Malicious
Classifications

Spyware

Threat Names

C2/Generic-A Lokibot Lokibot.v2 Mal/Generic-S

Dynamic Analysis Report

Created on 2022-11-25T09:25:20+00:00

e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe

Windows Exe (x86-32)

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "1 hour, 52 minutes" to "20 seconds" to reveal dormant functionality.

File Name Category Type Verdict Actions
C:\Users\RDhJ0CNFevzX\Desktop\e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe Sample File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 236.42 KB
MD5 9632628f4b25e22bf57a5fb1010daf4e
SHA1 339706d04fbc6c4a0e3cad9c8a12d7b88a8a0dcb
SHA256 e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe
SSDeep 6144:QBn1PO9HgFIUgwXVH/7/Gf5emejH+PgDSD9LV9Gj4WhwW:gPOhCXVf7/GJnPFDosW
ImpHash ab6770b0a8635b9d92a5838920cfe770
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x0040324F
Size Of Code 0x00005E00
Size Of Initialized Data 0x0001D600
Size Of Uninitialized Data 0x00000400
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2015-12-27 06:38 (UTC+1)
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00005C4A 0x00005E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.41
.rdata 0x00407000 0x0000115E 0x00001200 0x00006200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.14
.data 0x00409000 0x0001B078 0x00000600 0x00007400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.23
.ndata 0x00425000 0x00008000 0x00000000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x0042D000 0x000009E0 0x00000A00 0x00007A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.51
Imports (7)
KERNEL32.dll (59)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetFileAttributesA - 0x00407064 0x000074D0 0x000066D0 0x00000319
GetShortPathNameA - 0x00407068 0x000074D4 0x000066D4 0x000001B5
GetFullPathNameA - 0x0040706C 0x000074D8 0x000066D8 0x00000169
MoveFileA - 0x00407070 0x000074DC 0x000066DC 0x0000026E
SetCurrentDirectoryA - 0x00407074 0x000074E0 0x000066E0 0x0000030A
GetFileAttributesA - 0x00407078 0x000074E4 0x000066E4 0x0000015E
GetLastError - 0x0040707C 0x000074E8 0x000066E8 0x00000171
CompareFileTime - 0x00407080 0x000074EC 0x000066EC 0x00000039
SearchPathA - 0x00407084 0x000074F0 0x000066F0 0x000002DB
Sleep - 0x00407088 0x000074F4 0x000066F4 0x00000356
GetTickCount - 0x0040708C 0x000074F8 0x000066F8 0x000001DF
CreateFileA - 0x00407090 0x000074FC 0x000066FC 0x00000053
GetFileSize - 0x00407094 0x00007500 0x00006700 0x00000163
GetModuleFileNameA - 0x00407098 0x00007504 0x00006704 0x0000017D
GetCurrentProcess - 0x0040709C 0x00007508 0x00006708 0x00000142
CopyFileA - 0x004070A0 0x0000750C 0x0000670C 0x00000043
CreateDirectoryA - 0x004070A4 0x00007510 0x00006710 0x0000004B
lstrcmpiA - 0x004070A8 0x00007514 0x00006714 0x000003C3
GetTempPathA - 0x004070AC 0x00007518 0x00006718 0x000001D5
GetCommandLineA - 0x004070B0 0x0000751C 0x0000671C 0x00000110
GetVersion - 0x004070B4 0x00007520 0x00006720 0x000001E8
SetErrorMode - 0x004070B8 0x00007524 0x00006724 0x00000315
lstrcpynA - 0x004070BC 0x00007528 0x00006728 0x000003C9
GetDiskFreeSpaceA - 0x004070C0 0x0000752C 0x0000672C 0x0000014D
GlobalUnlock - 0x004070C4 0x00007530 0x00006730 0x0000020A
GlobalLock - 0x004070C8 0x00007534 0x00006734 0x00000203
CreateThread - 0x004070CC 0x00007538 0x00006738 0x0000006F
CreateProcessA - 0x004070D0 0x0000753C 0x0000673C 0x00000066
RemoveDirectoryA - 0x004070D4 0x00007540 0x00006740 0x000002C4
GetTempFileNameA - 0x004070D8 0x00007544 0x00006744 0x000001D3
lstrlenA - 0x004070DC 0x00007548 0x00006748 0x000003CC
lstrcatA - 0x004070E0 0x0000754C 0x0000674C 0x000003BD
GetSystemDirectoryA - 0x004070E4 0x00007550 0x00006750 0x000001C1
LoadLibraryA - 0x004070E8 0x00007554 0x00006754 0x00000252
SetFileTime - 0x004070EC 0x00007558 0x00006758 0x0000031F
CloseHandle - 0x004070F0 0x0000755C 0x0000675C 0x00000034
GlobalFree - 0x004070F4 0x00007560 0x00006760 0x000001FF
lstrcmpA - 0x004070F8 0x00007564 0x00006764 0x000003C0
ExpandEnvironmentStringsA - 0x004070FC 0x00007568 0x00006768 0x000000BC
GetExitCodeProcess - 0x00407100 0x0000756C 0x0000676C 0x0000015A
GlobalAlloc - 0x00407104 0x00007570 0x00006770 0x000001F8
WaitForSingleObject - 0x00407108 0x00007574 0x00006774 0x00000390
ExitProcess - 0x0040710C 0x00007578 0x00006778 0x000000B9
GetWindowsDirectoryA - 0x00407110 0x0000757C 0x0000677C 0x000001F3
GetProcAddress - 0x00407114 0x00007580 0x00006780 0x000001A0
FindFirstFileA - 0x00407118 0x00007584 0x00006784 0x000000D2
FindNextFileA - 0x0040711C 0x00007588 0x00006788 0x000000DC
DeleteFileA - 0x00407120 0x0000758C 0x0000678C 0x00000083
SetFilePointer - 0x00407124 0x00007590 0x00006790 0x0000031B
ReadFile - 0x00407128 0x00007594 0x00006794 0x000002B5
FindClose - 0x0040712C 0x00007598 0x00006798 0x000000CE
GetPrivateProfileStringA - 0x00407130 0x0000759C 0x0000679C 0x0000019C
WritePrivateProfileStringA - 0x00407134 0x000075A0 0x000067A0 0x000003A9
WriteFile - 0x00407138 0x000075A4 0x000067A4 0x000003A4
MulDiv - 0x0040713C 0x000075A8 0x000067A8 0x00000274
LoadLibraryExA - 0x00407140 0x000075AC 0x000067AC 0x00000253
GetModuleHandleA - 0x00407144 0x000075B0 0x000067B0 0x0000017F
MultiByteToWideChar - 0x00407148 0x000075B4 0x000067B4 0x00000275
FreeLibrary - 0x0040714C 0x000075B8 0x000067B8 0x000000F8
USER32.dll (62)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetWindowRect - 0x00407170 0x000075DC 0x000067DC 0x00000174
EnableMenuItem - 0x00407174 0x000075E0 0x000067E0 0x000000C2
GetSystemMenu - 0x00407178 0x000075E4 0x000067E4 0x0000015C
ScreenToClient - 0x0040717C 0x000075E8 0x000067E8 0x00000231
SetClassLongA - 0x00407180 0x000075EC 0x000067EC 0x00000247
IsWindowEnabled - 0x00407184 0x000075F0 0x000067F0 0x000001AE
SetWindowPos - 0x00407188 0x000075F4 0x000067F4 0x00000283
GetSysColor - 0x0040718C 0x000075F8 0x000067F8 0x0000015A
GetWindowLongA - 0x00407190 0x000075FC 0x000067FC 0x0000016E
SetCursor - 0x00407194 0x00007600 0x00006800 0x0000024D
LoadCursorA - 0x00407198 0x00007604 0x00006804 0x000001BA
CheckDlgButton - 0x0040719C 0x00007608 0x00006808 0x00000038
GetMessagePos - 0x004071A0 0x0000760C 0x0000680C 0x0000013C
LoadBitmapA - 0x004071A4 0x00007610 0x00006810 0x000001B8
CallWindowProcA - 0x004071A8 0x00007614 0x00006814 0x0000001B
IsWindowVisible - 0x004071AC 0x00007618 0x00006818 0x000001B1
CloseClipboard - 0x004071B0 0x0000761C 0x0000681C 0x00000042
SetForegroundWindow - 0x004071B4 0x00007620 0x00006820 0x00000257
PostQuitMessage - 0x004071B8 0x00007624 0x00006824 0x00000204
RegisterClassA - 0x004071BC 0x00007628 0x00006828 0x00000216
EndDialog - 0x004071C0 0x0000762C 0x0000682C 0x000000C6
AppendMenuA - 0x004071C4 0x00007630 0x00006830 0x00000008
CreatePopupMenu - 0x004071C8 0x00007634 0x00006834 0x0000005E
GetSystemMetrics - 0x004071CC 0x00007638 0x00006838 0x0000015D
SetDlgItemTextA - 0x004071D0 0x0000763C 0x0000683C 0x00000253
GetDlgItemTextA - 0x004071D4 0x00007640 0x00006840 0x00000113
MessageBoxIndirectA - 0x004071D8 0x00007644 0x00006844 0x000001E2
CharPrevA - 0x004071DC 0x00007648 0x00006848 0x0000002D
DispatchMessageA - 0x004071E0 0x0000764C 0x0000684C 0x000000A1
PeekMessageA - 0x004071E4 0x00007650 0x00006850 0x00000200
EnableWindow - 0x004071E8 0x00007654 0x00006854 0x000000C4
InvalidateRect - 0x004071EC 0x00007658 0x00006858 0x00000193
SendMessageA - 0x004071F0 0x0000765C 0x0000685C 0x0000023B
DefWindowProcA - 0x004071F4 0x00007660 0x00006860 0x0000008E
BeginPaint - 0x004071F8 0x00007664 0x00006864 0x0000000D
GetClientRect - 0x004071FC 0x00007668 0x00006868 0x000000FF
FillRect - 0x00407200 0x0000766C 0x0000686C 0x000000E2
DrawTextA - 0x00407204 0x00007670 0x00006870 0x000000BC
EndPaint - 0x00407208 0x00007674 0x00006874 0x000000C8
SystemParametersInfoA - 0x0040720C 0x00007678 0x00006878 0x00000299
CreateWindowExA - 0x00407210 0x0000767C 0x0000687C 0x00000060
GetClassInfoA - 0x00407214 0x00007680 0x00006880 0x000000F6
DialogBoxParamA - 0x00407218 0x00007684 0x00006884 0x0000009E
CharNextA - 0x0040721C 0x00007688 0x00006888 0x0000002A
ExitWindowsEx - 0x00407220 0x0000768C 0x0000688C 0x000000E1
DestroyWindow - 0x00407224 0x00007690 0x00006890 0x00000099
OpenClipboard - 0x00407228 0x00007694 0x00006894 0x000001F6
TrackPopupMenu - 0x0040722C 0x00007698 0x00006898 0x000002A4
SendMessageTimeoutA - 0x00407230 0x0000769C 0x0000689C 0x0000023E
GetDC - 0x00407234 0x000076A0 0x000068A0 0x0000010C
LoadImageA - 0x00407238 0x000076A4 0x000068A4 0x000001C0
GetDlgItem - 0x0040723C 0x000076A8 0x000068A8 0x00000111
FindWindowExA - 0x00407240 0x000076AC 0x000068AC 0x000000E4
IsWindow - 0x00407244 0x000076B0 0x000068B0 0x000001AD
SetClipboardData - 0x00407248 0x000076B4 0x000068B4 0x0000024A
SetWindowLongA - 0x0040724C 0x000076B8 0x000068B8 0x00000280
EmptyClipboard - 0x00407250 0x000076BC 0x000068BC 0x000000C1
SetTimer - 0x00407254 0x000076C0 0x000068C0 0x0000027A
CreateDialogParamA - 0x00407258 0x000076C4 0x000068C4 0x00000055
wsprintfA - 0x0040725C 0x000076C8 0x000068C8 0x000002D7
ShowWindow - 0x00407260 0x000076CC 0x000068CC 0x00000292
SetWindowTextA - 0x00407264 0x000076D0 0x000068D0 0x00000286
GDI32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SelectObject - 0x00407040 0x000074AC 0x000066AC 0x0000020E
SetBkMode - 0x00407044 0x000074B0 0x000066B0 0x00000216
CreateFontIndirectA - 0x00407048 0x000074B4 0x000066B4 0x0000003A
SetTextColor - 0x0040704C 0x000074B8 0x000066B8 0x0000023C
DeleteObject - 0x00407050 0x000074BC 0x000066BC 0x0000008F
GetDeviceCaps - 0x00407054 0x000074C0 0x000066C0 0x0000016B
CreateBrushIndirect - 0x00407058 0x000074C4 0x000066C4 0x00000029
SetBkColor - 0x0040705C 0x000074C8 0x000066C8 0x00000215
SHELL32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation - 0x00407154 0x000075C0 0x000067C0 0x000000C3
SHGetPathFromIDListA - 0x00407158 0x000075C4 0x000067C4 0x000000BC
SHBrowseForFolderA - 0x0040715C 0x000075C8 0x000067C8 0x00000079
SHGetFileInfoA - 0x00407160 0x000075CC 0x000067CC 0x000000AC
ShellExecuteA - 0x00407164 0x000075D0 0x000067D0 0x00000107
SHFileOperationA - 0x00407168 0x000075D4 0x000067D4 0x0000009A
ADVAPI32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegDeleteValueA - 0x00407000 0x0000746C 0x0000666C 0x000001D8
SetFileSecurityA - 0x00407004 0x00007470 0x00006670 0x0000022E
RegOpenKeyExA - 0x00407008 0x00007474 0x00006674 0x000001EC
RegDeleteKeyA - 0x0040700C 0x00007478 0x00006678 0x000001D4
RegEnumValueA - 0x00407010 0x0000747C 0x0000667C 0x000001E1
RegCloseKey - 0x00407014 0x00007480 0x00006680 0x000001CB
RegCreateKeyExA - 0x00407018 0x00007484 0x00006684 0x000001D1
RegSetValueExA - 0x0040701C 0x00007488 0x00006688 0x00000204
RegQueryValueExA - 0x00407020 0x0000748C 0x0000668C 0x000001F7
RegEnumKeyA - 0x00407024 0x00007490 0x00006690 0x000001DD
COMCTL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ImageList_Create - 0x0040702C 0x00007498 0x00006698 0x00000037
ImageList_Destroy - 0x00407030 0x0000749C 0x0000669C 0x00000038
None 0x00000011 0x00407034 0x000074A0 0x000066A0 -
ImageList_AddMasked - 0x00407038 0x000074A4 0x000066A4 0x00000034
ole32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
OleUninitialize - 0x0040726C 0x000076D8 0x000068D8 0x00000105
OleInitialize - 0x00407270 0x000076DC 0x000068DC 0x000000EE
CoTaskMemFree - 0x00407274 0x000076E0 0x000068E0 0x00000065
CoCreateInstance - 0x00407278 0x000076E4 0x000068E4 0x00000010
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe 1 0x00400000 0x0042DFFF Relevant Image False 32-bit 0x00406087 False
e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe 1 0x00400000 0x0042DFFF Process Termination False 32-bit - False
C:\Users\RDHJ0C~1\AppData\Local\Temp\rvtzlpyrgs.exe Dropped File Binary
Suspicious
Also Known As C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe (Accessed File, Dropped File)
MIME Type application/vnd.microsoft.portable-executable
File Size 320.50 KB
MD5 f9208502b7624ba032dc4dd818b30c30
SHA1 cd76be3e4b437988d0bad4325a4da179e7e127bb
SHA256 0c49cef3f60cf1a48b60dfc066053c709b54ac83a5c39ca3f182f073d54a569e
SSDeep 6144:FH2zGub2FIfcnC3c7WtCb1FyxFTurNnNAb9UuzSICOKB879w3:FH2Cm2qcnC3c7WtCb1+FTANNAb9Uuzu5
ImpHash 6fa41e554b29cfd392c09f25fab6521d
PE Information
Image Base 0x00400000
Entry Point 0x00407A2D
Size Of Code 0x00044800
Size Of Initialized Data 0x00019C00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-11-25 00:28 (UTC+1)
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0004473B 0x00044800 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.58
.rdata 0x00446000 0x00009126 0x00009200 0x00044C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.21
.data 0x00450000 0x000104F8 0x00002000 0x0004DE00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.5
.gfids 0x00461000 0x00000168 0x00000200 0x0004FE00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.09
.rsrc 0x00462000 0x000001E0 0x00000200 0x00050000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.7
Imports (12)
SHLWAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
StrChrW - 0x00446230 0x0004E3D0 0x0004CFD0 0x0000011E
KERNEL32.dll (112)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetCommandLineW - 0x00446010 0x0004E1B0 0x0004CDB0 0x000001D7
GetEnvironmentVariableW - 0x00446014 0x0004E1B4 0x0004CDB4 0x00000239
SetEnvironmentVariableW - 0x00446018 0x0004E1B8 0x0004CDB8 0x00000514
ExpandEnvironmentStringsW - 0x0044601C 0x0004E1BC 0x0004CDBC 0x00000162
SetCurrentDirectoryW - 0x00446020 0x0004E1C0 0x0004CDC0 0x00000509
GetCurrentDirectoryW - 0x00446024 0x0004E1C4 0x0004CDC4 0x00000211
SearchPathW - 0x00446028 0x0004E1C8 0x0004CDC8 0x000004D8
CreateFileW - 0x0044602C 0x0004E1CC 0x0004CDCC 0x000000CB
FindClose - 0x00446030 0x0004E1D0 0x0004CDD0 0x00000175
FindFirstFileW - 0x00446034 0x0004E1D4 0x0004CDD4 0x00000180
GetFileAttributesW - 0x00446038 0x0004E1D8 0x0004CDD8 0x00000245
GetFileSize - 0x0044603C 0x0004E1DC 0x0004CDDC 0x0000024B
GetFullPathNameW - 0x00446040 0x0004E1E0 0x0004CDE0 0x00000259
GetTempFileNameW - 0x00446044 0x0004E1E4 0x0004CDE4 0x000002F4
ReadFile - 0x00446048 0x0004E1E8 0x0004CDE8 0x00000473
SetFilePointer - 0x0044604C 0x0004E1EC 0x0004CDEC 0x00000522
WriteFile - 0x00446050 0x0004E1F0 0x0004CDF0 0x00000612
GetTempPathW - 0x00446054 0x0004E1F4 0x0004CDF4 0x000002F6
CloseHandle - 0x00446058 0x0004E1F8 0x0004CDF8 0x00000086
DuplicateHandle - 0x0044605C 0x0004E1FC 0x0004CDFC 0x0000012B
GetLastError - 0x00446060 0x0004E200 0x0004CE00 0x00000261
WaitForSingleObject - 0x00446064 0x0004E204 0x0004CE04 0x000005D7
GetCurrentProcess - 0x00446068 0x0004E208 0x0004CE08 0x00000217
ExitProcess - 0x0044606C 0x0004E20C 0x0004CE0C 0x0000015E
GetExitCodeProcess - 0x00446070 0x0004E210 0x0004CE10 0x0000023C
CreateProcessW - 0x00446074 0x0004E214 0x0004CE14 0x000000E5
GetStartupInfoW - 0x00446078 0x0004E218 0x0004CE18 0x000002D0
GetSystemDirectoryW - 0x0044607C 0x0004E21C 0x0004CE1C 0x000002E0
VirtualAlloc - 0x00446080 0x0004E220 0x0004CE20 0x000005C6
GetModuleHandleW - 0x00446084 0x0004E224 0x0004CE24 0x00000278
LocalAlloc - 0x00446088 0x0004E228 0x0004CE28 0x000003CA
LocalFree - 0x0044608C 0x0004E22C 0x0004CE2C 0x000003CF
FormatMessageW - 0x00446090 0x0004E230 0x0004CE30 0x000001A7
lstrcmpiW - 0x00446094 0x0004E234 0x0004CE34 0x00000633
lstrcpynW - 0x00446098 0x0004E238 0x0004CE38 0x00000639
lstrcpyW - 0x0044609C 0x0004E23C 0x0004CE3C 0x00000636
lstrcatW - 0x004460A0 0x0004E240 0x0004CE40 0x0000062D
lstrlenW - 0x004460A4 0x0004E244 0x0004CE44 0x0000063C
IsBadStringPtrW - 0x004460A8 0x0004E248 0x0004CE48 0x00000378
GetDateFormatW - 0x004460AC 0x0004E24C 0x0004CE4C 0x00000221
GetTimeFormatW - 0x004460B0 0x0004E250 0x0004CE50 0x0000030C
CompareStringW - 0x004460B4 0x0004E254 0x0004CE54 0x0000009B
SetStdHandle - 0x004460B8 0x0004E258 0x0004CE58 0x0000054A
WideCharToMultiByte - 0x004460BC 0x0004E25C 0x0004CE5C 0x000005FE
EnumSystemCodePagesW - 0x004460C0 0x0004E260 0x0004CE60 0x0000014C
GetConsoleCP - 0x004460C4 0x0004E264 0x0004CE64 0x000001EA
GetConsoleOutputCP - 0x004460C8 0x0004E268 0x0004CE68 0x00000200
ReadConsoleW - 0x004460CC 0x0004E26C 0x0004CE6C 0x00000470
WriteConsoleW - 0x004460D0 0x0004E270 0x0004CE70 0x00000611
GetConsoleScreenBufferInfo - 0x004460D4 0x0004E274 0x0004CE74 0x00000202
SetConsoleTitleW - 0x004460D8 0x0004E278 0x0004CE78 0x00000504
GetConsoleWindow - 0x004460DC 0x0004E27C 0x0004CE7C 0x00000207
EncodePointer - 0x004460E0 0x0004E280 0x0004CE80 0x0000012D
GetConsoleMode - 0x004460E4 0x0004E284 0x0004CE84 0x000001FC
FlushFileBuffers - 0x004460E8 0x0004E288 0x0004CE88 0x0000019F
HeapReAlloc - 0x004460EC 0x0004E28C 0x0004CE8C 0x0000034C
HeapSize - 0x004460F0 0x0004E290 0x0004CE90 0x0000034E
SetFilePointerEx - 0x004460F4 0x0004E294 0x0004CE94 0x00000523
GetFileSizeEx - 0x004460F8 0x0004E298 0x0004CE98 0x0000024C
SetConsoleCtrlHandler - 0x004460FC 0x0004E29C 0x0004CE9C 0x000004E9
GetProcessHeap - 0x00446100 0x0004E2A0 0x0004CEA0 0x000002B4
GetStringTypeW - 0x00446104 0x0004E2A4 0x0004CEA4 0x000002D7
FreeEnvironmentStringsW - 0x00446108 0x0004E2A8 0x0004CEA8 0x000001AA
GetEnvironmentStringsW - 0x0044610C 0x0004E2AC 0x0004CEAC 0x00000237
GetCPInfo - 0x00446110 0x0004E2B0 0x0004CEB0 0x000001C1
GetOEMCP - 0x00446114 0x0004E2B4 0x0004CEB4 0x00000297
GetACP - 0x00446118 0x0004E2B8 0x0004CEB8 0x000001B2
IsValidCodePage - 0x0044611C 0x0004E2BC 0x0004CEBC 0x0000038B
FindNextFileW - 0x00446120 0x0004E2C0 0x0004CEC0 0x0000018C
FindFirstFileExW - 0x00446124 0x0004E2C4 0x0004CEC4 0x0000017B
OutputDebugStringW - 0x00446128 0x0004E2C8 0x0004CEC8 0x00000419
IsDebuggerPresent - 0x0044612C 0x0004E2CC 0x0004CECC 0x0000037F
InitializeSListHead - 0x00446130 0x0004E2D0 0x0004CED0 0x00000363
GetSystemTimeAsFileTime - 0x00446134 0x0004E2D4 0x0004CED4 0x000002E9
GetCurrentThreadId - 0x00446138 0x0004E2D8 0x0004CED8 0x0000021C
GetCurrentProcessId - 0x0044613C 0x0004E2DC 0x0004CEDC 0x00000218
GetFileType - 0x00446140 0x0004E2E0 0x0004CEE0 0x0000024E
GetCurrentThread - 0x00446144 0x0004E2E4 0x0004CEE4 0x0000021B
EnumSystemLocalesW - 0x00446148 0x0004E2E8 0x0004CEE8 0x00000154
GetUserDefaultLCID - 0x0044614C 0x0004E2EC 0x0004CEEC 0x00000312
IsValidLocale - 0x00446150 0x0004E2F0 0x0004CEF0 0x0000038D
GetLocaleInfoW - 0x00446154 0x0004E2F4 0x0004CEF4 0x00000265
LCMapStringW - 0x00446158 0x0004E2F8 0x0004CEF8 0x000003B1
QueryPerformanceCounter - 0x0044615C 0x0004E2FC 0x0004CEFC 0x0000044D
GetStdHandle - 0x00446160 0x0004E300 0x0004CF00 0x000002D2
DecodePointer - 0x00446164 0x0004E304 0x0004CF04 0x00000109
MultiByteToWideChar - 0x00446168 0x0004E308 0x0004CF08 0x000003EF
RaiseException - 0x0044616C 0x0004E30C 0x0004CF0C 0x00000462
SetUnhandledExceptionFilter - 0x00446170 0x0004E310 0x0004CF10 0x0000056D
IsProcessorFeaturePresent - 0x00446174 0x0004E314 0x0004CF14 0x00000386
TerminateProcess - 0x00446178 0x0004E318 0x0004CF18 0x0000058C
InterlockedPushEntrySList - 0x0044617C 0x0004E31C 0x0004CF1C 0x0000036F
InterlockedFlushSList - 0x00446180 0x0004E320 0x0004CF20 0x0000036C
RtlUnwind - 0x00446184 0x0004E324 0x0004CF24 0x000004D3
SetLastError - 0x00446188 0x0004E328 0x0004CF28 0x00000532
HeapAlloc - 0x0044618C 0x0004E32C 0x0004CF2C 0x00000345
HeapFree - 0x00446190 0x0004E330 0x0004CF30 0x00000349
GetCommandLineA - 0x00446194 0x0004E334 0x0004CF34 0x000001D6
GetModuleHandleExW - 0x00446198 0x0004E338 0x0004CF38 0x00000277
GetModuleFileNameW - 0x0044619C 0x0004E33C 0x0004CF3C 0x00000274
LoadLibraryExW - 0x004461A0 0x0004E340 0x0004CF40 0x000003C3
GetProcAddress - 0x004461A4 0x0004E344 0x0004CF44 0x000002AE
FreeLibrary - 0x004461A8 0x0004E348 0x0004CF48 0x000001AB
TlsFree - 0x004461AC 0x0004E34C 0x0004CF4C 0x0000059F
TlsSetValue - 0x004461B0 0x0004E350 0x0004CF50 0x000005A1
TlsGetValue - 0x004461B4 0x0004E354 0x0004CF54 0x000005A0
TlsAlloc - 0x004461B8 0x0004E358 0x0004CF58 0x0000059E
InitializeCriticalSectionAndSpinCount - 0x004461BC 0x0004E35C 0x0004CF5C 0x0000035F
DeleteCriticalSection - 0x004461C0 0x0004E360 0x0004CF60 0x00000110
LeaveCriticalSection - 0x004461C4 0x0004E364 0x0004CF64 0x000003BD
EnterCriticalSection - 0x004461C8 0x0004E368 0x0004CF68 0x00000131
UnhandledExceptionFilter - 0x004461CC 0x0004E36C 0x0004CF6C 0x000005AD
pdh.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PdhSelectDataSourceA - 0x004462AC 0x0004E44C 0x0004D04C 0x00000061
PdhVbGetDoubleCounterValue - 0x004462B0 0x0004E450 0x0004D050 0x00000077
PdhMakeCounterPathW - 0x004462B4 0x0004E454 0x0004D054 0x00000051
PdhOpenQuery - 0x004462B8 0x0004E458 0x0004D058 0x00000054
PdhOpenQueryW - 0x004462BC 0x0004E45C 0x0004D05C 0x00000057
PdhGetFormattedCounterValue - 0x004462C0 0x0004E460 0x0004D060 0x00000041
PdhVbCreateCounterPathList - 0x004462C4 0x0004E464 0x0004D064 0x00000074
PdhSetQueryTimeRange - 0x004462C8 0x0004E468 0x0004D068 0x00000067
rtutils.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LogEventA - 0x004462D0 0x0004E470 0x0004D070 0x00000002
TraceVprintfExA - 0x004462D4 0x0004E474 0x0004D074 0x00000027
TraceVprintfExW - 0x004462D8 0x0004E478 0x0004D078 0x00000028
TracePrintfW - 0x004462DC 0x0004E47C 0x0004D07C 0x00000022
loadperf.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
UnloadPerfCounterTextStringsW - 0x00446270 0x0004E410 0x0004D010 0x0000000B
LoadPerfCounterTextStringsW - 0x00446274 0x0004E414 0x0004D014 0x00000004
UnloadPerfCounterTextStringsA - 0x00446278 0x0004E418 0x0004D018 0x0000000A
LoadPerfCounterTextStringsA - 0x0044627C 0x0004E41C 0x0004D01C 0x00000003
MAPI32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000029 0x004461D4 0x0004E374 0x0004CF74 -
None 0x000000C4 0x004461D8 0x0004E378 0x0004CF78 -
None 0x00000013 0x004461DC 0x0004E37C 0x0004CF7C -
None 0x00000080 0x004461E0 0x0004E380 0x0004CF80 -
WINSPOOL.DRV (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetPrinterDataA - 0x00446254 0x0004E3F4 0x0004CFF4 0x00000081
None 0x000000D2 0x00446258 0x0004E3F8 0x0004CFF8 -
AddPrinterDriverA - 0x0044625C 0x0004E3FC 0x0004CFFC 0x00000015
SetFormA - 0x00446260 0x0004E400 0x0004D000 0x000000AA
GetPrinterDriverW - 0x00446264 0x0004E404 0x0004D004 0x0000008C
AdvancedDocumentPropertiesW - 0x00446268 0x0004E408 0x0004D008 0x0000001B
ODBC32.dll (11)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x0000012D 0x004461E8 0x0004E388 0x0004CF88 -
None 0x0000003E 0x004461EC 0x0004E38C 0x0004CF8C -
None 0x0000001D 0x004461F0 0x0004E390 0x0004CF90 -
None 0x000000FC 0x004461F4 0x0004E394 0x0004CF94 -
ODBCInternalConnectW - 0x004461F8 0x0004E398 0x0004CF98 0x0000000A
None 0x00000021 0x004461FC 0x0004E39C 0x0004CF9C -
None 0x00000001 0x00446200 0x0004E3A0 0x0004CFA0 -
None 0x0000000E 0x00446204 0x0004E3A4 0x0004CFA4 -
None 0x0000010F 0x00446208 0x0004E3A8 0x0004CFA8 -
None 0x00000030 0x0044620C 0x0004E3AC 0x0004CFAC -
None 0x0000007F 0x00446210 0x0004E3B0 0x0004CFB0 -
mscms.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateMultiProfileTransform - 0x00446284 0x0004E424 0x0004D024 0x00000028
IsColorProfileTagPresent - 0x00446288 0x0004E428 0x0004D028 0x0000005B
GetStandardColorSpaceProfileW - 0x0044628C 0x0004E42C 0x0004D02C 0x00000046
RegisterCMMW - 0x00446290 0x0004E430 0x0004D030 0x00000061
CreateColorTransformA - 0x00446294 0x0004E434 0x0004D034 0x00000025
GetColorDirectoryA - 0x00446298 0x0004E438 0x0004D038 0x0000003A
DisassociateColorProfileFromDeviceW - 0x0044629C 0x0004E43C 0x0004D03C 0x00000033
SetColorProfileElementSize - 0x004462A0 0x0004E440 0x0004D040 0x00000065
RegisterCMMA - 0x004462A4 0x0004E444 0x0004D044 0x00000060
SHELL32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
FindExecutableA - 0x00446218 0x0004E3B8 0x0004CFB8 0x00000035
SHQueryRecycleBinW - 0x0044621C 0x0004E3BC 0x0004CFBC 0x00000192
Shell_NotifyIconA - 0x00446220 0x0004E3C0 0x0004CFC0 0x000001C1
FindExecutableW - 0x00446224 0x0004E3C4 0x0004CFC4 0x00000036
SHGetFileInfoW - 0x00446228 0x0004E3C8 0x0004CFC8 0x00000152
USER32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ShowWindow - 0x00446238 0x0004E3D8 0x0004CFD8 0x00000380
CharUpperBuffW - 0x0044623C 0x0004E3DC 0x0004CFDC 0x0000003E
IsCharAlphaW - 0x00446240 0x0004E3E0 0x0004CFE0 0x00000222
IsCharAlphaNumericW - 0x00446244 0x0004E3E4 0x0004CFE4 0x00000221
wsprintfW - 0x00446248 0x0004E3E8 0x0004CFE8 0x000003DD
LoadStringW - 0x0044624C 0x0004E3EC 0x0004CFEC 0x00000261
ADVAPI32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegCloseKey - 0x00446000 0x0004E1A0 0x0004CDA0 0x0000025B
RegQueryValueExW - 0x00446004 0x0004E1A4 0x0004CDA4 0x00000299
RegOpenKeyExW - 0x00446008 0x0004E1A8 0x0004CDA8 0x0000028C
Memory Dumps (87)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
rvtzlpyrgs.exe 2 0x00400000 0x00462FFF Relevant Image False 32-bit 0x004098B6 False
buffer 2 0x001E0000 0x001E1FFF First Execution False 32-bit 0x001E0000 False
buffer 2 0x001E0000 0x001E1FFF Process Termination False 32-bit - False
buffer 2 0x004B0000 0x004C9FFF Process Termination False 32-bit - False
buffer 2 0x004EF560 0x004EF5DF Process Termination False 32-bit - False
buffer 2 0x004F20D8 0x004F21AD Process Termination False 32-bit - False
buffer 2 0x004F3960 0x004F39EF Process Termination False 32-bit - False
buffer 2 0x004F43D0 0x004F449F Process Termination False 32-bit - False
buffer 2 0x004FB070 0x004FB1B3 Process Termination False 32-bit - False
buffer 2 0x004FCF90 0x004FDD8F Process Termination False 32-bit - False
buffer 2 0x004FDD98 0x004FDFB7 Process Termination False 32-bit - False
buffer 2 0x004FDFC0 0x004FE7BF Process Termination False 32-bit - False
buffer 2 0x004FF518 0x004FF5A7 Process Termination False 32-bit - False
buffer 2 0x01F77020 0x0234791F Process Termination False 32-bit - False
rvtzlpyrgs.exe 2 0x00400000 0x00462FFF Process Termination False 32-bit - False
buffer 4 0x00400000 0x004A1FFF First Execution False 32-bit 0x004139DE False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00414059 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412FEB False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004092CC False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040C9C2 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00407AA2 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00408952 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040DB78 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00410676 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040F44A False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040ED17 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00411954 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00401BBD False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004A0000 False
buffer 4 0x0019B000 0x0019FFFF First Network Behavior False 32-bit - False
buffer 4 0x00633ED0 0x006340D7 First Network Behavior False 32-bit - False
buffer 4 0x00635178 0x006364FF First Network Behavior False 32-bit - False
buffer 4 0x006382B0 0x006384B7 First Network Behavior False 32-bit - False
buffer 4 0x0063A6E0 0x0063A884 First Network Behavior False 32-bit - False
buffer 4 0x0063B6B0 0x0063CA37 First Network Behavior False 32-bit - False
buffer 4 0x0063D420 0x0063D631 First Network Behavior False 32-bit - False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412FEB False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040F980 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00410000 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004A0000 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00406489 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004048AE False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EA5 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004048AE False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004048AE False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004031E5 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004031E5 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00414167 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004031E5 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004031E5 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004048AE False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004031E5 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00404EE8 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00402BAB False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004067C4 False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x0040311C False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004048AE False
buffer 4 0x00400000 0x004A1FFF Content Changed False 32-bit 0x00412F30 False
buffer 4 0x004F0000 0x004F1FFF Final Dump False 32-bit - False
buffer 4 0x00633ED0 0x006340D7 Final Dump False 32-bit - False
buffer 4 0x006382B0 0x006384B7 Final Dump False 32-bit - False
buffer 4 0x0063D420 0x0063D627 Final Dump False 32-bit - False
buffer 4 0x006421E0 0x0064249B Final Dump False 32-bit - False
buffer 4 0x00645858 0x00645A69 Final Dump False 32-bit - False
buffer 4 0x00646D70 0x00647D3F Final Dump False 32-bit - False
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsv74D6.tmp Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 438.16 KB
MD5 1fcc9a83e0cd21105eb23c0e2e0debdf
SHA1 b42448aac9681577cf9411a37c62a27422042fca
SHA256 393b378fb154a276fcdf2e8f8b9426cb3dabc0ddd63e59dd83f08e22c76d9af2
SSDeep 12288:XAoIQgOy2H2Cm2qcnC3c7WtCb1+FTANNAb9UuzuOKBX:X9VgOXTm2Nb1+yAbquzG
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\aqqlknbytl.sm Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 104.00 KB
MD5 11b231b1b7306b70ef25d54fac84fe3a
SHA1 f4492882af9358497ebb649ce135869fdbb78e89
SHA256 86a2b6783a599185d30db5e9a8a232d453a2310497b82d09ae7ee7601f0cafcd
SSDeep 1536:b8sM7LgcztbYAZznZ5BL39MrhUml3bFPuxdZhh9ZkL+QoI6SO0Brr:b8HgSiiL3mrhUI3mhh9hQf6SOUrr
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\xdnyr.wb Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 5.35 KB
MD5 3dec0845b56f914840219608229b6c46
SHA1 46a2e4e0c26f36f3297c0feaf17b28256bbe4f1f
SHA256 6b5a1ee266b6c954b473b361cbe526819de00c6d4bbfbab513ecf7ed7ec96885
SSDeep 96:+vTpiU6nxej6pDyNJOfK7Sy++qO2KwXhPqME3uQfmrtIVobnSi2XV:+vliUakgyNJm+wXZqffmrt92XV
ImpHash -
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 53 Bytes
MD5 9c3c1a69a3c43835d6a2579570e6aa0d
SHA1 8af2c3b90473b35f1bb936de12a8bf72fe658468
SHA256 e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844dc34
SSDeep 3:/l4l5mrc9l:e4rc9l
ImpHash -
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
Clean
Known to be clean.
MIME Type application/octet-stream
File Size 53 Bytes
MD5 eca0470178275ac94e5de381969ed232
SHA1 d6de27e734eec57d1dda73489b4a6d6eecae3038
SHA256 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50
SSDeep 3::
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb Dropped File Text
Clean
MIME Type text/plain
File Size 4 Bytes
MD5 90f2527e58191a885a8cc35c99b89ba8
SHA1 10455ce0eb31eead75481e75dcba232d28c7e4c7
SHA256 859ffdca62ee0971821a4b2dedfc023d0f9a021391b5ac336ddb49d53d28330e
SSDeep 3:Kn:Kn
ImpHash -
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck Dropped File Stream
Clean
Known to be clean.
MIME Type application/octet-stream
File Size 1 Bytes
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SSDeep 3:U:U
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsg74C6.tmp Dropped File Empty
Clean
MIME Type application/x-empty
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsg75B2.tmp Dropped File Empty
Clean
Also Known As C:\Users\RDHJ0C~1\AppData\Local\Temp\nsg75B2.tmp\ (Accessed File)
MIME Type application/x-empty
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
6d8780de0d47117b257766c0da10356e59790bb7253ce479594550f975a0454a Downloaded File Stream
Clean
MIME Type application/octet-stream
File Size 288 Bytes
MD5 4975a33da32129fe059599bc6a7b96eb
SHA1 ac32ac7d8acb9e72c255c84d0acc01f3440d0cf4
SHA256 6d8780de0d47117b257766c0da10356e59790bb7253ce479594550f975a0454a
SSDeep 6:v0OYlHyNUMDccxcVE2lOC4KjQg3Zenk6KKiGRYx5f0RdWKsDTxzJfd6BUFxRVn:v0llHyK4cQcVE2/4K0g3ZencKR2ZtTZf
ImpHash -
ccf6aadc1539596860d96eaee2fbfb4d1f6f52d361be1ff807a27f814c374616 Downloaded File Stream
Clean
MIME Type application/octet-stream
File Size 186 Bytes
MD5 af382c52b2e64eb3246e0d3592cf7a7a
SHA1 8f61a3e39b9a71cf3f1b6e27bb757d66e4b53b84
SHA256 ccf6aadc1539596860d96eaee2fbfb4d1f6f52d361be1ff807a27f814c374616
SSDeep 3:v0OEhlHyflUMDcPkxcPFv/s2ljL+l/llMljQg3Zenk6KKiDgOylll:v0OYlHyNUMDccxcVE2lqkjQg3Zenk6K0
ImpHash -
f158aa8b7a32a64eae6a34384322ffafbb21fa59bd7deeb7fe2a7cc7364ce8f3 Downloaded File Stream
Clean
MIME Type application/octet-stream
File Size 159 Bytes
MD5 aa2b28f6586b464e04e621998816b5d5
SHA1 372a785803e4523b27c26a76492abf2c37fc89d6
SHA256 f158aa8b7a32a64eae6a34384322ffafbb21fa59bd7deeb7fe2a7cc7364ce8f3
SSDeep 3:wOOEhlHyflUMDcPkxcPFv/s2ll+ldljQg3Zenk6KKiDn:wOOYlHyNUMDccxcVE2lsljQg3Zenk6Kj
ImpHash -
c64510503435c2143bad854faba7891308b4b089d140449ceb903620fea45d6a Downloaded File Stream
Clean
MIME Type application/octet-stream
File Size 23 Bytes
MD5 f74f0c674b6a20bbb1a7afac774bcfde
SHA1 07a2ca2822e69fcd2a70c73cc83dd553b8b97235
SHA256 c64510503435c2143bad854faba7891308b4b089d140449ceb903620fea45d6a
SSDeep 3:1lMgne9n:Ewe9n
ImpHash -
b14395003e5efba733d717f89486aee8222abf00b33190ea2d34e7b68d2bca73 Downloaded File Text
Clean
Known to be clean.
MIME Type text/plain
File Size 15 Bytes
MD5 003b3bb995c2451098869088630871df
SHA1 5d24783bc3514543ed9bd164e49f027d77b501f5
SHA256 b14395003e5efba733d717f89486aee8222abf00b33190ea2d34e7b68d2bca73
SSDeep 3:8gne9n:8we9n
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.

Screenshot