Malicious
Classifications

Downloader Injector Backdoor

Threat Names

Warzone SmokeLoader Mal/Generic-S RedNet +3

Dynamic Analysis Report

Created on 2023-05-05T15:57:14+00:00

558944fc2adfcd051a2f55cf18141d0b6e70282d51bb425e4035c09d39aac49a.exe

Windows Exe (x86-32)

Remarks (2/3)

(0x02000008): One or more processes crashed during the analysis. Analysis results may be incomplete.

(0x0200000E): The overall sleep time of all monitored processes was truncated from "7 minutes, 17 seconds" to "20 seconds" to reveal dormant functionality.

(0x0200004A): 3 dump(s) were skipped because they exceeded the maximum dump size of 16 MB. The largest one was 512 MB.

File Name Category Type Verdict
C:\Users\RDhJ0CNFevzX\Desktop\558944fc2adfcd051a2f55cf18141d0b6e70282d51bb425e4035c09d39aac49a.exe Sample File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 6.00 KB
MD5 0f7b882782215a347db43e0d23faa659
SHA1 232b7b5d0ddaf74290eb4255df89ec9c97d10679
SHA256 558944fc2adfcd051a2f55cf18141d0b6e70282d51bb425e4035c09d39aac49a
SSDeep 48:6SlzmldOWI5yAHN39fK0FplFcXJhyPFlL/J3th+kYvd4YgW3gp6cOulavTqXSfbi:FEOIQNVjrXcWD7RtwkYv1op7svNzNt
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x00402C5E
Size Of Code 0x00000E00
Size Of Initialized Data 0x00000800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-05-05 07:03 (UTC+2)
Version Information (7)
FileDescription
FileVersion 0.0.0.0
InternalName a.exe
LegalCopyright
OriginalFilename a.exe
ProductVersion 0.0.0.0
Assembly Version 0.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x00000C64 0x00000E00 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.87
.rsrc 0x00404000 0x000004C0 0x00000600 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.66
.reloc 0x00406000 0x0000000C 0x00000200 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.08
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x00002C2C 0x00000E2C 0x00000000
Memory Dumps (5)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
558944fc2adfcd051a2f55cf18141d0b6e70282d51bb425e4035c09d39aac49a.exe 1 0x009A0000 0x009A7FFF Relevant Image False 64-bit - False
buffer 1 0x1A6AD000 0x1A6AFFFF First Network Behavior False 64-bit - False
buffer 1 0x00145000 0x0014FFFF First Network Behavior False 64-bit - False
558944fc2adfcd051a2f55cf18141d0b6e70282d51bb425e4035c09d39aac49a.exe 1 0x009A0000 0x009A7FFF First Network Behavior False 64-bit - False
558944fc2adfcd051a2f55cf18141d0b6e70282d51bb425e4035c09d39aac49a.exe 1 0x009A0000 0x009A7FFF Final Dump False 64-bit - False
C:\Users\RDhJ0CNFevzX\Desktop\a\malwr.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 10.00 MB
MD5 7b74323b4bc40adec1159fd1d4874a61
SHA1 b9e69e25dfa4ad6a5da0bc5e7d26640da0c0af79
SHA256 b0ad2b4c12d0e7b300bec8d3eeb7c80a163050c36d7519a926a2bcf11e8ad919
SSDeep 196608:uN3BHnYqBfKV3IU25SynlGTGdJBgJOG1OU:oHfBOID5Synwid3gJV4U
ImpHash -
PE Information
Image Base 0x00400000
Entry Point 0x0046E500
Size Of Code 0x00348600
Size Of Initialized Data 0x000AA200
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 1970-01-01 01:00 (UTC+1)
Sections (13)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x003485B4 0x00348600 0x00000600 IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.91
.rdata 0x0074A000 0x004084A8 0x00408600 0x00348C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.92
.data 0x00B53000 0x000F8C30 0x000AA200 0x00751200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.35
/4 0x00C4C000 0x00000119 0x00000200 0x007FB400 IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 4.83
/19 0x00C4D000 0x00079A51 0x00079C00 0x007FB600 IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 8.0
/32 0x00CC7000 0x000181E6 0x00018200 0x00875200 IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 7.94
/46 0x00CE0000 0x00000030 0x00000200 0x0088D400 IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.86
/65 0x00CE1000 0x000D77ED 0x000D7800 0x0088D600 IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 8.0
/78 0x00DB9000 0x0008132C 0x00081400 0x00964E00 IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 8.0
/90 0x00E3B000 0x0002CD4F 0x0002CE00 0x009E6200 IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 7.83
.idata 0x00E68000 0x00000476 0x00000600 0x00A13000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.reloc 0x00E69000 0x0001BFEE 0x0001C000 0x00A13600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.0
.symtab 0x00E85000 0x0006E50F 0x0006E600 0x00A2F600 IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.0
Memory Dumps (33)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
malwr.exe 11 0x00220000 0x00D13FFF Relevant Image False 64-bit 0x0028E69E False
buffer 11 0xC000000000 0xC0003FFFFF Final Dump False 64-bit - False
buffer 11 0x216C0770000 0x216C077FFFF Final Dump False 64-bit - False
buffer 11 0x216C1EB0000 0x216C1EEFFFF Final Dump False 64-bit - False
buffer 11 0x216C1EF0000 0x216C1F0FFFF Final Dump False 64-bit - False
buffer 11 0x216C4840000 0x216C4840FFF Final Dump False 64-bit - False
buffer 11 0x216D6990000 0x216D6990FFF Final Dump False 64-bit - False
buffer 11 0x216E6810000 0x216E700FFFF Final Dump False 64-bit - False
buffer 11 0x216E7010000 0x216E7031FFF Final Dump False 64-bit - False
buffer 11 0x216E7040000 0x216E713FFFF Final Dump False 64-bit - False
buffer 11 0x216E7140000 0x216E714FFFF Final Dump False 64-bit - False
buffer 11 0x216E7150000 0x216E718FFFF Final Dump False 64-bit - False
buffer 11 0x216E7190000 0x216E71CFFFF Final Dump False 64-bit - False
buffer 11 0x216E71D0000 0x216E720FFFF Final Dump False 64-bit - False
buffer 11 0x216E7210000 0x216E736FFFF Final Dump False 64-bit - False
malwr.exe 11 0x00220000 0x00D13FFF Final Dump False 64-bit 0x00255B13 False
buffer 11 0xC000000000 0xC0003FFFFF Process Termination False 64-bit - False
buffer 11 0x216C0770000 0x216C077FFFF Process Termination False 64-bit - False
buffer 11 0x216C1EB0000 0x216C1EEFFFF Process Termination False 64-bit - False
buffer 11 0x216C1EF0000 0x216C1F0FFFF Process Termination False 64-bit - False
buffer 11 0x216C1F10000 0x216C200FFFF Process Termination False 64-bit - False
buffer 11 0x216C2010000 0x216C280FFFF Process Termination False 64-bit - False
buffer 11 0x216C4840000 0x216C4840FFF Process Termination False 64-bit - False
buffer 11 0x216D6990000 0x216D6990FFF Process Termination False 64-bit - False
buffer 11 0x216E6810000 0x216E700FFFF Process Termination False 64-bit - False
buffer 11 0x216E7010000 0x216E7031FFF Process Termination False 64-bit - False
buffer 11 0x216E7040000 0x216E713FFFF Process Termination False 64-bit - False
buffer 11 0x216E7140000 0x216E714FFFF Process Termination False 64-bit - False
buffer 11 0x216E7150000 0x216E718FFFF Process Termination False 64-bit - False
buffer 11 0x216E7190000 0x216E71CFFFF Process Termination False 64-bit - False
buffer 11 0x216E71D0000 0x216E720FFFF Process Termination False 64-bit - False
buffer 11 0x216E7210000 0x216E736FFFF Process Termination False 64-bit - False
malwr.exe 11 0x00220000 0x00D13FFF Process Termination False 64-bit - False
C:\Users\RDhJ0CNFevzX\Desktop\a\photo_560.exe Dropped File Binary
Malicious
Raised based on a child artifact.
MIME Type application/vnd.microsoft.portable-executable
File Size 479.50 KB
MD5 238ebd453738791c553206e3144494af
SHA1 927e6ff5d29ae1546490fd45f06655337362b830
SHA256 ec602134a5ed715c21d80744f37765389731fe2f082a84854419d2b3297a3b95
SSDeep 12288:dMrJy906HneaKVR3jb4zzUN1exfKBS300Cso3:4y5KVNEzC1Ct8so3
ImpHash 646167cce332c1c252cdcb1839e0cf48
PE Information
Image Base 0x00400000
Entry Point 0x00406A60
Size Of Code 0x00006400
Size Of Initialized Data 0x00071600
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-05-25 00:49 (UTC+2)
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Win32 Cabinet Self-Extractor
FileVersion 11.00.17763.1 (WinBuild.160101.0800)
InternalName Wextract
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename WEXTRACT.EXE .MUI
ProductName Internet Explorer
ProductVersion 11.00.17763.1
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00006314 0x00006400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.31
.data 0x00408000 0x00001A48 0x00000200 0x00006800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.97
.idata 0x0040A000 0x00001052 0x00001200 0x00006A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.03
.rsrc 0x0040C000 0x00070000 0x0006F800 0x00007C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.86
.reloc 0x0047C000 0x00000888 0x00000A00 0x00077400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.22
Imports (8)
ADVAPI32.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetTokenInformation - 0x0040A000 0x0000A340 0x00006D40 0x00000170
RegDeleteValueA - 0x0040A004 0x0000A344 0x00006D44 0x00000272
RegOpenKeyExA - 0x0040A008 0x0000A348 0x00006D48 0x0000028B
RegQueryInfoKeyA - 0x0040A00C 0x0000A34C 0x00006D4C 0x00000292
FreeSid - 0x0040A010 0x0000A350 0x00006D50 0x00000134
OpenProcessToken - 0x0040A014 0x0000A354 0x00006D54 0x00000215
RegSetValueExA - 0x0040A018 0x0000A358 0x00006D58 0x000002A8
RegCreateKeyExA - 0x0040A01C 0x0000A35C 0x00006D5C 0x00000263
LookupPrivilegeValueA - 0x0040A020 0x0000A360 0x00006D60 0x000001AE
AllocateAndInitializeSid - 0x0040A024 0x0000A364 0x00006D64 0x00000020
RegQueryValueExA - 0x0040A028 0x0000A368 0x00006D68 0x00000298
EqualSid - 0x0040A02C 0x0000A36C 0x00006D6C 0x0000011A
RegCloseKey - 0x0040A030 0x0000A370 0x00006D70 0x0000025B
AdjustTokenPrivileges - 0x0040A034 0x0000A374 0x00006D74 0x0000001F
KERNEL32.dll (81)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_lopen - 0x0040A060 0x0000A3A0 0x00006DA0 0x00000628
_llseek - 0x0040A064 0x0000A3A4 0x00006DA4 0x00000627
CompareStringA - 0x0040A068 0x0000A3A8 0x00006DA8 0x00000098
GetLastError - 0x0040A06C 0x0000A3AC 0x00006DAC 0x00000261
GetFileAttributesA - 0x0040A070 0x0000A3B0 0x00006DB0 0x00000240
GetSystemDirectoryA - 0x0040A074 0x0000A3B4 0x00006DB4 0x000002DF
LoadLibraryA - 0x0040A078 0x0000A3B8 0x00006DB8 0x000003C1
DeleteFileA - 0x0040A07C 0x0000A3BC 0x00006DBC 0x00000112
GlobalAlloc - 0x0040A080 0x0000A3C0 0x00006DC0 0x0000032D
GlobalFree - 0x0040A084 0x0000A3C4 0x00006DC4 0x00000334
CloseHandle - 0x0040A088 0x0000A3C8 0x00006DC8 0x00000086
WritePrivateProfileStringA - 0x0040A08C 0x0000A3CC 0x00006DCC 0x00000617
IsDBCSLeadByte - 0x0040A090 0x0000A3D0 0x00006DD0 0x0000037D
GetWindowsDirectoryA - 0x0040A094 0x0000A3D4 0x00006DD4 0x00000325
SetFileAttributesA - 0x0040A098 0x0000A3D8 0x00006DD8 0x0000051A
GetProcAddress - 0x0040A09C 0x0000A3DC 0x00006DDC 0x000002AE
GlobalLock - 0x0040A0A0 0x0000A3E0 0x00006DE0 0x00000338
LocalFree - 0x0040A0A4 0x0000A3E4 0x00006DE4 0x000003CF
RemoveDirectoryA - 0x0040A0A8 0x0000A3E8 0x00006DE8 0x000004B6
FreeLibrary - 0x0040A0AC 0x0000A3EC 0x00006DEC 0x000001AB
_lclose - 0x0040A0B0 0x0000A3F0 0x00006DF0 0x00000625
CreateDirectoryA - 0x0040A0B4 0x0000A3F4 0x00006DF4 0x000000B5
GetPrivateProfileIntA - 0x0040A0B8 0x0000A3F8 0x00006DF8 0x000002A4
GetPrivateProfileStringA - 0x0040A0BC 0x0000A3FC 0x00006DFC 0x000002AA
GlobalUnlock - 0x0040A0C0 0x0000A400 0x00006E00 0x0000033F
ReadFile - 0x0040A0C4 0x0000A404 0x00006E04 0x00000473
SizeofResource - 0x0040A0C8 0x0000A408 0x00006E08 0x0000057C
WriteFile - 0x0040A0CC 0x0000A40C 0x00006E0C 0x00000612
GetDriveTypeA - 0x0040A0D0 0x0000A410 0x00006E10 0x0000022E
lstrcmpA - 0x0040A0D4 0x0000A414 0x00006E14 0x0000062F
SetFileTime - 0x0040A0D8 0x0000A418 0x00006E18 0x00000526
SetFilePointer - 0x0040A0DC 0x0000A41C 0x00006E1C 0x00000522
FindResourceA - 0x0040A0E0 0x0000A420 0x00006E20 0x00000193
CreateMutexA - 0x0040A0E4 0x0000A424 0x00006E24 0x000000D7
GetVolumeInformationA - 0x0040A0E8 0x0000A428 0x00006E28 0x0000031C
ExpandEnvironmentStringsA - 0x0040A0EC 0x0000A42C 0x00006E2C 0x00000161
GetCurrentDirectoryA - 0x0040A0F0 0x0000A430 0x00006E30 0x00000210
FreeResource - 0x0040A0F4 0x0000A434 0x00006E34 0x000001AF
GetVersion - 0x0040A0F8 0x0000A438 0x00006E38 0x00000319
SetCurrentDirectoryA - 0x0040A0FC 0x0000A43C 0x00006E3C 0x00000508
GetTempPathA - 0x0040A100 0x0000A440 0x00006E40 0x000002F5
LocalFileTimeToFileTime - 0x0040A104 0x0000A444 0x00006E44 0x000003CC
CreateFileA - 0x0040A108 0x0000A448 0x00006E48 0x000000C3
SetEvent - 0x0040A10C 0x0000A44C 0x00006E4C 0x00000516
TerminateThread - 0x0040A110 0x0000A450 0x00006E50 0x0000058D
GetVersionExA - 0x0040A114 0x0000A454 0x00006E54 0x0000031A
LockResource - 0x0040A118 0x0000A458 0x00006E58 0x000003DB
GetSystemInfo - 0x0040A11C 0x0000A45C 0x00006E5C 0x000002E3
CreateThread - 0x0040A120 0x0000A460 0x00006E60 0x000000F3
ResetEvent - 0x0040A124 0x0000A464 0x00006E64 0x000004C6
LoadResource - 0x0040A128 0x0000A468 0x00006E68 0x000003C7
ExitProcess - 0x0040A12C 0x0000A46C 0x00006E6C 0x0000015E
GetModuleHandleW - 0x0040A130 0x0000A470 0x00006E70 0x00000278
CreateProcessA - 0x0040A134 0x0000A474 0x00006E74 0x000000E0
FormatMessageA - 0x0040A138 0x0000A478 0x00006E78 0x000001A6
GetTempFileNameA - 0x0040A13C 0x0000A47C 0x00006E7C 0x000002F3
DosDateTimeToFileTime - 0x0040A140 0x0000A480 0x00006E80 0x00000126
CreateEventA - 0x0040A144 0x0000A484 0x00006E84 0x000000BC
GetExitCodeProcess - 0x0040A148 0x0000A488 0x00006E88 0x0000023C
FindNextFileA - 0x0040A14C 0x0000A48C 0x00006E8C 0x0000018A
LocalAlloc - 0x0040A150 0x0000A490 0x00006E90 0x000003CA
GetShortPathNameA - 0x0040A154 0x0000A494 0x00006E94 0x000002CC
MulDiv - 0x0040A158 0x0000A498 0x00006E98 0x000003EE
GetDiskFreeSpaceA - 0x0040A15C 0x0000A49C 0x00006E9C 0x00000226
EnumResourceLanguagesA - 0x0040A160 0x0000A4A0 0x00006EA0 0x0000013F
GetTickCount - 0x0040A164 0x0000A4A4 0x00006EA4 0x00000307
GetSystemTimeAsFileTime - 0x0040A168 0x0000A4A8 0x00006EA8 0x000002E9
GetCurrentThreadId - 0x0040A16C 0x0000A4AC 0x00006EAC 0x0000021C
GetCurrentProcessId - 0x0040A170 0x0000A4B0 0x00006EB0 0x00000218
QueryPerformanceCounter - 0x0040A174 0x0000A4B4 0x00006EB4 0x0000044D
TerminateProcess - 0x0040A178 0x0000A4B8 0x00006EB8 0x0000058C
SetUnhandledExceptionFilter - 0x0040A17C 0x0000A4BC 0x00006EBC 0x0000056D
UnhandledExceptionFilter - 0x0040A180 0x0000A4C0 0x00006EC0 0x000005AD
GetStartupInfoW - 0x0040A184 0x0000A4C4 0x00006EC4 0x000002D0
Sleep - 0x0040A188 0x0000A4C8 0x00006EC8 0x0000057D
FindClose - 0x0040A18C 0x0000A4CC 0x00006ECC 0x00000175
GetCurrentProcess - 0x0040A190 0x0000A4D0 0x00006ED0 0x00000217
FindFirstFileA - 0x0040A194 0x0000A4D4 0x00006ED4 0x00000179
WaitForSingleObject - 0x0040A198 0x0000A4D8 0x00006ED8 0x000005D7
GetModuleFileNameA - 0x0040A19C 0x0000A4DC 0x00006EDC 0x00000273
LoadLibraryExA - 0x0040A1A0 0x0000A4E0 0x00006EE0 0x000003C2
GDI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetDeviceCaps - 0x0040A058 0x0000A398 0x00006D98 0x00000275
USER32.dll (30)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetWindowLongA - 0x0040A1A8 0x0000A4E8 0x00006EE8 0x00000373
GetDlgItemTextA - 0x0040A1AC 0x0000A4EC 0x00006EEC 0x0000014B
DialogBoxIndirectParamA - 0x0040A1B0 0x0000A4F0 0x00006EF0 0x000000B5
ShowWindow - 0x0040A1B4 0x0000A4F4 0x00006EF4 0x00000387
MsgWaitForMultipleObjects - 0x0040A1B8 0x0000A4F8 0x00006EF8 0x00000297
SetWindowPos - 0x0040A1BC 0x0000A4FC 0x00006EFC 0x00000376
GetDC - 0x0040A1C0 0x0000A500 0x00006F00 0x0000013F
GetWindowRect - 0x0040A1C4 0x0000A504 0x00006F04 0x000001E6
DispatchMessageA - 0x0040A1C8 0x0000A508 0x00006F08 0x000000BB
GetDesktopWindow - 0x0040A1CC 0x0000A50C 0x00006F0C 0x00000142
CharUpperA - 0x0040A1D0 0x0000A510 0x00006F10 0x0000003B
SetDlgItemTextA - 0x0040A1D4 0x0000A514 0x00006F14 0x00000332
ExitWindowsEx - 0x0040A1D8 0x0000A518 0x00006F18 0x0000010E
MessageBeep - 0x0040A1DC 0x0000A51C 0x00006F1C 0x00000288
EndDialog - 0x0040A1E0 0x0000A520 0x00006F20 0x000000F1
CharPrevA - 0x0040A1E4 0x0000A524 0x00006F24 0x00000034
LoadStringA - 0x0040A1E8 0x0000A528 0x00006F28 0x0000025B
CharNextA - 0x0040A1EC 0x0000A52C 0x00006F2C 0x00000031
EnableWindow - 0x0040A1F0 0x0000A530 0x00006F30 0x000000EE
ReleaseDC - 0x0040A1F4 0x0000A534 0x00006F34 0x000002FE
SetForegroundWindow - 0x0040A1F8 0x0000A538 0x00006F38 0x00000337
PeekMessageA - 0x0040A1FC 0x0000A53C 0x00006F3C 0x000002AE
GetDlgItem - 0x0040A200 0x0000A540 0x00006F40 0x00000149
SendMessageA - 0x0040A204 0x0000A544 0x00006F44 0x00000314
SendDlgItemMessageA - 0x0040A208 0x0000A548 0x00006F48 0x0000030F
MessageBoxA - 0x0040A20C 0x0000A54C 0x00006F4C 0x00000289
SetWindowTextA - 0x0040A210 0x0000A550 0x00006F50 0x0000037A
GetWindowLongA - 0x0040A214 0x0000A554 0x00006F54 0x000001DE
CallWindowProcA - 0x0040A218 0x0000A558 0x00006F58 0x0000001F
GetSystemMetrics - 0x0040A21C 0x0000A55C 0x00006F5C 0x000001BF
msvcrt.dll (20)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_controlfp - 0x0040A234 0x0000A574 0x00006F74 0x00000137
?terminate@@YAXXZ - 0x0040A238 0x0000A578 0x00006F78 0x00000035
_acmdln - 0x0040A23C 0x0000A57C 0x00006F7C 0x000000F7
_initterm - 0x0040A240 0x0000A580 0x00006F80 0x000001E8
__setusermatherr - 0x0040A244 0x0000A584 0x00006F84 0x000000E4
_except_handler4_common - 0x0040A248 0x0000A588 0x00006F88 0x0000016A
memcpy - 0x0040A24C 0x0000A58C 0x00006F8C 0x00000509
_ismbblead - 0x0040A250 0x0000A590 0x00006F90 0x00000207
__p__fmode - 0x0040A254 0x0000A594 0x00006F94 0x000000CE
_cexit - 0x0040A258 0x0000A598 0x00006F98 0x00000124
_exit - 0x0040A25C 0x0000A59C 0x00006F9C 0x00000173
exit - 0x0040A260 0x0000A5A0 0x00006FA0 0x000004AE
__set_app_type - 0x0040A264 0x0000A5A4 0x00006FA4 0x000000E2
__getmainargs - 0x0040A268 0x0000A5A8 0x00006FA8 0x000000A1
_amsg_exit - 0x0040A26C 0x0000A5AC 0x00006FAC 0x00000111
__p__commode - 0x0040A270 0x0000A5B0 0x00006FB0 0x000000C9
_XcptFilter - 0x0040A274 0x0000A5B4 0x00006FB4 0x0000006F
memcpy_s - 0x0040A278 0x0000A5B8 0x00006FB8 0x0000050A
_vsnprintf - 0x0040A27C 0x0000A5BC 0x00006FBC 0x000003E6
memset - 0x0040A280 0x0000A5C0 0x00006FC0 0x0000050D
COMCTL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000011 0x0040A03C 0x0000A37C 0x00006D7C -
Cabinet.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000016 0x0040A044 0x0000A384 0x00006D84 -
None 0x00000017 0x0040A048 0x0000A388 0x00006D88 -
None 0x00000015 0x0040A04C 0x0000A38C 0x00006D8C -
None 0x00000014 0x0040A050 0x0000A390 0x00006D90 -
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoA - 0x0040A224 0x0000A564 0x00006F64 0x00000000
VerQueryValueA - 0x0040A228 0x0000A568 0x00006F68 0x0000000F
GetFileVersionInfoSizeA - 0x0040A22C 0x0000A56C 0x00006F6C 0x00000004
Memory Dumps (1)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
photo_560.exe 27 0x00DE0000 0x00E5CFFF Relevant Image False 32-bit 0x00DE2BFB False
C:\Users\RDhJ0CNFevzX\Desktop\a\foto0183.exe Dropped File Binary
Malicious
Raised based on a child artifact.
MIME Type application/vnd.microsoft.portable-executable
File Size 479.50 KB
MD5 7b02bd3509e63995c0f1dc65e660b4fb
SHA1 6abcb12480476e4e0c926ab38b8802b7074a7e4f
SHA256 72e43e93c2d0af29585fc4e210b7394dcd3622d870a2ccc0e16b67887702b53d
SSDeep 12288:OMruy90DSKa8GwuvM0JS9eLYTEKXEi49JPq:0yX8GwKlxSEtY
ImpHash 646167cce332c1c252cdcb1839e0cf48
PE Information
Image Base 0x00400000
Entry Point 0x00406A60
Size Of Code 0x00006400
Size Of Initialized Data 0x00071600
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-05-25 00:49 (UTC+2)
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Win32 Cabinet Self-Extractor
FileVersion 11.00.17763.1 (WinBuild.160101.0800)
InternalName Wextract
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename WEXTRACT.EXE .MUI
ProductName Internet Explorer
ProductVersion 11.00.17763.1
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00006314 0x00006400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.31
.data 0x00408000 0x00001A48 0x00000200 0x00006800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.97
.idata 0x0040A000 0x00001052 0x00001200 0x00006A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.03
.rsrc 0x0040C000 0x00070000 0x0006F800 0x00007C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.86
.reloc 0x0047C000 0x00000888 0x00000A00 0x00077400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.22
Imports (8)
ADVAPI32.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetTokenInformation - 0x0040A000 0x0000A340 0x00006D40 0x00000170
RegDeleteValueA - 0x0040A004 0x0000A344 0x00006D44 0x00000272
RegOpenKeyExA - 0x0040A008 0x0000A348 0x00006D48 0x0000028B
RegQueryInfoKeyA - 0x0040A00C 0x0000A34C 0x00006D4C 0x00000292
FreeSid - 0x0040A010 0x0000A350 0x00006D50 0x00000134
OpenProcessToken - 0x0040A014 0x0000A354 0x00006D54 0x00000215
RegSetValueExA - 0x0040A018 0x0000A358 0x00006D58 0x000002A8
RegCreateKeyExA - 0x0040A01C 0x0000A35C 0x00006D5C 0x00000263
LookupPrivilegeValueA - 0x0040A020 0x0000A360 0x00006D60 0x000001AE
AllocateAndInitializeSid - 0x0040A024 0x0000A364 0x00006D64 0x00000020
RegQueryValueExA - 0x0040A028 0x0000A368 0x00006D68 0x00000298
EqualSid - 0x0040A02C 0x0000A36C 0x00006D6C 0x0000011A
RegCloseKey - 0x0040A030 0x0000A370 0x00006D70 0x0000025B
AdjustTokenPrivileges - 0x0040A034 0x0000A374 0x00006D74 0x0000001F
KERNEL32.dll (81)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_lopen - 0x0040A060 0x0000A3A0 0x00006DA0 0x00000628
_llseek - 0x0040A064 0x0000A3A4 0x00006DA4 0x00000627
CompareStringA - 0x0040A068 0x0000A3A8 0x00006DA8 0x00000098
GetLastError - 0x0040A06C 0x0000A3AC 0x00006DAC 0x00000261
GetFileAttributesA - 0x0040A070 0x0000A3B0 0x00006DB0 0x00000240
GetSystemDirectoryA - 0x0040A074 0x0000A3B4 0x00006DB4 0x000002DF
LoadLibraryA - 0x0040A078 0x0000A3B8 0x00006DB8 0x000003C1
DeleteFileA - 0x0040A07C 0x0000A3BC 0x00006DBC 0x00000112
GlobalAlloc - 0x0040A080 0x0000A3C0 0x00006DC0 0x0000032D
GlobalFree - 0x0040A084 0x0000A3C4 0x00006DC4 0x00000334
CloseHandle - 0x0040A088 0x0000A3C8 0x00006DC8 0x00000086
WritePrivateProfileStringA - 0x0040A08C 0x0000A3CC 0x00006DCC 0x00000617
IsDBCSLeadByte - 0x0040A090 0x0000A3D0 0x00006DD0 0x0000037D
GetWindowsDirectoryA - 0x0040A094 0x0000A3D4 0x00006DD4 0x00000325
SetFileAttributesA - 0x0040A098 0x0000A3D8 0x00006DD8 0x0000051A
GetProcAddress - 0x0040A09C 0x0000A3DC 0x00006DDC 0x000002AE
GlobalLock - 0x0040A0A0 0x0000A3E0 0x00006DE0 0x00000338
LocalFree - 0x0040A0A4 0x0000A3E4 0x00006DE4 0x000003CF
RemoveDirectoryA - 0x0040A0A8 0x0000A3E8 0x00006DE8 0x000004B6
FreeLibrary - 0x0040A0AC 0x0000A3EC 0x00006DEC 0x000001AB
_lclose - 0x0040A0B0 0x0000A3F0 0x00006DF0 0x00000625
CreateDirectoryA - 0x0040A0B4 0x0000A3F4 0x00006DF4 0x000000B5
GetPrivateProfileIntA - 0x0040A0B8 0x0000A3F8 0x00006DF8 0x000002A4
GetPrivateProfileStringA - 0x0040A0BC 0x0000A3FC 0x00006DFC 0x000002AA
GlobalUnlock - 0x0040A0C0 0x0000A400 0x00006E00 0x0000033F
ReadFile - 0x0040A0C4 0x0000A404 0x00006E04 0x00000473
SizeofResource - 0x0040A0C8 0x0000A408 0x00006E08 0x0000057C
WriteFile - 0x0040A0CC 0x0000A40C 0x00006E0C 0x00000612
GetDriveTypeA - 0x0040A0D0 0x0000A410 0x00006E10 0x0000022E
lstrcmpA - 0x0040A0D4 0x0000A414 0x00006E14 0x0000062F
SetFileTime - 0x0040A0D8 0x0000A418 0x00006E18 0x00000526
SetFilePointer - 0x0040A0DC 0x0000A41C 0x00006E1C 0x00000522
FindResourceA - 0x0040A0E0 0x0000A420 0x00006E20 0x00000193
CreateMutexA - 0x0040A0E4 0x0000A424 0x00006E24 0x000000D7
GetVolumeInformationA - 0x0040A0E8 0x0000A428 0x00006E28 0x0000031C
ExpandEnvironmentStringsA - 0x0040A0EC 0x0000A42C 0x00006E2C 0x00000161
GetCurrentDirectoryA - 0x0040A0F0 0x0000A430 0x00006E30 0x00000210
FreeResource - 0x0040A0F4 0x0000A434 0x00006E34 0x000001AF
GetVersion - 0x0040A0F8 0x0000A438 0x00006E38 0x00000319
SetCurrentDirectoryA - 0x0040A0FC 0x0000A43C 0x00006E3C 0x00000508
GetTempPathA - 0x0040A100 0x0000A440 0x00006E40 0x000002F5
LocalFileTimeToFileTime - 0x0040A104 0x0000A444 0x00006E44 0x000003CC
CreateFileA - 0x0040A108 0x0000A448 0x00006E48 0x000000C3
SetEvent - 0x0040A10C 0x0000A44C 0x00006E4C 0x00000516
TerminateThread - 0x0040A110 0x0000A450 0x00006E50 0x0000058D
GetVersionExA - 0x0040A114 0x0000A454 0x00006E54 0x0000031A
LockResource - 0x0040A118 0x0000A458 0x00006E58 0x000003DB
GetSystemInfo - 0x0040A11C 0x0000A45C 0x00006E5C 0x000002E3
CreateThread - 0x0040A120 0x0000A460 0x00006E60 0x000000F3
ResetEvent - 0x0040A124 0x0000A464 0x00006E64 0x000004C6
LoadResource - 0x0040A128 0x0000A468 0x00006E68 0x000003C7
ExitProcess - 0x0040A12C 0x0000A46C 0x00006E6C 0x0000015E
GetModuleHandleW - 0x0040A130 0x0000A470 0x00006E70 0x00000278
CreateProcessA - 0x0040A134 0x0000A474 0x00006E74 0x000000E0
FormatMessageA - 0x0040A138 0x0000A478 0x00006E78 0x000001A6
GetTempFileNameA - 0x0040A13C 0x0000A47C 0x00006E7C 0x000002F3
DosDateTimeToFileTime - 0x0040A140 0x0000A480 0x00006E80 0x00000126
CreateEventA - 0x0040A144 0x0000A484 0x00006E84 0x000000BC
GetExitCodeProcess - 0x0040A148 0x0000A488 0x00006E88 0x0000023C
FindNextFileA - 0x0040A14C 0x0000A48C 0x00006E8C 0x0000018A
LocalAlloc - 0x0040A150 0x0000A490 0x00006E90 0x000003CA
GetShortPathNameA - 0x0040A154 0x0000A494 0x00006E94 0x000002CC
MulDiv - 0x0040A158 0x0000A498 0x00006E98 0x000003EE
GetDiskFreeSpaceA - 0x0040A15C 0x0000A49C 0x00006E9C 0x00000226
EnumResourceLanguagesA - 0x0040A160 0x0000A4A0 0x00006EA0 0x0000013F
GetTickCount - 0x0040A164 0x0000A4A4 0x00006EA4 0x00000307
GetSystemTimeAsFileTime - 0x0040A168 0x0000A4A8 0x00006EA8 0x000002E9
GetCurrentThreadId - 0x0040A16C 0x0000A4AC 0x00006EAC 0x0000021C
GetCurrentProcessId - 0x0040A170 0x0000A4B0 0x00006EB0 0x00000218
QueryPerformanceCounter - 0x0040A174 0x0000A4B4 0x00006EB4 0x0000044D
TerminateProcess - 0x0040A178 0x0000A4B8 0x00006EB8 0x0000058C
SetUnhandledExceptionFilter - 0x0040A17C 0x0000A4BC 0x00006EBC 0x0000056D
UnhandledExceptionFilter - 0x0040A180 0x0000A4C0 0x00006EC0 0x000005AD
GetStartupInfoW - 0x0040A184 0x0000A4C4 0x00006EC4 0x000002D0
Sleep - 0x0040A188 0x0000A4C8 0x00006EC8 0x0000057D
FindClose - 0x0040A18C 0x0000A4CC 0x00006ECC 0x00000175
GetCurrentProcess - 0x0040A190 0x0000A4D0 0x00006ED0 0x00000217
FindFirstFileA - 0x0040A194 0x0000A4D4 0x00006ED4 0x00000179
WaitForSingleObject - 0x0040A198 0x0000A4D8 0x00006ED8 0x000005D7
GetModuleFileNameA - 0x0040A19C 0x0000A4DC 0x00006EDC 0x00000273
LoadLibraryExA - 0x0040A1A0 0x0000A4E0 0x00006EE0 0x000003C2
GDI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetDeviceCaps - 0x0040A058 0x0000A398 0x00006D98 0x00000275
USER32.dll (30)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetWindowLongA - 0x0040A1A8 0x0000A4E8 0x00006EE8 0x00000373
GetDlgItemTextA - 0x0040A1AC 0x0000A4EC 0x00006EEC 0x0000014B
DialogBoxIndirectParamA - 0x0040A1B0 0x0000A4F0 0x00006EF0 0x000000B5
ShowWindow - 0x0040A1B4 0x0000A4F4 0x00006EF4 0x00000387
MsgWaitForMultipleObjects - 0x0040A1B8 0x0000A4F8 0x00006EF8 0x00000297
SetWindowPos - 0x0040A1BC 0x0000A4FC 0x00006EFC 0x00000376
GetDC - 0x0040A1C0 0x0000A500 0x00006F00 0x0000013F
GetWindowRect - 0x0040A1C4 0x0000A504 0x00006F04 0x000001E6
DispatchMessageA - 0x0040A1C8 0x0000A508 0x00006F08 0x000000BB
GetDesktopWindow - 0x0040A1CC 0x0000A50C 0x00006F0C 0x00000142
CharUpperA - 0x0040A1D0 0x0000A510 0x00006F10 0x0000003B
SetDlgItemTextA - 0x0040A1D4 0x0000A514 0x00006F14 0x00000332
ExitWindowsEx - 0x0040A1D8 0x0000A518 0x00006F18 0x0000010E
MessageBeep - 0x0040A1DC 0x0000A51C 0x00006F1C 0x00000288
EndDialog - 0x0040A1E0 0x0000A520 0x00006F20 0x000000F1
CharPrevA - 0x0040A1E4 0x0000A524 0x00006F24 0x00000034
LoadStringA - 0x0040A1E8 0x0000A528 0x00006F28 0x0000025B
CharNextA - 0x0040A1EC 0x0000A52C 0x00006F2C 0x00000031
EnableWindow - 0x0040A1F0 0x0000A530 0x00006F30 0x000000EE
ReleaseDC - 0x0040A1F4 0x0000A534 0x00006F34 0x000002FE
SetForegroundWindow - 0x0040A1F8 0x0000A538 0x00006F38 0x00000337
PeekMessageA - 0x0040A1FC 0x0000A53C 0x00006F3C 0x000002AE
GetDlgItem - 0x0040A200 0x0000A540 0x00006F40 0x00000149
SendMessageA - 0x0040A204 0x0000A544 0x00006F44 0x00000314
SendDlgItemMessageA - 0x0040A208 0x0000A548 0x00006F48 0x0000030F
MessageBoxA - 0x0040A20C 0x0000A54C 0x00006F4C 0x00000289
SetWindowTextA - 0x0040A210 0x0000A550 0x00006F50 0x0000037A
GetWindowLongA - 0x0040A214 0x0000A554 0x00006F54 0x000001DE
CallWindowProcA - 0x0040A218 0x0000A558 0x00006F58 0x0000001F
GetSystemMetrics - 0x0040A21C 0x0000A55C 0x00006F5C 0x000001BF
msvcrt.dll (20)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_controlfp - 0x0040A234 0x0000A574 0x00006F74 0x00000137
?terminate@@YAXXZ - 0x0040A238 0x0000A578 0x00006F78 0x00000035
_acmdln - 0x0040A23C 0x0000A57C 0x00006F7C 0x000000F7
_initterm - 0x0040A240 0x0000A580 0x00006F80 0x000001E8
__setusermatherr - 0x0040A244 0x0000A584 0x00006F84 0x000000E4
_except_handler4_common - 0x0040A248 0x0000A588 0x00006F88 0x0000016A
memcpy - 0x0040A24C 0x0000A58C 0x00006F8C 0x00000509
_ismbblead - 0x0040A250 0x0000A590 0x00006F90 0x00000207
__p__fmode - 0x0040A254 0x0000A594 0x00006F94 0x000000CE
_cexit - 0x0040A258 0x0000A598 0x00006F98 0x00000124
_exit - 0x0040A25C 0x0000A59C 0x00006F9C 0x00000173
exit - 0x0040A260 0x0000A5A0 0x00006FA0 0x000004AE
__set_app_type - 0x0040A264 0x0000A5A4 0x00006FA4 0x000000E2
__getmainargs - 0x0040A268 0x0000A5A8 0x00006FA8 0x000000A1
_amsg_exit - 0x0040A26C 0x0000A5AC 0x00006FAC 0x00000111
__p__commode - 0x0040A270 0x0000A5B0 0x00006FB0 0x000000C9
_XcptFilter - 0x0040A274 0x0000A5B4 0x00006FB4 0x0000006F
memcpy_s - 0x0040A278 0x0000A5B8 0x00006FB8 0x0000050A
_vsnprintf - 0x0040A27C 0x0000A5BC 0x00006FBC 0x000003E6
memset - 0x0040A280 0x0000A5C0 0x00006FC0 0x0000050D
COMCTL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000011 0x0040A03C 0x0000A37C 0x00006D7C -
Cabinet.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000016 0x0040A044 0x0000A384 0x00006D84 -
None 0x00000017 0x0040A048 0x0000A388 0x00006D88 -
None 0x00000015 0x0040A04C 0x0000A38C 0x00006D8C -
None 0x00000014 0x0040A050 0x0000A390 0x00006D90 -
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoA - 0x0040A224 0x0000A564 0x00006F64 0x00000000
VerQueryValueA - 0x0040A228 0x0000A568 0x00006F68 0x0000000F
GetFileVersionInfoSizeA - 0x0040A22C 0x0000A56C 0x00006F6C 0x00000004
C:\Users\RDHJ0C~1\AppData\Local\Temp\IXP000.TMP\v6852231.exe Dropped File Binary
Malicious
Raised based on a child artifact.
Also Known As v6852231.exe (Miscellaneous File, Archive File)
Parent File 2f63ec50c7c778c7c0b9c4d26fe23f6b13a4bdb3214eda6242620e85ca46d1ef
MIME Type application/vnd.microsoft.portable-executable
File Size 308.50 KB
MD5 c111c002dc5f8508b474bb22ee06b045 Copy to Clipboard
SHA1 2c104aa919e5c55119f4eda57ac474c34a33b6e0 Copy to Clipboard
SHA256 84e4e10d7d0f1a4c0ce28e6435e75be850407bf3c150415c826c02ace4ab391b Copy to Clipboard
SSDeep 6144:Ksy+bnr+jp0yN90QEwlEY+zbPsM4Jq1eUB0HvarMFauraSPuc:UMrTy906b+zzeq1exaKaSh Copy to Clipboard
ImpHash 646167cce332c1c252cdcb1839e0cf48 Copy to Clipboard
PE Information
Image Base 0x00400000
Entry Point 0x00406A60
Size Of Code 0x00006400
Size Of Initialized Data 0x00046A00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-05-25 00:49 (UTC+2)
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Win32 Cabinet Self-Extractor
FileVersion 11.00.17763.1 (WinBuild.160101.0800)
InternalName Wextract
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename WEXTRACT.EXE .MUI
ProductName Internet Explorer
ProductVersion 11.00.17763.1
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00006314 0x00006400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.31
.data 0x00408000 0x00001A48 0x00000200 0x00006800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.97
.idata 0x0040A000 0x00001052 0x00001200 0x00006A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.03
.rsrc 0x0040C000 0x00045000 0x00044C00 0x00007C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.72
.reloc 0x00451000 0x00000888 0x00000A00 0x0004C800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.22
Imports (8)
ADVAPI32.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetTokenInformation - 0x0040A000 0x0000A340 0x00006D40 0x00000170
RegDeleteValueA - 0x0040A004 0x0000A344 0x00006D44 0x00000272
RegOpenKeyExA - 0x0040A008 0x0000A348 0x00006D48 0x0000028B
RegQueryInfoKeyA - 0x0040A00C 0x0000A34C 0x00006D4C 0x00000292
FreeSid - 0x0040A010 0x0000A350 0x00006D50 0x00000134
OpenProcessToken - 0x0040A014 0x0000A354 0x00006D54 0x00000215
RegSetValueExA - 0x0040A018 0x0000A358 0x00006D58 0x000002A8
RegCreateKeyExA - 0x0040A01C 0x0000A35C 0x00006D5C 0x00000263
LookupPrivilegeValueA - 0x0040A020 0x0000A360 0x00006D60 0x000001AE
AllocateAndInitializeSid - 0x0040A024 0x0000A364 0x00006D64 0x00000020
RegQueryValueExA - 0x0040A028 0x0000A368 0x00006D68 0x00000298
EqualSid - 0x0040A02C 0x0000A36C 0x00006D6C 0x0000011A
RegCloseKey - 0x0040A030 0x0000A370 0x00006D70 0x0000025B
AdjustTokenPrivileges - 0x0040A034 0x0000A374 0x00006D74 0x0000001F
KERNEL32.dll (81)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_lopen - 0x0040A060 0x0000A3A0 0x00006DA0 0x00000628
_llseek - 0x0040A064 0x0000A3A4 0x00006DA4 0x00000627
CompareStringA - 0x0040A068 0x0000A3A8 0x00006DA8 0x00000098
GetLastError - 0x0040A06C 0x0000A3AC 0x00006DAC 0x00000261
GetFileAttributesA - 0x0040A070 0x0000A3B0 0x00006DB0 0x00000240
GetSystemDirectoryA - 0x0040A074 0x0000A3B4 0x00006DB4 0x000002DF
LoadLibraryA - 0x0040A078 0x0000A3B8 0x00006DB8 0x000003C1
DeleteFileA - 0x0040A07C 0x0000A3BC 0x00006DBC 0x00000112
GlobalAlloc - 0x0040A080 0x0000A3C0 0x00006DC0 0x0000032D
GlobalFree - 0x0040A084 0x0000A3C4 0x00006DC4 0x00000334
CloseHandle - 0x0040A088 0x0000A3C8 0x00006DC8 0x00000086
WritePrivateProfileStringA - 0x0040A08C 0x0000A3CC 0x00006DCC 0x00000617
IsDBCSLeadByte - 0x0040A090 0x0000A3D0 0x00006DD0 0x0000037D
GetWindowsDirectoryA - 0x0040A094 0x0000A3D4 0x00006DD4 0x00000325
SetFileAttributesA - 0x0040A098 0x0000A3D8 0x00006DD8 0x0000051A
GetProcAddress - 0x0040A09C 0x0000A3DC 0x00006DDC 0x000002AE
GlobalLock - 0x0040A0A0 0x0000A3E0 0x00006DE0 0x00000338
LocalFree - 0x0040A0A4 0x0000A3E4 0x00006DE4 0x000003CF
RemoveDirectoryA - 0x0040A0A8 0x0000A3E8 0x00006DE8 0x000004B6
FreeLibrary - 0x0040A0AC 0x0000A3EC 0x00006DEC 0x000001AB
_lclose - 0x0040A0B0 0x0000A3F0 0x00006DF0 0x00000625
CreateDirectoryA - 0x0040A0B4 0x0000A3F4 0x00006DF4 0x000000B5
GetPrivateProfileIntA - 0x0040A0B8 0x0000A3F8 0x00006DF8 0x000002A4
GetPrivateProfileStringA - 0x0040A0BC 0x0000A3FC 0x00006DFC 0x000002AA
GlobalUnlock - 0x0040A0C0 0x0000A400 0x00006E00 0x0000033F
ReadFile - 0x0040A0C4 0x0000A404 0x00006E04 0x00000473
SizeofResource - 0x0040A0C8 0x0000A408 0x00006E08 0x0000057C
WriteFile - 0x0040A0CC 0x0000A40C 0x00006E0C 0x00000612
GetDriveTypeA - 0x0040A0D0 0x0000A410 0x00006E10 0x0000022E
lstrcmpA - 0x0040A0D4 0x0000A414 0x00006E14 0x0000062F
SetFileTime - 0x0040A0D8 0x0000A418 0x00006E18 0x00000526
SetFilePointer - 0x0040A0DC 0x0000A41C 0x00006E1C 0x00000522
FindResourceA - 0x0040A0E0 0x0000A420 0x00006E20 0x00000193
CreateMutexA - 0x0040A0E4 0x0000A424 0x00006E24 0x000000D7
GetVolumeInformationA - 0x0040A0E8 0x0000A428 0x00006E28 0x0000031C
ExpandEnvironmentStringsA - 0x0040A0EC 0x0000A42C 0x00006E2C 0x00000161
GetCurrentDirectoryA - 0x0040A0F0 0x0000A430 0x00006E30 0x00000210
FreeResource - 0x0040A0F4 0x0000A434 0x00006E34 0x000001AF
GetVersion - 0x0040A0F8 0x0000A438 0x00006E38 0x00000319
SetCurrentDirectoryA - 0x0040A0FC 0x0000A43C 0x00006E3C 0x00000508
GetTempPathA - 0x0040A100 0x0000A440 0x00006E40 0x000002F5
LocalFileTimeToFileTime - 0x0040A104 0x0000A444 0x00006E44 0x000003CC
CreateFileA - 0x0040A108 0x0000A448 0x00006E48 0x000000C3
SetEvent - 0x0040A10C 0x0000A44C 0x00006E4C 0x00000516
TerminateThread - 0x0040A110 0x0000A450 0x00006E50 0x0000058D
GetVersionExA - 0x0040A114 0x0000A454 0x00006E54 0x0000031A
LockResource - 0x0040A118 0x0000A458 0x00006E58 0x000003DB
GetSystemInfo - 0x0040A11C 0x0000A45C 0x00006E5C 0x000002E3
CreateThread - 0x0040A120 0x0000A460 0x00006E60 0x000000F3
ResetEvent - 0x0040A124 0x0000A464 0x00006E64 0x000004C6
LoadResource - 0x0040A128 0x0000A468 0x00006E68 0x000003C7
ExitProcess - 0x0040A12C 0x0000A46C 0x00006E6C 0x0000015E
GetModuleHandleW - 0x0040A130 0x0000A470 0x00006E70 0x00000278
CreateProcessA - 0x0040A134 0x0000A474 0x00006E74 0x000000E0
FormatMessageA - 0x0040A138 0x0000A478 0x00006E78 0x000001A6
GetTempFileNameA - 0x0040A13C 0x0000A47C 0x00006E7C 0x000002F3
DosDateTimeToFileTime - 0x0040A140 0x0000A480 0x00006E80 0x00000126
CreateEventA - 0x0040A144 0x0000A484 0x00006E84 0x000000BC
GetExitCodeProcess - 0x0040A148 0x0000A488 0x00006E88 0x0000023C
FindNextFileA - 0x0040A14C 0x0000A48C 0x00006E8C 0x0000018A
LocalAlloc - 0x0040A150 0x0000A490 0x00006E90 0x000003CA
GetShortPathNameA - 0x0040A154 0x0000A494 0x00006E94 0x000002CC
MulDiv - 0x0040A158 0x0000A498 0x00006E98 0x000003EE
GetDiskFreeSpaceA - 0x0040A15C 0x0000A49C 0x00006E9C 0x00000226
EnumResourceLanguagesA - 0x0040A160 0x0000A4A0 0x00006EA0 0x0000013F
GetTickCount - 0x0040A164 0x0000A4A4 0x00006EA4 0x00000307
GetSystemTimeAsFileTime - 0x0040A168 0x0000A4A8 0x00006EA8 0x000002E9
GetCurrentThreadId - 0x0040A16C 0x0000A4AC 0x00006EAC 0x0000021C
GetCurrentProcessId - 0x0040A170 0x0000A4B0 0x00006EB0 0x00000218
QueryPerformanceCounter - 0x0040A174 0x0000A4B4 0x00006EB4 0x0000044D
TerminateProcess - 0x0040A178 0x0000A4B8 0x00006EB8 0x0000058C
SetUnhandledExceptionFilter - 0x0040A17C 0x0000A4BC 0x00006EBC 0x0000056D
UnhandledExceptionFilter - 0x0040A180 0x0000A4C0 0x00006EC0 0x000005AD
GetStartupInfoW - 0x0040A184 0x0000A4C4 0x00006EC4 0x000002D0
Sleep - 0x0040A188 0x0000A4C8 0x00006EC8 0x0000057D
FindClose - 0x0040A18C 0x0000A4CC 0x00006ECC 0x00000175
GetCurrentProcess - 0x0040A190 0x0000A4D0 0x00006ED0 0x00000217
FindFirstFileA - 0x0040A194 0x0000A4D4 0x00006ED4 0x00000179
WaitForSingleObject - 0x0040A198 0x0000A4D8 0x00006ED8 0x000005D7
GetModuleFileNameA - 0x0040A19C 0x0000A4DC 0x00006EDC 0x00000273
LoadLibraryExA - 0x0040A1A0 0x0000A4E0 0x00006EE0 0x000003C2
GDI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetDeviceCaps - 0x0040A058 0x0000A398 0x00006D98 0x00000275
USER32.dll (30)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetWindowLongA - 0x0040A1A8 0x0000A4E8 0x00006EE8 0x00000373
GetDlgItemTextA - 0x0040A1AC 0x0000A4EC 0x00006EEC 0x0000014B
DialogBoxIndirectParamA - 0x0040A1B0 0x0000A4F0 0x00006EF0 0x000000B5
ShowWindow - 0x0040A1B4 0x0000A4F4 0x00006EF4 0x00000387
MsgWaitForMultipleObjects - 0x0040A1B8 0x0000A4F8 0x00006EF8 0x00000297
SetWindowPos - 0x0040A1BC 0x0000A4FC 0x00006EFC 0x00000376
GetDC - 0x0040A1C0 0x0000A500 0x00006F00 0x0000013F
GetWindowRect - 0x0040A1C4 0x0000A504 0x00006F04 0x000001E6
DispatchMessageA - 0x0040A1C8 0x0000A508 0x00006F08 0x000000BB
GetDesktopWindow - 0x0040A1CC 0x0000A50C 0x00006F0C 0x00000142
CharUpperA - 0x0040A1D0 0x0000A510 0x00006F10 0x0000003B
SetDlgItemTextA - 0x0040A1D4 0x0000A514 0x00006F14 0x00000332
ExitWindowsEx - 0x0040A1D8 0x0000A518 0x00006F18 0x0000010E
MessageBeep - 0x0040A1DC 0x0000A51C 0x00006F1C 0x00000288
EndDialog - 0x0040A1E0 0x0000A520 0x00006F20 0x000000F1
CharPrevA - 0x0040A1E4 0x0000A524 0x00006F24 0x00000034
LoadStringA - 0x0040A1E8 0x0000A528 0x00006F28 0x0000025B
CharNextA - 0x0040A1EC 0x0000A52C 0x00006F2C 0x00000031
EnableWindow - 0x0040A1F0 0x0000A530 0x00006F30 0x000000EE
ReleaseDC - 0x0040A1F4 0x0000A534 0x00006F34 0x000002FE
SetForegroundWindow - 0x0040A1F8 0x0000A538 0x00006F38 0x00000337
PeekMessageA - 0x0040A1FC 0x0000A53C 0x00006F3C 0x000002AE
GetDlgItem - 0x0040A200 0x0000A540 0x00006F40 0x00000149
SendMessageA - 0x0040A204 0x0000A544 0x00006F44 0x00000314
SendDlgItemMessageA - 0x0040A208 0x0000A548 0x00006F48 0x0000030F
MessageBoxA - 0x0040A20C 0x0000A54C 0x00006F4C 0x00000289
SetWindowTextA - 0x0040A210 0x0000A550 0x00006F50 0x0000037A
GetWindowLongA - 0x0040A214 0x0000A554 0x00006F54 0x000001DE
CallWindowProcA - 0x0040A218 0x0000A558 0x00006F58 0x0000001F
GetSystemMetrics - 0x0040A21C 0x0000A55C 0x00006F5C 0x000001BF
msvcrt.dll (20)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_controlfp - 0x0040A234 0x0000A574 0x00006F74 0x00000137
?terminate@@YAXXZ - 0x0040A238 0x0000A578 0x00006F78 0x00000035
_acmdln - 0x0040A23C 0x0000A57C 0x00006F7C 0x000000F7
_initterm - 0x0040A240 0x0000A580 0x00006F80 0x000001E8
__setusermatherr - 0x0040A244 0x0000A584 0x00006F84 0x000000E4
_except_handler4_common - 0x0040A248 0x0000A588 0x00006F88 0x0000016A
memcpy - 0x0040A24C 0x0000A58C 0x00006F8C 0x00000509
_ismbblead - 0x0040A250 0x0000A590 0x00006F90 0x00000207
__p__fmode - 0x0040A254 0x0000A594 0x00006F94 0x000000CE
_cexit - 0x0040A258 0x0000A598 0x00006F98 0x00000124
_exit - 0x0040A25C 0x0000A59C 0x00006F9C 0x00000173
exit - 0x0040A260 0x0000A5A0 0x00006FA0 0x000004AE
__set_app_type - 0x0040A264 0x0000A5A4 0x00006FA4 0x000000E2
__getmainargs - 0x0040A268 0x0000A5A8 0x00006FA8 0x000000A1
_amsg_exit - 0x0040A26C 0x0000A5AC 0x00006FAC 0x00000111
__p__commode - 0x0040A270 0x0000A5B0 0x00006FB0 0x000000C9
_XcptFilter - 0x0040A274 0x0000A5B4 0x00006FB4 0x0000006F
memcpy_s - 0x0040A278 0x0000A5B8 0x00006FB8 0x0000050A
_vsnprintf - 0x0040A27C 0x0000A5BC 0x00006FBC 0x000003E6
memset - 0x0040A280 0x0000A5C0 0x00006FC0 0x0000050D
COMCTL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000011 0x0040A03C 0x0000A37C 0x00006D7C -
Cabinet.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000016 0x0040A044 0x0000A384 0x00006D84 -
None 0x00000017 0x0040A048 0x0000A388 0x00006D88 -
None 0x00000015 0x0040A04C 0x0000A38C 0x00006D8C -
None 0x00000014 0x0040A050 0x0000A390 0x00006D90 -
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoA - 0x0040A224 0x0000A564 0x00006F64 0x00000000
VerQueryValueA - 0x0040A228 0x0000A568 0x00006F68 0x0000000F
GetFileVersionInfoSizeA - 0x0040A22C 0x0000A56C 0x00006F6C 0x00000004
C:\Users\RDHJ0C~1\AppData\Local\Temp\IXP000.TMP\d6121125.exe Dropped File Binary
Malicious
Also Known As d6121125.exe (Miscellaneous File, Archive File)
i7977054.exe (Miscellaneous File, Archive File)
Parent File bdba3bc3d48f9f416e759d00b67deeb4e1c2feb33272e3598ed5f9ee7c6a7899
MIME Type application/vnd.microsoft.portable-executable
File Size 204.50 KB
MD5 c14869045ea50a4368e015350d349b81
SHA1 f0515e00463d02b8cd9404a0b2b4ba21e2155fac
SHA256 454da82a4921c2826b942421cfd4c066242abbb6bb079f9be478c10026640196
SSDeep 3072:mhMCsw9/w+A4cwP+5OzutpHKGruONM4QuZA+67bi83eILfbq5kmh:5Cswq+AXYu7HGOSuZAlAILjq
ImpHash f8cc61ade86cb7277d0ab974de6323cb
File Reputation Information
Verdict
Malicious
PE Information
Image Base 0x00400000
Entry Point 0x004155DF
Size Of Code 0x00027400
Size Of Initialized Data 0x0000C800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-05-02 18:45 (UTC+2)
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x000273FD 0x00027400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.44
.rdata 0x00429000 0x00007C74 0x00007E00 0x00027800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.99
.data 0x00431000 0x00002468 0x00001800 0x0002F600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.37
.rsrc 0x00434000 0x000001E0 0x00000200 0x00030E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.72
.reloc 0x00435000 0x000020DC 0x00002200 0x00031000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.57
Imports (4)
KERNEL32.dll (105)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileAttributesA - 0x00429024 0x00030160 0x0002E960 0x00000240
CreateFileA - 0x00429028 0x00030164 0x0002E964 0x000000C3
CloseHandle - 0x0042902C 0x00030168 0x0002E968 0x00000086
GetSystemInfo - 0x00429030 0x0003016C 0x0002E96C 0x000002E3
CreateThread - 0x00429034 0x00030170 0x0002E970 0x000000F3
HeapAlloc - 0x00429038 0x00030174 0x0002E974 0x00000345
GetThreadContext - 0x0042903C 0x00030178 0x0002E978 0x000002F7
GetProcAddress - 0x00429040 0x0003017C 0x0002E97C 0x000002AE
VirtualAllocEx - 0x00429044 0x00030180 0x0002E980 0x000005C7
LocalFree - 0x00429048 0x00030184 0x0002E984 0x000003CF
GetLastError - 0x0042904C 0x00030188 0x0002E988 0x00000261
ReadProcessMemory - 0x00429050 0x0003018C 0x0002E98C 0x00000476
GetProcessHeap - 0x00429054 0x00030190 0x0002E990 0x000002B4
CreateProcessA - 0x00429058 0x00030194 0x0002E994 0x000000E0
CreateDirectoryA - 0x0042905C 0x00030198 0x0002E998 0x000000B5
SetThreadContext - 0x00429060 0x0003019C 0x0002E99C 0x00000554
WriteConsoleW - 0x00429064 0x000301A0 0x0002E9A0 0x00000611
ReadConsoleW - 0x00429068 0x000301A4 0x0002E9A4 0x00000470
SetEndOfFile - 0x0042906C 0x000301A8 0x0002E9A8 0x00000510
SetFilePointerEx - 0x00429070 0x000301AC 0x0002E9AC 0x00000523
GetTempPathA - 0x00429074 0x000301B0 0x0002E9B0 0x000002F5
Sleep - 0x00429078 0x000301B4 0x0002E9B4 0x0000057D
SetCurrentDirectoryA - 0x0042907C 0x000301B8 0x0002E9B8 0x00000508
GetModuleHandleA - 0x00429080 0x000301BC 0x0002E9BC 0x00000275
GetComputerNameExW - 0x00429084 0x000301C0 0x0002E9C0 0x000001DE
ResumeThread - 0x00429088 0x000301C4 0x0002E9C4 0x000004CD
GetVersionExW - 0x0042908C 0x000301C8 0x0002E9C8 0x0000031B
CreateMutexA - 0x00429090 0x000301CC 0x0002E9CC 0x000000D7
VirtualAlloc - 0x00429094 0x000301D0 0x0002E9D0 0x000005C6
WriteFile - 0x00429098 0x000301D4 0x0002E9D4 0x00000612
VirtualFree - 0x0042909C 0x000301D8 0x0002E9D8 0x000005C9
HeapFree - 0x004290A0 0x000301DC 0x0002E9DC 0x00000349
WriteProcessMemory - 0x004290A4 0x000301E0 0x0002E9E0 0x0000061B
GetModuleFileNameA - 0x004290A8 0x000301E4 0x0002E9E4 0x00000273
RemoveDirectoryA - 0x004290AC 0x000301E8 0x0002E9E8 0x000004B6
ReadFile - 0x004290B0 0x000301EC 0x0002E9EC 0x00000473
HeapReAlloc - 0x004290B4 0x000301F0 0x0002E9F0 0x0000034C
HeapSize - 0x004290B8 0x000301F4 0x0002E9F4 0x0000034E
GetTimeZoneInformation - 0x004290BC 0x000301F8 0x0002E9F8 0x0000030E
GetConsoleMode - 0x004290C0 0x000301FC 0x0002E9FC 0x000001FC
GetConsoleCP - 0x004290C4 0x00030200 0x0002EA00 0x000001EA
FlushFileBuffers - 0x004290C8 0x00030204 0x0002EA04 0x0000019F
GetStringTypeW - 0x004290CC 0x00030208 0x0002EA08 0x000002D7
SetEnvironmentVariableW - 0x004290D0 0x0003020C 0x0002EA0C 0x00000514
FreeEnvironmentStringsW - 0x004290D4 0x00030210 0x0002EA10 0x000001AA
GetEnvironmentStringsW - 0x004290D8 0x00030214 0x0002EA14 0x00000237
WideCharToMultiByte - 0x004290DC 0x00030218 0x0002EA18 0x000005FE
GetCPInfo - 0x004290E0 0x0003021C 0x0002EA1C 0x000001C1
GetOEMCP - 0x004290E4 0x00030220 0x0002EA20 0x00000297
GetACP - 0x004290E8 0x00030224 0x0002EA24 0x000001B2
IsValidCodePage - 0x004290EC 0x00030228 0x0002EA28 0x0000038B
FindNextFileW - 0x004290F0 0x0003022C 0x0002EA2C 0x0000018C
FindFirstFileExW - 0x004290F4 0x00030230 0x0002EA30 0x0000017B
FindClose - 0x004290F8 0x00030234 0x0002EA34 0x00000175
SetStdHandle - 0x004290FC 0x00030238 0x0002EA38 0x0000054A
GetFullPathNameW - 0x00429100 0x0003023C 0x0002EA3C 0x00000259
GetCurrentDirectoryW - 0x00429104 0x00030240 0x0002EA40 0x00000211
DeleteFileW - 0x00429108 0x00030244 0x0002EA44 0x00000115
LCMapStringW - 0x0042910C 0x00030248 0x0002EA48 0x000003B1
EnterCriticalSection - 0x00429110 0x0003024C 0x0002EA4C 0x00000131
LeaveCriticalSection - 0x00429114 0x00030250 0x0002EA50 0x000003BD
InitializeCriticalSectionAndSpinCount - 0x00429118 0x00030254 0x0002EA54 0x0000035F
DeleteCriticalSection - 0x0042911C 0x00030258 0x0002EA58 0x00000110
SetEvent - 0x00429120 0x0003025C 0x0002EA5C 0x00000516
ResetEvent - 0x00429124 0x00030260 0x0002EA60 0x000004C6
WaitForSingleObjectEx - 0x00429128 0x00030264 0x0002EA64 0x000005D8
CreateEventW - 0x0042912C 0x00030268 0x0002EA68 0x000000BF
GetModuleHandleW - 0x00429130 0x0003026C 0x0002EA6C 0x00000278
UnhandledExceptionFilter - 0x00429134 0x00030270 0x0002EA70 0x000005AD
SetUnhandledExceptionFilter - 0x00429138 0x00030274 0x0002EA74 0x0000056D
GetCurrentProcess - 0x0042913C 0x00030278 0x0002EA78 0x00000217
TerminateProcess - 0x00429140 0x0003027C 0x0002EA7C 0x0000058C
IsProcessorFeaturePresent - 0x00429144 0x00030280 0x0002EA80 0x00000386
IsDebuggerPresent - 0x00429148 0x00030284 0x0002EA84 0x0000037F
GetStartupInfoW - 0x0042914C 0x00030288 0x0002EA88 0x000002D0
QueryPerformanceCounter - 0x00429150 0x0003028C 0x0002EA8C 0x0000044D
GetCurrentProcessId - 0x00429154 0x00030290 0x0002EA90 0x00000218
GetCurrentThreadId - 0x00429158 0x00030294 0x0002EA94 0x0000021C
GetSystemTimeAsFileTime - 0x0042915C 0x00030298 0x0002EA98 0x000002E9
InitializeSListHead - 0x00429160 0x0003029C 0x0002EA9C 0x00000363
RaiseException - 0x00429164 0x000302A0 0x0002EAA0 0x00000462
SetLastError - 0x00429168 0x000302A4 0x0002EAA4 0x00000532
RtlUnwind - 0x0042916C 0x000302A8 0x0002EAA8 0x000004D3
TlsAlloc - 0x00429170 0x000302AC 0x0002EAAC 0x0000059E
TlsGetValue - 0x00429174 0x000302B0 0x0002EAB0 0x000005A0
TlsSetValue - 0x00429178 0x000302B4 0x0002EAB4 0x000005A1
TlsFree - 0x0042917C 0x000302B8 0x0002EAB8 0x0000059F
FreeLibrary - 0x00429180 0x000302BC 0x0002EABC 0x000001AB
LoadLibraryExW - 0x00429184 0x000302C0 0x0002EAC0 0x000003C3
ExitProcess - 0x00429188 0x000302C4 0x0002EAC4 0x0000015E
GetModuleHandleExW - 0x0042918C 0x000302C8 0x0002EAC8 0x00000277
CreateFileW - 0x00429190 0x000302CC 0x0002EACC 0x000000CB
GetDriveTypeW - 0x00429194 0x000302D0 0x0002EAD0 0x0000022F
GetFileInformationByHandle - 0x00429198 0x000302D4 0x0002EAD4 0x00000247
GetFileType - 0x0042919C 0x000302D8 0x0002EAD8 0x0000024E
PeekNamedPipe - 0x004291A0 0x000302DC 0x0002EADC 0x00000422
SystemTimeToTzSpecificLocalTime - 0x004291A4 0x000302E0 0x0002EAE0 0x00000589
FileTimeToSystemTime - 0x004291A8 0x000302E4 0x0002EAE4 0x0000016A
GetModuleFileNameW - 0x004291AC 0x000302E8 0x0002EAE8 0x00000274
GetStdHandle - 0x004291B0 0x000302EC 0x0002EAEC 0x000002D2
GetCommandLineA - 0x004291B4 0x000302F0 0x0002EAF0 0x000001D6
GetCommandLineW - 0x004291B8 0x000302F4 0x0002EAF4 0x000001D7
MultiByteToWideChar - 0x004291BC 0x000302F8 0x0002EAF8 0x000003EF
CompareStringW - 0x004291C0 0x000302FC 0x0002EAFC 0x0000009B
DecodePointer - 0x004291C4 0x00030300 0x0002EB00 0x00000109
ADVAPI32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegCloseKey - 0x00429000 0x0003013C 0x0002E93C 0x0000025B
RegQueryValueExA - 0x00429004 0x00030140 0x0002E940 0x00000298
GetUserNameA - 0x00429008 0x00030144 0x0002E944 0x0000017A
RegSetValueExA - 0x0042900C 0x00030148 0x0002E948 0x000002A8
RegOpenKeyExA - 0x00429010 0x0003014C 0x0002E94C 0x0000028B
ConvertSidToStringSidW - 0x00429014 0x00030150 0x0002E950 0x0000007B
GetUserNameW - 0x00429018 0x00030154 0x0002E954 0x0000017B
LookupAccountNameW - 0x0042901C 0x00030158 0x0002E958 0x000001A7
SHELL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetFolderPathA - 0x004291CC 0x00030308 0x0002EB08 0x00000154
ShellExecuteA - 0x004291D0 0x0003030C 0x0002EB0C 0x000001B3
None 0x000002A8 0x004291D4 0x00030310 0x0002EB10 -
SHFileOperationA - 0x004291D8 0x00030314 0x0002EB14 0x00000140
WININET.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
HttpOpenRequestA - 0x004291E0 0x0003031C 0x0002EB1C 0x00000078
InternetReadFile - 0x004291E4 0x00030320 0x0002EB20 0x000000CE
InternetConnectA - 0x004291E8 0x00030324 0x0002EB24 0x0000009B
HttpSendRequestA - 0x004291EC 0x00030328 0x0002EB28 0x0000007F
InternetCloseHandle - 0x004291F0 0x0003032C 0x0002EB2C 0x00000095
InternetOpenA - 0x004291F4 0x00030330 0x0002EB30 0x000000C6
InternetOpenW - 0x004291F8 0x00030334 0x0002EB34 0x000000C9
InternetOpenUrlA - 0x004291FC 0x00030338 0x0002EB38 0x000000C7
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsvA2D.tmp\graaj.dll Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 12.50 KB
MD5 efcaa4781922783ffdda3336fe6336f9
SHA1 20917d68b0cd5cdc11230617c193c423d4bb90ee
SHA256 2f723a0d2623062f009f74fe6395caa45345b3bf274ffcdffd766c019deb1bd9
SSDeep 192:rQWDl74xLyLyTeWxL2SETZrip4pYgH06tSzGZQKWVAzNT+g:kWyxLyLyB+ZUQ3ZdWAU
ImpHash 6eee0c386b26d7da0deb47988b854f66
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x10000000
Size Of Code 0x00001E00
Size Of Initialized Data 0x00001000
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_NATIVE
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-05-05 07:46 (UTC+2)
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x00001CAB 0x00001E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.53
.rdata 0x10003000 0x00000A5A 0x00000C00 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.69
.data 0x10004000 0x000000CC 0x00000200 0x00002E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 2.03
.reloc 0x10005000 0x00000174 0x00000200 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.18
Imports (8)
SHLWAPI.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
StrToIntW - 0x10003070 0x000035F4 0x000027F4 0x00000158
StrCSpnA - 0x10003074 0x000035F8 0x000027F8 0x00000111
StrRChrIA - 0x10003078 0x000035FC 0x000027FC 0x00000141
StrCmpNIA - 0x1000307C 0x00003600 0x00002800 0x00000128
KERNEL32.dll (21)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetProcessHeap - 0x10003010 0x00003594 0x00002794 0x000002CD
SearchPathA - 0x10003014 0x00003598 0x00002798 0x000004F9
CreateFileA - 0x10003018 0x0000359C 0x0000279C 0x000000D2
CreateFileW - 0x1000301C 0x000035A0 0x000027A0 0x000000DA
GetFileSize - 0x10003020 0x000035A4 0x000027A4 0x00000260
ReadFile - 0x10003024 0x000035A8 0x000027A8 0x00000494
SetEndOfFile - 0x10003028 0x000035AC 0x000027AC 0x00000532
SetFilePointer - 0x1000302C 0x000035B0 0x000027B0 0x00000544
WriteFile - 0x10003030 0x000035B4 0x000027B4 0x0000063A
CloseHandle - 0x10003034 0x000035B8 0x000027B8 0x00000094
SetLastError - 0x10003038 0x000035BC 0x000027BC 0x00000555
EnumResourceTypesA - 0x1000303C 0x000035C0 0x000027C0 0x0000015B
HeapFree - 0x10003040 0x000035C4 0x000027C4 0x00000367
HeapAlloc - 0x10003044 0x000035C8 0x000027C8 0x00000363
VirtualAlloc - 0x10003048 0x000035CC 0x000027CC 0x000005EE
CreateFileMappingW - 0x1000304C 0x000035D0 0x000027D0 0x000000D7
MapViewOfFile - 0x10003050 0x000035D4 0x000027D4 0x000003FE
UnmapViewOfFile - 0x10003054 0x000035D8 0x000027D8 0x000005D8
GetModuleHandleW - 0x10003058 0x000035DC 0x000027DC 0x0000028F
GetProcAddress - 0x1000305C 0x000035E0 0x000027E0 0x000002C6
CreateFileMappingA - 0x10003060 0x000035E4 0x000027E4 0x000000D3
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DragFinish - 0x10003068 0x000035EC 0x000027EC 0x00000026
pdh.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PdhVbGetOneCounterPath - 0x100030BC 0x00003640 0x00002840 0x0000006F
PdhEnumObjectItemsA - 0x100030C0 0x00003644 0x00002844 0x0000001C
PdhConnectMachineA - 0x100030C4 0x00003648 0x00002848 0x00000012
PdhVbIsGoodStatus - 0x100030C8 0x0000364C 0x0000284C 0x00000070
PdhEnumObjectItemsW - 0x100030CC 0x00003650 0x00002850 0x0000001F
PdhVbGetCounterPathFromList - 0x100030D0 0x00003654 0x00002854 0x0000006C
WININET.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetUrlCacheEntryGroup - 0x10003084 0x00003608 0x00002808 0x00000105
FtpFindFirstFileW - 0x10003088 0x0000360C 0x0000280C 0x00000045
HttpEndRequestA - 0x1000308C 0x00003610 0x00002810 0x00000071
IsHostInProxyBypassList - 0x10003090 0x00003614 0x00002814 0x000000F3
InternetReadFile - 0x10003094 0x00003618 0x00002818 0x000000CE
CreateUrlCacheGroup - 0x10003098 0x0000361C 0x0000281C 0x0000001B
GetUrlCacheConfigInfoW - 0x1000309C 0x00003620 0x00002820 0x00000059
wsnmp32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x000000CA 0x100030D8 0x0000365C 0x0000285C -
None 0x00000065 0x100030DC 0x00003660 0x00002860 -
None 0x0000025A 0x100030E0 0x00003664 0x00002864 -
None 0x00000386 0x100030E4 0x00003668 0x00002868 -
None 0x000000C8 0x100030E8 0x0000366C 0x0000286C -
None 0x0000025E 0x100030EC 0x00003670 0x00002870 -
None 0x000001F6 0x100030F0 0x00003674 0x00002874 -
None 0x0000006B 0x100030F4 0x00003678 0x00002878 -
None 0x000000CB 0x100030F8 0x0000367C 0x0000287C -
ole32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateFileMoniker - 0x100030A4 0x00003628 0x00002828 0x000000A1
WriteFmtUserTypeStg - 0x100030A8 0x0000362C 0x0000282C 0x000001D9
SNB_UserSize - 0x100030AC 0x00003630 0x00002830 0x000001A5
StgCreatePropStg - 0x100030B0 0x00003634 0x00002834 0x000001BB
OleRun - 0x100030B4 0x00003638 0x00002838 0x00000184
CRYPT32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CertVerifyCTLUsage - 0x10003000 0x00003584 0x00002784 0x00000075
CertAddEncodedCertificateToSystemStoreA - 0x10003004 0x00003588 0x00002788 0x00000009
CertGetSubjectCertificateFromStore - 0x10003008 0x0000358C 0x0000278C 0x0000004F
Exports (22)
API Name EAT Address Ordinal
_BindImage@12 0x00001000 0x00000001
_BindImageEx@20 0x00001020 0x00000002
_GetImageConfigInformation@8 0x000011E0 0x00000003
_GetImageUnusedHeaderBytes@8 0x000011E0 0x00000004
_ImageAddCertificate@12 0x00001A10 0x00000005
_ImageEnumerateCertificates@20 0x00001C80 0x00000006
_ImageGetCertificateData@16 0x00001DE0 0x00000007
_ImageGetCertificateHeader@12 0x00001EC0 0x00000008
_ImageGetDigestStream@16 0x00001F60 0x00000009
_ImageLoad@8 0x00002230 0x0000000A
_ImageRemoveCertificate@8 0x000022C0 0x0000000B
_ImageUnload@4 0x00002520 0x0000000C
_MapAndLoad@20 0x000025C0 0x0000000D
_MapFileAndCheckSumA@12 0x000027F0 0x0000000E
_MapFileAndCheckSumW@12 0x000028E0 0x0000000F
_ReBaseImage@44 0x000029D0 0x00000010
_SetImageConfigInformation@8 0x000011E0 0x00000011
_SplitSymbols@16 0x000029F0 0x00000012
_UnMapAndLoad@4 0x00002A10 0x00000013
_UpdateDebugInfoFile@16 0x000029F0 0x00000014
_UpdateDebugInfoFileEx@20 0x00002A60 0x00000015
eIxo 0x00002A80 0x00000016
C:\Users\RDhJ0CNFevzX\Desktop\a\vbc.exe Downloaded File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 1.59 MB
MD5 1d559db083653055d70931df9ba4386c
SHA1 09209a796d48336fed8aa6dd63490133edf3e3ab
SHA256 d62eb89c78bac4e922311ddaac060e97a17ef7af8bde84008d6ec43195607c6f
SSDeep 24576:xP60nw+la4zgaJdYnyb8cdvVa+OQkKUT9d0aSLODQXWrqrKPXLBiJXA:5w+dgOz8aa+OKafyLWQSv7BiJXA
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x005869DE
Size Of Code 0x00184A00
Size Of Initialized Data 0x00013800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-05-04 09:41 (UTC+2)
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x001849E4 0x00184A00 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.95
.rsrc 0x00588000 0x00013600 0x00013600 0x00184C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.63
.reloc 0x0059C000 0x0000000C 0x00000200 0x00198200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x001869B8 0x00184BB8 0x00000000
Memory Dumps (5)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
vbc.exe 3 0x00800000 0x0099DFFF Relevant Image False 32-bit - False
buffer 3 0x04AD0000 0x04BEFFFF Reflectively Loaded .NET Assembly False 32-bit - False
vbc.exe 3 0x00800000 0x0099DFFF Final Dump False 32-bit - False
buffer 3 0x04900000 0x04942FFF Reflectively Loaded .NET Assembly False 32-bit - False
buffer 3 0x04CF0000 0x04D7EFFF Reflectively Loaded .NET Assembly False 32-bit - False
C:\Users\RDhJ0CNFevzX\Desktop\a\Had.exe Downloaded File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 645.35 KB
MD5 c978e71f7e75fef5062a57d11ee2fae8
SHA1 7bcbc46699f6068a560cdcb51f1d53d4d8cb7d5d
SHA256 3f3a756e029dd0cfbf8104950a863162e31f7223997f936866ca214827b59666
SSDeep 12288:Tu0vL1IiM1gXIh+sQYKtTKHWfO3M6sELfJEbz55sq:TuELsNhtKeHWfwM6BLfJqd
ImpHash -
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Size Of Code 0x0008EDFF
Size Of Initialized Data 0x00010C80
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 2052-08-03 15:48 (UTC+2)
Version Information (11)
Comments 浮点数计算器
CompanyName Kerwis Team
FileDescription IEEE754Calculator
FileVersion 0.3.1.0
InternalName IEEE754Calculator.exe
LegalCopyright -
LegalTrademarks -
OriginalFilename IEEE754Calculator.exe
ProductName IEEE754Calculator
ProductVersion 0.3.1.0
Assembly Version 0.3.1.0
Sections (2)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x0008EDFF 0x0008EE00 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.59
.rsrc 0x00492000 0x00010C80 0x00010E00 0x0008F000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 1.27
Digital Signature Information
Verification Status Valid
Certificate: solimba Ltd
Issued by solimba Ltd
Country Name CN
Valid From 2023-05-04 20:52 (UTC+2)
Valid Until 2024-05-04 20:52 (UTC+2)
Algorithm sha256_rsa
Serial Number C7 A2 08 B7 E4 50 88 B3 46 11 DF 15 1D 58 A0 FD
Thumbprint 4A 51 74 CF 98 A5 57 FC 31 3C 7F A1 94 A4 82 B9 DF D9 E4 5E
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
had.exe 19 0x21F2EF00000 0x21F2EFA3FFF Final Dump False 64-bit - False
amsi.dll 19 0x7FFD22EF0000 0x7FFD22EFFFFF Content Changed False 64-bit - False
amsi.dll 19 0x7FFD22EF0000 0x7FFD22EFFFFF Content Changed False 64-bit - False
C:\Users\RDhJ0CNFevzX\Desktop\a\miner.exe Downloaded File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 568.00 KB
MD5 c6808ca5fac7b8bc9fd63a1c381e7872
SHA1 351a1849eb84f27ce97e7fe07ac16b7d16da2562
SHA256 e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96
SSDeep 12288:4V8YHzQpCUguZn8hwD5VF7bHUdKe8qTXuXF5w/jPDtLkaH0TQW6kbt3:FCzobV8hwDbF7b0dKWzqw/jPDtLkaUc8
ImpHash -
File Reputation Information
»
Verdict
Malicious
Names Mal/Generic-S
PE Information
»
Image Base 0x140000000
Size Of Code 0x0008D800
Size Of Initialized Data 0x00000600
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 2077-11-18 21:21 (UTC+1)
Version Information (11)
»
Comments -
CompanyName -
FileDescription -
FileVersion 1.0.0.0
InternalName miner.exe
LegalCopyright -
LegalTrademarks -
OriginalFilename miner.exe
ProductName -
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0
Sections (2)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140002000 0x0008D6C0 0x0008D800 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 8.0
.rsrc 0x140090000 0x0000055C 0x00000600 0x0008DA00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.9
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
miner.exe 2 0x00E60000 0x00EF1FFF Relevant Image False 64-bit - False
buffer 2 0x00D30000 0x00E06FFF Reflectively Loaded .NET Assembly False 64-bit - False
miner.exe 2 0x00E60000 0x00EF1FFF Final Dump False 64-bit - False
C:\Users\RDhJ0CNFevzX\Desktop\a\Lyla131.exe Downloaded File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 423.06 KB
MD5 17e36437bd558374106622b7327a2aca
SHA1 1045c084017277b8991e41d29ee101cf962f620a
SHA256 6966f92616bae9252b96f666136667076c6368f00778670c530708648631443b
SSDeep 6144:Q8dNXSEmZt3bs5f7krvBM/0XuS+6JJ+dYiaxRt7b6UGQXifRAB10GTgjyBk:zmvrsyrvNeiyYiaJfZzxB1qyO
ImpHash e160ef8e55bb9d162da4e266afd9eef3
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x004030E2
Size Of Code 0x00005E00
Size Of Initialized Data 0x00027C00
Size Of Uninitialized Data 0x00000400
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2014-10-07 06:40 (UTC+2)
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00005DF4 0x00005E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.51
.rdata 0x00407000 0x000012DA 0x00001400 0x00006200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.1
.data 0x00409000 0x000254B8 0x00000400 0x00007600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.13
.ndata 0x0042F000 0x00013000 0x00000000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x00442000 0x00001A30 0x00001C00 0x00007A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.85
Imports (8)
KERNEL32.dll (61)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetTickCount - 0x00407060 0x000075C4 0x000067C4 0x000001DF
GetFullPathNameA - 0x00407064 0x000075C8 0x000067C8 0x00000169
MoveFileA - 0x00407068 0x000075CC 0x000067CC 0x0000026E
SetCurrentDirectoryA - 0x0040706C 0x000075D0 0x000067D0 0x0000030A
GetFileAttributesA - 0x00407070 0x000075D4 0x000067D4 0x0000015E
GetLastError - 0x00407074 0x000075D8 0x000067D8 0x00000171
CreateDirectoryA - 0x00407078 0x000075DC 0x000067DC 0x0000004B
SetFileAttributesA - 0x0040707C 0x000075E0 0x000067E0 0x00000319
SearchPathA - 0x00407080 0x000075E4 0x000067E4 0x000002DB
GetShortPathNameA - 0x00407084 0x000075E8 0x000067E8 0x000001B5
GetFileSize - 0x00407088 0x000075EC 0x000067EC 0x00000163
GetModuleFileNameA - 0x0040708C 0x000075F0 0x000067F0 0x0000017D
GetCurrentProcess - 0x00407090 0x000075F4 0x000067F4 0x00000142
CopyFileA - 0x00407094 0x000075F8 0x000067F8 0x00000043
ExitProcess - 0x00407098 0x000075FC 0x000067FC 0x000000B9
SetEnvironmentVariableA - 0x0040709C 0x00007600 0x00006800 0x00000313
GetWindowsDirectoryA - 0x004070A0 0x00007604 0x00006804 0x000001F3
GetTempPathA - 0x004070A4 0x00007608 0x00006808 0x000001D5
Sleep - 0x004070A8 0x0000760C 0x0000680C 0x00000356
CloseHandle - 0x004070AC 0x00007610 0x00006810 0x00000034
LoadLibraryA - 0x004070B0 0x00007614 0x00006814 0x00000252
lstrlenA - 0x004070B4 0x00007618 0x00006818 0x000003CC
lstrcpynA - 0x004070B8 0x0000761C 0x0000681C 0x000003C9
GetDiskFreeSpaceA - 0x004070BC 0x00007620 0x00006820 0x0000014D
GlobalUnlock - 0x004070C0 0x00007624 0x00006824 0x0000020A
GlobalLock - 0x004070C4 0x00007628 0x00006828 0x00000203
CreateThread - 0x004070C8 0x0000762C 0x0000682C 0x0000006F
CreateProcessA - 0x004070CC 0x00007630 0x00006830 0x00000066
RemoveDirectoryA - 0x004070D0 0x00007634 0x00006834 0x000002C4
CreateFileA - 0x004070D4 0x00007638 0x00006838 0x00000053
GetTempFileNameA - 0x004070D8 0x0000763C 0x0000683C 0x000001D3
ReadFile - 0x004070DC 0x00007640 0x00006840 0x000002B5
lstrcpyA - 0x004070E0 0x00007644 0x00006844 0x000003C6
lstrcatA - 0x004070E4 0x00007648 0x00006848 0x000003BD
GetSystemDirectoryA - 0x004070E8 0x0000764C 0x0000684C 0x000001C1
GetVersion - 0x004070EC 0x00007650 0x00006850 0x000001E8
GetProcAddress - 0x004070F0 0x00007654 0x00006854 0x000001A0
GlobalAlloc - 0x004070F4 0x00007658 0x00006858 0x000001F8
CompareFileTime - 0x004070F8 0x0000765C 0x0000685C 0x00000039
SetFileTime - 0x004070FC 0x00007660 0x00006860 0x0000031F
ExpandEnvironmentStringsA - 0x00407100 0x00007664 0x00006864 0x000000BC
lstrcmpiA - 0x00407104 0x00007668 0x00006868 0x000003C3
lstrcmpA - 0x00407108 0x0000766C 0x0000686C 0x000003C0
WaitForSingleObject - 0x0040710C 0x00007670 0x00006870 0x00000390
GlobalFree - 0x00407110 0x00007674 0x00006874 0x000001FF
GetExitCodeProcess - 0x00407114 0x00007678 0x00006878 0x0000015A
GetModuleHandleA - 0x00407118 0x0000767C 0x0000687C 0x0000017F
SetErrorMode - 0x0040711C 0x00007680 0x00006880 0x00000315
GetCommandLineA - 0x00407120 0x00007684 0x00006884 0x00000110
LoadLibraryExA - 0x00407124 0x00007688 0x00006888 0x00000253
FindFirstFileA - 0x00407128 0x0000768C 0x0000688C 0x000000D2
FindNextFileA - 0x0040712C 0x00007690 0x00006890 0x000000DC
DeleteFileA - 0x00407130 0x00007694 0x00006894 0x00000083
SetFilePointer - 0x00407134 0x00007698 0x00006898 0x0000031B
WriteFile - 0x00407138 0x0000769C 0x0000689C 0x000003A4
FindClose - 0x0040713C 0x000076A0 0x000068A0 0x000000CE
WritePrivateProfileStringA - 0x00407140 0x000076A4 0x000068A4 0x000003A9
MultiByteToWideChar - 0x00407144 0x000076A8 0x000068A8 0x00000275
MulDiv - 0x00407148 0x000076AC 0x000068AC 0x00000274
GetPrivateProfileStringA - 0x0040714C 0x000076B0 0x000068B0 0x0000019C
FreeLibrary - 0x00407150 0x000076B4 0x000068B4 0x000000F8
USER32.dll (63)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateWindowExA - 0x00407174 0x000076D8 0x000068D8 0x00000060
EndDialog - 0x00407178 0x000076DC 0x000068DC 0x000000C6
ScreenToClient - 0x0040717C 0x000076E0 0x000068E0 0x00000231
GetWindowRect - 0x00407180 0x000076E4 0x000068E4 0x00000174
EnableMenuItem - 0x00407184 0x000076E8 0x000068E8 0x000000C2
GetSystemMenu - 0x00407188 0x000076EC 0x000068EC 0x0000015C
SetClassLongA - 0x0040718C 0x000076F0 0x000068F0 0x00000247
IsWindowEnabled - 0x00407190 0x000076F4 0x000068F4 0x000001AE
SetWindowPos - 0x00407194 0x000076F8 0x000068F8 0x00000283
GetSysColor - 0x00407198 0x000076FC 0x000068FC 0x0000015A
GetWindowLongA - 0x0040719C 0x00007700 0x00006900 0x0000016E
SetCursor - 0x004071A0 0x00007704 0x00006904 0x0000024D
LoadCursorA - 0x004071A4 0x00007708 0x00006908 0x000001BA
CheckDlgButton - 0x004071A8 0x0000770C 0x0000690C 0x00000038
GetMessagePos - 0x004071AC 0x00007710 0x00006910 0x0000013C
LoadBitmapA - 0x004071B0 0x00007714 0x00006914 0x000001B8
CallWindowProcA - 0x004071B4 0x00007718 0x00006918 0x0000001B
IsWindowVisible - 0x004071B8 0x0000771C 0x0000691C 0x000001B1
CloseClipboard - 0x004071BC 0x00007720 0x00006920 0x00000042
GetDC - 0x004071C0 0x00007724 0x00006924 0x0000010C
SystemParametersInfoA - 0x004071C4 0x00007728 0x00006928 0x00000299
RegisterClassA - 0x004071C8 0x0000772C 0x0000692C 0x00000216
TrackPopupMenu - 0x004071CC 0x00007730 0x00006930 0x000002A4
AppendMenuA - 0x004071D0 0x00007734 0x00006934 0x00000008
CreatePopupMenu - 0x004071D4 0x00007738 0x00006938 0x0000005E
GetSystemMetrics - 0x004071D8 0x0000773C 0x0000693C 0x0000015D
SetDlgItemTextA - 0x004071DC 0x00007740 0x00006940 0x00000253
GetDlgItemTextA - 0x004071E0 0x00007744 0x00006944 0x00000113
MessageBoxIndirectA - 0x004071E4 0x00007748 0x00006948 0x000001E2
CharPrevA - 0x004071E8 0x0000774C 0x0000694C 0x0000002D
DispatchMessageA - 0x004071EC 0x00007750 0x00006950 0x000000A1
PeekMessageA - 0x004071F0 0x00007754 0x00006954 0x00000200
ReleaseDC - 0x004071F4 0x00007758 0x00006958 0x0000022A
EnableWindow - 0x004071F8 0x0000775C 0x0000695C 0x000000C4
InvalidateRect - 0x004071FC 0x00007760 0x00006960 0x00000193
SendMessageA - 0x00407200 0x00007764 0x00006964 0x0000023B
DefWindowProcA - 0x00407204 0x00007768 0x00006968 0x0000008E
BeginPaint - 0x00407208 0x0000776C 0x0000696C 0x0000000D
GetClientRect - 0x0040720C 0x00007770 0x00006970 0x000000FF
FillRect - 0x00407210 0x00007774 0x00006974 0x000000E2
DrawTextA - 0x00407214 0x00007778 0x00006978 0x000000BC
GetClassInfoA - 0x00407218 0x0000777C 0x0000697C 0x000000F6
DialogBoxParamA - 0x0040721C 0x00007780 0x00006980 0x0000009E
CharNextA - 0x00407220 0x00007784 0x00006984 0x0000002A
ExitWindowsEx - 0x00407224 0x00007788 0x00006988 0x000000E1
DestroyWindow - 0x00407228 0x0000778C 0x0000698C 0x00000099
CreateDialogParamA - 0x0040722C 0x00007790 0x00006990 0x00000055
SetTimer - 0x00407230 0x00007794 0x00006994 0x0000027A
GetDlgItem - 0x00407234 0x00007798 0x00006998 0x00000111
wsprintfA - 0x00407238 0x0000779C 0x0000699C 0x000002D7
SetForegroundWindow - 0x0040723C 0x000077A0 0x000069A0 0x00000257
ShowWindow - 0x00407240 0x000077A4 0x000069A4 0x00000292
IsWindow - 0x00407244 0x000077A8 0x000069A8 0x000001AD
LoadImageA - 0x00407248 0x000077AC 0x000069AC 0x000001C0
SetWindowLongA - 0x0040724C 0x000077B0 0x000069B0 0x00000280
SetClipboardData - 0x00407250 0x000077B4 0x000069B4 0x0000024A
EmptyClipboard - 0x00407254 0x000077B8 0x000069B8 0x000000C1
OpenClipboard - 0x00407258 0x000077BC 0x000069BC 0x000001F6
EndPaint - 0x0040725C 0x000077C0 0x000069C0 0x000000C8
PostQuitMessage - 0x00407260 0x000077C4 0x000069C4 0x00000204
FindWindowExA - 0x00407264 0x000077C8 0x000069C8 0x000000E4
SendMessageTimeoutA - 0x00407268 0x000077CC 0x000069CC 0x0000023E
SetWindowTextA - 0x0040726C 0x000077D0 0x000069D0 0x00000286
GDI32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SelectObject - 0x0040703C 0x000075A0 0x000067A0 0x0000020E
SetBkMode - 0x00407040 0x000075A4 0x000067A4 0x00000216
CreateFontIndirectA - 0x00407044 0x000075A8 0x000067A8 0x0000003A
SetTextColor - 0x00407048 0x000075AC 0x000067AC 0x0000023C
DeleteObject - 0x0040704C 0x000075B0 0x000067B0 0x0000008F
GetDeviceCaps - 0x00407050 0x000075B4 0x000067B4 0x0000016B
CreateBrushIndirect - 0x00407054 0x000075B8 0x000067B8 0x00000029
SetBkColor - 0x00407058 0x000075BC 0x000067BC 0x00000215
SHELL32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation - 0x00407158 0x000076BC 0x000068BC 0x000000C3
SHGetPathFromIDListA - 0x0040715C 0x000076C0 0x000068C0 0x000000BC
SHBrowseForFolderA - 0x00407160 0x000076C4 0x000068C4 0x00000079
SHGetFileInfoA - 0x00407164 0x000076C8 0x000068C8 0x000000AC
ShellExecuteA - 0x00407168 0x000076CC 0x000068CC 0x00000107
SHFileOperationA - 0x0040716C 0x000076D0 0x000068D0 0x0000009A
ADVAPI32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegCloseKey - 0x00407000 0x00007564 0x00006764 0x000001CB
RegOpenKeyExA - 0x00407004 0x00007568 0x00006768 0x000001EC
RegDeleteKeyA - 0x00407008 0x0000756C 0x0000676C 0x000001D4
RegDeleteValueA - 0x0040700C 0x00007570 0x00006770 0x000001D8
RegEnumValueA - 0x00407010 0x00007574 0x00006774 0x000001E1
RegCreateKeyExA - 0x00407014 0x00007578 0x00006778 0x000001D1
RegSetValueExA - 0x00407018 0x0000757C 0x0000677C 0x00000204
RegQueryValueExA - 0x0040701C 0x00007580 0x00006780 0x000001F7
RegEnumKeyA - 0x00407020 0x00007584 0x00006784 0x000001DD
COMCTL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ImageList_Create - 0x00407028 0x0000758C 0x0000678C 0x00000037
ImageList_AddMasked - 0x0040702C 0x00007590 0x00006790 0x00000034
ImageList_Destroy - 0x00407030 0x00007594 0x00006794 0x00000038
None 0x00000011 0x00407034 0x00007598 0x00006798 -
ole32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoCreateInstance - 0x00407284 0x000077E8 0x000069E8 0x00000010
CoTaskMemFree - 0x00407288 0x000077EC 0x000069EC 0x00000065
OleInitialize - 0x0040728C 0x000077F0 0x000069F0 0x000000EE
OleUninitialize - 0x00407290 0x000077F4 0x000069F4 0x00000105
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoSizeA - 0x00407274 0x000077D8 0x000069D8 0x00000001
GetFileVersionInfoA - 0x00407278 0x000077DC 0x000069DC 0x00000000
VerQueryValueA - 0x0040727C 0x000077E0 0x000069E0 0x0000000A
Digital Signature Information
Verification Status Valid
Certificate: Lucky Joe
Issued by Lucky Joe
Country Name US
Valid From 2023-03-01 09:35 (UTC+1)
Valid Until 2024-02-29 09:35 (UTC+1)
Algorithm sha256_rsa
Serial Number 01 04 05 03
Thumbprint BA F1 66 D8 6A 1D E6 C8 8B AE 50 66 51 54 67 57 5D 2C C4 33
Memory Dumps (30)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
lyla131.exe 13 0x00400000 0x00443FFF Relevant Image False 32-bit 0x0040311B False
system.dll 13 0x10000000 0x10005FFF First Execution False 32-bit 0x100016DA False
killprocdll.dll 13 0x005B0000 0x005B2FFF First Execution False 32-bit 0x005B16BA False
killprocdll.dll 13 0x005B0000 0x005B2FFF Content Changed False 32-bit 0x005B16BA False
buffer 13 0x0075FC90 0x0076008F Final Dump False 32-bit - False
buffer 13 0x00765B58 0x0076CAED Final Dump False 32-bit - False
buffer 13 0x0076EE18 0x0076FE17 Final Dump False 32-bit - False
buffer 13 0x00772B00 0x00773AFF Final Dump False 32-bit - False
buffer 13 0x00781430 0x0078182F Final Dump False 32-bit - False
buffer 13 0x00781838 0x00781C37 Final Dump False 32-bit - False
buffer 13 0x00782450 0x0078284F Final Dump False 32-bit - False
buffer 13 0x00782858 0x00782C57 Final Dump False 32-bit - False
buffer 13 0x00782C60 0x0078305F Final Dump False 32-bit - False
buffer 13 0x00783068 0x00783467 Final Dump False 32-bit - False
buffer 13 0x00784088 0x00784487 Final Dump False 32-bit - False
buffer 13 0x007850A8 0x007854A7 Final Dump False 32-bit - False
buffer 13 0x007854B0 0x007858AF Final Dump False 32-bit - False
buffer 13 0x00785CC0 0x007860BF Final Dump False 32-bit - False
buffer 13 0x007864D0 0x007868CF Final Dump False 32-bit - False
buffer 13 0x007868D8 0x00786CD7 Final Dump False 32-bit - False
buffer 13 0x007870E8 0x007874E7 Final Dump False 32-bit - False
buffer 13 0x007874F0 0x007878EF Final Dump False 32-bit - False
buffer 13 0x007878F8 0x00787CF7 Final Dump False 32-bit - False
buffer 13 0x00787D00 0x007880FF Final Dump False 32-bit - False
buffer 13 0x00788108 0x00788507 Final Dump False 32-bit - False
buffer 13 0x00788510 0x0078890F Final Dump False 32-bit - False
buffer 13 0x027D1340 0x027D1B3F Final Dump False 32-bit - False
lyla131.exe 13 0x00400000 0x00443FFF Final Dump False 32-bit 0x00405382 False
system.dll 13 0x10000000 0x10005FFF Final Dump False 32-bit 0x100026C2 False
math.dll 13 0x01F60000 0x01F79FFF First Execution False 32-bit 0x01F6461E False
C:\Users\RDhJ0CNFevzX\Desktop\a\5_6232986114823555269.exe Downloaded File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 387.81 KB
MD5 454de28853ea54861c14acf6b2520bab
SHA1 2a6774af921e3e3a03fd22714059cbdc33ac6e53
SHA256 bb5d251130efb47c960fa6b622a603ed4c53e91494f8ebaceefcd65899b02d6a
SSDeep 6144:L8dNXSEm8t107G59ZLNokDCW4KwNLl4fn6wRPFDdL6qnoz1+vv8UoGfaD2H:gmU107GVWWCNPLl3Muq++HFomaD2H
ImpHash e160ef8e55bb9d162da4e266afd9eef3
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x004030E2
Size Of Code 0x00005E00
Size Of Initialized Data 0x00027C00
Size Of Uninitialized Data 0x00000400
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2014-10-07 06:40 (UTC+2)
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00005DF4 0x00005E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.51
.rdata 0x00407000 0x000012DA 0x00001400 0x00006200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.1
.data 0x00409000 0x000254B8 0x00000400 0x00007600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.13
.ndata 0x0042F000 0x00013000 0x00000000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x00442000 0x00001A30 0x00001C00 0x00007A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.85
Imports (8)
KERNEL32.dll (61)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetTickCount - 0x00407060 0x000075C4 0x000067C4 0x000001DF
GetFullPathNameA - 0x00407064 0x000075C8 0x000067C8 0x00000169
MoveFileA - 0x00407068 0x000075CC 0x000067CC 0x0000026E
SetCurrentDirectoryA - 0x0040706C 0x000075D0 0x000067D0 0x0000030A
GetFileAttributesA - 0x00407070 0x000075D4 0x000067D4 0x0000015E
GetLastError - 0x00407074 0x000075D8 0x000067D8 0x00000171
CreateDirectoryA - 0x00407078 0x000075DC 0x000067DC 0x0000004B
SetFileAttributesA - 0x0040707C 0x000075E0 0x000067E0 0x00000319
SearchPathA - 0x00407080 0x000075E4 0x000067E4 0x000002DB
GetShortPathNameA - 0x00407084 0x000075E8 0x000067E8 0x000001B5
GetFileSize - 0x00407088 0x000075EC 0x000067EC 0x00000163
GetModuleFileNameA - 0x0040708C 0x000075F0 0x000067F0 0x0000017D
GetCurrentProcess - 0x00407090 0x000075F4 0x000067F4 0x00000142
CopyFileA - 0x00407094 0x000075F8 0x000067F8 0x00000043
ExitProcess - 0x00407098 0x000075FC 0x000067FC 0x000000B9
SetEnvironmentVariableA - 0x0040709C 0x00007600 0x00006800 0x00000313
GetWindowsDirectoryA - 0x004070A0 0x00007604 0x00006804 0x000001F3
GetTempPathA - 0x004070A4 0x00007608 0x00006808 0x000001D5
Sleep - 0x004070A8 0x0000760C 0x0000680C 0x00000356
CloseHandle - 0x004070AC 0x00007610 0x00006810 0x00000034
LoadLibraryA - 0x004070B0 0x00007614 0x00006814 0x00000252
lstrlenA - 0x004070B4 0x00007618 0x00006818 0x000003CC
lstrcpynA - 0x004070B8 0x0000761C 0x0000681C 0x000003C9
GetDiskFreeSpaceA - 0x004070BC 0x00007620 0x00006820 0x0000014D
GlobalUnlock - 0x004070C0 0x00007624 0x00006824 0x0000020A
GlobalLock - 0x004070C4 0x00007628 0x00006828 0x00000203
CreateThread - 0x004070C8 0x0000762C 0x0000682C 0x0000006F
CreateProcessA - 0x004070CC 0x00007630 0x00006830 0x00000066
RemoveDirectoryA - 0x004070D0 0x00007634 0x00006834 0x000002C4
CreateFileA - 0x004070D4 0x00007638 0x00006838 0x00000053
GetTempFileNameA - 0x004070D8 0x0000763C 0x0000683C 0x000001D3
ReadFile - 0x004070DC 0x00007640 0x00006840 0x000002B5
lstrcpyA - 0x004070E0 0x00007644 0x00006844 0x000003C6
lstrcatA - 0x004070E4 0x00007648 0x00006848 0x000003BD
GetSystemDirectoryA - 0x004070E8 0x0000764C 0x0000684C 0x000001C1
GetVersion - 0x004070EC 0x00007650 0x00006850 0x000001E8
GetProcAddress - 0x004070F0 0x00007654 0x00006854 0x000001A0
GlobalAlloc - 0x004070F4 0x00007658 0x00006858 0x000001F8
CompareFileTime - 0x004070F8 0x0000765C 0x0000685C 0x00000039
SetFileTime - 0x004070FC 0x00007660 0x00006860 0x0000031F
ExpandEnvironmentStringsA - 0x00407100 0x00007664 0x00006864 0x000000BC
lstrcmpiA - 0x00407104 0x00007668 0x00006868 0x000003C3
lstrcmpA - 0x00407108 0x0000766C 0x0000686C 0x000003C0
WaitForSingleObject - 0x0040710C 0x00007670 0x00006870 0x00000390
GlobalFree - 0x00407110 0x00007674 0x00006874 0x000001FF
GetExitCodeProcess - 0x00407114 0x00007678 0x00006878 0x0000015A
GetModuleHandleA - 0x00407118 0x0000767C 0x0000687C 0x0000017F
SetErrorMode - 0x0040711C 0x00007680 0x00006880 0x00000315
GetCommandLineA - 0x00407120 0x00007684 0x00006884 0x00000110
LoadLibraryExA - 0x00407124 0x00007688 0x00006888 0x00000253
FindFirstFileA - 0x00407128 0x0000768C 0x0000688C 0x000000D2
FindNextFileA - 0x0040712C 0x00007690 0x00006890 0x000000DC
DeleteFileA - 0x00407130 0x00007694 0x00006894 0x00000083
SetFilePointer - 0x00407134 0x00007698 0x00006898 0x0000031B
WriteFile - 0x00407138 0x0000769C 0x0000689C 0x000003A4
FindClose - 0x0040713C 0x000076A0 0x000068A0 0x000000CE
WritePrivateProfileStringA - 0x00407140 0x000076A4 0x000068A4 0x000003A9
MultiByteToWideChar - 0x00407144 0x000076A8 0x000068A8 0x00000275
MulDiv - 0x00407148 0x000076AC 0x000068AC 0x00000274
GetPrivateProfileStringA - 0x0040714C 0x000076B0 0x000068B0 0x0000019C
FreeLibrary - 0x00407150 0x000076B4 0x000068B4 0x000000F8
USER32.dll (63)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateWindowExA - 0x00407174 0x000076D8 0x000068D8 0x00000060
EndDialog - 0x00407178 0x000076DC 0x000068DC 0x000000C6
ScreenToClient - 0x0040717C 0x000076E0 0x000068E0 0x00000231
GetWindowRect - 0x00407180 0x000076E4 0x000068E4 0x00000174
EnableMenuItem - 0x00407184 0x000076E8 0x000068E8 0x000000C2
GetSystemMenu - 0x00407188 0x000076EC 0x000068EC 0x0000015C
SetClassLongA - 0x0040718C 0x000076F0 0x000068F0 0x00000247
IsWindowEnabled - 0x00407190 0x000076F4 0x000068F4 0x000001AE
SetWindowPos - 0x00407194 0x000076F8 0x000068F8 0x00000283
GetSysColor - 0x00407198 0x000076FC 0x000068FC 0x0000015A
GetWindowLongA - 0x0040719C 0x00007700 0x00006900 0x0000016E
SetCursor - 0x004071A0 0x00007704 0x00006904 0x0000024D
LoadCursorA - 0x004071A4 0x00007708 0x00006908 0x000001BA
CheckDlgButton - 0x004071A8 0x0000770C 0x0000690C 0x00000038
GetMessagePos - 0x004071AC 0x00007710 0x00006910 0x0000013C
LoadBitmapA - 0x004071B0 0x00007714 0x00006914 0x000001B8
CallWindowProcA - 0x004071B4 0x00007718 0x00006918 0x0000001B
IsWindowVisible - 0x004071B8 0x0000771C 0x0000691C 0x000001B1
CloseClipboard - 0x004071BC 0x00007720 0x00006920 0x00000042
GetDC - 0x004071C0 0x00007724 0x00006924 0x0000010C
SystemParametersInfoA - 0x004071C4 0x00007728 0x00006928 0x00000299
RegisterClassA - 0x004071C8 0x0000772C 0x0000692C 0x00000216
TrackPopupMenu - 0x004071CC 0x00007730 0x00006930 0x000002A4
AppendMenuA - 0x004071D0 0x00007734 0x00006934 0x00000008
CreatePopupMenu - 0x004071D4 0x00007738 0x00006938 0x0000005E
GetSystemMetrics - 0x004071D8 0x0000773C 0x0000693C 0x0000015D
SetDlgItemTextA - 0x004071DC 0x00007740 0x00006940 0x00000253
GetDlgItemTextA - 0x004071E0 0x00007744 0x00006944 0x00000113
MessageBoxIndirectA - 0x004071E4 0x00007748 0x00006948 0x000001E2
CharPrevA - 0x004071E8 0x0000774C 0x0000694C 0x0000002D
DispatchMessageA - 0x004071EC 0x00007750 0x00006950 0x000000A1
PeekMessageA - 0x004071F0 0x00007754 0x00006954 0x00000200
ReleaseDC - 0x004071F4 0x00007758 0x00006958 0x0000022A
EnableWindow - 0x004071F8 0x0000775C 0x0000695C 0x000000C4
InvalidateRect - 0x004071FC 0x00007760 0x00006960 0x00000193
SendMessageA - 0x00407200 0x00007764 0x00006964 0x0000023B
DefWindowProcA - 0x00407204 0x00007768 0x00006968 0x0000008E
BeginPaint - 0x00407208 0x0000776C 0x0000696C 0x0000000D
GetClientRect - 0x0040720C 0x00007770 0x00006970 0x000000FF
FillRect - 0x00407210 0x00007774 0x00006974 0x000000E2
DrawTextA - 0x00407214 0x00007778 0x00006978 0x000000BC
GetClassInfoA - 0x00407218 0x0000777C 0x0000697C 0x000000F6
DialogBoxParamA - 0x0040721C 0x00007780 0x00006980 0x0000009E
CharNextA - 0x00407220 0x00007784 0x00006984 0x0000002A
ExitWindowsEx - 0x00407224 0x00007788 0x00006988 0x000000E1
DestroyWindow - 0x00407228 0x0000778C 0x0000698C 0x00000099
CreateDialogParamA - 0x0040722C 0x00007790 0x00006990 0x00000055
SetTimer - 0x00407230 0x00007794 0x00006994 0x0000027A
GetDlgItem - 0x00407234 0x00007798 0x00006998 0x00000111
wsprintfA - 0x00407238 0x0000779C 0x0000699C 0x000002D7
SetForegroundWindow - 0x0040723C 0x000077A0 0x000069A0 0x00000257
ShowWindow - 0x00407240 0x000077A4 0x000069A4 0x00000292
IsWindow - 0x00407244 0x000077A8 0x000069A8 0x000001AD
LoadImageA - 0x00407248 0x000077AC 0x000069AC 0x000001C0
SetWindowLongA - 0x0040724C 0x000077B0 0x000069B0 0x00000280
SetClipboardData - 0x00407250 0x000077B4 0x000069B4 0x0000024A
EmptyClipboard - 0x00407254 0x000077B8 0x000069B8 0x000000C1
OpenClipboard - 0x00407258 0x000077BC 0x000069BC 0x000001F6
EndPaint - 0x0040725C 0x000077C0 0x000069C0 0x000000C8
PostQuitMessage - 0x00407260 0x000077C4 0x000069C4 0x00000204
FindWindowExA - 0x00407264 0x000077C8 0x000069C8 0x000000E4
SendMessageTimeoutA - 0x00407268 0x000077CC 0x000069CC 0x0000023E
SetWindowTextA - 0x0040726C 0x000077D0 0x000069D0 0x00000286
GDI32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SelectObject - 0x0040703C 0x000075A0 0x000067A0 0x0000020E
SetBkMode - 0x00407040 0x000075A4 0x000067A4 0x00000216
CreateFontIndirectA - 0x00407044 0x000075A8 0x000067A8 0x0000003A
SetTextColor - 0x00407048 0x000075AC 0x000067AC 0x0000023C
DeleteObject - 0x0040704C 0x000075B0 0x000067B0 0x0000008F
GetDeviceCaps - 0x00407050 0x000075B4 0x000067B4 0x0000016B
CreateBrushIndirect - 0x00407054 0x000075B8 0x000067B8 0x00000029
SetBkColor - 0x00407058 0x000075BC 0x000067BC 0x00000215
SHELL32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation - 0x00407158 0x000076BC 0x000068BC 0x000000C3
SHGetPathFromIDListA - 0x0040715C 0x000076C0 0x000068C0 0x000000BC
SHBrowseForFolderA - 0x00407160 0x000076C4 0x000068C4 0x00000079
SHGetFileInfoA - 0x00407164 0x000076C8 0x000068C8 0x000000AC
ShellExecuteA - 0x00407168 0x000076CC 0x000068CC 0x00000107
SHFileOperationA - 0x0040716C 0x000076D0 0x000068D0 0x0000009A
ADVAPI32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegCloseKey - 0x00407000 0x00007564 0x00006764 0x000001CB
RegOpenKeyExA - 0x00407004 0x00007568 0x00006768 0x000001EC
RegDeleteKeyA - 0x00407008 0x0000756C 0x0000676C 0x000001D4
RegDeleteValueA - 0x0040700C 0x00007570 0x00006770 0x000001D8
RegEnumValueA - 0x00407010 0x00007574 0x00006774 0x000001E1
RegCreateKeyExA - 0x00407014 0x00007578 0x00006778 0x000001D1
RegSetValueExA - 0x00407018 0x0000757C 0x0000677C 0x00000204
RegQueryValueExA - 0x0040701C 0x00007580 0x00006780 0x000001F7
RegEnumKeyA - 0x00407020 0x00007584 0x00006784 0x000001DD
COMCTL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ImageList_Create - 0x00407028 0x0000758C 0x0000678C 0x00000037
ImageList_AddMasked - 0x0040702C 0x00007590 0x00006790 0x00000034
ImageList_Destroy - 0x00407030 0x00007594 0x00006794 0x00000038
None 0x00000011 0x00407034 0x00007598 0x00006798 -
ole32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoCreateInstance - 0x00407284 0x000077E8 0x000069E8 0x00000010
CoTaskMemFree - 0x00407288 0x000077EC 0x000069EC 0x00000065
OleInitialize - 0x0040728C 0x000077F0 0x000069F0 0x000000EE
OleUninitialize - 0x00407290 0x000077F4 0x000069F4 0x00000105
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoSizeA - 0x00407274 0x000077D8 0x000069D8 0x00000001
GetFileVersionInfoA - 0x00407278 0x000077DC 0x000069DC 0x00000000
VerQueryValueA - 0x0040727C 0x000077E0 0x000069E0 0x0000000A
Digital Signature Information
Verification Status Valid
Certificate: Lucky Joe
Issued by Lucky Joe
Country Name US
Valid From 2023-03-01 09:35 (UTC+1)
Valid Until 2024-02-29 09:35 (UTC+1)
Algorithm sha256_rsa
Serial Number 01 04 05 03
Thumbprint BA F1 66 D8 6A 1D E6 C8 8B AE 50 66 51 54 67 57 5D 2C C4 33
Memory Dumps (4)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
5_6232986114823555269.exe 23 0x00400000 0x00443FFF Relevant Image False 32-bit 0x00405ECF False
system.dll 23 0x10000000 0x10005FFF First Execution False 32-bit 0x100016DA False
killprocdll.dll 23 0x01EE0000 0x01EE2FFF First Execution False 32-bit 0x01EE16BA False
killprocdll.dll 23 0x01EE0000 0x01EE2FFF Content Changed False 32-bit 0x01EE16BA False
C:\Users\RDhJ0CNFevzX\Desktop\a\portable.exe Downloaded File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 263.50 KB
MD5 8f05b8ea15b88c441219cf8310010df0
SHA1 c6103c7ab1d4cf68affe76506e9fe0d7a1d533c5
SHA256 cd0226a2b9c38ab99f2bbe4461b7fc9d4b07faafbe1ccc53d92bf08d1903a8ae
SSDeep 3072:2tJRzZQmjtdVHIV+wd/NmtzZYyfwwDGQvj5bZ0N2pnJ2E0/Z9c:gLS+7VH2+wmtzF5y0dIsJj0h
ImpHash 2ae78f9a1d4a7f418a7ddb8a7520182b
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x00408945
Size Of Code 0x00015400
Size Of Initialized Data 0x002AAE00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-01-09 21:57 (UTC+1)
Version Information (5)
InternalName HypnoSniffer.exe
LegalCopyrights Night bizon inc.
LegalTrademarks2 odjfngisdf
ProductName WhereIsTall
ProductVersion 80.37.77.11
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00015342 0x00015400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.42
.data 0x00417000 0x00290364 0x00015200 0x00015800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.47
.xeb 0x006A8000 0x000016A8 0x00001800 0x0002AA00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x006AA000 0x00015AC0 0x00015C00 0x0002C200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.24
Imports (1)
KERNEL32.dll (122)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SearchPathW - 0x00401000 0x00015820 0x00014C20 0x0000041D
GetStringTypeA - 0x00401004 0x00015824 0x00014C24 0x00000266
GetDriveTypeW - 0x00401008 0x00015828 0x00014C28 0x000001D3
GetProfileIntW - 0x0040100C 0x0001582C 0x00014C2C 0x00000259
GetNumberOfConsoleInputEvents - 0x00401010 0x00015830 0x00014C30 0x00000235
BuildCommDCBAndTimeoutsA - 0x00401014 0x00015834 0x00014C34 0x0000003B
InterlockedIncrement - 0x00401018 0x00015838 0x00014C38 0x000002EF
EnumCalendarInfoW - 0x0040101C 0x0001583C 0x00014C3C 0x000000F3
SetDefaultCommConfigW - 0x00401020 0x00015840 0x00014C40 0x0000044F
InitializeSListHead - 0x00401024 0x00015844 0x00014C44 0x000002E7
GetProfileSectionA - 0x00401028 0x00015848 0x00014C48 0x0000025A
SetComputerNameW - 0x0040102C 0x0001584C 0x00014C4C 0x0000042A
CallNamedPipeW - 0x00401030 0x00015850 0x00014C50 0x0000003F
MoveFileWithProgressA - 0x00401034 0x00015854 0x00014C54 0x00000364
GetTickCount - 0x00401038 0x00015858 0x00014C58 0x00000293
ReadConsoleW - 0x0040103C 0x0001585C 0x00014C5C 0x000003BE
SetCommState - 0x00401040 0x00015860 0x00014C60 0x00000425
GetDriveTypeA - 0x00401044 0x00015864 0x00014C64 0x000001D2
GetVolumePathNameW - 0x00401048 0x00015868 0x00014C68 0x000002AB
GetPrivateProfileIntA - 0x0040104C 0x0001586C 0x00014C6C 0x0000023B
AddRefActCtx - 0x00401050 0x00015870 0x00014C70 0x0000000A
LoadLibraryW - 0x00401054 0x00015874 0x00014C74 0x0000033F
FreeConsole - 0x00401058 0x00015878 0x00014C78 0x0000015F
GetConsoleAliasExesLengthW - 0x0040105C 0x0001587C 0x00014C7C 0x00000193
GetFileAttributesA - 0x00401060 0x00015880 0x00014C80 0x000001E5
GetOverlappedResult - 0x00401064 0x00015884 0x00014C84 0x00000238
GetStdHandle - 0x00401068 0x00015888 0x00014C88 0x00000264
GetCurrentDirectoryW - 0x0040106C 0x0001588C 0x00014C8C 0x000001BF
GetProcAddress - 0x00401070 0x00015890 0x00014C90 0x00000245
BeginUpdateResourceW - 0x00401074 0x00015894 0x00014C94 0x00000038
SetFirmwareEnvironmentVariableW - 0x00401078 0x00015898 0x00014C98 0x0000046D
RemoveDirectoryA - 0x0040107C 0x0001589C 0x00014C9C 0x00000400
VerLanguageNameW - 0x00401080 0x000158A0 0x00014CA0 0x000004E3
PrepareTape - 0x00401084 0x000158A4 0x00014CA4 0x00000392
LoadLibraryA - 0x00401088 0x000158A8 0x00014CA8 0x0000033C
WriteConsoleA - 0x0040108C 0x000158AC 0x00014CAC 0x0000051A
UnhandledExceptionFilter - 0x00401090 0x000158B0 0x00014CB0 0x000004D3
LocalAlloc - 0x00401094 0x000158B4 0x00014CB4 0x00000344
SetCalendarInfoW - 0x00401098 0x000158B8 0x00014CB8 0x0000041F
FindFirstVolumeMountPointW - 0x0040109C 0x000158BC 0x00014CBC 0x0000013E
AddAtomW - 0x004010A0 0x000158C0 0x00014CC0 0x00000004
GlobalWire - 0x004010A4 0x000158C4 0x00014CC4 0x000002C6
GetModuleFileNameA - 0x004010A8 0x000158C8 0x00014CC8 0x00000213
FindNextFileA - 0x004010AC 0x000158CC 0x00014CCC 0x00000143
EnumDateFormatsA - 0x004010B0 0x000158D0 0x00014CD0 0x000000F4
GetModuleHandleA - 0x004010B4 0x000158D4 0x00014CD4 0x00000215
SetLocaleInfoW - 0x004010B8 0x000158D8 0x00014CD8 0x00000478
lstrcatW - 0x004010BC 0x000158DC 0x00014CDC 0x0000053F
FreeEnvironmentStringsW - 0x004010C0 0x000158E0 0x00014CE0 0x00000161
GetStringTypeW - 0x004010C4 0x000158E4 0x00014CE4 0x00000269
SetThreadAffinityMask - 0x004010C8 0x000158E8 0x00014CE8 0x00000490
SetFileShortNameA - 0x004010CC 0x000158EC 0x00014CEC 0x00000468
GetVolumeNameForVolumeMountPointW - 0x004010D0 0x000158F0 0x00014CF0 0x000002A9
DeleteFileW - 0x004010D4 0x000158F4 0x00014CF4 0x000000D6
DebugBreak - 0x004010D8 0x000158F8 0x00014CF8 0x000000C7
GlobalReAlloc - 0x004010DC 0x000158FC 0x00014CFC 0x000002C1
EnumSystemLocalesW - 0x004010E0 0x00015900 0x00014D00 0x0000010F
DeleteFileA - 0x004010E4 0x00015904 0x00014D04 0x000000D3
WideCharToMultiByte - 0x004010E8 0x00015908 0x00014D08 0x00000511
InterlockedDecrement - 0x004010EC 0x0001590C 0x00014D0C 0x000002EB
InterlockedCompareExchange - 0x004010F0 0x00015910 0x00014D10 0x000002E9
InterlockedExchange - 0x004010F4 0x00015914 0x00014D14 0x000002EC
MultiByteToWideChar - 0x004010F8 0x00015918 0x00014D18 0x00000367
EncodePointer - 0x004010FC 0x0001591C 0x00014D1C 0x000000EA
DecodePointer - 0x00401100 0x00015920 0x00014D20 0x000000CA
Sleep - 0x00401104 0x00015924 0x00014D24 0x000004B2
InitializeCriticalSection - 0x00401108 0x00015928 0x00014D28 0x000002E2
DeleteCriticalSection - 0x0040110C 0x0001592C 0x00014D2C 0x000000D1
EnterCriticalSection - 0x00401110 0x00015930 0x00014D30 0x000000EE
LeaveCriticalSection - 0x00401114 0x00015934 0x00014D34 0x00000339
GetLastError - 0x00401118 0x00015938 0x00014D38 0x00000202
MoveFileA - 0x0040111C 0x0001593C 0x00014D3C 0x0000035E
HeapFree - 0x00401120 0x00015940 0x00014D40 0x000002CF
HeapAlloc - 0x00401124 0x00015944 0x00014D44 0x000002CB
GetModuleHandleW - 0x00401128 0x00015948 0x00014D48 0x00000218
ExitProcess - 0x0040112C 0x0001594C 0x00014D4C 0x00000119
GetCommandLineA - 0x00401130 0x00015950 0x00014D50 0x00000186
HeapSetInformation - 0x00401134 0x00015954 0x00014D54 0x000002D3
GetStartupInfoW - 0x00401138 0x00015958 0x00014D58 0x00000263
GetCPInfo - 0x0040113C 0x0001595C 0x00014D5C 0x00000172
RaiseException - 0x00401140 0x00015960 0x00014D60 0x000003B1
RtlUnwind - 0x00401144 0x00015964 0x00014D64 0x00000418
LCMapStringW - 0x00401148 0x00015968 0x00014D68 0x0000032D
SetUnhandledExceptionFilter - 0x0040114C 0x0001596C 0x00014D6C 0x000004A5
IsDebuggerPresent - 0x00401150 0x00015970 0x00014D70 0x00000300
TerminateProcess - 0x00401154 0x00015974 0x00014D74 0x000004C0
GetCurrentProcess - 0x00401158 0x00015978 0x00014D78 0x000001C0
HeapCreate - 0x0040115C 0x0001597C 0x00014D7C 0x000002CD
WriteFile - 0x00401160 0x00015980 0x00014D80 0x00000525
GetModuleFileNameW - 0x00401164 0x00015984 0x00014D84 0x00000214
HeapSize - 0x00401168 0x00015988 0x00014D88 0x000002D4
CloseHandle - 0x0040116C 0x0001598C 0x00014D8C 0x00000052
InitializeCriticalSectionAndSpinCount - 0x00401170 0x00015990 0x00014D90 0x000002E3
GetLocaleInfoW - 0x00401174 0x00015994 0x00014D94 0x00000206
TlsAlloc - 0x00401178 0x00015998 0x00014D98 0x000004C5
TlsGetValue - 0x0040117C 0x0001599C 0x00014D9C 0x000004C7
TlsSetValue - 0x00401180 0x000159A0 0x00014DA0 0x000004C8
TlsFree - 0x00401184 0x000159A4 0x00014DA4 0x000004C6
SetLastError - 0x00401188 0x000159A8 0x00014DA8 0x00000473
GetCurrentThreadId - 0x0040118C 0x000159AC 0x00014DAC 0x000001C5
GetEnvironmentStringsW - 0x00401190 0x000159B0 0x00014DB0 0x000001DA
SetHandleCount - 0x00401194 0x000159B4 0x00014DB4 0x0000046F
GetFileType - 0x00401198 0x000159B8 0x00014DB8 0x000001F3
QueryPerformanceCounter - 0x0040119C 0x000159BC 0x00014DBC 0x000003A7
GetCurrentProcessId - 0x004011A0 0x000159C0 0x00014DC0 0x000001C1
GetSystemTimeAsFileTime - 0x004011A4 0x000159C4 0x00014DC4 0x00000279
IsProcessorFeaturePresent - 0x004011A8 0x000159C8 0x00014DC8 0x00000304
GetACP - 0x004011AC 0x000159CC 0x00014DCC 0x00000168
GetOEMCP - 0x004011B0 0x000159D0 0x00014DD0 0x00000237
IsValidCodePage - 0x004011B4 0x000159D4 0x00014DD4 0x0000030A
GetUserDefaultLCID - 0x004011B8 0x000159D8 0x00014DD8 0x0000029B
GetLocaleInfoA - 0x004011BC 0x000159DC 0x00014DDC 0x00000204
EnumSystemLocalesA - 0x004011C0 0x000159E0 0x00014DE0 0x0000010D
IsValidLocale - 0x004011C4 0x000159E4 0x00014DE4 0x0000030C
HeapReAlloc - 0x004011C8 0x000159E8 0x00014DE8 0x000002D2
SetStdHandle - 0x004011CC 0x000159EC 0x00014DEC 0x00000487
GetConsoleCP - 0x004011D0 0x000159F0 0x00014DF0 0x0000019A
GetConsoleMode - 0x004011D4 0x000159F4 0x00014DF4 0x000001AC
FlushFileBuffers - 0x004011D8 0x000159F8 0x00014DF8 0x00000157
WriteConsoleW - 0x004011DC 0x000159FC 0x00014DFC 0x00000524
SetFilePointer - 0x004011E0 0x00015A00 0x00014E00 0x00000466
CreateFileW - 0x004011E4 0x00015A04 0x00014E04 0x0000008F
Memory Dumps (13)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
portable.exe 9 0x00400000 0x006BFFFF Relevant Image False 32-bit 0x0040B850 False
buffer 9 0x00931F30 0x00943B87 First Execution False 32-bit 0x00936ABC False
buffer 9 0x00790000 0x00798FFF First Execution False 32-bit 0x00790000 False
portable.exe 9 0x00400000 0x006BFFFF Content Changed False 32-bit 0x0040321C False
portable.exe 9 0x00400000 0x006BFFFF Content Changed False 32-bit 0x0040191C False
portable.exe 9 0x00400000 0x006BFFFF Content Changed False 32-bit 0x00401619 False
portable.exe 9 0x00400000 0x006BFFFF Content Changed False 32-bit 0x00402F83 False
buffer 9 0x00790000 0x00798FFF Process Termination False 32-bit - False
buffer 9 0x00931F30 0x00943B87 Process Termination False 32-bit - False
buffer 9 0x00C11F00 0x00C11F7F Process Termination False 32-bit - False
buffer 9 0x00C11F88 0x00C12787 Process Termination False 32-bit - False
portable.exe 9 0x00400000 0x006BFFFF Process Termination False 32-bit - False
buffer 9 0x007C0000 0x007D5FFF Image In Buffer False 32-bit - False
C:\Users\RDhJ0CNFevzX\AppData\Roaming\wwgclluqqajjf\okktdyyhqq.exe Downloaded File Binary
Malicious
Also Known As C:\Users\RDhJ0CNFevzX\Desktop\a\ostaj2.1.exe (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 153.88 KB
MD5 c544c36f9031c1c13c9444edc245f55f
SHA1 b1612c0b6e8ad7fcfd8bf44fdbeb08e88ac52b57
SHA256 ed5f71edcd297159229c6f8eb7894d5df258826136a6631f9107381da63f678b
SSDeep 3072:XfY/TU9fE9PEtu6Vbhf/zEGFdZAONTd27zqAtzyD7oGY2XAn62twE13dh:PYa6ghBFH16XqAZyoB2ebn13n
ImpHash 61259b55b8912888e90f516ca08dc514
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x00403640
Size Of Code 0x00006800
Size Of Initialized Data 0x00022A00
Size Of Uninitialized Data 0x00000800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2021-09-25 23:56 (UTC+2)
Version Information (5)
CompanyName atheromata
FileDescription Parmenidean
FileVersion 10.73.8.14
LegalCopyright Copyright peripteral
ProductName 10.73.8.14
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00006676 0x00006800 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.42
.rdata 0x00408000 0x0000139A 0x00001400 0x00006C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.14
.data 0x0040A000 0x00020378 0x00000600 0x00008000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.11
.ndata 0x0042B000 0x00010000 0x00000000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x0043B000 0x00000CC8 0x00000E00 0x00008600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.2
Imports (7)
ADVAPI32.dll (13)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegCreateKeyExW - 0x00408000 0x000085A4 0x000071A4 0x000001D2
RegEnumKeyW - 0x00408004 0x000085A8 0x000071A8 0x000001E0
RegQueryValueExW - 0x00408008 0x000085AC 0x000071AC 0x000001F8
RegSetValueExW - 0x0040800C 0x000085B0 0x000071B0 0x00000205
RegCloseKey - 0x00408010 0x000085B4 0x000071B4 0x000001CB
RegDeleteValueW - 0x00408014 0x000085B8 0x000071B8 0x000001D9
RegDeleteKeyW - 0x00408018 0x000085BC 0x000071BC 0x000001D7
AdjustTokenPrivileges - 0x0040801C 0x000085C0 0x000071C0 0x0000001C
LookupPrivilegeValueW - 0x00408020 0x000085C4 0x000071C4 0x00000150
OpenProcessToken - 0x00408024 0x000085C8 0x000071C8 0x000001AC
SetFileSecurityW - 0x00408028 0x000085CC 0x000071CC 0x0000022F
RegOpenKeyExW - 0x0040802C 0x000085D0 0x000071D0 0x000001ED
RegEnumValueW - 0x00408030 0x000085D4 0x000071D4 0x000001E2
SHELL32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderLocation - 0x00408178 0x0000871C 0x0000731C 0x000000C3
SHFileOperationW - 0x0040817C 0x00008720 0x00007320 0x0000009B
SHBrowseForFolderW - 0x00408180 0x00008724 0x00007324 0x0000007A
SHGetPathFromIDListW - 0x00408184 0x00008728 0x00007328 0x000000BD
ShellExecuteExW - 0x00408188 0x0000872C 0x0000732C 0x0000010A
SHGetFileInfoW - 0x0040818C 0x00008730 0x00007330 0x000000AD
ole32.dll (5)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
OleInitialize - 0x00408298 0x0000883C 0x0000743C 0x000000EE
OleUninitialize - 0x0040829C 0x00008840 0x00007440 0x00000105
CoCreateInstance - 0x004082A0 0x00008844 0x00007444 0x00000010
IIDFromString - 0x004082A4 0x00008848 0x00007448 0x000000C6
CoTaskMemFree - 0x004082A8 0x0000884C 0x0000744C 0x00000065
COMCTL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000011 0x00408038 0x000085DC 0x000071DC -
ImageList_Create - 0x0040803C 0x000085E0 0x000071E0 0x00000037
ImageList_Destroy - 0x00408040 0x000085E4 0x000071E4 0x00000038
ImageList_AddMasked - 0x00408044 0x000085E8 0x000071E8 0x00000034
USER32.dll (64)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetClientRect - 0x00408194 0x00008738 0x00007338 0x000000FF
EndPaint - 0x00408198 0x0000873C 0x0000733C 0x000000C8
DrawTextW - 0x0040819C 0x00008740 0x00007340 0x000000BF
IsWindowEnabled - 0x004081A0 0x00008744 0x00007344 0x000001AE
DispatchMessageW - 0x004081A4 0x00008748 0x00007348 0x000000A2
wsprintfA - 0x004081A8 0x0000874C 0x0000734C 0x000002D7
CharNextA - 0x004081AC 0x00008750 0x00007350 0x0000002A
CharPrevW - 0x004081B0 0x00008754 0x00007354 0x0000002F
MessageBoxIndirectW - 0x004081B4 0x00008758 0x00007358 0x000001E3
GetDlgItemTextW - 0x004081B8 0x0000875C 0x0000735C 0x00000114
SetDlgItemTextW - 0x004081BC 0x00008760 0x00007360 0x00000254
GetSystemMetrics - 0x004081C0 0x00008764 0x00007364 0x0000015D
FillRect - 0x004081C4 0x00008768 0x00007368 0x000000E2
AppendMenuW - 0x004081C8 0x0000876C 0x0000736C 0x00000009
TrackPopupMenu - 0x004081CC 0x00008770 0x00007370 0x000002A4
OpenClipboard - 0x004081D0 0x00008774 0x00007374 0x000001F6
SetClipboardData - 0x004081D4 0x00008778 0x00007378 0x0000024A
CloseClipboard - 0x004081D8 0x0000877C 0x0000737C 0x00000042
IsWindowVisible - 0x004081DC 0x00008780 0x00007380 0x000001B1
CallWindowProcW - 0x004081E0 0x00008784 0x00007384 0x0000001C
GetMessagePos - 0x004081E4 0x00008788 0x00007388 0x0000013C
CheckDlgButton - 0x004081E8 0x0000878C 0x0000738C 0x00000038
LoadCursorW - 0x004081EC 0x00008790 0x00007390 0x000001BD
SetCursor - 0x004081F0 0x00008794 0x00007394 0x0000024D
GetSysColor - 0x004081F4 0x00008798 0x00007398 0x0000015A
SetWindowPos - 0x004081F8 0x0000879C 0x0000739C 0x00000283
GetWindowLongW - 0x004081FC 0x000087A0 0x000073A0 0x0000016F
PeekMessageW - 0x00408200 0x000087A4 0x000073A4 0x00000201
SetClassLongW - 0x00408204 0x000087A8 0x000073A8 0x00000248
GetSystemMenu - 0x00408208 0x000087AC 0x000073AC 0x0000015C
EnableMenuItem - 0x0040820C 0x000087B0 0x000073B0 0x000000C2
GetWindowRect - 0x00408210 0x000087B4 0x000073B4 0x00000174
ScreenToClient - 0x00408214 0x000087B8 0x000073B8 0x00000231
EndDialog - 0x00408218 0x000087BC 0x000073BC 0x000000C6
RegisterClassW - 0x0040821C 0x000087C0 0x000073C0 0x00000219
SystemParametersInfoW - 0x00408220 0x000087C4 0x000073C4 0x0000029A
CreateWindowExW - 0x00408224 0x000087C8 0x000073C8 0x00000061
GetClassInfoW - 0x00408228 0x000087CC 0x000073CC 0x000000F9
DialogBoxParamW - 0x0040822C 0x000087D0 0x000073D0 0x0000009F
CharNextW - 0x00408230 0x000087D4 0x000073D4 0x0000002C
ExitWindowsEx - 0x00408234 0x000087D8 0x000073D8 0x000000E1
DestroyWindow - 0x00408238 0x000087DC 0x000073DC 0x00000099
CreateDialogParamW - 0x0040823C 0x000087E0 0x000073E0 0x00000056
SetTimer - 0x00408240 0x000087E4 0x000073E4 0x0000027A
SetWindowTextW - 0x00408244 0x000087E8 0x000073E8 0x00000287
PostQuitMessage - 0x00408248 0x000087EC 0x000073EC 0x00000204
SetForegroundWindow - 0x0040824C 0x000087F0 0x000073F0 0x00000257
ShowWindow - 0x00408250 0x000087F4 0x000073F4 0x00000292
wsprintfW - 0x00408254 0x000087F8 0x000073F8 0x000002D8
SendMessageTimeoutW - 0x00408258 0x000087FC 0x000073FC 0x0000023F
FindWindowExW - 0x0040825C 0x00008800 0x00007400 0x000000E5
IsWindow - 0x00408260 0x00008804 0x00007404 0x000001AD
GetDlgItem - 0x00408264 0x00008808 0x00007408 0x00000111
SetWindowLongW - 0x00408268 0x0000880C 0x0000740C 0x00000281
LoadImageW - 0x0040826C 0x00008810 0x00007410 0x000001C1
GetDC - 0x00408270 0x00008814 0x00007414 0x0000010C
ReleaseDC - 0x00408274 0x00008818 0x00007418 0x0000022A
EnableWindow - 0x00408278 0x0000881C 0x0000741C 0x000000C4
InvalidateRect - 0x0040827C 0x00008820 0x00007420 0x00000193
SendMessageW - 0x00408280 0x00008824 0x00007424 0x00000240
DefWindowProcW - 0x00408284 0x00008828 0x00007428 0x0000008F
BeginPaint - 0x00408288 0x0000882C 0x0000742C 0x0000000D
EmptyClipboard - 0x0040828C 0x00008830 0x00007430 0x000000C1
CreatePopupMenu - 0x00408290 0x00008834 0x00007434 0x0000005E
GDI32.dll (8)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetBkMode - 0x0040804C 0x000085F0 0x000071F0 0x00000216
SetBkColor - 0x00408050 0x000085F4 0x000071F4 0x00000215
GetDeviceCaps - 0x00408054 0x000085F8 0x000071F8 0x0000016B
CreateFontIndirectW - 0x00408058 0x000085FC 0x000071FC 0x0000003D
CreateBrushIndirect - 0x0040805C 0x00008600 0x00007200 0x00000029
DeleteObject - 0x00408060 0x00008604 0x00007204 0x0000008F
SetTextColor - 0x00408064 0x00008608 0x00007208 0x0000023C
SelectObject - 0x00408068 0x0000860C 0x0000720C 0x0000020E
KERNEL32.dll (65)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetExitCodeProcess - 0x00408070 0x00008614 0x00007214 0x0000015A
WaitForSingleObject - 0x00408074 0x00008618 0x00007218 0x00000390
GetModuleHandleA - 0x00408078 0x0000861C 0x0000721C 0x0000017F
GetProcAddress - 0x0040807C 0x00008620 0x00007220 0x000001A0
GetSystemDirectoryW - 0x00408080 0x00008624 0x00007224 0x000001C2
lstrcatW - 0x00408084 0x00008628 0x00007228 0x000003BE
Sleep - 0x00408088 0x0000862C 0x0000722C 0x00000356
lstrcpyA - 0x0040808C 0x00008630 0x00007230 0x000003C6
WriteFile - 0x00408090 0x00008634 0x00007234 0x000003A4
GetTempFileNameW - 0x00408094 0x00008638 0x00007238 0x000001D4
lstrcmpiA - 0x00408098 0x0000863C 0x0000723C 0x000003C3
RemoveDirectoryW - 0x0040809C 0x00008640 0x00007240 0x000002C5
CreateProcessW - 0x004080A0 0x00008644 0x00007244 0x00000069
CreateDirectoryW - 0x004080A4 0x00008648 0x00007248 0x0000004E
GetLastError - 0x004080A8 0x0000864C 0x0000724C 0x00000171
CreateThread - 0x004080AC 0x00008650 0x00007250 0x0000006F
GlobalLock - 0x004080B0 0x00008654 0x00007254 0x00000203
GlobalUnlock - 0x004080B4 0x00008658 0x00007258 0x0000020A
GetDiskFreeSpaceW - 0x004080B8 0x0000865C 0x0000725C 0x00000150
WideCharToMultiByte - 0x004080BC 0x00008660 0x00007260 0x00000394
lstrcpynW - 0x004080C0 0x00008664 0x00007264 0x000003CA
lstrlenW - 0x004080C4 0x00008668 0x00007268 0x000003CD
SetErrorMode - 0x004080C8 0x0000866C 0x0000726C 0x00000315
GetVersionExW - 0x004080CC 0x00008670 0x00007270 0x000001EA
GetCommandLineW - 0x004080D0 0x00008674 0x00007274 0x00000111
GetTempPathW - 0x004080D4 0x00008678 0x00007278 0x000001D6
GetWindowsDirectoryW - 0x004080D8 0x0000867C 0x0000727C 0x000001F4
SetEnvironmentVariableW - 0x004080DC 0x00008680 0x00007280 0x00000314
CopyFileW - 0x004080E0 0x00008684 0x00007284 0x00000046
ExitProcess - 0x004080E4 0x00008688 0x00007288 0x000000B9
GetCurrentProcess - 0x004080E8 0x0000868C 0x0000728C 0x00000142
GetModuleFileNameW - 0x004080EC 0x00008690 0x00007290 0x0000017E
GetFileSize - 0x004080F0 0x00008694 0x00007294 0x00000163
CreateFileW - 0x004080F4 0x00008698 0x00007298 0x00000056
GetTickCount - 0x004080F8 0x0000869C 0x0000729C 0x000001DF
MulDiv - 0x004080FC 0x000086A0 0x000072A0 0x00000274
SetFileAttributesW - 0x00408100 0x000086A4 0x000072A4 0x0000031A
GetFileAttributesW - 0x00408104 0x000086A8 0x000072A8 0x00000161
SetCurrentDirectoryW - 0x00408108 0x000086AC 0x000072AC 0x0000030B
MoveFileW - 0x0040810C 0x000086B0 0x000072B0 0x00000271
GetFullPathNameW - 0x00408110 0x000086B4 0x000072B4 0x0000016A
GetShortPathNameW - 0x00408114 0x000086B8 0x000072B8 0x000001B6
SearchPathW - 0x00408118 0x000086BC 0x000072BC 0x000002DC
CompareFileTime - 0x0040811C 0x000086C0 0x000072C0 0x00000039
SetFileTime - 0x00408120 0x000086C4 0x000072C4 0x0000031F
CloseHandle - 0x00408124 0x000086C8 0x000072C8 0x00000034
lstrcmpiW - 0x00408128 0x000086CC 0x000072CC 0x000003C4
lstrcmpW - 0x0040812C 0x000086D0 0x000072D0 0x000003C1
ExpandEnvironmentStringsW - 0x00408130 0x000086D4 0x000072D4 0x000000BD
GlobalFree - 0x00408134 0x000086D8 0x000072D8 0x000001FF
GlobalAlloc - 0x00408138 0x000086DC 0x000072DC 0x000001F8
GetModuleHandleW - 0x0040813C 0x000086E0 0x000072E0 0x00000182
LoadLibraryExW - 0x00408140 0x000086E4 0x000072E4 0x00000254
MoveFileExW - 0x00408144 0x000086E8 0x000072E8 0x00000270
FreeLibrary - 0x00408148 0x000086EC 0x000072EC 0x000000F8
WritePrivateProfileStringW - 0x0040814C 0x000086F0 0x000072F0 0x000003AA
GetPrivateProfileStringW - 0x00408150 0x000086F4 0x000072F4 0x0000019D
lstrlenA - 0x00408154 0x000086F8 0x000072F8 0x000003CC
MultiByteToWideChar - 0x00408158 0x000086FC 0x000072FC 0x00000275
ReadFile - 0x0040815C 0x00008700 0x00007300 0x000002B5
SetFilePointer - 0x00408160 0x00008704 0x00007304 0x0000031B
FindClose - 0x00408164 0x00008708 0x00007308 0x000000CE
FindNextFileW - 0x00408168 0x0000870C 0x0000730C 0x000000DD
FindFirstFileW - 0x0040816C 0x00008710 0x00007310 0x000000D5
DeleteFileW - 0x00408170 0x00008714 0x00007314 0x00000084
Memory Dumps (10)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
ostaj2.1.exe 15 0x00400000 0x0043BFFF Relevant Image False 32-bit 0x00406A35 False
buffer 15 0x00880000 0x00881FFF First Execution False 32-bit 0x00880000 False
buffer 15 0x00524048 0x00525B45 Final Dump False 32-bit - False
buffer 15 0x00525B50 0x005329BB Final Dump False 32-bit - False
buffer 15 0x00880000 0x00881FFF Final Dump False 32-bit 0x0088113C False
buffer 15 0x02611020 0x02E1101F Final Dump False 32-bit - False
ostaj2.1.exe 15 0x00400000 0x0043BFFF Final Dump False 32-bit - False
graaj.dll 15 0x6DC30000 0x6DC35FFF Final Dump False 32-bit - False
buffer 15 0x020D0000 0x020E8FFF Image In Buffer False 32-bit - False
buffer 15 0x1AC60000 0x1ACF9FFF Image In Buffer False 32-bit - False
C:\Users\RDhJ0CNFevzX\Desktop\a\file.exe Downloaded File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 141.49 KB
MD5 b392d04cf1c1d1f456d4c98db918adf7
SHA1 8b6485f29a5416d19085ce42c414367f61ab3717
SHA256 3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
SSDeep 3072:2bbfPwSEsGVqwkwDapiUlhK0fOWIOGPk4HWGTH+x9:2bbfPwPqyaq/WIm42GL+L
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x0041FF1A
Size Of Code 0x0001E000
Size Of Initialized Data 0x00003200
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2073-12-03 12:44 (UTC+1)
Version Information (11)
Comments -
CompanyName -
FileDescription Update
FileVersion 1.0.0.0
InternalName NKSSD.exe
LegalCopyright Copyright © 2023
LegalTrademarks -
OriginalFilename NKSSD.exe
ProductName Update
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x0001DF20 0x0001E000 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.99
.rsrc 0x00420000 0x00002EA0 0x00003000 0x0001E200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.88
.reloc 0x00424000 0x0000000C 0x00000200 0x00021200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x0001FEED 0x0001E0ED 0x00000000
Digital Signature Information
Verification Status Failed
Certificate: DigiCert, Inc.
Issued by DigiCert, Inc.
Parent Certificate DigiCert EV Code Signing CA (SHA2)
Country Name US
Valid From 2018-08-29 02:00 (UTC+2)
Valid Until 2021-09-01 14:00 (UTC+2)
Algorithm sha256_rsa
Serial Number 0B 46 9B 37 35 F5 86 9C E9 34 F2 59 EA F1 CA 43
Thumbprint 84 7B 53 FE 49 F2 96 AD AB 4F ED FB 92 1C BA AE A9 54 EA B4
Certificate: DigiCert EV Code Signing CA (SHA2)
Issued by DigiCert EV Code Signing CA (SHA2)
Parent Certificate DigiCert High Assurance EV Root CA
Country Name US
Valid From 2012-04-18 14:00 (UTC+2)
Valid Until 2027-04-18 14:00 (UTC+2)
Algorithm sha256_rsa
Serial Number 03 F1 B4 E1 5F 3A 82 F1 14 96 78 B3 D7 D8 47 5C
Thumbprint 60 EE 3F C5 3D 4B DF D1 69 7A E5 BE AE 1C AB 1C 0F 3A D4 E3
Certificate: DigiCert High Assurance EV Root CA
Issued by DigiCert High Assurance EV Root CA
Country Name US
Valid From 2006-11-10 01:00 (UTC+1)
Valid Until 2031-11-10 01:00 (UTC+1)
Algorithm sha1_rsa
Serial Number 02 AC 5C 26 6A 0B 40 9B 8F 0B 79 F2 AE 46 25 77
Thumbprint 5F B7 EE 06 33 E2 59 DB AD 0C 4C 9A E6 D3 8F 1A 61 C7 DC 25
Memory Dumps (1)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
file.exe 21 0x006B0000 0x006D5FFF Relevant Image False 64-bit - False
bdba3bc3d48f9f416e759d00b67deeb4e1c2feb33272e3598ed5f9ee7c6a7899 Extracted File CAB
Malicious
Raised based on a child artifact.
Parent File C:\Users\RDhJ0CNFevzX\Desktop\a\foto0183.exe
MIME Type application/vnd.ms-cab-compressed
File Size 336.51 KB
MD5 a6dfffe5600e6566729d882de7ef2551
SHA1 4e1619a821213339ad9fb20789d913b9b0c16263
SHA256 bdba3bc3d48f9f416e759d00b67deeb4e1c2feb33272e3598ed5f9ee7c6a7899
SSDeep 6144:A+S50M3tTgRKlfwjruIel5jQ0Juq+lBreLXoTToKD23+EUCNB3y48ydvPL:HSKa8GwuvM0JS9eLYTEKXEi49JPL
ImpHash -
Archive Information
Number of Files 2
Number of Folders 0
Size of Packed Archive Contents 512.50 KB
Size of Unpacked Archive Contents 512.50 KB
File Format cab
Contents (2)
File Name Packed Size Unpacked Size Compression Is Encrypted Modify Time Verdict Actions
i7977054.exe 204.50 KB 204.50 KB LZX:21 False 2023-05-05 17:58 (UTC+2)
Malicious
x0104907.exe 308.00 KB 308.00 KB LZX:21 False 2023-05-05 17:58 (UTC+2)
Malicious
Raised based on a child artifact.
2f63ec50c7c778c7c0b9c4d26fe23f6b13a4bdb3214eda6242620e85ca46d1ef Extracted File CAB
Malicious
Raised based on a child artifact.
Parent File C:\Users\RDhJ0CNFevzX\Desktop\a\photo_560.exe
MIME Type application/vnd.ms-cab-compressed
File Size 336.46 KB
MD5 6cae5eb02d28dd25e146f670a658d034
SHA1 b1ac49aa0be90e0d2525d30290e65d53c1dce09a
SHA256 2f63ec50c7c778c7c0b9c4d26fe23f6b13a4bdb3214eda6242620e85ca46d1ef
SSDeep 6144:G/fm2eaKUAHVRoMjlEY4zbPsMqJN1eUB0HvDrMFaurBSPAu00CjAJoFWmArc:GHneaKVR3jb4zzUN1exfKBS300CsoL
ImpHash -
Archive Information
Number of Files 2
Number of Folders 0
Size of Packed Archive Contents 513.00 KB
Size of Unpacked Archive Contents 513.00 KB
File Format cab
Contents (2)
File Name Packed Size Unpacked Size Compression Is Encrypted Modify Time Verdict Actions
d6121125.exe 204.50 KB 204.50 KB LZX:21 False 2023-05-05 17:58 (UTC+2)
Malicious
v6852231.exe 308.50 KB 308.50 KB LZX:21 False 2023-05-05 17:58 (UTC+2)
Malicious
Raised based on a child artifact.
x0104907.exe Archive File Binary
Malicious
Raised based on a child artifact.
Parent File bdba3bc3d48f9f416e759d00b67deeb4e1c2feb33272e3598ed5f9ee7c6a7899
MIME Type application/vnd.microsoft.portable-executable
File Size 308.00 KB
MD5 f9ba5cf9efd788186eb780825a72f290
SHA1 0caa2c6daf77f115f8091be993c8379189996b6f
SHA256 b5c1643b41f8e24ba325238390934b0039d202c68122e34269b47b86b34ac48e
SSDeep 6144:KDy+bnr+Rp0yN90QExD30rtVKQD7UUANlK37uqSvBrcLdoTKoKL:FMr1y903DMVn/UnNI37A9cLKTXKL
ImpHash 646167cce332c1c252cdcb1839e0cf48
PE Information
Image Base 0x00400000
Entry Point 0x00406A60
Size Of Code 0x00006400
Size Of Initialized Data 0x00046800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-05-25 00:49 (UTC+2)
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Win32 Cabinet Self-Extractor
FileVersion 11.00.17763.1 (WinBuild.160101.0800)
InternalName Wextract
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename WEXTRACT.EXE .MUI
ProductName Internet Explorer
ProductVersion 11.00.17763.1
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00006314 0x00006400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.31
.data 0x00408000 0x00001A48 0x00000200 0x00006800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.97
.idata 0x0040A000 0x00001052 0x00001200 0x00006A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.03
.rsrc 0x0040C000 0x00045000 0x00044A00 0x00007C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.72
.reloc 0x00451000 0x00000888 0x00000A00 0x0004C600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.22
Imports (8)
ADVAPI32.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetTokenInformation - 0x0040A000 0x0000A340 0x00006D40 0x00000170
RegDeleteValueA - 0x0040A004 0x0000A344 0x00006D44 0x00000272
RegOpenKeyExA - 0x0040A008 0x0000A348 0x00006D48 0x0000028B
RegQueryInfoKeyA - 0x0040A00C 0x0000A34C 0x00006D4C 0x00000292
FreeSid - 0x0040A010 0x0000A350 0x00006D50 0x00000134
OpenProcessToken - 0x0040A014 0x0000A354 0x00006D54 0x00000215
RegSetValueExA - 0x0040A018 0x0000A358 0x00006D58 0x000002A8
RegCreateKeyExA - 0x0040A01C 0x0000A35C 0x00006D5C 0x00000263
LookupPrivilegeValueA - 0x0040A020 0x0000A360 0x00006D60 0x000001AE
AllocateAndInitializeSid - 0x0040A024 0x0000A364 0x00006D64 0x00000020
RegQueryValueExA - 0x0040A028 0x0000A368 0x00006D68 0x00000298
EqualSid - 0x0040A02C 0x0000A36C 0x00006D6C 0x0000011A
RegCloseKey - 0x0040A030 0x0000A370 0x00006D70 0x0000025B
AdjustTokenPrivileges - 0x0040A034 0x0000A374 0x00006D74 0x0000001F
KERNEL32.dll (81)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_lopen - 0x0040A060 0x0000A3A0 0x00006DA0 0x00000628
_llseek - 0x0040A064 0x0000A3A4 0x00006DA4 0x00000627
CompareStringA - 0x0040A068 0x0000A3A8 0x00006DA8 0x00000098
GetLastError - 0x0040A06C 0x0000A3AC 0x00006DAC 0x00000261
GetFileAttributesA - 0x0040A070 0x0000A3B0 0x00006DB0 0x00000240
GetSystemDirectoryA - 0x0040A074 0x0000A3B4 0x00006DB4 0x000002DF
LoadLibraryA - 0x0040A078 0x0000A3B8 0x00006DB8 0x000003C1
DeleteFileA - 0x0040A07C 0x0000A3BC 0x00006DBC 0x00000112
GlobalAlloc - 0x0040A080 0x0000A3C0 0x00006DC0 0x0000032D
GlobalFree - 0x0040A084 0x0000A3C4 0x00006DC4 0x00000334
CloseHandle - 0x0040A088 0x0000A3C8 0x00006DC8 0x00000086
WritePrivateProfileStringA - 0x0040A08C 0x0000A3CC 0x00006DCC 0x00000617
IsDBCSLeadByte - 0x0040A090 0x0000A3D0 0x00006DD0 0x0000037D
GetWindowsDirectoryA - 0x0040A094 0x0000A3D4 0x00006DD4 0x00000325
SetFileAttributesA - 0x0040A098 0x0000A3D8 0x00006DD8 0x0000051A
GetProcAddress - 0x0040A09C 0x0000A3DC 0x00006DDC 0x000002AE
GlobalLock - 0x0040A0A0 0x0000A3E0 0x00006DE0 0x00000338
LocalFree - 0x0040A0A4 0x0000A3E4 0x00006DE4 0x000003CF
RemoveDirectoryA - 0x0040A0A8 0x0000A3E8 0x00006DE8 0x000004B6
FreeLibrary - 0x0040A0AC 0x0000A3EC 0x00006DEC 0x000001AB
_lclose - 0x0040A0B0 0x0000A3F0 0x00006DF0 0x00000625
CreateDirectoryA - 0x0040A0B4 0x0000A3F4 0x00006DF4 0x000000B5
GetPrivateProfileIntA - 0x0040A0B8 0x0000A3F8 0x00006DF8 0x000002A4
GetPrivateProfileStringA - 0x0040A0BC 0x0000A3FC 0x00006DFC 0x000002AA
GlobalUnlock - 0x0040A0C0 0x0000A400 0x00006E00 0x0000033F
ReadFile - 0x0040A0C4 0x0000A404 0x00006E04 0x00000473
SizeofResource - 0x0040A0C8 0x0000A408 0x00006E08 0x0000057C
WriteFile - 0x0040A0CC 0x0000A40C 0x00006E0C 0x00000612
GetDriveTypeA - 0x0040A0D0 0x0000A410 0x00006E10 0x0000022E
lstrcmpA - 0x0040A0D4 0x0000A414 0x00006E14 0x0000062F
SetFileTime - 0x0040A0D8 0x0000A418 0x00006E18 0x00000526
SetFilePointer - 0x0040A0DC 0x0000A41C 0x00006E1C 0x00000522
FindResourceA - 0x0040A0E0 0x0000A420 0x00006E20 0x00000193
CreateMutexA - 0x0040A0E4 0x0000A424 0x00006E24 0x000000D7
GetVolumeInformationA - 0x0040A0E8 0x0000A428 0x00006E28 0x0000031C
ExpandEnvironmentStringsA - 0x0040A0EC 0x0000A42C 0x00006E2C 0x00000161
GetCurrentDirectoryA - 0x0040A0F0 0x0000A430 0x00006E30 0x00000210
FreeResource - 0x0040A0F4 0x0000A434 0x00006E34 0x000001AF
GetVersion - 0x0040A0F8 0x0000A438 0x00006E38 0x00000319
SetCurrentDirectoryA - 0x0040A0FC 0x0000A43C 0x00006E3C 0x00000508
GetTempPathA - 0x0040A100 0x0000A440 0x00006E40 0x000002F5
LocalFileTimeToFileTime - 0x0040A104 0x0000A444 0x00006E44 0x000003CC
CreateFileA - 0x0040A108 0x0000A448 0x00006E48 0x000000C3
SetEvent - 0x0040A10C 0x0000A44C 0x00006E4C 0x00000516
TerminateThread - 0x0040A110 0x0000A450 0x00006E50 0x0000058D
GetVersionExA - 0x0040A114 0x0000A454 0x00006E54 0x0000031A
LockResource - 0x0040A118 0x0000A458 0x00006E58 0x000003DB
GetSystemInfo - 0x0040A11C 0x0000A45C 0x00006E5C 0x000002E3
CreateThread - 0x0040A120 0x0000A460 0x00006E60 0x000000F3
ResetEvent - 0x0040A124 0x0000A464 0x00006E64 0x000004C6
LoadResource - 0x0040A128 0x0000A468 0x00006E68 0x000003C7
ExitProcess - 0x0040A12C 0x0000A46C 0x00006E6C 0x0000015E
GetModuleHandleW - 0x0040A130 0x0000A470 0x00006E70 0x00000278
CreateProcessA - 0x0040A134 0x0000A474 0x00006E74 0x000000E0
FormatMessageA - 0x0040A138 0x0000A478 0x00006E78 0x000001A6
GetTempFileNameA - 0x0040A13C 0x0000A47C 0x00006E7C 0x000002F3
DosDateTimeToFileTime - 0x0040A140 0x0000A480 0x00006E80 0x00000126
CreateEventA - 0x0040A144 0x0000A484 0x00006E84 0x000000BC
GetExitCodeProcess - 0x0040A148 0x0000A488 0x00006E88 0x0000023C
FindNextFileA - 0x0040A14C 0x0000A48C 0x00006E8C 0x0000018A
LocalAlloc - 0x0040A150 0x0000A490 0x00006E90 0x000003CA
GetShortPathNameA - 0x0040A154 0x0000A494 0x00006E94 0x000002CC
MulDiv - 0x0040A158 0x0000A498 0x00006E98 0x000003EE
GetDiskFreeSpaceA - 0x0040A15C 0x0000A49C 0x00006E9C 0x00000226
EnumResourceLanguagesA - 0x0040A160 0x0000A4A0 0x00006EA0 0x0000013F
GetTickCount - 0x0040A164 0x0000A4A4 0x00006EA4 0x00000307
GetSystemTimeAsFileTime - 0x0040A168 0x0000A4A8 0x00006EA8 0x000002E9
GetCurrentThreadId - 0x0040A16C 0x0000A4AC 0x00006EAC 0x0000021C
GetCurrentProcessId - 0x0040A170 0x0000A4B0 0x00006EB0 0x00000218
QueryPerformanceCounter - 0x0040A174 0x0000A4B4 0x00006EB4 0x0000044D
TerminateProcess - 0x0040A178 0x0000A4B8 0x00006EB8 0x0000058C
SetUnhandledExceptionFilter - 0x0040A17C 0x0000A4BC 0x00006EBC 0x0000056D
UnhandledExceptionFilter - 0x0040A180 0x0000A4C0 0x00006EC0 0x000005AD
GetStartupInfoW - 0x0040A184 0x0000A4C4 0x00006EC4 0x000002D0
Sleep - 0x0040A188 0x0000A4C8 0x00006EC8 0x0000057D
FindClose - 0x0040A18C 0x0000A4CC 0x00006ECC 0x00000175
GetCurrentProcess - 0x0040A190 0x0000A4D0 0x00006ED0 0x00000217
FindFirstFileA - 0x0040A194 0x0000A4D4 0x00006ED4 0x00000179
WaitForSingleObject - 0x0040A198 0x0000A4D8 0x00006ED8 0x000005D7
GetModuleFileNameA - 0x0040A19C 0x0000A4DC 0x00006EDC 0x00000273
LoadLibraryExA - 0x0040A1A0 0x0000A4E0 0x00006EE0 0x000003C2
GDI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetDeviceCaps - 0x0040A058 0x0000A398 0x00006D98 0x00000275
USER32.dll (30)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetWindowLongA - 0x0040A1A8 0x0000A4E8 0x00006EE8 0x00000373
GetDlgItemTextA - 0x0040A1AC 0x0000A4EC 0x00006EEC 0x0000014B
DialogBoxIndirectParamA - 0x0040A1B0 0x0000A4F0 0x00006EF0 0x000000B5
ShowWindow - 0x0040A1B4 0x0000A4F4 0x00006EF4 0x00000387
MsgWaitForMultipleObjects - 0x0040A1B8 0x0000A4F8 0x00006EF8 0x00000297
SetWindowPos - 0x0040A1BC 0x0000A4FC 0x00006EFC 0x00000376
GetDC - 0x0040A1C0 0x0000A500 0x00006F00 0x0000013F
GetWindowRect - 0x0040A1C4 0x0000A504 0x00006F04 0x000001E6
DispatchMessageA - 0x0040A1C8 0x0000A508 0x00006F08 0x000000BB
GetDesktopWindow - 0x0040A1CC 0x0000A50C 0x00006F0C 0x00000142
CharUpperA - 0x0040A1D0 0x0000A510 0x00006F10 0x0000003B
SetDlgItemTextA - 0x0040A1D4 0x0000A514 0x00006F14 0x00000332
ExitWindowsEx - 0x0040A1D8 0x0000A518 0x00006F18 0x0000010E
MessageBeep - 0x0040A1DC 0x0000A51C 0x00006F1C 0x00000288
EndDialog - 0x0040A1E0 0x0000A520 0x00006F20 0x000000F1
CharPrevA - 0x0040A1E4 0x0000A524 0x00006F24 0x00000034
LoadStringA - 0x0040A1E8 0x0000A528 0x00006F28 0x0000025B
CharNextA - 0x0040A1EC 0x0000A52C 0x00006F2C 0x00000031
EnableWindow - 0x0040A1F0 0x0000A530 0x00006F30 0x000000EE
ReleaseDC - 0x0040A1F4 0x0000A534 0x00006F34 0x000002FE
SetForegroundWindow - 0x0040A1F8 0x0000A538 0x00006F38 0x00000337
PeekMessageA - 0x0040A1FC 0x0000A53C 0x00006F3C 0x000002AE
GetDlgItem - 0x0040A200 0x0000A540 0x00006F40 0x00000149
SendMessageA - 0x0040A204 0x0000A544 0x00006F44 0x00000314
SendDlgItemMessageA - 0x0040A208 0x0000A548 0x00006F48 0x0000030F
MessageBoxA - 0x0040A20C 0x0000A54C 0x00006F4C 0x00000289
SetWindowTextA - 0x0040A210 0x0000A550 0x00006F50 0x0000037A
GetWindowLongA - 0x0040A214 0x0000A554 0x00006F54 0x000001DE
CallWindowProcA - 0x0040A218 0x0000A558 0x00006F58 0x0000001F
GetSystemMetrics - 0x0040A21C 0x0000A55C 0x00006F5C 0x000001BF
msvcrt.dll (20)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_controlfp - 0x0040A234 0x0000A574 0x00006F74 0x00000137
?terminate@@YAXXZ - 0x0040A238 0x0000A578 0x00006F78 0x00000035
_acmdln - 0x0040A23C 0x0000A57C 0x00006F7C 0x000000F7
_initterm - 0x0040A240 0x0000A580 0x00006F80 0x000001E8
__setusermatherr - 0x0040A244 0x0000A584 0x00006F84 0x000000E4
_except_handler4_common - 0x0040A248 0x0000A588 0x00006F88 0x0000016A
memcpy - 0x0040A24C 0x0000A58C 0x00006F8C 0x00000509
_ismbblead - 0x0040A250 0x0000A590 0x00006F90 0x00000207
__p__fmode - 0x0040A254 0x0000A594 0x00006F94 0x000000CE
_cexit - 0x0040A258 0x0000A598 0x00006F98 0x00000124
_exit - 0x0040A25C 0x0000A59C 0x00006F9C 0x00000173
exit - 0x0040A260 0x0000A5A0 0x00006FA0 0x000004AE
__set_app_type - 0x0040A264 0x0000A5A4 0x00006FA4 0x000000E2
__getmainargs - 0x0040A268 0x0000A5A8 0x00006FA8 0x000000A1
_amsg_exit - 0x0040A26C 0x0000A5AC 0x00006FAC 0x00000111
__p__commode - 0x0040A270 0x0000A5B0 0x00006FB0 0x000000C9
_XcptFilter - 0x0040A274 0x0000A5B4 0x00006FB4 0x0000006F
memcpy_s - 0x0040A278 0x0000A5B8 0x00006FB8 0x0000050A
_vsnprintf - 0x0040A27C 0x0000A5BC 0x00006FBC 0x000003E6
memset - 0x0040A280 0x0000A5C0 0x00006FC0 0x0000050D
COMCTL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000011 0x0040A03C 0x0000A37C 0x00006D7C -
Cabinet.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x00000016 0x0040A044 0x0000A384 0x00006D84 -
None 0x00000017 0x0040A048 0x0000A388 0x00006D88 -
None 0x00000015 0x0040A04C 0x0000A38C 0x00006D8C -
None 0x00000014 0x0040A050 0x0000A390 0x00006D90 -
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoA - 0x0040A224 0x0000A564 0x00006F64 0x00000000
VerQueryValueA - 0x0040A228 0x0000A568 0x00006F68 0x0000000F
GetFileVersionInfoSizeA - 0x0040A22C 0x0000A56C 0x00006F6C 0x00000004
a4873807.exe Archive File Binary
Malicious
Parent File 9efd3d128b5dddbd78b39d710cfd2bd059f49e717e5de622e8e4adb3c011e482
MIME Type application/vnd.microsoft.portable-executable
File Size 175.10 KB
MD5 2fc9b7174512102985f105fb1a895716
SHA1 0df4fb0a87360d44d03a46b7911d8c314e96c0c3
SHA256 379fa525b28dd997421395eda06c6cdd9c7150d9004ad35b4bd04d4e8afd6428
SSDeep 3072:/DKW1LgppLRHMY0TBfJvjcTp5XDElD5PbUXukcu/9mN:/DKW1Lgbdl0TBBvjc/IlhU+kcu1
ImpHash bf5a4aa99e5b160f8521cadd6bfe73b8
PE Information
Image Base 0x00400000
Entry Point 0x0040CD2F
Size Of Code 0x00019800
Size Of Initialized Data 0x00012000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2012-07-14 00:47 (UTC+2)
Version Information (11)
Comments -
CompanyName -
FileDescription Healer
FileVersion 1.0.0.0
InternalName Healer.exe
LegalCopyright Copyright © 2023
LegalTrademarks -
OriginalFilename Healer.exe
ProductName Healer
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00019718 0x00019800 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.75
.rdata 0x0041B000 0x00006DB4 0x00006E00 0x00019C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.44
.data 0x00422000 0x000030C0 0x00001600 0x00020A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.26
.rsrc 0x00426000 0x00009B64 0x00009C00 0x00022000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.97
Imports (3)
KERNEL32.dll (84)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RaiseException - 0x0041B000 0x00021604 0x00020204 0x0000035A
GetLastError - 0x0041B004 0x00021608 0x00020208 0x000001E6
MultiByteToWideChar - 0x0041B008 0x0002160C 0x0002020C 0x0000031A
lstrlenA - 0x0041B00C 0x00021610 0x00020210 0x000004B5
InterlockedDecrement - 0x0041B010 0x00021614 0x00020214 0x000002BC
GetProcAddress - 0x0041B014 0x00021618 0x00020218 0x00000220
LoadLibraryA - 0x0041B018 0x0002161C 0x0002021C 0x000002F1
FreeResource - 0x0041B01C 0x00021620 0x00020220 0x0000014F
SizeofResource - 0x0041B020 0x00021624 0x00020224 0x00000420
LockResource - 0x0041B024 0x00021628 0x00020228 0x00000307
LoadResource - 0x0041B028 0x0002162C 0x0002022C 0x000002F6
FindResourceA - 0x0041B02C 0x00021630 0x00020230 0x00000136
GetModuleHandleA - 0x0041B030 0x00021634 0x00020234 0x000001F6
Module32Next - 0x0041B034 0x00021638 0x00020238 0x0000030F
CloseHandle - 0x0041B038 0x0002163C 0x0002023C 0x00000043
Module32First - 0x0041B03C 0x00021640 0x00020240 0x0000030D
CreateToolhelp32Snapshot - 0x0041B040 0x00021644 0x00020244 0x000000AC
GetCurrentProcessId - 0x0041B044 0x00021648 0x00020248 0x000001AA
SetEndOfFile - 0x0041B048 0x0002164C 0x0002024C 0x000003CD
GetStringTypeW - 0x0041B04C 0x00021650 0x00020250 0x00000240
GetStringTypeA - 0x0041B050 0x00021654 0x00020254 0x0000023D
LCMapStringW - 0x0041B054 0x00021658 0x00020258 0x000002E3
LCMapStringA - 0x0041B058 0x0002165C 0x0002025C 0x000002E1
GetLocaleInfoA - 0x0041B05C 0x00021660 0x00020260 0x000001E8
HeapFree - 0x0041B060 0x00021664 0x00020264 0x000002A1
GetProcessHeap - 0x0041B064 0x00021668 0x00020268 0x00000223
HeapAlloc - 0x0041B068 0x0002166C 0x0002026C 0x0000029D
GetCommandLineA - 0x0041B06C 0x00021670 0x00020270 0x0000016F
HeapCreate - 0x0041B070 0x00021674 0x00020274 0x0000029F
VirtualFree - 0x0041B074 0x00021678 0x00020278 0x00000457
DeleteCriticalSection - 0x0041B078 0x0002167C 0x0002027C 0x000000BE
LeaveCriticalSection - 0x0041B07C 0x00021680 0x00020280 0x000002EF
EnterCriticalSection - 0x0041B080 0x00021684 0x00020284 0x000000D9
VirtualAlloc - 0x0041B084 0x00021688 0x00020288 0x00000454
HeapReAlloc - 0x0041B088 0x0002168C 0x0002028C 0x000002A4
HeapSize - 0x0041B08C 0x00021690 0x00020290 0x000002A6
TerminateProcess - 0x0041B090 0x00021694 0x00020294 0x0000042D
GetCurrentProcess - 0x0041B094 0x00021698 0x00020298 0x000001A9
UnhandledExceptionFilter - 0x0041B098 0x0002169C 0x0002029C 0x0000043E
SetUnhandledExceptionFilter - 0x0041B09C 0x000216A0 0x000202A0 0x00000415
IsDebuggerPresent - 0x0041B0A0 0x000216A4 0x000202A4 0x000002D1
GetModuleHandleW - 0x0041B0A4 0x000216A8 0x000202A8 0x000001F9
Sleep - 0x0041B0A8 0x000216AC 0x000202AC 0x00000421
ExitProcess - 0x0041B0AC 0x000216B0 0x000202B0 0x00000104
WriteFile - 0x0041B0B0 0x000216B4 0x000202B4 0x0000048D
GetStdHandle - 0x0041B0B4 0x000216B8 0x000202B8 0x0000023B
GetModuleFileNameA - 0x0041B0B8 0x000216BC 0x000202BC 0x000001F4
WideCharToMultiByte - 0x0041B0BC 0x000216C0 0x000202C0 0x0000047A
GetConsoleCP - 0x0041B0C0 0x000216C4 0x000202C4 0x00000183
GetConsoleMode - 0x0041B0C4 0x000216C8 0x000202C8 0x00000195
ReadFile - 0x0041B0C8 0x000216CC 0x000202CC 0x00000368
TlsGetValue - 0x0041B0CC 0x000216D0 0x000202D0 0x00000434
TlsAlloc - 0x0041B0D0 0x000216D4 0x000202D4 0x00000432
TlsSetValue - 0x0041B0D4 0x000216D8 0x000202D8 0x00000435
TlsFree - 0x0041B0D8 0x000216DC 0x000202DC 0x00000433
InterlockedIncrement - 0x0041B0DC 0x000216E0 0x000202E0 0x000002C0
SetLastError - 0x0041B0E0 0x000216E4 0x000202E4 0x000003EC
GetCurrentThreadId - 0x0041B0E4 0x000216E8 0x000202E8 0x000001AD
FlushFileBuffers - 0x0041B0E8 0x000216EC 0x000202EC 0x00000141
SetFilePointer - 0x0041B0EC 0x000216F0 0x000202F0 0x000003DF
SetHandleCount - 0x0041B0F0 0x000216F4 0x000202F4 0x000003E8
GetFileType - 0x0041B0F4 0x000216F8 0x000202F8 0x000001D7
GetStartupInfoA - 0x0041B0F8 0x000216FC 0x000202FC 0x00000239
RtlUnwind - 0x0041B0FC 0x00021700 0x00020300 0x00000392
FreeEnvironmentStringsA - 0x0041B100 0x00021704 0x00020304 0x0000014A
GetEnvironmentStrings - 0x0041B104 0x00021708 0x00020308 0x000001BF
FreeEnvironmentStringsW - 0x0041B108 0x0002170C 0x0002030C 0x0000014B
GetEnvironmentStringsW - 0x0041B10C 0x00021710 0x00020310 0x000001C1
QueryPerformanceCounter - 0x0041B110 0x00021714 0x00020314 0x00000354
GetTickCount - 0x0041B114 0x00021718 0x00020318 0x00000266
GetSystemTimeAsFileTime - 0x0041B118 0x0002171C 0x0002031C 0x0000024F
InitializeCriticalSectionAndSpinCount - 0x0041B11C 0x00021720 0x00020320 0x000002B5
GetCPInfo - 0x0041B120 0x00021724 0x00020324 0x0000015B
GetACP - 0x0041B124 0x00021728 0x00020328 0x00000152
GetOEMCP - 0x0041B128 0x0002172C 0x0002032C 0x00000213
IsValidCodePage - 0x0041B12C 0x00021730 0x00020330 0x000002DB
CompareStringA - 0x0041B130 0x00021734 0x00020334 0x00000052
CompareStringW - 0x0041B134 0x00021738 0x00020338 0x00000055
SetEnvironmentVariableA - 0x0041B138 0x0002173C 0x0002033C 0x000003D0
WriteConsoleA - 0x0041B13C 0x00021740 0x00020340 0x00000482
GetConsoleOutputCP - 0x0041B140 0x00021744 0x00020344 0x00000199
WriteConsoleW - 0x0041B144 0x00021748 0x00020348 0x0000048C
SetStdHandle - 0x0041B148 0x0002174C 0x0002034C 0x000003FC
CreateFileA - 0x0041B14C 0x00021750 0x00020350 0x00000078
ole32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
OleInitialize - 0x0041B17C 0x00021780 0x00020380 0x000000F4
OLEAUT32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SafeArrayCreate 0x0000000F 0x0041B154 0x00021758 0x00020358 -
SafeArrayAccessData 0x00000017 0x0041B158 0x0002175C 0x0002035C -
SafeArrayUnaccessData 0x00000018 0x0041B15C 0x00021760 0x00020360 -
SafeArrayDestroy 0x00000010 0x0041B160 0x00021764 0x00020364 -
SafeArrayCreateVector 0x0000019B 0x0041B164 0x00021768 0x00020368 -
VariantClear 0x00000009 0x0041B168 0x0002176C 0x0002036C -
VariantInit 0x00000008 0x0041B16C 0x00021770 0x00020370 -
SysFreeString 0x00000006 0x0041B170 0x00021774 0x00020374 -
SysAllocString 0x00000002 0x0041B174 0x00021778 0x00020378 -
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
Packer_RedNet Packer used to distribute malware - 5/5
h2309517.exe Archive File Binary
Malicious
Parent File 3503661d08745adb6c21bbe0be8551afe6c477877be2b93c49daf00216873b59
MIME Type application/vnd.microsoft.portable-executable
File Size 175.09 KB
MD5 c8a10fb35a392b3927678ff11f4f4bfc
SHA1 a7efbec1b38fa6e1bba065f0cfe03fca4c1a6188
SHA256 a5b5d932a8a7e81a269c25fc1a60059b06cc886e23112817fb3e0ad99635e239
SSDeep 3072:/DKW1LgppLRHMY0TBfJvjcTp5XDElD5PbUXukcu/9mN:/DKW1Lgbdl0TBBvjc/IlhU+kcu1
ImpHash bf5a4aa99e5b160f8521cadd6bfe73b8
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x0040CD2F
Size Of Code 0x00019800
Size Of Initialized Data 0x00012000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2012-07-14 00:47 (UTC+2)
Version Information (11)
Comments -
CompanyName -
FileDescription Healer
FileVersion 1.0.0.0
InternalName Healer.exe
LegalCopyright Copyright © 2023
LegalTrademarks -
OriginalFilename Healer.exe
ProductName Healer
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00019718 0x00019800 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.75
.rdata 0x0041B000 0x00006DB4 0x00006E00 0x00019C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.44
.data 0x00422000 0x000030C0 0x00001600 0x00020A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.26
.rsrc 0x00426000 0x00009B64 0x00009C00 0x00022000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.97
Imports (3)
KERNEL32.dll (84)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RaiseException - 0x0041B000 0x00021604 0x00020204 0x0000035A
GetLastError - 0x0041B004 0x00021608 0x00020208 0x000001E6
MultiByteToWideChar - 0x0041B008 0x0002160C 0x0002020C 0x0000031A
lstrlenA - 0x0041B00C 0x00021610 0x00020210 0x000004B5
InterlockedDecrement - 0x0041B010 0x00021614 0x00020214 0x000002BC
GetProcAddress - 0x0041B014 0x00021618 0x00020218 0x00000220
LoadLibraryA - 0x0041B018 0x0002161C 0x0002021C 0x000002F1
FreeResource - 0x0041B01C 0x00021620 0x00020220 0x0000014F
SizeofResource - 0x0041B020 0x00021624 0x00020224 0x00000420
LockResource - 0x0041B024 0x00021628 0x00020228 0x00000307
LoadResource - 0x0041B028 0x0002162C 0x0002022C 0x000002F6
FindResourceA - 0x0041B02C 0x00021630 0x00020230 0x00000136
GetModuleHandleA - 0x0041B030 0x00021634 0x00020234 0x000001F6
Module32Next - 0x0041B034 0x00021638 0x00020238 0x0000030F
CloseHandle - 0x0041B038 0x0002163C 0x0002023C 0x00000043
Module32First - 0x0041B03C 0x00021640 0x00020240 0x0000030D
CreateToolhelp32Snapshot - 0x0041B040 0x00021644 0x00020244 0x000000AC
GetCurrentProcessId - 0x0041B044 0x00021648 0x00020248 0x000001AA
SetEndOfFile - 0x0041B048 0x0002164C 0x0002024C 0x000003CD
GetStringTypeW - 0x0041B04C 0x00021650 0x00020250 0x00000240
GetStringTypeA - 0x0041B050 0x00021654 0x00020254 0x0000023D
LCMapStringW - 0x0041B054 0x00021658 0x00020258 0x000002E3
LCMapStringA - 0x0041B058 0x0002165C 0x0002025C 0x000002E1
GetLocaleInfoA - 0x0041B05C 0x00021660 0x00020260 0x000001E8
HeapFree - 0x0041B060 0x00021664 0x00020264 0x000002A1
GetProcessHeap - 0x0041B064 0x00021668 0x00020268 0x00000223
HeapAlloc - 0x0041B068 0x0002166C 0x0002026C 0x0000029D
GetCommandLineA - 0x0041B06C 0x00021670 0x00020270 0x0000016F
HeapCreate - 0x0041B070 0x00021674 0x00020274 0x0000029F
VirtualFree - 0x0041B074 0x00021678 0x00020278 0x00000457
DeleteCriticalSection - 0x0041B078 0x0002167C 0x0002027C 0x000000BE
LeaveCriticalSection - 0x0041B07C 0x00021680 0x00020280 0x000002EF
EnterCriticalSection - 0x0041B080 0x00021684 0x00020284 0x000000D9
VirtualAlloc - 0x0041B084 0x00021688 0x00020288 0x00000454
HeapReAlloc - 0x0041B088 0x0002168C 0x0002028C 0x000002A4
HeapSize - 0x0041B08C 0x00021690 0x00020290 0x000002A6
TerminateProcess - 0x0041B090 0x00021694 0x00020294 0x0000042D
GetCurrentProcess - 0x0041B094 0x00021698 0x00020298 0x000001A9
UnhandledExceptionFilter - 0x0041B098 0x0002169C 0x0002029C 0x0000043E
SetUnhandledExceptionFilter - 0x0041B09C 0x000216A0 0x000202A0 0x00000415
IsDebuggerPresent - 0x0041B0A0 0x000216A4 0x000202A4 0x000002D1
GetModuleHandleW - 0x0041B0A4 0x000216A8 0x000202A8 0x000001F9
Sleep - 0x0041B0A8 0x000216AC 0x000202AC 0x00000421
ExitProcess - 0x0041B0AC 0x000216B0 0x000202B0 0x00000104
WriteFile - 0x0041B0B0 0x000216B4 0x000202B4 0x0000048D
GetStdHandle - 0x0041B0B4 0x000216B8 0x000202B8 0x0000023B
GetModuleFileNameA - 0x0041B0B8 0x000216BC 0x000202BC 0x000001F4
WideCharToMultiByte - 0x0041B0BC 0x000216C0 0x000202C0 0x0000047A
GetConsoleCP - 0x0041B0C0 0x000216C4 0x000202C4 0x00000183
GetConsoleMode - 0x0041B0C4 0x000216C8 0x000202C8 0x00000195
ReadFile - 0x0041B0C8 0x000216CC 0x000202CC 0x00000368
TlsGetValue - 0x0041B0CC 0x000216D0 0x000202D0 0x00000434
TlsAlloc - 0x0041B0D0 0x000216D4 0x000202D4 0x00000432
TlsSetValue - 0x0041B0D4 0x000216D8 0x000202D8 0x00000435
TlsFree - 0x0041B0D8 0x000216DC 0x000202DC 0x00000433
InterlockedIncrement - 0x0041B0DC 0x000216E0 0x000202E0 0x000002C0
SetLastError - 0x0041B0E0 0x000216E4 0x000202E4 0x000003EC
GetCurrentThreadId - 0x0041B0E4 0x000216E8 0x000202E8 0x000001AD
FlushFileBuffers - 0x0041B0E8 0x000216EC 0x000202EC 0x00000141
SetFilePointer - 0x0041B0EC 0x000216F0 0x000202F0 0x000003DF
SetHandleCount - 0x0041B0F0 0x000216F4 0x000202F4 0x000003E8
GetFileType - 0x0041B0F4 0x000216F8 0x000202F8 0x000001D7
GetStartupInfoA - 0x0041B0F8 0x000216FC 0x000202FC 0x00000239
RtlUnwind - 0x0041B0FC 0x00021700 0x00020300 0x00000392
FreeEnvironmentStringsA - 0x0041B100 0x00021704 0x00020304 0x0000014A
GetEnvironmentStrings - 0x0041B104 0x00021708 0x00020308 0x000001BF
FreeEnvironmentStringsW - 0x0041B108 0x0002170C 0x0002030C 0x0000014B
GetEnvironmentStringsW - 0x0041B10C 0x00021710 0x00020310 0x000001C1
QueryPerformanceCounter - 0x0041B110 0x00021714 0x00020314 0x00000354
GetTickCount - 0x0041B114 0x00021718 0x00020318 0x00000266
GetSystemTimeAsFileTime - 0x0041B118 0x0002171C 0x0002031C 0x0000024F
InitializeCriticalSectionAndSpinCount - 0x0041B11C 0x00021720 0x00020320 0x000002B5
GetCPInfo - 0x0041B120 0x00021724 0x00020324 0x0000015B
GetACP - 0x0041B124 0x00021728 0x00020328 0x00000152
GetOEMCP - 0x0041B128 0x0002172C 0x0002032C 0x00000213
IsValidCodePage - 0x0041B12C 0x00021730 0x00020330 0x000002DB
CompareStringA - 0x0041B130 0x00021734 0x00020334 0x00000052
CompareStringW - 0x0041B134 0x00021738 0x00020338 0x00000055
SetEnvironmentVariableA - 0x0041B138 0x0002173C 0x0002033C 0x000003D0
WriteConsoleA - 0x0041B13C 0x00021740 0x00020340 0x00000482
GetConsoleOutputCP - 0x0041B140 0x00021744 0x00020344 0x00000199
WriteConsoleW - 0x0041B144 0x00021748 0x00020348 0x0000048C
SetStdHandle - 0x0041B148 0x0002174C 0x0002034C 0x000003FC
CreateFileA - 0x0041B14C 0x00021750 0x00020350 0x00000078
ole32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
OleInitialize - 0x0041B17C 0x00021780 0x00020380 0x000000F4
OLEAUT32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SafeArrayCreate 0x0000000F 0x0041B154 0x00021758 0x00020358 -
SafeArrayAccessData 0x00000017 0x0041B158 0x0002175C 0x0002035C -
SafeArrayUnaccessData 0x00000018 0x0041B15C 0x00021760 0x00020360 -
SafeArrayDestroy 0x00000010 0x0041B160 0x00021764 0x00020364 -
SafeArrayCreateVector 0x0000019B 0x0041B164 0x00021768 0x00020368 -
VariantClear 0x00000009 0x0041B168 0x0002176C 0x0002036C -
VariantInit 0x00000008 0x0041B16C 0x00021770 0x00020370 -
SysFreeString 0x00000006 0x0041B170 0x00021774 0x00020374 -
SysAllocString 0x00000002 0x0041B174 0x00021778 0x00020378 -
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
Packer_RedNet Packer used to distribute malware - 5/5
9efd3d128b5dddbd78b39d710cfd2bd059f49e717e5de622e8e4adb3c011e482 Extracted File CAB
Malicious
Raised based on a child artifact.
Parent File C:\Users\RDHJ0C~1\AppData\Local\Temp\IXP000.TMP\v6852231.exe
MIME Type application/vnd.ms-cab-compressed
File Size 165.27 KB
MD5 85353880054e0fdbc18aab98e8d56ce8
SHA1 26261914abb13416781722b55cd4286a7dd59201
SHA256 9efd3d128b5dddbd78b39d710cfd2bd059f49e717e5de622e8e4adb3c011e482
SSDeep 3072:FnQnlz4YqilozbAUsy5tlUt7g/OUee/B0TbvarM2qauraSScjknMdj1:mlEY+zbPsM4Jq1eUB0HvarMFauraSPu4
ImpHash -
Archive Information
Number of Files 2
Number of Folders 0
Size of Packed Archive Contents 311.62 KB
Size of Unpacked Archive Contents 311.62 KB
File Format cab
Contents (2)
File Name Packed Size Unpacked Size Compression Is Encrypted Modify Time Verdict Actions
a4873807.exe 175.10 KB 175.10 KB LZX:21 False 2023-05-05 17:58 (UTC+2)
Malicious
b4224466.exe 136.52 KB 136.52 KB LZX:21 False 2023-05-05 17:58 (UTC+2)
Clean
3503661d08745adb6c21bbe0be8551afe6c477877be2b93c49daf00216873b59 Extracted File CAB
Malicious
Raised based on a child artifact.
Parent File x0104907.exe
MIME Type application/vnd.ms-cab-compressed
File Size 164.62 KB
MD5 02c5f3cde07cc2e44a1116aeb138b5d6
SHA1 c588dad8a3ff97948483187861280c0c4e1c6fc4
SHA256 3503661d08745adb6c21bbe0be8551afe6c477877be2b93c49daf00216873b59
SSDeep 3072:DDqu1Hl0nrtVKQD135DUUANlK37uqQGmNVBww+vXLF+wcXRRhKoKQVei:DD30rtVKQD7UUANlK37uqSvBrcLdoTKY
ImpHash -
Archive Information
Number of Files 2
Number of Folders 0
Size of Packed Archive Contents 311.65 KB
Size of Unpacked Archive Contents 311.65 KB
File Format cab
Contents (2)
File Name Packed Size Unpacked Size Compression Is Encrypted Modify Time Verdict Actions
h2309517.exe 175.09 KB 175.09 KB LZX:21 False 2023-05-05 17:58 (UTC+2)
Malicious
g3220746.exe 136.55 KB 136.55 KB LZX:21 False 2023-05-05 17:58 (UTC+2)
Clean
021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546 Extracted File Binary
Malicious
Raised based on a child artifact.
Parent File afc3bc769c8f816b61b706ba0d928ba4dacddda5be510542b4326964005bfa08
MIME Type application/vnd.microsoft.portable-executable
File Size 11.00 KB
MD5 ad9fd1564dd1c6be54747e84444b8f55
SHA1 001495af4af443265200340a08b5e07dc2a32553
SHA256 021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546
SSDeep 96:bF2LOYFGrf4msMbe5r3NyTWrAZt7zd54fMVgYncY67AEA3dbwQNKSbuVmyVx9X:ALKf4my3ssAnktY67AN3BwQbqVx9X
ImpHash 74112afb67d4cb152ebd8ee76f449460
File Reputation Information
Verdict
Malicious
PE Information
Image Base 0x00400000
Entry Point 0x00401450
Size Of Code 0x00000800
Size Of Initialized Data 0x00002E00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2018-08-05 01:55 (UTC+2)
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x000006BA 0x00000800 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.88
.rdata 0x00402000 0x00000994 0x00000A00 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.79
.data 0x00403000 0x00000F78 0x00000200 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.16
.rsrc 0x00404000 0x00001270 0x00001400 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.31
Imports (4)
KERNEL32.dll (21)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WaitForSingleObject - 0x00402000 0x000026D0 0x000012D0 0x000004F9
CreateFileW - 0x00402004 0x000026D4 0x000012D4 0x0000008F
GetSystemDirectoryW - 0x00402008 0x000026D8 0x000012D8 0x00000270
lstrcatW - 0x0040200C 0x000026DC 0x000012DC 0x0000053F
LockResource - 0x00402010 0x000026E0 0x000012E0 0x00000354
CloseHandle - 0x00402014 0x000026E4 0x000012E4 0x00000052
LoadLibraryW - 0x00402018 0x000026E8 0x000012E8 0x0000033F
GetTempPathW - 0x0040201C 0x000026EC 0x000012EC 0x00000285
FindResourceW - 0x00402020 0x000026F0 0x000012F0 0x0000014E
GetWindowsDirectoryW - 0x00402024 0x000026F4 0x000012F4 0x000002AF
GetProcAddress - 0x00402028 0x000026F8 0x000012F8 0x00000245
ExitProcess - 0x0040202C 0x000026FC 0x000012FC 0x00000119
TerminateProcess - 0x00402030 0x00002700 0x00001300 0x000004C0
GetCurrentProcess - 0x00402034 0x00002704 0x00001304 0x000001C0
IsProcessorFeaturePresent - 0x00402038 0x00002708 0x00001308 0x00000304
GetModuleFileNameW - 0x0040203C 0x0000270C 0x0000130C 0x00000214
WriteFile - 0x00402040 0x00002710 0x00001310 0x00000525
LoadResource - 0x00402044 0x00002714 0x00001314 0x00000341
SizeofResource - 0x00402048 0x00002718 0x00001318 0x000004B1
SetUnhandledExceptionFilter - 0x0040204C 0x0000271C 0x0000131C 0x000004A5
UnhandledExceptionFilter - 0x00402050 0x00002720 0x00001320 0x000004D3
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
MessageBoxW - 0x00402068 0x00002738 0x00001338 0x00000215
SHELL32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
None 0x000002A8 0x00402058 0x00002728 0x00001328 -
SHCreateItemFromParsingName - 0x0040205C 0x0000272C 0x0000132C 0x00000090
ShellExecuteExW - 0x00402060 0x00002730 0x00001330 0x00000121
ole32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoCreateInstance - 0x00402070 0x00002740 0x00001340 0x00000010
CoUninitialize - 0x00402074 0x00002744 0x00001344 0x0000006C
CoInitialize - 0x00402078 0x00002748 0x00001348 0x0000003E
CoGetObject - 0x0040207C 0x0000274C 0x0000134C 0x00000035
fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c Extracted File Binary
Malicious
Parent File 021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546
MIME Type application/vnd.microsoft.portable-executable
File Size 4.50 KB
MD5 6b906764a35508a7fd266cdd512e46b1
SHA1 2a943b5868de4facf52d4f4c1b63f83eacd882a2
SHA256 fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
SSDeep 48:qWIV48ko/+ewQN8ZScb2uftoX4PGhFOy445J6TBI+K29jak5P:LA3dbwQNKSbuVmyVx9X
ImpHash 2b5bb5688a1c045931a1afeb35f00c7d
File Reputation Information
Verdict
Malicious
PE Information
Image Base 0x10000000
Entry Point 0x10001000
Size Of Code 0x00000400
Size Of Initialized Data 0x00000C00
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2018-08-05 01:55 (UTC+2)
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x0000037E 0x00000400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.14
.rdata 0x10002000 0x000004AE 0x00000600 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.52
.data 0x10003000 0x0000032C 0x00000200 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.16
.reloc 0x10004000 0x00000084 0x00000200 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 1.89
Imports (3)
KERNEL32.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CreateToolhelp32Snapshot - 0x10002010 0x000022C4 0x00000AC4 0x000000FA
Process32NextW - 0x10002014 0x000022C8 0x00000AC8 0x00000427
Process32FirstW - 0x10002018 0x000022CC 0x00000ACC 0x00000425
OpenProcess - 0x1000201C 0x000022D0 0x00000AD0 0x00000406
ExitProcess - 0x10002020 0x000022D4 0x00000AD4 0x0000015C
CreateProcessW - 0x10002024 0x000022D8 0x00000AD8 0x000000E4
lstrcmpW - 0x10002028 0x000022DC 0x00000ADC 0x00000628
IsProcessorFeaturePresent - 0x1000202C 0x000022E0 0x00000AE0 0x00000381
TerminateProcess - 0x10002030 0x000022E4 0x00000AE4 0x00000584
ExpandEnvironmentStringsW - 0x10002034 0x000022E8 0x00000AE8 0x00000160
CloseHandle - 0x10002038 0x000022EC 0x00000AEC 0x00000086
GetStartupInfoW - 0x1000203C 0x000022F0 0x00000AF0 0x000002CC
GetCurrentProcess - 0x10002040 0x000022F4 0x00000AF4 0x00000215
SetUnhandledExceptionFilter - 0x10002044 0x000022F8 0x00000AF8 0x00000565
UnhandledExceptionFilter - 0x10002048 0x000022FC 0x00000AFC 0x000005A5
ADVAPI32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RegOpenKeyExW - 0x10002000 0x000022B4 0x00000AB4 0x0000028C
RegQueryValueExW - 0x10002004 0x000022B8 0x00000AB8 0x00000299
RegCloseKey - 0x10002008 0x000022BC 0x00000ABC 0x0000025B
SHLWAPI.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
PathFindFileNameW - 0x10002050 0x00002304 0x00000B04 0x0000004D
27c70c9a9d57efc798b4844fcae67a35364e3fbc74aa445cbbdb43e1fb43ecef PCAP File PCAP
Malicious
Raised based on a child artifact.
MIME Type application/vnd.tcpdump.pcap
File Size 18.59 MB
MD5 84b1065a3b1aea4179891b9ab3b87a4c
SHA1 bcd3eaf9b4da3f1070f81db369bf47da02f69dcf
SHA256 27c70c9a9d57efc798b4844fcae67a35364e3fbc74aa445cbbdb43e1fb43ecef
SSDeep 393216:HjOO3tzcOcdilBLtcVneAcvFud5gDPRtS+95j:HbADi7RcVneAcvl7Rtfv
ImpHash -
afc3bc769c8f816b61b706ba0d928ba4dacddda5be510542b4326964005bfa08 Memory Dump Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 100.00 KB
MD5 07f719ace63710b601c47b0c27097666
SHA1 ae603195cad25c7a6e86a07189e6cfcc63b62c8f
SHA256 afc3bc769c8f816b61b706ba0d928ba4dacddda5be510542b4326964005bfa08
SSDeep 1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG
ImpHash b76aafdc988ade2ab3db3b02fa4c6d00
PE Information
Image Base 0x00400000
Entry Point 0x00405738
Size Of Code 0x00010400
Size Of Initialized Data 0x00009600
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-03-13 01:37 (UTC+1)
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00010314 0x00010400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.49
.rdata 0x00412000 0x00003AF2 0x00003C00 0x00010800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.29
.data 0x00416000 0x00001D40 0x00000600 0x00014400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.12
.rsrc 0x00418000 0x00002C70 0x00002E00 0x00014A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.96
.reloc 0x0041B000 0x00000D64 0x00000E00 0x00017800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.58
.bss 0x0041C000 0x00001000 0x00000200 0x00018600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.62
Imports (13)
KERNEL32.dll (99)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetProcAddress - 0x0041207C 0x00014AF0 0x000132F0 0x00000245
ExitProcess - 0x00412080 0x00014AF4 0x000132F4 0x00000119
GetCommandLineA - 0x00412084 0x00014AF8 0x000132F8 0x00000186
GetStartupInfoA - 0x00412088 0x00014AFC 0x000132FC 0x00000262
HeapFree - 0x0041208C 0x00014B00 0x00013300 0x000002CF
VirtualFree - 0x00412090 0x00014B04 0x00013304 0x000004EC
VirtualAlloc - 0x00412094 0x00014B08 0x00013308 0x000004E9
HeapReAlloc - 0x00412098 0x00014B0C 0x0001330C 0x000002D2
VirtualQuery - 0x0041209C 0x00014B10 0x00013310 0x000004F1
TerminateThread - 0x004120A0 0x00014B14 0x00013314 0x000004C1
CreateThread - 0x004120A4 0x00014B18 0x00013318 0x000000B5
WriteFile - 0x004120A8 0x00014B1C 0x0001331C 0x00000525
CreateFileW - 0x004120AC 0x00014B20 0x00013320 0x0000008F
LoadLibraryW - 0x004120B0 0x00014B24 0x00013324 0x0000033F
GetLocalTime - 0x004120B4 0x00014B28 0x00013328 0x00000203
GetCurrentThreadId - 0x004120B8 0x00014B2C 0x0001332C 0x000001C5
GetCurrentProcessId - 0x004120BC 0x00014B30 0x00013330 0x000001C1
ReadFile - 0x004120C0 0x00014B34 0x00013334 0x000003C0
FindFirstFileA - 0x004120C4 0x00014B38 0x00013338 0x00000132
GetBinaryTypeW - 0x004120C8 0x00014B3C 0x0001333C 0x00000171
FindNextFileA - 0x004120CC 0x00014B40 0x00013340 0x00000143
GetFullPathNameA - 0x004120D0 0x00014B44 0x00013344 0x000001F8
GetTempPathW - 0x004120D4 0x00014B48 0x00013348 0x00000285
GetPrivateProfileStringW - 0x004120D8 0x00014B4C 0x0001334C 0x00000242
CreateFileA - 0x004120DC 0x00014B50 0x00013350 0x00000088
GlobalAlloc - 0x004120E0 0x00014B54 0x00013354 0x000002B3
GetCurrentDirectoryW - 0x004120E4 0x00014B58 0x00013358 0x000001BF
SetCurrentDirectoryW - 0x004120E8 0x00014B5C 0x0001335C 0x0000044D
LocalFree - 0x004120EC 0x00014B60 0x00013360 0x00000348
GetFileSize - 0x004120F0 0x00014B64 0x00013364 0x000001F0
FreeLibrary - 0x004120F4 0x00014B68 0x00013368 0x00000162
WaitForSingleObject - 0x004120F8 0x00014B6C 0x0001336C 0x000004F9
GetCurrentProcess - 0x004120FC 0x00014B70 0x00013370 0x000001C0
WaitForMultipleObjects - 0x00412100 0x00014B74 0x00013374 0x000004F7
CreatePipe - 0x00412104 0x00014B78 0x00013378 0x000000A1
PeekNamedPipe - 0x00412108 0x00014B7C 0x0001337C 0x0000038D
DuplicateHandle - 0x0041210C 0x00014B80 0x00013380 0x000000E8
Sleep - 0x00412110 0x00014B84 0x00013384 0x000004B2
CreateProcessW - 0x00412114 0x00014B88 0x00013388 0x000000A8
CreateEventA - 0x00412118 0x00014B8C 0x0001338C 0x00000082
GetModuleFileNameW - 0x0041211C 0x00014B90 0x00013390 0x00000214
LoadResource - 0x00412120 0x00014B94 0x00013394 0x00000341
FindResourceW - 0x00412124 0x00014B98 0x00013398 0x0000014E
LoadLibraryA - 0x00412128 0x00014B9C 0x0001339C 0x0000033C
LoadLibraryExW - 0x0041212C 0x00014BA0 0x000133A0 0x0000033E
FindFirstFileW - 0x00412130 0x00014BA4 0x000133A4 0x00000139
FindNextFileW - 0x00412134 0x00014BA8 0x000133A8 0x00000145
SetFilePointer - 0x00412138 0x00014BAC 0x000133AC 0x00000466
GetLogicalDriveStringsW - 0x0041213C 0x00014BB0 0x000133B0 0x00000208
DeleteFileW - 0x00412140 0x00014BB4 0x000133B4 0x000000D6
CopyFileW - 0x00412144 0x00014BB8 0x000133B8 0x00000075
GetDriveTypeW - 0x00412148 0x00014BBC 0x000133BC 0x000001D3
EnterCriticalSection - 0x0041214C 0x00014BC0 0x000133C0 0x000000EE
LeaveCriticalSection - 0x00412150 0x00014BC4 0x000133C4 0x00000339
InitializeCriticalSection - 0x00412154 0x00014BC8 0x000133C8 0x000002E2
DeleteCriticalSection - 0x00412158 0x00014BCC 0x000133CC 0x000000D1
CreateMutexA - 0x0041215C 0x00014BD0 0x000133D0 0x0000009B
ReleaseMutex - 0x00412160 0x00014BD4 0x000133D4 0x000003FA
TerminateProcess - 0x00412164 0x00014BD8 0x000133D8 0x000004C0
OpenProcess - 0x00412168 0x00014BDC 0x000133DC 0x00000380
CreateToolhelp32Snapshot - 0x0041216C 0x00014BE0 0x000133E0 0x000000BE
Process32NextW - 0x00412170 0x00014BE4 0x000133E4 0x00000398
lstrcmpW - 0x00412174 0x00014BE8 0x000133E8 0x00000542
VirtualProtectEx - 0x00412178 0x00014BEC 0x000133EC 0x000004F0
CreateProcessA - 0x0041217C 0x00014BF0 0x000133F0 0x000000A4
SizeofResource - 0x00412180 0x00014BF4 0x000133F4 0x000004B1
VirtualProtect - 0x00412184 0x00014BF8 0x000133F8 0x000004EF
LockResource - 0x00412188 0x00014BFC 0x000133FC 0x00000354
GetWindowsDirectoryW - 0x0041218C 0x00014C00 0x00013400 0x000002AF
Process32First - 0x00412190 0x00014C04 0x00013404 0x00000395
WriteProcessMemory - 0x00412194 0x00014C08 0x00013408 0x0000052E
Process32Next - 0x00412198 0x00014C0C 0x0001340C 0x00000397
GetWindowsDirectoryA - 0x0041219C 0x00014C10 0x00013410 0x000002AE
VirtualAllocEx - 0x004121A0 0x00014C14 0x00013414 0x000004EA
CreateRemoteThread - 0x004121A4 0x00014C18 0x00013418 0x000000A9
IsWow64Process - 0x004121A8 0x00014C1C 0x0001341C 0x0000030E
GetTempPathA - 0x004121AC 0x00014C20 0x00013420 0x00000284
GetTickCount - 0x004121B0 0x00014C24 0x00013424 0x00000293
lstrcpyW - 0x004121B4 0x00014C28 0x00013428 0x00000548
WideCharToMultiByte - 0x004121B8 0x00014C2C 0x0001342C 0x00000511
lstrcpyA - 0x004121BC 0x00014C30 0x00013430 0x00000547
MultiByteToWideChar - 0x004121C0 0x00014C34 0x00013434 0x00000367
lstrcatA - 0x004121C4 0x00014C38 0x00013438 0x0000053E
GetProcessHeap - 0x004121C8 0x00014C3C 0x0001343C 0x0000024A
HeapAlloc - 0x004121CC 0x00014C40 0x00013440 0x000002CB
GetComputerNameW - 0x004121D0 0x00014C44 0x00013444 0x0000018F
lstrcmpA - 0x004121D4 0x00014C48 0x00013448 0x00000541
lstrlenA - 0x004121D8 0x00014C4C 0x0001344C 0x0000054D
ExpandEnvironmentStringsW - 0x004121DC 0x00014C50 0x00013450 0x0000011D
lstrlenW - 0x004121E0 0x00014C54 0x00013454 0x0000054E
CloseHandle - 0x004121E4 0x00014C58 0x00013458 0x00000052
lstrcatW - 0x004121E8 0x00014C5C 0x0001345C 0x0000053F
GetLastError - 0x004121EC 0x00014C60 0x00013460 0x00000202
GetModuleHandleA - 0x004121F0 0x00014C64 0x00013464 0x00000215
SetLastError - 0x004121F4 0x00014C68 0x00013468 0x00000473
GetModuleFileNameA - 0x004121F8 0x00014C6C 0x0001346C 0x00000213
CreateDirectoryW - 0x004121FC 0x00014C70 0x00013470 0x00000081
SetEvent - 0x00412200 0x00014C74 0x00013474 0x00000459
Process32FirstW - 0x00412204 0x00014C78 0x00013478 0x00000396
USER32.dll (22)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
MessageBoxA - 0x00412264 0x00014CD8 0x000134D8 0x0000020E
GetKeyState - 0x00412268 0x00014CDC 0x000134DC 0x0000013D
GetMessageA - 0x0041226C 0x00014CE0 0x000134E0 0x00000159
DispatchMessageA - 0x00412270 0x00014CE4 0x000134E4 0x000000AE
CreateWindowExW - 0x00412274 0x00014CE8 0x000134E8 0x0000006E
CallNextHookEx - 0x00412278 0x00014CEC 0x000134EC 0x0000001C
GetAsyncKeyState - 0x0041227C 0x00014CF0 0x000134F0 0x00000107
SetWindowsHookExA - 0x00412280 0x00014CF4 0x000134F4 0x000002CE
RegisterClassW - 0x00412284 0x00014CF8 0x000134F8 0x0000024E
GetRawInputData - 0x00412288 0x00014CFC 0x000134FC 0x0000016E
MapVirtualKeyA - 0x0041228C 0x00014D00 0x00013500 0x00000205
GetForegroundWindow - 0x00412290 0x00014D04 0x00013504 0x0000012D
DefWindowProcA - 0x00412294 0x00014D08 0x00013508 0x0000009B
RegisterRawInputDevices - 0x00412298 0x00014D0C 0x0001350C 0x0000025A
GetLastInputInfo - 0x0041229C 0x00014D10 0x00013510 0x00000145
ToUnicode - 0x004122A0 0x00014D14 0x00013514 0x000002F3
GetKeyNameTextW - 0x004122A4 0x00014D18 0x00013518 0x0000013C
PostQuitMessage - 0x004122A8 0x00014D1C 0x0001351C 0x00000237
GetWindowTextW - 0x004122AC 0x00014D20 0x00013520 0x000001A3
TranslateMessage - 0x004122B0 0x00014D24 0x00013524 0x000002FC
wsprintfA - 0x004122B4 0x00014D28 0x00013528 0x00000332
wsprintfW - 0x004122B8 0x00014D2C 0x0001352C 0x00000333
ADVAPI32.dll (27)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
FreeSid - 0x00412000 0x00014A74 0x00013274 0x00000120
LookupAccountSidW - 0x00412004 0x00014A78 0x00013278 0x00000191
GetTokenInformation - 0x00412008 0x00014A7C 0x0001327C 0x0000015A
CloseServiceHandle - 0x0041200C 0x00014A80 0x00013280 0x00000057
OpenSCManagerW - 0x00412010 0x00014A84 0x00013284 0x000001F9
RegCreateKeyExA - 0x00412014 0x00014A88 0x00013288 0x00000238
RegSetValueExW - 0x00412018 0x00014A8C 0x0001328C 0x0000027E
StartServiceW - 0x0041201C 0x00014A90 0x00013290 0x000002C9
EnumServicesStatusExW - 0x00412020 0x00014A94 0x00013294 0x00000101
RegSetValueExA - 0x00412024 0x00014A98 0x00013298 0x0000027D
RegCreateKeyExW - 0x00412028 0x00014A9C 0x0001329C 0x00000239
RegDeleteKeyW - 0x0041202C 0x00014AA0 0x000132A0 0x00000244
LookupPrivilegeValueW - 0x00412030 0x00014AA4 0x000132A4 0x00000197
AdjustTokenPrivileges - 0x00412034 0x00014AA8 0x000132A8 0x0000001F
AllocateAndInitializeSid - 0x00412038 0x00014AAC 0x000132AC 0x00000020
OpenProcessToken - 0x0041203C 0x00014AB0 0x000132B0 0x000001F7
RegQueryValueExW - 0x00412040 0x00014AB4 0x000132B4 0x0000026E
RegOpenKeyExW - 0x00412044 0x00014AB8 0x000132B8 0x00000261
RegOpenKeyExA - 0x00412048 0x00014ABC 0x000132BC 0x00000260
RegEnumKeyExW - 0x0041204C 0x00014AC0 0x000132C0 0x0000024F
RegQueryValueExA - 0x00412050 0x00014AC4 0x000132C4 0x0000026D
RegQueryInfoKeyW - 0x00412054 0x00014AC8 0x000132C8 0x00000268
RegCloseKey - 0x00412058 0x00014ACC 0x000132CC 0x00000230
OpenServiceW - 0x0041205C 0x00014AD0 0x000132D0 0x000001FB
ChangeServiceConfigW - 0x00412060 0x00014AD4 0x000132D4 0x00000050
QueryServiceConfigW - 0x00412064 0x00014AD8 0x000132D8 0x00000224
RegDeleteValueW - 0x00412068 0x00014ADC 0x000132DC 0x00000248
SHELL32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetSpecialFolderPathW - 0x00412228 0x00014C9C 0x0001349C 0x000000E1
SHCreateDirectoryExW - 0x0041222C 0x00014CA0 0x000134A0 0x0000008D
SHGetFolderPathW - 0x00412230 0x00014CA4 0x000134A4 0x000000C3
ShellExecuteW - 0x00412234 0x00014CA8 0x000134A8 0x00000122
None 0x000002A8 0x00412238 0x00014CAC 0x000134AC -
ShellExecuteExA - 0x0041223C 0x00014CB0 0x000134B0 0x00000120
urlmon.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
URLDownloadToFileW - 0x00412334 0x00014DA8 0x000135A8 0x00000068
WS2_32.dll (16)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
freeaddrinfo - 0x004122DC 0x00014D50 0x00013550 0x00000088
htons 0x00000009 0x004122E0 0x00014D54 0x00013554 -
recv 0x00000010 0x004122E4 0x00014D58 0x00013558 -
connect 0x00000004 0x004122E8 0x00014D5C 0x0001355C -
socket 0x00000017 0x004122EC 0x00014D60 0x00013560 -
send 0x00000013 0x004122F0 0x00014D64 0x00013564 -
WSAStartup 0x00000073 0x004122F4 0x00014D68 0x00013568 -
getaddrinfo - 0x004122F8 0x00014D6C 0x0001356C 0x00000089
shutdown 0x00000016 0x004122FC 0x00014D70 0x00013570 -
closesocket 0x00000003 0x00412300 0x00014D74 0x00013574 -
WSACleanup 0x00000074 0x00412304 0x00014D78 0x00013578 -
ioctlsocket 0x0000000A 0x00412308 0x00014D7C 0x0001357C -
ntohs 0x0000000F 0x0041230C 0x00014D80 0x00013580 -
gethostbyname 0x00000034 0x00412310 0x00014D84 0x00013584 -
inet_addr 0x0000000B 0x00412314 0x00014D88 0x00013588 -
setsockopt 0x00000015 0x00412318 0x00014D8C 0x0001358C -
ole32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoCreateInstance - 0x00412320 0x00014D94 0x00013594 0x00000010
CoUninitialize - 0x00412324 0x00014D98 0x00013598 0x0000006C
CoInitialize - 0x00412328 0x00014D9C 0x0001359C 0x0000003E
CoTaskMemFree - 0x0041232C 0x00014DA0 0x000135A0 0x00000068
SHLWAPI.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
StrStrW - 0x00412244 0x00014CB8 0x000134B8 0x00000148
PathRemoveFileSpecA - 0x00412248 0x00014CBC 0x000134BC 0x0000008A
StrStrA - 0x0041224C 0x00014CC0 0x000134C0 0x00000143
PathCombineA - 0x00412250 0x00014CC4 0x000134C4 0x00000039
PathFindFileNameW - 0x00412254 0x00014CC8 0x000134C8 0x00000049
PathFindExtensionW - 0x00412258 0x00014CCC 0x000134CC 0x00000047
PathFileExistsW - 0x0041225C 0x00014CD0 0x000134D0 0x00000045
NETAPI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
NetLocalGroupAddMembers - 0x0041220C 0x00014C80 0x00013480 0x000000A7
NetUserAdd - 0x00412210 0x00014C84 0x00013484 0x000000FA
OLEAUT32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
VariantInit 0x00000008 0x00412218 0x00014C8C 0x0001348C -
CRYPT32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CryptStringToBinaryA - 0x00412070 0x00014AE4 0x000132E4 0x000000D8
CryptUnprotectData - 0x00412074 0x00014AE8 0x000132E8 0x000000DB
PSAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetModuleFileNameExW - 0x00412220 0x00014C94 0x00013494 0x00000010
WININET.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InternetQueryDataAvailable - 0x004122C0 0x00014D34 0x00013534 0x0000009B
InternetOpenUrlW - 0x004122C4 0x00014D38 0x00013538 0x00000099
InternetOpenW - 0x004122C8 0x00014D3C 0x0001353C 0x0000009A
InternetCloseHandle - 0x004122CC 0x00014D40 0x00013540 0x0000006B
InternetReadFile - 0x004122D0 0x00014D44 0x00013544 0x0000009F
InternetCheckConnectionW - 0x004122D4 0x00014D48 0x00013548 0x00000069
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
WarzoneRAT Warzone RAT Backdoor 5/5
0c4e54bbc609b2ec85fd7397371dde6cca920985398dcf5042531629e7556e80 Memory Dump Stream
Malicious
MIME Type application/octet-stream
File Size 88.00 KB
MD5 ce5ba76d5744bb0d7b51e17802bb849e
SHA1 f192d1f89881dbb996314ac6a1af36e53cf1783d
SHA256 0c4e54bbc609b2ec85fd7397371dde6cca920985398dcf5042531629e7556e80
SSDeep 768:gbpW4SkFSrrtqXhRLtIpGSIfCmfbYhZAKj4H:4pxcQXZInO
ImpHash -
36d9f9ebbd2644f0e98bd879fa2d1f92a1e35c19cfcbf67bc6745d47b6014cfe Memory Dump Stream
Malicious
MIME Type application/octet-stream
File Size 88.00 KB
MD5 4489b96006787353390f3b8601cb64fe
SHA1 9a23b39f1184c2a14fabf401729ce2fe9079e3d7
SHA256 36d9f9ebbd2644f0e98bd879fa2d1f92a1e35c19cfcbf67bc6745d47b6014cfe
SSDeep 768:zGNMoitSiRap/KHtvUsoGtcmDbkTVjweb:zGItRo5QvUitp
ImpHash -
24b1aaea1e010f20dcb6d57a8de7a9ff01e20d0d8e1253897f4c736b4af76feb Memory Dump Unknown
Malicious
MIME Type application/x-dbt
File Size 24.00 KB
MD5 0b17d61bb72a006ed2c173aa27472d94
SHA1 f1a752b89bf911afa8f1a88d1939954ba123350a
SHA256 24b1aaea1e010f20dcb6d57a8de7a9ff01e20d0d8e1253897f4c736b4af76feb
SSDeep 384:Q3QtEyRiMoitSiRahfAOKpM2NtAaZtEsopYtTQ5ezDbkTdTjejeae:PGtMoitSiRap/KHtvUsoGtcmDbkTVjwi
ImpHash -
C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe Dropped File Binary
Suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 71.29 KB
MD5 ad0fae3ce90330539b1b2c1c0099413a
SHA1 a426043079df5cdff3fd3e3eebd308c0578aa81e
SHA256 ff1d3374ba65efc8c8a262df619a4416b48235ef9b15dc80a30248384fc222a1
SSDeep 1536:M7SGJpfA29oENZq1zz1hsJCu+7CbJfNnzcP9IzlzCU4OY+CPxq:MCu+7CbJlnzcP9IzlzCUnY+Oxq
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x11000000
Entry Point 0x1100D3C2
Size Of Code 0x0000C000
Size Of Initialized Data 0x00003000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-04-12 19:04 (UTC+2)
Version Information (11)
Comments -
CompanyName -
FileDescription -
FileVersion 1.0.8502.40636
InternalName TrayPopupDemo.exe
LegalCopyright -
LegalTrademarks -
OriginalFilename TrayPopupDemo.exe
ProductName -
ProductVersion 1.0.8502.40636
Assembly Version 1.0.8502.40636
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x11002000 0x0000B3C8 0x0000C000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.98
.rsrc 0x1100E000 0x00001F7C 0x00002000 0x0000D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.73
.reloc 0x11010000 0x0000000C 0x00001000 0x0000F000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.01
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x11002000 0x0000D398 0x0000C398 0x00000000
Digital Signature Information
Verification Status Valid
Certificate: Lucky Joe
Issued by Lucky Joe
Country Name US
Valid From 2023-03-01 09:35 (UTC+1)
Valid Until 2024-02-29 09:35 (UTC+1)
Algorithm sha256_rsa
Serial Number 01 04 05 03
Thumbprint BA F1 66 D8 6A 1D E6 C8 8B AE 50 66 51 54 67 57 5D 2C C4 33
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
luckywheel.exe 42 0x1E48C230000 0x1E48C241FFF Relevant Image False 64-bit - False
luckywheel.exe 42 0x1E48C230000 0x1E48C241FFF Final Dump False 64-bit - False
C:\Program Files (x86)\LuckyWheel\WindowsServices.exe Dropped File Binary
Suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 15.79 KB
MD5 4a2bf6186cf2a3ed615818c2bcad3cc1
SHA1 1297ad695b91a8aae908b743a0f16406b71711cc
SHA256 b1726a2424c6046cc3d14de79767c0dbbc2fe13082db3d5cc44f87885b52cfe6
SSDeep 384:fID9CteXlmFU6TlRBfTWsvMINyb8E9VFDPxSkJq:fIDuRHtEJPxU
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x00400000
Entry Point 0x004036FA
Size Of Code 0x00001800
Size Of Initialized Data 0x00000800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-04-12 06:04 (UTC+2)
Version Information (11)
Comments -
CompanyName Microsoft
FileDescription WindowsServices
FileVersion 1.0.0.0
InternalName WindowsServices.exe
LegalCopyright Copyright © Microsoft 2013
LegalTrademarks -
OriginalFilename WindowsServices.exe
ProductName WindowsServices
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x00001700 0x00001800 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.33
.rsrc 0x00404000 0x00000600 0x00000600 0x00001A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.2
.reloc 0x00406000 0x0000000C 0x00000200 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.08
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x000036D0 0x000018D0 0x00000000
Digital Signature Information
Verification Status Valid
Certificate: Lucky Joe
Issued by Lucky Joe
Country Name US
Valid From 2023-03-01 09:35 (UTC+1)
Valid Until 2024-02-29 09:35 (UTC+1)
Algorithm sha256_rsa
Serial Number 01 04 05 03
Thumbprint BA F1 66 D8 6A 1D E6 C8 8B AE 50 66 51 54 67 57 5D 2C C4 33
C:\Users\RDhJ0CNFevzX\Desktop\a\toolspub2.exe Downloaded File Binary
Suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 292.00 KB
MD5 f796977d832ad7da34ef8e9e61773ae4
SHA1 420a4d1b8a9d4aaecd4e964075df228052495285
SHA256 cb1e3f0f81406aabaddfe1dc11d5efca54cc48cb367087aaebc59a4dc0d9a0c4
SSDeep 3072:zFzOgbrYwI3NKaDDFh027WXbQ8T98MZxQzid/jQL0J0ziyMVlp2ZC2K:pdfI3NDT3cSfY/jQW0z4KC2K
ImpHash 5d1142e6b5dd917186b13ffa418932e3
PE Information
Image Base 0x00400000
Entry Point 0x0040954B
Size Of Code 0x0001B600
Size Of Initialized Data 0x002AC200
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2022-11-06 11:57 (UTC+1)
Version Information (5)
InternalName AssSniffer.exe
LegalCopyrights Night bizon inc.
LegalTrademarks2 odjfngisdf
ProductName WhereIsTall
ProductVersion 80.37.72.11
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0001B4B8 0x0001B600 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.53
.data 0x0041D000 0x002915A8 0x00016400 0x0001BA00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.32
.dipuhiy 0x006AF000 0x000016A8 0x00001800 0x00031E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.rsrc 0x006B1000 0x00015998 0x00015A00 0x00033600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.23
Imports (1)
KERNEL32.dll (127)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetLocaleInfoA - 0x00401000 0x0001B92C 0x0001AD2C 0x00000477
GetDriveTypeW - 0x00401004 0x0001B930 0x0001AD30 0x000001D3
GetNumberOfConsoleInputEvents - 0x00401008 0x0001B934 0x0001AD34 0x00000235
GetConsoleAliasExesLengthA - 0x0040100C 0x0001B938 0x0001AD38 0x00000192
InterlockedIncrement - 0x00401010 0x0001B93C 0x0001AD3C 0x000002EF
SystemTimeToFileTime - 0x00401014 0x0001B940 0x0001AD40 0x000004BD
EnumCalendarInfoW - 0x00401018 0x0001B944 0x0001AD44 0x000000F3
SetDefaultCommConfigW - 0x0040101C 0x0001B948 0x0001AD48 0x0000044F
GetProfileSectionA - 0x00401020 0x0001B94C 0x0001AD4C 0x0000025A
SetComputerNameW - 0x00401024 0x0001B950 0x0001AD50 0x0000042A
CallNamedPipeW - 0x00401028 0x0001B954 0x0001AD54 0x0000003F
MoveFileWithProgressA - 0x0040102C 0x0001B958 0x0001AD58 0x00000364
GetTickCount - 0x00401030 0x0001B95C 0x0001AD5C 0x00000293
ReadConsoleW - 0x00401034 0x0001B960 0x0001AD60 0x000003BE
SetCommState - 0x00401038 0x0001B964 0x0001AD64 0x00000425
GetDriveTypeA - 0x0040103C 0x0001B968 0x0001AD68 0x000001D2
SetHandleCount - 0x00401040 0x0001B96C 0x0001AD6C 0x0000046F
GetVolumePathNameW - 0x00401044 0x0001B970 0x0001AD70 0x000002AB
GetPrivateProfileIntA - 0x00401048 0x0001B974 0x0001AD74 0x0000023B
LoadLibraryW - 0x0040104C 0x0001B978 0x0001AD78 0x0000033F
IsProcessInJob - 0x00401050 0x0001B97C 0x0001AD7C 0x00000303
FreeConsole - 0x00401054 0x0001B980 0x0001AD80 0x0000015F
InterlockedPopEntrySList - 0x00401058 0x0001B984 0x0001AD84 0x000002F0
GetFileAttributesA - 0x0040105C 0x0001B988 0x0001AD88 0x000001E5
CreateFileW - 0x00401060 0x0001B98C 0x0001AD8C 0x0000008F
GetOverlappedResult - 0x00401064 0x0001B990 0x0001AD90 0x00000238
CompareStringW - 0x00401068 0x0001B994 0x0001AD94 0x00000064
GetStringTypeExA - 0x0040106C 0x0001B998 0x0001AD98 0x00000267
EnumSystemLocalesA - 0x00401070 0x0001B99C 0x0001AD9C 0x0000010D
GetProfileIntA - 0x00401074 0x0001B9A0 0x0001ADA0 0x00000258
ReleaseActCtx - 0x00401078 0x0001B9A4 0x0001ADA4 0x000003F9
GetStdHandle - 0x0040107C 0x0001B9A8 0x0001ADA8 0x00000264
GetCurrentDirectoryW - 0x00401080 0x0001B9AC 0x0001ADAC 0x000001BF
GetProcAddress - 0x00401084 0x0001B9B0 0x0001ADB0 0x00000245
BeginUpdateResourceW - 0x00401088 0x0001B9B4 0x0001ADB4 0x00000038
SetFirmwareEnvironmentVariableW - 0x0040108C 0x0001B9B8 0x0001ADB8 0x0000046D
RemoveDirectoryA - 0x00401090 0x0001B9BC 0x0001ADBC 0x00000400
VerLanguageNameW - 0x00401094 0x0001B9C0 0x0001ADC0 0x000004E3
SearchPathA - 0x00401098 0x0001B9C4 0x0001ADC4 0x0000041C
PrepareTape - 0x0040109C 0x0001B9C8 0x0001ADC8 0x00000392
GetTempFileNameA - 0x004010A0 0x0001B9CC 0x0001ADCC 0x00000282
LoadLibraryA - 0x004010A4 0x0001B9D0 0x0001ADD0 0x0000033C
WriteConsoleA - 0x004010A8 0x0001B9D4 0x0001ADD4 0x0000051A
UnhandledExceptionFilter - 0x004010AC 0x0001B9D8 0x0001ADD8 0x000004D3
LocalAlloc - 0x004010B0 0x0001B9DC 0x0001ADDC 0x00000344
BuildCommDCBAndTimeoutsW - 0x004010B4 0x0001B9E0 0x0001ADE0 0x0000003C
FindFirstVolumeMountPointW - 0x004010B8 0x0001B9E4 0x0001ADE4 0x0000013E
AddAtomW - 0x004010BC 0x0001B9E8 0x0001ADE8 0x00000004
AddAtomA - 0x004010C0 0x0001B9EC 0x0001ADEC 0x00000003
GlobalWire - 0x004010C4 0x0001B9F0 0x0001ADF0 0x000002C6
GetModuleFileNameA - 0x004010C8 0x0001B9F4 0x0001ADF4 0x00000213
FindNextFileA - 0x004010CC 0x0001B9F8 0x0001ADF8 0x00000143
EnumDateFormatsA - 0x004010D0 0x0001B9FC 0x0001ADFC 0x000000F4
GetModuleHandleA - 0x004010D4 0x0001BA00 0x0001AE00 0x00000215
lstrcatW - 0x004010D8 0x0001BA04 0x0001AE04 0x0000053F
FreeEnvironmentStringsW - 0x004010DC 0x0001BA08 0x0001AE08 0x00000161
GetConsoleTitleW - 0x004010E0 0x0001BA0C 0x0001AE0C 0x000001B6
SetCalendarInfoA - 0x004010E4 0x0001BA10 0x0001AE10 0x0000041E
SetThreadAffinityMask - 0x004010E8 0x0001BA14 0x0001AE14 0x00000490
SetFileShortNameA - 0x004010EC 0x0001BA18 0x0001AE18 0x00000468
GetVolumeNameForVolumeMountPointW - 0x004010F0 0x0001BA1C 0x0001AE1C 0x000002A9
DeleteFileW - 0x004010F4 0x0001BA20 0x0001AE20 0x000000D6
DebugBreak - 0x004010F8 0x0001BA24 0x0001AE24 0x000000C7
GlobalReAlloc - 0x004010FC 0x0001BA28 0x0001AE28 0x000002C1
EnumSystemLocalesW - 0x00401100 0x0001BA2C 0x0001AE2C 0x0000010F
AreFileApisANSI - 0x00401104 0x0001BA30 0x0001AE30 0x00000015
InterlockedDecrement - 0x00401108 0x0001BA34 0x0001AE34 0x000002EB
EncodePointer - 0x0040110C 0x0001BA38 0x0001AE38 0x000000EA
DecodePointer - 0x00401110 0x0001BA3C 0x0001AE3C 0x000000CA
Sleep - 0x00401114 0x0001BA40 0x0001AE40 0x000004B2
InitializeCriticalSection - 0x00401118 0x0001BA44 0x0001AE44 0x000002E2
DeleteCriticalSection - 0x0040111C 0x0001BA48 0x0001AE48 0x000000D1
EnterCriticalSection - 0x00401120 0x0001BA4C 0x0001AE4C 0x000000EE
LeaveCriticalSection - 0x00401124 0x0001BA50 0x0001AE50 0x00000339
GetLastError - 0x00401128 0x0001BA54 0x0001AE54 0x00000202
MoveFileA - 0x0040112C 0x0001BA58 0x0001AE58 0x0000035E
HeapFree - 0x00401130 0x0001BA5C 0x0001AE5C 0x000002CF
HeapAlloc - 0x00401134 0x0001BA60 0x0001AE60 0x000002CB
DeleteFileA - 0x00401138 0x0001BA64 0x0001AE64 0x000000D3
GetModuleHandleW - 0x0040113C 0x0001BA68 0x0001AE68 0x00000218
ExitProcess - 0x00401140 0x0001BA6C 0x0001AE6C 0x00000119
GetCommandLineA - 0x00401144 0x0001BA70 0x0001AE70 0x00000186
HeapSetInformation - 0x00401148 0x0001BA74 0x0001AE74 0x000002D3
GetStartupInfoW - 0x0040114C 0x0001BA78 0x0001AE78 0x00000263
RaiseException - 0x00401150 0x0001BA7C 0x0001AE7C 0x000003B1
RtlUnwind - 0x00401154 0x0001BA80 0x0001AE80 0x00000418
WideCharToMultiByte - 0x00401158 0x0001BA84 0x0001AE84 0x00000511
LCMapStringW - 0x0040115C 0x0001BA88 0x0001AE88 0x0000032D
MultiByteToWideChar - 0x00401160 0x0001BA8C 0x0001AE8C 0x00000367
GetCPInfo - 0x00401164 0x0001BA90 0x0001AE90 0x00000172
SetUnhandledExceptionFilter - 0x00401168 0x0001BA94 0x0001AE94 0x000004A5
IsDebuggerPresent - 0x0040116C 0x0001BA98 0x0001AE98 0x00000300
TerminateProcess - 0x00401170 0x0001BA9C 0x0001AE9C 0x000004C0
GetCurrentProcess - 0x00401174 0x0001BAA0 0x0001AEA0 0x000001C0
IsProcessorFeaturePresent - 0x00401178 0x0001BAA4 0x0001AEA4 0x00000304
HeapCreate - 0x0040117C 0x0001BAA8 0x0001AEA8 0x000002CD
WriteFile - 0x00401180 0x0001BAAC 0x0001AEAC 0x00000525
GetModuleFileNameW - 0x00401184 0x0001BAB0 0x0001AEB0 0x00000214
HeapSize - 0x00401188 0x0001BAB4 0x0001AEB4 0x000002D4
TlsAlloc - 0x0040118C 0x0001BAB8 0x0001AEB8 0x000004C5
TlsGetValue - 0x00401190 0x0001BABC 0x0001AEBC 0x000004C7
TlsSetValue - 0x00401194 0x0001BAC0 0x0001AEC0 0x000004C8
TlsFree - 0x00401198 0x0001BAC4 0x0001AEC4 0x000004C6
SetLastError - 0x0040119C 0x0001BAC8 0x0001AEC8 0x00000473
GetCurrentThreadId - 0x004011A0 0x0001BACC 0x0001AECC 0x000001C5
CloseHandle - 0x004011A4 0x0001BAD0 0x0001AED0 0x00000052
InitializeCriticalSectionAndSpinCount - 0x004011A8 0x0001BAD4 0x0001AED4 0x000002E3
GetLocaleInfoW - 0x004011AC 0x0001BAD8 0x0001AED8 0x00000206
GetEnvironmentStringsW - 0x004011B0 0x0001BADC 0x0001AEDC 0x000001DA
GetFileType - 0x004011B4 0x0001BAE0 0x0001AEE0 0x000001F3
QueryPerformanceCounter - 0x004011B8 0x0001BAE4 0x0001AEE4 0x000003A7
GetCurrentProcessId - 0x004011BC 0x0001BAE8 0x0001AEE8 0x000001C1
GetSystemTimeAsFileTime - 0x004011C0 0x0001BAEC 0x0001AEEC 0x00000279
GetACP - 0x004011C4 0x0001BAF0 0x0001AEF0 0x00000168
GetOEMCP - 0x004011C8 0x0001BAF4 0x0001AEF4 0x00000237
IsValidCodePage - 0x004011CC 0x0001BAF8 0x0001AEF8 0x0000030A
GetUserDefaultLCID - 0x004011D0 0x0001BAFC 0x0001AEFC 0x0000029B
GetLocaleInfoA - 0x004011D4 0x0001BB00 0x0001AF00 0x00000204
IsValidLocale - 0x004011D8 0x0001BB04 0x0001AF04 0x0000030C
GetStringTypeW - 0x004011DC 0x0001BB08 0x0001AF08 0x00000269
HeapReAlloc - 0x004011E0 0x0001BB0C 0x0001AF0C 0x000002D2
SetStdHandle - 0x004011E4 0x0001BB10 0x0001AF10 0x00000487
GetConsoleCP - 0x004011E8 0x0001BB14 0x0001AF14 0x0000019A
GetConsoleMode - 0x004011EC 0x0001BB18 0x0001AF18 0x000001AC
FlushFileBuffers - 0x004011F0 0x0001BB1C 0x0001AF1C 0x00000157
SetFilePointer - 0x004011F4 0x0001BB20 0x0001AF20 0x00000466
WriteConsoleW - 0x004011F8 0x0001BB24 0x0001AF24 0x00000524
Memory Dumps (18)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
toolspub2.exe 17 0x00400000 0x006C6FFF Relevant Image False 32-bit 0x0040D930 False
buffer 17 0x00B61F00 0x00B61F7F Final Dump False 32-bit - False
buffer 17 0x00B61F88 0x00B62787 Final Dump False 32-bit - False
toolspub2.exe 17 0x00400000 0x006C6FFF Final Dump False 32-bit 0x00416070 False
buffer 17 0x008D1F58 0x008E3ED7 First Execution False 32-bit 0x008D6F97 False
buffer 17 0x006E0000 0x006E8FFF First Execution False 32-bit 0x006E0000 False
buffer 22 0x00400000 0x00408FFF First Execution False 32-bit 0x00402DD8 False
buffer 17 0x006E0000 0x006E8FFF Process Termination False 32-bit - False
buffer 17 0x00700000 0x00700FFF Process Termination False 32-bit - False
buffer 17 0x008D1F58 0x008E3ED7 Process Termination False 32-bit - False
buffer 17 0x00B61F00 0x00B61F7F Process Termination False 32-bit - False
buffer 17 0x00B61F88 0x00B62787 Process Termination False 32-bit - False
toolspub2.exe 17 0x00400000 0x006C6FFF Process Termination False 32-bit - False
buffer 22 0x00400000 0x00408FFF Content Changed False 32-bit 0x00402454 False
buffer 22 0x00400000 0x00408FFF Content Changed False 32-bit 0x00401849 False
buffer 22 0x00400000 0x00408FFF Process Termination False 32-bit - False
buffer 22 0x004E0000 0x004E5FFF Process Termination False 32-bit - False
buffer 22 0x00500000 0x00515FFF Image In Buffer False 32-bit - False
C:\Users\RDhJ0CNFevzX\Desktop\a\word.exe Downloaded File Binary
Suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 256.89 KB
MD5 92439028dde5d36916b9321eb24f6018
SHA1 6ac772e81b74c1971ce6ad29ee4a74c2e8ce5576
SHA256 f7548621b6d62c258f6e33c3280ad8229be0782f7bd97af2e55cfd0252eef2b1
SSDeep 3072:LvywOyGHRSMjVsmToazuJ5hKVqOhw/WAL6/e69+GqO4IfPrjWoY46FUIVa/fzcda:fOfx7jVsmnzevKVwj6/D18Pohakzka
ImpHash 3c103011fb46cb386569483d1abc67ee
PE Information
Image Base 0x140000000
Entry Point 0x140005D60
Size Of Code 0x00023E00
Size Of Initialized Data 0x0001B600
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 2023-04-26 11:07 (UTC+2)
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x140001000 0x00023D60 0x00023E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.5
.rdata 0x140025000 0x000158BC 0x00015A00 0x00024200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.96
.data 0x14003B000 0x00002A0C 0x00001200 0x00039C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 2.99
.pdata 0x14003E000 0x00001F20 0x00002000 0x0003AE00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.27
.rsrc 0x140040000 0x000001E0 0x00000200 0x0003CE00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.7
.reloc 0x140041000 0x00000CC8 0x00000E00 0x0003D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.28
Imports (3)
KERNEL32.dll (88)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
Process32First - 0x140025000 0x00039F28 0x00039128 0x0000042E
HeapFree - 0x140025008 0x00039F30 0x00039130 0x00000352
InitializeCriticalSectionEx - 0x140025010 0x00039F38 0x00039138 0x00000369
HeapSize - 0x140025018 0x00039F40 0x00039140 0x00000357
CreateToolhelp32Snapshot - 0x140025020 0x00039F48 0x00039148 0x000000FB
Sleep - 0x140025028 0x00039F50 0x00039150 0x0000058B
GetLastError - 0x140025030 0x00039F58 0x00039158 0x00000267
LoadLibraryA - 0x140025038 0x00039F60 0x00039160 0x000003C4
Process32Next - 0x140025040 0x00039F68 0x00039168 0x00000430
HeapReAlloc - 0x140025048 0x00039F70 0x00039170 0x00000355
CloseHandle - 0x140025050 0x00039F78 0x00039178 0x00000086
RaiseException - 0x140025058 0x00039F80 0x00039180 0x00000466
HeapAlloc - 0x140025060 0x00039F88 0x00039188 0x0000034E
DecodePointer - 0x140025068 0x00039F90 0x00039190 0x0000010A
GetProcAddress - 0x140025070 0x00039F98 0x00039198 0x000002B5
DeleteCriticalSection - 0x140025078 0x00039FA0 0x000391A0 0x00000111
GetProcessHeap - 0x140025080 0x00039FA8 0x000391A8 0x000002BB
SetEndOfFile - 0x140025088 0x00039FB0 0x000391B0 0x0000051E
WriteConsoleW - 0x140025090 0x00039FB8 0x000391B8 0x00000620
CreateFileW - 0x140025098 0x00039FC0 0x000391C0 0x000000CB
SetStdHandle - 0x1400250A0 0x00039FC8 0x000391C8 0x00000557
SetEnvironmentVariableW - 0x1400250A8 0x00039FD0 0x000391D0 0x00000522
FreeEnvironmentStringsW - 0x1400250B0 0x00039FD8 0x000391D8 0x000001B0
WideCharToMultiByte - 0x1400250B8 0x00039FE0 0x000391E0 0x0000060D
EnterCriticalSection - 0x1400250C0 0x00039FE8 0x000391E8 0x00000135
LeaveCriticalSection - 0x1400250C8 0x00039FF0 0x000391F0 0x000003C0
SetLastError - 0x1400250D0 0x00039FF8 0x000391F8 0x0000053F
InitializeCriticalSectionAndSpinCount - 0x1400250D8 0x0003A000 0x00039200 0x00000368
CreateEventW - 0x1400250E0 0x0003A008 0x00039208 0x000000BF
SwitchToThread - 0x1400250E8 0x0003A010 0x00039210 0x00000595
TlsAlloc - 0x1400250F0 0x0003A018 0x00039218 0x000005AC
TlsGetValue - 0x1400250F8 0x0003A020 0x00039220 0x000005AE
TlsSetValue - 0x140025100 0x0003A028 0x00039228 0x000005AF
TlsFree - 0x140025108 0x0003A030 0x00039230 0x000005AD
GetSystemTimeAsFileTime - 0x140025110 0x0003A038 0x00039238 0x000002F0
GetModuleHandleW - 0x140025118 0x0003A040 0x00039240 0x0000027E
EncodePointer - 0x140025120 0x0003A048 0x00039248 0x00000131
MultiByteToWideChar - 0x140025128 0x0003A050 0x00039250 0x000003F2
CompareStringW - 0x140025130 0x0003A058 0x00039258 0x0000009B
LCMapStringW - 0x140025138 0x0003A060 0x00039260 0x000003B4
GetLocaleInfoW - 0x140025140 0x0003A068 0x00039268 0x0000026B
GetStringTypeW - 0x140025148 0x0003A070 0x00039270 0x000002DE
GetCPInfo - 0x140025150 0x0003A078 0x00039278 0x000001C7
IsDebuggerPresent - 0x140025158 0x0003A080 0x00039280 0x00000382
OutputDebugStringW - 0x140025160 0x0003A088 0x00039288 0x0000041C
RtlCaptureContext - 0x140025168 0x0003A090 0x00039290 0x000004D3
RtlLookupFunctionEntry - 0x140025170 0x0003A098 0x00039298 0x000004DA
RtlVirtualUnwind - 0x140025178 0x0003A0A0 0x000392A0 0x000004E1
UnhandledExceptionFilter - 0x140025180 0x0003A0A8 0x000392A8 0x000005BC
SetUnhandledExceptionFilter - 0x140025188 0x0003A0B0 0x000392B0 0x0000057B
GetCurrentProcess - 0x140025190 0x0003A0B8 0x000392B8 0x0000021D
TerminateProcess - 0x140025198 0x0003A0C0 0x000392C0 0x0000059A
IsProcessorFeaturePresent - 0x1400251A0 0x0003A0C8 0x000392C8 0x00000389
GetStartupInfoW - 0x1400251A8 0x0003A0D0 0x000392D0 0x000002D7
QueryPerformanceCounter - 0x1400251B0 0x0003A0D8 0x000392D8 0x00000450
GetCurrentProcessId - 0x1400251B8 0x0003A0E0 0x000392E0 0x0000021E
GetCurrentThreadId - 0x1400251C0 0x0003A0E8 0x000392E8 0x00000222
InitializeSListHead - 0x1400251C8 0x0003A0F0 0x000392F0 0x0000036C
RtlUnwindEx - 0x1400251D0 0x0003A0F8 0x000392F8 0x000004E0
RtlPcToFileHeader - 0x1400251D8 0x0003A100 0x00039300 0x000004DC
FreeLibrary - 0x1400251E0 0x0003A108 0x00039308 0x000001B1
LoadLibraryExW - 0x1400251E8 0x0003A110 0x00039310 0x000003C6
ExitProcess - 0x1400251F0 0x0003A118 0x00039318 0x00000164
GetModuleHandleExW - 0x1400251F8 0x0003A120 0x00039320 0x0000027D
GetModuleFileNameW - 0x140025200 0x0003A128 0x00039328 0x0000027A
GetStdHandle - 0x140025208 0x0003A130 0x00039330 0x000002D9
WriteFile - 0x140025210 0x0003A138 0x00039338 0x00000621
GetCommandLineA - 0x140025218 0x0003A140 0x00039340 0x000001DC
GetCommandLineW - 0x140025220 0x0003A148 0x00039348 0x000001DD
GetFileSizeEx - 0x140025228 0x0003A150 0x00039350 0x00000253
SetFilePointerEx - 0x140025230 0x0003A158 0x00039358 0x00000531
GetFileType - 0x140025238 0x0003A160 0x00039360 0x00000255
IsValidLocale - 0x140025240 0x0003A168 0x00039368 0x00000390
GetUserDefaultLCID - 0x140025248 0x0003A170 0x00039370 0x0000031B
EnumSystemLocalesW - 0x140025250 0x0003A178 0x00039378 0x00000159
FlushFileBuffers - 0x140025258 0x0003A180 0x00039380 0x000001A5
GetConsoleCP - 0x140025260 0x0003A188 0x00039388 0x000001F0
GetConsoleMode - 0x140025268 0x0003A190 0x00039390 0x00000202
ReadFile - 0x140025270 0x0003A198 0x00039398 0x00000477
ReadConsoleW - 0x140025278 0x0003A1A0 0x000393A0 0x00000474
FindClose - 0x140025280 0x0003A1A8 0x000393A8 0x0000017B
FindFirstFileExW - 0x140025288 0x0003A1B0 0x000393B0 0x00000181
FindNextFileW - 0x140025290 0x0003A1B8 0x000393B8 0x00000192
IsValidCodePage - 0x140025298 0x0003A1C0 0x000393C0 0x0000038E
GetACP - 0x1400252A0 0x0003A1C8 0x000393C8 0x000001B8
GetOEMCP - 0x1400252A8 0x0003A1D0 0x000393D0 0x0000029E
GetEnvironmentStringsW - 0x1400252B0 0x0003A1D8 0x000393D8 0x0000023E
RtlUnwind - 0x1400252B8 0x0003A1E0 0x000393E0 0x000004DF
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CharLowerBuffA - 0x1400252C8 0x0003A1F0 0x000393F0 0x0000002E
WININET.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DeleteUrlCacheEntry - 0x1400252D8 0x0003A200 0x00039400 0x0000001F
Digital Signature Information
Verification Status Failed
Certificate: Telegram FZ-LLC
Issued by Telegram FZ-LLC
Parent Certificate GlobalSign GCC R45 EV CodeSigning CA 2020
Country Name AE
Valid From 2022-07-29 09:15 (UTC+2)
Valid Until 2025-07-29 09:15 (UTC+2)
Algorithm sha256_rsa
Serial Number 7A E2 B5 02 13 71 F0 92 A9 04 B6 FA
Thumbprint 71 AB 79 E1 C8 FF 15 58 38 C3 7A 52 99 AE 21 5C 52 BF 6D 1D
Certificate: GlobalSign GCC R45 EV CodeSigning CA 2020
Issued by GlobalSign GCC R45 EV CodeSigning CA 2020
Country Name BE
Valid From 2020-07-28 02:00 (UTC+2)
Valid Until 2030-07-28 02:00 (UTC+2)
Algorithm sha256_rsa
Serial Number 77 BD 0E 05 B7 59 0B B6 1D 47 61 53 1E 3F 75 ED
Thumbprint C1 0B B7 6A D4 EE 81 52 42 40 6A 1E 3E 11 17 FF EC 74 3D 4F
Memory Dumps (6)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
word.exe 6 0x7FF6AE430000 0x7FF6AE471FFF Relevant Image False 64-bit 0x7FF6AE454680 False
buffer 6 0x1E7E4428B50 0x1E7E4428BF1 Process Termination False 64-bit - False
buffer 6 0x1E7E4429530 0x1E7E4429647 Process Termination False 64-bit - False
buffer 6 0x1E7E44316E0 0x1E7E44328DF Process Termination False 64-bit - False
buffer 6 0x1E7E44328F0 0x1E7E4432B17 Process Termination False 64-bit - False
word.exe 6 0x7FF6AE430000 0x7FF6AE471FFF Process Termination False 64-bit - False
C:\Users\RDhJ0CNFevzX\Desktop\a\360.exe Downloaded File Binary
Suspicious
MIME Type application/vnd.microsoft.portable-executable
File Size 214.30 KB
MD5 1f4fa87cf4803f50667872e14eb43554
SHA1 2f0b46d2f87bca8c7493d2f812591f5347a6a43c
SHA256 aefe8a2a1c6f7593c06aba391333253d25ddcd74e8c539052cd9dd6737b1eb4d
SSDeep 3072:AbWqYPquvBzGBPap6UAqNnpBqJe24NENCySZLURqXgdulEi483AhU8zAQz6l+aVR:ASrtUHC5bGRNCyAXHAh3Ae6l+6EkT
ImpHash 8f938254f23972d30c118dec976e61d0
File Reputation Information
Verdict
Suspicious
Names App/Generic-CP
Classification PUA
PE Information
Image Base 0x00400000
Entry Point 0x00491AE0
Size Of Code 0x0002F000
Size Of Initialized Data 0x00004000
Size Of Uninitialized Data 0x00062000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-05-05 00:43 (UTC+2)
Packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Version Information (8)
CompanyName AC
FileDescription CA
FileVersion 1.0.0.1
InternalName AC
LegalCopyright Copyright (C) 2023
OriginalFilename CA
ProductName CA
ProductVersion 1.0.0.1
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
UPX0 0x00401000 0x00062000 0x00000000 0x00000400 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
UPX1 0x00463000 0x0002F000 0x0002EE00 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.93
.rsrc 0x00492000 0x00004000 0x00003C00 0x0002F200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.37
Imports (2)
KERNEL32.DLL (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LoadLibraryA - 0x00495A60 0x00095A60 0x00032C60 0x00000000
ExitProcess - 0x00495A64 0x00095A64 0x00032C64 0x00000000
GetProcAddress - 0x00495A68 0x00095A68 0x00032C68 0x00000000
VirtualProtect - 0x00495A6C 0x00095A6C 0x00032C6C 0x00000000
ole32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoTaskMemAlloc - 0x00495A74 0x00095A74 0x00032C74 0x00000000
Digital Signature Information
Verification Status Failed
Certificate: Beijing Huorong Network Technology Co., Ltd.
Issued by Beijing Huorong Network Technology Co., Ltd.
Parent Certificate Sectigo RSA Code Signing CA
Country Name CN
Valid From 2021-03-01 01:00 (UTC+1)
Valid Until 2024-03-01 00:59 (UTC+1)
Algorithm sha256_rsa
Serial Number 7B 49 49 3C C1 D5 E7 3E 4F A9 EB A4 CD BA 3F D6
Thumbprint BB 4A E0 B7 58 DA A2 EE 32 B8 8A AB 28 78 A2 F0 0C B1 36 7C
Certificate: Sectigo RSA Code Signing CA
Issued by Sectigo RSA Code Signing CA
Parent Certificate USERTrust RSA Certification Authority
Country Name GB
Valid From 2018-11-02 01:00 (UTC+1)
Valid Until 2031-01-01 00:59 (UTC+1)
Algorithm sha384_rsa
Serial Number 1D A2 48 30 6F 9B 26 18 D0 82 E0 96 7D 33 D3 6A
Thumbprint 94 C9 5D A1 E8 50 BD 85 20 9A 4A 2A F3 E1 FB 16 04 F9 BB 66
Certificate: USERTrust RSA Certification Authority
Issued by USERTrust RSA Certification Authority
Country Name US
Valid From 2019-03-12 01:00 (UTC+1)
Valid Until 2029-01-01 00:59 (UTC+1)
Algorithm sha384_rsa
Serial Number 39 72 44 3A F9 22 B7 51 D7 D3 6C 10 DD 31 35 95
Thumbprint D8 9E 3B D4 3D 5D 90 9B 47 A1 89 77 AA 9D 5C E3 6C EE 18 4C
Memory Dumps (1)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
360.exe 5 0x00400000 0x00495FFF First Execution False 32-bit 0x00491AE0 False
C:\Program Files (x86)\LuckyWheel\Newtonsoft.Json.dll Dropped File Binary
Clean
MIME Type application/vnd.microsoft.portable-executable
File Size 690.79 KB
MD5 da5033255da26654935f7840def3c6a0
SHA1 f420e2935ec83c15fdf642c1d02e42fabe53a774
SHA256 7cbb3f382970b9b830529cb943f83ff35d817ba45f4d260b9330fe8f5095b277
SSDeep 12288:vBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:vBjk38WuBcAbwoA/BkjSHXP36RMGR
ImpHash dae02f32a21e03ce65412f6e56942daa
PE Information
Image Base 0x10000000
Entry Point 0x100AC042
Size Of Code 0x000AA400
Size Of Initialized Data 0x00000800
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2067-06-04 01:17 (UTC+2)
Version Information (11)
Comments Json.NET is a popular high-performance JSON framework for .NET
CompanyName Newtonsoft
FileDescription Json.NET .NET 4.5
FileVersion 13.0.3.27908
InternalName Newtonsoft.Json.dll
LegalCopyright Copyright © James Newton-King 2008
LegalTrademarks -
OriginalFilename Newtonsoft.Json.dll
ProductName Json.NET
ProductVersion 13.0.3+0a2e291c0d9c0c7675d445703e51750363a549ef
Assembly Version 13.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10002000 0x000AA310 0x000AA400 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.93
.rsrc 0x100AE000 0x000004B4 0x00000600 0x000AA600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.8
.reloc 0x100B0000 0x0000000C 0x00000200 0x000AAC00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorDllMain - 0x10002000 0x000AC018 0x000AA218 0x00000000
Digital Signature Information
Verification Status Valid
Certificate: Lucky Joe
Issued by Lucky Joe
Country Name US
Valid From 2023-03-01 09:35 (UTC+1)
Valid Until 2024-02-29 09:35 (UTC+1)
Algorithm sha256_rsa
Serial Number 01 04 05 03
Thumbprint BA F1 66 D8 6A 1D E6 C8 8B AE 50 66 51 54 67 57 5D 2C C4 33
C:\Program Files (x86)\LuckyWheel\Newtonsoft.Json.dll Dropped File Binary
Clean
MIME Type application/vnd.microsoft.portable-executable
File Size 690.79 KB
MD5 c748f82584423805b9c3f65d368d0da6
SHA1 cfca5ebd7dd8c4e9ef0807fc5c78de499e298e59
SHA256 7b97bd6176b98c5d68f5e90ba9b043c9c988fb932a6d953a30f2622d19f64904
SSDeep 12288:WBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUNd:WBjk38WuBcAbwoA/BkjSHXP36RMGS
ImpHash dae02f32a21e03ce65412f6e56942daa
PE Information
Image Base 0x10000000
Entry Point 0x100AC042
Size Of Code 0x000AA400
Size Of Initialized Data 0x00000800
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2067-06-04 01:17 (UTC+2)
Version Information (11)
Comments Json.NET is a popular high-performance JSON framework for .NET
CompanyName Newtonsoft
FileDescription Json.NET .NET 4.5
FileVersion 13.0.3.27908
InternalName Newtonsoft.Json.dll
LegalCopyright Copyright © James Newton-King 2008
LegalTrademarks -
OriginalFilename Newtonsoft.Json.dll
ProductName Json.NET
ProductVersion 13.0.3+0a2e291c0d9c0c7675d445703e51750363a549ef
Assembly Version 13.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10002000 0x000AA310 0x000AA400 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.93
.rsrc 0x100AE000 0x000004B4 0x00000600 0x000AA600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.8
.reloc 0x100B0000 0x0000000C 0x00000200 0x000AAC00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorDllMain - 0x10002000 0x000AC018 0x000AA218 0x00000000
Digital Signature Information
Verification Status Valid
Certificate: Lucky Joe
Issued by Lucky Joe
Country Name US
Valid From 2023-03-01 09:35 (UTC+1)
Valid Until 2024-02-29 09:35 (UTC+1)
Algorithm sha256_rsa
Serial Number 01 04 05 03
Thumbprint BA F1 66 D8 6A 1D E6 C8 8B AE 50 66 51 54 67 57 5D 2C C4 33
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsuE1F3.tmp\Math.dll Dropped File Binary
Clean
Known to be clean.
MIME Type application/vnd.microsoft.portable-executable
File Size 66.00 KB
MD5 32f26ffa5c4d87c2074f95114bafe34b
SHA1 250d984cd9042d558b3e7a9f6835840cfe88de2e
SHA256 851ce1013420608baa53301de5302fbc1b772c5ac4be30df684d2ed9306ba7e7
SSDeep 1536:tP43W1MUl6koam+2MwRmLeqFVvboUhZjITt:twI6kJVsU7ct
ImpHash 6a7dba1ca35af83a9a3593fbf002fb1e
File Reputation Information
Verdict
Clean
Known to be clean.
PE Information
Image Base 0x10000000
Entry Point 0x1000461E
Size Of Code 0x0000B800
Size Of Initialized Data 0x0000BE00
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2013-07-14 22:09 (UTC+2)
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x0000B676 0x0000B800 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.72
.rdata 0x1000D000 0x00000D22 0x00000E00 0x0000BC00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.29
.data 0x1000E000 0x0000A2C4 0x00003200 0x0000CA00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.62
.reloc 0x10019000 0x00000B5C 0x00000C00 0x0000FC00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.85
Imports (1)
KERNEL32.dll (50)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
HeapFree - 0x1000D000 0x0000D8B8 0x0000C4B8 0x00000216
lstrcmpA - 0x1000D004 0x0000D8BC 0x0000C4BC 0x000003C0
lstrlenA - 0x1000D008 0x0000D8C0 0x0000C4C0 0x000003CC
GlobalFree - 0x1000D00C 0x0000D8C4 0x0000C4C4 0x000001FF
lstrcatA - 0x1000D010 0x0000D8C8 0x0000C4C8 0x000003BD
GlobalAlloc - 0x1000D014 0x0000D8CC 0x0000C4CC 0x000001F8
lstrcpynA - 0x1000D018 0x0000D8D0 0x0000C4D0 0x000003C9
MultiByteToWideChar - 0x1000D01C 0x0000D8D4 0x0000C4D4 0x00000275
WideCharToMultiByte - 0x1000D020 0x0000D8D8 0x0000C4D8 0x00000394
FreeEnvironmentStringsA - 0x1000D024 0x0000D8DC 0x0000C4DC 0x000000F6
FreeEnvironmentStringsW - 0x1000D028 0x0000D8E0 0x0000C4E0 0x000000F7
GetCommandLineA - 0x1000D02C 0x0000D8E4 0x0000C4E4 0x00000110
GetVersion - 0x1000D030 0x0000D8E8 0x0000C4E8 0x000001E8
RaiseException - 0x1000D034 0x0000D8EC 0x0000C4EC 0x000002A7
GetProcAddress - 0x1000D038 0x0000D8F0 0x0000C4F0 0x000001A0
GetModuleHandleA - 0x1000D03C 0x0000D8F4 0x0000C4F4 0x0000017F
ExitProcess - 0x1000D040 0x0000D8F8 0x0000C4F8 0x000000B9
TerminateProcess - 0x1000D044 0x0000D8FC 0x0000C4FC 0x0000035E
GetCurrentProcess - 0x1000D048 0x0000D900 0x0000C500 0x00000142
GetModuleFileNameA - 0x1000D04C 0x0000D904 0x0000C504 0x0000017D
GetEnvironmentVariableA - 0x1000D050 0x0000D908 0x0000C508 0x00000158
GetVersionExA - 0x1000D054 0x0000D90C 0x0000C50C 0x000001E9
HeapDestroy - 0x1000D058 0x0000D910 0x0000C510 0x00000214
HeapCreate - 0x1000D05C 0x0000D914 0x0000C514 0x00000212
VirtualFree - 0x1000D060 0x0000D918 0x0000C518 0x00000383
lstrcpyA - 0x1000D064 0x0000D91C 0x0000C51C 0x000003C6
SetHandleCount - 0x1000D068 0x0000D920 0x0000C520 0x00000324
GetStdHandle - 0x1000D06C 0x0000D924 0x0000C524 0x000001B9
GetFileType - 0x1000D070 0x0000D928 0x0000C528 0x00000166
GetStartupInfoA - 0x1000D074 0x0000D92C 0x0000C52C 0x000001B7
GetCPInfo - 0x1000D078 0x0000D930 0x0000C530 0x00000104
GetACP - 0x1000D07C 0x0000D934 0x0000C534 0x000000FD
GetEnvironmentStrings - 0x1000D080 0x0000D938 0x0000C538 0x00000155
GetEnvironmentStringsW - 0x1000D084 0x0000D93C 0x0000C53C 0x00000157
WriteFile - 0x1000D088 0x0000D940 0x0000C540 0x000003A4
GetLastError - 0x1000D08C 0x0000D944 0x0000C544 0x00000171
SetFilePointer - 0x1000D090 0x0000D948 0x0000C548 0x0000031B
HeapAlloc - 0x1000D094 0x0000D94C 0x0000C54C 0x00000210
VirtualAlloc - 0x1000D098 0x0000D950 0x0000C550 0x00000381
HeapReAlloc - 0x1000D09C 0x0000D954 0x0000C554 0x0000021A
LCMapStringA - 0x1000D0A0 0x0000D958 0x0000C558 0x00000244
GetStringTypeW - 0x1000D0A4 0x0000D95C 0x0000C55C 0x000001BD
GetOEMCP - 0x1000D0A8 0x0000D960 0x0000C560 0x00000193
LoadLibraryA - 0x1000D0AC 0x0000D964 0x0000C564 0x00000252
GetStringTypeA - 0x1000D0B0 0x0000D968 0x0000C568 0x000001BA
FlushFileBuffers - 0x1000D0B4 0x0000D96C 0x0000C56C 0x000000EE
CloseHandle - 0x1000D0B8 0x0000D970 0x0000C570 0x00000034
LCMapStringW - 0x1000D0BC 0x0000D974 0x0000C574 0x00000245
SetStdHandle - 0x1000D0C0 0x0000D978 0x0000C578 0x00000337
RtlUnwind - 0x1000D0C4 0x0000D97C 0x0000C57C 0x000002D7
Exports (1)
API Name EAT Address Ordinal
Script 0x00002AAA 0x00000001
C:\Program Files (x86)\LuckyWheel\ADSSTrayPopup.dll Dropped File Binary
Clean
MIME Type application/vnd.microsoft.portable-executable
File Size 55.29 KB
MD5 70a32060d62ef3deea9b6379d0d9cf88
SHA1 d6318cbf4adcb05231b2c47c09ce1e98ba75eb28
SHA256 55500b33b33924ec35754cb25f72cc5bac3ade0d68234212bb5c6b72c5c8cdb0
SSDeep 768:OPfUW8k9tt8r2+UR659Ry7DsqfK9H9Sf7WmrzYcHe+Z+EJPxu:OnUVk9+2d65XyPsJNqX6+NPxu
ImpHash dae02f32a21e03ce65412f6e56942daa
PE Information
Image Base 0x11000000
Entry Point 0x11009F0E
Size Of Code 0x00008000
Size Of Initialized Data 0x00003000
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-04-12 19:04 (UTC+2)
Version Information (11)
Comments -
CompanyName -
FileDescription -
FileVersion 1.0.8502.40635
InternalName ADSSTrayPopup.dll
LegalCopyright -
LegalTrademarks -
OriginalFilename ADSSTrayPopup.dll
ProductName -
ProductVersion 1.0.8502.40635
Assembly Version 1.0.8502.40635
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x11002000 0x00007F14 0x00008000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.79
.rsrc 0x1100A000 0x00001F7C 0x00002000 0x00009000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.73
.reloc 0x1100C000 0x0000000C 0x00001000 0x0000B000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.01
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorDllMain - 0x11002000 0x00009EE4 0x00008EE4 0x00000000
Digital Signature Information
Verification Status Valid
Certificate: Lucky Joe
Issued by Lucky Joe
Country Name US
Valid From 2023-03-01 09:35 (UTC+1)
Valid Until 2024-02-29 09:35 (UTC+1)
Algorithm sha256_rsa
Serial Number 01 04 05 03
Thumbprint BA F1 66 D8 6A 1D E6 C8 8B AE 50 66 51 54 67 57 5D 2C C4 33
C:\Program Files (x86)\LuckyWheel\ADSSTrayPopup.dll Dropped File Binary
Clean
MIME Type application/vnd.microsoft.portable-executable
File Size 55.29 KB
MD5 8c92e0740a0d72ee81f113ef625c984e
SHA1 ecf277620678359023e2a6f6842a117b666e4321
SHA256 091a8c575b8a3f6e88b682c9f9aa1388ff8ff0d03c15eb97bdb043901e1f639e
SSDeep 768:mPfUW8k9tt8r2+UR659Ry7DWqfK9H9vf7af7zYcHe+Z6EJPxq6:mnUVk9+2d65XyPWJN1iK+pPxq6
ImpHash dae02f32a21e03ce65412f6e56942daa
PE Information
Image Base 0x11000000
Entry Point 0x11009F0E
Size Of Code 0x00008000
Size Of Initialized Data 0x00003000
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-04-20 17:20 (UTC+2)
Version Information (11)
Comments -
CompanyName -
FileDescription -
FileVersion 1.0.8510.37509
InternalName ADSSTrayPopup.dll
LegalCopyright -
LegalTrademarks -
OriginalFilename ADSSTrayPopup.dll
ProductName -
ProductVersion 1.0.8510.37509
Assembly Version 1.0.8510.37509
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x11002000 0x00007F14 0x00008000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.79
.rsrc 0x1100A000 0x00001F7C 0x00002000 0x00009000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.73
.reloc 0x1100C000 0x0000000C 0x00001000 0x0000B000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.01
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorDllMain - 0x11002000 0x00009EE4 0x00008EE4 0x00000000
Digital Signature Information
Verification Status Valid
Certificate: Lucky Joe
Issued by Lucky Joe
Country Name US
Valid From 2023-03-01 09:35 (UTC+1)
Valid Until 2024-02-29 09:35 (UTC+1)
Algorithm sha256_rsa
Serial Number 01 04 05 03
Thumbprint BA F1 66 D8 6A 1D E6 C8 8B AE 50 66 51 54 67 57 5D 2C C4 33
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsuE1F3.tmp\System.dll Dropped File Binary
Clean
Known to be clean.
Also Known As C:\Users\RDHJ0C~1\AppData\Local\Temp\nsy9FB5.tmp\System.dll (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 11.00 KB
MD5 cf85183b87314359488b850f9e97a698
SHA1 6b6c790037eec7ebea4d05590359cb4473f19aea
SHA256 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
SSDeep 96:3IsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9oug:YVL7ikJb76BQUoUm+RnyXVYO2RvHoug
ImpHash 8c8a576201f68de1a3f26fc723b9f30f
File Reputation Information
Verdict
Clean
Known to be clean.
PE Information
Image Base 0x10000000
Entry Point 0x100026C2
Size Of Code 0x00001E00
Size Of Initialized Data 0x00000A00
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2013-07-14 22:09 (UTC+2)
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x00001D0F 0x00001E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.37
.rdata 0x10003000 0x00000343 0x00000400 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.9
.data 0x10004000 0x00000068 0x00000200 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.35
.reloc 0x10005000 0x00000248 0x00000400 0x00002800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 3.55
Imports (3)
KERNEL32.dll (16)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
MultiByteToWideChar - 0x10003000 0x000030E4 0x000022E4 0x00000275
GlobalFree - 0x10003004 0x000030E8 0x000022E8 0x000001FF
GlobalSize - 0x10003008 0x000030EC 0x000022EC 0x00000207
lstrcpynA - 0x1000300C 0x000030F0 0x000022F0 0x000003C9
lstrcpyA - 0x10003010 0x000030F4 0x000022F4 0x000003C6
GetProcAddress - 0x10003014 0x000030F8 0x000022F8 0x000001A0
VirtualFree - 0x10003018 0x000030FC 0x000022FC 0x00000383
FreeLibrary - 0x1000301C 0x00003100 0x00002300 0x000000F8
lstrlenA - 0x10003020 0x00003104 0x00002304 0x000003CC
LoadLibraryA - 0x10003024 0x00003108 0x00002308 0x00000252
GetModuleHandleA - 0x10003028 0x0000310C 0x0000230C 0x0000017F
GlobalAlloc - 0x1000302C 0x00003110 0x00002310 0x000001F8
WideCharToMultiByte - 0x10003030 0x00003114 0x00002314 0x00000394
VirtualAlloc - 0x10003034 0x00003118 0x00002318 0x00000381
VirtualProtect - 0x10003038 0x0000311C 0x0000231C 0x00000386
GetLastError - 0x1000303C 0x00003120 0x00002320 0x00000171
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
wsprintfA - 0x10003044 0x00003128 0x00002328 0x000002D7
ole32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
StringFromGUID2 - 0x1000304C 0x00003130 0x00002330 0x00000135
CLSIDFromString - 0x10003050 0x00003134 0x00002334 0x00000008
Exports (8)
API Name EAT Address Ordinal
Alloc 0x00001000 0x00000001
Call 0x000016DA 0x00000002
Copy 0x00001058 0x00000003
Free 0x000015D0 0x00000004
Get 0x00001637 0x00000005
Int64Op 0x0000182A 0x00000006
Store 0x000010E0 0x00000007
StrAlloc 0x0000103D 0x00000008
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsuE1F3.tmp\KillProcDLL.dll Dropped File Binary
Clean
Known to be clean.
Also Known As C:\Users\RDHJ0C~1\AppData\Local\Temp\nsy9FB5.tmp\KillProcDLL.dll (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 4.00 KB
MD5 99f345cf51b6c3c317d20a81acb11012
SHA1 b3d0355f527c536ea14a8ff51741c8739d66f727
SHA256 c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93
SSDeep 48:a7+k73bgAa4QYAg3c2hdmskKX9ZOk4IHxov1F7ym7p5rAGJcFuEv7O3kT:y7b+4Lnms5ZGhtlyZ2I7O3kT
ImpHash 153027ec3b10bcea606b777657dd3402
File Reputation Information
Verdict
Clean
Known to be clean.
PE Information
Image Base 0x10000000
Entry Point 0x100016BA
Size Of Code 0x00000A00
Size Of Initialized Data 0x00000200
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2007-01-15 09:48 (UTC+1)
Sections (2)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x000009BB 0x00000A00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 5.82
.reloc 0x10002000 0x000000AC 0x00000200 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 2.01
Imports (2)
KERNEL32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetVersionExA - 0x10001000 0x000017E4 0x00000BE4 0x000001DF
TerminateProcess - 0x10001004 0x000017E8 0x00000BE8 0x00000351
OpenProcess - 0x10001008 0x000017EC 0x00000BEC 0x0000027C
LoadLibraryA - 0x1000100C 0x000017F0 0x00000BF0 0x00000248
CloseHandle - 0x10001010 0x000017F4 0x00000BF4 0x0000002E
GetProcAddress - 0x10001014 0x000017F8 0x00000BF8 0x00000198
FreeLibrary - 0x10001018 0x000017FC 0x00000BFC 0x000000EF
GlobalFree - 0x1000101C 0x00001800 0x00000C00 0x000001F5
lstrcpyA - 0x10001020 0x00001804 0x00000C04 0x000003B9
DisableThreadLibraryCalls - 0x10001024 0x00001808 0x00000C08 0x00000084
MSVCRT.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
strcmp - 0x1000102C 0x00001810 0x00000C10 0x000002B8
_strupr - 0x10001030 0x00001814 0x00000C14 0x000001CB
toupper - 0x10001034 0x00001818 0x00000C18 0x000002D4
strlen - 0x10001038 0x0000181C 0x00000C1C 0x000002BE
free - 0x1000103C 0x00001820 0x00000C20 0x0000025E
_initterm - 0x10001040 0x00001824 0x00000C24 0x0000010F
malloc - 0x10001044 0x00001828 0x00000C28 0x00000291
_adjust_fdiv - 0x10001048 0x0000182C 0x00000C2C 0x0000009D
strcpy - 0x1000104C 0x00001830 0x00000C30 0x000002BA
_itoa - 0x10001050 0x00001834 0x00000C34 0x00000134
Exports (1)
API Name EAT Address Ordinal
KillProc 0x00001507 0x00000001
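Added example, not VMRay's code and not part of the original report: a Python script that recomputes the ImpHash value VMRay prints from the import tables listed on this page and flags the section-table indicators that are visible in those tables for 360.exe (UPX0/UPX1 names, a section with zero raw size, an executable section at entropy 7.93, writable-and-executable flags), for word.exe (a plain MSVC layout, used as the clean baseline) and for KillProcDLL.dll (.text flagged writable and executable). Every input is transcribed from the tables above; the entropy threshold and the function names imphash, section_findings and triage are the example's own choices and are not VMRay's.

```python
"""Static triage of the PE metadata VMRay lists per file: recompute ImpHash
from the import table and flag section-table anomalies.

Added example, not VMRay code. All inputs are transcribed from the tables
on this page (360.exe, word.exe, KillProcDLL.dll, the .NET DLLs); nothing
is read from disk, so this runs offline.
"""
import hashlib

# --- inputs transcribed from the report tables --------------------------------
# Import tables: (library as listed, [function names in IAT order]).
IMPORTS_360 = [
    ("KERNEL32.DLL", ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"]),
    ("ole32.dll", ["CoTaskMemAlloc"]),
]
# Newtonsoft.Json.dll and ADSSTrayPopup.dll (both copies of each) import only this.
IMPORTS_DOTNET_DLL = [("mscoree.dll", ["_CorDllMain"])]

# Section tables: (name, virtual size, raw size, flag names, entropy).
EXEC = "IMAGE_SCN_MEM_EXECUTE"
WRITE = "IMAGE_SCN_MEM_WRITE"
READ = "IMAGE_SCN_MEM_READ"
SECTIONS_360 = [
    ("UPX0", 0x62000, 0x0, {"IMAGE_SCN_CNT_UNINITIALIZED_DATA", EXEC, READ, WRITE}, 0.0),
    ("UPX1", 0x2F000, 0x2EE00, {"IMAGE_SCN_CNT_INITIALIZED_DATA", EXEC, READ, WRITE}, 7.93),
    (".rsrc", 0x4000, 0x3C00, {"IMAGE_SCN_CNT_INITIALIZED_DATA", READ, WRITE}, 3.37),
]
SECTIONS_WORD = [  # the 64-bit word.exe image: a normal MSVC layout, used as baseline
    (".text", 0x23D60, 0x23E00, {"IMAGE_SCN_CNT_CODE", EXEC, READ}, 6.5),
    (".rdata", 0x158BC, 0x15A00, {"IMAGE_SCN_CNT_INITIALIZED_DATA", READ}, 4.96),
    (".data", 0x2A0C, 0x1200, {"IMAGE_SCN_CNT_INITIALIZED_DATA", READ, WRITE}, 2.99),
]
SECTIONS_KILLPROC = [
    (".text", 0x9BB, 0xA00, {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_LOCKED", EXEC, READ, WRITE}, 5.82),
    (".reloc", 0xAC, 0x200, {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", READ}, 2.01),
]


def imphash(imports):
    """ImpHash as pefile computes it: MD5 over comma-joined 'lib.func' pairs
    in import-table order, library lowercased with .dll/.ocx/.sys stripped,
    function lowercased. Ordinal-only imports (none on this page) would need
    pefile's ordinal-to-name tables and are deliberately not handled here."""
    parts = []
    for lib, funcs in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def section_findings(sections):
    """Indicators a reviewer pulls from a section table. The entropy
    threshold (7.0) is this example's choice, not VMRay's."""
    findings = []
    for name, vsize, rsize, flags, entropy in sections:
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: UPX section name (packer stub present)")
        if rsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual "
                            "(filled at runtime, unpacking target)")
        if EXEC in flags and entropy >= 7.0:
            findings.append(f"{name}: executable with entropy {entropy} "
                            "(compressed or encrypted code)")
        if EXEC in flags and WRITE in flags:
            findings.append(f"{name}: writable and executable (W^X violated)")
    return findings


def triage(label, sections, imports):
    """Summary for one file entry: label, recomputed ImpHash, section findings."""
    return {"file": label, "imphash": imphash(imports), "findings": section_findings(sections)}


if __name__ == "__main__":
    for row in (
        triage("360.exe", SECTIONS_360, IMPORTS_360),
        triage("KillProcDLL.dll", SECTIONS_KILLPROC, []),
        triage("Newtonsoft.Json.dll", [], IMPORTS_DOTNET_DLL),
        triage("ADSSTrayPopup.dll", [], IMPORTS_DOTNET_DLL),
    ):
        print(row["file"], row["imphash"])
        for finding in row["findings"]:
            print("  -", finding)
```

Two caveats the output makes concrete. All four .NET assemblies on this page import only mscoree.dll!_CorDllMain, so they share the ImpHash dae02f32a21e03ce65412f6e56942daa regardless of their managed code; ImpHash carries no clustering signal for .NET files, and the 2067 compile timestamp on Newtonsoft.Json.dll is the hash-derived value a deterministic Roslyn build writes, not a sign of tampering. The Authenticode rows are not reproduced by the script; a Verification Status of Failed under a recognisable publisher name (Telegram FZ-LLC on the 64-bit word.exe image, Beijing Huorong on 360.exe) means the signature did not verify for that file, so the publisher name must not be used as a trust signal.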
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsuE1F3.tmp\UserInfo.dll Dropped File Binary
Clean
Known to be clean.
Also Known As C:\Users\RDHJ0C~1\AppData\Local\Temp\nsy9FB5.tmp\UserInfo.dll (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 4.00 KB
MD5 d41cf0e4d88c60408f3d5b97f49d40c0
SHA1 1aa117b1ef998993f495833a08dd8cb12356be0f
SHA256 2dbdb3abd5652302254466aefa0f40048832f2a39fbb8a63c97fda8116021ff9
SSDeep 48:qKw4n2rZ4vuXXqQr1wH+zL/o0o/X/3MVyjlZSU15gaoFU:5Z4ZxKQruHkJwvcVyL4FU
ImpHash cce05dea98cbac3a9d486b233588f528
File Reputation Information
Verdict
Clean
Known to be clean.
PE Information
Image Base 0x10000000
Entry Point 0x10001269
Size Of Code 0x00000400
Size Of Initialized Data 0x00000800
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2013-07-14 22:09 (UTC+2)
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x000002B4 0x00000400 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.54
.rdata 0x10002000 0x000002A1 0x00000400 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.46
.data 0x10003000 0x00000078 0x00000200 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.2
.reloc 0x10004000 0x000000F0 0x00000200 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 1.61
Imports (2)
KERNEL32.dll (10)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetVersion - 0x10002020 0x000020A8 0x000008A8 0x000001E8
GetCurrentProcess - 0x10002024 0x000020AC 0x000008AC 0x00000142
GlobalAlloc - 0x10002028 0x000020B0 0x000008B0 0x000001F8
GetCurrentThread - 0x1000202C 0x000020B4 0x000008B4 0x00000145
GetModuleHandleA - 0x10002030 0x000020B8 0x000008B8 0x0000017F
GetProcAddress - 0x10002034 0x000020BC 0x000008BC 0x000001A0
GetLastError - 0x10002038 0x000020C0 0x000008C0 0x00000171
GlobalFree - 0x1000203C 0x000020C4 0x000008C4 0x000001FF
CloseHandle - 0x10002040 0x000020C8 0x000008C8 0x00000034
lstrcpynA - 0x10002044 0x000020CC 0x000008CC 0x000003C9
ADVAPI32.dll (7)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
OpenThreadToken - 0x10002000 0x00002088 0x00000888 0x000001B1
OpenProcessToken - 0x10002004 0x0000208C 0x0000088C 0x000001AC
GetTokenInformation - 0x10002008 0x00002090 0x00000890 0x0000011A
AllocateAndInitializeSid - 0x1000200C 0x00002094 0x00000894 0x0000001D
EqualSid - 0x10002010 0x00002098 0x00000898 0x000000D9
FreeSid - 0x10002014 0x0000209C 0x0000089C 0x000000E2
GetUserNameA - 0x10002018 0x000020A0 0x000008A0 0x00000124
Exports (3)
API Name EAT Address Ordinal
GetAccountType 0x00001215 0x00000001
GetName 0x00001000 0x00000002
GetOriginalAccountType 0x0000123F 0x00000003
C:\Users\RDHJ0C~1\AppData\Local\Temp\hjimyfgtw.igq Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 118.33 KB
MD5 b0d6317bb5b2a509b218408e0435e84c
SHA1 39ddbfb81e26e7b3286c6e557e7226c96cef654e
SHA256 635523cb176c4b93d0a3e78987673520282ff8f2121f2503b5485f1d01929a03
SSDeep 3072:HOMkX8DeZDxLlvw9jUsBOE8kQMQymtSYy6lZD:48DgD/vw1/BOv/ZFy6PD
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\ejlibvt.x Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 7.98 KB
MD5 511637745f2cd794724a275fba9c39a1
SHA1 9afa2bcdf746160cf6a8f8dd4a6f941e9da6313d
SHA256 55dc48e9b0471350885ab6636c68b2870b3c0a6d05fc88453381d1b20a37f21e
SSDeep 192:darcitQvArWiPvYQb9pmuh+IOPhtyyxWBcLTLDf0v63LtNI7ypzV:uCYrNPvYCezPhty0WuLDc6JNI7q
ImpHash -
C:\Program Files (x86)\LuckyWheel\kill.bat Dropped File Text
Clean
MIME Type text/plain
File Size 67 Bytes
MD5 726d7c3de305b23f9343f987e40d366f
SHA1 16647d939d7059400cfc675eb09c8c530f8d6319
SHA256 1964710bc970a45c261bd74df63981684822e72f2c744c4690b1a86e787d36d6
SSDeep 3:nnWTQGWAdAoKAnWIMAltn:nWTQGL/WW
ImpHash -
C:\Users\RDHJ0C~1\AppData\Local\Temp\IXP000.TMP\TMP4351$.TMP Dropped File Empty File
Clean
Also Known As C:\Users\RDHJ0C~1\AppData\Local\Temp\nsc9B8E.tmp (Accessed File, Dropped File)
C:\Users\RDHJ0C~1\AppData\Local\Temp\nseDFC0.tmp (Accessed File, Dropped File)
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsi384.tmp (Accessed File, Dropped File)
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsi385.tmp (Accessed File, Dropped File)
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsuE1F3.tmp (Accessed File, Dropped File)
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsvA2D.tmp (Accessed File, Dropped File)
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsy9FB5.tmp (Accessed File, Dropped File)
C:\Users\RDhJ0CNFevzX\Desktop\a\poweroff.exe (Accessed File)
C:\Users\RDhJ0CNFevzX\Desktop\a\s.exe (Accessed File)
MIME Type inode/x-empty
File Size 0 Bytes (not extracted)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
C:\Users\RDhJ0CNFevzX\Desktop\a\KK.exe Downloaded File Binary
Clean
MIME Type application/vnd.microsoft.portable-executable
File Size 216.00 KB
MD5 02c0e8cc77b11b8e3a451aeedad86773
SHA1 ddb461103fb8957ffe2dfb076a73bd3a77d1729f
SHA256 23ac3303ad2a7ecb1d4e320f24602d821dc3d4f6d8ae5c6bfa86457b08c509e6
SSDeep 3072:x/2HwxfzsKAGfCMYYrA1hwnp8WtJzspCmamRHBQHkfnffJAg0Fujour/ZvwVLp1x:xEwxfGM2YkespCcAOdjZvUFqi
ImpHash 2f980a014ec672a0c98f78f9b9549c7b
PE Information
Image Base 0x00400000
Entry Point 0x00409D2E
Size Of Code 0x00021200
Size Of Initialized Data 0x00017000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-05-02 22:18 (UTC+2)
Version Information (8)
CompanyName aa
FileDescription aa
FileVersion 1.0.0.1
InternalName aa
LegalCopyright aa
OriginalFilename aa
ProductName aa
ProductVersion 1.0.0.1
Sections (7)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002112D 0x00021200 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.63
.rdata 0x00423000 0x0000F0CC 0x0000F200 0x00021600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.34
.data 0x00433000 0x00003518 0x00001000 0x00030800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.38
.gfids 0x00437000 0x00000218 0x00000400 0x00031800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.22
.tls 0x00438000 0x00000009 0x00000200 0x00031C00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.02
.rsrc 0x00439000 0x000015B8 0x00001600 0x00031E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.47
.reloc 0x0043B000 0x00002B48 0x00002C00 0x00033400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.61
Imports (2)
KERNEL32.dll (80)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
VirtualProtect - 0x00423000 0x00031990 0x0002FF90 0x000005A1
HeapFree - 0x00423004 0x00031994 0x0002FF94 0x00000333
InitializeCriticalSectionEx - 0x00423008 0x00031998 0x0002FF98 0x00000349
HeapSize - 0x0042300C 0x0003199C 0x0002FF9C 0x00000338
GetLastError - 0x00423010 0x000319A0 0x0002FFA0 0x00000250
HeapReAlloc - 0x00423014 0x000319A4 0x0002FFA4 0x00000336
RaiseException - 0x00423018 0x000319A8 0x0002FFA8 0x00000440
HeapAlloc - 0x0042301C 0x000319AC 0x0002FFAC 0x0000032F
DecodePointer - 0x00423020 0x000319B0 0x0002FFB0 0x000000FE
DeleteCriticalSection - 0x00423024 0x000319B4 0x0002FFB4 0x00000105
GetProcessHeap - 0x00423028 0x000319B8 0x0002FFB8 0x000002A2
CreateFileW - 0x0042302C 0x000319BC 0x0002FFBC 0x000000C2
ReadConsoleW - 0x00423030 0x000319C0 0x0002FFC0 0x0000044E
WriteConsoleW - 0x00423034 0x000319C4 0x0002FFC4 0x000005E0
SetStdHandle - 0x00423038 0x000319C8 0x0002FFC8 0x00000522
WideCharToMultiByte - 0x0042303C 0x000319CC 0x0002FFCC 0x000005CD
EnterCriticalSection - 0x00423040 0x000319D0 0x0002FFD0 0x00000125
LeaveCriticalSection - 0x00423044 0x000319D4 0x0002FFD4 0x000003A2
EncodePointer - 0x00423048 0x000319D8 0x0002FFD8 0x00000121
MultiByteToWideChar - 0x0042304C 0x000319DC 0x0002FFDC 0x000003D1
SetLastError - 0x00423050 0x000319E0 0x0002FFE0 0x0000050B
InitializeCriticalSectionAndSpinCount - 0x00423054 0x000319E4 0x0002FFE4 0x00000348
CreateEventW - 0x00423058 0x000319E8 0x0002FFE8 0x000000B6
TlsAlloc - 0x0042305C 0x000319EC 0x0002FFEC 0x00000573
TlsGetValue - 0x00423060 0x000319F0 0x0002FFF0 0x00000575
TlsSetValue - 0x00423064 0x000319F4 0x0002FFF4 0x00000576
TlsFree - 0x00423068 0x000319F8 0x0002FFF8 0x00000574
GetSystemTimeAsFileTime - 0x0042306C 0x000319FC 0x0002FFFC 0x000002D6
GetModuleHandleW - 0x00423070 0x00031A00 0x00030000 0x00000267
GetProcAddress - 0x00423074 0x00031A04 0x00030004 0x0000029D
CompareStringW - 0x00423078 0x00031A08 0x00030008 0x00000093
LCMapStringW - 0x0042307C 0x00031A0C 0x0003000C 0x00000396
GetLocaleInfoW - 0x00423080 0x00031A10 0x00030010 0x00000254
GetStringTypeW - 0x00423084 0x00031A14 0x00030014 0x000002C5
GetCPInfo - 0x00423088 0x00031A18 0x00030018 0x000001B3
IsDebuggerPresent - 0x0042308C 0x00031A1C 0x0003001C 0x00000367
OutputDebugStringW - 0x00423090 0x00031A20 0x00030020 0x000003FA
CloseHandle - 0x00423094 0x00031A24 0x00030024 0x0000007F
SetEvent - 0x00423098 0x00031A28 0x00030028 0x000004F0
ResetEvent - 0x0042309C 0x00031A2C 0x0003002C 0x000004A2
WaitForSingleObjectEx - 0x004230A0 0x00031A30 0x00030030 0x000005AC
UnhandledExceptionFilter - 0x004230A4 0x00031A34 0x00030034 0x00000582
SetUnhandledExceptionFilter - 0x004230A8 0x00031A38 0x00030038 0x00000543
GetCurrentProcess - 0x004230AC 0x00031A3C 0x0003003C 0x00000209
TerminateProcess - 0x004230B0 0x00031A40 0x00030040 0x00000561
IsProcessorFeaturePresent - 0x004230B4 0x00031A44 0x00030044 0x0000036D
GetStartupInfoW - 0x004230B8 0x00031A48 0x00030048 0x000002BE
QueryPerformanceCounter - 0x004230BC 0x00031A4C 0x0003004C 0x0000042D
GetCurrentProcessId - 0x004230C0 0x00031A50 0x00030050 0x0000020A
GetCurrentThreadId - 0x004230C4 0x00031A54 0x00030054 0x0000020E
InitializeSListHead - 0x004230C8 0x00031A58 0x00030058 0x0000034B
RtlUnwind - 0x004230CC 0x00031A5C 0x0003005C 0x000004AD
FreeLibrary - 0x004230D0 0x00031A60 0x00030060 0x0000019E
LoadLibraryExW - 0x004230D4 0x00031A64 0x00030064 0x000003A7
ExitProcess - 0x004230D8 0x00031A68 0x00030068 0x00000151
GetModuleHandleExW - 0x004230DC 0x00031A6C 0x0003006C 0x00000266
GetModuleFileNameA - 0x004230E0 0x00031A70 0x00030070 0x00000262
GetStdHandle - 0x004230E4 0x00031A74 0x00030074 0x000002C0
WriteFile - 0x004230E8 0x00031A78 0x00030078 0x000005E1
GetCommandLineA - 0x004230EC 0x00031A7C 0x0003007C 0x000001C8
GetCommandLineW - 0x004230F0 0x00031A80 0x00030080 0x000001C9
GetACP - 0x004230F4 0x00031A84 0x00030084 0x000001A4
IsValidLocale - 0x004230F8 0x00031A88 0x00030088 0x00000374
GetUserDefaultLCID - 0x004230FC 0x00031A8C 0x0003008C 0x000002FC
EnumSystemLocalesW - 0x00423100 0x00031A90 0x00030090 0x00000147
GetFileType - 0x00423104 0x00031A94 0x00030094 0x0000023E
FlushFileBuffers - 0x00423108 0x00031A98 0x00030098 0x00000192
GetConsoleCP - 0x0042310C 0x00031A9C 0x0003009C 0x000001DC
GetConsoleMode - 0x00423110 0x00031AA0 0x000300A0 0x000001EE
ReadFile - 0x00423114 0x00031AA4 0x000300A4 0x00000450
SetFilePointerEx - 0x00423118 0x00031AA8 0x000300A8 0x000004FD
FindClose - 0x0042311C 0x00031AAC 0x000300AC 0x00000168
FindFirstFileExA - 0x00423120 0x00031AB0 0x000300B0 0x0000016D
FindNextFileA - 0x00423124 0x00031AB4 0x000300B4 0x0000017D
IsValidCodePage - 0x00423128 0x00031AB8 0x000300B8 0x00000372
GetOEMCP - 0x0042312C 0x00031ABC 0x000300BC 0x00000286
GetEnvironmentStringsW - 0x00423130 0x00031AC0 0x000300C0 0x00000227
FreeEnvironmentStringsW - 0x00423134 0x00031AC4 0x000300C4 0x0000019D
SetEnvironmentVariableA - 0x00423138 0x00031AC8 0x000300C8 0x000004ED
SetEndOfFile - 0x0042313C 0x00031ACC 0x000300CC 0x000004EA
ole32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoTaskMemAlloc - 0x00423144 0x00031AD4 0x000300D4 0x0000007A
Memory Dumps (6)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
kk.exe 4 0x00870000 0x008ADFFF Relevant Image False 32-bit 0x0087E1A6 False
buffer 4 0x00A30240 0x00A302CF Process Termination False 32-bit - False
buffer 4 0x00A31C08 0x00A31E27 Process Termination False 32-bit - False
buffer 4 0x00A332C0 0x00A33361 Process Termination False 32-bit - False
buffer 4 0x00A343A0 0x00A34F9F Process Termination False 32-bit - False
kk.exe 4 0x00870000 0x008ADFFF Process Termination False 32-bit - False
297324326941c3f771755a56482bcf4699266cc65a5e74c8d7a578d6843fd195 Downloaded File Text
Clean
MIME Type text/plain
File Size 276.38 KB
MD5 13ea45df9201898460667d2102153e0e
SHA1 c7984e756424c6bb2bfc76143daab15ca9db65b1
SHA256 297324326941c3f771755a56482bcf4699266cc65a5e74c8d7a578d6843fd195
SSDeep 6144:U9XajJStbJSY97hUwg9/1MHwg6Ng7p89bLY9YocTcmid7oY+3gLC4rbyytCN/ePQ:gXajJWJSY97hUwg9/1MHwg6Ng7p89bLv
ImpHash -
bf9a5e0d87a3b6205653170173b435ff3e657bdb55c300e51b42c2c45b30fc82 Downloaded File Text
Clean
MIME Type text/xml
File Size 351 Bytes
MD5 e5b0ad2c02b62e5715f16c4a819dce65
SHA1 c8dac0f94aa779ea6da505ae330ce840785de282
SHA256 bf9a5e0d87a3b6205653170173b435ff3e657bdb55c300e51b42c2c45b30fc82
SSDeep 6:TMVBd/ZbZjZvKtWnFIzwVSDdM6EQlzLMDHmRyjm8nnZsxjCKEwROLwjYUURO15Nr:TMHd9BZKtWnFI8MLyHmRgnZTOOsUXaNr
ImpHash -
g3220746.exe Archive File Binary
Clean
Parent File 3503661d08745adb6c21bbe0be8551afe6c477877be2b93c49daf00216873b59
MIME Type application/vnd.microsoft.portable-executable
File Size 136.55 KB
MD5 d1f3eed444e84ed39c9c1459fa3505df
SHA1 3aeb7a6621a5ff2df5e9159ada6e8f9295177e01
SHA256 e0c6f404a4a40a2aa68088b612c003f937d25a4d237cab787f801336503e6039
SSDeep 1536:BMi4rQ8qOCqm36k0BXlObJt6fh4C5hbV/hN0sA9sYgibfbFDKsRj:OxrQ8qOTF8d64GJd/0sAyYgafJlj
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x00400000
Entry Point 0x0041A6DE
Size Of Code 0x00018800
Size Of Initialized Data 0x00009800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2059-01-31 21:49 (UTC+1)
Version Information (10)
Comments Tools for control bio tech
CompanyName BioTech
FileDescription Recycle Bio Lab Tool
FileVersion 3.2.1
InternalName Ennoble.exe
LegalCopyright BioTech Corp. 2022
OriginalFilename Ennoble.exe
ProductName -
ProductVersion 3.2.1
Assembly Version 32.23.2.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x000186E4 0x00018800 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.19
.rsrc 0x0041C000 0x000094FE 0x00009600 0x00018A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.7
.reloc 0x00426000 0x0000000C 0x00000200 0x00022000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x0001A6B0 0x000188B0 0x00000000
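The PE Information blocks on this page (image base, entry point, compile timestamp, per-section virtual address, flags and entropy) are read straight from the COFF header, the optional header and the section table, and two of the listed values deserve a mechanical check rather than a glance: this entry's compile timestamp (2059-01-31) and the next entry's (2048-02-05) lie after the 2023-05-05 analysis date, and section entropy is the usual packing indicator (the KK.exe sections above top out at 6.63; anything above about 7.0 is worth treating as compressed or encrypted). The parser below is an added example, not VMRay's code: standard library only, PE32 (IMAGE_FILE_MACHINE_I386) only, and it runs on a minimal PE image built inline by build_test_pe rather than on any file from this report. The timestamp 2811000000 used there is simply a value in late January 2059, and the `now` value 1683302234 is this report's creation time, 2023-05-05T15:57:14Z.

```python
"""Added example (not VMRay's code): parse a PE32 header and section table and
reproduce the checks a sandbox report lists (entropy, section flags, timestamp).
Standard library only; handles PE32 (IMAGE_FILE_MACHINE_I386), not PE32+."""
import datetime
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 when every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the PE32 optional header and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, flags) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": image_base + va,                 # absolute, as the report prints it
            "size": max(vsize, rawsize),
            "entropy": round(shannon_entropy(raw), 2),
            "wx": bool(flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"machine": machine, "timestamp": tstamp, "image_base": image_base,
            "entry_point": image_base + entry_rva, "sections": sections}


def triage(info: dict, now: int) -> list:
    """Findings worth a second look: future compile timestamp, entry point outside
    every section, a section that is both writable and executable, entropy above 7.0."""
    findings = []
    if info["timestamp"] > now:
        when = datetime.datetime.fromtimestamp(info["timestamp"], datetime.timezone.utc)
        findings.append("compile timestamp in the future: %s" % when.date())
    ep = info["entry_point"]
    if not any(s["va"] <= ep < s["va"] + s["size"] for s in info["sections"]):
        findings.append("entry point 0x%08X outside every section" % ep)
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            findings.append("%s: entropy %.2f, likely packed or encrypted" % (s["name"], s["entropy"]))
        if s["wx"]:
            findings.append("%s: writable and executable" % s["name"])
    return findings


def build_test_pe(timestamp: int, sections: list) -> bytes:
    """Constructed minimal PE32 image for offline runs (not a file from the report).
    sections: list of (name, characteristics, raw_bytes); 0x200 file and 0x1000 section alignment."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint: start of the first section
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase, as in the report's entries
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    headers, body, va = bytearray(), bytearray(), 0x1000
    for name, flags, raw in sections:
        rawsize = (len(raw) + 0x1FF) & ~0x1FF
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), va,
                               rawsize, raw_ptr + len(body), 0, 0, 0, 0, flags)
        body += raw.ljust(rawsize, b"\0")
        va += (len(raw) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + bytes(opt) + bytes(headers)
    return image.ljust(raw_ptr, b"\0") + bytes(body)


if __name__ == "__main__":
    sample = build_test_pe(2_811_000_000, [               # late January 2059, like the entry above
        (b".text", 0x60000020, bytes(range(256)) * 4),     # CODE|EXECUTE|READ, maximal entropy
        (b".data", 0xC0000040, b"\0" * 512),               # INITIALIZED_DATA|READ|WRITE
    ])
    info = parse_pe(sample)
    for s in info["sections"]:
        print("%-8s va=0x%08X entropy=%.2f" % (s["name"], s["va"], s["entropy"]))
    for f in triage(info, now=1683302234):                # 2023-05-05T15:57:14Z, the report's creation time
        print("!", f)
```

Pointing parse_pe at a real file (`parse_pe(open(path, "rb").read())`) reproduces the section rows of the report's PE blocks; the .reloc, .gfids and .tls sections of KK.exe parse the same way, since only the section table is read. A future timestamp is not proof of tampering on its own (deterministic .NET builds also write hash-derived values), which is why triage reports it as a finding to weigh rather than a verdict.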
b4224466.exe Archive File Binary
Clean
Parent File 9efd3d128b5dddbd78b39d710cfd2bd059f49e717e5de622e8e4adb3c011e482
MIME Type application/vnd.microsoft.portable-executable
File Size 136.52 KB
MD5 72cfd04a579e42cd3b35d5a2ef5aebe7
SHA1 dde14dd9b167bc53dcc3151ba5b5983907b7f3d7
SHA256 5be708f8b612af2db37e93f06963788b2dd5459a28f01ab727d3d7ad11b2c737
SSDeep 1536:axQzpWeDzwP9FxCqW35rsG/LRSoh4q5VbVBhNwF+XsYgibfbFDKsRC:axleDzwP9FwYGDd4ulX/wF+cYgafJlC
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x00400000
Entry Point 0x0041A6CE
Size Of Code 0x00018800
Size Of Initialized Data 0x00009800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2048-02-05 10:07 (UTC+1)
Version Information (10)
Comments Tools for control bio tech
CompanyName BioTech
FileDescription Recycle Bio Lab Tool
FileVersion 3.2.1
InternalName Clearway.exe
LegalCopyright BioTech Corp. 2022
OriginalFilename Clearway.exe
ProductName -
ProductVersion 3.2.1
Assembly Version 32.23.2.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x000186D4 0x00018800 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.19
.rsrc 0x0041C000 0x00009506 0x00009600 0x00018A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.7
.reloc 0x00426000 0x0000000C 0x00000200 0x00022000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x0001A6A4 0x000188A4 0x00000000
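Both .NET entries above (g3220746.exe and b4224466.exe) import only mscoree.dll!_CorExeMain and carry the same ImpHash, f34d5f2d4577ed6d9ceec516c1f5a744. That is not a coincidence of this sample set: the import hash is an MD5 over the lower-cased "dll.function" names in import-table order, and every pure .NET executable has exactly that one import, so the value identifies the runtime rather than the file and is useless for clustering, whereas the 81-entry KERNEL32.dll/ole32.dll table of KK.exe yields a hash that does discriminate. The block below is an added example, not VMRay's code: it recomputes the hash with the standard library only, following the pefile get_imphash recipe, from import rows in this page's own layout; the SAMPLE_ROWS excerpt is constructed from three rows of the KK.exe entry and its "(2)" count is the excerpt's, and the handling of imports by ordinal (ordinal printed in the second column) is an assumption, since the page shows only named imports.

```python
"""Added example (not VMRay's code): recompute the ImpHash values listed for the
PE entries in this report from their import-table rows. Standard library only;
follows the pefile get_imphash recipe: lower-cased "dll.function" strings in
import-table order, comma-joined, MD5."""
import hashlib

# Every pure .NET executable imports exactly mscoree.dll!_CorExeMain, so all of
# them hash to this value; it identifies the runtime, not the sample.
DOTNET_EXE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash(imports) -> str:
    """imports: iterable of (dll, function) in import-table order; function is a
    str for named imports or an int for imports by ordinal."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):   # extension stripped, as pefile does
            lib = base
        name = func.lower() if isinstance(func, str) else "ord%d" % func
        parts.append("%s.%s" % (lib, name))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def imphash_is_distinctive(h: str) -> bool:
    """False for the runtime-wide .NET value, which carries no clustering signal."""
    return h.lower() != DOTNET_EXE_IMPHASH


def parse_import_rows(text: str):
    """Turn rows in this report's layout ('DLL (n)' heading, an 'API Name ...'
    header line, then 'Name Ordinal IAT Thunk Offset Hint' rows) into (dll, function)
    pairs. Assumption: an import by ordinal prints the ordinal instead of '-' in
    the second column; the page itself shows only named imports."""
    pairs, dll = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "»" or line.startswith("API Name"):
            continue
        if line.endswith(")") and " (" in line:
            dll = line[: line.rindex(" (")]
            continue
        cols = line.split()
        if dll is None or len(cols) < 2:
            continue
        pairs.append((dll, cols[0] if cols[1] == "-" else int(cols[1], 0)))
    return pairs


# Constructed excerpt in the page's row format: three rows taken from the
# KK.exe entry above; the "(2)" count belongs to the excerpt, not the page.
SAMPLE_ROWS = """\
KERNEL32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
VirtualProtect - 0x00423000 0x00031990 0x0002FF90 0x000005A1
HeapFree - 0x00423004 0x00031994 0x0002FF94 0x00000333
ole32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoTaskMemAlloc - 0x00423144 0x00031AD4 0x000300D4 0x0000007A
"""

if __name__ == "__main__":
    dotnet = imphash([("mscoree.dll", "_CorExeMain")])
    print(dotnet, "distinctive:", imphash_is_distinctive(dotnet))
    print(imphash(parse_import_rows(SAMPLE_ROWS)))
```

Pasting the full 80-row KERNEL32.dll table and the ole32.dll row of the KK.exe entry into parse_import_rows, in the order printed, should reproduce that entry's ImpHash 2f980a014ec672a0c98f78f9b9549c7b; a mismatch would indicate that the table is not printed in import-directory order, which is the order the hash depends on, as the two-row swap in the test shows.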
f169eed8248d8f9efd20dd716790f2b3bb0547687546811b4137be21b5c63b71 Extracted File Image
Clean
Parent File C:\Users\RDhJ0CNFevzX\Desktop\a\foto0183.exe
MIME Type image/png
File Size 54.45 KB
MD5 d58effc60f9809303be37c9da12ec938
SHA1 5f5d1459f715b6d7ac0c9f5e6c86112d02c611a8
SHA256 f169eed8248d8f9efd20dd716790f2b3bb0547687546811b4137be21b5c63b71
SSDeep 1536:gcK4zqhNCcVqUFdjtzty9jeal9G6Mb1tBab:gcKAArDZz4N9Ghbkb
ImpHash -
188df2308bc511f28c65bad6a665e75e7096a421c5ba65441e4041a0495c30a0 Extracted File Image
Clean
Known to be clean.
Parent File C:\Users\RDhJ0CNFevzX\Desktop\a\vbc.exe
MIME Type image/png
File Size 53.56 KB
MD5 f0682aba8bc697c135a18a2d67275e08
SHA1 b7bfacd9084c39837674a68df663279adb90f1d8
SHA256 188df2308bc511f28c65bad6a665e75e7096a421c5ba65441e4041a0495c30a0
SSDeep 1536:sB7Kgql2UlsrfMdmvorGrl/bfkBfdfgZU8UlF1lV/OxQi4ttZ:duU2rfnGGrlzvO8Ul/lV/1tj
ImpHash -
File Reputation Information
Verdict
Clean
Known to be clean.
1b3c7ebbfea448daa433e1e4ded39631b4c14c64e6dbf7e7de6624717bfdb186 Extracted File Image
Clean
Parent File C:\Users\RDhJ0CNFevzX\AppData\Roaming\wwgclluqqajjf\okktdyyhqq.exe
MIME Type image/png
File Size 767 Bytes
MD5 2e93c2a1242418209e56ce2bd16a15c8
SHA1 7c70d0345abe97061b1cb5999bff71c469296f20
SHA256 1b3c7ebbfea448daa433e1e4ded39631b4c14c64e6dbf7e7de6624717bfdb186
SSDeep 12:6v/7i+M2yMnanpbThLbTdnfrLwsrmwO3XjW9ITF4UxKKPJ/x42juNFB1mzrBqRoh:81apbThRnwAmwO3TmCXx5lKB1m0oySn
ImpHash -
Function Logfile
This feature requires an online connection to the VMRay backend. An offline version with limited functionality is also provided; it is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.
Screenshot
Before / After (screenshots not rendered in this text export)