SecondWrite DeepView - 0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e

Malicious

This predictive confidence of maliciousness for this sample is 98%.

0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e

528.4 kB

Size

2020-07-12 00:23:01

First seen 16 days ago

Windows PE32 Executable

Classification

Full Detail

Ransomware

Low

Trojan

Low

Virus

Low

Banker

Low

Bot

Low

Rat

Medium

Adware

Low

Infostealer

Low

Worm

Low

Spyware

Low

Indicators

Expand All

DeepView™ Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Anti-Analysis

Attempts to repeatedly call a single API many times in order to delay analysis time

Anti-Av

Attempts to identify installed AV products by registry key

Anti-Vm

Queries for the computername

PID	API	Arguments
2312	GetComputerNameW	computer_name: VIRTUAL-PC
2312	GetComputerNameW	computer_name: VIRTUAL-PC

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available

PID	API	Arguments
1512	GlobalMemoryStatusEx	N/A

Detects VMWare through the in instruction feature

PID	API	Arguments
2496	__exception__	stacktrace: [u'0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e+0x3f07 @ 0x403f07', u'0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e+0x1b25 @ 0x401b25', u'BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x7dd733ca', u'RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2', u'RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5'] exception: {u'instruction_r': u'ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb', u'symbol': u'0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e+0x3449', u'instruction': u'in eax, dx', u'module': u'0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe', u'exception_code': u'0xc0000096', u'offset': 13385, u'address': u'0x403449'} registers: {u'esp': 1637624, u'edi': 0, u'eax': 1447909480, u'ebp': 1637684, u'edx': 22104, u'ebx': 1, u'esi': 5542000, u'ecx': 10}
2496	__exception__	stacktrace: [u'0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e+0x3f10 @ 0x403f10', u'0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e+0x1b25 @ 0x401b25', u'BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x7dd733ca', u'RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2', u'RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5'] exception: {u'instruction_r': u'ed 89 45 e4 5a 59 5b 58 83 4d fc ff eb 11 33 c0', u'symbol': u'0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e+0x34e2', u'instruction': u'in eax, dx', u'module': u'0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe', u'exception_code': u'0xc0000096', u'offset': 13538, u'address': u'0x4034e2'} registers: {u'esp': 1637628, u'edi': 0, u'eax': 1447909480, u'ebp': 1637684, u'edx': 22104, u'ebx': 1, u'esi': 5542000, u'ecx': 20}

Generic

This executable is signed

Creates executable files on the filesystem

Reads data out of its own binary image

Injection

Executed a process and injected code into it, probably while unpacking

PID	API	Arguments
2356	CreateProcessInternalW	thread_identifier: 2548 thread_handle: 0x00000140 process_identifier: 2544 current_directory: filepath: track: 1 command_line: C:\Users\Virtual\AppData\Local\Temp\0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe /C filepath_r: stack_pivoted: 0 creation_flags: 134217728 inherit_handles: 0 process_handle: 0x00000144
2356	CreateProcessInternalW	thread_identifier: 3024 thread_handle: 0x00000248 process_identifier: 3020 current_directory: C:\Users\Virtual\AppData\Local\Temp filepath: C:\Windows\System32\cscript.exe track: 1 command_line: "C:\Windows\System32\cscript.exe" "C:\Users\Virtual\nmaunfyqjxpnqtoz.vbs" filepath_r: C:\Windows\System32\cscript.exe stack_pivoted: 0 creation_flags: 67634192 inherit_handles: 0 process_handle: 0x00000264
2356	CreateProcessInternalW	thread_identifier: 2216 thread_handle: 0x00000298 process_identifier: 2220 current_directory: C:\Users\Virtual\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Virtual\AppData\Local\Temp\0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 inherit_handles: 0 process_handle: 0x000002a8
2220	CreateProcessInternalW	thread_identifier: 2364 thread_handle: 0x00000080 process_identifier: 2368 current_directory: C:\Users\Virtual\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping.exe -n 6 127.0.0.1 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 inherit_handles: 1 process_handle: 0x00000084
2264	CreateProcessInternalW	thread_identifier: 1536 thread_handle: 0x00000144 process_identifier: 1064 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\explorer.exe filepath_r: stack_pivoted: 0 creation_flags: 4 inherit_handles: 0 process_handle: 0x00000148
2264	NtMapViewOfSection	section_handle: 0x00000150 process_identifier: 1064 commit_size: 0 win32_protect: 64 buffer: base_address: 0x00130000 allocation_type: 0 section_offset: 0 view_size: 241664 process_handle: 0x00000148
2264	NtGetContextThread	thread_handle: 0x00000144
2264	NtResumeThread	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 1064
2368	NtResumeThread	thread_handle: 0x000000d4 suspend_count: 1 process_identifier: 2368
1064	CreateProcessInternalW	thread_identifier: 1032 thread_handle: 0x000001fc process_identifier: 1036 current_directory: filepath: track: 1 command_line: "C:\Users\Virtual\AppData\Local\Temp\0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe" /W filepath_r: stack_pivoted: 0 creation_flags: 134217728 inherit_handles: 0 process_handle: 0x00000200

Origin

Unconventionial language used in binary resources

Packer

The executable has PE anomalies (could be a false positive)

Allocates read-write-execute memory (usually to unpack itself)

PID	API	Arguments
2312	NtAllocateVirtualMemory	process_identifier: 2312 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x002c0000 allocation_type: 12288 process_handle: 0xffffffff
2312	NtAllocateVirtualMemory	process_identifier: 2312 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00760000 allocation_type: 12288 process_handle: 0xffffffff

Creates a suspicious process

The binary likely contains encrypted or compressed data.

Persistence

Installs itself for autorun at Windows startup

Rat

Creates known SpyNet files, registry changes and/or mutexes.

Static

This sample contains high entropy sections

Anomalous binary characteristics

Strings possibly contain hardcoded URLs

Stealth

A process created a hidden window

Wmi

Executes one or more WMI queries

Yara

Yara Pattern Name	Description
IsPE32	No Description Available
HasOverlay	Overlay Check
HasDigitalSignature	DigitalSignature Check
anti_dbg	Checks if being debugged
win_registry	Affect system registries
win_files_operation	Affect private profile

Static Analysis

Version Infos

LegalCopyright:: Copyright(C) Gretech Corp. All rights reserved. Since 2003
InternalName:: GrLaunch.exe
FileVersion:: 2.1.0.7
CompanyName:: Gretech Corporation
ProductName:: GrLauncher
ProductVersion:: 2.1.0.7
FileDescription:: GrLauncher
OriginalFilename:: GrLaunch.exe
Translation:: 0x0412 0x04b0

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x000403a4	0x00040400	7.45092704364
.data	0x00042000	0x000016e8	0x00001800	5.23751741637
ggga32	0x00044000	0x000003f2	0x00000400	6.2580220042
a322	0x00045000	0x0002e6bb	0x0002e800	6.21898207466
.rsrc	0x00074000	0x0000ff18	0x00010000	5.29262649608

Resources

Name	Offset	Size	Language	Sub-language	File type
BINARY	0x00077580	0x000014e4	LANG_KOREAN	SUBLANG_KOREAN	None
BINARY	0x00077580	0x000014e4	LANG_KOREAN	SUBLANG_KOREAN	None
BINARY	0x00077580	0x000014e4	LANG_KOREAN	SUBLANG_KOREAN	None
BINARY	0x00077580	0x000014e4	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_ICON	0x000834dc	0x00000468	LANG_KOREAN	SUBLANG_KOREAN	None
RT_DIALOG	0x00083944	0x000000b0	LANG_KOREAN	SUBLANG_KOREAN	None
RT_RCDATA	0x000839f4	0x0000014e	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_GROUP_ICON	0x00083ba0	0x0000005a	LANG_KOREAN	SUBLANG_KOREAN	None
RT_GROUP_ICON	0x00083ba0	0x0000005a	LANG_KOREAN	SUBLANG_KOREAN	None
RT_VERSION	0x00083bfc	0x0000031c	LANG_KOREAN	SUBLANG_KOREAN	None

Imports

Library KERNEL32.dll:

CloseHandle
CreateDirectoryW
CreateEventW
CreateFileA
CreateFileW
CreateSemaphoreW
CreateThread
DecodePointer
DeleteCriticalSection
DeleteFileW
EncodePointer
EnterCriticalSection
ExitProcess
ExitThread
FindResourceExW
FindResourceW
FlushFileBuffers
FreeLibrary
GetACP
GetCommandLineW
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetFileAttributesW
GetFileSizeEx
GetLastError
GetLocaleInfoA
GetLocalTime
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTimeAsFileTime
GetTempFileNameW
GetTickCount
GetVersionExW
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedCompareExchange
InterlockedExchange
IsDebuggerPresent
IsValidCodePage
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockResource
lstrcmpA
lstrcmpiA
lstrcpynW
lstrlenA
MultiByteToWideChar
OutputDebugStringW
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadFile
ReleaseMutex
ReleaseSemaphore
ResetEvent
RtlUnwind
SetErrorMode
SetEvent
SetFilePointerEx
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SizeofResource
Sleep
SystemTimeToFileTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualAllocEx
VirtualFree
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile

Library USER32.dll:

CharLowerW
CloseClipboard
CloseWindow
GetCapture
GetClipboardOwner
GetClipboardViewer
GetDlgCtrlID
GetForegroundWindow
GetMenuContextHelpId
GetMenuItemCount
GetMessagePos
GetMessageTime
GetOpenClipboardWindow
IsCharUpperA
IsCharUpperW
IsGUIThread
LoadCursorFromFileA
LoadIconW
ShowCaret

Library GDI32.dll:

AbortPath
CancelDC
CloseFigure
CloseMetaFile
CreateCompatibleDC
CreateHalftonePalette
CreateMetaFileA
CreateMetaFileW
CreatePatternBrush
CreateSolidBrush
DeleteColorSpace
DeleteDC
DeleteEnhMetaFile
DeleteMetaFile
DeleteObject
EndDoc
EndPage
EndPath
FillPath
FlattenPath
GetBkMode
GetColorSpace
GetEnhMetaFileW
GetFontLanguageInfo
GetPixelFormat
GetStockObject
GetTextAlign
RealizePalette
StrokePath
SwapBuffers

Library ADVAPI32.dll:

RegOpenKeyW
RegQueryValueExA

Strings

!This program cannot be run in DOS mode.
`.data
ggga32
@t)Nu
nqh=I`
lLGH_M
Aa:5$/
ct"Y1D
!tVW"`
AqJM;a
sQQPmVW(
YlOt"T
,UW[7X
.UjvOu
*\_^:r
Ru8jf+EY 4
0lTtAj
l]t]zh
E)/@Thh
v|Y3!G
tK2Z9}u
Y*X_^:
l)ZYj]
@q5Poe
RvtPSh
PvsHja*
QW2xjD
tQ"D$9
OKL~w'
}u?0j1?
Ni_D$U-L
IVWBZ9==
^YYTcU
vx\[*e
.o\]"q
`gW3vg
t$U"E$Us
L$%}z$
in>Axi
n $8o^
V_YY.)
RNhqS>
A1$=l/
reNW_M
\TPVQ]Q<
U+EI+M
+B$y&Z$yZr$
D}sPSv
@aQr$=Q
Y$%Qr$
[YYb\u
Mjv5eK
8G[K(E(w
\IZ6PvmC^
M2mH}
$l@mJ+H
u6=ggs
u6=Zna
q5CeuT
NfFT'k
jgjnz[
NLFT'b
N>M\Lr
N@M\Lw
NER]'N
rDRl^S.
Aoh>ht
?iik3Dx
b=BrL?qe8>rt@>bea
Id33~al
=dTf`og?f
QH^4qF
QemYmD
gdtmIsiBIOe>5rtcEMrVNdr
RiQUA]MI
.se]>me^
_WdeE._rPWx
UaHYCocxhnN1dOC/dc
%B`d%,_r
nGqMFHtl<L`nM0dAq
"0ns<L`nM0d
VQo$Wit
nHqEGIhrFAle
,`bEH@
:`p/Qde
i9`prPda}9
VicVta5eilFC
Ee]dhlLshzL
ESqrRAmi
Te3BhnPUdP
Rlam'nn>
@QdM,Tdxq
.CqEI'qCFDdP
chl|ihm
Lnd|+dF
nDqShRqeDHkf
bDqEGUhrF-le
rTda}ALu}AuA
=Aom8(`tLZer<Ea
ArLEqe]&oe@*
@`l]&le
E,ba5coeL
EPqrRUxWq
CrswCle`
SS\n22
R8`r-mdr_+be28ol-+rp@8bhLN@
E`n})dr
e*nk\S@cR*tn=nhdN
'oy8)co*(xWq
fRdnQPnc
SrT6+dn
^AqSH&RuS]ttY/oi
Roi}6Aer@oiq5nr
bBqSL@trH5xDLPbrXQqo
`DSAAG22w$il
D#lca7
keDQdta
R8rt|,Qid$Qoo(ie](le
.$qSHRqeDShm<
h>-!cJ
x[aZgV/
Wb*pMd5
cXOq[a
$pc.o7
Zo*}e*
]X4qXQ
UoZq:]
a9RKLz\&
h<2f[n
f*k\9s
A]rAY9]
p'O+cv
H|b+"P
nL[^xk
w+J>jE"
M=%L#7
$h]]b2
UK%Vjg
=d1xT-
2gv_UI'A
C3byhC4HqN
sI^t&1
#QuB~7}f
XjW"yOR*
P7U`pZ
&#V+Ek
4!fGIbC
h*,dXW
q38}=I
-yw^.;
1|ULo;
.rH"3|v
Ia}*iw
'oRz:Qu
_g=v#5
as_#VP
sP@1A#
*S0;]@
=DE:[T
14Qiba<
} '0Gne
8I; Zc
0?8tl 5x
\d|n$z
Wx<g5{
@Hg7z>
%%B(8=mQ
Ctm!#MEg&
"(}/RB
`92KO,
oHl['R
^YmL}cA
`cYD8x
edfwc(
3fHeh}FDOc
Kh/c]$
}Y"1/o
MUz_r'
f(FvVd
[z'>X-
8UhV@
{2M%t4
6pb&RH
s@*VmO
%:<8~nA'
l$)?Cz
NUlYC
s+g\LL
#/ }A-H
.fmVjJF
9DVs`c
kD.Q^!
Ki quwV
'+$ W;2W
%sbdR
`s5zWv
GM+ ~3
Gj?@2r
ZV[1Cys
u$ni'b
AMKri3
|Z1lLV
tn,FJ4
1Yjgwz
$-H1H,
X0"~oa
t@2CGC
bgJVD.
CmYF(j
Gf5AOF
h2om]j
tX1w0d
(Yij/.
WIgkn]
aXgs7$
m;]6V?
}cc~)(
]WyQUZ
>oLw+T
ZPx/.*
*oF*i%F
~@"=I0
m?zehR
:,}8!zk
SY[j:
(Ip,jva
fj!gOj
QDzu5;|
Iy,!)
a81RQp
GWo\JY
`})ku~#
'E654'
+>o?1F
M*gq?"
@nl^23
%j5J8
z+2+#)h
iV9=Fy}
73=/V-f
5+mjLK
T&<8K7
U9BfpD
/ArG4y
BZ1Tn{-6
[4B%4\
wV=Bw4
ANTNIqo
%g8&h4
Ar\?JE
OB!et_
@ysY]
cOGnpb#
J9T'rv
OEb<4B
Ivk[Ur
LUNd?W
z@3=^`
4Ff|^>
l8XOD.
M^r6*
x^I8qtlBj
.S&!cy7
q'c[Kv
H}n-6M
eK.=Wt
Set]R/
A&oo{4
>kF@5W
aq*(ju}
;?0=/Qa
OR -Gs*/n
=idJVuv
E&oTxR
$&MJl}
Yo^vykb
}2rKgV0
-`H?u~J
-'}kF4
+T`fr:H
q{x'a)
~"Ys-<
*\e*x(
~%UP0Sl
`_+fN
Y|>y9B
U9;209
I4$A28
=;k0S%d
NHdr7<
xy!V&O,
L9n$u?
=RM<R.
(jYu[c
(o*%F\
6j[*/G
ob!=LE8_
TAQ()K
Cj)@D(
j?Z7N9
vVn\^&
}KH1eD
G$4c:cG
$mwSx_
5V@0UC
Zkt2olJN7
T'hk[a
u'z_^Y
*X9XDO
S6\#cs
cVy#S)0
@*9Q9k
F#?cva8BgUf3
t` Thj
lU^]Q`W
/|j:z2
f%wXaB
B4z'{LL
!E f?[
e'_^,xh6
[UAiv&7
~<qGFU
'O-Cp
jqTN.?
:sm>l%
uWG;]4
0T|;Ozf
`c%eK(%$
_a^)[1s
Zc[~)^QZ
FQo-!@`
@kvC>R
7_ 1vA
%u}{c-1
ddy_,F
x_-GUv$;
D))<Wpf
\Q;SCl
],y,g
[mmY7t
GXO){9
^=9kss
*{[pe|<<
G#Fb-%
gf)WDkeO~
K5Poud
3~wKKT/
)jQ;WF
"3lN=_G
\&;aeb
SC{Ai'
8.SLG-
ARk6r!
~W<t9,
_'Jp>_
_ [w}`h&
7~"t"~
LPm:vOK
lppNQ#
Esrx0L.
}PJ:pi
rUn^OM
sp=+9X
(n_xNo
44,4Sz
[b7EDF
&jw] ]
n=J{lv
7KM#<T
e&s;a `
-T;0L
YczkrV
@|Cn:l
kjQujncah
PPLziBGt N
kyukVh IKU
fpyHaWg Wr
jXqbJVMDfF
cjXwxSdvnQ
FPSXhSPrVe
wZOOQMaPDU
NlaABodwca
eeNpptuLAG
fSvCHvvtGU
QvXNjRTVcg
vVTisYWsbR
LwqoWZCWl
BXFSVmyxaM
I UtlBTsyJ
xbXxcIuITH
IyawkHtI U
MartxxSJos
ckUkHjgxZE
OzZuQfoOVp
namLwOnOsH
utjaSCTsm
vRdWQCtKfW
RtJBHpB Jy
LMhgWYFTDw
iKPEnCXlJE
XBfgRUshCv
sEcCIsDFyr
VpyblnTFqu
BKQECIiPYD
66263623523
zFiRXyjCnu
zFiRXyjCnu
GetLastError
kernel32
GetVersionExW
GetCurrentThreadId
GetCurrentProcessId
GetProcAddress
GetModuleHandleW
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
CloseHandle
LocalFree
FindResourceExW
FindResourceW
LoadResource
LockResource
GetModuleFileNameA
GetStdHandle
HeapCreate
VirtualAlloc
VirtualFree
ExitProcess
FlushFileBuffers
TlsFree
SetFilePointerEx
LocalFileTimeToFileTime
SystemTimeToFileTime
lstrlenA
lstrcmpiA
TlsSetValue
TlsAlloc
TlsGetValue
lstrcmpA
CreateFileA
SetStdHandle
IsValidCodePage
GetOEMCP
GetACP
GetStringTypeW
GetCPInfo
LCMapStringW
LCMapStringA
RtlUnwind
CreateThread
ExitThread
GetStartupInfoW
GetSystemTimeAsFileTime
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InterlockedExchange
GetProcessHeap
HeapSize
HeapReAlloc
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
InitializeCriticalSectionAndSpinCount
GetStringTypeA
GetLocaleInfoA
SizeofResource
GetCommandLineW
HeapFree
HeapAlloc
CreateEventW
DeleteFileW
TerminateThread
ReleaseMutex
TerminateProcess
LoadLibraryA
OutputDebugStringW
SetEvent
HeapDestroy
ResetEvent
SetLastError
ReadFile
InterlockedCompareExchange
LocalAlloc
QueryPerformanceFrequency
EncodePointer
QueryPerformanceCounter
GetFileAttributesW
lstrcpynW
HeapSetInformation
GetTickCount
RaiseException
WaitForMultipleObjects
DecodePointer
GetTempFileNameW
GetCurrentProcess
CreateDirectoryW
WaitForSingleObject
LoadLibraryW
CreateFileW
GetLastError
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
ReleaseSemaphore
CreateSemaphoreW
DeleteCriticalSection
WriteFile
GetModuleFileNameW
GetFileSizeEx
GetLocalTime
SetErrorMode
GetModuleHandleA
VirtualAllocEx
KERNEL32.dll
LoadIconW
LoadCursorFromFileA
GetOpenClipboardWindow
CloseClipboard
GetMenuItemCount
GetMessagePos
IsGUIThread
GetForegroundWindow
ShowCaret
CloseWindow
GetClipboardViewer
GetCapture
GetClipboardOwner
IsCharUpperA
IsCharUpperW
GetMessageTime
GetDlgCtrlID
GetMenuContextHelpId
CharLowerW
USER32.dll
CreateSolidBrush
EndDoc
CreateMetaFileA
CloseMetaFile
FlattenPath
DeleteMetaFile
CloseFigure
DeleteColorSpace
DeleteObject
CreateHalftonePalette
EndPath
FillPath
CreateCompatibleDC
DeleteDC
DeleteEnhMetaFile
EndPage
CreatePatternBrush
CreateMetaFileW
GetColorSpace
RealizePalette
GetStockObject
CancelDC
GetFontLanguageInfo
AbortPath
SwapBuffers
StrokePath
GetPixelFormat
GetBkMode
GetTextAlign
GetEnhMetaFileW
GDI32.dll
RegOpenKeyW
RegQueryValueExA
ADVAPI32.dll
\1SmF?
`~6C+9
1>,Wf9
4ced*F
%<p]+qA
Y=+AJ|n
|17a#K
4SQs(km3
LPMf^[
O0mGwc
H*yXA'
nM-G6e
jB$-0<
s9ZJpO4
>Z>ZYV
Epy1=o
}BVa 1A
R8h^Z}
iF78i*
iU;u3%|
{8>ft,
(sOp I
BIekvn
RE\:G$]
)R)_{
b."px9W
t/|M!~
l"ceBnNt
~(:B%x
\{nSVbq_7
9mZ*cm
mS;g-/
&Zv*e[ueO
mee!e
+m1Lyfu4
W+hoR4
37BHu&
,~EodVy
pBl?EapH#
RMiYph
*ajs[D
ZAy7:,T
I}Kd6(X
kY%*pb*
RVw168
w*/snIz
\9WQ @
@^Yb^-k @
eWb[?E
q|H/ ~xu
sE?>5p;;x
jHw-/OA
VA<:_H
s+-Lb5%
>T_!`wW @
6}AvZK@
fYou @
:s>6 @
aJM:"<X
<|g(OU
@Lb:
G3_TP1g
B|V3tT
-9i @l
@}Djl
EFs"n:
JrKg"*s
2_ySCM
[VD @
xtF;dVp&q @+
k>Y#-Q
@G~*d#
`}w @dD
Uf[C;OH4T
s7P<4v
"DdaoL
7M[+Ii
h]4g+D
"T'KRD
"DJ@N^m
"DF]*H
"DB4sb);
UPunhr
ci'60!
yec#WbD
"D6D;D
:K-75UZ
*.}.,+
e+C0|Q
Tfs/BiEj
2A={ G
~s\3$a+
|WAFZci
nlFjU?oI
&J5"?m
') 8'$
:S(|vY/
pC2!LUS
dJwA$$
`P1mN^
+@W}w6 ]g
g*\J!)
}%`I1<
|v5f;q
WC* -l
fWeMK_jodE
.Hx$])
BheMn5P
RRz7W!
amNNXL
PYN2sVh
,IqkXw
/%DGL
A'eJnz#0
~,f[B-
tL=n}_
2,+Y}|
M)o}djX
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++
// resource.rc
#define DEFAULT_FONT_NAME 39
#define GMESSAGEBOX_TEXT_OK 40
#define GMESSAGEBOX_TEXT_CANCEL 41
#define GMESSAGEBOX_TEXT_YES 42
#define GMESSAGEBOX_TEXT_NO 43
#define IDI_GRLAUNCHER 101
#define IDR_MAINFRAME 102
#define IDR_LANG_ENG 105
#define IDR_LANG_KOR 106
#define IDR_RESHEADER 108
#define IDR_LANG_JPN 109
#define IDD_MAIN 129
#define IDC_PROGRESS_RECV 1000
#define IDC_STATIC_MESSAGE 1001
// Next default values for new objects
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 109
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
0W0f0D0~0Y0
0k01YWeW0~0W0_0
0n0MOn
0L0puj0
0L0puj0
`1XL0puj0
0k01YWeW0~0W0_0
0L0puj0
0g0W0_0
0k01YWeW0~0W0_0
NW0~0W0_0
k01YWeW0~0W0_0
mW0~0Y0K0
Q0~0[0
0g0W0_0
O1YWe.
0L0zvuW0~0W0_0
k01YWeW0~0W0_0
D0D0H0
mW0~0W0_0
0L0zvuW0~0W0_0
0W0f0O0`0U0D0
O(ug0M0~0[0
c0f0O0`0U0D0
D0D0H0(
VVVVVVVVVV
HHHHHHHH
TT T
TT4444444TT
T444444444444T
HT44444444444444444T
T4444444444444444444(t(
T444444444444444444444(ttt
T444444444
444Wttt4
T44444444
UUUU
4444444
HT44444444
xxxxko.
4444444T
V+HT4444444
444444TH
4444444
444444
V+HT4444444 ._
: 444444TH
H4444444
444444
ViHT4444444
_fUU UUf$
: 444444T
HT444444d
X 444444T
U4ddM?GGQ\X
444444TH+V
KKK4 :$
444444 H+iVVi+'
g7Q)6;K4 :$
444444H
4444444H
iVV&e|
4444444H
+VVee|
44444444H
+VVee|
4444444H
4444444H
4444444H
444444TH+-VVP
wAAGGGA1[X
X^@d44444Tr!
*'AAGGGGGwy
>=p)))p=[
X#y@d4444T^*
Em?MMM??J1
$CQp))pQ7
@MdddddM@C:::C1Qppp01
V+HT44L44ddM@]
wJppppp=>_
33LOOOOLLL4dM??GGppppQ[g_
cNNNFFOOOLdd
6GGpppQ=[g`
oU q?w\
Va..{{{NNNNFOK4d
n3 qOFFL
_t{FFO4d
GGGppAw1]:o 5OFNN3+e,V
_tWNFKd
GGGp??@@ ~5OFN{N
GGAA?dd44OFNN{N
{NFLdd?GGAd44LONN{{s
{NOLdMmAA4LOFN{{N~*ee
{FL4M??AOFNN{Nc
{FO4d??AN{NNc
/XXof:
VVVVVVVVVV
!!!!!!!!
!!!iiHHHHii!!!
TT
T4444444T
T444444444444THi!
44444444444444ttjH+!
4444444444444444TH+!
4444443a
aT444444THi!
T44444H/2xxxx2
T44444T
4444a2$
344444Hi!
!iT44444a2
T4444Ti!
444KT
xa44444 H!
!i MGGG
$/4444Hi!!
44444Hi!!-|
44444Hi!!
44444H
44444H
$/44444Hi!!
T4444HV!!uEwAGGG
$b}M444YP!
444d@''
C%FOOOKKd
{NNNFOKd
GGppM3
_{NOd?GA
W{FLdmGAN
Wttj3e
NOdM?AW(tt
jXN%4M?wtj
!!!!!!!!
!!!!!!
!!4KK4!!
4KKddKK
>99>@KK
odKH!!
KH!!|p
odKH!!'G
!sO.LMQ
LMG6cF]
!!!!!!
,,&(CCHMUXzy^c
BHmr))+I
::4!TU`V^c
WWT>_d
^ayf[b
VVVVVVVVVV
HHHHHHHH
TT T
TT4444444TT
T444444444444T
HT44444444444444444T
T4444444444444444444(t(
T444444444444444444444(ttt
T444444444
444Wttt4
T44444444
UUUU
4444444
HT44444444
xxxxko.
4444444T
V+HT4444444
444444TH
4444444
444444
V+HT4444444 ._
: 444444TH
H4444444
444444
ViHT4444444
_fUU UUf$
: 444444T
HT444444d
X 444444T
U4ddM?GGQ\X
444444TH+V
KKK4 :$
444444 H+iVVi+'
g7Q)6;K4 :$
444444H
4444444H
iVV&e|
4444444H
+VVee|
44444444H
+VVee|
4444444H
4444444H
4444444H
444444TH+-VVP
wAAGGGA1[X
X^@d44444Tr!
*'AAGGGGGwy
>=p)))p=[
X#y@d4444T^*
Em?MMM??J1
$CQp))pQ7
@MdddddM@C:::C1Qppp01
V+HT44L44ddM@]
wJppppp=>_
33LOOOOLLL4dM??GGppppQ[g_
cNNNFFOOOLdd
6GGpppQ=[g`
oU q?w\
Va..{{{NNNNFOK4d
n3 qOFFL
_t{FFO4d
GGGppAw1]:o 5OFNN3+e,V
_tWNFKd
GGGp??@@ ~5OFN{N
GGAA?dd44OFNN{N
{NFLdd?GGAd44LONN{{s
{NOLdMmAA4LOFN{{N~*ee
{FL4M??AOFNN{Nc
{FO4d??AN{NNc
/XXof:
VVVVVVVVVV
!!!!!!!!
!!!iiHHHHii!!!
TT
T4444444T
T444444444444THi!
44444444444444ttjH+!
4444444444444444TH+!
4444443a
aT444444THi!
T44444H/2xxxx2
T44444T
4444a2$
344444Hi!
!iT44444a2
T4444Ti!
444KT
xa44444 H!
!i MGGG
$/4444Hi!!
44444Hi!!-|
44444Hi!!
44444H
44444H
$/44444Hi!!
T4444HV!!uEwAGGG
$b}M444YP!
444d@''
C%FOOOKKd
{NNNFOKd
GGppM3
_{NOd?GA
W{FLdmGAN
Wttj3e
NOdM?AW(tt
jXN%4M?wtj
!!!!!!!!
!!!!!!
!!4KK4!!
4KKddKK
>99>@KK
odKH!!
KH!!|p
odKH!!'G
!sO.LMQ
LMG6cF]
!!!!!!
,,&(CCHMUXzy^c
BHmr))+I
::4!TU`V^c
WWT>_d
^ayf[b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
}foB|/;B
CSHOESOAXYRSFUTCIK0
200708055400Z
391231235959Z0
CSHOESOAXYRSFUTCIK0
CSHOESOAXYRSFUTCIK
CSHOESOAXYRSFUTCIK
"/V];%
D333erfacE\{b196b287-bab4-101a-b69c-00aa00341d07}
MqxBTWWMBf
OIMlHuLBrO
HmbEpiVjNQ
fHwUxkDeIr
qwrvWjueDE
af VeySAWV
naPBAvjIIz
hDXyXMUiKH
myAPGiCBpm
HAXxaebWMu
uNKgfArnur
x jtwwnKQv
WaxeFOOLeT
NZfWkwooTC
i cvUiSYJr
HRrkiWflou
VGAvvAswhs
GmZZFypmFO
IelEENYnXN
zMCJqAlYAR
uHOMqTQxMJ
DSiDlDoGMD
WDVHbZxrFq
jRoYWilqzE
ElfqFbyMFr
O y xsllU
tj8uh5nt9uy23g4b8tuyg23tryg7yq
BINARY
[STRING_RES]
IDS_DOWNLOADING_PROGRAM
= Downloading Program...
IDS_APP_NAME
= GR Launcher
IDS_INVALID_PARAMETER
= Parameter error
IDS_INVALID_PARAM_TAG
= Parameter tag error
IDS_INVALID_COMMAND_PARAM
= Command Parameter error
IDS_FAILED_TO_UPDATE
= Update failure.
IDS_FAILED_TO_LAUNCH_PROGRAM
= Program running failure
IDS_INVALID_REG_POSITION
= Wrong registry settings
IDS_CANT_GET_PROGRAM_PATH
= Can not find the correct program path.
IDS_NO_PROGRAM_EXE_NAME
= There is no executable file.
IDS_NO_PROGRAM_INI_FILE_NAME
= There is no setup file name.
IDS_INVALID_LOCAL_PROGRAM_VERSION
= Wrong local program version.
IDS_INVALID_SERVER_PROGRAM_VERSION
= Wrong server side program version.
IDS_INVALID_PROGRAM_INSTALL_INFO
= Wrong setup information.
IDS_FAILED_TO_SETUP
= Failed to install the program.
IDS_INVALID_PROGRAM_ID
= Program ID Parameter error
IDS_FAILED_TO_CHECK_VERSION
= Version check failure
IDS_INVALID_LAUNCHER_VERSION
= The version of the launcher is not the correcnt version. You have to download the latest version.
IDS_PROGRAM_IS_NOT_INSTALLED
= The program is not installed.
IDS_OLD_VERSION_INSTALLED
= Previous version is installed already.
IDS_OLD_MINOR_VERSION_INSTALLED
= Previous version(minor version) is already installed.
IDS_OLD_BUILD_VERSION_INSTALLED
= A previous version (build) was already installed.
IDS_LATEST_VERSION_INSTALLED
= The latest version is already installed.
IDS_FAIL_TO_INSTALL_LASTEST_VERSION
= Failed to install the latest version.
IDS_SETUP_COMPLETED
= Installation is completed.
IDS_FAILED_TOP_LAUNCH_PROGRAM
= Failed to run the program.
IDS_CHECK_VERSION_FAILED
= Version check failure
IDS_MAINDLG_CANCEL_TRANSFER
= Do you want to cancel the transfer?
IDS_MAINDLG_START_TRANSFER
= Start File Transfer.
IDS_MAINDLG_CANTOPEN_FILE
= Unable to open the file.
IDS_MAINDLG_STARTDOWN
= Start downloading..
IDS_MAINDLG_DOWNLOADING
= Downloading : %s bytes
IDS_MAINDLG_FAILED_TO_START_TRANSFER
= File Transfer failed.
IDS_MAINDLG_ERR_WHILE_TRANSFER
= There was an error during the file transfer.
IDS_MAINDLG_TRANSFER_COMPLETED
= File transfer complete.
IDS_MAINDLG_INSTALLING_S
= %s Installing..
IDS_MAINDLG_INSTALLING
= Installing..
IDS_MAINDLG_FAILED_TOP_LAUNCH_SETUP
= Failed to run the installation manager.\r\nPlease download the files from our website and install manually.
DEFAULT_FONT_NAME
= Arial
GMESSAGEBOX_TEXT_OK
= Confirm
GMESSAGEBOX_TEXT_CANCEL
= Cancel
GMESSAGEBOX_TEXT_YES
GMESSAGEBOX_TEXT_NO
IDS_USER_CANCELED
= Installation Cancelled.
IDS_INVALID_SERVER_VERSIONFILE
= Version File Error.
IDS_MAINDLG_ERR_WHILE_TRANSFER2
= An error occurred while downloading the files. Please download the files directly from our website.
IDS_DISABLED_VERSION
= This version is no longer supported. Please update to the latest version.
IDS_OK
IDS_CANCEL
= Cancel
IDS_STOP
= Stop
IDS_RETRY
= Retry(&R)
IDS_IGNORE
= Ignore(&I)
IDS_YES
= Yes(&Y)
IDS_NO
= No(&N)
[STRING_RES]
IDS_DOWNLOADING_PROGRAM
IDS_APP_NAME
IDS_INVALID_PARAMETER
IDS_INVALID_PARAM_TAG
IDS_INVALID_COMMAND_PARAM
IDS_FAILED_TO_UPDATE
IDS_FAILED_TO_LAUNCH_PROGRAM
IDS_INVALID_REG_POSITION
IDS_CANT_GET_PROGRAM_PATH
IDS_NO_PROGRAM_EXE_NAME
IDS_NO_PROGRAM_INI_FILE_NAME
IDS_INVALID_LOCAL_PROGRAM_VERSION
IDS_INVALID_SERVER_PROGRAM_VERSION
IDS_INVALID_PROGRAM_INSTALL_INFO
IDS_FAILED_TO_SETUP
IDS_INVALID_PROGRAM_ID
IDS_FAILED_TO_CHECK_VERSION
IDS_INVALID_LAUNCHER_VERSION
IDS_PROGRAM_IS_NOT_INSTALLED
IDS_OLD_VERSION_INSTALLED
IDS_OLD_MINOR_VERSION_INSTALLED
IDS_OLD_BUILD_VERSION_INSTALLED =
IDS_LATEST_VERSION_INSTALLED
IDS_FAIL_TO_INSTALL_LASTEST_VERSION
IDS_SETUP_COMPLETED
IDS_FAILED_TOP_LAUNCH_PROGRAM
IDS_CHECK_VERSION_FAILED
IDS_MAINDLG_CANCEL_TRANSFER
IDS_MAINDLG_START_TRANSFER
IDS_MAINDLG_CANTOPEN_FILE
IDS_MAINDLG_STARTDOWN
IDS_MAINDLG_DOWNLOADING
: %s
IDS_MAINDLG_FAILED_TO_START_TRANSFER
IDS_MAINDLG_ERR_WHILE_TRANSFER
IDS_MAINDLG_TRANSFER_COMPLETED
IDS_MAINDLG_INSTALLING_S
IDS_MAINDLG_INSTALLING
IDS_MAINDLG_FAILED_TOP_LAUNCH_SETUP
DEFAULT_FONT_NAME
GMESSAGEBOX_TEXT_OK
GMESSAGEBOX_TEXT_CANCEL
GMESSAGEBOX_TEXT_YES
GMESSAGEBOX_TEXT_NO
IDS_USER_CANCELED
IDS_INVALID_SERVER_VERSIONFILE
IDS_MAINDLG_ERR_WHILE_TRANSFER2
IDS_DISABLED_VERSION
IDS_OK
IDS_CANCEL
IDS_STOP
IDS_RETRY
IDS_IGNORE
IDS_YES
IDS_NO
[STRING_RES]
IDS_DOWNLOADING_PROGRAM
IDS_APP_NAME
IDS_INVALID_PARAMETER
IDS_INVALID_PARAM_TAG
IDS_INVALID_COMMAND_PARAM
IDS_FAILED_TO_UPDATE
IDS_FAILED_TO_LAUNCH_PROGRAM
IDS_INVALID_REG_POSITION
IDS_CANT_GET_PROGRAM_PATH
IDS_NO_PROGRAM_EXE_NAME
IDS_NO_PROGRAM_INI_FILE_NAME
IDS_INVALID_LOCAL_PROGRAM_VERSION =
IDS_INVALID_SERVER_PROGRAM_VERSION =
IDS_INVALID_PROGRAM_INSTALL_INFO =
IDS_FAILED_TO_SETUP
IDS_INVALID_PROGRAM_ID
IDS_FAILED_TO_CHECK_VERSION
IDS_INVALID_LAUNCHER_VERSION =
IDS_PROGRAM_IS_NOT_INSTALLED
IDS_OLD_VERSION_INSTALLED =
IDS_OLD_MINOR_VERSION_INSTALLED =
IDS_OLD_BUILD_VERSION_INSTALLED =
IDS_LATEST_VERSION_INSTALLED =
IDS_FAIL_TO_INSTALL_LASTEST_VERSION =
IDS_SETUP_COMPLETED
IDS_FAILED_TOP_LAUNCH_PROGRAM
IDS_CHECK_VERSION_FAILED
IDS_MAINDLG_CANCEL_TRANSFER
IDS_MAINDLG_START_TRANSFER
IDS_MAINDLG_CANTOPEN_FILE
IDS_MAINDLG_STARTDOWN
IDS_MAINDLG_DOWNLOADING
IDS_MAINDLG_FAILED_TO_START_TRANSFER
IDS_MAINDLG_ERR_WHILE_TRANSFER
IDS_MAINDLG_TRANSFER_COMPLETED
IDS_MAINDLG_INSTALLING_S
IDS_MAINDLG_INSTALLING
IDS_MAINDLG_FAILED_TOP_LAUNCH_SETUP =
DEFAULT_FONT_NAME
GMESSAGEBOX_TEXT_OK
GMESSAGEBOX_TEXT_CANCEL
GMESSAGEBOX_TEXT_YES
GMESSAGEBOX_TEXT_NO
IDS_USER_CANCELED
IDS_INVALID_SERVER_VERSIONFILE
IDS_MAINDLG_ERR_WHILE_TRANSFER2 =
IDS_DISABLED_VERSION
IDS_OK
IDS_CANCEL
IDS_STOP
IDS_RETRY
IDS_IGNORE
IDS_YES
IDS_NO
msctls_progress32
VS_VERSION_INFO
StringFileInfo
041204B0
CompanyName
Gretech Corporation
FileDescription
GrLauncher
FileVersion
2.1.0.7
InternalName
GrLaunch.exe
LegalCopyright
Copyright(C) Gretech Corp. All rights reserved. Since 2003
OriginalFilename
GrLaunch.exe
ProductName
GrLauncher
ProductVersion
2.1.0.7
VarFileInfo
Translation
<<<Obsolete>>

Dropped Files

80c10ee5f21f92f8_0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe

Name: 80c10ee5f21f92f8_0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe
Size: 776.2 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 60b7c0fead45f2066e5b805a91f4f0fc
SHA1: 9018a7d6cdbe859a430e8794e73381f77c840be0
SHA256: 80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22
SHA512: 68b9f9c00fc64df946684ce81a72a2624f0fc07e07c0c8b3db2fae8c9c0415bd1b4a03ad7ffa96985af0cc5e0410f6c5e29a30200efff21ab4b01369a3c59b58
Ssdeep: 6144:Jv7Wc4dyC7dXNBzn68YoC+6VoQSkgrpZHqk61peBN1L+I8pfezYeWHMzyy14pL1k:JvSbJxPRC+XQSxb6Dc7RwIWHeGL7GOK

Network

Hosts Involved

IP Address	Country of Origin
23.215.99.17	US

Geolocation

Destination Country

US:: 100%

File

Type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: 7CDB24A5
MD5: be2e7edc14cfb351d1407d452616780f
SHA1: 44f004943846e690b43471f286a74c452e18a592
SHA256: 0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e
SHA512: 59938f475dda37f69a92d6871527df025f5ff99f6d064c8bacefc1be95453f751de130cdbd1201437b85b092abab0df1fdd757dabcdb876afba3ed8460250889
Ssdeep: 12288:mTvx/ieOO4bKeDKnEFbgo3mTBxVWbv+OE5p0ZfS:Ovx/im6drbgo3mjWdfS
PEiD: None matched

Screenshots

Behavior Summary

File-Read

\\?\PIPE\samr

File-Written

\\?\PIPE\samr

File-Opened

C:\
C:\Users\
C:\Users\Virtual\
C:\Users\Virtual\AppData\
C:\Users\Virtual\AppData\Local\
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
\\?\PIPE\samr
c:\

Network-Resolves URL

127.0.0.1

Directory-Enumerated

C:\Python27\Scripts\ping.exe
C:\Python27\Scripts\ping.exe.*
C:\Python27\ping.exe
C:\Python27\ping.exe.*
C:\Users\Virtual\AppData\Local\Temp\ping.exe
C:\Users\Virtual\AppData\Local\Temp\ping.exe.*
C:\Windows\System32\PING.EXE

Registry Key-Opened

HKEY_CLASSES_ROOT\interfacE\{b196b287-bab4-101a-b69c-00aa00341d07}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956483-9236-11e5-a874-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956484-9236-11e5-a874-806e6f6e6963}\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\System\Setup

Registry Key-Read

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956483-9236-11e5-a874-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956483-9236-11e5-a874-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956484-9236-11e5-a874-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{94956484-9236-11e5-a874-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress

Registry Key-Written

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent

Mutex-Accessed

evkifdqn

Processes

Process Name

PID

Parent PID

0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe 2312 2256

Time	API	Arguments	Result
1594524005.49	SearchPathW	searchpath: "" filename: "zFiRXyjCnu" extension: "" filepath: ""	Status FAILURE
1594524005.52	GetForegroundWindow		Return Value 65592 Status SUCCESS
1594524005.54	RegOpenKeyExW	regkey_r: "SOFTWARE\Microsoft\OLE" base_handle: "0x80000002" key_handle: "0x00000070" options: 0 access: "0x00020019" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE"	Status SUCCESS
1594524005.54	RegQueryValueExW	key_handle: "0x00000070" regkey_r: "PageAllocatorUseSystemHeap" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap"	Return Value 2 Status FAILURE
1594524005.54	RegCloseKey	key_handle: "0x00000070"	Status SUCCESS
1594524005.54	RegOpenKeyExW	regkey_r: "SOFTWARE\Microsoft\OLE" base_handle: "0x80000002" key_handle: "0x00000070" options: 0 access: "0x00020019" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE"	Status SUCCESS
1594524005.54	RegQueryValueExW	key_handle: "0x00000070" regkey_r: "PageAllocatorSystemHeapIsPrivate" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate"	Return Value 2 Status FAILURE
1594524005.54	RegCloseKey	key_handle: "0x00000070"	Status SUCCESS
1594524005.54	GetSystemInfo	processor_count: 1	Status SUCCESS
1594524005.54	LdrGetDllHandle	module_name: "rpcrt4.dll" module_address: "0x7db50000" stack_pivoted: 0	Status SUCCESS

0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe 2496 2312

Time	API	Arguments	Result
1594524057.39	SearchPathW	searchpath: "" filename: "zFiRXyjCnu" extension: "" filepath: ""	Status FAILURE
1594524057.42	GetForegroundWindow		Return Value 65592 Status SUCCESS
1594524057.44	RegOpenKeyExW	regkey_r: "SOFTWARE\Microsoft\OLE" base_handle: "0x80000002" key_handle: "0x00000068" options: 0 access: "0x00020019" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE"	Status SUCCESS
1594524057.44	RegQueryValueExW	key_handle: "0x00000068" regkey_r: "PageAllocatorUseSystemHeap" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap"	Return Value 2 Status FAILURE
1594524057.44	RegCloseKey	key_handle: "0x00000068"	Status SUCCESS
1594524057.44	RegOpenKeyExW	regkey_r: "SOFTWARE\Microsoft\OLE" base_handle: "0x80000002" key_handle: "0x00000068" options: 0 access: "0x00020019" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE"	Status SUCCESS
1594524057.44	RegQueryValueExW	key_handle: "0x00000068" regkey_r: "PageAllocatorSystemHeapIsPrivate" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate"	Return Value 2 Status FAILURE
1594524057.44	RegCloseKey	key_handle: "0x00000068"	Status SUCCESS
1594524057.44	GetSystemInfo	processor_count: 1	Status SUCCESS
1594524057.44	LdrGetDllHandle	module_name: "rpcrt4.dll" module_address: "0x7db50000" stack_pivoted: 0	Status SUCCESS

reg.exe 3020 2312

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1594524097.49		GetSystemTimeAsFileTime		Status SUCCESS
1594524097.49		SetUnhandledExceptionFilter		Status FAILURE
1594524097.49		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x0000000078d20000"	Status SUCCESS
1594524097.49	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x0000000078d38220" function_name: "SortGetHandle" module: "kernel32" module_address: "0x0000000078d20000"	Status SUCCESS
1594524097.49		NtCreateFile	create_disposition: 1 file_handle: "0x000000000000005c" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1594524097.49		NtCreateSection	file_handle: "0x000000000000005c" object_handle: "0x0000000000000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000000000000060"	Status SUCCESS
1594524097.49		NtMapViewOfSection	section_handle: "0x0000000000000060" process_identifier: 3020 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x0000000001c00000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffffffffffff"	Status SUCCESS
1594524097.49	3	NtClose	handle: "0x0000000000000060"	Status SUCCESS
1594524097.49		NtOpenKey	key_handle: "0x000000000000005c" desired_access: "0x02000000" regkey: "HKEY_CURRENT_USER"	Status SUCCESS
1594524097.49		NtQueryKey	key_handle: "0x000000000000005c" buffer: "" regkey: "HKEY_CURRENT_USER" information_class: 7	Status SUCCESS

Showing 1 to 10 of 40 entries

Previous1 2 3 4Next

reg.exe 1924 2312

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1594524097.77		GetSystemTimeAsFileTime		Status SUCCESS
1594524097.77		SetUnhandledExceptionFilter		Status FAILURE
1594524097.77		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x0000000078d20000"	Status SUCCESS
1594524097.77	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x0000000078d38220" function_name: "SortGetHandle" module: "kernel32" module_address: "0x0000000078d20000"	Status SUCCESS
1594524097.77		NtCreateFile	create_disposition: 1 file_handle: "0x000000000000005c" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1594524097.77		NtCreateSection	file_handle: "0x000000000000005c" object_handle: "0x0000000000000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000000000000060"	Status SUCCESS
1594524097.77		NtMapViewOfSection	section_handle: "0x0000000000000060" process_identifier: 1924 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x0000000001c50000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffffffffffff"	Status SUCCESS
1594524097.78	3	NtClose	handle: "0x0000000000000060"	Status SUCCESS
1594524097.78		NtOpenKey	key_handle: "0x000000000000005c" desired_access: "0x02000000" regkey: "HKEY_CURRENT_USER"	Status SUCCESS
1594524097.78		NtQueryKey	key_handle: "0x000000000000005c" buffer: "" regkey: "HKEY_CURRENT_USER" information_class: 7	Status SUCCESS

Showing 1 to 10 of 40 entries

Previous1 2 3 4Next

reg.exe 1608 2312

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1594524098.08		GetSystemTimeAsFileTime		Status SUCCESS
1594524098.08		SetUnhandledExceptionFilter		Status FAILURE
1594524098.08		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x0000000078d20000"	Status SUCCESS
1594524098.08	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x0000000078d38220" function_name: "SortGetHandle" module: "kernel32" module_address: "0x0000000078d20000"	Status SUCCESS
1594524098.08		NtCreateFile	create_disposition: 1 file_handle: "0x000000000000005c" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1594524098.08		NtCreateSection	file_handle: "0x000000000000005c" object_handle: "0x0000000000000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000000000000060"	Status SUCCESS
1594524098.08		NtMapViewOfSection	section_handle: "0x0000000000000060" process_identifier: 1608 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x0000000001c00000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffffffffffff"	Status SUCCESS
1594524098.08	3	NtClose	handle: "0x0000000000000060"	Status SUCCESS
1594524098.08		NtOpenKey	key_handle: "0x000000000000005c" desired_access: "0x02000000" regkey: "HKEY_CURRENT_USER"	Status SUCCESS
1594524098.08		NtQueryKey	key_handle: "0x000000000000005c" buffer: "" regkey: "HKEY_CURRENT_USER" information_class: 7	Status SUCCESS

Showing 1 to 10 of 40 entries

Previous1 2 3 4Next

reg.exe 2200 2312

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1594524098.31		GetSystemTimeAsFileTime		Status SUCCESS
1594524098.31		SetUnhandledExceptionFilter		Status FAILURE
1594524098.31		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x0000000078d20000"	Status SUCCESS
1594524098.31	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x0000000078d38220" function_name: "SortGetHandle" module: "kernel32" module_address: "0x0000000078d20000"	Status SUCCESS
1594524098.33		NtCreateFile	create_disposition: 1 file_handle: "0x000000000000005c" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1594524098.33		NtCreateSection	file_handle: "0x000000000000005c" object_handle: "0x0000000000000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000000000000060"	Status SUCCESS
1594524098.33		NtMapViewOfSection	section_handle: "0x0000000000000060" process_identifier: 2200 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x0000000001c20000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffffffffffff"	Status SUCCESS
1594524098.33	3	NtClose	handle: "0x0000000000000060"	Status SUCCESS
1594524098.33		NtOpenKey	key_handle: "0x000000000000005c" desired_access: "0x02000000" regkey: "HKEY_CURRENT_USER"	Status SUCCESS
1594524098.33		NtQueryKey	key_handle: "0x000000000000005c" buffer: "" regkey: "HKEY_CURRENT_USER" information_class: 7	Status SUCCESS

Showing 1 to 10 of 40 entries

Previous1 2 3 4Next

reg.exe 2216 2312

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1594524098.55		GetSystemTimeAsFileTime		Status SUCCESS
1594524098.55		SetUnhandledExceptionFilter		Status FAILURE
1594524098.55		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x0000000078d20000"	Status SUCCESS
1594524098.55	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x0000000078d38220" function_name: "SortGetHandle" module: "kernel32" module_address: "0x0000000078d20000"	Status SUCCESS
1594524098.55		NtCreateFile	create_disposition: 1 file_handle: "0x000000000000005c" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1594524098.55		NtCreateSection	file_handle: "0x000000000000005c" object_handle: "0x0000000000000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000000000000060"	Status SUCCESS
1594524098.55		NtMapViewOfSection	section_handle: "0x0000000000000060" process_identifier: 2216 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x0000000001c00000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffffffffffff"	Status SUCCESS
1594524098.55	3	NtClose	handle: "0x0000000000000060"	Status SUCCESS
1594524098.55		NtOpenKey	key_handle: "0x000000000000005c" desired_access: "0x02000000" regkey: "HKEY_CURRENT_USER"	Status SUCCESS
1594524098.55		NtQueryKey	key_handle: "0x000000000000005c" buffer: "" regkey: "HKEY_CURRENT_USER" information_class: 7	Status SUCCESS

Showing 1 to 10 of 40 entries

Previous1 2 3 4Next

reg.exe 2308 2312

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1594524098.77		GetSystemTimeAsFileTime		Status SUCCESS
1594524098.77		SetUnhandledExceptionFilter		Status FAILURE
1594524098.77		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x0000000078d20000"	Status SUCCESS
1594524098.77	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x0000000078d38220" function_name: "SortGetHandle" module: "kernel32" module_address: "0x0000000078d20000"	Status SUCCESS
1594524098.77		NtCreateFile	create_disposition: 1 file_handle: "0x000000000000005c" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1594524098.77		NtCreateSection	file_handle: "0x000000000000005c" object_handle: "0x0000000000000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000000000000060"	Status SUCCESS
1594524098.77		NtMapViewOfSection	section_handle: "0x0000000000000060" process_identifier: 2308 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x0000000001c00000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffffffffffff"	Status SUCCESS
1594524098.77	3	NtClose	handle: "0x0000000000000060"	Status SUCCESS
1594524098.77		NtOpenKey	key_handle: "0x000000000000005c" desired_access: "0x02000000" regkey: "HKEY_CURRENT_USER"	Status SUCCESS
1594524098.77		NtQueryKey	key_handle: "0x000000000000005c" buffer: "" regkey: "HKEY_CURRENT_USER" information_class: 7	Status SUCCESS

Showing 1 to 10 of 40 entries

Previous1 2 3 4Next

reg.exe 2136 2312

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1594524099.0		GetSystemTimeAsFileTime		Status SUCCESS
1594524099.0		SetUnhandledExceptionFilter		Status FAILURE
1594524099.0		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x0000000078d20000"	Status SUCCESS
1594524099.0	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x0000000078d38220" function_name: "SortGetHandle" module: "kernel32" module_address: "0x0000000078d20000"	Status SUCCESS
1594524099.0		NtCreateFile	create_disposition: 1 file_handle: "0x000000000000005c" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1594524099.0		NtCreateSection	file_handle: "0x000000000000005c" object_handle: "0x0000000000000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000000000000060"	Status SUCCESS
1594524099.0		NtMapViewOfSection	section_handle: "0x0000000000000060" process_identifier: 2136 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x0000000001c00000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffffffffffff"	Status SUCCESS
1594524099.0	3	NtClose	handle: "0x0000000000000060"	Status SUCCESS
1594524099.0		NtOpenKey	key_handle: "0x000000000000005c" desired_access: "0x02000000" regkey: "HKEY_CURRENT_USER"	Status SUCCESS
1594524099.0		NtQueryKey	key_handle: "0x000000000000005c" buffer: "" regkey: "HKEY_CURRENT_USER" information_class: 7	Status SUCCESS

Showing 1 to 10 of 39 entries

Previous1 2 3 4Next

reg.exe 1580 2312

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1594524099.28		GetSystemTimeAsFileTime		Status SUCCESS
1594524099.28		SetUnhandledExceptionFilter		Status FAILURE
1594524099.28		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x0000000078d20000"	Status SUCCESS
1594524099.28	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x0000000078d38220" function_name: "SortGetHandle" module: "kernel32" module_address: "0x0000000078d20000"	Status SUCCESS
1594524099.28		NtCreateFile	create_disposition: 1 file_handle: "0x000000000000005c" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1594524099.31		NtCreateSection	file_handle: "0x000000000000005c" object_handle: "0x0000000000000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000000000000060"	Status SUCCESS
1594524099.31		NtMapViewOfSection	section_handle: "0x0000000000000060" process_identifier: 1580 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x0000000001c00000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffffffffffff"	Status SUCCESS
1594524099.31	3	NtClose	handle: "0x0000000000000060"	Status SUCCESS
1594524099.33		NtOpenKey	key_handle: "0x000000000000005c" desired_access: "0x02000000" regkey: "HKEY_CURRENT_USER"	Status SUCCESS
1594524099.33		NtQueryKey	key_handle: "0x000000000000005c" buffer: "" regkey: "HKEY_CURRENT_USER" information_class: 7	Status SUCCESS

Showing 1 to 10 of 40 entries

Previous1 2 3 4Next

Time	API	Arguments	Result
1594524100.09	GetSystemTimeAsFileTime		Status SUCCESS
1594524100.09	SetUnhandledExceptionFilter		Status FAILURE
1594524100.12	WSAStartup	wVersionRequested: 2	Status SUCCESS
1594524100.12	RegOpenKeyExA	regkey_r: "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" base_handle: "0xffffffff80000002" key_handle: "0x0000000000000068" options: 0 access: "0x00000001" regkey: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"	Status SUCCESS
1594524100.12	RegQueryValueExA	key_handle: "0x0000000000000068" regkey_r: "DefaultTTL" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL"	Return Value 2 Status FAILURE
1594524100.12	RegCloseKey	key_handle: "0x0000000000000068"	Status SUCCESS
1594524100.12	getaddrinfo	service_name: "" hostname: "127.0.0.1"	Status SUCCESS
1594524100.12	LdrLoadDll	module_name: "rpcrt4.dll" basename: "rpcrt4" stack_pivoted: 0 flags: 0 module_address: "0x000007ff7fde0000"	Status SUCCESS
1594524100.12	NtQuerySystemInformation	information_class: 0	Status SUCCESS
1594524100.12	NtQueryKey	key_handle: "0x0000000000000024" buffer: "" regkey: "HKEY_LOCAL_MACHINE" information_class: 7	Status SUCCESS

Classification

Indicators

Yara

Static Analysis

Version Infos

Sections

Resources

Imports

Library KERNEL32.dll:

Library USER32.dll:

Library GDI32.dll:

Library ADVAPI32.dll:

Strings

Dropped Files

80c10ee5f21f92f8_0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe

Network

Hosts Involved

Geolocation

Destination Country

File

Screenshots

Behavior Summary

File-Read

File-Written

File-Opened

Network-Resolves URL

Directory-Enumerated

Registry Key-Opened

Registry Key-Read

Registry Key-Written

Mutex-Accessed

Processes

0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe23122256

0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe24962312

reg.exe30202312

reg.exe19242312

reg.exe16082312

reg.exe22002312

reg.exe22162312

reg.exe23082312

reg.exe21362312

reg.exe15802312

cmd.exe18082312

PING.EXE15121808

0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe 2312 2256

0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e.exe 2496 2312

reg.exe 3020 2312

reg.exe 1924 2312

reg.exe 1608 2312

reg.exe 2200 2312

reg.exe 2216 2312

reg.exe 2308 2312

reg.exe 2136 2312

reg.exe 1580 2312

cmd.exe 1808 2312

PING.EXE 1512 1808