Loading ...

Play interactive tourEdit tour

Analysis Report PC21-270421.exe

Overview

General Information

Sample Name:PC21-270421.exe
Analysis ID:430961
MD5:140733109e3a3b3de2ae1aaf164178da
SHA1:5f8685572c91386045a5f458b298ee8c6934277c
SHA256:4bb04df120eb27c3f5b3a46a54891b927fe4232fdaf75b9ecaddc2f24d61533c
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:57
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains capabilities to detect virtual machines
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • PC21-270421.exe (PID: 6376 cmdline: 'C:\Users\user\Desktop\PC21-270421.exe' MD5: 140733109E3A3B3DE2AE1AAF164178DA)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1IyeIvFG2j6rM8MkH-OGyKJbMY3m1XbJ6"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
PC21-270421.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: PC21-270421.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1IyeIvFG2j6rM8MkH-OGyKJbMY3m1XbJ6"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: PC21-270421.exeVirustotal: Detection: 33%Perma Link
    Source: PC21-270421.exeReversingLabs: Detection: 17%
    Source: PC21-270421.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1IyeIvFG2j6rM8MkH-OGyKJbMY3m1XbJ6

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004014B8
    Source: PC21-270421.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: PC21-270421.exe, 00000000.00000000.658336766.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameINDFRELSENS.exe vs PC21-270421.exe
    Source: PC21-270421.exe, 00000000.00000002.685380233.00000000021E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PC21-270421.exe
    Source: PC21-270421.exeBinary or memory string: OriginalFilenameINDFRELSENS.exe vs PC21-270421.exe
    Source: PC21-270421.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal57.rans.troj.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\PC21-270421.exeFile created: C:\Users\user\Desktop\BortdsledesJump to behavior
    Source: PC21-270421.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\PC21-270421.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\PC21-270421.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: PC21-270421.exeVirustotal: Detection: 33%
    Source: PC21-270421.exeReversingLabs: Detection: 17%
    Source: C:\Users\user\Desktop\PC21-270421.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    Source: C:\Users\user\Desktop\PC21-270421.exeAutomated click: OK
    Source: C:\Users\user\Desktop\PC21-270421.exeAutomated click: OK
    Source: C:\Users\user\Desktop\PC21-270421.exeAutomated click: OK
    Source: Window RecorderWindow detected: More than 3 window changes detected

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: PC21-270421.exe, type: SAMPLE
    Source: Yara matchFile source: 0.0.PC21-270421.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PC21-270421.exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00410040 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040D844 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040F844 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040B04B push ebx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0041004C push ebx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040E050 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00415051 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0041105B push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040785C push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00410861 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040F862 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040C066 push ebx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040D870 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040B874 push ebx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00408078 push ebx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040A008 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040B809 push ebx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040900F push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0041601A push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00406021 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040F025 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00414028 push edi; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0041402A push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00407034 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00410038 push ebx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004078D4 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004068D4 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004090DC push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004090E4 push ebx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004080E9 push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004108ED push edx; iretd
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PC21-270421.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\PC21-270421.exeAPI coverage: 0.6 %
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\PC21-270421.exeQueries volume information: unknown VolumeInformation

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionMasquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion1LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    PC21-270421.exe33%VirustotalBrowse
    PC21-270421.exe17%ReversingLabsWin32.Infostealer.VBodius

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:32.0.0 Black Diamond
    Analysis ID:430961
    Start date:08.06.2021
    Start time:09:38:59
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 3m 27s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:PC21-270421.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal57.rans.troj.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 2.9% (good quality ratio 0.6%)
    • Quality average: 12.4%
    • Quality standard deviation: 25%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.5836210897416745
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:PC21-270421.exe
    File size:147456
    MD5:140733109e3a3b3de2ae1aaf164178da
    SHA1:5f8685572c91386045a5f458b298ee8c6934277c
    SHA256:4bb04df120eb27c3f5b3a46a54891b927fe4232fdaf75b9ecaddc2f24d61533c
    SHA512:4877a2f6b11143837daa69527b42307c1381e0aec14ada161157937ad4bed29dbf9e5c27734d976c11bc37d3caf901066e84d4f0d041092c71dace2010d613c7
    SSDEEP:1536:ELaMxQEBAFJaW5RmJjug+YbhRjurq7NxYZMvkastkn23U:EGOImpu5eRjurq7NuZM8aslk
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...`..`.....................0............... ....@................

    File Icon

    Icon Hash:20047c7c70f0e004

    Static PE Info

    General

    Entrypoint:0x4014b8
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x60BDFA60 [Mon Jun 7 10:52:16 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:b1d5215cf0ff1abab4dacdc311d642d4

    Entrypoint Preview

    Instruction
    push 00401768h
    call 00007F7AF8997755h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edx], dl
    cmp eax, 5CE0EAF8h
    fisttp word ptr [eax-65h]
    mov ebx, 5C7651BAh
    cmpsb
    sub byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [edx+00h], al
    xchg byte ptr [eax-7Dh], dl
    add dword ptr [ebp+64h], edx
    jnc 00007F7AF89977CDh
    jc 00007F7AF89977C3h
    bound ebp, dword ptr [esi+69h]
    outsb
    jnc 00007F7AF8997763h
    sub dword ptr [edx], edx
    add eax, dword ptr [eax]
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    or byte ptr [ecx], dh
    hlt
    mov byte ptr [8C30EA80h], al
    inc esi
    mov edi, 55DE3260h
    mov esp, 829DFCC8h
    inc eax
    insd
    inc byte ptr [ecx-59h]
    dec esp
    mov seg?, cx
    outsd
    fsub dword ptr [ebx]
    mov ebx, 4F3AB413h
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    movsd
    add dword ptr [eax], eax
    add byte ptr [esi+00h], dl
    add byte ptr [eax], al
    add byte ptr [eax+eax], cl
    inc esp
    popad
    outsb
    jnc 00007F7AF89977CDh
    jbe 00007F7AF89977C3h
    outsb
    jc 00007F7AF89977D7h
    add byte ptr [54000E01h], cl
    add byte ptr [bx+si], al

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x20c340x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x240000xa04.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x154.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x201ac0x21000False0.324573863636data4.82414979296IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x220000x12340x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x240000xa040x1000False0.182373046875data2.19382824201IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x248d40x130data
    RT_ICON0x245ec0x2e8data
    RT_ICON0x244c40x128GLS_BINARY_LSB_FIRST
    RT_GROUP_ICON0x244940x30data
    RT_VERSION0x241500x344dataSesotho (Sutu)South Africa

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0430 0x04b0
    LegalCopyrightYonyou Network
    InternalNameINDFRELSENS
    FileVersion1.00
    CompanyNameYonyou Network
    LegalTrademarksYonyou Network
    CommentsYonyou Network
    ProductNameYonyou Network
    ProductVersion1.00
    FileDescriptionYonyou Network
    OriginalFilenameINDFRELSENS.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    Sesotho (Sutu)South Africa

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:09:39:52
    Start date:08/06/2021
    Path:C:\Users\user\Desktop\PC21-270421.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\PC21-270421.exe'
    Imagebase:0x400000
    File size:147456 bytes
    MD5 hash:140733109E3A3B3DE2AE1AAF164178DA
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >