Edit tour

Windows Analysis Report
g8jiNk0ZVv.exe

Overview

General Information

Sample name:	g8jiNk0ZVv.exe renamed because original name is a hash value
Original sample name:	d3847704a6ec28a099434c383d130fdbcebe8e46.exe
Analysis ID:	1575181
MD5:	9520e99abb9f84d5a7fff2ede2fcfcfc
SHA1:	d3847704a6ec28a099434c383d130fdbcebe8e46
SHA256:	7231871fb0cdad9a4fe4467d9b6dc5db71986d5c3747c1bc52630f97714a30e6
Tags:	exeMetaQuotesSetupSUMMITRECRUITMENTLIMITEDuser-NDA0E
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect debuggers (CloseHandle check)

Tries to evade analysis by execution special instruction (VM detection)

Adds / modifies Windows certificates

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

g8jiNk0ZVv.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\g8jiNk0ZVv.exe" MD5: 9520E99ABB9F84D5A7FFF2EDE2FCFCFC)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_7f55c353-5

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe

Window detected: METAQUOTES LTD. End-User License AgreementPlease read carefully the terms and conditions of this End User License Agreement (referred to collectively as the "Agreement") before proceeding with the installation or utilization of the Product installation.MetaQuotes Ltd is a software development company and does not provide any financial investment brokerage trading or data feed services nor it is involved and/or interfere in any way in any trading operations nor does it open or control real trading accounts. None of the information available in the Product is intended as investment advice. Before using this application for trading you should seek the advice of a qualified and registered securities professional and undertake your own due diligence. Exercise caution when encountering online offers promising easy income or quick money particularly through social media like Tinder WhatsApp WeChat Facebook and similar social networks.The Product may feature brokerage companies or financial institutions which may not have a regulatory license for operating in your country. When choosing a brokerage company be careful and responsible. You acknowledge and agree that MetaQuotes may not have complete and update information regarding the regulatory status of each brokerage company in your country. The Product contains contact details and basic information about each brokerage company enabling users to independently familiarize themselves with and further study the brokerage company's services before using them.MetaQuotes Ltd is not responsible for any investment decision You take. You alone are solely responsible for your investment decisions and your investment research. MetaQuotes Ltd does not guarantee the quality reliability or reputation of any brokerage company or financial organization. It is important to understand that nothing including regulation and publications can guarantee the safety or fairness of a brokerage company. MetaQuotes Ltd does not guarantee the accuracy completeness or timeliness of third-party content including advertising materials. Such content does not reflect our opinions or positions.Risk Warning: Trading with real money involves high risk of losing money rapidly. Most retail investor accounts lose money when trading financial products . You should consider whether you understand how various financial products work and whether you can afford to take the high risk of losing money.In this Agreement unless the content otherwise requires the capitalized terms used herein shall be defined as set forth in paragraph 1 of this Agreement.This Agreement is applicable to both physical persons and legal entities including authorized users representing the employer its employees or other persons using or accessing the Product on behalf of the Business.This Agreement as well as any updates hereof constitutes a legal agreement between You and MetaQu

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Directory created: C:\Program Files\checkwritepermissions.exe			Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Directory created: C:\Program Files\checkwritepermissions.exe			Jump to behavior

Source: g8jiNk0ZVv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\.5I]A source: g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DOWNLO~1.ERRdownload.errorapi1.mql5.netcdn/files/mt5/cdn.txtcdn.txt1.PDBwinload_prod.pdbnvalid certificate source: g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B807A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\.Ye source: g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\workspace\MetaTrader5\Build\Installers\Distributive Core\Release64\core.pdb source: g8jiNk0ZVv.exe
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: g8jiNk0ZVv.exe, 00000000.00000003.2353533199.0000019BFDD8C000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000002.2355479162.0000019BFDD8C000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000003.2350266434.0000019BFDD8C000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000003.2353216616.0000019BFDD8C000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000003.2349628692.0000019BFDD8C000.00000004.00000020.00020000.00000000.sdmp

Source: unknown

Network traffic detected: IP country count 10

Source: Joe Sandbox View	IP Address: 78.140.180.86 78.140.180.86
Source: Joe Sandbox View	IP Address: 78.140.180.43 78.140.180.43
Source: Joe Sandbox View	IP Address: 177.154.156.125 177.154.156.125

Source: unknown	TCP traffic detected without corresponding DNS query: 117.20.41.198
Source: unknown	TCP traffic detected without corresponding DNS query: 117.20.41.198
Source: unknown	TCP traffic detected without corresponding DNS query: 117.20.41.198
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.1.241
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.1.241
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.1.241
Source: unknown	TCP traffic detected without corresponding DNS query: 88.212.232.132
Source: unknown	TCP traffic detected without corresponding DNS query: 88.212.232.132
Source: unknown	TCP traffic detected without corresponding DNS query: 88.212.232.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.166.145.86
Source: unknown	TCP traffic detected without corresponding DNS query: 104.166.145.86
Source: unknown	TCP traffic detected without corresponding DNS query: 104.166.145.86
Source: unknown	TCP traffic detected without corresponding DNS query: 156.38.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.38.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.38.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 142.215.208.235
Source: unknown	TCP traffic detected without corresponding DNS query: 142.215.208.235
Source: unknown	TCP traffic detected without corresponding DNS query: 142.215.208.235
Source: unknown	TCP traffic detected without corresponding DNS query: 177.154.156.125
Source: unknown	TCP traffic detected without corresponding DNS query: 177.154.156.125
Source: unknown	TCP traffic detected without corresponding DNS query: 177.154.156.125
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.199.227
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.199.227
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.199.227
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.31.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.31.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.31.15
Source: unknown	TCP traffic detected without corresponding DNS query: 27.111.161.152
Source: unknown	TCP traffic detected without corresponding DNS query: 27.111.161.152
Source: unknown	TCP traffic detected without corresponding DNS query: 27.111.161.152
Source: unknown	TCP traffic detected without corresponding DNS query: 66.203.112.227
Source: unknown	TCP traffic detected without corresponding DNS query: 66.203.112.227
Source: unknown	TCP traffic detected without corresponding DNS query: 66.203.112.227
Source: unknown	TCP traffic detected without corresponding DNS query: 148.66.53.10
Source: unknown	TCP traffic detected without corresponding DNS query: 148.66.53.10
Source: unknown	TCP traffic detected without corresponding DNS query: 148.66.53.10
Source: unknown	TCP traffic detected without corresponding DNS query: 88.212.232.132
Source: unknown	TCP traffic detected without corresponding DNS query: 177.154.156.125
Source: unknown	TCP traffic detected without corresponding DNS query: 142.215.208.235
Source: unknown	TCP traffic detected without corresponding DNS query: 27.111.161.152
Source: unknown	TCP traffic detected without corresponding DNS query: 104.166.145.86
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.1.241
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.199.227
Source: unknown	TCP traffic detected without corresponding DNS query: 156.38.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 148.66.53.10
Source: unknown	TCP traffic detected without corresponding DNS query: 177.154.156.125
Source: unknown	TCP traffic detected without corresponding DNS query: 117.20.41.198
Source: unknown	TCP traffic detected without corresponding DNS query: 104.166.145.86
Source: unknown	TCP traffic detected without corresponding DNS query: 142.215.208.235
Source: unknown	TCP traffic detected without corresponding DNS query: 66.203.112.227

Source: global traffic	HTTP traffic detected: GET /cdn/dns/dns.dat HTTP/1.1Host: download.mql5.comAccept: /Accept-Encoding: gzip, deflateAccept-Language: en;q=0.5User-Agent: MetaTrader Setup/5.4660 (Windows NT 10.0.19045; x64)Cookie: _fz_uniq=4984628598967703521;tid=0C2F8E26ED0CAEB169246B73455AE8DF;Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /tr?event=MetaTrader%205%20Desktop+Install+Begin&id=acoaoprbuhxvkfywgweedlovptddahwozl&utm_website=install.metatrader5.com&model=desktop&scr_res=1280x1024&cpu=2&memory=8192&l=en&model_vendor=Bjroer%20Inc&model_device=Bjroer20%201&fv_date=1734190561&signature=ec8382ba1add4f3ee8f4b45ec3907836617111734190562 HTTP/1.1Host: content.mql5.comAccept: /Accept-Encoding: gzip, deflateAccept-Language: en;q=0.5User-Agent: MetaTrader Setup/5.4660 (Windows NT 10.0.19045; x64)Cookie: _fz_uniq=4984628598967703521;tid=0C2F8E26ED0CAEB169246B73455AE8DF;Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /tr?event=MetaTrader%205%20Desktop+Install+CPU&id=acoaoprbuhxvkfywgweedlovptddahwozl&utm_website=install.metatrader5.com&model=desktop&scr_res=1280x1024&cpu=2&memory=8192&l=en&model_vendor=Bjroer%20Inc&model_device=Bjroer20%201&fv_date=1734190561&value=Intel+Core2++6600+@+2.40+GHz&unit=cpu&signature=9ef3f19c721fc37266fb9cf15529845e321771734190577 HTTP/1.1Host: content.mql5.comAccept: /Accept-Encoding: gzip, deflateAccept-Language: en;q=0.5User-Agent: MetaTrader Setup/5.4660 (Windows NT 10.0.19045; x64)Cookie: _fz_uniq=4984628598967703521;tid=0C2F8E26ED0CAEB169246B73455AE8DF;Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /tr?event=MetaTrader%205%20Desktop+Install+CPU+Cores&id=acoaoprbuhxvkfywgweedlovptddahwozl&utm_website=install.metatrader5.com&model=desktop&scr_res=1280x1024&cpu=2&memory=8192&l=en&model_vendor=Bjroer%20Inc&model_device=Bjroer20%201&fv_date=1734190561&value=2&unit=cores&signature=5b827fe991c9a163ddeea0717033acea134061734190579 HTTP/1.1Host: content.mql5.comAccept: /Accept-Encoding: gzip, deflateAccept-Language: en;q=0.5User-Agent: MetaTrader Setup/5.4660 (Windows NT 10.0.19045; x64)Cookie: _fz_uniq=4984628598967703521;tid=0C2F8E26ED0CAEB169246B73455AE8DF;Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /tr?event=MetaTrader%205%20Desktop+Install+OS&id=acoaoprbuhxvkfywgweedlovptddahwozl&utm_website=install.metatrader5.com&model=desktop&scr_res=1280x1024&cpu=2&memory=8192&l=en&model_vendor=Bjroer%20Inc&model_device=Bjroer20%201&fv_date=1734190561&value=Windows+10+build+19045&unit=os&signature=d50dc294f0ec91abae3b7a951d6b05a8527111734190581 HTTP/1.1Host: content.mql5.comAccept: /Accept-Encoding: gzip, deflateAccept-Language: en;q=0.5User-Agent: MetaTrader Setup/5.4660 (Windows NT 10.0.19045; x64)Cookie: _fz_uniq=4984628598967703521;tid=0C2F8E26ED0CAEB169246B73455AE8DF;Connection: keep-alive

Source: global traffic	DNS traffic detected: DNS query: download.mql5.com
Source: global traffic	DNS traffic detected: DNS query: content.finteza.com
Source: global traffic	DNS traffic detected: DNS query: api14.mql5.net
Source: global traffic	DNS traffic detected: DNS query: api16.mql5.net
Source: global traffic	DNS traffic detected: DNS query: content.mql5.com

Source: g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0?
Source: g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api%%u.mql5.net/cdn/files/mt%d%s/cdn.txtGeoCountrymt=5&lang=en&signature=%Shttps://%s/api/us
Source: g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://download.mql5.com/cdn/dns/dns.dathttps://download.metatrader.com/cdn/dns/dns.dat
Source: g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://download.mql5.com/cdn/web/components/%svalue=%s&unit=fileInstall
Source: g8jiNk0ZVv.exe, 00000000.00000002.2360460502.00007FF6D3A84000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.metaquotes.net.
Source: g8jiNk0ZVv.exe	String found in binary or memory: https://www.metaquotes.net
Source: g8jiNk0ZVv.exe, 00000000.00000003.2163528533.0000019B81359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.metaquotes.net&
Source: g8jiNk0ZVv.exe, 00000000.00000002.2360460502.00007FF6D3A84000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.metaquotes.net.
Source: g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.metaquotes.net/
Source: g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B807A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.metaquotes.net/en/legal/policies
Source: g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B807A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.metaquotes.net/en/legal/policies692161
Source: g8jiNk0ZVv.exe, 00000000.00000003.2163464111.0000019B8137D000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000003.2222509448.0000019B81383000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000003.2257492937.0000019B81383000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000002.2360460502.00007FF6D3A84000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.metaquotes.net/legal/.
Source: g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.metaquotes.netHelpLinkUrlInfoAboutUninstallString5.00DisplayVersion5MajorVersion0MinorVe
Source: g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mql5.com/
Source: g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mql5.comhttps://www.mql5.com/?utm_campaign=mql5.welcome.open&utm_medium=special&utm_sour
Source: g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: g8jiNk0ZVv.exe

Static PE information: invalid certificate

Source: g8jiNk0ZVv.exe, 00000000.00000000.2110572049.00007FF6D3A84000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetup, vs g8jiNk0ZVv.exe
Source: g8jiNk0ZVv.exe, 00000000.00000002.2360460502.00007FF6D3A84000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetup, vs g8jiNk0ZVv.exe
Source: g8jiNk0ZVv.exe	Binary or memory string: OriginalFilenameSetup, vs g8jiNk0ZVv.exe

Source: classification engine

Classification label: mal60.evad.winEXE@1/1@5/16

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe

File created: C:\Program Files\checkwritepermissions.exe

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Section loaded: oledlg.dll	Jump to behavior

Source: g8jiNk0ZVv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: g8jiNk0ZVv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: g8jiNk0ZVv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: g8jiNk0ZVv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: g8jiNk0ZVv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: g8jiNk0ZVv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: g8jiNk0ZVv.exe	Static PE information: section name: .fptable
Source: g8jiNk0ZVv.exe	Static PE information: section name: .cod0
Source: g8jiNk0ZVv.exe	Static PE information: section name: .cod1
Source: g8jiNk0ZVv.exe	Static PE information: section name: .cod2

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Memory written: PID: 6964 base: 7FFDB459000D value: E9 BB CB EC FF			Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Memory written: PID: 6964 base: 7FFDB445CBC0 value: E9 5A 34 13 00			Jump to behavior

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Window / User API: threadDelayed 540	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Window / User API: threadDelayed 2015	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Window / User API: threadDelayed 422	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Window / User API: threadDelayed 3700	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Window / User API: threadDelayed 1012	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Window / User API: threadDelayed 1862	Jump to behavior

Source: g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Windows NT %u.%u.%uWindows Server %u.%u.%ukernel32IsWow64Process2; x64; ARM64HARDWARE\DESCRIPTION\SystemVMWBOCHSAMAZONAWS%S-%S%SXENSRC XenVMware VMwareVirtIO KVMVBOX Hyper-VSystemBiosVersionHardware\Description\SystemVBOXVirtualBox; .
Source: g8jiNk0ZVv.exe, 00000000.00000003.2352855548.0000019BFDD67000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000003.2349628692.0000019BFDD5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D3649185	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D3629143	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D362E1F2	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D37D2225	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	NtQueryInformationProcess: Direct from: 0x7FF6D39A00D0	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D3640C25	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	NtSetInformationThread: Direct from: 0x7FF6D3641AAF	Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D37A7298	Jump to behavior

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId			Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId			Jump to behavior

Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\g8jiNk0ZVv.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	3 Masquerading	1 Credential API Hooking	1 Query Registry	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	13 Virtualization/Sandbox Evasion	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Disable or Modify Tools	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	144 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
g8jiNk0ZVv.exe	3%	Virustotal		Browse
g8jiNk0ZVv.exe	5%	ReversingLabs	Win64.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://www.metaquotes.net	0%	Avira URL Cloud	safe
https://www.mql5.comhttps://www.mql5.com/?utm_campaign=mql5.welcome.open&utm_medium=special&utm_sour	0%	Avira URL Cloud	safe
https://api%%u.mql5.net/cdn/files/mt%d%s/cdn.txtGeoCountrymt=5&lang=en&signature=%Shttps://%s/api/us	0%	Avira URL Cloud	safe
https://www.metaquotes.netHelpLinkUrlInfoAboutUninstallString5.00DisplayVersion5MajorVersion0MinorVe	0%	Avira URL Cloud	safe
https://www.metaquotes.net.	0%	Avira URL Cloud	safe
https://support.metaquotes.net.	0%	Avira URL Cloud	safe
https://www.metaquotes.net/legal/.	0%	Avira URL Cloud	safe
https://www.metaquotes.net/	0%	Avira URL Cloud	safe
https://www.metaquotes.net/en/legal/policies692161	0%	Avira URL Cloud	safe
https://www.metaquotes.net/en/legal/policies	0%	Avira URL Cloud	safe
https://www.metaquotes.net&	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
download.mql5.com	78.140.180.43	true	false	high
sa.as.content.mql5.com	78.140.180.86	true	false	unknown
api14.mql5.net	157.90.219.141	true	false	high
content.finteza.com	unknown	unknown	false	high
content.mql5.com	unknown	unknown	false	high
api16.mql5.net	unknown	unknown	false	unknown

Name	Malicious	Reputation
https://content.mql5.com/tr?event=MetaTrader%205%20Desktop+Install+CPU&id=acoaoprbuhxvkfywgweedlovptddahwozl&utm_website=install.metatrader5.com&model=desktop&scr_res=1280x1024&cpu=2&memory=8192&l=en&model_vendor=Bjroer%20Inc&model_device=Bjroer20%201&fv_date=1734190561&value=Intel+Core2++6600+@+2.40+GHz&unit=cpu&signature=9ef3f19c721fc37266fb9cf15529845e321771734190577	false	high
https://content.mql5.com/tr?event=MetaTrader%205%20Desktop+Install+OS&id=acoaoprbuhxvkfywgweedlovptddahwozl&utm_website=install.metatrader5.com&model=desktop&scr_res=1280x1024&cpu=2&memory=8192&l=en&model_vendor=Bjroer%20Inc&model_device=Bjroer20%201&fv_date=1734190561&value=Windows+10+build+19045&unit=os&signature=d50dc294f0ec91abae3b7a951d6b05a8527111734190581	false	high
https://content.mql5.com/tr?event=MetaTrader%205%20Desktop+Install+CPU+Cores&id=acoaoprbuhxvkfywgweedlovptddahwozl&utm_website=install.metatrader5.com&model=desktop&scr_res=1280x1024&cpu=2&memory=8192&l=en&model_vendor=Bjroer%20Inc&model_device=Bjroer20%201&fv_date=1734190561&value=2&unit=cores&signature=5b827fe991c9a163ddeea0717033acea134061734190579	false	high
https://content.mql5.com/tr?event=MetaTrader%205%20Desktop+Install+Begin&id=acoaoprbuhxvkfywgweedlovptddahwozl&utm_website=install.metatrader5.com&model=desktop&scr_res=1280x1024&cpu=2&memory=8192&l=en&model_vendor=Bjroer%20Inc&model_device=Bjroer20%201&fv_date=1734190561&signature=ec8382ba1add4f3ee8f4b45ec3907836617111734190562	false	high
https://download.mql5.com/cdn/dns/dns.dat	false	high

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.metaquotes.net/legal/.	g8jiNk0ZVv.exe, 00000000.00000003.2163464111.0000019B8137D000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000003.2222509448.0000019B81383000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000003.2257492937.0000019B81383000.00000004.00000020.00020000.00000000.sdmp, g8jiNk0ZVv.exe, 00000000.00000002.2360460502.00007FF6D3A84000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.mql5.com/	g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	false		high
https://api%%u.mql5.net/cdn/files/mt%d%s/cdn.txtGeoCountrymt=5&lang=en&signature=%Shttps://%s/api/us	g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp	false		high
https://download.mql5.com/cdn/web/components/%svalue=%s&unit=fileInstall	g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.metaquotes.net/en/legal/policies	g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B807A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.netHelpLinkUrlInfoAboutUninstallString5.00DisplayVersion5MajorVersion0MinorVe	g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsps.ssl.com0?	g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.metaquotes.net	g8jiNk0ZVv.exe	false	Avira URL Cloud: safe	unknown
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B80780000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.metaquotes.net/en/legal/policies692161	g8jiNk0ZVv.exe, 00000000.00000002.2354564075.0000019B807A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.net/	g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.net.	g8jiNk0ZVv.exe, 00000000.00000002.2360460502.00007FF6D3A84000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://download.mql5.com/cdn/dns/dns.dathttps://download.metatrader.com/cdn/dns/dns.dat	g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.mql5.comhttps://www.mql5.com/?utm_campaign=mql5.welcome.open&utm_medium=special&utm_sour	g8jiNk0ZVv.exe, 00000000.00000002.2356370316.00007FF6CF517000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://support.metaquotes.net.	g8jiNk0ZVv.exe, 00000000.00000002.2360460502.00007FF6D3A84000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.net&	g8jiNk0ZVv.exe, 00000000.00000003.2163528533.0000019B81359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

IP	Domain	Country	ASN	ASN Name	Malicious
27.111.161.152	unknown	Hong Kong	17819	ASN-EQUINIX-APEquinixAsiaPacificSG	false
78.140.180.86	sa.as.content.mql5.com	Netherlands	35415	WEBZILLANL	false
78.140.180.43	download.mql5.com	Netherlands	35415	WEBZILLANL	false
177.154.156.125	unknown	Brazil	16397	EQUINIXBRASILBR	false
199.254.199.227	unknown	United States	20001	TWC-20001-PACWESTUS	false
148.113.1.241	unknown	United States	396982	GOOGLE-PRIVATE-CLOUDUS	false
185.252.31.15	unknown	Iran (ISLAMIC Republic Of)	201295	MHOSTIR	false
195.201.80.82	unknown	Germany	24940	HETZNER-ASDE	false
66.203.112.227	unknown	United States	396356	MAXIHOSTUS	false
88.212.232.132	unknown	Russian Federation	7979	SERVERS-COMUS	false
104.166.145.86	unknown	United States	7352	WECOM-INCUS	false
156.38.206.18	unknown	South Africa	37153	xneeloZA	false
157.90.219.141	api14.mql5.net	United States	766	REDIRISRedIRISAutonomousSystemES	false
148.66.53.10	unknown	Hong Kong	45753	NETSEC-HKNETSECHK	false
117.20.41.198	unknown	Singapore	14636	INTERNAP-BLK4US	false
142.215.208.235	unknown	Canada	32156	HUMBER-COLLEGECA	false

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575181
Start date and time:	2024-12-14 16:35:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	g8jiNk0ZVv.exe renamed because original name is a hash value
Original Sample Name:	d3847704a6ec28a099434c383d130fdbcebe8e46.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@1/1@5/16
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report g8jiNk0ZVv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\MetaQuotes\Terminal\Community\dns.dat

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
g8jiNk0ZVv.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
27.111.161.152	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
78.140.180.86	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse
	http://itsdigitalshiva.com	Get hash	malicious	Unknown	Browse
	http://abesolan.top	Get hash	malicious	Unknown	Browse
	https://abesolan.top/	Get hash	malicious	Unknown	Browse
	http://cutt.ly/rwrjW3FP	Get hash	malicious	Unknown	Browse
	https://thementornetwork.ukit.me/	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	http://pingclock.net	Get hash	malicious	Unknown	Browse
	2h9dabRpee.exe	Get hash	malicious	Unknown	Browse
78.140.180.43	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse
	metaeditor.exe	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	2h9dabRpee.exe	Get hash	malicious	Unknown	Browse
	umoworldcorp4setup.exe	Get hash	malicious	Unknown	Browse
	mt5setup.exe	Get hash	malicious	Unknown	Browse
	roboforex4multisetup.exe	Get hash	malicious	Unknown	Browse
	fortrade4setup.exe	Get hash	malicious	Unknown	Browse
177.154.156.125	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	umoworldcorp4setup.exe	Get hash	malicious	Unknown	Browse
	mt5setup.exe	Get hash	malicious	Unknown	Browse
	roboforex4multisetup.exe	Get hash	malicious	Unknown	Browse
	fortrade4setup.exe	Get hash	malicious	Unknown	Browse
199.254.199.227	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EQUINIXBRASILBR	m68k.elf	Get hash	malicious	Mirai	Browse	177.154.143.138
	RIBFTXw15k.exe	Get hash	malicious	Unknown	Browse	200.150.150.50
	sora.arm.elf	Get hash	malicious	Mirai	Browse	177.154.143.131
	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse	177.154.156.125
	https://www.mundodomarketing.com.br/	Get hash	malicious	HTMLPhisher	Browse	177.184.22.148
	https://www.mundodomarketing.com.br/	Get hash	malicious	HTMLPhisher	Browse	177.184.22.148
	counter.exe	Get hash	malicious	Bdaejec	Browse	201.20.45.207
	https://app.adjust.com/97grly?bwkblabel=2ch_002&redirect=//minhaclaro.dtmmkt.com.br%2Feffectivemail/redirecionaclique.aspx?idabordagem=5252932746%2526idlink=126090168=%0A66%2526endereco=//tubest%E3%80%82com%E3%80%82tr/toro/ybk5/Z3JhaGFtLmR1ZmZAbWxjaW5zdXJhbmNlLmNvbS5hdQ==&$	Get hash	malicious	HTMLPhisher	Browse	177.47.17.235
	https://app.adjust.com/97grly?joiylabel=2ch_002&redirect=//minhaclaro.dtmmkt.com.br%2Feffectivemail/redirecionaclique.aspx?idabordagem=5252932746%25%32%36idlink=126090168=%0A66%25%32%36endereco=//tubest%E3%80%82com%E3%80%82tr/toro/4exq/YnJlbmRhYmFrZXJAYmFrZXJzZWxkZXJsYXcuY29t&$	Get hash	malicious	HTMLPhisher	Browse	177.47.17.238
	http://minhaclaro.dtmmkt.com.br/effectivemail/redirecionaclique.aspx?idabordagem=5252932746&idlink=12609016866&endereco=//act4change.co.ke/userr/hvhbjbjbjbjknk/cHJvcGVydGllc0BmYWRpbmd3ZXN0LmNvbQ==	Get hash	malicious	ReCaptcha Phish	Browse	177.47.17.235
WEBZILLANL	http://www.thehorizondispatch.com	Get hash	malicious	Unknown	Browse	185.49.145.45
	http://doctifyblog.com	Get hash	malicious	Unknown	Browse	188.72.219.35
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	88.85.75.48
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	188.72.245.36
	jmhgeojeri.elf	Get hash	malicious	Unknown	Browse	88.85.75.32
	meerkat.arm.elf	Get hash	malicious	Mirai	Browse	88.85.75.45
	https://hianime.to	Get hash	malicious	Unknown	Browse	185.49.145.45
	Pending invoices.exe	Get hash	malicious	FormBook	Browse	78.140.140.218
	https://img1.wsimg.com/blobby/go/0fb15fac-f667-4c74-8a1e-27661514d143/downloads/87458256888.pdf	Get hash	malicious	Unknown	Browse	188.72.236.196
	cho6043ijz.000	Get hash	malicious	Unknown	Browse	188.72.236.196
ASN-EQUINIX-APEquinixAsiaPacificSG	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	133.152.150.244
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	183.177.8.89
	teste.arm.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	119.27.138.17
	botx.m68k.elf	Get hash	malicious	Mirai	Browse	119.27.138.11
	http://www.swpartners.com.au	Get hash	malicious	Unknown	Browse	103.19.61.169
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	133.152.175.196
	ppc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	133.152.215.211
	na.elf	Get hash	malicious	Gafgyt	Browse	103.195.163.8
	2qWIvXORVU.elf	Get hash	malicious	Mirai, Moobot	Browse	103.31.20.215
	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse	27.111.161.152
WEBZILLANL	http://www.thehorizondispatch.com	Get hash	malicious	Unknown	Browse	185.49.145.45
	http://doctifyblog.com	Get hash	malicious	Unknown	Browse	188.72.219.35
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	88.85.75.48
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	188.72.245.36
	jmhgeojeri.elf	Get hash	malicious	Unknown	Browse	88.85.75.32
	meerkat.arm.elf	Get hash	malicious	Mirai	Browse	88.85.75.45
	https://hianime.to	Get hash	malicious	Unknown	Browse	185.49.145.45
	Pending invoices.exe	Get hash	malicious	FormBook	Browse	78.140.140.218
	https://img1.wsimg.com/blobby/go/0fb15fac-f667-4c74-8a1e-27661514d143/downloads/87458256888.pdf	Get hash	malicious	Unknown	Browse	188.72.236.196
	cho6043ijz.000	Get hash	malicious	Unknown	Browse	188.72.236.196

Process:	C:\Users\user\Desktop\g8jiNk0ZVv.exe
File Type:	data
Category:	dropped
Size (bytes):	16448
Entropy (8bit):	7.972364061862209
Encrypted:	false
SSDEEP:	384:4hRhQzXLfuxncNC9Vn9dLfhqzXLfzTQxJRRxQhRITwILfNJ7k9VVr9YLfErRRWaH:4hyyckh9dGfT0JqhuTJBubmM2CX8PJw1
MD5:	338C1F99B8634B0510ADF06FF7742007
SHA1:	911E81406A62AD4631CB2B2D3A57CB5769D11BD3
SHA-256:	B81BEB70609F9D82AE299507FE80E40A6E88F3F9E59285C617E47834E5015C96
SHA-512:	D6F5D89195BB824675B470CF4ABDAE192FD046F38296FAF7529245C6ED9886D5BDEBBC0FAE575B49900650848F97221AEBF71C233744F78F8176B88ECF559FB5
Malicious:	false
Reputation:	low
Preview:	....C.o.p.y.r.i.g.h.t. .2.0.0.0.-.2.0.2.3.,. .M.e.t.a.Q.u.o.t.e.s. .L.t.d...........................................................D.N.S................................................19.B.%.(0p..py................................................ .2......:sq.w.-..8......J75"..v.m.D\|.x. Ya_.;\|...J.....~.....2s)..8D4a....<.8...^....:s{y.U../.d............L.C..R^N{./75V.R..4.....N.......h...q}Z..;CAb.^...,....`....{..U....&.C.......r.i.@x.t..U][\|7x...F.....z......o%..4@0]....8.4...Z....6owu.Q..+.`............H.?..NZJw.+31R.N...t....P....k..E.z....3.......b.Y.0htd..EMKl'h...6.....j......_...$0 M....(.$\|.s.J..~.&_ge.A....P...........8y/..>J:g..#!B.>...d....@y...[..5.j....#.......R.I. XdT..5=;\.X..&~...Z....u..O.... .=.......l.c.:r~n..OWUv1r...@.....t.....(i....:W....2....}.T....0iqo.K..%.Z...........B.9..HTDq.%-+L.H...n....J....e..?.t....-.......\.S.bn^..?GEf!b.t&.J..~. .2......:pn.\.H..A......Q<:/.+..z.Q....-fnl.H..".W...........?.6..EQAn."(I.E...k....G....b..<.q....*

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.991304284271182
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	g8jiNk0ZVv.exe
File size:	25'039'544 bytes
MD5:	9520e99abb9f84d5a7fff2ede2fcfcfc
SHA1:	d3847704a6ec28a099434c383d130fdbcebe8e46
SHA256:	7231871fb0cdad9a4fe4467d9b6dc5db71986d5c3747c1bc52630f97714a30e6
SHA512:	e8f998678a03f6a464e8e4a3acffce81860273a877067892cd7cd9db1a9df2c05d99d04fd9ba67a10d449df791ea07648adb5fc1a0da446582e8a4cf924013d0
SSDEEP:	393216:PRRx1kg0M65DOa6tTSY4W0sBXTkiwe2SOchMLkTqXzKGJE6oGdHIpaqlVHslMrCc:PLf0Mq6Gts2kDmVZxIvzslLy
TLSH:	444733C3D9854C55DFF48339A1CDAEC876D83955DA943C0B2AD12C6329B3A1A330B6ED
File Content Preview:	MZ......................@...........}.Q.....................0...........!..L.!This program cannot be run in DOS mode....$........%H..D&..D&..D&...#..D&...%..D&...%..D&..."..D&..."..D&...#..D&...#..D&.S.'..D&..."..D&... ..D&..D'.YE&...'..D&.../..D&......D&

Entrypoint:	0x1443f8215
Entrypoint Section:	.cod2
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x515C00 [Tue Mar 3 17:06:08 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	f6248a43502620057f6e602167998f6e

Signature Valid:	false
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	A certificate was explicitly revoked by its issuer
Error Number:	-2146762484
Not Before, Not After	09/12/2024 09:36:38 09/12/2025 09:36:38
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=SUMMIT RECRUITMENT LIMITED, SERIALNUMBER=09304744, O=SUMMIT RECRUITMENT LIMITED, L=Southampton, C=GB
Version:	3
Thumbprint MD5:	06A4A9CF0CF04CE26850ECBB5E9CD7CA
Thumbprint SHA-1:	94C21E6384F2FFB72BD856C1C40B788F314B5298
Thumbprint SHA-256:	A174F78759EB83B43CE99080CA0B3D74B7B25834C358ABDB98B0EF1B5FBC1BAB
Serial:	3A9C76F8304F77BD271921D9982F1AB6

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4429e58	0x12c	.cod2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46e4000	0x19ba2e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x46d0920	0x11c4c	.cod2
IMAGE_DIRECTORY_ENTRY_SECURITY	0x17dec60	0x2658	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x46e3000	0x50	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x46d08c0	0x54	.cod2
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4423f10	0x28	.cod2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x46d02c0	0x140	.cod2
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x41f3000	0xf70	.cod1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x175800	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x177000	0xb855a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x230000	0x3d9b524	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3fcc000	0xf24c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fptable	0x3fdc000	0x100	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.cod0	0x3fdd000	0x215416	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.cod1	0x41f3000	0x12e0	0x1400	cbbe70450ae5569ac13182ae53cd137b	False	0.3357421875	data	3.1886875342982948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.cod2	0x41f5000	0x4ed56c	0x4ed600	2d0a6292a7b1f2aecb6267c82d817dc0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x46e3000	0x50	0x200	6ccdfeeb8d75e743d8e6644534e55d56	False	0.169921875	data	0.9689370899022755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x46e4000	0x19ba2e	0x26c00	3a7e929d1dad89391509472556e48e51	False	0.5922316028225807	data	5.713239700449305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x470aa60	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x470aa68	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x470aa70	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x470aa78	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x470aa80	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x470aa88	0x2	data			5.0
FILE	0x470aa90	0x2fe15	data			0.035326086956521736
FILE	0x473a8a8	0x2f0f8	empty			0
FILE	0x47699a0	0x31b12	empty			0
LNG	0x479b4b8	0x18cfe	empty			0
LNG	0x47b41b8	0x1a2c8	empty			0
LNG	0x47ce480	0x141f2	empty			0
LNG	0x47e2678	0x151c2	empty			0
LNG	0x47f7840	0x14f88	empty			0
LNG	0x480c7c8	0x14fc4	empty			0
LNG	0x4821790	0x14f70	empty			0
RT_BITMAP	0x4836700	0x302a	empty			0
RT_BITMAP	0x4839730	0x1d4ea	empty			0
RT_BITMAP	0x4856c20	0x242a	empty			0
RT_ICON	0x46e53c8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors			0.5363187588152327
RT_ICON	0x46e69f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.628731343283582
RT_ICON	0x46e7898	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.766245487364621
RT_ICON	0x46e8140	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.8110599078341014
RT_ICON	0x46e8808	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.6307803468208093
RT_ICON	0x46e8d70	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12288			0.6175233644859813
RT_ICON	0x46ebf98	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 6912			0.6170937840785169
RT_ICON	0x46edc40	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3072			0.6706790123456791
RT_ICON	0x46ee8e8	0x748	Device independent bitmap graphic, 24 x 48 x 24, image size 1728			0.6888412017167382
RT_ICON	0x46ef030	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 768			0.7110091743119266
RT_ICON	0x46ef398	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.5643599433160132
RT_ICON	0x46f35c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.5982365145228216
RT_ICON	0x46f5b68	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.672373358348968
RT_ICON	0x46f6c10	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.7262295081967213
RT_ICON	0x46f7598	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.7579787234042553
RT_ICON	0x46f7a00	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors			0.5430183356840621
RT_ICON	0x46f9028	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.6273987206823027
RT_ICON	0x46f9ed0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.7671480144404332
RT_ICON	0x46fa778	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.8283410138248848
RT_ICON	0x46fae40	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.5534682080924855
RT_ICON	0x46fb3a8	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12288			0.6107476635514019
RT_ICON	0x46fe5d0	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 6912			0.6232279171210469
RT_ICON	0x4700278	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3072			0.6623456790123456
RT_ICON	0x4700f20	0x748	Device independent bitmap graphic, 24 x 48 x 24, image size 1728			0.7006437768240343
RT_ICON	0x4701668	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 768			0.6857798165137615
RT_ICON	0x47019d0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.5653046764289088
RT_ICON	0x4705bf8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.6025933609958506
RT_ICON	0x47081a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.6639305816135085
RT_ICON	0x4709248	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.7270491803278688
RT_ICON	0x4709bd0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.7322695035460993
RT_DIALOG	0x4859050	0xb8	empty			0
RT_DIALOG	0x4859108	0x106	empty			0
RT_DIALOG	0x4859210	0x304	empty			0
RT_DIALOG	0x4859518	0x1a0	empty			0
RT_DIALOG	0x48596b8	0x376	empty			0
RT_DIALOG	0x4859a30	0x260	empty			0
RT_STRING	0x4859c90	0xcc	empty			0
RT_STRING	0x4859d60	0x272	empty			0
RT_STRING	0x4859fd8	0x1da	empty			0
RT_STRING	0x485a1b8	0xca	empty			0
RT_STRING	0x485a288	0x130	empty			0
RT_ACCELERATOR	0x485a3b8	0x30	empty			0
RT_RCDATA	0x485a3e8	0x114a	empty			0
RT_RCDATA	0x485b538	0xa30	empty			0
RT_RCDATA	0x485bf68	0x15d6	empty			0
RT_RCDATA	0x485d540	0x145e	empty			0
RT_RCDATA	0x485e9a0	0x1380	empty			0
RT_RCDATA	0x485fd20	0xd5e	empty			0
RT_RCDATA	0x4860a80	0x135e	empty			0
RT_RCDATA	0x4861de0	0x135e	empty			0
RT_RCDATA	0x4863140	0x12d0	empty			0
RT_RCDATA	0x4864410	0x13f8	empty			0
RT_RCDATA	0x4865808	0x12a2	empty			0
RT_RCDATA	0x4866ab0	0x12dc	empty			0
RT_RCDATA	0x4867d90	0x13ca	empty			0
RT_RCDATA	0x4869160	0x12e6	empty			0
RT_RCDATA	0x486a448	0xa34	empty			0
RT_RCDATA	0x486ae80	0x1256	empty			0
RT_RCDATA	0x486c0d8	0x1152	empty			0
RT_RCDATA	0x486d230	0x1246	empty			0
RT_RCDATA	0x486e478	0x148a	empty			0
RT_RCDATA	0x486f908	0x12ee	empty			0
RT_RCDATA	0x4870bf8	0x1028	empty			0
RT_RCDATA	0x4871c20	0x1104	empty			0
RT_RCDATA	0x4872d28	0x1268	empty			0
RT_RCDATA	0x4873f90	0x12c6	empty			0
RT_RCDATA	0x4875258	0x137a	empty			0
RT_RCDATA	0x48765d8	0xc58	empty			0
RT_RCDATA	0x4877230	0x13ae	empty			0
RT_RCDATA	0x48785e0	0x1326	empty			0
RT_RCDATA	0x4879908	0x12c4	empty			0
RT_RCDATA	0x487abd0	0x13aa	empty			0
RT_RCDATA	0x487bf80	0x1442	empty			0
RT_RCDATA	0x487d3c8	0x136c	empty			0
RT_RCDATA	0x487e738	0x12f6	empty			0
RT_GROUP_ICON	0x470a038	0xd8	data			0.5787037037037037
RT_GROUP_ICON	0x470a110	0xd8	data			0.5879629629629629
RT_VERSION	0x470a1e8	0x378	data			0.42567567567567566
RT_MANIFEST	0x470a560	0x4fc	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1216), with CRLF line terminators	English	United States	0.45141065830721006

DLL	Import
WS2_32.dll	WSARecv, WSASend, WSAGetLastError, shutdown, WSAConnect, setsockopt, bind, WSASocketW, htons, WSAStartup, WSACleanup, ioctlsocket, recv, select, GetAddrInfoW, FreeAddrInfoW, InetPtonW, closesocket, send
CRYPT32.dll	CertGetNameStringW
KERNEL32.dll	FileTimeToSystemTime, FindFirstFileW, FindClose, FindNextFileW, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, FileTimeToDosDateTime, lstrcmpiW, SizeofResource, LoadResource, FindResourceW, InitializeCriticalSectionEx, RaiseException, GetCurrentProcessId, Thread32Next, ReadProcessMemory, ResumeThread, GetThreadContext, SuspendThread, OpenThread, Thread32First, CreateToolhelp32Snapshot, GetCurrentThread, Module32NextW, LockResource, FindResourceExW, Module32FirstW, GetProcessHandleCount, GetLogicalProcessorInformationEx, GetLocalTime, K32GetProcessMemoryInfo, GetEnvironmentVariableW, AddVectoredExceptionHandler, SetUnhandledExceptionFilter, LocalFree, DecodePointer, OpenProcess, HeapSize, GetProcessHeap, CompareStringW, lstrlenW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, IsValidCodePage, EnumResourceNamesW, CreateProcessW, MoveFileExW, GetFileSize, CopyFileW, SetLastError, GetDiskFreeSpaceExW, RemoveDirectoryW, GetExitCodeThread, TerminateThread, Process32FirstW, K32GetProcessImageFileNameW, Process32NextW, lstrcmpW, RtlUnwindEx, DosDateTimeToFileTime, IsProcessorFeaturePresent, GetStartupInfoW, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, VirtualQuery, LoadLibraryExA, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, EncodePointer, OutputDebugStringW, IsDebuggerPresent, TlsFree, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, GetStdHandle, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, VirtualProtect, HeapReAlloc, HeapFree, HeapAlloc, GetModuleHandleW, GetCurrentProcess, DeviceIoControl, TlsSetValue, LoadLibraryExW, GetProcAddress, FreeLibrary, GetSystemDirectoryW, GetVolumeInformationW, GetSystemInfo, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetCPInfo, GetStringTypeW, GetACP, GetOEMCP, SetFilePointerEx, GetConsoleMode, ReadConsoleW, FlushFileBuffers, GetVersionExW, EnterCriticalSection, GetUserDefaultUILanguage, GlobalMemoryStatusEx, GetModuleFileNameW, WaitForSingleObject, CloseHandle, DeleteCriticalSection, InitializeCriticalSection, ReleaseSRWLockExclusive, GetActiveProcessorCount, GetTickCount64, AcquireSRWLockExclusive, GetSystemTimeAsFileTime, GetFileAttributesExW, GetConsoleOutputCP, HeapDestroy, GetFileAttributesW, CreateDirectoryW, SetFileAttributesW, HeapCreate, WriteFile, SetEndOfFile, SetFilePointer, QueryPerformanceCounter, QueryPerformanceFrequency, SystemTimeToFileTime, WideCharToMultiByte, GetCurrentThreadId, SetThreadStackGuarantee, DeleteFileW, CreateFileW, GetFileSizeEx, ReadFile, MultiByteToWideChar, GetLastError, VirtualAlloc, VirtualFree, Sleep, TerminateProcess, LeaveCriticalSection, SetStdHandle, HeapQueryInformation, FindFirstFileExW, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, WriteConsoleW, RtlPcToFileHeader, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, GetTempPathW
USER32.dll	MessageBoxW, SetForegroundWindow, ShowWindow, MoveWindow, BringWindowToTop, GetDlgItem, SetClassLongPtrW, PostQuitMessage, MapWindowPoints, GetMonitorInfoW, MonitorFromWindow, EnableWindow, LoadIconW, DialogBoxParamW, SetWindowTextW, GetWindow, LoadStringW, RegisterClassExW, GetWindowRect, GetClassInfoExW, PostMessageW, IsWindowVisible, LoadImageW, SetTimer, LoadBitmapW, GetClassNameW, SetWindowPos, LoadCursorW, SystemParametersInfoW, CreateWindowExW, GetWindowTextLengthW, GetWindowTextW, BeginPaint, EndPaint, FillRect, IsWindowEnabled, GetFocus, DrawFocusRect, SetCursor, TrackMouseEvent, GetCapture, ReleaseCapture, GetCursorPos, ScreenToClient, UpdateWindow, IsWindow, GetDC, ReleaseDC, GetWindowLongW, OffsetRect, InvalidateRect, CallWindowProcW, GetWindowLongPtrW, SetWindowLongPtrW, DefWindowProcW, DrawTextW, SetRectEmpty, GetSysColor, PtInRect, SetFocus, SetCapture, GetParent, SendMessageW, GetDlgCtrlID, GetClientRect, UnregisterClassW, DestroyWindow, GetActiveWindow, CharLowerW, CharNextW, PostMessageA, GetSystemMetrics, MessageBeep, EndDialog, GetTopWindow, GetWindowThreadProcessId, KillTimer, SetWindowLongW
GDI32.dll	SetBkMode, SetTextColor, ExtTextOutW, SetBkColor, GetStockObject, CreateFontIndirectW, GetObjectW, DeleteDC, DeleteObject, GetTextExtentPoint32W, CreateSolidBrush, CreateCompatibleDC, CreateCompatibleBitmap, GdiGradientFill, BitBlt, GetTextExtentPointW, TextOutW, RestoreDC, SaveDC, CreateFontW, EnumFontFamiliesExW, CreateDIBitmap, SelectObject, GetDIBits
ADVAPI32.dll	FreeSid, GetTokenInformation, GetFileSecurityW, GetSecurityDescriptorDacl, GetAclInformation, GetAce, EqualSid, RegDeleteValueW, RegEnumKeyExW, RegQueryInfoKeyW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, SetNamedSecurityInfoW, SetEntriesInAclW, AllocateAndInitializeSid, RegDeleteKeyExW, RegEnumKeyW, OpenSCManagerW, EnumServicesStatusW, CloseServiceHandle, OpenServiceW, QueryServiceStatus, ControlService, QueryServiceConfigW, RegQueryValueW, OpenProcessToken
SHELL32.dll	SHGetPathFromIDListW, SHGetFolderPathW, SHBrowseForFolderW, SHGetSpecialFolderLocation, SHGetFileInfoW, ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW, SHChangeNotify
ole32.dll	CreateStreamOnHGlobal, CoUninitialize, CoInitializeSecurity, CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc, CoCreateInstance, CoSetProxyBlanket, CoInitializeEx
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear, VarUI4FromStr
SHLWAPI.dll	PathCanonicalizeW, PathFindExtensionW
COMCTL32.dll	DestroyPropertySheetPage, PropertySheetW, ImageList_GetImageCount, ImageList_GetImageInfo, ImageList_Create, ImageList_SetBkColor, ImageList_AddMasked, ImageList_Draw, ImageList_Destroy, InitCommonControlsEx, CreatePropertySheetPageW
gdiplus.dll	GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdipFree, GdipCloneImage, GdipAlloc, GdipDisposeImage, GdiplusStartup, GdiplusShutdown
WINTRUST.dll	WTHelperGetProvSignerFromChain, WTHelperGetProvCertFromChain, WinVerifyTrust, WTHelperProvDataFromStateData
KERNEL32.dll	GetSystemTimeAsFileTime, CreateEventA, GetModuleHandleA, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, LoadLibraryA, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, HeapAlloc, HeapFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, MultiByteToWideChar, GetModuleHandleW, LoadResource, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, FlushFileBuffers, FlsSetValue, GetCommandLineA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, DecodePointer, FlsGetValue, FlsFree, SetLastError, FlsAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RaiseException, RtlPcToFileHeader, RtlUnwindEx, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, QueryPerformanceCounter, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteFile, SetFilePointer, GetConsoleCP, GetConsoleMode, HeapReAlloc, InitializeCriticalSectionAndSpinCount, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA