VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Dropper
Threat Names:
Gen:Variant.Ulise.95762
Generic.Ransom.Buhtrap.B55F719F
Gen:Variant.Symmi.3037
...
Filename Category Type Severity
C:\Users\FD1HVy\Desktop\234561.exe Sample File Binary Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 709.50 KB
MD5 59f9a71bd907118170585d68226be5de
SHA1 6782f1c721418dfcb3a64c98262ee2cb67f87f46
SHA256 aa6df2cc9b5fdee4eed4790d28c1af963cf93f9ee99c754c7c71885057f7b41d
SSDeep 12288:pVUYYy3gzR4lyLt11Xhdw+Q6qX1TIi5vRKpHUpkG:LUYYy3mNL1Xhdwj6qXZXZR60WG
ImpHash 17ca1c6cf714667bf462b3156f33cacf
PE Information
Image Base 0x400000
Entry Point 0x40fb00
Size Of Code 0x36000
Size Of Initialized Data 0xf000
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-01-14 11:46:49+00:00
Packer InstallShield 2000
Version Information (11)
Comments dsfdsfsf hergh43 3 t3t
CompanyName hrthrtfnfgn
FileDescription egeehrthrt
FileVersion fnfsgnsnfgn
InternalName fgnsnfgsfgsn
LegalCopyright snsfn
LegalTrademarks fnfsnfn
OriginalFilename gnfsnfgn
PrivateBuild fgsnfgn
ProductName nfgnfgn
ProductVersion fgsnfgngsfnsfnfsfg
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x409000 0x35fb9 0x36000 0x9000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.39
.rdata 0x43f000 0x7ee4 0x8000 0x3f000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.54
.data 0x447000 0x3f64 0x3000 0x47000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.86
.idata 0x44b000 0x1097 0x2000 0x4a000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 2.87
.rsrc 0x44d000 0xb4c 0x1000 0x4c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.8
Imports (4)
KERNEL32.dll (99)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetVersionExA 0x0 0x44b374 0x4b09c 0x4a09c 0x1df
RaiseException 0x0 0x44b378 0x4b0a0 0x4a0a0 0x29b
DeleteCriticalSection 0x0 0x44b37c 0x4b0a4 0x4a0a4 0x7a
lstrcpyA 0x0 0x44b380 0x4b0a8 0x4a0a8 0x3b6
LoadLibraryA 0x0 0x44b384 0x4b0ac 0x4a0ac 0x248
GetProcAddress 0x0 0x44b388 0x4b0b0 0x4a0b0 0x198
GetSystemTimeAsFileTime 0x0 0x44b38c 0x4b0b4 0x4a0b4 0x1c0
SetUnhandledExceptionFilter 0x0 0x44b390 0x4b0b8 0x4a0b8 0x33b
GetThreadLocale 0x0 0x44b394 0x4b0bc 0x4a0bc 0x1d0
IsBadWritePtr 0x0 0x44b398 0x4b0c0 0x4a0c0 0x22c
IsBadReadPtr 0x0 0x44b39c 0x4b0c4 0x4a0c4 0x229
HeapValidate 0x0 0x44b3a0 0x4b0c8 0x4a0c8 0x216
DebugBreak 0x0 0x44b3a4 0x4b0cc 0x4a0cc 0x73
GetStdHandle 0x0 0x44b3a8 0x4b0d0 0x4a0d0 0x1b1
WriteFile 0x0 0x44b3ac 0x4b0d4 0x4a0d4 0x394
InterlockedDecrement 0x0 0x44b3b0 0x4b0d8 0x4a0d8 0x21e
OutputDebugStringA 0x0 0x44b3b4 0x4b0dc 0x4a0dc 0x281
InterlockedIncrement 0x0 0x44b3b8 0x4b0e0 0x4a0e0 0x222
GetModuleFileNameA 0x0 0x44b3bc 0x4b0e4 0x4a0e4 0x175
GetModuleHandleA 0x0 0x44b3c0 0x4b0e8 0x4a0e8 0x177
GetStartupInfoA 0x0 0x44b3c4 0x4b0ec 0x4a0ec 0x1af
GetCommandLineA 0x0 0x44b3c8 0x4b0f0 0x4a0f0 0x108
EnterCriticalSection 0x0 0x44b3cc 0x4b0f4 0x4a0f4 0x8f
LeaveCriticalSection 0x0 0x44b3d0 0x4b0f8 0x4a0f8 0x247
FatalAppExitA 0x0 0x44b3d4 0x4b0fc 0x4a0fc 0xb7
HeapFree 0x0 0x44b3d8 0x4b100 0x4a100 0x20c
RtlUnwind 0x0 0x44b3dc 0x4b104 0x4a104 0x2ca
HeapAlloc 0x0 0x44b3e0 0x4b108 0x4a108 0x206
HeapReAlloc 0x0 0x44b3e4 0x4b10c 0x4a10c 0x210
GetLastError 0x0 0x44b3e8 0x4b110 0x4a110 0x169
HeapDestroy 0x0 0x44b3ec 0x4b114 0x4a114 0x20a
HeapCreate 0x0 0x44b3f0 0x4b118 0x4a118 0x208
VirtualFree 0x0 0x44b3f4 0x4b11c 0x4a11c 0x376
TerminateProcess 0x0 0x44b3f8 0x4b120 0x4a120 0x34f
GetCurrentProcess 0x0 0x44b3fc 0x4b124 0x4a124 0x13a
ExitProcess 0x0 0x44b400 0x4b128 0x4a128 0xaf
VirtualAlloc 0x0 0x44b404 0x4b12c 0x4a12c 0x373
TlsAlloc 0x0 0x44b408 0x4b130 0x4a130 0x354
GetCurrentThreadId 0x0 0x44b40c 0x4b134 0x4a134 0x13e
TlsFree 0x0 0x44b410 0x4b138 0x4a138 0x355
TlsSetValue 0x0 0x44b414 0x4b13c 0x4a13c 0x357
TlsGetValue 0x0 0x44b418 0x4b140 0x4a140 0x356
SetLastError 0x0 0x44b41c 0x4b144 0x4a144 0x31b
GetCurrentThread 0x0 0x44b420 0x4b148 0x4a148 0x13d
SetConsoleCtrlHandler 0x0 0x44b424 0x4b14c 0x4a14c 0x2e1
UnhandledExceptionFilter 0x0 0x44b428 0x4b150 0x4a150 0x360
GetLocaleInfoA 0x0 0x44b42c 0x4b154 0x4a154 0x16c
GetEnvironmentStrings 0x0 0x44b430 0x4b158 0x4a158 0x14d
FreeEnvironmentStringsW 0x0 0x44b434 0x4b15c 0x4a15c 0xee
WideCharToMultiByte 0x0 0x44b438 0x4b160 0x4a160 0x387
GetEnvironmentStringsW 0x0 0x44b43c 0x4b164 0x4a164 0x14f
SetHandleCount 0x0 0x44b440 0x4b168 0x4a168 0x317
GetFileType 0x0 0x44b444 0x4b16c 0x4a16c 0x15e
InitializeCriticalSection 0x0 0x44b448 0x4b170 0x4a170 0x219
VirtualQuery 0x0 0x44b44c 0x4b174 0x4a174 0x37b
GetTimeFormatA 0x0 0x44b450 0x4b178 0x4a178 0x1d6
GetDateFormatA 0x0 0x44b454 0x4b17c 0x4a17c 0x13f
GetCPInfo 0x0 0x44b458 0x4b180 0x4a180 0xfc
MultiByteToWideChar 0x0 0x44b45c 0x4b184 0x4a184 0x26b
GetStringTypeA 0x0 0x44b460 0x4b188 0x4a188 0x1b2
GetStringTypeW 0x0 0x44b464 0x4b18c 0x4a18c 0x1b5
IsValidLocale 0x0 0x44b468 0x4b190 0x4a190 0x237
IsValidCodePage 0x0 0x44b46c 0x4b194 0x4a194 0x235
EnumSystemLocalesA 0x0 0x44b470 0x4b198 0x4a198 0xa5
GetUserDefaultLCID 0x0 0x44b474 0x4b19c 0x4a19c 0x1d9
GetOEMCP 0x0 0x44b478 0x4b1a0 0x4a1a0 0x18b
QueryPerformanceCounter 0x0 0x44b47c 0x4b1a4 0x4a1a4 0x297
GetTickCount 0x0 0x44b480 0x4b1a8 0x4a1a8 0x1d5
GetCurrentProcessId 0x0 0x44b484 0x4b1ac 0x4a1ac 0x13b
GetTimeZoneInformation 0x0 0x44b488 0x4b1b0 0x4a1b0 0x1d8
VirtualProtect 0x0 0x44b48c 0x4b1b4 0x4a1b4 0x379
GetSystemInfo 0x0 0x44b490 0x4b1b8 0x4a1b8 0x1bb
LCMapStringA 0x0 0x44b494 0x4b1bc 0x4a1bc 0x23a
LCMapStringW 0x0 0x44b498 0x4b1c0 0x4a1c0 0x23b
SetFilePointer 0x0 0x44b49c 0x4b1c4 0x4a1c4 0x30e
GetLocaleInfoW 0x0 0x44b4a0 0x4b1c8 0x4a1c8 0x16d
SetStdHandle 0x0 0x44b4a4 0x4b1cc 0x4a1cc 0x32a
FlushFileBuffers 0x0 0x44b4a8 0x4b1d0 0x4a1d0 0xe5
CompareStringA 0x0 0x44b4ac 0x4b1d4 0x4a1d4 0x34
CompareStringW 0x0 0x44b4b0 0x4b1d8 0x4a1d8 0x35
SetEnvironmentVariableA 0x0 0x44b4b4 0x4b1dc 0x4a1dc 0x306
CloseHandle 0x0 0x44b4b8 0x4b1e0 0x4a1e0 0x2e
WaitForSingleObject 0x0 0x44b4bc 0x4b1e4 0x4a1e4 0x383
SetEvent 0x0 0x44b4c0 0x4b1e8 0x4a1e8 0x309
OpenEventA 0x0 0x44b4c4 0x4b1ec 0x4a1ec 0x271
lstrlenA 0x0 0x44b4c8 0x4b1f0 0x4a1f0 0x3bc
lstrcpyW 0x0 0x44b4cc 0x4b1f4 0x4a1f4 0x3b7
OutputDebugStringW 0x0 0x44b4d0 0x4b1f8 0x4a1f8 0x282
lstrcpynW 0x0 0x44b4d4 0x4b1fc 0x4a1fc 0x3ba
UnmapViewOfFile 0x0 0x44b4d8 0x4b200 0x4a200 0x363
MapViewOfFile 0x0 0x44b4dc 0x4b204 0x4a204 0x25e
CreateFileMappingA 0x0 0x44b4e0 0x4b208 0x4a208 0x4e
GetVersion 0x0 0x44b4e4 0x4b20c 0x4a20c 0x1de
OpenFileMappingA 0x0 0x44b4e8 0x4b210 0x4a210 0x274
GetModuleFileNameW 0x0 0x44b4ec 0x4b214 0x4a214 0x176
GetACP 0x0 0x44b4f0 0x4b218 0x4a218 0xf5
FreeEnvironmentStringsA 0x0 0x44b4f4 0x4b21c 0x4a21c 0xed
InterlockedExchange 0x0 0x44b4f8 0x4b220 0x4a220 0x21f
IsBadCodePtr 0x0 0x44b4fc 0x4b224 0x4a224 0x226
USER32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetMessageW 0x0 0x44b578 0x4b2a0 0x4a2a0 0x13e
IsWindowUnicode 0x0 0x44b57c 0x4b2a4 0x4a2a4 0x1b0
PeekMessageA 0x0 0x44b580 0x4b2a8 0x4a2a8 0x1ff
MsgWaitForMultipleObjects 0x0 0x44b584 0x4b2ac 0x4a2ac 0x1ec
TranslateMessage 0x0 0x44b588 0x4b2b0 0x4a2b0 0x2aa
DispatchMessageW 0x0 0x44b58c 0x4b2b4 0x4a2b4 0xa2
DispatchMessageA 0x0 0x44b590 0x4b2b8 0x4a2b8 0xa1
GetMessageA 0x0 0x44b594 0x4b2bc 0x4a2bc 0x13a
UnregisterClassA 0x0 0x44b598 0x4b2c0 0x4a2c0 0x2b3
ADVAPI32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetThreadToken 0x0 0x44b33c 0x4b064 0x4a064 0x23a
OpenThreadToken 0x0 0x44b340 0x4b068 0x4a068 0x1af
RevertToSelf 0x0 0x44b344 0x4b06c 0x4a06c 0x20b
ole32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoUnmarshalInterface 0x0 0x44b5cc 0x4b2f4 0x4a2f4 0x6b
CoRevokeClassObject 0x0 0x44b5d0 0x4b2f8 0x4a2f8 0x5b
CoRegisterClassObject 0x0 0x44b5d4 0x4b2fc 0x4a2fc 0x4f
CoMarshalInterface 0x0 0x44b5d8 0x4b300 0x4a300 0x46
CoReleaseMarshalData 0x0 0x44b5dc 0x4b304 0x4a304 0x56
CreateStreamOnHGlobal 0x0 0x44b5e0 0x4b308 0x4a308 0x82
Memory Dumps (7)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA
234561.exe 1 0x00400000 0x0044DFFF Relevant Image True 32-bit 0x00419A10 True False
buffer 2 0x00400000 0x004E0FFF First Execution True 32-bit 0x00404393 True False
buffer 1 0x04210000 0x04306FFF Image In Buffer False 32-bit - False False
234561.exe 1 0x00400000 0x0044DFFF Process Termination True 32-bit - True False
buffer 2 0x00400000 0x004E0FFF Content Changed True 32-bit 0x004022F1 True False
buffer 2 0x00400000 0x004E0FFF Content Changed True 32-bit 0x0040115A True False
buffer 2 0x00400000 0x004E0FFF Content Changed True 32-bit 0x0040424F True False
Local AV Matches (1)
Threat Name Severity
Gen:Variant.Ulise.95762 Malicious
C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\explorer.exe Dropped File Binary Malicious
Also Known As C:\Users\FD1HVy\AppData\Local\Temp\svsxchost.exe (Dropped File)
Mime Type application/vnd.microsoft.portable-executable
File Size 378.86 KB
MD5 f9b3b185b1538fa9c5b0c4e43b05f396
SHA1 fc5eb4f7d59ab7ac7a542fd383d252c31f3c91e0
SHA256 d51fa8b0bd6f3f95c54c44c5c35c0a12ad6b9a8a573d9488168e40a98c439135
SSDeep 6144:2ia1vcaEre+HPsKSAzG44DQFu/U3buRKlemZ9DnGAeWBJR1+Gd:2HcthvzSAx4DQFu/U3buRKlemZ9DnGA3
ImpHash 8acb34bed3caa60cae3f08f75d53f727
PE Information
Image Base 0x400000
Entry Point 0x4305dc
Size Of Code 0x2ea00
Size Of Initialized Data 0x8400
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-01-16 01:10:38+00:00
Packer BobSoft Mini Delphi -> BoB / BobSoft
Sections (9)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x2d3c0 0x2d400 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.61
.itext 0x42f000 0x15f8 0x1600 0x2d800 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.78
.data 0x431000 0x1754 0x1800 0x2ee00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.08
.bss 0x433000 0x104d4c 0x0 0x30600 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.idata 0x538000 0x14e6 0x1600 0x30600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.91
.tls 0x53a000 0xc 0x0 0x31c00 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rdata 0x53b000 0x18 0x200 0x31c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.21
.reloc 0x53c000 0x2930 0x2a00 0x31e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.65
.rsrc 0x53f000 0x29dc 0x2a00 0x34800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.1
Imports (15)
oleaut32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SysFreeString 0x0 0x538458 0x138140 0x30740 0x0
SysReAllocStringLen 0x0 0x53845c 0x138144 0x30744 0x0
SysAllocStringLen 0x0 0x538460 0x138148 0x30748 0x0
advapi32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegQueryValueExA 0x0 0x538468 0x138150 0x30750 0x0
RegOpenKeyExA 0x0 0x53846c 0x138154 0x30754 0x0
RegCloseKey 0x0 0x538470 0x138158 0x30758 0x0
user32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetKeyboardType 0x0 0x538478 0x138160 0x30760 0x0
DestroyWindow 0x0 0x53847c 0x138164 0x30764 0x0
LoadStringA 0x0 0x538480 0x138168 0x30768 0x0
MessageBoxA 0x0 0x538484 0x13816c 0x3076c 0x0
CharNextA 0x0 0x538488 0x138170 0x30770 0x0
kernel32.dll (33)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetACP 0x0 0x538490 0x138178 0x30778 0x0
Sleep 0x0 0x538494 0x13817c 0x3077c 0x0
VirtualFree 0x0 0x538498 0x138180 0x30780 0x0
VirtualAlloc 0x0 0x53849c 0x138184 0x30784 0x0
GetTickCount 0x0 0x5384a0 0x138188 0x30788 0x0
QueryPerformanceCounter 0x0 0x5384a4 0x13818c 0x3078c 0x0
GetCurrentThreadId 0x0 0x5384a8 0x138190 0x30790 0x0
InterlockedDecrement 0x0 0x5384ac 0x138194 0x30794 0x0
InterlockedIncrement 0x0 0x5384b0 0x138198 0x30798 0x0
VirtualQuery 0x0 0x5384b4 0x13819c 0x3079c 0x0
WideCharToMultiByte 0x0 0x5384b8 0x1381a0 0x307a0 0x0
MultiByteToWideChar 0x0 0x5384bc 0x1381a4 0x307a4 0x0
lstrlenA 0x0 0x5384c0 0x1381a8 0x307a8 0x0
lstrcpynA 0x0 0x5384c4 0x1381ac 0x307ac 0x0
LoadLibraryExA 0x0 0x5384c8 0x1381b0 0x307b0 0x0
GetThreadLocale 0x0 0x5384cc 0x1381b4 0x307b4 0x0
GetStartupInfoA 0x0 0x5384d0 0x1381b8 0x307b8 0x0
GetProcAddress 0x0 0x5384d4 0x1381bc 0x307bc 0x0
GetModuleHandleA 0x0 0x5384d8 0x1381c0 0x307c0 0x0
GetModuleFileNameA 0x0 0x5384dc 0x1381c4 0x307c4 0x0
GetLocaleInfoA 0x0 0x5384e0 0x1381c8 0x307c8 0x0
GetCommandLineA 0x0 0x5384e4 0x1381cc 0x307cc 0x0
FreeLibrary 0x0 0x5384e8 0x1381d0 0x307d0 0x0
FindFirstFileA 0x0 0x5384ec 0x1381d4 0x307d4 0x0
FindClose 0x0 0x5384f0 0x1381d8 0x307d8 0x0
ExitProcess 0x0 0x5384f4 0x1381dc 0x307dc 0x0
ExitThread 0x0 0x5384f8 0x1381e0 0x307e0 0x0
CreateThread 0x0 0x5384fc 0x1381e4 0x307e4 0x0
WriteFile 0x0 0x538500 0x1381e8 0x307e8 0x0
UnhandledExceptionFilter 0x0 0x538504 0x1381ec 0x307ec 0x0
RtlUnwind 0x0 0x538508 0x1381f0 0x307f0 0x0
RaiseException 0x0 0x53850c 0x1381f4 0x307f4 0x0
GetStdHandle 0x0 0x538510 0x1381f8 0x307f8 0x0
kernel32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
TlsSetValue 0x0 0x538518 0x138200 0x30800 0x0
TlsGetValue 0x0 0x53851c 0x138204 0x30804 0x0
LocalAlloc 0x0 0x538520 0x138208 0x30808 0x0
GetModuleHandleA 0x0 0x538524 0x13820c 0x3080c 0x0
user32.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
TranslateMessage 0x0 0x53852c 0x138214 0x30814 0x0
PeekMessageA 0x0 0x538530 0x138218 0x30818 0x0
MsgWaitForMultipleObjects 0x0 0x538534 0x13821c 0x3081c 0x0
MessageBoxA 0x0 0x538538 0x138220 0x30820 0x0
LoadStringA 0x0 0x53853c 0x138224 0x30824 0x0
GetSystemMetrics 0x0 0x538540 0x138228 0x30828 0x0
DispatchMessageA 0x0 0x538544 0x13822c 0x3082c 0x0
CharNextW 0x0 0x538548 0x138230 0x30830 0x0
CharLowerBuffW 0x0 0x53854c 0x138234 0x30834 0x0
CharNextA 0x0 0x538550 0x138238 0x30838 0x0
CharLowerBuffA 0x0 0x538554 0x13823c 0x3083c 0x0
CharLowerA 0x0 0x538558 0x138240 0x30840 0x0
CharUpperA 0x0 0x53855c 0x138244 0x30844 0x0
CharToOemA 0x0 0x538560 0x138248 0x30848 0x0
mpr.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WNetOpenEnumW 0x0 0x538568 0x138250 0x30850 0x0
WNetEnumResourceW 0x0 0x53856c 0x138254 0x30854 0x0
WNetCloseEnum 0x0 0x538570 0x138258 0x30858 0x0
kernel32.dll (82)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WriteProcessMemory 0x0 0x538578 0x138260 0x30860 0x0
WriteFile 0x0 0x53857c 0x138264 0x30864 0x0
WaitForSingleObject 0x0 0x538580 0x138268 0x30868 0x0
VirtualQuery 0x0 0x538584 0x13826c 0x3086c 0x0
VirtualAllocEx 0x0 0x538588 0x138270 0x30870 0x0
TerminateThread 0x0 0x53858c 0x138274 0x30874 0x0
TerminateProcess 0x0 0x538590 0x138278 0x30878 0x0
SetLastError 0x0 0x538594 0x13827c 0x3087c 0x0
SetFileTime 0x0 0x538598 0x138280 0x30880 0x0
SetFilePointer 0x0 0x53859c 0x138284 0x30884 0x0
SetFileAttributesW 0x0 0x5385a0 0x138288 0x30888 0x0
SetEvent 0x0 0x5385a4 0x13828c 0x3088c 0x0
SetEndOfFile 0x0 0x5385a8 0x138290 0x30890 0x0
ResumeThread 0x0 0x5385ac 0x138294 0x30894 0x0
ResetEvent 0x0 0x5385b0 0x138298 0x30898 0x0
ReadFile 0x0 0x5385b4 0x13829c 0x3089c 0x0
OpenProcess 0x0 0x5385b8 0x1382a0 0x308a0 0x0
MoveFileW 0x0 0x5385bc 0x1382a4 0x308a4 0x0
LoadLibraryA 0x0 0x5385c0 0x1382a8 0x308a8 0x0
LeaveCriticalSection 0x0 0x5385c4 0x1382ac 0x308ac 0x0
InitializeCriticalSection 0x0 0x5385c8 0x1382b0 0x308b0 0x0
GlobalUnlock 0x0 0x5385cc 0x1382b4 0x308b4 0x0
GlobalReAlloc 0x0 0x5385d0 0x1382b8 0x308b8 0x0
GlobalHandle 0x0 0x5385d4 0x1382bc 0x308bc 0x0
GlobalLock 0x0 0x5385d8 0x1382c0 0x308c0 0x0
GlobalFree 0x0 0x5385dc 0x1382c4 0x308c4 0x0
GlobalAlloc 0x0 0x5385e0 0x1382c8 0x308c8 0x0
GetVersionExA 0x0 0x5385e4 0x1382cc 0x308cc 0x0
GetUserDefaultLangID 0x0 0x5385e8 0x1382d0 0x308d0 0x0
GetTickCount 0x0 0x5385ec 0x1382d4 0x308d4 0x0
GetThreadLocale 0x0 0x5385f0 0x1382d8 0x308d8 0x0
GetStdHandle 0x0 0x5385f4 0x1382dc 0x308dc 0x0
GetProcAddress 0x0 0x5385f8 0x1382e0 0x308e0 0x0
GetModuleHandleA 0x0 0x5385fc 0x1382e4 0x308e4 0x0
GetModuleFileNameW 0x0 0x538600 0x1382e8 0x308e8 0x0
GetModuleFileNameA 0x0 0x538604 0x1382ec 0x308ec 0x0
GetLocaleInfoA 0x0 0x538608 0x1382f0 0x308f0 0x0
GetLocalTime 0x0 0x53860c 0x1382f4 0x308f4 0x0
GetLastError 0x0 0x538610 0x1382f8 0x308f8 0x0
GetFullPathNameA 0x0 0x538614 0x1382fc 0x308fc 0x0
GetFileAttributesW 0x0 0x538618 0x138300 0x30900 0x0
GetFileAttributesA 0x0 0x53861c 0x138304 0x30904 0x0
GetExitCodeThread 0x0 0x538620 0x138308 0x30908 0x0
GetEnvironmentVariableW 0x0 0x538624 0x13830c 0x3090c 0x0
GetEnvironmentVariableA 0x0 0x538628 0x138310 0x30910 0x0
GetDriveTypeA 0x0 0x53862c 0x138314 0x30914 0x0
GetDiskFreeSpaceA 0x0 0x538630 0x138318 0x30918 0x0
GetDateFormatA 0x0 0x538634 0x13831c 0x3091c 0x0
GetCurrentThreadId 0x0 0x538638 0x138320 0x30920 0x0
GetCurrentProcess 0x0 0x53863c 0x138324 0x30924 0x0
GetCommandLineW 0x0 0x538640 0x138328 0x30928 0x0
GetCPInfo 0x0 0x538644 0x13832c 0x3092c 0x0
InterlockedIncrement 0x0 0x538648 0x138330 0x30930 0x0
InterlockedExchange 0x0 0x53864c 0x138334 0x30934 0x0
InterlockedDecrement 0x0 0x538650 0x138338 0x30938 0x0
FreeLibrary 0x0 0x538654 0x13833c 0x3093c 0x0
FormatMessageA 0x0 0x538658 0x138340 0x30940 0x0
FindNextFileW 0x0 0x53865c 0x138344 0x30944 0x0
FindFirstFileW 0x0 0x538660 0x138348 0x30948 0x0
FindClose 0x0 0x538664 0x13834c 0x3094c 0x0
FileTimeToLocalFileTime 0x0 0x538668 0x138350 0x30950 0x0
FileTimeToDosDateTime 0x0 0x53866c 0x138354 0x30954 0x0
ExitThread 0x0 0x538670 0x138358 0x30958 0x0
ExitProcess 0x0 0x538674 0x13835c 0x3095c 0x0
EnumCalendarInfoA 0x0 0x538678 0x138360 0x30960 0x0
EnterCriticalSection 0x0 0x53867c 0x138364 0x30964 0x0
DuplicateHandle 0x0 0x538680 0x138368 0x30968 0x0
DeleteFileW 0x0 0x538684 0x13836c 0x3096c 0x0
DeleteCriticalSection 0x0 0x538688 0x138370 0x30970 0x0
CreateThread 0x0 0x53868c 0x138374 0x30974 0x0
CreateRemoteThread 0x0 0x538690 0x138378 0x30978 0x0
CreateProcessW 0x0 0x538694 0x13837c 0x3097c 0x0
CreateProcessA 0x0 0x538698 0x138380 0x30980 0x0
CreatePipe 0x0 0x53869c 0x138384 0x30984 0x0
CreateFileW 0x0 0x5386a0 0x138388 0x30988 0x0
CreateFileA 0x0 0x5386a4 0x13838c 0x3098c 0x0
CreateEventA 0x0 0x5386a8 0x138390 0x30990 0x0
CreateDirectoryW 0x0 0x5386ac 0x138394 0x30994 0x0
CopyFileW 0x0 0x5386b0 0x138398 0x30998 0x0
CompareStringW 0x0 0x5386b4 0x13839c 0x3099c 0x0
CompareStringA 0x0 0x5386b8 0x1383a0 0x309a0 0x0
CloseHandle 0x0 0x5386bc 0x1383a4 0x309a4 0x0
advapi32.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegSetValueExW 0x0 0x5386c4 0x1383ac 0x309ac 0x0
RegSetValueExA 0x0 0x5386c8 0x1383b0 0x309b0 0x0
RegQueryValueExW 0x0 0x5386cc 0x1383b4 0x309b4 0x0
RegQueryValueExA 0x0 0x5386d0 0x1383b8 0x309b8 0x0
RegOpenKeyExW 0x0 0x5386d4 0x1383bc 0x309bc 0x0
RegOpenKeyExA 0x0 0x5386d8 0x1383c0 0x309c0 0x0
RegEnumKeyExA 0x0 0x5386dc 0x1383c4 0x309c4 0x0
RegDeleteValueA 0x0 0x5386e0 0x1383c8 0x309c8 0x0
RegDeleteKeyA 0x0 0x5386e4 0x1383cc 0x309cc 0x0
RegCreateKeyExW 0x0 0x5386e8 0x1383d0 0x309d0 0x0
RegCreateKeyExA 0x0 0x5386ec 0x1383d4 0x309d4 0x0
RegCloseKey 0x0 0x5386f0 0x1383d8 0x309d8 0x0
OpenProcessToken 0x0 0x5386f4 0x1383dc 0x309dc 0x0
LookupPrivilegeValueA 0x0 0x5386f8 0x1383e0 0x309e0 0x0
AdjustTokenPrivileges 0x0 0x5386fc 0x1383e4 0x309e4 0x0
kernel32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
Sleep 0x0 0x538704 0x1383ec 0x309ec 0x0
wininet.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InternetReadFile 0x0 0x53870c 0x1383f4 0x309f4 0x0
InternetOpenUrlA 0x0 0x538710 0x1383f8 0x309f8 0x0
InternetOpenA 0x0 0x538714 0x1383fc 0x309fc 0x0
InternetConnectA 0x0 0x538718 0x138400 0x30a00 0x0
InternetCloseHandle 0x0 0x53871c 0x138404 0x30a04 0x0
HttpSendRequestA 0x0 0x538720 0x138408 0x30a08 0x0
HttpOpenRequestA 0x0 0x538724 0x13840c 0x30a0c 0x0
HttpAddRequestHeadersA 0x0 0x538728 0x138410 0x30a10 0x0
shell32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShellExecuteW 0x0 0x538730 0x138418 0x30a18 0x0
shell32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation 0x0 0x538738 0x138420 0x30a20 0x0
shell32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetPathFromIDListW 0x0 0x538740 0x138428 0x30a28 0x0
SHGetMalloc 0x0 0x538744 0x13842c 0x30a2c 0x0
oleaut32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SafeArrayPtrOfIndex 0x0 0x53874c 0x138434 0x30a34 0x0
SafeArrayGetUBound 0x0 0x538750 0x138438 0x30a38 0x0
SafeArrayGetLBound 0x0 0x538754 0x13843c 0x30a3c 0x0
SafeArrayCreate 0x0 0x538758 0x138440 0x30a40 0x0
VariantChangeType 0x0 0x53875c 0x138444 0x30a44 0x0
VariantCopy 0x0 0x538760 0x138448 0x30a48 0x0
VariantClear 0x0 0x538764 0x13844c 0x30a4c 0x0
VariantInit 0x0 0x538768 0x138450 0x30a50 0x0
Icons (1)
Memory Dumps (1)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA
explorer.exe 7 0x012B0000 0x013F1FFF Relevant Image True 32-bit 0x012B43F4 True False
Local AV Matches (1)
Threat Name Severity
Generic.Ransom.Buhtrap.B55F719F Malicious
C:\Users\FD1HVy\AppData\Local\Temp\11457D20.zeppelin Dropped File Stream Whitelisted
Also Known As C:\Users\FD1HVy\AppData\Local\Temp\7549B699.zeppelin (Dropped File)
Mime Type application/octet-stream
File Size 1 Bytes
MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SSDeep 3::
ImpHash None
File Reputation Information
Severity Whitelisted
First Seen 2011-05-31 22:44 (UTC+2)
Last Seen 2020-01-13 09:28 (UTC+1)
C:\Users\FD1HVy\AppData\Local\Temp\svsxchost.exe Dropped File Stream Unknown
Mime Type application/octet-stream
File Size 378.86 KB
MD5 e7dd86c9ebf1635b936b09913ffae511
SHA1 4c2aad1149e6b725439d74c937fa98c39a434866
SHA256 d9f42de03c5df5a5fbcdf8fc3484c498d309933b206c5a5930c5fa6c575adcab
SSDeep 6144:vhKgiOqSj7Ew8nftrS2oEXciryIfitJ+Fr7s0cA:vhKgidYIw6rSjriv6tJ8L
ImpHash None
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA
svsxchost.exe 4 0x00D60000 0x00EA1FFF Relevant Image True 32-bit 0x00D643F4 True False
svsxchost.exe 4 0x00D60000 0x00EA1FFF Final Dump True 32-bit 0x00D89547 True False
svsxchost.exe 4 0x00D60000 0x00EA1FFF Process Termination True 32-bit - True False