7713cce5...c671 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Downloader, Dropper, Trojan

Remarks (2/2)

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

Filename C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe
Category Sample File
Type Binary
Severity Malicious
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe (Dropped File)
Mime Type application/vnd.microsoft.portable-executable
File Size 442.50 KB
MD5 241f592a445513811b3bc3f104ffb2a8
SHA1 578c0a16e2428764c928db50738db2d843ca6c2f
SHA256 7713cce5768ed6d8250d01a006e26b5cfab3ff296f8c6dd8684a5142cc54c671
SSDeep 6144:3z2W1PSKq67m+2xgx08t3tmrFLLgjIv5+dHgSnSppJlV3/jKGKYoezUtyB:/u6sxgK8t9mrFL0jougpJL3/jKGxN9
ImpHash 8d3acf51068be57a00101493a8206aa2
File Reputation Information
Severity Suspicious
First Seen 2019-05-08 13:51 (UTC+2)
Last Seen 2019-05-11 14:03 (UTC+2)
Names Win32.Trojan.Kryptik
Families Kryptik
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x40311a
Size Of Code 0x9200
Size Of Initialized Data 0xc1600
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2018-01-13 04:32:05+00:00
Version Information (4)
FileVersion 1.0.0.1
InternalName odngetun.mhi
LegalCopyright Copyright (C) 2018, cfgjdyj
ProductVersion 1.0.0.1
Sections (7)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x90a0 0x9200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.67
.rdata 0x40b000 0x442b6 0x44400 0x9600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.12
.data 0x450000 0x5e760 0x2600 0x4da00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.08
.version 0x4af000 0x400 0x400 0x50000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
.version 0x4b0000 0x1001 0x400 0x50400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 0.01
.rsrc 0x4b2000 0x1c670 0x1c800 0x50800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.86
.reloc 0x4cf000 0x1876 0x1a00 0x6d000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 2.97
Imports (2)
KERNEL32.dll (82)
USER32.dll (11)
Icons (5)
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA
eb54.tmp.exe 1 0x00400000 0x004D0FFF Relevant Image - 32-bit - False False
eb54.tmp.exe 1 0x00400000 0x004D0FFF Process Termination - 32-bit - True False
Local AV Matches (1)
Threat Name Trojan.GenericKD.41271436
Severity Malicious
Filename C:\Windows\System32\drivers\etc\hosts
Category Modified File
Type Text
Severity Malicious
Mime Type text/plain
File Size 7.92 KB
MD5 360d265eddea8679c434a205f7ade7ad
SHA1 e17d843f610e0283904e201195360525ae449a68
SHA256 5a1597c0d29dd475e33cd8889d7d848037a8c17bad0f3daa022fb889e0db7ead
SSDeep 96:vDZEurK9q3WlSyU0FXmGZll0TOHyF9fAHLmttA/ZKTKdIlMHqzoCGbXx:RrK9FU0FXmGZll06m9fAH6AhKTK9Cax
File Reputation Information
Severity Suspicious
First Seen 2018-11-13 17:14 (UTC+1)
Last Seen 2019-04-05 17:42 (UTC+2)
Names Script-BAT.Trojan.Qhost
Families Qhost
Classification Trojan
Local AV Matches (1)
Threat Name Gen:Trojan.Qhost.1
Severity Malicious
Filename C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe
Category Downloaded File
Type Binary
Severity Malicious
Also Known As c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\updatewin1[1].exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 272.50 KB
MD5 5b4bd24d6240f467bfbc74803c9f15b0
SHA1 c17f98c182d299845c54069872e8137645768a1a
SHA256 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
SSDeep 6144:7qZQGv0d4dW6efSyahstfKVkW5XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXk:2ZQGXdPe6qU6W5XXnXXfXXXWXXXXHXXE
ImpHash 0bcca924efe6e6fa741675d8e687fbb3
File Reputation Information
Severity Suspicious
First Seen 2019-01-16 22:21 (UTC+1)
Last Seen 2019-05-02 03:15 (UTC+2)
Names Win32.Trojan.Kryptik
Families Kryptik
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x402d76
Size Of Code 0x1c200
Size Of Initialized Data 0x2c200
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2017-07-24 12:23:54+00:00
Version Information (3)
FileVersion 7.7.7.18
InternalName rawudiyeh.exe
LegalCopyright Copyright (C) 2018, sacuwedimufoy
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1c07e 0x1c200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.62
.rdata 0x41e000 0x463e 0x4800 0x1c600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.26
.data 0x423000 0x1c6a8 0x17400 0x20e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.83
.rsrc 0x440000 0xa578 0xa600 0x38200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.88
.reloc 0x44b000 0x1968 0x1a00 0x42800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.34
Imports (4)
KERNEL32.dll (102)
USER32.dll (10)
GDI32.dll (9)
SHELL32.dll (4)
Icons (1)
Memory Dumps (4)
Name Process ID Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA
updatewin1.exe 6 0x00400000 0x0044CFFF Relevant Image - 32-bit - False False
buffer 6 0x00505000 0x00505FFF Marked Executable - 32-bit - False False
updatewin1.exe 6 0x00400000 0x0044CFFF Process Termination - 32-bit - False False
buffer 8 0x002D5000 0x002D5FFF Marked Executable - 32-bit - False False
Local AV Matches (1)
Threat Name Trojan.GenericKD.31534187
Severity Malicious
Filename C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe
Category Downloaded File
Type Binary
Severity Malicious
Also Known As c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\updatewin2[1].exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 274.50 KB
MD5 996ba35165bb62473d2a6743a5200d45
SHA1 52169b0b5cce95c6905873b8d12a759c234bd2e0
SHA256 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
SSDeep 6144:vLgbC0mVQlY+3aKn7n4CTHcXXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXXP:vGCtQlb3aKzvT8XXnXXfXXXWXXXXHXXf
ImpHash 5921adaaf66f8c259aeda9e22686cd4b
Parser Error Remark Static analyzer was unable to completely parse the analyzed file
File Reputation Information
Severity Suspicious
First Seen 2019-01-16 22:21 (UTC+1)
Last Seen 2019-05-11 02:58 (UTC+2)
Names Win32.Trojan.Kryptik
Families Kryptik
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x402d64
Size Of Code 0x1c200
Size Of Initialized Data 0x2c800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2017-11-21 06:08:45+00:00
Version Information (3)
FileVersion 5.3.7.82
InternalName gigifaw.exe
LegalCopyright Copyright (C) 2018, guvaxiz
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1c03e 0x1c200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.62
.rdata 0x41e000 0x45ec 0x4600 0x1c600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.34
.data 0x423000 0x1cde8 0x17c00 0x20c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.8
.rsrc 0x440000 0xa724 0xa800 0x38800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.88
.reloc 0x44b000 0x195c 0x1a00 0x43000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.33
Imports (4)
KERNEL32.dll (98)
USER32.dll (12)
GDI32.dll (8)
SHELL32.dll (4)
Icons (1)
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA
buffer 7 0x005C5000 0x005C5FFF Marked Executable - 32-bit - False False
updatewin2.exe 7 0x00400000 0x0044CFFF Relevant Image - 32-bit - False False
updatewin2.exe 7 0x00400000 0x0044CFFF Process Termination - 32-bit - False False
Local AV Matches (1)
Threat Name DeepScan:Generic.Zamg.8.B9502EF1
Severity Malicious
Filename C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe
Category Downloaded File
Type Binary
Severity Malicious
Also Known As c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\updatewin[1].exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 277.50 KB
MD5 e3083483121cd288264f8c5624fb2cd1
SHA1 144a1dd6714ff4b5675c32f428d1899e500140a5
SHA256 114ccacb7ca57c01f3540611fdf49e68416544da8d8077f5896434a4b71b01dd
SSDeep 6144:JMLLGApbfLsx8TsvD6OD61XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXX56:JMLdpMdhDyXXnXXfXXXWXXXXHXXXXBXK
ImpHash 1755b6d950f72981fdcd1be68f24e7b3
Parser Error Remark Static analyzer was unable to completely parse the analyzed file
File Reputation Information
Severity Suspicious
First Seen 2019-01-16 22:21 (UTC+1)
Last Seen 2019-05-02 03:15 (UTC+2)
Names Win32.Trojan.Kryptik
Families Kryptik
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x402d7c
Size Of Code 0x1c200
Size Of Initialized Data 0x2d400
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2018-02-19 08:26:47+00:00
Version Information (3)
FileVersion 8.8.10.11
InternalName sutazaxidi.exe
LegalCopyright Copyright (C) 2018, huxonulow
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1c09e 0x1c200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.62
.rdata 0x41e000 0x4636 0x4800 0x1c600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.25
.data 0x423000 0x1d5a8 0x18400 0x20e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.8
.rsrc 0x441000 0xa826 0xaa00 0x39200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.84
.reloc 0x44c000 0x1974 0x1a00 0x43c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.34
Imports (4)
KERNEL32.dll (100)
USER32.dll (11)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CloseClipboard 0x0 0x41e1d4 0x21ca8 0x202a8 0x47
SendNotifyMessageA 0x0 0x41e1d8 0x21cac 0x202ac 0x264
BeginPaint 0x0 0x41e1dc 0x21cb0 0x202b0 0xe
CallMsgFilterW 0x0 0x41e1e0 0x21cb4 0x202b4 0x1a
PeekMessageA 0x0 0x41e1e4 0x21cb8 0x202b8 0x21b
MapVirtualKeyExW 0x0 0x41e1e8 0x21cbc 0x202bc 0x1f1
RegisterRawInputDevices 0x0 0x41e1ec 0x21cc0 0x202c0 0x242
GetClipboardSequenceNumber 0x0 0x41e1f0 0x21cc4 0x202c4 0x113
SetUserObjectInformationA 0x0 0x41e1f4 0x21cc8 0x202c8 0x29f
GetDialogBaseUnits 0x0 0x41e1f8 0x21ccc 0x202cc 0x11d
GetMessageW 0x0 0x41e1fc 0x21cd0 0x202d0 0x14e
GDI32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreatePolyPolygonRgn 0x0 0x41e000 0x21ad4 0x200d4 0x4b
CreateCompatibleDC 0x0 0x41e004 0x21ad8 0x200d8 0x2e
SetStretchBltMode 0x0 0x41e008 0x21adc 0x200dc 0x289
SetPixelV 0x0 0x41e00c 0x21ae0 0x200e0 0x284
GetCharWidth32A 0x0 0x41e010 0x21ae4 0x200e4 0x1a0
CreateDiscardableBitmap 0x0 0x41e014 0x21ae8 0x200e8 0x35
BitBlt 0x0 0x41e018 0x21aec 0x200ec 0x12
SHELL32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShellExecuteW 0x0 0x41e1b4 0x21c88 0x20288 0x118
ShellAboutW 0x0 0x41e1b8 0x21c8c 0x2028c 0x110
ExtractIconA 0x0 0x41e1bc 0x21c90 0x20290 0x28
ShellExecuteExA 0x0 0x41e1c0 0x21c94 0x20294 0x116
FindExecutableA 0x0 0x41e1c4 0x21c98 0x20298 0x2d
DragQueryFileA 0x0 0x41e1c8 0x21c9c 0x2029c 0x1e
ExtractIconW 0x0 0x41e1cc 0x21ca0 0x202a0 0x2c
Icons (1)
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
updatewin.exe 9 0x00400000 0x0044DFFF Relevant Image - 32-bit - False False
buffer 9 0x00555000 0x00555FFF Marked Executable - 32-bit - False False
Local AV Matches (1)
Threat Name Severity
DeepScan:Generic.Zamg.8.C0B90587
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe Downloaded File Binary
Malicious
Also Known As c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\5[1].exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 192.00 KB
MD5 7637e83def3c66546bb4a6ee5e963b03
SHA1 a108e7bc6008a541dfbf0921839a75dd2e2831c5
SHA256 48417c1248dfbde668a1118f1d1178ccd0a29612035f25f5724c10a2d6e98fcd
SSDeep 3072:HZBj7PK5clI62E9+v81gl6GH0g8NKKkbGcsRwMfPNHXyfhfwE8bOLT7Pu5dFY:HzGcw6+816pKxwMXwYElnPM
ImpHash 9f4e78ff6bea93a17a87c24dbc2f190b
File Reputation Information
Severity
Blacklisted
First Seen 2019-04-04 12:13 (UTC+2)
Last Seen 2019-05-07 17:31 (UTC+2)
Names Win32.Trojan.Kryptik
Families Kryptik
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x19d59a0
Size Of Code 0x2b000
Size Of Initialized Data 0x5000
Size Of Uninitialized Data 0x15aa000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2018-07-08 03:21:15+00:00
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
UPX0 0x401000 0x15aa000 0x0 0x400 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
UPX1 0x19ab000 0x2b000 0x2ac00 0x400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.77
.rsrc 0x19d6000 0x5000 0x5000 0x2b000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.32
Imports (8)
ADVAPI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegEnumKeyW 0x0 0x19dad70 0x15dad70 0x2fd70 0x0
GDI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PolyDraw 0x0 0x19dad78 0x15dad78 0x2fd78 0x0
KERNEL32.DLL (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LoadLibraryA 0x0 0x19dad80 0x15dad80 0x2fd80 0x0
ExitProcess 0x0 0x19dad84 0x15dad84 0x2fd84 0x0
GetProcAddress 0x0 0x19dad88 0x15dad88 0x2fd88 0x0
VirtualProtect 0x0 0x19dad8c 0x15dad8c 0x2fd8c 0x0
ole32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoRevertToSelf 0x0 0x19dad94 0x15dad94 0x2fd94 0x0
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DuplicateIcon 0x0 0x19dad9c 0x15dad9c 0x2fd9c 0x0
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ToAscii 0x0 0x19dada4 0x15dada4 0x2fda4 0x0
WINHTTP.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WinHttpCrackUrl 0x0 0x19dadac 0x15dadac 0x2fdac 0x0
WINSPOOL.DRV (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeviceCapabilitiesA 0x0 0x19dadb4 0x15dadb4 0x2fdb4 0x0
Icons (1)
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 10 0x01B1C1F0 0x01B3195F Marked Executable - 32-bit - False False
buffer 10 0x01B1C1F0 0x01B3195F Content Changed - 32-bit 0x01B1D004, 0x01B1C1F0 False False
Local AV Matches (1)
Threat Name Severity
Trojan.GenericKD.31898868
Malicious
C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-console-l1-1-0.dll Dropped File Binary
Whitelisted
Mime Type application/vnd.microsoft.portable-executable
File Size 18.30 KB
MD5 502263c56f931df8440d7fd2fa7b7c00
SHA1 523a3d7c3f4491e67fc710575d8e23314db2c1a2
SHA256 94a5df1227818edbfd0d5091c6a48f86b4117c38550343f780c604eee1cd6231
SSDeep 192:3jBMWIghWGZiKedXe123Ouo+Uggs/nGfe4pBjS/uBmWh0txKdmVWQ4GWDZoiyqnP:GWPhWVXYi00GftpBjSemTltcwpS
File Reputation Information
Severity
Whitelisted
First Seen 2017-10-12 00:29 (UTC+2)
Last Seen 2018-11-10 11:22 (UTC+1)
PE Information
Image Base 0x10000000
Size Of Code 0x600
Size Of Initialized Data 0x400
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.i386
Compile Timestamp 2061-07-07 10:18:41+00:00
Version Information (8)
CompanyName Microsoft Corporation
FileDescription ApiSet Stub DLL
FileVersion 10.0.16299.15 (WinBuild.160101.0800)
InternalName apisetstub
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename apisetstub
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.16299.15
Sections (2)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x42b 0x600 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 3.84
.rsrc 0x10002000 0x3f0 0x400 0x800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.3
Exports (14)
Api name EAT Address Ordinal
AllocConsole 0x11e4 0x1
GetConsoleCP 0x1207 0x2
GetConsoleMode 0x122c 0x3
GetConsoleOutputCP 0x1257 0x4
GetNumberOfConsoleInputEvents 0x1291 0x5
PeekConsoleInputA 0x12ca 0x6
ReadConsoleA 0x12f2 0x7
ReadConsoleInputA 0x131a 0x8
ReadConsoleInputW 0x1347 0x9
ReadConsoleW 0x136f 0xa
SetConsoleCtrlHandler 0x139b 0xb
SetConsoleMode 0x13c9 0xc
WriteConsoleA 0x13ef 0xd
WriteConsoleW 0x1414 0xe
Digital Signatures (2)
Certificate: Microsoft Corporation
Issued by Microsoft Corporation
Parent Certificate Microsoft Code Signing PCA
Country Name US
Valid From 2017-08-11 20:11:15+00:00
Valid Until 2018-08-11 20:11:15+00:00
Algorithm sha1_rsa
Serial Number 33 00 00 01 78 25 5A B5 CD 23 C6 5F 95 00 01 00 00 01 78
Thumbprint 49 D5 9D 86 50 5D 82 94 2A 07 63 88 69 3F 4F B7 B2 12 54 EE
Certificate: Microsoft Code Signing PCA
Issued by Microsoft Code Signing PCA
Country Name US
Valid From 2010-08-31 22:19:32+00:00
Valid Until 2020-08-31 22:29:32+00:00
Algorithm sha1_rsa
Serial Number 61 33 26 1A 00 00 00 00 00 31
Thumbprint 3C AF 9B A2 DB 55 70 CA F7 69 42 FF 99 10 1B 99 38 88 E2 57
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\geo[1].json Dropped File Text
Unknown
Also Known As c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\geo[1].json (Dropped File)
Mime Type text/plain
File Size 465 bytes
MD5 d6727470681ecc2ca56bbd0486b4fa97
SHA1 693756ab251ef2d82a91d94a2e5b78a9604d8bac
SHA256 8b37ae3083eb3bb497d0de9aa0f48e4fa2b893726e2a9787e6dad0ecd40d9613
SSDeep 12:YCJcjmdVQVCRbwXhCdEVQVPB8yPt0fRbIRAJdxFQVyrhmXoB2SH4:YODQVCRbwxCCQVvV0fRbI2JdxFQVyNm5
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 Dropped File Text
Unknown
Mime Type text/x-powershell
File Size 49 bytes
MD5 f972c62f986b5ed49ad7713d93bf6c9f
SHA1 4e157002bdb97e9526ab97bfafbf7c67e1d1efbf
SHA256 b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8
SSDeep 3:uIHeGAFcX5wTnl:/eGgHTl