Malicious
Classifications

Spyware

Threat Names

Lokibot Lokibot.v2 C2/Generic-A

Dynamic Analysis Report

Created on 2022-05-04T15:19:12+00:00

bb36f0ab95d6422a20e81221adeb4033ebdbd7b20337a2557f3f5c3de0a77596.exe

Windows Exe (x86-32)

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "1 minute" to "10 seconds" to reveal dormant functionality.

Remarks

(0x0200004A): 4 dump(s) were skipped because they exceeded the maximum dump size of 7 MB. The largest one was 8 MB.

File Name Category Type Verdict
C:\Users\RDhJ0CNFevzX\Desktop\bb36f0ab95d6422a20e81221adeb4033ebdbd7b20337a2557f3f5c3de0a77596.exe Sample File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 122.89 KB
MD5 5c5d4e3e0dadff03da7b9878acf3e706
SHA1 38a387d18c147245078db39a82f8531816c9d726
SHA256 bb36f0ab95d6422a20e81221adeb4033ebdbd7b20337a2557f3f5c3de0a77596
SSDeep 3072:l1NjcVVnLpPunbxOP+E6zXX3BeTZpqiJ5OboPYtfyr/cDA:HNeZmE29oT5bRYlyr/z
ImpHash 56a78d55f3f7af51443e58e0ce2fb5f6
PE Information
Image Base 0x00400000
Entry Point 0x004034F7
Size Of Code 0x00006600
Size Of Initialized Data 0x00022A00
Size Of Uninitialized Data 0x00000800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2021-09-25 23:55 (UTC+2)
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00006515 0x00006600 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.44
.rdata 0x00408000 0x0000139A 0x00001400 0x00006A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.15
.data 0x0040A000 0x00020338 0x00000600 0x00007E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.01
.ndata 0x0042B000 0x00010000 0x00000000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x0043B000 0x00000A50 0x00000C00 0x00008400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.18
Imports (7)
ADVAPI32.dll (13)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegCreateKeyExW - 0x00408000 0x000085A4 0x00006FA4 0x000001D2
RegEnumKeyW - 0x00408004 0x000085A8 0x00006FA8 0x000001E0
RegQueryValueExW - 0x00408008 0x000085AC 0x00006FAC 0x000001F8
RegSetValueExW - 0x0040800C 0x000085B0 0x00006FB0 0x00000205
RegCloseKey - 0x00408010 0x000085B4 0x00006FB4 0x000001CB
RegDeleteValueW - 0x00408014 0x000085B8 0x00006FB8 0x000001D9
RegDeleteKeyW - 0x00408018 0x000085BC 0x00006FBC 0x000001D7
AdjustTokenPrivileges - 0x0040801C 0x000085C0 0x00006FC0 0x0000001C
LookupPrivilegeValueW - 0x00408020 0x000085C4 0x00006FC4 0x00000150
OpenProcessToken - 0x00408024 0x000085C8 0x00006FC8 0x000001AC
SetFileSecurityW - 0x00408028 0x000085CC 0x00006FCC 0x0000022F
RegOpenKeyExW - 0x0040802C 0x000085D0 0x00006FD0 0x000001ED
RegEnumValueW - 0x00408030 0x000085D4 0x00006FD4 0x000001E2
SHELL32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation - 0x00408178 0x0000871C 0x0000711C 0x000000C3
SHFileOperationW - 0x0040817C 0x00008720 0x00007120 0x0000009B
SHBrowseForFolderW - 0x00408180 0x00008724 0x00007124 0x0000007A
SHGetPathFromIDListW - 0x00408184 0x00008728 0x00007128 0x000000BD
ShellExecuteExW - 0x00408188 0x0000872C 0x0000712C 0x0000010A
SHGetFileInfoW - 0x0040818C 0x00008730 0x00007130 0x000000AD
ole32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
OleInitialize - 0x00408298 0x0000883C 0x0000723C 0x000000EE
OleUninitialize - 0x0040829C 0x00008840 0x00007240 0x00000105
CoCreateInstance - 0x004082A0 0x00008844 0x00007244 0x00000010
IIDFromString - 0x004082A4 0x00008848 0x00007248 0x000000C6
CoTaskMemFree - 0x004082A8 0x0000884C 0x0000724C 0x00000065
COMCTL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000011 0x00408038 0x000085DC 0x00006FDC -
ImageList_Create - 0x0040803C 0x000085E0 0x00006FE0 0x00000037
ImageList_Destroy - 0x00408040 0x000085E4 0x00006FE4 0x00000038
ImageList_AddMasked - 0x00408044 0x000085E8 0x00006FE8 0x00000034
USER32.dll (64)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetClientRect - 0x00408194 0x00008738 0x00007138 0x000000FF
EndPaint - 0x00408198 0x0000873C 0x0000713C 0x000000C8
DrawTextW - 0x0040819C 0x00008740 0x00007140 0x000000BF
IsWindowEnabled - 0x004081A0 0x00008744 0x00007144 0x000001AE
DispatchMessageW - 0x004081A4 0x00008748 0x00007148 0x000000A2
wsprintfA - 0x004081A8 0x0000874C 0x0000714C 0x000002D7
CharNextA - 0x004081AC 0x00008750 0x00007150 0x0000002A
CharPrevW - 0x004081B0 0x00008754 0x00007154 0x0000002F
MessageBoxIndirectW - 0x004081B4 0x00008758 0x00007158 0x000001E3
GetDlgItemTextW - 0x004081B8 0x0000875C 0x0000715C 0x00000114
SetDlgItemTextW - 0x004081BC 0x00008760 0x00007160 0x00000254
GetSystemMetrics - 0x004081C0 0x00008764 0x00007164 0x0000015D
FillRect - 0x004081C4 0x00008768 0x00007168 0x000000E2
AppendMenuW - 0x004081C8 0x0000876C 0x0000716C 0x00000009
TrackPopupMenu - 0x004081CC 0x00008770 0x00007170 0x000002A4
OpenClipboard - 0x004081D0 0x00008774 0x00007174 0x000001F6
SetClipboardData - 0x004081D4 0x00008778 0x00007178 0x0000024A
CloseClipboard - 0x004081D8 0x0000877C 0x0000717C 0x00000042
IsWindowVisible - 0x004081DC 0x00008780 0x00007180 0x000001B1
CallWindowProcW - 0x004081E0 0x00008784 0x00007184 0x0000001C
GetMessagePos - 0x004081E4 0x00008788 0x00007188 0x0000013C
CheckDlgButton - 0x004081E8 0x0000878C 0x0000718C 0x00000038
LoadCursorW - 0x004081EC 0x00008790 0x00007190 0x000001BD
SetCursor - 0x004081F0 0x00008794 0x00007194 0x0000024D
GetSysColor - 0x004081F4 0x00008798 0x00007198 0x0000015A
SetWindowPos - 0x004081F8 0x0000879C 0x0000719C 0x00000283
GetWindowLongW - 0x004081FC 0x000087A0 0x000071A0 0x0000016F
PeekMessageW - 0x00408200 0x000087A4 0x000071A4 0x00000201
SetClassLongW - 0x00408204 0x000087A8 0x000071A8 0x00000248
GetSystemMenu - 0x00408208 0x000087AC 0x000071AC 0x0000015C
EnableMenuItem - 0x0040820C 0x000087B0 0x000071B0 0x000000C2
GetWindowRect - 0x00408210 0x000087B4 0x000071B4 0x00000174
ScreenToClient - 0x00408214 0x000087B8 0x000071B8 0x00000231
EndDialog - 0x00408218 0x000087BC 0x000071BC 0x000000C6
RegisterClassW - 0x0040821C 0x000087C0 0x000071C0 0x00000219
SystemParametersInfoW - 0x00408220 0x000087C4 0x000071C4 0x0000029A
CreateWindowExW - 0x00408224 0x000087C8 0x000071C8 0x00000061
GetClassInfoW - 0x00408228 0x000087CC 0x000071CC 0x000000F9
DialogBoxParamW - 0x0040822C 0x000087D0 0x000071D0 0x0000009F
CharNextW - 0x00408230 0x000087D4 0x000071D4 0x0000002C
ExitWindowsEx - 0x00408234 0x000087D8 0x000071D8 0x000000E1
DestroyWindow - 0x00408238 0x000087DC 0x000071DC 0x00000099
CreateDialogParamW - 0x0040823C 0x000087E0 0x000071E0 0x00000056
SetTimer - 0x00408240 0x000087E4 0x000071E4 0x0000027A
SetWindowTextW - 0x00408244 0x000087E8 0x000071E8 0x00000287
PostQuitMessage - 0x00408248 0x000087EC 0x000071EC 0x00000204
SetForegroundWindow - 0x0040824C 0x000087F0 0x000071F0 0x00000257
ShowWindow - 0x00408250 0x000087F4 0x000071F4 0x00000292
wsprintfW - 0x00408254 0x000087F8 0x000071F8 0x000002D8
SendMessageTimeoutW - 0x00408258 0x000087FC 0x000071FC 0x0000023F
FindWindowExW - 0x0040825C 0x00008800 0x00007200 0x000000E5
IsWindow - 0x00408260 0x00008804 0x00007204 0x000001AD
GetDlgItem - 0x00408264 0x00008808 0x00007208 0x00000111
SetWindowLongW - 0x00408268 0x0000880C 0x0000720C 0x00000281
LoadImageW - 0x0040826C 0x00008810 0x00007210 0x000001C1
GetDC - 0x00408270 0x00008814 0x00007214 0x0000010C
ReleaseDC - 0x00408274 0x00008818 0x00007218 0x0000022A
EnableWindow - 0x00408278 0x0000881C 0x0000721C 0x000000C4
InvalidateRect - 0x0040827C 0x00008820 0x00007220 0x00000193
SendMessageW - 0x00408280 0x00008824 0x00007224 0x00000240
DefWindowProcW - 0x00408284 0x00008828 0x00007228 0x0000008F
BeginPaint - 0x00408288 0x0000882C 0x0000722C 0x0000000D
EmptyClipboard - 0x0040828C 0x00008830 0x00007230 0x000000C1
CreatePopupMenu - 0x00408290 0x00008834 0x00007234 0x0000005E
GDI32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetBkMode - 0x0040804C 0x000085F0 0x00006FF0 0x00000216
SetBkColor - 0x00408050 0x000085F4 0x00006FF4 0x00000215
GetDeviceCaps - 0x00408054 0x000085F8 0x00006FF8 0x0000016B
CreateFontIndirectW - 0x00408058 0x000085FC 0x00006FFC 0x0000003D
CreateBrushIndirect - 0x0040805C 0x00008600 0x00007000 0x00000029
DeleteObject - 0x00408060 0x00008604 0x00007004 0x0000008F
SetTextColor - 0x00408064 0x00008608 0x00007008 0x0000023C
SelectObject - 0x00408068 0x0000860C 0x0000700C 0x0000020E
KERNEL32.dll (65)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetExitCodeProcess - 0x00408070 0x00008614 0x00007014 0x0000015A
WaitForSingleObject - 0x00408074 0x00008618 0x00007018 0x00000390
GetModuleHandleA - 0x00408078 0x0000861C 0x0000701C 0x0000017F
GetProcAddress - 0x0040807C 0x00008620 0x00007020 0x000001A0
GetSystemDirectoryW - 0x00408080 0x00008624 0x00007024 0x000001C2
lstrcatW - 0x00408084 0x00008628 0x00007028 0x000003BE
Sleep - 0x00408088 0x0000862C 0x0000702C 0x00000356
lstrcpyA - 0x0040808C 0x00008630 0x00007030 0x000003C6
WriteFile - 0x00408090 0x00008634 0x00007034 0x000003A4
GetTempFileNameW - 0x00408094 0x00008638 0x00007038 0x000001D4
CreateFileW - 0x00408098 0x0000863C 0x0000703C 0x00000056
lstrcmpiA - 0x0040809C 0x00008640 0x00007040 0x000003C3
RemoveDirectoryW - 0x004080A0 0x00008644 0x00007044 0x000002C5
CreateProcessW - 0x004080A4 0x00008648 0x00007048 0x00000069
CreateDirectoryW - 0x004080A8 0x0000864C 0x0000704C 0x0000004E
GetLastError - 0x004080AC 0x00008650 0x00007050 0x00000171
CreateThread - 0x004080B0 0x00008654 0x00007054 0x0000006F
GlobalLock - 0x004080B4 0x00008658 0x00007058 0x00000203
GlobalUnlock - 0x004080B8 0x0000865C 0x0000705C 0x0000020A
GetDiskFreeSpaceW - 0x004080BC 0x00008660 0x00007060 0x00000150
WideCharToMultiByte - 0x004080C0 0x00008664 0x00007064 0x00000394
lstrcpynW - 0x004080C4 0x00008668 0x00007068 0x000003CA
lstrlenW - 0x004080C8 0x0000866C 0x0000706C 0x000003CD
SetErrorMode - 0x004080CC 0x00008670 0x00007070 0x00000315
GetVersionExW - 0x004080D0 0x00008674 0x00007074 0x000001EA
GetCommandLineW - 0x004080D4 0x00008678 0x00007078 0x00000111
GetTempPathW - 0x004080D8 0x0000867C 0x0000707C 0x000001D6
GetWindowsDirectoryW - 0x004080DC 0x00008680 0x00007080 0x000001F4
SetEnvironmentVariableW - 0x004080E0 0x00008684 0x00007084 0x00000314
CopyFileW - 0x004080E4 0x00008688 0x00007088 0x00000046
ExitProcess - 0x004080E8 0x0000868C 0x0000708C 0x000000B9
GetCurrentProcess - 0x004080EC 0x00008690 0x00007090 0x00000142
GetModuleFileNameW - 0x004080F0 0x00008694 0x00007094 0x0000017E
GetFileSize - 0x004080F4 0x00008698 0x00007098 0x00000163
GetTickCount - 0x004080F8 0x0000869C 0x0000709C 0x000001DF
MulDiv - 0x004080FC 0x000086A0 0x000070A0 0x00000274
SetFileAttributesW - 0x00408100 0x000086A4 0x000070A4 0x0000031A
GetFileAttributesW - 0x00408104 0x000086A8 0x000070A8 0x00000161
SetCurrentDirectoryW - 0x00408108 0x000086AC 0x000070AC 0x0000030B
MoveFileW - 0x0040810C 0x000086B0 0x000070B0 0x00000271
GetFullPathNameW - 0x00408110 0x000086B4 0x000070B4 0x0000016A
GetShortPathNameW - 0x00408114 0x000086B8 0x000070B8 0x000001B6
SearchPathW - 0x00408118 0x000086BC 0x000070BC 0x000002DC
CompareFileTime - 0x0040811C 0x000086C0 0x000070C0 0x00000039
SetFileTime - 0x00408120 0x000086C4 0x000070C4 0x0000031F
CloseHandle - 0x00408124 0x000086C8 0x000070C8 0x00000034
lstrcmpiW - 0x00408128 0x000086CC 0x000070CC 0x000003C4
lstrcmpW - 0x0040812C 0x000086D0 0x000070D0 0x000003C1
ExpandEnvironmentStringsW - 0x00408130 0x000086D4 0x000070D4 0x000000BD
GlobalFree - 0x00408134 0x000086D8 0x000070D8 0x000001FF
GlobalAlloc - 0x00408138 0x000086DC 0x000070DC 0x000001F8
GetModuleHandleW - 0x0040813C 0x000086E0 0x000070E0 0x00000182
LoadLibraryExW - 0x00408140 0x000086E4 0x000070E4 0x00000254
MoveFileExW - 0x00408144 0x000086E8 0x000070E8 0x00000270
FreeLibrary - 0x00408148 0x000086EC 0x000070EC 0x000000F8
WritePrivateProfileStringW - 0x0040814C 0x000086F0 0x000070F0 0x000003AA
GetPrivateProfileStringW - 0x00408150 0x000086F4 0x000070F4 0x0000019D
lstrlenA - 0x00408154 0x000086F8 0x000070F8 0x000003CC
MultiByteToWideChar - 0x00408158 0x000086FC 0x000070FC 0x00000275
ReadFile - 0x0040815C 0x00008700 0x00007100 0x000002B5
SetFilePointer - 0x00408160 0x00008704 0x00007104 0x0000031B
FindClose - 0x00408164 0x00008708 0x00007108 0x000000CE
FindNextFileW - 0x00408168 0x0000870C 0x0000710C 0x000000DD
FindFirstFileW - 0x0040816C 0x00008710 0x00007110 0x000000D5
DeleteFileW - 0x00408170 0x00008714 0x00007114 0x00000084
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
bb36f0ab95d6422a20e81221adeb4033ebdbd7b20337a2557f3f5c3de0a77596.exe 1 0x00400000 0x0043BFFF Relevant Image False 32-bit 0x004068D4 False
bb36f0ab95d6422a20e81221adeb4033ebdbd7b20337a2557f3f5c3de0a77596.exe 1 0x00400000 0x0043BFFF Process Termination False 32-bit - False
C:\Users\RDHJ0C~1\AppData\Local\Temp\dehbibhar.exe Dropped File Binary
Malicious
Also Known As C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe (Dropped File, Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 4.00 KB
MD5 99df91cf3e9775be40fe27fefa10c203
SHA1 dbda94e51f0f783e4c169d2d838d3377550450ac
SHA256 a2fc8b5ddf220b7d9df0e7fcc88f2eba533698f3d178af97a93788b614c64014
SSDeep 48:qDXboBaPMMlGIB2hnhY+q12GKgG5CeDb+X949gvRuqS:+XEoMme6MzVROthJx
ImpHash 5a831b1b060898b0ad7110c61c19378b
PE Information
Image Base 0x00400000
Entry Point 0x00401000
Size Of Code 0x00000200
Size Of Initialized Data 0x00000A00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-05-02 01:53 (UTC+2)
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0000015E 0x00000200 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 3.53
.rdata 0x00402000 0x00000696 0x00000800 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.14
.rsrc 0x00403000 0x000001E0 0x00000200 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.7
Imports (10)
SHLWAPI.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
UrlHashA - 0x00402078 0x0000231C 0x0000091C 0x0000016C
PathIsFileSpecA - 0x0040207C 0x00002320 0x00000920 0x00000060
SHEnumKeyExW - 0x00402080 0x00002324 0x00000924 0x000000BE
PathMatchSpecA - 0x00402084 0x00002328 0x00000928 0x0000007C
KERNEL32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EnumDateFormatsA - 0x00402038 0x000022DC 0x000008DC 0x00000138
GetCommandLineW - 0x0040203C 0x000022E0 0x000008E0 0x000001D7
VirtualAlloc - 0x00402040 0x000022E4 0x000008E4 0x000005C6
WSOCK32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ntohs 0x0000000F 0x004020A0 0x00002344 0x00000944 -
ntohl 0x0000000E 0x004020A4 0x00002348 0x00000948 -
ord1115 0x0000045B 0x004020A8 0x0000234C 0x0000094C -
ord1142 0x00000476 0x004020AC 0x00002350 0x00000950 -
ord1112 0x00000458 0x004020B0 0x00002354 0x00000954 -
WININET.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
HttpSendRequestA - 0x0040208C 0x00002330 0x00000930 0x0000007F
CreateUrlCacheContainerW - 0x00402090 0x00002334 0x00000934 0x00000017
HttpEndRequestW - 0x00402094 0x00002338 0x00000938 0x00000072
SetUrlCacheEntryGroup - 0x00402098 0x0000233C 0x0000093C 0x00000104
COMDLG32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PrintDlgExW - 0x00402000 0x000022A4 0x000008A4 0x00000014
ReplaceTextA - 0x00402004 0x000022A8 0x000008A8 0x00000016
PrintDlgA - 0x00402008 0x000022AC 0x000008AC 0x00000012
PrintDlgExA - 0x0040200C 0x000022B0 0x000008B0 0x00000013
loadperf.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LoadPerfCounterTextStringsA - 0x004020B8 0x0000235C 0x0000095C 0x00000003
UnloadPerfCounterTextStringsA - 0x004020BC 0x00002360 0x00000960 0x0000000A
GDI32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetWinMetaFileBits - 0x00402014 0x000022B8 0x000008B8 0x000002D6
CreateScalableFontResourceA - 0x00402018 0x000022BC 0x000008BC 0x00000056
CloseEnhMetaFile - 0x0040201C 0x000022C0 0x000008C0 0x0000001D
GdiGetPageCount - 0x00402020 0x000022C4 0x000008C4 0x0000021F
GetLayout - 0x00402024 0x000022C8 0x000008C8 0x00000298
GetDIBColorTable - 0x00402028 0x000022CC 0x000008CC 0x00000274
GdiDeleteSpoolFileHandle - 0x0040202C 0x000022D0 0x000008D0 0x000001FC
CreateBrushIndirect - 0x00402030 0x000022D4 0x000008D4 0x0000002D
RESUTILS.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ResUtilSetSzValue - 0x00402054 0x000022F8 0x000008F8 0x00000084
ClusWorkerCreate - 0x00402058 0x000022FC 0x000008FC 0x00000005
ResUtilFindDwordProperty - 0x0040205C 0x00002300 0x00000900 0x0000003F
ResUtilIsPathValid - 0x00402060 0x00002304 0x00000904 0x0000006D
ResUtilVerifyPrivatePropertyList - 0x00402064 0x00002308 0x00000908 0x0000008B
ResUtilFindSzProperty - 0x00402068 0x0000230C 0x0000090C 0x00000045
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CommandLineToArgvW - 0x00402070 0x00002314 0x00000914 0x00000007
MSVCRT.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
fread - 0x00402048 0x000022EC 0x000008EC 0x0000025D
_wfopen - 0x0040204C 0x000022F0 0x000008F0 0x00000203
Memory Dumps (26)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
dehbibhar.exe 2 0x00400000 0x00403FFF Relevant Image False 32-bit - False
buffer 2 0x001E0000 0x001E1FFF First Execution False 32-bit 0x001E0000 False
buffer 3 0x00400000 0x004A1FFF First Execution False 32-bit 0x004139DE False
buffer 2 0x001E0000 0x001E1FFF Process Termination False 32-bit - False
buffer 2 0x00510000 0x00529FFF Process Termination False 32-bit - False
dehbibhar.exe 2 0x00400000 0x00403FFF Process Termination False 32-bit - False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00414059 False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412FEB False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040C9C2 False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00407AA2 False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00408952 False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040DB78 False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00410676 False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040F44A False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040ED17 False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00411954 False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040E60D False
buffer 3 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00401BBD False
buffer 3 0x0019B000 0x0019FFFF First Network Behavior False 32-bit - False
buffer 3 0x00400000 0x004A1FFF First Network Behavior False 32-bit - False
buffer 3 0x00793DC8 0x00793FCF First Network Behavior False 32-bit - False
buffer 3 0x00794FE8 0x0079636F First Network Behavior False 32-bit - False
buffer 3 0x00798120 0x00798327 First Network Behavior False 32-bit - False
buffer 3 0x0079A550 0x0079A6F4 First Network Behavior False 32-bit - False
buffer 3 0x0079B520 0x0079C8A7 First Network Behavior False 32-bit - False
buffer 3 0x0079D290 0x0079D4A1 First Network Behavior False 32-bit - False
C:\Users\RDHJ0C~1\AppData\Local\Temp\ptq0vlz6htg Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 104.00 KB
MD5 92b8f8d79d15063fe55f13d98069fd80
SHA1 46ea07994665e3560a6fe9b38483d47b8527b6dd
SHA256 92336a96341d13c5b45a82ee508a85eae3c907ddf9e2c62dd99f5db2ca59d9ce
SSDeep 1536:hYYUu04hEOBzupNyyKiYjPFvrNHzNwZWOzLqJW0bvivVEPq80H46I:hYYVhEO+AFvlSkOzuJDudEy/H+
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\efnvpl Dropped File Binary
Clean
MIME Type application/x-dosexec
File Size 4.82 KB
MD5 e2ffabc730a2cf170a16934f49e1b05e
SHA1 09299351820381199c6cee30062dfc5be0a3e9a6
SHA256 07a69d2284b659076040725425497d4da10adb891a5f3d54a10c707d2a74fb01
SSDeep 96:Fp8h7t+r4zx4jrGP0VqcfWKcirH1BAbK6S6DWZlBy9FWGPZNQB2jK4CsBDL1:+tA4zx4jywfTOXUBKQ4XCstL1
ImpHash -
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
Clean
Known to be clean.
MIME Type application/octet-stream
File Size 53 Bytes
MD5 eca0470178275ac94e5de381969ed232
SHA1 d6de27e734eec57d1dda73489b4a6d6eecae3038
SHA256 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50
SSDeep 3::
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 53 Bytes
MD5 9c3c1a69a3c43835d6a2579570e6aa0d
SHA1 8af2c3b90473b35f1bb936de12a8bf72fe658468
SHA256 e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844dc34
SSDeep 3:/l4l5mrc9l:e4rc9l
ImpHash -
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb Dropped File Text
Clean
MIME Type text/plain
File Size 4 Bytes
MD5 90f2527e58191a885a8cc35c99b89ba8
SHA1 10455ce0eb31eead75481e75dcba232d28c7e4c7
SHA256 859ffdca62ee0971821a4b2dedfc023d0f9a021391b5ac336ddb49d53d28330e
SSDeep 3:Kn:Kn
ImpHash -
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck Dropped File Stream
Clean
Known to be clean.
MIME Type application/octet-stream
File Size 1 Bytes
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SSDeep 3:U:U
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsvA0D.tmp Dropped File Empty
Clean
MIME Type application/x-empty
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsjD9C8.tmp Dropped File Empty
Clean
Also Known As C:\Users\RDHJ0C~1\AppData\Local\Temp\nsjD9C8.tmp\ (Accessed File)
MIME Type application/x-empty
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
c64510503435c2143bad854faba7891308b4b089d140449ceb903620fea45d6a Downloaded File Stream
Clean
MIME Type application/octet-stream
File Size 23 Bytes
MD5 f74f0c674b6a20bbb1a7afac774bcfde
SHA1 07a2ca2822e69fcd2a70c73cc83dd553b8b97235
SHA256 c64510503435c2143bad854faba7891308b4b089d140449ceb903620fea45d6a
SSDeep 3:1lMgne9n:Ewe9n
ImpHash -
b14395003e5efba733d717f89486aee8222abf00b33190ea2d34e7b68d2bca73 Downloaded File Text
Clean
Known to be clean.
MIME Type text/plain
File Size 15 Bytes
MD5 003b3bb995c2451098869088630871df
SHA1 5d24783bc3514543ed9bd164e49f027d77b501f5
SHA256 b14395003e5efba733d717f89486aee8222abf00b33190ea2d34e7b68d2bca73
SSDeep 3:8gne9n:8we9n
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.