0x45e78 0x27d
SizeofResource - 0x100001290 0x46a80 0x45e80 0x4c0
GetModuleFileNameW - 0x100001298 0x46a88 0x45e88 0x218
GetLastError - 0x1000012a0 0x46a90 0x45e90 0x206
CreateDirectoryW - 0x1000012a8 0x46a98 0x45e98 0x81
GetFileAttributesW - 0x1000012b0 0x46aa0 0x45ea0 0x1ef
GetWindowsDirectoryW - 0x1000012b8 0x46aa8 0x45ea8 0x2b7
GetFileAttributesExW - 0x1000012c0 0x46ab0 0x45eb0 0x1ec
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
UnregisterClassA - 0x100001308 0x46af8 0x45ef8 0x30d
msvcrt.dll (48)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_XcptFilter - 0x100001358 0x46b48 0x45f48 0x52
_exit - 0x100001360 0x46b50 0x45f50 0xff
_vsnprintf - 0x100001368 0x46b58 0x45f58 0x352
__C_specific_handler - 0x100001370 0x46b60 0x45f60 0x53
memset - 0x100001378 0x46b68 0x45f68 0x484
_cexit - 0x100001380 0x46b70 0x45f70 0xb3
__wgetmainargs - 0x100001388 0x46b78 0x45f78 0x8f
wcsspn - 0x100001390 0x46b80 0x45f80 0x501
wcscspn - 0x100001398 0x46b88 0x45f88 0x4f4
vsprintf_s - 0x1000013a0 0x46b90 0x45f90 0x4e6
_vscprintf - 0x1000013a8 0x46b98 0x45f98 0x34c
vswprintf_s - 0x1000013b0 0x46ba0 0x45fa0 0x4e8
_vscwprintf - 0x1000013b8 0x46ba8 0x45fa8 0x34f
_resetstkoflw - 0x1000013c0 0x46bb0 0x45fb0 0x297
??2@YAPEAX_K@Z - 0x1000013c8 0x46bb8 0x45fb8 0x13
malloc - 0x1000013d0 0x46bc0 0x45fc0 0x474
_wtoi - 0x1000013d8 0x46bc8 0x45fc8 0x3f3
iswdigit - 0x1000013e0 0x46bd0 0x45fd0 0x461
_wcsicmp - 0x1000013e8 0x46bd8 0x45fd8 0x379
??1type_info@@UEAA@XZ - 0x1000013f0 0x46be0 0x45fe0 0x12
__set_app_type - 0x1000013f8 0x46be8 0x45fe8 0x80
_fmode - 0x100001400 0x46bf0 0x45ff0 0x118
_commode - 0x100001408 0x46bf8 0x45ff8 0xc4
__setusermatherr - 0x100001410 0x46c00 0x46000 0x82
exit - 0x100001418 0x46c08 0x46008 0x420
_initterm - 0x100001420 0x46c10 0x46010 0x16c
wcsstr - 0x100001428 0x46c18 0x46018 0x502
_amsg_exit - 0x100001430 0x46c20 0x46020 0xa0
wcstoul - 0x100001438 0x46c28 0x46028 0x509
calloc - 0x100001440 0x46c30 0x46030 0x413
free - 0x100001448 0x46c38 0x46038 0x43a
_vsnwprintf - 0x100001450 0x46c40 0x46040 0x358
wcschr - 0x100001458 0x46c48 0x46048 0x4ef
_wcsnicmp - 0x100001460 0x46c50 0x46050 0x383
memmove_s - 0x100001468 0x46c58 0x46058 0x483
memcpy_s - 0x100001470 0x46c60 0x46060 0x481
??_U@YAPEAX_K@Z - 0x100001478 0x46c68 0x46068 0x22
??_V@YAXPEAX@Z - 0x100001480 0x46c70 0x46070 0x24
??3@YAXPEAX@Z - 0x100001488 0x46c78 0x46078 0x15
__CxxFrameHandler3 - 0x100001490 0x46c80 0x46080 0x57
_CxxThrowException - 0x100001498 0x46c88 0x46088 0x4c
?terminate@@YAXXZ - 0x1000014a0 0x46c90 0x46090 0x30
_onexit - 0x1000014a8 0x46c98 0x46098 0x27f
_lock - 0x1000014b0 0x46ca0 0x460a0 0x1d5
__dllonexit - 0x1000014b8 0x46ca8 0x460a8 0x6d
_unlock - 0x1000014c0 0x46cb0 0x460b0 0x330
wcsrchr - 0x1000014c8 0x46cb8 0x460b8 0x4fe
memcpy - 0x1000014d0 0x46cc0 0x460c0 0x480
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHFileOperationW - 0x1000012d0 0x46ac0 0x45ec0 0xac
ole32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoCreateInstance - 0x100001500 0x46cf0 0x460f0 0x14
CoGetMalloc - 0x100001508 0x46cf8 0x460f8 0x36
CoInitializeEx - 0x100001510 0x46d00 0x46100 0x43
CoInitializeSecurity - 0x100001518 0x46d08 0x46108 0x44
CoUninitialize - 0x100001520 0x46d10 0x46110 0x70
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
VerQueryValueW - 0x100001328 0x46b18 0x45f18 0xe
GetFileVersionInfoW - 0x100001330 0x46b20 0x45f20 0x6
GetFileVersionInfoSizeW - 0x100001338 0x46b28 0x45f28 0x5
ntdll.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RtlVirtualUnwind - 0x1000014e0 0x46cd0 0x460d0 0x4f1
RtlLookupFunctionEntry - 0x1000014e8 0x46cd8 0x460d8 0x402
RtlCaptureContext - 0x1000014f0 0x46ce0 0x460e0 0x27b
USERENV.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
UnloadUserProfile - 0x100001318 0x46b08 0x45f08 0x2c
SpWizUI.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SPInstallSucceeded - 0x1000012f0 0x46ae0 0x45ee0 0x1
SPInstallFailed - 0x1000012f8 0x46ae8 0x45ee8 0x0
SpError.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetErrorDescription - 0x1000012e0 0x46ad0 0x45ed0 0x0
sqmapi.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SqmReadSharedMachineId - 0x100001530 0x46d20 0x46120 0x1c
SqmCreateNewId - 0x100001538 0x46d28 0x46128 0xe
SqmWriteSharedMachineId - 0x100001540 0x46d30 0x46130 0x39
SqmSet - 0x100001548 0x46d38 0x46138 0x1e
SqmAddToStreamV - 0x100001550 0x46d40 0x46140 0x5
SqmIsWindowsOptedIn - 0x100001558 0x46d48 0x46148 0x1a
SqmGetSession - 0x100001560 0x46d50 0x46150 0x16
SqmSetEnabled - 0x100001568 0x46d58 0x46158 0x25
SqmSetAppId - 0x100001570 0x46d60 0x46160 0x1f
SqmEndSession - 0x100001578 0x46d68 0x46168 0xf
SqmStartUpload - 0x100001580 0x46d70 0x46170 0x2e
SqmWaitForUploadComplete - 0x100001588 0x46d78 0x46178 0x38
SqmSetString - 0x100001590 0x46d80 0x46180 0x2b
SqmSetMachineId - 0x100001598 0x46d88 0x46188 0x2a
WINBRAND.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
BrandingFormatString - 0x100001348 0x46b38 0x45f38 0x0
Memory Dumps (4)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
spreview.exe 135 0xFF540000 0xFF58DFFF Relevant Image False 64-bit - False False
buffer 135 0x00300000 0x00306FFF First Execution False 64-bit 0x0030297E False False
buffer 135 0x00260000 0x002F9FFF Image In Buffer False 64-bit - False False
buffer 135 0x00440000 0x004D9FFF Image In Buffer False 64-bit - True False
C:\Users\kEecfMwgj\AppData\Local\dOFgn\cmstp.exe Dropped File Binary
suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 90.00 KB
MD5 74c6da5522f420c394ae34b2d3d677e3
SHA1 ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA256 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SSDeep 1536:NrF87MkwsSAb7BsYtVGvU2DsOILIpWkVgEo8JNggoww/xHC+E:9G7MkwsSAZrtEvUepW9EXbggA/xxE
ImpHash c1f7d007115c28362e68e98bb0db4c9e
PE Information
Image Base 0x100000000
Entry Point 0x100013830
Size Of Code 0x14800
Size Of Initialized Data 0x2800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.amd64
Compile Timestamp 2010-11-20 10:52:18+00:00
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Microsoft Connection Manager Profile Installer
FileVersion 7.02.7601.17514 (win7sp1_rtm.101119-1850)
InternalName CMSTP
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename CMSTP.EXE
ProductName Microsoft(R) Connection Manager
ProductVersion 7.02.7601.17514
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x100001000 0x146c2 0x14800 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.97
.data 0x100016000 0x10a8 0x600 0x14c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.93
.pdata 0x100018000 0x5c4 0x600 0x15200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.88
.rsrc 0x100019000 0xdb0 0xe00 0x15800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.53
.reloc 0x10001a000 0x1d4 0x200 0x16600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 2.47
Imports (8)
ADVAPI32.dll (17)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegQueryValueExW - 0x100001000 0x148f0 0x13cf0 0x26e
RegOpenKeyExW - 0x100001008 0x148f8 0x13cf8 0x261
RegCloseKey - 0x100001010 0x14900 0x13d00 0x230
OpenProcessToken - 0x100001018 0x14908 0x13d08 0x1f7
RegQueryInfoKeyW - 0x100001020 0x14910 0x13d10 0x268
RegDeleteKeyW - 0x100001028 0x14918 0x13d18 0x244
RegEnumKeyExW - 0x100001030 0x14920 0x13d20 0x24f
RegCreateKeyW - 0x100001038 0x14928 0x13d28 0x23c
RegCreateKeyExW - 0x100001040 0x14930 0x13d30 0x239
LookupPrivilegeValueW - 0x100001048 0x14938 0x13d38 0x197
RegDeleteValueW - 0x100001050 0x14940 0x13d40 0x248
AllocateAndInitializeSid - 0x100001058 0x14948 0x13d48 0x20
FreeSid - 0x100001060 0x14950 0x13d50 0x120
AdjustTokenPrivileges - 0x100001068 0x14958 0x13d58 0x1f
InitiateSystemShutdownW - 0x100001070 0x14960 0x13d60 0x17e
RegSetValueExW - 0x100001078 0x14968 0x13d68 0x27e
RegEnumValueW - 0x100001080 0x14970 0x13d70 0x252
KERNEL32.dll (60)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetCurrentProcessId - 0x100001090 0x14980 0x13d80 0x1c7
FindFirstFileW - 0x100001098 0x14988 0x13d88 0x13f
GetCurrentProcess - 0x1000010a0 0x14990 0x13d90 0x1c6
WritePrivateProfileSectionW - 0x1000010a8 0x14998 0x13d98 0x539
CreateFileW - 0x1000010b0 0x149a0 0x13da0 0x8f
CompareStringW - 0x1000010b8 0x149a8 0x13da8 0x64
lstrcmpW - 0x1000010c0 0x149b0 0x13db0 0x556
lstrlenW - 0x1000010c8 0x149b8 0x13db8 0x562
WritePrivateProfileStringW - 0x1000010d0 0x149c0 0x13dc0 0x53b
GetPrivateProfileIntW - 0x1000010d8 0x149c8 0x13dc8 0x241
GetLastError - 0x1000010e0 0x149d0 0x13dd0 0x206
FindClose - 0x1000010e8 0x149d8 0x13dd8 0x134
lstrcmpiW - 0x1000010f0 0x149e0 0x13de0 0x559
FindNextFileW - 0x1000010f8 0x149e8 0x13de8 0x14b
CloseHandle - 0x100001100 0x149f0 0x13df0 0x52
GetWindowsDirectoryW - 0x100001108 0x149f8 0x13df8 0x2b7
GetPrivateProfileSectionW - 0x100001110 0x14a00 0x13e00 0x245
SetFileAttributesW - 0x100001118 0x14a08 0x13e08 0x46e
lstrlenA - 0x100001120 0x14a10 0x13e10 0x561
GetProcAddress - 0x100001128 0x14a18 0x13e18 0x24a
GetWindowsDirectoryA - 0x100001130 0x14a20 0x13e20 0x2b6
GetSystemDirectoryW - 0x100001138 0x14a28 0x13e28 0x276
LoadLibraryW - 0x100001140 0x14a30 0x13e30 0x342
CopyFileW - 0x100001148 0x14a38 0x13e38 0x75
GetModuleHandleA - 0x100001150 0x14a40 0x13e40 0x219
LoadLibraryExA - 0x100001158 0x14a48 0x13e48 0x340
LocalFree - 0x100001160 0x14a50 0x13e50 0x34b
ExpandEnvironmentStringsW - 0x100001168 0x14a58 0x13e58 0x123
CreateMutexW - 0x100001170 0x14a60 0x13e60 0x9e
WaitForSingleObject - 0x100001178 0x14a68 0x13e68 0x509
ReleaseMutex - 0x100001180 0x14a70 0x13e70 0x3fd
Sleep - 0x100001188 0x14a78 0x13e78 0x4c1
HeapFree - 0x100001190 0x14a80 0x13e80 0x2d8
HeapAlloc - 0x100001198 0x14a88 0x13e88 0x2d4
GetSystemInfo - 0x1000011a0 0x14a90 0x13e90 0x279
GetVersionExW - 0x1000011a8 0x14a98 0x13e98 0x2ac
SetCurrentDirectoryW - 0x1000011b0 0x14aa0 0x13ea0 0x45b
CreateDirectoryW - 0x1000011b8 0x14aa8 0x13ea8 0x81
LocalAlloc - 0x1000011c0 0x14ab0 0x13eb0 0x347
LoadLibraryA - 0x1000011c8 0x14ab8 0x13eb8 0x33f
WideCharToMultiByte - 0x1000011d0 0x14ac0 0x13ec0 0x521
UnhandledExceptionFilter - 0x1000011d8 0x14ac8 0x13ec8 0x4e3
TerminateProcess - 0x1000011e0 0x14ad0 0x13ed0 0x4cf
GetSystemTimeAsFileTime - 0x1000011e8 0x14ad8 0x13ed8 0x27f
GetCurrentThreadId - 0x1000011f0 0x14ae0 0x13ee0 0x1cb
GetTickCount - 0x1000011f8 0x14ae8 0x13ee8 0x299
QueryPerformanceCounter - 0x100001200 0x14af0 0x13ef0 0x3a9
SetUnhandledExceptionFilter - 0x100001208 0x14af8 0x13ef8 0x4b3
RtlCaptureContext - 0x100001210 0x14b00 0x13f00 0x418
RtlLookupFunctionEntry - 0x100001218 0x14b08 0x13f08 0x41f
RtlVirtualUnwind - 0x100001220 0x14b10 0x13f10 0x426
GetStartupInfoW - 0x100001228 0x14b18 0x13f18 0x269
GetCurrentDirectoryW - 0x100001230 0x14b20 0x13f20 0x1c5
GetModuleHandleW - 0x100001238 0x14b28 0x13f28 0x21c
LoadLibraryExW - 0x100001240 0x14b30 0x13f30 0x341
FreeLibrary - 0x100001248 0x14b38 0x13f38 0x168
GetCommandLineW - 0x100001250 0x14b40 0x13f40 0x18d
GetPrivateProfileStringW - 0x100001258 0x14b48 0x13f48 0x247
GetFileType - 0x100001260 0x14b50 0x13f50 0x1f8
GetProcessHeap - 0x100001268 0x14b58 0x13f58 0x24f
USER32.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EndDialog - 0x1000012c0 0x14bb0 0x13fb0 0xda
CheckDlgButton - 0x1000012c8 0x14bb8 0x13fb8 0x3e
SetFocus - 0x1000012d0 0x14bc0 0x13fc0 0x298
DialogBoxParamW - 0x1000012d8 0x14bc8 0x13fc8 0xac
IsDlgButtonChecked - 0x1000012e0 0x14bd0 0x13fd0 0x1d2
IsWindow - 0x1000012e8 0x14bd8 0x13fd8 0x1df
CheckRadioButton - 0x1000012f0 0x14be0 0x13fe0 0x41
GetDlgItemTextW - 0x1000012f8 0x14be8 0x13fe8 0x12c
SetWindowTextW - 0x100001300 0x14bf0 0x13ff0 0x2d3
MessageBoxExW - 0x100001308 0x14bf8 0x13ff8 0x214
CharNextW - 0x100001310 0x14c00 0x14000 0x31
GetDlgItem - 0x100001318 0x14c08 0x14008 0x129
MessageBoxW - 0x100001320 0x14c10 0x14010 0x219
CharPrevW - 0x100001328 0x14c18 0x14018 0x34
LoadStringW - 0x100001330 0x14c20 0x14020 0x1fe
msvcrt.dll (19)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_XcptFilter - 0x1000013a0 0x14c90 0x14090 0x52
__C_specific_handler - 0x1000013a8 0x14c98 0x14098 0x53
?terminate@@YAXXZ - 0x1000013b0 0x14ca0 0x140a0 0x30
__getmainargs - 0x1000013b8 0x14ca8 0x140a8 0x71
_vsnwprintf - 0x1000013c0 0x14cb0 0x140b0 0x358
memset - 0x1000013c8 0x14cb8 0x140b8 0x484
memcpy - 0x1000013d0 0x14cc0 0x140c0 0x480
_exit - 0x1000013d8 0x14cc8 0x140c8 0xff
__set_app_type - 0x1000013e0 0x14cd0 0x140d0 0x80
_fmode - 0x1000013e8 0x14cd8 0x140d8 0x118
_commode - 0x1000013f0 0x14ce0 0x140e0 0xc4
__setusermatherr - 0x1000013f8 0x14ce8 0x140e8 0x82
_amsg_exit - 0x100001400 0x14cf0 0x140f0 0xa0
_initterm - 0x100001408 0x14cf8 0x140f8 0x16c
_acmdln - 0x100001410 0x14d00 0x14100 0x94
exit - 0x100001418 0x14d08 0x14108 0x420
_cexit - 0x100001420 0x14d10 0x14110 0xb3
_ismbblead - 0x100001428 0x14d18 0x14118 0x188
_vsnprintf - 0x100001430 0x14d20 0x14120 0x352
cmutil.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CmRealloc - 0x100001360 0x14c50 0x14050 0x76
WzToSzWithAlloc - 0x100001368 0x14c58 0x14058 0x96
GetOSMajorVersion - 0x100001370 0x14c60 0x14060 0x8c
GetOSVersion - 0x100001378 0x14c68 0x14068 0x8e
CmFree - 0x100001380 0x14c70 0x14070 0x69
CmMalloc - 0x100001388 0x14c78 0x14078 0x74
SzToWzWithAlloc - 0x100001390 0x14c80 0x14080 0x94
ole32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoUninitialize - 0x100001440 0x14d30 0x14130 0x70
CoInitialize - 0x100001448 0x14d38 0x14138 0x42
SHELL32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHFileOperationW - 0x100001278 0x14b68 0x13f68 0xac
SHGetFolderPathW - 0x100001280 0x14b70 0x13f70 0xc3
SHGetSpecialFolderLocation - 0x100001288 0x14b78 0x13f78 0xdf
SHGetMalloc - 0x100001290 0x14b80 0x13f80 0xcf
SHGetPathFromIDListW - 0x100001298 0x14b88 0x13f88 0xd7
SHGetDesktopFolder - 0x1000012a0 0x14b90 0x13f90 0xb6
ShellExecuteExW - 0x1000012a8 0x14b98 0x13f98 0x121
SHChangeNotify - 0x1000012b0 0x14ba0 0x13fa0 0x7f
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoSizeA - 0x100001340 0x14c30 0x14030 0x3
VerQueryValueA - 0x100001348 0x14c38 0x14038 0xd
GetFileVersionInfoA - 0x100001350 0x14c40 0x14040 0x0
Memory Dumps (4)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
cmstp.exe 161 0xFFB20000 0xFFB3AFFF Relevant Image False 64-bit - False False
buffer 161 0x000E0000 0x000E6FFF First Execution False 64-bit 0x000E297E False False
buffer 161 0x01AC0000 0x01B59FFF Image In Buffer False 64-bit - False False
buffer 161 0x01B60000 0x01BF9FFF Image In Buffer False 64-bit - True False
C:\Users\kEecfMwgj\AppData\Local\CtP9RYDd\UI0Detect.exe Dropped File Binary
suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 40.00 KB
MD5 3cbdec8d06b9968aba702eba076364a1
SHA1 6e0fcaccadbdb5e3293aa3523ec1006d92191c58
SHA256 b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b
SSDeep 768:VWp0fszQ7gGuiwJ8mQOsO+ueYuD+UYySV73q0OvObxziMMNpa8zOjFMMNv0/vM+J:lsU7ge4X6ZVC/VbqXGbxGMMW7MMs0+2w
ImpHash fa9004a0c2db80200c505e2349a9bc4f
PE Information
Image Base 0x100000000
Entry Point 0x10000504c
Size Of Code 0x5e00
Size Of Initialized Data 0x4800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.amd64
Compile Timestamp 2009-07-13 23:52:35+00:00
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Interactive services detection
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName UI0Detect.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename UI0Detect.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x100001000 0x5cba 0x5e00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.11
.data 0x100007000 0xb20 0x200 0x6200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.21
.pdata 0x100008000 0x2b8 0x400 0x6400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.11
.rsrc 0x100009000 0x3490 0x3600 0x6800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.23
.reloc 0x10000d000 0xd4 0x200 0x9e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 1.32
Imports (11)
ADVAPI32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CheckTokenMembership - 0x100001000 0x5d78 0x5178 0x51
StartServiceCtrlDispatcherW - 0x100001008 0x5d80 0x5180 0x2c8
SetServiceStatus - 0x100001010 0x5d88 0x5188 0x2c0
RegisterEventSourceW - 0x100001018 0x5d90 0x5190 0x283
ReportEventW - 0x100001020 0x5d98 0x5198 0x28f
RegisterServiceCtrlHandlerW - 0x100001028 0x5da0 0x51a0 0x288
DeregisterEventSource - 0x100001030 0x5da8 0x51a8 0xdb
ImpersonateLoggedOnUser - 0x100001038 0x5db0 0x51b0 0x173
CreateProcessAsUserW - 0x100001040 0x5db8 0x51b8 0x7c
RevertToSelf - 0x100001048 0x5dc0 0x51c0 0x290
KERNEL32.dll (39)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
HeapAlloc - 0x100001068 0x5de0 0x51e0 0x2d3
GetProcessHeap - 0x100001070 0x5de8 0x51e8 0x251
HeapFree - 0x100001078 0x5df0 0x51f0 0x2d7
GetLastError - 0x100001080 0x5df8 0x51f8 0x208
Sleep - 0x100001088 0x5e00 0x5200 0x4c0
CreateFileMappingW - 0x100001090 0x5e08 0x5208 0x8c
MapViewOfFile - 0x100001098 0x5e10 0x5210 0x359
DuplicateHandle - 0x1000010a0 0x5e18 0x5218 0xec
GetCurrentProcess - 0x1000010a8 0x5e20 0x5220 0x1c6
UnmapViewOfFile - 0x1000010b0 0x5e28 0x5228 0x4e5
CloseHandle - 0x1000010b8 0x5e30 0x5230 0x52
GetSystemTimeAsFileTime - 0x1000010c0 0x5e38 0x5238 0x280
CompareStringW - 0x1000010c8 0x5e40 0x5240 0x64
CompareFileTime - 0x1000010d0 0x5e48 0x5248 0x60
K32EnumProcessModules - 0x1000010d8 0x5e50 0x5250 0x315
K32GetModuleInformation - 0x1000010e0 0x5e58 0x5258 0x322
K32GetModuleBaseNameW - 0x1000010e8 0x5e60 0x5260 0x31f
lstrcmpW - 0x1000010f0 0x5e68 0x5268 0x555
GetCurrentProcessId - 0x1000010f8 0x5e70 0x5270 0x1c7
OpenProcess - 0x100001100 0x5e78 0x5278 0x382
K32GetModuleFileNameExW - 0x100001108 0x5e80 0x5280 0x321
SetLastError - 0x100001110 0x5e88 0x5288 0x480
GetTickCount - 0x100001118 0x5e90 0x5290 0x29a
GetCurrentThreadId - 0x100001120 0x5e98 0x5298 0x1cb
GetModuleHandleW - 0x100001128 0x5ea0 0x52a0 0x21e
FormatMessageW - 0x100001130 0x5ea8 0x52a8 0x164
LocalFree - 0x100001138 0x5eb0 0x52b0 0x34a
CreateEventW - 0x100001140 0x5eb8 0x52b8 0x85
FreeLibrary - 0x100001148 0x5ec0 0x52c0 0x168
GetProcAddress - 0x100001150 0x5ec8 0x52c8 0x24c
LoadLibraryExA - 0x100001158 0x5ed0 0x52d0 0x33f
DelayLoadFailureHook - 0x100001160 0x5ed8 0x52d8 0xcf
HeapSetInformation - 0x100001168 0x5ee0 0x52e0 0x2db
lstrlenW - 0x100001170 0x5ee8 0x52e8 0x561
TerminateProcess - 0x100001178 0x5ef0 0x52f0 0x4ca
GetStartupInfoW - 0x100001180 0x5ef8 0x52f8 0x269
QueryPerformanceCounter - 0x100001188 0x5f00 0x5300 0x3a6
SetUnhandledExceptionFilter - 0x100001190 0x5f08 0x5308 0x4af
UnhandledExceptionFilter - 0x100001198 0x5f10 0x5310 0x4de
GDI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateSolidBrush - 0x100001058 0x5dd0 0x51d0 0x54
USER32.dll (43)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetWindowThreadProcessId - 0x1000011c8 0x5f40 0x5340 0x1a8
PostMessageW - 0x1000011d0 0x5f48 0x5348 0x23a
GetWindow - 0x1000011d8 0x5f50 0x5350 0x190
RegisterWindowMessageW - 0x1000011e0 0x5f58 0x5358 0x267
SetWindowLongPtrW - 0x1000011e8 0x5f60 0x5360 0x2cb
RegisterShellHookWindow - 0x1000011f0 0x5f68 0x5368 0x261
SetTimer - 0x1000011f8 0x5f70 0x5370 0x2c1
EnumWindows - 0x100001200 0x5f78 0x5378 0xf2
PostQuitMessage - 0x100001208 0x5f80 0x5380 0x23b
GetLastInputInfo - 0x100001210 0x5f88 0x5388 0x147
IsWindow - 0x100001218 0x5f90 0x5390 0x1df
DestroyWindow - 0x100001220 0x5f98 0x5398 0xa6
MoveWindow - 0x100001228 0x5fa0 0x53a0 0x21f
GetSystemMetrics - 0x100001230 0x5fa8 0x53a8 0x180
KillTimer - 0x100001238 0x5fb0 0x53b0 0x1e7
DefWindowProcW - 0x100001240 0x5fb8 0x53b8 0x9c
LoadCursorW - 0x100001248 0x5fc0 0x53c0 0x1ef
RegisterClassW - 0x100001250 0x5fc8 0x53c8 0x252
CreateWindowExW - 0x100001258 0x5fd0 0x53d0 0x6e
GetWindowTextW - 0x100001260 0x5fd8 0x53d8 0x1a7
SystemParametersInfoW - 0x100001268 0x5fe0 0x53e0 0x2f4
SetShellWindow - 0x100001270 0x5fe8 0x53e8 0x2b9
GetProcessWindowStation - 0x100001278 0x5ff0 0x53f0 0x16a
GetThreadDesktop - 0x100001280 0x5ff8 0x53f8 0x184
GetUserObjectInformationW - 0x100001288 0x6000 0x5400 0x18d
GetMessageW - 0x100001290 0x6008 0x5408 0x15f
DispatchMessageW - 0x100001298 0x6010 0x5410 0xaf
UnregisterClassW - 0x1000012a0 0x6018 0x5418 0x30e
LoadStringW - 0x1000012a8 0x6020 0x5420 0x1fe
LoadIconW - 0x1000012b0 0x6028 0x5428 0x1f1
DestroyIcon - 0x1000012b8 0x6030 0x5430 0xa3
FlashWindowEx - 0x1000012c0 0x6038 0x5438 0xfc
GetWindowRect - 0x1000012c8 0x6040 0x5440 0x1a0
GetWindowInfo - 0x1000012d0 0x6048 0x5448 0x196
GetClassNameW - 0x1000012d8 0x6050 0x5450 0x114
GetClassLongPtrW - 0x1000012e0 0x6058 0x5458 0x111
GetWindowLongPtrW - 0x1000012e8 0x6060 0x5460 0x199
FindWindowW - 0x1000012f0 0x6068 0x5468 0xfa
ShowWindow - 0x1000012f8 0x6070 0x5470 0x2e7
GetWindowTextLengthW - 0x100001300 0x6078 0x5478 0x1a6
SendMessageW - 0x100001308 0x6080 0x5480 0x280
GetClassLongW - 0x100001310 0x6088 0x5488 0x112
SetTaskmanWindow - 0x100001318 0x6090 0x5490 0x2bf
msvcrt.dll (19)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_vsnwprintf - 0x100001390 0x6108 0x5508 0x358
wcsrchr - 0x100001398 0x6110 0x5510 0x4fe
_atoi64 - 0x1000013a0 0x6118 0x5518 0xa6
__getmainargs - 0x1000013a8 0x6120 0x5520 0x71
__C_specific_handler - 0x1000013b0 0x6128 0x5528 0x53
_exit - 0x1000013b8 0x6130 0x5530 0xff
_ismbblead - 0x1000013c0 0x6138 0x5538 0x188
_cexit - 0x1000013c8 0x6140 0x5540 0xb3
memset - 0x1000013d0 0x6148 0x5548 0x484
exit - 0x1000013d8 0x6150 0x5550 0x420
?terminate@@YAXXZ - 0x1000013e0 0x6158 0x5558 0x30
__set_app_type - 0x1000013e8 0x6160 0x5560 0x80
_fmode - 0x1000013f0 0x6168 0x5568 0x118
__setusermatherr - 0x1000013f8 0x6170 0x5570 0x82
_commode - 0x100001400 0x6178 0x5578 0xc4
_amsg_exit - 0x100001408 0x6180 0x5580 0xa0
_initterm - 0x100001410 0x6188 0x5588 0x16c
_XcptFilter - 0x100001418 0x6190 0x5590 0x52
_acmdln - 0x100001420 0x6198 0x5598 0x94
ntdll.dll (13)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RtlLookupFunctionEntry - 0x100001430 0x61a8 0x55a8 0x401
RtlVirtualUnwind - 0x100001438 0x61b0 0x55b0 0x4f0
WinSqmAddToAverageDWORD - 0x100001440 0x61b8 0x55b8 0x569
WinSqmIncrementDWORD - 0x100001448 0x61c0 0x55c0 0x57a
WinSqmAddToStream - 0x100001450 0x61c8 0x55c8 0x56a
WinSqmEndSession - 0x100001458 0x61d0 0x55d0 0x575
WinSqmSetDWORD - 0x100001460 0x61d8 0x55d8 0x57d
WinSqmSetString - 0x100001468 0x61e0 0x55e0 0x582
WinSqmStartSession - 0x100001470 0x61e8 0x55e8 0x583
WinSqmIsOptedIn - 0x100001478 0x61f0 0x55f0 0x57b
RtlFreeSid - 0x100001480 0x61f8 0x55f8 0x34d
RtlAllocateAndInitializeSid - 0x100001488 0x6200 0x5600 0x263
RtlCaptureContext - 0x100001490 0x6208 0x5608 0x27b
WTSAPI32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WTSDisconnectSession - 0x100001368 0x60e0 0x54e0 0x5
WTSRegisterSessionNotification - 0x100001370 0x60e8 0x54e8 0x23
WTSUnRegisterSessionNotification - 0x100001378 0x60f0 0x54f0 0x32
WTSQueryUserToken - 0x100001380 0x60f8 0x54f8 0x22
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoW - 0x100001328 0x60a0 0x54a0 0x6
GetFileVersionInfoSizeW - 0x100001330 0x60a8 0x54a8 0x5
VerQueryValueW - 0x100001338 0x60b0 0x54b0 0xe
WINSTA.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WinStationRevertFromServicesSession - 0x100001348 0x60c0 0x54c0 0x5c
WinStationSwitchToServicesSession - 0x100001350 0x60c8 0x54c8 0x68
WinStationGetSessionIds - 0x100001358 0x60d0 0x54d0 0x36
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetFolderPathW - 0x1000011a8 0x5f20 0x5320 0xc3
SHLWAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
(by ordinal) 0x162 0x1000011b8 0x5f30 0x5330 -
Memory Dumps (4)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
ui0detect.exe 189 0xFF0A0000 0xFF0ADFFF Relevant Image False 64-bit - False False
buffer 189 0x00300000 0x00306FFF First Execution False 64-bit 0x0030297E False False
buffer 189 0x000E0000 0x00179FFF Image In Buffer False 64-bit - False False
buffer 189 0x01B50000 0x01BE9FFF Image In Buffer False 64-bit - True False
c:\users\keecfmwgj\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-4219442223-4223814209-3835049652-1000\4fe4574abf1bcb0f6ed6a78aa750fb2c_b9c8f16e-2e51-4052-9ecb-f86ae5d96ef6 Dropped File Stream
clean
MIME Type application/octet-stream
File Size 50 Bytes
MD5 bbe4a6fe547225203dffbf784b4b8086
SHA1 9393217e27903a99d5a36b630becf408c05b85ad
SHA256 2d970fea1e7ebc4c9bae287309fa032cb2ac90323c0cdb49ca9593dc7d074c98
SSDeep 3:/lvlPoSMl:QJl
ImpHash -
\\?\C:\Windows \system32\slc.dll Dropped File Binary
clean
MIME Type application/vnd.microsoft.portable-executable
File Size 30.00 KB
MD5 d2323188c00f39f2b7529780c6a19e23
SHA1 3aa7285fb13b8cd5f7bbcb5410a0e889f23a1fab
SHA256 ecfd25bf4e556beb43cac72ec30a7b3de318dc950994bd5480514605f31b2ef2
SSDeep 384:F92GRoZNa5G4duUgO6A9EswgYHi+l1na5h2l9X5igb/aUTkXY+AGx0H4YFZ8oUG8:Hw4YUmUEFHiGnai5iiV+pOZ8ocvR
ImpHash 6a5a31c99a1562b9e5e10f4b4445be95
PE Information
Image Base 0x7ff70190000
Entry Point 0x7ff70194f8c
Size Of Code 0x5e00
Size Of Initialized Data 0x1c00
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2009-07-14 01:33:23+00:00
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Software Licensing Client Dll
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName slcdll.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename slcdll.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x7ff70191000 0x5d5d 0x5e00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.34
.data 0x7ff70197000 0xe68 0xa00 0x6200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.69
.pdata 0x7ff70198000 0x324 0x400 0x6c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.59
.rsrc 0x7ff70199000 0x520 0x600 0x7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.98
.reloc 0x7ff7019a000 0x10e 0x200 0x7600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 1.14
Imports (3)
msvcrt.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
memcpy - 0x7ff701910c8 0x6110 0x5510 0x480
__C_specific_handler - 0x7ff701910d0 0x6118 0x5518 0x53
_amsg_exit - 0x7ff701910d8 0x6120 0x5520 0xa0
free - 0x7ff701910e0 0x6128 0x5528 0x43a
_initterm - 0x7ff701910e8 0x6130 0x5530 0x16c
malloc - 0x7ff701910f0 0x6138 0x5538 0x474
_XcptFilter - 0x7ff701910f8 0x6140 0x5540 0x52
memmove - 0x7ff70191100 0x6148 0x5548 0x482
wcschr - 0x7ff70191108 0x6150 0x5550 0x4ef
memset - 0x7ff70191110 0x6158 0x5558 0x484
ntdll.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RtlLookupFunctionEntry - 0x7ff70191120 0x6168 0x5568 0x401
RtlVirtualUnwind - 0x7ff70191128 0x6170 0x5570 0x4f0
RtlGetProductInfo - 0x7ff70191130 0x6178 0x5578 0x37d
NtQueryLicenseValue - 0x7ff70191138 0x6180 0x5580 0x19a
RtlInitUnicodeString - 0x7ff70191140 0x6188 0x5588 0x3a2
RtlCaptureContext - 0x7ff70191148 0x6190 0x5590 0x27b
KERNEL32.dll (24)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetProcessHeap - 0x7ff70191000 0x6048 0x5448 0x251
GetCurrentThreadId - 0x7ff70191008 0x6050 0x5450 0x1cb
GetTickCount - 0x7ff70191010 0x6058 0x5458 0x29a
QueryPerformanceCounter - 0x7ff70191018 0x6060 0x5460 0x3a9
Sleep - 0x7ff70191020 0x6068 0x5468 0x4c0
DelayLoadFailureHook - 0x7ff70191028 0x6070 0x5470 0xcf
LoadLibraryExA - 0x7ff70191030 0x6078 0x5478 0x33f
LocalFree - 0x7ff70191038 0x6080 0x5480 0x34a
GetVersionExW - 0x7ff70191040 0x6088 0x5488 0x2ac
GetProcAddress - 0x7ff70191048 0x6090 0x5490 0x24c
LoadLibraryW - 0x7ff70191050 0x6098 0x5498 0x341
FreeLibrary - 0x7ff70191058 0x60a0 0x54a0 0x168
LocalAlloc - 0x7ff70191060 0x60a8 0x54a8 0x346
GetLastError - 0x7ff70191068 0x60b0 0x54b0 0x208
HeapFree - 0x7ff70191070 0x60b8 0x54b8 0x2d7
SetUnhandledExceptionFilter - 0x7ff70191078 0x60c0 0x54c0 0x4b3
UnhandledExceptionFilter - 0x7ff70191080 0x60c8 0x54c8 0x4e2
GetCurrentProcess - 0x7ff70191088 0x60d0 0x54d0 0x1c6
TerminateProcess - 0x7ff70191090 0x60d8 0x54d8 0x4ce
GetSystemTimeAsFileTime - 0x7ff70191098 0x60e0 0x54e0 0x280
DisableThreadLibraryCalls - 0x7ff701910a0 0x60e8 0x54e8 0xe2
SetLastError - 0x7ff701910a8 0x60f0 0x54f0 0x480
HeapAlloc - 0x7ff701910b0 0x60f8 0x54f8 0x2d3
GetCurrentProcessId - 0x7ff701910b8 0x6100 0x5500 0x1c7
Exports (42)
Api name EAT Address Ordinal
SLClose 0x6799 0x8
SLConsumeRight 0x67b5 0x9
SLConsumeWindowsRight 0x25ac 0xa
SLDepositOfflineConfirmationId 0x67fe 0xb
SLFireEvent 0x682e 0xc
SLGenerateOfflineInstallationId 0x685f 0xd
SLGetApplicationInformation 0x68a0 0xe
SLGetGenuineInformation 0x68d9 0xf
SLGetInstalledProductKeyIds 0x6912 0x10
SLGetInstalledSAMLicenseApplications 0x6689 0x1
SLGetLicense 0x6940 0x11
SLGetLicenseFileId 0x6965 0x12
SLGetLicenseInformation 0x6995 0x13
SLGetLicensingStatusInformation 0x69d2 0x14
SLGetPKeyId 0x6a03 0x15
SLGetPKeyInformation 0x6a29 0x16
SLGetPolicyInformation 0x6a5a 0x17
SLGetPolicyInformationDWORD 0x6a92 0x18
SLGetProductSkuInformation 0x6ace 0x19
SLGetSAMLicense 0x66c4 0x2
SLGetSLIDList 0x6afc 0x1a
SLGetServiceInformation 0x6b27 0x1b
SLGetWindowsInformation 0x2244 0x1c
SLGetWindowsInformationDWORD 0x239c 0x1d
SLInstallLicense 0x6b8a 0x1e
SLInstallProofOfPurchase 0x6bb9 0x1f
SLInstallSAMLicense 0x66ee 0x3
SLIsWindowsGenuineLocal 0x2914 0x20
SLOpen 0x6bf6 0x21
SLReArmWindows 0x2520 0x22
SLRegisterEvent 0x6c21 0x23
SLRegisterWindowsEvent 0x2440 0x24
SLSetCurrentProductKey 0x6c64 0x25
SLSetGenuineInformation 0x6c98 0x26
SLUninstallLicense 0x6cc8 0x27
SLUninstallProofOfPurchase 0x6cfb 0x28
SLUninstallSAMLicense 0x671e 0x4
SLUnregisterEvent 0x6d2d 0x29
SLUnregisterWindowsEvent 0x24b0 0x2a
SLpCheckProductKey 0x2768 0x5
SLpGetGenuineLocal 0x6760 0x6
SLpUpdateComponentTokens 0x27cc 0x7
\\?\C:\Windows \system32\ReAgent.dll Dropped File Binary
clean
MIME Type application/vnd.microsoft.portable-executable
File Size 306.50 KB
MD5 09c6b9c0add24c459631250bf031a382
SHA1 101e1b838c316265ca56a4610ff9a7e9e3ba6e56
SHA256 e2b09cfdead0313843c3dbf5233833c1d9c80a33078bf4739760b64fb1fd524a
SSDeep 6144:pBqIMuKSUaAK76t3PTnqXVM0uOLzUeEnma1u9ft:VKSzAKmRqXXuEUe8j1+
ImpHash bc460506e7d6e6d7b645e8100287fad8
PE Information
Image Base 0x7ff35ba0000
Entry Point 0x7ff35bc9a74
Size Of Code 0x48000
Size Of Initialized Data 0x4e00
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2010-11-20 13:13:39+00:00
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Microsoft Windows Recovery Agent DLL
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName reagent.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename reagent.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7601.17514
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x7ff35ba1000 0x47eae 0x48000 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.39
.data 0x7ff35be9000 0x8f8 0x200 0x48400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.95
.pdata 0x7ff35bea000 0x1d34 0x1e00 0x48600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.56
.rsrc 0x7ff35bec000 0x1ac8 0x1c00 0x4a400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.41
.reloc 0x7ff35bee000 0x9ec 0xa00 0x4c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 2.04
Imports (11)
msvcrt.dll (32)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_atoi64 - 0x7ff35ba13b0 0x47a18 0x46e18 0xa6
atol - 0x7ff35ba13b8 0x47a20 0x46e20 0x40f
_wcsicmp - 0x7ff35ba13c0 0x47a28 0x46e28 0x379
_vsnprintf - 0x7ff35ba13c8 0x47a30 0x46e30 0x352
malloc - 0x7ff35ba13d0 0x47a38 0x46e38 0x474
_initterm - 0x7ff35ba13d8 0x47a40 0x46e40 0x16c
free - 0x7ff35ba13e0 0x47a48 0x46e48 0x43a
_amsg_exit - 0x7ff35ba13e8 0x47a50 0x46e50 0xa0
??3@YAXPEAX@Z - 0x7ff35ba13f0 0x47a58 0x46e58 0x15
_vsnwprintf - 0x7ff35ba13f8 0x47a60 0x46e60 0x358
memset - 0x7ff35ba1400 0x47a68 0x46e68 0x484
_snwscanf_s - 0x7ff35ba1408 0x47a70 0x46e70 0x2ca
_wcslwr - 0x7ff35ba1410 0x47a78 0x46e78 0x37d
_wcsupr - 0x7ff35ba1418 0x47a80 0x46e80 0x394
__C_specific_handler - 0x7ff35ba1420 0x47a88 0x46e88 0x53
memcpy - 0x7ff35ba1428 0x47a90 0x46e90 0x480
memcmp - 0x7ff35ba1430 0x47a98 0x46e98 0x47f
??2@YAPEAX_K@Z - 0x7ff35ba1438 0x47aa0 0x46ea0 0x13
_purecall - 0x7ff35ba1440 0x47aa8 0x46ea8 0x28d
_XcptFilter - 0x7ff35ba1448 0x47ab0 0x46eb0 0x52
swprintf_s - 0x7ff35ba1450 0x47ab8 0x46eb8 0x4ca
memmove - 0x7ff35ba1458 0x47ac0 0x46ec0 0x482
wcstoul - 0x7ff35ba1460 0x47ac8 0x46ec8 0x509
_wcsnicmp - 0x7ff35ba1468 0x47ad0 0x46ed0 0x383
wcscat_s - 0x7ff35ba1470 0x47ad8 0x46ed8 0x4ee
wcscpy_s - 0x7ff35ba1478 0x47ae0 0x46ee0 0x4f3
wcschr - 0x7ff35ba1480 0x47ae8 0x46ee8 0x4ef
_ultow_s - 0x7ff35ba1488 0x47af0 0x46ef0 0x32a
wcsrchr - 0x7ff35ba1490 0x47af8 0x46ef8 0x4fe
wcsstr - 0x7ff35ba1498 0x47b00 0x46f00 0x502
strncmp - 0x7ff35ba14a0 0x47b08 0x46f08 0x4bb
wcsnlen - 0x7ff35ba14a8 0x47b10 0x46f10 0x4fc
ntdll.dll (56)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
NtSetValueKey - 0x7ff35ba14b8 0x47b20 0x46f20 0x20b
RtlCaptureContext - 0x7ff35ba14c0 0x47b28 0x46f28 0x27b
RtlLookupFunctionEntry - 0x7ff35ba14c8 0x47b30 0x46f30 0x402
RtlVirtualUnwind - 0x7ff35ba14d0 0x47b38 0x46f38 0x4f1
RtlNtStatusToDosError - 0x7ff35ba14d8 0x47b40 0x46f40 0x415
RtlGUIDFromString - 0x7ff35ba14e0 0x47b48 0x46f48 0x352
RtlStringFromGUID - 0x7ff35ba14e8 0x47b50 0x46f50 0x4aa
NtQuerySystemInformation - 0x7ff35ba14f0 0x47b58 0x46f58 0x1aa
RtlFreeHeap - 0x7ff35ba14f8 0x47b60 0x46f60 0x34b
RtlInitUnicodeString - 0x7ff35ba1500 0x47b68 0x46f68 0x3a3
RtlFreeUnicodeString - 0x7ff35ba1508 0x47b70 0x46f70 0x350
RtlAllocateHeap - 0x7ff35ba1510 0x47b78 0x46f78 0x265
NtOpenFile - 0x7ff35ba1518 0x47b80 0x46f80 0x158
NtDeviceIoControlFile - 0x7ff35ba1520 0x47b88 0x46f88 0x10f
NtWaitForSingleObject - 0x7ff35ba1528 0x47b90 0x46f90 0x22c
NtCreateEvent - 0x7ff35ba1530 0x47b98 0x46f98 0xe4
NtQueryKey - 0x7ff35ba1538 0x47ba0 0x46fa0 0x199
NtEnumerateKey - 0x7ff35ba1540 0x47ba8 0x46fa8 0x118
NtQueryAttributesFile - 0x7ff35ba1548 0x47bb0 0x46fb0 0x17e
NtOpenKey - 0x7ff35ba1550 0x47bb8 0x46fb8 0x15b
RtlCreateAcl - 0x7ff35ba1558 0x47bc0 0x46fc0 0x2ac
NtUnloadKey - 0x7ff35ba1560 0x47bc8 0x46fc8 0x221
RtlFreeSid - 0x7ff35ba1568 0x47bd0 0x46fd0 0x34e
RtlSetDaclSecurityDescriptor - 0x7ff35ba1570 0x47bd8 0x46fd8 0x480
NtDeleteValueKey - 0x7ff35ba1578 0x47be0 0x46fe0 0x10e
NtLoadKey - 0x7ff35ba1580 0x47be8 0x46fe8 0x141
NtOpenThreadToken - 0x7ff35ba1588 0x47bf0 0x46ff0 0x16c
NtCreateKey - 0x7ff35ba1590 0x47bf8 0x46ff8 0xea
RtlLengthSecurityDescriptor - 0x7ff35ba1598 0x47c00 0x47000 0x3ed
RtlAddAccessAllowedAceEx - 0x7ff35ba15a0 0x47c08 0x47008 0x24b
NtOpenProcessToken - 0x7ff35ba15a8 0x47c10 0x47010 0x164
NtSetSecurityObject - 0x7ff35ba15b0 0x47c18 0x47018 0x200
NtQueryValueKey - 0x7ff35ba15b8 0x47c20 0x47020 0x1af
NtAdjustPrivilegesToken - 0x7ff35ba15c0 0x47c28 0x47028 0xb0
NtDeleteKey - 0x7ff35ba15c8 0x47c30 0x47030 0x10b
RtlAllocateAndInitializeSid - 0x7ff35ba15d0 0x47c38 0x47038 0x263
RtlLengthSid - 0x7ff35ba15d8 0x47c40 0x47040 0x3ee
RtlCreateSecurityDescriptor - 0x7ff35ba15e0 0x47c48 0x47048 0x2bd
RtlSetOwnerSecurityDescriptor - 0x7ff35ba15e8 0x47c50 0x47050 0x48d
NtAllocateUuids - 0x7ff35ba15f0 0x47c58 0x47058 0xb6
RtlInitAnsiString - 0x7ff35ba15f8 0x47c60 0x47060 0x39a
NtOpenSymbolicLinkObject - 0x7ff35ba1600 0x47c68 0x47068 0x16a
LdrGetProcedureAddress - 0x7ff35ba1608 0x47c70 0x47070 0x74
NtQuerySymbolicLinkObject - 0x7ff35ba1610 0x47c78 0x47078 0x1a7
LdrGetDllHandle - 0x7ff35ba1618 0x47c80 0x47080 0x6d
NtResetEvent - 0x7ff35ba1620 0x47c88 0x47088 0x1d1
NtYieldExecution - 0x7ff35ba1628 0x47c90 0x47090 0x235
DbgPrintEx - 0x7ff35ba1630 0x47c98 0x47098 0x21
RtlReAllocateHeap - 0x7ff35ba1638 0x47ca0 0x470a0 0x44b
RtlDowncaseUnicodeChar - 0x7ff35ba1640 0x47ca8 0x470a8 0x306
RtlCompareMemory - 0x7ff35ba1648 0x47cb0 0x470b0 0x28b
RtlRaiseStatus - 0x7ff35ba1650 0x47cb8 0x470b8 0x448
NtClose - 0x7ff35ba1658 0x47cc0 0x470c0 0xd6
WinSqmSetString - 0x7ff35ba1660 0x47cc8 0x470c8 0x583
WinSqmSetDWORD - 0x7ff35ba1668 0x47cd0 0x470d0 0x57e
WinSqmIncrementDWORD - 0x7ff35ba1670 0x47cd8 0x470d8 0x57b
KERNEL32.dll (71)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
HeapAlloc - 0x7ff35ba10f8 0x47760 0x46b60 0x2d4
GetVersionExW - 0x7ff35ba1100 0x47768 0x46b68 0x2ac
GetLastError - 0x7ff35ba1108 0x47770 0x46b70 0x206
HeapFree - 0x7ff35ba1110 0x47778 0x46b78 0x2d8
CreateFileW - 0x7ff35ba1118 0x47780 0x46b80 0x8f
CloseHandle - 0x7ff35ba1120 0x47788 0x46b88 0x52
GetSystemDirectoryW - 0x7ff35ba1128 0x47790 0x46b90 0x276
InitializeCriticalSection - 0x7ff35ba1130 0x47798 0x46b98 0x2ec
TlsAlloc - 0x7ff35ba1138 0x477a0 0x46ba0 0x4d4
TlsSetValue - 0x7ff35ba1140 0x477a8 0x46ba8 0x4d7
DeleteCriticalSection - 0x7ff35ba1148 0x477b0 0x46bb0 0xd2
TlsFree - 0x7ff35ba1150 0x477b8 0x46bb8 0x4d5
SetLastError - 0x7ff35ba1158 0x477c0 0x46bc0 0x47f
DeleteFileW - 0x7ff35ba1160 0x477c8 0x46bc8 0xd7
GetFileAttributesExW - 0x7ff35ba1168 0x477d0 0x46bd0 0x1ec
MultiByteToWideChar - 0x7ff35ba1170 0x477d8 0x46bd8 0x369
EnterCriticalSection - 0x7ff35ba1178 0x477e0 0x46be0 0xf2
LeaveCriticalSection - 0x7ff35ba1180 0x477e8 0x46be8 0x33c
GetFileSize - 0x7ff35ba1188 0x477f0 0x46bf0 0x1f5
ReadFile - 0x7ff35ba1190 0x477f8 0x46bf8 0x3c3
SetEndOfFile - 0x7ff35ba1198 0x47800 0x46c00 0x461
WriteFile - 0x7ff35ba11a0 0x47808 0x46c08 0x535
GetCurrentProcess - 0x7ff35ba11a8 0x47810 0x46c10 0x1c6
SetFileAttributesW - 0x7ff35ba11b0 0x47818 0x46c18 0x46e
TlsGetValue - 0x7ff35ba11b8 0x47820 0x46c20 0x4d6
GetFileAttributesW - 0x7ff35ba11c0 0x47828 0x46c28 0x1ef
GetFullPathNameW - 0x7ff35ba11c8 0x47830 0x46c30 0x200
GetProcessHeap - 0x7ff35ba11d0 0x47838 0x46c38 0x24f
GetVolumeNameForVolumeMountPointW - 0x7ff35ba11d8 0x47840 0x46c40 0x2b1
DeviceIoControl - 0x7ff35ba11e0 0x47848 0x46c48 0xe1
FindFirstVolumeW - 0x7ff35ba11e8 0x47850 0x46c50 0x145
GetDriveTypeW - 0x7ff35ba11f0 0x47858 0x46c58 0x1da
GetDiskFreeSpaceExW - 0x7ff35ba11f8 0x47860 0x46c60 0x1d5
FindNextVolumeW - 0x7ff35ba1200 0x47868 0x46c68 0x150
FindVolumeClose - 0x7ff35ba1208 0x47870 0x46c70 0x156
GetFileInformationByHandle - 0x7ff35ba1210 0x47878 0x46c78 0x1f1
CreateDirectoryW - 0x7ff35ba1218 0x47880 0x46c80 0x81
CopyFileW - 0x7ff35ba1220 0x47888 0x46c88 0x75
MoveFileExW - 0x7ff35ba1228 0x47890 0x46c90 0x362
RemoveDirectoryW - 0x7ff35ba1230 0x47898 0x46c98 0x406
CreateFileMappingW - 0x7ff35ba1238 0x478a0 0x46ca0 0x8c
MapViewOfFile - 0x7ff35ba1240 0x478a8 0x46ca8 0x359
UnmapViewOfFile - 0x7ff35ba1248 0x478b0 0x46cb0 0x4e6
GetVolumePathNamesForVolumeNameW - 0x7ff35ba1250 0x478b8 0x46cb8 0x2b5
SetErrorMode - 0x7ff35ba1258 0x478c0 0x46cc0 0x466
FindFirstFileW - 0x7ff35ba1260 0x478c8 0x46cc8 0x13f
CopyFileExW - 0x7ff35ba1268 0x478d0 0x46cd0 0x72
FindNextFileW - 0x7ff35ba1270 0x478d8 0x46cd8 0x14b
FindClose - 0x7ff35ba1278 0x478e0 0x46ce0 0x134
GetModuleFileNameW - 0x7ff35ba1280 0x478e8 0x46ce8 0x218
GetModuleHandleW - 0x7ff35ba1288 0x478f0 0x46cf0 0x21c
CreateActCtxW - 0x7ff35ba1290 0x478f8 0x46cf8 0x78
ActivateActCtx - 0x7ff35ba1298 0x47900 0x46d00 0x2
DeactivateActCtx - 0x7ff35ba12a0 0x47908 0x46d08 0xc5
ReleaseActCtx - 0x7ff35ba12a8 0x47910 0x46d10 0x3fc
GetVolumePathNameW - 0x7ff35ba12b0 0x47918 0x46d18 0x2b3
QueryPerformanceCounter - 0x7ff35ba12b8 0x47920 0x46d20 0x3a9
GetTickCount - 0x7ff35ba12c0 0x47928 0x46d28 0x299
GetCurrentThreadId - 0x7ff35ba12c8 0x47930 0x46d30 0x1cb
GetCurrentProcessId - 0x7ff35ba12d0 0x47938 0x46d38 0x1c7
GetSystemTimeAsFileTime - 0x7ff35ba12d8 0x47940 0x46d40 0x27f
TerminateProcess - 0x7ff35ba12e0 0x47948 0x46d48 0x4cf
UnhandledExceptionFilter - 0x7ff35ba12e8 0x47950 0x46d50 0x4e3
SetUnhandledExceptionFilter - 0x7ff35ba12f0 0x47958 0x46d58 0x4b3
Sleep - 0x7ff35ba12f8 0x47960 0x46d60 0x4c1
FreeLibrary - 0x7ff35ba1300 0x47968 0x46d68 0x168
VirtualAlloc - 0x7ff35ba1308 0x47970 0x46d70 0x4f9
VirtualFree - 0x7ff35ba1310 0x47978 0x46d78 0x4fc
GetCurrentThread - 0x7ff35ba1318 0x47980 0x46d80 0x1ca
GetProcAddress - 0x7ff35ba1320 0x47988 0x46d88 0x24a
LoadLibraryW - 0x7ff35ba1328 0x47990 0x46d90 0x342
ADVAPI32.dll (28)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EventRegister - 0x7ff35ba1000 0x47668 0x46a68 0x10e
SetThreadToken - 0x7ff35ba1008 0x47670 0x46a70 0x2c1
OpenThreadToken - 0x7ff35ba1010 0x47678 0x46a78 0x1fc
UnregisterTraceGuids - 0x7ff35ba1018 0x47680 0x46a80 0x302
RegisterTraceGuidsW - 0x7ff35ba1020 0x47688 0x46a88 0x28a
GetTraceEnableFlags - 0x7ff35ba1028 0x47690 0x46a90 0x15b
GetTraceEnableLevel - 0x7ff35ba1030 0x47698 0x46a98 0x15c
GetTraceLoggerHandle - 0x7ff35ba1038 0x476a0 0x46aa0 0x15d
EventUnregister - 0x7ff35ba1040 0x476a8 0x46aa8 0x10f
EventWrite - 0x7ff35ba1048 0x476b0 0x46ab0 0x110
DuplicateTokenEx - 0x7ff35ba1050 0x476b8 0x46ab8 0xdf
ConvertStringSecurityDescriptorToSecurityDescriptorW - 0x7ff35ba1058 0x476c0 0x46ac0 0x72
FreeSid - 0x7ff35ba1060 0x476c8 0x46ac8 0x120
SetNamedSecurityInfoW - 0x7ff35ba1068 0x476d0 0x46ad0 0x2b1
AddAccessAllowedAceEx - 0x7ff35ba1070 0x476d8 0x46ad8 0x11
InitializeAcl - 0x7ff35ba1078 0x476e0 0x46ae0 0x176
GetLengthSid - 0x7ff35ba1080 0x476e8 0x46ae8 0x136
AllocateAndInitializeSid - 0x7ff35ba1088 0x476f0 0x46af0 0x20
AdjustTokenPrivileges - 0x7ff35ba1090 0x476f8 0x46af8 0x1f
LookupPrivilegeValueW - 0x7ff35ba1098 0x47700 0x46b00 0x197
OpenProcessToken - 0x7ff35ba10a0 0x47708 0x46b08 0x1f7
RegSetValueExW - 0x7ff35ba10a8 0x47710 0x46b10 0x27e
RegQueryValueExW - 0x7ff35ba10b0 0x47718 0x46b18 0x26e
RegDeleteKeyW - 0x7ff35ba10b8 0x47720 0x46b20 0x244
RegCloseKey - 0x7ff35ba10c0 0x47728 0x46b28 0x230
RegCreateKeyExW - 0x7ff35ba10c8 0x47730 0x46b30 0x239
RegOpenKeyExW - 0x7ff35ba10d0 0x47738 0x46b38 0x261
TraceMessage - 0x7ff35ba10d8 0x47740 0x46b40 0x2f6
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SendMessageW - 0x7ff35ba1370 0x479d8 0x46dd8 0x280
COMCTL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
(by ordinal) 0x159 0x7ff35ba10e8 0x47750 0x46b50 -
imagehlp.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ImageNtHeader - 0x7ff35ba13a0 0x47a08 0x46e08 0x19
ole32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoCreateInstance - 0x7ff35ba1680 0x47ce8 0x470e8 0x14
CoUninitialize - 0x7ff35ba1688 0x47cf0 0x470f0 0x70
CoInitializeEx - 0x7ff35ba1690 0x47cf8 0x470f8 0x43
OLEAUT32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysAllocString 0x2 0x7ff35ba1338 0x479a0 0x46da0 -
VariantClear 0x9 0x7ff35ba1340 0x479a8 0x46da8 -
SysFreeString 0x6 0x7ff35ba1348 0x479b0 0x46db0 -
VariantInit 0x8 0x7ff35ba1350 0x479b8 0x46db8 -
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShellExecuteExW - 0x7ff35ba1360 0x479c8 0x46dc8 0x121
WDSCORE.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WdsSetupLogMessageW - 0x7ff35ba1380 0x479e8 0x46de8 0x97
CurrentIP - 0x7ff35ba1388 0x479f0 0x46df0 0x46
ConstructPartialMsgVW - 0x7ff35ba1390 0x479f8 0x46df8 0x45
Exports (24)
Api name EAT Address Ordinal
WinRE_Generalize 0xbe04 0x1
WinReAddLogFile 0x1684c 0x2
WinReCompleteRecovery 0x175c8 0x3
WinReCopyLogFilesToRamdisk 0x16b34 0x4
WinReCopySetupFiles 0x15284 0x5
WinReCreateLogInstance 0x162c4 0x6
WinReCreateLogInstanceEx 0x162f0 0x7
WinReDeleteLogFiles 0x16604 0x8
WinReGetConfig 0xa464 0x9
WinReGetGroupPolicies 0x99f8 0xa
WinReGetLogFile 0x29e70 0xb
WinReGetWIMInfo 0xbfe8 0xc
WinReInstall 0xb518 0xd
WinReIsInstallMedia 0x14d38 0xe
WinReOpenLogInstance 0x163d0 0xf
WinRePostRecovery 0x16e6c 0x10
WinReRestoreLogFiles 0x16b64 0x11
WinReSetConfig 0xab00 0x12
WinReSetRecoveryAction 0xa7a8 0x13
WinReSetRecoveryActionEx 0xa7b8 0x14
WinReUnInstall 0xbdbc 0x15
WinReUpdateLogInstance 0x16680 0x16
winreFindInstallMedia 0x14af0 0x17
winreGetBinaryArch 0x149a4 0x18
\\?\C:\Windows \system32\recdisc.exe Dropped File Binary
clean
Known to be clean.
MIME Type application/vnd.microsoft.portable-executable
File Size 232.50 KB
MD5 f3b306179f1840c0813dc6771b018358
SHA1 dec7ce3c13f7a684cb52ae6007c99cf03afef005
SHA256 dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0
SSDeep 6144:D7h5wk5lJ5OP4jCT6l1WwEAFegEv+2VU:D7TBXoP4b9eg+n
ImpHash 08dd025610e19fc7ab2cb36bb94cbce9
PE Information
Image Base 0x100000000
Entry Point 0x1000244b0
Size Of Code 0x27000
Size Of Initialized Data 0x13600
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.amd64
Compile Timestamp 2010-11-20 09:46:54+00:00
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Microsoft® Windows Repair Disc
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName recdisc.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename recdisc.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7601.17514
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x100001000 0x26ff6 0x27000 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.59
.data 0x100028000 0x1620 0x1000 0x27400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.62
.pdata 0x10002a000 0xf00 0x1000 0x28400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.15
.rsrc 0x10002b000 0x10730 0x10800 0x29400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.14
.reloc 0x10003c000 0x402 0x600 0x39c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 2.07
Imports (12)
ADVAPI32.dll (20)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
TraceMessage - 0x100001000 0x26918 0x25d18 0x2f6
GetTraceLoggerHandle - 0x100001008 0x26920 0x25d20 0x15d
GetTraceEnableLevel - 0x100001010 0x26928 0x25d28 0x15c
GetTraceEnableFlags - 0x100001018 0x26930 0x25d30 0x15b
RegisterTraceGuidsW - 0x100001020 0x26938 0x25d38 0x28a
ConvertStringSecurityDescriptorToSecurityDescriptorW - 0x100001028 0x26940 0x25d40 0x72
RegOpenKeyExW - 0x100001030 0x26948 0x25d48 0x261
CloseTrace - 0x100001038 0x26950 0x25d50 0x59
OpenProcessToken - 0x100001040 0x26958 0x25d58 0x1f7
RegCloseKey - 0x100001048 0x26960 0x25d60 0x230
RegCreateKeyExW - 0x100001050 0x26968 0x25d68 0x239
DuplicateToken - 0x100001058 0x26970 0x25d70 0xde
RegSetValueExW - 0x100001060 0x26978 0x25d78 0x27e
RegQueryValueExW - 0x100001068 0x26980 0x25d80 0x26e
CreateWellKnownSid - 0x100001070 0x26988 0x25d88 0x83
GetTokenInformation - 0x100001078 0x26990 0x25d90 0x15a
CheckTokenMembership - 0x100001080 0x26998 0x25d98 0x51
EnableTrace - 0x100001088 0x269a0 0x25da0 0xf5
StartTraceW - 0x100001090 0x269a8 0x25da8 0x2cb
ControlTraceW - 0x100001098 0x269b0 0x25db0 0x60
KERNEL32.dll (50)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateThread - 0x1000010d8 0x269f0 0x25df0 0xb4
GetVolumePathNameW - 0x1000010e0 0x269f8 0x25df8 0x2b3
GetVolumePathNamesForVolumeNameW - 0x1000010e8 0x26a00 0x25e00 0x2b5
LoadLibraryExW - 0x1000010f0 0x26a08 0x25e08 0x341
GetDiskFreeSpaceExW - 0x1000010f8 0x26a10 0x25e10 0x1d5
GetDriveTypeW - 0x100001100 0x26a18 0x25e18 0x1da
MoveFileExW - 0x100001108 0x26a20 0x25e20 0x362
DeviceIoControl - 0x100001110 0x26a28 0x25e28 0xe1
WakeAllConditionVariable - 0x100001118 0x26a30 0x25e30 0x511
GetLogicalDriveStringsW - 0x100001120 0x26a38 0x25e38 0x20c
GetTempPathW - 0x100001128 0x26a40 0x25e40 0x28b
CreateFileW - 0x100001130 0x26a48 0x25e48 0x8f
FindClose - 0x100001138 0x26a50 0x25e50 0x134
FindNextFileW - 0x100001140 0x26a58 0x25e58 0x14b
FindFirstFileW - 0x100001148 0x26a60 0x25e60 0x13f
FormatMessageW - 0x100001150 0x26a68 0x25e68 0x164
GetVolumeNameForVolumeMountPointW - 0x100001158 0x26a70 0x25e70 0x2b1
GetFileMUIPath - 0x100001160 0x26a78 0x25e78 0x1f4
lstrlenW - 0x100001168 0x26a80 0x25e80 0x562
CreateEventW - 0x100001170 0x26a88 0x25e88 0x85
DeleteCriticalSection - 0x100001178 0x26a90 0x25e90 0xd2
InitializeCriticalSectionAndSpinCount - 0x100001180 0x26a98 0x25e98 0x2ed
InitializeConditionVariable - 0x100001188 0x26aa0 0x25ea0 0x2ea
EnterCriticalSection - 0x100001190 0x26aa8 0x25ea8 0xf2
LeaveCriticalSection - 0x100001198 0x26ab0 0x25eb0 0x33c
ExpandEnvironmentStringsW - 0x1000011a0 0x26ab8 0x25eb8 0x123
VerifyVersionInfoW - 0x1000011a8 0x26ac0 0x25ec0 0x4f8
VerSetConditionMask - 0x1000011b0 0x26ac8 0x25ec8 0x4f4
GetNativeSystemInfo - 0x1000011b8 0x26ad0 0x25ed0 0x229
CloseHandle - 0x1000011c0 0x26ad8 0x25ed8 0x52
TerminateProcess - 0x1000011c8 0x26ae0 0x25ee0 0x4cf
SetErrorMode - 0x1000011d0 0x26ae8 0x25ee8 0x466
GetCurrentProcess - 0x1000011d8 0x26af0 0x25ef0 0x1c6
GetCommandLineW - 0x1000011e0 0x26af8 0x25ef8 0x18d
LocalFree - 0x1000011e8 0x26b00 0x25f00 0x34b
GetLastError - 0x1000011f0 0x26b08 0x25f08 0x206
CreateDirectoryW - 0x1000011f8 0x26b10 0x25f10 0x81
DeleteFileW - 0x100001200 0x26b18 0x25f18 0xd7
GetFileAttributesW - 0x100001208 0x26b20 0x25f20 0x1ef
FreeLibrary - 0x100001210 0x26b28 0x25f28 0x168
Sleep - 0x100001218 0x26b30 0x25f30 0x4c1
GetStartupInfoW - 0x100001220 0x26b38 0x25f38 0x269
SetUnhandledExceptionFilter - 0x100001228 0x26b40 0x25f40 0x4b3
GetModuleHandleW - 0x100001230 0x26b48 0x25f48 0x21c
QueryPerformanceCounter - 0x100001238 0x26b50 0x25f50 0x3a9
GetTickCount - 0x100001240 0x26b58 0x25f58 0x299
GetCurrentThreadId - 0x100001248 0x26b60 0x25f60 0x1cb
GetCurrentProcessId - 0x100001250 0x26b68 0x25f68 0x1c7
GetSystemTimeAsFileTime - 0x100001258 0x26b70 0x25f70 0x27f
UnhandledExceptionFilter - 0x100001260 0x26b78 0x25f78 0x4e3
USER32.dll (21)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ChangeWindowMessageFilterEx - 0x100001330 0x26c48 0x26048 0x2a
RegisterWindowMessageW - 0x100001338 0x26c50 0x26050 0x267
SetWindowLongPtrW - 0x100001340 0x26c58 0x26058 0x2cb
GetWindowLongPtrW - 0x100001348 0x26c60 0x26060 0x199
DialogBoxParamW - 0x100001350 0x26c68 0x26068 0xac
GetDlgItem - 0x100001358 0x26c70 0x26070 0x129
DestroyIcon - 0x100001360 0x26c78 0x26078 0xa3
SendMessageW - 0x100001368 0x26c80 0x26080 0x280
GetSystemMetrics - 0x100001370 0x26c88 0x26088 0x180
GetWindowLongW - 0x100001378 0x26c90 0x26090 0x19a
IsWindow - 0x100001380 0x26c98 0x26098 0x1df
SetWindowTextW - 0x100001388 0x26ca0 0x260a0 0x2d3
ShowWindow - 0x100001390 0x26ca8 0x260a8 0x2e7
MessageBoxW - 0x100001398 0x26cb0 0x260b0 0x219
EndDialog - 0x1000013a0 0x26cb8 0x260b8 0xda
GetLastActivePopup - 0x1000013a8 0x26cc0 0x260c0 0x146
SetFocus - 0x1000013b0 0x26cc8 0x260c8 0x298
PostMessageW - 0x1000013b8 0x26cd0 0x260d0 0x23a
EnableWindow - 0x1000013c0 0x26cd8 0x260d8 0xd8
LoadIconW - 0x1000013c8 0x26ce0 0x260e0 0x1f1
LoadStringW - 0x1000013d0 0x26ce8 0x260e8 0x1fe
msvcrt.dll (41)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
??_V@YAXPEAX@Z - 0x1000013e0 0x26cf8 0x260f8 0x24
??3@YAXPEAX@Z - 0x1000013e8 0x26d00 0x26100 0x15
??_U@YAPEAX_K@Z - 0x1000013f0 0x26d08 0x26108 0x22
_wcsnicmp - 0x1000013f8 0x26d10 0x26110 0x383
wcschr - 0x100001400 0x26d18 0x26118 0x4ef
_vsnwprintf - 0x100001408 0x26d20 0x26120 0x358
memmove - 0x100001410 0x26d28 0x26128 0x482
wcsstr - 0x100001418 0x26d30 0x26130 0x502
wcsrchr - 0x100001420 0x26d38 0x26138 0x4fe
_vscwprintf - 0x100001428 0x26d40 0x26140 0x34f
iswspace - 0x100001430 0x26d48 0x26148 0x466
__setusermatherr - 0x100001438 0x26d50 0x26150 0x82
_commode - 0x100001440 0x26d58 0x26158 0xc4
_fmode - 0x100001448 0x26d60 0x26160 0x118
__set_app_type - 0x100001450 0x26d68 0x26168 0x80
?terminate@@YAXXZ - 0x100001458 0x26d70 0x26170 0x30
memcpy - 0x100001460 0x26d78 0x26178 0x480
memcmp - 0x100001468 0x26d80 0x26180 0x47f
_snwscanf_s - 0x100001470 0x26d88 0x26188 0x2ca
_wcslwr - 0x100001478 0x26d90 0x26190 0x37d
_wcsupr - 0x100001480 0x26d98 0x26198 0x394
wcsnlen - 0x100001488 0x26da0 0x261a0 0x4fc
strncmp - 0x100001490 0x26da8 0x261a8 0x4bb
_ultow_s - 0x100001498 0x26db0 0x261b0 0x32a
wcscpy_s - 0x1000014a0 0x26db8 0x261b8 0x4f3
wcscat_s - 0x1000014a8 0x26dc0 0x261c0 0x4ee
wcstoul - 0x1000014b0 0x26dc8 0x261c8 0x509
swprintf_s - 0x1000014b8 0x26dd0 0x261d0 0x4ca
??2@YAPEAX_K@Z - 0x1000014c0 0x26dd8 0x261d8 0x13
_wcsicmp - 0x1000014c8 0x26de0 0x261e0 0x379
__getmainargs - 0x1000014d0 0x26de8 0x261e8 0x71
__C_specific_handler - 0x1000014d8 0x26df0 0x261f0 0x53
_XcptFilter - 0x1000014e0 0x26df8 0x261f8 0x52
_exit - 0x1000014e8 0x26e00 0x26200 0xff
_ismbblead - 0x1000014f0 0x26e08 0x26208 0x188
_cexit - 0x1000014f8 0x26e10 0x26210 0xb3
exit - 0x100001500 0x26e18 0x26218 0x420
_acmdln - 0x100001508 0x26e20 0x26220 0x94
_initterm - 0x100001510 0x26e28 0x26228 0x16c
memset - 0x100001518 0x26e30 0x26230 0x484
_amsg_exit - 0x100001520 0x26e38 0x26238 0xa0
SHELL32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetDesktopFolder - 0x1000012c0 0x26bd8 0x25fd8 0xb6
(by ordinal) 0x9b 0x1000012c8 0x26be0 0x25fe0 -
SHParseDisplayName - 0x1000012d0 0x26be8 0x25fe8 0xf6
SHGetFileInfoW - 0x1000012d8 0x26bf0 0x25ff0 0xbd
CommandLineToArgvW - 0x1000012e0 0x26bf8 0x25ff8 0x6
ole32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoCreateInstance - 0x1000016d8 0x26ff0 0x263f0 0x14
CoCreateGuid - 0x1000016e0 0x26ff8 0x263f8 0x13
CoWaitForMultipleHandles - 0x1000016e8 0x27000 0x26400 0x77
CoInitializeEx - 0x1000016f0 0x27008 0x26408 0x43
CoUninitialize - 0x1000016f8 0x27010 0x26410 0x70
CoTaskMemFree - 0x100001700 0x27018 0x26418 0x6c
CoTaskMemAlloc - 0x100001708 0x27020 0x26420 0x6b
CoTaskMemRealloc - 0x100001710 0x27028 0x26428 0x6d
OLEAUT32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysAllocStringLen 0x4 0x100001270 0x26b88 0x25f88 -
SysStringLen 0x7 0x100001278 0x26b90 0x25f90 -
SysAllocString 0x2 0x100001280 0x26b98 0x25f98 -
VariantClear 0x9 0x100001288 0x26ba0 0x25fa0 -
LoadRegTypeLib 0xa2 0x100001290 0x26ba8 0x25fa8 -
DispCallFunc 0x92 0x100001298 0x26bb0 0x25fb0 -
SysFreeString 0x6 0x1000012a0 0x26bb8 0x25fb8 -
ntdll.dll (52)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RtlGetLastNtStatus - 0x100001530 0x26e48 0x26248 0x36e
NtQuerySystemInformation - 0x100001538 0x26e50 0x26250 0x1aa
WinSqmAddToStream - 0x100001540 0x26e58 0x26258 0x56b
RtlInitUnicodeString - 0x100001548 0x26e60 0x26260 0x3a3
RtlNtStatusToDosError - 0x100001550 0x26e68 0x26268 0x415
EtwTraceMessage - 0x100001558 0x26e70 0x26270 0x4f
RtlCaptureContext - 0x100001560 0x26e78 0x26278 0x27b
RtlLookupFunctionEntry - 0x100001568 0x26e80 0x26280 0x402
RtlVirtualUnwind - 0x100001570 0x26e88 0x26288 0x4f1
NtSetInformationFile - 0x100001578 0x26e90 0x26290 0x1ee
NtAllocateUuids - 0x100001580 0x26e98 0x26298 0xb6
NtResetEvent - 0x100001588 0x26ea0 0x262a0 0x1d1
LdrGetDllHandle - 0x100001590 0x26ea8 0x262a8 0x6d
NtQueryInformationFile - 0x100001598 0x26eb0 0x262b0 0x18c
NtClose - 0x1000015a0 0x26eb8 0x262b8 0xd6
RtlAllocateHeap - 0x1000015a8 0x26ec0 0x262c0 0x265
NtOpenFile - 0x1000015b0 0x26ec8 0x262c8 0x158
RtlStringFromGUID - 0x1000015b8 0x26ed0 0x262d0 0x4aa
RtlFreeUnicodeString - 0x1000015c0 0x26ed8 0x262d8 0x350
RtlGUIDFromString - 0x1000015c8 0x26ee0 0x262e0 0x352
NtDeviceIoControlFile - 0x1000015d0 0x26ee8 0x262e8 0x10f
NtWaitForSingleObject - 0x1000015d8 0x26ef0 0x262f0 0x22c
NtCreateEvent - 0x1000015e0 0x26ef8 0x262f8 0xe4
NtQueryKey - 0x1000015e8 0x26f00 0x26300 0x199
NtEnumerateKey - 0x1000015f0 0x26f08 0x26308 0x118
NtQueryAttributesFile - 0x1000015f8 0x26f10 0x26310 0x17e
NtOpenKey - 0x100001600 0x26f18 0x26318 0x15b
RtlCreateAcl - 0x100001608 0x26f20 0x26320 0x2ac
NtUnloadKey - 0x100001610 0x26f28 0x26328 0x221
RtlFreeSid - 0x100001618 0x26f30 0x26330 0x34e
RtlSetDaclSecurityDescriptor - 0x100001620 0x26f38 0x26338 0x480
NtDeleteValueKey - 0x100001628 0x26f40 0x26340 0x10e
NtLoadKey - 0x100001630 0x26f48 0x26348 0x141
NtOpenThreadToken - 0x100001638 0x26f50 0x26350 0x16c
NtCreateKey - 0x100001640 0x26f58 0x26358 0xea
RtlLengthSecurityDescriptor - 0x100001648 0x26f60 0x26360 0x3ed
RtlAddAccessAllowedAceEx - 0x100001650 0x26f68 0x26368 0x24b
NtOpenProcessToken - 0x100001658 0x26f70 0x26370 0x164
NtSetSecurityObject - 0x100001660 0x26f78 0x26378 0x200
NtQueryValueKey - 0x100001668 0x26f80 0x26380 0x1af
NtSetValueKey - 0x100001670 0x26f88 0x26388 0x20b
NtAdjustPrivilegesToken - 0x100001678 0x26f90 0x26390 0xb0
NtDeleteKey - 0x100001680 0x26f98 0x26398 0x10b
RtlAllocateAndInitializeSid - 0x100001688 0x26fa0 0x263a0 0x263
RtlLengthSid - 0x100001690 0x26fa8 0x263a8 0x3ee
RtlCreateSecurityDescriptor - 0x100001698 0x26fb0 0x263b0 0x2bd
RtlSetOwnerSecurityDescriptor - 0x1000016a0 0x26fb8 0x263b8 0x48d
RtlInitAnsiString - 0x1000016a8 0x26fc0 0x263c0 0x39a
NtOpenSymbolicLinkObject - 0x1000016b0 0x26fc8 0x263c8 0x16a
LdrGetProcedureAddress - 0x1000016b8 0x26fd0 0x263d0 0x74
NtQuerySymbolicLinkObject - 0x1000016c0 0x26fd8 0x263d8 0x1a7
RtlFreeHeap - 0x1000016c8 0x26fe0 0x263e0 0x34b
COMCTL32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ImageList_ReplaceIcon - 0x1000010a8 0x269c0 0x25dc0 0x70
ImageList_Create - 0x1000010b0 0x269c8 0x25dc8 0x54
ImageList_Destroy - 0x1000010b8 0x269d0 0x25dd0 0x55
(by ordinal) 0x159 0x1000010c0 0x269d8 0x25dd8 -
(by ordinal) 0x158 0x1000010c8 0x269e0 0x25de0 -
SPP.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SxTracerShouldTrackFailure - 0x100001310 0x26c28 0x26028 0xb
SxTracerGetThreadContextRetail - 0x100001318 0x26c30 0x26030 0xa
SxTracerDebuggerBreak - 0x100001320 0x26c38 0x26038 0x8
SHLWAPI.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
StrRetToBufW - 0x1000012f0 0x26c08 0x26008 0x13e
SHCreateStreamOnFileEx - 0x1000012f8 0x26c10 0x26010 0xaa
SHCreateStreamOnFileW - 0x100001300 0x26c18 0x26018 0xab
ReAgent.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WinReGetConfig - 0x1000012b0 0x26bc8 0x25fc8 0x8
c:\users\keecfmwgj\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-4219442223-4223814209-3835049652-1000\4fe4574abf1bcb0f6ed6a78aa750fb2c_b9c8f16e-2e51-4052-9ecb-f86ae5d96ef6 Dropped File Stream
clean
MIME Type application/octet-stream
File Size 1.40 KB
MD5 18464d105c32b486338bde441a79f30b
SHA1 1ae3edb6771afe5916b6e5617d8eac1c2f2dd34e
SHA256 64c30ee40b2e18bf9bb8e389a20668dc5e24ce51ff2ca38d5cdf6c8a2719056f
SSDeep 24:gIr/HmTUDlmoBbQ/KltMyEV47BdJit84023JILQTOwGNrrlCuCBaMKDGkAgtvN:gIqTUDldm/KYy5BdMtp02HawOCBaVDs0
ImpHash -
c:\users\keecfmwgj\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-4219442223-4223814209-3835049652-1000\4fe4574abf1bcb0f6ed6a78aa750fb2c_b9c8f16e-2e51-4052-9ecb-f86ae5d96ef6 Dropped File Stream
clean
Known to be clean.
MIME Type application/octet-stream
File Size 1.40 KB
MD5 47004e9476902c9edf00a876de754c18
SHA1 35601f97b68e8526c97fc6e7622b8b4fb1af9592
SHA256 72275404c470b62a5ff49013e3f952d9480afd5c7e45b6c504235823da4894ae
SSDeep 3::
ImpHash -
c:\users\keecfmwgj\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-4219442223-4223814209-3835049652-1000\4fe4574abf1bcb0f6ed6a78aa750fb2c_b9c8f16e-2e51-4052-9ecb-f86ae5d96ef6 Dropped File Stream
clean
MIME Type application/octet-stream
File Size 1.42 KB
MD5 c03eabb80020413b92fde70ab4e714c7
SHA1 26d145038ba2dbd94ad683fee5e52283954cbd97
SHA256 cad9b90b73aef995edf234d8d02852519dc40d938f9fcf75d664ca69c19826fb
SSDeep 24:wIr/HmTUD5fFxe2c1oYDOlAyJ9rDRkzhURmt+w8PJX7pxDJ7td:wIqTUD3xeydlASriFURmM3ZDJ7td
ImpHash -