ZeroCleare Wiper Malware | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Dropper
Trojan
Pua
Threat Names:
RawDisk
Trojan.GenericKD.32949123
Trojan.Agent.EJCG
...
Filename Category Type Severity
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ClientUpdate.exe Sample File Binary
Malicious
Also Known As ClientUpdate.exe (Embedded File)
Mime Type application/vnd.microsoft.portable-executable
File Size 451.50 KB
MD5 1a69a02b0cd10b1764521fec4b7376c9
SHA1 0d0b9299674868dbec74317c9c20de0c6c5a0549
SHA256 becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86
SSDeep 6144:HwDOaOGnrViaqj8qxA5ZmDvHBGTVdEolim6U9iceu:Ho3q5vhGTXj
ImpHash bbe6985c2fe1daabb9a70eb12e8b1eb9
File Reputation Information
Severity
Blacklisted
First Seen 2020-01-16 03:37 (UTC+1)
Last Seen 2020-01-16 22:47 (UTC+1)
Names Win64.Trojan.Zeroclear
Families Zeroclear
Classification Trojan
PE Information
Image Base 0x140000000
Entry Point 0x140003920
Size Of Code 0x31600
Size Of Initialized Data 0x1423000
File Type FileType.executable
Subsystem Subsystem.windows_cui
Machine Type MachineType.amd64
Compile Timestamp 2019-06-15 10:47:12+00:00
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140001000 0x31564 0x31600 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.4
.rdata 0x140033000 0x1465a 0x14800 0x31a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.57
.data 0x140048000 0x1409d7c 0x2400 0x46200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.95
.pdata 0x141452000 0x387c 0x3a00 0x48600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.38
.rsrc 0x141456000 0x1e0 0x200 0x4c000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.72
.reloc 0x141457000 0xc6c 0xe00 0x4c200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.19
Imports (1)
KERNEL32.dll (117)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeviceIoControl 0x0 0x140033000 0x469b0 0x453b0 0x121
GetLogicalDrives 0x0 0x140033008 0x469b8 0x453b8 0x26e
CreateProcessA 0x0 0x140033010 0x469c0 0x453c0 0xe0
GetStdHandle 0x0 0x140033018 0x469c8 0x453c8 0x2d9
GetProcessHeap 0x0 0x140033020 0x469d0 0x453d0 0x2bb
HeapSize 0x0 0x140033028 0x469d8 0x453d8 0x357
HeapReAlloc 0x0 0x140033030 0x469e0 0x453e0 0x355
HeapFree 0x0 0x140033038 0x469e8 0x453e8 0x352
HeapAlloc 0x0 0x140033040 0x469f0 0x453f0 0x34e
WaitForSingleObject 0x0 0x140033048 0x469f8 0x453f8 0x5e6
CreateFileW 0x0 0x140033050 0x46a00 0x45400 0xcb
CloseHandle 0x0 0x140033058 0x46a08 0x45408 0x86
GetSystemDirectoryW 0x0 0x140033060 0x46a10 0x45410 0x2e7
DecodePointer 0x0 0x140033068 0x46a18 0x45418 0x10a
DeleteCriticalSection 0x0 0x140033070 0x46a20 0x45420 0x111
EnterCriticalSection 0x0 0x140033078 0x46a28 0x45428 0x135
LeaveCriticalSection 0x0 0x140033080 0x46a30 0x45430 0x3c0
InitializeCriticalSectionAndSpinCount 0x0 0x140033088 0x46a38 0x45438 0x368
SetEvent 0x0 0x140033090 0x46a40 0x45440 0x524
WaitForSingleObjectEx 0x0 0x140033098 0x46a48 0x45448 0x5e7
CreateEventW 0x0 0x1400330a0 0x46a50 0x45450 0xbf
GetModuleHandleW 0x0 0x1400330a8 0x46a58 0x45458 0x27e
GetProcAddress 0x0 0x1400330b0 0x46a60 0x45460 0x2b5
RtlCaptureContext 0x0 0x1400330b8 0x46a68 0x45468 0x4d3
RtlLookupFunctionEntry 0x0 0x1400330c0 0x46a70 0x45470 0x4da
RtlVirtualUnwind 0x0 0x1400330c8 0x46a78 0x45478 0x4e1
UnhandledExceptionFilter 0x0 0x1400330d0 0x46a80 0x45480 0x5bc
SetUnhandledExceptionFilter 0x0 0x1400330d8 0x46a88 0x45488 0x57b
GetCurrentProcess 0x0 0x1400330e0 0x46a90 0x45490 0x21d
TerminateProcess 0x0 0x1400330e8 0x46a98 0x45498 0x59a
IsProcessorFeaturePresent 0x0 0x1400330f0 0x46aa0 0x454a0 0x389
IsDebuggerPresent 0x0 0x1400330f8 0x46aa8 0x454a8 0x382
GetStartupInfoW 0x0 0x140033100 0x46ab0 0x454b0 0x2d7
QueryPerformanceCounter 0x0 0x140033108 0x46ab8 0x454b8 0x450
GetCurrentProcessId 0x0 0x140033110 0x46ac0 0x454c0 0x21e
GetCurrentThreadId 0x0 0x140033118 0x46ac8 0x454c8 0x222
GetSystemTimeAsFileTime 0x0 0x140033120 0x46ad0 0x454d0 0x2f0
InitializeSListHead 0x0 0x140033128 0x46ad8 0x454d8 0x36c
DuplicateHandle 0x0 0x140033130 0x46ae0 0x454e0 0x12f
Sleep 0x0 0x140033138 0x46ae8 0x454e8 0x58b
SwitchToThread 0x0 0x140033140 0x46af0 0x454f0 0x595
GetCurrentThread 0x0 0x140033148 0x46af8 0x454f8 0x221
GetExitCodeThread 0x0 0x140033150 0x46b00 0x45500 0x244
TryEnterCriticalSection 0x0 0x140033158 0x46b08 0x45508 0x5b5
FormatMessageW 0x0 0x140033160 0x46b10 0x45510 0x1ad
WideCharToMultiByte 0x0 0x140033168 0x46b18 0x45518 0x60d
SetLastError 0x0 0x140033170 0x46b20 0x45520 0x53f
TlsAlloc 0x0 0x140033178 0x46b28 0x45528 0x5ac
TlsGetValue 0x0 0x140033180 0x46b30 0x45530 0x5ae
TlsSetValue 0x0 0x140033188 0x46b38 0x45538 0x5af
TlsFree 0x0 0x140033190 0x46b40 0x45540 0x5ad
GetTickCount 0x0 0x140033198 0x46b48 0x45548 0x30e
OutputDebugStringW 0x0 0x1400331a0 0x46b50 0x45550 0x41c
InitializeCriticalSectionEx 0x0 0x1400331a8 0x46b58 0x45558 0x369
FreeLibrary 0x0 0x1400331b0 0x46b60 0x45560 0x1b1
LoadLibraryW 0x0 0x1400331b8 0x46b68 0x45568 0x3c7
MultiByteToWideChar 0x0 0x1400331c0 0x46b70 0x45570 0x3f2
WriteFile 0x0 0x1400331c8 0x46b78 0x45578 0x621
FindNextFileW 0x0 0x1400331d0 0x46b80 0x45580 0x192
GetVersionExW 0x0 0x1400331d8 0x46b88 0x45588 0x324
RtlUnwindEx 0x0 0x1400331e0 0x46b90 0x45590 0x4e0
RtlPcToFileHeader 0x0 0x1400331e8 0x46b98 0x45598 0x4dc
InterlockedPushEntrySList 0x0 0x1400331f0 0x46ba0 0x455a0 0x372
InterlockedFlushSList 0x0 0x1400331f8 0x46ba8 0x455a8 0x370
EncodePointer 0x0 0x140033200 0x46bb0 0x455b0 0x131
LoadLibraryExW 0x0 0x140033208 0x46bb8 0x455b8 0x3c6
ExitProcess 0x0 0x140033210 0x46bc0 0x455c0 0x164
GetModuleHandleExW 0x0 0x140033218 0x46bc8 0x455c8 0x27d
GetModuleFileNameW 0x0 0x140033220 0x46bd0 0x455d0 0x27a
GetCommandLineA 0x0 0x140033228 0x46bd8 0x455d8 0x1dc
GetCommandLineW 0x0 0x140033230 0x46be0 0x455e0 0x1dd
CreateThread 0x0 0x140033238 0x46be8 0x455e8 0xf2
ExitThread 0x0 0x140033240 0x46bf0 0x455f0 0x165
FreeLibraryAndExitThread 0x0 0x140033248 0x46bf8 0x455f8 0x1b2
FindClose 0x0 0x140033250 0x46c00 0x45600 0x17b
FindFirstFileExW 0x0 0x140033258 0x46c08 0x45608 0x181
IsValidCodePage 0x0 0x140033260 0x46c10 0x45610 0x38e
GetACP 0x0 0x140033268 0x46c18 0x45618 0x1b8
GetOEMCP 0x0 0x140033270 0x46c20 0x45620 0x29e
GetCPInfo 0x0 0x140033278 0x46c28 0x45628 0x1c7
GetEnvironmentStringsW 0x0 0x140033280 0x46c30 0x45630 0x23e
FreeEnvironmentStringsW 0x0 0x140033288 0x46c38 0x45638 0x1b0
SetEnvironmentVariableW 0x0 0x140033290 0x46c40 0x45640 0x522
CompareStringW 0x0 0x140033298 0x46c48 0x45648 0x9b
LCMapStringW 0x0 0x1400332a0 0x46c50 0x45650 0x3b4
GetFileType 0x0 0x1400332a8 0x46c58 0x45658 0x255
SetStdHandle 0x0 0x1400332b0 0x46c60 0x45660 0x557
GetStringTypeW 0x0 0x1400332b8 0x46c68 0x45668 0x2de
SetFilePointerEx 0x0 0x1400332c0 0x46c70 0x45670 0x531
FlushFileBuffers 0x0 0x1400332c8 0x46c78 0x45678 0x1a5
GetConsoleCP 0x0 0x1400332d0 0x46c80 0x45680 0x1f0
GetConsoleMode 0x0 0x1400332d8 0x46c88 0x45688 0x202
WriteConsoleW 0x0 0x1400332e0 0x46c90 0x45690 0x620
CreateTimerQueue 0x0 0x1400332e8 0x46c98 0x45698 0xf9
SignalObjectAndWait 0x0 0x1400332f0 0x46ca0 0x456a0 0x589
SetThreadPriority 0x0 0x1400332f8 0x46ca8 0x456a8 0x56b
GetThreadPriority 0x0 0x140033300 0x46cb0 0x456b0 0x308
GetLogicalProcessorInformation 0x0 0x140033308 0x46cb8 0x456b8 0x26f
CreateTimerQueueTimer 0x0 0x140033310 0x46cc0 0x456c0 0xfa
ChangeTimerQueueTimer 0x0 0x140033318 0x46cc8 0x456c8 0x78
DeleteTimerQueueTimer 0x0 0x140033320 0x46cd0 0x456d0 0x11b
GetNumaHighestNodeNumber 0x0 0x140033328 0x46cd8 0x456d8 0x290
GetProcessAffinityMask 0x0 0x140033330 0x46ce0 0x456e0 0x2b6
SetThreadAffinityMask 0x0 0x140033338 0x46ce8 0x456e8 0x560
RegisterWaitForSingleObject 0x0 0x140033340 0x46cf0 0x456f0 0x4ad
UnregisterWait 0x0 0x140033348 0x46cf8 0x456f8 0x5c5
GetThreadTimes 0x0 0x140033350 0x46d00 0x45700 0x30c
GetModuleHandleA 0x0 0x140033358 0x46d08 0x45708 0x27b
VirtualAlloc 0x0 0x140033360 0x46d10 0x45710 0x5d5
VirtualProtect 0x0 0x140033368 0x46d18 0x45718 0x5db
VirtualFree 0x0 0x140033370 0x46d20 0x45720 0x5d8
ReleaseSemaphore 0x0 0x140033378 0x46d28 0x45728 0x4b8
InterlockedPopEntrySList 0x0 0x140033380 0x46d30 0x45730 0x371
QueryDepthSList 0x0 0x140033388 0x46d38 0x45738 0x446
UnregisterWaitEx 0x0 0x140033390 0x46d40 0x45740 0x5c6
GetLastError 0x0 0x140033398 0x46d48 0x45748 0x267
RaiseException 0x0 0x1400333a0 0x46d50 0x45750 0x466
Local AV Matches (1)
Threat Name Severity
Trojan.GenericKD.32949123
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\elrawdsk.sys Dropped File Binary
Malicious
Mime Type application/vnd.microsoft.portable-executable
File Size 24.00 KB
MD5 993e9cb95301126debdea7dd66b9e121
SHA1 a7133c316c534d1331c801bbcd3f4c62141013a1
SHA256 36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c
SSDeep 384:9a5MM0mSc80J0sES5EGr7Btpqu1Ehc+PGhzgWdSLSbf/V+23HzirUJ2R8mf:9i3SAHOoz1a2clLST/zzixl
ImpHash 6863bacaac5428e1e55a107a613c0717
PE Information
Image Base 0x10000
Entry Point 0x191c0
Size Of Code 0x4600
Size Of Initialized Data 0x1600
File Type FileType.executable
Subsystem Subsystem.native
Machine Type MachineType.amd64
Compile Timestamp 2012-10-14 07:43:19+00:00
Version Information (12)
Comments -
CompanyName EldoS Corporation
FileDescription RawDisk Driver. Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later.
FileVersion 3, 0, 31, 121
InternalName elrawdsk.sys
LegalCopyright Copyright (C) 2007-2012, EldoS Corporation
LegalTrademarks -
OriginalFilename elrawdsk.sys
PrivateBuild -
ProductName RawDisk
ProductVersion 3, 0, 31, 0
SpecialBuild -
Sections (8)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x11000 0x75a 0x800 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.73
.rdata 0x12000 0x60c 0x800 0xc00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ 3.62
.data 0x13000 0x360 0x400 0x1400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.23
.pdata 0x14000 0x1a4 0x200 0x1800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ 3.49
PAGE 0x15000 0x3067 0x3200 0x1a00 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.16
INIT 0x19000 0xa48 0xc00 0x4c00 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.89
.rsrc 0x1a000 0x4c0 0x600 0x5800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 2.8
.reloc 0x1b000 0x24 0x200 0x5e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.15
Imports (1)
ntoskrnl.exe (63)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
MmSystemRangeStart 0x0 0x12000 0x92c8 0x4ec8 0x2ea
ExAllocatePoolWithTag 0x0 0x12008 0x92d0 0x4ed0 0x46
ExRaiseStatus 0x0 0x12010 0x92d8 0x4ed8 0x79
IoBuildDeviceIoControlRequest 0x0 0x12018 0x92e0 0x4ee0 0x13c
IoDeleteSymbolicLink 0x0 0x12020 0x92e8 0x4ee8 0x161
ExFreePoolWithTag 0x0 0x12028 0x92f0 0x4ef0 0x58
PsLookupProcessByProcessId 0x0 0x12030 0x92f8 0x4ef8 0x3a9
IoBuildSynchronousFsdRequest 0x0 0x12038 0x9300 0x4f00 0x13e
RtlInitUnicodeString 0x0 0x12040 0x9308 0x4f08 0x43e
IoDeleteDevice 0x0 0x12048 0x9310 0x4f10 0x15f
KeSetEvent 0x0 0x12050 0x9318 0x4f18 0x278
MmGetSystemRoutineAddress 0x0 0x12058 0x9320 0x4f20 0x2c2
KeInitializeEvent 0x0 0x12060 0x9328 0x4f28 0x22e
RtlUnicodeStringToAnsiString 0x0 0x12068 0x9330 0x4f30 0x4b2
IoFreeMdl 0x0 0x12070 0x9338 0x4f38 0x172
KeUnstackDetachProcess 0x0 0x12078 0x9340 0x4f40 0x28e
MmMapLockedPagesSpecifyCache 0x0 0x12080 0x9348 0x4f48 0x2d2
IoBuildAsynchronousFsdRequest 0x0 0x12088 0x9350 0x4f50 0x13b
RtlPrefixUnicodeString 0x0 0x12090 0x9358 0x4f58 0x484
ZwClose 0x0 0x12098 0x9360 0x4f60 0x525
IofCompleteRequest 0x0 0x120a0 0x9368 0x4f68 0x1f6
ObReferenceObjectByHandle 0x0 0x120a8 0x9370 0x4f70 0x34a
KeWaitForSingleObject 0x0 0x120b0 0x9378 0x4f78 0x294
IoFreeIrp 0x0 0x120b8 0x9380 0x4f80 0x171
RtlFreeAnsiString 0x0 0x120c0 0x9388 0x4f88 0x421
MmProbeAndLockPages 0x0 0x120c8 0x9390 0x4f90 0x2de
PsGetVersion 0x0 0x120d0 0x9398 0x4f98 0x3a0
RtlCompareUnicodeString 0x0 0x120d8 0x93a0 0x4fa0 0x3e4
MmUnlockPages 0x0 0x120e0 0x93a8 0x4fa8 0x2ed
ZwQueryInformationProcess 0x0 0x120e8 0x93b0 0x4fb0 0x566
IoCreateSymbolicLink 0x0 0x120f0 0x93b8 0x4fb8 0x155
PsGetCurrentProcessId 0x0 0x120f8 0x93c0 0x4fc0 0x375
ObfDereferenceObject 0x0 0x12100 0x93c8 0x4fc8 0x352
IoCreateDevice 0x0 0x12108 0x93d0 0x4fd0 0x14c
ZwOpenFile 0x0 0x12110 0x93d8 0x4fd8 0x54d
FsRtlIsNtstatusExpected 0x0 0x12118 0x93e0 0x4fe0 0xd8
ObOpenObjectByPointer 0x0 0x12120 0x93e8 0x4fe8 0x347
KeStackAttachProcess 0x0 0x12128 0x93f0 0x4ff0 0x286
IoAllocateMdl 0x0 0x12130 0x93f8 0x4ff8 0x133
IofCallDriver 0x0 0x12138 0x9400 0x5000 0x1f5
ExReleaseFastMutexUnsafe 0x0 0x12140 0x9408 0x5008 0x7f
KeLeaveCriticalRegion 0x0 0x12148 0x9410 0x5010 0x243
IoGetAttachedDevice 0x0 0x12150 0x9418 0x5018 0x174
IoGetRelatedDeviceObject 0x0 0x12158 0x9420 0x5020 0x187
IoIs32bitProcess 0x0 0x12160 0x9428 0x5028 0x192
KeEnterCriticalRegion 0x0 0x12168 0x9430 0x5030 0x21e
ExAcquireFastMutexUnsafe 0x0 0x12170 0x9438 0x5038 0x38
ZwWaitForSingleObject 0x0 0x12178 0x9440 0x5040 0x593
ZwDeviceIoControlFile 0x0 0x12180 0x9448 0x5048 0x535
ObfReferenceObject 0x0 0x12188 0x9450 0x5050 0x353
ExAcquireResourceExclusiveLite 0x0 0x12190 0x9458 0x5058 0x39
IoReuseIrp 0x0 0x12198 0x9460 0x5060 0x1be
KeResetEvent 0x0 0x121a0 0x9468 0x5068 0x26f
CcPurgeCacheSection 0x0 0x121a8 0x9470 0x5070 0x1a
CcFlushCache 0x0 0x121b0 0x9478 0x5078 0x9
ZwCreateFile 0x0 0x121b8 0x9480 0x5080 0x52a
ExReleaseResourceLite 0x0 0x121c0 0x9488 0x5088 0x83
IoAllocateIrp 0x0 0x121c8 0x9490 0x5090 0x132
RtlCompareMemory 0x0 0x121d0 0x9498 0x5098 0x3e1
MmUnmapIoSpace 0x0 0x121d8 0x94a0 0x50a0 0x2ee
MmMapIoSpace 0x0 0x121e0 0x94a8 0x50a8 0x2d0
KeBugCheckEx 0x0 0x121e8 0x94b0 0x50b0 0x213
__C_specific_handler 0x0 0x121f0 0x94b8 0x50b8 0x596
Local AV Matches (1)
Threat Name Severity
Trojan.Agent.EJCG
Malicious
YARA Matches (1)
Rule Name Rule Description Classification Score
RawDisk RawDisk: provides direct access to files, disks and partitions; used by wiper malware - 3/5
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\saddrv.sys Dropped File Binary
Suspicious
Mime Type application/vnd.microsoft.portable-executable
File Size 66.69 KB
MD5 eaea9ccb40c82af8f3867cd0f4dd5e9d
SHA1 7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c
SHA256 cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986
SSDeep 768:mkD7TfQS7D8ueMKxp0pO/Qw+FKebe3vFQFftSJfghVotiTAlLwJidG:33d38uezp0Dw+49tKMgVxAlIiw
ImpHash b262e8d078ede007ebd0aa71b9152863
File Reputation Information
Severity
Suspicious
First Seen 2014-03-04 17:12 (UTC+1)
Last Seen 2020-01-17 10:22 (UTC+1)
Names Win64.PUA.Sigoverrider
Families Sigoverrider
Classification Pua
PE Information
Image Base 0x140000000
Entry Point 0x140000d40
Size Of Code 0x8bc0
Size Of Initialized Data 0x6020
File Type FileType.executable
Subsystem Subsystem.native
Machine Type MachineType.amd64
Compile Timestamp 2008-05-31 02:18:53+00:00
Sections (7)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140000320 0x856e 0x8580 0x320 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.2
.rdata 0x1400088a0 0x2a58 0x2a60 0x88a0 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ 5.6
.data 0x14000b300 0x1d00 0x1d00 0xb300 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.97
.pdata 0x14000d000 0xcf0 0xd00 0xd000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ 4.66
.edata 0x14000dd00 0xa72 0xa80 0xdd00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.33
INIT 0x14000e780 0x638 0x640 0xe780 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.86
.reloc 0x14000edc0 0x13c 0x140 0xedc0 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 3.71
Imports (1)
ntoskrnl.exe (52)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IofCompleteRequest 0x0 0x1400088a0 0xe7a8 0xe7a8 0x1f6
DbgPrint 0x0 0x1400088a8 0xe7b0 0xe7b0 0x31
IoIs32bitProcess 0x0 0x1400088b0 0xe7b8 0xe7b8 0x192
MmFreeContiguousMemory 0x0 0x1400088b8 0xe7c0 0xe7c0 0x2bb
IoFreeMdl 0x0 0x1400088c0 0xe7c8 0xe7c8 0x172
MmGetSystemRoutineAddress 0x0 0x1400088c8 0xe7d0 0xe7d0 0x2c2
RtlInitUnicodeString 0x0 0x1400088d0 0xe7d8 0xe7d8 0x43e
KeCancelTimer 0x0 0x1400088d8 0xe7e0 0xe7e0 0x214
KeInsertQueueDpc 0x0 0x1400088e0 0xe7e8 0xe7e8 0x23d
__C_specific_handler 0x0 0x1400088e8 0xe7f0 0xe7f0 0x596
MmMapLockedPagesSpecifyCache 0x0 0x1400088f0 0xe7f8 0xe7f8 0x2d2
MmUnmapLockedPages 0x0 0x1400088f8 0xe800 0xe800 0x2ef
KeSetTimerEx 0x0 0x140008900 0xe808 0xe808 0x284
ExSetTimerResolution 0x0 0x140008908 0xe810 0xe810 0x8c
IoDeleteDevice 0x0 0x140008910 0xe818 0xe818 0x15f
IoDeleteSymbolicLink 0x0 0x140008918 0xe820 0xe820 0x161
KeSetTargetProcessorDpc 0x0 0x140008920 0xe828 0xe828 0x281
KeSetImportanceDpc 0x0 0x140008928 0xe830 0xe830 0x27c
KeInitializeDpc 0x0 0x140008930 0xe838 0xe838 0x22d
KeInitializeTimerEx 0x0 0x140008938 0xe840 0xe840 0x237
MmGetPhysicalAddress 0x0 0x140008940 0xe848 0xe848 0x2c0
KeQueryActiveProcessors 0x0 0x140008948 0xe850 0xe850 0x24a
MmBuildMdlForNonPagedPool 0x0 0x140008950 0xe858 0xe858 0x2b2
IoAllocateMdl 0x0 0x140008958 0xe860 0xe860 0x133
MmAllocateContiguousMemory 0x0 0x140008960 0xe868 0xe868 0x2ac
IoCreateSymbolicLink 0x0 0x140008968 0xe870 0xe870 0x155
IoCreateDevice 0x0 0x140008970 0xe878 0xe878 0x14c
memchr 0x0 0x140008978 0xe880 0xe880 0x5bb
strncmp 0x0 0x140008980 0xe888 0xe888 0x5ca
PsGetCurrentProcessId 0x0 0x140008988 0xe890 0xe890 0x375
IoGetCurrentProcess 0x0 0x140008990 0xe898 0xe898 0x179
ExFreePoolWithTag 0x0 0x140008998 0xe8a0 0xe8a0 0x58
ExAllocatePoolWithTag 0x0 0x1400089a0 0xe8a8 0xe8a8 0x46
KeDelayExecutionThread 0x0 0x1400089a8 0xe8b0 0xe8b0 0x218
ZwYieldExecution 0x0 0x1400089b0 0xe8b8 0xe8b8 0x595
KeAcquireSpinLockRaiseToDpc 0x0 0x1400089b8 0xe8c0 0xe8c0 0x20c
KeReleaseSpinLock 0x0 0x1400089c0 0xe8c8 0xe8c8 0x265
KeInitializeEvent 0x0 0x1400089c8 0xe8d0 0xe8d0 0x22e
KeSetEvent 0x0 0x1400089d0 0xe8d8 0xe8d8 0x279
KeResetEvent 0x0 0x1400089d8 0xe8e0 0xe8e0 0x26f
KeWaitForSingleObject 0x0 0x1400089e0 0xe8e8 0xe8e8 0x295
ExAcquireFastMutex 0x0 0x1400089e8 0xe8f0 0xe8f0 0x37
ExReleaseFastMutex 0x0 0x1400089f0 0xe8f8 0xe8f8 0x7e
MmUnmapIoSpace 0x0 0x1400089f8 0xe900 0xe900 0x2ee
MmUnlockPages 0x0 0x140008a00 0xe908 0xe908 0x2ed
MmFreePagesFromMdl 0x0 0x140008a08 0xe910 0xe910 0x2bf
MmUnsecureVirtualMemory 0x0 0x140008a10 0xe918 0xe918 0x2f5
MmProtectMdlSystemAddress 0x0 0x140008a18 0xe920 0xe920 0x2e1
MmAllocatePagesForMdl 0x0 0x140008a20 0xe928 0xe928 0x2b0
MmSecureVirtualMemory 0x0 0x140008a28 0xe930 0xe930 0x2e6
MmProbeAndLockPages 0x0 0x140008a30 0xe938 0xe938 0x2de
MmMapIoSpace 0x0 0x140008a38 0xe940 0xe940 0x2d0
Exports (96)
Api name EAT Address Ordinal
AssertMsg1 0x860 0x1
RTAssertDoBreakpoint 0x8700 0x2
RTErrConvertFromNtStatus 0x7710 0x3
RTLogDefaultInstance 0x2be0 0x4
RTLogLogger 0x2c10 0x5
RTLogLoggerEx 0x2c20 0x6
RTLogLoggerExV 0x2c30 0x7
RTLogPrintf 0x2c40 0x8
RTLogPrintfV 0x2c50 0x9
RTLogRelDefaultInstance 0x2bf0 0xa
RTLogSetDefaultInstanceThread 0x2c00 0xb
RTMemAlloc 0x74e0 0xc
RTMemAllocZ 0x7500 0xd
RTMemContAlloc 0x8760 0xe
RTMemContFree 0x87f0 0xf
RTMemExecAlloc 0x7560 0x10
RTMemExecFree 0x7590 0x11
RTMemFree 0x7540 0x12
RTMemRealloc 0x7630 0x13
RTMemTmpAlloc 0x75b0 0x14
RTMemTmpAllocZ 0x75d0 0x15
RTMemTmpFree 0x7610 0x16
RTMpCpuId 0x5540 0x17
RTMpCpuIdFromSetIndex 0x5560 0x18
RTMpCpuIdToSetIndex 0x5550 0x19
RTMpDoesCpuExist 0x55b0 0x1a
RTMpGetCount 0x5cd0 0x1b
RTMpGetMaxCpuId 0x5570 0x1c
RTMpGetOnlineCount 0x5600 0x1d
RTMpGetOnlineSet 0x55e0 0x1e
RTMpGetSet 0x5cb0 0x1f
RTMpIsCpuOnline 0x5580 0x20
RTMpOnAll 0x5860 0x21
RTMpOnOthers 0x5a00 0x22
RTMpOnSpecific 0x5b70 0x23
RTProcSelf 0x5500 0x24
RTR0MemObjAddress 0x6790 0x25
RTR0MemObjAddressR3 0x67e0 0x26
RTR0MemObjAllocCont 0x6cd0 0x27
RTR0MemObjAllocLow 0x6c70 0x28
RTR0MemObjAllocPage 0x6c10 0x29
RTR0MemObjAllocPhys 0x6e90 0x2a
RTR0MemObjAllocPhysNC 0x6f00 0x2b
RTR0MemObjEnterPhys 0x6f70 0x2c
RTR0MemObjFree 0x6930 0x2d
RTR0MemObjGetPagePhysAddr 0x68b0 0x2e
RTR0MemObjIsMapping 0x6740 0x2f
RTR0MemObjLockKernel 0x6e00 0x30
RTR0MemObjLockUser 0x6d30 0x31
RTR0MemObjMapKernel 0x7180 0x32
RTR0MemObjMapUser 0x7310 0x33
RTR0MemObjReserveKernel 0x6ff0 0x34
RTR0MemObjReserveUser 0x7090 0x35
RTR0MemObjSize 0x6860 0x36
RTR0ProcHandleSelf 0x5510 0x37
RTSemEventCreate 0x61a0 0x38
RTSemEventDestroy 0x6200 0x39
RTSemEventMultiCreate 0x5ed0 0x3a
RTSemEventMultiDestroy 0x5f30 0x3b
RTSemEventMultiReset 0x6010 0x3c
RTSemEventMultiSignal 0x5fb0 0x3d
RTSemEventMultiWait 0x6180 0x3e
RTSemEventMultiWaitNoResume 0x6190 0x3f
RTSemEventSignal 0x6250 0x40
RTSemEventWait 0x6370 0x41
RTSemEventWaitNoResume 0x6450 0x42
RTSemFastMutexCreate 0x6530 0x43
RTSemFastMutexDestroy 0x65a0 0x44
RTSemFastMutexRelease 0x6600 0x45
RTSemFastMutexRequest 0x65d0 0x46
RTSpinlockAcquire 0x5ea0 0x47
RTSpinlockAcquireNoInts 0x5e30 0x48
RTSpinlockCreate 0x5dc0 0x49
RTSpinlockDestroy 0x5e00 0x4a
RTSpinlockRelease 0x5ec0 0x4b
RTSpinlockReleaseNoInts 0x5e60 0x4c
RTThreadNativeSelf 0x5d10 0x4d
RTThreadSleep 0x5d20 0x4e
RTThreadYield 0x5d80 0x4f
SUPR0ContAlloc 0x3240 0x50
SUPR0ContFree 0x33d0 0x51
SUPR0GipMap 0x1c30 0x52
SUPR0GipUnmap 0x1de0 0x53
SUPR0LockMem 0x3020 0x54
SUPR0LowAlloc 0x3420 0x55
SUPR0LowFree 0x35d0 0x56
SUPR0MemAlloc 0x3620 0x57
SUPR0MemFree 0x37d0 0x58
SUPR0MemGetPhys 0x1870 0x59
SUPR0ObjAddRef 0x1460 0x5a
SUPR0ObjRegister 0x12a0 0x5b
SUPR0ObjRelease 0x15e0 0x5c
SUPR0ObjVerifyAccess 0x17a0 0x5d
SUPR0PageAlloc 0x3820 0x5e
SUPR0PageFree 0x3a00 0x5f
SUPR0UnlockMem 0x31b0 0x60
Digital Signatures (4)
Certificate: innotek GmbH
Issued by innotek GmbH
Parent Certificate GlobalSign ObjectSign CA
Country Name DE
Valid From 2007-12-27 14:37:17+00:00
Valid Until 2010-12-27 14:37:17+00:00
Algorithm sha1_rsa
Serial Number 01 00 00 00 00 01 17 1C 09 26 65
Thumbprint 32 FA AD EE BF F3 79 AB 63 DE 10 B8 63 6A 9A 93 68 74 32 54
Certificate: GlobalSign ObjectSign CA
Issued by GlobalSign ObjectSign CA
Parent Certificate GlobalSign Primary Object Publishing CA
Country Name BE
Valid From 2004-01-22 09:00:00+00:00
Valid Until 2014-01-27 10:00:00+00:00
Algorithm sha1_rsa
Serial Number 04 00 00 00 00 01 08 D9 61 24 48
Thumbprint 4A 19 14 6D 67 BD 20 84 3A 3A 07 13 58 75 57 BF 51 92 13 CC
Certificate: GlobalSign Primary Object Publishing CA
Issued by GlobalSign Primary Object Publishing CA
Parent Certificate GlobalSign Root CA
Country Name BE
Valid From 1999-01-28 12:00:00+00:00
Valid Until 2014-01-27 11:00:00+00:00
Algorithm sha1_rsa
Serial Number 04 00 00 00 00 01 08 D9 61 1C D6
Thumbprint 98 7F D0 00 DC B1 21 51 7D 72 45 3E E5 17 6E B9 2B 13 63 B9
Certificate: GlobalSign Root CA
Issued by GlobalSign Root CA
Country Name BE
Valid From 2006-05-23 17:00:51+00:00
Valid Until 2016-05-23 17:10:51+00:00
Algorithm sha1_rsa
Serial Number 61 0B 7F 6B 00 00 00 00 00 19
Thumbprint 3E EB 27 50 A1 99 F5 E7 B6 A8 95 24 30 BE 50 62 FE 04 E9 E5
Local AV Matches (1)
Threat Name Severity
Application.Agent.IHX
Suspicious
c:\windows\temp\tmp000000024081e925e0804278 Dropped File Stream
Whitelisted
Mime Type application/octet-stream
File Size 512.00 KB
MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SSDeep 3::
ImpHash None
File Reputation Information
Severity
Whitelisted
First Seen 2013-03-07 02:43 (UTC+1)
Last Seen 2019-04-17 13:50 (UTC+2)
c:\windows\system32\wbem\performance\wmiaprpl.h Dropped File Text
Whitelisted
Also Known As c:\windows\system32\wbem\performance\wmiaprpl_new.h (Dropped File)
Mime Type text/plain
File Size 3.36 KB
MD5 b133a676d139032a27de3d9619e70091
SHA1 1248aa89938a13640252a79113930ede2f26f1fa
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SSDeep 48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
ImpHash None
File Reputation Information
Severity
Whitelisted
First Seen 2013-03-17 16:07 (UTC+1)
Last Seen 2019-04-17 13:50 (UTC+2)
c:\programdata\microsoft\rac\statedata\racmetadata.dat Dropped File Stream
Whitelisted
Mime Type application/octet-stream
File Size 8 Bytes
MD5 896dd6374259bc9338e1665164458347
SHA1 19e89499b3c82ba0d87cf09cc3f03cdf1965a854
SHA256 3465c2b485a4bf81275339119be1a79c7313fc900d2e29ff93cde1bdffc64404
SSDeep 3:1N5:P5
ImpHash None
File Reputation Information
Severity
Whitelisted
First Seen 2012-07-10 08:37 (UTC+2)
Last Seen 2019-04-17 11:47 (UTC+2)
c:\windows\prefetch\consent.exe-65f6206d.pf Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 84.46 KB
MD5 7d5ec96e826ec1de7457d7093193d4c5
SHA1 f538592e647cb07dcb3a7050e9cf23ec5e37c0ee
SHA256 4e3a47327a991c8ca95f9af1dc88fe9af8073ebb2e54b423597263ffb3941d29
SSDeep 1536:Zv+ywZ3A3aG8RpfWM6x+HwDsp3IqlPyqVljQw:XgizUHyc
ImpHash None
c:\windows\prefetch\cmd.exe-89305d47.pf Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 8.90 KB
MD5 329e65bf16f57b320a5ffd25a43e828d
SHA1 e730665dfde2edaea9001f659edad8d95416924c
SHA256 a2962be905b7e2ee3321fff258c0510ade265b270fb0647cdd5373bec0e2d6a7
SSDeep 192:dZ6og49uX8z4v8IHO89ktlxrMhCAzDzCLKcsZa:dkvwuK4xOekCz2KcT
ImpHash None
c:\windows\prefetch\dllhost.exe-893ddf55.pf Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 17.08 KB
MD5 dac60d1609df1b1b7f2f8eb62f80f077
SHA1 a3e05bb9e237c64a0a6f51a0c41bf9e1d0ff4507
SHA256 193c58ca67e04677a9d12c4b09f0e6cc1796c32adbb3c5930a3a067231a2788b
SSDeep 192:t/E+qG6hCXtXHWdVun3G09suXDqOxbtb8WlRbbF5OERXtv6dID+V+csWeaO8JaOZ:tBDzdG743EuX3fb8InFbvaIDE+cGyb
ImpHash None
c:\windows\prefetch\dllhost.exe-893ddf55.pf Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 17.08 KB
MD5 caf54eac50575f9c17fcb86d064c41a1
SHA1 fd50f3b304c4bb3789707bdece78c568206b6e3a
SHA256 709640c13234ec4c9e0c01089ab8bdd227d763ec1de53214c257503f811d2224
SSDeep 192:C/F+qG6TCGtsHceun3G09suXDqOxitb8WlRbbF5iGERXtv6dIGuFjcsWEaOeJaOZ:CoDxiW43EuX3Mb8InFo5vaIGIccYb
ImpHash None
c:\windows\prefetch\wmiadap.exe-369df1cd.pf Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 18.94 KB
MD5 beaea81bfa044fa0e49648cc46e0969f
SHA1 e9bfba3d5328631e665a51fc6f66c139928e58d2
SHA256 4efc853c5a53ff2733df528ff395c8928b80fb8cf7e125234c39388363a84242
SSDeep 384:eED3vjP4ARQiIqvIbfUHbrIu1nDFw+vkMOfxcLax:bLLi8Ibf0fIu1nDBMM0xcc
ImpHash None
c:\windows\system32\winevt\logs\microsoft-windows-reliabilityanalysiscomponent%4operational.evtx Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 68.00 KB
MD5 0073ef821f9726dc2d72828493a5ee8a
SHA1 66758bfeaaf170f65eccf8f2315eab826657c6d2
SHA256 4047b59986d05387db1c36feba739af8769d9a785612b0a4995679f3c3753ad4
SSDeep 384:3hu5q65Z5o5MP5S5v5X5Q5Y5l5p5V5A5W5t5k525Y5l53v5k5j5P5A5F5z555l5B:3rdVncAuMFkusi4m2N+KO5en+93RQ
ImpHash None
c:\programdata\microsoft\rac\statedata\racwmidatabookmarks.dat Dropped File Image
Unknown
Mime Type image/x-tga
File Size 16.03 KB
MD5 0953358568aac2b57f03c84bdf3c3f8e
SHA1 adce0e4a32d04d498a1e981763c9904a0758e160
SHA256 639a73952a0655dfd8add7668a4bd1dcb91c9e3bab768cf803439d8666d697e4
SSDeep 12:2iEv0ylGLqmQEXe1+p1IqAkQye1+hUWlkA3MTaFHj:2VMmrEXS+pUkbS+hL3MTaFD
ImpHash None
c:\programdata\microsoft\rac\statedata\racwmidatabookmarks.dat Dropped File Image
Unknown
Mime Type image/x-tga
File Size 16.03 KB
MD5 20659bbe0742ab12a2bff2236491bf84
SHA1 9ba4c18a5c5c32a48147b43e4b4ebd8ed38a7ecd
SHA256 c0edd2bf1561cf84a6dffb9b1b075e322e6ea0a7e1922afcd802b50260e995e8
SSDeep 12:2iEvUWQ1ylGLqmQEXe1+p1IqAkQye1+hUWlkA3MTaFHj:2Vs1mrEXS+pUkbS+hL3MTaFD
ImpHash None
c:\programdata\microsoft\rac\statedata\racwmieventdata.dat Dropped File Image
Unknown
Mime Type image/x-tga
File Size 32.03 KB
MD5 0eba518608b2456c902acb51d2d71937
SHA1 e038fe5e7086f91a9f4da1dfd59ace114eede3e0
SHA256 ebdab49f3a5889e5342bb9a2e171d0a9a46ddba15dd10e61b3004a201552a097
SSDeep 384:i2iXcAMBlQYtjS3lVoPFSgZPYKpcyvbPl2oS+5r:it4Ji1g1YK2Ab
ImpHash None
c:\programdata\microsoft\rac\publisheddata\racwmidatabase.sdf Dropped File Stream
Unknown
Mime Type application/octet-stream
File Size 276.00 KB
MD5 d76821bf2bec9b21393bf820b8a8ccc6
SHA1 6a856f19d6e915180ec264ca4b1aa5ccdfed9473
SHA256 13e4c516de91d279e8312d366238adbb53edb3f29d988e3701ab548ba6cfe3ba
SSDeep 768:gUU9HO/hV8naFy6FcPu58EmVKAHaJBxq3/2UBb57Fxl1RmX49hqCZ2ik:gUU9O/kaFDJCFg
ImpHash None
c:\programdata\microsoft\rac\temp\sql448f.tmp Dropped File Stream
Unknown
Mime Type application/octet-stream
File Size 20.00 KB
MD5 89b376277dd724dff0de6c2908552037
SHA1 1cc7bfda59e382bea4b16890e955983ddfe40ded
SHA256 a6784231bc525e8a55dd3040e8db7b53326b4dc7254f14e7f87bf3549c7d34fe
SSDeep 3:19l//cI0/klsl7ulI/l/1nExWl1t/dlRht5Bl9lztlUI1Xlldl0lcNklltlwzl4O:hUuEK231tpht7lH4I10cAe
ImpHash None
c:\programdata\microsoft\rac\statedata\racdatabase.sdf Dropped File Stream
Unknown
Mime Type application/octet-stream
File Size 532.00 KB
MD5 c3cdebb982c49b348c18b2ce84a1ce6e
SHA1 67c914d59ea85d6bca10f1728a9564c7ed981619
SHA256 9c86cb5b78f382c5c7e5ad03a3f4e2bb2f39c545384551b61184d4008f605d6d
SSDeep 768:3MYekt1LFp+lB0JktO+hktdL3Q2fSAa4jNO4ksl/+sM5+GPof0sApkth/G:ZprvCE/lG
ImpHash None
c:\programdata\microsoft\rac\temp\sql447e.tmp Dropped File Stream
Unknown
Mime Type application/octet-stream
File Size 20.00 KB
MD5 ebfc610a9e946f1ce044bc87f5783ce5
SHA1 9ea0997265042366d74ccca97b3d74b57e35c39d
SHA256 eaf5f1b7ce4432ae916c85dac671ac4d3b18336f9b7cf3a63e59faa8f426a321
SSDeep 3:zvcI0/klsl7ulI/l/1nExWl1t/dlwOlGI1Xlldl0lcNklltlwzl4hR/mll:zEuEK231t7GI10cAe
ImpHash None
c:\windows\system32\winevt\logs\microsoft-windows-windows defender%4whc.evtx Dropped File Stream
Unknown
Mime Type application/octet-stream
File Size 68.00 KB
MD5 d4e7b4baf49953c51674f43ab5cdea8e
SHA1 4a3b81d2bb2fccc059101eed1d50336af5b8f1ea
SHA256 c862432260d68be5d0499fcd0a0848b1d2ea4b1645fb3e69f2f5205e0f62960b
SSDeep 384:lhxfoNfyfKfNfXfef3fYf5fAfffZhfMfVfhfYfSfWfyfVfVfefZpfNfkfJfXf4fg:lco
ImpHash None
c:\windows\system32\winevt\logs\security.evtx Dropped File Stream
Unknown
»
Mime Type application/octet-stream
File Size 1.07 MB
MD5 bf455551ab6f79cebd3616fec6b7aca5 Copy to Clipboard
SHA1 ba510aab82f9977e9a6758ad9c5a37179bf72cdb Copy to Clipboard
SHA256 c13f288c49027fb9bd655773a0106aaf39513e0c40d9cdebd9da13124867be1c Copy to Clipboard
SSDeep 3072:gLO7IqpT9tOervMEDrPJVtHJLv3BaHDUH:RGervMEpVtHJL/ Copy to Clipboard
ImpHash None Copy to Clipboard
c:\windows\system32\winevt\logs\system.evtx Dropped File Stream
Unknown
»
Mime Type application/octet-stream
File Size 2.07 MB
MD5 16043a3b147a7a798f11435ea3e6b85f Copy to Clipboard
SHA1 0c2999b8402633315477073619c646cd3b272dc2 Copy to Clipboard
SHA256 a6898ae74eb0afc9ce82dd8a0ff969e18ecf75eb77a88628f2108011c55e1b83 Copy to Clipboard
SSDeep 3072:NoTv/6mL9hPV6qtyN1md1uk0aBKUPRXeEFEvP0+qylefLd9TyTLzG/EW9QebZOno:ag1wz0VgGjS Copy to Clipboard
ImpHash None Copy to Clipboard
c:\windows\system32\winevt\logs\microsoft-windows-networkprofile%4operational.evtx Dropped File Stream
Unknown
»
Mime Type application/octet-stream
File Size 1.00 MB
MD5 7a370f7e9a85e41417f01e2d5507a0c4 Copy to Clipboard
SHA1 bfa3eb61b670887e6cc2e89a6530846ed416e667 Copy to Clipboard
SHA256 fcd74d4711295a34d2033eacda26d828cd616af6322d42d5a304509cc845951f Copy to Clipboard
SSDeep 384:nh91N1QDB101U1k1+1g141r171A1G1T1N1b1y161R1J1e1i1E1hX1S31F1l1h1aO:neDOgcdxdY8vlgrLLlyT Copy to Clipboard
ImpHash None Copy to Clipboard
c:\windows\system32\winevt\logs\microsoft-windows-windows firewall with advanced security%4firewall.evtx Dropped File Stream
Unknown
»
Mime Type application/octet-stream
File Size 1.00 MB
MD5 a5a2ab1ab10abf66bae61577d782810a Copy to Clipboard
SHA1 0959291f47a2dec2755494ec26a8a9b1d2dd788c Copy to Clipboard
SHA256 ecc457c398d6dfd5af3b7d8d25dcb75056f40ab55a4b121c407d96e4d0ba0674 Copy to Clipboard
SSDeep 384:2hNBwBrmBwBABwBbIbEBwBEBwBeBwBHBwBFBwBtWBwBUBwB9BwBaBwBuEBwBFwBl:2aIb/hkSr8PGhro13g1KQbZ0Rg Copy to Clipboard
ImpHash None Copy to Clipboard
c:\windows\system32\winevt\logs\microsoft-windows-dhcpv6-client%4admin.evtx Dropped File Stream
Unknown
»
Mime Type application/octet-stream
File Size 68.00 KB
MD5 017d02e05324cb0c2af4aa7d542c7487 Copy to Clipboard
SHA1 9a6eb8baddc73e4ee0efaabfc8e892558326d6a9 Copy to Clipboard
SHA256 e587655776534c8e51c34294d6d93e3cdeb86ee37df301da269057cf2c34c777 Copy to Clipboard
SSDeep 384:AhdtKDtotS/tSPtS7tSKtSTtSntS/tSntSNtSlptSbtSbtSPtS2tS7tSRtS7tSeO:AoAH Copy to Clipboard
ImpHash None Copy to Clipboard
c:\windows\serviceprofiles\localservice\appdata\local\lastalive0.dat Dropped File Stream
Unknown
»
Mime Type application/octet-stream
File Size 2.00 KB
MD5 7b0eac445e0f5d9368b0b7570918e100 Copy to Clipboard
SHA1 2d3906e63dc5e2123603e2d92068c5519c007d53 Copy to Clipboard
SHA256 2be019294c541494ed360d336df2dc827c9a76f5b81f11d53f17918f62f5d906 Copy to Clipboard
SSDeep 3:Alylcl/ts/l/l/Gj/:6/sGj Copy to Clipboard
ImpHash None Copy to Clipboard
c:\windows\system32\winevt\logs\microsoft-windows-windowsbackup%4actioncenter.evtx Dropped File Stream
Unknown
»
Mime Type application/octet-stream
File Size 68.00 KB
MD5 a288ae113dfd9cf4dffdbb48158bd7b3 Copy to Clipboard
SHA1 d4b80c7cbe620e389d96b9d5f641ff92b3c2fa55 Copy to Clipboard
SHA256 f93638e9f65d3b5ab4c5289d2b477df5feff363bccfe2bd0aee0a1b6a647a1bb Copy to Clipboard
SSDeep 384:4ghVIbI5IVF5IXIHIRIGIrIHIbI2IwIeITI:4g Copy to Clipboard
ImpHash None Copy to Clipboard
c:\windows\windowsupdate.log Dropped File Text
Unknown
»
Mime Type text/plain
File Size 124.35 KB
MD5 04bee204c291075b50b2c61c172aabd1 Copy to Clipboard
SHA1 9fa7ce6187efae6e07d3e20fca952f77353bc81d Copy to Clipboard
SHA256 bae3b38f26053adc3ea4a47e953fab696d23c6b2a4e95ceb42bbc3f57c45434e Copy to Clipboard
SSDeep 1536:Zsg7dbDb2V2Hx9Lpb5GK/7rH4ANQicMh/eYyw/v6NNVZa93:GK/7UYyu Copy to Clipboard
ImpHash None Copy to Clipboard
c:\programdata\microsoft\windows defender\support\mplog-07132009-221054.log Dropped File Text
Unknown
»
Mime Type text/plain
File Size 196.60 KB
MD5 2751e73038ce8c9a3a467c3218648b12 Copy to Clipboard
SHA1 e953abcdb8be6fca88cc25e3971424da6bcd95d7 Copy to Clipboard
SHA256 ddffb69a5ca450d71bb62030ef62d6b802bc115a705e3d990997d29f566f7271 Copy to Clipboard
SSDeep 384:jlf+97bKwrfuwPDzABzmsFXTRbcQ1wL8Oi2BoeyWk97tzE285pFmc47D4qxKptTH:kPDzABzmsFXV+ROBzEZ5pJDKx9XiIKhJ Copy to Clipboard
ImpHash None Copy to Clipboard
c:\windows\system32\winevt\logs\microsoft-windows-windowsupdateclient%4operational.evtx Dropped File Stream
Unknown
»
Mime Type application/octet-stream
File Size 68.00 KB
MD5 59ad9bde61c9adaddaf15af9b3fcb7b0 Copy to Clipboard
SHA1 4d3bf4b32ec8b47db019d7880cca82542d19d562 Copy to Clipboard
SHA256 99e8fa6415f448ddbeba2745fe7b0668c5970c53c04c3687230f7d6055c3f453 Copy to Clipboard
SSDeep 384:0gh0jxj6jRjFjijqjOjKjUajIjIijOrjyIj4qjujNjij4kjlEjz9jGpj4jjPjAj4:0gRdi+OChL+3GA Copy to Clipboard
ImpHash None Copy to Clipboard
c:\windows\serviceprofiles\localservice\appdata\local\lastalive1.dat Dropped File Stream
Unknown
»
Mime Type application/octet-stream
File Size 2.00 KB
MD5 06ec0861a16d0404719c0245bd4a985d Copy to Clipboard
SHA1 b4114acc407ddeb1e9f5060d4627ed082e4b4ed1 Copy to Clipboard
SHA256 6ee21e2e035c7b3aab0ef97213539816bc77d94a15b8474b840071260298d59d Copy to Clipboard
SSDeep 3:AlzMRl/l/s/l/l/g1:Gw/sg Copy to Clipboard
ImpHash None Copy to Clipboard