SecondWrite DeepView - 4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f

Malicious

This predictive confidence of maliciousness for this sample is 98%.

4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f

400.9 kB

Size

2020-04-22 01:23:03

First seen 7 days ago

Windows PE32 Executable

Classification

Full Detail

Ransomware

Low

Trojan

High

Virus

Low

Banker

Low

Bot

Low

Rat

Low

Adware

Medium

Infostealer

Low

Worm

Low

Spyware

Low

Indicators

Expand All

SecondWrite Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Adware

Attempts to modify Internet Explorer's start page

Anti-Analysis

Attempts to repeatedly call a single API many times in order to delay analysis time

Anti-Debug

Checks for the presence of known windows from debuggers and forensic tools

PID	API	Arguments
2092	FindWindowA	class_name: TApplication window_name: eyoorun

Anti-Sandbox

Likely virus infection of existing system binary

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Anti-Vm

Queries for the computername

PID	API	Arguments
1172	GetComputerNameA	computer_name: VIRTUAL-PC

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation

PID	API	Arguments
1064	GetDiskFreeSpaceExW	total_number_of_free_bytes: 0 free_bytes_available: 5239369728 root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0
1064	GetDiskFreeSpaceExW	total_number_of_free_bytes: 0 free_bytes_available: 5239894016 root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0
1064	GetDiskFreeSpaceExW	total_number_of_free_bytes: 0 free_bytes_available: 5239894016 root_path: C:\Users\Virtual\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0

Detects VMWare through the in instruction feature

PID	API	Arguments
2676	__exception__	stacktrace: [u'qgnjqwpn+0x9c1ee @ 0xdb8c1ee', u'qgnjqwpn+0x9d337 @ 0xdb8d337', u'qgnjqwpn+0x232bf @ 0xdb132bf', u'qgnjqwpn+0x4872 @ 0xdaf4872', u'BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x7dd733ca', u'RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2', u'RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5'] exception: {u'instruction_r': u'ed 81 fb 68 58 4d 56 0f 94 45 ff 5b 59 5a 33 c0', u'instruction': u'in eax, dx', u'exception_code': u'0xc0000096', u'symbol': u'qgnjqwpn+0xbea7c', u'address': u'0xdbaea7c'} registers: {u'esp': 236125248, u'edi': 0, u'eax': 1447909480, u'ebp': 236125288, u'edx': 22104, u'ebx': 0, u'esi': 0, u'ecx': 10}
2420	__exception__	stacktrace: [u'yowfgx+0x9c1ee @ 0x33cc1ee', u'yowfgx+0x9d337 @ 0x33cd337', u'yowfgx+0x232bf @ 0x33532bf', u'yowfgx+0x4872 @ 0x3334872', u'BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x7dd733ca', u'RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2', u'RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5'] exception: {u'instruction_r': u'ed 81 fb 68 58 4d 56 0f 94 45 ff 5b 59 5a 33 c0', u'instruction': u'in eax, dx', u'exception_code': u'0xc0000096', u'symbol': u'yowfgx+0xbea7c', u'address': u'0x33eea7c'} registers: {u'esp': 53148736, u'edi': 0, u'eax': 1447909480, u'ebp': 53148776, u'edx': 22104, u'ebx': 0, u'esi': 0, u'ecx': 10}

Av-Tools

One or more AV tool detects this sample as malicious: Trojan:Win32/Asacky!rfn

Bind

Starts servers listening

PID	API	Arguments
2676	bind	ip_address: 0.0.0.0 socket: 532 port: 0
2676	bind	ip_address: 0.0.0.0 socket: 612 port: 0
2676	bind	ip_address: 0.0.0.0 socket: 612 port: 0
2676	bind	ip_address: 0.0.0.0 socket: 612 port: 0
2676	bind	ip_address: 0.0.0.0 socket: 636 port: 0
2676	bind	ip_address: 0.0.0.0 socket: 776 port: 6986
2676	bind	ip_address: 0.0.0.0 socket: 784 port: 31223
2676	bind	ip_address: 0.0.0.0 socket: 784 port: 31223
2676	listen	socket: 784 backlog: 15
2756	bind	ip_address: 0.0.0.0 socket: 524 port: 0
2756	bind	ip_address: 0.0.0.0 socket: 604 port: 0
2756	bind	ip_address: 0.0.0.0 socket: 604 port: 0
2756	bind	ip_address: 0.0.0.0 socket: 604 port: 0
2756	bind	ip_address: 0.0.0.0 socket: 416 port: 0
2756	bind	ip_address: 0.0.0.0 socket: 568 port: 0
2536	bind	ip_address: 0.0.0.0 socket: 512 port: 0
2536	bind	ip_address: 0.0.0.0 socket: 512 port: 0
2536	bind	ip_address: 0.0.0.0 socket: 612 port: 0
2536	bind	ip_address: 0.0.0.0 socket: 620 port: 0
2420	bind	ip_address: 0.0.0.0 socket: 512 port: 0
2420	bind	ip_address: 0.0.0.0 socket: 512 port: 0
2420	bind	ip_address: 0.0.0.0 socket: 624 port: 0
2420	bind	ip_address: 0.0.0.0 socket: 692 port: 6986
2420	bind	ip_address: 0.0.0.0 socket: 716 port: 62835
2420	bind	ip_address: 0.0.0.0 socket: 716 port: 62835
2420	listen	socket: 716 backlog: 15
2420	accept	ip_address: 10.152.152.103 socket: 716 port: 49253
1448	bind	ip_address: 0.0.0.0 socket: 512 port: 0
1448	bind	ip_address: 0.0.0.0 socket: 512 port: 0
1448	bind	ip_address: 0.0.0.0 socket: 612 port: 0
1448	bind	ip_address: 0.0.0.0 socket: 620 port: 0
1904	bind	ip_address: 0.0.0.0 socket: 512 port: 0
1904	bind	ip_address: 0.0.0.0 socket: 512 port: 0
1904	bind	ip_address: 0.0.0.0 socket: 612 port: 0
1852	bind	ip_address: 0.0.0.0 socket: 512 port: 0
1852	bind	ip_address: 0.0.0.0 socket: 512 port: 0
1852	bind	ip_address: 0.0.0.0 socket: 612 port: 0
1852	bind	ip_address: 0.0.0.0 socket: 620 port: 0
1800	bind	ip_address: 0.0.0.0 socket: 512 port: 0
1800	bind	ip_address: 0.0.0.0 socket: 512 port: 0
1800	bind	ip_address: 0.0.0.0 socket: 612 port: 0
1800	bind	ip_address: 0.0.0.0 socket: 620 port: 0
2092	bind	ip_address: 0.0.0.0 socket: 512 port: 0
2092	bind	ip_address: 0.0.0.0 socket: 512 port: 0

Starts servers listening on 0.0.0.0:31223, 0.0.0.0:62835

Browser

Tries to locate where the browsers are installed

Attempts to create or modify system certificates

Generic

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Creates executable files on the filesystem

Repeatedly searches for a not-found process, you may want to run a web browser during analysis

PID	API	Arguments
2092	Process32NextW	snapshot_handle: 0x00000260 process_name: 4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe process_identifier: 2248
2092	Process32NextW	snapshot_handle: 0x00000230 process_name: taskhost.exe process_identifier: 2512
2092	Process32NextW	snapshot_handle: 0x00000230 process_name: taskhost.exe process_identifier: 2512

Reads data out of its own binary image

Sample writes a large amount of files (Over 100)

Expresses interest in specific running processes

One or more of the buffers contains an embedded PE file

Http

Performs some HTTP requests

Network

Sample contacts servers at uncommon ports

Attempts to connect to dead IP:Port(s)

Performs some DNS requests

Drops a binary and executes it

Origin

Unconventionial language used in binary resources

Packer

The executable has PE anomalies (could be a false positive)

Allocates read-write-execute memory (usually to unpack itself)

PID	API	Arguments
1172	NtAllocateVirtualMemory	process_identifier: 840 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x002e0000 allocation_type: 4096 process_handle: 0xffffffff

The binary likely contains encrypted or compressed data.

Creates a slightly modified copy of itself

Program-Level-Features

More than %50 of the external calls do not go through the import address table

Service

Creates a service

PID	API	Arguments
2676	CreateServiceW	service_start_name: start_type: 3 password: display_name: jOaVQkJPay filepath: C:\Windows\SysWOW64\Cmgthnj6o8.sys service_name: jOaVQkJPay filepath_r: C:\Windows\syswow64\Cmgthnj6o8.sys desired_access: 983551 service_handle: 0x00901a38 error_control: 1 service_type: 1 service_manager_handle: 0x009018f8

Static

This sample contains high entropy sections

Anomalous binary characteristics

Presents an Authenticode digital signature

Yara

Yara Pattern Name	Description
Str_Win32_Winsock2_Library	Match Winsock 2 API library declaration
IsPE32	No Description Available
HasOverlay	Overlay Check
keylogger	Run a keylogger
win_registry	Affect system registries
suspicious_packer_section	The packer/protector section names/keywords

Static Analysis

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
CODE	0x00001000	0x0005e000	0x0001ee00	7.99743961639
.rsrc	0x0005f000	0x00002000	0x00001600	6.85238217113

Resources

Name	Offset	Size	Language	Sub-language	File type
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0005d858	0x000002d4	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_RCDATA	0x0005db40	0x00000514	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_RCDATA	0x0005db40	0x00000514	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_MANIFEST	0x0005f3b8	0x0000015d	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	None

Imports

Library kernel32.dll:

GetProcAddress
LoadLibraryA
VirtualAlloc
VirtualFree

Library user32.dll:

GetKeyboardType

Library advapi32.dll:

RegQueryValueExA

Library oleaut32.dll:

SysFreeString

Library version.dll:

VerQueryValueA

Library ntdll.dll:

RtlGetNtVersionNumbers

Library URLMON.DLL:

UrlMkGetSessionOption

Library shell32.dll:

SHGetSpecialFolderLocation

Library wsock32.dll:

WSACleanup

Library Rpcrt4.dll:

UuidCreateSequential

Strings

This program must be run under Win32
PEC2^O
PECompact2
$.lB!y#
_k"ZRaWXW_
~3FrsW
}UbE H
~W*~O
CKt e}:
;$f<HL
C7UXJ@
yl+_}
m}LJx.
hiV4x0@4
^P*llf
zgk2{K}.
P*as:%T
_Tm !~}Ps$3
ml/si#
.(q&Qm
*^@ [isf
P111q
]WS;VBZf
QR@$GF
TM;]PI&
Nj5o8\v
{(;k<d
$95KI:
}Z9-s
o.x RiX
B$Oimp#
L68_i~
Yb9^5yF
H"i;cuG
q~WYqz
,`UlDv
zi6Niv
Qp'X^&
_Uxcc,%'
[q!evE~!
R+,Ih=
w4YMTp
U9ff<:
`VfxW|
/B]S|=(C
oJu:x?
(uJ,\;/{
Sw:F/Z
+HVhk/Z
#0#wZpF)i
l`#AcC
<L2J:)
nczd!+
-cA\L
Y^m{N/
0E#_&dj
54G|\N
tp_y(v
&Ume=q
#%QVpR
Oof6x;
f,Gt$.
rvgwQs
7DPn41
<qZ9BzV
8<3Y v
jq9jC_
Z*>2G3
NFM[;o
"^NuqS
Fudu>q6
0{sf/*o(FY
[4VuaK
K6pj1%iy
]Ub<7B
W`klGK
fH%3d/
iRs|Hz
~0Qhyv
xX!f>v
5pj%WM
(pXsWO0
{_O9I
Zt 0]R
nq5U],
+)"9E*
9:3**@
HpM^e]
vI~c2X
t +gLS
f.-(rk]U
?[-ANI
jJ)qW+
[G'+gq
?|y_C
xSTmE_~
:ARx40
3.M#=F!
8qCF*W
L\uyS?V)52*
5S8mvU
fDHU50
xmub@u
ZM}awO
tx%nFr
qoHBf1[r
KtLP53
hOsBtc
+-#Hn: [T
E3dTbS
5HQQ#jT
6eqm=[
]w=5a]s0_
=Z61lm
-@@?^s
P^Vx/`
0MnJzV
~=Y{4P
c?}bEB?!
nd,1G]
n<6q3Js_^
sM2o$n
Y^l\Ph
tWB1hk
cx"l@r^Iz
*_"1iF
c)Pe*u
\He{G&
Z|m3a2n:
-kv}9~
p@yEvuA@n
pN,!>yu
_P<=!u
>>?29tR
/Bo(X]
,^UWCd
vsoHKoc
/q1#N
~,A7(vh_p@
WMKwAd
213,F\
8P\Em_H3
K2P-;O
?/kc@w
7]G&{H
xRAdl{+7Os
f(6:{>
63jf/x
-o<Hu1l
2+s%OQ
c7el5U
X8O0-Z
lP M1j
Xcx1orQ
_d:pI)G
F:~Mqkq
/)JM4<
)~=Xpj
L b@a[
\G/3Lk
."]"MF
MwEx@w,!
d1qr=k
|9a5|4)
9~tbVN
#uIc1D
8&M3LUc
xZn0J[~[
`ZUIBA
^up[Ms
>"04{HZ
5oc#Q{
uzpLQ&
|.)QSkU
@M%<{m
MB0zG]
3KE8di
m8C^zZT[
~2Ee"Vi
Ee8^z,
/oSdgc
Q2rI8)
%X'4r.+
}'*D<EAzi~IW
%wv[-YV
fBfXf9
QXc#Uj
`m5KjJ
MP3`AW
&(*3GC
RlO(d'
pgBf=n
7nLcp:
gT{1[/bK
l+-wBo
t)}i@Fn
[;l\NQ
,9rj4/
R/@@7E@_
`H8wVTi
-d*UKUNZ
"3|5K:
ukgECDs
7V{p]U<0SD
-)yfq;!9
EJ%FH]
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
user32.dll
GetKeyboardType
advapi32.dll
RegQueryValueExA
oleaut32.dll
SysFreeString
version.dll
VerQueryValueA
ntdll.dll
RtlGetNtVersionNumbers
URLMON.DLL
UrlMkGetSessionOption
shell32.dll
SHGetSpecialFolderLocation
wsock32.dll
WSACleanup
Rpcrt4.dll
UuidCreateSequential
Ta!]hE
T#`{+<
D%@uCL
&PnH+x
:dMZh0]o
msvb]x
ApAlicat
3^p*vu
Bo8xA=w
?ExitPI
`|Virt
USQWVR
Z^_Y[]
DVCLAL
PACKAGEINFO

Dropped Files

00950c02053bc91a_4b08f1847d1356be5a729869a2a73d67fc98350513d05a505c430d888ad1f9f.exe

Name: 00950c02053bc91a_4b08f1847d1356be5a729869a2a73d67fc98350513d05a505c430d888ad1f9f.exe
Size: 406.5 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: f37e8be152ec747e58889bd072e9a869
SHA1: 7e841ac84e17ea17f373d471fdf0fe4c0162f19f
SHA256: 00950c02053bc91a65a9425a6a01e75815310859114dfeb36638cb785e0cbf96
SHA512: 82a581d9e631916dd97fe6a11f54d0bac94efc6bcf622d398c56b99dce8640568bbafd3f59aa242a6214ea820d21d4c7a13e568dfa2b1e4bd41314fd54c2411a
Ssdeep: 3072:sw5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:s/WYRJvnCPWQmJEBoQ

037c9be93a3486b5_QgNJqwpN.dll

Name: 037c9be93a3486b5_QgNJqwpN.dll
Size: 1.4 MB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 290856a872c70ff3c4bdae7b5a4bbc58
SHA1: b3a53951cfbfee2d89ebb06a916b9b29edcf640a
SHA256: 037c9be93a3486b5b4307ed3d1f8866e908cbab56141ce16f8e194d11ecdcfb6
SHA512: 1908f663cb70dfa639794a65b6f6d08d534d3b3398a71195e9785277290185240583ed1a1cfc32c3c7aa25f2cba0e19492bed93eb01d69aac81dcaa5b04ef911
Ssdeep: 24576:rh1HHPSU7ZopIfvathhVEsBQE6Tm1cWSkjCExL+22RTRJ2bSa5IsBe80Fnk:91nPSUFopIeVvBTWeBrL+2QJra2sB30

055579e65b1c4c26_4b08f1847d1356be5a729869a2a3d67fcc98350513d05a505c430d888ad1f9f.exe

Name: 055579e65b1c4c26_4b08f1847d1356be5a729869a2a3d67fcc98350513d05a505c430d888ad1f9f.exe
Size: 406.5 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: c37e00ce6bfd5e5f77ff29bdb130bb74
SHA1: 3a44622399e765a1a80cf1277f1dfffaba9c4879
SHA256: 055579e65b1c4c26faae158099734cb0183432829a58f4ad0c723ad5e3acaf23
SHA512: cd6e8bca74b30854e5f0251ab6e0278f1b776fa89a192c0bea84ad35e6e895d23fc554a3dc1b34578862bae38f66a8f0dcd7611e2fd72f3cd5d9ecdc835898ef
Ssdeep: 3072:Iw5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:I/WYRJvnCPWQmJEBoQ

2d377a0c2b5f519a_UYtjTvl.dll

Name: 2d377a0c2b5f519a_UYtjTvl.dll
Size: 4.7 kB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 5485fc61206fe70dcb99015ebdbf9ccb
SHA1: 66493a63c724f8060f4f048293585ed9e2c0d55a
SHA256: 2d377a0c2b5f519a4a511a6777cfacee207da8f29c449a4f7e81c2c98e0bf9c9
SHA512: 8671fa5053f0a0a055af3546fb301e2f7acfcdf6cab9fffbe2852dcb440c7a5f8c26ba2ba8b7cb4f3c753dc7a7d8bce0e1ed64b3f1f214fc4f4e6e1253b55ca1
Ssdeep: 48:aD81qEqevmVglLXkPbIVwhMXrDhMveiJMwKMRuqSOB:ZqevmVGgPkVwyDQeiJMwKsxr

36df908d7bd7477a_4b08f1847d356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe

Name: 36df908d7bd7477a_4b08f1847d356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
Size: 408.8 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 37c3c8d2a7e4c220184d660252668a4e
SHA1: a9b803cd06fc1053bda63bb260b025f6f1346137
SHA256: 36df908d7bd7477a4a1d89f011c594499d34bee787f9b6c130027ad062d7e327
SHA512: adca0e55c3723ded8a910b4c8301a7a7c4290cd4fa4b7daf9f39aeb8bb90932fdcb34bdf523b8b10d1af663583f0337b1f3bb68051b0eaf1910f73b5428b236c
Ssdeep: 3072:9w5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:9/WYRJvnCPWQmJEBoQ

3d309778d94ae8d2_IdmvegSS.dll

Name: 3d309778d94ae8d2_IdmvegSS.dll
Size: 7.0 kB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 123b8df182337ba7173de8b89d09e31e
SHA1: c6d843928d6beb975d124a55f196f893b1818a65
SHA256: 3d309778d94ae8d2187a0d01b66abb3f01aff56d976a882d6e7bd5403781a54a
SHA512: cff8a64e6b350ee3a056584ed7044e95ee70bf7891b23a4aa13dcea811dc17e0d634d9108fba619586644ad91efaa4b02bcd2aaae0bc35a6acd251bbafdff25b
Ssdeep: 48:aDA1qEqevmVglLXkPbIVwhMXrDhMveiJMwKMRuqSOB:tqevmVGgPkVwyDQeiJMwKsxr

410c3d25f6f501f9_vtrrNi.dll

Name: 410c3d25f6f501f9_vtrrNi.dll
Size: 8.9 kB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 1fa3cba60a9490da76721e0be303f2ab
SHA1: 40313d56bddac530b25ddb978472b789a38c3dfc
SHA256: 410c3d25f6f501f929c625f34118ce6ff582beb5549e4cbc63f5fb483416be59
SHA512: b166363aff57a437e6437ffa83845c5f8d367822feca2594d072de354526ec364f0ab203bfc011128eddaca465caaa5cb63bcb286dda25b2266ce5d8e7c5442c
Ssdeep: 48:aD41qEqevmVglLXkPbIVwhMXrDhMveiJMwKMRuqSOB:JqevmVGgPkVwyDQeiJMwKsxr

590e028cf82c6a86_hadWVvI.dll

Name: 590e028cf82c6a86_hadWVvI.dll
Size: 7.0 kB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 53d5106c58d5d9a7419877d40d7f1fb7
SHA1: 8a01e5269d4b58171aecf1c5a52b68e22ae17a85
SHA256: 590e028cf82c6a86b8c4a413756e53e7b2972db30e20d714a71f3530d4d43cf4
SHA512: a3ecf6a4504ab580929e4806b3e0840b9f34a12b5b2413269c7a988588a192ec6295e88e8ad812c947a0198eacdb63e64863918d4c827f9bfd384851270ea57e
Ssdeep: 48:aD71qEqevmVglLXkPbIVwhMXrDhMveiJMwKMRuqSOB:cqevmVGgPkVwyDQeiJMwKsxr

70ac68a4d211fb9a_4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f.exe

Name: 70ac68a4d211fb9a_4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f.exe
Size: 402.7 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 46228b81bc28b7856b75540cad3b8123
SHA1: abe58cb4cf77d1bfc8115f3b23458b9326d0f2d5
SHA256: 70ac68a4d211fb9a4b1f66f23c08a2734c123a5083eca7561da7757287a12933
SHA512: 59ecda973eb06327bf401142ec716cc369d2ec25a37a3a850703a2ed8916210c6939d360c4ff090f8d952b9cef02a76c5e46b5c9e637c2204c5c3e146836fa88
Ssdeep: 3072:/w5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ://WYRJvnCPWQmJEBoQ

78c31b79779718a5_HVvKIAYd.dll

Name: 78c31b79779718a5_HVvKIAYd.dll
Size: 9.1 kB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 4ee6dd739e6f59a9e1846173c1869778
SHA1: 8ceb3c00f68494e6589e841eeba4684432a0908b
SHA256: 78c31b79779718a5ca5ced6afb974bd268aa25c93a97669fedd901e2b533ae33
SHA512: 59c1c944ce51548656d2d2a3205a7fbaecdbc7ac66ff2b26f6e361f966585c00313910948ed583f583addc20ec07e3e3911e296eab791a63fa8690047e5c5c02
Ssdeep: 48:aDh1qEqevmVglLXkPbIVwhMXrDhMveiJMwKMRuqSOB:CqevmVGgPkVwyDQeiJMwKsxr

7a8f59fbc878c84a_yiKmpY.dll

Name: 7a8f59fbc878c84a_yiKmpY.dll
Size: 8.5 kB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: c4838ffd793dc89d0679429b41efa6e7
SHA1: 8b18abb18eea93571ca50825803ab98d2743f743
SHA256: 7a8f59fbc878c84aa8e02ebcfad618a19c49860959dcce8aa7c7994f7f12d460
SHA512: 44cd5a4404650b62b3bcb949057c7517e803a3190b2004409276a79b2f23d2dca738f9210cba8205eaa69953dddd0920545bfeef305d93d9d8551cd48d16057d
Ssdeep: 48:aDE1qEqevmVglLXkPbIVwhMXrDhMveiJMwKMRuqSOB:VqevmVGgPkVwyDQeiJMwKsxr

a23f5382f38f8568_4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f.exe

Name: a23f5382f38f8568_4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f.exe
Size: 407.3 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 2c0ae83eff7e6f98f75fee82f75ebcf9
SHA1: 255c07cc72c03ef04646e68700920cc922d8803d
SHA256: a23f5382f38f8568b00477efef8d046d2fc2dc58ddfa642566ffdf75977fe25b
SHA512: 77db9fe010ff38101348609c6a84b7bf9121ea4da7f3cc62019333a18be4e6e1caf2584d3063ac3a71e39f9bf6353868df2b4b0faf2202ff7c4dfa41e9ef1a48
Ssdeep: 3072:5w5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:5/WYRJvnCPWQmJEBoQ

b9ce2e4aab5d79a8_4b08f1847d1356be5729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe

Name: b9ce2e4aab5d79a8_4b08f1847d1356be5729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
Size: 408.4 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 0aaa731b19b1dd9330c8164efb4acf1b
SHA1: 607334a69961bb0a85e640a0a3fb02bbe9e2fb70
SHA256: b9ce2e4aab5d79a817bd9704d8af199e4df3cdddbddf4fa1486f6362f208756a
SHA512: 5462c3f16e411f2ffb398f9baca3c3ef453e77fb7d39e94911b9eada135264db60d50a19e58317ad98d2cab169af00b9e3b8cbccba9aebb57e61156cc278c74e
Ssdeep: 3072:mw5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:m/WYRJvnCPWQmJEBoQ

be3b120fdf081c04_4b081847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe

Name: be3b120fdf081c04_4b081847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
Size: 403.8 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 685e355aaaaa925c482dc994c617661f
SHA1: 2696c3d5adfb03bd6185267cec98f8d5d6159bcb
SHA256: be3b120fdf081c047b3bbba2517bb1a736ea48aec6a72aedddcbae81a705c9e6
SHA512: 6d30ca70d3ef254ce668909ddd05d1aded07ccefb150a9e86860c14b429e3443ecc2a5f0470afa21e74f3533b385553de7735dff18cba4c4af2cf21f71dab9c1
Ssdeep: 3072:lw5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:l/WYRJvnCPWQmJEBoQ

c3f145f1028735c0_4b08f1847d1356be5a729869a2a73d6fcc98350513d05a505c430d888ad1f9f.exe

Name: c3f145f1028735c0_4b08f1847d1356be5a729869a2a73d6fcc98350513d05a505c430d888ad1f9f.exe
Size: 401.3 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 57bae561bffdc4efa59f2fcdca208240
SHA1: 8d2c6161cc7bb701d20613512b2dfffb235b6c7b
SHA256: c3f145f1028735c0dec7ec5e2c7e9336e71bc352218b77e79954aefa215b0e2e
SHA512: f72676d0d817e87ae8bd1fa55e5cf05390de286dea03b191bda0dab31f5497552603c0e18098b7099c324080958fd46ed110ca968b45bca5a461d69e5d71ddcb
Ssdeep: 3072:fw5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:f/WYRJvnCPWQmJEBoQ

c556a9d75aacb550_4b08f1847d1356be5a729869a2a7d67fcc98350513d05a505c430d888ad1f9f.exe

Name: c556a9d75aacb550_4b08f1847d1356be5a729869a2a7d67fcc98350513d05a505c430d888ad1f9f.exe
Size: 402.3 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 98941febc62ac9e498809358b193624c
SHA1: 5ae329d4a768f47cd0b51ab343153e50d914ffee
SHA256: c556a9d75aacb550bd1f24b5dcb55806a1360f00293261af73c09c04da4393bb
SHA512: 774c1e273d497abde222fdfbe22172dad593693ba90053d3abe02a7145dce8cb8fa78eba99b640f293f8c61c6fdaa3add4acb3146aac72bc35c6e73aab1f9840
Ssdeep: 3072:ww5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:w/WYRJvnCPWQmJEBoQ

c6c5a264ba347634_4b08f1847d1356be5a729869a2a7367fcc98350513d05a505c430d888ad1f9f.exe

Name: c6c5a264ba347634_4b08f1847d1356be5a729869a2a7367fcc98350513d05a505c430d888ad1f9f.exe
Size: 406.0 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 37f0ee4acf49a8edfce14ceb39582b07
SHA1: 6e2c1c49960432f5a53664cac5d81210b3b4b6df
SHA256: c6c5a264ba3476341af63f3e7c9fa080966dd7a5a2c534e70241729dfe9f0375
SHA512: ee73722a3d0849ddc67d12acf404664b9a7bc70e58b0463878fe3661e250677c2101a869e23e94bd9a2467c5841daebad685cc6ed71c1560965513e2bff9ee87
Ssdeep: 3072:3w5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:3/WYRJvnCPWQmJEBoQ

dd1f1d969dfd7ded_4b8f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe

Name: dd1f1d969dfd7ded_4b8f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
Size: 406.3 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: f482e530a23b2a08fdadb9d5d9a85637
SHA1: 279c08cd25768035516b39d562e26a5bcc9187a0
SHA256: dd1f1d969dfd7ded356b6fd64f4683fadd5f395a88166d6f4f6cdd78c25f571a
SHA512: 87c945dec3b3439946e60e8e6fdd005ca8db70b498f03bbf5aed54ac6873d95cbfb2921c95175ecd61dff83f91fb672f15f04add1fabe194f83a0a891c130257
Ssdeep: 3072:3w5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:3/WYRJvnCPWQmJEBoQ

f1fffcede9c16144_VMJHSiBU.dll

Name: f1fffcede9c16144_VMJHSiBU.dll
Size: 5.7 kB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 0cd09396aa51523483c26d4fb261a90d
SHA1: dcda1c01bd85755230082c6d635d6062c13ab6db
SHA256: f1fffcede9c16144cdc1d626411270ebc35116e5747bd3b2d2dedda67b61063e
SHA512: bc94dc8b5cc7951117fc70f38cb1629d450c8fbbe8ff5b149172213319108af33359638b568c7ad67ee9f6594792b2f9dd85a0295fec323fce87a34571858edf
Ssdeep: 48:aDn1qEqevmVglLXkPbIVwhMXrDhMveiJMwKMRuqSOB:IqevmVGgPkVwyDQeiJMwKsxr

f23f947442dcbe26_YCQugj.dll

Name: f23f947442dcbe26_YCQugj.dll
Size: 9.4 kB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 0a4b32ebd6f667ad89b77183378b5687
SHA1: 548f9e429a00ae9397f635322d2fe831cf626931
SHA256: f23f947442dcbe26fd19b51fcb9772f7553cd608178e09de7f86fb93078b920d
SHA512: 38eda60436739d565eda563b12f4dea21069938ac606f9ff7bf962debd9c97f841d39343594b84e1796f17888713d256e624dd6197ac68e04b60ac7afb0dcf44
Ssdeep: 48:aD9t1qEqevmVglLXkPbIVwhMXrDhMveiJMwKMRuqSOB:gqevmVGgPkVwyDQeiJMwKsxr

f2c3252ff85af01f_Cmgthnj6o8.sys

Name: f2c3252ff85af01f_Cmgthnj6o8.sys
Size: 577.5 kB
Type: PE32+ executable (native) x86-64, for MS Windows
MD5: 5f9d831ec24500ccac4629b627d3dc9e
SHA1: 412c0a001c498ed800503841ce2ef2d12a19a2cf
SHA256: f2c3252ff85af01fb62e99f6e2f5b5dbc81fa4e26f7f954d7d5994cc58f43720
SHA512: 507f9d6b9351e5e01da1d9d50f5e0e35439c5ef58f81ef070cbf5fac82c3390a81be78f2484df71790cc90a4cf028f7bf0c8a11a1c4549a3448af0414dba63af
Ssdeep: 12288:dbe7VbvOYGSO+AApYZ7gEQIAs2vMB4MMVSvcfJtKC4xRlRYq:cpFldS5QIsEB4MM8kB7Cqq

f85435d4bc10c244_408f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe

Name: f85435d4bc10c244_408f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
Size: 402.4 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 798bff5ec56504df9b0d390f686a03e0
SHA1: 46a1dc10215219eae0a87ac8efb9fd912ba4637c
SHA256: f85435d4bc10c24439f9ad3b619a404a7799612d3bdf42af99aa649253a49cc8
SHA512: d432472f83b36ec91f0672db0b1dc9dba972d394f0bcbab2b0fa03b451b3887911a3eec597f130fd7f69ccfc6704a554f9c33880cdaaff957271598ec9375914
Ssdeep: 3072:Hw5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:H/WYRJvnCPWQmJEBoQ

fe05779673f4176d_LMHkbQAO.dll

Name: fe05779673f4176d_LMHkbQAO.dll
Size: 8.6 kB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: d448ebaee1cda41513463af3e2a63181
SHA1: 43f29f7eedab7c5afcaa3b025fdb35e10d4051fd
SHA256: fe05779673f4176d5b6d408d5dbb40bfb54b12920eda471c725dcec650eb1894
SHA512: 8f85449b9012b08d9a90ecfd4b43fb933d8f7c7ce748b14f1fdb83adcab159b38a7f71cfc983b7a34ecd5fcad0dafd2e6be5f5342a702de3bcad7e492e673863
Ssdeep: 48:aDj1qEqevmVglLXkPbIVwhMXrDhMveiJMwKMRuqSOB:0qevmVGgPkVwyDQeiJMwKsxr

Network

DNS Requests

Domain	IP Address	Destination Location
bk.957wan.com	119.97.143.25	CN
ip.catr.cn	36.110.182.56	CN
www.ip138.com	157.185.144.122	US
gc.wb51.com		Not Available
cfg.jipinwan.com	119.97.143.25	CN
cmps.58sky.com	119.97.143.59	CN
wdx.go890.com	119.97.174.198	CN
www.go890.com	119.97.174.198	CN
cmps.58sky.com	119.97.143.19	CN
cfg.jipinwan.com	119.97.143.18	CN
dld.jxwan.com	157.185.144.122	US
cmps.58sky.com		Not Available

HTTP Requests

http://cfg.jipinwan.com/index/getcfg?id=42592

GET /index/getcfg?id=42592 HTTP/1.1
Host: cfg.jipinwan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://ip.catr.cn/

GET / HTTP/1.1
Host: ip.catr.cn
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://gc.wb51.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: gc.wb51.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://cfg.jipinwan.com/index/getcfg?id=41200

GET /index/getcfg?id=41200 HTTP/1.1
Host: cfg.jipinwan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://www.ip138.com/

GET / HTTP/1.1
Host: www.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://cfg.jipinwan.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: cfg.jipinwan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://gc.wb51.com/index/getcfg?id=42592

GET /index/getcfg?id=42592 HTTP/1.1
Host: gc.wb51.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://cmps.58sky.com/index/getcfg?id=41200

GET /index/getcfg?id=41200 HTTP/1.1
Host: cmps.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://bk.957wan.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: bk.957wan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://gc.wb51.com/index/getcfg?id=41200

GET /index/getcfg?id=41200 HTTP/1.1
Host: gc.wb51.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://cmps.58sky.com/index/getcfg?id=42592

GET /index/getcfg?id=42592 HTTP/1.1
Host: cmps.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://www.go890.com/d2/CDClient.dll

GET /d2/CDClient.dll HTTP/1.1
Host: www.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://wdx.go890.com/d2/CDClient.dll

GET /d2/CDClient.dll HTTP/1.1
Host: wdx.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://bk.957wan.com/index/getcfg?id=42592

GET /index/getcfg?id=42592 HTTP/1.1
Host: bk.957wan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://cmps.58sky.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: cmps.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://bk.957wan.com/index/getcfg?id=41200

GET /index/getcfg?id=41200 HTTP/1.1
Host: bk.957wan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://bk.957wan.com/index/getcfg?id=48028

GET /index/getcfg?id=48028 HTTP/1.1
Host: bk.957wan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://dld.jxwan.com/d2/CDClient.dll

GET /d2/CDClient.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://bk.957wan.com/index/getcfg?id=48096

GET /index/getcfg?id=48096 HTTP/1.1
Host: bk.957wan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://www.ip138.com/

GET / HTTP/1.1
Host: www.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://cfg.jipinwan.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: cfg.jipinwan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://ip.catr.cn/

GET / HTTP/1.1
Host: ip.catr.cn
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://cfg.jipinwan.com/index/getcfg?id=48096

GET /index/getcfg?id=48096 HTTP/1.1
Host: cfg.jipinwan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://gc.wb51.com/index/getcfg?id=48028

GET /index/getcfg?id=48028 HTTP/1.1
Host: gc.wb51.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://cfg.jipinwan.com/index/getcfg?id=48028

GET /index/getcfg?id=48028 HTTP/1.1
Host: cfg.jipinwan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://cmps.58sky.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: cmps.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://gc.wb51.com/index/getcfg?id=48096

GET /index/getcfg?id=48096 HTTP/1.1
Host: gc.wb51.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://ip.catr.cn/

GET / HTTP/1.1
Host: ip.catr.cn
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://gc.wb51.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: gc.wb51.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://www.ip138.com/

GET / HTTP/1.1
Host: www.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

http://cfg.jipinwan.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: cfg.jipinwan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://bk.957wan.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: bk.957wan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://www.go890.com/d2/CDClient.dll

GET /d2/CDClient.dll HTTP/1.1
Host: www.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://wdx.go890.com/d2/CDClient.dll

GET /d2/CDClient.dll HTTP/1.1
Host: wdx.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)

http://cmps.58sky.com/index/getcfg?id=43578

GET /index/getcfg?id=43578 HTTP/1.1
Host: cmps.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Hosts Involved

IP Address	Country of Origin
163.171.134.109	SE
119.97.174.198	CN
119.97.143.18	CN
36.110.182.56	CN
119.97.143.25	CN
119.97.143.56	CN
163.171.132.119	DE
119.97.143.19	CN
163.171.128.148	DE
157.185.172.22	US

Geolocation

Destination Country

CN:: 72%
US:: 11%
DE:: 11%
SE:: 6%

File

Type

PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed

CRC32

C70CD94D

MD5

e0921a77b4b7a14f665908d9facf696a

SHA1

aeef32caf8273795c81f94dd7b9444c10d5e6fe4

SHA256

4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f

SHA512

a39311221c4f5972649516e6629181f317248038d8414d2a35cd2e3b517ac45759068f87b9d6b7ceff006b5b9b413e34c0b1c269d29e3c724b60dbfc4f963c76

Ssdeep

3072:5w5rSWAkQfza8JvIoPvSIe6oy/uPy3mm0RiEBoQ:5/WYRJvnCPWQmJEBoQ

PEiD

PECompact 2.xx --> BitSum Technologies

Screenshots

Behavior Summary

File-Read

C:\Program Files (x86)\NPtMBCTw\4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f.exe
C:\Program Files (x86)\PUONprK\4b08f1847d1356be5a729869a2a73d67fc98350513d05a505c430d888ad1f9f.exe
C:\Program Files (x86)\jTTBVKU\4b08f1847d1356be5a729869a2a7d67fcc98350513d05a505c430d888ad1f9f.exe
C:\ProgramData\sLKuLHqo\4b08f1847d1356be5729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Users\Virtual\AppData\Local\Temp\4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Users\Virtual\AppData\Local\Temp\lGvcpu\408f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Users\Virtual\AppData\Local\bPCpUN\4b08f1847d1356be5a729869a2a3d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Windows\SysWOW64\LmDjWvQ\4b081847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Windows\SysWOW64\tVjUuoyE\4b08f1847d1356be5a729869a2a73d6fcc98350513d05a505c430d888ad1f9f.exe
C:\Windows\SysWOW64\twXTum\4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f.exe
C:\Windows\System32\drivers\etc\hosts
C:\Windows\aOlsoUBA\4b08f1847d356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Windows\gUePIRbl\4b08f1847d1356be5a729869a2a7367fcc98350513d05a505c430d888ad1f9f.exe

File-Written

C:\BpArLwj.txt
C:\GDFcPID.txt
C:\GxARNG.txt
C:\JEUXjw.txt
C:\Program Files (x86)\NPtMBCTw\4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f.exe
C:\QSKDMcl.txt
C:\RJmIaCKT.txt
C:\Windows\CMygHGeP.dll
C:\Windows\FHiOKQd.dll
C:\Windows\GVysND.dll
C:\Windows\MAGLXgNR.dll
C:\Windows\SysWOW64\twXTum\4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f.exe
C:\Windows\VuBvJn.dll
C:\Windows\YPsDJEpg.dll
C:\Windows\bgFQKgXB.dll
C:\Windows\dSDeiF\HxCCaAnH.dll
C:\Windows\hLndEv.dll
C:\Windows\jKRDDt\IhsgPgWH.dll
C:\Windows\lXbufWnb.dll
C:\Windows\qUpbeWk.dll
C:\Windows\qWIssmt.dll
C:\Windows\vgvaxNcn.dll
C:\nogqAkh.txt
C:\skVbOg.txt
C:\soGxYU.txt

File-Deleted

C:\Windows\CMygHGeP.dll
C:\Windows\FHiOKQd.dll
C:\Windows\GVysND.dll
C:\Windows\MAGLXgNR.dll
C:\Windows\VuBvJn.dll
C:\Windows\YPsDJEpg.dll
C:\Windows\bgFQKgXB.dll
C:\Windows\dSDeiF\HxCCaAnH.dll
C:\Windows\hLndEv.dll
C:\Windows\jKRDDt\IhsgPgWH.dll
C:\Windows\lXbufWnb.dll
C:\Windows\qUpbeWk.dll
C:\Windows\qWIssmt.dll
C:\Windows\vgvaxNcn.dll

File-Opened

C:\
C:\Program Files (x86)\NPtMBCTw\4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f.exe
C:\Program Files (x86)\PUONprK\4b08f1847d1356be5a729869a2a73d67fc98350513d05a505c430d888ad1f9f.exe
C:\Program Files (x86)\jTTBVKU\4b08f1847d1356be5a729869a2a7d67fcc98350513d05a505c430d888ad1f9f.exe
C:\ProgramData\sLKuLHqo\4b08f1847d1356be5729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Users\Virtual\AppData\Local\Temp\4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Users\Virtual\AppData\Local\Temp\lGvcpu\408f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Users\Virtual\AppData\Local\bPCpUN\4b08f1847d1356be5a729869a2a3d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Windows\SysWOW64\LmDjWvQ\4b081847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\SysWOW64\tVjUuoyE\4b08f1847d1356be5a729869a2a73d6fcc98350513d05a505c430d888ad1f9f.exe
C:\Windows\SysWOW64\twXTum\4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f.exe
C:\Windows\System32\drivers\etc\hosts
C:\Windows\aOlsoUBA\4b08f1847d356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
C:\Windows\gUePIRbl\4b08f1847d1356be5a729869a2a7367fcc98350513d05a505c430d888ad1f9f.exe

File-Copied

C:\Program Files (x86)\NPtMBCTw\4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f.exe -> C:\Windows\SysWOW64\twXTum\4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f.exe
C:\Users\Virtual\AppData\Local\Temp\4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe -> C:\Program Files (x86)\NPtMBCTw\4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f.exe

Network-Connects IP

10.152.152.101
119.97.143.18
119.97.143.25
119.97.143.56
119.97.174.198
163.171.134.109
36.110.182.56

Directory-Created

C:\Program Files (x86)\NPtMBCTw\
C:\Windows\GUgTNGH\
C:\Windows\HGcMEitR\
C:\Windows\LaLCWemV\
C:\Windows\PFeIKOoQ\
C:\Windows\SysWOW64\twXTum\
C:\Windows\UjdIHew\
C:\Windows\Yjtndg\
C:\Windows\cIeLps\
C:\Windows\dSDeiF\
C:\Windows\jKRDDt\
C:\Windows\jwQAKcTf\
C:\Windows\ouPFgVmu\
C:\Windows\teraLJGS\

Directory-Enumerated

C:\Windows\CMygHGeP.dll
C:\Windows\FHiOKQd.dll
C:\Windows\GVysND.dll
C:\Windows\MAGLXgNR.dll
C:\Windows\SysWOW64\RsClient.exe
C:\Windows\SysWOW64\UDO.exe
C:\Windows\SysWOW64\drivers\EYPCHelper.sys
C:\Windows\SysWOW64\drivers\hxdnetmon.sys
C:\Windows\SysWOW64\drivers\imfilter.sys
C:\Windows\SysWOW64\rwyNCMc.exe
C:\Windows\System32\drivers\etc\hosts
C:\Windows\VuBvJn.dll
C:\Windows\YPsDJEpg.dll
C:\Windows\bgFQKgXB.dll
C:\Windows\hLndEv.dll
C:\Windows\lXbufWnb.dll
C:\Windows\qUpbeWk.dll
C:\Windows\qWIssmt.dll
C:\Windows\vgvaxNcn.dll

Registry Key-Opened

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956483-9236-11e5-a874-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956484-9236-11e5-a874-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Pre Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ebpro
HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards
HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards\8
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

Registry Key-Read

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956483-9236-11e5-a874-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956483-9236-11e5-a874-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956484-9236-11e5-a874-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956484-9236-11e5-a874-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\8\ServiceName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\*
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\408f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b081847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b08f1847d1356be5729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b08f1847d1356be5a729869a2a3d67fcc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b08f1847d1356be5a729869a2a7367fcc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b08f1847d1356be5a729869a2a73d67fc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b08f1847d1356be5a729869a2a73d6fcc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b08f1847d1356be5a729869a2a7d67fcc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\4b08f1847d356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname

Mutex-Accessed

Global\10F169CA7C2A168C0B20

Processes

Process Name

PID

Parent PID

4b08f1847d1356be5a729869a2a73d6fcc98350513d05a505c430d888ad1f9f.exe 2092 1268

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529207.71		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d1356be5a729869a2a73d6fcc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "4b08f1847d1356be5a729869a2a73d6fcc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529207.71		NtAllocateVirtualMemory	process_identifier: 2092 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x01c60000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529207.71		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529207.71	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529207.71		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529207.71	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529207.71	2	NtAllocateVirtualMemory	process_identifier: 2092 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x01c70000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529207.71		NtFreeVirtualMemory	free_type: 32768 base_address: "0x01cd0000" process_identifier: 2092 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529207.71		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529207.71	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 666 entries

Previous1 2 3 4 5…67Next

4b08f1847d1356be5a729869a2a7367fcc98350513d05a505c430d888ad1f9f.exe 2208 2128

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529208.21		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d1356be5a729869a2a7367fcc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "4b08f1847d1356be5a729869a2a7367fcc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529208.21		NtAllocateVirtualMemory	process_identifier: 2208 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x00340000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529208.21		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529208.21	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529208.21		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529208.21	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529208.21	2	NtAllocateVirtualMemory	process_identifier: 2208 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00350000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529208.21		NtFreeVirtualMemory	free_type: 32768 base_address: "0x003d0000" process_identifier: 2208 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529208.21		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529208.21	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 915 entries

Previous1 2 3 4 5…92Next

4b08f1847d1356be5a729869a2a3d67fcc98350513d05a505c430d888ad1f9f.exe 2136 2064

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529278.98		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d1356be5a729869a2a3d67fcc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "4b08f1847d1356be5a729869a2a3d67fcc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529278.98		NtAllocateVirtualMemory	process_identifier: 2136 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x00340000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529278.98		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529278.98	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529278.98		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529278.98	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529278.98	2	NtAllocateVirtualMemory	process_identifier: 2136 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00470000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529278.98		NtFreeVirtualMemory	free_type: 32768 base_address: "0x003d0000" process_identifier: 2136 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529278.98		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529278.98	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 771 entries

Previous1 2 3 4 5…78Next

4b08f1847d356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe 1784 776

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529281.98		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "4b08f1847d356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529281.98		NtAllocateVirtualMemory	process_identifier: 1784 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x003d0000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529281.98		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529281.98	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529281.98		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529281.98	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529281.98	2	NtAllocateVirtualMemory	process_identifier: 1784 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00470000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529282.0		NtFreeVirtualMemory	free_type: 32768 base_address: "0x003e0000" process_identifier: 1784 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529282.0		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529282.0	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 670 entries

Previous1 2 3 4 5…67Next

4b08f1847d1356be5a729869a2a73d67fc98350513d05a505c430d888ad1f9f.exe 1696 1956

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529288.67		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d1356be5a729869a2a73d67fc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "4b08f1847d1356be5a729869a2a73d67fc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529288.67		NtAllocateVirtualMemory	process_identifier: 1696 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x003d0000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529288.67		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529288.67	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529288.67		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529288.67	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529288.67	2	NtAllocateVirtualMemory	process_identifier: 1696 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00470000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529288.67		NtFreeVirtualMemory	free_type: 32768 base_address: "0x003e0000" process_identifier: 1696 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529288.67		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529288.67	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 672 entries

Previous1 2 3 4 5…68Next

4b081847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe 2800 2648

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529289.44		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b081847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "4b081847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529289.44		NtAllocateVirtualMemory	process_identifier: 2800 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x003c0000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529289.44		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529289.44	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529289.44		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529289.44	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529289.44	2	NtAllocateVirtualMemory	process_identifier: 2800 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00470000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529289.44		NtFreeVirtualMemory	free_type: 32768 base_address: "0x003d0000" process_identifier: 2800 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529289.44		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529289.44	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 668 entries

Previous1 2 3 4 5…67Next

4b08f1847d1356be5a729869a2a7d67fcc98350513d05a505c430d888ad1f9f.exe 1488 1880

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529290.12		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d1356be5a729869a2a7d67fcc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "4b08f1847d1356be5a729869a2a7d67fcc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529290.12		NtAllocateVirtualMemory	process_identifier: 1488 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x003c0000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529290.12		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529290.12	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529290.12		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529290.12	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529290.12	2	NtAllocateVirtualMemory	process_identifier: 1488 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00470000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529290.12		NtFreeVirtualMemory	free_type: 32768 base_address: "0x003d0000" process_identifier: 1488 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529290.12		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529290.12	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 672 entries

Previous1 2 3 4 5…68Next

4b08f1847d1356be5729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe 2104 2504

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529290.76		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d1356be5729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "4b08f1847d1356be5729869a2a73d67fcc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529290.76		NtAllocateVirtualMemory	process_identifier: 2104 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x00750000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529290.76		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529290.76	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529290.76		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529290.76	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529290.76	2	NtAllocateVirtualMemory	process_identifier: 2104 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00760000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529290.76		NtFreeVirtualMemory	free_type: 32768 base_address: "0x007c0000" process_identifier: 2104 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529290.76		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529290.76	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 671 entries

Previous1 2 3 4 5…68Next

4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe 1172 772

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529291.03		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529291.03		NtAllocateVirtualMemory	process_identifier: 1172 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x002e0000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529291.03		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529291.03	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529291.03		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529291.03	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529291.03	2	NtAllocateVirtualMemory	process_identifier: 1172 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00580000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529291.04		NtFreeVirtualMemory	free_type: 32768 base_address: "0x002f0000" process_identifier: 1172 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529291.04		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529291.04	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 742 entries

Previous1 2 3 4 5…75Next

4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f.exe 240 1172

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529291.32		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f.exe", "offset": 4118, "symbol": "4b08f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888a1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529291.32		NtAllocateVirtualMemory	process_identifier: 240 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x003c0000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529291.32		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529291.32	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529291.32		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529291.32	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529291.32	2	NtAllocateVirtualMemory	process_identifier: 240 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00470000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529291.34		NtFreeVirtualMemory	free_type: 32768 base_address: "0x003d0000" process_identifier: 240 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529291.34		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529291.34	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 240 entries

Previous1 2 3 4 5…24Next

4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f.exe 1064 240

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529291.64		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f.exe", "offset": 4118, "symbol": "4b08f1847d1356be5a729869a2a73d67cc98350513d05a505c430d888a1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529291.64		NtAllocateVirtualMemory	process_identifier: 1064 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x00340000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529291.64		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529291.64	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529291.64		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529291.64	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529291.64	2	NtAllocateVirtualMemory	process_identifier: 1064 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00380000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529291.65		NtFreeVirtualMemory	free_type: 32768 base_address: "0x00350000" process_identifier: 1064 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529291.65		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529291.65	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 670 entries

Previous1 2 3 4 5…67Next

408f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe 520 1148

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1587529346.35		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 e6 fe 63", "module": "408f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f.exe", "offset": 4118, "symbol": "408f1847d1356be5a729869a2a73d67fcc98350513d05a505c430d888ad1f9f+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1587529346.35		NtAllocateVirtualMemory	process_identifier: 520 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x003d0000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529346.35		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1587529346.35	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1587529346.35		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1587529346.35	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1587529346.35	2	NtAllocateVirtualMemory	process_identifier: 520 region_size: 339968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00470000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1587529346.35		NtFreeVirtualMemory	free_type: 32768 base_address: "0x003e0000" process_identifier: 520 process_handle: "0xffffffff" size: 81920	Status SUCCESS
1587529346.35		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1587529346.35	38	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 463 entries

Previous1 2 3 4 5…47Next