Malicious
Classifications

Backdoor Miner PUA

Threat Names

XMRig App/Generic-GD XMRig.A

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "3 minutes" to "10 seconds" to reveal dormant functionality.

Remarks

(0x0200004A): 1 dump(s) were skipped because they exceeded the maximum dump size of 16 MB. The largest one was 256 MB.

File Name Category Type Verdict Actions
C:\Users\OqXZRaykm\Desktop\OKLA.exe Sample File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 2.40 MB
MD5 4379963b0db3cf12eb6d98cf99309530
SHA1 63c16beb848298bee79917d07acef355ab201eab
SHA256 edc3533b754041cd2d716a3f353342264b1075e68074c010b20bee3c73cb7452
SSDeep 49152:nILLyvOacuT9fbDxw6++uxp+NqiurJoP6rZ0B1qxtVujoiJ67XoifXUGOOnx:nxzfaJ+uxp+8rZ9t8JQfEQx
ImpHash 0ae9e38912ff6bd742a1b9e5c003576a
File Reputation Information
Verdict
Suspicious
Names App/Generic-GD
Classification PUA
PE Information
Image Base 0x00400000
Entry Point 0x00420790
Size Of Code 0x00032E00
Size Of Initialized Data 0x00040000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-08-01 11:26 (UTC+2)
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00032DCC 0x00032E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.71
.rdata 0x00434000 0x0000B1D0 0x0000B200 0x00033200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.27
.data 0x00440000 0x00024750 0x00001200 0x0003E400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.08
.didat 0x00465000 0x000001A4 0x00000200 0x0003F600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.52
.rsrc 0x00466000 0x0000DFF8 0x0000E000 0x0003F800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.64
.reloc 0x00474000 0x000023DC 0x00002400 0x0004D800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.67
Imports (3)
KERNEL32.dll (143)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetLastError - 0x00434000 0x0003E404 0x0003D604 0x00000202
SetLastError - 0x00434004 0x0003E408 0x0003D608 0x00000473
FormatMessageW - 0x00434008 0x0003E40C 0x0003D60C 0x0000015E
GetCurrentProcess - 0x0043400C 0x0003E410 0x0003D610 0x000001C0
DeviceIoControl - 0x00434010 0x0003E414 0x0003D614 0x000000DD
SetFileTime - 0x00434014 0x0003E418 0x0003D618 0x0000046A
CloseHandle - 0x00434018 0x0003E41C 0x0003D61C 0x00000052
CreateDirectoryW - 0x0043401C 0x0003E420 0x0003D620 0x00000081
RemoveDirectoryW - 0x00434020 0x0003E424 0x0003D624 0x00000403
CreateFileW - 0x00434024 0x0003E428 0x0003D628 0x0000008F
DeleteFileW - 0x00434028 0x0003E42C 0x0003D62C 0x000000D6
CreateHardLinkW - 0x0043402C 0x0003E430 0x0003D630 0x00000093
GetShortPathNameW - 0x00434030 0x0003E434 0x0003D634 0x00000261
GetLongPathNameW - 0x00434034 0x0003E438 0x0003D638 0x0000020F
MoveFileW - 0x00434038 0x0003E43C 0x0003D63C 0x00000363
GetFileType - 0x0043403C 0x0003E440 0x0003D640 0x000001F3
GetStdHandle - 0x00434040 0x0003E444 0x0003D644 0x00000264
WriteFile - 0x00434044 0x0003E448 0x0003D648 0x00000525
ReadFile - 0x00434048 0x0003E44C 0x0003D64C 0x000003C0
FlushFileBuffers - 0x0043404C 0x0003E450 0x0003D650 0x00000157
SetEndOfFile - 0x00434050 0x0003E454 0x0003D654 0x00000453
SetFilePointer - 0x00434054 0x0003E458 0x0003D658 0x00000466
GetCurrentProcessId - 0x00434058 0x0003E45C 0x0003D65C 0x000001C1
SetFileAttributesW - 0x0043405C 0x0003E460 0x0003D660 0x00000461
GetFileAttributesW - 0x00434060 0x0003E464 0x0003D664 0x000001EA
FindClose - 0x00434064 0x0003E468 0x0003D668 0x0000012E
FindFirstFileW - 0x00434068 0x0003E46C 0x0003D66C 0x00000139
FindNextFileW - 0x0043406C 0x0003E470 0x0003D670 0x00000145
InterlockedDecrement - 0x00434070 0x0003E474 0x0003D674 0x000002EB
GetVersionExW - 0x00434074 0x0003E478 0x0003D678 0x000002A4
GetCurrentDirectoryW - 0x00434078 0x0003E47C 0x0003D67C 0x000001BF
GetFullPathNameW - 0x0043407C 0x0003E480 0x0003D680 0x000001FB
FoldStringW - 0x00434080 0x0003E484 0x0003D684 0x0000015C
GetModuleFileNameW - 0x00434084 0x0003E488 0x0003D688 0x00000214
GetModuleHandleW - 0x00434088 0x0003E48C 0x0003D68C 0x00000218
FindResourceW - 0x0043408C 0x0003E490 0x0003D690 0x0000014E
FreeLibrary - 0x00434090 0x0003E494 0x0003D694 0x00000162
GetProcAddress - 0x00434094 0x0003E498 0x0003D698 0x00000245
ExitProcess - 0x00434098 0x0003E49C 0x0003D69C 0x00000119
SetThreadExecutionState - 0x0043409C 0x0003E4A0 0x0003D6A0 0x00000493
Sleep - 0x004340A0 0x0003E4A4 0x0003D6A4 0x000004B2
LoadLibraryW - 0x004340A4 0x0003E4A8 0x0003D6A8 0x0000033F
GetSystemDirectoryW - 0x004340A8 0x0003E4AC 0x0003D6AC 0x00000270
CompareStringW - 0x004340AC 0x0003E4B0 0x0003D6B0 0x00000064
AllocConsole - 0x004340B0 0x0003E4B4 0x0003D6B4 0x00000010
FreeConsole - 0x004340B4 0x0003E4B8 0x0003D6B8 0x0000015F
AttachConsole - 0x004340B8 0x0003E4BC 0x0003D6BC 0x00000017
WriteConsoleW - 0x004340BC 0x0003E4C0 0x0003D6C0 0x00000524
GetProcessAffinityMask - 0x004340C0 0x0003E4C4 0x0003D6C4 0x00000246
CreateThread - 0x004340C4 0x0003E4C8 0x0003D6C8 0x000000B5
SetThreadPriority - 0x004340C8 0x0003E4CC 0x0003D6CC 0x00000499
InitializeCriticalSection - 0x004340CC 0x0003E4D0 0x0003D6D0 0x000002E2
EnterCriticalSection - 0x004340D0 0x0003E4D4 0x0003D6D4 0x000000EE
LeaveCriticalSection - 0x004340D4 0x0003E4D8 0x0003D6D8 0x00000339
DeleteCriticalSection - 0x004340D8 0x0003E4DC 0x0003D6DC 0x000000D1
SetEvent - 0x004340DC 0x0003E4E0 0x0003D6E0 0x00000459
ResetEvent - 0x004340E0 0x0003E4E4 0x0003D6E4 0x0000040F
ReleaseSemaphore - 0x004340E4 0x0003E4E8 0x0003D6E8 0x000003FE
WaitForSingleObject - 0x004340E8 0x0003E4EC 0x0003D6EC 0x000004F9
CreateEventW - 0x004340EC 0x0003E4F0 0x0003D6F0 0x00000085
CreateSemaphoreW - 0x004340F0 0x0003E4F4 0x0003D6F4 0x000000AE
GetSystemTime - 0x004340F4 0x0003E4F8 0x0003D6F8 0x00000277
SystemTimeToTzSpecificLocalTime - 0x004340F8 0x0003E4FC 0x0003D6FC 0x000004BE
TzSpecificLocalTimeToSystemTime - 0x004340FC 0x0003E500 0x0003D700 0x000004D0
SystemTimeToFileTime - 0x00434100 0x0003E504 0x0003D704 0x000004BD
FileTimeToLocalFileTime - 0x00434104 0x0003E508 0x0003D708 0x00000124
LocalFileTimeToFileTime - 0x00434108 0x0003E50C 0x0003D70C 0x00000346
FileTimeToSystemTime - 0x0043410C 0x0003E510 0x0003D710 0x00000125
GetCPInfo - 0x00434110 0x0003E514 0x0003D714 0x00000172
IsDBCSLeadByte - 0x00434114 0x0003E518 0x0003D718 0x000002FE
MultiByteToWideChar - 0x00434118 0x0003E51C 0x0003D71C 0x00000367
WideCharToMultiByte - 0x0043411C 0x0003E520 0x0003D720 0x00000511
GlobalAlloc - 0x00434120 0x0003E524 0x0003D724 0x000002B3
LockResource - 0x00434124 0x0003E528 0x0003D728 0x00000354
GlobalLock - 0x00434128 0x0003E52C 0x0003D72C 0x000002BE
GlobalUnlock - 0x0043412C 0x0003E530 0x0003D730 0x000002C5
GlobalFree - 0x00434130 0x0003E534 0x0003D734 0x000002BA
LoadResource - 0x00434134 0x0003E538 0x0003D738 0x00000341
SizeofResource - 0x00434138 0x0003E53C 0x0003D73C 0x000004B1
SetCurrentDirectoryW - 0x0043413C 0x0003E540 0x0003D740 0x0000044D
GetTimeFormatW - 0x00434140 0x0003E544 0x0003D744 0x00000297
GetDateFormatW - 0x00434144 0x0003E548 0x0003D748 0x000001C8
LocalFree - 0x00434148 0x0003E54C 0x0003D74C 0x00000348
GetExitCodeProcess - 0x0043414C 0x0003E550 0x0003D750 0x000001DF
GetLocalTime - 0x00434150 0x0003E554 0x0003D754 0x00000203
GetTickCount - 0x00434154 0x0003E558 0x0003D758 0x00000293
MapViewOfFile - 0x00434158 0x0003E55C 0x0003D75C 0x00000357
UnmapViewOfFile - 0x0043415C 0x0003E560 0x0003D760 0x000004D6
CreateFileMappingW - 0x00434160 0x0003E564 0x0003D764 0x0000008C
OpenFileMappingW - 0x00434164 0x0003E568 0x0003D768 0x00000379
GetCommandLineW - 0x00434168 0x0003E56C 0x0003D76C 0x00000187
SetEnvironmentVariableW - 0x0043416C 0x0003E570 0x0003D770 0x00000457
ExpandEnvironmentStringsW - 0x00434170 0x0003E574 0x0003D774 0x0000011D
GetTempPathW - 0x00434174 0x0003E578 0x0003D778 0x00000285
MoveFileExW - 0x00434178 0x0003E57C 0x0003D77C 0x00000360
GetLocaleInfoW - 0x0043417C 0x0003E580 0x0003D780 0x00000206
GetNumberFormatW - 0x00434180 0x0003E584 0x0003D784 0x00000233
DecodePointer - 0x00434184 0x0003E588 0x0003D788 0x000000CA
SetFilePointerEx - 0x00434188 0x0003E58C 0x0003D78C 0x00000467
GetConsoleMode - 0x0043418C 0x0003E590 0x0003D790 0x000001AC
GetConsoleCP - 0x00434190 0x0003E594 0x0003D794 0x0000019A
HeapSize - 0x00434194 0x0003E598 0x0003D798 0x000002D4
SetStdHandle - 0x00434198 0x0003E59C 0x0003D79C 0x00000487
GetProcessHeap - 0x0043419C 0x0003E5A0 0x0003D7A0 0x0000024A
FreeEnvironmentStringsW - 0x004341A0 0x0003E5A4 0x0003D7A4 0x00000161
GetEnvironmentStringsW - 0x004341A4 0x0003E5A8 0x0003D7A8 0x000001DA
GetCommandLineA - 0x004341A8 0x0003E5AC 0x0003D7AC 0x00000186
GetOEMCP - 0x004341AC 0x0003E5B0 0x0003D7B0 0x00000237
RaiseException - 0x004341B0 0x0003E5B4 0x0003D7B4 0x000003B1
GetSystemInfo - 0x004341B4 0x0003E5B8 0x0003D7B8 0x00000273
VirtualProtect - 0x004341B8 0x0003E5BC 0x0003D7BC 0x000004EF
VirtualQuery - 0x004341BC 0x0003E5C0 0x0003D7C0 0x000004F1
LoadLibraryExA - 0x004341C0 0x0003E5C4 0x0003D7C4 0x0000033D
IsProcessorFeaturePresent - 0x004341C4 0x0003E5C8 0x0003D7C8 0x00000304
IsDebuggerPresent - 0x004341C8 0x0003E5CC 0x0003D7CC 0x00000300
UnhandledExceptionFilter - 0x004341CC 0x0003E5D0 0x0003D7D0 0x000004D3
SetUnhandledExceptionFilter - 0x004341D0 0x0003E5D4 0x0003D7D4 0x000004A5
GetStartupInfoW - 0x004341D4 0x0003E5D8 0x0003D7D8 0x00000263
QueryPerformanceCounter - 0x004341D8 0x0003E5DC 0x0003D7DC 0x000003A7
GetCurrentThreadId - 0x004341DC 0x0003E5E0 0x0003D7E0 0x000001C5
GetSystemTimeAsFileTime - 0x004341E0 0x0003E5E4 0x0003D7E4 0x00000279
InitializeSListHead - 0x004341E4 0x0003E5E8 0x0003D7E8 0x000002E7
TerminateProcess - 0x004341E8 0x0003E5EC 0x0003D7EC 0x000004C0
RtlUnwind - 0x004341EC 0x0003E5F0 0x0003D7F0 0x00000418
EncodePointer - 0x004341F0 0x0003E5F4 0x0003D7F4 0x000000EA
InitializeCriticalSectionAndSpinCount - 0x004341F4 0x0003E5F8 0x0003D7F8 0x000002E3
TlsAlloc - 0x004341F8 0x0003E5FC 0x0003D7FC 0x000004C5
TlsGetValue - 0x004341FC 0x0003E600 0x0003D800 0x000004C7
TlsSetValue - 0x00434200 0x0003E604 0x0003D804 0x000004C8
TlsFree - 0x00434204 0x0003E608 0x0003D808 0x000004C6
LoadLibraryExW - 0x00434208 0x0003E60C 0x0003D80C 0x0000033E
QueryPerformanceFrequency - 0x0043420C 0x0003E610 0x0003D810 0x000003A8
GetModuleHandleExW - 0x00434210 0x0003E614 0x0003D814 0x00000217
GetModuleFileNameA - 0x00434214 0x0003E618 0x0003D818 0x00000213
GetACP - 0x00434218 0x0003E61C 0x0003D81C 0x00000168
HeapFree - 0x0043421C 0x0003E620 0x0003D820 0x000002CF
HeapReAlloc - 0x00434220 0x0003E624 0x0003D824 0x000002D2
HeapAlloc - 0x00434224 0x0003E628 0x0003D828 0x000002CB
GetStringTypeW - 0x00434228 0x0003E62C 0x0003D82C 0x00000269
LCMapStringW - 0x0043422C 0x0003E630 0x0003D830 0x0000032D
FindFirstFileExA - 0x00434230 0x0003E634 0x0003D834 0x00000133
FindNextFileA - 0x00434234 0x0003E638 0x0003D838 0x00000143
IsValidCodePage - 0x00434238 0x0003E63C 0x0003D83C 0x0000030A
OLEAUT32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysAllocString 0x00000002 0x00434240 0x0003E644 0x0003D844 -
SysFreeString 0x00000006 0x00434244 0x0003E648 0x0003D848 -
VariantClear 0x00000009 0x00434248 0x0003E64C 0x0003D84C -
gdiplus.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GdipAlloc - 0x00434250 0x0003E654 0x0003D854 0x00000021
GdipDisposeImage - 0x00434254 0x0003E658 0x0003D858 0x00000098
GdipCloneImage - 0x00434258 0x0003E65C 0x0003D85C 0x00000036
GdipCreateBitmapFromStream - 0x0043425C 0x0003E660 0x0003D860 0x00000051
GdipCreateBitmapFromStreamICM - 0x00434260 0x0003E664 0x0003D864 0x00000052
GdipCreateHBITMAPFromBitmap - 0x00434264 0x0003E668 0x0003D868 0x0000005F
GdiplusStartup - 0x00434268 0x0003E66C 0x0003D86C 0x00000275
GdiplusShutdown - 0x0043426C 0x0003E670 0x0003D870 0x00000274
GdipFree - 0x00434270 0x0003E674 0x0003D874 0x000000ED
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
okla.exe 1 0x00FE0000 0x01056FFF Relevant Image False 32-bit 0x01003BEE False
okla.exe 1 0x00FE0000 0x01056FFF Process Termination False 32-bit - False
C:\Users\OqXZRaykm\Desktop\xmrig.exe Dropped File Binary
Malicious
Also Known As \\?\C:\Users\OqXZRaykm\Desktop\xmrig.exe (Accessed File)
xmrig.exe (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 6.06 MB
MD5 5fba8ae226b096da3b31de0e17496735
SHA1 d532a01254cf9e0229d3c5803b78ff7c9b0cb8d3
SHA256 ca28f4aeaa5e16d216cd828b67454a56f3c7feeb242412d26ed914fadff20d40
SSDeep 98304:iONmXliGgyduIy7bWynX75rfdRZqOXmvFubCY9yxl5TtX8Ao0Ezae6B:GXlivZqOXmtubmxl5ppvEzT6
ImpHash 12806e48b853545b536463546db4baa1
File Reputation Information
Verdict
Suspicious
Classification PUA
PE Information
Image Base 0x140000000
Entry Point 0x1403E01A4
Size Of Code 0x0041A600
Size Of Initialized Data 0x00496600
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 2024-08-11 20:16 (UTC+2)
Version Information (7)
CompanyName www.xmrig.com
FileDescription XMRig miner
FileVersion 6.22.0
LegalCopyright Copyright (C) 2016-2024 xmrig.com
OriginalFilename xmrig.exe
ProductName XMRig
ProductVersion 6.22.0
Sections (10)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140001000 0x0041A478 0x0041A600 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.52
.rdata 0x14041C000 0x001A6E22 0x001A7000 0x0041AA00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.17
.data 0x1405C3000 0x002AF4D4 0x00010200 0x005C1A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.02
.pdata 0x140873000 0x0002A528 0x0002A600 0x005D1C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.32
_RANDOMX 0x14089E000 0x00000C56 0x00000E00 0x005FC200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.68
_TEXT_CN 0x14089F000 0x000026D1 0x00002800 0x005FD000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.08
_TEXT_CN 0x1408A2000 0x00001184 0x00001200 0x005FF800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.05
_RDATA 0x1408A4000 0x000000F4 0x00000200 0x00600A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
.rsrc 0x1408A5000 0x000059C8 0x00005A00 0x00600C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.43
.reloc 0x1408AB000 0x0000B5A0 0x0000B600 0x00606600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.46
Imports (10)
WS2_32.dll (36)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WSASetLastError 0x00000070 0x14041C908 0x005C1528 0x005BFF28 -
send 0x00000013 0x14041C910 0x005C1530 0x005BFF30 -
recv 0x00000010 0x14041C918 0x005C1538 0x005BFF38 -
ntohs 0x0000000F 0x14041C920 0x005C1540 0x005BFF40 -
htons 0x00000009 0x14041C928 0x005C1548 0x005BFF48 -
htonl 0x00000008 0x14041C930 0x005C1550 0x005BFF50 -
inet_addr 0x0000000B 0x14041C938 0x005C1558 0x005BFF58 -
inet_ntoa 0x0000000C 0x14041C940 0x005C1560 0x005BFF60 -
gethostbyaddr 0x00000033 0x14041C948 0x005C1568 0x005BFF68 -
WSAGetLastError 0x0000006F 0x14041C950 0x005C1570 0x005BFF70 -
WSAIoctl - 0x14041C958 0x005C1578 0x005BFF78 0x0000003B
gethostbyname 0x00000034 0x14041C960 0x005C1580 0x005BFF80 -
WSARecvFrom - 0x14041C968 0x005C1588 0x005BFF88 0x0000004B
WSASocketW - 0x14041C970 0x005C1590 0x005BFF90 0x00000058
WSASend - 0x14041C978 0x005C1598 0x005BFF98 0x0000004E
WSARecv - 0x14041C980 0x005C15A0 0x005BFFA0 0x00000049
gethostname 0x00000039 0x14041C988 0x005C15A8 0x005BFFA8 -
WSADuplicateSocketW - 0x14041C990 0x005C15B0 0x005BFFB0 0x00000027
getpeername 0x00000005 0x14041C998 0x005C15B8 0x005BFFB8 -
FreeAddrInfoW - 0x14041C9A0 0x005C15C0 0x005BFFC0 0x00000002
GetAddrInfoW - 0x14041C9A8 0x005C15C8 0x005BFFC8 0x00000007
shutdown 0x00000016 0x14041C9B0 0x005C15D0 0x005BFFD0 -
socket 0x00000017 0x14041C9B8 0x005C15D8 0x005BFFD8 -
setsockopt 0x00000015 0x14041C9C0 0x005C15E0 0x005BFFE0 -
listen 0x0000000D 0x14041C9C8 0x005C15E8 0x005BFFE8 -
connect 0x00000004 0x14041C9D0 0x005C15F0 0x005BFFF0 -
closesocket 0x00000003 0x14041C9D8 0x005C15F8 0x005BFFF8 -
bind 0x00000002 0x14041C9E0 0x005C1600 0x005C0000 -
WSACleanup 0x00000074 0x14041C9E8 0x005C1608 0x005C0008 -
WSAStartup 0x00000073 0x14041C9F0 0x005C1610 0x005C0010 -
select 0x00000012 0x14041C9F8 0x005C1618 0x005C0018 -
getsockopt 0x00000007 0x14041CA00 0x005C1620 0x005C0020 -
getsockname 0x00000006 0x14041CA08 0x005C1628 0x005C0028 -
ioctlsocket 0x0000000A 0x14041CA10 0x005C1630 0x005C0030 -
getservbyname 0x00000037 0x14041CA18 0x005C1638 0x005C0038 -
getservbyport 0x00000038 0x14041CA20 0x005C1640 0x005C0040 -
IPHLPAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetAdaptersAddresses - 0x14041C150 0x005C0D70 0x005BF770 0x00000043
USERENV.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetUserProfileDirectoryW - 0x14041C8F8 0x005C1518 0x005BFF18 0x00000026
CRYPT32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertFreeCertificateContext - 0x14041C110 0x005C0D30 0x005BF730 0x00000040
CertFindCertificateInStore - 0x14041C118 0x005C0D38 0x005BF738 0x00000035
CertEnumCertificatesInStore - 0x14041C120 0x005C0D40 0x005BF740 0x0000002C
CertCloseStore - 0x14041C128 0x005C0D48 0x005BF748 0x00000012
CertOpenStore - 0x14041C130 0x005C0D50 0x005BF750 0x00000059
CertGetCertificateContextProperty - 0x14041C138 0x005C0D58 0x005BF758 0x00000046
CertDuplicateCertificateContext - 0x14041C140 0x005C0D60 0x005BF760 0x00000025
KERNEL32.dll (229)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetStringTypeW - 0x14041C160 0x005C0D80 0x005BF780 0x000002F8
InitializeCriticalSectionAndSpinCount - 0x14041C168 0x005C0D88 0x005BF788 0x00000386
WriteConsoleW - 0x14041C170 0x005C0D90 0x005BF790 0x0000064A
SetConsoleTitleA - 0x14041C178 0x005C0D98 0x005BF798 0x00000535
GetStdHandle - 0x14041C180 0x005C0DA0 0x005BF7A0 0x000002F3
SetConsoleMode - 0x14041C188 0x005C0DA8 0x005BF7A8 0x0000052B
GetConsoleMode - 0x14041C190 0x005C0DB0 0x005BF7B0 0x00000216
QueryPerformanceFrequency - 0x14041C198 0x005C0DB8 0x005BF7B8 0x00000471
QueryPerformanceCounter - 0x14041C1A0 0x005C0DC0 0x005BF7C0 0x00000470
SizeofResource - 0x14041C1A8 0x005C0DC8 0x005BF7C8 0x000005B3
LockResource - 0x14041C1B0 0x005C0DD0 0x005BF7D0 0x000003FE
LoadResource - 0x14041C1B8 0x005C0DD8 0x005BF7D8 0x000003EA
FindResourceW - 0x14041C1C0 0x005C0DE0 0x005BF7E0 0x000001B0
ExpandEnvironmentStringsA - 0x14041C1C8 0x005C0DE8 0x005BF7E8 0x0000017B
GetConsoleWindow - 0x14041C1D0 0x005C0DF0 0x005BF7F0 0x00000221
GetSystemFirmwareTable - 0x14041C1D8 0x005C0DF8 0x005BF7F8 0x00000303
HeapFree - 0x14041C1E0 0x005C0E00 0x005BF800 0x00000370
HeapAlloc - 0x14041C1E8 0x005C0E08 0x005BF808 0x0000036C
GetProcessHeap - 0x14041C1F0 0x005C0E10 0x005BF810 0x000002D4
MultiByteToWideChar - 0x14041C1F8 0x005C0E18 0x005BF818 0x00000412
SetPriorityClass - 0x14041C200 0x005C0E20 0x005BF820 0x0000056E
GetCurrentProcess - 0x14041C208 0x005C0E28 0x005BF828 0x00000232
SetThreadPriority - 0x14041C210 0x005C0E30 0x005BF830 0x00000593
GetSystemPowerStatus - 0x14041C218 0x005C0E38 0x005BF838 0x00000305
GetCurrentThread - 0x14041C220 0x005C0E40 0x005BF840 0x00000236
GetProcAddress - 0x14041C228 0x005C0E48 0x005BF848 0x000002CD
GetModuleHandleW - 0x14041C230 0x005C0E50 0x005BF850 0x00000295
GetTickCount - 0x14041C238 0x005C0E58 0x005BF858 0x0000032C
CloseHandle - 0x14041C240 0x005C0E60 0x005BF860 0x00000094
FreeConsole - 0x14041C248 0x005C0E68 0x005BF868 0x000001C2
VirtualProtect - 0x14041C250 0x005C0E70 0x005BF870 0x00000605
VirtualFree - 0x14041C258 0x005C0E78 0x005BF878 0x00000602
VirtualAlloc - 0x14041C260 0x005C0E80 0x005BF880 0x000005FF
GetLargePageMinimum - 0x14041C268 0x005C0E88 0x005BF888 0x0000027B
LocalAlloc - 0x14041C270 0x005C0E90 0x005BF890 0x000003ED
GetLastError - 0x14041C278 0x005C0E98 0x005BF898 0x0000027D
LocalFree - 0x14041C280 0x005C0EA0 0x005BF8A0 0x000003F2
FlushInstructionCache - 0x14041C288 0x005C0EA8 0x005BF8A8 0x000001BA
GetCurrentThreadId - 0x14041C290 0x005C0EB0 0x005BF8B0 0x00000237
AddVectoredExceptionHandler - 0x14041C298 0x005C0EB8 0x005BF8B8 0x00000014
DeviceIoControl - 0x14041C2A0 0x005C0EC0 0x005BF8C0 0x00000133
GetModuleFileNameW - 0x14041C2A8 0x005C0EC8 0x005BF8C8 0x00000291
CreateFileW - 0x14041C2B0 0x005C0ED0 0x005BF8D0 0x000000DA
SetLastError - 0x14041C2B8 0x005C0ED8 0x005BF8D8 0x00000564
GetSystemTime - 0x14041C2C0 0x005C0EE0 0x005BF8E0 0x00000308
SystemTimeToFileTime - 0x14041C2C8 0x005C0EE8 0x005BF8E8 0x000005C0
GetModuleHandleExW - 0x14041C2D0 0x005C0EF0 0x005BF8F0 0x00000294
Sleep - 0x14041C2D8 0x005C0EF8 0x005BF8F8 0x000005B4
InitializeSRWLock - 0x14041C2E0 0x005C0F00 0x005BF900 0x0000038B
ReleaseSRWLockExclusive - 0x14041C2E8 0x005C0F08 0x005BF908 0x000004D8
ReleaseSRWLockShared - 0x14041C2F0 0x005C0F10 0x005BF910 0x000004D9
AcquireSRWLockExclusive - 0x14041C2F8 0x005C0F18 0x005BF918 0x00000000
AcquireSRWLockShared - 0x14041C300 0x005C0F20 0x005BF920 0x00000001
TlsAlloc - 0x14041C308 0x005C0F28 0x005BF928 0x000005D6
TlsGetValue - 0x14041C310 0x005C0F30 0x005BF930 0x000005D8
TlsSetValue - 0x14041C318 0x005C0F38 0x005BF938 0x000005D9
TlsFree - 0x14041C320 0x005C0F40 0x005BF940 0x000005D7
GetSystemInfo - 0x14041C328 0x005C0F48 0x005BF948 0x00000304
SwitchToFiber - 0x14041C330 0x005C0F50 0x005BF950 0x000005BE
DeleteFiber - 0x14041C338 0x005C0F58 0x005BF958 0x00000124
CreateFiberEx - 0x14041C340 0x005C0F60 0x005BF960 0x000000D0
FindClose - 0x14041C348 0x005C0F68 0x005BF968 0x0000018F
FindFirstFileW - 0x14041C350 0x005C0F70 0x005BF970 0x0000019A
FindNextFileW - 0x14041C358 0x005C0F78 0x005BF978 0x000001A6
WideCharToMultiByte - 0x14041C360 0x005C0F80 0x005BF980 0x00000637
GetSystemDirectoryA - 0x14041C368 0x005C0F88 0x005BF988 0x00000300
FreeLibrary - 0x14041C370 0x005C0F90 0x005BF990 0x000001C5
LoadLibraryA - 0x14041C378 0x005C0F98 0x005BF998 0x000003E4
FormatMessageA - 0x14041C380 0x005C0FA0 0x005BF9A0 0x000001C0
GetFileType - 0x14041C388 0x005C0FA8 0x005BF9A8 0x0000026A
WriteFile - 0x14041C390 0x005C0FB0 0x005BF9B0 0x0000064B
GetEnvironmentVariableW - 0x14041C398 0x005C0FB8 0x005BF9B8 0x00000255
GetACP - 0x14041C3A0 0x005C0FC0 0x005BF9C0 0x000001CC
ConvertFiberToThread - 0x14041C3A8 0x005C0FC8 0x005BF9C8 0x000000B0
ConvertThreadToFiberEx - 0x14041C3B0 0x005C0FD0 0x005BF9D0 0x000000B4
GetCurrentProcessId - 0x14041C3B8 0x005C0FD8 0x005BF9D8 0x00000233
GetSystemTimeAsFileTime - 0x14041C3C0 0x005C0FE0 0x005BF9E0 0x0000030A
LoadLibraryW - 0x14041C3C8 0x005C0FE8 0x005BF9E8 0x000003E7
ReadConsoleA - 0x14041C3D0 0x005C0FF0 0x005BF9F0 0x0000048B
ReadConsoleW - 0x14041C3D8 0x005C0FF8 0x005BF9F8 0x00000495
PostQueuedCompletionStatus - 0x14041C3E0 0x005C1000 0x005BFA00 0x00000445
CreateFileA - 0x14041C3E8 0x005C1008 0x005BFA08 0x000000D2
DuplicateHandle - 0x14041C3F0 0x005C1010 0x005BFA10 0x00000141
SetEvent - 0x14041C3F8 0x005C1018 0x005BFA18 0x00000548
ResetEvent - 0x14041C400 0x005C1020 0x005BFA20 0x000004EC
WaitForSingleObject - 0x14041C408 0x005C1028 0x005BFA28 0x00000610
CreateEventA - 0x14041C410 0x005C1030 0x005BFA30 0x000000CB
QueueUserWorkItem - 0x14041C418 0x005C1038 0x005BFA38 0x0000047C
RegisterWaitForSingleObject - 0x14041C420 0x005C1040 0x005BFA40 0x000004CE
UnregisterWait - 0x14041C428 0x005C1048 0x005BFA48 0x000005EF
GetNumberOfConsoleInputEvents - 0x14041C430 0x005C1050 0x005BFA50 0x000002B4
ReadConsoleInputW - 0x14041C438 0x005C1058 0x005BFA58 0x0000048F
FillConsoleOutputCharacterW - 0x14041C440 0x005C1060 0x005BFA60 0x00000187
FillConsoleOutputAttribute - 0x14041C448 0x005C1068 0x005BFA68 0x00000185
GetConsoleCursorInfo - 0x14041C450 0x005C1070 0x005BFA70 0x0000020A
SetConsoleCursorInfo - 0x14041C458 0x005C1078 0x005BFA78 0x0000051D
GetConsoleScreenBufferInfo - 0x14041C460 0x005C1080 0x005BFA80 0x0000021C
SetConsoleCursorPosition - 0x14041C468 0x005C1088 0x005BFA88 0x0000051F
SetConsoleTextAttribute - 0x14041C470 0x005C1090 0x005BFA90 0x00000534
WriteConsoleInputW - 0x14041C478 0x005C1098 0x005BFA98 0x00000644
CreateDirectoryW - 0x14041C480 0x005C10A0 0x005BFAA0 0x000000C9
FlushFileBuffers - 0x14041C488 0x005C10A8 0x005BFAA8 0x000001B9
GetDiskFreeSpaceW - 0x14041C490 0x005C10B0 0x005BFAB0 0x00000245
GetFileAttributesW - 0x14041C498 0x005C10B8 0x005BFAB8 0x00000261
GetFileInformationByHandle - 0x14041C4A0 0x005C10C0 0x005BFAC0 0x00000263
CreateEventW - 0x14041C4A8 0x005C10C8 0x005BFAC8 0x000000CE
RtlCaptureContext - 0x14041C4B0 0x005C10D0 0x005BFAD0 0x000004F5
GetFullPathNameW - 0x14041C4B8 0x005C10D8 0x005BFAD8 0x00000275
ReadFile - 0x14041C4C0 0x005C10E0 0x005BFAE0 0x00000498
RemoveDirectoryW - 0x14041C4C8 0x005C10E8 0x005BFAE8 0x000004DF
SetFilePointerEx - 0x14041C4D0 0x005C10F0 0x005BFAF0 0x00000555
SetFileTime - 0x14041C4D8 0x005C10F8 0x005BFAF8 0x00000558
MapViewOfFile - 0x14041C4E0 0x005C1100 0x005BFB00 0x00000401
FlushViewOfFile - 0x14041C4E8 0x005C1108 0x005BFB08 0x000001BC
UnmapViewOfFile - 0x14041C4F0 0x005C1110 0x005BFB10 0x000005E9
CreateFileMappingA - 0x14041C4F8 0x005C1118 0x005BFB18 0x000000D3
ReOpenFile - 0x14041C500 0x005C1120 0x005BFB20 0x0000048A
CopyFileW - 0x14041C508 0x005C1128 0x005BFB28 0x000000BC
MoveFileExW - 0x14041C510 0x005C1130 0x005BFB30 0x0000040B
CreateHardLinkW - 0x14041C518 0x005C1138 0x005BFB38 0x000000DE
GetFileInformationByHandleEx - 0x14041C520 0x005C1140 0x005BFB40 0x00000264
CreateSymbolicLinkW - 0x14041C528 0x005C1148 0x005BFB48 0x00000101
InitializeCriticalSection - 0x14041C530 0x005C1150 0x005BFB50 0x00000385
EnterCriticalSection - 0x14041C538 0x005C1158 0x005BFB58 0x00000149
LeaveCriticalSection - 0x14041C540 0x005C1160 0x005BFB60 0x000003E0
TryEnterCriticalSection - 0x14041C548 0x005C1168 0x005BFB68 0x000005DF
DeleteCriticalSection - 0x14041C550 0x005C1170 0x005BFB70 0x00000123
InitializeConditionVariable - 0x14041C558 0x005C1178 0x005BFB78 0x00000382
WakeConditionVariable - 0x14041C560 0x005C1180 0x005BFB80 0x00000619
WakeAllConditionVariable - 0x14041C568 0x005C1188 0x005BFB88 0x00000618
SleepConditionVariableCS - 0x14041C570 0x005C1190 0x005BFB90 0x000005B5
ReleaseSemaphore - 0x14041C578 0x005C1198 0x005BFB98 0x000004DA
ResumeThread - 0x14041C580 0x005C11A0 0x005BFBA0 0x000004F3
GetNativeSystemInfo - 0x14041C588 0x005C11A8 0x005BFBA8 0x000002A2
GetProcessAffinityMask - 0x14041C590 0x005C11B0 0x005BFBB0 0x000002CE
SetThreadAffinityMask - 0x14041C598 0x005C11B8 0x005BFBB8 0x00000588
CreateSemaphoreA - 0x14041C5A0 0x005C11C0 0x005BFBC0 0x000000FA
SetConsoleCtrlHandler - 0x14041C5A8 0x005C11C8 0x005BFBC8 0x0000051B
GetCurrentDirectoryW - 0x14041C5B0 0x005C11D0 0x005BFBD0 0x0000022B
GetLongPathNameW - 0x14041C5B8 0x005C11D8 0x005BFBD8 0x0000028A
RtlUnwind - 0x14041C5C0 0x005C11E0 0x005BFBE0 0x00000502
CreateIoCompletionPort - 0x14041C5C8 0x005C11E8 0x005BFBE8 0x000000DF
ReadDirectoryChangesW - 0x14041C5D0 0x005C11F0 0x005BFBF0 0x00000497
GetEnvironmentStringsW - 0x14041C5D8 0x005C11F8 0x005BFBF8 0x00000253
FreeEnvironmentStringsW - 0x14041C5E0 0x005C1200 0x005BFC00 0x000001C4
SetEnvironmentVariableW - 0x14041C5E8 0x005C1208 0x005BFC08 0x00000546
SetCurrentDirectoryW - 0x14041C5F0 0x005C1210 0x005BFC10 0x0000053B
GetTempPathW - 0x14041C5F8 0x005C1218 0x005BFC18 0x00000319
GlobalMemoryStatusEx - 0x14041C600 0x005C1220 0x005BFC20 0x00000361
FileTimeToSystemTime - 0x14041C608 0x005C1228 0x005BFC28 0x00000184
K32GetProcessMemoryInfo - 0x14041C610 0x005C1230 0x005BFC30 0x000003CB
SetHandleInformation - 0x14041C618 0x005C1238 0x005BFC38 0x0000055F
CancelIoEx - 0x14041C620 0x005C1240 0x005BFC40 0x00000080
CancelIo - 0x14041C628 0x005C1248 0x005BFC48 0x0000007F
SwitchToThread - 0x14041C630 0x005C1250 0x005BFC50 0x000005BF
SetFileCompletionNotificationModes - 0x14041C638 0x005C1258 0x005BFC58 0x00000551
LoadLibraryExW - 0x14041C640 0x005C1260 0x005BFC60 0x000003E6
SetErrorMode - 0x14041C648 0x005C1268 0x005BFC68 0x00000547
GetQueuedCompletionStatus - 0x14041C650 0x005C1270 0x005BFC70 0x000002EB
ConnectNamedPipe - 0x14041C658 0x005C1278 0x005BFC78 0x000000AB
SetNamedPipeHandleState - 0x14041C660 0x005C1280 0x005BFC80 0x0000056D
PeekNamedPipe - 0x14041C668 0x005C1288 0x005BFC88 0x00000443
CreateNamedPipeW - 0x14041C670 0x005C1290 0x005BFC90 0x000000EC
CancelSynchronousIo - 0x14041C678 0x005C1298 0x005BFC98 0x00000081
GetNamedPipeHandleStateA - 0x14041C680 0x005C12A0 0x005BFCA0 0x0000029D
GetNamedPipeClientProcessId - 0x14041C688 0x005C12A8 0x005BFCA8 0x0000029B
GetNamedPipeServerProcessId - 0x14041C690 0x005C12B0 0x005BFCB0 0x000002A0
TerminateProcess - 0x14041C698 0x005C12B8 0x005BFCB8 0x000005C4
GetExitCodeProcess - 0x14041C6A0 0x005C12C0 0x005BFCC0 0x00000258
UnregisterWaitEx - 0x14041C6A8 0x005C12C8 0x005BFCC8 0x000005F0
LCMapStringW - 0x14041C6B0 0x005C12D0 0x005BFCD0 0x000003D4
DebugBreak - 0x14041C6B8 0x005C12D8 0x005BFCD8 0x00000119
GetModuleHandleA - 0x14041C6C0 0x005C12E0 0x005BFCE0 0x00000292
LoadLibraryExA - 0x14041C6C8 0x005C12E8 0x005BFCE8 0x000003E5
GetStartupInfoW - 0x14041C6D0 0x005C12F0 0x005BFCF0 0x000002F1
GetModuleFileNameA - 0x14041C6D8 0x005C12F8 0x005BFCF8 0x00000290
GetVersionExA - 0x14041C6E0 0x005C1300 0x005BFD00 0x00000341
SetProcessAffinityMask - 0x14041C6E8 0x005C1308 0x005BFD08 0x0000056F
GetComputerNameA - 0x14041C6F0 0x005C1310 0x005BFD10 0x000001F6
FlsFree - 0x14041C6F8 0x005C1318 0x005BFD18 0x000001B5
FlsSetValue - 0x14041C700 0x005C1320 0x005BFD20 0x000001B7
FlsGetValue - 0x14041C708 0x005C1328 0x005BFD28 0x000001B6
FlsAlloc - 0x14041C710 0x005C1330 0x005BFD30 0x000001B4
GetCPInfo - 0x14041C718 0x005C1338 0x005BFD38 0x000001DB
RtlLookupFunctionEntry - 0x14041C720 0x005C1340 0x005BFD40 0x000004FD
GetFinalPathNameByHandleW - 0x14041C728 0x005C1348 0x005BFD48 0x0000026C
RtlVirtualUnwind - 0x14041C730 0x005C1350 0x005BFD50 0x00000504
UnhandledExceptionFilter - 0x14041C738 0x005C1358 0x005BFD58 0x000005E6
SetUnhandledExceptionFilter - 0x14041C740 0x005C1360 0x005BFD60 0x000005A4
IsProcessorFeaturePresent - 0x14041C748 0x005C1368 0x005BFD68 0x000003A8
IsDebuggerPresent - 0x14041C750 0x005C1370 0x005BFD70 0x000003A0
InitializeSListHead - 0x14041C758 0x005C1378 0x005BFD78 0x0000038A
RtlUnwindEx - 0x14041C760 0x005C1380 0x005BFD80 0x00000503
RtlPcToFileHeader - 0x14041C768 0x005C1388 0x005BFD88 0x000004FF
RaiseException - 0x14041C770 0x005C1390 0x005BFD90 0x00000487
SetStdHandle - 0x14041C778 0x005C1398 0x005BFD98 0x0000057F
GetCommandLineA - 0x14041C780 0x005C13A0 0x005BFDA0 0x000001F0
GetCommandLineW - 0x14041C788 0x005C13A8 0x005BFDA8 0x000001F1
CreateThread - 0x14041C790 0x005C13B0 0x005BFDB0 0x00000103
ExitThread - 0x14041C798 0x005C13B8 0x005BFDB8 0x00000179
FreeLibraryAndExitThread - 0x14041C7A0 0x005C13C0 0x005BFDC0 0x000001C6
GetDriveTypeW - 0x14041C7A8 0x005C13C8 0x005BFDC8 0x0000024B
SystemTimeToTzSpecificLocalTime - 0x14041C7B0 0x005C13D0 0x005BFDD0 0x000005C1
ExitProcess - 0x14041C7B8 0x005C13D8 0x005BFDD8 0x00000178
GetFileAttributesExW - 0x14041C7C0 0x005C13E0 0x005BFDE0 0x0000025E
SetFileAttributesW - 0x14041C7C8 0x005C13E8 0x005BFDE8 0x0000054F
GetConsoleOutputCP - 0x14041C7D0 0x005C13F0 0x005BFDF0 0x0000021A
CompareStringW - 0x14041C7D8 0x005C13F8 0x005BFDF8 0x000000AA
GetLocaleInfoW - 0x14041C7E0 0x005C1400 0x005BFE00 0x00000281
IsValidLocale - 0x14041C7E8 0x005C1408 0x005BFE08 0x000003B0
GetUserDefaultLCID - 0x14041C7F0 0x005C1410 0x005BFE10 0x00000339
EnumSystemLocalesW - 0x14041C7F8 0x005C1418 0x005BFE18 0x0000016D
HeapReAlloc - 0x14041C800 0x005C1420 0x005BFE20 0x00000373
GetTimeZoneInformation - 0x14041C808 0x005C1428 0x005BFE28 0x00000333
HeapSize - 0x14041C810 0x005C1430 0x005BFE30 0x00000375
SetEndOfFile - 0x14041C818 0x005C1438 0x005BFE38 0x00000542
FindFirstFileExW - 0x14041C820 0x005C1440 0x005BFE40 0x00000195
IsValidCodePage - 0x14041C828 0x005C1448 0x005BFE48 0x000003AE
GetOEMCP - 0x14041C830 0x005C1450 0x005BFE50 0x000002B6
GetFileSizeEx - 0x14041C838 0x005C1458 0x005BFE58 0x00000268
GetShortPathNameW - 0x14041C840 0x005C1460 0x005BFE60 0x000002EE
CompareStringEx - 0x14041C848 0x005C1468 0x005BFE68 0x000000A8
LCMapStringEx - 0x14041C850 0x005C1470 0x005BFE70 0x000003D3
InitializeCriticalSectionEx - 0x14041C858 0x005C1478 0x005BFE78 0x00000387
WaitForSingleObjectEx - 0x14041C860 0x005C1480 0x005BFE80 0x00000611
GetExitCodeThread - 0x14041C868 0x005C1488 0x005BFE88 0x00000259
SleepConditionVariableSRW - 0x14041C870 0x005C1490 0x005BFE90 0x000005B6
EncodePointer - 0x14041C878 0x005C1498 0x005BFE98 0x00000145
DecodePointer - 0x14041C880 0x005C14A0 0x005BFEA0 0x0000011C
USER32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetLastInputInfo - 0x14041C8A0 0x005C14C0 0x005BFEC0 0x00000172
MessageBoxW - 0x14041C8A8 0x005C14C8 0x005BFEC8 0x0000028B
GetProcessWindowStation - 0x14041C8B0 0x005C14D0 0x005BFED0 0x000001B0
TranslateMessage - 0x14041C8B8 0x005C14D8 0x005BFED8 0x000003BA
GetUserObjectInformationW - 0x14041C8C0 0x005C14E0 0x005BFEE0 0x000001DA
ShowWindow - 0x14041C8C8 0x005C14E8 0x005BFEE8 0x0000039A
DispatchMessageA - 0x14041C8D0 0x005C14F0 0x005BFEF0 0x000000BC
GetSystemMetrics - 0x14041C8D8 0x005C14F8 0x005BFEF8 0x000001C9
MapVirtualKeyW - 0x14041C8E0 0x005C1500 0x005BFF00 0x0000027D
GetMessageA - 0x14041C8E8 0x005C1508 0x005BFF08 0x00000187
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderPathA - 0x14041C890 0x005C14B0 0x005BFEB0 0x0000016D
ole32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoInitializeEx - 0x14041CA40 0x005C1660 0x005C0060 0x00000061
CoUninitialize - 0x14041CA48 0x005C1668 0x005C0068 0x00000091
CoCreateInstance - 0x14041CA50 0x005C1670 0x005C0070 0x0000002B
ADVAPI32.dll (33)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SystemFunction036 - 0x14041C000 0x005C0C20 0x005BF620 0x00000319
GetUserNameW - 0x14041C008 0x005C0C28 0x005BF628 0x00000166
ReportEventW - 0x14041C010 0x005C0C30 0x005BF630 0x000002B6
RegisterEventSourceW - 0x14041C018 0x005C0C38 0x005BF638 0x000002A4
DeregisterEventSource - 0x14041C020 0x005C0C40 0x005BF640 0x000000ED
CryptEnumProvidersW - 0x14041C028 0x005C0C48 0x005BF648 0x000000CF
CryptSignHashW - 0x14041C030 0x005C0C50 0x005BF650 0x000000E5
CryptDestroyHash - 0x14041C038 0x005C0C58 0x005BF658 0x000000C7
CryptCreateHash - 0x14041C040 0x005C0C60 0x005BF660 0x000000C4
CryptDecrypt - 0x14041C048 0x005C0C68 0x005BF668 0x000000C5
CryptExportKey - 0x14041C050 0x005C0C70 0x005BF670 0x000000D0
CryptGetUserKey - 0x14041C058 0x005C0C78 0x005BF678 0x000000D8
CryptGetProvParam - 0x14041C060 0x005C0C80 0x005BF680 0x000000D7
CryptSetHashParam - 0x14041C068 0x005C0C88 0x005BF688 0x000000DD
CryptDestroyKey - 0x14041C070 0x005C0C90 0x005BF690 0x000000C8
CryptReleaseContext - 0x14041C078 0x005C0C98 0x005BF698 0x000000DC
CryptAcquireContextW - 0x14041C080 0x005C0CA0 0x005BF6A0 0x000000C2
CreateServiceW - 0x14041C088 0x005C0CA8 0x005BF6A8 0x00000091
QueryServiceStatus - 0x14041C090 0x005C0CB0 0x005BF6B0 0x00000246
CloseServiceHandle - 0x14041C098 0x005C0CB8 0x005BF6B8 0x00000065
OpenSCManagerW - 0x14041C0A0 0x005C0CC0 0x005BF6C0 0x0000020D
QueryServiceConfigA - 0x14041C0A8 0x005C0CC8 0x005BF6C8 0x00000240
DeleteService - 0x14041C0B0 0x005C0CD0 0x005BF6D0 0x000000EC
ControlService - 0x14041C0B8 0x005C0CD8 0x005BF6D8 0x0000006A
StartServiceW - 0x14041C0C0 0x005C0CE0 0x005BF6E0 0x000002F1
OpenServiceW - 0x14041C0C8 0x005C0CE8 0x005BF6E8 0x0000020F
LookupPrivilegeValueW - 0x14041C0D0 0x005C0CF0 0x005BF6F0 0x0000019A
AdjustTokenPrivileges - 0x14041C0D8 0x005C0CF8 0x005BF6F8 0x0000001F
OpenProcessToken - 0x14041C0E0 0x005C0D00 0x005BF700 0x0000020B
LsaOpenPolicy - 0x14041C0E8 0x005C0D08 0x005BF708 0x000001C9
LsaAddAccountRights - 0x14041C0F0 0x005C0D10 0x005BF710 0x0000019D
LsaClose - 0x14041C0F8 0x005C0D18 0x005BF718 0x000001A0
GetTokenInformation - 0x14041C100 0x005C0D20 0x005BF720 0x0000015B
bcrypt.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
BCryptGenRandom - 0x14041CA30 0x005C1650 0x005C0050 0x0000001D
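The import tables above are the most useful part of this report for triage. ADVAPI32 supplies the Service Control Manager calls (OpenSCManagerW, CreateServiceW, StartServiceW, DeleteService) a program needs to install and remove a driver service, plus the token and LSA calls (OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, LsaAddAccountRights) needed to grant and enable privileges for its own account; the dropped WinRing0x64.sys, in turn, imports what a kernel driver needs to expose a device interface (IoCreateDevice, IoCreateSymbolicLink, IofCompleteRequest), map physical I/O space (MmMapIoSpace) and read and write PCI configuration space (HalGetBusDataByOffset, HalSetBusDataByOffset) on its user-mode caller's behalf. The script below is an added example, not VMRay's or XMRig's code. It transcribes the import lists as printed in the report (KERNEL32 and USER32 trimmed to the entries the map uses), groups them under capability labels of my own choosing, and reimplements the pefile ImpHash algorithm so the report's ImpHash can be reproduced from a parsed file. Note that the ImpHash is order-sensitive: it only reproduces the report's figure when entries are fed in import-directory order, which a report listing does not necessarily preserve.

```python
"""Capability triage over a sandbox report's import listing (added example).

The import lists are transcribed from the report; KERNEL32 and USER32 are
trimmed to the entries the capability map uses. The capability labels are
the author's own triage vocabulary, not a VMRay or XMRig construct.
"""
import hashlib

# (dll, [api, ...]) in the order the report prints them.
XMRIG_IMPORTS = [
    ("KERNEL32.dll", ["IsDebuggerPresent", "CreateThread", "ExitProcess",
                      "SetFileAttributesW", "GetCommandLineW"]),
    ("USER32.dll", ["GetLastInputInfo", "MessageBoxW", "GetSystemMetrics"]),
    ("SHELL32.dll", ["SHGetSpecialFolderPathA"]),
    ("ole32.dll", ["CoInitializeEx", "CoUninitialize", "CoCreateInstance"]),
    ("ADVAPI32.dll", [
        "SystemFunction036", "GetUserNameW", "ReportEventW",
        "RegisterEventSourceW", "DeregisterEventSource", "CryptEnumProvidersW",
        "CryptSignHashW", "CryptDestroyHash", "CryptCreateHash", "CryptDecrypt",
        "CryptExportKey", "CryptGetUserKey", "CryptGetProvParam",
        "CryptSetHashParam", "CryptDestroyKey", "CryptReleaseContext",
        "CryptAcquireContextW", "CreateServiceW", "QueryServiceStatus",
        "CloseServiceHandle", "OpenSCManagerW", "QueryServiceConfigA",
        "DeleteService", "ControlService", "StartServiceW", "OpenServiceW",
        "LookupPrivilegeValueW", "AdjustTokenPrivileges", "OpenProcessToken",
        "LsaOpenPolicy", "LsaAddAccountRights", "LsaClose", "GetTokenInformation",
    ]),
    ("bcrypt.dll", ["BCryptGenRandom"]),
]

WINRING0_IMPORTS = [
    ("ntoskrnl.exe", ["IoDeleteSymbolicLink", "RtlInitUnicodeString", "IoDeleteDevice",
                      "IoCreateDevice", "MmMapIoSpace", "KeBugCheckEx",
                      "IoCreateSymbolicLink", "MmUnmapIoSpace", "IofCompleteRequest",
                      "__C_specific_handler"]),
    ("HAL.dll", ["HalSetBusDataByOffset", "HalGetBusDataByOffset"]),
]

# A capability is reported only when every API in its set is imported, so a
# single incidental import (CloseServiceHandle on its own, say) does not fire.
CAPABILITIES = {
    "service-install":   {"OpenSCManagerW", "CreateServiceW", "StartServiceW"},
    "service-remove":    {"OpenServiceW", "ControlService", "DeleteService"},
    "privilege-enable":  {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "lsa-right-grant":   {"LsaOpenPolicy", "LsaAddAccountRights"},
    "cryptoapi-signing": {"CryptAcquireContextW", "CryptCreateHash", "CryptSignHashW"},
    "anti-debug":        {"IsDebuggerPresent"},
    "user-idle-check":   {"GetLastInputInfo"},
    "kernel-device":     {"IoCreateDevice", "IoCreateSymbolicLink", "IofCompleteRequest"},
    "physmem-mapping":   {"MmMapIoSpace", "MmUnmapIoSpace"},
    "pci-config-access": {"HalGetBusDataByOffset", "HalSetBusDataByOffset"},
}


def capabilities(imports):
    """Return {capability: sorted APIs} for every fully satisfied capability set."""
    present = {api for _, apis in imports for api in apis}
    return {cap: sorted(apis) for cap, apis in CAPABILITIES.items() if apis <= present}


def imphash(imports):
    """pefile-compatible ImpHash: 'dll.api' entries lowercased, a .dll/.sys/.ocx
    suffix stripped (other suffixes such as .exe are kept), comma-joined, MD5."""
    parts = []
    for dll, apis in imports:
        name = dll.lower()
        for ext in (".dll", ".sys", ".ocx"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.extend(f"{name}.{api.lower()}" for api in apis)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    for label, imports in (("xmrig.exe", XMRIG_IMPORTS), ("WinRing0x64.sys", WINRING0_IMPORTS)):
        print(label, imphash(imports))
        for cap, apis in capabilities(imports).items():
            print(f"  {cap}: {', '.join(apis)}")
```

Run against the two lists, the miner reports service install and removal, privilege enabling and LSA right granting, CryptoAPI signing and the IsDebuggerPresent and GetLastInputInfo checks, while the driver reports only the kernel-device, physical-memory-mapping and PCI-configuration capabilities. To compare the computed ImpHash with the report's, feed the function the entries in the order pefile yields them from the import directory, which is also where by-ordinal imports (rendered as `ordN` by pefile) would need handling; none appear in this report.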
Memory Dumps (43)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
xmrig.exe 6 0x7FF6E3230000 0x7FF6E3AE6FFF Relevant Image False 64-bit 0x7FF6E36438E0 False
buffer 6 0x001D0000 0x001EFFFF Content Changed False 64-bit - False
buffer 6 0x0014C000 0x0014FFFF First Network Behavior False 64-bit - False
buffer 6 0x001D0000 0x001EFFFF First Network Behavior False 64-bit - False
buffer 6 0x004C0750 0x004C07CF First Network Behavior False 64-bit - False
buffer 6 0x004C7790 0x004C780F First Network Behavior False 64-bit - False
buffer 6 0x004C7A50 0x004C7B45 First Network Behavior False 64-bit - False
buffer 6 0x004C7B80 0x004C7BFF First Network Behavior False 64-bit - False
buffer 6 0x004C9840 0x004C98C5 First Network Behavior False 64-bit - False
buffer 6 0x004CDBA0 0x004CDD9F First Network Behavior False 64-bit - False
buffer 6 0x004CE780 0x004CE854 First Network Behavior False 64-bit - False
buffer 6 0x004CF470 0x004CF697 First Network Behavior False 64-bit - False
buffer 6 0x004D09B0 0x004D0D77 First Network Behavior False 64-bit - False
buffer 6 0x004D0D80 0x004D0ED7 First Network Behavior False 64-bit - False
buffer 6 0x004D1C80 0x004D1CFF First Network Behavior False 64-bit - False
buffer 6 0x004D3360 0x004D34B7 First Network Behavior False 64-bit - False
buffer 6 0x004E01C0 0x004E02BF First Network Behavior False 64-bit - False
buffer 6 0x004E1CA0 0x004E2E9F First Network Behavior False 64-bit - False
buffer 6 0x004E2EB0 0x004E3EAF First Network Behavior False 64-bit - False
buffer 6 0x004EF4D0 0x004EF5DF First Network Behavior False 64-bit - False
buffer 6 0x004EF5F0 0x004EF97F First Network Behavior False 64-bit - False
buffer 6 0x004EF990 0x004EFA87 First Network Behavior False 64-bit - False
buffer 6 0x004EFA90 0x004EFB87 First Network Behavior False 64-bit - False
buffer 6 0x004EFB90 0x004EFCCF First Network Behavior False 64-bit - False
buffer 6 0x004EFCF0 0x004EFDE7 First Network Behavior False 64-bit - False
buffer 6 0x004EFDF0 0x004EFEE7 First Network Behavior False 64-bit - False
buffer 6 0x004F0F00 0x004F0FF7 First Network Behavior False 64-bit - False
buffer 6 0x004F1000 0x004F10F7 First Network Behavior False 64-bit - False
buffer 6 0x004F1100 0x004F11F7 First Network Behavior False 64-bit - False
buffer 6 0x004F1200 0x004F12F7 First Network Behavior False 64-bit - False
buffer 6 0x004F2490 0x004F250F First Network Behavior False 64-bit - False
buffer 6 0x004F2520 0x004F291F First Network Behavior False 64-bit - False
xmrig.exe 6 0x7FF6E3230000 0x7FF6E3AE6FFF First Network Behavior False 64-bit 0x7FF6E360F570 False
buffer 6 0x00460000 0x0047FFFF First Execution False 64-bit 0x00460EC0 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00460EC0 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x004619A4 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x004692D7 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00460EC0 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x0046D000 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x0046A000 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00461B61 False
buffer 6 0x00460000 0x0047FFFF Content Changed False 64-bit 0x00469000 False
xmrig.exe 6 0x7FF6E3230000 0x7FF6E3AE6FFF Final Dump False 64-bit 0x7FF6E33A9E40 False
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
XMRig_Miner XMRig mining software Miner, PUA
5/5
\\?\C:\Users\OqXZRaykm\Desktop\WinRing0x64.sys Dropped File Binary
Clean
Known to be clean.
Also Known As (Accessed File)
WinRing0x64.sys (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 14.20 KB
MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SSDeep 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
ImpHash d41fa95d4642dc981f10de36f4dc8cd7
File Reputation Information
Verdict
Clean
Known to be clean.
PE Information
Image Base 0x00010000
Entry Point 0x00015008
Size Of Code 0x00000C00
Size Of Initialized Data 0x00000A00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_NATIVE
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 2008-07-26 15:29 (UTC+2)
Version Information (9)
Comments The modified BSD license
CompanyName OpenLibSys.org
FileDescription WinRing0
FileVersion 1.2.0.5
InternalName WinRing0.sys
LegalCopyright Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved.
OriginalFilename WinRing0.sys
ProductName WinRing0
ProductVersion 1.2.0.5
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00011000 0x000006C6 0x00000800 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.39
.rdata 0x00012000 0x0000017C 0x00000200 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ 3.28
.data 0x00013000 0x00000114 0x00000200 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.3
.pdata 0x00014000 0x00000060 0x00000200 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ 0.86
INIT 0x00015000 0x00000222 0x00000400 0x00001200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.06
.rsrc 0x00016000 0x000003C0 0x00000400 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 3.13
Imports (2)
ntoskrnl.exe (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IoDeleteSymbolicLink - 0x00012018 0x000050B8 0x000012B8 0x000001BE
RtlInitUnicodeString - 0x00012020 0x000050C0 0x000012C0 0x00000515
IoDeleteDevice - 0x00012028 0x000050C8 0x000012C8 0x000001BC
IoCreateDevice - 0x00012030 0x000050D0 0x000012D0 0x000001A8
MmMapIoSpace - 0x00012038 0x000050D8 0x000012D8 0x0000035B
KeBugCheckEx - 0x00012040 0x000050E0 0x000012E0 0x0000028A
IoCreateSymbolicLink - 0x00012048 0x000050E8 0x000012E8 0x000001B2
MmUnmapIoSpace - 0x00012050 0x000050F0 0x000012F0 0x0000037B
IofCompleteRequest - 0x00012058 0x000050F8 0x000012F8 0x0000026B
__C_specific_handler - 0x00012060 0x00005100 0x00001300 0x000006F9
HAL.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
HalSetBusDataByOffset - 0x00012000 0x000050A0 0x000012A0 0x0000002F
HalGetBusDataByOffset - 0x00012008 0x000050A8 0x000012A8 0x00000015
Digital Signature Information
Verification Status Valid
Certificate: Noriyuki MIYAZAKI
Issued by Noriyuki MIYAZAKI
Parent Certificate GlobalSign ObjectSign CA
Country Name JP
Valid From 2007-09-24 12:50 (UTC+2)
Valid Until 2008-09-24 12:50 (UTC+2)
Algorithm sha1_rsa
Serial Number 01 00 00 00 00 01 15 37 24 21 A8
Thumbprint CD A9 8A C4 01 94 56 09 55 93 90 2E 4B 4A 87 AC 28 3E D5 4A
Certificate: GlobalSign ObjectSign CA
Issued by GlobalSign ObjectSign CA
Parent Certificate GlobalSign Primary Object Publishing CA
Country Name BE
Valid From 2004-01-22 10:00 (UTC+1)
Valid Until 2014-01-27 11:00 (UTC+1)
Algorithm sha1_rsa
Serial Number 04 00 00 00 00 01 08 D9 61 24 48
Thumbprint 4A 19 14 6D 67 BD 20 84 3A 3A 07 13 58 75 57 BF 51 92 13 CC
Certificate: GlobalSign Primary Object Publishing CA
Issued by GlobalSign Primary Object Publishing CA
Parent Certificate GlobalSign Root CA
Country Name BE
Valid From 1999-01-28 13:00 (UTC+1)
Valid Until 2014-01-27 12:00 (UTC+1)
Algorithm sha1_rsa
Serial Number 04 00 00 00 00 01 08 D9 61 1C D6
Thumbprint 98 7F D0 00 DC B1 21 51 7D 72 45 3E E5 17 6E B9 2B 13 63 B9
Certificate: GlobalSign Root CA
Issued by GlobalSign Root CA
Country Name BE
Valid From 2006-05-23 19:00 (UTC+2)
Valid Until 2016-05-23 19:10 (UTC+2)
Algorithm sha1_rsa
Serial Number 61 0B 7F 6B 00 00 00 00 00 19
Thumbprint 3E EB 27 50 A1 99 F5 E7 B6 A8 95 24 30 BE 50 62 FE 04 E9 E5
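The report shows the driver's signature as Valid although every certificate in the chain expired years ago (the leaf on 2008-09-24, the root on 2016-05-23). That is normal for Authenticode: a signature that carries a timestamp countersignature keeps verifying after the signing certificate expires. The report does not display the timestamp itself, so the check below, an added example rather than anything from VMRay or OpenLibSys, is limited to what the page shows: it confirms that the PE compile timestamp (2008-07-26 15:29 UTC+2) falls inside every certificate's validity window, that each certificate's parent appears in the chain and the chain ends in a self-issued root, and it lists which certificates had expired by a reference date. The compile timestamp is a header field the builder controls, so this is a consistency check, not proof of signing time, and whether a kernel will still load a driver with this chain is decided by driver-signing policy, not by this check.

```python
"""Consistency checks on a code-signing chain as printed by a sandbox report (added example)."""
from datetime import datetime, timezone

# Transcribed from the report: (subject, parent, valid_from, valid_until).
# The report labels the subject field "Issued by"; the parent is its "Parent Certificate".
WINRING0_CHAIN = [
    ("Noriyuki MIYAZAKI", "GlobalSign ObjectSign CA",
     "2007-09-24 12:50 +02:00", "2008-09-24 12:50 +02:00"),
    ("GlobalSign ObjectSign CA", "GlobalSign Primary Object Publishing CA",
     "2004-01-22 10:00 +01:00", "2014-01-27 11:00 +01:00"),
    ("GlobalSign Primary Object Publishing CA", "GlobalSign Root CA",
     "1999-01-28 13:00 +01:00", "2014-01-27 12:00 +01:00"),
    ("GlobalSign Root CA", None,
     "2006-05-23 19:00 +02:00", "2016-05-23 19:10 +02:00"),
]
# PE header compile timestamp of WinRing0x64.sys, from the report.
COMPILE_TIME = "2008-07-26 15:29 +02:00"


def parse_ts(text):
    """'YYYY-MM-DD HH:MM +HH:MM' -> timezone-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M %z")


def utc(year, month, day):
    """Convenience constructor for an aware UTC reference date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def chain_issues(chain, signing_time):
    """Return a list of problems; an empty list means the chain is self-consistent at signing_time."""
    t = parse_ts(signing_time)
    subjects = {subject for subject, _, _, _ in chain}
    issues = []
    for subject, parent, not_before, not_after in chain:
        if not parse_ts(not_before) <= t <= parse_ts(not_after):
            issues.append(f"{subject}: signing time outside validity window")
        if parent is not None and parent not in subjects:
            issues.append(f"{subject}: parent {parent!r} not in chain")
    if chain and chain[-1][1] is not None:
        issues.append("chain does not terminate in a self-issued root")
    return issues


def expired_at(chain, when):
    """Subjects whose validity window had ended by `when` (an aware datetime)."""
    return [subject for subject, _, _, not_after in chain if parse_ts(not_after) < when]


if __name__ == "__main__":
    print("issues at compile time:", chain_issues(WINRING0_CHAIN, COMPILE_TIME) or "none")
    print("expired today:", expired_at(WINRING0_CHAIN, datetime.now(timezone.utc)))
```

At the compile timestamp the chain reports no issues; evaluated against a 2010 reference date only the leaf certificate has expired, and against any date after May 2016 all four have.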
c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\notifications\wpndatabase.db-wal Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 2.93 MB
MD5 d57bc3d970d7d9350d1d74e9a9abbcf4
SHA1 35233267e66b8831fd849cb8cfe46da7ff8ea4b9
SHA256 4d1dd315b78b6d3ab1a6bbd64acd522231215c4cf7e6e9356fe23672f267b4c4
SSDeep 6144:aCY86dlS7yq64Ffg7VZSDaeQZDve4qtMjjOzjaXgQjeXlUqzECA2y4n9TnR+gEyt:Edksj+j8jzuR+gEyo05W+O6
ImpHash -
c:\programdata\microsoft\network\downloader\edb.log Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.25 MB
MD5 e3a6fa5787d5bb684129446ad50a0d5b
SHA1 f5ec8f94f01f3fbd7e34b656e9ac26a22dc03a7f
SHA256 b27b2a975ad467a735c2680270c10afbbaaf04a8b38a2a5c7e369eedf457160e
SSDeep 1536:xJPOR1dPEBmHlvDul3u/ia+ciyzkOsK+4rO1P+9V4/56A:xJPORnDTDy1q4/56A
ImpHash -
c:\windows\system32\winevt\logs\application.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.06 MB
MD5 3b320e94bd472e160c143faffa825d50
SHA1 21a72ddaa705b021c638331fae8d7c008b8bd761
SHA256 b405130193b5c3e21954b931fc9c38f4d8d4cfc49a0ea0a5ed282599297f2b09
SSDeep 3072:Xz6/3lAzcocqcmL/olxcNcyVcFmMcKcNcViGBcTcNcrytLC8KAwcukc+cOcWMc8d:Z/olw
ImpHash -
c:\windows\system32\winevt\logs\system.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.06 MB
MD5 4235aac945e6ea33cc9fce33efe38365
SHA1 32dea66fb598be4235030d6608b1a9f795032ce7
SHA256 e44b9feeddca3d2ea3c08f0e39822f448226b96069a953d0d82bb73ae9ccdd22
SSDeep 1536:gkW/blLiCyjIr+76fSmacynEGxWZhRbd6a/wXh2S9qjKpaOt7xe6i1xfK2XyM91S:gkkblLiCyEprL/WzNxiFLTUIfxl6
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-storage-storport%4health.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.06 MB
MD5 706b506a09d178d7e61eec2f03fa566d
SHA1 797388a74bc008c54591990fe46a8979d29dc0e7
SHA256 3d0f0e88e804ea98635b235aa732601dc2ebbf2c20738d2c1407cd5a00170d40
SSDeep 384:/th8pIQpBqpB1pBupBVpBopBLpBmpB5LpB+pBbpBGpBVpBopB3pBapB/pBspBLp1:VOhGHJePiqRBFWrspq
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-storage-storport%4operational.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.06 MB
MD5 80fd613e0c81d0c07c381650335598b7
SHA1 f79744483c0734244e4305a48cdc909e767d6b87
SHA256 700e87284bf8d632e151f8010248b1b0e4c7d75f2184504f15dd463c83798a6e
SSDeep 1536:IuDRUFi+dPFIMK2sQaQQuq2o0GrUjzD+iVtM+q5LvUjzD+iVtM:2FI9r
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-wmi-activity%4operational.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.00 MB
MD5 dc9ba83a3e0e5901b08bf05eeb0697ef
SHA1 440b6279d32d1144de86ae7789052f7e0314a5cc
SHA256 eb6662b420b9913a884263376b0cddac1ad9a60c8502d959235d2176241c1e0d
SSDeep 384://h4RFRRObx3RurDRkmR51RdRjRxRSzvRhRnR9x6RgRqYRZxRRRaR7RDRLRWRaR0:Xthlhziooz1gLNjWKLrWO36+sB5T
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-wcmsvc%4operational.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 1.00 MB
MD5 e9870105a43c47aa566e3fbb26a4f9a0
SHA1 4312c75592c386dd3d50727e231f6d29bf75d6d4
SHA256 52a36e9b8b80b0051e87dcb935a274d4d03e19df86e57b605364a58ee6b58130
SSDeep 384:1ZhHhPhThAhVh4hqhNnbhthn+hBhyhVhrhUhohYh3hmhhh7h+h/hkhzhDhq/hw47:LWnBeWHgJsFkGNL0hsFk
ImpHash -
c:\windows\system32\perfstringbackup.ini Dropped File Stream
Clean
Also Known As c:\windows\system32\perfstringbackup.tmp (Dropped File)
MIME Type application/octet-stream
File Size 777.08 KB
MD5 4dd537f1ea92c248c3ee76e94eeaa7de
SHA1 d5a1afdd6e856fc15d54f09509544cc2148f503d
SHA256 34d047689cb731eead66c75e1daf1f2e0c6fd68155dd53dfd4fc352c39a4aa81
SSDeep 3072:NJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc76:A1nqgsp2gOKihb
ImpHash -
c:\programdata\microsoft\network\downloader\qmgr.db Dropped File Unknown
Clean
MIME Type application/x-ms-ese
File Size 768.00 KB
MD5 1ae3665dbfccacc965a5b5a91545ca8b
SHA1 924c504147434a7439cc39434d9b11e13975e798
SHA256 368434202c8c3e41feced015f7e55c16694a204689a08695684451ee98d9db74
SSDeep 384:ZvtW0StseCJ48jL4fW0StseCJ48jMTSjlK/wXsC1r:ZvJSB2iSB2ISjlK/wXsC1r
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-resource-exhaustion-detector%4operational.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 68.00 KB
MD5 2b0aa16d4b1823a121cb005c5b9fc443
SHA1 623926f69d802e7a9cdc34dcef7fb8267b8ccdca
SHA256 a32073074e7c98a97ad5e73cf3a923f114ab66993e9a1732ca4d40faca55d0ee
SSDeep 384:kHBhav2vEvuvsvBv2vavevMv3v1vrvovMv4vivzvfvUvnvHvPvzvRv6oHvVwvPvD:sB4
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-security-spp-ux-notifications%4actioncenter.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 68.00 KB
MD5 a1c735a307bb89613b7cbeedf967c56c
SHA1 5f3b78e33bf615de4f50b766cf0e3d51c0a6cdee
SHA256 bf43158c8a3bfeebb7bf1066e1e6cd5ff315feb45021fa88a9e91c268930c037
SSDeep 1536:0wVRFnaMVpk0klzXCVwYi6eCh15K39K+:
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-taskscheduler%4maintenance.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 68.00 KB
MD5 809cf0b51706446b168e8d5552885ba3
SHA1 e9f7ebb36a5da468bbbff75a8b58b92e32558adb
SHA256 79937c02c94cb6162edb647a1f29d3c6617d292f4ced22b263f93396b742a1ae
SSDeep 1536:RKCKAKsKjKJK3KYKVKMKyKCKyKjKEKwK/KhKiKGKUKmKKKkKNKnKSeKYKuUKicKV:RKCKAKsKjKJK3KYKVKMKyKCKyKjKEKwF
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-diagnosis-dps%4operational.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 68.00 KB
MD5 71c1ddba45b5394e7479c1c758ec446e
SHA1 37c145a8183df2033eff43cc6040b97035f7d22d
SHA256 ba1b2f4cbbb9edd38138d1c183143652cac8e1bee29e7517470f7c35c5b5c316
SSDeep 768:UTeUe1hnjAfJ8g7VJZB7JTROECWcjukdqe+ysAHLAwAeGYlj9ZdD:q
ImpHash -
c:\windows\system32\winevt\logs\microsoft-windows-kernel-pnp%4driver watchdog.evtx Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 68.00 KB
MD5 540b65dc57148f0d0faa8a3346bb68ce
SHA1 b5a6155e744701d266af0d26a128af58b146df8c
SHA256 8534891ff8f28d1628a922310641fcaf6d77bcfb976bdda9fe6774eaef5e91af
SSDeep 3:MgAWl1l0cQ7MfaltpRTtPl2tVRl/l:Mk8vMijRM
ImpHash -
c:\windows\inf\wmiaprpl\wmiaprpl.ini Dropped File Text
Clean
Known to be clean.
Also Known As c:\windows\system32\wbem\performance\wmiaprpl.ini (Dropped File)
c:\windows\system32\wbem\performance\wmiaprpl_new.ini (Dropped File)
MIME Type text/plain
File Size 29.03 KB
MD5 ffdeea82ba4a5a65585103dd2a922dfe
SHA1 094c3794503245cc7dfa9e222d3504f449a5400b
SHA256 c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SSDeep 384:eso3V1/z21+byTLVh4+rCop/g4kg4491T91XFrw4G4xvrtZ9dyu+2V0DrtcYkcTu:esoW/g4kg4oG4J
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
c:\programdata\microsoft\network\downloader\qmgr.jfm Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 16.00 KB
MD5 0f6caffdf84908c32130ba09a161ed14
SHA1 bfb49b3813b4fcc866f4fe9f1285041cae232b42
SHA256 cef3995a37b8c6bee82e7948fd548135b08dec35ba71e8fb40b1668df27fcecc
SSDeep 3:hlXppIDjtlu//7ZMkkvZyJigmANy//alleillllXl:h1pKj7uLZMkkvZyJigmANyeQid
ImpHash -
c:\windows\inf\wmiaprpl\wmiaprpl.h Dropped File Text
Clean
Known to be clean.
MIME Type text/plain
File Size 3.36 KB
MD5 b133a676d139032a27de3d9619e70091
SHA1 1248aa89938a13640252a79113930ede2f26f1fa
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SSDeep 48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
C:\Users\OqXZRaykm\Desktop\1.cmd Dropped File Text
Clean
Also Known As 1.cmd (Accessed File)
\\?\C:\Users\OqXZRaykm\Desktop\1.cmd (Accessed File)
MIME Type text/x-msdos-batch
File Size 183 Bytes
MD5 25dd5e79a650043821b67f5acd70ff92
SHA1 91ae7ca0f1f03ab364add8fed7b76b82c130405b
SHA256 c0b8774d6bdb8fe949a1e03352f43f7725399171adbd12bd6d8557a9bfb2c9ad
SSDeep 3:mKDDVBF//IyXI7ghKTEQfhX0dcVLKaEndoFemPkgU7rKtIMInvuZv:hyEIJT5fhXvVLKlQemFU7Oavgv
ImpHash -
c:\users\oqxzraykm\desktop\__tmp_rar_sfx_access_check_13795656 Dropped File Empty
Clean
Also Known As __tmp_rar_sfx_access_check_13795656 (Accessed File, Dropped File)
MIME Type application/x-empty
File Size 0 Bytes (not extracted)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
c:\windows\system32\perfh009.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 659.38 KB
MD5 c146afddee532240a480e79429e42d4c
SHA1 1e1ffe476cf77929da882bdff7ce417c6771b5ba
SHA256 b072e19af57494727c1fa78e2e6bd8fea07567b6d570fb1fba52e311736b5779
SSDeep 3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRa:78M6d0w+WB6X
ImpHash -
c:\windows\system32\perfh009.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 646.33 KB
MD5 e40274085a7456e341b393828a83a204
SHA1 b37899dbd6dc8da64b8ceb2afee684ee4471317c
SHA256 a4bbd4981bf03910e2a7ab2e87bd8b3415afbf371b56dd04ead9a4e6d9e10668
SSDeep 3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRJ:78M6d0w+WB6Q
ImpHash -
c:\windows\system32\perfc009.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 122.47 KB
MD5 a1c55f2a9c41899549af8593bf5e4ce7
SHA1 d8d4ca6afedc87e1bec3f819dba897095b6fea8e
SHA256 a57660cb5ec3beec908ee2fb8cbafded9afb23bd91d0273ccf31f17fe206ef1f
SSDeep 3072:XBnfw8ld9+mRDaUR28oV7TY+7S0bCDhUHL:c
ImpHash -
c:\windows\system32\perfc009.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 118.55 KB
MD5 ba6c49f98e2451a28974da13c598d0ea
SHA1 de82a1fcdd6b98c421a9cf36f4eb9dde6fe26859
SHA256 5d8988f2bcf7284cd96510e6735d7be5371103a83c85d04168d01f793becc960
SSDeep 1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwQ:XBnfw8ld9+mRDaUR28oV7TY+7S0bQ
ImpHash -
c:\programdata\microsoft\network\downloader\edb.chk Modified File Stream
Clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 f197f20530d397bf3bd8cd11dc296e9f
SHA1 9e25b90677f8ef81cf0955d11f9ba861a7d2e370
SHA256 f55911caf9f7fcebaef124d63942a6753027370ec04f8842485505c71761af71
SSDeep 12:zLaaD0JcaaD0JwQQHvLaaD0JcaaD0JwQQH:zLtgJctgJwXLtgJctgJw
ImpHash -
c:\programdata\microsoft\network\downloader\edb.chk Modified File Stream
Clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 a10e3769953977afb54b32e6307034b1
SHA1 bfabd6644ceee1715e91fd7847ccc929e733e8fe
SHA256 278a78e763bf40bf51eea886688c19e71959b93205a42721fd1efc18a0117394
SSDeep 12:1LaaD0JcaaD0JwQQlhLaaD0JcaaD0JwQQl:1LtgJctgJwzLtgJctgJw
ImpHash -
c:\programdata\microsoft\network\downloader\edb.chk Modified File Stream
Clean
MIME Type application/octet-stream
File Size 8.00 KB
MD5 8a6968f1c3d8332b906f81637fdb41a7
SHA1 7ccf6f07c01686d149c8a4441652378de15df656
SHA256 f4ccb76f8aa67b88212ad905153cfd4f7432c326a453eadf6f458c8ba6dbb913
SSDeep 12:JLaaD0JcaaD0JwQQRdLaaD0JcaaD0JwQQR:JLtgJctgJwnLtgJctgJw
ImpHash -
c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask Modified File Text
Clean
MIME Type text/xml
File Size 4.57 KB
MD5 3e95905b4b81d4962de058a04a26efb0
SHA1 cecafac27e9e3b23d6f3afaf4442aafb6e4b363b
SHA256 1c3bb1a35e8514323bd820b6e04969b5e4b5a593e977ef626b1da3eb6a672a31
SSDeep 96:pYMguQII4i26h4aGdinipV9ll7UY5HAmzQ+:9A42/xne7HO+
ImpHash -
6f86849b026f0c45c0c8a1145048960bbdefdaea3beac030f114b1ff16057994 Extracted File Image
Clean
Parent File C:\Users\OqXZRaykm\Desktop\OKLA.exe
MIME Type image/png
File Size 15.36 KB
MD5 7b678b6cb96c363d9e0adc3a1b3b4893
SHA1 c7e817672b686eb66bf5907da1efaef1dec8e06e
SHA256 6f86849b026f0c45c0c8a1145048960bbdefdaea3beac030f114b1ff16057994
SSDeep 384:cCVOnt2MQzUHLz8NE/IEToowoF9VCN6eqiRYSSSSHDNMPi:wZuMv8EIETxryMZDN3
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
1027b3001f02a641e63f0f8890d8c241a96ad9f9b6f51ac18f1708e0b9b153e2 Extracted File Image
Clean
Parent File C:\Users\OqXZRaykm\Desktop\xmrig.exe
MIME Type image/png
File Size 6.24 KB
MD5 d2b3b44dd5992d99b061cec9f87c5e3b
SHA1 694991076e6bd92f29800d5f4fd4b136e9583a03
SHA256 1027b3001f02a641e63f0f8890d8c241a96ad9f9b6f51ac18f1708e0b9b153e2
SSDeep 192:cpIADVqc29SUu1hqr2QTLpaNfnVWnvK4NhzC5Zaw4819E:cpBDEpIU8hqrtv4N4to5Zaw4819E
ImpHash -
27d3a1a2da49dc535cc10806abaae9dfa49e4f5f44a40540ead50e065b99ca68 Extracted File Image
Clean
Parent File C:\Users\OqXZRaykm\Desktop\OKLA.exe
MIME Type image/png
File Size 5.41 KB
MD5 e6ccfb6d9ffd4e1a907a47761c64bd79
SHA1 d6a2994dedae3527a878140aa60dcaa087b90445
SHA256 27d3a1a2da49dc535cc10806abaae9dfa49e4f5f44a40540ead50e065b99ca68
SSDeep 96:ioA0HldODFNSZCbgEZohRodU3vMg2vLWT3m5RQgVH0SmAMPzzZ2OC9vd/GrW4jD/:FlkDFNSWggWf3ILWTeMPzzZc9vd/yWe
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
a91f4373ceebadfc70b3bd0758848918f928c3c76562e3d9d531574796fd9e9c Extracted File Image
Clean
Known to be clean.
Parent File C:\Users\OqXZRaykm\Desktop\OKLA.exe
MIME Type image/png
File Size 2.81 KB
MD5 63486a769bbe3f49d5848b9c69734a25
SHA1 e48bd36c2f23c238206bdddf3ebb6d6862905710
SHA256 a91f4373ceebadfc70b3bd0758848918f928c3c76562e3d9d531574796fd9e9c
SSDeep 48:Tppthbcpv0j+3MIG68XIZm2iVAMd+1pzX7JGkVdxU6UPyoarDZICZXBIYB8bn0eP:7bev0j+3r0JCM8zb7JGkhU68yoanZHZc
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.