File name:

lodop64.exe

Full analysis: https://app.any.run/tasks/bba99459-43a0-484c-826c-17e7de8266b5
Verdict: Malicious activity
Analysis date: May 04, 2021, 06:51:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

54C8BD44BAC2DFDECF15D90EAECA4761

SHA1:

EDF2872ED12CD877098D5D9540446C2260B7C0A9

SHA256:

EED7A742941551A3718849911439D9390B7BCCC7DBFC6CAC124BAC098DA87176

SSDEEP:

49152:8Xi++FrcxNzyaH+qrTHL8xrx/4PA3UpcJMhVbOVBtAfK:Z4Rh/S1QPcJMh4VHA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • lodop64.exe (PID: 2480)

    • Actions looks like stealing of personal data

      • lodop64.exe (PID: 2480)

    • Steals credentials from Web Browsers

      • lodop64.exe (PID: 2480)

  • SUSPICIOUS

    • Creates a directory in Program Files

      • lodop64.exe (PID: 2480)

    • Starts Internet Explorer

      • lodop64.exe (PID: 2480)

    • Creates files in the program directory

      • lodop64.exe (PID: 2480)

    • Executable content was dropped or overwritten

      • lodop64.exe (PID: 2480)

    • Creates files in the user directory

      • lodop64.exe (PID: 2480)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 1072)

    • Changes settings of System certificates

      • iexplore.exe (PID: 668)

    • Changes internet zones settings

      • iexplore.exe (PID: 1072)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 668)

    • Creates files in the user directory

      • iexplore.exe (PID: 668)

    • Reads internet explorer settings

      • iexplore.exe (PID: 668)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Win16/32 Executable Delphi generic (2.9)

EXIF

EXE

Comments: 梦泰尔软件工作室 MTSoftware(CN)
ProductVersion: 6.1
ProductName: Lodop(劳道谱) Install
OriginalFileName: Install_lodop64.exe
LegalTrademarks: Lodop
LegalCopyright: 梦泰尔软件工作室 MTSoftware(CN)
InternalName: Lodop(劳道谱) Install
FileVersion: 6.1.8.5
FileDescription: Print Control Lodop(64-bit) Install
CompanyName: MTSoftware(CN)
CharacterSet: Windows, Chinese (Simplified)
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 6.1.8.5
FileVersionNumber: 6.1.8.5
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x864e20
UninitializedDataSize: 6270976
InitializedDataSize: 8192
CodeSize: 2531328
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 2014:06:11 15:54:46+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Jun-2014 13:54:46
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: MTSoftware(CN)
FileDescription: Print Control Lodop(64-bit) Install
FileVersion: 6.1.8.5
InternalName: Lodop(劳道谱) Install
LegalCopyright: 梦泰尔软件工作室 MTSoftware(CN)
LegalTrademarks: Lodop
OriginalFilename: Install_lodop64.exe
ProductName: Lodop(劳道谱) Install
ProductVersion: 6.1
Comments: 梦泰尔软件工作室 MTSoftware(CN)

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 11-Jun-2014 13:54:46
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x005FB000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x005FC000
0x0026A000
0x00269200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.93287
.rsrc
0x00866000
0x00002000
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.5616

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.69587
920
UNKNOWN
Chinese - PRC
RT_VERSION
2
6.71942
308
UNKNOWN
English - United States
RT_CURSOR
3
6.88429
308
UNKNOWN
English - United States
RT_CURSOR
4
6.8253
308
UNKNOWN
English - United States
RT_CURSOR
5
6.99228
308
UNKNOWN
English - United States
RT_CURSOR
6
5.99068
308
UNKNOWN
English - United States
RT_CURSOR
7
6.30468
308
UNKNOWN
English - United States
RT_CURSOR
4080
3.36165
64
UNKNOWN
UNKNOWN
RT_STRING
4081
7.16976
900
UNKNOWN
UNKNOWN
RT_STRING
4082
6.7299
172
UNKNOWN
UNKNOWN
RT_STRING

Imports

KERNEL32.DLL
advapi32.dll
comctl32.dll
gdi32.dll
msimg32.dll
ole32.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start lodop64.exe iexplore.exe iexplore.exe lodop64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
668"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1072 CREDAT:275457 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
1072"C:\Program Files\Internet Explorer\iexplore.exe" http://blog.sina.com.cn/s/blog_721e77e50100ovnl.htmlC:\Program Files\Internet Explorer\iexplore.exe
lodop64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2372"C:\Users\admin\AppData\Local\Temp\lodop64.exe" C:\Users\admin\AppData\Local\Temp\lodop64.exeexplorer.exe
User:
admin
Company:
MTSoftware(CN)
Integrity Level:
MEDIUM
Description:
Print Control Lodop(64-bit) Install
Exit code:
3221226540
Version:
6.1.8.5
Modules
Images
c:\users\admin\appdata\local\temp\lodop64.exe
c:\systemroot\system32\ntdll.dll
2480"C:\Users\admin\AppData\Local\Temp\lodop64.exe" C:\Users\admin\AppData\Local\Temp\lodop64.exe
explorer.exe
User:
admin
Company:
MTSoftware(CN)
Integrity Level:
HIGH
Description:
Print Control Lodop(64-bit) Install
Exit code:
0
Version:
6.1.8.5
Modules
Images
c:\users\admin\appdata\local\temp\lodop64.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
Total events
550
Read events
431
Write events
119
Delete events
0

Modification events

(PID) Process:(2480) lodop64.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2105C259-1E0C-4534-8141-A753534CB4CA}\iexplore\AllowedDomains\*
Operation:writeName:(default)
Value:
(PID) Process:(2480) lodop64.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
Operation:writeName:iexplore.exe
Value:
0
(PID) Process:(2480) lodop64.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
Value:
010000000000000066D58606B240D701
(PID) Process:(1072) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
411218500
(PID) Process:(1072) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30884018
(PID) Process:(1072) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1072) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1072) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1072) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(1072) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
Executable files
2
Suspicious files
7
Text files
63
Unknown types
36

Dropped files

PID
Process
Filename
Type
2480lodop64.exeC:\Program Files\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop64.ocxexecutable
MD5:
SHA256:
2480lodop64.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferencestext
MD5:
SHA256:
668iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\article[1].csstext
MD5:
SHA256:
668iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\blog_721e77e50100ovnl[1].htmhtml
MD5:
SHA256:
2480lodop64.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\user.jstext
MD5:779799783AF20E34E17F78483BF56D07
SHA256:B75269AC534D81ABEFFB3127DFE7BEDC994B50898819A58C8265CCCD079F4C67
668iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\blog[2].csstext
MD5:
SHA256:
668iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\BXM22CI8.txttext
MD5:
SHA256:
668iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\blog[1].csstext
MD5:16EC770EAD94ACD20E93EE28937DFDB2
SHA256:E4810A292FB83892714943DD7DF7818209C8AAECB0920D256BF56581A433FAED
668iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\loading[1].gifimage
MD5:618A14F4DCA4F51100CD2400E7F9049C
SHA256:CAAE15EEC8BD2AF1F0EE84B9AABEF62A6FB1A2305F65FF4EB5D56773B159187F
668iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\t[1].csstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
55
TCP/UDP connections
44
DNS requests
22
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
668
iexplore.exe
GET
200
2.16.186.27:80
http://simg.sinajs.cn/blog7style/css/module/common/blog.css
unknown
text
12.1 Kb
whitelisted
668
iexplore.exe
GET
200
123.126.45.92:80
http://blog.sina.com.cn/main_v5/ria/blank2.html
CN
html
569 b
suspicious
668
iexplore.exe
GET
200
123.126.45.92:80
http://blog.sina.com.cn/s/blog_721e77e50100ovnl.html
CN
html
9.26 Kb
suspicious
668
iexplore.exe
GET
200
2.16.186.27:80
http://simg.sinajs.cn/blog7style/css/conf/blog/article.css
unknown
text
42.5 Kb
whitelisted
668
iexplore.exe
GET
200
2.16.186.27:80
http://simg.sinajs.cn/blog7newtpl/image/16/16_8/images/sg_newsp.png
unknown
image
4.46 Kb
whitelisted
668
iexplore.exe
GET
200
2.16.186.27:80
http://simg.sinajs.cn/blog7newtpl/image/16/16_8/images/sinablogb.jpg
unknown
image
106 Kb
whitelisted
668
iexplore.exe
GET
200
2.16.186.27:80
http://simg.sinajs.cn/blog7newtpl/image/16/16_8/images/modelbody.png
unknown
image
150 b
whitelisted
668
iexplore.exe
GET
200
2.16.186.27:80
http://simg.sinajs.cn/blog7style/css/common/common.css
unknown
text
63.2 Kb
whitelisted
668
iexplore.exe
GET
200
2.16.186.27:80
http://simg.sinajs.cn/blog7style/images/common/loading.gif
unknown
image
722 b
whitelisted
668
iexplore.exe
GET
200
2.16.186.27:80
http://simg.sinajs.cn/blog7style/images/common/topbar/topbar_logo.gif
unknown
image
1.42 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
668
iexplore.exe
2.16.186.27:80
simg.sinajs.cn
Akamai International B.V.
whitelisted
668
iexplore.exe
163.181.56.228:80
d1.sina.com.cn
US
suspicious
1072
iexplore.exe
131.253.33.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
668
iexplore.exe
123.126.45.92:80
blog.sina.com.cn
China Unicom Beijing Province Network
CN
malicious
163.181.56.228:80
d1.sina.com.cn
US
suspicious
49.7.36.113:80
control.blog.sina.com.cn
CN
unknown
668
iexplore.exe
163.181.56.226:80
news.sina.com.cn
US
unknown
668
iexplore.exe
49.7.37.59:80
hs.blog.sina.com.cn
CN
unknown
668
iexplore.exe
47.246.43.223:443
d1.sina.com.cn
US
malicious
668
iexplore.exe
47.246.43.225:80
d1.sina.com.cn
US
malicious

DNS requests

Domain
IP
Reputation
blog.sina.com.cn
  • 123.126.45.92
suspicious
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
simg.sinajs.cn
  • 2.16.186.27
  • 2.16.186.26
whitelisted
d1.sina.com.cn
  • 163.181.56.228
  • 47.246.43.223
  • 47.246.43.225
  • 47.246.43.228
  • 47.246.43.229
  • 47.246.43.230
  • 47.246.43.224
  • 47.246.43.227
  • 47.246.43.226
  • 163.181.56.231
  • 163.181.56.232
  • 163.181.56.225
whitelisted
sjs.sinajs.cn
  • 2.16.186.27
  • 2.16.186.26
whitelisted
i.sso.sina.com.cn
  • 163.181.56.228
  • 47.246.43.223
  • 47.246.43.225
  • 47.246.43.228
  • 47.246.43.229
  • 47.246.43.230
  • 47.246.43.224
  • 47.246.43.227
  • 47.246.43.226
  • 163.181.56.231
  • 163.181.56.232
  • 163.181.56.225
whitelisted
d5.sina.com.cn
  • 163.181.56.228
  • 47.246.43.223
  • 47.246.43.225
  • 47.246.43.228
  • 47.246.43.229
  • 47.246.43.230
  • 47.246.43.224
  • 47.246.43.227
  • 47.246.43.226
  • 163.181.56.231
  • 163.181.56.232
  • 163.181.56.225
whitelisted
control.blog.sina.com.cn
  • 49.7.36.113
unknown
d9.sina.com.cn
  • 47.246.43.223
  • 47.246.43.225
  • 47.246.43.228
  • 47.246.43.227
  • 47.246.43.226
  • 47.246.43.229
  • 47.246.43.230
  • 163.181.56.225
  • 163.181.56.232
  • 163.181.56.230
  • 163.181.56.229
  • 47.246.43.224
whitelisted

Threats

PID
Process
Class
Message
668
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Outdated Flash Version M1
668
iexplore.exe
Potential Corporate Privacy Violation
ET INFO Observed Interesting Content-Type Inbound (application/x-sh)
668
iexplore.exe
Potential Corporate Privacy Violation
ET INFO Observed Interesting Content-Type Inbound (application/x-sh)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
lodop64.exe