edb1ff25...3eb9 | Files
VTI SCORE: 97/100
Target: win7_32_sp1 | exe
Classification: Trojan, Dropper, Pua

edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 (SHA256)

OlympicDestroyer.exe

Windows Exe (x86-32)

Created at 2018-03-15 15:14:00

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "1 hour" to "10 seconds" to reveal dormant functionality.

Files Information

Number of sample files submitted for analysis 1
Number of files created and extracted during analysis 8
Number of files modified and extracted during analysis 0
c:\users\eebsym5\desktop\OlympicDestroyer.exe, ...
Blacklisted
File Properties
Names c:\users\eebsym5\desktop\OlympicDestroyer.exe (Sample File)
c:\users\eebsym5\appdata\local\temp\_tqo.exe (Created File)
Size 1.78 MB
Hash Values MD5: cfdd16225e67471f5ef54cab9b3a5558
SHA1: 26de43cc558a4e0e60eddd4dc9321bcb5a0a181c
SHA256: edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
File Reputation Information
Information Value
Severity Blacklisted
Names Win32.Trojan.Olympicdestroyer
Families Olympicdestroyer
Classification Trojan
PE Information
Information Value
Image Base 0x400000
Entry Point 0x40ae66
Size Of Code 0x1d600
Size Of Initialized Data 0x1a9a00
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-12-27 12:44:47
Compiler/Packer Unknown
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1d4ac 0x1d600 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.65
.rdata 0x41f000 0x8bac 0x8c00 0x1da00 CNT_INITIALIZED_DATA, MEM_READ 5.46
.data 0x428000 0x96fc 0x8c00 0x26600 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 0.89
.gfids 0x432000 0x134 0x200 0x2f200 CNT_INITIALIZED_DATA, MEM_READ 2.38
.rsrc 0x433000 0x195b88 0x195c00 0x2f400 CNT_INITIALIZED_DATA, MEM_READ 8.0
.reloc 0x5c9000 0x1644 0x1800 0x1c5000 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 6.4
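The Entropy column in the sections tables on this page is Shannon entropy of each section's raw bytes, in bits per byte, and the row that matters is .rsrc: 8.0 over 0x195c00 bytes, in a binary that imports FindResourceW, LoadResource, SizeofResource and LockResource, is the profile of a dropper carrying encrypted payloads in its resource section (xtbrb.exe and ilvai.exe below show the same 8.0 .rsrc rows). A second figure worth reading off the tables is the overlay: the sections of _kog.exe end at 0x4d600 + 0x1800 = 0x4ee00 (315.5 KB) while the file is 331.15 KB, so about 16 KB sits past the last section, which on a signed binary is typically the Authenticode signature and on a dropper can be appended data. The script below is an added example, not VMRay's code and not part of the report: it parses the section table of a PE32 image, computes the same entropy figure, flags high-entropy sections (distinguishing packed code from embedded data), reads the COFF timestamp the report prints as Compile Timestamp, and measures the overlay. It assembles a constructed PE in memory so it runs offline; the 7.5 cut-off and the section contents of that constructed file are assumptions, and its timestamp is set to the value the report shows for OlympicDestroyer.exe.

```python
"""Section-entropy and overlay triage for a PE32 image (added example, stdlib only).
Entropy here is Shannon entropy of a section's raw bytes in bits per byte: 0.0 for
constant data, 8.0 when every byte value is equally frequent."""
import datetime
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
HIGH_ENTROPY = 7.5            # assumed triage cut-off: "looks encrypted or compressed"
COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte histogram ("0.0 - sum" keeps -0.0 out of the output)."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def _pe_offset(pe: bytes) -> int:
    """Follow e_lfanew to the PE signature, validating both magic values."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew

def compile_timestamp(pe: bytes) -> str:
    """COFF TimeDateStamp as UTC, in the format the report's Compile Timestamp uses."""
    stamp = struct.unpack_from(COFF_HDR, pe, _pe_offset(pe) + 4)[2]
    when = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S")

def parse_sections(pe: bytes) -> list:
    """COFF header -> skip the optional header -> section table, with raw-byte entropy."""
    coff = _pe_offset(pe) + 4
    hdr = struct.unpack_from(COFF_HDR, pe, coff)   # hdr[1] NumberOfSections, hdr[5] SizeOfOptionalHeader
    table, sections = coff + 20 + hdr[5], []
    for i in range(hdr[1]):
        name, vsize, va, rsize, roff, _, _, _, _, flags = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": rsize,
                         "raw_offset": roff, "flags": flags,
                         "entropy": shannon_entropy(pe[roff:roff + rsize])})
    return sections

def suspicious_sections(sections: list) -> list:
    """(name, entropy, kind) for sections at or above HIGH_ENTROPY: a hot code
    section points at a runtime unpacker, a hot data section at an embedded payload."""
    flagged = []
    for s in sections:
        if s["entropy"] >= HIGH_ENTROPY:
            code = s["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
            flagged.append((s["name"], round(s["entropy"], 2), "packed-code" if code else "embedded-data"))
    return flagged

def overlay_size(pe: bytes, sections: list) -> int:
    """Bytes after the last section's raw data; the loader never maps them."""
    end = max((s["raw_offset"] + s["raw_size"] for s in sections), default=0)
    return max(len(pe) - end, 0)

def build_test_pe(spec: list, timestamp: int) -> bytes:
    """Assemble a minimal PE32 from [(name, flags, raw_bytes), ...] (constructed input)."""
    file_align, sect_align, e_lfanew, opt_size = 0x200, 0x1000, 0x40, 0xE0
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HDR, 0x14C, len(spec), timestamp, 0, 0, opt_size, 0x0102)
    headers = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(spec)) // file_align) * file_align
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)  # ImageBase, alignments
    struct.pack_into("<I", opt, 60, headers)                             # SizeOfHeaders
    table, body, va, roff = b"", b"", sect_align, headers
    for name, flags, raw in spec:
        rsize = -(-len(raw) // file_align) * file_align                  # round up to FileAlignment
        table += struct.pack(SECTION_HDR, name, len(raw), va, rsize, roff, 0, 0, 0, 0, flags)
        body += raw.ljust(rsize, b"\0")
        va += -(-len(raw) // sect_align) * sect_align
        roff += rsize
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers, b"\0") + body

# Constructed sample: low-entropy code, all-zero .data, and a .rsrc of uniformly distributed
# bytes (entropy exactly 8.0, like the .rsrc rows above). The timestamp is the value the
# report prints for OlympicDestroyer.exe.
SAMPLE_PE = build_test_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x55\x8b\xec\x5d\xc3" * 256),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\0" * 0x400),
    (b".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, bytes(range(256)) * 32),
], timestamp=1514378687)

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_PE)
    print("Compile Timestamp", compile_timestamp(SAMPLE_PE))
    for s in secs:
        print(f"{s['name']:<6} va=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']:.2f}")
    print("flagged:", suspicious_sections(secs), "| overlay bytes:", overlay_size(SAMPLE_PE, secs))
```

Entropy is computed over the raw (on-disk) bytes, as the report's column is; a section whose virtual size exceeds its raw size (the .data rows above) is zero-filled by the loader and its in-memory entropy would be lower. Replace SAMPLE_PE with the bytes of a real file to reproduce the report's columns, and compare the flagged sections with the resource-handling imports in the next table.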
Imports (148)
KERNEL32.dll (108)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetVersionExW 0x0 0x41f044 0x26f14 0x25914
GetModuleHandleA 0x0 0x41f048 0x26f18 0x25918
CreateEventW 0x0 0x41f04c 0x26f1c 0x2591c
MultiByteToWideChar 0x0 0x41f050 0x26f20 0x25920
Sleep 0x0 0x41f054 0x26f24 0x25924
GetTempPathA 0x0 0x41f058 0x26f28 0x25928
CopyFileA 0x0 0x41f05c 0x26f2c 0x2592c
GetLastError 0x0 0x41f060 0x26f30 0x25930
GetFileAttributesA 0x0 0x41f064 0x26f34 0x25934
CreateFileA 0x0 0x41f068 0x26f38 0x25938
SetEvent 0x0 0x41f06c 0x26f3c 0x2593c
TerminateThread 0x0 0x41f070 0x26f40 0x25940
DeleteFileW 0x0 0x41f074 0x26f44 0x25944
CloseHandle 0x0 0x41f078 0x26f48 0x25948
LoadLibraryW 0x0 0x41f07c 0x26f4c 0x2594c
CreateThread 0x0 0x41f080 0x26f50 0x25950
GetOverlappedResult 0x0 0x41f084 0x26f54 0x25954
VirtualProtectEx 0x0 0x41f088 0x26f58 0x25958
GetWindowsDirectoryW 0x0 0x41f08c 0x26f5c 0x2595c
GetProcAddress 0x0 0x41f090 0x26f60 0x25960
VirtualAllocEx 0x0 0x41f094 0x26f64 0x25964
LocalFree 0x0 0x41f098 0x26f68 0x25968
GetFileSize 0x0 0x41f09c 0x26f6c 0x2596c
DeleteCriticalSection 0x0 0x41f0a0 0x26f70 0x25970
ExitProcess 0x0 0x41f0a4 0x26f74 0x25974
GetCurrentProcessId 0x0 0x41f0a8 0x26f78 0x25978
CreateProcessW 0x0 0x41f0ac 0x26f7c 0x2597c
GetModuleHandleW 0x0 0x41f0b0 0x26f80 0x25980
CreateRemoteThread 0x0 0x41f0b4 0x26f84 0x25984
CreateProcessA 0x0 0x41f0b8 0x26f88 0x25988
CreateEventA 0x0 0x41f0bc 0x26f8c 0x2598c
ConnectNamedPipe 0x0 0x41f0c0 0x26f90 0x25990
GetComputerNameA 0x0 0x41f0c4 0x26f94 0x25994
GetFileAttributesW 0x0 0x41f0c8 0x26f98 0x25998
HeapFree 0x0 0x41f0cc 0x26f9c 0x2599c
HeapAlloc 0x0 0x41f0d0 0x26fa0 0x259a0
GetProcessHeap 0x0 0x41f0d4 0x26fa4 0x259a4
GetTempPathW 0x0 0x41f0d8 0x26fa8 0x259a8
GetTickCount 0x0 0x41f0dc 0x26fac 0x259ac
SizeofResource 0x0 0x41f0e0 0x26fb0 0x259b0
LockResource 0x0 0x41f0e4 0x26fb4 0x259b4
LoadResource 0x0 0x41f0e8 0x26fb8 0x259b8
FindResourceW 0x0 0x41f0ec 0x26fbc 0x259bc
FindFirstFileExW 0x0 0x41f0f0 0x26fc0 0x259c0
CreateFileW 0x0 0x41f0f4 0x26fc4 0x259c4
LocalAlloc 0x0 0x41f0f8 0x26fc8 0x259c8
WaitForSingleObject 0x0 0x41f0fc 0x26fcc 0x259cc
InitializeCriticalSection 0x0 0x41f100 0x26fd0 0x259d0
LeaveCriticalSection 0x0 0x41f104 0x26fd4 0x259d4
WaitForMultipleObjects 0x0 0x41f108 0x26fd8 0x259d8
CreateNamedPipeW 0x0 0x41f10c 0x26fdc 0x259dc
GetModuleFileNameW 0x0 0x41f110 0x26fe0 0x259e0
TerminateProcess 0x0 0x41f114 0x26fe4 0x259e4
InterlockedDecrement 0x0 0x41f118 0x26fe8 0x259e8
WriteFile 0x0 0x41f11c 0x26fec 0x259ec
ReadFile 0x0 0x41f120 0x26ff0 0x259f0
GetCurrentProcess 0x0 0x41f124 0x26ff4 0x259f4
GetCommandLineW 0x0 0x41f128 0x26ff8 0x259f8
EnterCriticalSection 0x0 0x41f12c 0x26ffc 0x259fc
WriteProcessMemory 0x0 0x41f130 0x27000 0x25a00
CancelIo 0x0 0x41f134 0x27004 0x25a04
FindClose 0x0 0x41f138 0x27008 0x25a08
DecodePointer 0x0 0x41f13c 0x2700c 0x25a0c
SetEndOfFile 0x0 0x41f140 0x27010 0x25a10
HeapSize 0x0 0x41f144 0x27014 0x25a14
WriteConsoleW 0x0 0x41f148 0x27018 0x25a18
FlushFileBuffers 0x0 0x41f14c 0x2701c 0x25a1c
GetStringTypeW 0x0 0x41f150 0x27020 0x25a20
SetStdHandle 0x0 0x41f154 0x27024 0x25a24
ReadConsoleW 0x0 0x41f158 0x27028 0x25a28
SetFilePointerEx 0x0 0x41f15c 0x2702c 0x25a2c
GetModuleFileNameA 0x0 0x41f160 0x27030 0x25a30
FreeLibrary 0x0 0x41f164 0x27034 0x25a34
FreeEnvironmentStringsW 0x0 0x41f168 0x27038 0x25a38
GetEnvironmentStringsW 0x0 0x41f16c 0x2703c 0x25a3c
GetCommandLineA 0x0 0x41f170 0x27040 0x25a40
GetCPInfo 0x0 0x41f174 0x27044 0x25a44
GetOEMCP 0x0 0x41f178 0x27048 0x25a48
IsValidCodePage 0x0 0x41f17c 0x2704c 0x25a4c
LCMapStringW 0x0 0x41f180 0x27050 0x25a50
UnhandledExceptionFilter 0x0 0x41f184 0x27054 0x25a54
SetUnhandledExceptionFilter 0x0 0x41f188 0x27058 0x25a58
IsProcessorFeaturePresent 0x0 0x41f18c 0x2705c 0x25a5c
QueryPerformanceCounter 0x0 0x41f190 0x27060 0x25a60
GetCurrentThreadId 0x0 0x41f194 0x27064 0x25a64
GetSystemTimeAsFileTime 0x0 0x41f198 0x27068 0x25a68
InitializeSListHead 0x0 0x41f19c 0x2706c 0x25a6c
IsDebuggerPresent 0x0 0x41f1a0 0x27070 0x25a70
GetStartupInfoW 0x0 0x41f1a4 0x27074 0x25a74
WideCharToMultiByte 0x0 0x41f1a8 0x27078 0x25a78
EncodePointer 0x0 0x41f1ac 0x2707c 0x25a7c
RaiseException 0x0 0x41f1b0 0x27080 0x25a80
RtlUnwind 0x0 0x41f1b4 0x27084 0x25a84
SetLastError 0x0 0x41f1b8 0x27088 0x25a88
InitializeCriticalSectionAndSpinCount 0x0 0x41f1bc 0x2708c 0x25a8c
TlsAlloc 0x0 0x41f1c0 0x27090 0x25a90
TlsGetValue 0x0 0x41f1c4 0x27094 0x25a94
TlsSetValue 0x0 0x41f1c8 0x27098 0x25a98
TlsFree 0x0 0x41f1cc 0x2709c 0x25a9c
LoadLibraryExW 0x0 0x41f1d0 0x270a0 0x25aa0
GetStdHandle 0x0 0x41f1d4 0x270a4 0x25aa4
GetModuleHandleExW 0x0 0x41f1d8 0x270a8 0x25aa8
GetACP 0x0 0x41f1dc 0x270ac 0x25aac
HeapReAlloc 0x0 0x41f1e0 0x270b0 0x25ab0
GetConsoleCP 0x0 0x41f1e4 0x270b4 0x25ab4
GetConsoleMode 0x0 0x41f1e8 0x270b8 0x25ab8
GetFileType 0x0 0x41f1ec 0x270bc 0x25abc
FindNextFileW 0x0 0x41f1f0 0x270c0 0x25ac0
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
wsprintfW 0x0 0x41f230 0x27100 0x25b00
ADVAPI32.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CryptAcquireContextW 0x0 0x41f000 0x26ed0 0x258d0
CryptReleaseContext 0x0 0x41f004 0x26ed4 0x258d4
LookupPrivilegeValueW 0x0 0x41f008 0x26ed8 0x258d8
AdjustTokenPrivileges 0x0 0x41f00c 0x26edc 0x258dc
CryptGenRandom 0x0 0x41f010 0x26ee0 0x258e0
LookupPrivilegeNameW 0x0 0x41f014 0x26ee4 0x258e4
CopySid 0x0 0x41f018 0x26ee8 0x258e8
IsValidSid 0x0 0x41f01c 0x26eec 0x258ec
LogonUserA 0x0 0x41f020 0x26ef0 0x258f0
OpenProcessToken 0x0 0x41f024 0x26ef4 0x258f4
ConvertSidToStringSidW 0x0 0x41f028 0x26ef8 0x258f8
GetLengthSid 0x0 0x41f02c 0x26efc 0x258fc
LookupAccountSidW 0x0 0x41f030 0x26f00 0x25900
GetTokenInformation 0x0 0x41f034 0x26f04 0x25904
SHELL32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
SHGetSpecialFolderPathW 0x0 0x41f224 0x270f4 0x25af4
CommandLineToArgvW 0x0 0x41f228 0x270f8 0x25af8
ole32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CoCreateGuid 0x0 0x41f258 0x27128 0x25b28
CoTaskMemFree 0x0 0x41f25c 0x2712c 0x25b2c
CoSetProxyBlanket 0x0 0x41f260 0x27130 0x25b30
CoInitializeEx 0x0 0x41f264 0x27134 0x25b34
CoInitializeSecurity 0x0 0x41f268 0x27138 0x25b38
CoCreateInstance 0x0 0x41f26c 0x2713c 0x25b3c
CoUninitialize 0x0 0x41f270 0x27140 0x25b40
OLEAUT32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
SysFreeString 0x6 0x41f204 0x270d4 0x25ad4
SysAllocString 0x2 0x41f208 0x270d8 0x25ad8
SysStringLen 0x7 0x41f20c 0x270dc 0x25adc
SafeArrayUnaccessData 0x18 0x41f210 0x270e0 0x25ae0
SafeArrayAccessData 0x17 0x41f214 0x270e4 0x25ae4
VariantClear 0x9 0x41f218 0x270e8 0x25ae8
SafeArrayCreate 0xf 0x41f21c 0x270ec 0x25aec
IPHLPAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetIpNetTable 0x0 0x41f03c 0x26f0c 0x2590c
WS2_32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
FreeAddrInfoW 0x0 0x41f238 0x27108 0x25b08
GetAddrInfoW 0x0 0x41f23c 0x2710c 0x25b0c
WSACleanup 0x74 0x41f240 0x27110 0x25b10
WSAStartup 0x73 0x41f244 0x27114 0x25b14
ntohl 0xe 0x41f248 0x27118 0x25b18
credui.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CredUIParseUserNameW 0x0 0x41f250 0x27120 0x25b20
NETAPI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
NetApiBufferFree 0x0 0x41f1f8 0x270c8 0x25ac8
NetGetDCName 0x0 0x41f1fc 0x270cc 0x25acc
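The import tables are the most direct capability evidence on this page. For OlympicDestroyer.exe the pairing of VirtualAllocEx, WriteProcessMemory and CreateRemoteThread is code injection into another process; CreateNamedPipeW and ConnectNamedPipe are local IPC between the components it drops; LogonUserA and CredUIParseUserNameW handle credentials; GetIpNetTable (the ARP table) and NetGetDCName are host and domain-controller discovery. The script below is an added example, not VMRay's code and not part of the report: it parses rows in exactly the layout printed above ("<API Name> <Ordinal> <IAT Address> <Thunk RVA> <Thunk Offset>" under "<DLL> (<count>)" headings), builds the lowercase "dll.func" list that an import hash (imphash) is computed over, and tags capabilities from API groups that are my own assumed triage buckets. Two caveats apply. The page groups imports by DLL in an order that is not the import-directory order (the IAT addresses show ADVAPI32 lowest), so the code sorts by IAT address before hashing, and any value it produces should still be checked against pefile's get_imphash() on the binary before being used as an indicator. And the rows embedded in the script are constructed excerpts copied from the OlympicDestroyer.exe table above and the _aaq.exe table further down, so the hashes it prints fingerprint those excerpts, not the binaries.

```python
"""Import-listing triage: parse rows in the layout printed above, derive an
imphash-style fingerprint and a capability sketch (added example, stdlib only)."""
import hashlib
import re

# Excerpts constructed from rows in the OlympicDestroyer.exe and _aaq.exe tables on this page.
LISTING_OD = """\
KERNEL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
VirtualAllocEx 0x0 0x41f094 0x26f64 0x25964
CreateRemoteThread 0x0 0x41f0b4 0x26f84 0x25984
CreateNamedPipeW 0x0 0x41f10c 0x26fdc 0x259dc
WriteProcessMemory 0x0 0x41f130 0x27000 0x25a00
ADVAPI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CryptGenRandom 0x0 0x41f010 0x26ee0 0x258e0
LogonUserA 0x0 0x41f020 0x26ef0 0x258f0
OLEAUT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
SysAllocString 0x2 0x41f208 0x270d8 0x25ad8
IPHLPAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetIpNetTable 0x0 0x41f03c 0x26f0c 0x2590c
"""
LISTING_AAQ = """\
SHLWAPI.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
(by ordinal) 0x9c 0x406170 0x7f14 0x6f14
PathAppendW 0x0 0x406174 0x7f18 0x6f18
PathRemoveArgsW 0x0 0x406178 0x7f1c 0x6f1c
ADVAPI32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
InitiateSystemShutdownExW 0x0 0x406000 0x7da4 0x6da4
EnumServicesStatusW 0x0 0x406008 0x7dac 0x6dac
ChangeServiceConfigW 0x0 0x40600c 0x7db0 0x6db0
"""

DLL_RE = re.compile(r"^(?P<dll>\S+\.dll) \(\d+\)$", re.IGNORECASE)
ROW_RE = re.compile(r"^(?P<name>\(by ordinal\)|\S+) (?P<ord>0x[0-9a-f]+) (?P<iat>0x[0-9a-f]+) "
                    r"0x[0-9a-f]+ 0x[0-9a-f]+$", re.IGNORECASE)

CAPABILITIES = {  # assumed triage buckets, not a vendor's rule set; one hit tags the bucket
    "process-injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "VirtualProtectEx"},
    "credential-use": {"LogonUserA", "LogonUserW", "CredUIParseUserNameW", "CreateProcessAsUserW"},
    "named-pipe-ipc": {"CreateNamedPipeW", "ConnectNamedPipe", "TransactNamedPipe"},
    "network-discovery": {"GetIpNetTable", "NetGetDCName", "NetServerEnum", "WNetOpenEnumW"},
    "service-control": {"OpenSCManagerW", "CreateServiceW", "ChangeServiceConfigW", "EnumServicesStatusW"},
    "system-shutdown": {"InitiateSystemShutdownExW"},
}

def parse_imports(listing: str) -> list:
    """[(dll, api_name_or_None, ordinal, iat_address), ...] in the order printed.
    Column-header lines and the per-DLL counts are skipped rather than trusted."""
    rows, dll = [], None
    for line in listing.splitlines():
        line = line.strip()
        dll_match = DLL_RE.match(line)
        if dll_match:
            dll = dll_match.group("dll")
            continue
        row = ROW_RE.match(line)
        if dll and row:
            name = None if row.group("name") == "(by ordinal)" else row.group("name")
            rows.append((dll, name, int(row.group("ord"), 16), int(row.group("iat"), 16)))
    return rows

def imphash_string(rows: list, order: str = "iat") -> str:
    """pefile-style normalisation: lowercase, DLL extension stripped, nameless imports as ord<N>.
    The page groups imports by DLL in an order that is not the import-directory order (see the
    IAT addresses: ADVAPI32 sits lowest). A linker-produced binary lays the IAT out in directory
    order, so order="iat" sorts by IAT address; order="listing" keeps the printed order."""
    if order == "iat":
        rows = sorted(rows, key=lambda r: r[3])
    parts = []
    for dll, name, ordinal, _ in rows:
        lib = re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())
        func = name.lower() if name else f"ord{ordinal}"
        parts.append(f"{lib}.{func}")
    return ",".join(parts)

def imphash(rows: list, order: str = "iat") -> str:
    """MD5 of the normalised list. Confirm against pefile's get_imphash() on the binary
    before using the value as an indicator; this is a fingerprint of the rows given."""
    return hashlib.md5(imphash_string(rows, order).encode("ascii")).hexdigest()

def capabilities(rows: list) -> set:
    """Bucket names whose API set intersects the imported names (ordinal-only rows are ignored)."""
    names = {name for _, name, _, _ in rows if name}
    return {tag for tag, apis in CAPABILITIES.items() if names & apis}

if __name__ == "__main__":
    for label, listing in (("OlympicDestroyer.exe", LISTING_OD), ("_aaq.exe", LISTING_AAQ)):
        rows = parse_imports(listing)
        print(f"{label}: {len(rows)} imports, imphash {imphash(rows)}, {sorted(capabilities(rows))}")
```

Paste a complete per-file import listing from this page into the string in place of the excerpt to fingerprint the whole table. The by-ordinal SHLWAPI row in _aaq.exe is the case that breaks naive name-based hashing; it is carried as shlwapi.ord156, which is how pefile writes unresolved ordinals.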
c:\users\eebsym5\appdata\local\temp\xtbrb.exe
Blacklisted
File Properties
Names c:\users\eebsym5\appdata\local\temp\xtbrb.exe (Created File)
Size 751.50 KB
Hash Values MD5: 4f43f03783f9789f804dcf9b9474fa6d
SHA1: 492d4a4a74099074e26b5dffd0d15434009ccfd9
SHA256: 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
File Reputation Information
Information Value
Severity Blacklisted
Names Win32.Trojan.Olympicdestroyer
Families Olympicdestroyer
Classification Trojan
PE Information
Information Value
Image Base 0x400000
Entry Point 0x4040f1
Size Of Code 0xee00
Size Of Initialized Data 0xad600
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-12-27 12:44:30
Compiler/Packer Unknown
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0xecbe 0xee00 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.65
.rdata 0x410000 0x67fe 0x6800 0xf200 CNT_INITIALIZED_DATA, MEM_READ 5.09
.data 0x417000 0x1398 0xa00 0x15a00 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 2.28
.gfids 0x419000 0x11c 0x200 0x16400 CNT_INITIALIZED_DATA, MEM_READ 2.05
.rsrc 0x41a000 0xa4430 0xa4600 0x16600 CNT_INITIALIZED_DATA, MEM_READ 8.0
.reloc 0x4bf000 0x10c8 0x1200 0xbac00 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 6.35
Imports (77)
KERNEL32.dll (72)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
FreeLibrary 0x0 0x410014 0x16120 0x15320
CreateFileW 0x0 0x410018 0x16124 0x15324
CloseHandle 0x0 0x41001c 0x16128 0x15328
WriteFile 0x0 0x410020 0x1612c 0x1532c
HeapFree 0x0 0x410024 0x16130 0x15330
HeapAlloc 0x0 0x410028 0x16134 0x15334
GetProcessHeap 0x0 0x41002c 0x16138 0x15338
GetCurrentProcess 0x0 0x410030 0x1613c 0x1533c
GetProcAddress 0x0 0x410034 0x16140 0x15340
LockResource 0x0 0x410038 0x16144 0x15344
LoadResource 0x0 0x41003c 0x16148 0x15348
FindResourceW 0x0 0x410040 0x1614c 0x1534c
GetModuleHandleW 0x0 0x410044 0x16150 0x15350
GetCommandLineW 0x0 0x410048 0x16154 0x15354
WriteConsoleW 0x0 0x41004c 0x16158 0x15358
LoadLibraryA 0x0 0x410050 0x1615c 0x1535c
VirtualAlloc 0x0 0x410054 0x16160 0x15360
VirtualFree 0x0 0x410058 0x16164 0x15364
SizeofResource 0x0 0x41005c 0x16168 0x15368
VirtualProtect 0x0 0x410060 0x1616c 0x1536c
HeapReAlloc 0x0 0x410064 0x16170 0x15370
HeapSize 0x0 0x410068 0x16174 0x15374
UnhandledExceptionFilter 0x0 0x41006c 0x16178 0x15378
SetUnhandledExceptionFilter 0x0 0x410070 0x1617c 0x1537c
TerminateProcess 0x0 0x410074 0x16180 0x15380
IsProcessorFeaturePresent 0x0 0x410078 0x16184 0x15384
QueryPerformanceCounter 0x0 0x41007c 0x16188 0x15388
GetCurrentProcessId 0x0 0x410080 0x1618c 0x1538c
GetCurrentThreadId 0x0 0x410084 0x16190 0x15390
GetSystemTimeAsFileTime 0x0 0x410088 0x16194 0x15394
InitializeSListHead 0x0 0x41008c 0x16198 0x15398
IsDebuggerPresent 0x0 0x410090 0x1619c 0x1539c
GetStartupInfoW 0x0 0x410094 0x161a0 0x153a0
EncodePointer 0x0 0x410098 0x161a4 0x153a4
RaiseException 0x0 0x41009c 0x161a8 0x153a8
GetLastError 0x0 0x4100a0 0x161ac 0x153ac
SetLastError 0x0 0x4100a4 0x161b0 0x153b0
RtlUnwind 0x0 0x4100a8 0x161b4 0x153b4
EnterCriticalSection 0x0 0x4100ac 0x161b8 0x153b8
LeaveCriticalSection 0x0 0x4100b0 0x161bc 0x153bc
DeleteCriticalSection 0x0 0x4100b4 0x161c0 0x153c0
InitializeCriticalSectionAndSpinCount 0x0 0x4100b8 0x161c4 0x153c4
TlsAlloc 0x0 0x4100bc 0x161c8 0x153c8
TlsGetValue 0x0 0x4100c0 0x161cc 0x153cc
TlsSetValue 0x0 0x4100c4 0x161d0 0x153d0
TlsFree 0x0 0x4100c8 0x161d4 0x153d4
LoadLibraryExW 0x0 0x4100cc 0x161d8 0x153d8
MultiByteToWideChar 0x0 0x4100d0 0x161dc 0x153dc
WideCharToMultiByte 0x0 0x4100d4 0x161e0 0x153e0
GetStdHandle 0x0 0x4100d8 0x161e4 0x153e4
GetModuleFileNameW 0x0 0x4100dc 0x161e8 0x153e8
ExitProcess 0x0 0x4100e0 0x161ec 0x153ec
GetModuleHandleExW 0x0 0x4100e4 0x161f0 0x153f0
GetACP 0x0 0x4100e8 0x161f4 0x153f4
SetFilePointerEx 0x0 0x4100ec 0x161f8 0x153f8
GetFileType 0x0 0x4100f0 0x161fc 0x153fc
GetConsoleMode 0x0 0x4100f4 0x16200 0x15400
FindClose 0x0 0x4100f8 0x16204 0x15404
FindFirstFileExW 0x0 0x4100fc 0x16208 0x15408
FindNextFileW 0x0 0x410100 0x1620c 0x1540c
IsValidCodePage 0x0 0x410104 0x16210 0x15410
GetOEMCP 0x0 0x410108 0x16214 0x15414
GetCPInfo 0x0 0x41010c 0x16218 0x15418
GetCommandLineA 0x0 0x410110 0x1621c 0x1541c
GetEnvironmentStringsW 0x0 0x410114 0x16220 0x15420
FreeEnvironmentStringsW 0x0 0x410118 0x16224 0x15424
LCMapStringW 0x0 0x41011c 0x16228 0x15428
SetStdHandle 0x0 0x410120 0x1622c 0x1542c
GetStringTypeW 0x0 0x410124 0x16230 0x15430
FlushFileBuffers 0x0 0x410128 0x16234 0x15434
GetConsoleCP 0x0 0x41012c 0x16238 0x15438
DecodePointer 0x0 0x410130 0x1623c 0x1543c
ADVAPI32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
LookupPrivilegeNameW 0x0 0x410000 0x1610c 0x1530c
OpenProcessToken 0x0 0x410004 0x16110 0x15310
GetTokenInformation 0x0 0x410008 0x16114 0x15314
AdjustTokenPrivileges 0x0 0x41000c 0x16118 0x15318
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CommandLineToArgvW 0x0 0x410138 0x16244 0x15444
c:\users\eebsym5\appdata\local\temp\ilvai.exe
Blacklisted
File Properties
Names c:\users\eebsym5\appdata\local\temp\ilvai.exe (Created File)
Size 226.00 KB
Hash Values MD5: 6e0ebeeea1cb00192b074b288a4f9cfe
SHA1: 21ca710ed3bc536bd5394f0bff6d6140809156cf
SHA256: a52af66a4438c5517870c503ac1e0515af44d3994aa62c7d818b6eef46cfbb2d
File Reputation Information
Information Value
Severity Blacklisted
Names Win32.Trojan.Occamy
Families Occamy
Classification Trojan
PE Information
Information Value
Image Base 0x400000
Entry Point 0x4014c1
Size Of Code 0x11200
Size Of Initialized Data 0x27e00
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-12-27 12:44:40
Compiler/Packer Unknown
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x110f3 0x11200 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.68
.rdata 0x413000 0x68c2 0x6a00 0x11600 CNT_INITIALIZED_DATA, MEM_READ 5.04
.data 0x41a000 0x14d0 0xa00 0x18000 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 2.47
.gfids 0x41c000 0x11c 0x200 0x18a00 CNT_INITIALIZED_DATA, MEM_READ 2.02
.rsrc 0x41d000 0x1e830 0x1ea00 0x18c00 CNT_INITIALIZED_DATA, MEM_READ 8.0
.reloc 0x43c000 0x11d8 0x1200 0x37600 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 6.54
Imports (79)
KERNEL32.dll (74)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
FreeLibrary 0x0 0x413014 0x191c0 0x177c0
CreateFileW 0x0 0x413018 0x191c4 0x177c4
CloseHandle 0x0 0x41301c 0x191c8 0x177c8
ReadFile 0x0 0x413020 0x191cc 0x177cc
WriteFile 0x0 0x413024 0x191d0 0x177d0
HeapFree 0x0 0x413028 0x191d4 0x177d4
HeapAlloc 0x0 0x41302c 0x191d8 0x177d8
GetProcessHeap 0x0 0x413030 0x191dc 0x177dc
GetCurrentProcess 0x0 0x413034 0x191e0 0x177e0
GetProcAddress 0x0 0x413038 0x191e4 0x177e4
LockResource 0x0 0x41303c 0x191e8 0x177e8
LoadResource 0x0 0x413040 0x191ec 0x177ec
FindResourceW 0x0 0x413044 0x191f0 0x177f0
GetModuleHandleW 0x0 0x413048 0x191f4 0x177f4
GetCommandLineW 0x0 0x41304c 0x191f8 0x177f8
WriteConsoleW 0x0 0x413050 0x191fc 0x177fc
LoadLibraryA 0x0 0x413054 0x19200 0x17800
VirtualAlloc 0x0 0x413058 0x19204 0x17804
VirtualFree 0x0 0x41305c 0x19208 0x17808
SizeofResource 0x0 0x413060 0x1920c 0x1780c
VirtualProtect 0x0 0x413064 0x19210 0x17810
HeapReAlloc 0x0 0x413068 0x19214 0x17814
HeapSize 0x0 0x41306c 0x19218 0x17818
UnhandledExceptionFilter 0x0 0x413070 0x1921c 0x1781c
SetUnhandledExceptionFilter 0x0 0x413074 0x19220 0x17820
TerminateProcess 0x0 0x413078 0x19224 0x17824
IsProcessorFeaturePresent 0x0 0x41307c 0x19228 0x17828
QueryPerformanceCounter 0x0 0x413080 0x1922c 0x1782c
GetCurrentProcessId 0x0 0x413084 0x19230 0x17830
GetCurrentThreadId 0x0 0x413088 0x19234 0x17834
GetSystemTimeAsFileTime 0x0 0x41308c 0x19238 0x17838
InitializeSListHead 0x0 0x413090 0x1923c 0x1783c
IsDebuggerPresent 0x0 0x413094 0x19240 0x17840
GetStartupInfoW 0x0 0x413098 0x19244 0x17844
EncodePointer 0x0 0x41309c 0x19248 0x17848
RaiseException 0x0 0x4130a0 0x1924c 0x1784c
GetLastError 0x0 0x4130a4 0x19250 0x17850
SetLastError 0x0 0x4130a8 0x19254 0x17854
RtlUnwind 0x0 0x4130ac 0x19258 0x17858
EnterCriticalSection 0x0 0x4130b0 0x1925c 0x1785c
LeaveCriticalSection 0x0 0x4130b4 0x19260 0x17860
DeleteCriticalSection 0x0 0x4130b8 0x19264 0x17864
InitializeCriticalSectionAndSpinCount 0x0 0x4130bc 0x19268 0x17868
TlsAlloc 0x0 0x4130c0 0x1926c 0x1786c
TlsGetValue 0x0 0x4130c4 0x19270 0x17870
TlsSetValue 0x0 0x4130c8 0x19274 0x17874
TlsFree 0x0 0x4130cc 0x19278 0x17878
LoadLibraryExW 0x0 0x4130d0 0x1927c 0x1787c
MultiByteToWideChar 0x0 0x4130d4 0x19280 0x17880
WideCharToMultiByte 0x0 0x4130d8 0x19284 0x17884
GetStdHandle 0x0 0x4130dc 0x19288 0x17888
GetModuleFileNameW 0x0 0x4130e0 0x1928c 0x1788c
ExitProcess 0x0 0x4130e4 0x19290 0x17890
GetModuleHandleExW 0x0 0x4130e8 0x19294 0x17894
GetACP 0x0 0x4130ec 0x19298 0x17898
SetFilePointerEx 0x0 0x4130f0 0x1929c 0x1789c
GetFileType 0x0 0x4130f4 0x192a0 0x178a0
GetConsoleMode 0x0 0x4130f8 0x192a4 0x178a4
ReadConsoleW 0x0 0x4130fc 0x192a8 0x178a8
FindClose 0x0 0x413100 0x192ac 0x178ac
FindFirstFileExW 0x0 0x413104 0x192b0 0x178b0
FindNextFileW 0x0 0x413108 0x192b4 0x178b4
IsValidCodePage 0x0 0x41310c 0x192b8 0x178b8
GetOEMCP 0x0 0x413110 0x192bc 0x178bc
GetCPInfo 0x0 0x413114 0x192c0 0x178c0
GetCommandLineA 0x0 0x413118 0x192c4 0x178c4
GetEnvironmentStringsW 0x0 0x41311c 0x192c8 0x178c8
FreeEnvironmentStringsW 0x0 0x413120 0x192cc 0x178cc
LCMapStringW 0x0 0x413124 0x192d0 0x178d0
SetStdHandle 0x0 0x413128 0x192d4 0x178d4
GetStringTypeW 0x0 0x41312c 0x192d8 0x178d8
FlushFileBuffers 0x0 0x413130 0x192dc 0x178dc
GetConsoleCP 0x0 0x413134 0x192e0 0x178e0
DecodePointer 0x0 0x413138 0x192e4 0x178e4
ADVAPI32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
LookupPrivilegeNameW 0x0 0x413000 0x191ac 0x177ac
OpenProcessToken 0x0 0x413004 0x191b0 0x177b0
GetTokenInformation 0x0 0x413008 0x191b4 0x177b4
AdjustTokenPrivileges 0x0 0x41300c 0x191b8 0x177b8
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CommandLineToArgvW 0x0 0x413140 0x192ec 0x178ec
c:\users\eebsym5\appdata\local\temp\_aaq.exe
Blacklisted
File Properties
Names c:\users\eebsym5\appdata\local\temp\_aaq.exe (Created File)
Size 36.00 KB
Hash Values MD5: 3c0d740347b0362331c882c2dee96dbf
SHA1: 8350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256: ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
File Reputation Information
Information Value
Severity Blacklisted
Names Win32.Trojan.Deshacop
Families Deshacop
Classification Trojan
PE Information
Information Value
Image Base 0x400000
Entry Point 0x40198f
Size Of Code 0x4c00
Size Of Initialized Data 0x4000
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-12-27 10:03:48
Compiler/Packer Unknown
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x4bc2 0x4c00 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.49
.rdata 0x406000 0x263e 0x2800 0x5000 CNT_INITIALIZED_DATA, MEM_READ 4.62
.data 0x409000 0x18c0 0xc00 0x7800 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 2.45
.rsrc 0x40b000 0x1b4 0x200 0x8400 CNT_INITIALIZED_DATA, MEM_READ 5.1
.reloc 0x40c000 0x85c 0xa00 0x8600 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 4.99
Imports (93)
KERNEL32.dll (74)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GlobalAlloc 0x0 0x40602c 0x7dd0 0x6dd0
GetSystemDirectoryW 0x0 0x406030 0x7dd4 0x6dd4
Sleep 0x0 0x406034 0x7dd8 0x6dd8
Wow64DisableWow64FsRedirection 0x0 0x406038 0x7ddc 0x6ddc
Wow64RevertWow64FsRedirection 0x0 0x40603c 0x7de0 0x6de0
CreateFileW 0x0 0x406040 0x7de4 0x6de4
SetThreadPriority 0x0 0x406044 0x7de8 0x6de8
FlushFileBuffers 0x0 0x406048 0x7dec 0x6dec
GetFileSizeEx 0x0 0x40604c 0x7df0 0x6df0
WriteFile 0x0 0x406050 0x7df4 0x6df4
GlobalFree 0x0 0x406054 0x7df8 0x6df8
FindClose 0x0 0x406058 0x7dfc 0x6dfc
FindNextFileW 0x0 0x40605c 0x7e00 0x6e00
CloseHandle 0x0 0x406060 0x7e04 0x6e04
CreateThread 0x0 0x406064 0x7e08 0x6e08
HeapReAlloc 0x0 0x406068 0x7e0c 0x6e0c
GetStringTypeW 0x0 0x40606c 0x7e10 0x6e10
GetProcessHeap 0x0 0x406070 0x7e14 0x6e14
GetCurrentThread 0x0 0x406074 0x7e18 0x6e18
WaitForSingleObject 0x0 0x406078 0x7e1c 0x6e1c
HeapFree 0x0 0x40607c 0x7e20 0x6e20
GetCurrentProcess 0x0 0x406080 0x7e24 0x6e24
HeapAlloc 0x0 0x406084 0x7e28 0x6e28
CreateProcessW 0x0 0x406088 0x7e2c 0x6e2c
SetFilePointer 0x0 0x40608c 0x7e30 0x6e30
FindFirstFileW 0x0 0x406090 0x7e34 0x6e34
GetLastError 0x0 0x406094 0x7e38 0x6e38
ExitProcess 0x0 0x406098 0x7e3c 0x6e3c
MultiByteToWideChar 0x0 0x40609c 0x7e40 0x6e40
LCMapStringW 0x0 0x4060a0 0x7e44 0x6e44
HeapSize 0x0 0x4060a4 0x7e48 0x6e48
RtlUnwind 0x0 0x4060a8 0x7e4c 0x6e4c
IsValidCodePage 0x0 0x4060ac 0x7e50 0x6e50
GetOEMCP 0x0 0x4060b0 0x7e54 0x6e54
GetACP 0x0 0x4060b4 0x7e58 0x6e58
GetCPInfo 0x0 0x4060b8 0x7e5c 0x6e5c
LoadLibraryW 0x0 0x4060bc 0x7e60 0x6e60
GetCommandLineA 0x0 0x4060c0 0x7e64 0x6e64
HeapSetInformation 0x0 0x4060c4 0x7e68 0x6e68
GetStartupInfoW 0x0 0x4060c8 0x7e6c 0x6e6c
TerminateProcess 0x0 0x4060cc 0x7e70 0x6e70
UnhandledExceptionFilter 0x0 0x4060d0 0x7e74 0x6e74
SetUnhandledExceptionFilter 0x0 0x4060d4 0x7e78 0x6e78
IsDebuggerPresent 0x0 0x4060d8 0x7e7c 0x6e7c
GetProcAddress 0x0 0x4060dc 0x7e80 0x6e80
GetModuleHandleW 0x0 0x4060e0 0x7e84 0x6e84
DecodePointer 0x0 0x4060e4 0x7e88 0x6e88
GetStdHandle 0x0 0x4060e8 0x7e8c 0x6e8c
GetModuleFileNameW 0x0 0x4060ec 0x7e90 0x6e90
GetModuleFileNameA 0x0 0x4060f0 0x7e94 0x6e94
FreeEnvironmentStringsW 0x0 0x4060f4 0x7e98 0x6e98
WideCharToMultiByte 0x0 0x4060f8 0x7e9c 0x6e9c
GetEnvironmentStringsW 0x0 0x4060fc 0x7ea0 0x6ea0
SetHandleCount 0x0 0x406100 0x7ea4 0x6ea4
InitializeCriticalSectionAndSpinCount 0x0 0x406104 0x7ea8 0x6ea8
GetFileType 0x0 0x406108 0x7eac 0x6eac
DeleteCriticalSection 0x0 0x40610c 0x7eb0 0x6eb0
EncodePointer 0x0 0x406110 0x7eb4 0x6eb4
TlsAlloc 0x0 0x406114 0x7eb8 0x6eb8
TlsGetValue 0x0 0x406118 0x7ebc 0x6ebc
TlsSetValue 0x0 0x40611c 0x7ec0 0x6ec0
TlsFree 0x0 0x406120 0x7ec4 0x6ec4
InterlockedIncrement 0x0 0x406124 0x7ec8 0x6ec8
SetLastError 0x0 0x406128 0x7ecc 0x6ecc
GetCurrentThreadId 0x0 0x40612c 0x7ed0 0x6ed0
InterlockedDecrement 0x0 0x406130 0x7ed4 0x6ed4
HeapCreate 0x0 0x406134 0x7ed8 0x6ed8
QueryPerformanceCounter 0x0 0x406138 0x7edc 0x6edc
GetTickCount 0x0 0x40613c 0x7ee0 0x6ee0
GetCurrentProcessId 0x0 0x406140 0x7ee4 0x6ee4
GetSystemTimeAsFileTime 0x0 0x406144 0x7ee8 0x6ee8
LeaveCriticalSection 0x0 0x406148 0x7eec 0x6eec
EnterCriticalSection 0x0 0x40614c 0x7ef0 0x6ef0
IsProcessorFeaturePresent 0x0 0x406150 0x7ef4 0x6ef4
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
wsprintfW 0x0 0x406180 0x7f24 0x6f24
ADVAPI32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
InitiateSystemShutdownExW 0x0 0x406000 0x7da4 0x6da4
AdjustTokenPrivileges 0x0 0x406004 0x7da8 0x6da8
EnumServicesStatusW 0x0 0x406008 0x7dac 0x6dac
ChangeServiceConfigW 0x0 0x40600c 0x7db0 0x6db0
LookupPrivilegeValueW 0x0 0x406010 0x7db4 0x6db4
OpenServiceW 0x0 0x406014 0x7db8 0x6db8
OpenSCManagerW 0x0 0x406018 0x7dbc 0x6dbc
OpenProcessToken 0x0 0x40601c 0x7dc0 0x6dc0
CloseServiceHandle 0x0 0x406020 0x7dc4 0x6dc4
QueryServiceConfigW 0x0 0x406024 0x7dc8 0x6dc8
SHLWAPI.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
(by ordinal) 0x9c 0x406170 0x7f14 0x6f14
PathAppendW 0x0 0x406174 0x7f18 0x6f18
PathRemoveArgsW 0x0 0x406178 0x7f1c 0x6f1c
MPR.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
WNetEnumResourceW 0x0 0x406158 0x7efc 0x6efc
WNetAddConnection2W 0x0 0x40615c 0x7f00 0x6f00
WNetCancelConnection2W 0x0 0x406160 0x7f04 0x6f04
WNetOpenEnumW 0x0 0x406164 0x7f08 0x6f08
WNetCloseEnum 0x0 0x406168 0x7f0c 0x6f0c
c:\users\eebsym5\appdata\local\temp\_kog.exe
Suspicious
File Properties
Names c:\users\eebsym5\appdata\local\temp\_kog.exe (Created File)
Size 331.15 KB
Hash Values MD5: 27304b246c7d5b4e149124d5f93c5b01
SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA256: 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
File Reputation Information
Information Value
Severity Suspicious
Names Unknown.PUA.Psexec
Families Psexec
Classification Pua
PE Information
Information Value
Image Base 0x400000
Entry Point 0x409de6
Size Of Code 0x18600
Size Of Initialized Data 0x61e00
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2016-06-28 20:43:09
Compiler/Packer Unknown
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x184c4 0x18600 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.59
.rdata 0x41a000 0xe62a 0xe800 0x18a00 CNT_INITIALIZED_DATA, MEM_READ 4.6
.data 0x429000 0x2dd9c 0x2400 0x27200 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 2.18
.rsrc 0x457000 0x23f18 0x24000 0x29600 CNT_INITIALIZED_DATA, MEM_READ 6.38
.reloc 0x47b000 0x1750 0x1800 0x4d600 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 6.63
Imports (159)
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetFileVersionInfoSizeW 0x0 0x41a274 0x27a8c 0x2648c
GetFileVersionInfoW 0x0 0x41a278 0x27a90 0x26490
VerQueryValueW 0x0 0x41a27c 0x27a94 0x26494
NETAPI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
NetServerEnum 0x0 0x41a268 0x27a80 0x26480
NetApiBufferFree 0x0 0x41a26c 0x27a84 0x26484
WS2_32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
gethostname 0x39 0x41a284 0x27a9c 0x2649c
WSAStartup 0x73 0x41a288 0x27aa0 0x264a0
inet_ntoa 0xc 0x41a28c 0x27aa4 0x264a4
gethostbyname 0x34 0x41a290 0x27aa8 0x264a8
MPR.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
WNetCancelConnection2W 0x0 0x41a25c 0x27a74 0x26474
WNetAddConnection2W 0x0 0x41a260 0x27a78 0x26478
KERNEL32.dll (104)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetExitCodeProcess 0x0 0x41a0b8 0x278d0 0x262d0
ResumeThread 0x0 0x41a0bc 0x278d4 0x262d4
WaitForMultipleObjects 0x0 0x41a0c0 0x278d8 0x262d8
GetFileTime 0x0 0x41a0c4 0x278dc 0x262dc
DuplicateHandle 0x0 0x41a0c8 0x278e0 0x262e0
DisconnectNamedPipe 0x0 0x41a0cc 0x278e4 0x262e4
SetNamedPipeHandleState 0x0 0x41a0d0 0x278e8 0x262e8
TransactNamedPipe 0x0 0x41a0d4 0x278ec 0x262ec
CreateEventW 0x0 0x41a0d8 0x278f0 0x262f0
GetCurrentProcessId 0x0 0x41a0dc 0x278f4 0x262f4
GetFullPathNameW 0x0 0x41a0e0 0x278f8 0x262f8
SetFileAttributesW 0x0 0x41a0e4 0x278fc 0x262fc
GetFileAttributesW 0x0 0x41a0e8 0x27900 0x26300
CopyFileW 0x0 0x41a0ec 0x27904 0x26304
WaitNamedPipeW 0x0 0x41a0f0 0x27908 0x26308
SetConsoleCtrlHandler 0x0 0x41a0f4 0x2790c 0x2630c
SetConsoleTitleW 0x0 0x41a0f8 0x27910 0x26310
ReadConsoleW 0x0 0x41a0fc 0x27914 0x26314
GetVersion 0x0 0x41a100 0x27918 0x26318
SetProcessAffinityMask 0x0 0x41a104 0x2791c 0x2631c
ReadFile 0x0 0x41a108 0x27920 0x26320
GetConsoleScreenBufferInfo 0x0 0x41a10c 0x27924 0x26324
MultiByteToWideChar 0x0 0x41a110 0x27928 0x26328
GetComputerNameW 0x0 0x41a114 0x2792c 0x2632c
DeleteFileW 0x0 0x41a118 0x27930 0x26330
CreateFileW 0x0 0x41a11c 0x27934 0x26334
GetSystemDirectoryW 0x0 0x41a120 0x27938 0x26338
FindResourceW 0x0 0x41a124 0x2793c 0x2633c
LoadLibraryExW 0x0 0x41a128 0x27940 0x26340
FormatMessageA 0x0 0x41a12c 0x27944 0x26344
GetTickCount 0x0 0x41a130 0x27948 0x26348
CloseHandle 0x0 0x41a134 0x2794c 0x2634c
WriteFile 0x0 0x41a138 0x27950 0x26350
SizeofResource 0x0 0x41a13c 0x27954 0x26354
LoadResource 0x0 0x41a140 0x27958 0x26358
Sleep 0x0 0x41a144 0x2795c 0x2635c
WaitForSingleObject 0x0 0x41a148 0x27960 0x26360
SetEndOfFile 0x0 0x41a14c 0x27964 0x26364
SetEvent 0x0 0x41a150 0x27968 0x26368
SetLastError 0x0 0x41a154 0x2796c 0x2636c
GetLastError 0x0 0x41a158 0x27970 0x26370
GetCurrentProcess 0x0 0x41a15c 0x27974 0x26374
FreeLibrary 0x0 0x41a160 0x27978 0x26378
LockResource 0x0 0x41a164 0x2797c 0x2637c
SetPriorityClass 0x0 0x41a168 0x27980 0x26380
GetModuleFileNameW 0x0 0x41a16c 0x27984 0x26384
GetCommandLineW 0x0 0x41a170 0x27988 0x26388
GetModuleHandleW 0x0 0x41a174 0x2798c 0x2638c
LoadLibraryW 0x0 0x41a178 0x27990 0x26390
GetStdHandle 0x0 0x41a17c 0x27994 0x26394
GetFileType 0x0 0x41a180 0x27998 0x26398
LocalFree 0x0 0x41a184 0x2799c 0x2639c
LocalAlloc 0x0 0x41a188 0x279a0 0x263a0
GetProcAddress 0x0 0x41a18c 0x279a4 0x263a4
FreeEnvironmentStringsW 0x0 0x41a190 0x279a8 0x263a8
LCMapStringW 0x0 0x41a194 0x279ac 0x263ac
OutputDebugStringW 0x0 0x41a198 0x279b0 0x263b0
HeapSize 0x0 0x41a19c 0x279b4 0x263b4
HeapReAlloc 0x0 0x41a1a0 0x279b8 0x263b8
SetFilePointerEx 0x0 0x41a1a4 0x279bc 0x263bc
WriteConsoleW 0x0 0x41a1a8 0x279c0 0x263c0
GetEnvironmentVariableW 0x0 0x41a1ac 0x279c4 0x263c4
RaiseException 0x0 0x41a1b0 0x279c8 0x263c8
LoadLibraryExA 0x0 0x41a1b4 0x279cc 0x263cc
EncodePointer 0x0 0x41a1b8 0x279d0 0x263d0
DecodePointer 0x0 0x41a1bc 0x279d4 0x263d4
ExitProcess 0x0 0x41a1c0 0x279d8 0x263d8
GetModuleHandleExW 0x0 0x41a1c4 0x279dc 0x263dc
WideCharToMultiByte 0x0 0x41a1c8 0x279e0 0x263e0
HeapFree 0x0 0x41a1cc 0x279e4 0x263e4
HeapAlloc 0x0 0x41a1d0 0x279e8 0x263e8
GetConsoleMode 0x0 0x41a1d4 0x279ec 0x263ec
ReadConsoleInputA 0x0 0x41a1d8 0x279f0 0x263f0
SetConsoleMode 0x0 0x41a1dc 0x279f4 0x263f4
EnterCriticalSection 0x0 0x41a1e0 0x279f8 0x263f8
LeaveCriticalSection 0x0 0x41a1e4 0x279fc 0x263fc
SetStdHandle 0x0 0x41a1e8 0x27a00 0x26400
CreateThread 0x0 0x41a1ec 0x27a04 0x26404
GetCurrentThreadId 0x0 0x41a1f0 0x27a08 0x26408
ExitThread 0x0 0x41a1f4 0x27a0c 0x2640c
IsDebuggerPresent 0x0 0x41a1f8 0x27a10 0x26410
IsProcessorFeaturePresent 0x0 0x41a1fc 0x27a14 0x26414
GetStringTypeW 0x0 0x41a200 0x27a18 0x26418
IsValidCodePage 0x0 0x41a204 0x27a1c 0x2641c
GetACP 0x0 0x41a208 0x27a20 0x26420
GetOEMCP 0x0 0x41a20c 0x27a24 0x26424
GetCPInfo 0x0 0x41a210 0x27a28 0x26428
DeleteCriticalSection 0x0 0x41a214 0x27a2c 0x2642c
UnhandledExceptionFilter 0x0 0x41a218 0x27a30 0x26430
SetUnhandledExceptionFilter 0x0 0x41a21c 0x27a34 0x26434
InitializeCriticalSectionAndSpinCount 0x0 0x41a220 0x27a38 0x26438
TerminateProcess 0x0 0x41a224 0x27a3c 0x2643c
TlsAlloc 0x0 0x41a228 0x27a40 0x26440
TlsGetValue 0x0 0x41a22c 0x27a44 0x26444
TlsSetValue 0x0 0x41a230 0x27a48 0x26448
TlsFree 0x0 0x41a234 0x27a4c 0x2644c
GetStartupInfoW 0x0 0x41a238 0x27a50 0x26450
GetProcessHeap 0x0 0x41a23c 0x27a54 0x26454
FlushFileBuffers 0x0 0x41a240 0x27a58 0x26458
GetConsoleCP 0x0 0x41a244 0x27a5c 0x2645c
RtlUnwind 0x0 0x41a248 0x27a60 0x26460
QueryPerformanceCounter 0x0 0x41a24c 0x27a64 0x26464
GetSystemTimeAsFileTime 0x0 0x41a250 0x27a68 0x26468
GetEnvironmentStringsW 0x0 0x41a254 0x27a6c 0x2646c
COMDLG32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
PrintDlgW 0x0 0x41a0b0 0x278c8 0x262c8
ADVAPI32.dll (43)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
LsaClose 0x0 0x41a000 0x27818 0x26218
CreateProcessAsUserW 0x0 0x41a004 0x2781c 0x2621c
CryptHashData 0x0 0x41a008 0x27820 0x26220
CryptCreateHash 0x0 0x41a00c 0x27824 0x26224
CryptDecrypt 0x0 0x41a010 0x27828 0x26228
CryptEncrypt 0x0 0x41a014 0x2782c 0x2622c
CryptImportKey 0x0 0x41a018 0x27830 0x26230
CryptExportKey 0x0 0x41a01c 0x27834 0x26234
CryptDestroyKey 0x0 0x41a020 0x27838 0x26238
CryptDeriveKey 0x0 0x41a024 0x2783c 0x2623c
CryptGenKey 0x0 0x41a028 0x27840 0x26240
CryptReleaseContext 0x0 0x41a02c 0x27844 0x26244
CryptAcquireContextW 0x0 0x41a030 0x27848 0x26248
StartServiceW 0x0 0x41a034 0x2784c 0x2624c
QueryServiceStatus 0x0 0x41a038 0x27850 0x26250
OpenServiceW 0x0 0x41a03c 0x27854 0x26254
OpenSCManagerW 0x0 0x41a040 0x27858 0x26258
DeleteService 0x0 0x41a044 0x2785c 0x2625c
CreateServiceW 0x0 0x41a048 0x27860 0x26260
ControlService 0x0 0x41a04c 0x27864 0x26264
CloseServiceHandle 0x0 0x41a050 0x27868 0x26268
OpenProcessToken 0x0 0x41a054 0x2786c 0x2626c
LsaEnumerateAccountRights 0x0 0x41a058 0x27870 0x26270
LsaOpenPolicy 0x0 0x41a05c 0x27874 0x26274
LsaFreeMemory 0x0 0x41a060 0x27878 0x26278
SetSecurityInfo 0x0 0x41a064 0x2787c 0x2627c
GetSecurityInfo 0x0 0x41a068 0x27880 0x26280
LookupPrivilegeValueW 0x0 0x41a06c 0x27884 0x26284
AddAccessAllowedAce 0x0 0x41a070 0x27888 0x26288
GetAce 0x0 0x41a074 0x2788c 0x2628c
AddAce 0x0 0x41a078 0x27890 0x26290
InitializeAcl 0x0 0x41a07c 0x27894 0x26294
GetLengthSid 0x0 0x41a080 0x27898 0x26298
FreeSid 0x0 0x41a084 0x2789c 0x2629c
AllocateAndInitializeSid 0x0 0x41a088 0x278a0 0x262a0
SetTokenInformation 0x0 0x41a08c 0x278a4 0x262a4
GetTokenInformation 0x0 0x41a090 0x278a8 0x262a8
RegSetValueExW 0x0 0x41a094 0x278ac 0x262ac
RegQueryValueExW 0x0 0x41a098 0x278b0 0x262b0
RegOpenKeyExW 0x0 0x41a09c 0x278b4 0x262b4
RegOpenKeyW 0x0 0x41a0a0 0x278b8 0x262b8
RegCreateKeyW 0x0 0x41a0a4 0x278bc 0x262bc
RegCloseKey 0x0 0x41a0a8 0x278c0 0x262c0
Digital Signatures (2)
Signature Properties
LegalCopyright Copyright (C) 2001-2016 Mark Russinovich
InternalName PsExec
FileVersion 2.2
CompanyName Sysinternals - www.sysinternals.com
ProductName Sysinternals PsExec
ProductVersion 2.2
FileDescription Execute processes remotely
OriginalFilename psexec.c
Signature verification True
Certificate: Microsoft Time-Stamp Service
Certificate Properties
Issued by Microsoft Time-Stamp PCA
Valid from 2016-03-30 19:21
Valid to 2017-06-30 19:21
Algorithm SHA-1 with RSA Encryption
Serial number 33 00 00 00 98 04 58 CB 7F 23 09 B0 9E 00 00 00 00 00 98
Issuer Certificate: Microsoft Time-Stamp PCA
Certificate Properties
Issued by Microsoft Root Certificate Authority
Valid from 2007-04-03 12:53
Valid to 2021-04-03 13:03
Algorithm SHA-1 with RSA Encryption
Serial number 61 16 68 34 00 00 00 00 00 1C
Certificate: Microsoft Corporation
Certificate Properties
Issued by Microsoft Code Signing PCA
Valid from 2015-06-04 17:42
Valid to 2016-09-04 17:42
Algorithm SHA-1 with RSA Encryption
Serial number 33 00 00 01 0A 2C 79 AE D7 79 7B A6 AC 00 01 00 00 01 0A
Issuer Certificate: Microsoft Code Signing PCA
Certificate Properties
Issued by Microsoft Root Certificate Authority
Valid from 2010-08-31 22:19
Valid to 2020-08-31 22:29
Algorithm SHA-1 with RSA Encryption
Serial number 61 33 26 1A 00 00 00 00 00 31
c:\users\public\5712465812cbddbc332de65cbaaaf3eb, ...
File Properties
Names c:\users\public\5712465812cbddbc332de65cbaaaf3eb (Created File)
c:\users\eebsym5\appdata\local\temp\chr79e0.tmp (Created File)
c:\users\eebsym5\appdata\local\temp\_tqo.exe (Created File)
Size 0.00 KB
Hash Values MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
c:\users\eebsym5\appdata\local\temp\chr79e0.tmp
File Properties
Names c:\users\eebsym5\appdata\local\temp\chr79e0.tmp (Created File)
Size 18.00 KB
Hash Values MD5: 29844404ae855e9df054833f71888eb1
SHA1: 3e86f08def08fc14ddec0227d0643319562666db
SHA256: c381401ea96dfe9b926126dcbbc0dd6ab541dbf549732cc6c66f20096b1f663e
c:\users\eebsym5\appdata\local\temp\_tqo.exe
File Properties
Names c:\users\eebsym5\appdata\local\temp\_tqo.exe (Created File)
Size 1.78 MB
Hash Values MD5: 99e6fa0641c7fb15bb95e9b333c92cf4
SHA1: 5c4c4191542a49052f91f71500f67b353c0cbabb
SHA256: 700ff9959ee79cc40c79f89eb544ea2e7fe5450e8b8d284c5e3c87c82b6dc20f
PE Information
Information Value
Image Base 0x400000
Entry Point 0x40ae66
Size Of Code 0x1d600
Size Of Initialized Data 0x1a9a00
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-12-27 12:44:47
Compiler/Packer Unknown
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1d4ac 0x1d600 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.65
.rdata 0x41f000 0x8bac 0x8c00 0x1da00 CNT_INITIALIZED_DATA, MEM_READ 5.46
.data 0x428000 0x96fc 0x8c00 0x26600 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 0.89
.gfids 0x432000 0x134 0x200 0x2f200 CNT_INITIALIZED_DATA, MEM_READ 2.38
.rsrc 0x433000 0x195b88 0x195c00 0x2f400 CNT_INITIALIZED_DATA, MEM_READ 8.0
.reloc 0x5c9000 0x1644 0x1800 0x1c5000 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 6.4
Imports (148)
KERNEL32.dll (108)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetVersionExW 0x0 0x41f044 0x26f14 0x25914
GetModuleHandleA 0x0 0x41f048 0x26f18 0x25918
CreateEventW 0x0 0x41f04c 0x26f1c 0x2591c
MultiByteToWideChar 0x0 0x41f050 0x26f20 0x25920
Sleep 0x0 0x41f054 0x26f24 0x25924
GetTempPathA 0x0 0x41f058 0x26f28 0x25928
CopyFileA 0x0 0x41f05c 0x26f2c 0x2592c
GetLastError 0x0 0x41f060 0x26f30 0x25930
GetFileAttributesA 0x0 0x41f064 0x26f34 0x25934
CreateFileA 0x0 0x41f068 0x26f38 0x25938
SetEvent 0x0 0x41f06c 0x26f3c 0x2593c
TerminateThread 0x0 0x41f070 0x26f40 0x25940
DeleteFileW 0x0 0x41f074 0x26f44 0x25944
CloseHandle 0x0 0x41f078 0x26f48 0x25948
LoadLibraryW 0x0 0x41f07c 0x26f4c 0x2594c
CreateThread 0x0 0x41f080 0x26f50 0x25950
GetOverlappedResult 0x0 0x41f084 0x26f54 0x25954
VirtualProtectEx 0x0 0x41f088 0x26f58 0x25958
GetWindowsDirectoryW 0x0 0x41f08c 0x26f5c 0x2595c
GetProcAddress 0x0 0x41f090 0x26f60 0x25960
VirtualAllocEx 0x0 0x41f094 0x26f64 0x25964
LocalFree 0x0 0x41f098 0x26f68 0x25968
GetFileSize 0x0 0x41f09c 0x26f6c 0x2596c
DeleteCriticalSection 0x0 0x41f0a0 0x26f70 0x25970
ExitProcess 0x0 0x41f0a4 0x26f74 0x25974
GetCurrentProcessId 0x0 0x41f0a8 0x26f78 0x25978
CreateProcessW 0x0 0x41f0ac 0x26f7c 0x2597c
GetModuleHandleW 0x0 0x41f0b0 0x26f80 0x25980
CreateRemoteThread 0x0 0x41f0b4 0x26f84 0x25984
CreateProcessA 0x0 0x41f0b8 0x26f88 0x25988
CreateEventA 0x0 0x41f0bc 0x26f8c 0x2598c
ConnectNamedPipe 0x0 0x41f0c0 0x26f90 0x25990
GetComputerNameA 0x0 0x41f0c4 0x26f94 0x25994
GetFileAttributesW 0x0 0x41f0c8 0x26f98 0x25998
HeapFree 0x0 0x41f0cc 0x26f9c 0x2599c
HeapAlloc 0x0 0x41f0d0 0x26fa0 0x259a0
GetProcessHeap 0x0 0x41f0d4 0x26fa4 0x259a4
GetTempPathW 0x0 0x41f0d8 0x26fa8 0x259a8
GetTickCount 0x0 0x41f0dc 0x26fac 0x259ac
SizeofResource 0x0 0x41f0e0 0x26fb0 0x259b0
LockResource 0x0 0x41f0e4 0x26fb4 0x259b4
LoadResource 0x0 0x41f0e8 0x26fb8 0x259b8
FindResourceW 0x0 0x41f0ec 0x26fbc 0x259bc
FindFirstFileExW 0x0 0x41f0f0 0x26fc0 0x259c0
CreateFileW 0x0 0x41f0f4 0x26fc4 0x259c4
LocalAlloc 0x0 0x41f0f8 0x26fc8 0x259c8
WaitForSingleObject 0x0 0x41f0fc 0x26fcc 0x259cc
InitializeCriticalSection 0x0 0x41f100 0x26fd0 0x259d0
LeaveCriticalSection 0x0 0x41f104 0x26fd4 0x259d4
WaitForMultipleObjects 0x0 0x41f108 0x26fd8 0x259d8
CreateNamedPipeW 0x0 0x41f10c 0x26fdc 0x259dc
GetModuleFileNameW 0x0 0x41f110 0x26fe0 0x259e0
TerminateProcess 0x0 0x41f114 0x26fe4 0x259e4
InterlockedDecrement 0x0 0x41f118 0x26fe8 0x259e8
WriteFile 0x0 0x41f11c 0x26fec 0x259ec
ReadFile 0x0 0x41f120 0x26ff0 0x259f0
GetCurrentProcess 0x0 0x41f124 0x26ff4 0x259f4
GetCommandLineW 0x0 0x41f128 0x26ff8 0x259f8
EnterCriticalSection 0x0 0x41f12c 0x26ffc 0x259fc
WriteProcessMemory 0x0 0x41f130 0x27000 0x25a00
CancelIo 0x0 0x41f134 0x27004 0x25a04
FindClose 0x0 0x41f138 0x27008 0x25a08
DecodePointer 0x0 0x41f13c 0x2700c 0x25a0c
SetEndOfFile 0x0 0x41f140 0x27010 0x25a10
HeapSize 0x0 0x41f144 0x27014 0x25a14
WriteConsoleW 0x0 0x41f148 0x27018 0x25a18
FlushFileBuffers 0x0 0x41f14c 0x2701c 0x25a1c
GetStringTypeW 0x0 0x41f150 0x27020 0x25a20
SetStdHandle 0x0 0x41f154 0x27024 0x25a24
ReadConsoleW 0x0 0x41f158 0x27028 0x25a28
SetFilePointerEx 0x0 0x41f15c 0x2702c 0x25a2c
GetModuleFileNameA 0x0 0x41f160 0x27030 0x25a30
FreeLibrary 0x0 0x41f164 0x27034 0x25a34
FreeEnvironmentStringsW 0x0 0x41f168 0x27038 0x25a38
GetEnvironmentStringsW 0x0 0x41f16c 0x2703c 0x25a3c
GetCommandLineA 0x0 0x41f170 0x27040 0x25a40
GetCPInfo 0x0 0x41f174 0x27044 0x25a44
GetOEMCP 0x0 0x41f178 0x27048 0x25a48
IsValidCodePage 0x0 0x41f17c 0x2704c 0x25a4c
LCMapStringW 0x0 0x41f180 0x27050 0x25a50
UnhandledExceptionFilter 0x0 0x41f184 0x27054 0x25a54
SetUnhandledExceptionFilter 0x0 0x41f188 0x27058 0x25a58
IsProcessorFeaturePresent 0x0 0x41f18c 0x2705c 0x25a5c
QueryPerformanceCounter 0x0 0x41f190 0x27060 0x25a60
GetCurrentThreadId 0x0 0x41f194 0x27064 0x25a64
GetSystemTimeAsFileTime 0x0 0x41f198 0x27068 0x25a68
InitializeSListHead 0x0 0x41f19c 0x2706c 0x25a6c
IsDebuggerPresent 0x0 0x41f1a0 0x27070 0x25a70
GetStartupInfoW 0x0 0x41f1a4 0x27074 0x25a74
WideCharToMultiByte 0x0 0x41f1a8 0x27078 0x25a78
EncodePointer 0x0 0x41f1ac 0x2707c 0x25a7c
RaiseException 0x0 0x41f1b0 0x27080 0x25a80
RtlUnwind 0x0 0x41f1b4 0x27084 0x25a84
SetLastError 0x0 0x41f1b8 0x27088 0x25a88
InitializeCriticalSectionAndSpinCount 0x0 0x41f1bc 0x2708c 0x25a8c
TlsAlloc 0x0 0x41f1c0 0x27090 0x25a90
TlsGetValue 0x0 0x41f1c4 0x27094 0x25a94
TlsSetValue 0x0 0x41f1c8 0x27098 0x25a98
TlsFree 0x0 0x41f1cc 0x2709c 0x25a9c
LoadLibraryExW 0x0 0x41f1d0 0x270a0 0x25aa0
GetStdHandle 0x0 0x41f1d4 0x270a4 0x25aa4
GetModuleHandleExW 0x0 0x41f1d8 0x270a8 0x25aa8
GetACP 0x0 0x41f1dc 0x270ac 0x25aac
HeapReAlloc 0x0 0x41f1e0 0x270b0 0x25ab0
GetConsoleCP 0x0 0x41f1e4 0x270b4 0x25ab4
GetConsoleMode 0x0 0x41f1e8 0x270b8 0x25ab8
GetFileType 0x0 0x41f1ec 0x270bc 0x25abc
FindNextFileW 0x0 0x41f1f0 0x270c0 0x25ac0
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
wsprintfW 0x0 0x41f230 0x27100 0x25b00
ADVAPI32.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CryptAcquireContextW 0x0 0x41f000 0x26ed0 0x258d0
CryptReleaseContext 0x0 0x41f004 0x26ed4 0x258d4
LookupPrivilegeValueW 0x0 0x41f008 0x26ed8 0x258d8
AdjustTokenPrivileges 0x0 0x41f00c 0x26edc 0x258dc
CryptGenRandom 0x0 0x41f010 0x26ee0 0x258e0
LookupPrivilegeNameW 0x0 0x41f014 0x26ee4 0x258e4
CopySid 0x0 0x41f018 0x26ee8 0x258e8
IsValidSid 0x0 0x41f01c 0x26eec 0x258ec
LogonUserA 0x0 0x41f020 0x26ef0 0x258f0
OpenProcessToken 0x0 0x41f024 0x26ef4 0x258f4
ConvertSidToStringSidW 0x0 0x41f028 0x26ef8 0x258f8
GetLengthSid 0x0 0x41f02c 0x26efc 0x258fc
LookupAccountSidW 0x0 0x41f030 0x26f00 0x25900
GetTokenInformation 0x0 0x41f034 0x26f04 0x25904
SHELL32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
SHGetSpecialFolderPathW 0x0 0x41f224 0x270f4 0x25af4
CommandLineToArgvW 0x0 0x41f228 0x270f8 0x25af8
ole32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CoCreateGuid 0x0 0x41f258 0x27128 0x25b28
CoTaskMemFree 0x0 0x41f25c 0x2712c 0x25b2c
CoSetProxyBlanket 0x0 0x41f260 0x27130 0x25b30
CoInitializeEx 0x0 0x41f264 0x27134 0x25b34
CoInitializeSecurity 0x0 0x41f268 0x27138 0x25b38
CoCreateInstance 0x0 0x41f26c 0x2713c 0x25b3c
CoUninitialize 0x0 0x41f270 0x27140 0x25b40
OLEAUT32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
SysFreeString 0x6 0x41f204 0x270d4 0x25ad4
SysAllocString 0x2 0x41f208 0x270d8 0x25ad8
SysStringLen 0x7 0x41f20c 0x270dc 0x25adc
SafeArrayUnaccessData 0x18 0x41f210 0x270e0 0x25ae0
SafeArrayAccessData 0x17 0x41f214 0x270e4 0x25ae4
VariantClear 0x9 0x41f218 0x270e8 0x25ae8
SafeArrayCreate 0xf 0x41f21c 0x270ec 0x25aec
IPHLPAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetIpNetTable 0x0 0x41f03c 0x26f0c 0x2590c
WS2_32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
FreeAddrInfoW 0x0 0x41f238 0x27108 0x25b08
GetAddrInfoW 0x0 0x41f23c 0x2710c 0x25b0c
WSACleanup 0x74 0x41f240 0x27110 0x25b10
WSAStartup 0x73 0x41f244 0x27114 0x25b14
ntohl 0xe 0x41f248 0x27118 0x25b18
credui.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CredUIParseUserNameW 0x0 0x41f250 0x27120 0x25b20
NETAPI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
NetApiBufferFree 0x0 0x41f1f8 0x270c8 0x25ac8
NetGetDCName 0x0 0x41f1fc 0x270cc 0x25acc