
Windows Analysis Report
UmiDataServer v1.0.1.1.exe

Overview

General Information

Sample name:UmiDataServer v1.0.1.1.exe
Analysis ID:1417094
MD5:75c876a06f5679e880e91897c83789b1
SHA1:13703a9cac7af619e4e79f3dde2dc7890277b448
SHA256:258fd554afd7aaf894c069a35b2e1ba65fb9f0dd5bb11f9573d800088f18277e
Infos:

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains sections with non-standard names
Tries to load missing DLLs
Uses 32bit PE files

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
  • System is w10x64_ra
  • UmiDataServer v1.0.1.1.exe (PID: 2624 cmdline: "C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe" MD5: 75C876A06F5679E880E91897C83789B1)
    • UmiDataServer v1.0.1.1.tmp (PID: 1544 cmdline: "C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp" /SL5="$4036E,4640132,832512,C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe" MD5: B55AB2B088236C1B8E96319049824AAA)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: UmiDataServer v1.0.1.1.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: UmiDataServer v1.0.1.1.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Section loaded: dwmapi.dll
Source: UmiDataServer v1.0.1.1.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine; Classification label: clean2.winEXE@3/2@0/0
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; File created: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; File read: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe
Source: unknown; Process created: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe "C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe"
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; Process created: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp "C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp" /SL5="$4036E,4640132,832512,C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Window found: window name: TMainForm
Source: UmiDataServer v1.0.1.1.exe; Static file information: File size 5481832 > 1048576
Source: UmiDataServer v1.0.1.1.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: UmiDataServer v1.0.1.1.exe; Static PE information: section name: .didata
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; File created: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; File created: C:\Users\user\AppData\Local\Temp\is-IKNN5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IKNN5.tmp\_isetup\_setup64.tmp
MITRE ATT&CK Matrix

Numbers in parentheses are the report's match counts for that technique; entries without a count carry none.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows)
Defense Evasion: Masquerading (1), Process Injection (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
Discovery: System Owner/User Discovery (2), System Information Discovery (1), Query Registry
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
Command and Control: Data Obfuscation, Junk Data, Steganography
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact



No Antivirus matches

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\is-IKNN5.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-IKNN5.tmp\_isetup\_setup64.tmp | 0% | Virustotal | |

No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1417094
Start date and time:2024-03-28 15:54:09 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:UmiDataServer v1.0.1.1.exe
Detection:CLEAN
Classification:clean2.winEXE@3/2@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
Process:C:\Users\user\AppData\Local\Temp\is-IUSS4.tmp\UmiDataServer v1.0.1.1.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\UmiDataServer v1.0.1.1.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3199488
Entropy (8bit):6.325051083907163
Encrypted:false
SSDEEP:
MD5:B55AB2B088236C1B8E96319049824AAA
SHA1:6A86BB9499B9753C17BFEFB27C0902A4BBD0A6D2
SHA-256:EA28E21CD84A550B9390B3AE8663A497B4663B7233082230DD6B0812A01F7FAF
SHA-512:DD742F5B7A64F41977F81FA3E07F1B984D9D3C55B8C4F0C9BEE76F94ECB11A4830BDE2DDF25643FC48A1E9A16D1C7D04F249D35A16DEC475DD2F23C4C52A32E7
Malicious:false
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9...................................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.906497587104928
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.04%
  • Inno Setup installer (109748/4) 1.08%
  • InstallShield setup (43055/19) 0.42%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:UmiDataServer v1.0.1.1.exe
File size:5'481'832 bytes
MD5:75c876a06f5679e880e91897c83789b1
SHA1:13703a9cac7af619e4e79f3dde2dc7890277b448
SHA256:258fd554afd7aaf894c069a35b2e1ba65fb9f0dd5bb11f9573d800088f18277e
SHA512:c0a494c82b46f1c126d4e228d8255621f33c4f18732afac522c05d55e587d956e3249c16a9a548228dde24413d2eb3d3164f4cf480b9701a06ba06d160a5c5ad
SSDEEP:98304:ykLHPnPTX9HH3jYFaJRZtQrgQp9rrtyomB1JlptFQeK4t29s4C1eH9Q:dXTFH3C5htyomhlptW4t5o9Q
TLSH:8546123FF298A13EC4AE1A3205B39250997BBE61781A8C1E07FC744DCF765601E3B656
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:0c0c2d33ceec80aa
Entrypoint:0x4b5eec
Entrypoint Section:.itext
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:e569e6f445d32ba23766ad67d1e3787f
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B14B8h
call 00007F740476AAD5h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F740480D5C7h
call 00007F740480D11Ah
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F7404780574h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F74047656C7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004238ECh]
call 00007F74047816F7h
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F740480D64Fh
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F740481386Ah
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F7404781FECh
mov edx, dword ptr [004C1D90h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x11000 | 0x11000 | f1d6259d63d2064f227baadaf623edbc | False | 0.18622185202205882 | data | 3.694167466103365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xc80e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xc8748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xc8a30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xc8b58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xca180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcb028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcb8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcbe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xcd120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd1348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd38f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd4998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd4e00 | 0x360 | data | | | 0.34375
RT_STRING | 0xd5160 | 0x260 | data | | | 0.3256578947368421
RT_STRING | 0xd53c0 | 0x45c | data | | | 0.4068100358422939
RT_STRING | 0xd581c | 0x40c | data | | | 0.3754826254826255
RT_STRING | 0xd5c28 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xd5efc | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xd5fb4 | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xd6050 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xd63c4 | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xd675c | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xd6ac4 | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xd6d68 | 0x10 | data | | | 1.5
RT_RCDATA | 0xd6d78 | 0x2c4 | data | | | 0.6384180790960452
RT_RCDATA | 0xd703c | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0xd7068 | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xd7124 | 0x584 | data | English | United States | 0.27407932011331443
RT_MANIFEST | 0xd76a8 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4541a8
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c

Language of compilation system | Country where language is spoken
English | United States