Try VMRay Platform
Malicious
Classifications

Injector Spyware

Threat Names

Shifu C2/Generic-A C2/Simda-A Mal/Emogen-Y +2

Dynamic Analysis Report

Created on 2024-11-30T08:10:18+00:00

svchost.exe

Windows Exe (x86-32)
...

Remarks (2/3)

(0x02000008): One or more processes crashed during the analysis. Analysis results may be incomplete.

(0x0200000E): The overall sleep time of all monitored processes was truncated from "2 hours, 18 minutes, 49 seconds" to "18 seconds" to reveal dormant functionality.

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Filters:
File Name Category Type Verdict Actions
C:\Users\kEecfMwgj\Desktop\svchost.exe Sample File Binary
Malicious
...
»
Also Known As C:\Windows\AppPatch\svchost.exe (Accessed File)
C:\Windows\apppatch\svchost.exe (Dropped File, Accessed File)
c:\windows\apppatch\svchost.exe (Dropped File, Accessed File, Sample File)
MIME Type application/vnd.microsoft.portable-executable
File Size 217.81 KB
MD5 3b58259e7a9d4dadc465d30b4bab11ec Copy to Clipboard
SHA1 82dfaeeb9b04a74c98f640cc11ff45362e2b69c1 Copy to Clipboard
SHA256 8c5b4ac59cf8f23a450e825467902a16d9c646989598a5b0ce2fcd0d303d6a93 Copy to Clipboard
SSDeep 6144:ZrRaTyDOnlo7eM+mlkWgRXOqobzWjozm2ulYM6Y:hsTbzu1glovW4EH6Y Copy to Clipboard
ImpHash a1477f62efa130779fcb2868cf890b42 Copy to Clipboard
File Reputation Information
»
Verdict
Malicious
Names Mal/Generic-S
PE Information
»
Image Base 0x00400000
Entry Point 0x00469CD7
Size Of Code 0x00003400
Size Of Initialized Data 0x00031919
Size Of Uninitialized Data 0x0014CEAF
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 1996-09-14 03:16 (UTC)
Version Information (6)
»
FileVersion 9.6.2.2
ProductVersion 2.2.1.9
FileDescription synapticula
CompanyName COMODO
LegalCopyright Glabellum
ProductName Hysterically
Sections (9)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.T 0x00401000 0x00000719 0x00000719 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.48
.gF 0x00402000 0x00066335 0x00000E00 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.32
.HEYeA 0x00469000 0x000033FA 0x00003400 0x00001A00 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.07
.uH 0x0046D000 0x000074B4 0x00000E00 0x00004E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.01
.TqqCdb 0x00475000 0x00072688 0x00000C00 0x00005C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.23
.data 0x004E8000 0x0006D6F6 0x0002BC00 0x00006800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.99
.d 0x00556000 0x0002F948 0x00000A00 0x00032400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.61
.rsrc 0x00586000 0x00001EAC 0x00002000 0x00032E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.74
.reloc 0x00588000 0x00000390 0x00000400 0x00034E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.59
Imports (8)
»
kernel32.dll (42)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetVersion - 0x0046D000 0x0006D290 0x00005090 0x00000001
lstrlenW - 0x0046D004 0x0006D294 0x00005094 0x0000003A
SetLocaleInfoA - 0x0046D008 0x0006D298 0x00005098 0x00000024
GetNumberFormatA - 0x0046D00C 0x0006D29C 0x0000509C 0x00000076
OpenEventW - 0x0046D010 0x0006D2A0 0x000050A0 0x0000001A
WaitForMultipleObjects - 0x0046D014 0x0006D2A4 0x000050A4 0x0000000A
SetCalendarInfoA - 0x0046D018 0x0006D2A8 0x000050A8 0x0000003F
lstrcmpiA - 0x0046D01C 0x0006D2AC 0x000050AC 0x0000000D
EnumTimeFormatsA - 0x0046D020 0x0006D2B0 0x000050B0 0x00000061
GetLocaleInfoA - 0x0046D024 0x0006D2B4 0x000050B4 0x00000068
FreeResource - 0x0046D028 0x0006D2B8 0x000050B8 0x0000002B
lstrcatA - 0x0046D02C 0x0006D2BC 0x000050BC 0x00000067
DisconnectNamedPipe - 0x0046D030 0x0006D2C0 0x000050C0 0x00000012
LoadLibraryA - 0x0046D034 0x0006D2C4 0x000050C4 0x00000021
GetCurrentDirectoryW - 0x0046D038 0x0006D2C8 0x000050C8 0x0000003E
lstrlenA - 0x0046D03C 0x0006D2CC 0x000050CC 0x00000005
SetPriorityClass - 0x0046D040 0x0006D2D0 0x000050D0 0x00000027
GetCurrentThreadId - 0x0046D044 0x0006D2D4 0x000050D4 0x00000014
GetSystemDirectoryW - 0x0046D048 0x0006D2D8 0x000050D8 0x00000005
RemoveDirectoryW - 0x0046D04C 0x0006D2DC 0x000050DC 0x0000001C
GetTempFileNameW - 0x0046D050 0x0006D2E0 0x000050E0 0x00000052
GetModuleFileNameA - 0x0046D054 0x0006D2E4 0x000050E4 0x0000005C
lstrcmpA - 0x0046D058 0x0006D2E8 0x000050E8 0x00000057
SetComputerNameW - 0x0046D05C 0x0006D2EC 0x000050EC 0x00000051
GetLocalTime - 0x0046D060 0x0006D2F0 0x000050F0 0x0000001B
IsDebuggerPresent - 0x0046D064 0x0006D2F4 0x000050F4 0x0000004F
CreateThread - 0x0046D068 0x0006D2F8 0x000050F8 0x00000068
GetDateFormatW - 0x0046D06C 0x0006D2FC 0x000050FC 0x00000040
GetFileAttributesA - 0x0046D070 0x0006D300 0x00005100 0x0000002B
IsBadReadPtr - 0x0046D074 0x0006D304 0x00005104 0x00000042
BeginUpdateResourceA - 0x0046D078 0x0006D308 0x00005108 0x0000005E
GetCalendarInfoW - 0x0046D07C 0x0006D30C 0x0000510C 0x00000015
GetCommandLineW - 0x0046D080 0x0006D310 0x00005110 0x0000006A
FileTimeToSystemTime - 0x0046D084 0x0006D314 0x00005114 0x00000064
OpenSemaphoreW - 0x0046D088 0x0006D318 0x00005118 0x00000046
MoveFileW - 0x0046D08C 0x0006D31C 0x0000511C 0x0000005E
GetProcAddress - 0x0046D090 0x0006D320 0x00005120 0x00000041
QueryPerformanceCounter - 0x0046D094 0x0006D324 0x00005124 0x0000005D
SuspendThread - 0x0046D098 0x0006D328 0x00005128 0x00000062
GetACP - 0x0046D09C 0x0006D32C 0x0000512C 0x00000017
lstrcpynA - 0x0046D0A0 0x0006D330 0x00005130 0x0000004F
GetStartupInfoW - 0x0046D0A4 0x0006D334 0x00005134 0x0000005A
user32.dll (13)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeleteMenu - 0x0046D0AC 0x0006D33C 0x0000513C 0x00000055
DefWindowProcW - 0x0046D0B0 0x0006D340 0x00005140 0x00000027
SendMessageA - 0x0046D0B4 0x0006D344 0x00005144 0x0000004E
DestroyCursor - 0x0046D0B8 0x0006D348 0x00005148 0x00000020
GetDlgItemTextW - 0x0046D0BC 0x0006D34C 0x0000514C 0x0000007F
FillRect - 0x0046D0C0 0x0006D350 0x00005150 0x00000034
GetActiveWindow - 0x0046D0C4 0x0006D354 0x00005154 0x00000049
CreateDialogParamW - 0x0046D0C8 0x0006D358 0x00005158 0x00000052
GetSubMenu - 0x0046D0CC 0x0006D35C 0x0000515C 0x0000006B
LoadCursorA - 0x0046D0D0 0x0006D360 0x00005160 0x0000005F
GetWindowLongA - 0x0046D0D4 0x0006D364 0x00005164 0x0000003B
GetTopWindow - 0x0046D0D8 0x0006D368 0x00005168 0x0000007E
wsprintfW - 0x0046D0DC 0x0006D36C 0x0000516C 0x0000003C
gdi32.dll (19)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetCharABCWidthsW - 0x0046D0E4 0x0006D374 0x00005174 0x00000009
CreateICA - 0x0046D0E8 0x0006D378 0x00005178 0x00000068
EndPage - 0x0046D0EC 0x0006D37C 0x0000517C 0x00000066
ExcludeClipRect - 0x0046D0F0 0x0006D380 0x00005180 0x00000003
GetGlyphOutlineW - 0x0046D0F4 0x0006D384 0x00005184 0x00000071
OffsetClipRgn - 0x0046D0F8 0x0006D388 0x00005188 0x00000076
UpdateColors - 0x0046D0FC 0x0006D38C 0x0000518C 0x00000001
Pie - 0x0046D100 0x0006D390 0x00005190 0x00000066
GetObjectW - 0x0046D104 0x0006D394 0x00005194 0x00000074
GetMetaFileBitsEx - 0x0046D108 0x0006D398 0x00005198 0x0000003E
OffsetViewportOrgEx - 0x0046D10C 0x0006D39C 0x0000519C 0x00000072
GetEnhMetaFileDescriptionA - 0x0046D110 0x0006D3A0 0x000051A0 0x00000066
InvertRgn - 0x0046D114 0x0006D3A4 0x000051A4 0x00000002
SetMapperFlags - 0x0046D118 0x0006D3A8 0x000051A8 0x0000004C
GetTextExtentExPointI - 0x0046D11C 0x0006D3AC 0x000051AC 0x00000071
CreateDCA - 0x0046D120 0x0006D3B0 0x000051B0 0x00000044
GetBkMode - 0x0046D124 0x0006D3B4 0x000051B4 0x00000047
GetEnhMetaFileA - 0x0046D128 0x0006D3B8 0x000051B8 0x00000050
GetCharABCWidthsA - 0x0046D12C 0x0006D3BC 0x000051BC 0x00000007
advapi32.dll (5)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegOpenKeyA - 0x0046D134 0x0006D3C4 0x000051C4 0x00000076
RegCreateKeyExA - 0x0046D138 0x0006D3C8 0x000051C8 0x00000076
RegCreateKeyExW - 0x0046D13C 0x0006D3CC 0x000051CC 0x00000069
RegReplaceKeyW - 0x0046D140 0x0006D3D0 0x000051D0 0x00000025
RegSaveKeyA - 0x0046D144 0x0006D3D4 0x000051D4 0x0000006C
shell32.dll (5)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DuplicateIcon - 0x0046D14C 0x0006D3DC 0x000051DC 0x00000037
StrChrW - 0x0046D150 0x0006D3E0 0x000051E0 0x00000064
SHGetDiskFreeSpaceExW - 0x0046D154 0x0006D3E4 0x000051E4 0x00000042
SHGetDataFromIDListW - 0x0046D158 0x0006D3E8 0x000051E8 0x00000005
StrRChrIW - 0x0046D15C 0x0006D3EC 0x000051EC 0x0000002E
SHLWAPI.DLL (10)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PathIsPrefixA - 0x0046D164 0x0006D3F4 0x000051F4 0x00000077
PathIsRootW - 0x0046D168 0x0006D3F8 0x000051F8 0x0000005D
StrCmpLogicalW - 0x0046D16C 0x0006D3FC 0x000051FC 0x00000072
SHEnumValueW - 0x0046D170 0x0006D400 0x00005200 0x00000035
PathParseIconLocationW - 0x0046D174 0x0006D404 0x00005204 0x00000060
PathIsUNCServerShareW - 0x0046D178 0x0006D408 0x00005208 0x0000002C
StrCmpIW - 0x0046D17C 0x0006D40C 0x0000520C 0x00000053
PathFindSuffixArrayA - 0x0046D180 0x0006D410 0x00005210 0x00000045
StrStrNW - 0x0046D184 0x0006D414 0x00005214 0x00000071
StrToIntW - 0x0046D188 0x0006D418 0x00005218 0x00000025
wsock32.dll (5)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EnumProtocolsW - 0x0046D190 0x0006D420 0x00005220 0x0000003C
SetServiceW - 0x0046D194 0x0006D424 0x00005224 0x0000005B
WSAAsyncGetProtoByNumber - 0x0046D198 0x0006D428 0x00005228 0x0000000D
connect - 0x0046D19C 0x0006D42C 0x0000522C 0x00000063
WSAAsyncGetHostByAddr - 0x0046D1A0 0x0006D430 0x00005230 0x0000004D
CRYPT32.DLL (12)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
I_CryptFindLruEntryData - 0x0046D1A8 0x0006D438 0x00005238 0x00000032
CertDeleteCTLFromStore - 0x0046D1AC 0x0006D43C 0x0000523C 0x00000051
CertEnumCRLContextProperties - 0x0046D1B0 0x0006D440 0x00005240 0x00000076
CryptDecodeMessage - 0x0046D1B4 0x0006D444 0x00005244 0x0000005B
CertNameToStrW - 0x0046D1B8 0x0006D448 0x00005248 0x00000047
CertFindCRLInStore - 0x0046D1BC 0x0006D44C 0x0000524C 0x00000001
CertRemoveEnhancedKeyUsageIdentifier - 0x0046D1C0 0x0006D450 0x00005250 0x00000034
I_CryptCreateLruEntry - 0x0046D1C4 0x0006D454 0x00005254 0x00000041
CertGetCRLFromStore - 0x0046D1C8 0x0006D458 0x00005258 0x0000005C
CertEnumCRLsInStore - 0x0046D1CC 0x0006D45C 0x0000525C 0x0000001C
CertNameToStrA - 0x0046D1D0 0x0006D460 0x00005260 0x0000000B
CertSetEnhancedKeyUsage - 0x0046D1D4 0x0006D464 0x00005264 0x00000010
Digital Signature Information
»
Verification Status Failed
Certificate: Panda Security S.L
»
Issued by Panda Security S.L
Parent Certificate VeriSign Class 3 Code Signing 2009-2 CA
Country Name ES
Valid From 2010-04-30 00:00 (UTC)
Valid Until 2011-05-07 23:59 (UTC)
Algorithm sha1_rsa
Serial Number 89 41 8A C3 8C 1B EB E7 E3 74 57 1B DB 86 C4
Thumbprint 94 94 A5 9C AE 3B D3 54 DB A1 C1 94 12 80 DB 8E 46 39 2B 10
Certificate: VeriSign Class 3 Code Signing 2009-2 CA
»
Issued by VeriSign Class 3 Code Signing 2009-2 CA
Country Name US
Valid From 2009-05-21 00:00 (UTC)
Valid Until 2019-05-20 23:59 (UTC)
Algorithm sha1_rsa
Serial Number 65 52 26 E1 B2 2E 18 E1 59 0F 29 85 AC 22 E7 5C
Thumbprint 12 D4 87 2B C3 EF 01 9E 7E 0B 6F 13 24 80 AE 29 DB 5B 1C A3
Memory Dumps (156)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
svchost.exe 1 0x00400000 0x00588FFF Relevant Image False 32-bit 0x0046A82E False
...
buffer 1 0x00300000 0x00350FFF First Execution False 32-bit 0x00300000 False
...
svchost.exe 1 0x00400000 0x00588FFF Content Changed False 32-bit 0x00402B70 False
...
svchost.exe 1 0x00400000 0x00588FFF Process Termination False 32-bit - False
...
svchost.exe 2 0x00400000 0x00588FFF Relevant Image False 32-bit 0x0046A82E False
...
buffer 2 0x00210000 0x00260FFF First Execution False 32-bit 0x00210000 False
...
svchost.exe 2 0x00400000 0x00588FFF Content Changed False 32-bit 0x00402B70 False
...
buffer 2 0x02420000 0x024C7FFF First Execution False 32-bit 0x02421360 False
...
buffer 2 0x025D0000 0x02685FFF First Execution False 32-bit 0x025E7220 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F55C0 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F4C00 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025E32C0 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025D6BC0 False
...
buffer 2 0x02A90048 0x02AC6797 Image In Buffer False 32-bit - False
...
svchost.exe 2 0x00400000 0x00588FFF Final Dump False 32-bit - False
...
buffer 2 0x02A8F000 0x02A8FFFF First Network Behavior False 32-bit - False
...
buffer 2 0x0298F000 0x0298FFFF First Network Behavior False 32-bit - False
...
buffer 2 0x025CF000 0x025CFFFF First Network Behavior False 32-bit - False
...
buffer 2 0x0278D000 0x0278FFFF First Network Behavior False 32-bit - False
...
buffer 2 0x025CF000 0x025CFFFF First Network Behavior False 32-bit - False
...
buffer 2 0x0018C000 0x0018FFFF First Network Behavior False 32-bit - False
...
buffer 2 0x00210000 0x00260FFF First Network Behavior False 32-bit - False
...
buffer 2 0x003F0000 0x003F0FFF First Network Behavior False 32-bit - False
...
buffer 2 0x02420000 0x024C7FFF First Network Behavior False 32-bit - False
...
buffer 2 0x025D0000 0x02685FFF First Network Behavior False 32-bit - False
...
buffer 2 0x02A90048 0x02AC6797 First Network Behavior False 32-bit - False
...
svchost.exe 2 0x00400000 0x00588FFF First Network Behavior False 32-bit - False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F4A5A False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F52D0 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025E4B85 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025D1720 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F487E False
...
svchost.exe 39 0x00400000 0x00588FFF Relevant Image False 32-bit 0x0046A82E False
...
buffer 39 0x002B0000 0x00300FFF First Execution False 32-bit 0x002B0000 False
...
svchost.exe 39 0x00400000 0x00588FFF Content Changed False 32-bit 0x00402B70 False
...
svchost.exe 41 0x00400000 0x00588FFF First Execution False 32-bit 0x00402B70 False
...
buffer 41 0x00210000 0x00260FFF First Execution False 32-bit 0x00210000 False
...
buffer 39 0x023C0000 0x02467FFF First Execution False 32-bit 0x023C1360 False
...
buffer 39 0x02570000 0x02625FFF First Execution False 32-bit 0x02587220 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x025955C0 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02594C00 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x025832C0 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02582260 False
...
buffer 39 0x00350000 0x00350FFF Content Changed False 32-bit - False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02589E50 False
...
buffer 39 0x00350000 0x00350FFF Marked Executable False 32-bit - False
...
buffer 39 0x003F0000 0x003F0FFF Marked Executable False 32-bit - False
...
buffer 39 0x003F0000 0x003F0FFF Content Changed False 32-bit - False
...
buffer 39 0x00350000 0x00350FFF Content Changed False 32-bit - False
...
buffer 39 0x00590000 0x00590FFF Marked Executable False 32-bit - False
...
buffer 39 0x00590000 0x00590FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02585321 False
...
buffer 39 0x005A0000 0x005A0FFF Content Changed False 32-bit - False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02589E50 False
...
buffer 39 0x005A0000 0x005A0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005B0000 0x005B0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005B0000 0x005B0FFF Content Changed False 32-bit - False
...
buffer 39 0x005A0000 0x005A0FFF Content Changed False 32-bit - False
...
buffer 39 0x005C0000 0x005C0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005C0000 0x005C0FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 39 0x005D0000 0x005D0FFF Content Changed False 32-bit - False
...
buffer 39 0x005D0000 0x005D0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005E0000 0x005E0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005E0000 0x005E0FFF Content Changed False 32-bit - False
...
buffer 39 0x005D0000 0x005D0FFF Content Changed False 32-bit - False
...
buffer 39 0x005F0000 0x005F0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005F0000 0x005F0FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 39 0x00600000 0x00600FFF Content Changed False 32-bit - False
...
buffer 39 0x00600000 0x00600FFF Marked Executable False 32-bit - False
...
buffer 39 0x00610000 0x00610FFF Marked Executable False 32-bit - False
...
buffer 39 0x00610000 0x00610FFF Content Changed False 32-bit - False
...
buffer 39 0x00600000 0x00600FFF Content Changed False 32-bit - False
...
buffer 39 0x02210000 0x02210FFF Marked Executable False 32-bit - False
...
buffer 39 0x02210000 0x02210FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF First Execution False 32-bit 0x7530FDCA False
...
buffer 39 0x02220000 0x02220FFF Content Changed False 32-bit - False
...
buffer 39 0x02220000 0x02220FFF Marked Executable False 32-bit - False
...
buffer 39 0x02230000 0x02230FFF Marked Executable False 32-bit - False
...
buffer 39 0x02230000 0x02230FFF Content Changed False 32-bit - False
...
buffer 39 0x02220000 0x02220FFF Content Changed False 32-bit - False
...
buffer 39 0x02240000 0x02240FFF Marked Executable False 32-bit - False
...
buffer 39 0x02240000 0x02240FFF Content Changed False 32-bit - False
...
ntdll.dll 39 0x77590000 0x7770FFFF First Execution False 32-bit 0x775BE026 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02594450 False
...
buffer 39 0x02250000 0x02250FFF Content Changed False 32-bit - False
...
buffer 39 0x02250000 0x02250FFF Marked Executable False 32-bit - False
...
buffer 39 0x02360000 0x02360FFF Marked Executable False 32-bit - False
...
buffer 39 0x02360000 0x02360FFF Content Changed False 32-bit - False
...
buffer 39 0x02250000 0x02250FFF Content Changed False 32-bit - False
...
buffer 39 0x02370000 0x02370FFF Marked Executable False 32-bit - False
...
buffer 39 0x02370000 0x02370FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF Content Changed False 32-bit 0x7530FDCA False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x025870EE False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02577D50 False
...
buffer 41 0x022D0000 0x02377FFF First Execution False 32-bit 0x022D1360 False
...
buffer 41 0x025B0000 0x02665FFF First Execution False 32-bit 0x025C7220 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025D55C0 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025D4C00 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025C32C0 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025C2260 False
...
buffer 41 0x002C0000 0x002C0FFF Content Changed False 32-bit - False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025C9E50 False
...
buffer 41 0x002C0000 0x002C0FFF Marked Executable False 32-bit - False
...
buffer 41 0x003E0000 0x003E0FFF Marked Executable False 32-bit - False
...
buffer 41 0x003E0000 0x003E0FFF Content Changed False 32-bit - False
...
buffer 41 0x002C0000 0x002C0FFF Content Changed False 32-bit - False
...
buffer 41 0x003F0000 0x003F0FFF Marked Executable False 32-bit - False
...
buffer 41 0x003F0000 0x003F0FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 41 0x00690000 0x00690FFF Content Changed False 32-bit - False
...
buffer 41 0x00690000 0x00690FFF Marked Executable False 32-bit - False
...
buffer 41 0x006B0000 0x006B0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006B0000 0x006B0FFF Content Changed False 32-bit - False
...
buffer 41 0x00690000 0x00690FFF Content Changed False 32-bit - False
...
buffer 41 0x006C0000 0x006C0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006C0000 0x006C0FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 41 0x006D0000 0x006D0FFF Content Changed False 32-bit - False
...
buffer 41 0x006D0000 0x006D0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006E0000 0x006E0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006E0000 0x006E0FFF Content Changed False 32-bit - False
...
buffer 41 0x006D0000 0x006D0FFF Content Changed False 32-bit - False
...
buffer 41 0x006F0000 0x006F0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006F0000 0x006F0FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 41 0x00700000 0x00700FFF Content Changed False 32-bit - False
...
buffer 41 0x00700000 0x00700FFF Marked Executable False 32-bit - False
...
buffer 41 0x02200000 0x02200FFF Marked Executable False 32-bit - False
...
buffer 41 0x02200000 0x02200FFF Content Changed False 32-bit - False
...
buffer 41 0x00700000 0x00700FFF Content Changed False 32-bit - False
...
buffer 41 0x02210000 0x02210FFF Marked Executable False 32-bit - False
...
buffer 41 0x02210000 0x02210FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF First Execution False 32-bit 0x7530FDCA False
...
buffer 41 0x02220000 0x02220FFF Content Changed False 32-bit - False
...
buffer 41 0x02220000 0x02220FFF Marked Executable False 32-bit - False
...
buffer 41 0x02230000 0x02230FFF Marked Executable False 32-bit - False
...
buffer 41 0x02230000 0x02230FFF Content Changed False 32-bit - False
...
buffer 41 0x02220000 0x02220FFF Content Changed False 32-bit - False
...
buffer 41 0x02240000 0x02240FFF Marked Executable False 32-bit - False
...
buffer 41 0x02240000 0x02240FFF Content Changed False 32-bit - False
...
ntdll.dll 41 0x77590000 0x7770FFFF First Execution False 32-bit 0x775BE026 False
...
buffer 41 0x02250000 0x02250FFF Content Changed False 32-bit - False
...
buffer 41 0x02250000 0x02250FFF Marked Executable False 32-bit - False
...
buffer 41 0x02260000 0x02260FFF Marked Executable False 32-bit - False
...
buffer 41 0x02260000 0x02260FFF Content Changed False 32-bit - False
...
buffer 41 0x02250000 0x02250FFF Content Changed False 32-bit - False
...
buffer 41 0x02270000 0x02270FFF Marked Executable False 32-bit - False
...
buffer 41 0x02270000 0x02270FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF Content Changed False 32-bit 0x7530FDCA False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025BD7A0 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025B7D50 False
...
svchost.exe 39 0x00400000 0x00588FFF Final Dump False 32-bit - False
...
svchost.exe 41 0x00400000 0x00588FFF Final Dump False 32-bit - False
...
c:\windows\apppatch\svchost.exe Dropped File Binary
Malicious
...
»
Also Known As C:\Windows\AppPatch\svchost.exe (Accessed File)
C:\Windows\apppatch\svchost.exe (Dropped File, Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 217.81 KB
MD5 ee88359168db82fd601d3ca2fe76848b Copy to Clipboard
SHA1 b9cd2a0b9cb740906fe806432f121d31db82e456 Copy to Clipboard
SHA256 067d79aaff45a153255599142e0856e5b6a739aaa5e406e784c52958dd84c1c2 Copy to Clipboard
SSDeep 6144:grRaTyDOnlo7eM+mlkWgRXOqobzWjozm2ulYM6Y:ysTbzu1glovW4EH6Y Copy to Clipboard
ImpHash a1477f62efa130779fcb2868cf890b42 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x00469CD7
Size Of Code 0x00003400
Size Of Initialized Data 0x00031919
Size Of Uninitialized Data 0x0014CEAF
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 1996-09-14 03:16 (UTC)
Version Information (6)
»
FileVersion 9.6.2.2
ProductVersion 2.2.1.9
FileDescription synapticula
CompanyName COMODO
LegalCopyright Glabellum
ProductName Hysterically
Sections (9)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.T 0x00401000 0x00000719 0x00000719 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.48
.gF 0x00402000 0x00066335 0x00000E00 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.32
.HEYeA 0x00469000 0x000033FA 0x00003400 0x00001A00 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.07
.uH 0x0046D000 0x000074B4 0x00000E00 0x00004E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.01
.TqqCdb 0x00475000 0x00072688 0x00000C00 0x00005C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.23
.data 0x004E8000 0x0006D6F6 0x0002BC00 0x00006800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.99
.d 0x00556000 0x0002F948 0x00000A00 0x00032400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.61
.rsrc 0x00586000 0x00001EAC 0x00002000 0x00032E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.74
.reloc 0x00588000 0x00000390 0x00000400 0x00034E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.59
Imports (8)
»
kernel32.dll (42)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetVersion - 0x0046D000 0x0006D290 0x00005090 0x00000001
lstrlenW - 0x0046D004 0x0006D294 0x00005094 0x0000003A
SetLocaleInfoA - 0x0046D008 0x0006D298 0x00005098 0x00000024
GetNumberFormatA - 0x0046D00C 0x0006D29C 0x0000509C 0x00000076
OpenEventW - 0x0046D010 0x0006D2A0 0x000050A0 0x0000001A
WaitForMultipleObjects - 0x0046D014 0x0006D2A4 0x000050A4 0x0000000A
SetCalendarInfoA - 0x0046D018 0x0006D2A8 0x000050A8 0x0000003F
lstrcmpiA - 0x0046D01C 0x0006D2AC 0x000050AC 0x0000000D
EnumTimeFormatsA - 0x0046D020 0x0006D2B0 0x000050B0 0x00000061
GetLocaleInfoA - 0x0046D024 0x0006D2B4 0x000050B4 0x00000068
FreeResource - 0x0046D028 0x0006D2B8 0x000050B8 0x0000002B
lstrcatA - 0x0046D02C 0x0006D2BC 0x000050BC 0x00000067
DisconnectNamedPipe - 0x0046D030 0x0006D2C0 0x000050C0 0x00000012
LoadLibraryA - 0x0046D034 0x0006D2C4 0x000050C4 0x00000021
GetCurrentDirectoryW - 0x0046D038 0x0006D2C8 0x000050C8 0x0000003E
lstrlenA - 0x0046D03C 0x0006D2CC 0x000050CC 0x00000005
SetPriorityClass - 0x0046D040 0x0006D2D0 0x000050D0 0x00000027
GetCurrentThreadId - 0x0046D044 0x0006D2D4 0x000050D4 0x00000014
GetSystemDirectoryW - 0x0046D048 0x0006D2D8 0x000050D8 0x00000005
RemoveDirectoryW - 0x0046D04C 0x0006D2DC 0x000050DC 0x0000001C
GetTempFileNameW - 0x0046D050 0x0006D2E0 0x000050E0 0x00000052
GetModuleFileNameA - 0x0046D054 0x0006D2E4 0x000050E4 0x0000005C
lstrcmpA - 0x0046D058 0x0006D2E8 0x000050E8 0x00000057
SetComputerNameW - 0x0046D05C 0x0006D2EC 0x000050EC 0x00000051
GetLocalTime - 0x0046D060 0x0006D2F0 0x000050F0 0x0000001B
IsDebuggerPresent - 0x0046D064 0x0006D2F4 0x000050F4 0x0000004F
CreateThread - 0x0046D068 0x0006D2F8 0x000050F8 0x00000068
GetDateFormatW - 0x0046D06C 0x0006D2FC 0x000050FC 0x00000040
GetFileAttributesA - 0x0046D070 0x0006D300 0x00005100 0x0000002B
IsBadReadPtr - 0x0046D074 0x0006D304 0x00005104 0x00000042
BeginUpdateResourceA - 0x0046D078 0x0006D308 0x00005108 0x0000005E
GetCalendarInfoW - 0x0046D07C 0x0006D30C 0x0000510C 0x00000015
GetCommandLineW - 0x0046D080 0x0006D310 0x00005110 0x0000006A
FileTimeToSystemTime - 0x0046D084 0x0006D314 0x00005114 0x00000064
OpenSemaphoreW - 0x0046D088 0x0006D318 0x00005118 0x00000046
MoveFileW - 0x0046D08C 0x0006D31C 0x0000511C 0x0000005E
GetProcAddress - 0x0046D090 0x0006D320 0x00005120 0x00000041
QueryPerformanceCounter - 0x0046D094 0x0006D324 0x00005124 0x0000005D
SuspendThread - 0x0046D098 0x0006D328 0x00005128 0x00000062
GetACP - 0x0046D09C 0x0006D32C 0x0000512C 0x00000017
lstrcpynA - 0x0046D0A0 0x0006D330 0x00005130 0x0000004F
GetStartupInfoW - 0x0046D0A4 0x0006D334 0x00005134 0x0000005A
user32.dll (13)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeleteMenu - 0x0046D0AC 0x0006D33C 0x0000513C 0x00000055
DefWindowProcW - 0x0046D0B0 0x0006D340 0x00005140 0x00000027
SendMessageA - 0x0046D0B4 0x0006D344 0x00005144 0x0000004E
DestroyCursor - 0x0046D0B8 0x0006D348 0x00005148 0x00000020
GetDlgItemTextW - 0x0046D0BC 0x0006D34C 0x0000514C 0x0000007F
FillRect - 0x0046D0C0 0x0006D350 0x00005150 0x00000034
GetActiveWindow - 0x0046D0C4 0x0006D354 0x00005154 0x00000049
CreateDialogParamW - 0x0046D0C8 0x0006D358 0x00005158 0x00000052
GetSubMenu - 0x0046D0CC 0x0006D35C 0x0000515C 0x0000006B
LoadCursorA - 0x0046D0D0 0x0006D360 0x00005160 0x0000005F
GetWindowLongA - 0x0046D0D4 0x0006D364 0x00005164 0x0000003B
GetTopWindow - 0x0046D0D8 0x0006D368 0x00005168 0x0000007E
wsprintfW - 0x0046D0DC 0x0006D36C 0x0000516C 0x0000003C
gdi32.dll (19)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetCharABCWidthsW - 0x0046D0E4 0x0006D374 0x00005174 0x00000009
CreateICA - 0x0046D0E8 0x0006D378 0x00005178 0x00000068
EndPage - 0x0046D0EC 0x0006D37C 0x0000517C 0x00000066
ExcludeClipRect - 0x0046D0F0 0x0006D380 0x00005180 0x00000003
GetGlyphOutlineW - 0x0046D0F4 0x0006D384 0x00005184 0x00000071
OffsetClipRgn - 0x0046D0F8 0x0006D388 0x00005188 0x00000076
UpdateColors - 0x0046D0FC 0x0006D38C 0x0000518C 0x00000001
Pie - 0x0046D100 0x0006D390 0x00005190 0x00000066
GetObjectW - 0x0046D104 0x0006D394 0x00005194 0x00000074
GetMetaFileBitsEx - 0x0046D108 0x0006D398 0x00005198 0x0000003E
OffsetViewportOrgEx - 0x0046D10C 0x0006D39C 0x0000519C 0x00000072
GetEnhMetaFileDescriptionA - 0x0046D110 0x0006D3A0 0x000051A0 0x00000066
InvertRgn - 0x0046D114 0x0006D3A4 0x000051A4 0x00000002
SetMapperFlags - 0x0046D118 0x0006D3A8 0x000051A8 0x0000004C
GetTextExtentExPointI - 0x0046D11C 0x0006D3AC 0x000051AC 0x00000071
CreateDCA - 0x0046D120 0x0006D3B0 0x000051B0 0x00000044
GetBkMode - 0x0046D124 0x0006D3B4 0x000051B4 0x00000047
GetEnhMetaFileA - 0x0046D128 0x0006D3B8 0x000051B8 0x00000050
GetCharABCWidthsA - 0x0046D12C 0x0006D3BC 0x000051BC 0x00000007
advapi32.dll (5)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegOpenKeyA - 0x0046D134 0x0006D3C4 0x000051C4 0x00000076
RegCreateKeyExA - 0x0046D138 0x0006D3C8 0x000051C8 0x00000076
RegCreateKeyExW - 0x0046D13C 0x0006D3CC 0x000051CC 0x00000069
RegReplaceKeyW - 0x0046D140 0x0006D3D0 0x000051D0 0x00000025
RegSaveKeyA - 0x0046D144 0x0006D3D4 0x000051D4 0x0000006C
shell32.dll (5)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DuplicateIcon - 0x0046D14C 0x0006D3DC 0x000051DC 0x00000037
StrChrW - 0x0046D150 0x0006D3E0 0x000051E0 0x00000064
SHGetDiskFreeSpaceExW - 0x0046D154 0x0006D3E4 0x000051E4 0x00000042
SHGetDataFromIDListW - 0x0046D158 0x0006D3E8 0x000051E8 0x00000005
StrRChrIW - 0x0046D15C 0x0006D3EC 0x000051EC 0x0000002E
SHLWAPI.DLL (10)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PathIsPrefixA - 0x0046D164 0x0006D3F4 0x000051F4 0x00000077
PathIsRootW - 0x0046D168 0x0006D3F8 0x000051F8 0x0000005D
StrCmpLogicalW - 0x0046D16C 0x0006D3FC 0x000051FC 0x00000072
SHEnumValueW - 0x0046D170 0x0006D400 0x00005200 0x00000035
PathParseIconLocationW - 0x0046D174 0x0006D404 0x00005204 0x00000060
PathIsUNCServerShareW - 0x0046D178 0x0006D408 0x00005208 0x0000002C
StrCmpIW - 0x0046D17C 0x0006D40C 0x0000520C 0x00000053
PathFindSuffixArrayA - 0x0046D180 0x0006D410 0x00005210 0x00000045
StrStrNW - 0x0046D184 0x0006D414 0x00005214 0x00000071
StrToIntW - 0x0046D188 0x0006D418 0x00005218 0x00000025
wsock32.dll (5)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EnumProtocolsW - 0x0046D190 0x0006D420 0x00005220 0x0000003C
SetServiceW - 0x0046D194 0x0006D424 0x00005224 0x0000005B
WSAAsyncGetProtoByNumber - 0x0046D198 0x0006D428 0x00005228 0x0000000D
connect - 0x0046D19C 0x0006D42C 0x0000522C 0x00000063
WSAAsyncGetHostByAddr - 0x0046D1A0 0x0006D430 0x00005230 0x0000004D
CRYPT32.DLL (12)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
I_CryptFindLruEntryData - 0x0046D1A8 0x0006D438 0x00005238 0x00000032
CertDeleteCTLFromStore - 0x0046D1AC 0x0006D43C 0x0000523C 0x00000051
CertEnumCRLContextProperties - 0x0046D1B0 0x0006D440 0x00005240 0x00000076
CryptDecodeMessage - 0x0046D1B4 0x0006D444 0x00005244 0x0000005B
CertNameToStrW - 0x0046D1B8 0x0006D448 0x00005248 0x00000047
CertFindCRLInStore - 0x0046D1BC 0x0006D44C 0x0000524C 0x00000001
CertRemoveEnhancedKeyUsageIdentifier - 0x0046D1C0 0x0006D450 0x00005250 0x00000034
I_CryptCreateLruEntry - 0x0046D1C4 0x0006D454 0x00005254 0x00000041
CertGetCRLFromStore - 0x0046D1C8 0x0006D458 0x00005258 0x0000005C
CertEnumCRLsInStore - 0x0046D1CC 0x0006D45C 0x0000525C 0x0000001C
CertNameToStrA - 0x0046D1D0 0x0006D460 0x00005260 0x0000000B
CertSetEnhancedKeyUsage - 0x0046D1D4 0x0006D464 0x00005264 0x00000010
Digital Signature Information
»
Verification Status Failed
Certificate: Panda Security S.L
»
Issued by Panda Security S.L
Parent Certificate VeriSign Class 3 Code Signing 2009-2 CA
Country Name ES
Valid From 2010-04-30 00:00 (UTC)
Valid Until 2011-05-07 23:59 (UTC)
Algorithm sha1_rsa
Serial Number 89 41 8A C3 8C 1B EB E7 E3 74 57 1B DB 86 C4
Thumbprint 94 94 A5 9C AE 3B D3 54 DB A1 C1 94 12 80 DB 8E 46 39 2B 10
Certificate: VeriSign Class 3 Code Signing 2009-2 CA
»
Issued by VeriSign Class 3 Code Signing 2009-2 CA
Country Name US
Valid From 2009-05-21 00:00 (UTC)
Valid Until 2019-05-20 23:59 (UTC)
Algorithm sha1_rsa
Serial Number 65 52 26 E1 B2 2E 18 E1 59 0F 29 85 AC 22 E7 5C
Thumbprint 12 D4 87 2B C3 EF 01 9E 7E 0B 6F 13 24 80 AE 29 DB 5B 1C A3
Memory Dumps (152)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
svchost.exe 2 0x00400000 0x00588FFF Relevant Image False 32-bit 0x0046A82E False
...
buffer 2 0x00210000 0x00260FFF First Execution False 32-bit 0x00210000 False
...
svchost.exe 2 0x00400000 0x00588FFF Content Changed False 32-bit 0x00402B70 False
...
buffer 2 0x02420000 0x024C7FFF First Execution False 32-bit 0x02421360 False
...
buffer 2 0x025D0000 0x02685FFF First Execution False 32-bit 0x025E7220 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F55C0 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F4C00 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025E32C0 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025D6BC0 False
...
buffer 2 0x02A90048 0x02AC6797 Image In Buffer False 32-bit - False
...
svchost.exe 2 0x00400000 0x00588FFF Final Dump False 32-bit - False
...
buffer 2 0x02A8F000 0x02A8FFFF First Network Behavior False 32-bit - False
...
buffer 2 0x0298F000 0x0298FFFF First Network Behavior False 32-bit - False
...
buffer 2 0x025CF000 0x025CFFFF First Network Behavior False 32-bit - False
...
buffer 2 0x0278D000 0x0278FFFF First Network Behavior False 32-bit - False
...
buffer 2 0x025CF000 0x025CFFFF First Network Behavior False 32-bit - False
...
buffer 2 0x0018C000 0x0018FFFF First Network Behavior False 32-bit - False
...
buffer 2 0x00210000 0x00260FFF First Network Behavior False 32-bit - False
...
buffer 2 0x003F0000 0x003F0FFF First Network Behavior False 32-bit - False
...
buffer 2 0x02420000 0x024C7FFF First Network Behavior False 32-bit - False
...
buffer 2 0x025D0000 0x02685FFF First Network Behavior False 32-bit - False
...
buffer 2 0x02A90048 0x02AC6797 First Network Behavior False 32-bit - False
...
svchost.exe 2 0x00400000 0x00588FFF First Network Behavior False 32-bit - False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F4A5A False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F52D0 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025E4B85 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025D1720 False
...
buffer 2 0x025D0000 0x02685FFF Content Changed False 32-bit 0x025F487E False
...
svchost.exe 39 0x00400000 0x00588FFF Relevant Image False 32-bit 0x0046A82E False
...
buffer 39 0x002B0000 0x00300FFF First Execution False 32-bit 0x002B0000 False
...
svchost.exe 39 0x00400000 0x00588FFF Content Changed False 32-bit 0x00402B70 False
...
svchost.exe 41 0x00400000 0x00588FFF First Execution False 32-bit 0x00402B70 False
...
buffer 41 0x00210000 0x00260FFF First Execution False 32-bit 0x00210000 False
...
buffer 39 0x023C0000 0x02467FFF First Execution False 32-bit 0x023C1360 False
...
buffer 39 0x02570000 0x02625FFF First Execution False 32-bit 0x02587220 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x025955C0 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02594C00 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x025832C0 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02582260 False
...
buffer 39 0x00350000 0x00350FFF Content Changed False 32-bit - False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02589E50 False
...
buffer 39 0x00350000 0x00350FFF Marked Executable False 32-bit - False
...
buffer 39 0x003F0000 0x003F0FFF Marked Executable False 32-bit - False
...
buffer 39 0x003F0000 0x003F0FFF Content Changed False 32-bit - False
...
buffer 39 0x00350000 0x00350FFF Content Changed False 32-bit - False
...
buffer 39 0x00590000 0x00590FFF Marked Executable False 32-bit - False
...
buffer 39 0x00590000 0x00590FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02585321 False
...
buffer 39 0x005A0000 0x005A0FFF Content Changed False 32-bit - False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02589E50 False
...
buffer 39 0x005A0000 0x005A0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005B0000 0x005B0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005B0000 0x005B0FFF Content Changed False 32-bit - False
...
buffer 39 0x005A0000 0x005A0FFF Content Changed False 32-bit - False
...
buffer 39 0x005C0000 0x005C0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005C0000 0x005C0FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 39 0x005D0000 0x005D0FFF Content Changed False 32-bit - False
...
buffer 39 0x005D0000 0x005D0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005E0000 0x005E0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005E0000 0x005E0FFF Content Changed False 32-bit - False
...
buffer 39 0x005D0000 0x005D0FFF Content Changed False 32-bit - False
...
buffer 39 0x005F0000 0x005F0FFF Marked Executable False 32-bit - False
...
buffer 39 0x005F0000 0x005F0FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 39 0x00600000 0x00600FFF Content Changed False 32-bit - False
...
buffer 39 0x00600000 0x00600FFF Marked Executable False 32-bit - False
...
buffer 39 0x00610000 0x00610FFF Marked Executable False 32-bit - False
...
buffer 39 0x00610000 0x00610FFF Content Changed False 32-bit - False
...
buffer 39 0x00600000 0x00600FFF Content Changed False 32-bit - False
...
buffer 39 0x02210000 0x02210FFF Marked Executable False 32-bit - False
...
buffer 39 0x02210000 0x02210FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF First Execution False 32-bit 0x7530FDCA False
...
buffer 39 0x02220000 0x02220FFF Content Changed False 32-bit - False
...
buffer 39 0x02220000 0x02220FFF Marked Executable False 32-bit - False
...
buffer 39 0x02230000 0x02230FFF Marked Executable False 32-bit - False
...
buffer 39 0x02230000 0x02230FFF Content Changed False 32-bit - False
...
buffer 39 0x02220000 0x02220FFF Content Changed False 32-bit - False
...
buffer 39 0x02240000 0x02240FFF Marked Executable False 32-bit - False
...
buffer 39 0x02240000 0x02240FFF Content Changed False 32-bit - False
...
ntdll.dll 39 0x77590000 0x7770FFFF First Execution False 32-bit 0x775BE026 False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02594450 False
...
buffer 39 0x02250000 0x02250FFF Content Changed False 32-bit - False
...
buffer 39 0x02250000 0x02250FFF Marked Executable False 32-bit - False
...
buffer 39 0x02360000 0x02360FFF Marked Executable False 32-bit - False
...
buffer 39 0x02360000 0x02360FFF Content Changed False 32-bit - False
...
buffer 39 0x02250000 0x02250FFF Content Changed False 32-bit - False
...
buffer 39 0x02370000 0x02370FFF Marked Executable False 32-bit - False
...
buffer 39 0x02370000 0x02370FFF Content Changed False 32-bit - False
...
user32.dll 39 0x752F0000 0x753EFFFF Content Changed False 32-bit 0x7530FDCA False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x025870EE False
...
buffer 39 0x02570000 0x02625FFF Content Changed False 32-bit 0x02577D50 False
...
buffer 41 0x022D0000 0x02377FFF First Execution False 32-bit 0x022D1360 False
...
buffer 41 0x025B0000 0x02665FFF First Execution False 32-bit 0x025C7220 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025D55C0 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025D4C00 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025C32C0 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025C2260 False
...
buffer 41 0x002C0000 0x002C0FFF Content Changed False 32-bit - False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025C9E50 False
...
buffer 41 0x002C0000 0x002C0FFF Marked Executable False 32-bit - False
...
buffer 41 0x003E0000 0x003E0FFF Marked Executable False 32-bit - False
...
buffer 41 0x003E0000 0x003E0FFF Content Changed False 32-bit - False
...
buffer 41 0x002C0000 0x002C0FFF Content Changed False 32-bit - False
...
buffer 41 0x003F0000 0x003F0FFF Marked Executable False 32-bit - False
...
buffer 41 0x003F0000 0x003F0FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 41 0x00690000 0x00690FFF Content Changed False 32-bit - False
...
buffer 41 0x00690000 0x00690FFF Marked Executable False 32-bit - False
...
buffer 41 0x006B0000 0x006B0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006B0000 0x006B0FFF Content Changed False 32-bit - False
...
buffer 41 0x00690000 0x00690FFF Content Changed False 32-bit - False
...
buffer 41 0x006C0000 0x006C0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006C0000 0x006C0FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 41 0x006D0000 0x006D0FFF Content Changed False 32-bit - False
...
buffer 41 0x006D0000 0x006D0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006E0000 0x006E0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006E0000 0x006E0FFF Content Changed False 32-bit - False
...
buffer 41 0x006D0000 0x006D0FFF Content Changed False 32-bit - False
...
buffer 41 0x006F0000 0x006F0FFF Marked Executable False 32-bit - False
...
buffer 41 0x006F0000 0x006F0FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF Content Changed False 32-bit - False
...
buffer 41 0x00700000 0x00700FFF Content Changed False 32-bit - False
...
buffer 41 0x00700000 0x00700FFF Marked Executable False 32-bit - False
...
buffer 41 0x02200000 0x02200FFF Marked Executable False 32-bit - False
...
buffer 41 0x02200000 0x02200FFF Content Changed False 32-bit - False
...
buffer 41 0x00700000 0x00700FFF Content Changed False 32-bit - False
...
buffer 41 0x02210000 0x02210FFF Marked Executable False 32-bit - False
...
buffer 41 0x02210000 0x02210FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF First Execution False 32-bit 0x7530FDCA False
...
buffer 41 0x02220000 0x02220FFF Content Changed False 32-bit - False
...
buffer 41 0x02220000 0x02220FFF Marked Executable False 32-bit - False
...
buffer 41 0x02230000 0x02230FFF Marked Executable False 32-bit - False
...
buffer 41 0x02230000 0x02230FFF Content Changed False 32-bit - False
...
buffer 41 0x02220000 0x02220FFF Content Changed False 32-bit - False
...
buffer 41 0x02240000 0x02240FFF Marked Executable False 32-bit - False
...
buffer 41 0x02240000 0x02240FFF Content Changed False 32-bit - False
...
ntdll.dll 41 0x77590000 0x7770FFFF First Execution False 32-bit 0x775BE026 False
...
buffer 41 0x02250000 0x02250FFF Content Changed False 32-bit - False
...
buffer 41 0x02250000 0x02250FFF Marked Executable False 32-bit - False
...
buffer 41 0x02260000 0x02260FFF Marked Executable False 32-bit - False
...
buffer 41 0x02260000 0x02260FFF Content Changed False 32-bit - False
...
buffer 41 0x02250000 0x02250FFF Content Changed False 32-bit - False
...
buffer 41 0x02270000 0x02270FFF Marked Executable False 32-bit - False
...
buffer 41 0x02270000 0x02270FFF Content Changed False 32-bit - False
...
user32.dll 41 0x752F0000 0x753EFFFF Content Changed False 32-bit 0x7530FDCA False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025BD7A0 False
...
buffer 41 0x025B0000 0x02665FFF Content Changed False 32-bit 0x025B7D50 False
...
svchost.exe 39 0x00400000 0x00588FFF Final Dump False 32-bit - False
...
svchost.exe 41 0x00400000 0x00588FFF Final Dump False 32-bit - False
...
C:\Users\KEECFM~1\AppData\Local\Temp\57E2.tmp Dropped File Empty
Clean
...
  • Actions
»
Also Known As C:\Users\KEECFM~1\AppData\Local\Temp\64A.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\6D7.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\707.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\727.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\728.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\765A.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\768A.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\76D9.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\772.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\7783.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\77A3.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\7811.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\7812.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\7823.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\78FC.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\78FD.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\78FE.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\78FF.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\7900.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\7901.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\7902.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\7903.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\796B.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\79AB.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\7A2.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8078.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\80B6.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\80D6.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\80F6.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8115.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8116.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8117.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8118.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8119.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8124.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8127.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8128.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8153.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8154.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8155.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8221.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\827F.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\82DB.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\82DC.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8359.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\83E7.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\83E8.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\83F6.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8426.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8427.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8428.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8456.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8457.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8476.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\855E.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\855F.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8570.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8580.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8581.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\85B1.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\865B.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8800.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\885B.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\886C.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8CC7.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8E8D.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8E8E.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8E8F.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8E90.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8EBF.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8EC0.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8ED1.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8F20.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8F40.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8F51.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\8F52.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\A40.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\A41.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\A50.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\A51.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\A52.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\A61.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\A62.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\A72.tmp (Dropped File, Accessed File)
C:\Users\KEECFM~1\AppData\Local\Temp\B7B9.tmp (Dropped File, Accessed File)
MIME Type application/x-empty
File Size 0 Bytes (not extracted)
MD5 d41d8cd98f00b204e9800998ecf8427e Copy to Clipboard
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Copy to Clipboard
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Copy to Clipboard
SSDeep 3:: Copy to Clipboard
ImpHash -
VMRay - Analyzer - www.vmray.com
Legal Note - Privacy Policy
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    

     Exit-Icon
    

    

     

      WHOIS Domain Information
     

     

      

       
        Domain Name
       
       
       
      

      

       
        WHOIS Response
       
       
        

       		
      

     

    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image