Windows
Analysis Report
Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Overview
General Information
Detection
Score: | 3 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 40% |
Signatures
Classification
Analysis Advice
- Sample drops PE files which have not been started; submit dropped PE samples for a secondary analysis to Joe Sandbox
- Sample is looking for USB drives; launch the sample with the USB Fake Disk cookbook
- Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
- System is w10x64_ra
- Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe (PID: 6148, cmdline: "C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe", MD5: B543CA28C1FC8BE534A8A701A0A96964)
- setup.exe (PID: 6192, cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w, MD5: 3CBE75E9FCC9FA789A84FF883867CD90)
- msiexec.exe (PID: 6320, cmdline: MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe", MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 6400, cmdline: C:\Windows\system32\msiexec.exe /V, MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 1996, cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F87BDED09FA11A60C7FEB9A0B8A11B7C C, MD5: 9D09DC1EDA745A5F87553048E57620CF)
- cleanup
There are no malicious signatures.
Signature evidence rows by event category (row counts in parentheses):
- Static PE information (4)
- File opened (26)
- Classification label (1)
- File created (6, of which 4 refer to dropped files)
- File read (2)
- Key opened (1)
- Process created (9)
- Section loaded (116)
- Key value queried (1)
- File written (1)
- Window found (1)
- Static file information (1)
- Process information set (6)
- Dropped PE file which has not been started (3)
- File Volume queried (6)
- Queries volume information (2)
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Software Packing | OS Credential Dumping | 11 Peripheral Device Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Detection | Scanner |
---|---|
4% | ReversingLabs |

Detection | Scanner |
---|---|
0% | ReversingLabs |
0% | ReversingLabs |
0% | ReversingLabs |
0% | ReversingLabs |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1438600 |
Start date and time: | 2024-05-08 21:59:55 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 17 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Sample name: | Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe |
Detection: | CLEAN |
Classification: | clean3.winEXE@8/8@0/0 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Process: | C:\Windows\SysWOW64\msiexec.exe |
Category: | dropped |
Size (bytes): | 99648 |
Entropy (8bit): | 5.499169965794945 |
Encrypted: | false |
MD5: | 30C906DDC7AEE8899414F98FE9034132 |
SHA1: | 171F5D3379779EE165B4EF614638B75CF44F29A8 |
SHA-256: | 2AC85D37DCACE83FE72F960BAC4BA4DFCAC65DED2242C63261D227C9A7A22E4D |
SHA-512: | B2EADC0AC2D4C0C8787E6AEAFB526B6E8A96E987B5BD22B5BAE5FC932B0A9EA05A929FA807F48A8929B7C00184601C5D73AFBE5971295F1FC373178F583F5754 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe |
Category: | dropped |
Size (bytes): | 13660 |
Entropy (8bit): | 3.486384074808718 |
Encrypted: | false |
MD5: | 758747727E96A23C7C5A5BBB011656E4 |
SHA1: | 51CC637E7EB3451D6DFA9465D949D6DFB2CD65C9 |
SHA-256: | BAD3B2E854149DF9413F06E6C1C7B7C875545393877F59B59907F6B083CE5825 |
SHA-512: | 21FF9D365BEB1B7809B89D540F41BF330515F05F6211C8327BE43BAF1F050E46ECC1654B0696E7C82A2A803267E38D780FFD83DEA7448861F6E3B84838685627 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe |
Category: | dropped |
Size (bytes): | 14538947 |
Entropy (8bit): | 7.9977814426964215 |
Encrypted: | true |
MD5: | D798790881E6663275B0DEB78C5E1389 |
SHA1: | 6B2A904076565024122722EA6B91A525995F8BC3 |
SHA-256: | 30EC64EABACC6112DE2643E277F1660FC47EE5CEF3DC2F739E8137F63B66AC72 |
SHA-512: | 6E9DFEC5D84035165EB4633974085323BD825D63DF9F60320E8540398A9E7A3AC445C8129845EE7E7BFE1338AC58CEEA80F55A0927251AD1379F6EC6F6707728 |
Malicious: | false |
Reputation: | unknown |
C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.MSI
Process: | C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe |
Category: | dropped |
Size (bytes): | 2834432 |
Entropy (8bit): | 4.043447572238817 |
Encrypted: | false |
MD5: | B876CC0991FC55A4C7CC5B9B48BDBA86 |
SHA1: | 9D3A8891AE4578C86523663B6D6326E9CF08206E |
SHA-256: | 668D4EA8050A6FC3B6165F23D489615F8ADED2B50BE376B0B3FF5E4414705116 |
SHA-512: | B4F76B293DC85EAAC4B859E0FABA377289169466DBA363A00D85D0C42E8CC158B37F0DC6E2C0C0DA0AB672493885D40D9B2F941C5DDC76DCF7DC98CED602F246 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe |
Category: | dropped |
Size (bytes): | 2934 |
Entropy (8bit): | 5.443046971636431 |
Encrypted: | false |
MD5: | 497073452F115176668260571049BC75 |
SHA1: | EC94F04B9F31F5D5C08AA501E8D8CAE7D956A2B3 |
SHA-256: | 261DFAC64E66DD36740DEA1464C70146225C38B9B31C67713652D90D3DF4E0F2 |
SHA-512: | 3690B68AA52F0FE7FB11C62917131F0A69CF6DAC7D9F08F9364EBB0B70F0044A4A83A3FF0FD00BBFDD8C182113A9EB3E6A0DCE3DFE10A3FC6D3C2CB8B015A872 |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe |
Category: | dropped |
Size (bytes): | 1708856 |
Entropy (8bit): | 7.985483438485467 |
Encrypted: | false |
MD5: | 43F7305C2E5DD4A8F3C5ABEB2FFE4833 |
SHA1: | 03BDA624AB7F0D7CB9ADA41A960C35C0152F98FD |
SHA-256: | 267304EFCC831E35927C1F25D610D36FB64121D108A6F4FF0168C53DF01E2B16 |
SHA-512: | E24072F1B5B102FBD52126396854463FF07D8D0EFCE1D922ED99ACD0369CFF163E415ABC1FAEAF559EF7898E5F82945DB544A0F425DB0DB42696282D0ACD7C7C |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe |
Category: | dropped |
Size (bytes): | 1822520 |
Entropy (8bit): | 7.987680667971462 |
Encrypted: | false |
MD5: | 61A5FB191AE2AE876DB31DCCE75E4183 |
SHA1: | 751669C38B666C7435B2A65A5C6FE40435D59AAA |
SHA-256: | B93FDCD1136FAA9A8CB73A329B2F1F5F430A150DDCEC35DE916E3A1539F09351 |
SHA-512: | 76ED473FF370255E7B09A931C10E1AEA7D9D84B4655D85E9AD28FAA5F143BB9063C363829A28614FB89CD00C4755E825268123E5F6F4849A0DB9328297811FFC |
Malicious: | false |
Reputation: | unknown |
Process: | C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe |
Category: | dropped |
Size (bytes): | 626784 |
Entropy (8bit): | 6.6378258026818 |
Encrypted: | false |
MD5: | 3CBE75E9FCC9FA789A84FF883867CD90 |
SHA1: | 6D46C9922839ADACB2CFEF7332D82F3D5DB67047 |
SHA-256: | 59B670AA56C597DD5206A71C00431688B51D54473B7CD5321B62C8BB5C80EDD6 |
SHA-512: | 0B298AEADC895E1EBCD5F703407954C40B41631E50CACCC2D7301FE354C241CD34A4A569739CB662A92F1B3C685183E5B59D41EDF6D7661354A12C4A4885DE22 |
Malicious: | false |
Reputation: | unknown |
Entropy (8bit): | 7.7277869861460955 |
File name: | Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe |
File size: | 21'640'831 bytes |
MD5: | b543ca28c1fc8be534a8a701a0a96964 |
SHA1: | df7680b5721f14631bd12aa7511171e5dd36e2e9 |
SHA256: | bdb793b89f3ac3487cac8d5333d12ce2969c22de97941eab01a2c55b9f97b4f9 |
SHA512: | b8577e322ccb9fbf011a7965ac99cbdc941e5cf7c3acd8269de80f531b8afec85fb6526a29e2a6a8e746663d03fc15861066ad9fcdf44e8c7045e15ec9415ec4 |
SSDEEP: | 393216:uxIq4jHe3fR8SVcvN5wGRwyz2yMBMG+tBZHlI7xseJWGhrr26oXoEoXom:4aHeCSVcvLwGWph+9FqxQGhboXoEoXom |
TLSH: | 3E2723B226A15D77D1231530687D0322A6B8FC205F25A7EFB34DFD5819F3A52093BB29 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9.o.9.o.9.o..a..1.o..a..*.o.9.n...o.'...<.o.0...8.o.0.....o.0...8.o.'...8.o.0...8.o.Rich9.o.........PE..L....'dJ........... |
Icon Hash: | 2775250905472797 |
Entrypoint: | 0x40a794 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4A6427AF [Mon Jul 20 08:15:43 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 50610e34092d6ce13e51e7c9d5197081 |
Instruction |
---|
call 00007F3D346BEF18h |
xor eax, eax |
push eax |
push eax |
push eax |
push eax |
call 00007F3D346C1B89h |
ret |
push esi |
push edi |
mov edi, dword ptr [esp+0Ch] |
mov esi, ecx |
mov ecx, edi |
mov dword ptr [esi], edi |
call 00007F3D346B9817h |
mov dword ptr [esi+08h], eax |
mov dword ptr [esi+0Ch], edx |
mov eax, dword ptr [edi+00000C1Ch] |
mov dword ptr [esi+10h], eax |
pop edi |
mov eax, esi |
pop esi |
retn 0004h |
mov eax, ecx |
mov ecx, dword ptr [eax] |
mov edx, dword ptr [eax+10h] |
cmp edx, dword ptr [ecx+00000C1Ch] |
jne 00007F3D346BF03Fh |
push 00000000h |
push dword ptr [eax+0Ch] |
push dword ptr [eax+08h] |
call 00007F3D346B9CF6h |
ret |
push ebp |
mov ebp, esp |
sub esp, 1Ch |
push esi |
xor esi, esi |
push esi |
push esi |
push esi |
push esi |
lea eax, dword ptr [ebp-1Ch] |
push eax |
call dword ptr [00412230h] |
test eax, eax |
je 00007F3D346BF053h |
push esi |
push esi |
push esi |
lea eax, dword ptr [ebp-1Ch] |
push eax |
call dword ptr [00412234h] |
lea eax, dword ptr [ebp-1Ch] |
push eax |
call dword ptr [00412280h] |
lea eax, dword ptr [ebp-1Ch] |
push eax |
call dword ptr [00412238h] |
pop esi |
leave |
ret |
push ebp |
mov ebp, esp |
sub esp, 64h |
push 00000064h |
lea eax, dword ptr [ebp-64h] |
push eax |
push 0000000Fh |
push 00000400h |
call dword ptr [004120C8h] |
movsx eax, byte ptr [ebp-64h] |
leave |
ret |
push ebp |
mov ebp, esp |
sub esp, 34h |
push ebx |
xor ebx, ebx |
push esi |
push edi |
cmp dword ptr [004140B0h], ebx |
jne 00007F3D346BF04Ch |
call 00007F3D346BF0FEh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x13750 | 0x33 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x128dc | 0xc8 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x3e60 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x122a0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x2a0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1067c | 0x10800 | 69179a2ddb5ddb2aed3f724a98950dc7 | False | 0.6345584753787878 | data | 6.560869808804803 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x12000 | 0x17d5 | 0x1800 | 99f53b7cce8f0e5e290cb103afbe327e | False | 0.4837239583333333 | data | 5.509092726674668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x14000 | 0xbff4 | 0x200 | 2821477811bfd11f4acd2c1da2aba6da | False | 0.509765625 | data | 3.5434406280093995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0x20000 | 0x10 | 0x200 | 324bcdad78da9eab2e1651550291e550 | False | 0.044921875 | data | 0.21310128450968063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x21000 | 0x3e60 | 0x4000 | cf437d4894a449115cb977a950609e7d | False | 0.3485107421875 | data | 4.663193628915761 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_BITMAP | 0x226f0 | 0xbb6 | Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m | English | United States | 0.2581721147431621 |
RT_ICON | 0x21490 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.6047297297297297 |
RT_ICON | 0x215b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4703757225433526 |
RT_ICON | 0x21b20 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4986559139784946 |
RT_ICON | 0x21e08 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.4444945848375451 |
RT_DIALOG | 0x23b50 | 0x282 | data | English | United States | 0.5062305295950156 |
RT_DIALOG | 0x23930 | 0x136 | data | English | United States | 0.6064516129032258 |
RT_DIALOG | 0x23a68 | 0xe8 | data | English | United States | 0.6939655172413793 |
RT_DIALOG | 0x23800 | 0x12a | data | English | United States | 0.587248322147651 |
RT_DIALOG | 0x234c8 | 0x334 | data | English | United States | 0.43414634146341463 |
RT_DIALOG | 0x232a8 | 0x21e | data | English | United States | 0.5645756457564576 |
RT_STRING | 0x24390 | 0x22c | data | English | United States | 0.420863309352518 |
RT_STRING | 0x245c0 | 0x3b2 | data | English | United States | 0.3964059196617336 |
RT_STRING | 0x24978 | 0x212 | data | English | United States | 0.4339622641509434 |
RT_STRING | 0x24b90 | 0x27e | data | English | United States | 0.4122257053291536 |
RT_STRING | 0x24e10 | 0x4c | data | English | United States | 0.631578947368421 |
RT_GROUP_ICON | 0x226b0 | 0x3e | data | English | United States | 0.8387096774193549 |
RT_MANIFEST | 0x23dd8 | 0x5b8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4385245901639344 |
DLL | Import |
---|---|
COMCTL32.dll | |
KERNEL32.dll | DeleteFileA, DeleteFileW, CreateDirectoryA, CreateDirectoryW, FindClose, FindNextFileA, FindFirstFileA, FindNextFileW, FindFirstFileW, GetTickCount, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GlobalAlloc, lstrlenA, GetModuleFileNameA, FindResourceA, GetModuleHandleA, HeapAlloc, GetProcessHeap, HeapFree, HeapReAlloc, CompareStringA, ExitProcess, GetLocaleInfoA, GetNumberFormatA, GetProcAddress, DosDateTimeToFileTime, GetDateFormatA, GetTimeFormatA, FileTimeToSystemTime, FileTimeToLocalFileTime, ExpandEnvironmentStringsA, WaitForSingleObject, SetCurrentDirectoryA, Sleep, GetTempPathA, MoveFileExA, GetModuleFileNameW, SetEnvironmentVariableA, GetCommandLineA, LocalFileTimeToFileTime, SystemTimeToFileTime, GetSystemTime, IsDBCSLeadByte, GetCPInfo, FreeLibrary, LoadLibraryA, GetCurrentDirectoryA, GetFullPathNameA, SetFileAttributesW, SetFileAttributesA, GetFileAttributesW, GetFileAttributesA, WriteFile, GetStdHandle, ReadFile, SetLastError, CreateFileW, CreateFileA, GetFileType, SetEndOfFile, SetFilePointer, MoveFileA, SetFileTime, GetCurrentProcess, CloseHandle, GetLastError, lstrcmpiA |
USER32.dll | ReleaseDC, GetDC, SendMessageA, wsprintfA, SetDlgItemTextA, EndDialog, DestroyIcon, SendDlgItemMessageA, GetDlgItemTextA, DialogBoxParamA, IsWindowVisible, WaitForInputIdle, GetSysColor, PostMessageA, SetMenu, SetFocus, LoadBitmapA, LoadIconA, CharToOemA, OemToCharA, GetClassNameA, CharUpperA, GetWindowRect, GetParent, MapWindowPoints, CreateWindowExA, UpdateWindow, SetWindowTextA, LoadCursorA, RegisterClassExA, SetWindowLongA, GetWindowLongA, DefWindowProcA, PeekMessageA, GetMessageA, DispatchMessageA, DestroyWindow, GetClientRect, CopyRect, IsWindow, MessageBoxA, ShowWindow, GetDlgItem, EnableWindow, FindWindowExA, wvsprintfA, CharToOemBuffA, LoadStringA, SetWindowPos, GetWindowTextA, GetWindow, GetSystemMetrics, OemToCharBuffA, TranslateMessage |
GDI32.dll | GetDeviceCaps, GetObjectA, CreateCompatibleBitmap, SelectObject, StretchBlt, CreateCompatibleDC, DeleteObject, DeleteDC |
COMDLG32.dll | GetSaveFileNameA, CommDlgExtendedError, GetOpenFileNameA |
ADVAPI32.dll | LookupPrivilegeValueA, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegCloseKey, SetFileSecurityW, SetFileSecurityA, OpenProcessToken, AdjustTokenPrivileges |
SHELL32.dll | ShellExecuteExA, SHFileOperationA, SHGetFileInfoA, SHGetSpecialFolderLocation, SHGetMalloc, SHBrowseForFolderA, SHGetPathFromIDListA, SHChangeNotify |
ole32.dll | CreateStreamOnHGlobal, OleInitialize, CoCreateInstance, OleUninitialize, CLSIDFromString |
OLEAUT32.dll | VariantInit |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |