74f9b8d8...0196 | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Wiper, Trojan

Remarks

(0x200000c): The maximum memory dump size was exceeded. Some dumps may be missing in the report.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xe94 Analysis Target High (Elevated) gottacry.exe "C:\Users\FD1HVy\Desktop\GottaCry.exe" -
#4 0xf08 RPC Server High (Elevated) openwith.exe C:\WINDOWS\system32\OpenWith.exe -Embedding #1

Behavior Information - Grouped by Category

Process #1: gottacry.exe
Information Value
ID #1
File Name c:\users\fd1hvy\desktop\gottacry.exe
Command Line "C:\Users\FD1HVy\Desktop\GottaCry.exe"
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:32, Reason: Analysis Target
Unmonitor End Time: 00:04:32, Reason: Terminated by Timeout
Monitor Duration 00:04:00
OS Process Information
Information Value
PID 0xe94
Parent PID 0x860 (c:\windows\system32\werfault.exe)
Bitness 64-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB10, 0x7EC, 0xFF4, 0xED4, 0x39C, 0xF94, 0x838, 0xB60, 0xB0C, 0xEE4, 0x58, 0xFD4
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA
microsoft.visualbasic.ni.dll 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104B97D8, 0x7FF9105D9820, ... False False
microsoft.visualbasic.ni.dll 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9105E6820, 0x7FF9104B97D8 False False
microsoft.visualbasic.ni.dll 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104BE708 False False
microsoft.visualbasic.ni.dll 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9105E8B30, 0x7FF9104BE708 False False
microsoft.visualbasic.ni.dll 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104B8EF0 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC7E760 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC80200 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC86000 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC7F000 False False
system.xml.ni.dll 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4EF000 False False
system.xml.ni.dll 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4F04C0 False False
system.xml.ni.dll 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4F1960 False False
system.xml.ni.dll 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4F4100 False False
system.xml.ni.dll 0x7FF90C3B0000 0x7FF90CC46FFF Content Changed - 64-bit 0x7FF90C4F2A70 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC81B60 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC82010 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC8319F False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC84040 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC890E0 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC87000 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC989E0 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC88000 False False
system.configuration.ni.dll 0x7FF90CC50000 0x7FF90CD71FFF Content Changed - 64-bit 0x7FF90CC8ABB0 False False
microsoft.visualbasic.ni.dll 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104B8EF8 False False
microsoft.visualbasic.ni.dll 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9105E7160 False False
microsoft.visualbasic.ni.dll 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9104BCEE0 False False
microsoft.visualbasic.ni.dll 0x7FF910470000 0x7FF910686FFF Content Changed - 64-bit 0x7FF9105DA0A0, 0x7FF9104BCEE0 False False
Host Behavior
File (137)
Operation Filename Additional Information Success Count
Create C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = file_attributes True 2
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = file_type True 2
Get Info C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config type = size, size_out = 0 True 1
Get Info C:\Users\FD1HVy\Desktop\GottaCry.exe.config type = file_attributes False 3
Get Info C:\Users\DontFuckMe type = file_attributes False 1
Get Info C:\Users\FD1HVy\Desktop type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\--L05hp3fv9.png type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\1C43JvIy2z.avi type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\6IBxX2LNqhJFYXVQYS0W.bmp type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\9N1u2btn9yPvOjA.m4a type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\9nfD.gif type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\CONgsjZCET.mp4 type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\desktop.ini type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\GottaCry.exe type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\HcPQ9aQ09Z3yq.mp4 type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\JdOHkTwIW D- 2Su4U1X.flv type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\jo51jZ-8ooS.jpg type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\JQUOsla.gif type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\kUyiUtgZT3aaZTCnGBG.wav type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\LmFV6mZwywUte2Wx.mp3 type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\LQ jOTd.mp3 type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\LUepN7ov7Oz3L7J.mp3 type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\m2XL.rtf type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\nFaIgJNWTp4mMdZ.m4a type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\NnSQ.mp3 type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\O67RCTmouURcYS_.png type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\r1t-hn57kceBTM0n.avi type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\rDiKAyzeX.pptx type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\rFDA42 soc19d.wav type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\rR1ynxjK.wav type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\S5R3CNV76ET.png type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\sCti5J-zHdiT5J.pdf type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\SvZdTz5uu_dcureKFHD.wav type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\tZdJbSC_BxXs_dGdDs.jpg type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\U uNu4WFx4W Q.wav type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\uludpfxqYRGHOoD hz.bmp type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\uoSLaSZ.ots type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\XwLYw.mp4 type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\YB67 4.wav type = file_attributes True 2
Get Info C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB type = file_attributes True 2
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 4096 True 8
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 3215 True 1
Read C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config size = 4096, size_out = 0 True 1
Delete Directory C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB - True 1
Delete C:\Users\FD1HVy\Desktop\--L05hp3fv9.png - True 1
Delete C:\Users\FD1HVy\Desktop\1C43JvIy2z.avi - True 1
Delete C:\Users\FD1HVy\Desktop\6IBxX2LNqhJFYXVQYS0W.bmp - True 1
Delete C:\Users\FD1HVy\Desktop\9N1u2btn9yPvOjA.m4a - True 1
Delete C:\Users\FD1HVy\Desktop\9nfD.gif - True 1
Delete C:\Users\FD1HVy\Desktop\CONgsjZCET.mp4 - True 1
Delete C:\Users\FD1HVy\Desktop\desktop.ini - True 1
Delete C:\Users\FD1HVy\Desktop\GottaCry.exe - False 1
Delete C:\Users\FD1HVy\Desktop\HcPQ9aQ09Z3yq.mp4 - True 1
Delete C:\Users\FD1HVy\Desktop\JdOHkTwIW D- 2Su4U1X.flv - True 1
Delete C:\Users\FD1HVy\Desktop\jo51jZ-8ooS.jpg - True 1
Delete C:\Users\FD1HVy\Desktop\JQUOsla.gif - True 1
Delete C:\Users\FD1HVy\Desktop\kUyiUtgZT3aaZTCnGBG.wav - True 1
Delete C:\Users\FD1HVy\Desktop\LmFV6mZwywUte2Wx.mp3 - True 1
Delete C:\Users\FD1HVy\Desktop\LQ jOTd.mp3 - True 1
Delete C:\Users\FD1HVy\Desktop\LUepN7ov7Oz3L7J.mp3 - True 1
Delete C:\Users\FD1HVy\Desktop\m2XL.rtf - True 1
Delete C:\Users\FD1HVy\Desktop\nFaIgJNWTp4mMdZ.m4a - True 1
Delete C:\Users\FD1HVy\Desktop\NnSQ.mp3 - True 1
Delete C:\Users\FD1HVy\Desktop\O67RCTmouURcYS_.png - True 1
Delete C:\Users\FD1HVy\Desktop\r1t-hn57kceBTM0n.avi - True 1
Delete C:\Users\FD1HVy\Desktop\rDiKAyzeX.pptx - True 1
Delete C:\Users\FD1HVy\Desktop\rFDA42 soc19d.wav - True 1
Delete C:\Users\FD1HVy\Desktop\rR1ynxjK.wav - True 1
Delete C:\Users\FD1HVy\Desktop\S5R3CNV76ET.png - True 1
Delete C:\Users\FD1HVy\Desktop\sCti5J-zHdiT5J.pdf - True 1
Delete C:\Users\FD1HVy\Desktop\SvZdTz5uu_dcureKFHD.wav - True 1
Delete C:\Users\FD1HVy\Desktop\tZdJbSC_BxXs_dGdDs.jpg - True 1
Delete C:\Users\FD1HVy\Desktop\U uNu4WFx4W Q.wav - True 1
Delete C:\Users\FD1HVy\Desktop\uludpfxqYRGHOoD hz.bmp - True 1
Delete C:\Users\FD1HVy\Desktop\uoSLaSZ.ots - True 1
Delete C:\Users\FD1HVy\Desktop\XwLYw.mp4 - True 1
Delete C:\Users\FD1HVy\Desktop\YB67 4.wav - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\5pFwrOduO_s_E.jpg - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\EKM1o2Ttc4D0Kn.flv - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\gR5j2UyK7PW3S5L2SqLl.mp4 - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\hnSVWIs8tNNZcPDxr.wav - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\ki7IKF9ARfC_nN.m4a - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\KpW aJ73U.gif - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\ne81c0f.jpg - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\PiOj6qcCI-47.doc - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\QynV.flv - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\SrQU6.bmp - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\t1fGlG4Fb3whav_0E_.jpg - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\VWcoZ4s.m4a - True 1
Delete C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\W8 nshMTU_.m4a - True 1
Registry (13)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = GottaCry, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings value_name = Anchor Color, data = 0, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings value_name = Anchor Color, data = 0,0,255, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main value_name = Anchor Underline, data = 0, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main value_name = Anchor Underline, data = yes, type = REG_SZ True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = GottaCry, data = C:\Users\FD1HVy\Desktop\GottaCry.exe, size = 74, type = REG_SZ True 1
Process (1)
Operation Process Additional Information Success Count
Create https://localbitcoins.com show_window = SW_SHOWNORMAL True 1
Module (171)
Operation Module Additional Information Success Count
Load comctl32.dll base_address = 0x7ff90bef0000 True 1
Load comctl32.dll base_address = 0x7ff9270a0000 True 1
Get Handle comctl32.dll base_address = 0x0 False 2
Get Handle c:\windows\system32\user32.dll base_address = 0x7ff931730000 True 1
Get Handle c:\users\fd1hvy\desktop\gottacry.exe base_address = 0x350000 True 27
Get Handle c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_0e0f5dcc67adff4e\comctl32.dll base_address = 0x7ff90bef0000 True 111
Get Handle c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll base_address = 0x7ff9270a0000 True 27
Get Address c:\windows\system32\user32.dll function = DefWindowProcW, address_out = 0x7ff931fe5090 True 1
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Window (21)
Operation Window Name Additional Information Success Count
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create .NET-BroadcastEventWindow.4.0.0.0.141b42a.0 class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 True 1
Create TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create GottaCry | Windows encryptor class_name = WindowsForms10.Window.8.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.Window.0.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create Unlock class_name = WindowsForms10.BUTTON.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.EDIT.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create Unlock password: class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create All of your passwords were recovered into my servers class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create All your desktop files were moved to my server until payment is done class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create Contact only on discord! class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.EDIT.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create GottaCry | Windows Decryptor 2019 © class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create discord link (click) class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create DISCORD: Russen#6061 class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create All your files were encrypted class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create 50$ bitcoin or 70$ paypal class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create If you turn off your computer, we will leak all your passwords and will delete your computer class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create Your computer has been encrypted class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Create Copy class_name = WindowsForms10.BUTTON.app.0.141b42a_r6_ad1, wndproc_parameter = 0 True 1
Keyboard (248)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 4
Read virtual_key_code = VK_RBUTTON, result_out = 0 True 49
Read virtual_key_code = VK_MBUTTON, result_out = 0 True 49
Read virtual_key_code = VK_XBUTTON1, result_out = 0 True 49
Read virtual_key_code = VK_XBUTTON2, result_out = 0 True 49
Read virtual_key_code = VK_LBUTTON, result_out = 0 True 11
Read virtual_key_code = VK_LBUTTON, result_out = -127 True 15
Read virtual_key_code = VK_LBUTTON, result_out = 1 True 10
Read virtual_key_code = VK_LBUTTON, result_out = -128 True 12
System (451)
Operation Additional Information Success Count
Get window text window_text = 7464176 True 2
Get window text window_text = 7462832 True 1
Get window text window_text = 7462400 False 1
Get window text window_text = 7462272 False 1
Get window text window_text = 7462240 False 1
Get window text window_text = 7462144 False 1
Get window text window_text = 7462784 True 1
Get window text window_text = 7462864 True 1
Get window text window_text = 7460064 True 2
Get window text window_text = 7459856 True 4
Get window text window_text = 7462560 True 1
Get window text window_text = 7459424 True 5
Get window text window_text = 7459216 True 10
Get window text window_text = 7462544 True 6
Get window text window_text = 7462480 True 2
Get window text window_text = 7462448 True 2
Get window text window_text = 7462528 True 4
Get window text window_text = 7462704 False 2
Get window text window_text = 7462512 True 6
Get window text window_text = 7462400 True 2
Get window text window_text = 7457648 True 9
Get window text window_text = 7457440 True 18
Get window text window_text = 7462848 True 9
Get Cursor x_out = 443, y_out = 363 True 4
Sleep duration = 100 milliseconds (0.100 seconds) True 1
Get Info type = SYSTEM_PROCESS_INFORMATION True 355
Process #4: openwith.exe
Information Value
ID #4
File Name c:\windows\system32\openwith.exe
Command Line C:\WINDOWS\system32\OpenWith.exe -Embedding
Initial Working Directory C:\WINDOWS\system32\
Monitor Start Time: 00:01:35, Reason: RPC Server
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:16
OS Process Information
Information Value
PID 0xf08
Parent PID 0x2b4 (c:\windows\system32\svchost.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeDebugPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x4A4, 0x9E0, 0xBFC, 0x7F0, 0x7A4, 0xCF0, 0x6D8, 0xFD0, 0xD38, 0xD74, 0xB64, 0x174, 0xECC, 0xE80, 0xE84, 0xF04, 0xB6C, 0x6AC
Modified Files
Filename File Size Hash Values YARA Match
c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_idx.db 113.77 KB
    MD5: ef8f2a92b695a814a831823462993327
    SHA1: b2525154aa9f539c5c6ec9c3276ba5fb488c335b
    SHA256: bb06660e07d9c6c11d8cbc5877a298998554abbc2f78319c39f9b18d393a79a2
    SSDeep: 384:Sns0cn3yWhXKXx2QuLD/z35OqXp1OKPo7Ep+erXofe/co37qwLDeYf7Wm:SnXOakzLrz30MYWxvXofc7q8T
    YARA Match: False
c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_32.db 3.00 MB
    MD5: d42da5feab76d156eed14386b3ba0fc9
    SHA1: e075d399a08c2a365a0f5204df10907884da7585
    SHA256: 1771938a553949a51bcd766c9626947e65a3c3b4329cc0c2dd9fa9f2b6b043b7
    SSDeep: 24576:EVZt4VPVJ02LPknyS5iz7ZTYqjYKqsdN7OQ:EVZt0PVu2LgiPZTYoXqsd
    YARA Match: False
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count
Create 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 CE149B23-5941-4079-9223-52C0A991EC48 cls_context = CLSCTX_INPROC_SERVER True 1
Module (2)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\ntdll.dll base_address = 0x7ff931f40000 True 1
Get Address c:\windows\system32\ntdll.dll function = RtlDllShutdownInProgress, address_out = 0x7ff931f7cea0 True 1
Mutex (3)
Operation Additional Information Success Count
Create mutex_name = Local\SM0:3848:120:WilError_01, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = Local\SM0:3848:120:WilError_01 True 1
Release - True 1