Malicious
Classifications

Backdoor PUA Miner

Threat Names

XMRig App/Generic-MM XMRig.A

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "3 minutes" to "10 seconds" to reveal dormant functionality.

Remarks

(0x0200004A): 1 dump(s) were skipped because they exceeded the maximum dump size of 16 MB. The largest one was 256 MB.

File Name Category Type Verdict
C:\Users\OqXZRaykm\Desktop\OKLA.exe Sample File Binary Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 2.40 MB
MD5 bf6a432fedd9b27af14379c6c566676d
SHA1 cc0805ebbac42ee05b4e046014040a426580bc36
SHA256 520ff5c9f793f5d7abe6bb80c6420dcb797cc25bd3b73e8e82105f9f89b02335
SSDeep 49152:nILLyvOacuT9fbDxw6++uxp+NqiurJoP6rZ0B1qxtVujoiJ67XoifXUGOOnx:nxzfaJ+uxp+8rZ9t8JQfEQx
ImpHash 0ae9e38912ff6bd742a1b9e5c003576a
File Reputation Information
Verdict Suspicious
Names App/Generic-MM
Classification PUA
PE Information
Image Base 0x00400000
Entry Point 0x00420790
Size Of Code 0x00032E00
Size Of Initialized Data 0x00040000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-08-01 09:26 (UTC)
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00032DCC 0x00032E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.71
.rdata 0x00434000 0x0000B1D0 0x0000B200 0x00033200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.27
.data 0x00440000 0x00024750 0x00001200 0x0003E400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.08
.didat 0x00465000 0x000001A4 0x00000200 0x0003F600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.52
.rsrc 0x00466000 0x0000DFF8 0x0000E000 0x0003F800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.64
.reloc 0x00474000 0x000023DC 0x00002400 0x0004D800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.67
Imports (3)
KERNEL32.dll (143)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetLastError - 0x00434000 0x0003E404 0x0003D604 0x00000202
SetLastError - 0x00434004 0x0003E408 0x0003D608 0x00000473
FormatMessageW - 0x00434008 0x0003E40C 0x0003D60C 0x0000015E
GetCurrentProcess - 0x0043400C 0x0003E410 0x0003D610 0x000001C0
DeviceIoControl - 0x00434010 0x0003E414 0x0003D614 0x000000DD
SetFileTime - 0x00434014 0x0003E418 0x0003D618 0x0000046A
CloseHandle - 0x00434018 0x0003E41C 0x0003D61C 0x00000052
CreateDirectoryW - 0x0043401C 0x0003E420 0x0003D620 0x00000081
RemoveDirectoryW - 0x00434020 0x0003E424 0x0003D624 0x00000403
CreateFileW - 0x00434024 0x0003E428 0x0003D628 0x0000008F
DeleteFileW - 0x00434028 0x0003E42C 0x0003D62C 0x000000D6
CreateHardLinkW - 0x0043402C 0x0003E430 0x0003D630 0x00000093
GetShortPathNameW - 0x00434030 0x0003E434 0x0003D634 0x00000261
GetLongPathNameW - 0x00434034 0x0003E438 0x0003D638 0x0000020F
MoveFileW - 0x00434038 0x0003E43C 0x0003D63C 0x00000363
GetFileType - 0x0043403C 0x0003E440 0x0003D640 0x000001F3
GetStdHandle - 0x00434040 0x0003E444 0x0003D644 0x00000264
WriteFile - 0x00434044 0x0003E448 0x0003D648 0x00000525
ReadFile - 0x00434048 0x0003E44C 0x0003D64C 0x000003C0
FlushFileBuffers - 0x0043404C 0x0003E450 0x0003D650 0x00000157
SetEndOfFile - 0x00434050 0x0003E454 0x0003D654 0x00000453
SetFilePointer - 0x00434054 0x0003E458 0x0003D658 0x00000466
GetCurrentProcessId - 0x00434058 0x0003E45C 0x0003D65C 0x000001C1
SetFileAttributesW - 0x0043405C 0x0003E460 0x0003D660 0x00000461
GetFileAttributesW - 0x00434060 0x0003E464 0x0003D664 0x000001EA
FindClose - 0x00434064 0x0003E468 0x0003D668 0x0000012E
FindFirstFileW - 0x00434068 0x0003E46C 0x0003D66C 0x00000139
FindNextFileW - 0x0043406C 0x0003E470 0x0003D670 0x00000145
InterlockedDecrement - 0x00434070 0x0003E474 0x0003D674 0x000002EB
GetVersionExW - 0x00434074 0x0003E478 0x0003D678 0x000002A4
GetCurrentDirectoryW - 0x00434078 0x0003E47C 0x0003D67C 0x000001BF
GetFullPathNameW - 0x0043407C 0x0003E480 0x0003D680 0x000001FB
FoldStringW - 0x00434080 0x0003E484 0x0003D684 0x0000015C
GetModuleFileNameW - 0x00434084 0x0003E488 0x0003D688 0x00000214
GetModuleHandleW - 0x00434088 0x0003E48C 0x0003D68C 0x00000218
FindResourceW - 0x0043408C 0x0003E490 0x0003D690 0x0000014E
FreeLibrary - 0x00434090 0x0003E494 0x0003D694 0x00000162
GetProcAddress - 0x00434094 0x0003E498 0x0003D698 0x00000245
ExitProcess - 0x00434098 0x0003E49C 0x0003D69C 0x00000119
SetThreadExecutionState - 0x0043409C 0x0003E4A0 0x0003D6A0 0x00000493
Sleep - 0x004340A0 0x0003E4A4 0x0003D6A4 0x000004B2
LoadLibraryW - 0x004340A4 0x0003E4A8 0x0003D6A8 0x0000033F
GetSystemDirectoryW - 0x004340A8 0x0003E4AC 0x0003D6AC 0x00000270
CompareStringW - 0x004340AC 0x0003E4B0 0x0003D6B0 0x00000064
AllocConsole - 0x004340B0 0x0003E4B4 0x0003D6B4 0x00000010
FreeConsole - 0x004340B4 0x0003E4B8 0x0003D6B8 0x0000015F
AttachConsole - 0x004340B8 0x0003E4BC 0x0003D6BC 0x00000017
WriteConsoleW - 0x004340BC 0x0003E4C0 0x0003D6C0 0x00000524
GetProcessAffinityMask - 0x004340C0 0x0003E4C4 0x0003D6C4 0x00000246
CreateThread - 0x004340C4 0x0003E4C8 0x0003D6C8 0x000000B5
SetThreadPriority - 0x004340C8 0x0003E4CC 0x0003D6CC 0x00000499
InitializeCriticalSection - 0x004340CC 0x0003E4D0 0x0003D6D0 0x000002E2
EnterCriticalSection - 0x004340D0 0x0003E4D4 0x0003D6D4 0x000000EE
LeaveCriticalSection - 0x004340D4 0x0003E4D8 0x0003D6D8 0x00000339
DeleteCriticalSection - 0x004340D8 0x0003E4DC 0x0003D6DC 0x000000D1
SetEvent - 0x004340DC 0x0003E4E0 0x0003D6E0 0x00000459
ResetEvent - 0x004340E0 0x0003E4E4 0x0003D6E4 0x0000040F
ReleaseSemaphore - 0x004340E4 0x0003E4E8 0x0003D6E8 0x000003FE
WaitForSingleObject - 0x004340E8 0x0003E4EC 0x0003D6EC 0x000004F9
CreateEventW - 0x004340EC 0x0003E4F0 0x0003D6F0 0x00000085
CreateSemaphoreW - 0x004340F0 0x0003E4F4 0x0003D6F4 0x000000AE
GetSystemTime - 0x004340F4 0x0003E4F8 0x0003D6F8 0x00000277
SystemTimeToTzSpecificLocalTime - 0x004340F8 0x0003E4FC 0x0003D6FC 0x000004BE
TzSpecificLocalTimeToSystemTime - 0x004340FC 0x0003E500 0x0003D700 0x000004D0
SystemTimeToFileTime - 0x00434100 0x0003E504 0x0003D704 0x000004BD
FileTimeToLocalFileTime - 0x00434104 0x0003E508 0x0003D708 0x00000124
LocalFileTimeToFileTime - 0x00434108 0x0003E50C 0x0003D70C 0x00000346
FileTimeToSystemTime - 0x0043410C 0x0003E510 0x0003D710 0x00000125
GetCPInfo - 0x00434110 0x0003E514 0x0003D714 0x00000172
IsDBCSLeadByte - 0x00434114 0x0003E518 0x0003D718 0x000002FE
MultiByteToWideChar - 0x00434118 0x0003E51C 0x0003D71C 0x00000367
WideCharToMultiByte - 0x0043411C 0x0003E520 0x0003D720 0x00000511
GlobalAlloc - 0x00434120 0x0003E524 0x0003D724 0x000002B3
LockResource - 0x00434124 0x0003E528 0x0003D728 0x00000354
GlobalLock - 0x00434128 0x0003E52C 0x0003D72C 0x000002BE
GlobalUnlock - 0x0043412C 0x0003E530 0x0003D730 0x000002C5
GlobalFree - 0x00434130 0x0003E534 0x0003D734 0x000002BA
LoadResource - 0x00434134 0x0003E538 0x0003D738 0x00000341
SizeofResource - 0x00434138 0x0003E53C 0x0003D73C 0x000004B1
SetCurrentDirectoryW - 0x0043413C 0x0003E540 0x0003D740 0x0000044D
GetTimeFormatW - 0x00434140 0x0003E544 0x0003D744 0x00000297
GetDateFormatW - 0x00434144 0x0003E548 0x0003D748 0x000001C8
LocalFree - 0x00434148 0x0003E54C 0x0003D74C 0x00000348
GetExitCodeProcess - 0x0043414C 0x0003E550 0x0003D750 0x000001DF
GetLocalTime - 0x00434150 0x0003E554 0x0003D754 0x00000203
GetTickCount - 0x00434154 0x0003E558 0x0003D758 0x00000293
MapViewOfFile - 0x00434158 0x0003E55C 0x0003D75C 0x00000357
UnmapViewOfFile - 0x0043415C 0x0003E560 0x0003D760 0x000004D6
CreateFileMappingW - 0x00434160 0x0003E564 0x0003D764 0x0000008C
OpenFileMappingW - 0x00434164 0x0003E568 0x0003D768 0x00000379
GetCommandLineW - 0x00434168 0x0003E56C 0x0003D76C 0x00000187
SetEnvironmentVariableW - 0x0043416C 0x0003E570 0x0003D770 0x00000457
ExpandEnvironmentStringsW - 0x00434170 0x0003E574 0x0003D774 0x0000011D
GetTempPathW - 0x00434174 0x0003E578 0x0003D778 0x00000285
MoveFileExW - 0x00434178 0x0003E57C 0x0003D77C 0x00000360
GetLocaleInfoW - 0x0043417C 0x0003E580 0x0003D780 0x00000206
GetNumberFormatW - 0x00434180 0x0003E584 0x0003D784 0x00000233
DecodePointer - 0x00434184 0x0003E588 0x0003D788 0x000000CA
SetFilePointerEx - 0x00434188 0x0003E58C 0x0003D78C 0x00000467
GetConsoleMode - 0x0043418C 0x0003E590 0x0003D790 0x000001AC
GetConsoleCP - 0x00434190 0x0003E594 0x0003D794 0x0000019A
HeapSize - 0x00434194 0x0003E598 0x0003D798 0x000002D4
SetStdHandle - 0x00434198 0x0003E59C 0x0003D79C 0x00000487
GetProcessHeap - 0x0043419C 0x0003E5A0 0x0003D7A0 0x0000024A
FreeEnvironmentStringsW - 0x004341A0 0x0003E5A4 0x0003D7A4 0x00000161
GetEnvironmentStringsW - 0x004341A4 0x0003E5A8 0x0003D7A8 0x000001DA
GetCommandLineA - 0x004341A8 0x0003E5AC 0x0003D7AC 0x00000186
GetOEMCP - 0x004341AC 0x0003E5B0 0x0003D7B0 0x00000237
RaiseException - 0x004341B0 0x0003E5B4 0x0003D7B4 0x000003B1
GetSystemInfo - 0x004341B4 0x0003E5B8 0x0003D7B8 0x00000273
VirtualProtect - 0x004341B8 0x0003E5BC 0x0003D7BC 0x000004EF
VirtualQuery - 0x004341BC 0x0003E5C0 0x0003D7C0 0x000004F1
LoadLibraryExA - 0x004341C0 0x0003E5C4 0x0003D7C4 0x0000033D
IsProcessorFeaturePresent - 0x004341C4 0x0003E5C8 0x0003D7C8 0x00000304
IsDebuggerPresent - 0x004341C8 0x0003E5CC 0x0003D7CC 0x00000300
UnhandledExceptionFilter - 0x004341CC 0x0003E5D0 0x0003D7D0 0x000004D3
SetUnhandledExceptionFilter - 0x004341D0 0x0003E5D4 0x0003D7D4 0x000004A5
GetStartupInfoW - 0x004341D4 0x0003E5D8 0x0003D7D8 0x00000263
QueryPerformanceCounter - 0x004341D8 0x0003E5DC 0x0003D7DC 0x000003A7
GetCurrentThreadId - 0x004341DC 0x0003E5E0 0x0003D7E0 0x000001C5
GetSystemTimeAsFileTime - 0x004341E0 0x0003E5E4 0x0003D7E4 0x00000279
InitializeSListHead - 0x004341E4 0x0003E5E8 0x0003D7E8 0x000002E7
TerminateProcess - 0x004341E8 0x0003E5EC 0x0003D7EC 0x000004C0
RtlUnwind - 0x004341EC 0x0003E5F0 0x0003D7F0 0x00000418
EncodePointer - 0x004341F0 0x0003E5F4 0x0003D7F4 0x000000EA
InitializeCriticalSectionAndSpinCount - 0x004341F4 0x0003E5F8 0x0003D7F8 0x000002E3
TlsAlloc - 0x004341F8 0x0003E5FC 0x0003D7FC 0x000004C5
TlsGetValue - 0x004341FC 0x0003E600 0x0003D800 0x000004C7
TlsSetValue - 0x00434200 0x0003E604 0x0003D804 0x000004C8
TlsFree - 0x00434204 0x0003E608 0x0003D808 0x000004C6
LoadLibraryExW - 0x00434208 0x0003E60C 0x0003D80C 0x0000033E
QueryPerformanceFrequency - 0x0043420C 0x0003E610 0x0003D810 0x000003A8
GetModuleHandleExW - 0x00434210 0x0003E614 0x0003D814 0x00000217
GetModuleFileNameA - 0x00434214 0x0003E618 0x0003D818 0x00000213
GetACP - 0x00434218 0x0003E61C 0x0003D81C 0x00000168
HeapFree - 0x0043421C 0x0003E620 0x0003D820 0x000002CF
HeapReAlloc - 0x00434220 0x0003E624 0x0003D824 0x000002D2
HeapAlloc - 0x00434224 0x0003E628 0x0003D828 0x000002CB
GetStringTypeW - 0x00434228 0x0003E62C 0x0003D82C 0x00000269
LCMapStringW - 0x0043422C 0x0003E630 0x0003D830 0x0000032D
FindFirstFileExA - 0x00434230 0x0003E634 0x0003D834 0x00000133
FindNextFileA - 0x00434234 0x0003E638 0x0003D838 0x00000143
IsValidCodePage - 0x00434238 0x0003E63C 0x0003D83C 0x0000030A
OLEAUT32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysAllocString 0x00000002 0x00434240 0x0003E644 0x0003D844 -
SysFreeString 0x00000006 0x00434244 0x0003E648 0x0003D848 -
VariantClear 0x00000009 0x00434248 0x0003E64C 0x0003D84C -
gdiplus.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GdipAlloc - 0x00434250 0x0003E654 0x0003D854 0x00000021
GdipDisposeImage - 0x00434254 0x0003E658 0x0003D858 0x00000098
GdipCloneImage - 0x00434258 0x0003E65C 0x0003D85C 0x00000036
GdipCreateBitmapFromStream - 0x0043425C 0x0003E660 0x0003D860 0x00000051
GdipCreateBitmapFromStreamICM - 0x00434260 0x0003E664 0x0003D864 0x00000052
GdipCreateHBITMAPFromBitmap - 0x00434264 0x0003E668 0x0003D868 0x0000005F
GdiplusStartup - 0x00434268 0x0003E66C 0x0003D86C 0x00000275
GdiplusShutdown - 0x0043426C 0x0003E670 0x0003D870 0x00000274
GdipFree - 0x00434270 0x0003E674 0x0003D874 0x000000ED
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
okla.exe 1 0x001A0000 0x00216FFF Relevant Image False 32-bit 0x001C3BEE False
okla.exe 1 0x001A0000 0x00216FFF Process Termination False 32-bit - False
\\?\C:\Users\OqXZRaykm\Desktop\xmrig.exe Dropped File Binary Malicious
Also Known As C:\Users\OqXZRaykm\Desktop\xmrig.exe (Accessed File)
xmrig.exe (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 6.06 MB
MD5 5fba8ae226b096da3b31de0e17496735
SHA1 d532a01254cf9e0229d3c5803b78ff7c9b0cb8d3
SHA256 ca28f4aeaa5e16d216cd828b67454a56f3c7feeb242412d26ed914fadff20d40
SSDeep 98304:iONmXliGgyduIy7bWynX75rfdRZqOXmvFubCY9yxl5TtX8Ao0Ezae6B:GXlivZqOXmtubmxl5ppvEzT6
ImpHash 12806e48b853545b536463546db4baa1
File Reputation Information
Verdict Suspicious
Classification PUA
PE Information
Image Base 0x140000000
Entry Point 0x1403E01A4
Size Of Code 0x0041A600
Size Of Initialized Data 0x00496600
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 2024-08-11 18:16 (UTC)
Version Information (7)
CompanyName www.xmrig.com
FileDescription XMRig miner
FileVersion 6.22.0
LegalCopyright Copyright (C) 2016-2024 xmrig.com
OriginalFilename xmrig.exe
ProductName XMRig
ProductVersion 6.22.0
Sections (10)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140001000 0x0041A478 0x0041A600 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.52
.rdata 0x14041C000 0x001A6E22 0x001A7000 0x0041AA00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.17
.data 0x1405C3000 0x002AF4D4 0x00010200 0x005C1A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.02
.pdata 0x140873000 0x0002A528 0x0002A600 0x005D1C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.32
_RANDOMX 0x14089E000 0x00000C56 0x00000E00 0x005FC200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.68
_TEXT_CN 0x14089F000 0x000026D1 0x00002800 0x005FD000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.08
_TEXT_CN 0x1408A2000 0x00001184 0x00001200 0x005FF800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.05
_RDATA 0x1408A4000 0x000000F4 0x00000200 0x00600A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
.rsrc 0x1408A5000 0x000059C8 0x00005A00 0x00600C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.43
.reloc 0x1408AB000 0x0000B5A0 0x0000B600 0x00606600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.46
Imports (10)
WS2_32.dll (36)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WSASetLastError 0x00000070 0x14041C908 0x005C1528 0x005BFF28 -
send 0x00000013 0x14041C910 0x005C1530 0x005BFF30 -
recv 0x00000010 0x14041C918 0x005C1538 0x005BFF38 -
ntohs 0x0000000F 0x14041C920 0x005C1540 0x005BFF40 -
htons 0x00000009 0x14041C928 0x005C1548 0x005BFF48 -
htonl 0x00000008 0x14041C930 0x005C1550 0x005BFF50 -
inet_addr 0x0000000B 0x14041C938 0x005C1558 0x005BFF58 -
inet_ntoa 0x0000000C 0x14041C940 0x005C1560 0x005BFF60 -
gethostbyaddr 0x00000033 0x14041C948 0x005C1568 0x005BFF68 -
WSAGetLastError 0x0000006F 0x14041C950 0x005C1570 0x005BFF70 -
WSAIoctl - 0x14041C958 0x005C1578 0x005BFF78 0x0000003B
gethostbyname 0x00000034 0x14041C960 0x005C1580 0x005BFF80 -
WSARecvFrom - 0x14041C968 0x005C1588 0x005BFF88 0x0000004B
WSASocketW - 0x14041C970 0x005C1590 0x005BFF90 0x00000058
WSASend - 0x14041C978 0x005C1598 0x005BFF98 0x0000004E
WSARecv - 0x14041C980 0x005C15A0 0x005BFFA0 0x00000049
gethostname 0x00000039 0x14041C988 0x005C15A8 0x005BFFA8 -
WSADuplicateSocketW - 0x14041C990 0x005C15B0 0x005BFFB0 0x00000027
getpeername 0x00000005 0x14041C998 0x005C15B8 0x005BFFB8 -
FreeAddrInfoW - 0x14041C9A0 0x005C15C0 0x005BFFC0 0x00000002
GetAddrInfoW - 0x14041C9A8 0x005C15C8 0x005BFFC8 0x00000007
shutdown 0x00000016 0x14041C9B0 0x005C15D0 0x005BFFD0 -
socket 0x00000017 0x14041C9B8 0x005C15D8 0x005BFFD8 -
setsockopt 0x00000015 0x14041C9C0 0x005C15E0 0x005BFFE0 -
listen 0x0000000D 0x14041C9C8 0x005C15E8 0x005BFFE8 -
connect 0x00000004 0x14041C9D0 0x005C15F0 0x005BFFF0 -
closesocket 0x00000003 0x14041C9D8 0x005C15F8 0x005BFFF8 -
bind 0x00000002 0x14041C9E0 0x005C1600 0x005C0000 -
WSACleanup 0x00000074 0x14041C9E8 0x005C1608 0x005C0008 -
WSAStartup 0x00000073 0x14041C9F0 0x005C1610 0x005C0010 -
select 0x00000012 0x14041C9F8 0x005C1618 0x005C0018 -
getsockopt 0x00000007 0x14041CA00 0x005C1620 0x005C0020 -
getsockname 0x00000006 0x14041CA08 0x005C1628 0x005C0028 -
ioctlsocket 0x0000000A 0x14041CA10 0x005C1630 0x005C0030 -
getservbyname 0x00000037 0x14041CA18 0x005C1638 0x005C0038 -
getservbyport 0x00000038 0x14041CA20 0x005C1640 0x005C0040 -
IPHLPAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetAdaptersAddresses - 0x14041C150 0x005C0D70 0x005BF770 0x00000043
USERENV.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetUserProfileDirectoryW - 0x14041C8F8 0x005C1518 0x005BFF18 0x00000026
CRYPT32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertFreeCertificateContext - 0x14041C110 0x005C0D30 0x005BF730 0x00000040
CertFindCertificateInStore - 0x14041C118 0x005C0D38 0x005BF738 0x00000035
CertEnumCertificatesInStore - 0x14041C120 0x005C0D40 0x005BF740 0x0000002C
CertCloseStore - 0x14041C128 0x005C0D48 0x005BF748 0x00000012
CertOpenStore - 0x14041C130 0x005C0D50 0x005BF750 0x00000059
CertGetCertificateContextProperty - 0x14041C138 0x005C0D58 0x005BF758 0x00000046
CertDuplicateCertificateContext - 0x14041C140 0x005C0D60 0x005BF760 0x00000025
KERNEL32.dll (229)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetStringTypeW - 0x14041C160 0x005C0D80 0x005BF780 0x000002F8
InitializeCriticalSectionAndSpinCount - 0x14041C168 0x005C0D88 0x005BF788 0x00000386
WriteConsoleW - 0x14041C170 0x005C0D90 0x005BF790 0x0000064A
SetConsoleTitleA - 0x14041C178 0x005C0D98 0x005BF798 0x00000535
GetStdHandle - 0x14041C180 0x005C0DA0 0x005BF7A0 0x000002F3
SetConsoleMode - 0x14041C188 0x005C0DA8 0x005BF7A8 0x0000052B
GetConsoleMode - 0x14041C190 0x005C0DB0 0x005BF7B0 0x00000216
QueryPerformanceFrequency - 0x14041C198 0x005C0DB8 0x005BF7B8 0x00000471
QueryPerformanceCounter - 0x14041C1A0 0x005C0DC0 0x005BF7C0 0x00000470
SizeofResource - 0x14041C1A8 0x005C0DC8 0x005BF7C8 0x000005B3
LockResource - 0x14041C1B0 0x005C0DD0 0x005BF7D0 0x000003FE
LoadResource - 0x14041C1B8 0x005C0DD8 0x005BF7D8 0x000003EA
FindResourceW - 0x14041C1C0 0x005C0DE0 0x005BF7E0 0x000001B0
ExpandEnvironmentStringsA - 0x14041C1C8 0x005C0DE8 0x005BF7E8 0x0000017B
GetConsoleWindow - 0x14041C1D0 0x005C0DF0 0x005BF7F0 0x00000221
GetSystemFirmwareTable - 0x14041C1D8 0x005C0DF8 0x005BF7F8 0x00000303
HeapFree - 0x14041C1E0 0x005C0E00 0x005BF800 0x00000370
HeapAlloc - 0x14041C1E8 0x005C0E08 0x005BF808 0x0000036C
GetProcessHeap - 0x14041C1F0 0x005C0E10 0x005BF810 0x000002D4
MultiByteToWideChar - 0x14041C1F8 0x005C0E18 0x005BF818 0x00000412
SetPriorityClass - 0x14041C200 0x005C0E20 0x005BF820 0x0000056E
GetCurrentProcess - 0x14041C208 0x005C0E28 0x005BF828 0x00000232
SetThreadPriority - 0x14041C210 0x005C0E30 0x005BF830 0x00000593
GetSystemPowerStatus - 0x14041C218 0x005C0E38 0x005BF838 0x00000305
GetCurrentThread - 0x14041C220 0x005C0E40 0x005BF840 0x00000236
GetProcAddress - 0x14041C228 0x005C0E48 0x005BF848 0x000002CD
GetModuleHandleW - 0x14041C230 0x005C0E50 0x005BF850 0x00000295
GetTickCount - 0x14041C238 0x005C0E58 0x005BF858 0x0000032C
CloseHandle - 0x14041C240 0x005C0E60 0x005BF860 0x00000094
FreeConsole - 0x14041C248 0x005C0E68 0x005BF868 0x000001C2
VirtualProtect - 0x14041C250 0x005C0E70 0x005BF870 0x00000605
VirtualFree - 0x14041C258 0x005C0E78 0x005BF878 0x00000602
VirtualAlloc - 0x14041C260 0x005C0E80 0x005BF880 0x000005FF
GetLargePageMinimum - 0x14041C268 0x005C0E88 0x005BF888 0x0000027B
LocalAlloc - 0x14041C270 0x005C0E90 0x005BF890 0x000003ED
GetLastError - 0x14041C278 0x005C0E98 0x005BF898 0x0000027D
LocalFree - 0x14041C280 0x005C0EA0 0x005BF8A0 0x000003F2
FlushInstructionCache - 0x14041C288 0x005C0EA8 0x005BF8A8 0x000001BA
GetCurrentThreadId - 0x14041C290 0x005C0EB0 0x005BF8B0 0x00000237
AddVectoredExceptionHandler - 0x14041C298 0x005C0EB8 0x005BF8B8 0x00000014
DeviceIoControl - 0x14041C2A0 0x005C0EC0 0x005BF8C0 0x00000133
GetModuleFileNameW - 0x14041C2A8 0x005C0EC8 0x005BF8C8 0x00000291
CreateFileW - 0x14041C2B0 0x005C0ED0 0x005BF8D0 0x000000DA
SetLastError - 0x14041C2B8 0x005C0ED8 0x005BF8D8 0x00000564
GetSystemTime - 0x14041C2C0 0x005C0EE0 0x005BF8E0 0x00000308
SystemTimeToFileTime - 0x14041C2C8 0x005C0EE8 0x005BF8E8 0x000005C0
GetModuleHandleExW - 0x14041C2D0 0x005C0EF0 0x005BF8F0 0x00000294
Sleep - 0x14041C2D8 0x005C0EF8 0x005BF8F8 0x000005B4
InitializeSRWLock - 0x14041C2E0 0x005C0F00 0x005BF900 0x0000038B
ReleaseSRWLockExclusive - 0x14041C2E8 0x005C0F08 0x005BF908 0x000004D8
ReleaseSRWLockShared - 0x14041C2F0 0x005C0F10 0x005BF910 0x000004D9
AcquireSRWLockExclusive - 0x14041C2F8 0x005C0F18 0x005BF918 0x00000000
AcquireSRWLockShared - 0x14041C300 0x005C0F20 0x005BF920 0x00000001
TlsAlloc - 0x14041C308 0x005C0F28 0x005BF928 0x000005D6
TlsGetValue - 0x14041C310 0x005C0F30 0x005BF930 0x000005D8
TlsSetValue - 0x14041C318 0x005C0F38 0x005BF938 0x000005D9
TlsFree - 0x14041C320 0x005C0F40 0x005BF940 0x000005D7
GetSystemInfo - 0x14041C328 0x005C0F48 0x005BF948 0x00000304
SwitchToFiber - 0x14041C330 0x005C0F50 0x005BF950 0x000005BE
DeleteFiber - 0x14041C338 0x005C0F58 0x005BF958 0x00000124
CreateFiberEx - 0x14041C340 0x005C0F60 0x005BF960 0x000000D0
FindClose - 0x14041C348 0x005C0F68 0x005BF968 0x0000018F
FindFirstFileW - 0x14041C350 0x005C0F70 0x005BF970 0x0000019A
FindNextFileW - 0x14041C358 0x005C0F78 0x005BF978 0x000001A6
WideCharToMultiByte - 0x14041C360 0x005C0F80 0x005BF980 0x00000637
GetSystemDirectoryA - 0x14041C368 0x005C0F88 0x005BF988 0x00000300
FreeLibrary - 0x14041C370 0x005C0F90 0x005BF990 0x000001C5
LoadLibraryA - 0x14041C378 0x005C0F98 0x005BF998 0x000003E4
FormatMessageA - 0x14041C380 0x005C0FA0 0x005BF9A0 0x000001C0
GetFileType - 0x14041C388 0x005C0FA8 0x005BF9A8 0x0000026A
WriteFile - 0x14041C390 0x005C0FB0 0x005BF9B0 0x0000064B
GetEnvironmentVariableW - 0x14041C398 0x005C0FB8 0x005BF9B8 0x00000255
GetACP - 0x14041C3A0 0x005C0FC0 0x005BF9C0 0x000001CC
ConvertFiberToThread - 0x14041C3A8 0x005C0FC8 0x005BF9C8 0x000000B0
ConvertThreadToFiberEx - 0x14041C3B0 0x005C0FD0 0x005BF9D0 0x000000B4
GetCurrentProcessId - 0x14041C3B8 0x005C0FD8 0x005BF9D8 0x00000233
GetSystemTimeAsFileTime - 0x14041C3C0 0x005C0FE0 0x005BF9E0 0x0000030A
LoadLibraryW - 0x14041C3C8 0x005C0FE8 0x005BF9E8 0x000003E7
ReadConsoleA - 0x14041C3D0 0x005C0FF0 0x005BF9F0 0x0000048B
ReadConsoleW - 0x14041C3D8 0x005C0FF8 0x005BF9F8 0x00000495
PostQueuedCompletionStatus - 0x14041C3E0 0x005C1000 0x005BFA00 0x00000445
CreateFileA - 0x14041C3E8 0x005C1008 0x005BFA08 0x000000D2
DuplicateHandle - 0x14041C3F0 0x005C1010 0x005BFA10 0x00000141
SetEvent - 0x14041C3F8 0x005C1018 0x005BFA18 0x00000548
ResetEvent - 0x14041C400 0x005C1020 0x005BFA20 0x000004EC
WaitForSingleObject - 0x14041C408 0x005C1028 0x005BFA28 0x00000610
CreateEventA - 0x14041C410 0x005C1030 0x005BFA30 0x000000CB
QueueUserWorkItem - 0x14041C418 0x005C1038 0x005BFA38 0x0000047C
RegisterWaitForSingleObject - 0x14041C420 0x005C1040 0x005BFA40 0x000004CE
UnregisterWait - 0x14041C428 0x005C1048 0x005BFA48 0x000005EF
GetNumberOfConsoleInputEvents - 0x14041C430 0x005C1050 0x005BFA50 0x000002B4
ReadConsoleInputW - 0x14041C438 0x005C1058 0x005BFA58 0x0000048F
FillConsoleOutputCharacterW - 0x14041C440 0x005C1060 0x005BFA60 0x00000187
FillConsoleOutputAttribute - 0x14041C448 0x005C1068 0x005BFA68 0x00000185
GetConsoleCursorInfo - 0x14041C450 0x005C1070 0x005BFA70 0x0000020A
SetConsoleCursorInfo - 0x14041C458 0x005C1078 0x005BFA78 0x0000051D
GetConsoleScreenBufferInfo - 0x14041C460 0x005C1080 0x005BFA80 0x0000021C
SetConsoleCursorPosition - 0x14041C468 0x005C1088 0x005BFA88 0x0000051F
SetConsoleTextAttribute - 0x14041C470 0x005C1090 0x005BFA90 0x00000534
WriteConsoleInputW - 0x14041C478 0x005C1098 0x005BFA98 0x00000644
CreateDirectoryW - 0x14041C480 0x005C10A0 0x005BFAA0 0x000000C9
FlushFileBuffers - 0x14041C488 0x005C10A8 0x005BFAA8 0x000001B9
GetDiskFreeSpaceW - 0x14041C490 0x005C10B0 0x005BFAB0 0x00000245
GetFileAttributesW - 0x14041C498 0x005C10B8 0x005BFAB8 0x00000261
GetFileInformationByHandle - 0x14041C4A0 0x005C10C0 0x005BFAC0 0x00000263
CreateEventW - 0x14041C4A8 0x005C10C8 0x005BFAC8 0x000000CE
RtlCaptureContext - 0x14041C4B0 0x005C10D0 0x005BFAD0 0x000004F5
GetFullPathNameW - 0x14041C4B8 0x005C10D8 0x005BFAD8 0x00000275
ReadFile - 0x14041C4C0 0x005C10E0 0x005BFAE0 0x00000498
RemoveDirectoryW - 0x14041C4C8 0x005C10E8 0x005BFAE8 0x000004DF
SetFilePointerEx - 0x14041C4D0 0x005C10F0 0x005BFAF0 0x00000555
SetFileTime - 0x14041C4D8 0x005C10F8 0x005BFAF8 0x00000558
MapViewOfFile - 0x14041C4E0 0x005C1100 0x005BFB00 0x00000401
FlushViewOfFile - 0x14041C4E8 0x005C1108 0x005BFB08 0x000001BC
UnmapViewOfFile - 0x14041C4F0 0x005C1110 0x005BFB10 0x000005E9
CreateFileMappingA - 0x14041C4F8 0x005C1118 0x005BFB18 0x000000D3
ReOpenFile - 0x14041C500 0x005C1120 0x005BFB20 0x0000048A
CopyFileW - 0x14041C508 0x005C1128 0x005BFB28 0x000000BC
MoveFileExW - 0x14041C510 0x005C1130 0x005BFB30 0x0000040B
CreateHardLinkW - 0x14041C518 0x005C1138 0x005BFB38 0x000000DE
GetFileInformationByHandleEx - 0x14041C520 0x005C1140 0x005BFB40 0x00000264
CreateSymbolicLinkW - 0x14041C528 0x005C1148 0x005BFB48 0x00000101
InitializeCriticalSection - 0x14041C530 0x005C1150 0x005BFB50 0x00000385
EnterCriticalSection - 0x14041C538 0x005C1158 0x005BFB58 0x00000149
LeaveCriticalSection - 0x14041C540 0x005C1160 0x005BFB60 0x000003E0
TryEnterCriticalSection - 0x14041C548 0x005C1168 0x005BFB68 0x000005DF
DeleteCriticalSection - 0x14041C550 0x005C1170 0x005BFB70 0x00000123
InitializeConditionVariable - 0x14041C558 0x005C1178 0x005BFB78 0x00000382
WakeConditionVariable - 0x14041C560 0x005C1180 0x005BFB80 0x00000619
WakeAllConditionVariable - 0x14041C568 0x005C1188 0x005BFB88 0x00000618
SleepConditionVariableCS - 0x14041C570 0x005C1190 0x005BFB90 0x000005B5
ReleaseSemaphore - 0x14041C578 0x005C1198 0x005BFB98 0x000004DA
ResumeThread - 0x14041C580 0x005C11A0 0x005BFBA0 0x000004F3
GetNativeSystemInfo - 0x14041C588 0x005C11A8 0x005BFBA8 0x000002A2
GetProcessAffinityMask - 0x14041C590 0x005C11B0 0x005BFBB0 0x000002CE
SetThreadAffinityMask - 0x14041C598 0x005C11B8 0x005BFBB8 0x00000588
CreateSemaphoreA - 0x14041C5A0 0x005C11C0 0x005BFBC0 0x000000FA
SetConsoleCtrlHandler - 0x14041C5A8 0x005C11C8 0x005BFBC8 0x0000051B
GetCurrentDirectoryW - 0x14041C5B0 0x005C11D0 0x005BFBD0 0x0000022B
GetLongPathNameW - 0x14041C5B8 0x005C11D8 0x005BFBD8 0x0000028A
RtlUnwind - 0x14041C5C0 0x005C11E0 0x005BFBE0 0x00000502
CreateIoCompletionPort - 0x14041C5C8 0x005C11E8 0x005BFBE8 0x000000DF
ReadDirectoryChangesW - 0x14041C5D0 0x005C11F0 0x005BFBF0 0x00000497
GetEnvironmentStringsW - 0x14041C5D8 0x005C11F8 0x005BFBF8 0x00000253
FreeEnvironmentStringsW - 0x14041C5E0 0x005C1200 0x005BFC00 0x000001C4
SetEnvironmentVariableW - 0x14041C5E8 0x005C1208 0x005BFC08 0x00000546
SetCurrentDirectoryW - 0x14041C5F0 0x005C1210 0x005BFC10 0x0000053B
GetTempPathW - 0x14041C5F8 0x005C1218 0x005BFC18 0x00000319
GlobalMemoryStatusEx - 0x14041C600 0x005C1220 0x005BFC20 0x00000361
FileTimeToSystemTime - 0x14041C608 0x005C1228 0x005BFC28 0x00000184
K32GetProcessMemoryInfo - 0x14041C610 0x005C1230 0x005BFC30 0x000003CB
SetHandleInformation - 0x14041C618 0x005C1238 0x005BFC38 0x0000055F
CancelIoEx - 0x14041C620 0x005C1240 0x005BFC40 0x00000080
CancelIo - 0x14041C628 0x005C1248 0x005BFC48 0x0000007F
SwitchToThread - 0x14041C630 0x005C1250 0x005BFC50 0x000005BF
SetFileCompletionNotificationModes - 0x14041C638 0x005C1258 0x005BFC58 0x00000551
LoadLibraryExW - 0x14041C640 0x005C1260 0x005BFC60 0x000003E6
SetErrorMode - 0x14041C648 0x005C1268 0x005BFC68 0x00000547
GetQueuedCompletionStatus - 0x14041C650 0x005C1270 0x005BFC70 0x000002EB
ConnectNamedPipe - 0x14041C658 0x005C1278 0x005BFC78 0x000000AB
SetNamedPipeHandleState - 0x14041C660 0x005C1280 0x005BFC80 0x0000056D
PeekNamedPipe - 0x14041C668 0x005C1288 0x005BFC88 0x00000443
CreateNamedPipeW - 0x14041C670 0x005C1290 0x005BFC90 0x000000EC
CancelSynchronousIo - 0x14041C678 0x005C1298 0x005BFC98 0x00000081
GetNamedPipeHandleStateA - 0x14041C680 0x005C12A0 0x005BFCA0 0x0000029D
GetNamedPipeClientProcessId - 0x14041C688 0x005C12A8 0x005BFCA8 0x0000029B
GetNamedPipeServerProcessId - 0x14041C690 0x005C12B0 0x005BFCB0 0x000002A0
TerminateProcess - 0x14041C698 0x005C12B8 0x005BFCB8 0x000005C4
GetExitCodeProcess - 0x14041C6A0 0x005C12C0 0x005BFCC0 0x00000258
UnregisterWaitEx - 0x14041C6A8 0x005C12C8 0x005BFCC8 0x000005F0
LCMapStringW - 0x14041C6B0 0x005C12D0 0x005BFCD0 0x000003D4
DebugBreak - 0x14041C6B8 0x005C12D8 0x005BFCD8 0x00000119
GetModuleHandleA - 0x14041C6C0 0x005C12E0 0x005BFCE0 0x00000292
LoadLibraryExA - 0x14041C6C8 0x005C12E8 0x005BFCE8 0x000003E5
GetStartupInfoW - 0x14041C6D0 0x005C12F0 0x005BFCF0 0x000002F1
GetModuleFileNameA - 0x14041C6D8 0x005C12F8 0x005BFCF8 0x00000290
GetVersionExA - 0x14041C6E0 0x005C1300 0x005BFD00 0x00000341
SetProcessAffinityMask - 0x14041C6E8 0x005C1308 0x005BFD08 0x0000056F
GetComputerNameA - 0x14041C6F0 0x005C1310 0x005BFD10 0x000001F6
FlsFree - 0x14041C6F8 0x005C1318 0x005BFD18 0x000001B5
FlsSetValue - 0x14041C700 0x005C1320 0x005BFD20 0x000001B7
FlsGetValue - 0x14041C708 0x005C1328 0x005BFD28 0x000001B6
FlsAlloc - 0x14041C710 0x005C1330 0x005BFD30 0x000001B4
GetCPInfo - 0x14041C718 0x005C1338 0x005BFD38 0x000001DB
RtlLookupFunctionEntry - 0x14041C720 0x005C1340 0x005BFD40 0x000004FD
GetFinalPathNameByHandleW - 0x14041C728 0x005C1348 0x005BFD48 0x0000026C
RtlVirtualUnwind - 0x14041C730 0x005C1350 0x005BFD50 0x00000504
UnhandledExceptionFilter - 0x14041C738 0x005C1358 0x005BFD58 0x000005E6
SetUnhandledExceptionFilter - 0x14041C740 0x005C1360 0x005BFD60 0x000005A4
IsProcessorFeaturePresent - 0x14041C748 0x005C1368 0x005BFD68 0x000003A8
IsDebuggerPresent - 0x14041C750 0x005C1370 0x005BFD70 0x000003A0
InitializeSListHead - 0x14041C758 0x005C1378 0x005BFD78 0x0000038A
RtlUnwindEx - 0x14041C760 0x005C1380 0x005BFD80 0x00000503
RtlPcToFileHeader - 0x14041C768 0x005C1388 0x005BFD88 0x000004FF
RaiseException - 0x14041C770 0x005C1390 0x005BFD90 0x00000487
SetStdHandle - 0x14041C778 0x005C1398 0x005BFD98 0x0000057F
GetCommandLineA - 0x14041C780 0x005C13A0 0x005BFDA0 0x000001F0
GetCommandLineW - 0x14041C788 0x005C13A8 0x005BFDA8 0x000001F1
CreateThread - 0x14041C790 0x005C13B0 0x005BFDB0 0x00000103
ExitThread - 0x14041C798 0x005C13B8 0x005BFDB8 0x00000179
FreeLibraryAndExitThread - 0x14041C7A0 0x005C13C0 0x005BFDC0 0x000001C6
GetDriveTypeW - 0x14041C7A8 0x005C13C8 0x005BFDC8 0x0000024B
SystemTimeToTzSpecificLocalTime - 0x14041C7B0 0x005C13D0 0x005BFDD0 0x000005C1
ExitProcess - 0x14041C7B8 0x005C13D8 0x005BFDD8 0x00000178
GetFileAttributesExW - 0x14041C7C0 0x005C13E0 0x005BFDE0 0x0000025E
SetFileAttributesW - 0x14041C7C8 0x005C13E8 0x005BFDE8 0x0000054F
GetConsoleOutputCP - 0x14041C7D0 0x005C13F0 0x005BFDF0 0x0000021A
CompareStringW - 0x14041C7D8 0x005C13F8 0x005BFDF8 0x000000AA
GetLocaleInfoW - 0x14041C7E0 0x005C1400 0x005BFE00 0x00000281
IsValidLocale - 0x14041C7E8 0x005C1408 0x005BFE08 0x000003B0
GetUserDefaultLCID - 0x14041C7F0 0x005C1410 0x005BFE10 0x00000339
EnumSystemLocalesW - 0x14041C7F8 0x005C1418 0x005BFE18 0x0000016D
HeapReAlloc - 0x14041C800 0x005C1420 0x005BFE20 0x00000373
GetTimeZoneInformation - 0x14041C808 0x005C1428 0x005BFE28 0x00000333
HeapSize - 0x14041C810 0x005C1430 0x005BFE30 0x00000375
SetEndOfFile - 0x14041C818 0x005C1438 0x005BFE38 0x00000542
FindFirstFileExW - 0x14041C820 0x005C1440 0x005BFE40 0x00000195
IsValidCodePage - 0x14041C828 0x005C1448 0x005BFE48 0x000003AE
GetOEMCP - 0x14041C830 0x005C1450 0x005BFE50 0x000002B6
GetFileSizeEx - 0x14041C838 0x005C1458 0x005BFE58 0x00000268
GetShortPathNameW - 0x14041C840 0x005C1460 0x005BFE60 0x000002EE
CompareStringEx - 0x14041C848 0x005C1468 0x005BFE68 0x000000A8
LCMapStringEx - 0x14041C850 0x005C1470 0x005BFE70 0x000003D3
InitializeCriticalSectionEx - 0x14041C858 0x005C1478 0x005BFE78 0x00000387
WaitForSingleObjectEx - 0x14041C860 0x005C1480 0x005BFE80 0x00000611
GetExitCodeThread - 0x14041C868 0x005C1488 0x005BFE88 0x00000259
SleepConditionVariableSRW - 0x14041C870 0x005C1490 0x005BFE90 0x000005B6
EncodePointer - 0x14041C878 0x005C1498 0x005BFE98 0x00000145
DecodePointer - 0x14041C880 0x005C14A0 0x005BFEA0 0x0000011C
USER32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetLastInputInfo - 0x14041C8A0 0x005C14C0 0x005BFEC0 0x00000172
MessageBoxW - 0x14041C8A8 0x005C14C8 0x005BFEC8 0x0000028B
GetProcessWindowStation - 0x14041C8B0 0x005C14D0 0x005BFED0 0x000001B0
TranslateMessage - 0x14041C8B8 0x005C14D8 0x005BFED8 0x000003BA
GetUserObjectInformationW - 0x14041C8C0 0x005C14E0 0x005BFEE0 0x000001DA
ShowWindow - 0x14041C8C8 0x005C14E8 0x005BFEE8 0x0000039A
DispatchMessageA - 0x14041C8D0 0x005C14F0 0x005BFEF0 0x000000BC
GetSystemMetrics - 0x14041C8D8 0x005C14F8 0x005BFEF8 0x000001C9
MapVirtualKeyW - 0x14041C8E0 0x005C1500 0x005BFF00 0x0000027D
GetMessageA - 0x14041C8E8 0x005C1508 0x005BFF08 0x00000187
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderPathA - 0x14041C890 0x005C14B0 0x005BFEB0 0x0000016D
ole32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoInitializeEx - 0x14041CA40 0x005C1660 0x005C0060 0x00000061
CoUninitialize - 0x14041CA48 0x005C1668 0x005C0068 0x00000091
CoCreateInstance - 0x14041CA50 0x005C1670 0x005C0070 0x0000002B
ADVAPI32.dll (33)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SystemFunction036 - 0x14041C000 0x005C0C20 0x005BF620 0x00000319
GetUserNameW - 0x14041C008 0x005C0C28 0x005BF628 0x00000166
ReportEventW - 0x14041C010 0x005C0C30 0x005BF630 0x000002B6
RegisterEventSourceW - 0x14041C018 0x005C0C38 0x005BF638 0x000002A4
DeregisterEventSource - 0x14041C020 0x005C0C40 0x005BF640 0x000000ED
CryptEnumProvidersW - 0x14041C028 0x005C0C48 0x005BF648 0x000000CF
CryptSignHashW - 0x14041C030 0x005C0C50 0x005BF650 0x000000E5
CryptDestroyHash - 0x14041C038 0x005C0C58 0x005BF658 0x000000C7
CryptCreateHash - 0x14041C040 0x005C0C60 0x005BF660 0x000000C4
CryptDecrypt - 0x14041C048 0x005C0C68 0x005BF668 0x000000C5
CryptExportKey - 0x14041C050 0x005C0C70 0x005BF670 0x000000D0
CryptGetUserKey - 0x14041C058 0x005C0C78 0x005BF678 0x000000D8
CryptGetProvParam - 0x14041C060 0x005C0C80 0x005BF680 0x000000D7
CryptSetHashParam - 0x14041C068 0x005C0C88 0x005BF688 0x000000DD
CryptDestroyKey - 0x14041C070 0x005C0C90 0x005BF690 0x000000C8
CryptReleaseContext - 0x14041C078 0x005C0C98 0x005BF698 0x000000DC
CryptAcquireContextW - 0x14041C080 0x005C0CA0 0x005BF6A0 0x000000C2
CreateServiceW - 0x14041C088 0x005C0CA8 0x005BF6A8 0x00000091
QueryServiceStatus - 0x14041C090 0x005C0CB0 0x005BF6B0 0x00000246
CloseServiceHandle - 0x14041C098 0x005C0CB8 0x005BF6B8 0x00000065
OpenSCManagerW - 0x14041C0A0 0x005C0CC0 0x005BF6C0 0x0000020D
QueryServiceConfigA - 0x14041C0A8 0x005C0CC8 0x005BF6C8 0x00000240
DeleteService - 0x14041C0B0 0x005C0CD0 0x005BF6D0 0x000000EC
ControlService - 0x14041C0B8 0x005C0CD8 0x005BF6D8 0x0000006A
StartServiceW - 0x14041C0C0 0x005C0CE0 0x005BF6E0 0x000002F1
OpenServiceW - 0x14041C0C8 0x005C0CE8 0x005BF6E8 0x0000020F
LookupPrivilegeValueW - 0x14041C0D0 0x005C0CF0 0x005BF6F0 0x0000019A
AdjustTokenPrivileges - 0x14041C0D8 0x005C0CF8 0x005BF6F8 0x0000001F
OpenProcessToken - 0x14041C0E0 0x005C0D00 0x005BF700 0x0000020B
LsaOpenPolicy - 0x14041C0E8 0x005C0D08 0x005BF708 0x000001C9
LsaAddAccountRights - 0x14041C0F0 0x005C0D10 0x005BF710 0x0000019D
LsaClose - 0x14041C0F8 0x005C0D18 0x005BF718 0x000001A0
GetTokenInformation - 0x14041C100 0x005C0D20 0x005BF720 0x0000015B
bcrypt.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
BCryptGenRandom - 0x14041CA30 0x005C1650 0x005C0050 0x0000001D
Memory Dumps (44)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
xmrig.exe 6 0x7FF67CF40000 0x7FF67D7F6FFF Relevant Image False 64-bit 0x7FF67D3538E0 False
buffer 6 0x001D0000 0x001EFFFF Content Changed False 64-bit - False
buffer 6 0x0014C000 0x0014FFFF First Network Behavior False 64-bit - False
buffer 6 0x001D0000 0x001EFFFF First Network Behavior False 64-bit - False
buffer 6 0x004A77A0 0x004A781F First Network Behavior False 64-bit - False
buffer 6 0x004A7A60 0x004A7B55 First Network Behavior False 64-bit - False
buffer 6 0x004A7B90 0x004A7C0F First Network Behavior False 64-bit - False
buffer 6 0x004A9850 0x004A98CF First Network Behavior False 64-bit - False
buffer 6 0x004A9AF0 0x004A9B75 First Network Behavior False 64-bit - False
buffer 6 0x004A9DB0 0x004A9EA7 First Network Behavior False 64-bit - False
buffer 6 0x004A9F30 0x004AA027 First Network Behavior False 64-bit - False
buffer 6 0x004AA220 0x004AA29F First Network Behavior False 64-bit - False
buffer 6 0x004AD6E0 0x004AD75F First Network Behavior False 64-bit - False
buffer 6 0x004AE3E0 0x004AE4EF First Network Behavior False 64-bit - False
buffer 6 0x004AED20 0x004AEF1F First Network Behavior False 64-bit - False
buffer 6 0x004AF090 0x004AF164 First Network Behavior False 64-bit - False
buffer 6 0x004AF2A0 0x004AF397 First Network Behavior False 64-bit - False
buffer 6 0x004AF4E0 0x004AF707 First Network Behavior False 64-bit - False
buffer 6 0x004B0A20 0x004B0DE7 First Network Behavior False 64-bit - False
buffer 6 0x004B0DF0 0x004B0F47 First Network Behavior False 64-bit - False
buffer 6 0x004B1BE0 0x004B1CD7 First Network Behavior False 64-bit - False
buffer 6 0x004B2D00 0x004B2E57 First Network Behavior False 64-bit - False
buffer 6 0x004C2240 0x004C233F First Network Behavior False 64-bit - False
buffer 6 0x004C3020 0x004C421F First Network Behavior False 64-bit - False
buffer 6 0x004C4230 0x004C522F First Network Behavior False 64-bit - False
buffer 6 0x004CFAA0 0x004CFE2F First Network Behavior False 64-bit - False
buffer 6 0x004CFE40 0x004CFF37 First Network Behavior False 64-bit - False
buffer 6 0x004CFF40 0x004D007F First Network Behavior False 64-bit - False
buffer 6 0x004D00A0 0x004D0197 First Network Behavior False 64-bit - False
buffer 6 0x004D11B0 0x004D12A7 First Network Behavior False 64-bit - False
buffer 6 0x004D12B0 0x004D13A7 First Network Behavior False 64-bit - False
buffer 6 0x004D2540 0x004D293F First Network Behavior False 64-bit - False
xmrig.exe 6 0x7FF67CF40000 0x7FF67D7F6FFF First Network Behavior False 64-bit 0x7FF67D2FAFB9 False
buffer 6 0x00460000 0x0047FFFF First Execution False 64-bit 0x00460EC0 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x0046D000 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x0046B000 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00460EC0 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00468EC0 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00470DC0 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x0046A000 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x0046D000 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00469000 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00460EC0 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00468EC0 False
YARA Matches (1)
Rule Name Rule Description Classification Score
XMRig_Miner XMRig mining software Miner, PUA 5/5
\\?\C:\Users\OqXZRaykm\Desktop\WinRing0x64.sys Dropped File Binary
Clean
Known to be clean.
Also Known As (Accessed File)
WinRing0x64.sys (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 14.20 KB
MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SSDeep 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
ImpHash d41fa95d4642dc981f10de36f4dc8cd7
File Reputation Information
Verdict
Clean
Known to be clean.
PE Information
Image Base 0x00010000
Entry Point 0x00015008
Size Of Code 0x00000C00
Size Of Initialized Data 0x00000A00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_NATIVE
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 2008-07-26 13:29 (UTC)
Version Information (9)
Comments The modified BSD license
CompanyName OpenLibSys.org
FileDescription WinRing0
FileVersion 1.2.0.5
InternalName WinRing0.sys
LegalCopyright Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved.
OriginalFilename WinRing0.sys
ProductName WinRing0
ProductVersion 1.2.0.5
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00011000 0x000006C6 0x00000800 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.39
.rdata 0x00012000 0x0000017C 0x00000200 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ 3.28
.data 0x00013000 0x00000114 0x00000200 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.3
.pdata 0x00014000 0x00000060 0x00000200 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ 0.86
INIT 0x00015000 0x00000222 0x00000400 0x00001200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.06
.rsrc 0x00016000 0x000003C0 0x00000400 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 3.13
Imports (2)
ntoskrnl.exe (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IoDeleteSymbolicLink - 0x00012018 0x000050B8 0x000012B8 0x000001BE
RtlInitUnicodeString - 0x00012020 0x000050C0 0x000012C0 0x00000515
IoDeleteDevice - 0x00012028 0x000050C8 0x000012C8 0x000001BC
IoCreateDevice - 0x00012030 0x000050D0 0x000012D0 0x000001A8
MmMapIoSpace - 0x00012038 0x000050D8 0x000012D8 0x0000035B
KeBugCheckEx - 0x00012040 0x000050E0 0x000012E0 0x0000028A
IoCreateSymbolicLink - 0x00012048 0x000050E8 0x000012E8 0x000001B2
MmUnmapIoSpace - 0x00012050 0x000050F0 0x000012F0 0x0000037B
IofCompleteRequest - 0x00012058 0x000050F8 0x000012F8 0x0000026B
__C_specific_handler - 0x00012060 0x00005100 0x00001300 0x000006F9
HAL.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
HalSetBusDataByOffset - 0x00012000 0x000050A0 0x000012A0 0x0000002F
HalGetBusDataByOffset - 0x00012008 0x000050A8 0x000012A8 0x00000015
Digital Signature Information
Verification Status Valid
Certificate: Noriyuki MIYAZAKI
Issued by Noriyuki MIYAZAKI
Parent Certificate GlobalSign ObjectSign CA
Country Name JP
Valid From 2007-09-24 10:50 (UTC)
Valid Until 2008-09-24 10:50 (UTC)
Algorithm sha1_rsa
Serial Number 01 00 00 00 00 01 15 37 24 21 A8
Thumbprint CD A9 8A C4 01 94 56 09 55 93 90 2E 4B 4A 87 AC 28 3E D5 4A
Certificate: GlobalSign ObjectSign CA
Issued by GlobalSign ObjectSign CA
Parent Certificate GlobalSign Primary Object Publishing CA
Country Name BE
Valid From 2004-01-22 09:00 (UTC)
Valid Until 2014-01-27 10:00 (UTC)
Algorithm sha1_rsa
Serial Number 04 00 00 00 00 01 08 D9 61 24 48
Thumbprint 4A 19 14 6D 67 BD 20 84 3A 3A 07 13 58 75 57 BF 51 92 13 CC
Certificate: GlobalSign Primary Object Publishing CA
Issued by GlobalSign Primary Object Publishing CA
Parent Certificate GlobalSign Root CA
Country Name BE
Valid From 1999-01-28 12:00 (UTC)
Valid Until 2014-01-27 11:00 (UTC)
Algorithm sha1_rsa
Serial Number 04 00 00 00 00 01 08 D9 61 1C D6
Thumbprint 98 7F D0 00 DC B1 21 51 7D 72 45 3E E5 17 6E B9 2B 13 63 B9
Certificate: GlobalSign Root CA
Issued by GlobalSign Root CA
Country Name BE
Valid From 2006-05-23 17:00 (UTC)
Valid Until 2016-05-23 17:10 (UTC)
Algorithm sha1_rsa
Serial Number 61 0B 7F 6B 00 00 00 00 00 19
Thumbprint 3E EB 27 50 A1 99 F5 E7 B6 A8 95 24 30 BE 50 62 FE 04 E9 E5
c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\notifications\wpndatabase.db-wal Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 2.77 MB
MD5 8bdd83eac01e01a7dc779f0100c6baaf
SHA1 0b820cc2df8e76e5ffb2e34886a19fea1b05e1f3
SHA256 1466821ae8a19d75f2f14ff0da58062b3a6fe3261f53a3559b77962cc77257c8
SSDeep 6144:aCY86dlS7yq64Ffg7VZSDaeQZDve4qtMjjOzjaXgQjeXlUqzECA2y4n9TnR+gEyG:Edksj+j8jzuR+gEyo05W+O6
ImpHash -
c:\programdata\microsoft\network\downloader\edb.log Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.25 MB
MD5 f553aa1b257ba06b681dcdb6f4687045
SHA1 0cf200d1081a485af433a551573141ab3a8032da
SHA256 2d4836d14580f7f7029d4e12b18b854df38322ff85e44aa78958adc16da40bb6
SSDeep 1536:xJPOR1dPEBmHlvDul3u/ia+ciyzkOsK+4rO1P+9V01IV:xJPORnDTDy1q01IV
ImpHash -
c:\windows\system32\winevt\logs\system.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.06 MB
MD5 047e1bd0998cab9d21ff5bf2d78e6da6
SHA1 e350b27bc99139798b91d69ecff7e150423e9a48
SHA256 0869d3e9e5380c9e058ff79fded21261297899e4f1a84c11f5cf62fa88a0a65f
SSDeep 1536:8kW/blLiCyjIr+76fSmacynEGxWZhRbd6a/wXh2S9qjKpaOt7xx6KtuKVmflXF9X:8kkblLiCyEprL/WzNxclrSXjT5P
ImpHash -
c:\windows\system32\winevt\logs\application.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.06 MB
MD5 f6f06d84fb9d8b0af83e228a8596c8d5
SHA1 24002137bc661a0e0374e06851c9dabeaa59bd10
SHA256 afd964ced57f8e50995ef4d239b63ed6b0141bbd2a5c3b43d30ec6e53db8ed35
SSDeep 3072:0z6/3lAzcocqcmL/olxcNcyVcFmMcKcNcViGBcTcccgM8cpcx0RPTh5aKaxcpccc:0/olweaKa
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-wmi-activity%4operational.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.00 MB
MD5 19d51139154382e0f2d31c30770ea7b5
SHA1 824f563e0824c244236040a809d8465613c38aa7
SHA256 a5fbc033290d6be3d2af1bfeace9d3b3798188270ffa6e06e5851ad6bf3e78e0
SSDeep 384:B3h4RFRRObx3RurDRkmR51RdRjRxRSzvRhRnR9x6RgRqYRZxRRRaR7RDRLRWRaRP:lthlhziooz1gLNjWKLZWOs
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-pushnotification-platform%4operational.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.00 MB
MD5 4be1bdacfac1d300c62db13a582178a5
SHA1 d182c4812b66ad47c9f5310c504beeab8acc291a
SHA256 1d28be66536bfb7508e218d759c69f11d036837545b7754da8bab89bdbcab155
SSDeep 6144:iYQcXZLJcOjICjO95nrISLL9vttPhoaPEWxZBu7nBl5YGfP8D5w3L1/Wxxs3cyxN:XF
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-appxdeployment%4operational.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.00 MB
MD5 a09a17f06f048add70fdf46eb5430f80
SHA1 516e62456bd0a0d2c8615afa7eb20289cec14127
SHA256 c47e77b09b269aef7213f5ea1dba9c5c4c0c800fe14b909924b47b916466b1d0
SSDeep 768:cToJoquY2efqu8OYH+quU809yMaG9umqHDS/Y34LzV2OBy/rUHoIC:SoWquLefquw+quEY49u6nLx2HYX
ImpHash -
c:\windows\system32\perfstringbackup.ini Dropped File Stream
Clean
Also Known As c:\windows\system32\perfstringbackup.tmp (Dropped File)
MIME Type application/octet-stream
File Size 777.08 KB
MD5 4dd537f1ea92c248c3ee76e94eeaa7de
SHA1 d5a1afdd6e856fc15d54f09509544cc2148f503d
SHA256 34d047689cb731eead66c75e1daf1f2e0c6fd68155dd53dfd4fc352c39a4aa81
SSDeep 3072:NJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc76:A1nqgsp2gOKihb
ImpHash -
c:\programdata\microsoft\network\downloader\qmgr.db Dropped File Unknown
Clean
MIME Type application/x-ms-ese
File Size 768.00 KB
MD5 ca93b1f731964faaccb37247f3feb757
SHA1 9658229afe477ab4ca96ea05824a7df9932007a8
SHA256 9801ba911831343861799b4f086bd61e72199d9b89d2b8202d19f9037a2dae74
SSDeep 384:LW0StseCJ48jL4fW0StseCJ48jMTSjlK/wXsC1r:LSB2iSB2ISjlK/wXsC1r
ImpHash -
c:\windows\logs\cbs\cbs.log Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 255.82 KB
MD5 a259708896a19a57208c81f03f2dabb3
SHA1 71c21d3bb6f7e255c9db2d200517502c236110ae
SHA256 9599c91fec4ce1c770a95e4fe4eddf8e45df962e51297786970ca78090907c45
SSDeep 384:RwVe3S5+VQSmzVeO5PBgzM5+sx7ruvr8uI4JvDQRo3nTV7wJD:RGei5+VnmzVeOvgzM5+sx8VQRo3nTV
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-bits-client%4operational.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 68.00 KB
MD5 75c784044f0814af3107eeccf6d41ffa
SHA1 296e7e03fd11795224f5746f9c93fe73acb1d8ae
SHA256 e1a2e097970f1e18402cb3c9a2bbe971329f7e98f91553979874e1094ceff3a8
SSDeep 384:3xhnGjGahbVXGVkGnGogGqXbGIVGaGGk4G8Gz1GkGnhG8GTDG8G1RGAGaBGjGJGO:B6QTAXtg3OWC
ImpHash -
c:\windows\inf\wmiaprpl\wmiaprpl.ini Dropped File Text
Clean
Known to be clean.
Also Known As c:\windows\system32\wbem\performance\wmiaprpl.ini (Dropped File)
c:\windows\system32\wbem\performance\wmiaprpl_new.ini (Dropped File)
MIME Type text/plain
File Size 29.03 KB
MD5 ffdeea82ba4a5a65585103dd2a922dfe
SHA1 094c3794503245cc7dfa9e222d3504f449a5400b
SHA256 c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SSDeep 384:eso3V1/z21+byTLVh4+rCop/g4kg4491T91XFrw4G4xvrtZ9dyu+2V0DrtcYkcTu:esoW/g4kg4oG4J
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
c:\programdata\microsoft\network\downloader\qmgr.jfm Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 16.00 KB
MD5 02d1f4b7ec8f79b89ba058f015860c1d
SHA1 8cfbdaa116188022cc5b189aaab871f729fb782a
SHA256 e84f7cff73b90af098b82944cae7cebffe4058ece7e7323238d7d027e9bbe067
SSDeep 3:tmjpIYD1M2mlllTWADBYZMvSbllllHtHvhlllalleillllXl:Aox/IoBYqvSb/VHvh/AQid
ImpHash -
c:\windows\inf\wmiaprpl\wmiaprpl.h Dropped File Text
Clean
Known to be clean.
MIME Type text/plain
File Size 3.36 KB
MD5 b133a676d139032a27de3d9619e70091
SHA1 1248aa89938a13640252a79113930ede2f26f1fa
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SSDeep 48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
C:\Users\OqXZRaykm\Desktop\1.cmd Dropped File Text
Clean
Also Known As 1.cmd (Accessed File)
\\?\C:\Users\OqXZRaykm\Desktop\1.cmd (Accessed File)
MIME Type text/x-msdos-batch
File Size 183 Bytes
MD5 25dd5e79a650043821b67f5acd70ff92
SHA1 91ae7ca0f1f03ab364add8fed7b76b82c130405b
SHA256 c0b8774d6bdb8fe949a1e03352f43f7725399171adbd12bd6d8557a9bfb2c9ad
SSDeep 3:mKDDVBF//IyXI7ghKTEQfhX0dcVLKaEndoFemPkgU7rKtIMInvuZv:hyEIJT5fhXvVLKlQemFU7Oavgv
ImpHash -
c:\users\oqxzraykm\desktop\__tmp_rar_sfx_access_check_23361906 Dropped File Empty
Clean
Also Known As __tmp_rar_sfx_access_check_23361906 (Accessed File, Dropped File)
MIME Type application/x-empty
File Size 0 Bytes (not extracted)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
c:\windows\system32\perfh009.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 659.38 KB
MD5 c146afddee532240a480e79429e42d4c
SHA1 1e1ffe476cf77929da882bdff7ce417c6771b5ba
SHA256 b072e19af57494727c1fa78e2e6bd8fea07567b6d570fb1fba52e311736b5779
SSDeep 3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRa:78M6d0w+WB6X
ImpHash -
c:\windows\system32\perfh009.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 646.33 KB
MD5 e40274085a7456e341b393828a83a204
SHA1 b37899dbd6dc8da64b8ceb2afee684ee4471317c
SHA256 a4bbd4981bf03910e2a7ab2e87bd8b3415afbf371b56dd04ead9a4e6d9e10668
SSDeep 3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRJ:78M6d0w+WB6Q
ImpHash -
c:\windows\prefetch\agapplaunch.db Modified File Stream
Clean
MIME Type application/octet-stream
File Size 326.33 KB
MD5 269f389b2ee5576a9f920c0866ee7a23
SHA1 feb9d7e5f2b02ea1840afd8fdad6b136af73d090
SHA256 00f950c25f0c32fbb93b7f91c1dcd99011d248c24db440a594b2bd22d59f1a34
SSDeep 24:ANZZ31MTLYTR41KGbRViLzyIB+cuOyrP5fMMM+cuOyrP5iRVyMM+E:AB3aKK1K+VX0LuXFMMMLuXKVyMM
ImpHash -
c:\windows\system32\perfc009.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 122.47 KB
MD5 a1c55f2a9c41899549af8593bf5e4ce7
SHA1 d8d4ca6afedc87e1bec3f819dba897095b6fea8e
SHA256 a57660cb5ec3beec908ee2fb8cbafded9afb23bd91d0273ccf31f17fe206ef1f
SSDeep 3072:XBnfw8ld9+mRDaUR28oV7TY+7S0bCDhUHL:c
ImpHash -
c:\windows\system32\perfc009.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 118.55 KB
MD5 ba6c49f98e2451a28974da13c598d0ea
SHA1 de82a1fcdd6b98c421a9cf36f4eb9dde6fe26859
SHA256 5d8988f2bcf7284cd96510e6735d7be5371103a83c85d04168d01f793becc960
SSDeep 1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwQ:XBnfw8ld9+mRDaUR28oV7TY+7S0bQ
ImpHash -
c:\programdata\microsoft\windows\apprepository\staterepository-deployment.srd-shm Modified File Stream
Clean
Known to be clean.
MIME Type application/octet-stream
File Size 32.00 KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SSDeep 3::
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
c:\programdata\microsoft\network\downloader\edb.chk Modified File Stream
Clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 cc21a393cfe53b36e339b3d1c50b622f
SHA1 c4870f9f2baf41e8d7c3e378cf71701e3bbcca7c
SHA256 58c2a465ccaf743b18c6771011b970fd7962ef3800a12dd04febd0fac1c2165d
SSDeep 12:KLaaD0JcaaD0JwQQQeLaaD0JcaaD0JwQQQ:KLtgJctgJwnLtgJctgJw
ImpHash -
c:\programdata\microsoft\network\downloader\edb.chk Modified File Stream
Clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 471ac3982bee99948e5646022f9d8d08
SHA1 c5f05927438f2e9c40113136e4cb855f65a68fa9
SHA256 85829b875bfa7398880e5121711bd2dacf9a95bedb558ea274a30e51ebbc5d1b
SSDeep 12:BQLaaD0JcaaD0JwQQTsdQLaaD0JcaaD0JwQQTs:+LtgJctgJwbDLtgJctgJwb
ImpHash -
c:\programdata\microsoft\network\downloader\edb.chk Modified File Stream
Clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 2eb1251ecda3304c2fac0a89e0a66ccf
SHA1 d7371e08c129dc443dd0cf12ebbfe50755c487c1
SHA256 b960f13e2856ed37c0dddd6429acd6a7ae2a0f450e0539b71b1e74dcd88c712d
SSDeep 12:ELaaD0JcaaD0JwQQaQLaaD0JcaaD0JwQQa:ELtgJctgJwHLtgJctgJw
ImpHash -
c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask Modified File Text
Clean
MIME Type text/xml
File Size 4.57 KB
MD5 1a9285e1b5fc525b0218a94cbf170ed7
SHA1 a59bf331878323c6db5997062ee5d14556bca3cc
SHA256 76df716ec217bddbb005673483524f59d4ac6704e5dcbe82109c78df48cb47c6
SSDeep 96:pYMguQII4iz6h4aGdinipV9ll7UY5HAmzQ+:9A4r/xne7HO+
ImpHash -
6f86849b026f0c45c0c8a1145048960bbdefdaea3beac030f114b1ff16057994 Extracted File Image
Clean
Known to be clean.
Parent File C:\Users\OqXZRaykm\Desktop\OKLA.exe
MIME Type image/png
File Size 15.36 KB
MD5 7b678b6cb96c363d9e0adc3a1b3b4893
SHA1 c7e817672b686eb66bf5907da1efaef1dec8e06e
SHA256 6f86849b026f0c45c0c8a1145048960bbdefdaea3beac030f114b1ff16057994
SSDeep 384:cCVOnt2MQzUHLz8NE/IEToowoF9VCN6eqiRYSSSSHDNMPi:wZuMv8EIETxryMZDN3
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
1027b3001f02a641e63f0f8890d8c241a96ad9f9b6f51ac18f1708e0b9b153e2 Extracted File Image
Clean
Parent File \\?\C:\Users\OqXZRaykm\Desktop\xmrig.exe
MIME Type image/png
File Size 6.24 KB
MD5 d2b3b44dd5992d99b061cec9f87c5e3b
SHA1 694991076e6bd92f29800d5f4fd4b136e9583a03
SHA256 1027b3001f02a641e63f0f8890d8c241a96ad9f9b6f51ac18f1708e0b9b153e2
SSDeep 192:cpIADVqc29SUu1hqr2QTLpaNfnVWnvK4NhzC5Zaw4819E:cpBDEpIU8hqrtv4N4to5Zaw4819E
ImpHash -
27d3a1a2da49dc535cc10806abaae9dfa49e4f5f44a40540ead50e065b99ca68 Extracted File Image
Clean
Parent File C:\Users\OqXZRaykm\Desktop\OKLA.exe
MIME Type image/png
File Size 5.41 KB
MD5 e6ccfb6d9ffd4e1a907a47761c64bd79
SHA1 d6a2994dedae3527a878140aa60dcaa087b90445
SHA256 27d3a1a2da49dc535cc10806abaae9dfa49e4f5f44a40540ead50e065b99ca68
SSDeep 96:ioA0HldODFNSZCbgEZohRodU3vMg2vLWT3m5RQgVH0SmAMPzzZ2OC9vd/GrW4jD/:FlkDFNSWggWf3ILWTeMPzzZc9vd/yWe
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
a91f4373ceebadfc70b3bd0758848918f928c3c76562e3d9d531574796fd9e9c Extracted File Image
Clean
Parent File C:\Users\OqXZRaykm\Desktop\OKLA.exe
MIME Type image/png
File Size 2.81 KB
MD5 63486a769bbe3f49d5848b9c69734a25
SHA1 e48bd36c2f23c238206bdddf3ebb6d6862905710
SHA256 a91f4373ceebadfc70b3bd0758848918f928c3c76562e3d9d531574796fd9e9c
SSDeep 48:Tppthbcpv0j+3MIG68XIZm2iVAMd+1pzX7JGkVdxU6UPyoarDZICZXBIYB8bn0eP:7bev0j+3r0JCM8zb7JGkhU68yoanZHZc
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.