
Analysis Report vZa4pPYmtP

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 128773
Start date: 03.05.2019
Start time: 23:56:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 24s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: vZa4pPYmtP (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 93%)
  • Quality average: 75.5%
  • Quality standard deviation: 29.7%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 22
  • Number of non-executed functions: 81
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 52    | 0 - 100 |           | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

The sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Techniques are listed per tactic; a number in parentheses is the count of matching signatures.

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Windows Remote Management; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Port Monitors; Accessibility Features
Defense Evasion: Software Packing (1); Obfuscated Files or Information (2)
Credential Access: Credential Dumping; Network Sniffing
Discovery: Security Software Discovery (2); System Information Discovery (21)
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  Source: vZa4pPYmtP.exe, virustotal: Detection: 11%
Antivirus or Machine Learning detection for unpacked file
  Source: 0.2.vZa4pPYmtP.exe.9b0000.0.unpack, Joe Sandbox ML: detected
  Source: 0.0.vZa4pPYmtP.exe.9b0000.0.unpack, Joe Sandbox ML: detected
  Source: 0.1.vZa4pPYmtP.exe.9b0000.0.unpack, Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009DCC51 FindFirstFileExA

Networking:

Urls found in memory or binary data
  Source: vZa4pPYmtP.exe, String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
  Source: vZa4pPYmtP.exe, String found in binary or memory: http://t2.symcb.com0
  Source: vZa4pPYmtP.exe, String found in binary or memory: http://tl.symcb.com/tl.crl0
  Source: vZa4pPYmtP.exe, String found in binary or memory: http://tl.symcb.com/tl.crt0
  Source: vZa4pPYmtP.exe, String found in binary or memory: http://tl.symcd.com0&
  Source: vZa4pPYmtP.exe, String found in binary or memory: https://www.thawte.com/cps0/
  Source: vZa4pPYmtP.exe, String found in binary or memory: https://www.thawte.com/repository0W

System Summary:

Detected potential crypto function
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009BB090
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009BD8D0
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009BB8F0
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009C3010
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009C1870
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009D7189
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009DB1D9
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CC1E9
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009B9920
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009BB290
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009C0200
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009D0A45
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009BFA60
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CBBCD
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CBB20
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CC4B0
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009B84D0
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009E041A
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009BD590
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009C25D0
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009BE520
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009C1E10
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009C8E7B
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009BB7F0
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009D3700
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CBF3F
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CC76B
Found potential string decryption / allocating functions
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: String function: 009CA430 appears 43 times
Tries to load missing DLLs
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Section loaded: wow64log.dll
Classification label
  Source: classification engine, Classification label: mal52.winEXE@1/0@0/0
PE file has an executable .text section and no other executable section
  Source: vZa4pPYmtP.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
  Source: vZa4pPYmtP.exe, virustotal: Detection: 11%
PE file contains a mix of data directories often seen in goodware
  Source: vZa4pPYmtP.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
  Source: vZa4pPYmtP.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
  Source: vZa4pPYmtP.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
  Source: vZa4pPYmtP.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
  Source: vZa4pPYmtP.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
  Source: vZa4pPYmtP.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
  Source: vZa4pPYmtP.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
  Source: vZa4pPYmtP.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
  Source: vZa4pPYmtP.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
  Source: vZa4pPYmtP.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
  Source: vZa4pPYmtP.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
  Source: vZa4pPYmtP.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
  Source: vZa4pPYmtP.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CA476 push ecx; ret 0_2_009CA489
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009C9EC2 push ecx; ret 0_2_009C9ED5

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009C8E7B GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion:

Program does not show much activity (idle)
  Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to enumerate / list files inside a directory
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009DCC51 FindFirstFileExA

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CA1EF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Contains functionality to read the PEB
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009D4BDA mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009B5020 GetProcessHeap,HeapFree
Program does not show much activity (idle)
  Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CA382 SetUnhandledExceptionFilter
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009C999F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CA1EF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CE450 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_009DF894
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: GetLocaleInfoW, 0_2_009DF99B
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_009DF130
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_009DFA68
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: EnumSystemLocalesW, 0_2_009DA39C
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: EnumSystemLocalesW, 0_2_009DF3A8
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: EnumSystemLocalesW, 0_2_009DF3F3
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: EnumSystemLocalesW, 0_2_009DF48E
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_009DF51B
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: GetLocaleInfoW, 0_2_009DA741
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: GetLocaleInfoW, 0_2_009DF76B
Contains functionality to query CPU information (cpuid)
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CA48B cpuid
Contains functionality to query local / system time
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009CA0E9 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
  Source: C:\Users\user\Desktop\vZa4pPYmtP.exe, Code function: 0_2_009B1480 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ

Behavior Graph

[Behavior graph is rendered as an image and is not included here.] Behavior Graph ID: 128773, Sample: vZa4pPYmtP, Start date: 03/05/2019, Architecture: WINDOWS, Score: 52. Process node: vZa4pPYmtP.exe (started). Signature nodes: Multi AV Scanner detection for submitted file; Antivirus or Machine Learning detection for unpacked file.

Simulations

Behavior and APIs

No simulations

Antivirus and Machine Learning Detection

Initial Sample

Source         | Detection | Scanner    | Label
vZa4pPYmtP.exe | 11%       | virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                               | Detection | Scanner        | Label
0.2.vZa4pPYmtP.exe.9b0000.0.unpack   | 100%      | Joe Sandbox ML |
0.0.vZa4pPYmtP.exe.9b0000.0.unpack   | 100%      | Joe Sandbox ML |
0.1.vZa4pPYmtP.exe.9b0000.0.unpack   | 100%      | Joe Sandbox ML |

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails


Startup

  • System is w10x64
  • vZa4pPYmtP.exe (PID: 3652, cmdline: 'C:\Users\user\Desktop\vZa4pPYmtP.exe', MD5: BCD5275B17FA251E764CC654F27A348B)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name                                | Source         | Malicious | Antivirus Detection | Reputation
https://www.thawte.com/cps0/        | vZa4pPYmtP.exe | false     |                     | high
https://www.thawte.com/repository0W | vZa4pPYmtP.exe | false     |                     | high

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.753376194916838
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: vZa4pPYmtP.exe
File size: 901104
MD5: bcd5275b17fa251e764cc654f27a348b
SHA1: ba79b583b6a35dd38f25afd28055cce1835fffd3
SHA256: 11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73
SHA512: 28fc8eb9d3acc66e85c9c99556eaee496d60c4967a6514a42242c2c5dd10f955e1461e911fef9ac22cf8f0618eecfe4f866d383e2b86dd167a3e3b48dd5680ff
SSDEEP: 24576:QF78RE7pJSKBUUoyusymwzLAPbUxpKZrLDF2o:s4y7+C3uIwoPbqurLX
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~,..:M..:M..:M......7M.......M......'M..h%..,M..h%...M..h%...M..35c.?M..:M..RM...$..2M...$..$M...$..8M...$..;M...$..;M..Rich:M.

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x41993f
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5CC221D6 [Thu Apr 25 21:08:38 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 81da9241b26f498f1f7a1123ab76bb9d

Authenticode Signature

Signature Valid: false
Signature Issuer: CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
Signature Validation Error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number: -2146762495
Not Before: 3/14/2019 5:00:00 PM
Not After: 3/14/2020 4:59:59 PM
Subject Chain:
  • CN=3AN LIMITED, O=3AN LIMITED, L=ROMFORD, C=GB
Version: 3
Thumbprint MD5: FC72F2C4E044F2BFF22594E31FB50353
Thumbprint SHA-1: 60974F5CC654E6F6C0A7332A9733E42F19186FBB
Thumbprint SHA-256: 46A77F3D305C6FDF4F44CDE469C8B13C4E279F1F85932453E41524574A774252
Serial: 04C7CDCC1698E25B493EB4338D5E2F8B

Entrypoint Preview

Instruction
call 00007F30046D1CA7h
jmp 00007F30046D132Fh
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+04h]
sub ecx, eax
sbb eax, eax
not eax
and ecx, eax
mov eax, esp
and eax, FFFFF000h
cmp ecx, eax
jc 00007F30046D14BEh
mov eax, ecx
pop ecx
xchg eax, esp
mov eax, dword ptr [eax]
mov dword ptr [esp], eax
ret
sub eax, 00001000h
test dword ptr [eax], eax
jmp 00007F30046D1499h
int3
int3
int3
cmp cl, 00000040h
jnc 00007F30046D14C7h
cmp cl, 00000020h
jnc 00007F30046D14B8h
shld edx, eax, cl
shl eax, cl
ret
mov edx, eax
xor eax, eax
and cl, 0000001Fh
shl edx, cl
ret
xor eax, eax
xor edx, edx
ret
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0043408Ch]
push dword ptr [ebp+08h]
call dword ptr [00434088h]
push C0000409h
call dword ptr [00434090h]
push eax
call dword ptr [00434094h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F30046EA6A7h
test eax, eax
je 00007F30046D14B7h
push 00000002h
pop ecx
int 29h
mov dword ptr [004DB770h], eax
mov dword ptr [004DB76Ch], ecx
mov dword ptr [004DB768h], edx
mov dword ptr [004DB764h], ebx
mov dword ptr [004DB760h], esi
mov dword ptr [004DB75Ch], edi
mov word ptr [00000088h], ss

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xd7814         | 0x28         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xdd000         | 0x1e8        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0xdb400         | 0xbf0        | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xde000         | 0x2bac       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0xd5100         | 0x1c         | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xd5120         | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x34000         | 0x138        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
.text  | 0x1000          | 0x32e23      | 0x33000  | False    | 0.539660883885  | data      | 6.66577328306 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x34000         | 0xa3efc      | 0xa4000  | False    | 0.940115579745  | data      | 7.88649097065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xd8000         | 0x415c       | 0x1200   | False    | 0.208116319444  | data      | 3.53319002901 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  | 0xdd000         | 0x1e8        | 0x200    | False    | 0.54296875      | data      | 4.76259508362 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xde000         | 0x2bac       | 0x2c00   | False    | 0.730823863636  | data      | 6.5863202636  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name        | RVA     | Size  | Type                  | Language | Country
RT_MANIFEST | 0xdd060 | 0x188 | XML 1.0 document text | English  | United States

Imports

DLL: KERNEL32.dll
Import: VirtualProtect, HeapAlloc, HeapFree, GetProcessHeap, SetLastError, VirtualFree, LoadLibraryA, IsBadReadPtr, HeapSize, VirtualAlloc, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetLastError, WideCharToMultiByte, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, LoadLibraryExW, ReadFile, GetStdHandle, WriteFile, GetModuleFileNameA, ExitProcess, GetModuleHandleExW, GetACP, HeapReAlloc, GetFileType, CloseHandle, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleCP, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, CreateFileW, WriteConsoleW

Possible Origin

Language of compilation system | Country where language is spoken
English                        | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

General

Start time: 23:57:44
Start date: 03/05/2019
Path: C:\Users\user\Desktop\vZa4pPYmtP.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\vZa4pPYmtP.exe'
Imagebase: 0x9b0000
File size: 901104 bytes
MD5 hash: BCD5275B17FA251E764CC654F27A348B
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis