Windows Analysis Report
WP.exe

Overview

General Information

Sample Name:WP.exe
Analysis ID:1334521
MD5:e9c001647c67e12666f27f9984778ad6
SHA1:51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256:7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Uses 32bit PE files
Found dropped PE file which has not been started or loaded
Drops PE files

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64_ra
  • WP.exe (PID: 2588 cmdline: C:\Users\user\Desktop\WP.exe MD5: E9C001647C67E12666F27F9984778AD6)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: WP.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\WP.exe; Window detected (installer dialog: "I &Agree" / "Cancel" buttons, title "Nullsoft Install System v3.0", page "License Agreement"): Please review the license terms before installing WinPcap (BMC TrueSight Meter) 4.1.3. Press Page Down to see the rest of the agreement.
Copyright (c) 1999 - 2005 NetGroup Politecnico di Torino (Italy). Copyright (c) 2005 - 2010 CACE Technologies Davis (California). Copyright (c) 2010 - 2013 Riverbed Technology San Francisco (California). All rights reserved.
Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the Politecnico di Torino CACE Technologies Riverbed Technology nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes software developed by the University of California Lawrence Berkeley Laboratory and its contributors. This product includes software developed by the Kungliga Tekniska Högskolan and its contributors. This product includes software developed by Yen Yen Lim and North Dakota State University.
------------------------------------------
Portions Copyright (c) 1990 1991 1992 1993 1994 1995 1996 1997 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software develope
Source: WP.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\WP.exe; File read: C:\Users\user\Desktop\WP.exe
Source: C:\Users\user\Desktop\WP.exe; File created: C:\Users\user\AppData\Local\Temp\nsoDDFA.tmp
Source: WP.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WP.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\WP.exe; File written: C:\Users\user\AppData\Local\Temp\nstDE1B.tmp\options.ini
Source: classification engine; Classification label: clean1.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\WP.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\WP.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\WP.exe; File created: C:\Users\user\AppData\Local\Temp\nstDE1B.tmp\System.dll
Source: C:\Users\user\Desktop\WP.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WP.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstDE1B.tmp\System.dll
MITRE ATT&CK matrix (one column per tactic; the numbers attached to the two Discovery techniques are the report's match counts):
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | File and Directory Discovery (2) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | System Information Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout

Antivirus results (Source | Detection | Scanner):
WP.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nstDE1B.tmp\System.dll | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:38.0.0 Ammolite
Analysis ID:1334521
Start date and time:2023-10-30 21:13:22 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample file name:WP.exe
Detection:CLEAN
Classification:clean1.winEXE@1/4@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: WP.exe
Process:C:\Users\user\Desktop\WP.exe
File Type:data
Category:dropped
Size (bytes):53039
Entropy (8bit):5.464289378965327
Encrypted:false
SSDEEP:
MD5:82015157B6BB7418681E35A6FD2989D6
SHA1:FC96BE0AA453EC940D846CAD446D0847E61729FF
SHA-256:8C07F0CA3E49EA8B3BDF78B3087BA852B883ACE17B3E45CDB2AD0969F0F0E91B
SHA-512:9BB6441F70DF034A3B393DB0C0C780AAE834693B4C4217E78758533B43499384A995948188BF78B9858CF6517441BC13D73D05AD32EC6B828D60EC56237A1871
Malicious:false
Reputation:low
Process:C:\Users\user\Desktop\WP.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11264
Entropy (8bit):5.770803561213006
Encrypted:false
SSDEEP:
MD5:2AE993A2FFEC0C137EB51C8832691BCB
SHA1:98E0B37B7C14890F8A599F35678AF5E9435906E1
SHA-256:681382F3134DE5C6272A49DD13651C8C201B89C247B471191496E7335702FA59
SHA-512:2501371EB09C01746119305BA080F3B8C41E64535FF09CEE4F51322530366D0BD5322EA5290A466356598027E6CDA8AB360CAEF62DCAF560D630742E2DD9BCD9
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L...tc.W...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\WP.exe
File Type:Generic INItialization configuration [Field 1]
Category:dropped
Size (bytes):308
Entropy (8bit):4.986676471593965
Encrypted:false
SSDEEP:
MD5:02E833B68F13A3E664638DD789A92013
SHA1:0280B754A7B28FA0045764C1A2F20D2BE73E8AAC
SHA-256:607D674DEF21A808337FC7B54C335A0E5479A8E7A678D85C7CEC011CCA455860
SHA-512:815483E616330BE42B657D6DD61FD277DCB5D6F586D257F2924964C615BE0F7CC4AE22C94BD0CF1C0784603F00DFAD0115B7E7528E3D6A8309141F3751E28F2D
Malicious:false
Reputation:low
Preview:[Settings]..NumFields=2..BackEnabled=0..NextButtonText=Finish..RTL=0....[Field 1]..Type=Label..Left=10..Right=-1..Top=10..Bottom=18..Text=WinPcap has been installed on your computer...State=0....[Field 2]..Type=Label..Left=10..Right=-1..Top=30..Bottom=38..Text=Click Finish to close this wizard...State=0....
Process:C:\Users\user\Desktop\WP.exe
File Type:Generic INItialization configuration [Field 1]
Category:dropped
Size (bytes):313
Entropy (8bit):5.071276102547683
Encrypted:false
SSDEEP:
MD5:32CE7EB671731B5046E48C9819E387D2
SHA1:5EA0DC317A329F37B93189673F0AB8D3A400CE91
SHA-256:A308787B5EA86626CA77F60468E8BD644EE85D6DB6DD6137AB7861C2BD705886
SHA-512:325392C07E5243E72A50B5F6ED44A671FC0423968C597CB9F7F0F296A881E6DC22C6024104A07C57DEB1881EFD41FD636D4419219E34B303DEC18BB3E3FEE23D
Malicious:false
Reputation:low
Preview:[Settings]..NumFields=2..RTL=0....[Field 1]..Type=CheckBox..Left=10..Right=-1..Top=20..Bottom=28..Text=Start the WinPcap service 'NPF' at startup (recommended on Windows 7, 8 and Vista)..State=1....[Field 2]..Type=CheckBox..Left=10..Right=-1..Top=10..Bottom=18..Text=Start the WinPcap service 'NPF' now..State=1..
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.93667752939838
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:WP.exe
File size:434'493 bytes
MD5:e9c001647c67e12666f27f9984778ad6
SHA1:51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256:7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512:56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
SSDEEP:6144:QMfCdwTjPBATlmSfB0KYljf/ZH/6xNEN3MUFPuprkjUhUmpqV/TW6cDBvKasW6B:tCdM9AhHfTYexNYeFkyU/JTg1KRp
TLSH:9E9423875E8EE477E48509711DFB5B58A3B363310D26AB032F55AF7F38242079F28629
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........
Icon Hash:0771ccf8d84d2907
Entrypoint:0x40322b
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x57956393 [Mon Jul 25 00:55:47 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:4f67aeda01a0484282e8c59006b0b352
Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407120h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007FA3F84CDB63h
push ebx
call 00007FA3F84D0AE9h
cmp eax, ebx
je 00007FA3F84CDB59h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007FA3F84D0A65h
push esi
call dword ptr [004070A8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FA3F84CDB3Dh
push ebp
push 00000009h
call 00007FA3F84D0ABCh
push 00000007h
call 00007FA3F84D0AB5h
mov dword ptr [00423724h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECF0h
call dword ptr [00407174h]
push 004091ECh
push 00422F20h
call 00007FA3F84D06DFh
call dword ptr [004070A4h]
mov ebp, 00429000h
push eax
push ebp
call 00007FA3F84D06CDh
push ebx
call dword ptr [00407154h]
Programming Language:
  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e000 | 0x44f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5dc5 | 0x5e00 | False | 0.6685089760638298 | data | 6.47110609300208 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1246 | 0x1400 | False | 0.4271484375 | data | 5.0003960999706765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.6474609375 | data | 5.220595003364983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0xa000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e000 | 0x44f8 | 0x4600 | False | 0.6140066964285714 | data | 5.900509311227258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x2e358 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7213883677298312
RT_ICON | 0x2f400 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.6751066098081023
RT_ICON | 0x302a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.7851985559566786
RT_ICON | 0x30b50 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.6560693641618497
RT_ICON | 0x310b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8031914893617021
RT_ICON | 0x31520 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.3118279569892473
RT_ICON | 0x31808 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.36824324324324326
RT_DIALOG | 0x31930 | 0xb4 | data | English | United States | 0.6111111111111112
RT_DIALOG | 0x319e8 | 0x202 | data | English | United States | 0.4085603112840467
RT_DIALOG | 0x31bf0 | 0xf8 | data | English | United States | 0.6290322580645161
RT_DIALOG | 0x31ce8 | 0xa0 | data | English | United States | 0.60625
RT_DIALOG | 0x31d88 | 0xee | data | English | United States | 0.6260504201680672
RT_GROUP_ICON | 0x31e78 | 0x68 | data | English | United States | 0.6634615384615384
RT_VERSION | 0x31ee0 | 0x1e8 | data | English | United States | 0.5512295081967213
RT_MANIFEST | 0x320c8 | 0x42d | XML 1.0 document, ASCII text, with very long lines (1069), with no line terminators | English | United States | 0.5126286248830683
DLL | Imports
KERNEL32.dll | CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States