Edit tour
Windows
Analysis Report
wRhEMj1swo.exe
Overview
General Information
| Sample name: | wRhEMj1swo.exerenamed because original name is a hash value |
| Original sample name: | d7ae3392a9ce8d10923040dd4c3ef0af.exe |
| Analysis ID: | 1585798 |
| MD5: | d7ae3392a9ce8d10923040dd4c3ef0af |
| SHA1: | 37c5b3cf8831a841c5ed87a4129595c8a721302e |
| SHA256: | dbac017142912cc3bef0a236b80857511776be8119f7abd64253cccd23ebd6e4 |
| Tags: | exeuser-abuse_ch |
| Infos: |  |
 | |
Detection
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected aPLib compressed binary
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
wRhEMj1swo.exe (PID: 6480 cmdline: "C:\Users\ user\Deskt op\wRhEMj1 swo.exe" MD5: D7AE3392A9CE8D10923040DD4C3EF0AF)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| CN_Honker_WordpressScanner | Sample from CN Honker Pentest Toolset - file WordpressScanner.exe | Florian Roth |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | ||
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | ||
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | ||
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | ||
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | ||
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | ||
| JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T09:46:58.963117+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 103.235.47.188 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_004119E8 | |
| Source: | Code function: | 0_2_004175E6 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00401BFE | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | File written: | Jump to behavior | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_005E4C20 | |
| Source: | Code function: | 0_2_005DB166 | |
| Source: | Code function: | 0_2_005D8C7E | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_005E4C20 | |
| Source: | Code function: | 0_2_0044086C | |
| Source: | Code function: | 0_2_004222F3 | |
| Source: | Code function: | 0_2_0047FB4C | |
| Source: | Code function: | 0_2_00421EEC | |
| Source: | Code function: | 0_2_0043E797 | |
| Source: | Code function: | 0_2_004706E8 | |
| Source: | Code function: | 0_2_004200FF | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_005DD4AC | |
| Source: | Key value queried: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 12 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 54% | ReversingLabs | Win32.Ransomware.Generic | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML | |||
| 37% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| www.wshifen.com | 103.235.47.188 | true | false | high | |
| www.baidu.com | unknown | unknown | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 103.235.47.188 | www.wshifen.com | Hong Kong | 55967 | BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1585798 |
| Start date and time: | 2025-01-08 09:45:57 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 29s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | wRhEMj1swo.exerenamed because original name is a hash value |
| Original Sample Name: | d7ae3392a9ce8d10923040dd4c3ef0af.exe |
| Detection: | MAL |
| Classification: | mal88.evad.winEXE@1/3@1/1 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 103.235.47.188 | Get hash | malicious | BlackMoon | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | BlackMoon, XRed | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | BlackMoon | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Bdaejec | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| www.wshifen.com | Get hash | malicious | ValleyRAT | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | ValleyRAT | Browse |
| ||
| Get hash | malicious | ValleyRAT | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | BlackMoon | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd | Get hash | malicious | ValleyRAT | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai, Gafgyt | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, PureLog Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\wRhEMj1swo.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 434 |
| Entropy (8bit): | 3.99579928616557 |
| Encrypted: | false |
| SSDEEP: | 12:QZsiL5wmHOlDmo0qmWvclLwv2G4wmDg86uCEuyLyn:QCGwv4o0BlLweTV6uuyW |
| MD5: | 0BB7D8A5E92F0E36B8ECF8FE6D8EC231 |
| SHA1: | B2B271FAB543C3C9D94FCB655F0DB2047256F4E3 |
| SHA-256: | F96E2B45F8B28D4708B5977297A772FC6CD40435D7924E90B3607A9B4D03E337 |
| SHA-512: | 8F4AD1530D8FA8CDA49FD25C0302283D7BFB59B262593AAF31823B9943F34BFF1F12976B0DFF168C8CAB278348DBF8B1F24CD6D625850D37C6A8EC82D1569BBB |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\wRhEMj1swo.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 954368 |
| Entropy (8bit): | 6.344965617584001 |
| Encrypted: | false |
| SSDEEP: | 24576:YvtI2D6CEhvugYa3EZfup4jflORg0RBQI:YevLEZ7cRg0RJ |
| MD5: | 8A619EBB79546DD4487F312B9C57934F |
| SHA1: | 6986759E032DB2694D625C85EC5C8B4AD74A689B |
| SHA-256: | 0C274B149400E89EBC0F6335A9181005B4249CABEFA8EC8B47C1D56710B2D3EF |
| SHA-512: | AB29923B35AA1D21813F9D6B012979385F7C4B161FEE51C28A4987768B93297C81E88EAA969B9F491F0A359FD18F3515CC19C694ABD95413A575053C5BA29C7B |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\wRhEMj1swo.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 67646 |
| Entropy (8bit): | 5.7039139970238075 |
| Encrypted: | false |
| SSDEEP: | 1536:vrpcQaRJlr5a3QEC2ADfYVmqpPZf++r7MJsEzlDtr66Evbag:vrpcQaGHVmOhf++razdtYp |
| MD5: | 19CAD721B59B09B208B5A7E2F6387843 |
| SHA1: | 7AB6F085A11E86D5514E182BF0DF1C96723C8901 |
| SHA-256: | F9DFF22EF297227202F34343DA1BA9585F843B3AA0834B1074F273C9D9542252 |
| SHA-512: | E6DB461CB85A7B4C9F44019678E49562B68B820FFF6F0EE82A7533F710858C7AA7DF72FE57E4FE0A6A8291C33AAD819C5DCD7B75F9A55CFF12AF12344A555E81 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.061578692374249 |
| TrID: |
|
| File name: | wRhEMj1swo.exe |
| File size: | 5'660'160 bytes |
| MD5: | d7ae3392a9ce8d10923040dd4c3ef0af |
| SHA1: | 37c5b3cf8831a841c5ed87a4129595c8a721302e |
| SHA256: | dbac017142912cc3bef0a236b80857511776be8119f7abd64253cccd23ebd6e4 |
| SHA512: | 731bee53652b0f6190ff9df76417f7f30193c939f635b023bf58a464ee2428535daf153e937fd591aa94d06999dd3db7fa86c3daf211b65416ab9d0046b1bf8e |
| SSDEEP: | 98304:HdxNmK4FEV5TEZ7ce0Rg52Pw8B4DgXUtJBAUZLn:HtaV0RgYPxoKWJV7 |
| TLSH: | B346BF23F042C0B2D5261AF032B6573CA9759FA11A35C983EBE4FEB5ED33162979510E |
| File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........D.}ID.}ID.}I+.vIM.}I+.wIB.}I?.qIA.}I..nIh.}I.. IF.}I..sIh.}ID.|I..}I&.nI[.}IM..IE.}I..oIN.}Ir.vI..}Ir.wI..}I..vI*.}I..wIt.} |
 | |
| Icon Hash: | 2731d28aae6e218f |
| Entrypoint: | 0x5d7650 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x677CD3FB [Tue Jan 7 07:12:59 2025 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 1841bc7befa66af3a16d317711e55a7e |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| push FFFFFFFFh |
| push 00860868h |
| push 005DA5B4h |
| mov eax, dword ptr fs:[00000000h] |
| push eax |
| mov dword ptr fs:[00000000h], esp |
| sub esp, 58h |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [ebp-18h], esp |
| call dword ptr [006071C8h] |
| xor edx, edx |
| mov dl, ah |
| mov dword ptr [009BC1D4h], edx |
| mov ecx, eax |
| and ecx, 000000FFh |
| mov dword ptr [009BC1D0h], ecx |
| shl ecx, 08h |
| add ecx, edx |
| mov dword ptr [009BC1CCh], ecx |
| shr eax, 10h |
| mov dword ptr [009BC1C8h], eax |
| push 00000001h |
| call 00007FAE94BEF4BBh |
| pop ecx |
| test eax, eax |
| jne 00007FAE94BE957Ah |
| push 0000001Ch |
| call 00007FAE94BE9638h |
| pop ecx |
| call 00007FAE94BEF266h |
| test eax, eax |
| jne 00007FAE94BE957Ah |
| push 00000010h |
| call 00007FAE94BE9627h |
| pop ecx |
| xor esi, esi |
| mov dword ptr [ebp-04h], esi |
| call 00007FAE94BEF094h |
| call dword ptr [006073F0h] |
| mov dword ptr [009C1444h], eax |
| call 00007FAE94BEEF52h |
| mov dword ptr [009BC140h], eax |
| call 00007FAE94BEECFBh |
| call 00007FAE94BEEC3Dh |
| call 00007FAE94BECAEEh |
| mov dword ptr [ebp-30h], esi |
| lea eax, dword ptr [ebp-5Ch] |
| push eax |
| call dword ptr [00607260h] |
| call 00007FAE94BEEBCEh |
| mov dword ptr [ebp-64h], eax |
| test byte ptr [ebp-30h], 00000001h |
| je 00007FAE94BE9578h |
| movzx eax, word ptr [ebp+00h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x532738 | 0x168 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5c2000 | 0x791c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x207000 | 0x80c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x205b5e | 0x205c00 | 50aeeeb9ec9474888a2b10d9199f7d4b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x207000 | 0x32e0c0 | 0x32e200 | 1a465cc638bc8f7704c968afb5dde86d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x536000 | 0x8b44a | 0x2a200 | 0c1683502fdca9c65eabe46d3c312c96 | False | 0.3508844120919881 | data | 5.9722288998144375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x5c2000 | 0x791c | 0x7a00 | b0d5482a2c2286e7ebd7b631f9302e7d | False | 0.44041367827868855 | data | 5.292361705762094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| TEXTINCLUDE | 0x5c2d9c | 0xb | ASCII text, with no line terminators | Chinese | China | 1.7272727272727273 |
| TEXTINCLUDE | 0x5c2da8 | 0x16 | data | Chinese | China | 1.3636363636363635 |
| TEXTINCLUDE | 0x5c2dc0 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China | 0.6201780415430267 |
| WAVE | 0x5c2f14 | 0x1448 | RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz | Chinese | China | 0.8330123266563945 |
| RT_CURSOR | 0x5c435c | 0x134 | data | Chinese | China | 0.5811688311688312 |
| RT_CURSOR | 0x5c4490 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664 |
| RT_CURSOR | 0x5c45c4 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805 |
| RT_CURSOR | 0x5c46f8 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7 |
| RT_CURSOR | 0x5c47ac | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967292, 3840 elements, 2nd "\377\370\017\377\377\374\037\377\377\376?\377\377\377\177\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.32792207792207795 |
| RT_CURSOR | 0x5c48e0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\370\037\377\377\370\037\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.3246753246753247 |
| RT_BITMAP | 0x5c4a14 | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.3598901098901099 |
| RT_BITMAP | 0x5c4b80 | 0x248 | Device independent bitmap graphic, 64 x 15 x 4, image size 480 | Chinese | China | 0.3407534246575342 |
| RT_BITMAP | 0x5c4dc8 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.4444444444444444 |
| RT_BITMAP | 0x5c4f0c | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.26453488372093026 |
| RT_BITMAP | 0x5c5064 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2616279069767442 |
| RT_BITMAP | 0x5c51bc | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2441860465116279 |
| RT_BITMAP | 0x5c5314 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.24709302325581395 |
| RT_BITMAP | 0x5c546c | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2238372093023256 |
| RT_BITMAP | 0x5c55c4 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.19476744186046513 |
| RT_BITMAP | 0x5c571c | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.20930232558139536 |
| RT_BITMAP | 0x5c5874 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.18895348837209303 |
| RT_BITMAP | 0x5c59cc | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | Chinese | China | 0.34615384615384615 |
| RT_BITMAP | 0x5c5fb0 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346 |
| RT_BITMAP | 0x5c6068 | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.28296703296703296 |
| RT_BITMAP | 0x5c61d4 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965 |
| RT_ICON | 0x5c6318 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Chinese | China | 0.26344086021505375 |
| RT_ICON | 0x5c6600 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.41216216216216217 |
| RT_ICON | 0x5c6728 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | 0.5215759849906192 | ||
| RT_MENU | 0x5c77d0 | 0xc | data | Chinese | China | 1.5 |
| RT_MENU | 0x5c77dc | 0x284 | data | Chinese | China | 0.5 |
| RT_DIALOG | 0x5c7a60 | 0x98 | data | Chinese | China | 0.7171052631578947 |
| RT_DIALOG | 0x5c7af8 | 0x17a | data | Chinese | China | 0.5185185185185185 |
| RT_DIALOG | 0x5c7c74 | 0xfa | data | Chinese | China | 0.696 |
| RT_DIALOG | 0x5c7d70 | 0xea | data | Chinese | China | 0.6239316239316239 |
| RT_DIALOG | 0x5c7e5c | 0x8ae | data | Chinese | China | 0.39603960396039606 |
| RT_DIALOG | 0x5c870c | 0xb2 | data | Chinese | China | 0.7359550561797753 |
| RT_DIALOG | 0x5c87c0 | 0xcc | data | Chinese | China | 0.7647058823529411 |
| RT_DIALOG | 0x5c888c | 0xb2 | data | Chinese | China | 0.6629213483146067 |
| RT_DIALOG | 0x5c8940 | 0xe2 | data | Chinese | China | 0.6637168141592921 |
| RT_DIALOG | 0x5c8a24 | 0x18c | data | Chinese | China | 0.5227272727272727 |
| RT_STRING | 0x5c8bb0 | 0x50 | data | Chinese | China | 0.85 |
| RT_STRING | 0x5c8c00 | 0x2c | data | Chinese | China | 0.5909090909090909 |
| RT_STRING | 0x5c8c2c | 0x78 | data | Chinese | China | 0.925 |
| RT_STRING | 0x5c8ca4 | 0x1c4 | data | Chinese | China | 0.8141592920353983 |
| RT_STRING | 0x5c8e68 | 0x12a | data | Chinese | China | 0.5201342281879194 |
| RT_STRING | 0x5c8f94 | 0x146 | data | Chinese | China | 0.6288343558282209 |
| RT_STRING | 0x5c90dc | 0x40 | data | Chinese | China | 0.65625 |
| RT_STRING | 0x5c911c | 0x64 | data | Chinese | China | 0.73 |
| RT_STRING | 0x5c9180 | 0x1d8 | data | Chinese | China | 0.6758474576271186 |
| RT_STRING | 0x5c9358 | 0x114 | data | Chinese | China | 0.6376811594202898 |
| RT_STRING | 0x5c946c | 0x24 | data | Chinese | China | 0.4444444444444444 |
| RT_GROUP_CURSOR | 0x5c9490 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x5c94a4 | 0x14 | data | Chinese | China | 1.4 |
| RT_GROUP_CURSOR | 0x5c94b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25 |
| RT_GROUP_CURSOR | 0x5c94cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25 |
| RT_GROUP_CURSOR | 0x5c94e0 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822 |
| RT_GROUP_ICON | 0x5c9504 | 0x14 | data | 1.2 | ||
| RT_GROUP_ICON | 0x5c9518 | 0x14 | data | Chinese | China | 1.2 |
| RT_GROUP_ICON | 0x5c952c | 0x14 | data | Chinese | China | 1.25 |
| RT_VERSION | 0x5c9540 | 0x20c | data | Chinese | China | 0.5534351145038168 |
| RT_MANIFEST | 0x5c974c | 0x1cd | XML 1.0 document, ASCII text, with very long lines (461), with no line terminators | 0.5878524945770065 |
| DLL | Import |
|---|---|
| MSVFW32.dll | DrawDibDraw |
| AVIFIL32.dll | AVIStreamGetFrame, AVIStreamInfoA |
| iphlpapi.dll | GetAdaptersInfo |
| WINMM.dll | midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, PlaySoundA |
| WS2_32.dll | inet_ntoa, WSAStartup, WSACleanup, select, send, closesocket, WSAAsyncSelect, recvfrom, ioctlsocket, recv, getpeername, accept, ntohl |
| RASAPI32.dll | RasGetConnectStatusA, RasHangUpA |
| KERNEL32.dll | GetVersion, FileTimeToSystemTime, TerminateThread, VirtualAlloc, VirtualFree, CreateMutexA, ReleaseMutex, SuspendThread, InterlockedIncrement, InterlockedDecrement, LocalFree, FileTimeToLocalFileTime, lstrcpynA, DuplicateHandle, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, lstrcmpiA, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GlobalGetAtomNameA, lstrcmpA, LocalAlloc, TlsAlloc, GlobalHandle, TlsFree, TlsSetValue, LocalReAlloc, TlsGetValue, GetFileTime, GetCurrentThread, GlobalFlags, SetErrorMode, GetProcessVersion, GetCPInfo, GetOEMCP, GetStartupInfoA, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, SetLastError, GetSystemDirectoryA, GetWindowsDirectoryA, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, MultiByteToWideChar, WideCharToMultiByte, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, GetTempPathA, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, MoveFileA, DeleteFileA, CopyFileA, CreateDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, SetLocalTime, GetCommandLineA, GetTickCount, WaitForSingleObject, CloseHandle, InterlockedExchange, GetTimeZoneInformation |
| USER32.dll | GetSysColorBrush, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, RegisterWindowMessageA, GetWindowPlacement, EndDialog, CreateDialogIndirectParamA, DestroyWindow, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, CharUpperA, GetWindowTextLengthA, SetWindowTextA, GetForegroundWindow, UnregisterHotKey, RegisterHotKey, CreateWindowExA, CallWindowProcA, GetWindowTextA, GetDlgItem, GetClassNameA, GetDesktopWindow, DrawStateA, FrameRect, GetNextDlgTabItem, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, TrackPopupMenu, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, LoadStringA, CreateIconFromResource, IntersectRect, UnregisterClassA |
| GDI32.dll | CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreatePatternBrush, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, TranslateCharsetInfo, SaveDC, RestoreDC, SetROP2, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, CreateFontIndirectA, ExtSelectClipRgn, GetViewportExtEx, PtVisible, RectVisible, ExtTextOutA, Escape, GetTextMetricsA, SetDIBitsToDevice, SetTextColor, SetBkMode, TextOutA, SetBkColor, CreateRectRgnIndirect, CreateDIBSection, SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, CreateFontA, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, GetPixel, CreateCompatibleDC, GetTextExtentPoint32A, LineTo, SetPolyFillMode, GetDeviceCaps |
| WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA |
| comdlg32.dll | ChooseColorA, ChooseFontA, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA |
| ADVAPI32.dll | RegCreateKeyExA, RegQueryValueA, RegSetValueExA, RegOpenKeyExA, RegCloseKey |
| SHELL32.dll | DragAcceptFiles, DragQueryFileA, ShellExecuteA, Shell_NotifyIconA, SHGetSpecialFolderPathA, DragFinish |
| ole32.dll | CLSIDFromProgID, OleInitialize, CLSIDFromString, CoCreateInstance, OleRun, OleUninitialize |
| OLEAUT32.dll | VariantChangeType, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetElement, VariantCopyInd, VariantClear, SysAllocString, SafeArrayDestroy, SafeArrayCreate, SafeArrayPutElement, RegisterTypeLib, LHashValOfNameSys, LoadTypeLib, UnRegisterTypeLib, VariantInit |
| COMCTL32.dll | ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_Destroy, ImageList_Create, ImageList_BeginDrag, ImageList_DragShowNolock, _TrackMouseEvent, ImageList_SetBkColor, ImageList_GetImageCount, ImageList_EndDrag, ImageList_Read, ImageList_Duplicate, ImageList_Add |
| WININET.dll | InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetCanonicalizeUrlA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Chinese | China |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T09:46:58.963117+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49704 | 103.235.47.188 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 8, 2025 09:46:57.714818954 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:57.714865923 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:57.714931011 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:57.716160059 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:57.716173887 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:58.962982893 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:58.963116884 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:58.963150978 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:58.964112043 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:58.973225117 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:58.973242044 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:58.973474979 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:59.023049116 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:59.067336082 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:59.348737001 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:59.348799944 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:59.348931074 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:59.350016117 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:59.350063086 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Jan 8, 2025 09:46:59.350106955 CET | 49704 | 443 | 192.168.2.5 | 103.235.47.188 |
| Jan 8, 2025 09:46:59.350121975 CET | 443 | 49704 | 103.235.47.188 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 8, 2025 09:46:57.703538895 CET | 52230 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 8, 2025 09:46:57.710165977 CET | 53 | 52230 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 8, 2025 09:46:57.703538895 CET | 192.168.2.5 | 1.1.1.1 | 0x1723 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 8, 2025 09:46:57.710165977 CET | 1.1.1.1 | 192.168.2.5 | 0x1723 | No error (0) | www.a.shifen.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 8, 2025 09:46:57.710165977 CET | 1.1.1.1 | 192.168.2.5 | 0x1723 | No error (0) | www.wshifen.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 8, 2025 09:46:57.710165977 CET | 1.1.1.1 | 192.168.2.5 | 0x1723 | No error (0) | 103.235.47.188 | A (IP address) | IN (0x0001) | false | ||
| Jan 8, 2025 09:46:57.710165977 CET | 1.1.1.1 | 192.168.2.5 | 0x1723 | No error (0) | 103.235.46.96 | A (IP address) | IN (0x0001) | false |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49704 | 103.235.47.188 | 443 | 6480 | C:\Users\user\Desktop\wRhEMj1swo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-08 08:46:59 UTC | 271 | OUT | |
| 2025-01-08 08:46:59 UTC | 327 | IN |
| Target ID: | 0 |
| Start time: | 03:46:57 |
| Start date: | 08/01/2025 |
| Path: | C:\Users\user\Desktop\wRhEMj1swo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 5'660'160 bytes |
| MD5 hash: | D7AE3392A9CE8D10923040DD4C3EF0AF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 3.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0.5% |
| Total number of Nodes: | 191 |
| Total number of Limit Nodes: | 16 |
Graph
Function 00401BFE Relevance: .5, Instructions: 534COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004119E8 Relevance: .2, Instructions: 224COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005FF6A1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005DD5F4 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005FA81A Relevance: 3.0, APIs: 2, Instructions: 27threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005D9E16 Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005D8F95 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005D8E6E Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005FB616 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004175E6 Relevance: 22.2, Strings: 17, Instructions: 951COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005E4C20 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044086C Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004222F3 Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00421EEC Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043E797 Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004706E8 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0047FB4C Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004200FF Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005E0BB4 Relevance: 13.7, APIs: 9, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005DD68A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005E434A Relevance: 9.1, APIs: 6, Instructions: 117COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005FF810 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00600366 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005DD1F5 Relevance: 7.6, APIs: 5, Instructions: 150COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005DD418 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005E19CC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005D7650 Relevance: 6.1, APIs: 4, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005E152A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0060077F Relevance: 5.0, APIs: 4, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 005DFC8B Relevance: 5.0, APIs: 4, Instructions: 12COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|