8dad2f78...f3a8 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Downloader
Ransomware
Threat Names:
Djvu
STOP
Trojan.GenericKDZ.67009
...

Remarks (2/3)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "1 minute, 39 seconds" to "10 seconds" to reveal dormant functionality.

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x0200003A): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

Filename Category Type Severity
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\585939.exe Sample File Binary
Malicious
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\45df4fd3-2e0d-4883-810e-1f70f9babe97\585939.exe (Dropped File)
Mime Type application/vnd.microsoft.portable-executable
File Size 835.50 KB
MD5 2cc70c4beed0ba6db11c63bf435c6bf2
SHA1 18348a70148e1424ba4c30298b05f3f8820313cd
SHA256 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8
SSDeep 24576:tARMZUIPP/ri1nFART87BJ8Z/2tyNkIaC8mp:GRM2IPPzwFAF87X8R2t+ao
ImpHash 2f0b2875961b1e402f411454a4347d4f
File Reputation Information
Severity
Blacklisted
Names Mal/Generic-S
PE Information
Image Base 0x400000
Entry Point 0x40794c
Size Of Code 0x17a00
Size Of Initialized Data 0x123e00
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2019-10-09 18:23:41+00:00
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x17903 0x17a00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.75
.rdata 0x419000 0x538e 0x5400 0x17e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.21
.data 0x41f000 0x100b58 0x97800 0x1d200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.91
.rsrc 0x520000 0x1c3a0 0x1c400 0xb4a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.74
Imports (2)
KERNEL32.dll (95)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
FindAtomW 0x0 0x419000 0x1da98 0x1c898 0x12d
OpenFileMappingA 0x0 0x419004 0x1da9c 0x1c89c 0x378
GetLongPathNameW 0x0 0x419008 0x1daa0 0x1c8a0 0x20f
GetConsoleAliasesLengthW 0x0 0x41900c 0x1daa4 0x1c8a4 0x198
FlushViewOfFile 0x0 0x419010 0x1daa8 0x1c8a8 0x15a
GetNumaNodeProcessorMask 0x0 0x419014 0x1daac 0x1c8ac 0x22b
ConnectNamedPipe 0x0 0x419018 0x1dab0 0x1c8b0 0x65
CreatePipe 0x0 0x41901c 0x1dab4 0x1c8b4 0xa1
OpenProcess 0x0 0x419020 0x1dab8 0x1c8b8 0x380
GetProcessAffinityMask 0x0 0x419024 0x1dabc 0x1c8bc 0x246
GetPrivateProfileStringA 0x0 0x419028 0x1dac0 0x1c8c0 0x241
GetQueuedCompletionStatus 0x0 0x41902c 0x1dac4 0x1c8c4 0x25e
SetupComm 0x0 0x419030 0x1dac8 0x1c8c8 0x4ae
HeapAlloc 0x0 0x419034 0x1dacc 0x1c8cc 0x2cb
SetConsoleWindowInfo 0x0 0x419038 0x1dad0 0x1c8d0 0x449
GetLastError 0x0 0x41903c 0x1dad4 0x1c8d4 0x202
LocalAlloc 0x0 0x419040 0x1dad8 0x1c8d8 0x344
GetProcAddress 0x0 0x419044 0x1dadc 0x1c8dc 0x245
GetModuleHandleA 0x0 0x419048 0x1dae0 0x1c8e0 0x215
lstrcatA 0x0 0x41904c 0x1dae4 0x1c8e4 0x53e
GetThreadSelectorEntry 0x0 0x419050 0x1dae8 0x1c8e8 0x290
SetThreadExecutionState 0x0 0x419054 0x1daec 0x1c8ec 0x493
GetEnvironmentVariableW 0x0 0x419058 0x1daf0 0x1c8f0 0x1dc
BuildCommDCBAndTimeoutsA 0x0 0x41905c 0x1daf4 0x1c8f4 0x3b
GetAtomNameW 0x0 0x419060 0x1daf8 0x1c8f8 0x16e
SetConsoleScreenBufferSize 0x0 0x419064 0x1dafc 0x1c8fc 0x445
GetTickCount 0x0 0x419068 0x1db00 0x1c900 0x293
CreateMailslotW 0x0 0x41906c 0x1db04 0x1c904 0x99
SetPriorityClass 0x0 0x419070 0x1db08 0x1c908 0x47d
FindFirstVolumeMountPointW 0x0 0x419074 0x1db0c 0x1c90c 0x13e
CreateFileW 0x0 0x419078 0x1db10 0x1c910 0x8f
WriteConsoleW 0x0 0x41907c 0x1db14 0x1c914 0x524
LoadLibraryW 0x0 0x419080 0x1db18 0x1c918 0x33f
InterlockedIncrement 0x0 0x419084 0x1db1c 0x1c91c 0x2ef
InterlockedDecrement 0x0 0x419088 0x1db20 0x1c920 0x2eb
Sleep 0x0 0x41908c 0x1db24 0x1c924 0x4b2
InitializeCriticalSection 0x0 0x419090 0x1db28 0x1c928 0x2e2
DeleteCriticalSection 0x0 0x419094 0x1db2c 0x1c92c 0xd1
EnterCriticalSection 0x0 0x419098 0x1db30 0x1c930 0xee
LeaveCriticalSection 0x0 0x41909c 0x1db34 0x1c934 0x339
EncodePointer 0x0 0x4190a0 0x1db38 0x1c938 0xea
DecodePointer 0x0 0x4190a4 0x1db3c 0x1c93c 0xca
HeapFree 0x0 0x4190a8 0x1db40 0x1c940 0x2cf
RaiseException 0x0 0x4190ac 0x1db44 0x1c944 0x3b1
RtlUnwind 0x0 0x4190b0 0x1db48 0x1c948 0x418
GetCommandLineW 0x0 0x4190b4 0x1db4c 0x1c94c 0x187
HeapSetInformation 0x0 0x4190b8 0x1db50 0x1c950 0x2d3
GetStartupInfoW 0x0 0x4190bc 0x1db54 0x1c954 0x263
WideCharToMultiByte 0x0 0x4190c0 0x1db58 0x1c958 0x511
LCMapStringW 0x0 0x4190c4 0x1db5c 0x1c95c 0x32d
MultiByteToWideChar 0x0 0x4190c8 0x1db60 0x1c960 0x367
GetCPInfo 0x0 0x4190cc 0x1db64 0x1c964 0x172
IsProcessorFeaturePresent 0x0 0x4190d0 0x1db68 0x1c968 0x304
TerminateProcess 0x0 0x4190d4 0x1db6c 0x1c96c 0x4c0
GetCurrentProcess 0x0 0x4190d8 0x1db70 0x1c970 0x1c0
UnhandledExceptionFilter 0x0 0x4190dc 0x1db74 0x1c974 0x4d3
SetUnhandledExceptionFilter 0x0 0x4190e0 0x1db78 0x1c978 0x4a5
IsDebuggerPresent 0x0 0x4190e4 0x1db7c 0x1c97c 0x300
HeapCreate 0x0 0x4190e8 0x1db80 0x1c980 0x2cd
TlsAlloc 0x0 0x4190ec 0x1db84 0x1c984 0x4c5
TlsGetValue 0x0 0x4190f0 0x1db88 0x1c988 0x4c7
TlsSetValue 0x0 0x4190f4 0x1db8c 0x1c98c 0x4c8
TlsFree 0x0 0x4190f8 0x1db90 0x1c990 0x4c6
GetModuleHandleW 0x0 0x4190fc 0x1db94 0x1c994 0x218
SetLastError 0x0 0x419100 0x1db98 0x1c998 0x473
GetCurrentThreadId 0x0 0x419104 0x1db9c 0x1c99c 0x1c5
SetFilePointer 0x0 0x419108 0x1dba0 0x1c9a0 0x466
ExitProcess 0x0 0x41910c 0x1dba4 0x1c9a4 0x119
WriteFile 0x0 0x419110 0x1dba8 0x1c9a8 0x525
GetStdHandle 0x0 0x419114 0x1dbac 0x1c9ac 0x264
GetModuleFileNameW 0x0 0x419118 0x1dbb0 0x1c9b0 0x214
FreeEnvironmentStringsW 0x0 0x41911c 0x1dbb4 0x1c9b4 0x161
GetEnvironmentStringsW 0x0 0x419120 0x1dbb8 0x1c9b8 0x1da
SetHandleCount 0x0 0x419124 0x1dbbc 0x1c9bc 0x46f
InitializeCriticalSectionAndSpinCount 0x0 0x419128 0x1dbc0 0x1c9c0 0x2e3
GetFileType 0x0 0x41912c 0x1dbc4 0x1c9c4 0x1f3
QueryPerformanceCounter 0x0 0x419130 0x1dbc8 0x1c9c8 0x3a7
GetCurrentProcessId 0x0 0x419134 0x1dbcc 0x1c9cc 0x1c1
GetSystemTimeAsFileTime 0x0 0x419138 0x1dbd0 0x1c9d0 0x279
GetACP 0x0 0x41913c 0x1dbd4 0x1c9d4 0x168
GetOEMCP 0x0 0x419140 0x1dbd8 0x1c9d8 0x237
IsValidCodePage 0x0 0x419144 0x1dbdc 0x1c9dc 0x30a
GetStringTypeW 0x0 0x419148 0x1dbe0 0x1c9e0 0x269
GetLocaleInfoW 0x0 0x41914c 0x1dbe4 0x1c9e4 0x206
HeapReAlloc 0x0 0x419150 0x1dbe8 0x1c9e8 0x2d2
HeapSize 0x0 0x419154 0x1dbec 0x1c9ec 0x2d4
GetUserDefaultLCID 0x0 0x419158 0x1dbf0 0x1c9f0 0x29b
GetLocaleInfoA 0x0 0x41915c 0x1dbf4 0x1c9f4 0x204
EnumSystemLocalesA 0x0 0x419160 0x1dbf8 0x1c9f8 0x10d
IsValidLocale 0x0 0x419164 0x1dbfc 0x1c9fc 0x30c
SetStdHandle 0x0 0x419168 0x1dc00 0x1ca00 0x487
GetConsoleCP 0x0 0x41916c 0x1dc04 0x1ca04 0x19a
GetConsoleMode 0x0 0x419170 0x1dc08 0x1ca08 0x1ac
FlushFileBuffers 0x0 0x419174 0x1dc0c 0x1ca0c 0x157
CloseHandle 0x0 0x419178 0x1dc10 0x1ca10 0x52
USER32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetCursorInfo 0x0 0x419180 0x1dc18 0x1ca18 0x11f
ClientToScreen 0x0 0x419184 0x1dc1c 0x1ca1c 0x47
Icons (4)
Memory Dumps (43)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA
585939.exe 1 0x00400000 0x0053CFFF Relevant Image True 32-bit 0x0040CAE0 True False
buffer 1 0x00220000 0x002B0FFF First Execution False 32-bit 0x00220020 False False
buffer 1 0x01E90000 0x01FA9FFF First Execution False 32-bit 0x01E90000 False True
buffer 1 0x01E90000 0x01FA9FFF Content Changed False 32-bit 0x01E904F6 False True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00424141 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00423F84 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0042C0F0 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0043B021 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00431F64 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00421881 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0042B420 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x004548D0 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0041CC50 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00419E70 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0040CF10 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0042B420 True True
585939.exe 1 0x00400000 0x0053CFFF Final Dump True 32-bit 0x00430BF0 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00433F99 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00424081 True True
585939.exe 1 0x00400000 0x0053CFFF Content Changed True 32-bit 0x004CA6F7 True True
buffer 1 0x01E90000 0x01FA9FFF Content Changed False 32-bit 0x01E90920 False True
585939.exe 1 0x00400000 0x0053CFFF Process Termination True 32-bit - True True
585939.exe 6 0x00400000 0x0053CFFF Relevant Image True 32-bit 0x0040CAE0 True False
buffer 6 0x00300000 0x00390FFF First Execution False 32-bit 0x00300020 False False
buffer 6 0x00720000 0x00839FFF First Execution False 32-bit 0x00720000 False True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00424141 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00423F84 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0042C0F0 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0043B021 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00431F64 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00421881 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0042B420 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x004548D0 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0041CC50 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00419E70 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0040CF10 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0041B680 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x004490DE True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0041E031 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x004389C2 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00447F50 True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x0041F01A True True
585939.exe 6 0x00400000 0x0053CFFF Content Changed True 32-bit 0x00410FC0 True True
Local AV Matches (1)
Threat Name Severity
Trojan.GenericKDZ.67009
Malicious
C:\Windows\System32\drivers\etc\hosts Modified File Text
Malicious
Mime Type text/plain
File Size 7.92 KB
MD5 360d265eddea8679c434a205f7ade7ad
SHA1 e17d843f610e0283904e201195360525ae449a68
SHA256 5a1597c0d29dd475e33cd8889d7d848037a8c17bad0f3daa022fb889e0db7ead
SSDeep 96:vDZEurK9q3WlSyU0FXmGZll0TOHyF9fAHLmttA/ZKTKdIlMHqzoCGbXx:RrK9FU0FXmGZll06m9fAH6AhKTK9Cax
ImpHash -
File Reputation Information
Severity
Blacklisted
Names Mal/Generic-S
Local AV Matches (1)
Threat Name Severity
Gen:Trojan.Qhost.1
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\f2685878-c1d9-47fc-b7a6-e4dee8a92594\updatewin1.exe Downloaded File Binary
Malicious
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\f2685878-c1d9-47fc-b7a6-e4dee8a92594\updatewin1.exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 272.50 KB
MD5 5b4bd24d6240f467bfbc74803c9f15b0
SHA1 c17f98c182d299845c54069872e8137645768a1a
SHA256 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
SSDeep 6144:7qZQGv0d4dW6efSyahstfKVkW5XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXk:2ZQGXdPe6qU6W5XXnXXfXXXWXXXXHXXE
ImpHash 0bcca924efe6e6fa741675d8e687fbb3
File Reputation Information
Severity
Blacklisted
Names Mal/Generic-S
PE Information
Image Base 0x400000
Entry Point 0x402d76
Size Of Code 0x1c200
Size Of Initialized Data 0x2c200
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2017-07-24 12:23:54+00:00
Version Information (3)
FileVersion 7.7.7.18
InternalName rawudiyeh.exe
LegalCopyright Copyright (C) 2018, sacuwedimufoy
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1c07e 0x1c200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.62
.rdata 0x41e000 0x463e 0x4800 0x1c600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.26
.data 0x423000 0x1c6a8 0x17400 0x20e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.83
.rsrc 0x440000 0xa578 0xa600 0x38200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.88
.reloc 0x44b000 0x1968 0x1a00 0x42800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.34
Imports (4)
KERNEL32.dll (102)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ExitThread 0x0 0x41e028 0x21afc 0x200fc 0x105
GetStartupInfoW 0x0 0x41e02c 0x21b00 0x20100 0x23a
GetLastError 0x0 0x41e030 0x21b04 0x20104 0x1e6
GetProcAddress 0x0 0x41e034 0x21b08 0x20108 0x220
CreateJobSet 0x0 0x41e038 0x21b0c 0x2010c 0x87
GlobalFree 0x0 0x41e03c 0x21b10 0x20110 0x28c
LoadLibraryA 0x0 0x41e040 0x21b14 0x20114 0x2f1
OpenWaitableTimerW 0x0 0x41e044 0x21b18 0x20118 0x339
AddAtomA 0x0 0x41e048 0x21b1c 0x2011c 0x3
FindFirstChangeNotificationA 0x0 0x41e04c 0x21b20 0x20120 0x11b
VirtualProtect 0x0 0x41e050 0x21b24 0x20124 0x45a
GetCurrentDirectoryA 0x0 0x41e054 0x21b28 0x20128 0x1a7
GetACP 0x0 0x41e058 0x21b2c 0x2012c 0x152
InterlockedPushEntrySList 0x0 0x41e05c 0x21b30 0x20130 0x2c2
CompareStringW 0x0 0x41e060 0x21b34 0x20134 0x55
CompareStringA 0x0 0x41e064 0x21b38 0x20138 0x52
CreateFileA 0x0 0x41e068 0x21b3c 0x2013c 0x78
GetTimeZoneInformation 0x0 0x41e06c 0x21b40 0x20140 0x26b
WriteConsoleW 0x0 0x41e070 0x21b44 0x20144 0x48c
GetConsoleOutputCP 0x0 0x41e074 0x21b48 0x20148 0x199
WriteConsoleA 0x0 0x41e078 0x21b4c 0x2014c 0x482
CloseHandle 0x0 0x41e07c 0x21b50 0x20150 0x43
IsValidLocale 0x0 0x41e080 0x21b54 0x20154 0x2dd
EnumSystemLocalesA 0x0 0x41e084 0x21b58 0x20158 0xf8
GetUserDefaultLCID 0x0 0x41e088 0x21b5c 0x2015c 0x26d
GetSystemTimeAdjustment 0x0 0x41e08c 0x21b60 0x20160 0x24e
GetSystemTimes 0x0 0x41e090 0x21b64 0x20164 0x250
GetTickCount 0x0 0x41e094 0x21b68 0x20168 0x266
FreeEnvironmentStringsA 0x0 0x41e098 0x21b6c 0x2016c 0x14a
GetComputerNameW 0x0 0x41e09c 0x21b70 0x20170 0x178
FindCloseChangeNotification 0x0 0x41e0a0 0x21b74 0x20174 0x11a
FindResourceExW 0x0 0x41e0a4 0x21b78 0x20178 0x138
GetCPInfo 0x0 0x41e0a8 0x21b7c 0x2017c 0x15b
SetProcessShutdownParameters 0x0 0x41e0ac 0x21b80 0x20180 0x3f9
GetModuleHandleExA 0x0 0x41e0b0 0x21b84 0x20184 0x1f7
GetDateFormatA 0x0 0x41e0b4 0x21b88 0x20188 0x1ae
GetTimeFormatA 0x0 0x41e0b8 0x21b8c 0x2018c 0x268
GetStringTypeW 0x0 0x41e0bc 0x21b90 0x20190 0x240
GetStringTypeA 0x0 0x41e0c0 0x21b94 0x20194 0x23d
LCMapStringW 0x0 0x41e0c4 0x21b98 0x20198 0x2e3
GetCommandLineA 0x0 0x41e0c8 0x21b9c 0x2019c 0x16f
GetStartupInfoA 0x0 0x41e0cc 0x21ba0 0x201a0 0x239
RaiseException 0x0 0x41e0d0 0x21ba4 0x201a4 0x35a
RtlUnwind 0x0 0x41e0d4 0x21ba8 0x201a8 0x392
TerminateProcess 0x0 0x41e0d8 0x21bac 0x201ac 0x42d
GetCurrentProcess 0x0 0x41e0dc 0x21bb0 0x201b0 0x1a9
UnhandledExceptionFilter 0x0 0x41e0e0 0x21bb4 0x201b4 0x43e
SetUnhandledExceptionFilter 0x0 0x41e0e4 0x21bb8 0x201b8 0x415
IsDebuggerPresent 0x0 0x41e0e8 0x21bbc 0x201bc 0x2d1
HeapAlloc 0x0 0x41e0ec 0x21bc0 0x201c0 0x29d
HeapFree 0x0 0x41e0f0 0x21bc4 0x201c4 0x2a1
EnterCriticalSection 0x0 0x41e0f4 0x21bc8 0x201c8 0xd9
LeaveCriticalSection 0x0 0x41e0f8 0x21bcc 0x201cc 0x2ef
SetHandleCount 0x0 0x41e0fc 0x21bd0 0x201d0 0x3e8
GetStdHandle 0x0 0x41e100 0x21bd4 0x201d4 0x23b
GetFileType 0x0 0x41e104 0x21bd8 0x201d8 0x1d7
DeleteCriticalSection 0x0 0x41e108 0x21bdc 0x201dc 0xbe
GetModuleHandleW 0x0 0x41e10c 0x21be0 0x201e0 0x1f9
Sleep 0x0 0x41e110 0x21be4 0x201e4 0x421
ExitProcess 0x0 0x41e114 0x21be8 0x201e8 0x104
WriteFile 0x0 0x41e118 0x21bec 0x201ec 0x48d
GetModuleFileNameA 0x0 0x41e11c 0x21bf0 0x201f0 0x1f4
GetEnvironmentStrings 0x0 0x41e120 0x21bf4 0x201f4 0x1bf
FreeEnvironmentStringsW 0x0 0x41e124 0x21bf8 0x201f8 0x14b
WideCharToMultiByte 0x0 0x41e128 0x21bfc 0x201fc 0x47a
GetEnvironmentStringsW 0x0 0x41e12c 0x21c00 0x20200 0x1c1
TlsGetValue 0x0 0x41e130 0x21c04 0x20204 0x434
TlsAlloc 0x0 0x41e134 0x21c08 0x20208 0x432
TlsSetValue 0x0 0x41e138 0x21c0c 0x2020c 0x435
TlsFree 0x0 0x41e13c 0x21c10 0x20210 0x433
InterlockedIncrement 0x0 0x41e140 0x21c14 0x20214 0x2c0
SetLastError 0x0 0x41e144 0x21c18 0x20218 0x3ec
GetCurrentThreadId 0x0 0x41e148 0x21c1c 0x2021c 0x1ad
InterlockedDecrement 0x0 0x41e14c 0x21c20 0x20220 0x2bc
GetCurrentThread 0x0 0x41e150 0x21c24 0x20224 0x1ac
HeapCreate 0x0 0x41e154 0x21c28 0x20228 0x29f
HeapDestroy 0x0 0x41e158 0x21c2c 0x2022c 0x2a0
VirtualFree 0x0 0x41e15c 0x21c30 0x20230 0x457
QueryPerformanceCounter 0x0 0x41e160 0x21c34 0x20234 0x354
GetCurrentProcessId 0x0 0x41e164 0x21c38 0x20238 0x1aa
GetSystemTimeAsFileTime 0x0 0x41e168 0x21c3c 0x2023c 0x24f
FatalAppExitA 0x0 0x41e16c 0x21c40 0x20240 0x10b
VirtualAlloc 0x0 0x41e170 0x21c44 0x20244 0x454
HeapReAlloc 0x0 0x41e174 0x21c48 0x20248 0x2a4
MultiByteToWideChar 0x0 0x41e178 0x21c4c 0x2024c 0x31a
ReadFile 0x0 0x41e17c 0x21c50 0x20250 0x368
InitializeCriticalSectionAndSpinCount 0x0 0x41e180 0x21c54 0x20254 0x2b5
HeapSize 0x0 0x41e184 0x21c58 0x20258 0x2a6
SetConsoleCtrlHandler 0x0 0x41e188 0x21c5c 0x2025c 0x3a7
FreeLibrary 0x0 0x41e18c 0x21c60 0x20260 0x14c
InterlockedExchange 0x0 0x41e190 0x21c64 0x20264 0x2bd
GetOEMCP 0x0 0x41e194 0x21c68 0x20268 0x213
IsValidCodePage 0x0 0x41e198 0x21c6c 0x2026c 0x2db
GetConsoleCP 0x0 0x41e19c 0x21c70 0x20270 0x183
GetConsoleMode 0x0 0x41e1a0 0x21c74 0x20274 0x195
FlushFileBuffers 0x0 0x41e1a4 0x21c78 0x20278 0x141
SetFilePointer 0x0 0x41e1a8 0x21c7c 0x2027c 0x3df
SetStdHandle 0x0 0x41e1ac 0x21c80 0x20280 0x3fc
GetLocaleInfoW 0x0 0x41e1b0 0x21c84 0x20284 0x1ea
GetLocaleInfoA 0x0 0x41e1b4 0x21c88 0x20288 0x1e8
LCMapStringA 0x0 0x41e1b8 0x21c8c 0x2028c 0x2e1
SetEnvironmentVariableA 0x0 0x41e1bc 0x21c90 0x20290 0x3d0
USER32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CloseClipboard 0x0 0x41e1d8 0x21cac 0x202ac 0x47
BeginPaint 0x0 0x41e1dc 0x21cb0 0x202b0 0xe
CallMsgFilterW 0x0 0x41e1e0 0x21cb4 0x202b4 0x1a
PeekMessageA 0x0 0x41e1e4 0x21cb8 0x202b8 0x21b
MapVirtualKeyExW 0x0 0x41e1e8 0x21cbc 0x202bc 0x1f1
RegisterRawInputDevices 0x0 0x41e1ec 0x21cc0 0x202c0 0x242
GetClipboardSequenceNumber 0x0 0x41e1f0 0x21cc4 0x202c4 0x113
CountClipboardFormats 0x0 0x41e1f4 0x21cc8 0x202c8 0x50
GetDialogBaseUnits 0x0 0x41e1f8 0x21ccc 0x202cc 0x11d
GetClassLongW 0x0 0x41e1fc 0x21cd0 0x202d0 0x109
GDI32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PolyTextOutW 0x0 0x41e000 0x21ad4 0x200d4 0x23c
CreateCompatibleDC 0x0 0x41e004 0x21ad8 0x200d8 0x2e
Rectangle 0x0 0x41e008 0x21adc 0x200dc 0x246
SetStretchBltMode 0x0 0x41e00c 0x21ae0 0x200e0 0x289
SetPixelV 0x0 0x41e010 0x21ae4 0x200e4 0x284
GetClipBox 0x0 0x41e014 0x21ae8 0x200e8 0x1aa
CreateDiscardableBitmap 0x0 0x41e018 0x21aec 0x200ec 0x35
StrokeAndFillPath 0x0 0x41e01c 0x21af0 0x200f0 0x29c
GetBitmapBits 0x0 0x41e020 0x21af4 0x200f4 0x191
SHELL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShellExecuteW 0x0 0x41e1c4 0x21c98 0x20298 0x118
ShellAboutW 0x0 0x41e1c8 0x21c9c 0x2029c 0x110
DuplicateIcon 0x0 0x41e1cc 0x21ca0 0x202a0 0x23
DragQueryFileA 0x0 0x41e1d0 0x21ca4 0x202a4 0x1e
Icons (1)
Local AV Matches (1)
Threat Name Severity
Trojan.GenericKD.31534187
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\f2685878-c1d9-47fc-b7a6-e4dee8a92594\updatewin2.exe Downloaded File Binary
Malicious
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\f2685878-c1d9-47fc-b7a6-e4dee8a92594\updatewin2.exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 274.50 KB
MD5 996ba35165bb62473d2a6743a5200d45
SHA1 52169b0b5cce95c6905873b8d12a759c234bd2e0
SHA256 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
SSDeep 6144:vLgbC0mVQlY+3aKn7n4CTHcXXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXXP:vGCtQlb3aKzvT8XXnXXfXXXWXXXXHXXf
ImpHash 5921adaaf66f8c259aeda9e22686cd4b
File Reputation Information
Severity
Blacklisted
PE Information
Image Base 0x400000
Entry Point 0x402d64
Size Of Code 0x1c200
Size Of Initialized Data 0x2c800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2017-11-21 06:08:45+00:00
Version Information (3)
FileVersion 5.3.7.82
InternalName gigifaw.exe
LegalCopyright Copyright (C) 2018, guvaxiz
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1c03e 0x1c200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.62
.rdata 0x41e000 0x45ec 0x4600 0x1c600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.34
.data 0x423000 0x1cde8 0x17c00 0x20c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.8
.rsrc 0x440000 0xa724 0xa800 0x38800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.88
.reloc 0x44b000 0x195c 0x1a00 0x43000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.33
Imports (4)
KERNEL32.dll (98)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ExitThread 0x0 0x41e024 0x21ae8 0x200e8 0x105
GetStartupInfoW 0x0 0x41e028 0x21aec 0x200ec 0x23a
GetLastError 0x0 0x41e02c 0x21af0 0x200f0 0x1e6
GetProcAddress 0x0 0x41e030 0x21af4 0x200f4 0x220
GlobalFree 0x0 0x41e034 0x21af8 0x200f8 0x28c
LoadLibraryA 0x0 0x41e038 0x21afc 0x200fc 0x2f1
AddAtomA 0x0 0x41e03c 0x21b00 0x20100 0x3
FindFirstChangeNotificationA 0x0 0x41e040 0x21b04 0x20104 0x11b
VirtualProtect 0x0 0x41e044 0x21b08 0x20108 0x45a
GetCurrentDirectoryA 0x0 0x41e048 0x21b0c 0x2010c 0x1a7
SetProcessShutdownParameters 0x0 0x41e04c 0x21b10 0x20110 0x3f9
GetACP 0x0 0x41e050 0x21b14 0x20114 0x152
CompareStringA 0x0 0x41e054 0x21b18 0x20118 0x52
CreateFileA 0x0 0x41e058 0x21b1c 0x2011c 0x78
GetTimeZoneInformation 0x0 0x41e05c 0x21b20 0x20120 0x26b
WriteConsoleW 0x0 0x41e060 0x21b24 0x20124 0x48c
GetConsoleOutputCP 0x0 0x41e064 0x21b28 0x20128 0x199
WriteConsoleA 0x0 0x41e068 0x21b2c 0x2012c 0x482
CloseHandle 0x0 0x41e06c 0x21b30 0x20130 0x43
IsValidLocale 0x0 0x41e070 0x21b34 0x20134 0x2dd
EnumSystemLocalesA 0x0 0x41e074 0x21b38 0x20138 0xf8
GetUserDefaultLCID 0x0 0x41e078 0x21b3c 0x2013c 0x26d
GetDateFormatA 0x0 0x41e07c 0x21b40 0x20140 0x1ae
GetTimeFormatA 0x0 0x41e080 0x21b44 0x20144 0x268
InitAtomTable 0x0 0x41e084 0x21b48 0x20148 0x2ae
GetSystemTimes 0x0 0x41e088 0x21b4c 0x2014c 0x250
GetTickCount 0x0 0x41e08c 0x21b50 0x20150 0x266
FreeEnvironmentStringsA 0x0 0x41e090 0x21b54 0x20154 0x14a
GetComputerNameW 0x0 0x41e094 0x21b58 0x20158 0x178
FindCloseChangeNotification 0x0 0x41e098 0x21b5c 0x2015c 0x11a
FindResourceExW 0x0 0x41e09c 0x21b60 0x20160 0x138
CompareStringW 0x0 0x41e0a0 0x21b64 0x20164 0x55
GetCPInfo 0x0 0x41e0a4 0x21b68 0x20168 0x15b
GetStringTypeW 0x0 0x41e0a8 0x21b6c 0x2016c 0x240
GetStringTypeA 0x0 0x41e0ac 0x21b70 0x20170 0x23d
LCMapStringW 0x0 0x41e0b0 0x21b74 0x20174 0x2e3
LCMapStringA 0x0 0x41e0b4 0x21b78 0x20178 0x2e1
GetLocaleInfoA 0x0 0x41e0b8 0x21b7c 0x2017c 0x1e8
GetCommandLineA 0x0 0x41e0bc 0x21b80 0x20180 0x16f
GetStartupInfoA 0x0 0x41e0c0 0x21b84 0x20184 0x239
RaiseException 0x0 0x41e0c4 0x21b88 0x20188 0x35a
RtlUnwind 0x0 0x41e0c8 0x21b8c 0x2018c 0x392
TerminateProcess 0x0 0x41e0cc 0x21b90 0x20190 0x42d
GetCurrentProcess 0x0 0x41e0d0 0x21b94 0x20194 0x1a9
UnhandledExceptionFilter 0x0 0x41e0d4 0x21b98 0x20198 0x43e
SetUnhandledExceptionFilter 0x0 0x41e0d8 0x21b9c 0x2019c 0x415
IsDebuggerPresent 0x0 0x41e0dc 0x21ba0 0x201a0 0x2d1
HeapAlloc 0x0 0x41e0e0 0x21ba4 0x201a4 0x29d
HeapFree 0x0 0x41e0e4 0x21ba8 0x201a8 0x2a1
EnterCriticalSection 0x0 0x41e0e8 0x21bac 0x201ac 0xd9
LeaveCriticalSection 0x0 0x41e0ec 0x21bb0 0x201b0 0x2ef
SetHandleCount 0x0 0x41e0f0 0x21bb4 0x201b4 0x3e8
GetStdHandle 0x0 0x41e0f4 0x21bb8 0x201b8 0x23b
GetFileType 0x0 0x41e0f8 0x21bbc 0x201bc 0x1d7
DeleteCriticalSection 0x0 0x41e0fc 0x21bc0 0x201c0 0xbe
GetModuleHandleW 0x0 0x41e100 0x21bc4 0x201c4 0x1f9
Sleep 0x0 0x41e104 0x21bc8 0x201c8 0x421
ExitProcess 0x0 0x41e108 0x21bcc 0x201cc 0x104
WriteFile 0x0 0x41e10c 0x21bd0 0x201d0 0x48d
GetModuleFileNameA 0x0 0x41e110 0x21bd4 0x201d4 0x1f4
GetEnvironmentStrings 0x0 0x41e114 0x21bd8 0x201d8 0x1bf
FreeEnvironmentStringsW 0x0 0x41e118 0x21bdc 0x201dc 0x14b
WideCharToMultiByte 0x0 0x41e11c 0x21be0 0x201e0 0x47a
GetEnvironmentStringsW 0x0 0x41e120 0x21be4 0x201e4 0x1c1
TlsGetValue 0x0 0x41e124 0x21be8 0x201e8 0x434
TlsAlloc 0x0 0x41e128 0x21bec 0x201ec 0x432
TlsSetValue 0x0 0x41e12c 0x21bf0 0x201f0 0x435
TlsFree 0x0 0x41e130 0x21bf4 0x201f4 0x433
InterlockedIncrement 0x0 0x41e134 0x21bf8 0x201f8 0x2c0
SetLastError 0x0 0x41e138 0x21bfc 0x201fc 0x3ec
GetCurrentThreadId 0x0 0x41e13c 0x21c00 0x20200 0x1ad
InterlockedDecrement 0x0 0x41e140 0x21c04 0x20204 0x2bc
GetCurrentThread 0x0 0x41e144 0x21c08 0x20208 0x1ac
HeapCreate 0x0 0x41e148 0x21c0c 0x2020c 0x29f
HeapDestroy 0x0 0x41e14c 0x21c10 0x20210 0x2a0
VirtualFree 0x0 0x41e150 0x21c14 0x20214 0x457
QueryPerformanceCounter 0x0 0x41e154 0x21c18 0x20218 0x354
GetCurrentProcessId 0x0 0x41e158 0x21c1c 0x2021c 0x1aa
GetSystemTimeAsFileTime 0x0 0x41e15c 0x21c20 0x20220 0x24f
FatalAppExitA 0x0 0x41e160 0x21c24 0x20224 0x10b
VirtualAlloc 0x0 0x41e164 0x21c28 0x20228 0x454
HeapReAlloc 0x0 0x41e168 0x21c2c 0x2022c 0x2a4
MultiByteToWideChar 0x0 0x41e16c 0x21c30 0x20230 0x31a
ReadFile 0x0 0x41e170 0x21c34 0x20234 0x368
InitializeCriticalSectionAndSpinCount 0x0 0x41e174 0x21c38 0x20238 0x2b5
HeapSize 0x0 0x41e178 0x21c3c 0x2023c 0x2a6
SetConsoleCtrlHandler 0x0 0x41e17c 0x21c40 0x20240 0x3a7
FreeLibrary 0x0 0x41e180 0x21c44 0x20244 0x14c
InterlockedExchange 0x0 0x41e184 0x21c48 0x20248 0x2bd
GetOEMCP 0x0 0x41e188 0x21c4c 0x2024c 0x213
IsValidCodePage 0x0 0x41e18c 0x21c50 0x20250 0x2db
GetConsoleCP 0x0 0x41e190 0x21c54 0x20254 0x183
GetConsoleMode 0x0 0x41e194 0x21c58 0x20258 0x195
FlushFileBuffers 0x0 0x41e198 0x21c5c 0x2025c 0x141
SetFilePointer 0x0 0x41e19c 0x21c60 0x20260 0x3df
SetStdHandle 0x0 0x41e1a0 0x21c64 0x20264 0x3fc
GetLocaleInfoW 0x0 0x41e1a4 0x21c68 0x20268 0x1ea
SetEnvironmentVariableA 0x0 0x41e1a8 0x21c6c 0x2026c 0x3d0
USER32.dll (12)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CloseClipboard 0x0 0x41e1c4 0x21c88 0x20288 0x47
GetSubMenu 0x0 0x41e1c8 0x21c8c 0x2028c 0x16b
LoadBitmapA 0x0 0x41e1cc 0x21c90 0x20290 0x1d0
BeginPaint 0x0 0x41e1d0 0x21c94 0x20294 0xe
CallMsgFilterW 0x0 0x41e1d4 0x21c98 0x20298 0x1a
PeekMessageA 0x0 0x41e1d8 0x21c9c 0x2029c 0x21b
MapVirtualKeyExW 0x0 0x41e1dc 0x21ca0 0x202a0 0x1f1
RegisterRawInputDevices 0x0 0x41e1e0 0x21ca4 0x202a4 0x242
SetWindowsHookExW 0x0 0x41e1e4 0x21ca8 0x202a8 0x2b0
GetClipboardSequenceNumber 0x0 0x41e1e8 0x21cac 0x202ac 0x113
GetDialogBaseUnits 0x0 0x41e1ec 0x21cb0 0x202b0 0x11d
MessageBoxIndirectA 0x0 0x41e1f0 0x21cb4 0x202b4 0x1fb
GDI32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateCompatibleDC 0x0 0x41e000 0x21ac4 0x200c4 0x2e
PlayEnhMetaFile 0x0 0x41e004 0x21ac8 0x200c8 0x230
ScaleViewportExtEx 0x0 0x41e008 0x21acc 0x200cc 0x258
SetStretchBltMode 0x0 0x41e00c 0x21ad0 0x200d0 0x289
SetPixelV 0x0 0x41e010 0x21ad4 0x200d4 0x284
CreateDiscardableBitmap 0x0 0x41e014 0x21ad8 0x200d8 0x35
AddFontResourceW 0x0 0x41e018 0x21adc 0x200dc 0x7
SetDeviceGammaRamp 0x0 0x41e01c 0x21ae0 0x200e0 0x271
SHELL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ExtractAssociatedIconA 0x0 0x41e1b0 0x21c74 0x20274 0x24
ShellExecuteW 0x0 0x41e1b4 0x21c78 0x20278 0x118
ShellAboutW 0x0 0x41e1b8 0x21c7c 0x2027c 0x110
DragQueryFileA 0x0 0x41e1bc 0x21c80 0x20280 0x1e
Icons (1)
Local AV Matches (1)
Threat Name Severity
Trojan.AgentWDCR.SVC
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\f2685878-c1d9-47fc-b7a6-e4dee8a92594\5.exe Downloaded File Binary
Malicious
Also Known As c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\5[1].exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 503.50 KB
MD5 c413a85a03cdfb16cf76308385bbb2ae
SHA1 3adebf3ca2a599424c15615d2da6aafd526acb97
SHA256 b79c9fad7864f60bc3140bd5dca17af29db2cacfabf53d6ed8b56e513c915f8d
SSDeep 12288:Bzc7CikDv71D5qiz+gM8EjBeuQfQ1S39C9ULZb:5BzD3qrgM8EjBd1S3Y9ULZ
ImpHash 2d855eadc056c39f73e4cc04d9974913
File Reputation Information
Severity
Blacklisted
Names Mal/Generic-S
PE Information
Image Base 0x400000
Entry Point 0x4011a5
Size Of Code 0x4a00
Size Of Initialized Data 0x2a2ec00
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2019-02-08 22:20:18+00:00
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x48b0 0x4a00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.54
.rdata 0x406000 0x20ae 0x2200 0x4e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.66
.data 0x409000 0x2a1c0e0 0x68800 0x7000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.26
.rsrc 0x2e26000 0xe500 0xe600 0x6f800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.17
Imports (1)
KERNEL32.dll (65)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WriteFile 0x0 0x406000 0x7ae4 0x68e4 0x525
SetCommTimeouts 0x0 0x406004 0x7ae8 0x68e8 0x426
WritePrivateProfileStringW 0x0 0x406008 0x7aec 0x68ec 0x52b
FindFirstFileExW 0x0 0x40600c 0x7af0 0x68f0 0x134
LocalAlloc 0x0 0x406010 0x7af4 0x68f4 0x344
GetTapeParameters 0x0 0x406014 0x7af8 0x68f8 0x27f
GetModuleHandleA 0x0 0x406018 0x7afc 0x68fc 0x215
VirtualProtect 0x0 0x40601c 0x7b00 0x6900 0x4ef
GetCurrentProcessId 0x0 0x406020 0x7b04 0x6904 0x1c1
LCMapStringW 0x0 0x406024 0x7b08 0x6908 0x32d
InterlockedIncrement 0x0 0x406028 0x7b0c 0x690c 0x2ef
GetLocaleInfoA 0x0 0x40602c 0x7b10 0x6910 0x204
lstrlenA 0x0 0x406030 0x7b14 0x6914 0x54d
FindResourceA 0x0 0x406034 0x7b18 0x6918 0x14b
HeapReAlloc 0x0 0x406038 0x7b1c 0x691c 0x2d2
GetLastError 0x0 0x40603c 0x7b20 0x6920 0x202
GlobalFix 0x0 0x406040 0x7b24 0x6924 0x2b8
GetCommandLineW 0x0 0x406044 0x7b28 0x6928 0x187
HeapSetInformation 0x0 0x406048 0x7b2c 0x692c 0x2d3
GetStartupInfoW 0x0 0x40604c 0x7b30 0x6930 0x263
TerminateProcess 0x0 0x406050 0x7b34 0x6934 0x4c0
GetCurrentProcess 0x0 0x406054 0x7b38 0x6938 0x1c0
UnhandledExceptionFilter 0x0 0x406058 0x7b3c 0x693c 0x4d3
SetUnhandledExceptionFilter 0x0 0x40605c 0x7b40 0x6940 0x4a5
IsDebuggerPresent 0x0 0x406060 0x7b44 0x6944 0x300
GetProcAddress 0x0 0x406064 0x7b48 0x6948 0x245
GetModuleHandleW 0x0 0x406068 0x7b4c 0x694c 0x218
ExitProcess 0x0 0x40606c 0x7b50 0x6950 0x119
DecodePointer 0x0 0x406070 0x7b54 0x6954 0xca
GetStdHandle 0x0 0x406074 0x7b58 0x6958 0x264
GetModuleFileNameW 0x0 0x406078 0x7b5c 0x695c 0x214
FreeEnvironmentStringsW 0x0 0x40607c 0x7b60 0x6960 0x161
GetEnvironmentStringsW 0x0 0x406080 0x7b64 0x6964 0x1da
SetHandleCount 0x0 0x406084 0x7b68 0x6968 0x46f
InitializeCriticalSectionAndSpinCount 0x0 0x406088 0x7b6c 0x696c 0x2e3
GetFileType 0x0 0x40608c 0x7b70 0x6970 0x1f3
DeleteCriticalSection 0x0 0x406090 0x7b74 0x6974 0xd1
EncodePointer 0x0 0x406094 0x7b78 0x6978 0xea
TlsAlloc 0x0 0x406098 0x7b7c 0x697c 0x4c5
TlsGetValue 0x0 0x40609c 0x7b80 0x6980 0x4c7
TlsSetValue 0x0 0x4060a0 0x7b84 0x6984 0x4c8
TlsFree 0x0 0x4060a4 0x7b88 0x6988 0x4c6
SetLastError 0x0 0x4060a8 0x7b8c 0x698c 0x473
GetCurrentThreadId 0x0 0x4060ac 0x7b90 0x6990 0x1c5
InterlockedDecrement 0x0 0x4060b0 0x7b94 0x6994 0x2eb
HeapCreate 0x0 0x4060b4 0x7b98 0x6998 0x2cd
QueryPerformanceCounter 0x0 0x4060b8 0x7b9c 0x699c 0x3a7
GetTickCount 0x0 0x4060bc 0x7ba0 0x69a0 0x293
GetSystemTimeAsFileTime 0x0 0x4060c0 0x7ba4 0x69a4 0x279
LeaveCriticalSection 0x0 0x4060c4 0x7ba8 0x69a8 0x339
EnterCriticalSection 0x0 0x4060c8 0x7bac 0x69ac 0xee
LoadLibraryW 0x0 0x4060cc 0x7bb0 0x69b0 0x33f
HeapFree 0x0 0x4060d0 0x7bb4 0x69b4 0x2cf
Sleep 0x0 0x4060d4 0x7bb8 0x69b8 0x4b2
GetCPInfo 0x0 0x4060d8 0x7bbc 0x69bc 0x172
GetACP 0x0 0x4060dc 0x7bc0 0x69c0 0x168
GetOEMCP 0x0 0x4060e0 0x7bc4 0x69c4 0x237
IsValidCodePage 0x0 0x4060e4 0x7bc8 0x69c8 0x30a
RtlUnwind 0x0 0x4060e8 0x7bcc 0x69cc 0x418
WideCharToMultiByte 0x0 0x4060ec 0x7bd0 0x69d0 0x511
HeapSize 0x0 0x4060f0 0x7bd4 0x69d4 0x2d4
HeapAlloc 0x0 0x4060f4 0x7bd8 0x69d8 0x2cb
IsProcessorFeaturePresent 0x0 0x4060f8 0x7bdc 0x69dc 0x304
MultiByteToWideChar 0x0 0x4060fc 0x7be0 0x69e0 0x367
GetStringTypeW 0x0 0x406100 0x7be4 0x69e4 0x269
Icons (2)
»
Memory Dumps (2)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
buffer 10 0x0030F000 0x0030FFFF First Execution False 32-bit 0x0030F370 False False
buffer 10 0x02E40000 0x02EC8FFF First Execution False 32-bit 0x02E40000 False False
Local AV Matches (1)
»
Threat Name Severity
Trojan.GenericKDZ.66959
Malicious
C:\SystemID\PersonalID.txt Dropped File Stream
Whitelisted
»
Mime Type application/octet-stream
File Size 42 Bytes
MD5 c183857770364b05c2011bdebb914ed3
SHA1 040e5ac904de86328cca053a15596e118fc5da24
SHA256 094c4931fdb2f2af417c9e0322a9716006e8211fe9017f671ac6e3251300acca
SSDeep 3::
ImpHash -
File Reputation Information
»
Severity
Whitelisted
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\geo[1].json Dropped File Text
Unknown
»
Mime Type text/plain
File Size 464 Bytes
MD5 b47f5fac6776c219c3efa2db13402fc0
SHA1 0683e3aca261efc276359fc2ffad24348a51d360
SHA256 09b30a7fb64bdcdc1b12f39f32f7486de6716331939396885098077d438a070e
SSDeep 12:Y06jmdVQVCRbwXhCdEVQVPB8yPt0fRbIRAJdxFQVyrhmXoB2SH4:Y4QVCRbwxCCQVvV0fRbI2JdxFQVyNmw6
ImpHash -
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 Dropped File Text
Unknown
»
Mime Type text/x-powershell
File Size 49 Bytes
MD5 f972c62f986b5ed49ad7713d93bf6c9f
SHA1 4e157002bdb97e9526ab97bfafbf7c67e1d1efbf
SHA256 b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8
SSDeep 3:uIHeGAFcX5wTnl:/eGgHTl
ImpHash -
C:\Boot\Fonts\_readme.txt Dropped File Text
Unknown
»
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\_readme.txt (Dropped File)
C:\Boot\fr-FR\_readme.txt (Dropped File)
C:\Boot\hu-HU\_readme.txt (Dropped File)
C:\Boot\en-US\_readme.txt (Dropped File)
C:\Boot\zh-TW\_readme.txt (Dropped File)
C:\Boot\it-IT\_readme.txt (Dropped File)
C:\Boot\el-GR\_readme.txt (Dropped File)
C:\Config.Msi\_readme.txt (Dropped File)
C:\Boot\nl-NL\_readme.txt (Dropped File)
C:\Boot\ko-KR\_readme.txt (Dropped File)
C:\Boot\de-DE\_readme.txt (Dropped File)
C:\Boot\da-DK\_readme.txt (Dropped File)
C:\Boot\cs-CZ\_readme.txt (Dropped File)
C:\Boot\_readme.txt (Dropped File)
C:\Boot\sv-SE\_readme.txt (Dropped File)
C:\Boot\es-ES\_readme.txt (Dropped File)
C:\Boot\ru-RU\_readme.txt (Dropped File)
C:\Boot\zh-HK\_readme.txt (Dropped File)
C:\Boot\tr-TR\_readme.txt (Dropped File)
C:\Boot\fi-FI\_readme.txt (Dropped File)
C:\Boot\pt-PT\_readme.txt (Dropped File)
C:\_readme.txt (Dropped File)
C:\Boot\pt-BR\_readme.txt (Dropped File)
C:\Boot\pl-PL\_readme.txt (Dropped File)
C:\Boot\ja-JP\_readme.txt (Dropped File)
C:\Boot\nb-NO\_readme.txt (Dropped File)
C:\Boot\zh-CN\_readme.txt (Dropped File)
Mime Type text/plain
File Size 1.09 KB
MD5 ebb0cedc105d7c3ec87e444e7c756e00
SHA1 82a506fdb6be326711c1d276f3bfb1363acac49c
SHA256 4f14b4e8518086549a4686c9e1a482402653f3e8961b6c0fb4bd53abc8076f40
SSDeep 24:FSimHPnIekFQjhRe9bgnYLuWiGGmFRqrl3W4kA+GT/kF5M2/kC6qvJMbMr:NmHfv0p6Wi1PFWrDGT0f/kCPvYMr
ImpHash -
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\bowsakkdestx.txt Downloaded File Text
Unknown
»
Also Known As c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\get[1].php (Downloaded File)
Mime Type text/plain
File Size 560 Bytes
MD5 157d95011a4ee17bc03363c225dea722
SHA1 b3501a46302831f3fb4f4217f023a34aaae8e9fd
SHA256 4df818945a818ecc360a627cb4eb55bad33f2553f9de5018887cb75ee7f12ad7
SSDeep 12:YGJ68AW8KO5+Pdxa8uzKYQmkMvOpv2V5BDbMU:YgJAWhdwCuVvbMU
ImpHash -
C:\Boot\BCD.LOG2.sqpc Dropped File Unknown
Not Queried
»
Also Known As C:\Boot\BCD.LOG1.sqpc (Dropped File)
C:\Boot\BCD.LOG1 (Dropped File)
C:\Boot\BCD.LOG2 (Dropped File)
Mime Type -
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.

Screenshot (Before / After)