Verdict | Malicious |
Classifications | Backdoor, PUA, Miner |
Threat Names | XMRig, App/Generic-AI, XMRig.A |
Dynamic Analysis Report
Created on 2024-10-01T19:34:08+00:00
OKLA.exe
Windows Exe (x86-32)
Remarks (1/1)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "3 minutes" to "10 seconds" to reveal dormant functionality.
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\OKLA.exe | Sample File | Binary | Malicious |
File Reputation Information
Verdict | Suspicious |
Names | App/Generic-AI |
Classification | PUA |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x00420790 |
Size Of Code | 0x00032E00 |
Size Of Initialized Data | 0x00040000 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2023-08-01 09:26 (UTC) |
Sections (6)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00401000 | 0x00032DCC | 0x00032E00 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.71 |
.rdata | 0x00434000 | 0x0000B1D0 | 0x0000B200 | 0x00033200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.27 |
.data | 0x00440000 | 0x00024750 | 0x00001200 | 0x0003E400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.08 |
.didat | 0x00465000 | 0x000001A4 | 0x00000200 | 0x0003F600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.52 |
.rsrc | 0x00466000 | 0x0000DFF8 | 0x0000E000 | 0x0003F800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.64 |
.reloc | 0x00474000 | 0x000023DC | 0x00002400 | 0x0004D800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.67 |
Imports (3)
KERNEL32.dll (143)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x00434000 | 0x0003E404 | 0x0003D604 | 0x00000202 |
SetLastError | - | 0x00434004 | 0x0003E408 | 0x0003D608 | 0x00000473 |
FormatMessageW | - | 0x00434008 | 0x0003E40C | 0x0003D60C | 0x0000015E |
GetCurrentProcess | - | 0x0043400C | 0x0003E410 | 0x0003D610 | 0x000001C0 |
DeviceIoControl | - | 0x00434010 | 0x0003E414 | 0x0003D614 | 0x000000DD |
SetFileTime | - | 0x00434014 | 0x0003E418 | 0x0003D618 | 0x0000046A |
CloseHandle | - | 0x00434018 | 0x0003E41C | 0x0003D61C | 0x00000052 |
CreateDirectoryW | - | 0x0043401C | 0x0003E420 | 0x0003D620 | 0x00000081 |
RemoveDirectoryW | - | 0x00434020 | 0x0003E424 | 0x0003D624 | 0x00000403 |
CreateFileW | - | 0x00434024 | 0x0003E428 | 0x0003D628 | 0x0000008F |
DeleteFileW | - | 0x00434028 | 0x0003E42C | 0x0003D62C | 0x000000D6 |
CreateHardLinkW | - | 0x0043402C | 0x0003E430 | 0x0003D630 | 0x00000093 |
GetShortPathNameW | - | 0x00434030 | 0x0003E434 | 0x0003D634 | 0x00000261 |
GetLongPathNameW | - | 0x00434034 | 0x0003E438 | 0x0003D638 | 0x0000020F |
MoveFileW | - | 0x00434038 | 0x0003E43C | 0x0003D63C | 0x00000363 |
GetFileType | - | 0x0043403C | 0x0003E440 | 0x0003D640 | 0x000001F3 |
GetStdHandle | - | 0x00434040 | 0x0003E444 | 0x0003D644 | 0x00000264 |
WriteFile | - | 0x00434044 | 0x0003E448 | 0x0003D648 | 0x00000525 |
ReadFile | - | 0x00434048 | 0x0003E44C | 0x0003D64C | 0x000003C0 |
FlushFileBuffers | - | 0x0043404C | 0x0003E450 | 0x0003D650 | 0x00000157 |
SetEndOfFile | - | 0x00434050 | 0x0003E454 | 0x0003D654 | 0x00000453 |
SetFilePointer | - | 0x00434054 | 0x0003E458 | 0x0003D658 | 0x00000466 |
GetCurrentProcessId | - | 0x00434058 | 0x0003E45C | 0x0003D65C | 0x000001C1 |
SetFileAttributesW | - | 0x0043405C | 0x0003E460 | 0x0003D660 | 0x00000461 |
GetFileAttributesW | - | 0x00434060 | 0x0003E464 | 0x0003D664 | 0x000001EA |
FindClose | - | 0x00434064 | 0x0003E468 | 0x0003D668 | 0x0000012E |
FindFirstFileW | - | 0x00434068 | 0x0003E46C | 0x0003D66C | 0x00000139 |
FindNextFileW | - | 0x0043406C | 0x0003E470 | 0x0003D670 | 0x00000145 |
InterlockedDecrement | - | 0x00434070 | 0x0003E474 | 0x0003D674 | 0x000002EB |
GetVersionExW | - | 0x00434074 | 0x0003E478 | 0x0003D678 | 0x000002A4 |
GetCurrentDirectoryW | - | 0x00434078 | 0x0003E47C | 0x0003D67C | 0x000001BF |
GetFullPathNameW | - | 0x0043407C | 0x0003E480 | 0x0003D680 | 0x000001FB |
FoldStringW | - | 0x00434080 | 0x0003E484 | 0x0003D684 | 0x0000015C |
GetModuleFileNameW | - | 0x00434084 | 0x0003E488 | 0x0003D688 | 0x00000214 |
GetModuleHandleW | - | 0x00434088 | 0x0003E48C | 0x0003D68C | 0x00000218 |
FindResourceW | - | 0x0043408C | 0x0003E490 | 0x0003D690 | 0x0000014E |
FreeLibrary | - | 0x00434090 | 0x0003E494 | 0x0003D694 | 0x00000162 |
GetProcAddress | - | 0x00434094 | 0x0003E498 | 0x0003D698 | 0x00000245 |
ExitProcess | - | 0x00434098 | 0x0003E49C | 0x0003D69C | 0x00000119 |
SetThreadExecutionState | - | 0x0043409C | 0x0003E4A0 | 0x0003D6A0 | 0x00000493 |
Sleep | - | 0x004340A0 | 0x0003E4A4 | 0x0003D6A4 | 0x000004B2 |
LoadLibraryW | - | 0x004340A4 | 0x0003E4A8 | 0x0003D6A8 | 0x0000033F |
GetSystemDirectoryW | - | 0x004340A8 | 0x0003E4AC | 0x0003D6AC | 0x00000270 |
CompareStringW | - | 0x004340AC | 0x0003E4B0 | 0x0003D6B0 | 0x00000064 |
AllocConsole | - | 0x004340B0 | 0x0003E4B4 | 0x0003D6B4 | 0x00000010 |
FreeConsole | - | 0x004340B4 | 0x0003E4B8 | 0x0003D6B8 | 0x0000015F |
AttachConsole | - | 0x004340B8 | 0x0003E4BC | 0x0003D6BC | 0x00000017 |
WriteConsoleW | - | 0x004340BC | 0x0003E4C0 | 0x0003D6C0 | 0x00000524 |
GetProcessAffinityMask | - | 0x004340C0 | 0x0003E4C4 | 0x0003D6C4 | 0x00000246 |
CreateThread | - | 0x004340C4 | 0x0003E4C8 | 0x0003D6C8 | 0x000000B5 |
SetThreadPriority | - | 0x004340C8 | 0x0003E4CC | 0x0003D6CC | 0x00000499 |
InitializeCriticalSection | - | 0x004340CC | 0x0003E4D0 | 0x0003D6D0 | 0x000002E2 |
EnterCriticalSection | - | 0x004340D0 | 0x0003E4D4 | 0x0003D6D4 | 0x000000EE |
LeaveCriticalSection | - | 0x004340D4 | 0x0003E4D8 | 0x0003D6D8 | 0x00000339 |
DeleteCriticalSection | - | 0x004340D8 | 0x0003E4DC | 0x0003D6DC | 0x000000D1 |
SetEvent | - | 0x004340DC | 0x0003E4E0 | 0x0003D6E0 | 0x00000459 |
ResetEvent | - | 0x004340E0 | 0x0003E4E4 | 0x0003D6E4 | 0x0000040F |
ReleaseSemaphore | - | 0x004340E4 | 0x0003E4E8 | 0x0003D6E8 | 0x000003FE |
WaitForSingleObject | - | 0x004340E8 | 0x0003E4EC | 0x0003D6EC | 0x000004F9 |
CreateEventW | - | 0x004340EC | 0x0003E4F0 | 0x0003D6F0 | 0x00000085 |
CreateSemaphoreW | - | 0x004340F0 | 0x0003E4F4 | 0x0003D6F4 | 0x000000AE |
GetSystemTime | - | 0x004340F4 | 0x0003E4F8 | 0x0003D6F8 | 0x00000277 |
SystemTimeToTzSpecificLocalTime | - | 0x004340F8 | 0x0003E4FC | 0x0003D6FC | 0x000004BE |
TzSpecificLocalTimeToSystemTime | - | 0x004340FC | 0x0003E500 | 0x0003D700 | 0x000004D0 |
SystemTimeToFileTime | - | 0x00434100 | 0x0003E504 | 0x0003D704 | 0x000004BD |
FileTimeToLocalFileTime | - | 0x00434104 | 0x0003E508 | 0x0003D708 | 0x00000124 |
LocalFileTimeToFileTime | - | 0x00434108 | 0x0003E50C | 0x0003D70C | 0x00000346 |
FileTimeToSystemTime | - | 0x0043410C | 0x0003E510 | 0x0003D710 | 0x00000125 |
GetCPInfo | - | 0x00434110 | 0x0003E514 | 0x0003D714 | 0x00000172 |
IsDBCSLeadByte | - | 0x00434114 | 0x0003E518 | 0x0003D718 | 0x000002FE |
MultiByteToWideChar | - | 0x00434118 | 0x0003E51C | 0x0003D71C | 0x00000367 |
WideCharToMultiByte | - | 0x0043411C | 0x0003E520 | 0x0003D720 | 0x00000511 |
GlobalAlloc | - | 0x00434120 | 0x0003E524 | 0x0003D724 | 0x000002B3 |
LockResource | - | 0x00434124 | 0x0003E528 | 0x0003D728 | 0x00000354 |
GlobalLock | - | 0x00434128 | 0x0003E52C | 0x0003D72C | 0x000002BE |
GlobalUnlock | - | 0x0043412C | 0x0003E530 | 0x0003D730 | 0x000002C5 |
GlobalFree | - | 0x00434130 | 0x0003E534 | 0x0003D734 | 0x000002BA |
LoadResource | - | 0x00434134 | 0x0003E538 | 0x0003D738 | 0x00000341 |
SizeofResource | - | 0x00434138 | 0x0003E53C | 0x0003D73C | 0x000004B1 |
SetCurrentDirectoryW | - | 0x0043413C | 0x0003E540 | 0x0003D740 | 0x0000044D |
GetTimeFormatW | - | 0x00434140 | 0x0003E544 | 0x0003D744 | 0x00000297 |
GetDateFormatW | - | 0x00434144 | 0x0003E548 | 0x0003D748 | 0x000001C8 |
LocalFree | - | 0x00434148 | 0x0003E54C | 0x0003D74C | 0x00000348 |
GetExitCodeProcess | - | 0x0043414C | 0x0003E550 | 0x0003D750 | 0x000001DF |
GetLocalTime | - | 0x00434150 | 0x0003E554 | 0x0003D754 | 0x00000203 |
GetTickCount | - | 0x00434154 | 0x0003E558 | 0x0003D758 | 0x00000293 |
MapViewOfFile | - | 0x00434158 | 0x0003E55C | 0x0003D75C | 0x00000357 |
UnmapViewOfFile | - | 0x0043415C | 0x0003E560 | 0x0003D760 | 0x000004D6 |
CreateFileMappingW | - | 0x00434160 | 0x0003E564 | 0x0003D764 | 0x0000008C |
OpenFileMappingW | - | 0x00434164 | 0x0003E568 | 0x0003D768 | 0x00000379 |
GetCommandLineW | - | 0x00434168 | 0x0003E56C | 0x0003D76C | 0x00000187 |
SetEnvironmentVariableW | - | 0x0043416C | 0x0003E570 | 0x0003D770 | 0x00000457 |
ExpandEnvironmentStringsW | - | 0x00434170 | 0x0003E574 | 0x0003D774 | 0x0000011D |
GetTempPathW | - | 0x00434174 | 0x0003E578 | 0x0003D778 | 0x00000285 |
MoveFileExW | - | 0x00434178 | 0x0003E57C | 0x0003D77C | 0x00000360 |
GetLocaleInfoW | - | 0x0043417C | 0x0003E580 | 0x0003D780 | 0x00000206 |
GetNumberFormatW | - | 0x00434180 | 0x0003E584 | 0x0003D784 | 0x00000233 |
DecodePointer | - | 0x00434184 | 0x0003E588 | 0x0003D788 | 0x000000CA |
SetFilePointerEx | - | 0x00434188 | 0x0003E58C | 0x0003D78C | 0x00000467 |
GetConsoleMode | - | 0x0043418C | 0x0003E590 | 0x0003D790 | 0x000001AC |
GetConsoleCP | - | 0x00434190 | 0x0003E594 | 0x0003D794 | 0x0000019A |
HeapSize | - | 0x00434194 | 0x0003E598 | 0x0003D798 | 0x000002D4 |
SetStdHandle | - | 0x00434198 | 0x0003E59C | 0x0003D79C | 0x00000487 |
GetProcessHeap | - | 0x0043419C | 0x0003E5A0 | 0x0003D7A0 | 0x0000024A |
FreeEnvironmentStringsW | - | 0x004341A0 | 0x0003E5A4 | 0x0003D7A4 | 0x00000161 |
GetEnvironmentStringsW | - | 0x004341A4 | 0x0003E5A8 | 0x0003D7A8 | 0x000001DA |
GetCommandLineA | - | 0x004341A8 | 0x0003E5AC | 0x0003D7AC | 0x00000186 |
GetOEMCP | - | 0x004341AC | 0x0003E5B0 | 0x0003D7B0 | 0x00000237 |
RaiseException | - | 0x004341B0 | 0x0003E5B4 | 0x0003D7B4 | 0x000003B1 |
GetSystemInfo | - | 0x004341B4 | 0x0003E5B8 | 0x0003D7B8 | 0x00000273 |
VirtualProtect | - | 0x004341B8 | 0x0003E5BC | 0x0003D7BC | 0x000004EF |
VirtualQuery | - | 0x004341BC | 0x0003E5C0 | 0x0003D7C0 | 0x000004F1 |
LoadLibraryExA | - | 0x004341C0 | 0x0003E5C4 | 0x0003D7C4 | 0x0000033D |
IsProcessorFeaturePresent | - | 0x004341C4 | 0x0003E5C8 | 0x0003D7C8 | 0x00000304 |
IsDebuggerPresent | - | 0x004341C8 | 0x0003E5CC | 0x0003D7CC | 0x00000300 |
UnhandledExceptionFilter | - | 0x004341CC | 0x0003E5D0 | 0x0003D7D0 | 0x000004D3 |
SetUnhandledExceptionFilter | - | 0x004341D0 | 0x0003E5D4 | 0x0003D7D4 | 0x000004A5 |
GetStartupInfoW | - | 0x004341D4 | 0x0003E5D8 | 0x0003D7D8 | 0x00000263 |
QueryPerformanceCounter | - | 0x004341D8 | 0x0003E5DC | 0x0003D7DC | 0x000003A7 |
GetCurrentThreadId | - | 0x004341DC | 0x0003E5E0 | 0x0003D7E0 | 0x000001C5 |
GetSystemTimeAsFileTime | - | 0x004341E0 | 0x0003E5E4 | 0x0003D7E4 | 0x00000279 |
InitializeSListHead | - | 0x004341E4 | 0x0003E5E8 | 0x0003D7E8 | 0x000002E7 |
TerminateProcess | - | 0x004341E8 | 0x0003E5EC | 0x0003D7EC | 0x000004C0 |
RtlUnwind | - | 0x004341EC | 0x0003E5F0 | 0x0003D7F0 | 0x00000418 |
EncodePointer | - | 0x004341F0 | 0x0003E5F4 | 0x0003D7F4 | 0x000000EA |
InitializeCriticalSectionAndSpinCount | - | 0x004341F4 | 0x0003E5F8 | 0x0003D7F8 | 0x000002E3 |
TlsAlloc | - | 0x004341F8 | 0x0003E5FC | 0x0003D7FC | 0x000004C5 |
TlsGetValue | - | 0x004341FC | 0x0003E600 | 0x0003D800 | 0x000004C7 |
TlsSetValue | - | 0x00434200 | 0x0003E604 | 0x0003D804 | 0x000004C8 |
TlsFree | - | 0x00434204 | 0x0003E608 | 0x0003D808 | 0x000004C6 |
LoadLibraryExW | - | 0x00434208 | 0x0003E60C | 0x0003D80C | 0x0000033E |
QueryPerformanceFrequency | - | 0x0043420C | 0x0003E610 | 0x0003D810 | 0x000003A8 |
GetModuleHandleExW | - | 0x00434210 | 0x0003E614 | 0x0003D814 | 0x00000217 |
GetModuleFileNameA | - | 0x00434214 | 0x0003E618 | 0x0003D818 | 0x00000213 |
GetACP | - | 0x00434218 | 0x0003E61C | 0x0003D81C | 0x00000168 |
HeapFree | - | 0x0043421C | 0x0003E620 | 0x0003D820 | 0x000002CF |
HeapReAlloc | - | 0x00434220 | 0x0003E624 | 0x0003D824 | 0x000002D2 |
HeapAlloc | - | 0x00434224 | 0x0003E628 | 0x0003D828 | 0x000002CB |
GetStringTypeW | - | 0x00434228 | 0x0003E62C | 0x0003D82C | 0x00000269 |
LCMapStringW | - | 0x0043422C | 0x0003E630 | 0x0003D830 | 0x0000032D |
FindFirstFileExA | - | 0x00434230 | 0x0003E634 | 0x0003D834 | 0x00000133 |
FindNextFileA | - | 0x00434234 | 0x0003E638 | 0x0003D838 | 0x00000143 |
IsValidCodePage | - | 0x00434238 | 0x0003E63C | 0x0003D83C | 0x0000030A |
OLEAUT32.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SysAllocString | 0x00000002 | 0x00434240 | 0x0003E644 | 0x0003D844 | - |
SysFreeString | 0x00000006 | 0x00434244 | 0x0003E648 | 0x0003D848 | - |
VariantClear | 0x00000009 | 0x00434248 | 0x0003E64C | 0x0003D84C | - |
gdiplus.dll (9)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GdipAlloc | - | 0x00434250 | 0x0003E654 | 0x0003D854 | 0x00000021 |
GdipDisposeImage | - | 0x00434254 | 0x0003E658 | 0x0003D858 | 0x00000098 |
GdipCloneImage | - | 0x00434258 | 0x0003E65C | 0x0003D85C | 0x00000036 |
GdipCreateBitmapFromStream | - | 0x0043425C | 0x0003E660 | 0x0003D860 | 0x00000051 |
GdipCreateBitmapFromStreamICM | - | 0x00434260 | 0x0003E664 | 0x0003D864 | 0x00000052 |
GdipCreateHBITMAPFromBitmap | - | 0x00434264 | 0x0003E668 | 0x0003D868 | 0x0000005F |
GdiplusStartup | - | 0x00434268 | 0x0003E66C | 0x0003D86C | 0x00000275 |
GdiplusShutdown | - | 0x0043426C | 0x0003E670 | 0x0003D870 | 0x00000274 |
GdipFree | - | 0x00434270 | 0x0003E674 | 0x0003D874 | 0x000000ED |
Memory Dumps (2)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA |
---|---|---|---|---|---|---|---|---|
okla.exe | 1 | 0x001B0000 | 0x00226FFF | Relevant Image | | 32-bit | 0x001D3BEE | |
okla.exe | 1 | 0x001B0000 | 0x00226FFF | Process Termination | | 32-bit | - | |
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\xmrig.exe | Dropped File | Binary | Malicious |
File Reputation Information
Verdict | Suspicious |
Classification | PUA |
PE Information
Image Base | 0x140000000 |
Entry Point | 0x1403E01A4 |
Size Of Code | 0x0041A600 |
Size Of Initialized Data | 0x00496600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Machine Type | IMAGE_FILE_MACHINE_AMD64 |
Compile Timestamp | 2024-08-11 18:16 (UTC) |
Version Information (7)
CompanyName | www.xmrig.com |
FileDescription | XMRig miner |
FileVersion | 6.22.0 |
LegalCopyright | Copyright (C) 2016-2024 xmrig.com |
OriginalFilename | xmrig.exe |
ProductName | XMRig |
ProductVersion | 6.22.0 |
Sections (10)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x140001000 | 0x0041A478 | 0x0041A600 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.52 |
.rdata | 0x14041C000 | 0x001A6E22 | 0x001A7000 | 0x0041AA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.17 |
.data | 0x1405C3000 | 0x002AF4D4 | 0x00010200 | 0x005C1A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.02 |
.pdata | 0x140873000 | 0x0002A528 | 0x0002A600 | 0x005D1C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.32 |
_RANDOMX | 0x14089E000 | 0x00000C56 | 0x00000E00 | 0x005FC200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.68 |
_TEXT_CN | 0x14089F000 | 0x000026D1 | 0x00002800 | 0x005FD000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.08 |
_TEXT_CN | 0x1408A2000 | 0x00001184 | 0x00001200 | 0x005FF800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.05 |
_RDATA | 0x1408A4000 | 0x000000F4 | 0x00000200 | 0x00600A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.46 |
.rsrc | 0x1408A5000 | 0x000059C8 | 0x00005A00 | 0x00600C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.43 |
.reloc | 0x1408AB000 | 0x0000B5A0 | 0x0000B600 | 0x00606600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.46 |
Imports (10)
WS2_32.dll (36)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
WSASetLastError | 0x00000070 | 0x14041C908 | 0x005C1528 | 0x005BFF28 | - |
send | 0x00000013 | 0x14041C910 | 0x005C1530 | 0x005BFF30 | - |
recv | 0x00000010 | 0x14041C918 | 0x005C1538 | 0x005BFF38 | - |
ntohs | 0x0000000F | 0x14041C920 | 0x005C1540 | 0x005BFF40 | - |
htons | 0x00000009 | 0x14041C928 | 0x005C1548 | 0x005BFF48 | - |
htonl | 0x00000008 | 0x14041C930 | 0x005C1550 | 0x005BFF50 | - |
inet_addr | 0x0000000B | 0x14041C938 | 0x005C1558 | 0x005BFF58 | - |
inet_ntoa | 0x0000000C | 0x14041C940 | 0x005C1560 | 0x005BFF60 | - |
gethostbyaddr | 0x00000033 | 0x14041C948 | 0x005C1568 | 0x005BFF68 | - |
WSAGetLastError | 0x0000006F | 0x14041C950 | 0x005C1570 | 0x005BFF70 | - |
WSAIoctl | - | 0x14041C958 | 0x005C1578 | 0x005BFF78 | 0x0000003B |
gethostbyname | 0x00000034 | 0x14041C960 | 0x005C1580 | 0x005BFF80 | - |
WSARecvFrom | - | 0x14041C968 | 0x005C1588 | 0x005BFF88 | 0x0000004B |
WSASocketW | - | 0x14041C970 | 0x005C1590 | 0x005BFF90 | 0x00000058 |
WSASend | - | 0x14041C978 | 0x005C1598 | 0x005BFF98 | 0x0000004E |
WSARecv | - | 0x14041C980 | 0x005C15A0 | 0x005BFFA0 | 0x00000049 |
gethostname | 0x00000039 | 0x14041C988 | 0x005C15A8 | 0x005BFFA8 | - |
WSADuplicateSocketW | - | 0x14041C990 | 0x005C15B0 | 0x005BFFB0 | 0x00000027 |
getpeername | 0x00000005 | 0x14041C998 | 0x005C15B8 | 0x005BFFB8 | - |
FreeAddrInfoW | - | 0x14041C9A0 | 0x005C15C0 | 0x005BFFC0 | 0x00000002 |
GetAddrInfoW | - | 0x14041C9A8 | 0x005C15C8 | 0x005BFFC8 | 0x00000007 |
shutdown | 0x00000016 | 0x14041C9B0 | 0x005C15D0 | 0x005BFFD0 | - |
socket | 0x00000017 | 0x14041C9B8 | 0x005C15D8 | 0x005BFFD8 | - |
setsockopt | 0x00000015 | 0x14041C9C0 | 0x005C15E0 | 0x005BFFE0 | - |
listen | 0x0000000D | 0x14041C9C8 | 0x005C15E8 | 0x005BFFE8 | - |
connect | 0x00000004 | 0x14041C9D0 | 0x005C15F0 | 0x005BFFF0 | - |
closesocket | 0x00000003 | 0x14041C9D8 | 0x005C15F8 | 0x005BFFF8 | - |
bind | 0x00000002 | 0x14041C9E0 | 0x005C1600 | 0x005C0000 | - |
WSACleanup | 0x00000074 | 0x14041C9E8 | 0x005C1608 | 0x005C0008 | - |
WSAStartup | 0x00000073 | 0x14041C9F0 | 0x005C1610 | 0x005C0010 | - |
select | 0x00000012 | 0x14041C9F8 | 0x005C1618 | 0x005C0018 | - |
getsockopt | 0x00000007 | 0x14041CA00 | 0x005C1620 | 0x005C0020 | - |
getsockname | 0x00000006 | 0x14041CA08 | 0x005C1628 | 0x005C0028 | - |
ioctlsocket | 0x0000000A | 0x14041CA10 | 0x005C1630 | 0x005C0030 | - |
getservbyname | 0x00000037 | 0x14041CA18 | 0x005C1638 | 0x005C0038 | - |
getservbyport | 0x00000038 | 0x14041CA20 | 0x005C1640 | 0x005C0040 | - |
IPHLPAPI.DLL (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetAdaptersAddresses | - | 0x14041C150 | 0x005C0D70 | 0x005BF770 | 0x00000043 |
USERENV.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetUserProfileDirectoryW | - | 0x14041C8F8 | 0x005C1518 | 0x005BFF18 | 0x00000026 |
CRYPT32.dll (7)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CertFreeCertificateContext | - | 0x14041C110 | 0x005C0D30 | 0x005BF730 | 0x00000040 |
CertFindCertificateInStore | - | 0x14041C118 | 0x005C0D38 | 0x005BF738 | 0x00000035 |
CertEnumCertificatesInStore | - | 0x14041C120 | 0x005C0D40 | 0x005BF740 | 0x0000002C |
CertCloseStore | - | 0x14041C128 | 0x005C0D48 | 0x005BF748 | 0x00000012 |
CertOpenStore | - | 0x14041C130 | 0x005C0D50 | 0x005BF750 | 0x00000059 |
CertGetCertificateContextProperty | - | 0x14041C138 | 0x005C0D58 | 0x005BF758 | 0x00000046 |
CertDuplicateCertificateContext | - | 0x14041C140 | 0x005C0D60 | 0x005BF760 | 0x00000025 |
KERNEL32.dll (229)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetStringTypeW | - | 0x14041C160 | 0x005C0D80 | 0x005BF780 | 0x000002F8 |
InitializeCriticalSectionAndSpinCount | - | 0x14041C168 | 0x005C0D88 | 0x005BF788 | 0x00000386 |
WriteConsoleW | - | 0x14041C170 | 0x005C0D90 | 0x005BF790 | 0x0000064A |
SetConsoleTitleA | - | 0x14041C178 | 0x005C0D98 | 0x005BF798 | 0x00000535 |
GetStdHandle | - | 0x14041C180 | 0x005C0DA0 | 0x005BF7A0 | 0x000002F3 |
SetConsoleMode | - | 0x14041C188 | 0x005C0DA8 | 0x005BF7A8 | 0x0000052B |
GetConsoleMode | - | 0x14041C190 | 0x005C0DB0 | 0x005BF7B0 | 0x00000216 |
QueryPerformanceFrequency | - | 0x14041C198 | 0x005C0DB8 | 0x005BF7B8 | 0x00000471 |
QueryPerformanceCounter | - | 0x14041C1A0 | 0x005C0DC0 | 0x005BF7C0 | 0x00000470 |
SizeofResource | - | 0x14041C1A8 | 0x005C0DC8 | 0x005BF7C8 | 0x000005B3 |
LockResource | - | 0x14041C1B0 | 0x005C0DD0 | 0x005BF7D0 | 0x000003FE |
LoadResource | - | 0x14041C1B8 | 0x005C0DD8 | 0x005BF7D8 | 0x000003EA |
FindResourceW | - | 0x14041C1C0 | 0x005C0DE0 | 0x005BF7E0 | 0x000001B0 |
ExpandEnvironmentStringsA | - | 0x14041C1C8 | 0x005C0DE8 | 0x005BF7E8 | 0x0000017B |
GetConsoleWindow | - | 0x14041C1D0 | 0x005C0DF0 | 0x005BF7F0 | 0x00000221 |
GetSystemFirmwareTable | - | 0x14041C1D8 | 0x005C0DF8 | 0x005BF7F8 | 0x00000303 |
HeapFree | - | 0x14041C1E0 | 0x005C0E00 | 0x005BF800 | 0x00000370 |
HeapAlloc | - | 0x14041C1E8 | 0x005C0E08 | 0x005BF808 | 0x0000036C |
GetProcessHeap | - | 0x14041C1F0 | 0x005C0E10 | 0x005BF810 | 0x000002D4 |
MultiByteToWideChar | - | 0x14041C1F8 | 0x005C0E18 | 0x005BF818 | 0x00000412 |
SetPriorityClass | - | 0x14041C200 | 0x005C0E20 | 0x005BF820 | 0x0000056E |
GetCurrentProcess | - | 0x14041C208 | 0x005C0E28 | 0x005BF828 | 0x00000232 |
SetThreadPriority | - | 0x14041C210 | 0x005C0E30 | 0x005BF830 | 0x00000593 |
GetSystemPowerStatus | - | 0x14041C218 | 0x005C0E38 | 0x005BF838 | 0x00000305 |
GetCurrentThread | - | 0x14041C220 | 0x005C0E40 | 0x005BF840 | 0x00000236 |
GetProcAddress | - | 0x14041C228 | 0x005C0E48 | 0x005BF848 | 0x000002CD |
GetModuleHandleW | - | 0x14041C230 | 0x005C0E50 | 0x005BF850 | 0x00000295 |
GetTickCount | - | 0x14041C238 | 0x005C0E58 | 0x005BF858 | 0x0000032C |
CloseHandle | - | 0x14041C240 | 0x005C0E60 | 0x005BF860 | 0x00000094 |
FreeConsole | - | 0x14041C248 | 0x005C0E68 | 0x005BF868 | 0x000001C2 |
VirtualProtect | - | 0x14041C250 | 0x005C0E70 | 0x005BF870 | 0x00000605 |
VirtualFree | - | 0x14041C258 | 0x005C0E78 | 0x005BF878 | 0x00000602 |
VirtualAlloc | - | 0x14041C260 | 0x005C0E80 | 0x005BF880 | 0x000005FF |
GetLargePageMinimum | - | 0x14041C268 | 0x005C0E88 | 0x005BF888 | 0x0000027B |
LocalAlloc | - | 0x14041C270 | 0x005C0E90 | 0x005BF890 | 0x000003ED |
GetLastError | - | 0x14041C278 | 0x005C0E98 | 0x005BF898 | 0x0000027D |
LocalFree | - | 0x14041C280 | 0x005C0EA0 | 0x005BF8A0 | 0x000003F2 |
FlushInstructionCache | - | 0x14041C288 | 0x005C0EA8 | 0x005BF8A8 | 0x000001BA |
GetCurrentThreadId | - | 0x14041C290 | 0x005C0EB0 | 0x005BF8B0 | 0x00000237 |
AddVectoredExceptionHandler | - | 0x14041C298 | 0x005C0EB8 | 0x005BF8B8 | 0x00000014 |
DeviceIoControl | - | 0x14041C2A0 | 0x005C0EC0 | 0x005BF8C0 | 0x00000133 |
GetModuleFileNameW | - | 0x14041C2A8 | 0x005C0EC8 | 0x005BF8C8 | 0x00000291 |
CreateFileW | - | 0x14041C2B0 | 0x005C0ED0 | 0x005BF8D0 | 0x000000DA |
SetLastError | - | 0x14041C2B8 | 0x005C0ED8 | 0x005BF8D8 | 0x00000564 |
GetSystemTime | - | 0x14041C2C0 | 0x005C0EE0 | 0x005BF8E0 | 0x00000308 |
SystemTimeToFileTime | - | 0x14041C2C8 | 0x005C0EE8 | 0x005BF8E8 | 0x000005C0 |
GetModuleHandleExW | - | 0x14041C2D0 | 0x005C0EF0 | 0x005BF8F0 | 0x00000294 |
Sleep | - | 0x14041C2D8 | 0x005C0EF8 | 0x005BF8F8 | 0x000005B4 |
InitializeSRWLock | - | 0x14041C2E0 | 0x005C0F00 | 0x005BF900 | 0x0000038B |
ReleaseSRWLockExclusive | - | 0x14041C2E8 | 0x005C0F08 | 0x005BF908 | 0x000004D8 |
ReleaseSRWLockShared | - | 0x14041C2F0 | 0x005C0F10 | 0x005BF910 | 0x000004D9 |
AcquireSRWLockExclusive | - | 0x14041C2F8 | 0x005C0F18 | 0x005BF918 | 0x00000000 |
AcquireSRWLockShared | - | 0x14041C300 | 0x005C0F20 | 0x005BF920 | 0x00000001 |
TlsAlloc | - | 0x14041C308 | 0x005C0F28 | 0x005BF928 | 0x000005D6 |
TlsGetValue | - | 0x14041C310 | 0x005C0F30 | 0x005BF930 | 0x000005D8 |
TlsSetValue | - | 0x14041C318 | 0x005C0F38 | 0x005BF938 | 0x000005D9 |
TlsFree | - | 0x14041C320 | 0x005C0F40 | 0x005BF940 | 0x000005D7 |
GetSystemInfo | - | 0x14041C328 | 0x005C0F48 | 0x005BF948 | 0x00000304 |
SwitchToFiber | - | 0x14041C330 | 0x005C0F50 | 0x005BF950 | 0x000005BE |
DeleteFiber | - | 0x14041C338 | 0x005C0F58 | 0x005BF958 | 0x00000124 |
CreateFiberEx | - | 0x14041C340 | 0x005C0F60 | 0x005BF960 | 0x000000D0 |
FindClose | - | 0x14041C348 | 0x005C0F68 | 0x005BF968 | 0x0000018F |
FindFirstFileW | - | 0x14041C350 | 0x005C0F70 | 0x005BF970 | 0x0000019A |
FindNextFileW | - | 0x14041C358 | 0x005C0F78 | 0x005BF978 | 0x000001A6 |
WideCharToMultiByte | - | 0x14041C360 | 0x005C0F80 | 0x005BF980 | 0x00000637 |
GetSystemDirectoryA | - | 0x14041C368 | 0x005C0F88 | 0x005BF988 | 0x00000300 |
FreeLibrary | - | 0x14041C370 | 0x005C0F90 | 0x005BF990 | 0x000001C5 |
LoadLibraryA | - | 0x14041C378 | 0x005C0F98 | 0x005BF998 | 0x000003E4 |
FormatMessageA | - | 0x14041C380 | 0x005C0FA0 | 0x005BF9A0 | 0x000001C0 |
GetFileType | - | 0x14041C388 | 0x005C0FA8 | 0x005BF9A8 | 0x0000026A |
WriteFile | - | 0x14041C390 | 0x005C0FB0 | 0x005BF9B0 | 0x0000064B |
GetEnvironmentVariableW | - | 0x14041C398 | 0x005C0FB8 | 0x005BF9B8 | 0x00000255 |
GetACP | - | 0x14041C3A0 | 0x005C0FC0 | 0x005BF9C0 | 0x000001CC |
ConvertFiberToThread | - | 0x14041C3A8 | 0x005C0FC8 | 0x005BF9C8 | 0x000000B0 |
ConvertThreadToFiberEx | - | 0x14041C3B0 | 0x005C0FD0 | 0x005BF9D0 | 0x000000B4 |
GetCurrentProcessId | - | 0x14041C3B8 | 0x005C0FD8 | 0x005BF9D8 | 0x00000233 |
GetSystemTimeAsFileTime | - | 0x14041C3C0 | 0x005C0FE0 | 0x005BF9E0 | 0x0000030A |
LoadLibraryW | - | 0x14041C3C8 | 0x005C0FE8 | 0x005BF9E8 | 0x000003E7 |
ReadConsoleA | - | 0x14041C3D0 | 0x005C0FF0 | 0x005BF9F0 | 0x0000048B |
ReadConsoleW | - | 0x14041C3D8 | 0x005C0FF8 | 0x005BF9F8 | 0x00000495 |
PostQueuedCompletionStatus | - | 0x14041C3E0 | 0x005C1000 | 0x005BFA00 | 0x00000445 |
CreateFileA | - | 0x14041C3E8 | 0x005C1008 | 0x005BFA08 | 0x000000D2 |
DuplicateHandle | - | 0x14041C3F0 | 0x005C1010 | 0x005BFA10 | 0x00000141 |
SetEvent | - | 0x14041C3F8 | 0x005C1018 | 0x005BFA18 | 0x00000548 |
ResetEvent | - | 0x14041C400 | 0x005C1020 | 0x005BFA20 | 0x000004EC |
WaitForSingleObject | - | 0x14041C408 | 0x005C1028 | 0x005BFA28 | 0x00000610 |
CreateEventA | - | 0x14041C410 | 0x005C1030 | 0x005BFA30 | 0x000000CB |
QueueUserWorkItem | - | 0x14041C418 | 0x005C1038 | 0x005BFA38 | 0x0000047C |
RegisterWaitForSingleObject | - | 0x14041C420 | 0x005C1040 | 0x005BFA40 | 0x000004CE |
UnregisterWait | - | 0x14041C428 | 0x005C1048 | 0x005BFA48 | 0x000005EF |
GetNumberOfConsoleInputEvents | - | 0x14041C430 | 0x005C1050 | 0x005BFA50 | 0x000002B4 |
ReadConsoleInputW | - | 0x14041C438 | 0x005C1058 | 0x005BFA58 | 0x0000048F |
FillConsoleOutputCharacterW | - | 0x14041C440 | 0x005C1060 | 0x005BFA60 | 0x00000187 |
FillConsoleOutputAttribute | - | 0x14041C448 | 0x005C1068 | 0x005BFA68 | 0x00000185 |
GetConsoleCursorInfo | - | 0x14041C450 | 0x005C1070 | 0x005BFA70 | 0x0000020A |
SetConsoleCursorInfo | - | 0x14041C458 | 0x005C1078 | 0x005BFA78 | 0x0000051D |
GetConsoleScreenBufferInfo | - | 0x14041C460 | 0x005C1080 | 0x005BFA80 | 0x0000021C |
SetConsoleCursorPosition | - | 0x14041C468 | 0x005C1088 | 0x005BFA88 | 0x0000051F |
SetConsoleTextAttribute | - | 0x14041C470 | 0x005C1090 | 0x005BFA90 | 0x00000534 |
WriteConsoleInputW | - | 0x14041C478 | 0x005C1098 | 0x005BFA98 | 0x00000644 |
CreateDirectoryW | - | 0x14041C480 | 0x005C10A0 | 0x005BFAA0 | 0x000000C9 |
FlushFileBuffers | - | 0x14041C488 | 0x005C10A8 | 0x005BFAA8 | 0x000001B9 |
GetDiskFreeSpaceW | - | 0x14041C490 | 0x005C10B0 | 0x005BFAB0 | 0x00000245 |
GetFileAttributesW | - | 0x14041C498 | 0x005C10B8 | 0x005BFAB8 | 0x00000261 |
GetFileInformationByHandle | - | 0x14041C4A0 | 0x005C10C0 | 0x005BFAC0 | 0x00000263 |
CreateEventW | - | 0x14041C4A8 | 0x005C10C8 | 0x005BFAC8 | 0x000000CE |
RtlCaptureContext | - | 0x14041C4B0 | 0x005C10D0 | 0x005BFAD0 | 0x000004F5 |
GetFullPathNameW | - | 0x14041C4B8 | 0x005C10D8 | 0x005BFAD8 | 0x00000275 |
ReadFile | - | 0x14041C4C0 | 0x005C10E0 | 0x005BFAE0 | 0x00000498 |
RemoveDirectoryW | - | 0x14041C4C8 | 0x005C10E8 | 0x005BFAE8 | 0x000004DF |
SetFilePointerEx | - | 0x14041C4D0 | 0x005C10F0 | 0x005BFAF0 | 0x00000555 |
SetFileTime | - | 0x14041C4D8 | 0x005C10F8 | 0x005BFAF8 | 0x00000558 |
MapViewOfFile | - | 0x14041C4E0 | 0x005C1100 | 0x005BFB00 | 0x00000401 |
FlushViewOfFile | - | 0x14041C4E8 | 0x005C1108 | 0x005BFB08 | 0x000001BC |
UnmapViewOfFile | - | 0x14041C4F0 | 0x005C1110 | 0x005BFB10 | 0x000005E9 |
CreateFileMappingA | - | 0x14041C4F8 | 0x005C1118 | 0x005BFB18 | 0x000000D3 |
ReOpenFile | - | 0x14041C500 | 0x005C1120 | 0x005BFB20 | 0x0000048A |
CopyFileW | - | 0x14041C508 | 0x005C1128 | 0x005BFB28 | 0x000000BC |
MoveFileExW | - | 0x14041C510 | 0x005C1130 | 0x005BFB30 | 0x0000040B |
CreateHardLinkW | - | 0x14041C518 | 0x005C1138 | 0x005BFB38 | 0x000000DE |
GetFileInformationByHandleEx | - | 0x14041C520 | 0x005C1140 | 0x005BFB40 | 0x00000264 |
CreateSymbolicLinkW | - | 0x14041C528 | 0x005C1148 | 0x005BFB48 | 0x00000101 |
InitializeCriticalSection | - | 0x14041C530 | 0x005C1150 | 0x005BFB50 | 0x00000385 |
EnterCriticalSection | - | 0x14041C538 | 0x005C1158 | 0x005BFB58 | 0x00000149 |
LeaveCriticalSection | - | 0x14041C540 | 0x005C1160 | 0x005BFB60 | 0x000003E0 |
TryEnterCriticalSection | - | 0x14041C548 | 0x005C1168 | 0x005BFB68 | 0x000005DF |
DeleteCriticalSection | - | 0x14041C550 | 0x005C1170 | 0x005BFB70 | 0x00000123 |
InitializeConditionVariable | - | 0x14041C558 | 0x005C1178 | 0x005BFB78 | 0x00000382 |
WakeConditionVariable | - | 0x14041C560 | 0x005C1180 | 0x005BFB80 | 0x00000619 |
WakeAllConditionVariable | - | 0x14041C568 | 0x005C1188 | 0x005BFB88 | 0x00000618 |
SleepConditionVariableCS | - | 0x14041C570 | 0x005C1190 | 0x005BFB90 | 0x000005B5 |
ReleaseSemaphore | - | 0x14041C578 | 0x005C1198 | 0x005BFB98 | 0x000004DA |
ResumeThread | - | 0x14041C580 | 0x005C11A0 | 0x005BFBA0 | 0x000004F3 |
GetNativeSystemInfo | - | 0x14041C588 | 0x005C11A8 | 0x005BFBA8 | 0x000002A2 |
GetProcessAffinityMask | - | 0x14041C590 | 0x005C11B0 | 0x005BFBB0 | 0x000002CE |
SetThreadAffinityMask | - | 0x14041C598 | 0x005C11B8 | 0x005BFBB8 | 0x00000588 |
CreateSemaphoreA | - | 0x14041C5A0 | 0x005C11C0 | 0x005BFBC0 | 0x000000FA |
SetConsoleCtrlHandler | - | 0x14041C5A8 | 0x005C11C8 | 0x005BFBC8 | 0x0000051B |
GetCurrentDirectoryW | - | 0x14041C5B0 | 0x005C11D0 | 0x005BFBD0 | 0x0000022B |
GetLongPathNameW | - | 0x14041C5B8 | 0x005C11D8 | 0x005BFBD8 | 0x0000028A |
RtlUnwind | - | 0x14041C5C0 | 0x005C11E0 | 0x005BFBE0 | 0x00000502 |
CreateIoCompletionPort | - | 0x14041C5C8 | 0x005C11E8 | 0x005BFBE8 | 0x000000DF |
ReadDirectoryChangesW | - | 0x14041C5D0 | 0x005C11F0 | 0x005BFBF0 | 0x00000497 |
GetEnvironmentStringsW | - | 0x14041C5D8 | 0x005C11F8 | 0x005BFBF8 | 0x00000253 |
FreeEnvironmentStringsW | - | 0x14041C5E0 | 0x005C1200 | 0x005BFC00 | 0x000001C4 |
SetEnvironmentVariableW | - | 0x14041C5E8 | 0x005C1208 | 0x005BFC08 | 0x00000546 |
SetCurrentDirectoryW | - | 0x14041C5F0 | 0x005C1210 | 0x005BFC10 | 0x0000053B |
GetTempPathW | - | 0x14041C5F8 | 0x005C1218 | 0x005BFC18 | 0x00000319 |
GlobalMemoryStatusEx | - | 0x14041C600 | 0x005C1220 | 0x005BFC20 | 0x00000361 |
FileTimeToSystemTime | - | 0x14041C608 | 0x005C1228 | 0x005BFC28 | 0x00000184 |
K32GetProcessMemoryInfo | - | 0x14041C610 | 0x005C1230 | 0x005BFC30 | 0x000003CB |
SetHandleInformation | - | 0x14041C618 | 0x005C1238 | 0x005BFC38 | 0x0000055F |
CancelIoEx | - | 0x14041C620 | 0x005C1240 | 0x005BFC40 | 0x00000080 |
CancelIo | - | 0x14041C628 | 0x005C1248 | 0x005BFC48 | 0x0000007F |
SwitchToThread | - | 0x14041C630 | 0x005C1250 | 0x005BFC50 | 0x000005BF |
SetFileCompletionNotificationModes | - | 0x14041C638 | 0x005C1258 | 0x005BFC58 | 0x00000551 |
LoadLibraryExW | - | 0x14041C640 | 0x005C1260 | 0x005BFC60 | 0x000003E6 |
SetErrorMode | - | 0x14041C648 | 0x005C1268 | 0x005BFC68 | 0x00000547 |
GetQueuedCompletionStatus | - | 0x14041C650 | 0x005C1270 | 0x005BFC70 | 0x000002EB |
ConnectNamedPipe | - | 0x14041C658 | 0x005C1278 | 0x005BFC78 | 0x000000AB |
SetNamedPipeHandleState | - | 0x14041C660 | 0x005C1280 | 0x005BFC80 | 0x0000056D |
PeekNamedPipe | - | 0x14041C668 | 0x005C1288 | 0x005BFC88 | 0x00000443 |
CreateNamedPipeW | - | 0x14041C670 | 0x005C1290 | 0x005BFC90 | 0x000000EC |
CancelSynchronousIo | - | 0x14041C678 | 0x005C1298 | 0x005BFC98 | 0x00000081 |
GetNamedPipeHandleStateA | - | 0x14041C680 | 0x005C12A0 | 0x005BFCA0 | 0x0000029D |
GetNamedPipeClientProcessId | - | 0x14041C688 | 0x005C12A8 | 0x005BFCA8 | 0x0000029B |
GetNamedPipeServerProcessId | - | 0x14041C690 | 0x005C12B0 | 0x005BFCB0 | 0x000002A0 |
TerminateProcess | - | 0x14041C698 | 0x005C12B8 | 0x005BFCB8 | 0x000005C4 |
GetExitCodeProcess | - | 0x14041C6A0 | 0x005C12C0 | 0x005BFCC0 | 0x00000258 |
UnregisterWaitEx | - | 0x14041C6A8 | 0x005C12C8 | 0x005BFCC8 | 0x000005F0 |
LCMapStringW | - | 0x14041C6B0 | 0x005C12D0 | 0x005BFCD0 | 0x000003D4 |
DebugBreak | - | 0x14041C6B8 | 0x005C12D8 | 0x005BFCD8 | 0x00000119 |
GetModuleHandleA | - | 0x14041C6C0 | 0x005C12E0 | 0x005BFCE0 | 0x00000292 |
LoadLibraryExA | - | 0x14041C6C8 | 0x005C12E8 | 0x005BFCE8 | 0x000003E5 |
GetStartupInfoW | - | 0x14041C6D0 | 0x005C12F0 | 0x005BFCF0 | 0x000002F1 |
GetModuleFileNameA | - | 0x14041C6D8 | 0x005C12F8 | 0x005BFCF8 | 0x00000290 |
GetVersionExA | - | 0x14041C6E0 | 0x005C1300 | 0x005BFD00 | 0x00000341 |
SetProcessAffinityMask | - | 0x14041C6E8 | 0x005C1308 | 0x005BFD08 | 0x0000056F |
GetComputerNameA | - | 0x14041C6F0 | 0x005C1310 | 0x005BFD10 | 0x000001F6 |
FlsFree | - | 0x14041C6F8 | 0x005C1318 | 0x005BFD18 | 0x000001B5 |
FlsSetValue | - | 0x14041C700 | 0x005C1320 | 0x005BFD20 | 0x000001B7 |
FlsGetValue | - | 0x14041C708 | 0x005C1328 | 0x005BFD28 | 0x000001B6 |
FlsAlloc | - | 0x14041C710 | 0x005C1330 | 0x005BFD30 | 0x000001B4 |
GetCPInfo | - | 0x14041C718 | 0x005C1338 | 0x005BFD38 | 0x000001DB |
RtlLookupFunctionEntry | - | 0x14041C720 | 0x005C1340 | 0x005BFD40 | 0x000004FD |
GetFinalPathNameByHandleW | - | 0x14041C728 | 0x005C1348 | 0x005BFD48 | 0x0000026C |
RtlVirtualUnwind | - | 0x14041C730 | 0x005C1350 | 0x005BFD50 | 0x00000504 |
UnhandledExceptionFilter | - | 0x14041C738 | 0x005C1358 | 0x005BFD58 | 0x000005E6 |
SetUnhandledExceptionFilter | - | 0x14041C740 | 0x005C1360 | 0x005BFD60 | 0x000005A4 |
IsProcessorFeaturePresent | - | 0x14041C748 | 0x005C1368 | 0x005BFD68 | 0x000003A8 |
IsDebuggerPresent | - | 0x14041C750 | 0x005C1370 | 0x005BFD70 | 0x000003A0 |
InitializeSListHead | - | 0x14041C758 | 0x005C1378 | 0x005BFD78 | 0x0000038A |
RtlUnwindEx | - | 0x14041C760 | 0x005C1380 | 0x005BFD80 | 0x00000503 |
RtlPcToFileHeader | - | 0x14041C768 | 0x005C1388 | 0x005BFD88 | 0x000004FF |
RaiseException | - | 0x14041C770 | 0x005C1390 | 0x005BFD90 | 0x00000487 |
SetStdHandle | - | 0x14041C778 | 0x005C1398 | 0x005BFD98 | 0x0000057F |
GetCommandLineA | - | 0x14041C780 | 0x005C13A0 | 0x005BFDA0 | 0x000001F0 |
GetCommandLineW | - | 0x14041C788 | 0x005C13A8 | 0x005BFDA8 | 0x000001F1 |
CreateThread | - | 0x14041C790 | 0x005C13B0 | 0x005BFDB0 | 0x00000103 |
ExitThread | - | 0x14041C798 | 0x005C13B8 | 0x005BFDB8 | 0x00000179 |
FreeLibraryAndExitThread | - | 0x14041C7A0 | 0x005C13C0 | 0x005BFDC0 | 0x000001C6 |
GetDriveTypeW | - | 0x14041C7A8 | 0x005C13C8 | 0x005BFDC8 | 0x0000024B |
SystemTimeToTzSpecificLocalTime | - | 0x14041C7B0 | 0x005C13D0 | 0x005BFDD0 | 0x000005C1 |
ExitProcess | - | 0x14041C7B8 | 0x005C13D8 | 0x005BFDD8 | 0x00000178 |
GetFileAttributesExW | - | 0x14041C7C0 | 0x005C13E0 | 0x005BFDE0 | 0x0000025E |
SetFileAttributesW | - | 0x14041C7C8 | 0x005C13E8 | 0x005BFDE8 | 0x0000054F |
GetConsoleOutputCP | - | 0x14041C7D0 | 0x005C13F0 | 0x005BFDF0 | 0x0000021A |
CompareStringW | - | 0x14041C7D8 | 0x005C13F8 | 0x005BFDF8 | 0x000000AA |
GetLocaleInfoW | - | 0x14041C7E0 | 0x005C1400 | 0x005BFE00 | 0x00000281 |
IsValidLocale | - | 0x14041C7E8 | 0x005C1408 | 0x005BFE08 | 0x000003B0 |
GetUserDefaultLCID | - | 0x14041C7F0 | 0x005C1410 | 0x005BFE10 | 0x00000339 |
EnumSystemLocalesW | - | 0x14041C7F8 | 0x005C1418 | 0x005BFE18 | 0x0000016D |
HeapReAlloc | - | 0x14041C800 | 0x005C1420 | 0x005BFE20 | 0x00000373 |
GetTimeZoneInformation | - | 0x14041C808 | 0x005C1428 | 0x005BFE28 | 0x00000333 |
HeapSize | - | 0x14041C810 | 0x005C1430 | 0x005BFE30 | 0x00000375 |
SetEndOfFile | - | 0x14041C818 | 0x005C1438 | 0x005BFE38 | 0x00000542 |
FindFirstFileExW | - | 0x14041C820 | 0x005C1440 | 0x005BFE40 | 0x00000195 |
IsValidCodePage | - | 0x14041C828 | 0x005C1448 | 0x005BFE48 | 0x000003AE |
GetOEMCP | - | 0x14041C830 | 0x005C1450 | 0x005BFE50 | 0x000002B6 |
GetFileSizeEx | - | 0x14041C838 | 0x005C1458 | 0x005BFE58 | 0x00000268 |
GetShortPathNameW | - | 0x14041C840 | 0x005C1460 | 0x005BFE60 | 0x000002EE |
CompareStringEx | - | 0x14041C848 | 0x005C1468 | 0x005BFE68 | 0x000000A8 |
LCMapStringEx | - | 0x14041C850 | 0x005C1470 | 0x005BFE70 | 0x000003D3 |
InitializeCriticalSectionEx | - | 0x14041C858 | 0x005C1478 | 0x005BFE78 | 0x00000387 |
WaitForSingleObjectEx | - | 0x14041C860 | 0x005C1480 | 0x005BFE80 | 0x00000611 |
GetExitCodeThread | - | 0x14041C868 | 0x005C1488 | 0x005BFE88 | 0x00000259 |
SleepConditionVariableSRW | - | 0x14041C870 | 0x005C1490 | 0x005BFE90 | 0x000005B6 |
EncodePointer | - | 0x14041C878 | 0x005C1498 | 0x005BFE98 | 0x00000145 |
DecodePointer | - | 0x14041C880 | 0x005C14A0 | 0x005BFEA0 | 0x0000011C |
USER32.dll (10)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastInputInfo | - | 0x14041C8A0 | 0x005C14C0 | 0x005BFEC0 | 0x00000172 |
MessageBoxW | - | 0x14041C8A8 | 0x005C14C8 | 0x005BFEC8 | 0x0000028B |
GetProcessWindowStation | - | 0x14041C8B0 | 0x005C14D0 | 0x005BFED0 | 0x000001B0 |
TranslateMessage | - | 0x14041C8B8 | 0x005C14D8 | 0x005BFED8 | 0x000003BA |
GetUserObjectInformationW | - | 0x14041C8C0 | 0x005C14E0 | 0x005BFEE0 | 0x000001DA |
ShowWindow | - | 0x14041C8C8 | 0x005C14E8 | 0x005BFEE8 | 0x0000039A |
DispatchMessageA | - | 0x14041C8D0 | 0x005C14F0 | 0x005BFEF0 | 0x000000BC |
GetSystemMetrics | - | 0x14041C8D8 | 0x005C14F8 | 0x005BFEF8 | 0x000001C9 |
MapVirtualKeyW | - | 0x14041C8E0 | 0x005C1500 | 0x005BFF00 | 0x0000027D |
GetMessageA | - | 0x14041C8E8 | 0x005C1508 | 0x005BFF08 | 0x00000187 |
SHELL32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SHGetSpecialFolderPathA | - | 0x14041C890 | 0x005C14B0 | 0x005BFEB0 | 0x0000016D |
ole32.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CoInitializeEx | - | 0x14041CA40 | 0x005C1660 | 0x005C0060 | 0x00000061 |
CoUninitialize | - | 0x14041CA48 | 0x005C1668 | 0x005C0068 | 0x00000091 |
CoCreateInstance | - | 0x14041CA50 | 0x005C1670 | 0x005C0070 | 0x0000002B |
ADVAPI32.dll (33)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SystemFunction036 | - | 0x14041C000 | 0x005C0C20 | 0x005BF620 | 0x00000319 |
GetUserNameW | - | 0x14041C008 | 0x005C0C28 | 0x005BF628 | 0x00000166 |
ReportEventW | - | 0x14041C010 | 0x005C0C30 | 0x005BF630 | 0x000002B6 |
RegisterEventSourceW | - | 0x14041C018 | 0x005C0C38 | 0x005BF638 | 0x000002A4 |
DeregisterEventSource | - | 0x14041C020 | 0x005C0C40 | 0x005BF640 | 0x000000ED |
CryptEnumProvidersW | - | 0x14041C028 | 0x005C0C48 | 0x005BF648 | 0x000000CF |
CryptSignHashW | - | 0x14041C030 | 0x005C0C50 | 0x005BF650 | 0x000000E5 |
CryptDestroyHash | - | 0x14041C038 | 0x005C0C58 | 0x005BF658 | 0x000000C7 |
CryptCreateHash | - | 0x14041C040 | 0x005C0C60 | 0x005BF660 | 0x000000C4 |
CryptDecrypt | - | 0x14041C048 | 0x005C0C68 | 0x005BF668 | 0x000000C5 |
CryptExportKey | - | 0x14041C050 | 0x005C0C70 | 0x005BF670 | 0x000000D0 |
CryptGetUserKey | - | 0x14041C058 | 0x005C0C78 | 0x005BF678 | 0x000000D8 |
CryptGetProvParam | - | 0x14041C060 | 0x005C0C80 | 0x005BF680 | 0x000000D7 |
CryptSetHashParam | - | 0x14041C068 | 0x005C0C88 | 0x005BF688 | 0x000000DD |
CryptDestroyKey | - | 0x14041C070 | 0x005C0C90 | 0x005BF690 | 0x000000C8 |
CryptReleaseContext | - | 0x14041C078 | 0x005C0C98 | 0x005BF698 | 0x000000DC |
CryptAcquireContextW | - | 0x14041C080 | 0x005C0CA0 | 0x005BF6A0 | 0x000000C2 |
CreateServiceW | - | 0x14041C088 | 0x005C0CA8 | 0x005BF6A8 | 0x00000091 |
QueryServiceStatus | - | 0x14041C090 | 0x005C0CB0 | 0x005BF6B0 | 0x00000246 |
CloseServiceHandle | - | 0x14041C098 | 0x005C0CB8 | 0x005BF6B8 | 0x00000065 |
OpenSCManagerW | - | 0x14041C0A0 | 0x005C0CC0 | 0x005BF6C0 | 0x0000020D |
QueryServiceConfigA | - | 0x14041C0A8 | 0x005C0CC8 | 0x005BF6C8 | 0x00000240 |
DeleteService | - | 0x14041C0B0 | 0x005C0CD0 | 0x005BF6D0 | 0x000000EC |
ControlService | - | 0x14041C0B8 | 0x005C0CD8 | 0x005BF6D8 | 0x0000006A |
StartServiceW | - | 0x14041C0C0 | 0x005C0CE0 | 0x005BF6E0 | 0x000002F1 |
OpenServiceW | - | 0x14041C0C8 | 0x005C0CE8 | 0x005BF6E8 | 0x0000020F |
LookupPrivilegeValueW | - | 0x14041C0D0 | 0x005C0CF0 | 0x005BF6F0 | 0x0000019A |
AdjustTokenPrivileges | - | 0x14041C0D8 | 0x005C0CF8 | 0x005BF6F8 | 0x0000001F |
OpenProcessToken | - | 0x14041C0E0 | 0x005C0D00 | 0x005BF700 | 0x0000020B |
LsaOpenPolicy | - | 0x14041C0E8 | 0x005C0D08 | 0x005BF708 | 0x000001C9 |
LsaAddAccountRights | - | 0x14041C0F0 | 0x005C0D10 | 0x005BF710 | 0x0000019D |
LsaClose | - | 0x14041C0F8 | 0x005C0D18 | 0x005BF718 | 0x000001A0 |
GetTokenInformation | - | 0x14041C100 | 0x005C0D20 | 0x005BF720 | 0x0000015B |
bcrypt.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
BCryptGenRandom | - | 0x14041CA30 | 0x005C1650 | 0x005C0050 | 0x0000001D |
Memory Dumps (69)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
xmrig.exe | 4 | 0x7FF68A770000 | 0x7FF68B026FFF | Relevant Image | 64-bit | 0x7FF68AB838E0 |
buffer | 4 | 0x147B9700000 | 0x147B971FFFF | Content Changed | 64-bit | - |
buffer | 4 | 0x5266FC000 | 0x5266FFFFF | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9700000 | 0x147B971FFFF | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9776F00 | 0x147B9776F7F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9777200 | 0x147B97772F7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97775E0 | 0x147B977765F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97776D0 | 0x147B9777755 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9778F60 | 0x147B9779034 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9779310 | 0x147B977938F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B977BBC0 | 0x147B977BCB7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B977BD10 | 0x147B977BD8F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B977D300 | 0x147B977D3A1 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B977D960 | 0x147B977DA9F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B977E7D0 | 0x147B977E987 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B977F9C0 | 0x147B977FD87 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B977FD90 | 0x147B977FFB7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B977FFC0 | 0x147B97801BF | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97803E0 | 0x147B978045F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9782740 | 0x147B978284F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9783980 | 0x147B9783AD7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97885B0 | 0x147B9788667 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B978AD30 | 0x147B978AE2F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B978B9F0 | 0x147B978BAF7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B978CBD0 | 0x147B978DDCF | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B978E1E0 | 0x147B978E397 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B978EBD0 | 0x147B978FBCF | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9794040 | 0x147B97941F7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9794200 | 0x147B97943B7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97943C0 | 0x147B9794577 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9794580 | 0x147B9794737 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9794740 | 0x147B97948F7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9794900 | 0x147B9794AB7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9794AC0 | 0x147B9794C77 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9794C80 | 0x147B9794E37 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9794E40 | 0x147B9794FF7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9795000 | 0x147B97951B7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97951C0 | 0x147B9795377 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9795380 | 0x147B9795537 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9795540 | 0x147B97956F7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9795700 | 0x147B97958B7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97958C0 | 0x147B9795A77 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9795AD0 | 0x147B9795C87 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9795C90 | 0x147B9795E47 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9795E50 | 0x147B9796007 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9796010 | 0x147B97961C7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97961D0 | 0x147B9796387 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9796390 | 0x147B9796547 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9796550 | 0x147B9796707 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9796710 | 0x147B97968C7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9796E60 | 0x147B9797017 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9797AA0 | 0x147B9797C57 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9797E20 | 0x147B9797FD7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9797FE0 | 0x147B9798197 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9798AA0 | 0x147B9798E2F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9799650 | 0x147B9799747 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9799750 | 0x147B979988F | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97998B0 | 0x147B97999A7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97999B0 | 0x147B9799AA7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9799AB0 | 0x147B9799BA7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9799BB0 | 0x147B9799CA7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B9799CB0 | 0x147B9799DA7 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B979AED0 | 0x147B979B017 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B979B8E0 | 0x147B979BCDF | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B979C100 | 0x147B97A0167 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97B0190 | 0x147B97B0357 | First Network Behavior | 64-bit | - |
buffer | 4 | 0x147B97B0360 | 0x147B97B0487 | First Network Behavior | 64-bit | - |
xmrig.exe | 4 | 0x7FF68A770000 | 0x7FF68B026FFF | First Network Behavior | 64-bit | 0x7FF68AB2AFB9 |
xmrig.exe | 4 | 0x7FF68A770000 | 0x7FF68B026FFF | Final Dump | 64-bit | - |
YARA Matches (1)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
XMRig_Miner | XMRig mining software | Miner, PUA | 5/5 |
\\?\C:\Users\RDhJ0CNFevzX\Desktop\WinRing0x64.sys | Dropped File | Binary | Clean (Known to be clean.) |
File Reputation Information
Verdict | Clean (Known to be clean.) |
PE Information
Image Base | 0x00010000 |
Entry Point | 0x00015008 |
Size Of Code | 0x00000C00 |
Size Of Initialized Data | 0x00000A00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_NATIVE |
Machine Type | IMAGE_FILE_MACHINE_AMD64 |
Compile Timestamp | 2008-07-26 13:29 (UTC) |
Version Information (9)
Comments | The modified BSD license |
CompanyName | OpenLibSys.org |
FileDescription | WinRing0 |
FileVersion | 1.2.0.5 |
InternalName | WinRing0.sys |
LegalCopyright | Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved. |
OriginalFilename | WinRing0.sys |
ProductName | WinRing0 |
ProductVersion | 1.2.0.5 |
Sections (6)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00011000 | 0x000006C6 | 0x00000800 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.39 |
.rdata | 0x00012000 | 0x0000017C | 0x00000200 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ | 3.28 |
.data | 0x00013000 | 0x00000114 | 0x00000200 | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.3 |
.pdata | 0x00014000 | 0x00000060 | 0x00000200 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ | 0.86 |
INIT | 0x00015000 | 0x00000222 | 0x00000400 | 0x00001200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.06 |
.rsrc | 0x00016000 | 0x000003C0 | 0x00000400 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.13 |
Imports (2)
ntoskrnl.exe (10)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
IoDeleteSymbolicLink | - | 0x00012018 | 0x000050B8 | 0x000012B8 | 0x000001BE |
RtlInitUnicodeString | - | 0x00012020 | 0x000050C0 | 0x000012C0 | 0x00000515 |
IoDeleteDevice | - | 0x00012028 | 0x000050C8 | 0x000012C8 | 0x000001BC |
IoCreateDevice | - | 0x00012030 | 0x000050D0 | 0x000012D0 | 0x000001A8 |
MmMapIoSpace | - | 0x00012038 | 0x000050D8 | 0x000012D8 | 0x0000035B |
KeBugCheckEx | - | 0x00012040 | 0x000050E0 | 0x000012E0 | 0x0000028A |
IoCreateSymbolicLink | - | 0x00012048 | 0x000050E8 | 0x000012E8 | 0x000001B2 |
MmUnmapIoSpace | - | 0x00012050 | 0x000050F0 | 0x000012F0 | 0x0000037B |
IofCompleteRequest | - | 0x00012058 | 0x000050F8 | 0x000012F8 | 0x0000026B |
__C_specific_handler | - | 0x00012060 | 0x00005100 | 0x00001300 | 0x000006F9 |
HAL.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
HalSetBusDataByOffset | - | 0x00012000 | 0x000050A0 | 0x000012A0 | 0x0000002F |
HalGetBusDataByOffset | - | 0x00012008 | 0x000050A8 | 0x000012A8 | 0x00000015 |
Digital Signature Information
Verification Status | Valid |
Certificate: Noriyuki MIYAZAKI
Issued by | Noriyuki MIYAZAKI |
Parent Certificate | GlobalSign ObjectSign CA |
Country Name | JP |
Valid From | 2007-09-24 10:50 (UTC) |
Valid Until | 2008-09-24 10:50 (UTC) |
Algorithm | sha1_rsa |
Serial Number | 01 00 00 00 00 01 15 37 24 21 A8 |
Thumbprint | CD A9 8A C4 01 94 56 09 55 93 90 2E 4B 4A 87 AC 28 3E D5 4A |
Certificate: GlobalSign ObjectSign CA
Issued by | GlobalSign ObjectSign CA |
Parent Certificate | GlobalSign Primary Object Publishing CA |
Country Name | BE |
Valid From | 2004-01-22 09:00 (UTC) |
Valid Until | 2014-01-27 10:00 (UTC) |
Algorithm | sha1_rsa |
Serial Number | 04 00 00 00 00 01 08 D9 61 24 48 |
Thumbprint | 4A 19 14 6D 67 BD 20 84 3A 3A 07 13 58 75 57 BF 51 92 13 CC |
Certificate: GlobalSign Primary Object Publishing CA
Issued by | GlobalSign Primary Object Publishing CA |
Parent Certificate | GlobalSign Root CA |
Country Name | BE |
Valid From | 1999-01-28 12:00 (UTC) |
Valid Until | 2014-01-27 11:00 (UTC) |
Algorithm | sha1_rsa |
Serial Number | 04 00 00 00 00 01 08 D9 61 1C D6 |
Thumbprint | 98 7F D0 00 DC B1 21 51 7D 72 45 3E E5 17 6E B9 2B 13 63 B9 |
Certificate: GlobalSign Root CA
Issued by | GlobalSign Root CA |
Country Name | BE |
Valid From | 2006-05-23 17:00 (UTC) |
Valid Until | 2016-05-23 17:10 (UTC) |
Algorithm | sha1_rsa |
Serial Number | 61 0B 7F 6B 00 00 00 00 00 19 |
Thumbprint | 3E EB 27 50 A1 99 F5 E7 B6 A8 95 24 30 BE 50 62 FE 04 E9 E5 |
\\?\C:\Users\RDhJ0CNFevzX\Desktop\1.cmd | Dropped File | Text | Clean |
c:\users\rdhj0cnfevzx\desktop\__tmp_rar_sfx_access_check_20412546 | Dropped File | Empty | Clean |
6f86849b026f0c45c0c8a1145048960bbdefdaea3beac030f114b1ff16057994 | Extracted File | Image | Clean |
File Reputation Information
Verdict | Clean (Known to be clean.) |
1027b3001f02a641e63f0f8890d8c241a96ad9f9b6f51ac18f1708e0b9b153e2 | Extracted File | Image | Clean |
27d3a1a2da49dc535cc10806abaae9dfa49e4f5f44a40540ead50e065b99ca68 | Extracted File | Image | Clean |
File Reputation Information
Verdict | Clean (Known to be clean.) |
a91f4373ceebadfc70b3bd0758848918f928c3c76562e3d9d531574796fd9e9c | Extracted File | Image | Clean (Known to be clean.) |
File Reputation Information
Verdict | Clean (Known to be clean.) |