
Windows Analysis Report
SIHClient.exe

Overview

General Information

Sample Name:SIHClient.exe
Analysis ID:601286
MD5:8aee6ed82e9c28de53abf8c95767d49a
SHA1:8df79adeeefe41c118fc518fc33719a953207d77
SHA256:d970ddc3faf1d1d4bdd194210aaa952e4ee4b33fa242c6569e5e415122e8b430

Detection

Score:5
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Detected potential crypto function
Found potential string decryption / allocating functions
Uses Microsoft's Enhanced Cryptographic Provider
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers

Classification

  • System is w10x64
  • SIHClient.exe (PID: 5084 cmdline: "C:\Users\user\Desktop\SIHClient.exe" -install MD5: 8AEE6ED82E9C28DE53ABF8C95767D49A)
  • SIHClient.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\SIHClient.exe" /install MD5: 8AEE6ED82E9C28DE53ABF8C95767D49A)
  • SIHClient.exe (PID: 1100 cmdline: "C:\Users\user\Desktop\SIHClient.exe" /load MD5: 8AEE6ED82E9C28DE53ABF8C95767D49A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched


Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619586C6C GetLastError,ReadFile,CryptHashData,CryptHashData,GetLastError,GetLastError,GetLastError,CloseHandle,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619586EAC CryptDestroyHash,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,CryptDestroyHash,CryptCreateHash,CryptReleaseContext,CryptAcquireContextW,CryptDestroyHash,CryptCreateHash,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,GetLastError,GetLastError,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619584634 CryptHashPublicKeyInfo,GetLastError,GetLastError,memcmp,CompareStringA,CertGetEnhancedKeyUsage,CertGetEnhancedKeyUsage,CompareStringA,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195877A4 CryptReleaseContext,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195877D4 CryptDestroyHash,
Source: SIHClient.exe | Static PE information: certificate valid
Source: SIHClient.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary | string: SIHClient.pdbGCTL source: SIHClient.exe
Source: Binary | string: SIHClient.pdb source: SIHClient.exe
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61955E830 FindFirstFileW,GetLastError,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195532A0
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61955EA38
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619587254
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619585198
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619567A18
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61957D220
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619554A34
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619584210
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195824A0
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61958348C
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61956A46C
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619553C6C
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619588528
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619559CD8
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195854C0
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61957F41C
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61958042C
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61956FBDC
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195693F0
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619581BBC
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619586EAC
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619569E78
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61956BE8C
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619554734
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61957DED8
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619585E1C
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619583E24
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619584634
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619570844
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61957F850
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195540F8
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61955D8F8
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61957B0DC
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195860D8
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195760C0
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619586778
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61957D794
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195857C8
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619552FD4
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: String function: 00007FF619558438 appears 31 times
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: String function: 00007FF619561D18 appears 42 times
Source: C:\Users\user\Desktop\SIHClient.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SIHClient.exe "C:\Users\user\Desktop\SIHClient.exe" -install
Source: unknown | Process created: C:\Users\user\Desktop\SIHClient.exe "C:\Users\user\Desktop\SIHClient.exe" /install
Source: unknown | Process created: C:\Users\user\Desktop\SIHClient.exe "C:\Users\user\Desktop\SIHClient.exe" /load
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61955A888 FindResourceW,LoadResource,GetLastError,
Source: SIHClient.exe | String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0.dll
Source: SIHClient.exe | String found in binary or memory: DnsRemoveNrptRuleUEtwTraceMessageVaapi-ms-win-core-registry-l1-1-0.dllapi-ms-win-core-processenvironment-l1-1-0.dllapi-ms-win-core-sysinfo-l1-2-0.dllOLEAUT32.dllapi-ms-win-stateseparation-helpers-l1-1-0.dllapi-ms-win-core-timezone-l1-1-0.dllapi-ms-win-security-base-l1-1-0.dllapi-ms-win-security-sddl-l1-1-0.dllapi-ms-win-core-heap-l2-1-0.dllapi-ms-win-core-file-l1-1-0.dllapi-ms-win-core-version-l1-1-0.dllapi-ms-win-core-libraryloader-l1-2-1.dllapi-ms-win-core-kernel32-legacy-l1-1-0.dllapi-ms-win-core-synch-l1-1-0.dllapi-ms-win-core-localization-l1-2-0.dllapi-ms-win-core-handle-l1-1-0.dllapi-ms-win-core-file-l2-1-0.dllapi-ms-win-core-shlwapi-legacy-l1-1-0.dllapi-ms-win-shell-shdirectory-l1-1-0.dllapi-ms-win-eventing-controller-l1-1-0.dllapi-ms-win-core-file-l1-2-1.dllapi-ms-win-eventing-consumer-l1-1-0.dllapi-ms-win-core-shlwapi-obsolete-l1-1-0.dllapi-ms-win-core-namespace-l1-1-0.dllWINHTTP.dllWS2_32.dllDNSAPI.dlll
Source: classification engine | Classification label: clean5.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619588528 CoCreateInstance,#6,CoTaskMemFree,#2,#6,#6,#8,#2,#9,#6,#6,#8,#6,#2,#6,#2,#9,#6,#6,#6,#6,#6,#6,#6,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195622BC GetDiskFreeSpaceW,GetLastError,
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: SIHClient.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: SIHClient.exe | Static PE information: certificate valid
Source: SIHClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SIHClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SIHClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SIHClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SIHClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SIHClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SIHClient.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: SIHClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary | string: SIHClient.pdbGCTL source: SIHClient.exe
Source: Binary | string: SIHClient.pdb source: SIHClient.exe
Source: SIHClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SIHClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SIHClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SIHClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SIHClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: SIHClient.exe | Static PE information: section name: .wpp_sf
Source: SIHClient.exe | Static PE information: section name: .didat
Source: SIHClient.exe | Static PE information: 0x6FF0BBED [Fri Jul 6 15:55:25 2029 UTC]
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61958042C GetSystemTimeAsFileTime followed by cmp: cmp r13d, 02h and CTI: jne 00007FF619580D31h
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195760C0 rdtsc
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61955E830 FindFirstFileW,GetLastError,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61955C178 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61955AA74 GetProcessHeap,HeapAlloc,HeapReAlloc,
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF6195760C0 rdtsc
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619589720 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619589E30 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619589FE8 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619568F68 IsValidSid,GetLengthSid,InitializeAcl,AddAccessAllowedAceEx,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,LocalFree,_CxxThrowException,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF61955F6F4 AllocateAndInitializeSid,GetLastError,FreeSid,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: _o_wcstoul,memset,GetLocaleInfoW,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619581798 memset,GetVersionExW,GetLastError,memset,
Source: C:\Users\user\Desktop\SIHClient.exe | Code function: 1_2_00007FF619562204 GetLocalTime,
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count shown in the matrix cell)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: 1 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Timestomp; 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 11 System Time Discovery; 3 Security Software Discovery; 1 File and Directory Discovery; 14 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: 2 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph (ID: 601286, Sample: SIHClient.exe, Startdate: 01/04/2022, Architecture: WINDOWS, Score: 5): three SIHClient.exe processes started from the initial process.

Source | Detection | Scanner
SIHClient.exe | 0% | Virustotal
SIHClient.exe | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:601286
Start date and time:2022-04-01 07:44:50 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 15s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:SIHClient.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Cmdline fuzzy
Number of new started processes analysed:19
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean5.winEXE@3/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 55.2%)
  • Quality average: 34.1%
  • Quality standard deviation: 36%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
  • Execution Graph export aborted for target SIHClient.exe, PID 5084 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):6.291367203090324
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SIHClient.exe
File size:363728
MD5:8aee6ed82e9c28de53abf8c95767d49a
SHA1:8df79adeeefe41c118fc518fc33719a953207d77
SHA256:d970ddc3faf1d1d4bdd194210aaa952e4ee4b33fa242c6569e5e415122e8b430
SHA512:55abdc4b0908413cd6aeeea6fef677e0b6c9f53868b992bb9d555ac997ff10ae3319a6fe769b6a514d6ccbdfeee0b287dc42cc7ae946aebe20b77bbd2b58fb18
SSDEEP:6144:bEz/gXy/yq1bPid3Qk6Sa+0ej9bv9gOlS4OeAWjDpMSEXK+00teFkTMjFr:bEDKy0CtlG1veOUZQ2a+58WTYr
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:...~.y.~.y.~.y.w.....y.j.}.l.y.j.z.}.y.~.x...y.j.x.}.y.j.q...y.j.|.[.y.j.....y.j.....y.j.{...y.Rich~.y........................
Icon Hash:00828e8e8686b000
Entrypoint:0x1400395d0
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0x6FF0BBED [Fri Jul 6 15:55:25 2029 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:8a9daf162bb80653251f03ba60c68346
Signature Valid:true
Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • Not Before: 4/29/2021 12:15:49 PM, Not After: 4/28/2022 12:15:49 PM
Subject Chain
  • CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:02268E6FDDE7F2D06838DFDB7B75889B
Thumbprint SHA-1:7B2177E03D07812A5A5842565A647DB565F77BB8
Thumbprint SHA-256:9BBDE7210C366F12F75022F81F39BFB13547B2A32BEB7B0E6959DB964AD2E84E
Serial:33000002F49E469C54137B85E00000000002F4
Instruction
dec eax
sub esp, 28h
call 00007FADE8AB470Ch
dec eax
add esp, 28h
jmp 00007FADE8AB3E73h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [0001C439h]
jne 00007FADE8AB4025h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FADE8AB4015h
ret
dec eax
ror ecx, 10h
jmp 00007FADE8AB4184h
int3
int3
int3
int3
int3
int3
int3
jmp 00007FADE8AB4ABCh
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 38h
dec eax
mov dword ptr [esp+20h], FFFFFFFEh
call 00007FADE8AB40ABh
nop
jmp 00007FADE8AB4014h
xor eax, eax
dec eax
add esp, 38h
ret
int3
int3
int3
int3
int3
int3
int3
int3
dec esp
mov dword ptr [esp+18h], eax
dec esp
mov dword ptr [esp+20h], ecx
push ebx
push ebp
push esi
push edi
dec eax
sub esp, 38h
dec ecx
mov esi, eax
dec eax
lea ebp, dword ptr [esp+78h]
dec eax
mov ebx, edx
dec eax
mov edi, ecx
call 00007FADE8AB3C64h
dec eax
mov dword ptr [esp+28h], ebp
dec esp
mov ecx, esi
dec eax
and dword ptr [esp+20h], 00000000h
dec esp
mov eax, ebx
dec eax
mov edx, edi
dec eax
mov ecx, dword ptr [eax]
call 00007FADE8AB4E12h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x51340 | 0x474 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5b000 | 0x500 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x57000 | 0x231c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x55a00 | 0x32d0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5c000 | 0x298 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4a930 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3f8b0 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3f9c8 | 0xb00 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x510a8 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3c379 | 0x3c400 | False | 0.501604642116 | data | 6.3091707051 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.wpp_sf | 0x3e000 | 0x86 | 0x200 | False | 0.255859375 | data | 1.95295120882 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x3f000 | 0x151ae | 0x15200 | False | 0.357572115385 | data | 4.85475408256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x55000 | 0x1618 | 0xe00 | False | 0.313616071429 | data | 3.71460427153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x57000 | 0x231c | 0x2400 | False | 0.518988715278 | data | 5.50748530651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x5a000 | 0x78 | 0x200 | False | 0.1015625 | data | 0.791454022548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x5b000 | 0x500 | 0x600 | False | 0.384114583333 | data | 2.91484619843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5c000 | 0x298 | 0x400 | False | 0.458984375 | data | 4.06111320428 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
MUI | 0x5b438 | 0xc8 | data | English | United States
RT_VERSION | 0x5b0b0 | 0x388 | data | English | United States
DLL | Import
msvcp_win.dll | ?_Xinvalid_argument@std@@YAXPEBD@Z, ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z, ?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Xbad_function_call@std@@YAXXZ, ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z, ?id@?$codecvt@GDU_Mbstatet@@@std@@2V0locale@2@A, ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z, ??1?$codecvt@GDU_Mbstatet@@@std@@MEAA@XZ, ??0?$codecvt@GDU_Mbstatet@@@std@@QEAA@_K@Z, ?_Incref@facet@locale@std@@UEAAXXZ, ?out@?$codecvt@GDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBG1AEAPEBGPEAD3AEAPEAD@Z, ??Bid@locale@std@@QEAA_KXZ, ?_Xlength_error@std@@YAXPEBD@Z
api-ms-win-crt-runtime-l1-1-0.dll | _c_exit, _initterm_e, _initterm, _register_thread_local_exe_atexit_callback
api-ms-win-crt-private-l1-1-0.dll | _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_errno, _o__set_fmode, _o__set_new_mode, memmove, _o__wsplitpath_s, _o__wtoi, _o__wtoi64, _o__wtol, _o_exit, _o_free, _o_iswalnum, _o_iswalpha, _o_malloc, _o_qsort, _o_rand, _o_srand, _o_strncpy_s, _o_strtol, _o_terminate, _o_towlower, _o_wcscpy_s, _o_wcstoul, __C_specific_handler, __CxxFrameHandler3, _o__get_initial_wide_environment, _CxxThrowException, wcsrchr, _o__exit, _o__invalid_parameter_noinfo_noreturn, _o__errno, _o__invalid_parameter_noinfo, _o__initialize_wide_environment, _o__initialize_onexit_table, _o__crt_atexit, _o__configure_wide_argv, _o__configthreadlocale, _o__cexit, _o__callnewh, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf_s, _o___stdio_common_vsnprintf_s, _o___std_exception_destroy, _o___std_exception_copy, _o___p__commode, _o___p___wargv, _o___p___argc, strchr, __std_terminate, __CxxFrameHandler4, memcmp, wcsstr, memcpy
api-ms-win-crt-string-l1-1-0.dll | memset
RPCRT4.dll | RpcStringFreeA, UuidCreate, UuidToStringA, UuidFromStringW
api-ms-win-core-com-l1-1-0.dll | StringFromGUID2, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoCreateGuid, CoInitializeEx, IIDFromString, CoTaskMemFree
ntdll.dll | RtlGetDeviceFamilyInfoEnum, EtwTraceMessageVa, RtlIsStateSeparationEnabled
api-ms-win-core-processthreads-l1-1-3.dll | GetProcessInformation
api-ms-win-core-processthreads-l1-1-0.dll | GetCurrentThreadId, TerminateProcess, GetCurrentProcess, GetCurrentProcessId
api-ms-win-core-synch-l1-2-0.dll | Sleep
api-ms-win-eventing-provider-l1-1-0.dll | EventRegister, EventUnregister, EventSetInformation, EventWriteTransfer
api-ms-win-core-debug-l1-1-0.dll | DebugBreak, IsDebuggerPresent, OutputDebugStringW
api-ms-win-core-errorhandling-l1-1-0.dll | SetUnhandledExceptionFilter, GetLastError, SetLastError, UnhandledExceptionFilter
api-ms-win-core-string-l1-1-0.dll | WideCharToMultiByte, MultiByteToWideChar, CompareStringW
api-ms-win-core-rtlsupport-l1-1-0.dll | RtlVirtualUnwind, RtlCaptureContext, RtlLookupFunctionEntry
api-ms-win-core-processthreads-l1-1-1.dll | IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll | GetLocalTime, GetSystemDirectoryW, GetSystemTimeAsFileTime, GetSystemTime, GetTickCount64, GetSystemWindowsDirectoryW, GetVersionExW
api-ms-win-core-interlocked-l1-1-0.dll | InitializeSListHead
api-ms-win-core-libraryloader-l1-2-0.dll | GetModuleHandleW, FreeLibrary, GetModuleHandleExW, GetProcAddress, GetModuleFileNameA, LoadResource
api-ms-win-core-heap-l1-1-0.dll | HeapFree, HeapAlloc, GetProcessHeap, HeapReAlloc
api-ms-win-core-memory-l1-1-0.dll | UnmapViewOfFile, CreateFileMappingW, MapViewOfFileEx, MapViewOfFile
api-ms-win-core-registry-l1-1-0.dll | RegDeleteValueW, RegQueryValueExW, RegEnumValueW, RegQueryInfoKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey, RegOpenKeyExW
api-ms-win-core-processenvironment-l1-1-0.dll | ExpandEnvironmentStringsW
api-ms-win-core-sysinfo-l1-2-0.dll | GetNativeSystemInfo, GetProductInfo
OLEAUT32.dll | SysStringLen, VariantInit, SysFreeString, SysAllocStringLen, SysAllocString, VariantClear
api-ms-win-stateseparation-helpers-l1-1-0.dll | GetPersistedRegistryLocationW
api-ms-win-core-timezone-l1-1-0.dll | FileTimeToSystemTime, SystemTimeToFileTime
api-ms-win-security-base-l1-1-0.dll | CopySid, SetSecurityDescriptorDacl, CheckTokenMembership, DuplicateTokenEx, FreeSid, AllocateAndInitializeSid, RevertToSelf, InitializeSecurityDescriptor, ImpersonateLoggedOnUser, CreateWellKnownSid, IsValidSid, GetTokenInformation, InitializeAcl, GetLengthSid, AddAccessAllowedAceEx
api-ms-win-security-sddl-l1-1-0.dll | ConvertSidToStringSidW, ConvertStringSidToSidW
api-ms-win-core-heap-l2-1-0.dll | LocalAlloc, LocalFree
api-ms-win-core-file-l1-1-0.dll | GetFileTime, CreateDirectoryW, FindNextFileW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetFileAttributesW, DeleteFileW, FindClose, GetDriveTypeW, GetFileType, SetFileTime, GetFinalPathNameByHandleW, GetFileSize, GetFileInformationByHandle, SetFileAttributesW, LocalFileTimeToFileTime, GetVolumePathNameW, ReadFile, SetFilePointer, SetFileInformationByHandle, WriteFile, CompareFileTime, GetFileSizeEx, CreateFileW, GetVolumeInformationW, FindFirstFileW, GetFileAttributesExW, GetTempFileNameW
api-ms-win-core-version-l1-1-0.dll | GetFileVersionInfoExW, GetFileVersionInfoSizeExW, VerQueryValueW
api-ms-win-core-libraryloader-l1-2-1.dll | LoadLibraryW, FindResourceW
api-ms-win-core-kernel32-legacy-l1-1-0.dll | DosDateTimeToFileTime
api-ms-win-core-synch-l1-1-0.dll | WaitForSingleObjectEx, CreateMutexW, ReleaseMutex, CreateSemaphoreExW, LeaveCriticalSection, CreateMutexExW, WaitForSingleObject, EnterCriticalSection, ReleaseSemaphore, DeleteCriticalSection, OpenMutexW, InitializeCriticalSection, OpenSemaphoreW
api-ms-win-core-localization-l1-2-0.dll | GetLocaleInfoW, FormatMessageW
api-ms-win-core-handle-l1-1-0.dll | CloseHandle
api-ms-win-core-file-l2-1-0.dll | MoveFileExW
api-ms-win-core-shlwapi-legacy-l1-1-0.dll | PathIsUNCW, PathStripToRootW, PathIsRelativeW, PathIsRootW
api-ms-win-shell-shdirectory-l1-1-0.dll |
api-ms-win-eventing-controller-l1-1-0.dll | ControlTraceW, StartTraceW, EnableTraceEx2
api-ms-win-core-file-l1-2-1.dll | GetCompressedFileSizeW
api-ms-win-eventing-consumer-l1-1-0.dll | CloseTrace
api-ms-win-core-shlwapi-obsolete-l1-1-0.dll | StrChrW, StrRChrW
api-ms-win-core-namespace-l1-1-0.dll | CreateBoundaryDescriptorW, OpenPrivateNamespaceW, CreatePrivateNamespaceW, AddSIDToBoundaryDescriptor, DeleteBoundaryDescriptor, ClosePrivateNamespace
WINHTTP.dll | WinHttpConnect, WinHttpReadData, WinHttpAddRequestHeaders, WinHttpQueryAuthSchemes, WinHttpOpenRequest, WinHttpOpen, WinHttpSetOption, WinHttpQueryOption, WinHttpReceiveResponse, WinHttpSetTimeouts, WinHttpQueryHeaders, WinHttpCrackUrl, WinHttpCloseHandle, WinHttpSetStatusCallback, WinHttpSendRequest
WS2_32.dll | inet_addr, getnameinfo
DNSAPI.dll | DnsSetNrptRules, DnsRemoveNrptRule, DnsFreeNrptRuleNamesList, DnsGetNrptRuleNamesList, DnsQuery_W, DnsFree, DnsFreeNrptRule
api-ms-win-core-apiquery-l1-1-0.dll | ApiSetQueryApiSetPresence
Cabinet.dll |
api-ms-win-core-localization-obsolete-l1-2-0.dll | CompareStringA, EnumUILanguagesW
CRYPT32.dll | CertGetCertificateChain, CertFreeCertificateChain, CryptHashPublicKeyInfo, CertFindCertificateInStore, CertOpenStore, CertVerifyCertificateChainPolicy, CertCloseStore, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertControlStore, CertFreeCertificateContext
api-ms-win-security-cryptoapi-l1-1-0.dll | CryptAcquireContextW, CryptDestroyHash, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData
api-ms-win-core-delayload-l1-1-1.dll | ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll | DelayLoadFailureHook
Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | SIH Client
FileVersion | 10.0.19041.1503 (WinBuild.160101.0800)
CompanyName | Microsoft Corporation
ProductName | Microsoft Windows Operating System
ProductVersion | 10.0.19041.1503
FileDescription | SIH Client
OriginalFilename | sihclient.exe
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken
English | United States
No network behavior found
Target ID:1
Start time:09:45:57
Start date:01/04/2022
Path:C:\Users\user\Desktop\SIHClient.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SIHClient.exe" -install
Imagebase:0x7ff619550000
File size:363728 bytes
MD5 hash:8AEE6ED82E9C28DE53ABF8C95767D49A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Target ID:4
Start time:09:46:00
Start date:01/04/2022
Path:C:\Users\user\Desktop\SIHClient.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SIHClient.exe" /install
Imagebase:0x7ff619550000
File size:363728 bytes
MD5 hash:8AEE6ED82E9C28DE53ABF8C95767D49A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Target ID:6
Start time:09:46:03
Start date:01/04/2022
Path:C:\Users\user\Desktop\SIHClient.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SIHClient.exe" /load
Imagebase:0x7ff619550000
File size:363728 bytes
MD5 hash:8AEE6ED82E9C28DE53ABF8C95767D49A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

No disassembly