Windows
Analysis Report
PR.exe
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- PR.exe (PID: 6128 cmdline: C:\Users\user\Desktop\PR.exe MD5: 4D32FA0EE0E0BF3E02F9C951B62F10D1)
- cleanup
AV Detection |
---|
Hooking and other Techniques for Hiding and Protection |
---|
Anti Debugging |
---|
HIPS / PFW / Operating System Protection Evasion |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 3 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 11 Virtualization/Sandbox Evasion | 1 Credential API Hooking | 2 System Time Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | 14 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Obfuscated Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Software Packing | NTDS | 12 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 14 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Detection | Scanner | Label |
---|---|---|
46% | ReversingLabs | Win32.PUA.ExpressDownloader |
44% | Virustotal | |
24% | Metadefender | |
100% | Joe Sandbox ML | |
Detection | Scanner | Label |
---|---|---|
2% | ReversingLabs | |
1% | Virustotal | |
5% | Metadefender | |
Detection | Scanner | Label |
---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen |
Detection | Scanner | Label |
---|---|---|
1% | Virustotal | |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 723837 |
Start date and time: | 2022-10-15 19:00:33 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | PR.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal64.evad.winEXE@1/1@0/0 |
EGA Information: | |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
Process: | C:\Users\user\Desktop\PR.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 936960 |
Entropy (8bit): | 7.924513528423757 |
Encrypted: | false |
SSDEEP: | 12288:b3nqQ3krBXVXoxwXjND3iZ8baxfSelRmMimfwoCFSkylHu8DL6y47KYuLB3KikSQ:bM91XjQikAmf/T1Huc747KhgtSTEyY |
MD5: | A55B82103A202C20717F45C201EC4553 |
SHA1: | C6607F6201793A20131281F3C5F612F38AE024D5 |
SHA-256: | C7EAAE39F8DAF00F43FEE614EF0FC4A4797252C409AF1A5E36AF439E7165FC05 |
SHA-512: | 993891C388570612D1A6834489FCB80A32AB23A3E59859C0BFD9B60903CE240ACE1058E0F062F3C8A415505F85EF28D29D1C6DF7477E30A2BBB2D7F66F455F65 |
Malicious: | false |
Antivirus: | |
Reputation: | low |
File type: | |
Entropy (8bit): | 7.885963019060166 |
TrID: | |
File name: | PR.exe |
File size: | 4721272 |
MD5: | 4d32fa0ee0e0bf3e02f9c951b62f10d1 |
SHA1: | 55924e7ed2192b0d6cadfa327bf9271833a18f53 |
SHA256: | 31c5cfa7a0f0a0632b3c4b9edec97c1644d992fc6b16a7e772d09ad8f73c3c70 |
SHA512: | 274ef06aee2958556af786613568378f2567a77521b3367cec58567132f362f05a0cde474fc769983e3be9b1a36ffa0889f1fc6582d07abdde696fb15296db2a |
SSDEEP: | 98304:fY9Aw2AWi+v+iPP2sq3pfe+amFFMj1INPtm:97vvP2sq31eDmy1gPQ |
TLSH: | 6C2623927275C032C0430E7DE861C0FDAD78AC54EB7088C776D83E6B76F26956A3A356 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(.r.l...l...l.......m...w...Y.......o...e...o...e...}...l.......w...y...w.......w...c...w...m...w...m...Richl.................. |
Icon Hash: | 2d0c2f8b0e0d1307 |
Entrypoint: | 0x84554f |
Entrypoint Section: | .p1 |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4EF9E421 [Tue Dec 27 15:28:33 2011 UTC] |
TLS Callbacks: | 0x83b609 |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 8a72f9325ccba2e6d83699ae4ce47f63 |
Signature Valid: | true |
Signature Issuer: | CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Version: | 3 |
Thumbprint MD5: | 65650DB9F1757E4030C150B4C95BCE6D |
Thumbprint SHA-1: | D76FF3FA2EB22BF49CB793A7BCB814CC54ADDB16 |
Thumbprint SHA-256: | 3201389CCD8D95CB2C9CAFF84FB21957393031D240BEF84023ED4220B5264522 |
Serial: | 00DD2A4BBB66262A8FB4E084560573E908 |
Instruction |
---|
push A03511A6h |
pushfd |
push dword ptr [esp+04h] |
mov byte ptr [esp], al |
mov dword ptr [esp+08h], 12043840h |
jmp 00007F5A50DF77C9h |
add byte ptr [eax], al |
inc esp |
jne 00007F5A50DFB7D2h |
insb |
imul esp, dword ptr [ebx+61h], 6F546574h |
imul esp, dword ptr [ebp+6Eh], 45h |
js 00007F5A50DFB762h |
cmc |
jmp 00007F5A50DF6856h |
clc |
push dword ptr [edi] |
pop dword ptr [esp+0Ch] |
cmp dl, FFFFFFD9h |
clc |
cmp edi, ebx |
mov byte ptr [esp+08h], 00000074h |
pushad |
mov byte ptr [esp], FFFFFFB7h |
pushfd |
lea esp, dword ptr [esp+30h] |
ja 00007F5A50DF334Ch |
clc |
call 00007F5A50DFC12Eh |
inc esi |
pushad |
inc edi |
mov byte ptr [esp+08h], cl |
lea esp, dword ptr [esp+24h] |
jmp 00007F5A50DF7FDDh |
add byte ptr [eax], al |
push ebp |
outsb |
push 6C646E61h |
inc ebp |
js 00007F5A50DFB7C5h |
jo 00007F5A50DFB7D7h |
imul ebp, dword ptr [edi+6Eh], 746C6946h |
jc 00007F5A50DFB763h |
mov dword ptr [esp+24h], 0083A459h |
push 5B4C937Bh |
push edi |
jmp 00007F5A50DF0778h |
out dx, eax |
jno 00007F5A50DFB7DDh |
add dword ptr [ecx], edi |
push ds |
mov ds, word ptr [eax] |
xchg esp, eax |
cmp dl, byte ptr [ebx+ebp*8-0D0B5DD0h] |
test byte ptr [edx], dl |
xchg eax, esp |
xlatb |
fsubr qword ptr [esi+08h] |
aas |
push esp |
mov ebx, BEB87608h |
pushad |
scasb |
nop |
fcom dword ptr [edi-59F54D6Eh] |
or ebp, dword ptr [ebp-51h] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x437922 | 0xc50 | .p0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43b4ac | 0x104 | .p1 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44a000 | 0x3b6c1 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x47f000 | 0x1a78 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x43cc68 | 0x20 | .p1 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x43ddd4 | 0x420 | .p1 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x11c2b | 0x11e00 | False | 0.5970962631118881 | data | 6.598860248501709 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x13000 | 0x77c0 | 0x7800 | False | 0.5557942708333333 | data | 6.160344874513789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1b000 | 0x3084 | 0x1200 | False | 0.2133246527777778 | data | 2.5802933454414196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.p0 | 0x1f000 | 0x419572 | 0x419600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x439000 | 0x18 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.p1 | 0x43a000 | 0xf2c8 | 0xf400 | False | 0.8702612704918032 | data | 7.632325075524795 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x44a000 | 0x3b6c1 | 0x3b800 | False | 0.0679695706407563 | data | 2.5785919717396517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x44a548 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | ||
RT_ICON | 0x44a9b0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | ||
RT_ICON | 0x44b338 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | ||
RT_ICON | 0x44c3e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | ||
RT_ICON | 0x44e988 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | ||
RT_ICON | 0x452bb0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | ||
RT_ICON | 0x4633d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | ||
RT_ICON | 0x463840 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | ||
RT_ICON | 0x4641c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | ||
RT_ICON | 0x465270 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | ||
RT_ICON | 0x467818 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | ||
RT_ICON | 0x46ba40 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | ||
RT_GROUP_ICON | 0x47c268 | 0x5a | data | ||
RT_GROUP_ICON | 0x47c2c4 | 0x5a | data | ||
RT_VERSION | 0x47c320 | 0x378 | data | ||
RT_HTML | 0x47c698 | 0xa8a | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | ||
RT_HTML | 0x47d124 | 0x377c | HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (1102), with CRLF line terminators | ||
RT_HTML | 0x4808a0 | 0x34bf | HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (1102), with CRLF line terminators | ||
RT_HTML | 0x483d60 | 0x967 | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | ||
RT_HTML | 0x4846c8 | 0x767 | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | ||
RT_HTML | 0x484e30 | 0x64b | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | ||
RT_MANIFEST | 0x48547c | 0x245 | ASCII text, with very long lines (364), with CRLF line terminators | English | United States |
DLL | Import |
---|---|
RPCRT4.dll | UuidToStringW, RpcStringFreeW |
SHLWAPI.dll | SHSetValueW, PathFindFileNameW, SHGetValueA, SHSetValueA, SHGetValueW, SHDeleteValueW, SHDeleteKeyW, StrCmpIW, PathRemoveExtensionW |
USER32.dll | CreateWindowExW, GetMessageW, DispatchMessageW, GetWindowRect, PostQuitMessage, DefWindowProcW, ShowWindow, MessageBoxW, GetWindowThreadProcessId, GetShellWindow, LoadIconW, RegisterClassExW, LoadCursorW, GetSystemMetrics, TranslateMessage |
KERNEL32.dll | GetStringTypeW, GetConsoleMode, GetConsoleCP, QueryPerformanceCounter, HeapCreate, GetFileType, InitializeCriticalSectionAndSpinCount, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, GetStdHandle, IsProcessorFeaturePresent, ExitProcess, HeapSize, Sleep, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, FindFirstFileW, SetFilePointer, VirtualQuery, VirtualFree, WriteFile, OpenProcess, WideCharToMultiByte, TerminateProcess, ReadFile, CreateFileW, MultiByteToWideChar, GetLastError, FindClose, Process32FirstW, RemoveDirectoryW, Process32NextW, FindNextFileW, CreateToolhelp32Snapshot, CloseHandle, DeleteFileW, GetCurrentProcessId, CreateProcessW, HeapAlloc, HeapFree, GetProcessHeap, SetLastError, GetProcAddress, GetModuleHandleA, FindResourceA, FreeResource, LoadResource, LoadLibraryW, SizeofResource, GetTempPathW, LockResource, CreateMutexW, CreateDirectoryW, CopyFileW, GetModuleFileNameW, FindResourceW, GetVersionExW, InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, GetTickCount, MapViewOfFile, SetEvent, SetEnvironmentVariableA, OpenFileMappingA, MoveFileExW, GetModuleHandleW, GetCurrentThreadId, RtlUnwind, HeapReAlloc, SetStdHandle, WriteConsoleW, FlushFileBuffers, CompareStringW, VirtualAlloc, OpenEventA, TlsAlloc, IsValidCodePage, GetOEMCP, GetACP, InterlockedDecrement, InterlockedIncrement, GetCPInfo, GetTimeZoneInformation, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetStartupInfoW, HeapSetInformation, GetCommandLineA, LocalAlloc, FreeLibrary, InterlockedExchange, LoadLibraryA, RaiseException, GetSystemTimeAsFileTime, EncodePointer, DecodePointer |
ADVAPI32.dll | SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetSecurityDescriptorGroup, DuplicateTokenEx, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, OpenProcessToken, SetSecurityDescriptorSacl |
SHELL32.dll | SHGetSpecialFolderPathW, SHChangeNotify, ShellExecuteW |
ole32.dll | CoCreateInstance, CoInitialize, CoCreateGuid, CoUninitialize |
OLEAUT32.dll | SysFreeString, SysAllocString |
KERNEL32.dll | InitializeCriticalSection, GetModuleFileNameW, GetModuleHandleW, TerminateProcess, GetCurrentProcess, DeleteCriticalSection, LoadLibraryW, CreateEventW, CompareStringW, SetLastError, GetModuleHandleA, VirtualProtect, GetTickCount, EnterCriticalSection, LeaveCriticalSection, VirtualFree, VirtualAlloc, WriteProcessMemory, CreateToolhelp32Snapshot, GetCurrentProcessId, GetCurrentThreadId, Thread32First, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, GetSystemInfo, FreeLibrary, LoadResource, MultiByteToWideChar, WideCharToMultiByte, FindResourceExW, FindResourceExA, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, HeapAlloc, HeapFree, HeapDestroy, HeapCreate, GetSystemTime, GetLocalTime, SystemTimeToFileTime, CompareFileTime, GetCommandLineA, GetLastError, RaiseException, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, WriteFile, GetStdHandle, GetModuleFileNameA, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, InterlockedDecrement, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, Sleep, ExitProcess, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, HeapReAlloc, HeapSize, LoadLibraryA, GetLocaleInfoA, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, InitializeCriticalSectionAndSpinCount, VirtualQuery |
USER32.dll | MessageBoxW, CharUpperBuffW, wsprintfW |
KERNEL32.dll | GetModuleFileNameW |
KERNEL32.dll | GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 19:01:20 |
Start date: | 15/10/2022 |
Path: | C:\Users\user\Desktop\PR.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 4721272 bytes |
MD5 hash: | 4D32FA0EE0E0BF3E02F9C951B62F10D1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Execution Graph
Execution Coverage: | 3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 5.7% |
Total number of Nodes: | 662 |
Total number of Limit Nodes: | 35 |
Graph
Function 00403344 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 151windowCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004018BE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70fileCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404EED Relevance: 2.1, Strings: 1, Instructions: 811COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403FBE Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 103windowregistryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403784 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 196windowCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401738 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404167 Relevance: 9.1, APIs: 6, Instructions: 56COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402A05 Relevance: 7.6, APIs: 5, Instructions: 61windowCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040196E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48libraryCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404520 Relevance: 4.6, APIs: 3, Instructions: 109COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00429BD4 Relevance: 4.5, APIs: 3, Instructions: 34COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004010C3 Relevance: 4.5, APIs: 3, Instructions: 26fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401166 Relevance: 3.8, APIs: 3, Instructions: 45memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404E1D Relevance: 1.6, APIs: 1, Instructions: 112COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040F7F2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0042D560 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402025 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 90windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004012DE Relevance: 12.1, APIs: 8, Instructions: 143fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401000 Relevance: 9.0, APIs: 6, Instructions: 48processCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405C10 Relevance: 8.1, Strings: 6, Instructions: 579COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004063B0 Relevance: 2.9, Strings: 2, Instructions: 390COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401A2A Relevance: 1.5, APIs: 1, Instructions: 37comCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040D057 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00740025 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004BD30F Relevance: .3, Instructions: 274COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00427D70 Relevance: .3, Instructions: 256COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406AA0 Relevance: .2, Instructions: 179COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00424944 Relevance: .0, Instructions: 29COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402126 Relevance: 86.0, APIs: 21, Strings: 28, Instructions: 216fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004015CE | Relevance: 42.1 | APIs: 20 | Strings: 4 | Instructions: 144 | Tags: library, loader, process, COMMON |
Uniqueness Score: -1.00% |
Function 0040B180 | Relevance: 40.4 | APIs: 18 | Strings: 5 | Instructions: 109 | Tags: library, loader, memory, COMMON |
Uniqueness Score: -1.00% |
Function 00401BCD | Relevance: 28.2 | APIs: 8 | Strings: 8 | Instructions: 166 | Tags: synchronization, window, COMMON |
Uniqueness Score: -1.00% |
Function 0042B50F | Relevance: 21.1 | APIs: 8 | Strings: 4 | Instructions: 57 | Tags: library, loader, COMMON, LIBRARYCODE |
Uniqueness Score: -1.00% |
Function 00406E3F | Relevance: 19.5 | APIs: 10 | Strings: 1 | Instructions: 206 | Tags: library, COMMON |
Uniqueness Score: -1.00% |
Function 00403A4F | Relevance: 15.8 | APIs: 7 | Strings: 2 | Instructions: 47 | Tags: file, COMMON |
Uniqueness Score: -1.00% |
Function 0040AF0A | Relevance: 10.5 | APIs: 5 | Strings: 1 | Instructions: 40 | Tags: COMMON, LIBRARYCODE |
Uniqueness Score: -1.00% |
Function 004124FD | Relevance: 8.8 | APIs: 3 | Strings: 2 | Instructions: 42 | Tags: COMMON, LIBRARYCODE |
Uniqueness Score: -1.00% |
Function 0042C45A | Relevance: 8.8 | APIs: 4 | Strings: 1 | Instructions: 31 | Tags: COMMON, LIBRARYCODE |
Uniqueness Score: -1.00% |
Function 004032CF | Relevance: 6.3 | APIs: 5 | Instructions: 51 | Tags: COMMON |
Uniqueness Score: -1.00% |
Function 00424BE0 | Relevance: 6.1 | APIs: 4 | Instructions: 68 | Tags: COMMON |
Uniqueness Score: -1.00% |
Function 0064188E | Relevance: 5.3 | APIs: 1 | Strings: 2 | Instructions: 42 | Tags: thread, COMMON |
Uniqueness Score: -1.00% |
Function 00412276 | Relevance: 5.3 | APIs: 2 | Strings: 1 | Instructions: 37 | Tags: COMMON, LIBRARYCODE |
Uniqueness Score: -1.00% |