Verdict Malicious
Classifications Spyware, Injector
Threat Names FormBook

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "7 hours, 23 minutes, 10 seconds" to "12 seconds" to reveal dormant functionality.

C:\Users\RDhJ0CNFevzX\Desktop\scrss.exe (Sample File, Binary)
Verdict Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 214.30 KB
MD5 5fc986129c3d833b1c7e5ba6ff3678bc
SHA1 2ace6bc0488df9b8592e25be3de38e6c9a0c16da
SHA256 d02d076842cc94fa6612b13ff0d2f77e1ff9150d22607cfe3962da4234cf4ed5
SSDeep 3072:l1NjcVVnLpPunbD0r9X/MP5LsCIVa1aP+KQ4kFHP67DzJEhShrM/joS9zAQNgOau:HNeZmQrV/MP8XXklIiheMLPztvau
ImpHash 56a78d55f3f7af51443e58e0ce2fb5f6
PE Information
Image Base 0x00400000
Entry Point 0x004034F7
Size Of Code 0x00006600
Size Of Initialized Data 0x00022A00
Size Of Uninitialized Data 0x00000800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2021-09-25 23:55 (UTC+2)
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00006515 0x00006600 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.44
.rdata 0x00408000 0x0000139A 0x00001400 0x00006A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.15
.data 0x0040A000 0x00020338 0x00000600 0x00007E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.01
.ndata 0x0042B000 0x00010000 0x00000000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x0043B000 0x00000A50 0x00000C00 0x00008400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.18
Imports (7)
ADVAPI32.dll (13)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegCreateKeyExW - 0x00408000 0x000085A4 0x00006FA4 0x000001D2
RegEnumKeyW - 0x00408004 0x000085A8 0x00006FA8 0x000001E0
RegQueryValueExW - 0x00408008 0x000085AC 0x00006FAC 0x000001F8
RegSetValueExW - 0x0040800C 0x000085B0 0x00006FB0 0x00000205
RegCloseKey - 0x00408010 0x000085B4 0x00006FB4 0x000001CB
RegDeleteValueW - 0x00408014 0x000085B8 0x00006FB8 0x000001D9
RegDeleteKeyW - 0x00408018 0x000085BC 0x00006FBC 0x000001D7
AdjustTokenPrivileges - 0x0040801C 0x000085C0 0x00006FC0 0x0000001C
LookupPrivilegeValueW - 0x00408020 0x000085C4 0x00006FC4 0x00000150
OpenProcessToken - 0x00408024 0x000085C8 0x00006FC8 0x000001AC
SetFileSecurityW - 0x00408028 0x000085CC 0x00006FCC 0x0000022F
RegOpenKeyExW - 0x0040802C 0x000085D0 0x00006FD0 0x000001ED
RegEnumValueW - 0x00408030 0x000085D4 0x00006FD4 0x000001E2
SHELL32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation - 0x00408178 0x0000871C 0x0000711C 0x000000C3
SHFileOperationW - 0x0040817C 0x00008720 0x00007120 0x0000009B
SHBrowseForFolderW - 0x00408180 0x00008724 0x00007124 0x0000007A
SHGetPathFromIDListW - 0x00408184 0x00008728 0x00007128 0x000000BD
ShellExecuteExW - 0x00408188 0x0000872C 0x0000712C 0x0000010A
SHGetFileInfoW - 0x0040818C 0x00008730 0x00007130 0x000000AD
ole32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
OleInitialize - 0x00408298 0x0000883C 0x0000723C 0x000000EE
OleUninitialize - 0x0040829C 0x00008840 0x00007240 0x00000105
CoCreateInstance - 0x004082A0 0x00008844 0x00007244 0x00000010
IIDFromString - 0x004082A4 0x00008848 0x00007248 0x000000C6
CoTaskMemFree - 0x004082A8 0x0000884C 0x0000724C 0x00000065
COMCTL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000011 0x00408038 0x000085DC 0x00006FDC -
ImageList_Create - 0x0040803C 0x000085E0 0x00006FE0 0x00000037
ImageList_Destroy - 0x00408040 0x000085E4 0x00006FE4 0x00000038
ImageList_AddMasked - 0x00408044 0x000085E8 0x00006FE8 0x00000034
USER32.dll (64)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetClientRect - 0x00408194 0x00008738 0x00007138 0x000000FF
EndPaint - 0x00408198 0x0000873C 0x0000713C 0x000000C8
DrawTextW - 0x0040819C 0x00008740 0x00007140 0x000000BF
IsWindowEnabled - 0x004081A0 0x00008744 0x00007144 0x000001AE
DispatchMessageW - 0x004081A4 0x00008748 0x00007148 0x000000A2
wsprintfA - 0x004081A8 0x0000874C 0x0000714C 0x000002D7
CharNextA - 0x004081AC 0x00008750 0x00007150 0x0000002A
CharPrevW - 0x004081B0 0x00008754 0x00007154 0x0000002F
MessageBoxIndirectW - 0x004081B4 0x00008758 0x00007158 0x000001E3
GetDlgItemTextW - 0x004081B8 0x0000875C 0x0000715C 0x00000114
SetDlgItemTextW - 0x004081BC 0x00008760 0x00007160 0x00000254
GetSystemMetrics - 0x004081C0 0x00008764 0x00007164 0x0000015D
FillRect - 0x004081C4 0x00008768 0x00007168 0x000000E2
AppendMenuW - 0x004081C8 0x0000876C 0x0000716C 0x00000009
TrackPopupMenu - 0x004081CC 0x00008770 0x00007170 0x000002A4
OpenClipboard - 0x004081D0 0x00008774 0x00007174 0x000001F6
SetClipboardData - 0x004081D4 0x00008778 0x00007178 0x0000024A
CloseClipboard - 0x004081D8 0x0000877C 0x0000717C 0x00000042
IsWindowVisible - 0x004081DC 0x00008780 0x00007180 0x000001B1
CallWindowProcW - 0x004081E0 0x00008784 0x00007184 0x0000001C
GetMessagePos - 0x004081E4 0x00008788 0x00007188 0x0000013C
CheckDlgButton - 0x004081E8 0x0000878C 0x0000718C 0x00000038
LoadCursorW - 0x004081EC 0x00008790 0x00007190 0x000001BD
SetCursor - 0x004081F0 0x00008794 0x00007194 0x0000024D
GetSysColor - 0x004081F4 0x00008798 0x00007198 0x0000015A
SetWindowPos - 0x004081F8 0x0000879C 0x0000719C 0x00000283
GetWindowLongW - 0x004081FC 0x000087A0 0x000071A0 0x0000016F
PeekMessageW - 0x00408200 0x000087A4 0x000071A4 0x00000201
SetClassLongW - 0x00408204 0x000087A8 0x000071A8 0x00000248
GetSystemMenu - 0x00408208 0x000087AC 0x000071AC 0x0000015C
EnableMenuItem - 0x0040820C 0x000087B0 0x000071B0 0x000000C2
GetWindowRect - 0x00408210 0x000087B4 0x000071B4 0x00000174
ScreenToClient - 0x00408214 0x000087B8 0x000071B8 0x00000231
EndDialog - 0x00408218 0x000087BC 0x000071BC 0x000000C6
RegisterClassW - 0x0040821C 0x000087C0 0x000071C0 0x00000219
SystemParametersInfoW - 0x00408220 0x000087C4 0x000071C4 0x0000029A
CreateWindowExW - 0x00408224 0x000087C8 0x000071C8 0x00000061
GetClassInfoW - 0x00408228 0x000087CC 0x000071CC 0x000000F9
DialogBoxParamW - 0x0040822C 0x000087D0 0x000071D0 0x0000009F
CharNextW - 0x00408230 0x000087D4 0x000071D4 0x0000002C
ExitWindowsEx - 0x00408234 0x000087D8 0x000071D8 0x000000E1
DestroyWindow - 0x00408238 0x000087DC 0x000071DC 0x00000099
CreateDialogParamW - 0x0040823C 0x000087E0 0x000071E0 0x00000056
SetTimer - 0x00408240 0x000087E4 0x000071E4 0x0000027A
SetWindowTextW - 0x00408244 0x000087E8 0x000071E8 0x00000287
PostQuitMessage - 0x00408248 0x000087EC 0x000071EC 0x00000204
SetForegroundWindow - 0x0040824C 0x000087F0 0x000071F0 0x00000257
ShowWindow - 0x00408250 0x000087F4 0x000071F4 0x00000292
wsprintfW - 0x00408254 0x000087F8 0x000071F8 0x000002D8
SendMessageTimeoutW - 0x00408258 0x000087FC 0x000071FC 0x0000023F
FindWindowExW - 0x0040825C 0x00008800 0x00007200 0x000000E5
IsWindow - 0x00408260 0x00008804 0x00007204 0x000001AD
GetDlgItem - 0x00408264 0x00008808 0x00007208 0x00000111
SetWindowLongW - 0x00408268 0x0000880C 0x0000720C 0x00000281
LoadImageW - 0x0040826C 0x00008810 0x00007210 0x000001C1
GetDC - 0x00408270 0x00008814 0x00007214 0x0000010C
ReleaseDC - 0x00408274 0x00008818 0x00007218 0x0000022A
EnableWindow - 0x00408278 0x0000881C 0x0000721C 0x000000C4
InvalidateRect - 0x0040827C 0x00008820 0x00007220 0x00000193
SendMessageW - 0x00408280 0x00008824 0x00007224 0x00000240
DefWindowProcW - 0x00408284 0x00008828 0x00007228 0x0000008F
BeginPaint - 0x00408288 0x0000882C 0x0000722C 0x0000000D
EmptyClipboard - 0x0040828C 0x00008830 0x00007230 0x000000C1
CreatePopupMenu - 0x00408290 0x00008834 0x00007234 0x0000005E
GDI32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetBkMode - 0x0040804C 0x000085F0 0x00006FF0 0x00000216
SetBkColor - 0x00408050 0x000085F4 0x00006FF4 0x00000215
GetDeviceCaps - 0x00408054 0x000085F8 0x00006FF8 0x0000016B
CreateFontIndirectW - 0x00408058 0x000085FC 0x00006FFC 0x0000003D
CreateBrushIndirect - 0x0040805C 0x00008600 0x00007000 0x00000029
DeleteObject - 0x00408060 0x00008604 0x00007004 0x0000008F
SetTextColor - 0x00408064 0x00008608 0x00007008 0x0000023C
SelectObject - 0x00408068 0x0000860C 0x0000700C 0x0000020E
KERNEL32.dll (65)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetExitCodeProcess - 0x00408070 0x00008614 0x00007014 0x0000015A
WaitForSingleObject - 0x00408074 0x00008618 0x00007018 0x00000390
GetModuleHandleA - 0x00408078 0x0000861C 0x0000701C 0x0000017F
GetProcAddress - 0x0040807C 0x00008620 0x00007020 0x000001A0
GetSystemDirectoryW - 0x00408080 0x00008624 0x00007024 0x000001C2
lstrcatW - 0x00408084 0x00008628 0x00007028 0x000003BE
Sleep - 0x00408088 0x0000862C 0x0000702C 0x00000356
lstrcpyA - 0x0040808C 0x00008630 0x00007030 0x000003C6
WriteFile - 0x00408090 0x00008634 0x00007034 0x000003A4
GetTempFileNameW - 0x00408094 0x00008638 0x00007038 0x000001D4
CreateFileW - 0x00408098 0x0000863C 0x0000703C 0x00000056
lstrcmpiA - 0x0040809C 0x00008640 0x00007040 0x000003C3
RemoveDirectoryW - 0x004080A0 0x00008644 0x00007044 0x000002C5
CreateProcessW - 0x004080A4 0x00008648 0x00007048 0x00000069
CreateDirectoryW - 0x004080A8 0x0000864C 0x0000704C 0x0000004E
GetLastError - 0x004080AC 0x00008650 0x00007050 0x00000171
CreateThread - 0x004080B0 0x00008654 0x00007054 0x0000006F
GlobalLock - 0x004080B4 0x00008658 0x00007058 0x00000203
GlobalUnlock - 0x004080B8 0x0000865C 0x0000705C 0x0000020A
GetDiskFreeSpaceW - 0x004080BC 0x00008660 0x00007060 0x00000150
WideCharToMultiByte - 0x004080C0 0x00008664 0x00007064 0x00000394
lstrcpynW - 0x004080C4 0x00008668 0x00007068 0x000003CA
lstrlenW - 0x004080C8 0x0000866C 0x0000706C 0x000003CD
SetErrorMode - 0x004080CC 0x00008670 0x00007070 0x00000315
GetVersionExW - 0x004080D0 0x00008674 0x00007074 0x000001EA
GetCommandLineW - 0x004080D4 0x00008678 0x00007078 0x00000111
GetTempPathW - 0x004080D8 0x0000867C 0x0000707C 0x000001D6
GetWindowsDirectoryW - 0x004080DC 0x00008680 0x00007080 0x000001F4
SetEnvironmentVariableW - 0x004080E0 0x00008684 0x00007084 0x00000314
CopyFileW - 0x004080E4 0x00008688 0x00007088 0x00000046
ExitProcess - 0x004080E8 0x0000868C 0x0000708C 0x000000B9
GetCurrentProcess - 0x004080EC 0x00008690 0x00007090 0x00000142
GetModuleFileNameW - 0x004080F0 0x00008694 0x00007094 0x0000017E
GetFileSize - 0x004080F4 0x00008698 0x00007098 0x00000163
GetTickCount - 0x004080F8 0x0000869C 0x0000709C 0x000001DF
MulDiv - 0x004080FC 0x000086A0 0x000070A0 0x00000274
SetFileAttributesW - 0x00408100 0x000086A4 0x000070A4 0x0000031A
GetFileAttributesW - 0x00408104 0x000086A8 0x000070A8 0x00000161
SetCurrentDirectoryW - 0x00408108 0x000086AC 0x000070AC 0x0000030B
MoveFileW - 0x0040810C 0x000086B0 0x000070B0 0x00000271
GetFullPathNameW - 0x00408110 0x000086B4 0x000070B4 0x0000016A
GetShortPathNameW - 0x00408114 0x000086B8 0x000070B8 0x000001B6
SearchPathW - 0x00408118 0x000086BC 0x000070BC 0x000002DC
CompareFileTime - 0x0040811C 0x000086C0 0x000070C0 0x00000039
SetFileTime - 0x00408120 0x000086C4 0x000070C4 0x0000031F
CloseHandle - 0x00408124 0x000086C8 0x000070C8 0x00000034
lstrcmpiW - 0x00408128 0x000086CC 0x000070CC 0x000003C4
lstrcmpW - 0x0040812C 0x000086D0 0x000070D0 0x000003C1
ExpandEnvironmentStringsW - 0x00408130 0x000086D4 0x000070D4 0x000000BD
GlobalFree - 0x00408134 0x000086D8 0x000070D8 0x000001FF
GlobalAlloc - 0x00408138 0x000086DC 0x000070DC 0x000001F8
GetModuleHandleW - 0x0040813C 0x000086E0 0x000070E0 0x00000182
LoadLibraryExW - 0x00408140 0x000086E4 0x000070E4 0x00000254
MoveFileExW - 0x00408144 0x000086E8 0x000070E8 0x00000270
FreeLibrary - 0x00408148 0x000086EC 0x000070EC 0x000000F8
WritePrivateProfileStringW - 0x0040814C 0x000086F0 0x000070F0 0x000003AA
GetPrivateProfileStringW - 0x00408150 0x000086F4 0x000070F4 0x0000019D
lstrlenA - 0x00408154 0x000086F8 0x000070F8 0x000003CC
MultiByteToWideChar - 0x00408158 0x000086FC 0x000070FC 0x00000275
ReadFile - 0x0040815C 0x00008700 0x00007100 0x000002B5
SetFilePointer - 0x00408160 0x00008704 0x00007104 0x0000031B
FindClose - 0x00408164 0x00008708 0x00007108 0x000000CE
FindNextFileW - 0x00408168 0x0000870C 0x0000710C 0x000000DD
FindFirstFileW - 0x0040816C 0x00008710 0x00007110 0x000000D5
DeleteFileW - 0x00408170 0x00008714 0x00007114 0x00000084
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA
scrss.exe 1 0x00400000 0x0043BFFF Relevant Image False 32-bit 0x004068D4 False False
buffer 1 0x02464020 0x02C6401F Image In Buffer False 32-bit - False False
scrss.exe 1 0x00400000 0x0043BFFF Process Termination False 32-bit - False False
C:\Users\RDHJ0C~1\AppData\Local\Temp\rysgtozci.exe (Dropped File, Binary)
Verdict Suspicious
Also Known As \??\C:\Users\RDHJ0C~1\AppData\Local\Temp\rysgtozci.exe (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 5.50 KB
MD5 96b3c3b0f05b4cedf349797d7cb05627
SHA1 b2d7084dcae06676c21d0ab393c60d6480e1d03f
SHA256 874f73e2673462859967afc64c3c33c1957d7b69915124cca91ced26dcfcd5c0
SSDeep 96:X5xApGY3bxCrq+M7sYx+MeBZtXIpXSdOWPmoynsx:X5xAQY3w2QweBZVIpidPPmoyn
ImpHash 5b50209ffc5ccd137d05909624bb044c
PE Information
Image Base 0x00400000
Entry Point 0x00401000
Size Of Code 0x00000400
Size Of Initialized Data 0x00000E00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-05-05 04:03 (UTC+2)
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0000037A 0x00000400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.94
.rdata 0x00402000 0x000009D6 0x00000A00 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.92
.data 0x00403000 0x0000003C 0x00000200 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.02
.rsrc 0x00404000 0x000001E0 0x00000200 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.7
Imports (10)
SHLWAPI.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PathIsURLW - 0x004020A0 0x00002464 0x00000C64 0x00000077
UrlApplySchemeW - 0x004020A4 0x00002468 0x00000C68 0x0000015C
PathSkipRootW - 0x004020A8 0x0000246C 0x00000C6C 0x00000097
StrDupW - 0x004020AC 0x00002470 0x00000C70 0x00000131
PathIsSystemFolderW - 0x004020B0 0x00002474 0x00000C74 0x0000006F
PathStripToRootA - 0x004020B4 0x00002478 0x00000C78 0x0000009A
KERNEL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EnumSystemCodePagesW - 0x0040202C 0x000023F0 0x00000BF0 0x0000014C
VirtualAlloc - 0x00402030 0x000023F4 0x00000BF4 0x000005C6
GetModuleHandleW - 0x00402034 0x000023F8 0x00000BF8 0x00000278
GetStartupInfoW - 0x00402038 0x000023FC 0x00000BFC 0x000002D0
wsnmp32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000068 0x00402134 0x000024F8 0x00000CF8 -
None 0x00000388 0x00402138 0x000024FC 0x00000CFC -
None 0x0000025B 0x0040213C 0x00002500 0x00000D00 -
None 0x00000259 0x00402140 0x00002504 0x00000D04 -
None 0x00000065 0x00402144 0x00002508 0x00000D08 -
None 0x00000389 0x00402148 0x0000250C 0x00000D0C -
None 0x00000190 0x0040214C 0x00002510 0x00000D10 -
RESUTILS.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ResUtilDupString - 0x00402080 0x00002444 0x00000C44 0x00000034
ResUtilGetMultiSzProperty - 0x00402084 0x00002448 0x00000C48 0x00000057
ClusWorkerCheckTerminate - 0x00402088 0x0000244C 0x00000C4C 0x00000004
ResUtilResourcesEqual - 0x0040208C 0x00002450 0x00000C50 0x00000076
ResUtilStopResourceService - 0x00402090 0x00002454 0x00000C54 0x00000088
ResUtilGetResourceNameDependency - 0x00402094 0x00002458 0x00000C58 0x00000068
ResUtilFreeParameterBlock - 0x00402098 0x0000245C 0x00000C5C 0x00000048
WINMM.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
mmioRead - 0x004020BC 0x00002480 0x00000C80 0x00000080
mixerSetControlDetails - 0x004020C0 0x00002484 0x00000C84 0x0000006E
midiStreamProperty - 0x004020C4 0x00002488 0x00000C88 0x0000005E
midiOutGetID - 0x004020C8 0x0000248C 0x00000C8C 0x0000004E
mmioRenameW - 0x004020CC 0x00002490 0x00000C90 0x00000082
waveInGetDevCapsW - 0x004020D0 0x00002494 0x00000C94 0x0000009A
waveOutReset - 0x004020D4 0x00002498 0x00000C98 0x000000B7
joyGetDevCapsA - 0x004020D8 0x0000249C 0x00000C9C 0x00000017
ole32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
OleSetMenuDescriptor - 0x00402110 0x000024D4 0x00000CD4 0x0000018A
WriteOleStg - 0x00402114 0x000024D8 0x00000CD8 0x000001D9
UtGetDvtd32Info - 0x00402118 0x000024DC 0x00000CDC 0x000001D1
OleRegEnumVerbs - 0x0040211C 0x000024E0 0x00000CE0 0x0000017F
HENHMETAFILE_UserFree - 0x00402120 0x000024E4 0x00000CE4 0x000000D1
HACCEL_UserUnmarshal - 0x00402124 0x000024E8 0x00000CE8 0x000000C4
CreateILockBytesOnHGlobal - 0x00402128 0x000024EC 0x00000CEC 0x000000A2
StgIsStorageILockBytes - 0x0040212C 0x000024F0 0x00000CF0 0x000001BF
msi.dll (11)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x0000003E 0x004020E0 0x000024A4 0x00000CA4 -
None 0x0000007A 0x004020E4 0x000024A8 0x00000CA8 -
None 0x00000088 0x004020E8 0x000024AC 0x00000CAC -
None 0x00000007 0x004020EC 0x000024B0 0x00000CB0 -
None 0x0000006E 0x004020F0 0x000024B4 0x00000CB4 -
None 0x00000070 0x004020F4 0x000024B8 0x00000CB8 -
None 0x00000062 0x004020F8 0x000024BC 0x00000CBC -
None 0x000000A1 0x004020FC 0x000024C0 0x00000CC0 -
None 0x0000007D 0x00402100 0x000024C4 0x00000CC4 -
None 0x00000073 0x00402104 0x000024C8 0x00000CC8 -
None 0x00000040 0x00402108 0x000024CC 0x00000CCC -
GDI32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateDiscardableBitmap - 0x0040200C 0x000023D0 0x00000BD0 0x0000003A
CreateDCA - 0x00402010 0x000023D4 0x00000BD4 0x00000032
SelectClipRgn - 0x00402014 0x000023D8 0x00000BD8 0x0000035A
SetDCPenColor - 0x00402018 0x000023DC 0x00000BDC 0x0000036B
CreateFontIndirectExW - 0x0040201C 0x000023E0 0x00000BE0 0x00000042
GetTextExtentPoint32W - 0x00402020 0x000023E4 0x00000BE4 0x000002CA
GetDeviceGammaRamp - 0x00402024 0x000023E8 0x00000BE8 0x00000277
CRYPT32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertCreateCertificateContext - 0x00402000 0x000023C4 0x00000BC4 0x0000001C
CertFreeCertificateContext - 0x00402004 0x000023C8 0x00000BC8 0x00000040
MSVCRT.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
__set_app_type - 0x00402040 0x00002404 0x00000C04 0x00000081
__p__fmode - 0x00402044 0x00002408 0x00000C08 0x0000006F
_controlfp - 0x00402048 0x0000240C 0x00000C0C 0x000000B7
_wfopen - 0x0040204C 0x00002410 0x00000C10 0x00000203
fread - 0x00402050 0x00002414 0x00000C14 0x0000025D
_except_handler3 - 0x00402054 0x00002418 0x00000C18 0x000000CA
_exit - 0x00402058 0x0000241C 0x00000C1C 0x000000D3
__p__commode - 0x0040205C 0x00002420 0x00000C20 0x0000006A
_adjust_fdiv - 0x00402060 0x00002424 0x00000C24 0x0000009D
__setusermatherr - 0x00402064 0x00002428 0x00000C28 0x00000083
_initterm - 0x00402068 0x0000242C 0x00000C2C 0x0000010F
__wgetmainargs - 0x0040206C 0x00002430 0x00000C30 0x0000008B
_wcmdln - 0x00402070 0x00002434 0x00000C34 0x000001E7
exit - 0x00402074 0x00002438 0x00000C38 0x00000249
_XcptFilter - 0x00402078 0x0000243C 0x00000C3C 0x00000048
Memory Dumps (18)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA
rysgtozci.exe 2 0x00400000 0x00404FFF Relevant Image False 32-bit - False False
buffer 2 0x001F0000 0x001F1FFF First Execution False 32-bit 0x001F0000 False False
buffer 3 0x00400000 0x0042EFFF First Execution False 32-bit 0x0041F150 False False
buffer 2 0x00490000 0x004BEFFF Dump Rule: FormBookConfig False 32-bit - False False
buffer 2 0x001F0000 0x001F1FFF Process Termination False 32-bit - False False
buffer 2 0x00490000 0x004BEFFF Process Termination False 32-bit - False False
rysgtozci.exe 2 0x00400000 0x00404FFF Process Termination False 32-bit - False False
buffer 3 0x009E0000 0x00CD9FFF First Execution False 32-bit 0x00A57000 False False
buffer 3 0x00580000 0x00593FFF First Execution False 32-bit 0x00580000 False False
buffer 3 0x008D0000 0x009CDFFF Marked Executable False 32-bit - False False
buffer 3 0x001D0000 0x001FEFFF Dump Rule: FormBookConfig False 32-bit - False False
buffer 3 0x00400000 0x0042EFFF Process Termination False 32-bit - False False
buffer 3 0x00560000 0x00573FFF Process Termination False 32-bit - False False
buffer 3 0x00580000 0x00593FFF Process Termination False 32-bit - False False
buffer 3 0x006D0000 0x007CFFFF Process Termination False 32-bit - False False
buffer 3 0x009E0000 0x00CD9FFF Process Termination False 32-bit - False False
buffer 3 0x00530000 0x0054DFFF Image In Buffer False 32-bit - False False
buffer 3 0x00E70000 0x00E9EFFF Marked Executable False 32-bit - False False
C:\Users\RDHJ0C~1\AppData\Local\Temp\ptcgl43g463vgbr58 (Dropped File, Stream)
Verdict Clean
MIME Type application/octet-stream
File Size 185.00 KB
MD5 b5b1c1f4818202956b29108fb25dec20
SHA1 7e74a79237d3090b0dbac83b2c038d849fde6382
SHA256 d0da793571aa99c98e2afca3be0f3d6850aabbacf2aca4eeab8013e4ebf77a67
SSDeep 3072:4j17qN4Bvdkw8J7ApvkCao2zXSlae7jCc6g31Wy4iUCxNENtYVnqGPonTfLwJ8:4jNTvNuApvbaoiSl57jh6g31Y3raVnq1
ImpHash -
\??\C:\Users\RDhJ0CNFevzX\AppData\Roaming\-2NP6R7E\-2Nlogim.jpeg (Dropped File, Image)
Verdict Clean
MIME Type image/jpeg
File Size 90.38 KB
MD5 e3dc95b2636eb08c2aa1eafc1bec6c48
SHA1 e36b7169f7fecb5eb174f2af8e658811489e9fb9
SHA256 e1625aa27dd1d5d658b2a743de62f8cabcf34bfb8e09c6dad9f40f9b52211b61
SSDeep 1536:bLCVMkselgRZHGk49wFnkgQ3SIfzj5kbkMXA2MsbEPQCg/HVMFP5ja0:C2NGk4zF7fz9kQMXA2M2EPQ7/HVMFBu0
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\wduqqtzg (Dropped File, Stream)
Verdict Clean
MIME Type application/octet-stream
File Size 5.25 KB
MD5 cea27fda9443dd5882439188c2494a7b
SHA1 89b7f9c46c4462f37ee6e91d639ccdd3084e03cd
SHA256 26a0ef0fe1fdab9e6dae3caecec085c3800a44d32cd5b87c182c0c0a6b559f59
SSDeep 96:R9mon8+8wowi4vsVmHxXTR9yprcP4b0hHryNB+3Oc02rv5FJ2EZdrH:browmYXT36r1YuIFBrv5FJXLrH
ImpHash -
\??\C:\Users\RDhJ0CNFevzX\AppData\Roaming\-2NP6R7E\-2Nlogrc.ini (Dropped File, Stream)
Verdict Clean
MIME Type application/octet-stream
File Size 1.75 KB
MD5 379e86825e7490d3b41dfe9c7936adea
SHA1 19b0b13329157c0316fd44e8f946ce435b04eac8
SHA256 3f20b4605a2a543557ff9f208c286aef88fd05200f0c6150d35f1402507bd228
SSDeep 24:YUd8adUZokH+gUca7b50WJ8abGBYt5++0dtR+t7tRBPtRl5wWSSwEMlpigXP7b5/:bdXVy3hWhILU4WhbModtE
ImpHash -
\??\C:\Users\RDhJ0CNFevzX\AppData\Roaming\-2NP6R7E\-2Nlogrv.ini (Dropped File, Stream)
Verdict Clean
MIME Type application/octet-stream
File Size 40 Bytes
MD5 ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1 24cb89501f0212ff3095ecc0aba97dd563718fb1
SHA256 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SSDeep 3:AJlbeGQJhIl:tGQPY
ImpHash -
\??\C:\Users\RDhJ0CNFevzX\AppData\Roaming\-2NP6R7E\-2Nlogri.ini (Dropped File, Stream)
Verdict Clean
MIME Type application/octet-stream
File Size 40 Bytes
MD5 d63a82e5d81e02e399090af26db0b9cb
SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SSDeep 3:+slXllAGQJhIl:dlIGQPY
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsr155E.tmp (Dropped File, Empty)
Verdict Clean
Also Known As C:\Users\RDHJ0C~1\AppData\Local\Temp\nsr155E.tmp\ (Accessed File)
MIME Type application/x-empty
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsjFBF.tmp (Dropped File, Empty)
Verdict Clean
MIME Type application/x-empty
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
c:\users\rdhj0cnfevzx\appdata\roaming\-2np6r7e\-2nlog.ini (Dropped File, Empty)
Verdict Clean
MIME Type application/x-empty
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
6fb704daa8756b1df1557d8d5ff07ea037ae792955d03c27e5662a7bcea42550 (Downloaded File, HTML)
Verdict Clean
MIME Type text/html
File Size 24.42 KB
MD5 676f73d8793a9cd15069b7b3d64bc9de
SHA1 86b56cfab4b63c868a69ee47e4cece7fd717b940
SHA256 6fb704daa8756b1df1557d8d5ff07ea037ae792955d03c27e5662a7bcea42550
SSDeep 384:CV24thvXIxTNGQ8K5M/emeoenebaekeMeOeWeoeJMdiGPGsB8H:CY4DXIxTNGQrjdiGP7B8H
ImpHash -
e81e05d6792762b645006a9e93c236afb8fe32bd0bd6cf9bfaad3efe205668c0 (Downloaded File, HTML)
Verdict Clean
MIME Type text/html
File Size 2.15 KB
MD5 86400b45df7dc6e4249c95a772c532c4
SHA1 a421e2835cc143580b2d8a4d37d36c82c35caa72
SHA256 e81e05d6792762b645006a9e93c236afb8fe32bd0bd6cf9bfaad3efe205668c0
SSDeep 48:wMQWuCOz7XOz7bOz79weYyvaEe+MtfTVm/KSK:wH4Oz7XOz7bOz7GVyvaPjfTVj
ImpHash -
a45a2d762e763e3b0909b33d433b0c93008cadcf392122829c92c6565ad1a85b (Downloaded File, HTML)
Verdict Clean
MIME Type text/html
File Size 1.67 KB
MD5 1ed75a9bcf71a3df259a2aed3ff67d5e
SHA1 bb0e9bb12fa1fb8f166f0f5a02fcf322ab8b995c
SHA256 a45a2d762e763e3b0909b33d433b0c93008cadcf392122829c92c6565ad1a85b
SSDeep 48:wUWukgkX1VF7kxxxVFG5vaLhDoWJRsJ/KSK:wUoXJg9G5varx
ImpHash -
3bbe72f3baa8ec61de17a1d767fca58704769684b7abe9161d0c4eaf4c8f0982 (Downloaded File, HTML)
Verdict Clean
MIME Type text/html
File Size 707 Bytes
MD5 1304294c0823ca486542ba408ed761e3
SHA1 b2a70fb2d810ca13985882e6981f33998823e83e
SHA256 3bbe72f3baa8ec61de17a1d767fca58704769684b7abe9161d0c4eaf4c8f0982
SSDeep 12:hYYLszHjgfkbxsjJ7QCdToh50lXQoLYlJl5M6eNsJLi334VlKk:hYYIzDIkejNQCRtgoLY95MI5634Vsk
ImpHash -
5ba320b58f0e4bdca6a2e270d9f76834a157f6fd81f3ef620f5eb1a3b95ac4fc (Downloaded File, HTML)
Verdict Clean
MIME Type text/html
File Size 426 Bytes
MD5 81182ff78310157ceaf650a3c4344bb7
SHA1 aadb252ec10edace11f939e4e65d9c2db6e17e29
SHA256 5ba320b58f0e4bdca6a2e270d9f76834a157f6fd81f3ef620f5eb1a3b95ac4fc
SSDeep 6:pn0+Dy9xwol6hEr6VX16hu9nP+YG8M3N4JqQMXcWDERKRR7Jx/0DWKBFEcXaoD:J0+ox0RJWWPbRM3N4E6WDEwZyDCma+
ImpHash -
2baebb84d79b7542324b5349be6504bee6e55b4baffe353f9aae1c2b585e4330 (Downloaded File, HTML)
Verdict Clean
MIME Type text/html
File Size 335 Bytes
MD5 99c04bee84c0ed0fee84021e1d24df8b
SHA1 0528f3e972f0f8b9ec4890f5bfec98d57e92e677
SHA256 2baebb84d79b7542324b5349be6504bee6e55b4baffe353f9aae1c2b585e4330
SSDeep 6:pn0+Dy9xwol6hEr6VX16hu9nP+YG8HuRKRR7Jx/0DWKBFEcXaoD:J0+ox0RJWWPbRHtZyDCma+
ImpHash -
3eb8165a0647b8408bb41cc7414f0c46b7da04bfff19447259b1719350013d5c (Downloaded File, HTML)
Verdict Clean
MIME Type text/html
File Size 291 Bytes
MD5 8a3d5f84da9ebcb3bc9275275ca6238e
SHA1 68d96bdc2040e7724683290028c6ec2df21e3071
SHA256 3eb8165a0647b8408bb41cc7414f0c46b7da04bfff19447259b1719350013d5c
SSDeep 6:hxuJzhqIwGerQWR0iYBwZGL8g0qQF7IAqM5+ECoaAEdpsjyws0nHX4QL:hY0ZrY1AS0hKcSoaAEdods0nIQL
ImpHash -
c40c4d1ac0df1ab3cf59ebad6e2490f99e292dbf17f88d599788661d0b2d0451 (Downloaded File, HTML)
Verdict Clean
MIME Type text/html
File Size 277 Bytes
MD5 2c2a3dbb9bfe8c98d7be7c8a8bb7e935
SHA1 b11999ba3098a4057a0f650ef5e2acd510d3f73c
SHA256 c40c4d1ac0df1ab3cf59ebad6e2490f99e292dbf17f88d599788661d0b2d0451
SSDeep 6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIRxnAKAPjcXaoD:J0+oxBeRmR9etdzRxGezHDndwjma+
ImpHash -
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a (Downloaded File, HTML)
Verdict Clean
MIME Type text/html
File Size 162 Bytes
MD5 4f8e702cc244ec5d4de32740c0ecbd97
SHA1 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA256 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SSDeep 3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
ImpHash -
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat (Modified File, Stream)
Verdict Clean
MIME Type application/octet-stream
File Size 128 Bytes
MD5 cc90851958032b8c8bbb7b24ec6271dd
SHA1 e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256 c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep 3:Fl:
ImpHash -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.