Malicious
Classifications

Spyware

Threat Names

Shifu Mal/Generic-S Mal/HTMLGen-A

Remarks (2/3)

(0x02000008): One or more processes crashed during the analysis. Analysis results may be incomplete.

(0x0200000E): The overall sleep time of all monitored processes was truncated from "9 minutes, 58 seconds" to "1 second" to reveal dormant functionality.

File Name Category Type Verdict
C:\Users\RDhJ0CNFevzX\Desktop\SWADeuXYd4aFDlHb.exe Sample File Binary Malicious
Also Known As C:\Users\RDHJ0C~1\AppData\Local\Temp\3620.tmp (Dropped File, Accessed File)
C:\Windows\apppatch\svchost.exe (Dropped File, Accessed File)
c:\windows\apppatch\svchost.exe (Dropped File, Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 244.00 KB
MD5 eb0e4e01b04903bc280f77bafd5f419b
SHA1 7ef0ec986c6884b1c3e18be106b00fccbcc9de49
SHA256 653aaf2f217299f4b29e45ee3551b2e3c92219456f5ad75382cba93c0e4ad67b
SSDeep 6144:kEXlSylvFuWaS54hIAv/QhuA7HY8pPZ0FP6BzxM5EmX:RAylvv5YRwh9HYd61xhmX
ImpHash 25724a12bec6f765c371201f99ac92be
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x00401000
Size Of Code 0x00002A00
Size Of Initialized Data 0x00037E00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 1996-01-22 18:41 (UTC+1)
Version Information (6)
FileVersion 0.2.3.1
ProductVersion 6.3.1.0
FileDescription Sarmatic
CompanyName Symantec Corporation
LegalCopyright Anatox
ProductName unrepellent
Sections (8)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.<9;kn% 0x00401000 0x000031A0 0x00002A00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.14
.E 0x00405000 0x000078A4 0x00000600 0x00002E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.59
.0<+' 0x0040D000 0x00000EA4 0x00001000 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 6.99
.< 0x0040E000 0x00002137 0x00000400 0x00004400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.34
.FpFJb 0x00411000 0x0000CF7D 0x00000C00 0x00004800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.01
.(c1$7 0x0041E000 0x00000FD9 0x00000400 0x00005400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.99
.rsrc 0x0041F000 0x00034EDC 0x00035000 0x00005800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.05
.reloc 0x00454000 0x00015000 0x00000400 0x0003A800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.09
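The section table above is where the static picture of this sample is most telling: four of the eight section names are not the printable names a linker emits, several sections reserve far more virtual than raw space, and the writable data section at 0x0040D000 has an entropy of 6.99. The Python below is an added example, not VMRay output and not code from the sample's author: it encodes the table as printed and runs the checks an analyst would make on it (garbage names, W+X flags, virtual/raw size gaps, high entropy, entry-point placement, and the overlay left after the last section, which is where a signed PE keeps the Authenticode blob described further down). The 4x size ratio and the 6.9 entropy threshold are heuristic choices of this example; the "244.00 KB" file size is rounded in the report, so the overlay figure is approximate; the entry point is read as a VA, like the section addresses.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int      # virtual address as printed (image base 0x00400000 already added)
    vsize: int
    rawsize: int
    rawoff: int
    flags: tuple    # IMAGE_SCN_* names without the prefix
    entropy: float  # the report's Entropy column (bits per byte of the raw section data)


# The sample's section table, copied from the report (constructed from the page).
REPORT_SECTIONS = (
    Section(".<9;kn%", 0x00401000, 0x31A0, 0x2A00, 0x0400, ("CNT_CODE", "MEM_EXECUTE", "MEM_READ"), 6.14),
    Section(".E", 0x00405000, 0x78A4, 0x0600, 0x2E00, ("CNT_INITIALIZED_DATA", "MEM_READ"), 0.59),
    Section(".0<+'", 0x0040D000, 0x0EA4, 0x1000, 0x3400, ("CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"), 6.99),
    Section(".<", 0x0040E000, 0x2137, 0x0400, 0x4400, ("CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"), 1.34),
    Section(".FpFJb", 0x00411000, 0xCF7D, 0x0C00, 0x4800, ("CNT_INITIALIZED_DATA", "MEM_READ"), 5.01),
    Section(".(c1$7", 0x0041E000, 0x0FD9, 0x0400, 0x5400, ("CNT_INITIALIZED_DATA", "MEM_READ"), 5.99),
    Section(".rsrc", 0x0041F000, 0x34EDC, 0x35000, 0x5800, ("CNT_INITIALIZED_DATA", "MEM_READ"), 6.05),
    Section(".reloc", 0x00454000, 0x15000, 0x0400, 0x3A800, ("CNT_INITIALIZED_DATA", "MEM_DISCARDABLE", "MEM_READ"), 6.09),
)

ENTRY_POINT = 0x00401000   # report's Entry Point, read as a VA like the section addresses (assumption)
FILE_SIZE = 244 * 1024     # report says "244.00 KB"; rounded, so overlay arithmetic is approximate

# Characters that appear in section names produced by mainstream linkers (.text, .rdata, CODE, .idata, ...).
NAME_ALPHABET = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
HIGH_ENTROPY = 6.9         # heuristic threshold: compressed/encrypted data sits near 8.0, plain x86 code around 6


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0), the measure behind the report's Entropy column; for when you hold the raw file."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def overlay_bytes(sections, file_size=FILE_SIZE) -> int:
    """Bytes past the end of the last section's raw data; the Authenticode certificate table lives there."""
    end = max(s.rawoff + s.rawsize for s in sections)
    return max(file_size - end, 0)


def triage_sections(sections=REPORT_SECTIONS, entry_point=ENTRY_POINT, file_size=FILE_SIZE):
    """Return (section, code, detail) findings for the usual static red flags."""
    findings = []
    for s in sections:
        if any(c not in NAME_ALPHABET for c in s.name):
            findings.append((s.name, "name", "non-standard section name, typical of a packer or obfuscator"))
        if "MEM_EXECUTE" in s.flags and "MEM_WRITE" in s.flags:
            findings.append((s.name, "wx", "section is both writable and executable"))
        if s.vsize > 4 * s.rawsize and s.vsize - s.rawsize >= 0x1000:
            findings.append((s.name, "vsize", f"virtual size 0x{s.vsize:X} far exceeds raw size 0x{s.rawsize:X}: "
                                              "room reserved for data produced at run time"))
        if s.entropy >= HIGH_ENTROPY:
            findings.append((s.name, "entropy", f"entropy {s.entropy:.2f}: compressed or encrypted content"))
    holder = next((s for s in sections if s.vaddr <= entry_point < s.vaddr + max(s.vsize, s.rawsize)), None)
    if holder is None:
        findings.append(("<header>", "ep", "entry point lies outside every section"))
    elif "MEM_EXECUTE" not in holder.flags:
        findings.append((holder.name, "ep", "entry point lies in a non-executable section"))
    extra = overlay_bytes(sections, file_size)
    if extra:
        findings.append(("<overlay>", "overlay", f"about 0x{extra:X} bytes after the last section; "
                                                  "a signed PE keeps its certificate table here"))
    return findings


if __name__ == "__main__":
    for section, code, detail in triage_sections():
        print(f"{section!r:12} {code:8} {detail}")
```

Run against the table as printed, the script flags the four unprintable names, the size gap in .E, .<, .FpFJb and .reloc, the 6.99 entropy of the writable section, and roughly 0x2400 bytes of overlay; it raises nothing for the entry point, which sits at the start of the only executable section.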
Imports (5)
kernel32.dll (50)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetNumberFormatA - 0x00411000 0x0001121C 0x00004A1C 0x00000035
SetEvent - 0x00411004 0x00011220 0x00004A20 0x0000006E
FindResourceA - 0x00411008 0x00011224 0x00004A24 0x0000002B
GetExpandedNameW - 0x0041100C 0x00011228 0x00004A28 0x0000000C
GetFileTime - 0x00411010 0x0001122C 0x00004A2C 0x0000007F
RaiseException - 0x00411014 0x00011230 0x00004A30 0x00000031
GetTempPathW - 0x00411018 0x00011234 0x00004A34 0x00000052
FileTimeToDosDateTime - 0x0041101C 0x00011238 0x00004A38 0x0000001B
GetStringTypeA - 0x00411020 0x0001123C 0x00004A3C 0x0000001E
SearchPathW - 0x00411024 0x00011240 0x00004A40 0x00000045
GetTempPathA - 0x00411028 0x00011244 0x00004A44 0x00000006
GetFileAttributesW - 0x0041102C 0x00011248 0x00004A48 0x00000056
SetCalendarInfoA - 0x00411030 0x0001124C 0x00004A4C 0x00000079
GetVersion - 0x00411034 0x00011250 0x00004A50 0x0000004F
CreateMailslotW - 0x00411038 0x00011254 0x00004A54 0x0000004C
lstrlenA - 0x0041103C 0x00011258 0x00004A58 0x00000030
EnumTimeFormatsW - 0x00411040 0x0001125C 0x00004A5C 0x00000049
VirtualAlloc - 0x00411044 0x00011260 0x00004A60 0x0000006C
EnumCalendarInfoA - 0x00411048 0x00011264 0x00004A64 0x00000005
GetEnvironmentStringsW - 0x0041104C 0x00011268 0x00004A68 0x0000003D
SetLastError - 0x00411050 0x0001126C 0x00004A6C 0x0000000D
GetCurrentProcess - 0x00411054 0x00011270 0x00004A70 0x00000055
ConnectNamedPipe - 0x00411058 0x00011274 0x00004A74 0x0000004D
GetModuleFileNameW - 0x0041105C 0x00011278 0x00004A78 0x0000002D
lstrcpynA - 0x00411060 0x0001127C 0x00004A7C 0x00000041
GetCurrentThread - 0x00411064 0x00011280 0x00004A80 0x00000044
WaitForSingleObject - 0x00411068 0x00011284 0x00004A84 0x00000032
GlobalGetAtomNameA - 0x0041106C 0x00011288 0x00004A88 0x00000013
OpenFile - 0x00411070 0x0001128C 0x00004A8C 0x0000006F
GetTempFileNameW - 0x00411074 0x00011290 0x00004A90 0x0000005B
ReplaceFileA - 0x00411078 0x00011294 0x00004A94 0x00000003
OpenMutexW - 0x0041107C 0x00011298 0x00004A98 0x00000025
CreateDirectoryA - 0x00411080 0x0001129C 0x00004A9C 0x00000044
AddAtomW - 0x00411084 0x000112A0 0x00004AA0 0x00000009
GetCurrentProcessId - 0x00411088 0x000112A4 0x00004AA4 0x00000050
GetStringTypeW - 0x0041108C 0x000112A8 0x00004AA8 0x00000010
OpenMutexA - 0x00411090 0x000112AC 0x00004AAC 0x00000029
GetLongPathNameA - 0x00411094 0x000112B0 0x00004AB0 0x0000007F
CreateFiber - 0x00411098 0x000112B4 0x00004AB4 0x00000049
GetCurrentDirectoryW - 0x0041109C 0x000112B8 0x00004AB8 0x00000052
CreateEventA - 0x004110A0 0x000112BC 0x00004ABC 0x0000007A
SystemTimeToFileTime - 0x004110A4 0x000112C0 0x00004AC0 0x0000000F
GlobalDeleteAtom - 0x004110A8 0x000112C4 0x00004AC4 0x00000030
InitializeCriticalSection - 0x004110AC 0x000112C8 0x00004AC8 0x00000005
SuspendThread - 0x004110B0 0x000112CC 0x00004ACC 0x0000005B
GetDiskFreeSpaceW - 0x004110B4 0x000112D0 0x00004AD0 0x00000036
GetCurrentThreadId - 0x004110B8 0x000112D4 0x00004AD4 0x0000006F
CreateThread - 0x004110BC 0x000112D8 0x00004AD8 0x0000005F
SetComputerNameW - 0x004110C0 0x000112DC 0x00004ADC 0x0000005D
IsBadStringPtrA - 0x004110C4 0x000112E0 0x00004AE0 0x00000041
user32.dll (21)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InsertMenuItemW - 0x004110CC 0x000112E8 0x00004AE8 0x0000001A
ChildWindowFromPoint - 0x004110D0 0x000112EC 0x00004AEC 0x0000006C
GetMessageA - 0x004110D4 0x000112F0 0x00004AF0 0x00000079
GetWindowRgn - 0x004110D8 0x000112F4 0x00004AF4 0x00000048
DrawTextW - 0x004110DC 0x000112F8 0x00004AF8 0x0000002E
GetDC - 0x004110E0 0x000112FC 0x00004AFC 0x0000005C
IsDlgButtonChecked - 0x004110E4 0x00011300 0x00004B00 0x00000024
GetClassInfoA - 0x004110E8 0x00011304 0x00004B04 0x00000061
LoadCursorA - 0x004110EC 0x00011308 0x00004B08 0x00000028
CreateDialogParamW - 0x004110F0 0x0001130C 0x00004B0C 0x0000004D
CheckRadioButton - 0x004110F4 0x00011310 0x00004B10 0x0000006E
SetCursorPos - 0x004110F8 0x00011314 0x00004B14 0x0000002A
LoadImageA - 0x004110FC 0x00011318 0x00004B18 0x0000006E
SetWindowLongA - 0x00411100 0x0001131C 0x00004B1C 0x00000046
LoadMenuIndirectA - 0x00411104 0x00011320 0x00004B20 0x00000076
SetCapture - 0x00411108 0x00011324 0x00004B24 0x0000002B
CreateMenu - 0x0041110C 0x00011328 0x00004B28 0x00000063
EnableMenuItem - 0x00411110 0x0001132C 0x00004B2C 0x0000003C
CharNextW - 0x00411114 0x00011330 0x00004B30 0x0000000D
CheckDlgButton - 0x00411118 0x00011334 0x00004B34 0x0000006D
OpenWindowStationA - 0x0041111C 0x00011338 0x00004B38 0x00000005
GDI32.DLL (18)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetColorSpace - 0x00411124 0x00011340 0x00004B40 0x00000043
DeleteColorSpace - 0x00411128 0x00011344 0x00004B44 0x00000013
GetKerningPairsA - 0x0041112C 0x00011348 0x00004B48 0x00000005
CreateMetaFileA - 0x00411130 0x0001134C 0x00004B4C 0x0000004A
ColorCorrectPalette - 0x00411134 0x00011350 0x00004B50 0x00000031
GetCharWidthI - 0x00411138 0x00011354 0x00004B54 0x00000035
GetTextExtentExPointW - 0x0041113C 0x00011358 0x00004B58 0x0000006A
GetDCOrgEx - 0x00411140 0x0001135C 0x00004B5C 0x00000078
EnumFontFamiliesExW - 0x00411144 0x00011360 0x00004B60 0x00000022
GetClipRgn - 0x00411148 0x00011364 0x00004B64 0x00000042
GetCharWidth32W - 0x0041114C 0x00011368 0x00004B68 0x0000002D
CombineRgn - 0x00411150 0x0001136C 0x00004B6C 0x0000002C
GetEnhMetaFileDescriptionA - 0x00411154 0x00011370 0x00004B70 0x0000002C
SelectObject - 0x00411158 0x00011374 0x00004B74 0x00000021
UpdateICMRegKeyA - 0x0041115C 0x00011378 0x00004B78 0x0000003A
GetClipBox - 0x00411160 0x0001137C 0x00004B7C 0x0000002F
CreateDIBPatternBrushPt - 0x00411164 0x00011380 0x00004B80 0x00000055
GetTextMetricsW - 0x00411168 0x00011384 0x00004B84 0x00000077
advapi32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IsValidAcl - 0x00411170 0x0001138C 0x00004B8C 0x00000040
RegDeleteValueW - 0x00411174 0x00011390 0x00004B90 0x0000004A
RegRestoreKeyA - 0x00411178 0x00011394 0x00004B94 0x0000002C
RegOpenKeyW - 0x0041117C 0x00011398 0x00004B98 0x0000005B
ole32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoGetPSClsid - 0x00411184 0x000113A0 0x00004BA0 0x00000051
CoDeactivateObject - 0x00411188 0x000113A4 0x00004BA4 0x00000047
OleCreateEx - 0x0041118C 0x000113A8 0x00004BA8 0x0000003F
CLSIDFromProgID - 0x00411190 0x000113AC 0x00004BAC 0x00000024
CoGetCallerTID - 0x00411194 0x000113B0 0x00004BB0 0x00000076
OleUninitialize - 0x00411198 0x000113B4 0x00004BB4 0x0000002B
CreateFileMoniker - 0x0041119C 0x000113B8 0x00004BB8 0x0000003C
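Both the sample and the dropped C:\Windows\apppatch\svchost.exe carry the ImpHash 25724a12bec6f765c371201f99ac92be although their MD5/SHA values differ, which is what the hash is for: it depends only on the import table, not on the bytes around it. The Python below is an added example, not part of the report and not VMRay's code. It recomputes an ImpHash from the five tables above with the recipe pefile popularised (library name lower-cased with its .dll/.ocx/.sys extension removed, a dot, the symbol lower-cased, entries comma-joined in import-table order, MD5 over the result). It assumes those tables are the complete import table in original order; whether the output equals the report's value rests on that assumption. The reordered() helper shows how cheaply an author can change the hash while keeping the same API surface, which is the caveat to keep in mind when pivoting on it.

```python
import hashlib

# Import table as the report lists it, per DLL and in IAT order (constructed from the page).
REPORT_IMPORTS = (
    ("kernel32.dll", """GetNumberFormatA SetEvent FindResourceA GetExpandedNameW GetFileTime RaiseException
        GetTempPathW FileTimeToDosDateTime GetStringTypeA SearchPathW GetTempPathA GetFileAttributesW
        SetCalendarInfoA GetVersion CreateMailslotW lstrlenA EnumTimeFormatsW VirtualAlloc EnumCalendarInfoA
        GetEnvironmentStringsW SetLastError GetCurrentProcess ConnectNamedPipe GetModuleFileNameW lstrcpynA
        GetCurrentThread WaitForSingleObject GlobalGetAtomNameA OpenFile GetTempFileNameW ReplaceFileA
        OpenMutexW CreateDirectoryA AddAtomW GetCurrentProcessId GetStringTypeW OpenMutexA GetLongPathNameA
        CreateFiber GetCurrentDirectoryW CreateEventA SystemTimeToFileTime GlobalDeleteAtom
        InitializeCriticalSection SuspendThread GetDiskFreeSpaceW GetCurrentThreadId CreateThread
        SetComputerNameW IsBadStringPtrA""".split()),
    ("user32.dll", """InsertMenuItemW ChildWindowFromPoint GetMessageA GetWindowRgn DrawTextW GetDC
        IsDlgButtonChecked GetClassInfoA LoadCursorA CreateDialogParamW CheckRadioButton SetCursorPos
        LoadImageA SetWindowLongA LoadMenuIndirectA SetCapture CreateMenu EnableMenuItem CharNextW
        CheckDlgButton OpenWindowStationA""".split()),
    ("GDI32.DLL", """GetColorSpace DeleteColorSpace GetKerningPairsA CreateMetaFileA ColorCorrectPalette
        GetCharWidthI GetTextExtentExPointW GetDCOrgEx EnumFontFamiliesExW GetClipRgn GetCharWidth32W
        CombineRgn GetEnhMetaFileDescriptionA SelectObject UpdateICMRegKeyA GetClipBox
        CreateDIBPatternBrushPt GetTextMetricsW""".split()),
    ("advapi32.dll", "IsValidAcl RegDeleteValueW RegRestoreKeyA RegOpenKeyW".split()),
    ("ole32.dll", """CoGetPSClsid CoDeactivateObject OleCreateEx CLSIDFromProgID CoGetCallerTID
        OleUninitialize CreateFileMoniker""".split()),
)


def import_entries(imports):
    """Normalise every import to 'library.symbol' the way the ImpHash recipe does: library lower-cased with a
    .dll/.ocx/.sys extension stripped, symbol lower-cased, import-table order preserved."""
    entries = []
    for lib, symbols in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        entries.extend(f"{lib}.{sym.lower()}" for sym in symbols)
    return entries


def imphash(imports) -> str:
    """MD5 of the comma-joined normalised entries; this is what the report's ImpHash field holds."""
    return hashlib.md5(",".join(import_entries(imports)).encode("ascii")).hexdigest()


def reordered(imports):
    """Same DLLs and symbols, first two symbols of every DLL swapped: the program's API surface is unchanged,
    the ImpHash is not."""
    return tuple((lib, [*syms[1:2], *syms[0:1], *syms[2:]]) for lib, syms in imports)


if __name__ == "__main__":
    print("entries :", len(import_entries(REPORT_IMPORTS)))
    print("imphash :", imphash(REPORT_IMPORTS))
    print("swapped :", imphash(reordered(REPORT_IMPORTS)))
```

Compare the printed imphash with the report's 25724a12bec6f765c371201f99ac92be; a match confirms the listing above is the full table in its original order, a mismatch means an entry is missing or displaced rather than that the recipe differs. DLL-name case does not matter (GDI32.DLL and gdi32.dll hash identically), symbol order does.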
Digital Signature Information
Verification Status Failed
Certificate: BITDEFENDER LLC
Issued by BITDEFENDER LLC
Parent Certificate VeriSign Class 3 Code Signing 2009-2 CA
Country Name US
Valid From 2010-01-20 01:00 (UTC+1)
Valid Until 2012-01-25 00:59 (UTC+1)
Algorithm sha1_rsa
Serial Number 1C 2D D6 1A 35 E6 5D F6 29 97 01 FF 9B E5 CA 44
Thumbprint 67 06 86 73 74 A5 CB 35 51 4C 8C 61 A6 3D 46 B4 F6 74 AF E5
Certificate: VeriSign Class 3 Code Signing 2009-2 CA
Issued by VeriSign Class 3 Code Signing 2009-2 CA
Parent Certificate None
Country Name US
Valid From 2009-05-21 02:00 (UTC+2)
Valid Until 2019-05-21 01:59 (UTC+2)
Algorithm sha1_rsa
Serial Number 65 52 26 E1 B2 2E 18 E1 59 0F 29 85 AC 22 E7 5C
Thumbprint 12 D4 87 2B C3 EF 01 9E 7E 0B 6F 13 24 80 AE 29 DB 5B 1C A3
Certificate: None
Issued by None
Country Name US
Valid From 1996-01-29 01:00 (UTC+1)
Valid Until 2028-08-02 01:59 (UTC+2)
Algorithm md2_rsa
Serial Number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
Thumbprint 74 2C 31 92 E6 07 E4 24 EB 45 49 54 2B E1 BB C5 3E 61 74 E2
Memory Dumps (72)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
swadeuxyd4afdlhb.exe 1 0x00400000 0x00468FFF Relevant Image False 32-bit 0x00402294 False
buffer 1 0x00540000 0x005A7FFF First Execution False 32-bit 0x00540000 False
swadeuxyd4afdlhb.exe 1 0x00400000 0x00468FFF Content Changed False 32-bit 0x00402780 False
swadeuxyd4afdlhb.exe 1 0x00400000 0x00468FFF Process Termination False 32-bit - False
svchost.exe 2 0x00400000 0x00468FFF Relevant Image False 32-bit 0x00402294 False
buffer 2 0x00530000 0x00597FFF First Execution False 32-bit 0x00530000 False
svchost.exe 2 0x00400000 0x00468FFF Content Changed False 32-bit 0x00402780 False
buffer 2 0x02020000 0x02069FFF First Execution False 32-bit 0x02021360 False
buffer 2 0x02110000 0x02167FFF First Execution False 32-bit 0x02122A80 False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x0212F7B0 False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x0214A588 False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x0211F850 False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x02120920 False
buffer 2 0x02DF8000 0x02DFFFFF First Network Behavior False 32-bit - False
buffer 2 0x02CF8000 0x02CFFFFF First Network Behavior False 32-bit - False
buffer 2 0x02BF8000 0x02BFFFFF First Network Behavior False 32-bit - False
buffer 2 0x02AF8000 0x02AFFFFF First Network Behavior False 32-bit - False
buffer 2 0x028F8000 0x028FFFFF First Network Behavior False 32-bit - False
buffer 2 0x029F8000 0x029FFFFF First Network Behavior False 32-bit - False
buffer 2 0x00197000 0x0019FFFF First Network Behavior False 32-bit - False
buffer 2 0x00530000 0x00597FFF First Network Behavior False 32-bit - False
buffer 2 0x00723C58 0x00723D87 First Network Behavior False 32-bit - False
buffer 2 0x02020000 0x02069FFF First Network Behavior False 32-bit - False
buffer 2 0x02110000 0x02167FFF First Network Behavior False 32-bit - False
buffer 2 0x02E01000 0x02E3E00F First Network Behavior False 32-bit - False
svchost.exe 2 0x00400000 0x00468FFF First Network Behavior False 32-bit - False
svchost.exe 2 0x00400000 0x00468FFF Final Dump False 32-bit - False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x0212098E False
svchost.exe 18 0x00400000 0x00468FFF Relevant Image False 32-bit 0x00402294 False
buffer 18 0x00470000 0x004D7FFF First Execution False 32-bit 0x00470000 False
svchost.exe 18 0x00400000 0x00468FFF Content Changed False 32-bit 0x00402780 False
buffer 18 0x02020000 0x02069FFF First Execution False 32-bit 0x02021360 False
buffer 18 0x02110000 0x02167FFF First Execution False 32-bit 0x02122A80 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x0214A588 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x021224F4 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x0211F850 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x0211E900 False
buffer 18 0x006E0000 0x006E0FFF Content Changed False 32-bit - False
buffer 18 0x006E0000 0x006E0FFF Marked Executable False 32-bit - False
buffer 18 0x006F0000 0x006F0FFF Marked Executable False 32-bit - False
buffer 18 0x006F0000 0x006F0FFF Content Changed False 32-bit - False
buffer 18 0x006E0000 0x006E0FFF Content Changed False 32-bit - False
buffer 18 0x020F0000 0x020F0FFF Marked Executable False 32-bit - False
buffer 18 0x020F0000 0x020F0FFF Content Changed False 32-bit - False
user32.dll 18 0x75E30000 0x75F76FFF Content Changed False 32-bit - False
buffer 18 0x02170000 0x02170FFF Content Changed False 32-bit - False
buffer 18 0x02170000 0x02170FFF Marked Executable False 32-bit - False
buffer 18 0x02190000 0x02190FFF Marked Executable False 32-bit - False
buffer 18 0x02190000 0x02190FFF Content Changed False 32-bit - False
buffer 18 0x02170000 0x02170FFF Content Changed False 32-bit - False
buffer 18 0x021A0000 0x021A0FFF Marked Executable False 32-bit - False
buffer 18 0x021A0000 0x021A0FFF Content Changed False 32-bit - False
user32.dll 18 0x75E30000 0x75F76FFF Content Changed False 32-bit - False
buffer 18 0x021B0000 0x021B0FFF Content Changed False 32-bit - False
buffer 18 0x021B0000 0x021B0FFF Marked Executable False 32-bit - False
buffer 18 0x021C0000 0x021C0FFF Marked Executable False 32-bit - False
buffer 18 0x021C0000 0x021C0FFF Content Changed False 32-bit - False
buffer 18 0x021B0000 0x021B0FFF Content Changed False 32-bit - False
buffer 18 0x021D0000 0x021D0FFF Marked Executable False 32-bit - False
buffer 18 0x021D0000 0x021D0FFF Content Changed False 32-bit - False
user32.dll 18 0x75E30000 0x75F76FFF Content Changed False 32-bit - False
buffer 18 0x021E0000 0x021E0FFF Content Changed False 32-bit - False
buffer 18 0x021E0000 0x021E0FFF Marked Executable False 32-bit - False
buffer 18 0x021F0000 0x021F0FFF Marked Executable False 32-bit - False
buffer 18 0x021F0000 0x021F0FFF Content Changed False 32-bit - False
buffer 18 0x021E0000 0x021E0FFF Content Changed False 32-bit - False
buffer 18 0x02640000 0x02640FFF Marked Executable False 32-bit - False
buffer 18 0x02640000 0x02640FFF Content Changed False 32-bit - False
user32.dll 18 0x75E30000 0x75F76FFF First Execution False 32-bit 0x75E64EF0 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x02119FF0 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x021149A0 False
svchost.exe 18 0x00400000 0x00468FFF Final Dump False 32-bit - False
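Three patterns in the dump table deserve a second look: in PID 18 a private "buffer" page repeatedly goes through "Content Changed" and "Marked Executable", the mapped user32.dll is dumped for "Content Changed" several times and later for "First Execution" at 0x75E64EF0, and every "First Network Behavior" row belongs to the svchost.exe processes (PID 2), none to the original sample (PID 1). The Python below is an added example, not VMRay code: it replays a subset of the rows above and emits the findings an analyst would pull out of them. Treating row order as chronological, and reading a DLL image that changes in memory as an inline-hook or IAT-patch candidate, are this example's assumptions, not statements the report makes.

```python
from collections import defaultdict

# Subset of the report's memory-dump rows, in the order listed (constructed from the page);
# columns: name, PID, start VA, end VA, dump reason, entry point (None where the report prints "-").
REPORT_DUMPS = (
    ("swadeuxyd4afdlhb.exe", 1, 0x00400000, 0x00468FFF, "Relevant Image", 0x00402294),
    ("buffer", 1, 0x00540000, 0x005A7FFF, "First Execution", 0x00540000),
    ("svchost.exe", 2, 0x00400000, 0x00468FFF, "Relevant Image", 0x00402294),
    ("buffer", 2, 0x00530000, 0x00597FFF, "First Execution", 0x00530000),
    ("buffer", 2, 0x02110000, 0x02167FFF, "First Execution", 0x02122A80),
    ("buffer", 2, 0x02110000, 0x02167FFF, "Content Changed", 0x0212F7B0),
    ("svchost.exe", 2, 0x00400000, 0x00468FFF, "First Network Behavior", None),
    ("buffer", 2, 0x02110000, 0x02167FFF, "First Network Behavior", None),
    ("svchost.exe", 18, 0x00400000, 0x00468FFF, "Relevant Image", 0x00402294),
    ("buffer", 18, 0x006E0000, 0x006E0FFF, "Content Changed", None),
    ("buffer", 18, 0x006E0000, 0x006E0FFF, "Marked Executable", None),
    ("buffer", 18, 0x006F0000, 0x006F0FFF, "Marked Executable", None),
    ("buffer", 18, 0x006F0000, 0x006F0FFF, "Content Changed", None),
    ("user32.dll", 18, 0x75E30000, 0x75F76FFF, "Content Changed", None),
    ("buffer", 18, 0x02170000, 0x02170FFF, "Content Changed", None),
    ("buffer", 18, 0x02170000, 0x02170FFF, "Marked Executable", None),
    ("user32.dll", 18, 0x75E30000, 0x75F76FFF, "Content Changed", None),
    ("user32.dll", 18, 0x75E30000, 0x75F76FFF, "First Execution", 0x75E64EF0),
)


def analyse_dumps(rows=REPORT_DUMPS):
    """Walk the dump rows in report order (assumed chronological) and return
    (code, pid, name, start_va, detail) findings."""
    findings = []
    history = defaultdict(list)   # (pid, start VA) -> dump reasons already seen for that region
    patched = set()               # (pid, module) already reported as modified
    wx_done = set()               # regions already reported for the write/execute pattern
    net_pids = set()              # processes already credited with network activity
    for name, pid, start, end, reason, entry in rows:
        key = (pid, start)
        seen = history[key]
        ep = f"0x{entry:08X}" if entry is not None else "-"
        private = name == "buffer"                # memory not backed by a file on disk
        module = name.lower().endswith(".dll")    # a DLL the loader mapped into the process
        if private and reason == "First Execution":
            findings.append(("private-exec", pid, name, start, f"code executed from private memory, entry {ep}"))
        if private and reason in ("Content Changed", "Marked Executable") and key not in wx_done:
            other = "Marked Executable" if reason == "Content Changed" else "Content Changed"
            if other in seen:
                wx_done.add(key)
                findings.append(("wx-staging", pid, name, start, "private region both written and made executable"))
        if module and reason == "Content Changed" and (pid, name) not in patched:
            patched.add((pid, name))
            findings.append(("module-patched", pid, name, start,
                             "mapped DLL modified in memory (inline hook or IAT patch candidate)"))
        if module and reason == "First Execution" and "Content Changed" in seen:
            findings.append(("patched-module-exec", pid, name, start,
                             f"execution observed inside an already modified module, at {ep}"))
        if reason == "First Network Behavior" and pid not in net_pids:
            net_pids.add(pid)
            findings.append(("network-origin", pid, name, start, "first network activity attributed to this process"))
        seen.append(reason)
    return findings


if __name__ == "__main__":
    for code, pid, name, start, detail in analyse_dumps():
        print(f"pid {pid:<3} {code:<20} {name:<22} 0x{start:08X}  {detail}")
```

On the subset above the walk reports three private regions executed (one in PID 1, two in PID 2), the network origin as PID 2's svchost.exe, three write-and-execute pages in PID 18, and user32.dll in PID 18 as modified and then executed; the same logic runs unchanged over the full 72-row table once it is pasted in.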
C:\Windows\apppatch\svchost.exe Dropped File Binary Malicious
Also Known As c:\windows\apppatch\svchost.exe (Dropped File, Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 244.00 KB
MD5 da8c3be4d58ad047970c788e7bb49024
SHA1 e7e0a3e4132950475d6f0486ad363351777a64b3
SHA256 2e2c0c7259f18dfe6d12999fac24fae3d56a9d9989a72afdceed123c891197eb
SSDeep 6144:xEXlSylvFuWaS54hIAv/QhuA7HY8pPZ0FP6BzxM5EmX:iAylvv5YRwh9HYd61xhmX
ImpHash 25724a12bec6f765c371201f99ac92be
PE Information
Image Base 0x00400000
Entry Point 0x00401000
Size Of Code 0x00002A00
Size Of Initialized Data 0x00037E00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 1996-01-22 18:41 (UTC+1)
Version Information (6)
FileVersion 0.2.3.1
ProductVersion 6.3.1.0
FileDescription Sarmatic
CompanyName Symantec Corporation
LegalCopyright Anatox
ProductName unrepellent
Sections (8)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.<9;kn% 0x00401000 0x000031A0 0x00002A00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.14
.E 0x00405000 0x000078A4 0x00000600 0x00002E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.59
.0<+' 0x0040D000 0x00000EA4 0x00001000 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 6.99
.< 0x0040E000 0x00002137 0x00000400 0x00004400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.34
.FpFJb 0x00411000 0x0000CF7D 0x00000C00 0x00004800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.01
.(c1$7 0x0041E000 0x00000FD9 0x00000400 0x00005400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.99
.rsrc 0x0041F000 0x00034EDC 0x00035000 0x00005800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.05
.reloc 0x00454000 0x00015000 0x00000400 0x0003A800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.09
Imports (5)
kernel32.dll (50)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetNumberFormatA - 0x00411000 0x0001121C 0x00004A1C 0x00000035
SetEvent - 0x00411004 0x00011220 0x00004A20 0x0000006E
FindResourceA - 0x00411008 0x00011224 0x00004A24 0x0000002B
GetExpandedNameW - 0x0041100C 0x00011228 0x00004A28 0x0000000C
GetFileTime - 0x00411010 0x0001122C 0x00004A2C 0x0000007F
RaiseException - 0x00411014 0x00011230 0x00004A30 0x00000031
GetTempPathW - 0x00411018 0x00011234 0x00004A34 0x00000052
FileTimeToDosDateTime - 0x0041101C 0x00011238 0x00004A38 0x0000001B
GetStringTypeA - 0x00411020 0x0001123C 0x00004A3C 0x0000001E
SearchPathW - 0x00411024 0x00011240 0x00004A40 0x00000045
GetTempPathA - 0x00411028 0x00011244 0x00004A44 0x00000006
GetFileAttributesW - 0x0041102C 0x00011248 0x00004A48 0x00000056
SetCalendarInfoA - 0x00411030 0x0001124C 0x00004A4C 0x00000079
GetVersion - 0x00411034 0x00011250 0x00004A50 0x0000004F
CreateMailslotW - 0x00411038 0x00011254 0x00004A54 0x0000004C
lstrlenA - 0x0041103C 0x00011258 0x00004A58 0x00000030
EnumTimeFormatsW - 0x00411040 0x0001125C 0x00004A5C 0x00000049
VirtualAlloc - 0x00411044 0x00011260 0x00004A60 0x0000006C
EnumCalendarInfoA - 0x00411048 0x00011264 0x00004A64 0x00000005
GetEnvironmentStringsW - 0x0041104C 0x00011268 0x00004A68 0x0000003D
SetLastError - 0x00411050 0x0001126C 0x00004A6C 0x0000000D
GetCurrentProcess - 0x00411054 0x00011270 0x00004A70 0x00000055
ConnectNamedPipe - 0x00411058 0x00011274 0x00004A74 0x0000004D
GetModuleFileNameW - 0x0041105C 0x00011278 0x00004A78 0x0000002D
lstrcpynA - 0x00411060 0x0001127C 0x00004A7C 0x00000041
GetCurrentThread - 0x00411064 0x00011280 0x00004A80 0x00000044
WaitForSingleObject - 0x00411068 0x00011284 0x00004A84 0x00000032
GlobalGetAtomNameA - 0x0041106C 0x00011288 0x00004A88 0x00000013
OpenFile - 0x00411070 0x0001128C 0x00004A8C 0x0000006F
GetTempFileNameW - 0x00411074 0x00011290 0x00004A90 0x0000005B
ReplaceFileA - 0x00411078 0x00011294 0x00004A94 0x00000003
OpenMutexW - 0x0041107C 0x00011298 0x00004A98 0x00000025
CreateDirectoryA - 0x00411080 0x0001129C 0x00004A9C 0x00000044
AddAtomW - 0x00411084 0x000112A0 0x00004AA0 0x00000009
GetCurrentProcessId - 0x00411088 0x000112A4 0x00004AA4 0x00000050
GetStringTypeW - 0x0041108C 0x000112A8 0x00004AA8 0x00000010
OpenMutexA - 0x00411090 0x000112AC 0x00004AAC 0x00000029
GetLongPathNameA - 0x00411094 0x000112B0 0x00004AB0 0x0000007F
CreateFiber - 0x00411098 0x000112B4 0x00004AB4 0x00000049
GetCurrentDirectoryW - 0x0041109C 0x000112B8 0x00004AB8 0x00000052
CreateEventA - 0x004110A0 0x000112BC 0x00004ABC 0x0000007A
SystemTimeToFileTime - 0x004110A4 0x000112C0 0x00004AC0 0x0000000F
GlobalDeleteAtom - 0x004110A8 0x000112C4 0x00004AC4 0x00000030
InitializeCriticalSection - 0x004110AC 0x000112C8 0x00004AC8 0x00000005
SuspendThread - 0x004110B0 0x000112CC 0x00004ACC 0x0000005B
GetDiskFreeSpaceW - 0x004110B4 0x000112D0 0x00004AD0 0x00000036
GetCurrentThreadId - 0x004110B8 0x000112D4 0x00004AD4 0x0000006F
CreateThread - 0x004110BC 0x000112D8 0x00004AD8 0x0000005F
SetComputerNameW - 0x004110C0 0x000112DC 0x00004ADC 0x0000005D
IsBadStringPtrA - 0x004110C4 0x000112E0 0x00004AE0 0x00000041
user32.dll (21)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InsertMenuItemW - 0x004110CC 0x000112E8 0x00004AE8 0x0000001A
ChildWindowFromPoint - 0x004110D0 0x000112EC 0x00004AEC 0x0000006C
GetMessageA - 0x004110D4 0x000112F0 0x00004AF0 0x00000079
GetWindowRgn - 0x004110D8 0x000112F4 0x00004AF4 0x00000048
DrawTextW - 0x004110DC 0x000112F8 0x00004AF8 0x0000002E
GetDC - 0x004110E0 0x000112FC 0x00004AFC 0x0000005C
IsDlgButtonChecked - 0x004110E4 0x00011300 0x00004B00 0x00000024
GetClassInfoA - 0x004110E8 0x00011304 0x00004B04 0x00000061
LoadCursorA - 0x004110EC 0x00011308 0x00004B08 0x00000028
CreateDialogParamW - 0x004110F0 0x0001130C 0x00004B0C 0x0000004D
CheckRadioButton - 0x004110F4 0x00011310 0x00004B10 0x0000006E
SetCursorPos - 0x004110F8 0x00011314 0x00004B14 0x0000002A
LoadImageA - 0x004110FC 0x00011318 0x00004B18 0x0000006E
SetWindowLongA - 0x00411100 0x0001131C 0x00004B1C 0x00000046
LoadMenuIndirectA - 0x00411104 0x00011320 0x00004B20 0x00000076
SetCapture - 0x00411108 0x00011324 0x00004B24 0x0000002B
CreateMenu - 0x0041110C 0x00011328 0x00004B28 0x00000063
EnableMenuItem - 0x00411110 0x0001132C 0x00004B2C 0x0000003C
CharNextW - 0x00411114 0x00011330 0x00004B30 0x0000000D
CheckDlgButton - 0x00411118 0x00011334 0x00004B34 0x0000006D
OpenWindowStationA - 0x0041111C 0x00011338 0x00004B38 0x00000005
GDI32.DLL (18)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetColorSpace - 0x00411124 0x00011340 0x00004B40 0x00000043
DeleteColorSpace - 0x00411128 0x00011344 0x00004B44 0x00000013
GetKerningPairsA - 0x0041112C 0x00011348 0x00004B48 0x00000005
CreateMetaFileA - 0x00411130 0x0001134C 0x00004B4C 0x0000004A
ColorCorrectPalette - 0x00411134 0x00011350 0x00004B50 0x00000031
GetCharWidthI - 0x00411138 0x00011354 0x00004B54 0x00000035
GetTextExtentExPointW - 0x0041113C 0x00011358 0x00004B58 0x0000006A
GetDCOrgEx - 0x00411140 0x0001135C 0x00004B5C 0x00000078
EnumFontFamiliesExW - 0x00411144 0x00011360 0x00004B60 0x00000022
GetClipRgn - 0x00411148 0x00011364 0x00004B64 0x00000042
GetCharWidth32W - 0x0041114C 0x00011368 0x00004B68 0x0000002D
CombineRgn - 0x00411150 0x0001136C 0x00004B6C 0x0000002C
GetEnhMetaFileDescriptionA - 0x00411154 0x00011370 0x00004B70 0x0000002C
SelectObject - 0x00411158 0x00011374 0x00004B74 0x00000021
UpdateICMRegKeyA - 0x0041115C 0x00011378 0x00004B78 0x0000003A
GetClipBox - 0x00411160 0x0001137C 0x00004B7C 0x0000002F
CreateDIBPatternBrushPt - 0x00411164 0x00011380 0x00004B80 0x00000055
GetTextMetricsW - 0x00411168 0x00011384 0x00004B84 0x00000077
advapi32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IsValidAcl - 0x00411170 0x0001138C 0x00004B8C 0x00000040
RegDeleteValueW - 0x00411174 0x00011390 0x00004B90 0x0000004A
RegRestoreKeyA - 0x00411178 0x00011394 0x00004B94 0x0000002C
RegOpenKeyW - 0x0041117C 0x00011398 0x00004B98 0x0000005B
ole32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoGetPSClsid - 0x00411184 0x000113A0 0x00004BA0 0x00000051
CoDeactivateObject - 0x00411188 0x000113A4 0x00004BA4 0x00000047
OleCreateEx - 0x0041118C 0x000113A8 0x00004BA8 0x0000003F
CLSIDFromProgID - 0x00411190 0x000113AC 0x00004BAC 0x00000024
CoGetCallerTID - 0x00411194 0x000113B0 0x00004BB0 0x00000076
OleUninitialize - 0x00411198 0x000113B4 0x00004BB4 0x0000002B
CreateFileMoniker - 0x0041119C 0x000113B8 0x00004BB8 0x0000003C
Digital Signature Information
Verification Status Failed
Certificate: BITDEFENDER LLC
Issued by BITDEFENDER LLC
Parent Certificate VeriSign Class 3 Code Signing 2009-2 CA
Country Name US
Valid From 2010-01-20 01:00 (UTC+1)
Valid Until 2012-01-25 00:59 (UTC+1)
Algorithm sha1_rsa
Serial Number 1C 2D D6 1A 35 E6 5D F6 29 97 01 FF 9B E5 CA 44
Thumbprint 67 06 86 73 74 A5 CB 35 51 4C 8C 61 A6 3D 46 B4 F6 74 AF E5
Certificate: VeriSign Class 3 Code Signing 2009-2 CA
Issued by VeriSign Class 3 Code Signing 2009-2 CA
Parent Certificate None
Country Name US
Valid From 2009-05-21 02:00 (UTC+2)
Valid Until 2019-05-21 01:59 (UTC+2)
Algorithm sha1_rsa
Serial Number 65 52 26 E1 B2 2E 18 E1 59 0F 29 85 AC 22 E7 5C
Thumbprint 12 D4 87 2B C3 EF 01 9E 7E 0B 6F 13 24 80 AE 29 DB 5B 1C A3
Certificate: None
Issued by None
Country Name US
Valid From 1996-01-29 01:00 (UTC+1)
Valid Until 2028-08-02 01:59 (UTC+2)
Algorithm md2_rsa
Serial Number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
Thumbprint 74 2C 31 92 E6 07 E4 24 EB 45 49 54 2B E1 BB C5 3E 61 74 E2
Memory Dumps (68)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
svchost.exe 2 0x00400000 0x00468FFF Relevant Image False 32-bit 0x00402294 False
buffer 2 0x00530000 0x00597FFF First Execution False 32-bit 0x00530000 False
svchost.exe 2 0x00400000 0x00468FFF Content Changed False 32-bit 0x00402780 False
buffer 2 0x02020000 0x02069FFF First Execution False 32-bit 0x02021360 False
buffer 2 0x02110000 0x02167FFF First Execution False 32-bit 0x02122A80 False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x0212F7B0 False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x0214A588 False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x0211F850 False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x02120920 False
buffer 2 0x02DF8000 0x02DFFFFF First Network Behavior False 32-bit - False
buffer 2 0x02CF8000 0x02CFFFFF First Network Behavior False 32-bit - False
buffer 2 0x02BF8000 0x02BFFFFF First Network Behavior False 32-bit - False
buffer 2 0x02AF8000 0x02AFFFFF First Network Behavior False 32-bit - False
buffer 2 0x028F8000 0x028FFFFF First Network Behavior False 32-bit - False
buffer 2 0x029F8000 0x029FFFFF First Network Behavior False 32-bit - False
buffer 2 0x00197000 0x0019FFFF First Network Behavior False 32-bit - False
buffer 2 0x00530000 0x00597FFF First Network Behavior False 32-bit - False
buffer 2 0x00723C58 0x00723D87 First Network Behavior False 32-bit - False
buffer 2 0x02020000 0x02069FFF First Network Behavior False 32-bit - False
buffer 2 0x02110000 0x02167FFF First Network Behavior False 32-bit - False
buffer 2 0x02E01000 0x02E3E00F First Network Behavior False 32-bit - False
svchost.exe 2 0x00400000 0x00468FFF First Network Behavior False 32-bit - False
svchost.exe 2 0x00400000 0x00468FFF Final Dump False 32-bit - False
buffer 2 0x02110000 0x02167FFF Content Changed False 32-bit 0x0212098E False
svchost.exe 18 0x00400000 0x00468FFF Relevant Image False 32-bit 0x00402294 False
buffer 18 0x00470000 0x004D7FFF First Execution False 32-bit 0x00470000 False
svchost.exe 18 0x00400000 0x00468FFF Content Changed False 32-bit 0x00402780 False
buffer 18 0x02020000 0x02069FFF First Execution False 32-bit 0x02021360 False
buffer 18 0x02110000 0x02167FFF First Execution False 32-bit 0x02122A80 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x0214A588 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x021224F4 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x0211F850 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x0211E900 False
buffer 18 0x006E0000 0x006E0FFF Content Changed False 32-bit - False
buffer 18 0x006E0000 0x006E0FFF Marked Executable False 32-bit - False
buffer 18 0x006F0000 0x006F0FFF Marked Executable False 32-bit - False
buffer 18 0x006F0000 0x006F0FFF Content Changed False 32-bit - False
buffer 18 0x006E0000 0x006E0FFF Content Changed False 32-bit - False
buffer 18 0x020F0000 0x020F0FFF Marked Executable False 32-bit - False
buffer 18 0x020F0000 0x020F0FFF Content Changed False 32-bit - False
user32.dll 18 0x75E30000 0x75F76FFF Content Changed False 32-bit - False
buffer 18 0x02170000 0x02170FFF Content Changed False 32-bit - False
buffer 18 0x02170000 0x02170FFF Marked Executable False 32-bit - False
buffer 18 0x02190000 0x02190FFF Marked Executable False 32-bit - False
buffer 18 0x02190000 0x02190FFF Content Changed False 32-bit - False
buffer 18 0x02170000 0x02170FFF Content Changed False 32-bit - False
buffer 18 0x021A0000 0x021A0FFF Marked Executable False 32-bit - False
buffer 18 0x021A0000 0x021A0FFF Content Changed False 32-bit - False
user32.dll 18 0x75E30000 0x75F76FFF Content Changed False 32-bit - False
buffer 18 0x021B0000 0x021B0FFF Content Changed False 32-bit - False
buffer 18 0x021B0000 0x021B0FFF Marked Executable False 32-bit - False
buffer 18 0x021C0000 0x021C0FFF Marked Executable False 32-bit - False
buffer 18 0x021C0000 0x021C0FFF Content Changed False 32-bit - False
buffer 18 0x021B0000 0x021B0FFF Content Changed False 32-bit - False
buffer 18 0x021D0000 0x021D0FFF Marked Executable False 32-bit - False
buffer 18 0x021D0000 0x021D0FFF Content Changed False 32-bit - False
user32.dll 18 0x75E30000 0x75F76FFF Content Changed False 32-bit - False
buffer 18 0x021E0000 0x021E0FFF Content Changed False 32-bit - False
buffer 18 0x021E0000 0x021E0FFF Marked Executable False 32-bit - False
buffer 18 0x021F0000 0x021F0FFF Marked Executable False 32-bit - False
buffer 18 0x021F0000 0x021F0FFF Content Changed False 32-bit - False
buffer 18 0x021E0000 0x021E0FFF Content Changed False 32-bit - False
buffer 18 0x02640000 0x02640FFF Marked Executable False 32-bit - False
buffer 18 0x02640000 0x02640FFF Content Changed False 32-bit - False
user32.dll 18 0x75E30000 0x75F76FFF First Execution False 32-bit 0x75E64EF0 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x02119FF0 False
buffer 18 0x02110000 0x02167FFF Content Changed False 32-bit 0x021149A0 False
svchost.exe 18 0x00400000 0x00468FFF Final Dump False 32-bit - False
a6b3385495f984f97fa17f7dc5c909d0c3321e0f60a4062b9c3c274a025e1439 Downloaded File Stream Clean
MIME Type application/octet-stream
File Size 100 Bytes
MD5 5da777be698326a898b41ce2fd0ff9ed
SHA1 526500d049225d0947b1eef018a9e2ec92d1f610
SHA256 a6b3385495f984f97fa17f7dc5c909d0c3321e0f60a4062b9c3c274a025e1439
SSDeep 3:TxJp6dPCAmGyBK4sF/a4tpiTmrN4QpAKSOObAey:UnmGkK4sFS4/iTmrN1scey
ImpHash -
e3592d0443cb72377ae15ca74b120113608d13c1dfa86a035e9faa07810573d3 Downloaded File Stream Clean
MIME Type application/octet-stream
File Size 85 Bytes
MD5 d636d62d95a00d0cc157814d079cff7c
SHA1 eb5b42f9ca8ec8e0404b6d55fa87b1c6290a3176
SHA256 e3592d0443cb72377ae15ca74b120113608d13c1dfa86a035e9faa07810573d3
SSDeep 3:fItO9Yn8V0ziVjmdVEz32/0Z8jKn:gtEn7cWzo0UKn
ImpHash -
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat Modified File Stream Clean
MIME Type application/octet-stream
File Size 128 Bytes
MD5 0c867aa43e5361f08a042bf95af1ee82
SHA1 152cb9fb7cf8f9e972036e17b5d6bef471a21903
SHA256 576a886c58290258cb3dbc3ee2bca0dfc7d8c0c0c7a8d388204819eed36c5253
SSDeep 3:Bl1Vl:
ImpHash -