a188e147...91f4 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Dropper, PUA
Threat Names: Gen:Heur.Ransom.Imps.1, Gen:Variant.Razy.551027, App/Generic-CE

Remarks (1/1)

(0x0200003A): A task was rescheduled ahead of time to reveal dormant functionality.

Files (columns: Filename | Category | Type | Severity)
C:\Users\FD1HVy\Desktop\locker.exe | Sample File | Binary | Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 483.00 KB
MD5 3265b2b0afc6d2ad0bdd55af8edb9b37
SHA1 24272beb676d956ec8a65b95a2615c9075fa9869
SHA256 a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4
SSDeep 12288:JF+dRkCGjzKd5Ik6ZDEyyq8Me0KzYB3IvClBTn:JF+deC2+d5AZLde0KcBU4BT
ImpHash 9941c7dfdbc8c641189a02ae72628db8
File Reputation Information
Severity Suspicious
Names App/Generic-CE
Families -
PE Information
Image Base 0x400000
Entry Point 0x418f55
Size Of Code 0x4e200
Size Of Initialized Data 0x2b800
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-10-23 09:56:46+00:00
Sections (5)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text | 0x401000 | 0x4e1e8 | 0x4e200 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.63
.rdata | 0x450000 | 0x19506 | 0x19600 | 0x4e600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.3
.data | 0x46a000 | 0x3b80 | 0x2a00 | 0x67c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.56
.rsrc | 0x46e000 | 0x9870 | 0x9a00 | 0x6a600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.35
.reloc | 0x478000 | 0x4a1c | 0x4c00 | 0x74000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.55
Imports (10)
RstrtMgr.DLL (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RmEndSession 0x0 0x4502e8 0x685a8 0x66ba8 0x2
RmGetList 0x0 0x4502ec 0x685ac 0x66bac 0x4
RmStartSession 0x0 0x4502f0 0x685b0 0x66bb0 0xb
RmRegisterResources 0x0 0x4502f4 0x685b4 0x66bb4 0x6
VirtDisk.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AttachVirtualDisk 0x0 0x450314 0x685d4 0x66bd4 0x0
GetVirtualDiskPhysicalPath 0x0 0x450318 0x685d8 0x66bd8 0x8
OpenVirtualDisk 0x0 0x45031c 0x685dc 0x66bdc 0xa
IPHLPAPI.DLL (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IcmpCreateFile 0x0 0x450040 0x68300 0x66900 0x85
IcmpSendEcho 0x0 0x450044 0x68304 0x66904 0x87
GetAdaptersInfo 0x0 0x450048 0x68308 0x66908 0x3f
NETAPI32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
NetServerEnum 0x0 0x4502d8 0x68598 0x66b98 0xda
NetShareEnum 0x0 0x4502dc 0x6859c 0x66b9c 0xef
NetApiBufferFree 0x0 0x4502e0 0x685a0 0x66ba0 0x65
WS2_32.dll (12)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WSACleanup 0x74 0x450324 0x685e4 0x66be4 -
inet_addr 0xb 0x450328 0x685e8 0x66be8 -
WSAStartup 0x73 0x45032c 0x685ec 0x66bec -
socket 0x17 0x450330 0x685f0 0x66bf0 -
closesocket 0x3 0x450334 0x685f4 0x66bf4 -
connect 0x4 0x450338 0x685f8 0x66bf8 -
gethostbyname 0x34 0x45033c 0x685fc 0x66bfc -
recv 0x10 0x450340 0x68600 0x66c00 -
gethostbyaddr 0x33 0x450344 0x68604 0x66c04 -
send 0x13 0x450348 0x68608 0x66c08 -
inet_ntoa 0xc 0x45034c 0x6860c 0x66c0c -
htons 0x9 0x450350 0x68610 0x66c10 -
CRYPT32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CryptImportPublicKeyInfo 0x0 0x450030 0x682f0 0x668f0 0xa4
CryptStringToBinaryA 0x0 0x450034 0x682f4 0x668f4 0xd8
CryptDecodeObjectEx 0x0 0x450038 0x682f8 0x668f8 0x83
KERNEL32.dll (161)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
FlushFileBuffers 0x0 0x450050 0x68310 0x66910 0x157
GetFileType 0x0 0x450054 0x68314 0x66914 0x1f3
EnumSystemLocalesW 0x0 0x450058 0x68318 0x66918 0x10f
GetUserDefaultLCID 0x0 0x45005c 0x6831c 0x6691c 0x29b
GetConsoleMode 0x0 0x450060 0x68320 0x66920 0x1ac
ReadFile 0x0 0x450064 0x68324 0x66924 0x3c0
ReadConsoleW 0x0 0x450068 0x68328 0x66928 0x3be
SetFilePointerEx 0x0 0x45006c 0x6832c 0x6692c 0x467
GetVersion 0x0 0x450070 0x68330 0x66930 0x2a2
GetLastError 0x0 0x450074 0x68334 0x66934 0x202
Sleep 0x0 0x450078 0x68338 0x66938 0x4b2
GetTickCount 0x0 0x45007c 0x6833c 0x6693c 0x293
GetModuleFileNameA 0x0 0x450080 0x68340 0x66940 0x213
GetSystemDirectoryA 0x0 0x450084 0x68344 0x66944 0x26f
CreateFileA 0x0 0x450088 0x68348 0x66948 0x88
SetFileAttributesA 0x0 0x45008c 0x6834c 0x6694c 0x45e
GetFileAttributesW 0x0 0x450090 0x68350 0x66950 0x1ea
ReadDirectoryChangesW 0x0 0x450094 0x68354 0x66954 0x3bf
SetUnhandledExceptionFilter 0x0 0x450098 0x68358 0x66958 0x4a5
SetErrorMode 0x0 0x45009c 0x6835c 0x6695c 0x458
ReleaseMutex 0x0 0x4500a0 0x68360 0x66960 0x3fa
WaitForSingleObject 0x0 0x4500a4 0x68364 0x66964 0x4f9
CloseHandle 0x0 0x4500a8 0x68368 0x66968 0x52
CreateMutexA 0x0 0x4500ac 0x6836c 0x6696c 0x9b
GetModuleHandleA 0x0 0x4500b0 0x68370 0x66970 0x215
GetCurrentProcess 0x0 0x4500b4 0x68374 0x66974 0x1c0
GetCurrentProcessId 0x0 0x4500b8 0x68378 0x66978 0x1c1
GetFileSize 0x0 0x4500bc 0x6837c 0x6697c 0x1f0
GetOEMCP 0x0 0x4500c0 0x68380 0x66980 0x237
FindClose 0x0 0x4500c4 0x68384 0x66984 0x12e
SetFileTime 0x0 0x4500c8 0x68388 0x66988 0x46a
GetLocalTime 0x0 0x4500cc 0x6838c 0x6698c 0x203
GetLogicalDriveStringsA 0x0 0x4500d0 0x68390 0x66990 0x207
GetDriveTypeA 0x0 0x4500d4 0x68394 0x66994 0x1d2
GetDiskFreeSpaceExA 0x0 0x4500d8 0x68398 0x66998 0x1cd
CreateFileW 0x0 0x4500dc 0x6839c 0x6699c 0x8f
FindNextFileA 0x0 0x4500e0 0x683a0 0x669a0 0x143
GetVolumeInformationA 0x0 0x4500e4 0x683a4 0x669a4 0x2a5
GetComputerNameA 0x0 0x4500e8 0x683a8 0x669a8 0x18c
FindFirstVolumeA 0x0 0x4500ec 0x683ac 0x669ac 0x13c
FindFirstVolumeW 0x0 0x4500f0 0x683b0 0x669b0 0x13f
FindNextVolumeA 0x0 0x4500f4 0x683b4 0x669b4 0x147
FindNextVolumeW 0x0 0x4500f8 0x683b8 0x669b8 0x14a
FindVolumeClose 0x0 0x4500fc 0x683bc 0x669bc 0x150
SetVolumeMountPointA 0x0 0x450100 0x683c0 0x669c0 0x4aa
GetVolumePathNamesForVolumeNameA 0x0 0x450104 0x683c4 0x669c4 0x2ac
GetVolumePathNamesForVolumeNameW 0x0 0x450108 0x683c8 0x669c8 0x2ad
MultiByteToWideChar 0x0 0x45010c 0x683cc 0x669cc 0x367
WideCharToMultiByte 0x0 0x450110 0x683d0 0x669d0 0x511
CreateToolhelp32Snapshot 0x0 0x450114 0x683d4 0x669d4 0xbe
Process32FirstW 0x0 0x450118 0x683d8 0x669d8 0x396
Process32NextW 0x0 0x45011c 0x683dc 0x669dc 0x398
Process32First 0x0 0x450120 0x683e0 0x669e0 0x395
Process32Next 0x0 0x450124 0x683e4 0x669e4 0x397
GlobalAlloc 0x0 0x450128 0x683e8 0x669e8 0x2b3
GlobalFree 0x0 0x45012c 0x683ec 0x669ec 0x2ba
LockResource 0x0 0x450130 0x683f0 0x669f0 0x354
GetProcAddress 0x0 0x450134 0x683f4 0x669f4 0x245
TerminateThread 0x0 0x450138 0x683f8 0x669f8 0x4c1
LoadResource 0x0 0x45013c 0x683fc 0x669fc 0x341
SizeofResource 0x0 0x450140 0x68400 0x66a00 0x4b1
LoadLibraryA 0x0 0x450144 0x68404 0x66a04 0x33c
FindResourceA 0x0 0x450148 0x68408 0x66a08 0x14b
IsValidLocale 0x0 0x45014c 0x6840c 0x66a0c 0x30c
GetCommandLineA 0x0 0x450150 0x68410 0x66a10 0x186
GetCommandLineW 0x0 0x450154 0x68414 0x66a14 0x187
GetEnvironmentStringsW 0x0 0x450158 0x68418 0x66a18 0x1da
GetConsoleCP 0x0 0x45015c 0x6841c 0x66a1c 0x19a
FindFirstFileExA 0x0 0x450160 0x68420 0x66a20 0x133
IsValidCodePage 0x0 0x450164 0x68424 0x66a24 0x30a
FreeEnvironmentStringsW 0x0 0x450168 0x68428 0x66a28 0x161
SetEnvironmentVariableA 0x0 0x45016c 0x6842c 0x66a2c 0x456
GetProcessHeap 0x0 0x450170 0x68430 0x66a30 0x24a
SetStdHandle 0x0 0x450174 0x68434 0x66a34 0x487
WriteConsoleW 0x0 0x450178 0x68438 0x66a38 0x524
HeapSize 0x0 0x45017c 0x6843c 0x66a3c 0x2d4
SetEndOfFile 0x0 0x450180 0x68440 0x66a40 0x453
DeviceIoControl 0x0 0x450184 0x68444 0x66a44 0xdd
GetCurrentThreadId 0x0 0x450188 0x68448 0x66a48 0x1c5
HeapFree 0x0 0x45018c 0x6844c 0x66a4c 0x2cf
HeapReAlloc 0x0 0x450190 0x68450 0x66a50 0x2d2
HeapAlloc 0x0 0x450194 0x68454 0x66a54 0x2cb
GetACP 0x0 0x450198 0x68458 0x66a58 0x168
FormatMessageW 0x0 0x45019c 0x6845c 0x66a5c 0x15e
DuplicateHandle 0x0 0x4501a0 0x68460 0x66a60 0xe8
WaitForSingleObjectEx 0x0 0x4501a4 0x68464 0x66a64 0x4fa
SwitchToThread 0x0 0x4501a8 0x68468 0x66a68 0x4bc
GetCurrentThread 0x0 0x4501ac 0x6846c 0x66a6c 0x1c4
GetExitCodeThread 0x0 0x4501b0 0x68470 0x66a70 0x1e0
EnterCriticalSection 0x0 0x4501b4 0x68474 0x66a74 0xee
LeaveCriticalSection 0x0 0x4501b8 0x68478 0x66a78 0x339
TryEnterCriticalSection 0x0 0x4501bc 0x6847c 0x66a7c 0x4ce
DeleteCriticalSection 0x0 0x4501c0 0x68480 0x66a80 0xd1
FindFirstFileExW 0x0 0x4501c4 0x68484 0x66a84 0x134
FindNextFileW 0x0 0x4501c8 0x68488 0x66a88 0x145
GetFileAttributesExW 0x0 0x4501cc 0x6848c 0x66a8c 0x1e7
GetFileInformationByHandle 0x0 0x4501d0 0x68490 0x66a90 0x1ec
AreFileApisANSI 0x0 0x4501d4 0x68494 0x66a94 0x15
SetLastError 0x0 0x4501d8 0x68498 0x66a98 0x473
GetModuleHandleW 0x0 0x4501dc 0x6849c 0x66a9c 0x218
MoveFileExW 0x0 0x4501e0 0x684a0 0x66aa0 0x360
QueryPerformanceCounter 0x0 0x4501e4 0x684a4 0x66aa4 0x3a7
EncodePointer 0x0 0x4501e8 0x684a8 0x66aa8 0xea
DecodePointer 0x0 0x4501ec 0x684ac 0x66aac 0xca
InitializeCriticalSectionAndSpinCount 0x0 0x4501f0 0x684b0 0x66ab0 0x2e3
CreateEventW 0x0 0x4501f4 0x684b4 0x66ab4 0x85
TlsAlloc 0x0 0x4501f8 0x684b8 0x66ab8 0x4c5
TlsGetValue 0x0 0x4501fc 0x684bc 0x66abc 0x4c7
TlsSetValue 0x0 0x450200 0x684c0 0x66ac0 0x4c8
TlsFree 0x0 0x450204 0x684c4 0x66ac4 0x4c6
GetSystemTimeAsFileTime 0x0 0x450208 0x684c8 0x66ac8 0x279
CompareStringW 0x0 0x45020c 0x684cc 0x66acc 0x64
LCMapStringW 0x0 0x450210 0x684d0 0x66ad0 0x32d
GetLocaleInfoW 0x0 0x450214 0x684d4 0x66ad4 0x206
GetStringTypeW 0x0 0x450218 0x684d8 0x66ad8 0x269
GetCPInfo 0x0 0x45021c 0x684dc 0x66adc 0x172
SetEvent 0x0 0x450220 0x684e0 0x66ae0 0x459
IsProcessorFeaturePresent 0x0 0x450224 0x684e4 0x66ae4 0x304
IsDebuggerPresent 0x0 0x450228 0x684e8 0x66ae8 0x300
UnhandledExceptionFilter 0x0 0x45022c 0x684ec 0x66aec 0x4d3
GetStartupInfoW 0x0 0x450230 0x684f0 0x66af0 0x263
InitializeSListHead 0x0 0x450234 0x684f4 0x66af4 0x2e7
TerminateProcess 0x0 0x450238 0x684f8 0x66af8 0x4c0
CreateTimerQueue 0x0 0x45023c 0x684fc 0x66afc 0xbc
SignalObjectAndWait 0x0 0x450240 0x68500 0x66b00 0x4b0
CreateThread 0x0 0x450244 0x68504 0x66b04 0xb5
SetThreadPriority 0x0 0x450248 0x68508 0x66b08 0x499
GetThreadPriority 0x0 0x45024c 0x6850c 0x66b0c 0x28e
GetLogicalProcessorInformation 0x0 0x450250 0x68510 0x66b10 0x20a
CreateTimerQueueTimer 0x0 0x450254 0x68514 0x66b14 0xbd
ChangeTimerQueueTimer 0x0 0x450258 0x68518 0x66b18 0x48
DeleteTimerQueueTimer 0x0 0x45025c 0x6851c 0x66b1c 0xda
GetNumaHighestNodeNumber 0x0 0x450260 0x68520 0x66b20 0x229
GetProcessAffinityMask 0x0 0x450264 0x68524 0x66b24 0x246
SetThreadAffinityMask 0x0 0x450268 0x68528 0x66b28 0x490
RegisterWaitForSingleObject 0x0 0x45026c 0x6852c 0x66b2c 0x3f5
UnregisterWait 0x0 0x450270 0x68530 0x66b30 0x4da
GetThreadTimes 0x0 0x450274 0x68534 0x66b34 0x291
FreeLibrary 0x0 0x450278 0x68538 0x66b38 0x162
FreeLibraryAndExitThread 0x0 0x45027c 0x6853c 0x66b3c 0x163
GetModuleFileNameW 0x0 0x450280 0x68540 0x66b40 0x214
LoadLibraryExW 0x0 0x450284 0x68544 0x66b44 0x33e
GetVersionExW 0x0 0x450288 0x68548 0x66b48 0x2a4
VirtualAlloc 0x0 0x45028c 0x6854c 0x66b4c 0x4e9
VirtualProtect 0x0 0x450290 0x68550 0x66b50 0x4ef
VirtualFree 0x0 0x450294 0x68554 0x66b54 0x4ec
ReleaseSemaphore 0x0 0x450298 0x68558 0x66b58 0x3fe
InterlockedPopEntrySList 0x0 0x45029c 0x6855c 0x66b5c 0x2f0
InterlockedPushEntrySList 0x0 0x4502a0 0x68560 0x66b60 0x2f1
InterlockedFlushSList 0x0 0x4502a4 0x68564 0x66b64 0x2ee
QueryDepthSList 0x0 0x4502a8 0x68568 0x66b68 0x39e
UnregisterWaitEx 0x0 0x4502ac 0x6856c 0x66b6c 0x4db
LoadLibraryW 0x0 0x4502b0 0x68570 0x66b70 0x33f
RtlUnwind 0x0 0x4502b4 0x68574 0x66b74 0x418
RaiseException 0x0 0x4502b8 0x68578 0x66b78 0x3b1
ExitThread 0x0 0x4502bc 0x6857c 0x66b7c 0x11a
ResumeThread 0x0 0x4502c0 0x68580 0x66b80 0x413
GetModuleHandleExW 0x0 0x4502c4 0x68584 0x66b84 0x217
ExitProcess 0x0 0x4502c8 0x68588 0x66b88 0x119
GetStdHandle 0x0 0x4502cc 0x6858c 0x66b8c 0x264
WriteFile 0x0 0x4502d0 0x68590 0x66b90 0x525
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
MessageBoxA 0x0 0x45030c 0x685cc 0x66bcc 0x20e
ADVAPI32.dll (11)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetUserNameA 0x0 0x450000 0x682c0 0x668c0 0x164
RegSetValueExA 0x0 0x450004 0x682c4 0x668c4 0x27d
RegOpenKeyA 0x0 0x450008 0x682c8 0x668c8 0x25f
RegDeleteValueA 0x0 0x45000c 0x682cc 0x668cc 0x247
RegCloseKey 0x0 0x450010 0x682d0 0x668d0 0x230
CryptEncrypt 0x0 0x450014 0x682d4 0x668d4 0xba
CryptImportKey 0x0 0x450018 0x682d8 0x668d8 0xca
CryptSetKeyParam 0x0 0x45001c 0x682dc 0x668dc 0xcd
CryptDestroyKey 0x0 0x450020 0x682e0 0x668e0 0xb7
CryptReleaseContext 0x0 0x450024 0x682e4 0x668e4 0xcb
CryptAcquireContextA 0x0 0x450028 0x682e8 0x668e8 0xb0
SHELL32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderPathA 0x0 0x4502fc 0x685bc 0x66bbc 0xe0
SHEmptyRecycleBinA 0x0 0x450300 0x685c0 0x66bc0 0xa4
ShellExecuteA 0x0 0x450304 0x685c4 0x66bc4 0x11e
Memory Dumps (3)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA
locker.exe | 1 | 0x00320000 | 0x0039CFFF | Relevant Image | True | 32-bit | 0x00351821 | True | False
locker.exe | 1 | 0x00320000 | 0x0039CFFF | Final Dump | True | 32-bit | 0x0032E809 | True | False
locker.exe | 14 | 0x00320000 | 0x0039CFFF | Relevant Image | True | 32-bit | 0x00351821 | True | False
Local AV Matches (1)
Threat Name | Severity
Gen:Heur.Ransom.Imps.1 | Malicious
C:\Users\FD1HVy\Desktop\tor-lib.dll | Dropped File | Binary | Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 38.00 KB
MD5 dc7e564809d6c2a2f3457c3c9b91f22b
SHA1 f28c63fc7ac58162c27428a179d2113200814e7e
SHA256 9969c1e4cf32d1fe6140d6fabf63b6b093a6c6ff7045a187b14175d46cfb74a0
SSDeep 768:DzC4MphX0qphDmlRUoPLs2IgHi3QcD2vZc22BGkiAi2:DzC4MpvhCRto5gCxyy22gAV
ImpHash a196521e00cc7c7721162af535893af8
PE Information
Image Base 0x10000000
Entry Point 0x100027ff
Size Of Code 0x7c00
Size Of Initialized Data 0x1a00
File Type FileType.dll
Subsystem Subsystem.windows_cui
Machine Type MachineType.i386
Compile Timestamp 2020-09-19 08:22:33+00:00
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text | 0x10001000 | 0x7a5a | 0x7c00 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.42
.rdata | 0x10009000 | 0xe02 | 0x1000 | 0x8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.0
.data | 0x1000a000 | 0x340 | 0x200 | 0x9000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.18
.reloc | 0x1000b000 | 0x500 | 0x600 | 0x9200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.95
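Added example (not VMRay output): Python consistency checks over the section tables of locker.exe and tor-lib.dll above and the locker.exe memory-dump rows. The section rows, entry points, image bases, reported file sizes and the dump base 0x00320000 are copied from this report; the section flags are abbreviated (IMAGE_SCN_MEM_EXECUTE becomes EXECUTE, and so on). The checks themselves, the thresholds and the helper names are my own.

```python
"""PE section-layout checks for the two binaries in this report (added
example, not VMRay output). Section rows, entry points, image bases, file
sizes and the dump base 0x00320000 are copied from the report; flags are
abbreviated (IMAGE_SCN_MEM_EXECUTE -> EXECUTE, and so on)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    va: int          # virtual address as printed (image base already included)
    vsize: int
    raw_size: int
    raw_off: int
    flags: str
    entropy: float


# locker.exe: ImageBase 0x400000, EntryPoint 0x418f55, reported size 483.00 KB
LOCKER_BASE, LOCKER_EP = 0x400000, 0x418f55
LOCKER_SECTIONS = [
    Section(".text",  0x401000, 0x4e1e8, 0x4e200, 0x400,   "CODE,EXECUTE,READ", 6.63),
    Section(".rdata", 0x450000, 0x19506, 0x19600, 0x4e600, "INITIALIZED_DATA,READ", 5.3),
    Section(".data",  0x46a000, 0x3b80,  0x2a00,  0x67c00, "INITIALIZED_DATA,READ,WRITE", 4.56),
    Section(".rsrc",  0x46e000, 0x9870,  0x9a00,  0x6a600, "INITIALIZED_DATA,READ", 6.35),
    Section(".reloc", 0x478000, 0x4a1c,  0x4c00,  0x74000, "INITIALIZED_DATA,DISCARDABLE,READ", 6.55),
]
# tor-lib.dll: ImageBase 0x10000000, EntryPoint 0x100027ff, reported size 38.00 KB
TORLIB_BASE, TORLIB_EP = 0x10000000, 0x100027ff
TORLIB_SECTIONS = [
    Section(".text",  0x10001000, 0x7a5a, 0x7c00, 0x400,  "CODE,EXECUTE,READ", 6.42),
    Section(".rdata", 0x10009000, 0xe02,  0x1000, 0x8000, "INITIALIZED_DATA,READ", 5.0),
    Section(".data",  0x1000a000, 0x340,  0x200,  0x9000, "INITIALIZED_DATA,READ,WRITE", 0.18),
    Section(".reloc", 0x1000b000, 0x500,  0x600,  0x9200, "INITIALIZED_DATA,DISCARDABLE,READ", 5.95),
]
DUMP_BASE = 0x00320000  # Start VA of all three locker.exe memory dumps


def section_for_va(sections, va):
    """Section whose virtual range contains va, or None (gaps are page padding)."""
    for s in sections:
        if s.va <= va < s.va + s.vsize:
            return s
    return None


def rebase(va, old_base, new_base):
    """Translate a VA between the preferred image base and the base actually used."""
    return va - old_base + new_base


def expected_file_size(sections):
    """End of the last raw section; a larger real file means an overlay is appended."""
    return max(s.raw_off + s.raw_size for s in sections)


def check_layout(sections, ep, reported_kb):
    """Consistency findings for one PE, keyed by check name."""
    ep_sec = section_for_va(sections, ep)
    ordered = sorted(sections, key=lambda s: s.raw_off)
    return {
        "entry_section": ep_sec.name if ep_sec else None,
        "entry_in_executable_section": ep_sec is not None and "EXECUTE" in ep_sec.flags,
        # raw ranges must not overlap; overlap hints at a hand-built header
        "raw_non_overlapping": all(a.raw_off + a.raw_size <= b.raw_off
                                   for a, b in zip(ordered, ordered[1:])),
        # last section end vs. reported size: a mismatch means an overlay (often a payload)
        "size_matches_report": abs(expected_file_size(sections) / 1024 - reported_kb) < 0.01,
        # entropy close to 8 in an executable section is the usual packer tell
        "packed_looking": any(s.entropy > 7.0 and "EXECUTE" in s.flags for s in sections),
        "has_relocations": any(s.name == ".reloc" for s in sections),
    }


def dump_entry_sections(dump_eps, base=LOCKER_BASE, dump_base=DUMP_BASE):
    """Map the entry points reported for the memory dumps back onto on-disk sections."""
    out = {}
    for ep in dump_eps:
        sec = section_for_va(LOCKER_SECTIONS, rebase(ep, dump_base, base))
        out[hex(ep)] = sec.name if sec else None
    return out


if __name__ == "__main__":
    print(check_layout(LOCKER_SECTIONS, LOCKER_EP, 483.00))
    print(check_layout(TORLIB_SECTIONS, TORLIB_EP, 38.00))
    # locker.exe ran at 0x00320000, not its preferred 0x400000 (it carries .reloc),
    # so the header entry point would sit at 0x338f55 in the dumped image
    print(hex(rebase(LOCKER_EP, LOCKER_BASE, DUMP_BASE)))
    print(dump_entry_sections([0x00351821, 0x0032E809]))
```

Both binaries pass: entry points in .text, contiguous raw sections, no overlay (0x74000 + 0x4c00 = 494592 bytes = 483.00 KB; 0x9200 + 0x600 = 38912 bytes = 38.00 KB) and no high-entropy executable section, which is consistent with unpacked MSVC output. The dumps were taken with locker.exe loaded at 0x00320000 rather than its preferred 0x400000, which its .reloc section permits. The dump rows list entry points 0x00351821 and 0x0032E809; mapped back they are RVAs 0x31821 and 0xe809, both inside .text, and neither equals the rebased header entry point 0x338f55, so compare a rebuilt dump against the on-disk file before assuming they are the same image.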
Imports (6)
CRYPT32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CryptDecodeObject 0x0 0x10009038 0x9968 0x8968 0x82
CryptBinaryToStringA 0x0 0x1000903c 0x996c 0x896c 0x7c
CryptStringToBinaryA 0x0 0x10009040 0x9970 0x8970 0xd8
WS2_32.dll (11)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
recv 0x10 0x100090ac 0x99dc 0x89dc -
inet_addr 0xb 0x100090b0 0x99e0 0x89e0 -
inet_ntoa 0xc 0x100090b4 0x99e4 0x89e4 -
WSACleanup 0x74 0x100090b8 0x99e8 0x89e8 -
closesocket 0x3 0x100090bc 0x99ec 0x89ec -
gethostbyname 0x34 0x100090c0 0x99f0 0x89f0 -
WSAStartup 0x73 0x100090c4 0x99f4 0x89f4 -
send 0x13 0x100090c8 0x99f8 0x89f8 -
socket 0x17 0x100090cc 0x99fc 0x89fc -
connect 0x4 0x100090d0 0x9a00 0x8a00 -
htons 0x9 0x100090d4 0x9a04 0x8a04 -
Secur32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InitSecurityInterfaceA 0x0 0x100090a4 0x99d4 0x89d4 0x22
KERNEL32.dll (22)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetTickCount 0x0 0x10009048 0x9978 0x8978 0x293
GetEnvironmentVariableA 0x0 0x1000904c 0x997c 0x897c 0x1db
LoadLibraryA 0x0 0x10009050 0x9980 0x8980 0x33c
ReadFile 0x0 0x10009054 0x9984 0x8984 0x3c0
WriteFile 0x0 0x10009058 0x9988 0x8988 0x525
SetFilePointer 0x0 0x1000905c 0x998c 0x898c 0x466
GetFileAttributesA 0x0 0x10009060 0x9990 0x8990 0x1e5
CreateFileA 0x0 0x10009064 0x9994 0x8994 0x88
CloseHandle 0x0 0x10009068 0x9998 0x8998 0x52
GetFileSize 0x0 0x1000906c 0x999c 0x899c 0x1f0
FlushFileBuffers 0x0 0x10009070 0x99a0 0x89a0 0x157
WaitForMultipleObjects 0x0 0x10009074 0x99a4 0x89a4 0x4f7
WaitForSingleObject 0x0 0x10009078 0x99a8 0x89a8 0x4f9
SetEvent 0x0 0x1000907c 0x99ac 0x89ac 0x459
CreateEventA 0x0 0x10009080 0x99b0 0x89b0 0x82
EnterCriticalSection 0x0 0x10009084 0x99b4 0x89b4 0xee
LeaveCriticalSection 0x0 0x10009088 0x99b8 0x89b8 0x339
InitializeCriticalSection 0x0 0x1000908c 0x99bc 0x89bc 0x2e2
DeleteCriticalSection 0x0 0x10009090 0x99c0 0x89c0 0xd1
Sleep 0x0 0x10009094 0x99c4 0x89c4 0x4b2
TerminateThread 0x0 0x10009098 0x99c8 0x89c8 0x4c1
CreateThread 0x0 0x1000909c 0x99cc 0x89cc 0xb5
ADVAPI32.dll (13)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CryptImportKey 0x0 0x10009000 0x9930 0x8930 0xca
CryptAcquireContextA 0x0 0x10009004 0x9934 0x8934 0xb0
CryptGenRandom 0x0 0x10009008 0x9938 0x8938 0xc1
CryptGetHashParam 0x0 0x1000900c 0x993c 0x893c 0xc4
CryptDestroyHash 0x0 0x10009010 0x9940 0x8940 0xb6
CryptExportKey 0x0 0x10009014 0x9944 0x8944 0xbf
CryptDuplicateHash 0x0 0x10009018 0x9948 0x8948 0xb8
CryptEncrypt 0x0 0x1000901c 0x994c 0x894c 0xba
CryptSetKeyParam 0x0 0x10009020 0x9950 0x8950 0xcd
CryptReleaseContext 0x0 0x10009024 0x9954 0x8954 0xcb
CryptDestroyKey 0x0 0x10009028 0x9958 0x8958 0xb7
CryptCreateHash 0x0 0x1000902c 0x995c 0x895c 0xb3
CryptHashData 0x0 0x10009030 0x9960 0x8960 0xc8
msvcrt.dll (13)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
sscanf 0x0 0x100090dc 0x9a0c 0x8a0c 0x14
atexit 0x0 0x100090e0 0x9a10 0x8a10 0x5
vsprintf_s 0x0 0x100090e4 0x9a14 0x8a14 0x19
free 0x0 0x100090e8 0x9a18 0x8a18 0x8
malloc 0x0 0x100090ec 0x9a1c 0x8a1c 0x9
_vscprintf 0x0 0x100090f0 0x9a20 0x8a20 0x3
_mkgmtime 0x0 0x100090f4 0x9a24 0x8a24 0x2
time 0x0 0x100090f8 0x9a28 0x8a28 0x17
memmove 0x0 0x100090fc 0x9a2c 0x8a2c 0xd
memchr 0x0 0x10009100 0x9a30 0x8a30 0xa
memcmp 0x0 0x10009104 0x9a34 0x8a34 0xb
memcpy 0x0 0x10009108 0x9a38 0x8a38 0xc
memset 0x0 0x1000910c 0x9a3c 0x8a3c 0xe
Exports (2)
Api name EAT Address Ordinal
tor_send_get 0x1e0c 0x1
tor_send_post 0x1e72 0x2
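Added example (not part of the VMRay report): a Python capability triage over the import tables of locker.exe and tor-lib.dll above. The import lists are copied from this report (KERNEL32 and msvcrt trimmed to the names the rules reference); the capability rules, their names and the tiers are my own reading of the Win32 APIs, not VMRay's VTI logic.

```python
"""Capability triage from the import tables in this report (added example;
the rule table is my own reading of the Win32 APIs, not VMRay's VTI logic).
Import lists are copied from the report, KERNEL32/msvcrt trimmed to the
names the rules reference."""

# capability -> API names that must all be imported for the rule to fire
RULES = {
    "unlock_files_via_restart_manager": {"RmStartSession", "RmRegisterResources", "RmGetList", "RmEndSession"},
    "smb_share_discovery": {"NetServerEnum", "NetShareEnum"},
    "icmp_host_sweep": {"GetAdaptersInfo", "IcmpCreateFile", "IcmpSendEcho"},
    "pem_public_key_import": {"CryptStringToBinaryA", "CryptDecodeObjectEx", "CryptImportPublicKeyInfo"},
    "capi_encrypt_with_imported_key": {"CryptAcquireContextA", "CryptImportKey", "CryptSetKeyParam", "CryptEncrypt"},
    "csprng_key_material": {"CryptAcquireContextA", "CryptGenRandom"},
    "key_export": {"CryptExportKey"},
    "capi_hashing": {"CryptCreateHash", "CryptHashData", "CryptGetHashParam"},
    "volume_mount_point_assignment": {"FindFirstVolumeA", "FindNextVolumeA", "SetVolumeMountPointA"},
    "virtual_disk_attach": {"OpenVirtualDisk", "AttachVirtualDisk", "GetVirtualDiskPhysicalPath"},
    "recycle_bin_purge": {"SHEmptyRecycleBinA"},
    "drive_enumeration": {"GetLogicalDriveStringsA", "GetDriveTypeA", "GetDiskFreeSpaceExA"},
    "directory_change_watch": {"ReadDirectoryChangesW"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "raw_tcp_client": {"WSAStartup", "socket", "connect", "send", "recv", "closesocket"},
    "sspi_schannel_handshake": {"InitSecurityInterfaceA"},
    "registry_value_write": {"RegOpenKeyA", "RegSetValueExA"},
    "child_process_launch": {"ShellExecuteA"},
    "embedded_resource_access": {"FindResourceA", "LoadResource", "LockResource", "SizeofResource"},
    "single_instance_mutex": {"CreateMutexA", "ReleaseMutex"},
    "debugger_check": {"IsDebuggerPresent"},  # the MSVC CRT imports this too; weak on its own
}
# weight of each finding in a ransomware-oriented triage (anything else is "low")
TIER = {
    "high": {"unlock_files_via_restart_manager", "pem_public_key_import", "recycle_bin_purge",
             "volume_mount_point_assignment", "smb_share_discovery"},
    "medium": {"capi_encrypt_with_imported_key", "csprng_key_material", "virtual_disk_attach",
               "icmp_host_sweep", "drive_enumeration", "directory_change_watch",
               "sspi_schannel_handshake"},
}

LOCKER_IMPORTS = {  # from the locker.exe import table above
    "RstrtMgr.DLL": ["RmEndSession", "RmGetList", "RmStartSession", "RmRegisterResources"],
    "VirtDisk.dll": ["AttachVirtualDisk", "GetVirtualDiskPhysicalPath", "OpenVirtualDisk"],
    "IPHLPAPI.DLL": ["IcmpCreateFile", "IcmpSendEcho", "GetAdaptersInfo"],
    "NETAPI32.dll": ["NetServerEnum", "NetShareEnum", "NetApiBufferFree"],
    "WS2_32.dll": ["WSACleanup", "inet_addr", "WSAStartup", "socket", "closesocket", "connect",
                   "gethostbyname", "recv", "gethostbyaddr", "send", "inet_ntoa", "htons"],
    "CRYPT32.dll": ["CryptImportPublicKeyInfo", "CryptStringToBinaryA", "CryptDecodeObjectEx"],
    "KERNEL32.dll": ["CreateMutexA", "ReleaseMutex", "GetLogicalDriveStringsA", "GetDriveTypeA",
                     "GetDiskFreeSpaceExA", "FindFirstVolumeA", "FindNextVolumeA",
                     "SetVolumeMountPointA", "ReadDirectoryChangesW", "CreateToolhelp32Snapshot",
                     "Process32First", "Process32Next", "FindResourceA", "LoadResource",
                     "LockResource", "SizeofResource", "IsDebuggerPresent", "GetProcAddress"],
    "USER32.dll": ["MessageBoxA"],
    "ADVAPI32.dll": ["GetUserNameA", "RegSetValueExA", "RegOpenKeyA", "RegDeleteValueA", "RegCloseKey",
                     "CryptEncrypt", "CryptImportKey", "CryptSetKeyParam", "CryptDestroyKey",
                     "CryptReleaseContext", "CryptAcquireContextA"],
    "SHELL32.dll": ["SHGetSpecialFolderPathA", "SHEmptyRecycleBinA", "ShellExecuteA"],
}
TORLIB_IMPORTS = {  # from the tor-lib.dll import table above
    "CRYPT32.dll": ["CryptDecodeObject", "CryptBinaryToStringA", "CryptStringToBinaryA"],
    "WS2_32.dll": ["recv", "inet_addr", "inet_ntoa", "WSACleanup", "closesocket", "gethostbyname",
                   "WSAStartup", "send", "socket", "connect", "htons"],
    "Secur32.dll": ["InitSecurityInterfaceA"],
    "KERNEL32.dll": ["GetTickCount", "LoadLibraryA", "ReadFile", "WriteFile", "CreateFileA", "CreateThread"],
    "ADVAPI32.dll": ["CryptImportKey", "CryptAcquireContextA", "CryptGenRandom", "CryptGetHashParam",
                     "CryptDestroyHash", "CryptExportKey", "CryptDuplicateHash", "CryptEncrypt",
                     "CryptSetKeyParam", "CryptReleaseContext", "CryptDestroyKey", "CryptCreateHash",
                     "CryptHashData"],
    "msvcrt.dll": ["sscanf", "malloc", "free", "time", "memcpy"],
}


def flatten(import_table):
    return {api for apis in import_table.values() for api in apis}


def triage(import_table):
    """Capabilities whose complete API set is statically imported."""
    present = flatten(import_table)
    return {cap: sorted(apis) for cap, apis in RULES.items() if apis <= present}


def tier_of(capability):
    return next((t for t, caps in TIER.items() if capability in caps), "low")


def missing_for(import_table, capability):
    """APIs a rule still lacks. A binary importing LoadLibraryA/GetProcAddress (locker.exe
    does) can resolve them at runtime, so static triage is only a lower bound."""
    return sorted(RULES[capability] - flatten(import_table))


def summarize(import_table):
    by_tier = {"high": [], "medium": [], "low": []}
    for cap in triage(import_table):
        by_tier[tier_of(cap)].append(cap)
    return {t: sorted(caps) for t, caps in by_tier.items()}


if __name__ == "__main__":
    print("locker.exe:", summarize(LOCKER_IMPORTS))
    print("tor-lib.dll:", summarize(TORLIB_IMPORTS))
```

Static imports are a lower bound: locker.exe also imports LoadLibraryA and GetProcAddress, so an API absent from the table may still be resolved at runtime, and dynamic evidence (the Restart Manager, share-enumeration and volume calls actually being made) is what turns a "high" finding into a confirmed behaviour. The DLL dropped beside the sample exports only tor_send_get and tor_send_post, and its imports are raw sockets, SSPI (InitSecurityInterfaceA) and CAPI key generation, export and hashing, which is why the crypto-only findings land on tor-lib.dll and the file-handling findings on locker.exe.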
Local AV Matches (1)
Threat Name | Severity
Gen:Variant.Razy.551027 | Malicious
C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log | Modified File | Stream | Unknown
Also Known As C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.mouse (Dropped File)
Mime Type application/octet-stream
File Size 41.69 KB
MD5 58e9cf75159feceea966e27f81e7b0aa
SHA1 e88f24d61974fc8dc2c6dce87d8b10aed97823ab
SHA256 8bc3c934432719ca502bc639f646609730dff3c50dab36ba946f7d320377af86
SSDeep 768:NwMYRpX3Dh67oF+YxCn1pLQzfz+4Sh+zWqLo9uyegDWAPV5teZIUSJbBG7H0qwUN:IpXTh67oF+YMn1pLQzfz+4Sh+zWqLoUL
ImpHash -
C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.mouse | Dropped File | Stream | Unknown
Also Known As C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log (Modified File)
Mime Type application/octet-stream
File Size 5.88 KB
MD5 0fdb81b6bd5e27795b226de493135dc7
SHA1 0838b36835c232e6faa501acf361f42a21d92dca
SHA256 81fe513fa9599ce71d489cc1c981bc714c405227acab4fb5b73999c832f0835f
SSDeep 96:IvOHcZQZkXmjxgHceCUD/i6e5oL0HHHlK/3/O/F3/T/dw/W/f/ZP:ILmkWVgHLDiignHlKfmB7y+X9
ImpHash -
C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log.mouse | Dropped File | Stream | Unknown
Also Known As C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log (Modified File)
Mime Type application/octet-stream
File Size 48 Bytes
MD5 0945d0ce93ca19ba7f5a986a44d318b2
SHA1 8302c3d35470b51141bd64e5de216c68e14c4754
SHA256 a90851533631cb85d1674ceed61f444cdde8dc5a6c9db5d3f835405397183053
SSDeep 3:eD9I2kcioUzt8NuxT:gIHou7J
ImpHash -
C:\$GetCurrent\SafeOS\GetCurrentOOBE.dll.mouse | Dropped File | Stream | Unknown
Also Known As C:\$GetCurrent\SafeOS\GetCurrentOOBE.dll (Modified File)
Mime Type application/octet-stream
File Size 140.71 KB
MD5 d6a42a4aecb61cda822f9b99f0678aaf
SHA1 f5cb66a723903ed0e0dd71692d6f238b3a62ce4f
SHA256 c299050abbe35dffe8029d370a7030130ea6131381763afb484ffb890b02d73b
SSDeep 3072:uuWjpPR52dCJOnMjilG61JjqnsdvY6NKe2r:ySEj4jqnGY02r
ImpHash -
C:\$GetCurrent\SafeOS\GetCurrentRollback.ini | Modified File | Stream | Unknown
Also Known As C:\$GetCurrent\SafeOS\GetCurrentRollback.ini.mouse (Dropped File)
Mime Type application/octet-stream
File Size 160 Bytes
MD5 0d8db4f9179da16f619d941b84e30ff6
SHA1 9940b56c7e599bcec96ad02d5f5d0445e9bb598c
SHA256 11daf35cdc11381d5f015504f6aaf131ab2aee4b835e5723e6e703a2379a41ba
SSDeep 3:m+99wJd4UpHXwI7StCzRFbGc6R5B5CpKxYf4671rxR2jZLlsbv1p:mg9wvNHX4t6vGc65r1A4nZL2L1p
ImpHash -
C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd | Modified File | Batch | Unknown
Also Known As C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd.mouse (Dropped File)
Mime Type application/x-bat
File Size 592 Bytes
MD5 ff2bdee4c2e0fe5728358667ee9facf9
SHA1 f03f75d40647a337d9b4ecad4647b9830afb5f9b
SHA256 c10f389c3e49138e813138412be788f3d947227715da4e13e8cede3b3eff5655
SSDeep 12:SxHCU4Zq8Ph3TFtLk2QIOYxrl64l8Yl8tIsR/a1J2+ukFlJyEkyPMN:SxHCUUXbk2LxB6Cet//a17tlJbPq
ImpHash -
C:\$GetCurrent\SafeOS\preoobe.cmd | Modified File | Batch | Unknown
Also Known As C:\$GetCurrent\SafeOS\preoobe.cmd.mouse (Dropped File)
Mime Type application/x-bat
File Size 80 Bytes
MD5 09e700aa0a7c55a063932c83b1109ee4
SHA1 72322e176224744c1ed74d6862ac34ff9188c9c7
SHA256 5891b33b893334a4cdb6c41bd6e31d8cd30af219c7707dea325d25ebb47bab91
SSDeep 3:GB5shogAmLqIlidZdm9vklHYs/k0cu:GB5HFmmIlua9clHYs/Gu
ImpHash -
C:\$GetCurrent\SafeOS\SetupComplete.cmd.mouse | Dropped File | Batch | Unknown
Also Known As C:\$GetCurrent\SafeOS\SetupComplete.cmd (Modified File)
Mime Type application/x-bat
File Size 320 Bytes
MD5 c1a844c14b4cf90a6e800384da4f1c7e
SHA1 8dded266345846c8cf8df99022538c4922473c98
SHA256 93bd55924f248387c2fa11c5d1b7651ccb870d06e414b8ae3ab90cc7389c5a99
SSDeep 6:SxHtAVwm9RvAMX01TrAwkH4YTL3oOP8npftrb9kNOC5MX01X8KKjOPvMW049TGaY:SxHGwm/YMX0VrFkH4iWFrb9EjMX0V8K8
ImpHash -
C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\desktop.ini | Modified File | Stream | Unknown
Also Known As C:\$Recycle.Bin\S-1-5-18\desktop.ini.mouse (Dropped File)
C:\$Recycle.Bin\S-1-5-18\desktop.ini (Modified File)
C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\desktop.ini.mouse (Dropped File)
Mime Type application/octet-stream
File Size 144 Bytes
MD5 8cc162be409eac6514a36627b79a7027
SHA1 d7b3672574876bf5e8e41fe85e9555d8a875eee0
SHA256 6073f0e85bcd53393cee8103feb9d727a7461d69addab9f8d4a7505d23007c35
SSDeep 3:rE6I9neXPyjWyzG8h1e5oz5xuXxEPBTzykS0AN3QzltNCJdsFwRC5n:rE60byO/1e5ojuXx4BV9CJdmL5n
ImpHash -
C:\Users\FD1HVy\Desktop\locker.log | Dropped File | Text | Unknown
Mime Type text/plain
File Size 495 Bytes
MD5 538b4b85516a21f96befc699e981efa7
SHA1 cdb76caf3e4aec68ad8519accc9ec3ce9923d789
SHA256 df9cfda927e3dbc2f2a6bc935b09279d7d539e2f855665c14522ec38739b2c49
SSDeep 12:++mt6XxDmqBYHe+SVUmluwkleiSFUcw3iVPZSFUcwy:JmM5mqaTSGcuwkwiSESVhSEy
ImpHash -
C:\$GetCurrent\SafeOS\HOW TO RESTORE FILES.TXT | Dropped File | Text | Unknown
Also Known As C:\\HOW TO RESTORE FILES.TXT (Dropped File)
C:\$GetCurrent\Logs\HOW TO RESTORE FILES.TXT (Dropped File)
C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\HOW TO RESTORE FILES.TXT (Dropped File)
C:\$Recycle.Bin\S-1-5-18\HOW TO RESTORE FILES.TXT (Dropped File)
Mime Type text/plain
File Size 113 Bytes
MD5 15c7ec57eec8de8b9097484245a1eb2b
SHA1 6aec30132f63cc8755c42c20f11feac2387ce793
SHA256 28f5666512ea706b5dbc1b904d851ba631d9b987ed188a6f426da0befdc220eb
SSDeep 3:aJAL9XFc5QJACE6LLRAg1RFfWlfAalLZ0XKgAIVKdI:ak925xCEgLmghsfGooKK
ImpHash -
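Added example (not part of the VMRay report): a Python heuristic that derives the encryption artefact pattern from the dropped and modified file list above. The events are constructed from the paths and categories printed in this report (the root note path is printed with a doubled separator and is normalised); the pairing rule, the ransom-note rule and the thresholds are my own.

```python
"""Infer the encryption artefact pattern from the dropped/modified file list
in this report (added example, not VMRay output). Events are constructed from
the paths and categories printed above; the heuristic is mine."""
import ntpath
from collections import Counter, defaultdict

# (path, category) as listed in the report
EVENTS = [
    (r"C:\Users\FD1HVy\Desktop\locker.exe", "Sample File"),
    (r"C:\Users\FD1HVy\Desktop\tor-lib.dll", "Dropped File"),
    (r"C:\Users\FD1HVy\Desktop\locker.log", "Dropped File"),
    (r"C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log", "Modified File"),
    (r"C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.mouse", "Dropped File"),
    (r"C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log", "Modified File"),
    (r"C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.mouse", "Dropped File"),
    (r"C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log", "Modified File"),
    (r"C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log.mouse", "Dropped File"),
    (r"C:\$GetCurrent\SafeOS\GetCurrentOOBE.dll", "Modified File"),
    (r"C:\$GetCurrent\SafeOS\GetCurrentOOBE.dll.mouse", "Dropped File"),
    (r"C:\$GetCurrent\SafeOS\GetCurrentRollback.ini", "Modified File"),
    (r"C:\$GetCurrent\SafeOS\GetCurrentRollback.ini.mouse", "Dropped File"),
    (r"C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd", "Modified File"),
    (r"C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd.mouse", "Dropped File"),
    (r"C:\$GetCurrent\SafeOS\preoobe.cmd", "Modified File"),
    (r"C:\$GetCurrent\SafeOS\preoobe.cmd.mouse", "Dropped File"),
    (r"C:\$GetCurrent\SafeOS\SetupComplete.cmd", "Modified File"),
    (r"C:\$GetCurrent\SafeOS\SetupComplete.cmd.mouse", "Dropped File"),
    (r"C:\$Recycle.Bin\S-1-5-18\desktop.ini", "Modified File"),
    (r"C:\$Recycle.Bin\S-1-5-18\desktop.ini.mouse", "Dropped File"),
    (r"C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\desktop.ini", "Modified File"),
    (r"C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\desktop.ini.mouse", "Dropped File"),
    (r"C:\\HOW TO RESTORE FILES.TXT", "Dropped File"),  # printed with a doubled separator
    (r"C:\$GetCurrent\Logs\HOW TO RESTORE FILES.TXT", "Dropped File"),
    (r"C:\$GetCurrent\SafeOS\HOW TO RESTORE FILES.TXT", "Dropped File"),
    (r"C:\$Recycle.Bin\S-1-5-18\HOW TO RESTORE FILES.TXT", "Dropped File"),
    (r"C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\HOW TO RESTORE FILES.TXT", "Dropped File"),
]


def infer_encryption_pattern(events, min_pairs=3, min_note_dirs=2):
    """Pair each dropped <name>.<ext> with a modified <name> (the encrypted copy
    written next to the original), then look for one file name dropped unchanged
    into several directories (the ransom note)."""
    dropped = {ntpath.normpath(p) for p, cat in events if cat == "Dropped File"}
    modified = {ntpath.normpath(p) for p, cat in events if cat == "Modified File"}

    ext_counter, affected_dirs, paired = Counter(), set(), set()
    for path in dropped:
        stem, ext = ntpath.splitext(path)
        if ext and stem in modified:       # original touched, copy with an extra suffix written
            ext_counter[ext.lower()] += 1
            affected_dirs.add(ntpath.dirname(path).lower())
            paired.add(path)

    dirs_by_name = defaultdict(set)
    for path in dropped - paired:          # exclude the encrypted copies themselves
        dirs_by_name[ntpath.basename(path).lower()].add(ntpath.dirname(path).lower())
    notes = {name: len(d) for name, d in dirs_by_name.items() if len(d) >= min_note_dirs}

    ext, pairs = ext_counter.most_common(1)[0] if ext_counter else (None, 0)
    return {
        "extension": ext,
        "pairs": pairs,
        "affected_dirs": len(affected_dirs),
        "notes": notes,
        "ransomware_like": pairs >= min_pairs and bool(notes),
    }


if __name__ == "__main__":
    print(infer_encryption_pattern(EVENTS))
```

On this report the heuristic yields the appended extension .mouse across ten original/copy pairs in four directories and the note name HOW TO RESTORE FILES.TXT in five directories, which is the pair of indicators (new extension plus replicated note) to hunt for on file servers. The two files the sample dropped on its own desktop, locker.log and tor-lib.dll, pair with nothing and are reported only once, so they fall out of both rules; the "Modified File" entries are the originals, which the report lists at their post-modification size.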