Malicious
Classifications
Spyware Injector Downloader
Threat Names
SmokeLoader RedNet Mal/HTMLGen-A C2/Generic-A +6
Dynamic Analysis Report
Created on 2021-11-09T22:13:00
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3.exe
Windows Exe (x86-32)
Remarks (2/2)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "15 minutes, 18 seconds" to "3 seconds" to reveal dormant functionality.
(0x0200003A): A task was rescheduled ahead of time to reveal dormant functionality.
Remarks
(0x0200004A): 11 dumps were skipped because they exceeded the maximum dump size of 16 MB. The largest one was 39 MB.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
| Filters: |
There are no files for this filter
There are no files in this analysis
| File Name | Category | Type | Verdict | Actions |
|---|
| C:\Users\RDhJ0CNFevzX\Desktop\433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3.exe | Sample File | Binary |
malicious
|
...
|
»
| Also Known As | C:\Users\RDhJ0CNFevzX\AppData\Roaming\bcatcih (Dropped File) |
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 286.00 KB |
| MD5 |
db2ef30e8f821c8f00456941f5944849
|
| SHA1 |
01a08a69f1e8e6d822ece577a9ebe84a0c7f5f60
|
| SHA256 |
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
|
| SSDeep |
3072:6zyig02ASl6xXrDXa23CiVfcC5DBoLtJaIC4CrraxIsgUUirwX0m5Sl5nTk5DItT:6xxXoiVfcGB0vaIC4CrrqR3rC0z5+k
|
| ImpHash |
a5effb4de201aefae267d5eef9a314ac
|
| Parser Error Remark | Static engine was unable to completely parse the analyzed file |
File Reputation Information
»
| Verdict |
malicious
|
PE Information
»
| Image Base | 0x400000 |
| Entry Point | 0x418260 |
| Size Of Code | 0x31400 |
| Size Of Initialized Data | 0x270a600 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.i386 |
| Compile Timestamp | 2020-12-14 13:10:37+00:00 |
Sections (4)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x401000 | 0x312a8 | 0x31400 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.03 |
| .data | 0x433000 | 0x26f642c | 0x1200 | 0x31800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.16 |
| .rsrc | 0x2b2a000 | 0x4210 | 0x4400 | 0x32a00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.22 |
| .reloc | 0x2b2f000 | 0x109c8 | 0x10a00 | 0x36e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.0 |
Imports (3)
»
KERNEL32.dll (116)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SetDllDirectoryW | - | 0x401008 | 0x31744 | 0x30b44 | 0x451 |
| _lwrite | - | 0x40100c | 0x31748 | 0x30b48 | 0x53c |
| InterlockedDecrement | - | 0x401010 | 0x3174c | 0x30b4c | 0x2eb |
| GetNamedPipeHandleStateA | - | 0x401014 | 0x31750 | 0x30b50 | 0x220 |
| SetHandleInformation | - | 0x401018 | 0x31754 | 0x30b54 | 0x470 |
| SetConsoleScreenBufferSize | - | 0x40101c | 0x31758 | 0x30b58 | 0x445 |
| CancelWaitableTimer | - | 0x401020 | 0x3175c | 0x30b5c | 0x47 |
| SetVolumeMountPointW | - | 0x401024 | 0x31760 | 0x30b60 | 0x4ab |
| FindFirstFileExW | - | 0x401028 | 0x31764 | 0x30b64 | 0x134 |
| FreeEnvironmentStringsA | - | 0x40102c | 0x31768 | 0x30b68 | 0x160 |
| GetModuleHandleW | - | 0x401030 | 0x3176c | 0x30b6c | 0x218 |
| GetSystemTimeAsFileTime | - | 0x401034 | 0x31770 | 0x30b70 | 0x279 |
| GetPrivateProfileStringW | - | 0x401038 | 0x31774 | 0x30b74 | 0x242 |
| ReadConsoleW | - | 0x40103c | 0x31778 | 0x30b78 | 0x3be |
| GetSystemWow64DirectoryA | - | 0x401040 | 0x3177c | 0x30b7c | 0x27d |
| QueryActCtxW | - | 0x401044 | 0x31780 | 0x30b80 | 0x39d |
| CreateActCtxW | - | 0x401048 | 0x31784 | 0x30b84 | 0x78 |
| ActivateActCtx | - | 0x40104c | 0x31788 | 0x30b88 | 0x2 |
| GlobalAlloc | - | 0x401050 | 0x3178c | 0x30b8c | 0x2b3 |
| GlobalFindAtomA | - | 0x401054 | 0x31790 | 0x30b90 | 0x2b6 |
| LoadLibraryW | - | 0x401058 | 0x31794 | 0x30b94 | 0x33f |
| GetConsoleMode | - | 0x40105c | 0x31798 | 0x30b98 | 0x1ac |
| ReadConsoleInputA | - | 0x401060 | 0x3179c | 0x30b9c | 0x3b5 |
| SizeofResource | - | 0x401064 | 0x317a0 | 0x30ba0 | 0x4b1 |
| GetSystemWindowsDirectoryA | - | 0x401068 | 0x317a4 | 0x30ba4 | 0x27b |
| SetConsoleMode | - | 0x40106c | 0x317a8 | 0x30ba8 | 0x43d |
| HeapValidate | - | 0x401070 | 0x317ac | 0x30bac | 0x2d7 |
| GetVolumePathNamesForVolumeNameW | - | 0x401074 | 0x317b0 | 0x30bb0 | 0x2ad |
| IsDBCSLeadByte | - | 0x401078 | 0x317b4 | 0x30bb4 | 0x2fe |
| GetModuleFileNameW | - | 0x40107c | 0x317b8 | 0x30bb8 | 0x214 |
| GetSystemDirectoryA | - | 0x401080 | 0x317bc | 0x30bbc | 0x26f |
| CompareStringW | - | 0x401084 | 0x317c0 | 0x30bc0 | 0x64 |
| GetStartupInfoW | - | 0x401088 | 0x317c4 | 0x30bc4 | 0x263 |
| TlsGetValue | - | 0x40108c | 0x317c8 | 0x30bc8 | 0x4c7 |
| GetLastError | - | 0x401090 | 0x317cc | 0x30bcc | 0x202 |
| SetLastError | - | 0x401094 | 0x317d0 | 0x30bd0 | 0x473 |
| GetProcAddress | - | 0x401098 | 0x317d4 | 0x30bd4 | 0x245 |
| SetFirmwareEnvironmentVariableW | - | 0x40109c | 0x317d8 | 0x30bd8 | 0x46d |
| CreateNamedPipeA | - | 0x4010a0 | 0x317dc | 0x30bdc | 0x9f |
| IsValidCodePage | - | 0x4010a4 | 0x317e0 | 0x30be0 | 0x30a |
| CopyFileA | - | 0x4010a8 | 0x317e4 | 0x30be4 | 0x70 |
| GlobalGetAtomNameA | - | 0x4010ac | 0x317e8 | 0x30be8 | 0x2bb |
| SearchPathA | - | 0x4010b0 | 0x317ec | 0x30bec | 0x41c |
| GetPrivateProfileStringA | - | 0x4010b4 | 0x317f0 | 0x30bf0 | 0x241 |
| OpenWaitableTimerA | - | 0x4010b8 | 0x317f4 | 0x30bf4 | 0x387 |
| WritePrivateProfileStringA | - | 0x4010bc | 0x317f8 | 0x30bf8 | 0x52a |
| WTSGetActiveConsoleSessionId | - | 0x4010c0 | 0x317fc | 0x30bfc | 0x4f4 |
| SetConsoleCursorInfo | - | 0x4010c4 | 0x31800 | 0x30c00 | 0x42f |
| GetProcessShutdownParameters | - | 0x4010c8 | 0x31804 | 0x30c04 | 0x251 |
| BuildCommDCBA | - | 0x4010cc | 0x31808 | 0x30c08 | 0x3a |
| GetCurrentDirectoryA | - | 0x4010d0 | 0x3180c | 0x30c0c | 0x1be |
| GetFileTime | - | 0x4010d4 | 0x31810 | 0x30c10 | 0x1f2 |
| GetVersionExA | - | 0x4010d8 | 0x31814 | 0x30c14 | 0x2a3 |
| GetWindowsDirectoryW | - | 0x4010dc | 0x31818 | 0x30c18 | 0x2af |
| FileTimeToLocalFileTime | - | 0x4010e0 | 0x3181c | 0x30c1c | 0x124 |
| TlsFree | - | 0x4010e4 | 0x31820 | 0x30c20 | 0x4c6 |
| GetProfileSectionW | - | 0x4010e8 | 0x31824 | 0x30c24 | 0x25b |
| CommConfigDialogW | - | 0x4010ec | 0x31828 | 0x30c28 | 0x5e |
| LocalFileTimeToFileTime | - | 0x4010f0 | 0x3182c | 0x30c2c | 0x346 |
| GetConsoleAliasesLengthW | - | 0x4010f4 | 0x31830 | 0x30c30 | 0x198 |
| VerifyVersionInfoW | - | 0x4010f8 | 0x31834 | 0x30c34 | 0x4e8 |
| DeleteFileA | - | 0x4010fc | 0x31838 | 0x30c38 | 0xd3 |
| GetCommandLineA | - | 0x401100 | 0x3183c | 0x30c3c | 0x186 |
| HeapSetInformation | - | 0x401104 | 0x31840 | 0x30c40 | 0x2d3 |
| EnterCriticalSection | - | 0x401108 | 0x31844 | 0x30c44 | 0xee |
| LeaveCriticalSection | - | 0x40110c | 0x31848 | 0x30c48 | 0x339 |
| DecodePointer | - | 0x401110 | 0x3184c | 0x30c4c | 0xca |
| TerminateProcess | - | 0x401114 | 0x31850 | 0x30c50 | 0x4c0 |
| GetCurrentProcess | - | 0x401118 | 0x31854 | 0x30c54 | 0x1c0 |
| UnhandledExceptionFilter | - | 0x40111c | 0x31858 | 0x30c58 | 0x4d3 |
| SetUnhandledExceptionFilter | - | 0x401120 | 0x3185c | 0x30c5c | 0x4a5 |
| IsDebuggerPresent | - | 0x401124 | 0x31860 | 0x30c60 | 0x300 |
| EncodePointer | - | 0x401128 | 0x31864 | 0x30c64 | 0xea |
| SetHandleCount | - | 0x40112c | 0x31868 | 0x30c68 | 0x46f |
| GetStdHandle | - | 0x401130 | 0x3186c | 0x30c6c | 0x264 |
| InitializeCriticalSectionAndSpinCount | - | 0x401134 | 0x31870 | 0x30c70 | 0x2e3 |
| GetFileType | - | 0x401138 | 0x31874 | 0x30c74 | 0x1f3 |
| DeleteCriticalSection | - | 0x40113c | 0x31878 | 0x30c78 | 0xd1 |
| QueryPerformanceCounter | - | 0x401140 | 0x3187c | 0x30c7c | 0x3a7 |
| GetTickCount | - | 0x401144 | 0x31880 | 0x30c80 | 0x293 |
| GetCurrentThreadId | - | 0x401148 | 0x31884 | 0x30c84 | 0x1c5 |
| GetCurrentProcessId | - | 0x40114c | 0x31888 | 0x30c88 | 0x1c1 |
| InterlockedIncrement | - | 0x401150 | 0x3188c | 0x30c8c | 0x2ef |
| ExitProcess | - | 0x401154 | 0x31890 | 0x30c90 | 0x119 |
| GetModuleFileNameA | - | 0x401158 | 0x31894 | 0x30c94 | 0x213 |
| FreeEnvironmentStringsW | - | 0x40115c | 0x31898 | 0x30c98 | 0x161 |
| WideCharToMultiByte | - | 0x401160 | 0x3189c | 0x30c9c | 0x511 |
| GetEnvironmentStringsW | - | 0x401164 | 0x318a0 | 0x30ca0 | 0x1da |
| IsBadReadPtr | - | 0x401168 | 0x318a4 | 0x30ca4 | 0x2f7 |
| TlsAlloc | - | 0x40116c | 0x318a8 | 0x30ca8 | 0x4c5 |
| TlsSetValue | - | 0x401170 | 0x318ac | 0x30cac | 0x4c8 |
| HeapCreate | - | 0x401174 | 0x318b0 | 0x30cb0 | 0x2cd |
| WriteFile | - | 0x401178 | 0x318b4 | 0x30cb4 | 0x525 |
| GetACP | - | 0x40117c | 0x318b8 | 0x30cb8 | 0x168 |
| GetOEMCP | - | 0x401180 | 0x318bc | 0x30cbc | 0x237 |
| GetCPInfo | - | 0x401184 | 0x318c0 | 0x30cc0 | 0x172 |
| OutputDebugStringA | - | 0x401188 | 0x318c4 | 0x30cc4 | 0x389 |
| WriteConsoleW | - | 0x40118c | 0x318c8 | 0x30cc8 | 0x524 |
| OutputDebugStringW | - | 0x401190 | 0x318cc | 0x30ccc | 0x38a |
| RtlUnwind | - | 0x401194 | 0x318d0 | 0x30cd0 | 0x418 |
| SetFilePointer | - | 0x401198 | 0x318d4 | 0x30cd4 | 0x466 |
| GetConsoleCP | - | 0x40119c | 0x318d8 | 0x30cd8 | 0x19a |
| HeapAlloc | - | 0x4011a0 | 0x318dc | 0x30cdc | 0x2cb |
| HeapReAlloc | - | 0x4011a4 | 0x318e0 | 0x30ce0 | 0x2d2 |
| HeapSize | - | 0x4011a8 | 0x318e4 | 0x30ce4 | 0x2d4 |
| HeapQueryInformation | - | 0x4011ac | 0x318e8 | 0x30ce8 | 0x2d1 |
| HeapFree | - | 0x4011b0 | 0x318ec | 0x30cec | 0x2cf |
| FlushFileBuffers | - | 0x4011b4 | 0x318f0 | 0x30cf0 | 0x157 |
| GetStringTypeW | - | 0x4011b8 | 0x318f4 | 0x30cf4 | 0x269 |
| LCMapStringW | - | 0x4011bc | 0x318f8 | 0x30cf8 | 0x32d |
| MultiByteToWideChar | - | 0x4011c0 | 0x318fc | 0x30cfc | 0x367 |
| IsProcessorFeaturePresent | - | 0x4011c4 | 0x31900 | 0x30d00 | 0x304 |
| SetStdHandle | - | 0x4011c8 | 0x31904 | 0x30d04 | 0x487 |
| CloseHandle | - | 0x4011cc | 0x31908 | 0x30d08 | 0x52 |
| CreateFileW | - | 0x4011d0 | 0x3190c | 0x30d0c | 0x8f |
| RaiseException | - | 0x4011d4 | 0x31910 | 0x30d10 | 0x3b1 |
USER32.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetMenuInfo | - | 0x4011dc | 0x31918 | 0x30d18 | 0x150 |
| GetMessageTime | - | 0x4011e0 | 0x3191c | 0x30d1c | 0x15c |
| GetListBoxInfo | - | 0x4011e4 | 0x31920 | 0x30d20 | 0x147 |
GDI32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetBitmapBits | - | 0x401000 | 0x3173c | 0x30b3c | 0x1a7 |
Memory Dumps (3)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| buffer | 1 | 0x02ED1EC8 | 0x02EE1697 | First Execution |
|
32-bit | 0x02ED5BA0 |
|
|
...
|
| buffer | 1 | 0x02C10000 | 0x02C18FFF | First Execution |
|
32-bit | 0x02C10000 |
|
|
...
|
| buffer | 2 | 0x00400000 | 0x00407FFF | First Execution |
|
32-bit | 0x00402DC6 |
|
|
...
|
| C:\Users\RDHJ0C~1\AppData\Local\Temp\2E7B.exe | Downloaded File | Binary |
malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 140.50 KB |
| MD5 |
df90b2e12b0377db82d6a1cdcf3b8ad8
|
| SHA1 |
84c9316a004ec33e5a049583091c1ec1c31b76fb
|
| SHA256 |
f071bb54ef89464b10aec76d59532d8eb0087b32508a584fbf7a9e3f78cff9d0
|
| SSDeep |
3072:DokUrHT0ex88T3EujO/UXQ5HDwu6i/tKAz/IO4hblzvuPL1zJ:DokUDT0rg3EcO/UX0suTIO0zvuPL1z
|
| ImpHash | - |
PE Information
»
| Image Base | 0x140000000 |
| Size Of Code | 0x22a00 |
| Size Of Initialized Data | 0x600 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2021-11-09 10:30:38+00:00 |
Version Information (10)
»
| Comments | desc |
| CompanyName | comp |
| FileDescription | |
| FileVersion | 1.2.3.4 |
| InternalName | QBtYsSH.exe |
| LegalCopyright | |
| OriginalFilename | QBtYsSH.exe |
| ProductName | Prod |
| ProductVersion | 1.2.3.4 |
| Assembly Version | 1.2.3.4 |
Sections (2)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x140002000 | 0x2285c | 0x22a00 | 0x200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.67 |
| .rsrc | 0x140026000 | 0x54a | 0x600 | 0x22c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.98 |
Memory Dumps (1)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| 2e7b.exe | 5 | 0x140000000 | 0x140027FFF | Relevant Image |
|
64-bit | - |
|
|
...
|
| C:\Users\RDHJ0C~1\AppData\Local\Temp\64BE.exe | Downloaded File | Binary |
malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 554.00 KB |
| MD5 |
5bade93f97c6a1c400773eb05a653ec1
|
| SHA1 |
1eaddbeb895ff8480c4197cba7172e220e7fe76f
|
| SHA256 |
52f0387abaa5763ce2d9fd13388660c3c7bb256c7715c37b434abab63dda3717
|
| SSDeep |
12288:4diWJ9Ql3IqOcSB/FoMqbxOE4SYwiV2lD8FAxCgZ4:vIw+/WtNnYwF/4
|
| ImpHash |
f34d5f2d4577ed6d9ceec516c1f5a744
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Gen:Variant.Cerbu.113972 |
malicious
|
PE Information
»
| Image Base | 0x400000 |
| Entry Point | 0x48bc4e |
| Size Of Code | 0x89e00 |
| Size Of Initialized Data | 0x800 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.i386 |
| Compile Timestamp | 2021-11-09 17:09:35+00:00 |
Version Information (7)
»
| FileDescription | |
| FileVersion | 0.0.0.0 |
| InternalName | New Project 1.exe |
| LegalCopyright | |
| OriginalFilename | New Project 1.exe |
| ProductVersion | 0.0.0.0 |
| Assembly Version | 0.0.0.0 |
Sections (3)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .null | 0x402000 | 0x89c54 | 0x89e00 | 0x200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.25 |
| .fear | 0x48c000 | 0x5c0 | 0x600 | 0x8a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.51 |
| .where | 0x48e000 | 0xc | 0x200 | 0x8a600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
»
mscoree.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _CorExeMain | - | 0x402000 | 0x8bc28 | 0x89e28 | 0x0 |
Memory Dumps (2)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| 64be.exe | 7 | 0x00400000 | 0x0048FFFF | Relevant Image |
|
32-bit | - |
|
|
...
|
| 64be.exe | 7 | 0x00400000 | 0x0048FFFF | Content Changed |
|
32-bit | - |
|
|
...
|
YARA Matches (3)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| MultipleNetObfuscatorAttributes | .NET file contains multiple obfuscator attributes | - |
2/5
|
...
|
| BabelObfuscatorAttributes | Babel Obfuscator Attributes | - |
1/5
|
...
|
| YanoObfuscatorAttributes | Yano Obfuscator Attributes | - |
1/5
|
...
|
| C:\Users\RDHJ0C~1\AppData\Local\Temp\892F.exe | Downloaded File | Binary |
malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 393.50 KB |
| MD5 |
ff5f9201e8bca81a126ea15a536e5eed
|
| SHA1 |
9c009acb34a16c0a185df24d362da1b690003978
|
| SHA256 |
efa0c9fc855126fffc9e80bf8de21fa10ab736e14d1956d025b450969a38450c
|
| SSDeep |
12288:kIwlYT0hcOMX2DL9ZCQQysz5ok+WwRVk+4Yl/PZqtM+gA2:kIqYTocOMG/nCdZB5
|
| ImpHash |
a5effb4de201aefae267d5eef9a314ac
|
| Parser Error Remark | Static engine was unable to completely parse the analyzed file |
PE Information
»
| Image Base | 0x400000 |
| Entry Point | 0x4331a0 |
| Size Of Code | 0x4c200 |
| Size Of Initialized Data | 0x270a600 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.i386 |
| Compile Timestamp | 2020-06-17 16:32:53+00:00 |
Sections (4)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x401000 | 0x4c1e8 | 0x4c200 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.51 |
| .data | 0x44e000 | 0x26f642c | 0x1200 | 0x4c600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.17 |
| .rsrc | 0x2b45000 | 0x4210 | 0x4400 | 0x4d800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.22 |
| .reloc | 0x2b4a000 | 0x109c8 | 0x10a00 | 0x51c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.01 |
Imports (3)
»
KERNEL32.dll (116)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SetDllDirectoryW | - | 0x401008 | 0x4c684 | 0x4ba84 | 0x451 |
| _lwrite | - | 0x40100c | 0x4c688 | 0x4ba88 | 0x53c |
| InterlockedDecrement | - | 0x401010 | 0x4c68c | 0x4ba8c | 0x2eb |
| GetNamedPipeHandleStateA | - | 0x401014 | 0x4c690 | 0x4ba90 | 0x220 |
| SetHandleInformation | - | 0x401018 | 0x4c694 | 0x4ba94 | 0x470 |
| SetConsoleScreenBufferSize | - | 0x40101c | 0x4c698 | 0x4ba98 | 0x445 |
| CancelWaitableTimer | - | 0x401020 | 0x4c69c | 0x4ba9c | 0x47 |
| SetVolumeMountPointW | - | 0x401024 | 0x4c6a0 | 0x4baa0 | 0x4ab |
| FindFirstFileExW | - | 0x401028 | 0x4c6a4 | 0x4baa4 | 0x134 |
| FreeEnvironmentStringsA | - | 0x40102c | 0x4c6a8 | 0x4baa8 | 0x160 |
| GetModuleHandleW | - | 0x401030 | 0x4c6ac | 0x4baac | 0x218 |
| GetSystemTimeAsFileTime | - | 0x401034 | 0x4c6b0 | 0x4bab0 | 0x279 |
| GetPrivateProfileStringW | - | 0x401038 | 0x4c6b4 | 0x4bab4 | 0x242 |
| ReadConsoleW | - | 0x40103c | 0x4c6b8 | 0x4bab8 | 0x3be |
| GetSystemWow64DirectoryA | - | 0x401040 | 0x4c6bc | 0x4babc | 0x27d |
| QueryActCtxW | - | 0x401044 | 0x4c6c0 | 0x4bac0 | 0x39d |
| CreateActCtxW | - | 0x401048 | 0x4c6c4 | 0x4bac4 | 0x78 |
| ActivateActCtx | - | 0x40104c | 0x4c6c8 | 0x4bac8 | 0x2 |
| GlobalAlloc | - | 0x401050 | 0x4c6cc | 0x4bacc | 0x2b3 |
| GlobalFindAtomA | - | 0x401054 | 0x4c6d0 | 0x4bad0 | 0x2b6 |
| LoadLibraryW | - | 0x401058 | 0x4c6d4 | 0x4bad4 | 0x33f |
| GetConsoleMode | - | 0x40105c | 0x4c6d8 | 0x4bad8 | 0x1ac |
| ReadConsoleInputA | - | 0x401060 | 0x4c6dc | 0x4badc | 0x3b5 |
| SizeofResource | - | 0x401064 | 0x4c6e0 | 0x4bae0 | 0x4b1 |
| GetSystemWindowsDirectoryA | - | 0x401068 | 0x4c6e4 | 0x4bae4 | 0x27b |
| SetConsoleMode | - | 0x40106c | 0x4c6e8 | 0x4bae8 | 0x43d |
| HeapValidate | - | 0x401070 | 0x4c6ec | 0x4baec | 0x2d7 |
| GetVolumePathNamesForVolumeNameW | - | 0x401074 | 0x4c6f0 | 0x4baf0 | 0x2ad |
| IsDBCSLeadByte | - | 0x401078 | 0x4c6f4 | 0x4baf4 | 0x2fe |
| GetModuleFileNameW | - | 0x40107c | 0x4c6f8 | 0x4baf8 | 0x214 |
| GetSystemDirectoryA | - | 0x401080 | 0x4c6fc | 0x4bafc | 0x26f |
| CompareStringW | - | 0x401084 | 0x4c700 | 0x4bb00 | 0x64 |
| GetStartupInfoW | - | 0x401088 | 0x4c704 | 0x4bb04 | 0x263 |
| TlsGetValue | - | 0x40108c | 0x4c708 | 0x4bb08 | 0x4c7 |
| GetLastError | - | 0x401090 | 0x4c70c | 0x4bb0c | 0x202 |
| SetLastError | - | 0x401094 | 0x4c710 | 0x4bb10 | 0x473 |
| GetProcAddress | - | 0x401098 | 0x4c714 | 0x4bb14 | 0x245 |
| SetFirmwareEnvironmentVariableW | - | 0x40109c | 0x4c718 | 0x4bb18 | 0x46d |
| CreateNamedPipeA | - | 0x4010a0 | 0x4c71c | 0x4bb1c | 0x9f |
| IsValidCodePage | - | 0x4010a4 | 0x4c720 | 0x4bb20 | 0x30a |
| CopyFileA | - | 0x4010a8 | 0x4c724 | 0x4bb24 | 0x70 |
| GlobalGetAtomNameA | - | 0x4010ac | 0x4c728 | 0x4bb28 | 0x2bb |
| SearchPathA | - | 0x4010b0 | 0x4c72c | 0x4bb2c | 0x41c |
| GetPrivateProfileStringA | - | 0x4010b4 | 0x4c730 | 0x4bb30 | 0x241 |
| OpenWaitableTimerA | - | 0x4010b8 | 0x4c734 | 0x4bb34 | 0x387 |
| WritePrivateProfileStringA | - | 0x4010bc | 0x4c738 | 0x4bb38 | 0x52a |
| WTSGetActiveConsoleSessionId | - | 0x4010c0 | 0x4c73c | 0x4bb3c | 0x4f4 |
| SetConsoleCursorInfo | - | 0x4010c4 | 0x4c740 | 0x4bb40 | 0x42f |
| GetProcessShutdownParameters | - | 0x4010c8 | 0x4c744 | 0x4bb44 | 0x251 |
| BuildCommDCBA | - | 0x4010cc | 0x4c748 | 0x4bb48 | 0x3a |
| GetCurrentDirectoryA | - | 0x4010d0 | 0x4c74c | 0x4bb4c | 0x1be |
| GetFileTime | - | 0x4010d4 | 0x4c750 | 0x4bb50 | 0x1f2 |
| GetVersionExA | - | 0x4010d8 | 0x4c754 | 0x4bb54 | 0x2a3 |
| GetWindowsDirectoryW | - | 0x4010dc | 0x4c758 | 0x4bb58 | 0x2af |
| FileTimeToLocalFileTime | - | 0x4010e0 | 0x4c75c | 0x4bb5c | 0x124 |
| TlsFree | - | 0x4010e4 | 0x4c760 | 0x4bb60 | 0x4c6 |
| GetProfileSectionW | - | 0x4010e8 | 0x4c764 | 0x4bb64 | 0x25b |
| CommConfigDialogW | - | 0x4010ec | 0x4c768 | 0x4bb68 | 0x5e |
| LocalFileTimeToFileTime | - | 0x4010f0 | 0x4c76c | 0x4bb6c | 0x346 |
| GetConsoleAliasesLengthW | - | 0x4010f4 | 0x4c770 | 0x4bb70 | 0x198 |
| VerifyVersionInfoW | - | 0x4010f8 | 0x4c774 | 0x4bb74 | 0x4e8 |
| DeleteFileA | - | 0x4010fc | 0x4c778 | 0x4bb78 | 0xd3 |
| GetCommandLineA | - | 0x401100 | 0x4c77c | 0x4bb7c | 0x186 |
| HeapSetInformation | - | 0x401104 | 0x4c780 | 0x4bb80 | 0x2d3 |
| EnterCriticalSection | - | 0x401108 | 0x4c784 | 0x4bb84 | 0xee |
| LeaveCriticalSection | - | 0x40110c | 0x4c788 | 0x4bb88 | 0x339 |
| DecodePointer | - | 0x401110 | 0x4c78c | 0x4bb8c | 0xca |
| TerminateProcess | - | 0x401114 | 0x4c790 | 0x4bb90 | 0x4c0 |
| GetCurrentProcess | - | 0x401118 | 0x4c794 | 0x4bb94 | 0x1c0 |
| UnhandledExceptionFilter | - | 0x40111c | 0x4c798 | 0x4bb98 | 0x4d3 |
| SetUnhandledExceptionFilter | - | 0x401120 | 0x4c79c | 0x4bb9c | 0x4a5 |
| IsDebuggerPresent | - | 0x401124 | 0x4c7a0 | 0x4bba0 | 0x300 |
| EncodePointer | - | 0x401128 | 0x4c7a4 | 0x4bba4 | 0xea |
| SetHandleCount | - | 0x40112c | 0x4c7a8 | 0x4bba8 | 0x46f |
| GetStdHandle | - | 0x401130 | 0x4c7ac | 0x4bbac | 0x264 |
| InitializeCriticalSectionAndSpinCount | - | 0x401134 | 0x4c7b0 | 0x4bbb0 | 0x2e3 |
| GetFileType | - | 0x401138 | 0x4c7b4 | 0x4bbb4 | 0x1f3 |
| DeleteCriticalSection | - | 0x40113c | 0x4c7b8 | 0x4bbb8 | 0xd1 |
| QueryPerformanceCounter | - | 0x401140 | 0x4c7bc | 0x4bbbc | 0x3a7 |
| GetTickCount | - | 0x401144 | 0x4c7c0 | 0x4bbc0 | 0x293 |
| GetCurrentThreadId | - | 0x401148 | 0x4c7c4 | 0x4bbc4 | 0x1c5 |
| GetCurrentProcessId | - | 0x40114c | 0x4c7c8 | 0x4bbc8 | 0x1c1 |
| InterlockedIncrement | - | 0x401150 | 0x4c7cc | 0x4bbcc | 0x2ef |
| ExitProcess | - | 0x401154 | 0x4c7d0 | 0x4bbd0 | 0x119 |
| GetModuleFileNameA | - | 0x401158 | 0x4c7d4 | 0x4bbd4 | 0x213 |
| FreeEnvironmentStringsW | - | 0x40115c | 0x4c7d8 | 0x4bbd8 | 0x161 |
| WideCharToMultiByte | - | 0x401160 | 0x4c7dc | 0x4bbdc | 0x511 |
| GetEnvironmentStringsW | - | 0x401164 | 0x4c7e0 | 0x4bbe0 | 0x1da |
| IsBadReadPtr | - | 0x401168 | 0x4c7e4 | 0x4bbe4 | 0x2f7 |
| TlsAlloc | - | 0x40116c | 0x4c7e8 | 0x4bbe8 | 0x4c5 |
| TlsSetValue | - | 0x401170 | 0x4c7ec | 0x4bbec | 0x4c8 |
| HeapCreate | - | 0x401174 | 0x4c7f0 | 0x4bbf0 | 0x2cd |
| WriteFile | - | 0x401178 | 0x4c7f4 | 0x4bbf4 | 0x525 |
| GetACP | - | 0x40117c | 0x4c7f8 | 0x4bbf8 | 0x168 |
| GetOEMCP | - | 0x401180 | 0x4c7fc | 0x4bbfc | 0x237 |
| GetCPInfo | - | 0x401184 | 0x4c800 | 0x4bc00 | 0x172 |
| OutputDebugStringA | - | 0x401188 | 0x4c804 | 0x4bc04 | 0x389 |
| WriteConsoleW | - | 0x40118c | 0x4c808 | 0x4bc08 | 0x524 |
| OutputDebugStringW | - | 0x401190 | 0x4c80c | 0x4bc0c | 0x38a |
| RtlUnwind | - | 0x401194 | 0x4c810 | 0x4bc10 | 0x418 |
| SetFilePointer | - | 0x401198 | 0x4c814 | 0x4bc14 | 0x466 |
| GetConsoleCP | - | 0x40119c | 0x4c818 | 0x4bc18 | 0x19a |
| HeapAlloc | - | 0x4011a0 | 0x4c81c | 0x4bc1c | 0x2cb |
| HeapReAlloc | - | 0x4011a4 | 0x4c820 | 0x4bc20 | 0x2d2 |
| HeapSize | - | 0x4011a8 | 0x4c824 | 0x4bc24 | 0x2d4 |
| HeapQueryInformation | - | 0x4011ac | 0x4c828 | 0x4bc28 | 0x2d1 |
| HeapFree | - | 0x4011b0 | 0x4c82c | 0x4bc2c | 0x2cf |
| FlushFileBuffers | - | 0x4011b4 | 0x4c830 | 0x4bc30 | 0x157 |
| GetStringTypeW | - | 0x4011b8 | 0x4c834 | 0x4bc34 | 0x269 |
| LCMapStringW | - | 0x4011bc | 0x4c838 | 0x4bc38 | 0x32d |
| MultiByteToWideChar | - | 0x4011c0 | 0x4c83c | 0x4bc3c | 0x367 |
| IsProcessorFeaturePresent | - | 0x4011c4 | 0x4c840 | 0x4bc40 | 0x304 |
| SetStdHandle | - | 0x4011c8 | 0x4c844 | 0x4bc44 | 0x487 |
| CloseHandle | - | 0x4011cc | 0x4c848 | 0x4bc48 | 0x52 |
| CreateFileW | - | 0x4011d0 | 0x4c84c | 0x4bc4c | 0x8f |
| RaiseException | - | 0x4011d4 | 0x4c850 | 0x4bc50 | 0x3b1 |
USER32.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetMenuInfo | - | 0x4011dc | 0x4c858 | 0x4bc58 | 0x150 |
| GetMessageTime | - | 0x4011e0 | 0x4c85c | 0x4bc5c | 0x15c |
| GetListBoxInfo | - | 0x4011e4 | 0x4c860 | 0x4bc60 | 0x147 |
GDI32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetBitmapBits | - | 0x401000 | 0x4c67c | 0x4ba7c | 0x1a7 |
Memory Dumps (3)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| buffer | 8 | 0x02C71C28 | 0x02C9C33F | First Execution |
|
32-bit | 0x02C71C28 |
|
|
...
|
| buffer | 8 | 0x04580000 | 0x045B8FFF | First Execution |
|
32-bit | 0x04580000 |
|
|
...
|
| buffer | 8 | 0x047C5190 | 0x047F219D | Image In Buffer |
|
32-bit | - |
|
|
...
|
| C:\Users\RDHJ0C~1\AppData\Local\Temp\892F.tmp | Dropped File | Unknown |
clean
|
...
|
»
| MIME Type | - |
| File Size | 0 Bytes |
| MD5 |
d41d8cd98f00b204e9800998ecf8427e
|
| SHA1 |
da39a3ee5e6b4b0d3255bfef95601890afd80709
|
| SHA256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
| SSDeep |
3::
|
| ImpHash | - |
