zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe
This report is generated from a file or URL submitted to this webservice on April 1st 2016 17:21:33 (UTC), with action script "Random desktop theme"
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v3.41 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access
  - Contains ability to listen for incoming connections
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
- Fingerprint
  - Contains ability to lookup the Windows account name
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Network Behavior
  - Contacts 1 host
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 6
Anti-Detection/Stealthiness
Modifies file/console tracing settings (often used to hide footprints on system)
- details
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLEFILETRACING"; Value: "00000000")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLECONSOLETRACING"; Value: "00000000")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "FILETRACINGMASK"; Value: "0000FFFF")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "CONSOLETRACINGMASK"; Value: "0000FFFF")
- source: Registry Access
- relevance: 5/10
External Systems
Sample was identified as malicious by a large number of Antivirus engines
- details
  - 51/57 Antivirus vendors marked sample as malicious (89% detection rate)
  - 25/41 Antivirus vendors marked sample as malicious (60% detection rate)
- source: Anti-Virus Test Result
- relevance: 10/10
Sample was identified as malicious by at least one Antivirus engine
- details
  - 51/57 Antivirus vendors marked sample as malicious (89% detection rate)
  - 25/41 Antivirus vendors marked sample as malicious (60% detection rate)
- source: Anti-Virus Test Result
- relevance: 8/10
Network Related
Malicious artifacts seen in the context of a contacted host
- details
  - Found malicious artifacts related to "5.199.171.47" (ASN: 59642, Owner: UAB DUOMENU CENTRAS): ...
- source: Network Traffic
- relevance: 10/10
Unusual Characteristics
Contains native function calls
- details
  - NtSetSystemInformation@NTDLL.DLL at 00117734-00001976-779F228D-163984
- source: StaticStream (Disassembly)
- relevance: 5/10
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version
Suspicious Indicators 17
Anti-Detection/Stealthiness
Contains ability to open a service
- details
  - OpenServiceW@SECHOST.DLL at 00117734-00001976-779F228D-157766
  - OpenServiceA@SECHOST.DLL at 00117734-00001976-779F228D-162581
  - OpenServiceA@SECHOST.DLL at 00117734-00001976-779F228D-162582
- source: StaticStream (Disassembly)
- relevance: 8/10
Queries kernel debugger information
- details
  - "<Input Sample>" at 00117734-00001976-779D61F8-123860
- source: API Call
- relevance: 6/10
Sets the process error mode to suppress error box
- details
  - "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source: API Call
- relevance: 8/10
Anti-Reverse Engineering
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details
  - Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- source: API Call
- relevance: 10/10
PE file has unusual entropy sections
- details
  - .text with unusual entropies 7.7915567536
- source: Static Parser
- relevance: 10/10
Environment Awareness
Contains ability to query the machine version
- details
  - RasRpcGetVersion@RASMAN.DLL at 00117734-00001976-779F228D-162129
- source: StaticStream (Disassembly)
- relevance: 1/10
Reads the cryptographic machine GUID
- details
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
Installation/Persistence
Creates/touches files in Windows directory
- details
  - "<Input Sample>" created file "%WINDIR%\assembly\pubpol15.dat"
  - "<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\config\machine.config"
  - "<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll"
  - "<Input Sample>" created file "%WINDIR%\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp"
  - "<Input Sample>" created file "%WINDIR%\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp"
  - "<Input Sample>" created file "%WINDIR%\system32\rsaenh.dll"
  - "<Input Sample>" created file "%WINDIR%\FONTS\TAHOMA.TTF"
  - "<Input Sample>" created file "%WINDIR%\FONTS\MSJH.TTF"
  - "<Input Sample>" created file "%WINDIR%\FONTS\MSYH.TTF"
  - "<Input Sample>" created file "%WINDIR%\FONTS\MALGUN.TTF"
  - "<Input Sample>" created file "%WINDIR%\FONTS\MICROSS.TTF"
- source: API Call
- relevance: 7/10
Modifies auto-execute functionality by setting/creating a value in the registry
- details
  - "<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "FILERESCUE"; Value: "C:\ZeroLocker\ZeroRescue.exe")
- source: Registry Access
- relevance: 8/10
Network Related
Contains ability to listen for incoming connections
- details
  - RasPortListen@RASMAN.DLL at 00117734-00001976-779F228D-161891
- source: StaticStream (Disassembly)
- relevance: 5/10
Found potential IP address in binary/memory
- details
  - "3.23.12.12"
- source: String
- relevance: 3/10
System Destruction
Marks file for deletion
- details
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\ZeroLocker\ZeroRescue.exe" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\ZeroLocker\temp.dat" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\$Recycle.Bin\S-1-5-21-4162757579-3804539371-4239455898-1000\desktop.ini" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.msi" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.xml" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0015-0407-0000-0000000FF1CE}-C\Setup.xml" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0016-0407-0000-0000000FF1CE}-C\ExcelLR.cab" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0016-0407-0000-0000000FF1CE}-C\ExcelMUI.msi" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0016-0407-0000-0000000FF1CE}-C\ExcelMUI.xml" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0016-0407-0000-0000000FF1CE}-C\Setup.xml" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0018-0407-0000-0000000FF1CE}-C\PowerPointMUI.msi" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0018-0407-0000-0000000FF1CE}-C\PowerPointMUI.xml" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0018-0407-0000-0000000FF1CE}-C\PptLR.cab" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0018-0407-0000-0000000FF1CE}-C\Setup.xml" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0019-0407-0000-0000000FF1CE}-C\PublisherMUI.msi" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0019-0407-0000-0000000FF1CE}-C\PublisherMUI.xml" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0019-0407-0000-0000000FF1CE}-C\PubLR.cab" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-0019-0407-0000-0000000FF1CE}-C\Setup.xml" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-001A-0407-0000-0000000FF1CE}-C\OutlkLR.cab" for deletion
  - "%SAMPLEDIR%\zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe" marked "%SAMPLEDIR%\MSOCache\All Users\{90120000-001A-0407-0000-0000000FF1CE}-C\OutlookMUI.msi" for deletion
- source: API Call
- relevance: 10/10
Opens file with deletion access rights
- details
  - "<Input Sample>" opened "C:\ZeroLocker\ZeroRescue.exe" with delete access
  - "<Input Sample>" opened "C:\ZeroLocker\temp.dat" with delete access
  - "<Input Sample>" opened "C:\$Recycle.Bin\S-1-5-21-4162757579-3804539371-4239455898-1000\desktop.ini" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.msi" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.xml" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0015-0407-0000-0000000FF1CE}-C\Setup.xml" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0016-0407-0000-0000000FF1CE}-C\ExcelLR.cab" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0016-0407-0000-0000000FF1CE}-C\ExcelMUI.msi" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0016-0407-0000-0000000FF1CE}-C\ExcelMUI.xml" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0016-0407-0000-0000000FF1CE}-C\Setup.xml" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0018-0407-0000-0000000FF1CE}-C\PowerPointMUI.msi" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0018-0407-0000-0000000FF1CE}-C\PowerPointMUI.xml" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0018-0407-0000-0000000FF1CE}-C\PptLR.cab" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0018-0407-0000-0000000FF1CE}-C\Setup.xml" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0019-0407-0000-0000000FF1CE}-C\PublisherMUI.msi" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0019-0407-0000-0000000FF1CE}-C\PublisherMUI.xml" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0019-0407-0000-0000000FF1CE}-C\PubLR.cab" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-0019-0407-0000-0000000FF1CE}-C\Setup.xml" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-001A-0407-0000-0000000FF1CE}-C\OutlkLR.cab" with delete access
  - "<Input Sample>" opened "C:\MSOCache\All Users\{90120000-001A-0407-0000-0000000FF1CE}-C\OutlookMUI.msi" with delete access
- source: API Call
- relevance: 7/10
Unusual Characteristics
Installs hooks/patches the running process
- details
  - "<Input Sample>" wrote bytes "C0EE0817" to virtual address "0x69871FDC" (part of module "MSCORWKS.DLL")
- source: Hooks
- relevance: 10/10
Reads information about supported languages
- details
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
Informative 9
General
Contacts server
- details
  - "5.199.171.47:80"
- source: Network Traffic
- relevance: 1/10
Contains PDB pathways
- details
  - "%USERPROFILE%\Desktop\Projects\ZeroLocker\Testing Stuff\Testing Stuff\obj\Debug\Task Manager.pdb"
- source: String
- relevance: 1/10
Creates mutants
- details
  - "Global\.net clr networking"
- source: Created Mutant
- relevance: 3/10
Loads modules at runtime
- details
  - "<Input Sample>" loaded module "%WINDIR%\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CULTURE.DLL" at base 60340000
  - "<Input Sample>" loaded module "%WINDIR%\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM\9E0A3B9B9F457233A335D7FBA8F95419\SYSTEM.NI.DLL" at base 6A1A0000
  - "<Input Sample>" loaded module "CRYPTSP.DLL" at base 75560000
  - "<Input Sample>" loaded module "%WINDIR%\SYSTEM32\RSAENH.DLL" at base 75300000
  - "<Input Sample>" loaded module "ADVAPI32.DLL" at base 77080000
  - "<Input Sample>" loaded module "CRYPTBASE.DLL" at base 75A30000
  - "<Input Sample>" loaded module "%WINDIR%\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALBAS#\08D608378AA405ADC844F3CF36974B8C\MICROSOFT.VISUALBASIC.NI.DLL" at base 6BB40000
  - "<Input Sample>" loaded module "%WINDIR%\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.DRAWING\DBFE8642A8ED7B2B103AD28E0C96418A\SYSTEM.DRAWING.NI.DLL" at base 69640000
  - "<Input Sample>" loaded module "%WINDIR%\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.WINDOWS.FORMS\3AFCD5168C7A6CB02EAB99D7FD71E102\SYSTEM.WINDOWS.FORMS.NI.DLL" at base 68A60000
  - "<Input Sample>" loaded module "USER32.DLL" at base 75E70000
  - "<Input Sample>" loaded module "GDI32.DLL" at base 76240000
  - "<Input Sample>" loaded module "%WINDIR%\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.RUNTIME.REMO#\5CAE93D923C8378370758489E5535820\SYSTEM.RUNTIME.REMOTING.NI.DLL" at base 68990000
  - "<Input Sample>" loaded module "UXTHEME.DLL" at base 74820000
  - "<Input Sample>" loaded module "MSCOREE.DLL" at base 6B710000
  - "<Input Sample>" loaded module "GDIPLUS.DLL" at base 74690000
  - "<Input Sample>" loaded module "%WINDIR%\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.7601.17514_NONE_72D18A4386696C80\GDIPLUS.DLL" at base 74690000
  - "<Input Sample>" loaded module "API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL" at base 77430000
  - "<Input Sample>" loaded module "WINDOWSCODECS.DLL" at base 742F0000
- source: API Call
- relevance: 1/10
Loads the .NET runtime environment
- details
  - "<Input Sample>" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll" at 6A940000
- source: Loaded Module
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
  - "LoadLibraryShim_RetAddr@mscoreei.dll"
  - "LoadLibraryShim@mscoreei.dll"
  - "ConvertLangIdToCultureName@culture.dll"
  - "CryptAcquireContextW@CRYPTSP.dll"
  - "CPAcquireContext@rsaenh.dll"
  - "CPReleaseContext@rsaenh.dll"
  - "CPGenKey@rsaenh.dll"
  - "CPDeriveKey@rsaenh.dll"
  - "CPDestroyKey@rsaenh.dll"
  - "CPSetKeyParam@rsaenh.dll"
  - "CPGetKeyParam@rsaenh.dll"
  - "CPExportKey@rsaenh.dll"
  - "CPImportKey@rsaenh.dll"
  - "CPEncrypt@rsaenh.dll"
  - "CPDecrypt@rsaenh.dll"
  - "CPCreateHash@rsaenh.dll"
  - "CPHashData@rsaenh.dll"
  - "CPHashSessionKey@rsaenh.dll"
  - "CPDestroyHash@rsaenh.dll"
  - "CPSignHash@rsaenh.dll"
- source: API Call
- relevance: 1/10
Installation/Persistence
Contains ability to lookup the Windows account name
- details
  - LookupAccountNameLocalW@SECHOST.DLL at 00117734-00001976-779F228D-166025
- source: StaticStream (Disassembly)
- relevance: 5/10
Dropped files
- details
  - "address.dat" has type "UTF-8 Unicode (with BOM) text with no line terminators"
  - "AccessMUI.msi.encrypt" has type "data"
  - "AccessMUI.xml.encrypt" has type "data"
  - "Setup.xml.encrypt" has type "data"
  - "ExcelMUI.msi.encrypt" has type "data"
  - "ExcelMUI.xml.encrypt" has type "data"
  - "PowerPointMUI.msi.encrypt" has type "data"
  - "PowerPointMUI.xml.encrypt" has type "data"
  - "PublisherMUI.msi.encrypt" has type "data"
  - "PublisherMUI.xml.encrypt" has type "data"
  - "OutlookMUI.msi.encrypt" has type "data"
  - "OutlookMUI.xml.encrypt" has type "data"
  - "WordMUI.msi.encrypt" has type "data"
  - "WordMUI.xml.encrypt" has type "data"
  - "Proofing.msi.encrypt" has type "data"
  - "Proofing.xml.encrypt" has type "data"
  - "Proof.msi.encrypt" has type "data"
  - "Proof.xml.encrypt" has type "data"
  - "branding.xml.encrypt" has type "data"
  - "DW20.EXE.encrypt" has type "data"
- source: Dropped File
- relevance: 3/10
Network Related
Found potential URL in binary/memory
- details
  - Heuristic match: "TaskManager.My"
- source: String
- relevance: 10/10
File Details
- Filename: zerolocker_d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe
- Size: 398KiB (407552 bytes)
- Type: peexe assembly executable
- Description: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Architecture: WINDOWS
- SHA256: d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa
- MD5: bd0a3c308a6d3372817a474b7c653097
- SHA1: 5ed36132872be3d5d94627b89f15a7369f68fba1
- ssdeep: 6144:tYcn3ge+gqzsSALff2TRLz1lTl8TFPUW+8sSZJMidVmXmVcXHU:ttQe+PzsfX2Tpz1daaWnVIgcE
- imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- authentihash: da65f12236b46ce6b13530296a128a723ad66df46ea7ba592acfcd1e3af0086c
Version Info
- Translation: 0x0000 0x04b0
- LegalCopyright: Copyright 2014
- Assembly Version: 3.23.12.12
- InternalName: Task Manager.exe
- FileVersion: 3.23.12.12
- ProductName: Task Manager
- ProductVersion: 3.23.12.12
- FileDescription: Task Manager
- OriginalFilename: Task Manager.exe
Classification (TrID)
- 56.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.)
- 21.4% (.EXE) Win64 Executable (generic)
- 10.1% (.SCR) Windows Screen Saver
- 5.0% (.DLL) Win32 Dynamic Link Library (generic)
- 3.4% (.EXE) Win32 Executable (generic)
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
5.199.171.47 | 80 TCP | - | Lithuania, ASN: 59642 (UAB DUOMENU CENTRAS)
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 20 extracted file(s). The remaining 17 file(s) are available in the full version and XML/JSON reports.
Informative 20
AccessMUI.msi.encrypt
- Size: 1.6MiB (1660432 bytes)
- Type: data
- MD5: ea6a13191e264f8186da7ba0cfc5ab55
- SHA1: 719e8801768ef287edfbcf7d391b28eab0aa4f0b
- SHA256: 745498986df58fef861a4b7b336f31f1bfb272d68c1b8eb7d99b5b2470cf1274
AccessMUI.xml.encrypt
- Size: 1.3KiB (1360 bytes)
- Type: data
- MD5: 35f7afb86a5969eb284776cd3198bb7b
- SHA1: 8b0f28e11daf0ef8011f3360e80d8c6aead5fa96
- SHA256: 9722954e29304a6658ecc3dbbdd3c51e79bb5d0fbaaa2db751d34fa6392facb4
Setup.xml.encrypt
- Size: 31KiB (31680 bytes)
- Type: data
- MD5: c4439ca559e046f961f1f8b2ab99c285
- SHA1: 2c5c523cd6ce6ed55498293e1b4fa310fc581f41
- SHA256: a9cbb79092fd621abe7b869933c5112f64625a9e6f13a559f2ce598194144fcf
ExcelMUI.msi.encrypt
- Size: 1.7MiB (1756176 bytes)
- Type: data
- MD5: 21896b718649aba4fa5ab7bb797e0403
- SHA1: 2a9896b4199c260ffad60aedd1e69fe01f8ecc36
- SHA256: 798ed57f52bfb0e5a8106983943cf8b3f9f8ce93eeb1c7045f50d01b853c62fb
ExcelMUI.xml.encrypt
- Size: 1.9KiB (1936 bytes)
- Type: data
- MD5: 11f2a853cccda63e6b960bc0720f3b7b
- SHA1: e8b765eb37cf61db2e9c6e381503fac66a7d007c
- SHA256: c69e2018ca98f41e749308329cd4f1e1b0496840015c4b3d02a6364e6bbdad4e
PowerPointMUI.msi.encrypt
- Size: 1.6MiB (1648144 bytes)
- Type: data
- MD5: 6b930bf2886f6130fbf11caa047f44a6
- SHA1: 941ba884d7ceecaf246f695a8deda25b4d867304
- SHA256: d363e976ee04a36928aa75bd2b7d9af26be156aa9c4d1ef76521837ce82cb079
PowerPointMUI.xml.encrypt
- Size: 1.5KiB (1568 bytes)
- Type: data
- MD5: 303ed18f5d128a3be42d1ef79553e2e0
- SHA1: 9da73ae3b0be1022044a7da3e6b96ba5aedc6f10
- SHA256: afbde5902dd5dd30181e6e4767c238f7dc8b39417bfa21d29c9285a26b81b40b
PublisherMUI.msi.encrypt
- Size: 1.6MiB (1658896 bytes)
- Type: data
- MD5: 84b2d0e2b9ae21c55f5fd6a032ad0c25
- SHA1: f3edd640c29c4a33784e53638486fde0536ddbdb
- SHA256: 4e0201aa6f8d33ea5453ac0aeda75d68bb6f2fd138661835a2dfca2e1cf2ad01
PublisherMUI.xml.encrypt
- Size: 1.4KiB (1472 bytes)
- Type: data
- MD5: 2f5339b725c14e98f98709e2d63d04eb
- SHA1: 7d9035e18d184df804c98aec1ccf12d5d9344c87
- SHA256: 404fe436abfee2b5ff564e5ff44bfb5377f1461d71cdee3f06cee198bd7f969c
OutlookMUI.msi.encrypt
- Size: 1.9MiB (2030096 bytes)
- Type: data
- MD5: adc5901ce62acfbb1a9fcf99284841f4
- SHA1: 5fe383436e860d82c2c5d134591b5262507e97d8
- SHA256: 4499a17bedaf6adef738feea7558ab05ed96cafcc55e08b034901125e5b45b6d
OutlookMUI.xml.encrypt
- Size: 2.9KiB (2960 bytes)
- Type: data
- MD5: 87cebb4e4e56897d462caddf3cc8ec4c
- SHA1: acb4ac603d693874e7743bf58594cfb3502786a9
- SHA256: 3acd0229c77a5ff45934e5aedc1835049c7cc08133b4f4f053d6eb2ef018c5ec
WordMUI.msi.encrypt
- Size: 1.6MiB (1659920 bytes)
- Type: data
- MD5: 5b18c2cd30a350f983fbeeb0a400e25a
- SHA1: e4830afd42bc90e47676c2048b89b0bb9af1a807
- SHA256: ca9a80fe504f8c85e0a7c8f90a8867f2cba59fa108a33733a3102a431350813f
WordMUI.xml.encrypt
- Size: 1.8KiB (1808 bytes)
- Type: data
- MD5: ac67880fc47cb4b884a646e74301c93c
- SHA1: a2f89d9ffed86347a6de61459e988406b80b56ef
- SHA256: 8ae9b3db3f0b1ee4b2a091f366363b6fa8cf2510aa15639f425fa09d46dad4cf
Proof.msi.encrypt
- Size: 2MiB (2054720 bytes)
- Type: data
- MD5: 4e7d5900be5c50c3eb0e1ffbd2b39913
- SHA1: 3ffd7864e6989f210c7e866b3c03f54462f7d2bf
- SHA256: af3213aeb24ad13685687970b4e4d1de1d5b803d69e2c450ccbe2775b72dadf1
Proof.xml.encrypt
- Size: 5.6KiB (5776 bytes)
- Type: data
- MD5: 1b77b1a6fb744bcf7f5df30126578c12
- SHA1: c75573d42c3dfa850be37aedba4a9133548e191e
- SHA256: 4c64a3873d297da1f4f57410232e9bcb834d673cea796c300c5ad452282a23ab
Proofing.msi.encrypt
- Size: 495KiB (506896 bytes)
- Type: data
- MD5: cbe08865ff4787c48bf8619698e4a6e5
- SHA1: 978792a25110dbae9536e4bc5c0d57a5d63f05ac
- SHA256: b7cb96fea11ab0af156018c5b937ece1771ea38e5a3196de77b064273b8fa3aa
Proofing.xml.encrypt
- Size: 816B (816 bytes)
- Type: data
- MD5: 26fb1ecf642aa3be60d65e55afd217b2
- SHA1: 4344a153fcdb029b081533f16f86eb55e7c70fd9
- SHA256: 12d90efdcd359f430bbebb6364d3f3798390f78a3185eda147013b57e3da4e47
dwintl20.dll.encrypt
- Size: 110KiB (112480 bytes)
DW20.EXE.encrypt
- Size: 794KiB (813392 bytes)
- Type: data
- MD5: 15a031fdab6b668e643a0855cb3e4bc1
- SHA1: 97375c41d69c1a815cb31697ad57f956a0f46012
- SHA256: 908afbed0e9586cc65f6226f7849eda6cf6a5cb219d10ee09455eb03acfebf05
Microsoft.VC80.CRT.manifest.encrypt
- Size: 528B (528 bytes)
Notifications
Runtime
- Not all sources for signature ID "api-25" are available in the report
- Not all sources for signature ID "api-26" are available in the report
- Not all sources for signature ID "api-38" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "api-7" are available in the report
- Not all sources for signature ID "api-8" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Parsed the maximum number of dropped files (20), report might not contain information about some dropped files