Windows Analysis Report
6Sy6PrInNl.exe

Overview

General Information

Sample Name:6Sy6PrInNl.exe
Analysis ID:708240
MD5:cd1ffe7c30311659ea1be07ed7923d65
SHA1:310fcf3a43286785eb88d742f5deeae150c661e9
SHA256:842342b4db7bbc84d8e4da35f8d79d8b76a52815b7a22272f331ba906d2dba6c
Tags:exemorpheuspwtorun
Infos:

Detection

Score:36
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
File is packed with WinRar
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--")
Sample reads itself and does not show any behavior; it likely performs host environment checks whose results are compared against an embedded key
  • System is w10x64
  • 6Sy6PrInNl.exe (PID: 2800 cmdline: "C:\Users\user\Desktop\6Sy6PrInNl.exe" MD5: CD1FFE7C30311659EA1BE07ED7923D65)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 6Sy6PrInNl.exe | ReversingLabs: Detection: 27%
Source: 6Sy6PrInNl.exe | Virustotal: Detection: 30%
Source: 6Sy6PrInNl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6Sy6PrInNl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 6Sy6PrInNl.exe
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011FB348 FindFirstFileExA,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: 6Sy6PrInNl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011D848E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E7153
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011F51C9
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E4088
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E00B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011D40FE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E43BF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E62CA
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011D32F7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011DC426
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011FD440
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011DF461
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E77EF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011DE9B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_012019F4
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011D286B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011FD8EE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E6CDC
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011F4F9A
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011DEFE2
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E3E0B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: String function: 011EEB78 appears 39 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: String function: 011EF5F0 appears 31 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: String function: 011EEC50 appears 56 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011D6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
Source: 6Sy6PrInNl.exe | ReversingLabs: Detection: 27%
Source: 6Sy6PrInNl.exe | Virustotal: Detection: 30%
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File read: C:\Users\user\Desktop\6Sy6PrInNl.exe
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011D6C74 GetLastError,FormatMessageW,
Source: 6Sy6PrInNl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Command line argument: sfxname
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Command line argument: sfxstime
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Command line argument: STARTDLG
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7003046
Source: classification engine | Classification label: sus36.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 6Sy6PrInNl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 6Sy6PrInNl.exe
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EF640 push ecx; ret
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EEB78 push eax; ret
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7003046
Source: 6Sy6PrInNl.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Evasive API call chain: GetLocalTime,DecisionNodes
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EE6A3 VirtualQuery,GetSystemInfo,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011FB348 FindFirstFileExA,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011F7DEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011FC030 GetProcessHeap,
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EF9D5 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011F8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: GetLocaleInfoW,GetNumberFormatW,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011E0723 cpuid
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011DB146 GetVersionExW,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_011EDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,
ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique; techniques without a number are the unmatched matrix entries):
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Command and Scripting Interpreter (2), Native API (1), At (Linux), At (Windows), Cron
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Defense Evasion: Masquerading (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: System Time Discovery (1), Security Software Discovery (2), File and Directory Discovery (2), System Information Discovery (25), Remote System Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label
6Sy6PrInNl.exe | 28% | ReversingLabs | Win32.Trojan.Generic
6Sy6PrInNl.exe | 30% | Virustotal |
6Sy6PrInNl.exe | 11% | Metadefender |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:708240
Start date and time:2022-09-23 07:56:16 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 57s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:6Sy6PrInNl.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:SUS
Classification:sus36.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.7% (good quality ratio 92%)
  • Quality average: 78.4%
  • Quality standard deviation: 29.8%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded domains from analysis (whitelisted): login.live.com, displaycatalog.mp.microsoft.com, arc.msn.com
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.143158241689354
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:6Sy6PrInNl.exe
File size:788504
MD5:cd1ffe7c30311659ea1be07ed7923d65
SHA1:310fcf3a43286785eb88d742f5deeae150c661e9
SHA256:842342b4db7bbc84d8e4da35f8d79d8b76a52815b7a22272f331ba906d2dba6c
SHA512:588e21a2cefabfa2d20364e7b62d9d3448cc3c7295b34fffb481b64837ef49cb36510c36a75a300338d0d2f4b8ac42120ef26e4dab30ec2b946ceaf60f560170
SSDEEP:12288:zToPWBv/cpGrU3yKszraraEoMgF/FEJJSJx:zTbBv5rUazram5MIx
TLSH:8BF4E10EBAC198B2D073D9321A356725A53CB9201F668ADFE3DC465FDB215C0E7317A2
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
Icon Hash:008039c4c4384000
Entrypoint:0x41f530
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:12e12319f1029ec4f8fcbed7e82df162
Instruction
call 00007F2D8070A4FBh
jmp 00007F2D80709E0Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2D806FCC57h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F2D8070D29Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F2D80709F9Ch
push 0000000Ch
push esi
call 00007F2D80709559h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2D806FCBD2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2D8070CD59h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2D80709F18h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2D8070CD3Ch
int3
jmp 00007F2D8070E7D7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x4698c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xab000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0x4698c | 0x46a00 | False | 0.07180586283185841 | data | 2.00213285276512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xab000 | 0x233c | 0x2400 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
PNG | 0x64524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
PNG | 0x6506c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
RT_ICON | 0x66618 | 0x42028 | data | |
RT_DIALOG | 0xa8640 | 0x286 | data | English | United States
RT_DIALOG | 0xa88c8 | 0x13a | data | English | United States
RT_DIALOG | 0xa8a04 | 0xec | data | English | United States
RT_DIALOG | 0xa8af0 | 0x12e | data | English | United States
RT_DIALOG | 0xa8c20 | 0x338 | data | English | United States
RT_DIALOG | 0xa8f58 | 0x252 | data | English | United States
RT_STRING | 0xa91ac | 0x1e2 | data | English | United States
RT_STRING | 0xa9390 | 0x1cc | data | English | United States
RT_STRING | 0xa955c | 0x1b8 | data | English | United States
RT_STRING | 0xa9714 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
RT_STRING | 0xa985c | 0x46c | data | English | United States
RT_STRING | 0xa9cc8 | 0x166 | data | English | United States
RT_STRING | 0xa9e30 | 0x152 | data | English | United States
RT_STRING | 0xa9f84 | 0x10a | data | English | United States
RT_STRING | 0xaa090 | 0xbc | data | English | United States
RT_STRING | 0xaa14c | 0xd6 | data | English | United States
RT_GROUP_ICON | 0xaa224 | 0x14 | data | |
RT_MANIFEST | 0xaa238 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
No network behavior found
No statistics
Target ID:0
Start time:07:57:12
Start date:23/09/2022
Path:C:\Users\user\Desktop\6Sy6PrInNl.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\6Sy6PrInNl.exe"
Imagebase:0x11d0000
File size:788504 bytes
MD5 hash:CD1FFE7C30311659EA1BE07ED7923D65
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

No disassembly