Play interactive tour

Edit tour

Windows Analysis Report setup.exe

Overview

General Information

Sample Name:	setup.exe
Analysis ID:	502663
MD5:	fe5c2e1333b4477d029dedc9c1b5dd4d
SHA1:	ce7e5a597b98eb1ec36a48e4368997b787228544
SHA256:	fc91558efb40b16dd9f6b0e93c972a0f1ff85cad3ddefdd7028c2628d75a9ab9
Infos:
Most interesting Screenshot:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Uses 32bit PE files

PE file contains strange resources

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

PE file contains executable resources (Code or Archives)

Classification

Process Tree

System is w10x64

setup.exe (PID: 7152 cmdline: 'C:\Users\user\Desktop\setup.exe' MD5: FE5C2E1333B4477D029DEDC9C1B5DD4D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: setup.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED

Source:

Binary string: c:\P4\NIInstallers\trunk\17.5\src\MetaInstaller\Unicode_Release\setup.pdb source: setup.exe, 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00531CB0 FindFirstFileW,FindClose,

Source: setup.exe	String found in binary or memory: http://apache.org/xml/UknownNS
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://apache.org/xml/UknownNSUCS4UCS-4UCS_4UCS-4
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/calculate-src-ofs
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/disable-default-entity-resolution
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/dom-has-psvi-info
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/dom/byte-order-mark
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/dom/user-adopts-DOMDocument
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/schema/ignore-annotations
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation-error-as-fatal
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/cache-grammarFromParse
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checking
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/ignoreCachedDTD
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/schema/skip-dtd-validation
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/validation/use-cachedGrammarInParse
Source: setup.exe	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: setup.exe	String found in binary or memory: http://apache.org/xml/messages/XMLDOMMsg
Source: setup.exe	String found in binary or memory: http://apache.org/xml/messages/XMLErrors
Source: setup.exe	String found in binary or memory: http://apache.org/xml/messages/XMLValidity
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHxmlxml
Source: setup.exe	String found in binary or memory: http://apache.org/xml/parser-use-DOMDocument-from-Implementation
Source: setup.exe	String found in binary or memory: http://apache.org/xml/properties/scannerName
Source: setup.exe	String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: setup.exe	String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: setup.exe	String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: setup.exe, setup.exe, 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartup
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartupSOFTWARE
Source: setup.exe, setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/exke86
Source: setup.exe	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: setup.exe	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: setup.exe	String found in binary or memory: http://xml.org/sax/features/validation

Source: setup.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED

Source: setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_005780FA
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_005713F0
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00587710

Source: setup.exe	Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: setup.exe	Static PE information: Resource name: RT_GROUP_CURSOR type: unicos (cray) executable

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_005F67C0 FormatMessageW,GetLastError,

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_0053F498 FindResourceW,LoadResource,LockResource,FreeResource,

Source: setup.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: setup.exe	String found in binary or memory: jp-ocr-b-add
Source: setup.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: setup.exe	String found in binary or memory: jp-ocr-hand-add
Source: setup.exe	String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: setup.exe	String found in binary or memory: pre-install
Source: setup.exe	String found in binary or memory: ISO_6937-2-add
Source: setup.exe	String found in binary or memory: The host/address '{0}' could not be resolved
Source: setup.exe	String found in binary or memory: "%s" -startDir "%s" -xmlPath "%s"
Source: setup.exe	String found in binary or memory: NATS-SEFI-ADD
Source: setup.exe	String found in binary or memory: NATS-DANO-ADD
Source: setup.exe	String found in binary or memory: "%s" -v -startDir "%s" -xmlPath "%s"
Source: setup.exe	String found in binary or memory: "%s" -filePath "%s" -startDir "%s" -xmlPath "%s"
Source: setup.exe	String found in binary or memory: User agreed to pre-install.
Source: setup.exe	String found in binary or memory: .NET 3.5 pre-install is needed, but user denied the prompt to install. Cannot continue - exiting.
Source: setup.exe	String found in binary or memory: .NET 3.5 pre-install is disabled via command-line or setup.ini flag -- nothing to do.
Source: setup.exe	String found in binary or memory: .NET 3.5 pre-install is not required on this OS -- nothing to do.
Source: setup.exe	String found in binary or memory: .NET 3.5 not in distribution or pre-install disabled -- nothing to do.
Source: setup.exe	String found in binary or memory: .NET 4.0 pre-install is needed, but user denied the prompt to install. Cannot continue - exiting.
Source: setup.exe	String found in binary or memory: .NET 4.x pre-install is disabled via command-line or setup.ini flag -- nothing to do.
Source: setup.exe	String found in binary or memory: .NET 4.5.x or 4.6.x install requested, but we are on Server 2003 or XP. Skipping pre-install so that the distribution launch (or m
Source: setup.exe	String found in binary or memory: .NET 4.x not in distribution or pre-install disabled -- nothing to do.

Source: classification engine

Classification label: clean5.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\setup.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: setup.exe

Static file information: File size 1466368 > 1048576

Source: setup.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x144200

Source:

Binary string: c:\P4\NIInstallers\trunk\17.5\src\MetaInstaller\Unicode_Release\setup.pdb source: setup.exe, 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0057683A push ecx; ret
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00576B39 push ecx; ret

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_0058D233 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00538C8C MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,

Source: C:\Users\user\Desktop\setup.exe

Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\setup.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\setup.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00531CB0 FindFirstFileW,FindClose,

Source: setup.exe

Binary or memory string: hGfsu

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00570867 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\setup.exe

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00570867 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0056F98F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\setup.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\setup.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Users\user\Desktop\setup.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\setup.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_005319A0 GetVersionExW,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Path Interception	Software Packing1	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information11	LSASS Memory	Application Window Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
setup.exe	1%	Virustotal	Browse
setup.exe	5%	Metadefender	Browse
setup.exe	7%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://apache.org/xml/parser-use-DOMDocument-from-Implementation	setup.exe	false	high
http://apache.org/xml/messages/XMLValidity	setup.exe	false	high
http://apache.org/xml/features/validation/dynamic	setup.exe	false	high
http://apache.org/xml/features/continue-after-fatal-error	setup.exe	false	high
http://apache.org/xml/features/standard-uri-conformant	setup.exe	false	high
http://apache.org/xml/properties/schema/external-schemaLocation	setup.exe	false	high
http://apache.org/xml/features/dom-has-psvi-info	setup.exe	false	high
http://apache.org/xml/features/validation/identity-constraint-checking	setup.exe	false	high
http://apache.org/xml/UknownNSUCS4UCS-4UCS_4UCS-4	setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	false	high
http://apache.org/xml/features/validate-annotations	setup.exe	false	high
http://apache.org/xml/features/dom/byte-order-mark	setup.exe	false	high
http://xml.org/sax/features/namespaces	setup.exe	false	high
http://apache.org/xml/features/dom/user-adopts-DOMDocument	setup.exe	false	high
http://apache.org/xml/features/nonvalidating/load-external-dtd	setup.exe	false	high
http://apache.org/xml/features/validation/schema-full-checking	setup.exe	false	high
http://apache.org/xml/features/schema/ignore-annotations	setup.exe	false	high
http://xml.org/sax/features/namespace-prefixes	setup.exe	false	high
http://apache.org/xml/features/generate-synthetic-annotations	setup.exe	false	high
http://apache.org/xml/UknownNS	setup.exe	false	high
http://apache.org/xml/features/validation-error-as-fatal	setup.exe	false	high
http://apache.org/xml/features/calculate-src-ofs	setup.exe	false	high
http://apache.org/xml/features/validation/cache-grammarFromParse	setup.exe	false	high
http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation	setup.exe	false	high
http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHxmlxml	setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	false	high
http://xml.org/sax/features/validation	setup.exe	false	high
http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI	setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp	false	high
http://apache.org/xml/features/validation/use-cachedGrammarInParse	setup.exe	false	high
http://apache.org/xml/messages/XML4CErrors	setup.exe	false	high
http://apache.org/xml/properties/security-manager	setup.exe	false	high
http://apache.org/xml/features/validation/schema/skip-dtd-validation	setup.exe	false	high
http://apache.org/xml/properties/scannerName	setup.exe	false	high
http://apache.org/xml/features/disable-default-entity-resolution	setup.exe	false	high
http://apache.org/xml/features/validation/schema	setup.exe	false	high
http://apache.org/xml/features/validation/ignoreCachedDTD	setup.exe	false	high
http://apache.org/xml/messages/XMLDOMMsg	setup.exe	false	high
http://apache.org/xml/messages/XMLErrors	setup.exe	false	high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502663
Start date:	14.10.2021
Start time:	08:36:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	setup.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 26.7% (good quality ratio 25%) Quality average: 73.1% Quality standard deviation: 28.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 20.54.110.249, 40.112.88.60, 2.20.178.56, 2.20.178.10, 8.247.248.249, 8.247.248.223, 8.247.244.249, 20.199.120.182, 2.20.178.24, 2.20.178.33, 95.100.216.89 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.907283747504906
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	setup.exe
File size:	1466368
MD5:	fe5c2e1333b4477d029dedc9c1b5dd4d
SHA1:	ce7e5a597b98eb1ec36a48e4368997b787228544
SHA256:	fc91558efb40b16dd9f6b0e93c972a0f1ff85cad3ddefdd7028c2628d75a9ab9
SHA512:	04892dfb3d356952a3bd4cac9026a3fac52b220af6b8a6371e81293483dbdeb76f08e8182ae0301dedef4d2904a6c113d02d8d48307fe498a428b595b0ec03b4
SSDEEP:	24576:wJx22KNk+2ygEZZU6xUohcGGopn9iWsq/A9fzIDODmJfbtvyYtQEnRA2S/Y:w+29+2yn5+ohcGHpn97s7JzIa6dY4/RC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(.pA(.pA(.pA-./A,.pA...A+.pA!..A..pA!..A..pA6..A+.pA.K.A..pA.K.A7.pA(.qA..pA!..A..pA!..A).pA6..A).pA!..A).pARich(.pA.......

File Icon


Icon Hash:	80b0a4b4a4e4e4e4

Static PE Info

General
Entrypoint:	0x90cf20
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x59E4BE15 [Mon Oct 16 14:11:33 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ab8c7e344596e3e6d6c6a5375f98bde9

Entrypoint Preview

Instruction
pushad
mov esi, 007C9000h
lea edi, dword ptr [esi-003C8000h]
push edi
or ebp, FFFFFFFFh
jmp 00007FA984BCF942h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA984BCF91Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FA984BCF93Dh
jne 00007FA984BCF95Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA984BCF951h
dec eax
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FA984BCF906h
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FA984BCF984h
xor ecx, ecx
sub eax, 03h
jc 00007FA984BCF943h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FA984BCF9A7h
sar eax, 1
mov ebp, eax
jmp 00007FA984BCF93Dh
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA984BCF8FEh
inc ecx
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA984BCF8F0h
add ebx, ebx
jne 00007FA984BCF939h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FA984BCF921h
jne 00007FA984BCF93Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FA984BCF916h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [eax+eax]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022
[EXP] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2003 (.NET) build 3077
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x52f79c	0x6c	.rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT	0x52f41c	0x380	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50e000	0x2141c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x50d0cc	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x46e4ec	0xc0	UPX1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x3c8000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x3c9000	0x145000	0x144200	False	0.985229162649	data	7.92638129371	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x50e000	0x22000	0x21a00	False	0.829874825743	data	7.3682539138	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x4b2700	0x134	data	English	United States
RT_CURSOR	0x4b2834	0xb4	data	English	United States
RT_CURSOR	0x4b28e8	0x134	data	English	United States
RT_CURSOR	0x4b2a1c	0x134	data	English	United States
RT_CURSOR	0x4b2b50	0x134	data	English	United States
RT_CURSOR	0x4b2c84	0x134	data	English	United States
RT_CURSOR	0x4b2db8	0x134	data	English	United States
RT_CURSOR	0x4b2eec	0x134	data	English	United States
RT_CURSOR	0x4b3020	0x134	data	English	United States
RT_CURSOR	0x4b3154	0x134	data	English	United States
RT_CURSOR	0x4b3288	0x134	data	English	United States
RT_CURSOR	0x4b33bc	0x134	data	English	United States
RT_CURSOR	0x4b34f0	0x134	data	English	United States
RT_CURSOR	0x4b3624	0x134	data	English	United States
RT_CURSOR	0x4b3758	0x134	data	English	United States
RT_CURSOR	0x4b388c	0x134	data	English	United States
RT_BITMAP	0x4b39c0	0x3e8	data	English	United States
RT_BITMAP	0x4b3da8	0x3e8	data	English	United States
RT_BITMAP	0x4b4190	0x1328	data	English	United States
RT_BITMAP	0x4b54b8	0x1328	data	English	United States
RT_BITMAP	0x4b67e0	0x3e8	data	English	United States
RT_BITMAP	0x4b6bc8	0x1328	data	English	United States
RT_BITMAP	0x4b7ef0	0x1328	data	English	United States
RT_BITMAP	0x4b9218	0x1328	data	English	United States
RT_BITMAP	0x4ba540	0x1328	data	English	United States
RT_BITMAP	0x4bb868	0x3e8	data	English	United States
RT_BITMAP	0x4bbc50	0xb8	data	English	United States
RT_BITMAP	0x4bbd08	0x144	data	English	United States
RT_ICON	0x511704	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x511830	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x4bc4dc	0x8a8	data	English	United States
RT_ICON	0x4bcd84	0x568	data	English	United States
RT_ICON	0x4bd2ec	0xca8	data	English	United States
RT_ICON	0x4bdf94	0x368	data	English	United States
RT_ICON	0x4be2fc	0x1a8	data	English	United States
RT_ICON	0x4be4a4	0x1a8	MPEG-4 LOAS, 4 or more streams, 8 or more streams	English	United States
RT_ICON	0x4be64c	0x1a8	data	English	United States
RT_ICON	0x4be7f4	0x1a8	data	English	United States
RT_ICON	0x4be99c	0x1a8	data	English	United States
RT_ICON	0x4beb44	0x1a8	data	English	United States
RT_ICON	0x4becec	0x1a8	data	English	United States
RT_ICON	0x4bee94	0x1a8	data	English	United States
RT_ICON	0x4bf03c	0x1a8	data	English	United States
RT_ICON	0x4bf1e4	0x1a8	data	English	United States
RT_ICON	0x4bf38c	0x1a8	data	English	United States
RT_ICON	0x4bf534	0x1a8	data	English	United States
RT_ICON	0x4bf6dc	0x1a8	data	English	United States
RT_ICON	0x4bf884	0x1a8	data	English	United States
RT_ICON	0x4bfa2c	0x2e8	data	English	United States
RT_ICON	0x4bfd14	0x128	data	English	United States
RT_ICON	0x4bfe3c	0x568	data	English	United States
RT_ICON	0x4c03a4	0x1a8	data	English	United States
RT_ICON	0x4c054c	0x2e8	data	English	United States
RT_ICON	0x4c0834	0x128	data	English	United States
RT_ICON	0x4c095c	0x568	data	English	United States
RT_ICON	0x4c0ec4	0x1a8	data	English	United States
RT_ICON	0x4c106c	0x1a8	data	English	United States
RT_ICON	0x4c1214	0x2e8	data	English	United States
RT_ICON	0x4c14fc	0x1ca8	data	English	United States
RT_ICON	0x4c31a4	0xca8	data	English	United States
RT_ICON	0x4c3e4c	0x668	data	English	United States
RT_ICON	0x4c44b4	0x1ca8	COM executable for DOS	English	United States
RT_ICON	0x4c615c	0xca8	data	English	United States
RT_ICON	0x4c6e04	0x668	data	English	United States
RT_ICON	0x4c746c	0x1ca8	data	English	United States
RT_ICON	0x4c9114	0xca8	data	English	United States
RT_ICON	0x4c9dbc	0x668	data	English	United States
RT_ICON	0x4ca424	0x668	data	English	United States
RT_ICON	0x4caa8c	0x668	data	English	United States
RT_ICON	0x4cb0f4	0x668	data	English	United States
RT_ICON	0x4cb75c	0x668	data	English	United States
RT_ICON	0x4cbdc4	0x668	data	English	United States
RT_ICON	0x4cc42c	0xca8	data	English	United States
RT_ICON	0x4cd0d4	0x1a8	data	English	United States
RT_ICON	0x4cd27c	0x1a8	data	English	United States
RT_ICON	0x4cd424	0x1a8	data	English	United States
RT_ICON	0x4cd5cc	0x1a8	data	English	United States
RT_ICON	0x4cd774	0x468	data	English	United States
RT_ICON	0x4cdbdc	0xca8	data	English	United States
RT_ICON	0x511d9c	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2391312520, next used block 2005436558	English	United States
RT_ICON	0x512088	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15134197, next used block 14939634	English	United States
RT_ICON	0x512934	0x668	data	English	United States
RT_ICON	0x512fa0	0xea8	data	English	United States
RT_ICON	0x513e4c	0x54f3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x519344	0x9381	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x5226cc	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x522b38	0x10a8	data	English	United States
RT_ICON	0x523be4	0x25a8	data	English	United States
RT_ICON	0x526190	0x88fb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_DIALOG	0x4eb550	0x1e0	data	English	United States
RT_DIALOG	0x4eb730	0xe8	data	English	United States
RT_DIALOG	0x4eb818	0x64	PGP\011Secret Sub-key -	English	United States
RT_DIALOG	0x4eb87c	0x302	data	English	United States
RT_DIALOG	0x4ebb80	0x20	data	English	United States
RT_DIALOG	0x4ebba0	0x18	data	English	United States
RT_DIALOG	0x4ebbb8	0x144	data	English	United States
RT_DIALOG	0x4ebcfc	0x136	SysEx File -	English	United States
RT_DIALOG	0x4ebe34	0x32	data	English	United States
RT_DIALOG	0x4ebe68	0x1a4	data	English	United States
RT_DIALOG	0x4ec00c	0x296	data	English	United States
RT_DIALOG	0x4ec2a4	0x220	data	English	United States
RT_DIALOG	0x4ec4c4	0xc0	data	English	United States
RT_DIALOG	0x4ec584	0x238	data	English	United States
RT_DIALOG	0x4ec7bc	0x17e	data	English	United States
RT_DIALOG	0x4ec93c	0xe2	data	English	United States
RT_DIALOG	0x4eca20	0xd4	data	English	United States
RT_DIALOG	0x4ecaf4	0xe2	data	English	United States
RT_DIALOG	0x4ecbd8	0x114	data	English	United States
RT_DIALOG	0x4eccec	0x8c	data	English	United States
RT_DIALOG	0x4ecd78	0xd8	data	English	United States
RT_DIALOG	0x4ece50	0xca	data	English	United States
RT_DIALOG	0x4ecf1c	0x49e	data	English	United States
RT_DIALOG	0x4ed3bc	0x5f8	data	English	United States
RT_DIALOG	0x4ed9b4	0xe8	data	English	United States
RT_DIALOG	0x4eda9c	0x34	data	English	United States
RT_STRING	0x4edad0	0x5b4	data	English	United States
RT_STRING	0x4ee084	0x974	data	English	United States
RT_STRING	0x4ee9f8	0x86a	data	English	United States
RT_STRING	0x4ef264	0x358	data	English	United States
RT_STRING	0x4ef5bc	0x616	data	English	United States
RT_STRING	0x4efbd4	0x2ca	data	English	United States
RT_STRING	0x4efea0	0x446	data	English	United States
RT_STRING	0x4f02e8	0x44a	data	English	United States
RT_STRING	0x4f0734	0x3e6	SysEx File - Passport	English	United States
RT_STRING	0x4f0b1c	0x662	data	English	United States
RT_STRING	0x4f1180	0x90e	data	English	United States
RT_STRING	0x4f1a90	0x67e	data	English	United States
RT_STRING	0x4f2110	0x5da	data	English	United States
RT_STRING	0x4f26ec	0x7e6	data	English	United States
RT_STRING	0x4f2ed4	0x79c	data	English	United States
RT_STRING	0x4f3670	0x59e	data	English	United States
RT_STRING	0x4f3c10	0x540	data	English	United States
RT_STRING	0x4f4150	0x580	data	English	United States
RT_STRING	0x4f46d0	0xde	data	English	United States
RT_STRING	0x4f47b0	0x2f2	data	English	United States
RT_STRING	0x4f4aa4	0x4d2	data	English	United States
RT_STRING	0x4f4f78	0x288	data	German	Germany
RT_STRING	0x4f5200	0x20e	data	English	United States
RT_STRING	0x4f5410	0x252	data	French	France
RT_STRING	0x4f5664	0x148	data	Japanese	Japan
RT_STRING	0x4f57ac	0x14a	data	Korean	North Korea
RT_STRING	0x4f57ac	0x14a	data	Korean	South Korea
RT_STRING	0x4f58f8	0xe8	data	Chinese	China
RT_STRING	0x4f59e0	0x438	data	German	Germany
RT_STRING	0x4f5e18	0x33a	data	English	United States
RT_STRING	0x4f6154	0x418	data	French	France
RT_STRING	0x4f656c	0x22e	data	Japanese	Japan
RT_STRING	0x4f679c	0x232	data	Korean	North Korea
RT_STRING	0x4f679c	0x232	data	Korean	South Korea
RT_STRING	0x4f69d0	0x172	data	Chinese	China
RT_STRING	0x4f6b44	0x124	data	German	Germany
RT_STRING	0x4f6c68	0xf0	data	English	United States
RT_STRING	0x4f6d58	0x142	data	French	France
RT_STRING	0x4f6e9c	0x9a	data	Japanese	Japan
RT_STRING	0x4f6f38	0xb2	data	Korean	North Korea
RT_STRING	0x4f6f38	0xb2	data	Korean	South Korea
RT_STRING	0x4f6fec	0x6e	data	Chinese	China
RT_STRING	0x4f705c	0x166	data	German	Germany
RT_STRING	0x4f71c4	0x10a	data	English	United States
RT_STRING	0x4f72d0	0x14a	data	French	France
RT_STRING	0x4f741c	0xb2	data	Japanese	Japan
RT_STRING	0x4f74d0	0xb4	data	Korean	North Korea
RT_STRING	0x4f74d0	0xb4	data	Korean	South Korea
RT_STRING	0x4f7584	0x6e	data	Chinese	China
RT_STRING	0x4f75f4	0x1a0	data	German	Germany
RT_STRING	0x4f7794	0x16e	data	English	United States
RT_STRING	0x4f7904	0x1c6	data	French	France
RT_STRING	0x4f7acc	0xcc	data	Japanese	Japan
RT_STRING	0x4f7b98	0xd0	data	Korean	North Korea
RT_STRING	0x4f7b98	0xd0	data	Korean	South Korea
RT_STRING	0x4f7c68	0x78	data	Chinese	China
RT_STRING	0x4f7ce0	0x37e	data	German	Germany
RT_STRING	0x4f8060	0x294	data	English	United States
RT_STRING	0x4f82f4	0x35e	data	French	France
RT_STRING	0x4f8654	0x184	data	Japanese	Japan
RT_STRING	0x4f87d8	0x190	data	Korean	North Korea
RT_STRING	0x4f87d8	0x190	data	Korean	South Korea
RT_STRING	0x4f8968	0xdc	data	Chinese	China
RT_STRING	0x4f8a44	0x3b6	data	German	Germany
RT_STRING	0x4f8dfc	0x33a	data	English	United States
RT_STRING	0x4f9138	0x428	data	French	France
RT_STRING	0x4f9560	0x1ee	data	Japanese	Japan
RT_STRING	0x4f9750	0x1ee	data	Korean	North Korea
RT_STRING	0x4f9750	0x1ee	data	Korean	South Korea
RT_STRING	0x4f9940	0x134	data	Chinese	China
RT_STRING	0x4f9a74	0xb4	data	German	Germany
RT_STRING	0x4f9b28	0x88	data	English	United States
RT_STRING	0x4f9bb0	0xa0	data	French	France
RT_STRING	0x4f9c50	0x4c	data	Japanese	Japan
RT_STRING	0x4f9c9c	0x54	data	Korean	North Korea
RT_STRING	0x4f9c9c	0x54	data	Korean	South Korea
RT_STRING	0x4f9cf0	0x3c	data	Chinese	China
RT_STRING	0x4f9d2c	0x50	data	German	Germany
RT_STRING	0x4f9d7c	0x48	data	English	United States
RT_STRING	0x4f9dc4	0x50	PGP\011Secret Key -	French	France
RT_STRING	0x4f9e14	0x3e	data	Japanese	Japan
RT_STRING	0x4f9e54	0x46	data	Korean	North Korea
RT_STRING	0x4f9e54	0x46	data	Korean	South Korea
RT_STRING	0x4f9e9c	0x32	data	Chinese	China
RT_STRING	0x4f9ed0	0x47c	data	German	Germany
RT_STRING	0x4fa34c	0x380	data	English	United States
RT_STRING	0x4fa6cc	0x4f2	data	French	France
RT_STRING	0x4fabc0	0x2b6	data	Japanese	Japan
RT_STRING	0x4fae78	0x2aa	data	Korean	North Korea
RT_STRING	0x4fae78	0x2aa	data	Korean	South Korea
RT_STRING	0x4fb124	0x180	data	Chinese	China
RT_STRING	0x4fb2a4	0xa88	data	German	Germany
RT_STRING	0x4fbd2c	0x98c	data	English	United States
RT_STRING	0x4fc6b8	0xb36	data	French	France
RT_STRING	0x4fd1f0	0x524	data	Japanese	Japan
RT_STRING	0x4fd714	0x5ee	data	Korean	North Korea
RT_STRING	0x4fd714	0x5ee	data	Korean	South Korea
RT_STRING	0x4fdd04	0x390	data	Chinese	China
RT_STRING	0x4fe094	0x1dc	data	German	Germany
RT_STRING	0x4fe270	0x18c	data	English	United States
RT_STRING	0x4fe3fc	0x202	data	French	France
RT_STRING	0x4fe600	0xd8	data	Japanese	Japan
RT_STRING	0x4fe6d8	0xc6	data	Korean	North Korea
RT_STRING	0x4fe6d8	0xc6	data	Korean	South Korea
RT_STRING	0x4fe7a0	0x80	data	Chinese	China
RT_STRING	0x4fe820	0xa6	data	German	Germany
RT_STRING	0x4fe8c8	0x8c	data	English	United States
RT_STRING	0x4fe954	0xa6	data	French	France
RT_STRING	0x4fe9fc	0x6e	data	Japanese	Japan
RT_STRING	0x4fea6c	0x72	data	Korean	North Korea
RT_STRING	0x4fea6c	0x72	data	Korean	South Korea
RT_STRING	0x4feae0	0x40	data	Chinese	China
RT_STRING	0x4feb20	0x136	data	German	Germany
RT_STRING	0x4fec58	0x11e	data	English	United States
RT_STRING	0x4fed78	0x11e	data	French	France
RT_STRING	0x4fee98	0x11e	data	Japanese	Japan
RT_STRING	0x4fefb8	0xf4	data	Korean	North Korea
RT_STRING	0x4fefb8	0xf4	data	Korean	South Korea
RT_STRING	0x4ff0ac	0x11e	data	Chinese	China
RT_STRING	0x4ff1cc	0x5a	data	German	Germany
RT_STRING	0x4ff228	0x52	data	English	United States
RT_STRING	0x4ff27c	0x52	data	French	France
RT_STRING	0x4ff2d0	0x52	data	Japanese	Japan
RT_STRING	0x4ff324	0x44	data	Korean	North Korea
RT_STRING	0x4ff324	0x44	data	Korean	South Korea
RT_STRING	0x4ff368	0x52	data	Chinese	China
RT_STRING	0x4ff3bc	0x68	data	German	Germany
RT_STRING	0x4ff424	0x6a	data	English	United States
RT_STRING	0x4ff490	0x70	data	French	France
RT_STRING	0x4ff500	0x48	data	Japanese	Japan
RT_STRING	0x4ff548	0x4a	data	Korean	North Korea
RT_STRING	0x4ff548	0x4a	data	Korean	South Korea
RT_STRING	0x4ff594	0x38	data	Chinese	China
RT_STRING	0x4ff5cc	0x21a	data	German	Germany
RT_STRING	0x4ff7e8	0x222	data	English	United States
RT_STRING	0x4ffa0c	0x286	data	French	France
RT_STRING	0x4ffc94	0x11c	data	Japanese	Japan
RT_STRING	0x4ffdb0	0x174	data	Korean	North Korea
RT_STRING	0x4ffdb0	0x174	data	Korean	South Korea
RT_STRING	0x4fff24	0xcc	data	Chinese	China
RT_STRING	0x4ffff0	0x2d6	data	German	Germany
RT_STRING	0x5002c8	0x270	data	English	United States
RT_STRING	0x500538	0x2ce	data	French	France
RT_STRING	0x500808	0x168	data	Japanese	Japan
RT_STRING	0x500970	0x198	data	Korean	North Korea
RT_STRING	0x500970	0x198	data	Korean	South Korea
RT_STRING	0x500b08	0xde	data	Chinese	China
RT_STRING	0x500be8	0x1e0	data	German	Germany
RT_STRING	0x500dc8	0x12a	data	English	United States
RT_STRING	0x500ef4	0x17e	data	French	France
RT_STRING	0x501074	0xec	data	Japanese	Japan
RT_STRING	0x501160	0xe6	data	Korean	North Korea
RT_STRING	0x501160	0xe6	data	Korean	South Korea
RT_STRING	0x501248	0x98	data	Chinese	China
RT_STRING	0x5012e0	0x96	data	German	Germany
RT_STRING	0x501378	0x6c	data	English	United States
RT_STRING	0x5013e4	0x80	data	French	France
RT_STRING	0x501464	0x4a	data	Japanese	Japan
RT_STRING	0x5014b0	0x48	data	Korean	North Korea
RT_STRING	0x5014b0	0x48	data	Korean	South Korea
RT_STRING	0x5014f8	0x3a	data	Chinese	China
RT_STRING	0x501534	0x1f2	data	German	Germany
RT_STRING	0x501728	0x196	data	English	United States
RT_STRING	0x5018c0	0x21a	data	French	France
RT_STRING	0x501adc	0x132	data	Japanese	Japan
RT_STRING	0x501c10	0x11c	data	Korean	North Korea
RT_STRING	0x501c10	0x11c	data	Korean	South Korea
RT_STRING	0x501d2c	0xe2	data	Chinese	China
RT_STRING	0x501e10	0x50	data	German	Germany
RT_STRING	0x501e60	0x44	data	English	United States
RT_STRING	0x501ea4	0x42	data	French	France
RT_STRING	0x501ee8	0x2a	data	Japanese	Japan
RT_STRING	0x501f14	0x2e	data	Korean	North Korea
RT_STRING	0x501f14	0x2e	data	Korean	South Korea
RT_STRING	0x501f44	0x28	data	Chinese	China
RT_STRING	0x501f6c	0x4ae	data	English	United States
RT_STRING	0x50241c	0x3f0	data	English	United States
RT_STRING	0x50280c	0x3e2	data	English	United States
RT_STRING	0x502bf0	0x6c	data	English	United States
RT_STRING	0x502c5c	0xbe6	PGP\011Secret Sub-key -	English	United States
RT_STRING	0x503844	0x18a2	data	English	United States
RT_STRING	0x5050e8	0x478	data	English	United States
RT_STRING	0x505560	0x148	data	English	United States
RT_STRING	0x5056a8	0x2e8	data	English	United States
RT_STRING	0x505990	0x220	data	English	United States
RT_STRING	0x505bb0	0x22a	data	English	United States
RT_STRING	0x505ddc	0x82	data	English	United States
RT_STRING	0x505e60	0x2a	data	English	United States
RT_STRING	0x505e8c	0x184	data	English	United States
RT_STRING	0x506010	0x4e6	data	English	United States
RT_STRING	0x5064f8	0x264	data	English	United States
RT_STRING	0x50675c	0x2da	data	English	United States
RT_STRING	0x506a38	0x8a	data	English	United States
RT_STRING	0x506ac4	0xac	data	English	United States
RT_STRING	0x506b70	0xde	data	English	United States
RT_STRING	0x506c50	0x4a8	data	English	United States
RT_STRING	0x5070f8	0x228	data	English	United States
RT_STRING	0x507320	0x2c	data	English	United States
RT_STRING	0x50734c	0x42	data	English	United States
RT_ACCELERATOR	0x507390	0x10	Non-ISO extended-ASCII text, with NEL line terminators	English	United States
RT_GROUP_CURSOR	0x5073a0	0x22	data	English	United States
RT_GROUP_CURSOR	0x5073c4	0x14	data	English	United States
RT_GROUP_CURSOR	0x5073d8	0x14	data	English	United States
RT_GROUP_CURSOR	0x5073ec	0x14	data	English	United States
RT_GROUP_CURSOR	0x507400	0x14	data	English	United States
RT_GROUP_CURSOR	0x507414	0x14	Non-ISO extended-ASCII text, with LF, NEL line terminators	English	United States
RT_GROUP_CURSOR	0x507428	0x14	data	English	United States
RT_GROUP_CURSOR	0x50743c	0x14	data	English	United States
RT_GROUP_CURSOR	0x507450	0x14	data	English	United States
RT_GROUP_CURSOR	0x507464	0x14	data	English	United States
RT_GROUP_CURSOR	0x507478	0x14	data	English	United States
RT_GROUP_CURSOR	0x50748c	0x14	data	English	United States
RT_GROUP_CURSOR	0x5074a0	0x14	unicos (cray) executable	English	United States
RT_GROUP_CURSOR	0x5074b4	0x14	Non-ISO extended-ASCII text, with no line terminators, with escape sequences	English	United States
RT_GROUP_CURSOR	0x5074c8	0x14	data	English	United States
RT_GROUP_ICON	0x52ea90	0xae	data	English	United States
RT_GROUP_ICON	0x50758c	0x3e	data	English	United States
RT_GROUP_ICON	0x5075cc	0x14	data	English	United States
RT_GROUP_ICON	0x5075e0	0x14	data	English	United States
RT_GROUP_ICON	0x5075f4	0x14	data	English	United States
RT_GROUP_ICON	0x507608	0x14	data	English	United States
RT_GROUP_ICON	0x50761c	0x14	data	English	United States
RT_GROUP_ICON	0x507630	0x14	data	English	United States
RT_GROUP_ICON	0x507644	0x14	data	English	United States
RT_GROUP_ICON	0x507658	0x14	data	English	United States
RT_GROUP_ICON	0x50766c	0x14	data	English	United States
RT_GROUP_ICON	0x507680	0x14	data	English	United States
RT_GROUP_ICON	0x507694	0x14	data	English	United States
RT_GROUP_ICON	0x5076a8	0x14	data	English	United States
RT_GROUP_ICON	0x5076bc	0x14	data	English	United States
RT_GROUP_ICON	0x5076d0	0x14	data	English	United States
RT_GROUP_ICON	0x5076e4	0x30	data	English	United States
RT_GROUP_ICON	0x507714	0x30	data	English	United States
RT_GROUP_ICON	0x507744	0x14	data	English	United States
RT_GROUP_ICON	0x507758	0x14	data	English	United States
RT_GROUP_ICON	0x50776c	0x14	data	English	United States
RT_GROUP_ICON	0x507780	0x14	data	English	United States
RT_GROUP_ICON	0x507794	0x14	data	English	United States
RT_GROUP_ICON	0x5077a8	0x22	data	English	United States
RT_GROUP_ICON	0x5077cc	0x3e	data	English	United States
RT_GROUP_ICON	0x50780c	0x22	data	English	United States
RT_GROUP_ICON	0x507830	0x3e	data	English	United States
RT_GROUP_ICON	0x507870	0x30	data	English	United States
RT_GROUP_ICON	0x5078a0	0x14	data	English	United States
RT_GROUP_ICON	0x5078b4	0x14	data	English	United States
RT_GROUP_ICON	0x5078c8	0x14	data	English	United States
RT_GROUP_ICON	0x5078dc	0x14	data	English	United States
RT_GROUP_ICON	0x5078f0	0x14	data	English	United States
RT_VERSION	0x52eb44	0x2f8	data	English	United States
RT_MANIFEST	0x52ee40	0x5dc	ASCII text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
COMDLG32.dll	GetFileTitleW
GDI32.dll	ArcTo
MPR.dll	WNetGetUserW
ole32.dll	CoInitialize
OLEAUT32.dll	SafeArrayPutElement
PSAPI.DLL	GetModuleFileNameExW
RPCRT4.dll	UuidCreate
SHELL32.dll	DragFinish
USER32.dll	GetDC
VERSION.dll	VerQueryValueW
WININET.dll	InternetCheckConnectionW
WINSPOOL.DRV	GetJobW
WS2_32.dll	closesocket
WTSAPI32.dll	WTSFreeMemory

Exports

Name	Ordinal	Address
NI_MetaToolbox_MetaOutput_GetSharedGlobalData	1	0x61f710

Version Infos

Description	Data
LegalCopyright	Copyright 2003-2017. All Rights Reserved.
InternalName	MetaInstaller
FileVersion	17.5.0.170
CompanyName
ProductName	National Instruments Installer
ProductVersion	17.5.0
FileDescription	Installer
OriginalFilename	Setup.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
German	Germany
French	France
Japanese	Japan
Korean	North Korea
Korean	South Korea
Chinese	China

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: setup.exe PID: 7152 Parent PID: 4616

General

Start time:	08:37:47
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\setup.exe'
Imagebase:	0x400000
File size:	1466368 bytes
MD5 hash:	FE5C2E1333B4477D029DEDC9C1B5DD4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

System Behavior

Analysis Process: setup.exe PID: 7152 Parent PID: 4616

General

Disassembly

Code Analysis