9748e28c...c471 | Files
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Downloader
Ransomware
Threat Names:
Djvu
STOP
Trojan.GenericKD.33626843
...

CUsersabdoAppDataLocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75FCEB.tmp.exe

Windows Exe (x86-32)

Created at 2020-04-09T13:25:00

...

Remarks (2/3)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "1 minute, 50 seconds" to "10 seconds" to reveal dormant functionality.

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x0200003A): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

Filters:
Filename Category Type Severity Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersabdoAppDataLocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75FCEB.tmp.exe Sample File Binary
Malicious
...
»
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\0cf16e90-25f3-4a59-b809-8330957d8bce\CUsersabdoAppDataLocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75FCEB.tmp.exe (Dropped File)
Mime Type application/vnd.microsoft.portable-executable
File Size 767.50 KB
MD5 ba9f55ce820b48d6f1c78c10e7434db7 Copy to Clipboard
SHA1 b4e5b48f0a19ff733caa0a25d4cd3930b8cee023 Copy to Clipboard
SHA256 9748e28cd2e2a1a06ed9a5125b085e3e72654aa7cfc9d2f8400b7355ecd0c471 Copy to Clipboard
SSDeep 12288:+OSzSJpSkJFVxPlySItIuTrVbOTUs/yDGzQHYX/eeS9NE6bmInNqrXWSk13c31In:Q6pSGPT2FOTU3DjHeeeANEe9ArXk3cFQ Copy to Clipboard
ImpHash 99620e57ed01ce72a65e18fd03f25b2b Copy to Clipboard
PE Information
»
Image Base 0x400000
Entry Point 0x4026ac
Size Of Code 0x9ea00
Size Of Initialized Data 0xcf600
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2019-06-13 06:45:48+00:00
Sections (4)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x9e8c0 0x9ea00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.98
.rdata 0x4a0000 0x4250 0x4400 0x9ee00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.12
.data 0x4a5000 0xaec8c 0x1800 0xa3200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 2.9
.rsrc 0x554000 0x1b2b0 0x1b400 0xa4a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.69
Imports (3)
»
KERNEL32.dll (105)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_llseek 0x0 0x4a0008 0xa3824 0xa2624 0x539
GetDefaultCommConfigW 0x0 0x4a000c 0xa3828 0xa2628 0x1ca
BuildCommDCBAndTimeoutsA 0x0 0x4a0010 0xa382c 0xa262c 0x3b
HeapAlloc 0x0 0x4a0014 0xa3830 0xa2630 0x2cb
SetConsoleTextAttribute 0x0 0x4a0018 0xa3834 0xa2634 0x446
SetConsoleScreenBufferSize 0x0 0x4a001c 0xa3838 0xa2638 0x445
SetCommBreak 0x0 0x4a0020 0xa383c 0xa263c 0x422
GetTickCount 0x0 0x4a0024 0xa3840 0xa2640 0x293
GetWindowsDirectoryA 0x0 0x4a0028 0xa3844 0xa2644 0x2ae
OpenProcess 0x0 0x4a002c 0xa3848 0xa2648 0x380
WideCharToMultiByte 0x0 0x4a0030 0xa384c 0xa264c 0x511
Sleep 0x0 0x4a0034 0xa3850 0xa2650 0x4b2
SetSystemPowerState 0x0 0x4a0038 0xa3854 0xa2654 0x48a
GetAtomNameW 0x0 0x4a003c 0xa3858 0xa2658 0x16e
GetModuleFileNameW 0x0 0x4a0040 0xa385c 0xa265c 0x214
GetVolumePathNameA 0x0 0x4a0044 0xa3860 0xa2660 0x2aa
lstrlenW 0x0 0x4a0048 0xa3864 0xa2664 0x54e
DisconnectNamedPipe 0x0 0x4a004c 0xa3868 0xa2668 0xe1
EnumSystemLocalesA 0x0 0x4a0050 0xa386c 0xa266c 0x10d
FindFirstFileExA 0x0 0x4a0054 0xa3870 0xa2670 0x133
GetLastError 0x0 0x4a0058 0xa3874 0xa2674 0x202
GetConsoleAliasesLengthW 0x0 0x4a005c 0xa3878 0xa2678 0x198
EnumDateFormatsExA 0x0 0x4a0060 0xa387c 0xa267c 0xf5
EnumSystemCodePagesW 0x0 0x4a0064 0xa3880 0xa2680 0x108
SetFileApisToOEM 0x0 0x4a0068 0xa3884 0xa2684 0x45d
ProcessIdToSessionId 0x0 0x4a006c 0xa3888 0xa2688 0x399
GetProcessWorkingSetSize 0x0 0x4a0070 0xa388c 0xa268c 0x254
LocalAlloc 0x0 0x4a0074 0xa3890 0xa2690 0x344
IsSystemResumeAutomatic 0x0 0x4a0078 0xa3894 0xa2694 0x305
SetConsoleOutputCP 0x0 0x4a007c 0xa3898 0xa2698 0x442
GetCommMask 0x0 0x4a0080 0xa389c 0xa269c 0x181
FindAtomA 0x0 0x4a0084 0xa38a0 0xa26a0 0x12c
GetModuleHandleA 0x0 0x4a0088 0xa38a4 0xa26a4 0x215
VirtualProtect 0x0 0x4a008c 0xa38a8 0xa26a8 0x4ef
FatalAppExitA 0x0 0x4a0090 0xa38ac 0xa26ac 0x120
PeekConsoleInputA 0x0 0x4a0094 0xa38b0 0xa26b0 0x38b
SetCalendarInfoA 0x0 0x4a0098 0xa38b4 0xa26b4 0x41e
GetWindowsDirectoryW 0x0 0x4a009c 0xa38b8 0xa26b8 0x2af
GetVolumeNameForVolumeMountPointW 0x0 0x4a00a0 0xa38bc 0xa26bc 0x2a9
EnumResourceLanguagesW 0x0 0x4a00a4 0xa38c0 0xa26c0 0xfe
lstrcpyW 0x0 0x4a00a8 0xa38c4 0xa26c4 0x548
GetLongPathNameW 0x0 0x4a00ac 0xa38c8 0xa26c8 0x20f
SetVolumeLabelA 0x0 0x4a00b0 0xa38cc 0xa26cc 0x4a8
GetCommandLineA 0x0 0x4a00b4 0xa38d0 0xa26d0 0x186
HeapSetInformation 0x0 0x4a00b8 0xa38d4 0xa26d4 0x2d3
GetStartupInfoW 0x0 0x4a00bc 0xa38d8 0xa26d8 0x263
TerminateProcess 0x0 0x4a00c0 0xa38dc 0xa26dc 0x4c0
GetCurrentProcess 0x0 0x4a00c4 0xa38e0 0xa26e0 0x1c0
UnhandledExceptionFilter 0x0 0x4a00c8 0xa38e4 0xa26e4 0x4d3
SetUnhandledExceptionFilter 0x0 0x4a00cc 0xa38e8 0xa26e8 0x4a5
IsDebuggerPresent 0x0 0x4a00d0 0xa38ec 0xa26ec 0x300
EnterCriticalSection 0x0 0x4a00d4 0xa38f0 0xa26f0 0xee
LeaveCriticalSection 0x0 0x4a00d8 0xa38f4 0xa26f4 0x339
InitializeCriticalSectionAndSpinCount 0x0 0x4a00dc 0xa38f8 0xa26f8 0x2e3
EncodePointer 0x0 0x4a00e0 0xa38fc 0xa26fc 0xea
DecodePointer 0x0 0x4a00e4 0xa3900 0xa2700 0xca
RtlUnwind 0x0 0x4a00e8 0xa3904 0xa2704 0x418
IsProcessorFeaturePresent 0x0 0x4a00ec 0xa3908 0xa2708 0x304
SetFilePointer 0x0 0x4a00f0 0xa390c 0xa270c 0x466
HeapFree 0x0 0x4a00f4 0xa3910 0xa2710 0x2cf
CloseHandle 0x0 0x4a00f8 0xa3914 0xa2714 0x52
GetProcAddress 0x0 0x4a00fc 0xa3918 0xa2718 0x245
GetModuleHandleW 0x0 0x4a0100 0xa391c 0xa271c 0x218
ExitProcess 0x0 0x4a0104 0xa3920 0xa2720 0x119
WriteFile 0x0 0x4a0108 0xa3924 0xa2724 0x525
GetStdHandle 0x0 0x4a010c 0xa3928 0xa2728 0x264
GetModuleFileNameA 0x0 0x4a0110 0xa392c 0xa272c 0x213
FreeEnvironmentStringsW 0x0 0x4a0114 0xa3930 0xa2730 0x161
GetEnvironmentStringsW 0x0 0x4a0118 0xa3934 0xa2734 0x1da
SetHandleCount 0x0 0x4a011c 0xa3938 0xa2738 0x46f
GetFileType 0x0 0x4a0120 0xa393c 0xa273c 0x1f3
DeleteCriticalSection 0x0 0x4a0124 0xa3940 0xa2740 0xd1
TlsAlloc 0x0 0x4a0128 0xa3944 0xa2744 0x4c5
TlsGetValue 0x0 0x4a012c 0xa3948 0xa2748 0x4c7
TlsSetValue 0x0 0x4a0130 0xa394c 0xa274c 0x4c8
TlsFree 0x0 0x4a0134 0xa3950 0xa2750 0x4c6
InterlockedIncrement 0x0 0x4a0138 0xa3954 0xa2754 0x2ef
SetLastError 0x0 0x4a013c 0xa3958 0xa2758 0x473
GetCurrentThreadId 0x0 0x4a0140 0xa395c 0xa275c 0x1c5
InterlockedDecrement 0x0 0x4a0144 0xa3960 0xa2760 0x2eb
HeapCreate 0x0 0x4a0148 0xa3964 0xa2764 0x2cd
QueryPerformanceCounter 0x0 0x4a014c 0xa3968 0xa2768 0x3a7
GetCurrentProcessId 0x0 0x4a0150 0xa396c 0xa276c 0x1c1
GetSystemTimeAsFileTime 0x0 0x4a0154 0xa3970 0xa2770 0x279
CreateFileA 0x0 0x4a0158 0xa3974 0xa2774 0x88
RaiseException 0x0 0x4a015c 0xa3978 0xa2778 0x3b1
SetStdHandle 0x0 0x4a0160 0xa397c 0xa277c 0x487
GetConsoleCP 0x0 0x4a0164 0xa3980 0xa2780 0x19a
GetConsoleMode 0x0 0x4a0168 0xa3984 0xa2784 0x1ac
FlushFileBuffers 0x0 0x4a016c 0xa3988 0xa2788 0x157
LoadLibraryW 0x0 0x4a0170 0xa398c 0xa278c 0x33f
GetCPInfo 0x0 0x4a0174 0xa3990 0xa2790 0x172
GetACP 0x0 0x4a0178 0xa3994 0xa2794 0x168
GetOEMCP 0x0 0x4a017c 0xa3998 0xa2798 0x237
IsValidCodePage 0x0 0x4a0180 0xa399c 0xa279c 0x30a
HeapReAlloc 0x0 0x4a0184 0xa39a0 0xa27a0 0x2d2
SetEndOfFile 0x0 0x4a0188 0xa39a4 0xa27a4 0x453
GetProcessHeap 0x0 0x4a018c 0xa39a8 0xa27a8 0x24a
MultiByteToWideChar 0x0 0x4a0190 0xa39ac 0xa27ac 0x367
ReadFile 0x0 0x4a0194 0xa39b0 0xa27b0 0x3c0
WriteConsoleW 0x0 0x4a0198 0xa39b4 0xa27b4 0x524
HeapSize 0x0 0x4a019c 0xa39b8 0xa27b8 0x2d4
LCMapStringW 0x0 0x4a01a0 0xa39bc 0xa27bc 0x32d
GetStringTypeW 0x0 0x4a01a4 0xa39c0 0xa27c0 0x269
CreateFileW 0x0 0x4a01a8 0xa39c4 0xa27c4 0x8f
USER32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetCaretPos 0x0 0x4a01b0 0xa39cc 0xa27cc 0x10a
ADVAPI32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EnumServicesStatusA 0x0 0x4a0000 0xa381c 0xa261c 0xff
Exports (1)
»
Api name EAT Address Ordinal
@calcPrecision@4 0x1000 0x1
Icons (4)
»
Memory Dumps (44)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Relevant Image True 32-bit 0x00404721 True False
...
buffer 1 0x01D70000 0x01E00FFF First Execution False 32-bit 0x01D70020 False False
...
buffer 1 0x01E10000 0x01F29FFF First Execution False 32-bit 0x01E10000 False True
...
buffer 1 0x01E10000 0x01F29FFF Content Changed False 32-bit 0x01E104F6 False True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00424141 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00423F84 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0042C0F0 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0043B021 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0042D8D0 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00421881 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0042B420 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x004548D0 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0041CC50 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00419E70 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0040CF10 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0042B420 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Final Dump True 32-bit 0x0040D240 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00433F99 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00424081 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Content Changed True 32-bit 0x004CA6F7 True True
...
buffer 1 0x01E10000 0x01F29FFF Content Changed False 32-bit 0x01E10920 False True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 1 0x00400000 0x0056FFFF Process Termination True 32-bit - True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Relevant Image True 32-bit 0x00404721 True False
...
buffer 6 0x01C90000 0x01D20FFF First Execution False 32-bit 0x01C90020 False False
...
buffer 6 0x01D30000 0x01E49FFF First Execution False 32-bit 0x01D30000 False True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00424141 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00423F84 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0042C0F0 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0043B021 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00431F64 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00421881 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0042B420 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x004548D0 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0041CC50 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00419E70 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0040CF10 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0041B680 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00425007 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0042E003 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00447F50 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0041F01A True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x00410FC0 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0041C140 True True
...
cusersabdoappdatalocalde14c4d4-af10-40ba-b2e7-b7cd78dfba75fceb.tmp.exe 6 0x00400000 0x0056FFFF Content Changed True 32-bit 0x0041E353 True True
...
Local AV Matches (1)
»
Threat Name Severity
Trojan.GenericKD.33626843
Malicious
C:\Windows\System32\drivers\etc\hosts Modified File Text
Malicious
...
»
Mime Type text/plain
File Size 7.92 KB
MD5 360d265eddea8679c434a205f7ade7ad Copy to Clipboard
SHA1 e17d843f610e0283904e201195360525ae449a68 Copy to Clipboard
SHA256 5a1597c0d29dd475e33cd8889d7d848037a8c17bad0f3daa022fb889e0db7ead Copy to Clipboard
SSDeep 96:vDZEurK9q3WlSyU0FXmGZll0TOHyF9fAHLmttA/ZKTKdIlMHqzoCGbXx:RrK9FU0FXmGZll06m9fAH6AhKTK9Cax Copy to Clipboard
ImpHash -
File Reputation Information
»
Severity
Blacklisted
Names Mal/Generic-S
Local AV Matches (1)
»
Threat Name Severity
Gen:Trojan.Qhost.1
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\6c6aafd4-f7f7-4f0c-8b07-1dd41571cbc8\updatewin1.exe Downloaded File Binary
Malicious
...
»
Also Known As c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\updatewin1[1].exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 272.50 KB
MD5 5b4bd24d6240f467bfbc74803c9f15b0 Copy to Clipboard
SHA1 c17f98c182d299845c54069872e8137645768a1a Copy to Clipboard
SHA256 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e Copy to Clipboard
SSDeep 6144:7qZQGv0d4dW6efSyahstfKVkW5XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXk:2ZQGXdPe6qU6W5XXnXXfXXXWXXXXHXXE Copy to Clipboard
ImpHash 0bcca924efe6e6fa741675d8e687fbb3 Copy to Clipboard
File Reputation Information
»
Severity
Blacklisted
Names Mal/Generic-S
PE Information
»
Image Base 0x400000
Entry Point 0x402d76
Size Of Code 0x1c200
Size Of Initialized Data 0x2c200
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2017-07-24 12:23:54+00:00
Version Information (3)
»
FileVersion 7.7.7.18
InternalName rawudiyeh.exe
LegalCopyright Copyright (C) 2018, sacuwedimufoy
Sections (5)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1c07e 0x1c200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.62
.rdata 0x41e000 0x463e 0x4800 0x1c600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.26
.data 0x423000 0x1c6a8 0x17400 0x20e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.83
.rsrc 0x440000 0xa578 0xa600 0x38200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.88
.reloc 0x44b000 0x1968 0x1a00 0x42800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.34
Imports (4)
»
KERNEL32.dll (102)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ExitThread 0x0 0x41e028 0x21afc 0x200fc 0x105
GetStartupInfoW 0x0 0x41e02c 0x21b00 0x20100 0x23a
GetLastError 0x0 0x41e030 0x21b04 0x20104 0x1e6
GetProcAddress 0x0 0x41e034 0x21b08 0x20108 0x220
CreateJobSet 0x0 0x41e038 0x21b0c 0x2010c 0x87
GlobalFree 0x0 0x41e03c 0x21b10 0x20110 0x28c
LoadLibraryA 0x0 0x41e040 0x21b14 0x20114 0x2f1
OpenWaitableTimerW 0x0 0x41e044 0x21b18 0x20118 0x339
AddAtomA 0x0 0x41e048 0x21b1c 0x2011c 0x3
FindFirstChangeNotificationA 0x0 0x41e04c 0x21b20 0x20120 0x11b
VirtualProtect 0x0 0x41e050 0x21b24 0x20124 0x45a
GetCurrentDirectoryA 0x0 0x41e054 0x21b28 0x20128 0x1a7
GetACP 0x0 0x41e058 0x21b2c 0x2012c 0x152
InterlockedPushEntrySList 0x0 0x41e05c 0x21b30 0x20130 0x2c2
CompareStringW 0x0 0x41e060 0x21b34 0x20134 0x55
CompareStringA 0x0 0x41e064 0x21b38 0x20138 0x52
CreateFileA 0x0 0x41e068 0x21b3c 0x2013c 0x78
GetTimeZoneInformation 0x0 0x41e06c 0x21b40 0x20140 0x26b
WriteConsoleW 0x0 0x41e070 0x21b44 0x20144 0x48c
GetConsoleOutputCP 0x0 0x41e074 0x21b48 0x20148 0x199
WriteConsoleA 0x0 0x41e078 0x21b4c 0x2014c 0x482
CloseHandle 0x0 0x41e07c 0x21b50 0x20150 0x43
IsValidLocale 0x0 0x41e080 0x21b54 0x20154 0x2dd
EnumSystemLocalesA 0x0 0x41e084 0x21b58 0x20158 0xf8
GetUserDefaultLCID 0x0 0x41e088 0x21b5c 0x2015c 0x26d
GetSystemTimeAdjustment 0x0 0x41e08c 0x21b60 0x20160 0x24e
GetSystemTimes 0x0 0x41e090 0x21b64 0x20164 0x250
GetTickCount 0x0 0x41e094 0x21b68 0x20168 0x266
FreeEnvironmentStringsA 0x0 0x41e098 0x21b6c 0x2016c 0x14a
GetComputerNameW 0x0 0x41e09c 0x21b70 0x20170 0x178
FindCloseChangeNotification 0x0 0x41e0a0 0x21b74 0x20174 0x11a
FindResourceExW 0x0 0x41e0a4 0x21b78 0x20178 0x138
GetCPInfo 0x0 0x41e0a8 0x21b7c 0x2017c 0x15b
SetProcessShutdownParameters 0x0 0x41e0ac 0x21b80 0x20180 0x3f9
GetModuleHandleExA 0x0 0x41e0b0 0x21b84 0x20184 0x1f7
GetDateFormatA 0x0 0x41e0b4 0x21b88 0x20188 0x1ae
GetTimeFormatA 0x0 0x41e0b8 0x21b8c 0x2018c 0x268
GetStringTypeW 0x0 0x41e0bc 0x21b90 0x20190 0x240
GetStringTypeA 0x0 0x41e0c0 0x21b94 0x20194 0x23d
LCMapStringW 0x0 0x41e0c4 0x21b98 0x20198 0x2e3
GetCommandLineA 0x0 0x41e0c8 0x21b9c 0x2019c 0x16f
GetStartupInfoA 0x0 0x41e0cc 0x21ba0 0x201a0 0x239
RaiseException 0x0 0x41e0d0 0x21ba4 0x201a4 0x35a
RtlUnwind 0x0 0x41e0d4 0x21ba8 0x201a8 0x392
TerminateProcess 0x0 0x41e0d8 0x21bac 0x201ac 0x42d
GetCurrentProcess 0x0 0x41e0dc 0x21bb0 0x201b0 0x1a9
UnhandledExceptionFilter 0x0 0x41e0e0 0x21bb4 0x201b4 0x43e
SetUnhandledExceptionFilter 0x0 0x41e0e4 0x21bb8 0x201b8 0x415
IsDebuggerPresent 0x0 0x41e0e8 0x21bbc 0x201bc 0x2d1
HeapAlloc 0x0 0x41e0ec 0x21bc0 0x201c0 0x29d
HeapFree 0x0 0x41e0f0 0x21bc4 0x201c4 0x2a1
EnterCriticalSection 0x0 0x41e0f4 0x21bc8 0x201c8 0xd9
LeaveCriticalSection 0x0 0x41e0f8 0x21bcc 0x201cc 0x2ef
SetHandleCount 0x0 0x41e0fc 0x21bd0 0x201d0 0x3e8
GetStdHandle 0x0 0x41e100 0x21bd4 0x201d4 0x23b
GetFileType 0x0 0x41e104 0x21bd8 0x201d8 0x1d7
DeleteCriticalSection 0x0 0x41e108 0x21bdc 0x201dc 0xbe
GetModuleHandleW 0x0 0x41e10c 0x21be0 0x201e0 0x1f9
Sleep 0x0 0x41e110 0x21be4 0x201e4 0x421
ExitProcess 0x0 0x41e114 0x21be8 0x201e8 0x104
WriteFile 0x0 0x41e118 0x21bec 0x201ec 0x48d
GetModuleFileNameA 0x0 0x41e11c 0x21bf0 0x201f0 0x1f4
GetEnvironmentStrings 0x0 0x41e120 0x21bf4 0x201f4 0x1bf
FreeEnvironmentStringsW 0x0 0x41e124 0x21bf8 0x201f8 0x14b
WideCharToMultiByte 0x0 0x41e128 0x21bfc 0x201fc 0x47a
GetEnvironmentStringsW 0x0 0x41e12c 0x21c00 0x20200 0x1c1
TlsGetValue 0x0 0x41e130 0x21c04 0x20204 0x434
TlsAlloc 0x0 0x41e134 0x21c08 0x20208 0x432
TlsSetValue 0x0 0x41e138 0x21c0c 0x2020c 0x435
TlsFree 0x0 0x41e13c 0x21c10 0x20210 0x433
InterlockedIncrement 0x0 0x41e140 0x21c14 0x20214 0x2c0
SetLastError 0x0 0x41e144 0x21c18 0x20218 0x3ec
GetCurrentThreadId 0x0 0x41e148 0x21c1c 0x2021c 0x1ad
InterlockedDecrement 0x0 0x41e14c 0x21c20 0x20220 0x2bc
GetCurrentThread 0x0 0x41e150 0x21c24 0x20224 0x1ac
HeapCreate 0x0 0x41e154 0x21c28 0x20228 0x29f
HeapDestroy 0x0 0x41e158 0x21c2c 0x2022c 0x2a0
VirtualFree 0x0 0x41e15c 0x21c30 0x20230 0x457
QueryPerformanceCounter 0x0 0x41e160 0x21c34 0x20234 0x354
GetCurrentProcessId 0x0 0x41e164 0x21c38 0x20238 0x1aa
GetSystemTimeAsFileTime 0x0 0x41e168 0x21c3c 0x2023c 0x24f
FatalAppExitA 0x0 0x41e16c 0x21c40 0x20240 0x10b
VirtualAlloc 0x0 0x41e170 0x21c44 0x20244 0x454
HeapReAlloc 0x0 0x41e174 0x21c48 0x20248 0x2a4
MultiByteToWideChar 0x0 0x41e178 0x21c4c 0x2024c 0x31a
ReadFile 0x0 0x41e17c 0x21c50 0x20250 0x368
InitializeCriticalSectionAndSpinCount 0x0 0x41e180 0x21c54 0x20254 0x2b5
HeapSize 0x0 0x41e184 0x21c58 0x20258 0x2a6
SetConsoleCtrlHandler 0x0 0x41e188 0x21c5c 0x2025c 0x3a7
FreeLibrary 0x0 0x41e18c 0x21c60 0x20260 0x14c
InterlockedExchange 0x0 0x41e190 0x21c64 0x20264 0x2bd
GetOEMCP 0x0 0x41e194 0x21c68 0x20268 0x213
IsValidCodePage 0x0 0x41e198 0x21c6c 0x2026c 0x2db
GetConsoleCP 0x0 0x41e19c 0x21c70 0x20270 0x183
GetConsoleMode 0x0 0x41e1a0 0x21c74 0x20274 0x195
FlushFileBuffers 0x0 0x41e1a4 0x21c78 0x20278 0x141
SetFilePointer 0x0 0x41e1a8 0x21c7c 0x2027c 0x3df
SetStdHandle 0x0 0x41e1ac 0x21c80 0x20280 0x3fc
GetLocaleInfoW 0x0 0x41e1b0 0x21c84 0x20284 0x1ea
GetLocaleInfoA 0x0 0x41e1b4 0x21c88 0x20288 0x1e8
LCMapStringA 0x0 0x41e1b8 0x21c8c 0x2028c 0x2e1
SetEnvironmentVariableA 0x0 0x41e1bc 0x21c90 0x20290 0x3d0
USER32.dll (10)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CloseClipboard 0x0 0x41e1d8 0x21cac 0x202ac 0x47
BeginPaint 0x0 0x41e1dc 0x21cb0 0x202b0 0xe
CallMsgFilterW 0x0 0x41e1e0 0x21cb4 0x202b4 0x1a
PeekMessageA 0x0 0x41e1e4 0x21cb8 0x202b8 0x21b
MapVirtualKeyExW 0x0 0x41e1e8 0x21cbc 0x202bc 0x1f1
RegisterRawInputDevices 0x0 0x41e1ec 0x21cc0 0x202c0 0x242
GetClipboardSequenceNumber 0x0 0x41e1f0 0x21cc4 0x202c4 0x113
CountClipboardFormats 0x0 0x41e1f4 0x21cc8 0x202c8 0x50
GetDialogBaseUnits 0x0 0x41e1f8 0x21ccc 0x202cc 0x11d
GetClassLongW 0x0 0x41e1fc 0x21cd0 0x202d0 0x109
GDI32.dll (9)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PolyTextOutW 0x0 0x41e000 0x21ad4 0x200d4 0x23c
CreateCompatibleDC 0x0 0x41e004 0x21ad8 0x200d8 0x2e
Rectangle 0x0 0x41e008 0x21adc 0x200dc 0x246
SetStretchBltMode 0x0 0x41e00c 0x21ae0 0x200e0 0x289
SetPixelV 0x0 0x41e010 0x21ae4 0x200e4 0x284
GetClipBox 0x0 0x41e014 0x21ae8 0x200e8 0x1aa
CreateDiscardableBitmap 0x0 0x41e018 0x21aec 0x200ec 0x35
StrokeAndFillPath 0x0 0x41e01c 0x21af0 0x200f0 0x29c
GetBitmapBits 0x0 0x41e020 0x21af4 0x200f4 0x191
SHELL32.dll (4)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShellExecuteW 0x0 0x41e1c4 0x21c98 0x20298 0x118
ShellAboutW 0x0 0x41e1c8 0x21c9c 0x2029c 0x110
DuplicateIcon 0x0 0x41e1cc 0x21ca0 0x202a0 0x23
DragQueryFileA 0x0 0x41e1d0 0x21ca4 0x202a4 0x1e
Icons (1)
»
Local AV Matches (1)
»
Threat Name Severity
Trojan.GenericKD.31534187
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\6c6aafd4-f7f7-4f0c-8b07-1dd41571cbc8\updatewin2.exe Downloaded File Binary
Malicious
...
»
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\6c6aafd4-f7f7-4f0c-8b07-1dd41571cbc8\updatewin2.exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 274.50 KB
MD5 996ba35165bb62473d2a6743a5200d45 Copy to Clipboard
SHA1 52169b0b5cce95c6905873b8d12a759c234bd2e0 Copy to Clipboard
SHA256 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d Copy to Clipboard
SSDeep 6144:vLgbC0mVQlY+3aKn7n4CTHcXXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXXP:vGCtQlb3aKzvT8XXnXXfXXXWXXXXHXXf Copy to Clipboard
ImpHash 5921adaaf66f8c259aeda9e22686cd4b Copy to Clipboard
File Reputation Information
»
Severity
Blacklisted
PE Information
»
Image Base 0x400000
Entry Point 0x402d64
Size Of Code 0x1c200
Size Of Initialized Data 0x2c800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2017-11-21 06:08:45+00:00
Version Information (3)
»
FileVersion 5.3.7.82
InternalName gigifaw.exe
LegalCopyright Copyright (C) 2018, guvaxiz
Sections (5)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x1c03e 0x1c200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.62
.rdata 0x41e000 0x45ec 0x4600 0x1c600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.34
.data 0x423000 0x1cde8 0x17c00 0x20c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.8
.rsrc 0x440000 0xa724 0xa800 0x38800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.88
.reloc 0x44b000 0x195c 0x1a00 0x43000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.33
Imports (4)
»
KERNEL32.dll (98)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ExitThread 0x0 0x41e024 0x21ae8 0x200e8 0x105
GetStartupInfoW 0x0 0x41e028 0x21aec 0x200ec 0x23a
GetLastError 0x0 0x41e02c 0x21af0 0x200f0 0x1e6
GetProcAddress 0x0 0x41e030 0x21af4 0x200f4 0x220
GlobalFree 0x0 0x41e034 0x21af8 0x200f8 0x28c
LoadLibraryA 0x0 0x41e038 0x21afc 0x200fc 0x2f1
AddAtomA 0x0 0x41e03c 0x21b00 0x20100 0x3
FindFirstChangeNotificationA 0x0 0x41e040 0x21b04 0x20104 0x11b
VirtualProtect 0x0 0x41e044 0x21b08 0x20108 0x45a
GetCurrentDirectoryA 0x0 0x41e048 0x21b0c 0x2010c 0x1a7
SetProcessShutdownParameters 0x0 0x41e04c 0x21b10 0x20110 0x3f9
GetACP 0x0 0x41e050 0x21b14 0x20114 0x152
CompareStringA 0x0 0x41e054 0x21b18 0x20118 0x52
CreateFileA 0x0 0x41e058 0x21b1c 0x2011c 0x78
GetTimeZoneInformation 0x0 0x41e05c 0x21b20 0x20120 0x26b
WriteConsoleW 0x0 0x41e060 0x21b24 0x20124 0x48c
GetConsoleOutputCP 0x0 0x41e064 0x21b28 0x20128 0x199
WriteConsoleA 0x0 0x41e068 0x21b2c 0x2012c 0x482
CloseHandle 0x0 0x41e06c 0x21b30 0x20130 0x43
IsValidLocale 0x0 0x41e070 0x21b34 0x20134 0x2dd
EnumSystemLocalesA 0x0 0x41e074 0x21b38 0x20138 0xf8
GetUserDefaultLCID 0x0 0x41e078 0x21b3c 0x2013c 0x26d
GetDateFormatA 0x0 0x41e07c 0x21b40 0x20140 0x1ae
GetTimeFormatA 0x0 0x41e080 0x21b44 0x20144 0x268
InitAtomTable 0x0 0x41e084 0x21b48 0x20148 0x2ae
GetSystemTimes 0x0 0x41e088 0x21b4c 0x2014c 0x250
GetTickCount 0x0 0x41e08c 0x21b50 0x20150 0x266
FreeEnvironmentStringsA 0x0 0x41e090 0x21b54 0x20154 0x14a
GetComputerNameW 0x0 0x41e094 0x21b58 0x20158 0x178
FindCloseChangeNotification 0x0 0x41e098 0x21b5c 0x2015c 0x11a
FindResourceExW 0x0 0x41e09c 0x21b60 0x20160 0x138
CompareStringW 0x0 0x41e0a0 0x21b64 0x20164 0x55
GetCPInfo 0x0 0x41e0a4 0x21b68 0x20168 0x15b
GetStringTypeW 0x0 0x41e0a8 0x21b6c 0x2016c 0x240
GetStringTypeA 0x0 0x41e0ac 0x21b70 0x20170 0x23d
LCMapStringW 0x0 0x41e0b0 0x21b74 0x20174 0x2e3
LCMapStringA 0x0 0x41e0b4 0x21b78 0x20178 0x2e1
GetLocaleInfoA 0x0 0x41e0b8 0x21b7c 0x2017c 0x1e8
GetCommandLineA 0x0 0x41e0bc 0x21b80 0x20180 0x16f
GetStartupInfoA 0x0 0x41e0c0 0x21b84 0x20184 0x239
RaiseException 0x0 0x41e0c4 0x21b88 0x20188 0x35a
RtlUnwind 0x0 0x41e0c8 0x21b8c 0x2018c 0x392
TerminateProcess 0x0 0x41e0cc 0x21b90 0x20190 0x42d
GetCurrentProcess 0x0 0x41e0d0 0x21b94 0x20194 0x1a9
UnhandledExceptionFilter 0x0 0x41e0d4 0x21b98 0x20198 0x43e
SetUnhandledExceptionFilter 0x0 0x41e0d8 0x21b9c 0x2019c 0x415
IsDebuggerPresent 0x0 0x41e0dc 0x21ba0 0x201a0 0x2d1
HeapAlloc 0x0 0x41e0e0 0x21ba4 0x201a4 0x29d
HeapFree 0x0 0x41e0e4 0x21ba8 0x201a8 0x2a1
EnterCriticalSection 0x0 0x41e0e8 0x21bac 0x201ac 0xd9
LeaveCriticalSection 0x0 0x41e0ec 0x21bb0 0x201b0 0x2ef
SetHandleCount 0x0 0x41e0f0 0x21bb4 0x201b4 0x3e8
GetStdHandle 0x0 0x41e0f4 0x21bb8 0x201b8 0x23b
GetFileType 0x0 0x41e0f8 0x21bbc 0x201bc 0x1d7
DeleteCriticalSection 0x0 0x41e0fc 0x21bc0 0x201c0 0xbe
GetModuleHandleW 0x0 0x41e100 0x21bc4 0x201c4 0x1f9
Sleep 0x0 0x41e104 0x21bc8 0x201c8 0x421
ExitProcess 0x0 0x41e108 0x21bcc 0x201cc 0x104
WriteFile 0x0 0x41e10c 0x21bd0 0x201d0 0x48d
GetModuleFileNameA 0x0 0x41e110 0x21bd4 0x201d4 0x1f4
GetEnvironmentStrings 0x0 0x41e114 0x21bd8 0x201d8 0x1bf
FreeEnvironmentStringsW 0x0 0x41e118 0x21bdc 0x201dc 0x14b
WideCharToMultiByte 0x0 0x41e11c 0x21be0 0x201e0 0x47a
GetEnvironmentStringsW 0x0 0x41e120 0x21be4 0x201e4 0x1c1
TlsGetValue 0x0 0x41e124 0x21be8 0x201e8 0x434
TlsAlloc 0x0 0x41e128 0x21bec 0x201ec 0x432
TlsSetValue 0x0 0x41e12c 0x21bf0 0x201f0 0x435
TlsFree 0x0 0x41e130 0x21bf4 0x201f4 0x433
InterlockedIncrement 0x0 0x41e134 0x21bf8 0x201f8 0x2c0
SetLastError 0x0 0x41e138 0x21bfc 0x201fc 0x3ec
GetCurrentThreadId 0x0 0x41e13c 0x21c00 0x20200 0x1ad
InterlockedDecrement 0x0 0x41e140 0x21c04 0x20204 0x2bc
GetCurrentThread 0x0 0x41e144 0x21c08 0x20208 0x1ac
HeapCreate 0x0 0x41e148 0x21c0c 0x2020c 0x29f
HeapDestroy 0x0 0x41e14c 0x21c10 0x20210 0x2a0
VirtualFree 0x0 0x41e150 0x21c14 0x20214 0x457
QueryPerformanceCounter 0x0 0x41e154 0x21c18 0x20218 0x354
GetCurrentProcessId 0x0 0x41e158 0x21c1c 0x2021c 0x1aa
GetSystemTimeAsFileTime 0x0 0x41e15c 0x21c20 0x20220 0x24f
FatalAppExitA 0x0 0x41e160 0x21c24 0x20224 0x10b
VirtualAlloc 0x0 0x41e164 0x21c28 0x20228 0x454
HeapReAlloc 0x0 0x41e168 0x21c2c 0x2022c 0x2a4
MultiByteToWideChar 0x0 0x41e16c 0x21c30 0x20230 0x31a
ReadFile 0x0 0x41e170 0x21c34 0x20234 0x368
InitializeCriticalSectionAndSpinCount 0x0 0x41e174 0x21c38 0x20238 0x2b5
HeapSize 0x0 0x41e178 0x21c3c 0x2023c 0x2a6
SetConsoleCtrlHandler 0x0 0x41e17c 0x21c40 0x20240 0x3a7
FreeLibrary 0x0 0x41e180 0x21c44 0x20244 0x14c
InterlockedExchange 0x0 0x41e184 0x21c48 0x20248 0x2bd
GetOEMCP 0x0 0x41e188 0x21c4c 0x2024c 0x213
IsValidCodePage 0x0 0x41e18c 0x21c50 0x20250 0x2db
GetConsoleCP 0x0 0x41e190 0x21c54 0x20254 0x183
GetConsoleMode 0x0 0x41e194 0x21c58 0x20258 0x195
FlushFileBuffers 0x0 0x41e198 0x21c5c 0x2025c 0x141
SetFilePointer 0x0 0x41e19c 0x21c60 0x20260 0x3df
SetStdHandle 0x0 0x41e1a0 0x21c64 0x20264 0x3fc
GetLocaleInfoW 0x0 0x41e1a4 0x21c68 0x20268 0x1ea
SetEnvironmentVariableA 0x0 0x41e1a8 0x21c6c 0x2026c 0x3d0
USER32.dll (12)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CloseClipboard 0x0 0x41e1c4 0x21c88 0x20288 0x47
GetSubMenu 0x0 0x41e1c8 0x21c8c 0x2028c 0x16b
LoadBitmapA 0x0 0x41e1cc 0x21c90 0x20290 0x1d0
BeginPaint 0x0 0x41e1d0 0x21c94 0x20294 0xe
CallMsgFilterW 0x0 0x41e1d4 0x21c98 0x20298 0x1a
PeekMessageA 0x0 0x41e1d8 0x21c9c 0x2029c 0x21b
MapVirtualKeyExW 0x0 0x41e1dc 0x21ca0 0x202a0 0x1f1
RegisterRawInputDevices 0x0 0x41e1e0 0x21ca4 0x202a4 0x242
SetWindowsHookExW 0x0 0x41e1e4 0x21ca8 0x202a8 0x2b0
GetClipboardSequenceNumber 0x0 0x41e1e8 0x21cac 0x202ac 0x113
GetDialogBaseUnits 0x0 0x41e1ec 0x21cb0 0x202b0 0x11d
MessageBoxIndirectA 0x0 0x41e1f0 0x21cb4 0x202b4 0x1fb
GDI32.dll (8)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateCompatibleDC 0x0 0x41e000 0x21ac4 0x200c4 0x2e
PlayEnhMetaFile 0x0 0x41e004 0x21ac8 0x200c8 0x230
ScaleViewportExtEx 0x0 0x41e008 0x21acc 0x200cc 0x258
SetStretchBltMode 0x0 0x41e00c 0x21ad0 0x200d0 0x289
SetPixelV 0x0 0x41e010 0x21ad4 0x200d4 0x284
CreateDiscardableBitmap 0x0 0x41e014 0x21ad8 0x200d8 0x35
AddFontResourceW 0x0 0x41e018 0x21adc 0x200dc 0x7
SetDeviceGammaRamp 0x0 0x41e01c 0x21ae0 0x200e0 0x271
SHELL32.dll (4)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ExtractAssociatedIconA 0x0 0x41e1b0 0x21c74 0x20274 0x24
ShellExecuteW 0x0 0x41e1b4 0x21c78 0x20278 0x118
ShellAboutW 0x0 0x41e1b8 0x21c7c 0x2027c 0x110
DragQueryFileA 0x0 0x41e1bc 0x21c80 0x20280 0x1e
Icons (1)
»
Local AV Matches (1)
»
Threat Name Severity
Trojan.AgentWDCR.SVC
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\6c6aafd4-f7f7-4f0c-8b07-1dd41571cbc8\5.exe Downloaded File Binary
Malicious
...
»
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\6c6aafd4-f7f7-4f0c-8b07-1dd41571cbc8\5.exe (Downloaded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 434.50 KB
MD5 bd63937c9ca3c907d6e100e7107f1f66 Copy to Clipboard
SHA1 4bcb94650158006f88e99560698a64f8b99e171d Copy to Clipboard
SHA256 92a8aa2f94b814cb84731e3b948914fbdcbd40b38c0ea615a7b51820892452dd Copy to Clipboard
SSDeep 6144:F4HGZVbZQ0ckUCtFWBqFWzLfBXm+411d1SkgnJjyEhB+BfcEQWofOOMLpi6:qyVxUCrW0FWJap1u4sYkcFi Copy to Clipboard
ImpHash 36c83c23bc96c8bbc62702d703c95343 Copy to Clipboard
File Reputation Information
»
Severity
Blacklisted
PE Information
»
Image Base 0x400000
Entry Point 0x40233c
Size Of Code 0x5fe00
Size Of Initialized Data 0xb9800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2019-10-09 04:50:19+00:00
Sections (4)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x5fc60 0x5fe00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.97
.rdata 0x461000 0x3e3c 0x4000 0x60200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.18
.data 0x465000 0xad8c4 0x1400 0x64200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.26
.rsrc 0x513000 0x7380 0x7400 0x65600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.42
Imports (2)
»
KERNEL32.dll (86)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetConsoleAliasesLengthW 0x0 0x461000 0x645b8 0x637b8 0x198
GetDefaultCommConfigW 0x0 0x461004 0x645bc 0x637bc 0x1ca
GetProcessIoCounters 0x0 0x461008 0x645c0 0x637c0 0x24e
BuildCommDCBAndTimeoutsA 0x0 0x46100c 0x645c4 0x637c4 0x3b
HeapAlloc 0x0 0x461010 0x645c8 0x637c8 0x2cb
ClearCommError 0x0 0x461014 0x645cc 0x637cc 0x50
FlushConsoleInputBuffer 0x0 0x461018 0x645d0 0x637d0 0x156
GetTickCount 0x0 0x46101c 0x645d4 0x637d4 0x293
GetCommConfig 0x0 0x461020 0x645d8 0x637d8 0x180
EscapeCommFunction 0x0 0x461024 0x645dc 0x637dc 0x118
GetVolumePathNameW 0x0 0x461028 0x645e0 0x637e0 0x2ab
GetProcessHandleCount 0x0 0x46102c 0x645e4 0x637e4 0x249
EnumSystemCodePagesA 0x0 0x461030 0x645e8 0x637e8 0x107
GetModuleFileNameW 0x0 0x461034 0x645ec 0x637ec 0x214
CompareStringW 0x0 0x461038 0x645f0 0x637f0 0x64
MultiByteToWideChar 0x0 0x46103c 0x645f4 0x637f4 0x367
lstrlenW 0x0 0x461040 0x645f8 0x637f8 0x54e
DisconnectNamedPipe 0x0 0x461044 0x645fc 0x637fc 0xe1
FindFirstFileExA 0x0 0x461048 0x64600 0x63800 0x133
GetLastError 0x0 0x46104c 0x64604 0x63804 0x202
GetLongPathNameA 0x0 0x461050 0x64608 0x63808 0x20c
EnumDateFormatsExA 0x0 0x461054 0x6460c 0x6380c 0xf5
SetVolumeLabelW 0x0 0x461058 0x64610 0x63810 0x4a9
SetFileApisToOEM 0x0 0x46105c 0x64614 0x63814 0x45d
GetAtomNameA 0x0 0x461060 0x64618 0x63818 0x16d
LocalAlloc 0x0 0x461064 0x6461c 0x6381c 0x344
SetConsoleCtrlHandler 0x0 0x461068 0x64620 0x63820 0x42d
SetProcessWorkingSetSize 0x0 0x46106c 0x64624 0x63824 0x484
WTSGetActiveConsoleSessionId 0x0 0x461070 0x64628 0x63828 0x4f4
GetModuleHandleA 0x0 0x461074 0x6462c 0x6382c 0x215
VirtualProtect 0x0 0x461078 0x64630 0x63830 0x4ef
SetCalendarInfoA 0x0 0x46107c 0x64634 0x63834 0x41e
GetWindowsDirectoryW 0x0 0x461080 0x64638 0x63838 0x2af
GetVolumeNameForVolumeMountPointW 0x0 0x461084 0x6463c 0x6383c 0x2a9
lstrcpyA 0x0 0x461088 0x64640 0x63840 0x547
GetCommandLineA 0x0 0x46108c 0x64644 0x63844 0x186
HeapSetInformation 0x0 0x461090 0x64648 0x63848 0x2d3
GetStartupInfoW 0x0 0x461094 0x6464c 0x6384c 0x263
TerminateProcess 0x0 0x461098 0x64650 0x63850 0x4c0
GetCurrentProcess 0x0 0x46109c 0x64654 0x63854 0x1c0
UnhandledExceptionFilter 0x0 0x4610a0 0x64658 0x63858 0x4d3
SetUnhandledExceptionFilter 0x0 0x4610a4 0x6465c 0x6385c 0x4a5
IsDebuggerPresent 0x0 0x4610a8 0x64660 0x63860 0x300
EncodePointer 0x0 0x4610ac 0x64664 0x63864 0xea
DecodePointer 0x0 0x4610b0 0x64668 0x63868 0xca
IsProcessorFeaturePresent 0x0 0x4610b4 0x6466c 0x6386c 0x304
GetProcAddress 0x0 0x4610b8 0x64670 0x63870 0x245
GetModuleHandleW 0x0 0x4610bc 0x64674 0x63874 0x218
ExitProcess 0x0 0x4610c0 0x64678 0x63878 0x119
WriteFile 0x0 0x4610c4 0x6467c 0x6387c 0x525
GetStdHandle 0x0 0x4610c8 0x64680 0x63880 0x264
GetModuleFileNameA 0x0 0x4610cc 0x64684 0x63884 0x213
FreeEnvironmentStringsW 0x0 0x4610d0 0x64688 0x63888 0x161
WideCharToMultiByte 0x0 0x4610d4 0x6468c 0x6388c 0x511
GetEnvironmentStringsW 0x0 0x4610d8 0x64690 0x63890 0x1da
SetHandleCount 0x0 0x4610dc 0x64694 0x63894 0x46f
InitializeCriticalSectionAndSpinCount 0x0 0x4610e0 0x64698 0x63898 0x2e3
GetFileType 0x0 0x4610e4 0x6469c 0x6389c 0x1f3
DeleteCriticalSection 0x0 0x4610e8 0x646a0 0x638a0 0xd1
TlsAlloc 0x0 0x4610ec 0x646a4 0x638a4 0x4c5
TlsGetValue 0x0 0x4610f0 0x646a8 0x638a8 0x4c7
TlsSetValue 0x0 0x4610f4 0x646ac 0x638ac 0x4c8
TlsFree 0x0 0x4610f8 0x646b0 0x638b0 0x4c6
InterlockedIncrement 0x0 0x4610fc 0x646b4 0x638b4 0x2ef
SetLastError 0x0 0x461100 0x646b8 0x638b8 0x473
GetCurrentThreadId 0x0 0x461104 0x646bc 0x638bc 0x1c5
InterlockedDecrement 0x0 0x461108 0x646c0 0x638c0 0x2eb
HeapCreate 0x0 0x46110c 0x646c4 0x638c4 0x2cd
QueryPerformanceCounter 0x0 0x461110 0x646c8 0x638c8 0x3a7
GetCurrentProcessId 0x0 0x461114 0x646cc 0x638cc 0x1c1
GetSystemTimeAsFileTime 0x0 0x461118 0x646d0 0x638d0 0x279
RaiseException 0x0 0x46111c 0x646d4 0x638d4 0x3b1
LeaveCriticalSection 0x0 0x461120 0x646d8 0x638d8 0x339
EnterCriticalSection 0x0 0x461124 0x646dc 0x638dc 0xee
LoadLibraryW 0x0 0x461128 0x646e0 0x638e0 0x33f
GetCPInfo 0x0 0x46112c 0x646e4 0x638e4 0x172
GetACP 0x0 0x461130 0x646e8 0x638e8 0x168
GetOEMCP 0x0 0x461134 0x646ec 0x638ec 0x237
IsValidCodePage 0x0 0x461138 0x646f0 0x638f0 0x30a
HeapFree 0x0 0x46113c 0x646f4 0x638f4 0x2cf
Sleep 0x0 0x461140 0x646f8 0x638f8 0x4b2
RtlUnwind 0x0 0x461144 0x646fc 0x638fc 0x418
HeapSize 0x0 0x461148 0x64700 0x63900 0x2d4
LCMapStringW 0x0 0x46114c 0x64704 0x63904 0x32d
GetStringTypeW 0x0 0x461150 0x64708 0x63908 0x269
HeapReAlloc 0x0 0x461154 0x6470c 0x6390c 0x2d2
USER32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetCursorInfo 0x0 0x46115c 0x64714 0x63914 0x11f
Exports (1)
»
Api name EAT Address Ordinal
@calcPrecision@4 0x1000 0x1
Icons (1)
»
Local AV Matches (1)
»
Threat Name Severity
Trojan.GenericKD.33618877
Malicious
C:\SystemID\PersonalID.txt Dropped File Stream
Whitelisted
...
»
Mime Type application/octet-stream
File Size 42 Bytes
MD5 c183857770364b05c2011bdebb914ed3 Copy to Clipboard
SHA1 040e5ac904de86328cca053a15596e118fc5da24 Copy to Clipboard
SHA256 094c4931fdb2f2af417c9e0322a9716006e8211fe9017f671ac6e3251300acca Copy to Clipboard
SSDeep 3:: Copy to Clipboard
ImpHash -
File Reputation Information
»
Severity
Whitelisted
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\geo[1].json Dropped File Text
Unknown
...
»
Mime Type text/plain
File Size 464 Bytes
MD5 b47f5fac6776c219c3efa2db13402fc0 Copy to Clipboard
SHA1 0683e3aca261efc276359fc2ffad24348a51d360 Copy to Clipboard
SHA256 09b30a7fb64bdcdc1b12f39f32f7486de6716331939396885098077d438a070e Copy to Clipboard
SSDeep 12:Y06jmdVQVCRbwXhCdEVQVPB8yPt0fRbIRAJdxFQVyrhmXoB2SH4:Y4QVCRbwxCCQVvV0fRbI2JdxFQVyNmw6 Copy to Clipboard
ImpHash -
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 Dropped File Text
Unknown
...
»
Mime Type text/x-powershell
File Size 49 Bytes
MD5 f972c62f986b5ed49ad7713d93bf6c9f Copy to Clipboard
SHA1 4e157002bdb97e9526ab97bfafbf7c67e1d1efbf Copy to Clipboard
SHA256 b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8 Copy to Clipboard
SSDeep 3:uIHeGAFcX5wTnl:/eGgHTl Copy to Clipboard
ImpHash -
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\bowsakkdestx.txt Downloaded File Text
Unknown
...
»
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\bowsakkdestx.txt (Downloaded File)
Mime Type text/plain
File Size 560 Bytes
MD5 157d95011a4ee17bc03363c225dea722 Copy to Clipboard
SHA1 b3501a46302831f3fb4f4217f023a34aaae8e9fd Copy to Clipboard
SHA256 4df818945a818ecc360a627cb4eb55bad33f2553f9de5018887cb75ee7f12ad7 Copy to Clipboard
SSDeep 12:YGJ68AW8KO5+Pdxa8uzKYQmkMvOpv2V5BDbMU:YgJAWhdwCuVvbMU Copy to Clipboard
ImpHash -
VMRay - Analyzer - www.vmray.com
Legal Note
Exit-Icon
WHOIS Domain Information
Domain Name
WHOIS Response 

       		
      

     

    

   

  

  

  

  

   

    
    

     Function Logfile
    

    

     

      Download-Icon
     

    

    

     Exit-Icon
    

   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image