Windows Analysis Report
Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Overview

General Information

Sample name:Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Analysis ID:1438600
MD5:b543ca28c1fc8be534a8a701a0a96964
SHA1:df7680b5721f14631bd12aa7511171e5dd36e2e9
SHA256:bdb793b89f3ac3487cac8d5333d12ce2969c22de97941eab01a2c55b9f97b4f9

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Drops PE files
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis
Sample is looking for USB drives; launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
  • System is w10x64_ra
  • Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe (PID: 6148 cmdline: "C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe" MD5: B543CA28C1FC8BE534A8A701A0A96964)
    • setup.exe (PID: 6192 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w MD5: 3CBE75E9FCC9FA789A84FF883867CD90)
      • msiexec.exe (PID: 6320 cmdline: MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 6400 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 1996 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F87BDED09FA11A60C7FEB9A0B8A11B7C C MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: clean3.winEXE@8/8@0/0
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | File read: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: unknown | Process created: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe "C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe"
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F87BDED09FA11A60C7FEB9A0B8A11B7C C
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F87BDED09FA11A60C7FEB9A0B8A11B7C C
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: riched32.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | File written: C:\Users\user\AppData\Local\Temp\RarSFX0\0x0409.ini
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Window found: window name: RichEdit
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | File opened: C:\Windows\SysWOW64\riched32.dll
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Static file information: File size 21640831 > 1048576
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5079359
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI9A55.tmp
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9A55.tmp
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
MITRE ATT&CK Matrix (techniques listed per tactic; a number in front of a technique is the badge shown next to it in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Software Packing; 11 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 11 Peripheral Device Discovery; 2 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Antivirus results for the sample:
Source | Detection | Scanner | Label | Link
Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe | 4% | ReversingLabs | |

Antivirus results for dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\MSI9A55.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP info
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1438600
Start date and time:2024-05-08 21:59:55 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Detection:CLEAN
Classification:clean3.winEXE@8/8@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Process:C:\Windows\SysWOW64\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):99648
Entropy (8bit):5.499169965794945
Encrypted:false
SSDEEP:
MD5:30C906DDC7AEE8899414F98FE9034132
SHA1:171F5D3379779EE165B4EF614638B75CF44F29A8
SHA-256:2AC85D37DCACE83FE72F960BAC4BA4DFCAC65DED2242C63261D227C9A7A22E4D
SHA-512:B2EADC0AC2D4C0C8787E6AEAFB526B6E8A96E987B5BD22B5BAE5FC932B0A9EA05A929FA807F48A8929B7C00184601C5D73AFBE5971295F1FC373178F583F5754
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):13660
Entropy (8bit):3.486384074808718
Encrypted:false
SSDEEP:
MD5:758747727E96A23C7C5A5BBB011656E4
SHA1:51CC637E7EB3451D6DFA9465D949D6DFB2CD65C9
SHA-256:BAD3B2E854149DF9413F06E6C1C7B7C875545393877F59B59907F6B083CE5825
SHA-512:21FF9D365BEB1B7809B89D540F41BF330515F05F6211C8327BE43BAF1F050E46ECC1654B0696E7C82A2A803267E38D780FFD83DEA7448861F6E3B84838685627
Malicious:false
Reputation:unknown
Preview (UTF-16 text decoded; truncated in the report):
[0x0409]
TITLE=Choose Setup Language
DESCRIPTION=Select the language for this installation from the choices below.
REBOOTMESSAGE=The installer must restart your system to complete configuring the Windows Installer service.  Click Yes to restart now or No if you plan to restart later.
ONUPGRADE=This setup will perform an upgrade of '%s'. Do you want to continue?
LATERVERSIONINSTALLED=A later version of '%s' is already installed on this machine. The setup cannot continue.
OK=OK
Cancel=Ca
Process:C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
File Type:Microsoft Cabinet archive data, many, 14538947 bytes, 19 files, at 0x5c +A "_05552B74CCDE077E19276A4B56E61CF6", iFolder 0x1 +A "_B05A2AB076DDA62641C63DBF405CBA38", 7 cffolders, ID 1111, number 1, 105 datablocks, 0x1 compression
Category:dropped
Size (bytes):14538947
Entropy (8bit):7.9977814426964215
Encrypted:true
SSDEEP:
MD5:D798790881E6663275B0DEB78C5E1389
SHA1:6B2A904076565024122722EA6B91A525995F8BC3
SHA-256:30EC64EABACC6112DE2643E277F1660FC47EE5CEF3DC2F739E8137F63B66AC72
SHA-512:6E9DFEC5D84035165EB4633974085323BD825D63DF9F60320E8540398A9E7A3AC445C8129845EE7E7BFE1338AC58CEEA80F55A0927251AD1379F6EC6F6707728
Malicious:false
Reputation:unknown
Process:C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Author: InstallShield Software Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Template: Intel;1033, Last Saved By: InstallShield, Revision Number: {79A894FC-A5C1-4F47-BD8C-296A0B8F9A34}, Last Printed: Wed Mar 21 11:30:00 2018, Create Time/Date: Wed Mar 21 11:30:00 2018, Last Saved Time/Date: Wed Mar 21 11:30:00 2018, Number of Pages: 200, Number of Words: 0, Number of Characters: 0, Name of Creating Application: InstallShield 2009 - Express Edition 15, Security: 1
Category:dropped
Size (bytes):2834432
Entropy (8bit):4.043447572238817
Encrypted:false
SSDEEP:
MD5:B876CC0991FC55A4C7CC5B9B48BDBA86
SHA1:9D3A8891AE4578C86523663B6D6326E9CF08206E
SHA-256:668D4EA8050A6FC3B6165F23D489615F8ADED2B50BE376B0B3FF5E4414705116
SHA-512:B4F76B293DC85EAAC4B859E0FABA377289169466DBA363A00D85D0C42E8CC158B37F0DC6E2C0C0DA0AB672493885D40D9B2F941C5DDC76DCF7DC98CED602F246
Malicious:false
Reputation:unknown
Process:C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
File Type:Generic INItialization configuration [Startup]
Category:dropped
Size (bytes):2934
Entropy (8bit):5.443046971636431
Encrypted:false
SSDEEP:
MD5:497073452F115176668260571049BC75
SHA1:EC94F04B9F31F5D5C08AA501E8D8CAE7D956A2B3
SHA-256:261DFAC64E66DD36740DEA1464C70146225C38B9B31C67713652D90D3DF4E0F2
SHA-512:3690B68AA52F0FE7FB11C62917131F0A69CF6DAC7D9F08F9364EBB0B70F0044A4A83A3FF0FD00BBFDD8C182113A9EB3E6A0DCE3DFE10A3FC6D3C2CB8B015A872
Malicious:false
Reputation:unknown
Preview (CRLF line breaks restored; truncated in the report):
[Info]
Name=INTL
Version=1.00.000
DiskSpace=8000 ;DiskSpace requirement in KB

[Startup]
CmdLine=
SuppressWrongOS=Y
ScriptDriven=0
ScriptVer=1.0.0.1
DotNetOptionalInstallIfSilent=N
OnUpgrade=0
RequireExactLangMatch=0404,0804
RTLLangs=0401,040d
Product=Lakes Environmental WRPLOT View - Freeware V.8.0.2
PackageName=Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi
EnableLangDlg=Y
LogResults=N
DoMaintenance=N
ProductCode={EBAF9671-C21C-49FE-8A05-EA53C74CA8C2}
ProductVersion=8.0.2
SuppressReboot=Y
LauncherName=setup.exe
PackageCode={79A894FC-A5C1-4F47-BD8C-296A0B8F9A34}

[MsiVersion]
2.0.2600.0=SupportOS
[SupportOSMsi11] ;Supported platforms for MSI 1.1
Win95=1
Win98=1
WinNT4SP3=1
[SupportOSMsi12] ;Supported platforms for MSI 1.2
Win95=1
Win98=1
WinME=1
WinNT4SP3=1
[SupportOS] ;Supported platforms for MSI 2.0
Win95=1
Win98=1
WinME=1
WinNT4SP6=1
Win2K=1
[SupportOSMsi30] ;Supported platforms for MSI 3.0
Win2KSP3=1
WinXP=1
Win2003Server=1

[
Process:C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
Category:dropped
Size (bytes):1708856
Entropy (8bit):7.985483438485467
Encrypted:false
SSDEEP:
MD5:43F7305C2E5DD4A8F3C5ABEB2FFE4833
SHA1:03BDA624AB7F0D7CB9ADA41A960C35C0152F98FD
SHA-256:267304EFCC831E35927C1F25D610D36FB64121D108A6F4FF0168C53DF01E2B16
SHA-512:E24072F1B5B102FBD52126396854463FF07D8D0EFCE1D922ED99ACD0369CFF163E415ABC1FAEAF559EF7898E5F82945DB544A0F425DB0DB42696282D0ACD7C7C
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(..I...I...I...j...I...I...I...@...I...j...I...j...I..Rich.I..................PE..L.....:.....................p.......Z.......................................0......V{...................................................k..............8............................................................................................text.............................. ..`.data...............................@....rsrc....k.......l..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
Category:dropped
Size (bytes):1822520
Entropy (8bit):7.987680667971462
Encrypted:false
SSDEEP:
MD5:61A5FB191AE2AE876DB31DCCE75E4183
SHA1:751669C38B666C7435B2A65A5C6FE40435D59AAA
SHA-256:B93FDCD1136FAA9A8CB73A329B2F1F5F430A150DDCEC35DE916E3A1539F09351
SHA-512:76ED473FF370255E7B09A931C10E1AEA7D9D84B4655D85E9AD28FAA5F143BB9063C363829A28614FB89CD00C4755E825268123E5F6F4849A0DB9328297811FFC
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(..I...I...I...j...I...I...I...@...I...j...I...j...I..Rich.I..................PE..L.....:.....................,.......Z...............................................&...................................................'..............8............................................................................................text.............................. ..`.data...............................@....rsrc....0.......(..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):626784
Entropy (8bit):6.6378258026818
Encrypted:false
SSDEEP:
MD5:3CBE75E9FCC9FA789A84FF883867CD90
SHA1:6D46C9922839ADACB2CFEF7332D82F3D5DB67047
SHA-256:59B670AA56C597DD5206A71C00431688B51D54473B7CD5321B62C8BB5C80EDD6
SHA-512:0B298AEADC895E1EBCD5F703407954C40B41631E50CACCC2D7301FE354C241CD34A4A569739CB662A92F1B3C685183E5B59D41EDF6D7661354A12C4A4885DE22
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y..........................,.........+.................u......G..............U.............h......Rich............PE..L....-.H.............................j............@.........................................................................p............A......................................................................................@....................text....y.......................... ..`.rdata........... ..................@..@.data...............................@....rsrc....A.......P...@..............@..@................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
Entropy (8bit):7.7277869861460955
TrID:
  • Win32 Executable (generic) a (10002005/4) 96.68%
  • Microsoft Update - Self Extracting Cabinet (339566/5) 3.28%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
File size:21'640'831 bytes
MD5:b543ca28c1fc8be534a8a701a0a96964
SHA1:df7680b5721f14631bd12aa7511171e5dd36e2e9
SHA256:bdb793b89f3ac3487cac8d5333d12ce2969c22de97941eab01a2c55b9f97b4f9
SHA512:b8577e322ccb9fbf011a7965ac99cbdc941e5cf7c3acd8269de80f531b8afec85fb6526a29e2a6a8e746663d03fc15861066ad9fcdf44e8c7045e15ec9415ec4
SSDEEP:393216:uxIq4jHe3fR8SVcvN5wGRwyz2yMBMG+tBZHlI7xseJWGhrr26oXoEoXom:4aHeCSVcvLwGWph+9FqxQGhboXoEoXom
TLSH:3E2723B226A15D77D1231530687D0322A6B8FC205F25A7EFB34DFD5819F3A52093BB29
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9.o.9.o.9.o..a..1.o..a..*.o.9.n...o.'...<.o.0...8.o.0.....o.0...8.o.'...8.o.0...8.o.Rich9.o.........PE..L....'dJ...........
Icon Hash:2775250905472797
Entrypoint:0x40a794
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x4A6427AF [Mon Jul 20 08:15:43 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:50610e34092d6ce13e51e7c9d5197081
Instruction
call 00007F3D346BEF18h
xor eax, eax
push eax
push eax
push eax
push eax
call 00007F3D346C1B89h
ret
push esi
push edi
mov edi, dword ptr [esp+0Ch]
mov esi, ecx
mov ecx, edi
mov dword ptr [esi], edi
call 00007F3D346B9817h
mov dword ptr [esi+08h], eax
mov dword ptr [esi+0Ch], edx
mov eax, dword ptr [edi+00000C1Ch]
mov dword ptr [esi+10h], eax
pop edi
mov eax, esi
pop esi
retn 0004h
mov eax, ecx
mov ecx, dword ptr [eax]
mov edx, dword ptr [eax+10h]
cmp edx, dword ptr [ecx+00000C1Ch]
jne 00007F3D346BF03Fh
push 00000000h
push dword ptr [eax+0Ch]
push dword ptr [eax+08h]
call 00007F3D346B9CF6h
ret
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
xor esi, esi
push esi
push esi
push esi
push esi
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00412230h]
test eax, eax
je 00007F3D346BF053h
push esi
push esi
push esi
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00412234h]
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00412280h]
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00412238h]
pop esi
leave
ret
push ebp
mov ebp, esp
sub esp, 64h
push 00000064h
lea eax, dword ptr [ebp-64h]
push eax
push 0000000Fh
push 00000400h
call dword ptr [004120C8h]
movsx eax, byte ptr [ebp-64h]
leave
ret
push ebp
mov ebp, esp
sub esp, 34h
push ebx
xor ebx, ebx
push esi
push edi
cmp dword ptr [004140B0h], ebx
jne 00007F3D346BF04Ch
call 00007F3D346BF0FEh
Programming Language:
  • [ C ] VS2005 build 50727
  • [IMP] VS2005 build 50727
  • [ASM] VS2008 build 21022
  • [ C ] VS2008 SP1 build 30729
  • [C++] VS2008 SP1 build 30729
  • [EXP] VS2008 SP1 build 30729
  • [RES] VS2008 build 21022
  • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x13750 | 0x33 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x128dc | 0xc8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x3e60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x122a0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x2a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1067c | 0x10800 | 69179a2ddb5ddb2aed3f724a98950dc7 | False | 0.6345584753787878 | data | 6.560869808804803 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x12000 | 0x17d5 | 0x1800 | 99f53b7cce8f0e5e290cb103afbe327e | False | 0.4837239583333333 | data | 5.509092726674668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0xbff4 | 0x200 | 2821477811bfd11f4acd2c1da2aba6da | False | 0.509765625 | data | 3.5434406280093995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x20000 | 0x10 | 0x200 | 324bcdad78da9eab2e1651550291e550 | False | 0.044921875 | data | 0.21310128450968063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x21000 | 0x3e60 | 0x4000 | cf437d4894a449115cb977a950609e7d | False | 0.3485107421875 | data | 4.663193628915761 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
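Added example (not part of the Joe Sandbox report and not the sample's own code): a stdlib-only Python reader for the header fields listed above. It extracts the entrypoint (ImageBase 0x400000 plus the RVA, which gives 0x40a794 inside .text), the file and DLL characteristics flags, the subsystem, whether the security directory is populated (the basis of "Digitally signed: false"), per-section entropy, and the size of any overlay after the last section. The overlay is where a RAR SFX stub carries its archive, which is why the whole-file entropy is 7.73 while the largest section, .text, sits at 6.56 and the five sections together cover only about 90 KB of a 21.6 MB file. The combination RELOCS_STRIPPED with no DYNAMIC_BASE also means the stub always loads at 0x400000 with no ASLR. The image parsed below is a constructed minimal PE32 carrying the same flag values as the sample, not the analysed binary; to run the reader on the real file, pass open(path, 'rb').read() to parse_pe32.

```python
"""Stdlib-only PE32 header reader: added example, not the report's own tooling."""
import math
import struct
from collections import Counter

# IMAGE_FILE_HEADER.Characteristics bits (subset the report names)
FILE_CHARS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (subset)
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
             0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode blob; its "RVA" is really a file offset


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly distributed bytes (packed or encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(buf: bytes) -> dict:
    """Parse DOS header, COFF header, PE32 optional header and the section table."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", buf, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) handled; PE32+ uses different offsets")
    entry_rva, = struct.unpack_from("<I", buf, opt + 16)
    image_base, = struct.unpack_from("<I", buf, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", buf, opt + 68)
    ndirs, = struct.unpack_from("<I", buf, opt + 92)
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]
    sec_dir = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY else (0, 0)

    sections, entry_section, data_end = [], None, 0
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, off)
        sec_chars, = struct.unpack_from("<I", buf, off + 36)
        raw = buf[rawptr:rawptr + rawsize]
        data_end = max(data_end, rawptr + rawsize)
        sec = {"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
               "rawsize": rawsize, "entropy": shannon_entropy(raw),
               "executable": bool(sec_chars & 0x20000000)}
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = sec["name"]
        sections.append(sec)

    return {"machine": machine, "timestamp": stamp, "entrypoint": image_base + entry_rva,
            "entrypoint_section": entry_section, "imagebase": image_base,
            "file_characteristics": flag_names(chars, FILE_CHARS),
            "dll_characteristics": flag_names(dll_chars, DLL_CHARS),
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "digitally_signed": sec_dir[1] != 0,
            "overlay_size": max(len(buf) - data_end, 0), "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with the same flag values as the report; not the sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4A6427AF, 0, 0, 224, 0x0103)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0xA794)                      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<HH", opt, 68, 2, 0x8500)                  # GUI; NX_COMPAT|NO_SEH|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    raw_off = 512
    text = bytes(range(256)) * 2                                 # uniform bytes -> 8.0 bits
    data = b"\0" * 512                                           # constant bytes -> 0.0 bits
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x1067C, 0x1000, len(text), raw_off,
                       0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000, len(data),
                        raw_off + len(text), 0, 0, 0, 0, 0xC0000040)
    img = bytearray(dos + b"PE\0\0" + coff + opt + secs)
    img += b"\0" * (raw_off - len(img))
    return bytes(img + text + data)


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample_pe()).items():
        print(key, value)
```

Appending bytes after the last section's raw data (as an SFX stub does with its archive) shows up only in overlay_size; the section entropies stay unchanged, which is the check to run when a whole-file entropy near 8 does not match the section table.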
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x226f0 | 0xbb6 | Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m | English | United States | 0.2581721147431621
RT_ICON | 0x21490 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.6047297297297297
RT_ICON | 0x215b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4703757225433526
RT_ICON | 0x21b20 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4986559139784946
RT_ICON | 0x21e08 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.4444945848375451
RT_DIALOG | 0x23b50 | 0x282 | data | English | United States | 0.5062305295950156
RT_DIALOG | 0x23930 | 0x136 | data | English | United States | 0.6064516129032258
RT_DIALOG | 0x23a68 | 0xe8 | data | English | United States | 0.6939655172413793
RT_DIALOG | 0x23800 | 0x12a | data | English | United States | 0.587248322147651
RT_DIALOG | 0x234c8 | 0x334 | data | English | United States | 0.43414634146341463
RT_DIALOG | 0x232a8 | 0x21e | data | English | United States | 0.5645756457564576
RT_STRING | 0x24390 | 0x22c | data | English | United States | 0.420863309352518
RT_STRING | 0x245c0 | 0x3b2 | data | English | United States | 0.3964059196617336
RT_STRING | 0x24978 | 0x212 | data | English | United States | 0.4339622641509434
RT_STRING | 0x24b90 | 0x27e | data | English | United States | 0.4122257053291536
RT_STRING | 0x24e10 | 0x4c | data | English | United States | 0.631578947368421
RT_GROUP_ICON | 0x226b0 | 0x3e | data | English | United States | 0.8387096774193549
RT_MANIFEST | 0x23dd8 | 0x5b8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4385245901639344
DLL | Import
COMCTL32.dll |
KERNEL32.dll | DeleteFileA, DeleteFileW, CreateDirectoryA, CreateDirectoryW, FindClose, FindNextFileA, FindFirstFileA, FindNextFileW, FindFirstFileW, GetTickCount, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GlobalAlloc, lstrlenA, GetModuleFileNameA, FindResourceA, GetModuleHandleA, HeapAlloc, GetProcessHeap, HeapFree, HeapReAlloc, CompareStringA, ExitProcess, GetLocaleInfoA, GetNumberFormatA, GetProcAddress, DosDateTimeToFileTime, GetDateFormatA, GetTimeFormatA, FileTimeToSystemTime, FileTimeToLocalFileTime, ExpandEnvironmentStringsA, WaitForSingleObject, SetCurrentDirectoryA, Sleep, GetTempPathA, MoveFileExA, GetModuleFileNameW, SetEnvironmentVariableA, GetCommandLineA, LocalFileTimeToFileTime, SystemTimeToFileTime, GetSystemTime, IsDBCSLeadByte, GetCPInfo, FreeLibrary, LoadLibraryA, GetCurrentDirectoryA, GetFullPathNameA, SetFileAttributesW, SetFileAttributesA, GetFileAttributesW, GetFileAttributesA, WriteFile, GetStdHandle, ReadFile, SetLastError, CreateFileW, CreateFileA, GetFileType, SetEndOfFile, SetFilePointer, MoveFileA, SetFileTime, GetCurrentProcess, CloseHandle, GetLastError, lstrcmpiA
USER32.dll | ReleaseDC, GetDC, SendMessageA, wsprintfA, SetDlgItemTextA, EndDialog, DestroyIcon, SendDlgItemMessageA, GetDlgItemTextA, DialogBoxParamA, IsWindowVisible, WaitForInputIdle, GetSysColor, PostMessageA, SetMenu, SetFocus, LoadBitmapA, LoadIconA, CharToOemA, OemToCharA, GetClassNameA, CharUpperA, GetWindowRect, GetParent, MapWindowPoints, CreateWindowExA, UpdateWindow, SetWindowTextA, LoadCursorA, RegisterClassExA, SetWindowLongA, GetWindowLongA, DefWindowProcA, PeekMessageA, GetMessageA, DispatchMessageA, DestroyWindow, GetClientRect, CopyRect, IsWindow, MessageBoxA, ShowWindow, GetDlgItem, EnableWindow, FindWindowExA, wvsprintfA, CharToOemBuffA, LoadStringA, SetWindowPos, GetWindowTextA, GetWindow, GetSystemMetrics, OemToCharBuffA, TranslateMessage
GDI32.dll | GetDeviceCaps, GetObjectA, CreateCompatibleBitmap, SelectObject, StretchBlt, CreateCompatibleDC, DeleteObject, DeleteDC
COMDLG32.dll | GetSaveFileNameA, CommDlgExtendedError, GetOpenFileNameA
ADVAPI32.dll | LookupPrivilegeValueA, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegCloseKey, SetFileSecurityW, SetFileSecurityA, OpenProcessToken, AdjustTokenPrivileges
SHELL32.dll | ShellExecuteExA, SHFileOperationA, SHGetFileInfoA, SHGetSpecialFolderLocation, SHGetMalloc, SHBrowseForFolderA, SHGetPathFromIDListA, SHChangeNotify
ole32.dll | CreateStreamOnHGlobal, OleInitialize, CoCreateInstance, OleUninitialize, CLSIDFromString
OLEAUT32.dll | VariantInit
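Added example (not the report's tooling and not pefile): how the Import Hash shown above is derived from this import table. The imphash is the MD5 of a comma-joined, lower-cased "module.function" list taken in import-table order with the .dll/.ocx/.sys extension stripped, so two builds that link the same objects in the same order share a hash even when their code differs. The report's value cannot be reproduced from the table as printed because COMCTL32.dll lists no function names (the usual sign of an ordinal-only import, whose ordinal numbers the table does not show); the code below parses a subset of the rows in the report's rendered form and treats ordinals as ordN, which is the pefile behaviour for modules without a known ordinal table. The COMCTL32 ordinal 17 in the second input is a constructed value, not something the report states.

```python
"""Import hash (imphash) worked example: added here, not the report's or pefile's code."""
import hashlib
import re

# One row of the report's import table as rendered: the DLL name is fused to the function list.
IMPORT_ROW = re.compile(r"^(?P<dll>\S+?\.(?:dll|ocx|sys))(?P<funcs>.*)$", re.IGNORECASE)


def parse_report_rows(rows):
    """Turn 'GDI32.dllGetDeviceCaps, GetObjectA' style rows into (dll, [functions]) pairs."""
    parsed = []
    for row in rows:
        m = IMPORT_ROW.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised import row: {row!r}")
        funcs = [f.strip() for f in m.group("funcs").split(",") if f.strip()]
        parsed.append((m.group("dll"), funcs))
    return parsed


def strip_module_ext(dll: str) -> str:
    """Lower-case the module name and drop .dll/.ocx/.sys, as the imphash definition does."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports) -> str:
    """Canonical 'module.function,...' string in import-table order; reordering changes it."""
    parts = []
    for dll, funcs in imports:
        base = strip_module_ext(dll)
        for f in funcs:
            # Ordinal imports hash as 'ordN' here; pefile additionally maps known ordinals of
            # ws2_32/wsock32/oleaut32 back to names, which this example does not replicate.
            parts.append(f"{base}.ord{f}" if isinstance(f, int) else f"{base}.{f.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Rows copied from the report's import table (the long KERNEL32/USER32/ADVAPI32/SHELL32/ole32
# rows are left out, so this subset's hash is not the report's Import Hash).
REPORT_ROWS = [
    "COMCTL32.dll",
    "GDI32.dllGetDeviceCaps, GetObjectA, CreateCompatibleBitmap, SelectObject, StretchBlt, "
    "CreateCompatibleDC, DeleteObject, DeleteDC",
    "COMDLG32.dllGetSaveFileNameA, CommDlgExtendedError, GetOpenFileNameA",
    "OLEAUT32.dllVariantInit",
]

# Constructed input showing the ordinal case; COMCTL32 ordinal 17 is an assumption.
ORDINAL_IMPORTS = [("COMCTL32.dll", [17]), ("KERNEL32.dll", ["DeleteFileA", "CreateFileW"])]

if __name__ == "__main__":
    rows = parse_report_rows(REPORT_ROWS)
    print(imphash_string(rows))
    print(imphash(rows))
    print(imphash_string(ORDINAL_IMPORTS), imphash(ORDINAL_IMPORTS))
```

Because the hash covers names and order but not addresses or code, it survives recompilation of the same source with the same linker settings and is useful for clustering SFX stubs from one WinRAR version; it is not a code-similarity measure, and two unrelated programs using the same import library order can collide.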
Language of compilation system | Country where language is spoken | Map
English | United States |