Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Jw1Ua7eGIy

Overview

General Information

Sample name:	Jw1Ua7eGIy renamed because original name is a hash value
Original sample name:	339755fa1ea64f3f0f7ce7950d8186ef008655369fbe527750eccabe9aaeb3e8
Analysis ID:	1598458
MD5:	81f58e67dcf91406a7f0f2aa59f0cf26
SHA1:	9b820051894cd024b5ebb72c019fba0eca85d55e
SHA256:	339755fa1ea64f3f0f7ce7950d8186ef008655369fbe527750eccabe9aaeb3e8
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Renames NTDLL to bypass HIPS

Drops PE files

Enables debug privileges

Enables driver privileges

Enables security privileges

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

×

Process Tree

System is w10x64_ra

Jw1Ua7eGIy.exe (PID: 5992 cmdline: "C:\Users\user\Desktop\Jw1Ua7eGIy.exe" MD5: 81F58E67DCF91406A7F0F2AA59F0CF26)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Jw1Ua7eGIy	ReversingLabs: Detection: 83%
Source: Jw1Ua7eGIy	Virustotal: Detection: 73%			Perma Link

Source: Jw1Ua7eGIy

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: global traffic	HTTP traffic detected: HEAD / HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: zh-cnReferer: http://www.baidu.com/User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)Host: www.baidu.com
Source: global traffic	HTTP traffic detected: HEAD / HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: zh-cnReferer: http://www.baidu.com/User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)Host: www.baidu.com
Source: global traffic	HTTP traffic detected: HEAD / HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: zh-cnReferer: http://www.baidu.com/User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)Host: www.baidu.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: www.baidu.com

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

Process token adjusted: Load Driver

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

Process token adjusted: Security

Source: Jw1Ua7eGIy

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.evad.win@1/4@3/23

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

File created: C:\Users\user\Desktop\ \

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

File created: C:\Users\user\AppData\Local\Temp\5cd9c6.tmp

Source: Jw1Ua7eGIy

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

File read: C:\Users\user\Desktop\ \ .ini

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Jw1Ua7eGIy	ReversingLabs: Detection: 83%
Source: Jw1Ua7eGIy	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: winhttpcom.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: webio.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Section loaded: iertutil.dll

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

File written: C:\Users\user\Desktop\ \ .ini

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe

Window found: window name: SysTabControl32

Source: Jw1Ua7eGIy

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Jw1Ua7eGIy

Static file information: File size 1966080 > 1048576

Source: Jw1Ua7eGIy

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x128000

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	File created: C:\Users\user\AppData\Local\Temp\5cd9c6.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	File created: C:\Users\user\AppData\Local\Temp\5cda33.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Renames NTDLL to bypass HIPS

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	File opened: C:\Windows\SysWOW64\ntdll.dll
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	File opened: C:\Windows\SysWOW64\ntdll.dll

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5cd9c6.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5cda33.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe TID: 6344	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe TID: 6400	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe TID: 6348	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe TID: 6344	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Jw1Ua7eGIy.exe	Process token adjusted: Debug

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Jw1Ua7eGIy	83%	ReversingLabs	Win32.PUA.Packunwan
Jw1Ua7eGIy	74%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\5cd9c6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\5cd9c6.tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\5cda33.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\5cda33.tmp	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.wshifen.com	103.235.47.188	true	false		high
www.baidu.com	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.235.47.188	www.wshifen.com	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
103.235.46.96	unknown	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1598458
Start date and time:	2025-01-24 10:05:34 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Jw1Ua7eGIy renamed because original name is a hash value
Original Sample Name:	339755fa1ea64f3f0f7ce7950d8186ef008655369fbe527750eccabe9aaeb3e8
Detection:	MAL
Classification:	mal52.evad.win@1/4@3/23

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information

Created / dropped Files

C:\Users\user\AppData\Local\Temp\5cd9c6.tmp

Process:	C:\Users\user\Desktop\Jw1Ua7eGIy.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5cda33.tmp

Process:	C:\Users\user\Desktop\Jw1Ua7eGIy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\ \ .ini

Process:	C:\Users\user\Desktop\Jw1Ua7eGIy.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	4.848891775683341
Encrypted:	false
SSDEEP:
MD5:	5DC802E89EC0DEB285F71E6FE6170FA0
SHA1:	C29A45FA276E7A482960E6408AFB901B04CCCFE1
SHA-256:	C02D1415BE3BB27FC215C30C450354D0B059A6A706CCF97900B8BAFEDB2B5253
SHA-512:	55013E5D4DC402E28BC9CD60628C8C146BF724F0E806309FD43666DBE8B75771CB020E50B229192CD9D38E87B4E242DFDB516580550A98D46D5BBCD5AA5695E6
Malicious:	false
Reputation:	unknown
Preview:	[....]...........=32..........13=............13=...........13=..........14=............14=...........14=..........15=............15=...........15=..........16=............16=...........16=..........9=............9=...........9=..........10=............10=...........10=..........11=............11=...........11=..........12=............12=...........12=..........5=............5=...........5=..........6=............6=...........6=..........7=............7=...........7=..........8=............8=...........8=..........4=............4=...........4=..........3=............3=...........3=..........2=............2=...........2=............1=...........1=..........1=..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.518213571267381
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Jw1Ua7eGIy
File size:	1'966'080 bytes
MD5:	81f58e67dcf91406a7f0f2aa59f0cf26
SHA1:	9b820051894cd024b5ebb72c019fba0eca85d55e
SHA256:	339755fa1ea64f3f0f7ce7950d8186ef008655369fbe527750eccabe9aaeb3e8
SHA512:	a41c9f7a762ddbbbb859fc66c374a8d43a2f7d27c102446979c4d505e8b9f46f6a7ef739494fcd7705a2f70fb2a3b6f5520b7472579d0cdd92f646e4e60b8791
SSDEEP:	24576:dFH6RN4saziteyzMVkbkc+/PrP7W4VW5eKz5ohGHbVdCHBIZ740Q5yv49s:dMZHzc7MeK+iJdChqQG
TLSH:	B8958D23B103C0B2E11A1EF291A51B78ADB44B692C78D69BFBE0DD657C72432D77620D
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........+.r.Jr!.Jr!.Jr!.Uy!.Jr!.Ux!.Jr!.V\|!.Jr!.V~!.Jr!.Ua!.Jr!.Ua!.Jr!.Js!.Hr!.B/!.Jr!.ly!.Jr!.lx!OJr!pUy!.Jr!pUx!.Jr!.Jr!.Jr!_Lt!.Jr

File Icon


Icon Hash:	9eb3c18c2ceea99a

Static PE Info

General

Entrypoint:	0x508081
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x675B0EEA [Thu Dec 12 16:27:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1842a2bea56f918ab8efc402aa0c88e7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 005B6F18h
push 0050B254h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00529184h]
xor edx, edx
mov dl, ah
mov dword ptr [00607494h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00607490h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0060748Ch], ecx
shr eax, 10h
mov dword ptr [00607488h], eax
push 00000001h
call 00007F387C6C805Ch
pop ecx
test eax, eax
jne 00007F387C6C2DCAh
push 0000001Ch
call 00007F387C6C2E88h
pop ecx
call 00007F387C6C7E07h
test eax, eax
jne 00007F387C6C2DCAh
push 00000010h
call 00007F387C6C2E77h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F387C6C7C35h
call dword ptr [00529324h]
mov dword ptr [0060C6C4h], eax
call 00007F387C6C7AF3h
mov dword ptr [00607400h], eax
call 00007F387C6C789Ch
call 00007F387C6C77DEh
call 00007F387C6C6A95h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [005291B0h]
call 00007F387C6C776Fh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F387C6C2DC8h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1befe8	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20d000	0x5958	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x129000	0x728	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1275be	0x128000	0512cd3a237dfcd6cf4cc21edf9d374a	False	0.4221974965688345	data	6.447154656554235	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x129000	0x98470	0x99000	37877205610508fc966267d5d4989dca	False	0.5766984528186274	data	6.6148385786976895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c2000	0x4a6ca	0x18000	dc162f5d39a0ccb6ff040fd8bce7a3ad	False	0.2975565592447917	data	5.020245712398399	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x20d000	0x5958	0x6000	528ca5b2cec3665728cc3ed6a9aaab74	False	0.2978515625	data	4.822628667004094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x20dbfc	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x20dc08	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x20dc20	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
RT_CURSOR	0x20dd74	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x20dea8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x20dfdc	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x20e110	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0x20e1c4	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x20e40c	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x20e550	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x20e6a8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x20e800	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x20e958	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x20eab0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x20ec08	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x20ed60	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x20eeb8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x20f010	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x20f5f4	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x20f6ac	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x20f818	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x20f95c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x20fc44	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x20fd6c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.3885135135135135
RT_ICON	0x20fe94	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.33198924731182794
RT_ICON	0x21017c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536			0.22378048780487805
RT_MENU	0x2107e4	0xc	data	Chinese	China	1.5
RT_MENU	0x2107f0	0x284	data	Chinese	China	0.5
RT_DIALOG	0x210a74	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x210b0c	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x210c88	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x210d84	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x210e70	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x211720	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x2117d4	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x2118a0	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x211954	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x211a38	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x211bc4	0x50	data	Chinese	China	0.85
RT_STRING	0x211c14	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x211c40	0x78	data	Chinese	China	0.925
RT_STRING	0x211cb8	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x211e7c	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x211fa8	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x2120f0	0x40	data	Chinese	China	0.65625
RT_STRING	0x212130	0x64	data	Chinese	China	0.73
RT_STRING	0x212194	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x21236c	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x212480	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x2124a4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x2124b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x2124cc	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x2124f0	0x30	data			0.9166666666666666
RT_GROUP_ICON	0x212520	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x212534	0x14	data	Chinese	China	1.25
RT_VERSION	0x212548	0x240	data	Chinese	China	0.5642361111111112
RT_MANIFEST	0x212788	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
WINMM.dll	midiStreamOut, midiOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, waveOutGetNumDevs, waveOutOpen, midiOutUnprepareHeader, midiStreamOpen, midiStreamProperty, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutUnprepareHeader, waveOutRestart, waveOutPrepareHeader
WS2_32.dll	WSACleanup, inet_ntoa, closesocket, getpeername, accept, ntohl, WSAAsyncSelect, recvfrom, ioctlsocket, recv
KERNEL32.dll	GetCurrentProcess, TerminateProcess, SetLastError, GetTimeZoneInformation, GetVersion, CreateMutexA, ReleaseMutex, GetFileSize, SuspendThread, GetACP, HeapSize, RaiseException, GetLocalTime, GetSystemTime, RtlUnwind, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, FileTimeToSystemTime, LocalFree, InterlockedDecrement, InterlockedIncrement, SetFilePointer, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, GetModuleFileNameA, WideCharToMultiByte, MultiByteToWideChar, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, InterlockedExchange, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, GetFileAttributesA, DeleteFileA, CreateDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, WaitForSingleObject, CloseHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, TerminateThread
USER32.dll	DestroyAcceleratorTable, GetWindow, GetActiveWindow, SetFocus, IsIconic, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, GetSysColorBrush, IsZoomed, PostQuitMessage, CopyAcceleratorTableA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, ShowWindow, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, CreateAcceleratorTableA, CreateMenu, ModifyMenuA, AppendMenuA, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, CopyRect, LoadBitmapA, WinHelpA, SetRectEmpty, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, LoadStringA, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, PeekMessageA, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, SetMenu, GetMenu, DispatchMessageA, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, TranslateMessage, LoadIconA, GetKeyboardLayout, VkKeyScanExA, GetDesktopWindow, GetClassNameA, keybd_event, GetDlgItem, GetWindowTextA, DeleteMenu, GetSystemMenu, DefWindowProcA, EnableWindow, GetClassInfoA, KillTimer, UnregisterClassA, CreatePopupMenu, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, GetScrollPos, AdjustWindowRectEx, MapWindowPoints, SendDlgItemMessageA, ScrollWindowEx, IsDialogMessageA, SetWindowTextA, MoveWindow, CheckMenuItem
GDI32.dll	TextOutA, RectVisible, PtVisible, GetViewportExtEx, ExtSelectClipRgn, LineTo, MoveToEx, ExcludeClipRect, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, Ellipse, Rectangle, LPtoDP, ExtTextOutA, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, CreateRectRgnIndirect, SetBkColor, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, Escape, GetTextMetricsA, GetStockObject, CreateFontIndirectA, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetDIBits, RealizePalette, GetSystemPaletteEntries, StretchBlt, DPtoLP, SelectPalette, CreatePalette
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll	RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegQueryValueA, RegCreateKeyExA, RegCloseKey
SHELL32.dll	ShellExecuteA, Shell_NotifyIconA
ole32.dll	CLSIDFromProgID, OleRun, CoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize
OLEAUT32.dll	UnRegisterTypeLib, LoadTypeLib, LHashValOfNameSys, RegisterTypeLib, SafeArrayPutElement, SafeArrayCreate, SafeArrayDestroy, SysAllocString, VariantInit, VariantCopyInd, SafeArrayGetElement, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, VariantChangeType, VariantClear
COMCTL32.dll	ImageList_Destroy
comdlg32.dll	ChooseColorA, GetFileTitleA, GetSaveFileNameA, GetOpenFileNameA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China