d150a4ba...17a2 | Files
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Spyware
Dropper
Threat Names:
DeepScan:Generic.Ransom.Amnesia.74779263
Trojan.GenericKD.40753240
DeepScan:Generic.Ransom.Amnesia.371EF7D9
...

ramqlu.exe

Windows Exe (x86-32)

Created at 2020-04-19T12:27:00

...

Remarks (1/1)

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Filters:
Filename Category Type Severity Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ramqlu.exe Sample File Binary
Malicious
...
»
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\osk.exe (Dropped File)
Mime Type application/vnd.microsoft.portable-executable
File Size 231.50 KB
MD5 f7f642888f9476ff3488e52dda012637 Copy to Clipboard
SHA1 b5bb9049398afd7aa9ea5cc58900c75d9e816bac Copy to Clipboard
SHA256 d150a4ba9d3b7c6b6978c3059b56d3034400da16164ccf1ea2dd88351b7017a2 Copy to Clipboard
SSDeep 3072:Cuaw/oz5dI4+T1Bnj9VaYqWdi+89WrjnaUksdKmi0BE7bA6RN52kyWOKoMbPF:CuajzI4y+WdwIj1dKjX7brDdd Copy to Clipboard
ImpHash 41ab3b57095526e2ac45d205061100f9 Copy to Clipboard
Parser Error Remark Static engine was unable to completely parse the analyzed file
File Reputation Information
»
Severity
Blacklisted
Names Mal/Generic-S
PE Information
»
Image Base 0x400000
Entry Point 0x437298
Size Of Code 0x35600
Size Of Initialized Data 0x4400
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-04-14 19:55:26+00:00
Packer BobSoft Mini Delphi -> BoB / BobSoft
Sections (8)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x350dc 0x35200 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.05
.itext 0x437000 0x2b4 0x400 0x35600 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.7
.data 0x438000 0x2cc8 0x2e00 0x35a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.75
.bss 0x43b000 0x62d8 0x0 0x38800 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.idata 0x442000 0x115c 0x1200 0x38800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.9
.tls 0x444000 0x8 0x0 0x39a00 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rdata 0x445000 0x18 0x200 0x39a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.21
.rsrc 0x446000 0x0 0x200 0x39c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.0
Imports (15)
»
oleaut32.dll (3)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysFreeString 0x0 0x4423d8 0x42140 0x38940 0x0
SysReAllocStringLen 0x0 0x4423dc 0x42144 0x38944 0x0
SysAllocStringLen 0x0 0x4423e0 0x42148 0x38948 0x0
advapi32.dll (3)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegQueryValueExA 0x0 0x4423e8 0x42150 0x38950 0x0
RegOpenKeyExA 0x0 0x4423ec 0x42154 0x38954 0x0
RegCloseKey 0x0 0x4423f0 0x42158 0x38958 0x0
user32.dll (5)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetKeyboardType 0x0 0x4423f8 0x42160 0x38960 0x0
DestroyWindow 0x0 0x4423fc 0x42164 0x38964 0x0
LoadStringA 0x0 0x442400 0x42168 0x38968 0x0
MessageBoxA 0x0 0x442404 0x4216c 0x3896c 0x0
CharNextA 0x0 0x442408 0x42170 0x38970 0x0
kernel32.dll (30)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetACP 0x0 0x442410 0x42178 0x38978 0x0
Sleep 0x0 0x442414 0x4217c 0x3897c 0x0
VirtualFree 0x0 0x442418 0x42180 0x38980 0x0
VirtualAlloc 0x0 0x44241c 0x42184 0x38984 0x0
GetTickCount 0x0 0x442420 0x42188 0x38988 0x0
QueryPerformanceCounter 0x0 0x442424 0x4218c 0x3898c 0x0
GetCurrentThreadId 0x0 0x442428 0x42190 0x38990 0x0
VirtualQuery 0x0 0x44242c 0x42194 0x38994 0x0
WideCharToMultiByte 0x0 0x442430 0x42198 0x38998 0x0
MultiByteToWideChar 0x0 0x442434 0x4219c 0x3899c 0x0
lstrlenA 0x0 0x442438 0x421a0 0x389a0 0x0
lstrcpynA 0x0 0x44243c 0x421a4 0x389a4 0x0
LoadLibraryExA 0x0 0x442440 0x421a8 0x389a8 0x0
GetThreadLocale 0x0 0x442444 0x421ac 0x389ac 0x0
GetStartupInfoA 0x0 0x442448 0x421b0 0x389b0 0x0
GetProcAddress 0x0 0x44244c 0x421b4 0x389b4 0x0
GetModuleHandleA 0x0 0x442450 0x421b8 0x389b8 0x0
GetModuleFileNameA 0x0 0x442454 0x421bc 0x389bc 0x0
GetLocaleInfoA 0x0 0x442458 0x421c0 0x389c0 0x0
GetCommandLineA 0x0 0x44245c 0x421c4 0x389c4 0x0
FreeLibrary 0x0 0x442460 0x421c8 0x389c8 0x0
FindFirstFileA 0x0 0x442464 0x421cc 0x389cc 0x0
FindClose 0x0 0x442468 0x421d0 0x389d0 0x0
ExitProcess 0x0 0x44246c 0x421d4 0x389d4 0x0
CreateThread 0x0 0x442470 0x421d8 0x389d8 0x0
WriteFile 0x0 0x442474 0x421dc 0x389dc 0x0
UnhandledExceptionFilter 0x0 0x442478 0x421e0 0x389e0 0x0
RtlUnwind 0x0 0x44247c 0x421e4 0x389e4 0x0
RaiseException 0x0 0x442480 0x421e8 0x389e8 0x0
GetStdHandle 0x0 0x442484 0x421ec 0x389ec 0x0
kernel32.dll (4)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
TlsSetValue 0x0 0x44248c 0x421f4 0x389f4 0x0
TlsGetValue 0x0 0x442490 0x421f8 0x389f8 0x0
LocalAlloc 0x0 0x442494 0x421fc 0x389fc 0x0
GetModuleHandleA 0x0 0x442498 0x42200 0x38a00 0x0
user32.dll (14)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
TranslateMessage 0x0 0x4424a0 0x42208 0x38a08 0x0
SystemParametersInfoW 0x0 0x4424a4 0x4220c 0x38a0c 0x0
PeekMessageA 0x0 0x4424a8 0x42210 0x38a10 0x0
MessageBoxA 0x0 0x4424ac 0x42214 0x38a14 0x0
LoadStringA 0x0 0x4424b0 0x42218 0x38a18 0x0
GetSystemMetrics 0x0 0x4424b4 0x4221c 0x38a1c 0x0
GetLastInputInfo 0x0 0x4424b8 0x42220 0x38a20 0x0
DispatchMessageA 0x0 0x4424bc 0x42224 0x38a24 0x0
CharNextW 0x0 0x4424c0 0x42228 0x38a28 0x0
CharLowerBuffW 0x0 0x4424c4 0x4222c 0x38a2c 0x0
CharNextA 0x0 0x4424c8 0x42230 0x38a30 0x0
CharLowerBuffA 0x0 0x4424cc 0x42234 0x38a34 0x0
CharUpperBuffA 0x0 0x4424d0 0x42238 0x38a38 0x0
CharToOemA 0x0 0x4424d4 0x4223c 0x38a3c 0x0
mpr.dll (3)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WNetOpenEnumA 0x0 0x4424dc 0x42244 0x38a44 0x0
WNetEnumResourceA 0x0 0x4424e0 0x42248 0x38a48 0x0
WNetCloseEnum 0x0 0x4424e4 0x4224c 0x38a4c 0x0
kernel32.dll (63)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WriteFile 0x0 0x4424ec 0x42254 0x38a54 0x0
WinExec 0x0 0x4424f0 0x42258 0x38a58 0x0
WaitForSingleObject 0x0 0x4424f4 0x4225c 0x38a5c 0x0
VirtualQuery 0x0 0x4424f8 0x42260 0x38a60 0x0
TerminateProcess 0x0 0x4424fc 0x42264 0x38a64 0x0
SizeofResource 0x0 0x442500 0x42268 0x38a68 0x0
SetFileTime 0x0 0x442504 0x4226c 0x38a6c 0x0
SetFilePointer 0x0 0x442508 0x42270 0x38a70 0x0
SetFileAttributesW 0x0 0x44250c 0x42274 0x38a74 0x0
SetEndOfFile 0x0 0x442510 0x42278 0x38a78 0x0
ReadFile 0x0 0x442514 0x4227c 0x38a7c 0x0
OpenProcess 0x0 0x442518 0x42280 0x38a80 0x0
OpenMutexA 0x0 0x44251c 0x42284 0x38a84 0x0
MoveFileW 0x0 0x442520 0x42288 0x38a88 0x0
LockResource 0x0 0x442524 0x4228c 0x38a8c 0x0
LoadResource 0x0 0x442528 0x42290 0x38a90 0x0
LoadLibraryA 0x0 0x44252c 0x42294 0x38a94 0x0
LeaveCriticalSection 0x0 0x442530 0x42298 0x38a98 0x0
InitializeCriticalSection 0x0 0x442534 0x4229c 0x38a9c 0x0
GlobalUnlock 0x0 0x442538 0x422a0 0x38aa0 0x0
GlobalReAlloc 0x0 0x44253c 0x422a4 0x38aa4 0x0
GlobalHandle 0x0 0x442540 0x422a8 0x38aa8 0x0
GlobalLock 0x0 0x442544 0x422ac 0x38aac 0x0
GlobalFree 0x0 0x442548 0x422b0 0x38ab0 0x0
GlobalAlloc 0x0 0x44254c 0x422b4 0x38ab4 0x0
GetVersionExA 0x0 0x442550 0x422b8 0x38ab8 0x0
GetTickCount 0x0 0x442554 0x422bc 0x38abc 0x0
GetThreadLocale 0x0 0x442558 0x422c0 0x38ac0 0x0
GetStdHandle 0x0 0x44255c 0x422c4 0x38ac4 0x0
GetProcAddress 0x0 0x442560 0x422c8 0x38ac8 0x0
GetModuleHandleA 0x0 0x442564 0x422cc 0x38acc 0x0
GetModuleFileNameW 0x0 0x442568 0x422d0 0x38ad0 0x0
GetModuleFileNameA 0x0 0x44256c 0x422d4 0x38ad4 0x0
GetLocaleInfoA 0x0 0x442570 0x422d8 0x38ad8 0x0
GetLocalTime 0x0 0x442574 0x422dc 0x38adc 0x0
GetLastError 0x0 0x442578 0x422e0 0x38ae0 0x0
GetFileAttributesA 0x0 0x44257c 0x422e4 0x38ae4 0x0
GetEnvironmentVariableA 0x0 0x442580 0x422e8 0x38ae8 0x0
GetDiskFreeSpaceA 0x0 0x442584 0x422ec 0x38aec 0x0
GetDateFormatA 0x0 0x442588 0x422f0 0x38af0 0x0
GetCommandLineW 0x0 0x44258c 0x422f4 0x38af4 0x0
GetCPInfo 0x0 0x442590 0x422f8 0x38af8 0x0
FreeResource 0x0 0x442594 0x422fc 0x38afc 0x0
FreeLibrary 0x0 0x442598 0x42300 0x38b00 0x0
FormatMessageA 0x0 0x44259c 0x42304 0x38b04 0x0
FindResourceA 0x0 0x4425a0 0x42308 0x38b08 0x0
FindNextFileW 0x0 0x4425a4 0x4230c 0x38b0c 0x0
FindFirstFileW 0x0 0x4425a8 0x42310 0x38b10 0x0
FindClose 0x0 0x4425ac 0x42314 0x38b14 0x0
FileTimeToLocalFileTime 0x0 0x4425b0 0x42318 0x38b18 0x0
FileTimeToDosDateTime 0x0 0x4425b4 0x4231c 0x38b1c 0x0
ExitProcess 0x0 0x4425b8 0x42320 0x38b20 0x0
EnumCalendarInfoA 0x0 0x4425bc 0x42324 0x38b24 0x0
EnterCriticalSection 0x0 0x4425c0 0x42328 0x38b28 0x0
DeleteFileW 0x0 0x4425c4 0x4232c 0x38b2c 0x0
DeleteCriticalSection 0x0 0x4425c8 0x42330 0x38b30 0x0
CreateProcessW 0x0 0x4425cc 0x42334 0x38b34 0x0
CreateProcessA 0x0 0x4425d0 0x42338 0x38b38 0x0
CreatePipe 0x0 0x4425d4 0x4233c 0x38b3c 0x0
CreateMutexA 0x0 0x4425d8 0x42340 0x38b40 0x0
CreateFileW 0x0 0x4425dc 0x42344 0x38b44 0x0
CompareStringA 0x0 0x4425e0 0x42348 0x38b48 0x0
CloseHandle 0x0 0x4425e4 0x4234c 0x38b4c 0x0
advapi32.dll (9)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegSetValueExA 0x0 0x4425ec 0x42354 0x38b54 0x0
RegQueryValueExA 0x0 0x4425f0 0x42358 0x38b58 0x0
RegOpenKeyExA 0x0 0x4425f4 0x4235c 0x38b5c 0x0
RegEnumValueA 0x0 0x4425f8 0x42360 0x38b60 0x0
RegEnumKeyExA 0x0 0x4425fc 0x42364 0x38b64 0x0
RegDeleteValueA 0x0 0x442600 0x42368 0x38b68 0x0
RegDeleteKeyA 0x0 0x442604 0x4236c 0x38b6c 0x0
RegCreateKeyExA 0x0 0x442608 0x42370 0x38b70 0x0
RegCloseKey 0x0 0x44260c 0x42374 0x38b74 0x0
kernel32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
Sleep 0x0 0x442614 0x4237c 0x38b7c 0x0
wininet.dll (4)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InternetReadFile 0x0 0x44261c 0x42384 0x38b84 0x0
InternetOpenUrlA 0x0 0x442620 0x42388 0x38b88 0x0
InternetOpenA 0x0 0x442624 0x4238c 0x38b8c 0x0
InternetCloseHandle 0x0 0x442628 0x42390 0x38b90 0x0
shell32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShellExecuteW 0x0 0x442630 0x42398 0x38b98 0x0
shell32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation 0x0 0x442638 0x423a0 0x38ba0 0x0
shell32.dll (2)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetPathFromIDListW 0x0 0x442640 0x423a8 0x38ba8 0x0
SHGetMalloc 0x0 0x442644 0x423ac 0x38bac 0x0
oleaut32.dll (8)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SafeArrayPtrOfIndex 0x0 0x44264c 0x423b4 0x38bb4 0x0
SafeArrayGetUBound 0x0 0x442650 0x423b8 0x38bb8 0x0
SafeArrayGetLBound 0x0 0x442654 0x423bc 0x38bbc 0x0
SafeArrayCreate 0x0 0x442658 0x423c0 0x38bc0 0x0
VariantChangeType 0x0 0x44265c 0x423c4 0x38bc4 0x0
VariantCopy 0x0 0x442660 0x423c8 0x38bc8 0x0
VariantClear 0x0 0x442664 0x423cc 0x38bcc 0x0
VariantInit 0x0 0x442668 0x423d0 0x38bd0 0x0
Memory Dumps (4)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
ramqlu.exe 1 0x00400000 0x00446FFF Relevant Image True 32-bit 0x00404238 True False
...
ramqlu.exe 1 0x00400000 0x00446FFF Process Termination True 32-bit - True False
...
ramqlu.exe 3 0x00400000 0x00446FFF Relevant Image True 32-bit 0x0040D708 True False
...
ramqlu.exe 3 0x00400000 0x00446FFF Process Termination True 32-bit - True False
...
Local AV Matches (1)
»
Threat Name Severity
DeepScan:Generic.Ransom.Amnesia.74779263
Malicious
C:\Users\5P5NRG~1\AppData\Local\Temp\$TMP$001.exe Dropped File Binary
Malicious
...
»
Also Known As C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\winupmgr.exe (Dropped File)
Mime Type application/vnd.microsoft.portable-executable
File Size 43.50 KB
MD5 e603742dcae0d272ed49008790b07f7b Copy to Clipboard
SHA1 add2d1f39c5ee009f54d96e4af34f119096e67f7 Copy to Clipboard
SHA256 540d7f4889d3e95a8954632c67ba6f15b764a0166c7e3ca7bb15347d08932f4e Copy to Clipboard
SSDeep 768:/JYexV6NuL038yygBjUONACNYld/k/qWPaQJOVoQfCWeOf4BQbXz8DdSDAu/UeSC:xdVFm8yygBArCNr/qXFa7O08IDm/Ue Copy to Clipboard
ImpHash 0f7e0afc968061034b76c2f876e906c7 Copy to Clipboard
File Reputation Information
»
Severity
Blacklisted
Names Mal/Generic-S
PE Information
»
Image Base 0x400000
Entry Point 0x41f350
Size Of Code 0xb000
Size Of Initialized Data 0x1000
Size Of Uninitialized Data 0x14000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 1992-06-19 22:22:17+00:00
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
UPX0 0x401000 0x14000 0x0 0x400 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
UPX1 0x415000 0xb000 0xa600 0x400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.89
.rsrc 0x420000 0x1000 0x400 0xaa00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.48
Imports (6)
»
KERNEL32.DLL (6)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LoadLibraryA 0x0 0x4202a4 0x202a4 0xaca4 0x0
GetProcAddress 0x0 0x4202a8 0x202a8 0xaca8 0x0
VirtualProtect 0x0 0x4202ac 0x202ac 0xacac 0x0
VirtualAlloc 0x0 0x4202b0 0x202b0 0xacb0 0x0
VirtualFree 0x0 0x4202b4 0x202b4 0xacb4 0x0
ExitProcess 0x0 0x4202b8 0x202b8 0xacb8 0x0
advapi32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegCloseKey 0x0 0x4202c0 0x202c0 0xacc0 0x0
gdi32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetROP2 0x0 0x4202c8 0x202c8 0xacc8 0x0
oleaut32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
VariantCopy 0x0 0x4202d0 0x202d0 0xacd0 0x0
shell32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShellExecuteA 0x0 0x4202d8 0x202d8 0xacd8 0x0
user32.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetDC 0x0 0x4202e0 0x202e0 0xace0 0x0
Local AV Matches (1)
»
Threat Name Severity
Trojan.GenericKD.40753240
Malicious
C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT Modified File Binary
Whitelisted
...
»
Mime Type application/vnd.microsoft.portable-executable
File Size 695.89 KB
MD5 74664df957c3940d8dff961659aac1c5 Copy to Clipboard
SHA1 423071ca3fba60a9cb98aa426440fd004add1e35 Copy to Clipboard
SHA256 38ef4b871398148a86cff6f382c98dd0f965545d325431d7e6e554acfe78eaa1 Copy to Clipboard
SSDeep 12288:yTopnBnmoAcyDYo/bJuCqZ5GYLVZTSiR/vjYEsFfhs9BJTzsz44:3BnmoAcyDYo/bYCqZc2jl/vjYEsFfhs4 Copy to Clipboard
ImpHash 31d87328c86414d73c639f4ccb5974e1 Copy to Clipboard
File Reputation Information
»
Severity
Whitelisted
PE Information
»
Image Base 0x180000000
Entry Point 0x18008b124
Size Of Code 0x8c600
Size Of Initialized Data 0x20400
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2010-02-04 11:34:49+00:00
Version Information (10)
»
CompanyName Access Softek, Inc.
FileDescription Encapsulated PostScript Graphics Filter
FileVersion 2010.1400.4740.1000
InternalName epsimp32
LegalCopyright Copyright © 2000 Access Softek, Inc.
LegalTrademarks1 Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2 Windows® is a registered trademark of Microsoft Corporation.
OriginalFilename epsimp32.flt
ProductName Microsoft Office 2010
ProductVersion 2010.1400.4740.1000
Sections (6)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x180001000 0x8c5cc 0x8c600 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.32
.rdata 0x18008e000 0x156bc 0x15800 0x8ca00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.43
.data 0x1800a4000 0x4858 0x4400 0xa2200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.27
.pdata 0x1800a9000 0x4464 0x4600 0xa6600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.77
.rsrc 0x1800ae000 0xa30 0xc00 0xaac00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.78
.reloc 0x1800af000 0xfe4 0x1000 0xab800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.44
Imports (4)
»
GDI32.dll (60)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GdiComment 0x0 0x18008e000 0x99b60 0x98560 0x139
Escape 0x0 0x18008e008 0x99b68 0x98568 0x119
SetPolyFillMode 0x0 0x18008e010 0x99b70 0x98570 0x285
EndPath 0x0 0x18008e018 0x99b78 0x98578 0xde
PolyDraw 0x0 0x18008e020 0x99b80 0x98580 0x237
CloseFigure 0x0 0x18008e028 0x99b88 0x98588 0x1d
MoveToEx 0x0 0x18008e030 0x99b90 0x98590 0x221
BeginPath 0x0 0x18008e038 0x99b98 0x98598 0x11
CreateEnhMetaFileA 0x0 0x18008e040 0x99ba0 0x985a0 0x38
GetDeviceCaps 0x0 0x18008e048 0x99ba8 0x985a8 0x1b5
DeleteObject 0x0 0x18008e050 0x99bb0 0x985b0 0xd0
SelectObject 0x0 0x18008e058 0x99bb8 0x985b8 0x25e
CreatePen 0x0 0x18008e060 0x99bc0 0x985c0 0x49
ExtCreatePen 0x0 0x18008e068 0x99bc8 0x985c8 0x11d
SetMiterLimit 0x0 0x18008e070 0x99bd0 0x985d0 0x27f
SetWorldTransform 0x0 0x18008e078 0x99bd8 0x985d8 0x295
GetStockObject 0x0 0x18008e080 0x99be0 0x985e0 0x1f4
StrokePath 0x0 0x18008e088 0x99be8 0x985e8 0x29d
SelectClipRgn 0x0 0x18008e090 0x99bf0 0x985f0 0x25c
CreateRectRgn 0x0 0x18008e098 0x99bf8 0x985f8 0x4d
SelectClipPath 0x0 0x18008e0a0 0x99c00 0x98600 0x25b
ExtSelectClipRgn 0x0 0x18008e0a8 0x99c08 0x98608 0x121
Rectangle 0x0 0x18008e0b0 0x99c10 0x98610 0x246
DeleteEnhMetaFile 0x0 0x18008e0b8 0x99c18 0x98618 0xce
CloseEnhMetaFile 0x0 0x18008e0c0 0x99c20 0x98620 0x1c
GetWorldTransform 0x0 0x18008e0c8 0x99c28 0x98628 0x214
GetEnhMetaFileHeader 0x0 0x18008e0d0 0x99c30 0x98630 0x1be
CreateSolidBrush 0x0 0x18008e0d8 0x99c38 0x98638 0x52
StrokeAndFillPath 0x0 0x18008e0e0 0x99c40 0x98640 0x29c
GetCurrentPositionEx 0x0 0x18008e0e8 0x99c48 0x98648 0x1af
SetTextColor 0x0 0x18008e0f0 0x99c50 0x98650 0x28d
GetTextExtentPoint32A 0x0 0x18008e0f8 0x99c58 0x98658 0x204
SetGraphicsMode 0x0 0x18008e100 0x99c60 0x98660 0x274
SetTextAlign 0x0 0x18008e108 0x99c68 0x98668 0x28b
TextOutA 0x0 0x18008e110 0x99c70 0x98670 0x29f
GetTextFaceA 0x0 0x18008e118 0x99c78 0x98678 0x209
CreateFontIndirectA 0x0 0x18008e120 0x99c80 0x98680 0x3b
GetTextMetricsA 0x0 0x18008e128 0x99c88 0x98688 0x20c
GetOutlineTextMetricsA 0x0 0x18008e130 0x99c90 0x98690 0x1e5
StretchDIBits 0x0 0x18008e138 0x99c98 0x98698 0x29b
CreateMetaFileA 0x0 0x18008e140 0x99ca0 0x986a0 0x44
SetROP2 0x0 0x18008e148 0x99ca8 0x986a8 0x286
PolyPolygon 0x0 0x18008e150 0x99cb0 0x986b0 0x239
Polyline 0x0 0x18008e158 0x99cb8 0x986b8 0x23e
GetPath 0x0 0x18008e160 0x99cc0 0x986c0 0x1e8
CloseMetaFile 0x0 0x18008e168 0x99cc8 0x986c8 0x1e
SetStretchBltMode 0x0 0x18008e170 0x99cd0 0x986d0 0x289
SetBkMode 0x0 0x18008e178 0x99cd8 0x986d8 0x266
SetWindowOrgEx 0x0 0x18008e180 0x99ce0 0x986e0 0x294
SetWindowExtEx 0x0 0x18008e188 0x99ce8 0x986e8 0x293
WidenPath 0x0 0x18008e190 0x99cf0 0x986f0 0x2a7
GetTextExtentPointA 0x0 0x18008e198 0x99cf8 0x986f8 0x206
DeleteMetaFile 0x0 0x18008e1a0 0x99d00 0x98700 0xcf
GetGlyphOutlineA 0x0 0x18008e1a8 0x99d08 0x98708 0x1ca
GetDIBits 0x0 0x18008e1b0 0x99d10 0x98710 0x1b4
CreateBitmap 0x0 0x18008e1b8 0x99d18 0x98718 0x28
DeleteDC 0x0 0x18008e1c0 0x99d20 0x98720 0xcd
GetCharacterPlacementA 0x0 0x18008e1c8 0x99d28 0x98728 0x1a8
SetMapMode 0x0 0x18008e1d0 0x99d30 0x98730 0x27b
CreateCompatibleDC 0x0 0x18008e1d8 0x99d38 0x98738 0x2e
KERNEL32.dll (39)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RaiseException 0x0 0x18008e1e8 0x99d48 0x98748 0x354
CloseHandle 0x0 0x18008e1f0 0x99d50 0x98750 0x43
SetFilePointer 0x0 0x18008e1f8 0x99d58 0x98758 0x3e4
ReadFile 0x0 0x18008e200 0x99d60 0x98760 0x362
GetFileSize 0x0 0x18008e208 0x99d68 0x98768 0x1d5
CreateFileA 0x0 0x18008e210 0x99d70 0x98770 0x79
MulDiv 0x0 0x18008e218 0x99d78 0x98778 0x313
UnmapViewOfFile 0x0 0x18008e220 0x99d80 0x98780 0x445
GetTickCount 0x0 0x18008e228 0x99d88 0x98788 0x266
MapViewOfFileEx 0x0 0x18008e230 0x99d90 0x98790 0x305
CreateFileMappingA 0x0 0x18008e238 0x99d98 0x98798 0x7a
GetSystemInfo 0x0 0x18008e240 0x99da0 0x987a0 0x249
GlobalUnlock 0x0 0x18008e248 0x99da8 0x987a8 0x297
GlobalLock 0x0 0x18008e250 0x99db0 0x987b0 0x290
GlobalAlloc 0x0 0x18008e258 0x99db8 0x987b8 0x285
GlobalFree 0x0 0x18008e260 0x99dc0 0x987c0 0x28c
DeleteCriticalSection 0x0 0x18008e268 0x99dc8 0x987c8 0xbf
VirtualFree 0x0 0x18008e270 0x99dd0 0x987d0 0x45b
LeaveCriticalSection 0x0 0x18008e278 0x99dd8 0x987d8 0x2e9
EnterCriticalSection 0x0 0x18008e280 0x99de0 0x987e0 0xda
VirtualAlloc 0x0 0x18008e288 0x99de8 0x987e8 0x458
InitializeCriticalSection 0x0 0x18008e290 0x99df0 0x987f0 0x2b4
RtlLookupFunctionEntry 0x0 0x18008e298 0x99df8 0x987f8 0x390
RtlVirtualUnwind 0x0 0x18008e2a0 0x99e00 0x98800 0x397
IsDebuggerPresent 0x0 0x18008e2a8 0x99e08 0x98808 0x2cb
SetUnhandledExceptionFilter 0x0 0x18008e2b0 0x99e10 0x98810 0x419
UnhandledExceptionFilter 0x0 0x18008e2b8 0x99e18 0x98818 0x442
GetCurrentProcess 0x0 0x18008e2c0 0x99e20 0x98820 0x1aa
TerminateProcess 0x0 0x18008e2c8 0x99e28 0x98828 0x431
Sleep 0x0 0x18008e2d0 0x99e30 0x98830 0x425
GetModuleHandleW 0x0 0x18008e2d8 0x99e38 0x98838 0x1f9
GetProcAddress 0x0 0x18008e2e0 0x99e40 0x98840 0x220
GetProcessHeap 0x0 0x18008e2e8 0x99e48 0x98848 0x223
GetSystemTimeAsFileTime 0x0 0x18008e2f0 0x99e50 0x98850 0x24f
GetCurrentProcessId 0x0 0x18008e2f8 0x99e58 0x98858 0x1ab
RtlCaptureContext 0x0 0x18008e300 0x99e60 0x98860 0x389
GetCurrentThreadId 0x0 0x18008e308 0x99e68 0x98868 0x1ae
QueryPerformanceCounter 0x0 0x18008e310 0x99e70 0x98870 0x34e
VirtualProtect 0x0 0x18008e318 0x99e78 0x98878 0x45e
USER32.dll (22)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LoadCursorA 0x0 0x18008e328 0x99e88 0x98888 0x1d6
SetCursor 0x0 0x18008e330 0x99e90 0x98890 0x276
CreateDialogParamW 0x0 0x18008e338 0x99e98 0x98898 0x5d
GetClientRect 0x0 0x18008e340 0x99ea0 0x988a0 0x10f
IsDialogMessageA 0x0 0x18008e348 0x99ea8 0x988a8 0x1bc
TranslateMessage 0x0 0x18008e350 0x99eb0 0x988b0 0x2dd
DispatchMessageA 0x0 0x18008e358 0x99eb8 0x988b8 0xa8
PeekMessageA 0x0 0x18008e360 0x99ec0 0x988c0 0x21f
GetActiveWindow 0x0 0x18008e368 0x99ec8 0x988c8 0xf9
GetDlgItem 0x0 0x18008e370 0x99ed0 0x988d0 0x121
SendMessageA 0x0 0x18008e378 0x99ed8 0x988d8 0x262
GetDlgCtrlID 0x0 0x18008e380 0x99ee0 0x988e0 0x120
SetFocus 0x0 0x18008e388 0x99ee8 0x988e8 0x27f
GetSystemMetrics 0x0 0x18008e390 0x99ef0 0x988f0 0x171
GetWindowRect 0x0 0x18008e398 0x99ef8 0x988f8 0x18c
MoveWindow 0x0 0x18008e3a0 0x99f00 0x98900 0x209
IsWindow 0x0 0x18008e3a8 0x99f08 0x98908 0x1c9
EnableWindow 0x0 0x18008e3b0 0x99f10 0x98910 0xd1
DestroyWindow 0x0 0x18008e3b8 0x99f18 0x98918 0xa0
GetDC 0x0 0x18008e3c0 0x99f20 0x98920 0x11c
ReleaseDC 0x0 0x18008e3c8 0x99f28 0x98928 0x250
SetWindowTextA 0x0 0x18008e3d0 0x99f30 0x98930 0x2b3
MSVCR90.dll (68)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
rand 0x0 0x18008e3e0 0x99f40 0x98940 0x504
_onexit 0x0 0x18008e3e8 0x99f48 0x98948 0x2e4
_lock 0x0 0x18008e3f0 0x99f50 0x98950 0x23d
__dllonexit 0x0 0x18008e3f8 0x99f58 0x98958 0x85
_unlock 0x0 0x18008e400 0x99f60 0x98960 0x3a4
_vsnprintf 0x0 0x18008e408 0x99f68 0x98968 0x3c8
exit 0x0 0x18008e410 0x99f70 0x98970 0x491
fprintf 0x0 0x18008e418 0x99f78 0x98978 0x4a4
__iob_func 0x0 0x18008e420 0x99f80 0x98980 0x92
malloc 0x0 0x18008e428 0x99f88 0x98988 0x4e5
free 0x0 0x18008e430 0x99f90 0x98990 0x4ac
_CxxThrowException 0x0 0x18008e438 0x99f98 0x98998 0x49
sqrt 0x0 0x18008e440 0x99fa0 0x989a0 0x517
tan 0x0 0x18008e448 0x99fa8 0x989a8 0x53c
sin 0x0 0x18008e450 0x99fb0 0x989b0 0x511
cos 0x0 0x18008e458 0x99fb8 0x989b8 0x48c
??3@YAXPEAX@Z 0x0 0x18008e460 0x99fc0 0x989c0 0x13
memcpy 0x0 0x18008e468 0x99fc8 0x989c8 0x4f0
??2@YAPEAX_K@Z 0x0 0x18008e470 0x99fd0 0x989d0 0x11
cosf 0x0 0x18008e478 0x99fd8 0x989d8 0x48d
sinf 0x0 0x18008e480 0x99fe0 0x989e0 0x512
sqrtf 0x0 0x18008e488 0x99fe8 0x989e8 0x518
memset 0x0 0x18008e490 0x99ff0 0x989f0 0x4f4
memmove 0x0 0x18008e498 0x99ff8 0x989f8 0x4f2
??_V@YAXPEAX@Z 0x0 0x18008e4a0 0x9a000 0x98a00 0x23
??_U@YAPEAX_K@Z 0x0 0x18008e4a8 0x9a008 0x98a08 0x21
realloc 0x0 0x18008e4b0 0x9a010 0x98a10 0x506
floor 0x0 0x18008e4b8 0x9a018 0x98a18 0x49e
_isnan 0x0 0x18008e4c0 0x9a020 0x98a20 0x218
__CxxFrameHandler3 0x0 0x18008e4c8 0x9a028 0x98a28 0x63
memcmp 0x0 0x18008e4d0 0x9a030 0x98a30 0x4ef
?_set_new_handler@@YAP6AH_K@ZP6AH0@Z@Z 0x0 0x18008e4d8 0x9a038 0x98a38 0x33
_expand 0x0 0x18008e4e0 0x9a040 0x98a40 0x147
_msize 0x0 0x18008e4e8 0x9a048 0x98a48 0x2e1
strstr 0x0 0x18008e4f0 0x9a050 0x98a50 0x531
isdigit 0x0 0x18008e4f8 0x9a058 0x98a58 0x4c6
islower 0x0 0x18008e500 0x9a060 0x98a60 0x4c9
isupper 0x0 0x18008e508 0x9a068 0x98a68 0x4cd
isalnum 0x0 0x18008e510 0x9a070 0x98a70 0x4c3
_time64 0x0 0x18008e518 0x9a078 0x98a78 0x388
srand 0x0 0x18008e520 0x9a080 0x98a80 0x519
log10f 0x0 0x18008e528 0x9a088 0x98a88 0x4e2
ceil 0x0 0x18008e530 0x9a090 0x98a90 0x487
atan2 0x0 0x18008e538 0x9a098 0x98a98 0x47c
log 0x0 0x18008e540 0x9a0a0 0x98aa0 0x4e0
__clean_type_info_names_internal 0x0 0x18008e548 0x9a0a8 0x98aa8 0x7b
memchr 0x0 0x18008e550 0x9a0b0 0x98ab0 0x4ee
strchr 0x0 0x18008e558 0x9a0b8 0x98ab8 0x51e
atof 0x0 0x18008e560 0x9a0c0 0x98ac0 0x480
ceilf 0x0 0x18008e568 0x9a0c8 0x98ac8 0x488
floorf 0x0 0x18008e570 0x9a0d0 0x98ad0 0x49f
longjmp 0x0 0x18008e578 0x9a0d8 0x98ad8 0x4e4
_setjmp 0x0 0x18008e580 0x9a0e0 0x98ae0 0x321
atan2f 0x0 0x18008e588 0x9a0e8 0x98ae8 0x47d
_finite 0x0 0x18008e590 0x9a0f0 0x98af0 0x15e
_errno 0x0 0x18008e598 0x9a0f8 0x98af8 0x13d
__C_specific_handler 0x0 0x18008e5a0 0x9a100 0x98b00 0x59
_encode_pointer 0x0 0x18008e5a8 0x9a108 0x98b08 0x137
_malloc_crt 0x0 0x18008e5b0 0x9a110 0x98b10 0x24e
_initterm 0x0 0x18008e5b8 0x9a118 0x98b18 0x1ce
_initterm_e 0x0 0x18008e5c0 0x9a120 0x98b20 0x1cf
_encoded_null 0x0 0x18008e5c8 0x9a128 0x98b28 0x138
_decode_pointer 0x0 0x18008e5d0 0x9a130 0x98b30 0x12d
_amsg_exit 0x0 0x18008e5d8 0x9a138 0x98b38 0xe2
__CppXcptFilter 0x0 0x18008e5e0 0x9a140 0x98b40 0x5a
?terminate@@YAXXZ 0x0 0x18008e5e8 0x9a148 0x98b48 0x43
__crt_debugger_hook 0x0 0x18008e5f0 0x9a150 0x98b50 0x83
?_type_info_dtor_internal_method@type_info@@QEAAXXZ 0x0 0x18008e5f8 0x9a158 0x98b58 0x38
Exports (5)
»
Api name EAT Address Ordinal
GetFilterInfo 0x2a72c 0x1
GetFilterPref 0x84cc0 0x3
ImportGr 0x2a964 0x2
RegisterPercentCallback 0x2ad14 0x4
SetFilterPref 0x2a838 0x5
Digital Signatures (2)
»
Certificate: Microsoft Corporation
»
Issued by Microsoft Corporation
Parent Certificate Microsoft Code Signing PCA
Country Name US
Valid From 2009-12-07 22:40:29+00:00
Valid Until 2011-03-07 22:40:29+00:00
Algorithm sha1_rsa
Serial Number 61 01 CF 3E 00 00 00 00 00 0F
Thumbprint 96 17 09 4A 1C FB 59 AE 7C 1F 7D FD B6 73 9E 4E 7C 40 50 8F
Certificate: Microsoft Code Signing PCA
»
Issued by Microsoft Code Signing PCA
Country Name US
Valid From 2007-08-22 22:31:02+00:00
Valid Until 2012-08-25 07:00:00+00:00
Algorithm sha1_rsa
Serial Number 2E AB 11 DC 50 FF 5C 9D CB C0
Thumbprint 30 36 E3 B2 5B 88 A5 5B 86 FC 90 E6 E9 EA AD 50 81 44 51 66
C:\Program Files\Common Files\Microsoft Shared\EQUATION\я Dropped File Stream
Whitelisted
...
»
Also Known As C:\я (Dropped File)
C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\я (Dropped File)
Mime Type application/octet-stream
File Size 1 Bytes
MD5 93b885adfe0da089cdf634904fd59f71 Copy to Clipboard
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f Copy to Clipboard
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d Copy to Clipboard
SSDeep 3:: Copy to Clipboard
ImpHash -
File Reputation Information
»
Severity
Whitelisted
C:\f4Bw=XvJqdf6BYP1mVw.scarry Dropped File Stream
Whitelisted
...
»
Also Known As C:\bootmgr (Dropped File)
Mime Type application/octet-stream
File Size 374.79 KB
MD5 259525cfb422e6ac8e87bc9777b1df73 Copy to Clipboard
SHA1 7a2ac87b31aa40a1ea92eb34410305fac9f8bc6a Copy to Clipboard
SHA256 0769a292114dfe181dc4931159c24cd7adb6a3f3823177e40eb45ee59688ea4a Copy to Clipboard
SSDeep 6144:lSjzP3sVgTkndKzy1mVsEdUISLEoad8k33TW45/vPB1dTM3BMnOb:4vPnTk89VfdUPEJBTW45X/dTM3m4 Copy to Clipboard
ImpHash -
File Reputation Information
»
Severity
Whitelisted
C:\Program Files\Common Files\Microsoft Shared\EQUATION\Cr5RDwmwHs8MynVqdU5DcZE45mqoEc8m6vr8ArB=GSpuRTe9BYpCgPmO.scarry Dropped File Stream
Whitelisted
...
»
Also Known As C:\Program Files\Common Files\Microsoft Shared\EQUATION\eqnedt32.exe.manifest (Dropped File)
Mime Type application/octet-stream
File Size 749 Bytes
MD5 ddfd9afa54d20919ae66441a744336f9 Copy to Clipboard
SHA1 32724e6f76182615e538e6eee7271051ee0a017d Copy to Clipboard
SHA256 5ee22d093851bc73da6dacfcb95436d732c09c90e009b201e0183a5b35918b50 Copy to Clipboard
SSDeep 3:: Copy to Clipboard
ImpHash -
File Reputation Information
»
Severity
Whitelisted
C:\Program Files\Common Files\Microsoft Shared\EQUATION\n9CDsSozE+uvBcVYS53KG0M5M9esrutb.scarry Dropped File Stream
Unknown
...
»
Also Known As C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.HLP (Modified File)
Mime Type application/octet-stream
File Size 172.36 KB
MD5 eba7d8d262288309e27870176be888b6 Copy to Clipboard
SHA1 4c5f2730fdfa5479687416cb824f111614ff9147 Copy to Clipboard
SHA256 1444bfe2f447c85e6b5595931b9de4cd0639526977eeb6ef22f954b7d7a4ac16 Copy to Clipboard
SSDeep 3072:VX3LwVcEANAsHeEiZs81WdXyrSxGjcwmv:VXkV2BeEiZs81O4SxGjcwmv Copy to Clipboard
ImpHash -
C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FLT Modified File Stream
Unknown
...
»
Also Known As C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\pB1C1OiGbnLtERXMa2Ur8tni8FwIIIaO.scarry (Dropped File)
Mime Type application/octet-stream
File Size 316.53 KB
MD5 249d9f970269493fe87a341a827ddb26 Copy to Clipboard
SHA1 c580d80f1d2178bd269c346bee2e7db4d3f70a9c Copy to Clipboard
SHA256 62366382552c9f3c8aa68057bea08309b712cc3d8e35460c88bc2d5129c4ba51 Copy to Clipboard
SSDeep 6144:YF0S8XiWWThUDZOuOiFGR4bRStylR1TLg9gBjHnmbl0/8:a8XGThUDZLOVR4bRS+LoC8 Copy to Clipboard
ImpHash -
C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FNT Modified File Stream
Unknown
...
»
Also Known As C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\SvG0NemYVfELxl1tDK=ZzW0vMjeeJo9P.scarry (Dropped File)
Mime Type application/octet-stream
File Size 592.04 KB
MD5 aeb03924bae1c81c8f9e11d57a7465bd Copy to Clipboard
SHA1 57b0ee5797a2c3da9448fc8676cea1d584355981 Copy to Clipboard
SHA256 96d12a19c17e3e71ca22f5c949c4876ea9eeac5d28b60eeb295168770be43bdb Copy to Clipboard
SSDeep 12288:gm8EEYHb8868cVAiZQIC6Giut8raCcqaF5NlKvffESck:r8EEmTLcugPrrbcq4+ Copy to Clipboard
ImpHash -
C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT Dropped File Text
Unknown
...
»
Also Known As C:\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT (Dropped File)
C:\Program Files\Common Files\Microsoft Shared\EQUATION\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT (Dropped File)
Mime Type text/plain
File Size 3.49 KB
MD5 b27c9adc46983fb90d61fbb69128d0b9 Copy to Clipboard
SHA1 07027514b1f2a846929831e79034baa0ca56f720 Copy to Clipboard
SHA256 7862778588860a84095f6c10fa0194aad05c5d9b46426b4ed1e9df85c0a88802 Copy to Clipboard
SSDeep 96:jWZt8B0eplz/E5t8yK/cHbr0bHbWZt8B0eT:jWcB0eDg5t/re7WcB0eT Copy to Clipboard
ImpHash -
C:\wQT5YbokHxgHQayDYCLssrH4mrekabF0.scarry Dropped File Stream
Unknown
...
»
Also Known As C:\BOOTSECT.BAK (Dropped File)
Mime Type application/octet-stream
File Size 8.18 KB
MD5 f19d12414c11d9e02d9d9c8fd4a81208 Copy to Clipboard
SHA1 5fe392a73deef2c580d53997820aa2ac5f048999 Copy to Clipboard
SHA256 2d73aed789215129137d580d9eb1b15d600fc115838daf5afd7274b7223d5cdd Copy to Clipboard
SSDeep 192:GvROG9te3VXLT350Qz9aplQ9nbMOFsZtKbuco+cPf8ick:eJ8R3q1bQJoZOo+cMk Copy to Clipboard
ImpHash -
C:\Program Files\Common Files\Microsoft Shared\EQUATION\JbFtmXNWtNN7aOjxZaYO12Z6l3wT581+.scarry Dropped File Stream
Unknown
...
»
Also Known As C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.CNT (Dropped File)
Mime Type application/octet-stream
File Size 2.68 KB
MD5 fdb7be0a48ee774468b63d7da2070c10 Copy to Clipboard
SHA1 8e4914a3ab382e59c57d2c3b6aa0f0c86c9e2098 Copy to Clipboard
SHA256 14efe15fb522db2b4f435ecb1314817dd33fe4fd834e79de193e401d275a1b58 Copy to Clipboard
SSDeep 48:CW1lVzlDP/P0WMdxnDGDUqV3PsNvELbgxa9refHQJsEapdkzhi/3/NB+ZZdqnRhX:CQVxDPH0ddxDiANvzOr/JApdkzhQVB+C Copy to Clipboard
ImpHash -
C:\Program Files\Common Files\Microsoft Shared\EQUATION\AzQX0q5p4V3C2CA2Q4gBgngW2woDnQ.scarry Dropped File Unknown
Unknown
...
»
Also Known As C:\Program Files\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF (Dropped File)
Mime Type application/font-sfnt
File Size 7.65 KB
MD5 45ee3dde04ea2c4d4f7acc1a23177df1 Copy to Clipboard
SHA1 b5b8ead3956c531039c8e8e6afb4031f44fd468b Copy to Clipboard
SHA256 5e61a01351ed137dfcc03f1bb554a12d1b1a4da2ebd9e455f9ec7d9ce7cdb7a2 Copy to Clipboard
SSDeep 192:AJlRPcBQopfePzVjByblCnHxyazof8mLjpOe2qZNS:AZoazVw5eHxEPLZN Copy to Clipboard
ImpHash -
VMRay - Analyzer - www.vmray.com
Legal Note
Exit-Icon
WHOIS Domain Information
Domain Name
WHOIS Response 

       		
      

     

    

   

  

  

  

  

   

    
    

     Function Logfile
    

    

     

      Download-Icon
     

    

    

     Exit-Icon
    

   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image