Analysis Details
Category Package Started Completed Duration Options Logs
FILE exe 2026-06-29 11:55:03 2026-06-29 11:55:26 23s
Options
vnc_port=5900
Analysis Log
2026-06-28 14:55:57,752 [root] INFO: Date set to: 20260629T11:55:09, timeout set to: 250
2026-06-28 14:56:02,289 [root] DEBUG: Starting analyzer from: C:\7d7wfxi0
2026-06-28 14:56:02,295 [root] DEBUG: Storing results at: C:\dtCqEFTv
2026-06-28 14:56:02,295 [root] DEBUG: Pipe server name: \\.\PIPE\ffdHNE
2026-06-28 14:56:02,296 [root] DEBUG: Python path: C:\Users\Rajesh\AppData\Local\Programs\Python\Python314
2026-06-28 14:56:02,297 [root] INFO: analysis running as an admin
2026-06-28 14:56:02,298 [root] INFO: analysis package specified: "exe"
2026-06-28 14:56:02,299 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2026-06-28 14:56:02,312 [root] DEBUG: imported analysis package "exe"
2026-06-28 14:56:02,314 [root] DEBUG: initializing analysis package "exe"...
2026-06-28 14:56:02,315 [lib.common.common] INFO: no wrapping
2026-06-28 14:56:02,315 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-28 14:56:02,317 [root] DEBUG: New location of moved file: C:\Users\Rajesh\AppData\Local\Temp\Endermanch_BadRabbit.exe
2026-06-28 14:56:02,317 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll option
2026-06-28 14:56:02,318 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll_64 option
2026-06-28 14:56:02,318 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2026-06-28 14:56:02,318 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2026-06-28 14:56:02,386 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-06-28 14:56:02,403 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-06-28 14:56:02,552 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-06-28 14:56:02,635 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-06-28 14:56:02,647 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-06-28 14:56:02,648 [lib.api.screenshot] ERROR: No module named 'PIL'
2026-06-28 14:56:02,649 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-06-28 14:56:02,660 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-06-28 14:56:02,661 [root] DEBUG: Initialized auxiliary module "Browser"
2026-06-28 14:56:02,662 [root] DEBUG: attempting to configure 'Browser' from data
2026-06-28 14:56:02,665 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-06-28 14:56:02,666 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-06-28 14:56:02,690 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-06-28 14:56:02,691 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-06-28 14:56:02,692 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-06-28 14:56:02,693 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-06-28 14:56:02,693 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-06-28 14:56:02,693 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-06-28 14:56:03,361 [modules.auxiliary.digisig] DEBUG: File has an invalid signature
2026-06-28 14:56:03,362 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-06-28 14:56:03,377 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-06-28 14:56:03,378 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-06-28 14:56:03,378 [root] DEBUG: attempting to configure 'Disguise' from data
2026-06-28 14:56:03,379 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-06-28 14:56:03,379 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-06-28 14:56:03,383 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 3236)
2026-06-28 14:56:03,388 [modules.auxiliary.disguise] INFO: Disguising GUID to 1a98ac3a-16f4-4342-92b2-835bcbf61450
2026-06-28 14:56:03,388 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-06-28 14:56:03,388 [root] DEBUG: Initialized auxiliary module "Human"
2026-06-28 14:56:03,388 [root] DEBUG: attempting to configure 'Human' from data
2026-06-28 14:56:03,389 [root] DEBUG: module Human does not support data configuration, ignoring
2026-06-28 14:56:03,389 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-06-28 14:56:03,390 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-06-28 14:56:03,390 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-06-28 14:56:03,390 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-06-28 14:56:03,390 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-06-28 14:56:03,390 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-06-28 14:56:03,396 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2026-06-28 14:56:03,396 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-06-28 14:56:03,422 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-06-28 14:56:03,422 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-06-28 14:56:03,426 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-06-28 14:56:03,427 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-06-28 14:56:03,431 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process
2026-06-28 14:56:03,431 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-06-28 14:56:09,389 [root] INFO: Restarting WMI Service
2026-06-28 14:56:11,650 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2026-06-28 14:56:11,651 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2026-06-28 14:56:11,652 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-28 14:56:11,658 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\Rajesh\AppData\Local\Temp\Endermanch_BadRabbit.exe" with arguments "None" (Error: 740)
2026-06-28 14:56:11,661 [root] ERROR: You probably submitted the job with wrong package
Traceback (most recent call last):
  File "C:\7d7wfxi0/analyzer.py", line 688, in run
    pids = self.package.start(self.target)
  File "C:\7d7wfxi0\modules\packages\exe.py", line 47, in start
    return self.execute(path, args, path)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "C:\7d7wfxi0\lib\common\abstracts.py", line 181, in execute
    raise CuckooPackageError("Unable to execute the initial process, analysis aborted")
lib.common.exceptions.CuckooPackageError: Unable to execute the initial process, analysis aborted

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\7d7wfxi0/analyzer.py", line 1598, in <module>
    success = analyzer.run()
  File "C:\7d7wfxi0/analyzer.py", line 692, in run
    raise CuckooError(f'The package "{self.package_name}" start function raised an error: {e}') from e
lib.common.exceptions.CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted
2026-06-28 14:56:11,766 [root] WARNING: Folder at path "C:\dtCqEFTv\debugger" does not exist, skipping
2026-06-28 14:56:11,767 [root] WARNING: Folder at path "C:\dtCqEFTv\tlsdump" does not exist, skipping
2026-06-28 14:56:11,767 [root] INFO: Analysis completed
Process Log
Pre-Script Log
During-Script Log
Machine Information
Name Label Manager Started On Shutdown On Route
win10 win10 KVM 2026-06-29 11:55:03 2026-06-29 11:55:26 internet
File Details
File Information
File Name
Endermanch_BadRabbit.exe
File Type PE32 executable (console) Intel 80386, for MS Windows
File Size 441899 bytes
MD5 fbbdc39af1139aebba4da004475e8839
SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA3-384 af433e4633ca0569362eac3ee889b5348b29852f12064a945a5b4d106b1419d6502c8d9276ac97a0073ff927cbd61757
CRC32 5FA1C9A5
TLSH T1199412426729EE92D1E1B8F84093E7CC4BB97B090FB991EF9D993485CC79B8319380D5
Ssdeep 12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Strings
PlBr8
%XsK-
_>/>N/o
qu& h
m|$s'
]z_ep]
GzAzK
[}"s&
ojOX*)=
,!0Sb
HQ$7p
j2+Y=
]ae5n
cM:pm2
1111111111111
`M,/;
z]ZPXC
uj2LO.
74tIU\(
Durbanville1
w[]Nm
121221000000Z
&.Q):
"}C8,
oq)Wsi
he7WF+
ugQ~}
QrG0XL 6
\G.d}
sby'5
040904b0
{^0B(-
l$ntA
O-u}<uZ
kK_}=#
/.))X
=Q02X
lfycrh
IiGM>nw
%56G*
l6qnk
J\bSW
W$Zph0K
+qx^3T
<C;?*H
@M1m[o
3(Qvb
Kxm<?K
$n#_S
Mv6k^
7lQy9
_;'b4
]737/|
#<Rq+O
lVEQK
;#WX;
qcIL0I
r87*!
=Pq|FJV
U%0E%
N+~0;
>*>x>
;pD-<+u
;9UEL
W#/EH
k.zA%7
f=/&
TerminateProcess
)\ZEo^m/
3aM03
~MU`?#7"a
k|iy_#\
@FR65
k=\+Ok
a/a_ak028
sf]i|
oFT;kJ~
+X'jk8zG
20170908235403Z0
F`N[j
Or;n/
"iH1R
\vnO^
r[F|V
GI!LSO
F9ZBCb
R+I.(R
7xwcQ
M_i12P
EI:Iv
[\[u6
Z0X0V
gW!1#
z}^Na
$p?ZX
xi%#g%
GsFr8
@/xJ
170908235403Z0/
TimeStamp-2048-20
?gA\:
XrA6Nq
r|r2rH9
Z'8b>
4px5p\
biFzT
=&r74e
6h?@U
Iw>*;s
&HEW"3
y"4}y
p5^\#
w(!m!@
/FL^-.X
)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
fa7G[d@s[
WuQta
OZw3(?
G,@}P
~:~^Q
Symantec Corporation0
s4sq\
h`ULQ
^H;R_
>oe:x
2s2y2
xPlLf
be2!X
r6l;D
4%FU3&j
8t>}#`o
ijs"TPv
bR{Q$
[ifk,
O%.n .
hGK~e?
5u+x<#
Pm#s4'b
X+t6>
|XL.{
~,I/w
+HUc1J2
+Symantec Time Stamping Services Signer - G40
ExrQW
O:hI+
;HPU)
hX`4p
@8ExNxCXH
[#X>)
ypl'>de
6R@z15S
7Sp}x2
ZRNg'
s'L=[
PpG_C
$DV\?L3
CaZR]
A.BS&
i**T(7J
ckk^`^
FxeT@H
OVfK8
]$D\r
/L h"
header crc mismatch
-)V9dXD
<w]T}
C\hs.
ik@E2
RHZ`&
GKq%h
y3+.{
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
j@9t:
BBkJa+OA
D'EOD$
C-AI)
<OH63
Fz?Us
A(HMd/
!2b_&
}J!x)
GetModuleHandleW
S:{gvw
incorrect data check
yaAYI
^oEZ_
C89S(u
G~17-u
mqG<b
k3$RoE
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+I1\$
oAp}h
0/0o1
buffer error
KPO)X
fzcF M
aW|3G
4l1x2`fM
0J|(B
JJr+2
H*0"ZOW
*mv7~n
g F0s
Symantec SHA256 TimeStamping CA0
"vf[jU
G~VSpU/!p
Ce*9b
invalid window size
0 )t(
GetFileSize
}LGY[
#Saa+L
:oXrq
k0@"90
abSMr
3-2Bf
44|A-
u.FK.
CloseHandle
EJjJXT
1wsHp
_t:lN+XBjRe'
>sK~9c
"\%_l
Mzfz=)7
(0&0$
.8y_v]
TRZHX|
image/gif0!0
J>U.5
xq!Xi
+ht9F
g`>t^iIS
1t1{1
D;IB/R
G8J-l
fh8',@
"__y
,Y{Y9
*]M[@
R1T25
n(OJ
ov;L8
B0"N#:
90705
ntelu0
#http://logo.verisign.com/vslogo.gif04
#z`!U
``45)
http://ocsp.thawte.com0
TTcJk
(LJ&%
6F'CxA
'A(W GL
'Y&Q
A%A=F
c{x3j
xw5|ds
KERNEL32.dll
,dv<A
y}k7E
5(51565<5F5O5Z5h5m5s5~5
D|w|Q
195*`Z
$YRBt
32>lS
_yHuY
9v9.9^9
Lp%\'
6b%p>
gCN=yNp
< -01
0GC~n
%K=<h8S
3Z>^(
X].a~
V]j"4
X<9p/
lOIOPI
$1%5Ob
GmPFC
9KrVip_H
W`%2HK
|4-N5
o>i(T
Thawte Timestamping CA0
zCbR2?f
*****
3$F2d
!A1oW
M %WH
AM[`#
malloc
yfy&Sk
K7K(b
F?K(ar
"{dqB
USER32.dll
9VPTp9(wD
Qkkbal
|_0&Z
0cI7Cp@
V/h%}}
_YKZkU=
`1Gek
V-!j1}ry
Z;&*9
RjIOc/
j{ZJ
S}\^#
pi[OXO
v4xUg
MG3dA
111111,,,,
$xN(8
280401235959Z0
E2{^)
0BP'.
M$~oYq
?o9(5;,
YOSSfB
</assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
MyCvU
hBWU72
dY59%ua
BrV2A
,,,,,,
)ZTSp
.nIi(n
ug[xh
*1sjY
-0+0)
.CqQ7
UcsKV
1-F?r
R1h58
*<z'&l
8!!lx:
b+B-=
uyC%:0
r#PHq
v%~Yp
CreateFileW
/http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
ml^5W
{^A_b
H[{MfyJ~M#
eMl{c
z)4!{
hF*[f
100208000000Z
r!6"Q5
]i{#\
V\"UX
[\o3q`
Is,yy
?g308'
121018000000Z
H%Hc&
fCt"K
~o>z+}
}&=bw9
V_:X1:
:T;X;\;`;d;h;l;p;t;x;|;
cAWa/a
Bw&F(
"cUC"
k\oH@k
b%LaP
){1/S
fn]5-]5i
:<U[rzi
u|${R
9#I@r
E*7tq
_5yO;^
,2;'S
</requestedPrivileges>
a_gFC
<VeriSign Class 3 Public Primary Certification Authority - G50
+x7"C
m,]Q+
EtG6#
5-f?YF
%/8D%e
E8)6#Yz
bA4i#4|C
)*"<<$*
Y)(\,
Cb$?p
"]hGul
iQ)R$
sL;/Ur>$
C4;K0v
w;l3r=
9O9i9w=
0~)%~A87o
#?Q )=
e_5 >E
2 282?2K2Z2u2|2
AZ`)>
13P;'
~ +VX(
snUw'
~.Z9r
U+Ka`
?LA!>
0/0?0F0b0s0z0
?bW)ps
PcsVQ6R
vsdrp
mslU3
]j1Wg
:Y[[v
_0]0[
Jy`A[f
STAR Security Engines1
}cKmf<
e<VXv
C<8kmt
sXV`h^P
7`[3`_pa^
4&btB
`.rdata
Symantec Trust Network1(0&
'OM.r
&J0Qm
FbhYyz
-#d)3
Pm$~cm(
JW^TP
invalid bit length repeat
em@2kg
2E5D
|kgQP
Symantec Trust Network1503
DV.{/y
180413235959Z0
cPdTZ
pR_yq
nUZ!H
i=]iL
^^9Qk
Symantec Corporation100.
M~0WnnI
[6UU=
"X0PV
X_^[]
Y}kPS
,E;4=
]',8S
(J82b
uQSDT
https://www.verisign.com/cps0*
~*w9+
Hbm0+9
;biLyf
W*sd5
FlashUtil.exe
QVx&=
d{J3E
+CsS~cw
T1d*`.2
$Xwf^-W
q:p6Lt
Bwz|z
#5s;q+ryd
(w^>#
%xZBz
'!TOd
=:_~_
SetUnhandledExceptionFilter
/PW)4!>
;sL(#=
2Z0vz
gdKMn,Y
Be.O:
m\\\]
QB526&Qrr
Q@)90j
_p[j7
s#ACq
v#f A
\OXtSU
Qp'""
q3ms
sgqY$
XBBL$
'Symantec Time Stamping Services CA - G2
5P <V
juP-_
##Y>lF
6=XB*
u[eWL
SU1B&@q8
Vai4Oz
i0g0e
>"hcS
wl`B8
E>L>I~L~C
M`+qyMD
-nX>f
f?:-v
{|/WL
O*]Ri(%
k,oumE
1h kh
111111111111111
=ERYn
jsC*,
26cCF
Player Installer/Uninstaller 27.0 r0
16.@f
H@3<^
unknown compression method
;YB4S
D&JG<2e
k./sW
MpBKxf
7hL%
)5eS\
e5Sww
nR:FF
:#wxb
*FU8LF
odd/(
BvN)c
$i2,g
too many length or distance symbols
z7uG{
Kqkspe
http://sf.symcb.com/sf.crl0W
4{x7Q
%J2'Y
3H3O3[3e3
Sz\+T
%UzR
wsprintfW
`;If
IwHqx
kl#\wst
\lERi!
?dt?/
@`<[`
KirSA
!_Z~Q
aS`UB0
`l8KN
!This program cannot be run in DOS mode.
r(~}ag3
~#Lhy
avL3!@9
+daIH aG
\$'%_8B
VeriSign Trust Network1:08
|PoPm~
g0e0*
VarFileInfo
Q-s&6
]jxdE
8[pPtG
W1j%t
~*bbr
(+ld(
@J0gE
.8&68
#C1U/G
D\7X<
OHF)+jj!o
|Y('a#
EWajj
nWrr0
1Q1X1d1s1
CI!P-
>ztm\
X]}Hq
T)EXK
n}#m;!R
A}2Ka|
^(9^$u
_~XtqX
1fVW.B
CegUI
((#3P
ProductVersion
4>v@I
HAF@;
Kf.|Vo
^6u=%C-
z4=na
#vFcJ
n1"p~
5GN~z>
@\`;;
*[Gt[
YW<$t
Sq +kw0
[hD,T
11111111111111111
%M|+K|K28/,
+Ur_>
4?3?:\
)nw:z
200207235959Z0
Pl_5N\F/
N^RV[\6yeg
:prlyH
VP uf
7eb'
eD6nuI
111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
k_6Fa
Q>K(d
N"\+X
$OIH<
0dB_P
2x*s8
\V]_&L
o;C;h
HeapFree
Z0 d<
]~&!h
https://www.verisign.com/rpa0
|Dp@w
vr36@6
Tg'[`U
5++?j
<}VfdQ
[&=d)
xLU=$,
d<zY(
C~/h~
o3Fr()
n#ps'}
x.~vHjI
^~$qL68
0 ,&t(
Gz[y|C
X3ie)
170908235402Z0#
q-FF~
1996-2017 Adobe Systems Incorporated
e>W@k
U*gU/
"=hYq#
C*S`$
@6&h\
|$v1U
[YeMN
yMZVgVV
fD#Z^
m5 QZ?
\Z^ k;
wJ@NgS
JB`WCQ
$4u'6
ukFjB$
need dictionary
%ws C:\Windows\%ws,#1 %ws
[\)b"
k;ooT
vcWR`
11111
6#NSt&
^11N_KW\s
K6/+N
#+3;CScs
DA]q_h"
Uu?TD
$0bK>
b_1<Z
>yNxcT
H^ <I
TYVXN
&EIs"EA
SymantecPKI-1-7240
h+=d%7
0N?<:Z'
/ElTD)&
c'o=Tb
ioG~4
U{v,{
pQ3}pg.
170315000000Z
1Hpx0go
J6ubI
JGM^,
pu%M
R>2m)
is./V
xlxw/
N(9N0u
1Y|&`^6
*DL=!/
-._3d
yu|U#
,$UX%
A-6c7
lPk3{
'({DZb
_Ji4D~
+g&?UH
cH9@!
W~yx|
D"`"`J
-k%y"
3mYxBGe
8f^y;"
}UBe.
0hQ.08
240721235959Z0
)kbOy
W'@cX
0Ysw-|
qxA&D
-@Ltu^
6?X 'S
data error
&LAAN
Ed,G/X
|{nr{La
S3pZ9aZ
)>Y;PS
]{[gk
Genuu8
Ltcm}]h
2t;:~_
j| d#@
vjH$.
yt"{rXx
~9NzY
2yb=LD
Vb4v0[
[XRFu
3Jz!-
L,<1
wnO?S
Symantec Trust Network110/
j)e["B
] !EN\m
51=o>g7RxQj=
MtO!:
11GDM
4!Ck\
[>4jY
-p8eg8B
QMZ:P
Bhz_I
zu1o)
/MJ^B
2Terms of use at https://www.verisign.com/rpa (c)101.0,
4<B>H=
4s/*u
eM\^_
U9M)B
.rsrc
J^BrH
&U/TH1
%VeT@
$q>fd
gY"sm
+KDqO
mj>zjZ
W\:}MO
@<p8I!;
eFrGz`0
nS$70
5s!7g
Y'mc?
P)k+k
-Xe_J
50301
Rb||c
CL;:?,a
tRZYh
http://ts-ocsp.ws.symantec.com0;
Ld1/X[)?
TEv+Y
Player Installer/Uninstaller
dt9q9<oDf7
WCS_g
t3M^/j
Y!416U
Vwnr!
OjK}bu
q=(F_
^lS}
N-2M+
x|&^2l
0\TdB
b7iYU
85MxAF
JhgMy
tQkd@
|\'&o-
#O2?1
fga{t
2lRDS
TMV1f
f(A4%
uF2qo
"t.+s
!u|FA
2#w /e
1Pa%[
PuD>t
7m~:`
~\S[-
iocoe
~\Qw]=
:;x?=
;*~KN
j]ZC5
kR[Bxw
4[6Xz
https://d.symcb.com/cps0%
$z@{H
_ntER(jNI
S@;Q s
i_Pu^r
invalid block type
%jw8`@f
,?5^luWrm
mi==m
0_xBxI
Dsi}m
\33i8zN
>du#M
8F=Gm
'4GI(P
%H+K-
(~Xt8
=R\i"
j48k2
EwQt[5
CM-#t
.9`FB
cW\OS
C9?T$*
~_@u[
}j69Z
e 9b&
<|CeSI
;81AP
#{Q=r_l
{E<Q~_
xLd$!xZe
s{6mZe+.
guU)Ni\|
3`S 0
MGml)
76j9B
!=x!l
K:D*#U
%VeriSign Class 3 Code Signing 2010 CA0
^<r-Z
z!w~V
Adobe
i4/ruR
_)9F^Ag
ineIu(
\p?^tS
`[A@Bo
{<v\l{
'L'M(
i8#VG
Ch;C\r
~H~kr
b5t>a
'M7[/
cJLfw.
9JXeb
8}ypE
p|Kd=W~
Q>i_0
gFrkS
;-L#s
o{c=&3
ProductName
137S3O4
$c=|'
0)REn
mk-kko
,&5?b
~%`r}
CVh*3`
yVU.S
_|wRJ
GGQIG5~
|z+VG
9|%ah
Kg||ZJ
%P%</vb
L",>G
6Tvb1q
oLlg{
OB#:0
gKpK5
h#r:P
U\22T<UL
#y?g$
["[?$
FileVersion
:U:`Fp;]}
3/}doz
"NF5g
Z0_%r
3&@{T$i
o_znD9
O%#H(Q
&+;]ah
Oh;BW
_Fmv@
na5K+
S@;Q(s
incorrect length check
NqclX
3O4?c
6Uy@?
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
V6dQV
QOOOtD
xf8nh
]5W4c
I-B(O
u\rll"
)))))))))
gSt}5
\pm2z
<6L+5v
]/pqB1C
iWmw?
LHTQl
bJ*;;
>'^y0SxV}
\}$Cb2L
#VvDt
EzE\3
[0D>|{T
fj26z
~Do7Q
!w88b7
{Z]9@|_
PqIIi4Zb>4
xr01}
_i,*)
QLJ1x
{iTtb
%VeriSign Class 3 Code Signing 2010 CA
>5ae
ExitProcess
HLe~:
InternalName
/vFo@:
%v@bwX
))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
[1"&{
]3ytE
TP'YT&
/p[A:6
invalid code lengths set
8yi"V
msvcrt.dll
GetProcessHeap
/>f:S
RR#;\]9
CreateProcessW
{GTU;
O=kEe
w@b6?
>:*`U
9&9~%
RT!Hr
+g$2&
mDfn#X
GetCurrentProcess
GrkCD
cOc*9fg
~Iiq9
0NHK<
201230235959Z0^1
^Bi5$
FiPL^
209>6
ys!WA
TEj 5
aMqpEc
y(&}E
`zgS|cBS
1`1H3T3u3
y%L!h
:d`0~
`Lj!$
U}6bU
Vp)zE
SHELL32.dll
J}&<kQ
yy~|e
00wi3nZ
80604
?N2KpwO;@
2mF6>Z
)))))))))))
zE9U?
QHKJx
"&I$s
_}pr3m
$wVp;vN
WNPNLNENS.T
PdI/?
(Symantec SHA256 TimeStamping Signer - G20
170102000000Z
Uh_@ `
>C4p{
I?y#a
[+8I+
S$P]~
]BJYl
-FjRkN
<7Dk|
U<@K\
"6xp)"
infpub.dat
xm <T
#3R T
mJzaU2
Translation
O*9y]
e<B-x
WL4'|N
A%T*-
U5)J_
,,,,,,,11111111111
f|Ml9
MB3QZ6
JtNt[T/z%
_$n?C
u-u#u
DM1AR"
,Symantec Class 3 SHA256 Code Signing CA - G20
g"lX-
!,8!>2
_"ebE
72KD&%
gl'Hm
^h$ng
2|(PB
Wzm)I
@Q+QVv
n.kG)A
FM*s~
|U?F9
\RE?^
b2)E6
O,i(B
w)#O.
yIc;o
7LJLSP
G!7I~
wI{*Q
RL[%]A
^xv0<
http://s.symcd.com0
S:sMby
5 f7!
GlKh{m
<"LX4
%UaDn
[^*g7
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,
e2 e*^
ML"]l
\x]&w,B;
F5_1b
:N1rY
-!g%h
zw4xw
/0-0+
B<i'W
8g0<-!
TimeStamp-2048-30
eC0A.}
@FRf'
,Symantec Class 3 SHA256 Code Signing CA - G2
invalid literal/length code
http://rb.symcb.com/rb.crl0W
4{2y[
M0$E1f3j
1BCNI
fc{b^~
&]mvM
\"R_d
FP3&F49
bJi]V
1(c) 2008 VeriSign, Inc. - For authorized use only1806
5qhb~
39;v&:
<requestedPrivileges>
h*"UW
vZCs_
DIx'\
m''.
111111,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
8J)I\
rXt#R
;j2</E
Dl!\}
http://sf.symcd.com0&
'C<[b6
4GM%L
]a1jtC
_0QG4
BZGF5
http://s.symcd.com06
e=.oZ
/1(0&0$0"
=Ri(czO
|p|azh
aeSWl
5 LOF
dA3rVv
`7U{X{*
G(&q}
d@4F=
z.`fM
uM3 R_
f {A${;4
1111111
"HXHHXHIH
&ce/F
k1i@I
GetCommandLineW
&)Ap:
invalid literal/lengths set
a6s-^n
zIR_n3
qg\.#
\cnGnW
D4I5E
@s}1U
h~h\U
HF+/w{O?
jyf(3
v9#z
L*a XG
@=E`z
mxfR<
3}AmoU
Symantec Corporation1402
{IGXw
6:w}a1
zR|kq
56?>?H
V(d(BW
w{/NZ
]3~F&u
I%iWL
Wm'b+
C:\Windows\infpub.dat
393qe
<saP8
Y+C4+
:c>jb
3PN{Y
X1AE~
b2=|l
/Sn4G$eX
[T%-\<
%\4*<b"]q2-
/gOK{g
Player Installer/Uninstaller 27.0
P@\/^
\t_)=
]0F~C\
klcm:
"hFPS
Thawte1
2tM%o
2PqUv*
+U5{x
N~ygP
Ugxs2*j_
wW*OfJ
"yy "@
v,#3{
Symantec SHA256 TimeStamping CA
*\62if
3'\lPFI
O+u|zC
*t}bw
Copyright
^Wk)ux
@*@=#
8\h+?
{)--)
`b`n`i`f
3#3?3
)dpo?^
.http://crl.thawte.com/ThawteTimestampingCA.crl0
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
+Ls;/
T`ga~
{'m5y
\`x*7Qw
111111
l1 x$
;?K}3}B
140722000000Z
inflate 1.2.8 Copyright 1995-2013 Mark Adler
}w_^+
%m/Dt
bVg&[
uD4JZ%
>x&A\
-Qd_E/%S
btR&F
Oee%,
;HIWc
Player
'}ouj
&N9/E
24+kR
N@fW@i
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
?0=+!
U{~NV
yF!<#;
"o~X~
:NZv)hX
V9W6}
0cWMIw
:fru8
,,,,,,,,,,,
unknown header flags set
_<9sf
uF J$
z?[c,&
4f,p9
/!!x|c
@.data
</security>
JNZ-j
47;L}
gw1)V
`"!p-
6~ZDa
%xOMv
^OY:L
XyQ'%eC
1\"s\
z-)y>
Rh@m@
nO7r-
$dq!C[
Thawte Certification1
GetModuleFileNameW
[}g(L
Duo%7L
+V\^KC
yWbzF^Lr
t>Qj'
insufficient memory
Jw>!!U
mkY4IT*
PUF!Q{
.mDk6
IaL`)
_4_FE
SQK N
d?H.ho=
)))))))
Icq5L%
M86ZV
BD*TD
W[,Qk
ovHO^d!9
=Rgm%"x
?Lfur
n!F3}
pT,_j
5hq4I}p
zuYO!
TWj(5
l\*mA
-'J;J/J'
OriginalFilename
lstrcatW
1_v=d
~=~3~
f`k\
Mcz}{
75\#r:
http://ts-ocsp.ws.symantec.com07
9|$(t
_' )d
<l#`@
<Y2O&
kKqzmq
'pCude
;o[hBv
Qgk5\o
invalid distances set
tJWj1
EOKGV
af+Pm2
~94{~
R~Ri<
-BECs
H9B42Kk
8z}#K
CompanyName
K>,=0
JQScV
4X}4wG
*HqDZ}R
stream error
D:<Vane
~1_Pwe
fg+ ?
2N>B3i
.qx&Ou,^:
OSs){
.M|\;
&PUQnpqx
)RkCg3y
uQ+&L
EPQ_##
0G0"Z
\LY20M
171217235959Z0
lOw8Ow+OW
Y:dLM
O<,r_
ojpGU
$ypuwtsl
dsO<x
k7T~^
(]%fC1
California1
;1U{X
d2{FMO
$<%p2
TCNhE
44}Oo>g
6!7/7
\8_]r
V<3,'
5T6Z6
<security>
3yVs-
/VeriSign Universal Root Certification Authority0
M}A1
\f*Y4
N27W|
m[AJdXo
]1(1>
.}xy;]Z
=-5aJl=
'/cxJ
vVq!S
ewh/?y
_j(.B
K"w4}
Eos;Y2
?pY=Yo,#
_[C`K
5P".#
:"-e3uL
)^Vi9
0Xx>efj
!UTC3
&0`T8w
@oC/"
aW^d#
,,,,,,,,,,,,,
veAg*
WDvMF
x*& =
*9^xRQ
24j\v
$0"0
Fpb&-_?W
IAgXM
fQ6p:
161216000000Z
9AZ$Jc
U/9TV
lRaiK
@=K,P
Bk\_Y
xT:pU
H1rf$
[5b1nat1n
111111,
ZFuS,
~!u ;U
zB\m!
WriteFile
cH1F{
http://rb.symcd.com0&
>?~5S;z
!<0@5
t0I7Cc
&;7MyQ
e[Nga
K8F(!
mV/aY
;\LxS
FLM`*
3538.
>?!+r
|>]7_:Lc<
noqrN
jc23={
A["u@
&c@#pl
UM=rV
}7Iz!
tR^0K7
+D$(;
B!YNk
B#Z(:
z;T0S
j(')W
G6+H4
(Symantec SHA256 TimeStamping Signer - G2
QxK%M
/v7)
6Dd11dC
~;~[o
S%W+K
e5[iG@
StringFileInfo
q']N&
-O[Bb
VhJHt>
7DN2E
KcEpq
SNyWi?J
_[`ol9%
]FgX0
http://ocsp.verisign.com0
1A26b
x BpA
siF.G.~
9_uo+
*h)74Zdu
jq9TF
ryE9,x
K)l^t
lEDa$
~M8*[
8,cSL
,,,,,,,,
!]/Bk
6gQ-dS
nj)r\Rx?Jj
XtqW]*
xVwy!
GetSystemDirectoryW
x'-LM
$3*)^
w(<6p3x0
ATbf`
NNU``
MB-"H
)qVt8u
VeriSignMPKI-2-80
hN;OOW
310111235959Z0w1
&Z5=8
r>C9;
aUQl@
wpM7z
)))))
Symantec Corporation1
{q+&$L
m1;B5
y>/{mxT
HVTT`x
T}vw#
.lQmR
8].|2
jRElC
DQz]JwL
k0i0*
incorrect header check
ak2)NGy
eC#{@
l*('_g
/Z{J_>#5
~u)|o
V(@*K?2R
.text
j#a4hjC>;
&EF%Z*
+7'9#
7)H*r}A
2}1?w)
jIgH-
m,(6Jb_3
LpH+x}k
iN;}u
QQ)Vy
mZLvGa`
VeriSign, Inc.1
>Td&/
Uf6fR=
5-WnA
\O#|V
l:`#U
3A>Y!
file error
N`bb\zi
BIVXPh
#rTb:k
[-&LMb#{'
<Fy<F
DQ2(]
(}_=D$
2N=g<7
"^:@R
sEZE#D
Fj|dp
lR,jA
VS_VERSION_INFO
my,3\
M"sU/
)!i?O
s'EtEDW@ts~L
Yv\{F
2gkCX
invalid code -- missing end-of-block
(F@Qj
^\w*J
C3PIN+
(IhE|dZ
'!Qomh
~v5Gz
h{7}.
n5LFl
0lg`X
>F~9%:{
`Pah=
2{o]Q+;
VV9HR
?$2">
PyRwqk
5'+VG
vH"!Y
0A+_!
I% Ni =%
G9^4u
<M3PY`
$;3.=
WX0B6
xkWfT
\s<(O#'L
<sxn%\
V=k/U
>#8&b55
Yzl>s
MiVIrnU\
-K|S:
`gw:tj#
https://d.symcb.com/rpa0@
5&,RL
93"%5
]*5#b7QT$
!H8K&
#FGaD
gRCr6
LAX"U
mlVrp
invalid distance too far back
Fast decoding Code from Chris Anderson
Rgn=,
$e6`2
K:;Y0
8I2j!
]2j"!!1
Jp?Jn
a'[Q6X<!D
:w(^I
mZ@\q
Ss]ni
%L[?}
Mk/B3>
CE>c7
lMmpk
6cax^
v~~tQB
$1HML
q/}Z}6
Xj;ci
Ki]j]H;"u
CIwV*
cPV<!
PR0uLK
B%8JP
j(R<o
T2h",8`I
3yk&v
%http://s.symcb.com/universal-root.crl0
;D<S<
I"H9~
n;Li/F2
Z0+|)
+N"|S!
gP"Z_
AER:L
x"pYUb
Y0oG{
3.X.-
Bo.}%
#*d&2
zd:R|
aaPlWIsV
&N4I)?
`0@8@
&0$0"
rLRNe
m&&6)T
%pc4G
WSS#:655
=ym>q
A_?_D4
0yK%?
x}7S\C
`]ujTU
fzeEL]
HeapAlloc
\qqo~
oG;o9>
];O|~
xKVgc
:p+fW
0&Q8Fd
j(st[
NJ2"v
$mq,e
!F[M|N5f
TQ.\"
pGzse
dZPLx
kU8xs
c/?<lE
<}AzaDN?s
1^$Lb
s9->L
V:D79A
#nhzh
LZbn.
6Sh~j,
; ;$;(;,;0;4;8;<;
frfVugC
#P7X8
LegalCopyright
NUA`-
KGF<Uw
t`9>Y
7Iujr
@UttA
-Bon&
4]'zc
G^[5S
+++++
6Al|{
KR]{n
E6Iz:<
V]?-m
;Q9?N
kQhxa
F|J|O
$x)x#
<x;x'
>'yWV
@oeA<
Kl?RH
LegalTrademarks
%]Vbb
<(u!M)
J_Xy)
0OzZ8h
tjWVj
0|{X,
[ YuJ
qTys>
V@huX
#}XCy
W[Jjn
https://d.symcb.com/rpa0.
wn>Jj
@5E#^
FileDescription
}AWp(
`10r83\
p6ZvvZ
K'0i0
u<^ag
1+vxR
Ydk{g(B7Hj
F]/$A
G7ez6
#uXHh
KRiD9
r,q.9$
rNCz=E_F
Ii2VU1Y
ylx6.
~~(Q$f
Km&:X
FlxGH
x3DN=
+cifu
Adobe Systems Incorporated
fQuiwMs
X63<A
,m,T*J
-- f'
wkPSQR
sjO`V
E=/~gcz
MZqJC
ReadFile
Za6X?
T=*tO:~9
UnhandledExceptionFilter
t'$hY:
1.2.8
Dtomr
https://d.symcb.com/rpa06
,[g[g
CmZNbv<
-nD{!
c4p6Kh
eNR9Y
F?D?F?M/
<requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel>
rSy+vf.+
P+RcU@
KRC(c
0r0^1
22DM8
\rundll32.exe
ZbEDrxl
wcsstr
pEuI?
/http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
6._~6h
W k(;D
@[1Bf
m<{[z?)eI
[RK8q
#bML"
O#r"+)
X4EC^V.
invalid stored block lengths
}c9g"
lT%X70
++++++++++++++++++1111111,,,,,,,,,,,,,,,,,,,,,,,,,,,,
8sq@<
rvHz>7
]B=">
nnMOc
/0nB^
|Br/M
yTCR
<>3o"!
\;TV nvA
-L<vve
Bwwe>
Z]a`G
VeriSign Trust Network1;09
pHp<v
`?sD;"l
1~1H5
NXZt'
IQ0|?
-Z+.v
iwXU8Oo
o+L^k
s ,dkV
O>|"*
}4q i
5|n5E
@f[m;
" ?r?h
y3Q`9M
SY:$zHE/q
3JJ`6
</trustInfo>
<A-Mg
W^~wyx-
Pykpw
P&=D\~
Flash
g10gB
rz~CL
Mountain View1
invalid distance code
TimeStamp-2048-50
LL+!_
Western Cape1
*U`QkZ=
U9RKZY
Z2Hck
'Symantec Time Stamping Services CA - G20
la/LL
&qx%|
by~@n_
l1fj(
201229235959Z0b1
j)6G\
[><5'
?0(%%)M
-RhM%`
[jeNK
#*|DY
yE7P4z
7NuE_Mx
C?VQ!
'jC9p,
%MR6o
]m!/Dm:
%j^~[
Y&CY]a
A-:?F8
;,WE\I
00$,%
&7p}b
@.reloc
111111111,,,,,,
} |U%
".oRuQ6"
$w5jU?
http://sf.symcb.com/sf.crt0
V+s[X
,P]?p
(-#?[p(z
QR{]wr5
>DDMw
/ r;z
H+|sa
U(zaOq
w+OQvr
oK i]
HC;6R
`qgy^
,{l`KtC
TSc_m?F
`=@<V*
8Uu3;
6QzGM
wx<$@^
n6uvv
KypW:
h.`U7
%2akZ
,,,,,,,,,
.K/&>
Lby=`M
l[4V{q>
+{ *p
H~`De
dD]vjg
jVfc8\@OeU
160112000000Z
O-'^Cm1K
F'G|:ef
y5v)X
incompatible version
z8,Kd
2`B"n
)@lXu
.PP5ti'
j&mw9
ZFG(N
)'PS\
md,1{2r
|FL+7Hl
Fp@;)_X){
vQO+t
stream end
qhr_KH
TimeStamp-2048-10
ZaY9\)
[0Y0W0U
Xt3H8
W)\Mh
hr.0r!#
B!OP_
'pcrB
a ~6D
#http://crl.verisign.com/pca3-g5.crl04
' Swj>
4WggK,
sAvH!\NG
LkG&c/WG
xzcJPU
'=seM
c#o3&Q
CommandLineToArgvW
eg[{gk
u0tE'z
ybo8Pz#
3nyFy
27,0,0,170
u0`|0
HF,/^
RX&#q
5n|DB
%#QzV
R) U<
M_ P'
]qW9Z9
vK]CSK[GWO
b_C,Y
v'4|*bJ
OtBy&W+
XqX,y
F* ($,"*&.!)'
_.Rlb
FSqF"
D44PT
=0>#$
n5\}D
OA;o2
https://d.symcb.com/rpa0
http://rb.symcb.com/rb.crt0
lw+NK%
Z,8,Z
;3|[[C
{oMsd/
9a919I9
kgXM{
j|i6/{:
x9'z[>
dE$zc
+R@@G,
memcpy
LT.^E
Vx:f1f
EIa'6
J0R%T
^@C*,
Archive: overlay
File Information
File Name
1a7d43d26b387d2689407d643a2127dfe11ef1118204243c11498d4f2890404d
File Type data
Associated Filenames
overlay
File Size 385067 bytes
MD5 829c177d1421b4ba42e8e205abd93f10
SHA1 b78aa273eb1cab4254dfe7dc1fe432bb3049dc0d
SHA256 1a7d43d26b387d2689407d643a2127dfe11ef1118204243c11498d4f2890404d
SHA3-384 4e440eb58014c6bc43854fd49cd31c23c0f3308a8b1881d4a937059d94e04fa3c10caa147bc3f21066b65353a17a5606
CRC32 94277587
TLSH T12784234B7B2AB835244BD5495660DEA04FB9F381AAF43EDF70F8A0D30BD83853726519
Ssdeep 6144:29IluMpvLbqWRCrHZKfE4gbPBDJyZ0pr82ee58kMGJzc3lB6qPdmCtmWWvJN:26pLbqWRKHZKfErrZJyZ0yqsGO3XR63
PE Information
Image Base
0x00400000
Entry Point
0x000012c0
Min OS
5.1
Compile Time
2017-10-22 02:33:58
Import Hash
e3bda9df66f1f9b2b9b7b068518f2af1
Icon Hash
4e7a653ba0759c65ebb0dea0846c6d7f

CompanyName Adobe Systems Incorporated
FileDescription Adobe® Flash® Player Installer/Uninstaller 27.0 r0
FileVersion 27,0,0,170
InternalName Adobe® Flash® Player Installer/Uninstaller 27.0
LegalCopyright Copyright © 1996-2017 Adobe Systems Incorporated
LegalTrademarks Adobe® Flash® Player
OriginalFilename FlashUtil.exe
ProductName Adobe® Flash® Player Installer/Uninstaller
ProductVersion 27,0,0,170
Translation 0x0409 0x04b0

Name RAW Addr Virt Addr Virt Size Raw Size Characteristics Entropy
.text 0x00000400 0x00001000 0x00002ed3 0x00003000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.58
.rdata 0x00003400 0x00004000 0x0000302a 0x00003200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.18
.data 0x00006600 0x00008000 0x0000033c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.18
.rsrc 0x00006800 0x00009000 0x00007088 0x00007200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.20
.reloc 0x0000da00 0x00011000 0x0000024e 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.29

Name Offset Size Language Entropy Type
RT_ICON 0x00009254 0x00000ea8 LANG_ENGLISH 3.48 None
RT_ICON 0x0000a0fc 0x000008a8 LANG_ENGLISH 3.09 None
RT_ICON 0x0000a9a4 0x00000568 LANG_ENGLISH 2.15 None
RT_ICON 0x0000af0c 0x000010a8 LANG_ENGLISH 3.58 None
RT_ICON 0x0000bfb4 0x000025a8 LANG_ENGLISH 3.44 None
RT_ICON 0x0000e55c 0x000010a8 LANG_ENGLISH 3.58 None
RT_ICON 0x0000f604 0x00000468 LANG_ENGLISH 4.02 None
RT_GROUP_ICON 0x0000fa6c 0x00000068 LANG_ENGLISH 2.72 None
RT_VERSION 0x0000fad4 0x00000450 LANG_ENGLISH 3.43 None
RT_MANIFEST 0x0000ff24 0x00000161 LANG_ENGLISH 4.80 None

Address Name
0x404000 ExitProcess
0x404004 GetCommandLineW
0x404008 GetFileSize
0x40400c CreateProcessW
0x404010 HeapAlloc
0x404014 HeapFree
0x404018 GetModuleHandleW
0x40401c GetProcessHeap
0x404020 WriteFile
0x404024 GetSystemDirectoryW
0x404028 ReadFile
0x40402c GetModuleFileNameW
0x404030 CreateFileW
0x404034 lstrcatW
0x404038 CloseHandle
0x40403c UnhandledExceptionFilter
0x404040 GetCurrentProcess
0x404044 TerminateProcess
0x404048 SetUnhandledExceptionFilter

Address Name
0x404058 wsprintfW

Address Name
0x404050 CommandLineToArgvW

Address Name
0x404060 wcsstr
0x404064 memcpy
0x404068 free
0x40406c malloc
Processing 1.43s
  • 1.407s CAPE
  • 0.009s AnalysisInfo
  • 0.009s NetworkAnalysis
  • 0.001s BehaviorAnalysis
  • 0.001s Debug
Signatures 0.03s
  • 0.007s ransomware_extensions_known
  • 0.005s ransomware_files
  • 0.002s antiav_detectreg
  • 0.001s antianalysis_detectfile
  • 0.001s antianalysis_detectreg
  • 0.001s antiav_detectfile
  • 0.001s antivm_vbox_files
  • 0.001s browser_security
  • 0.001s disables_backups
  • 0.001s disables_browser_warn
  • 0.001s infostealer_bitcoin
  • 0.001s infostealer_ftp
  • 0.001s infostealer_im
  • 0.001s infostealer_mail
  • 0.001s masquerade_process_name
  • 0.001s territorial_disputes_sigs
Reporting 0.00s
  • 0.002s JsonDump
Signatures
section: {'name': '.rdata', 'raw_address': '0x00003400', 'virtual_address': '0x00004000', 'virtual_size': '0x0000302a', 'size_of_data': '0x00003200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.18'}
overlay: Contains overlay at offset 0x0000de00 with size: 385067 bytes
Hosts
Direct IP Country Name ASN
Y 66.102.1.138 unknown -
Y 74.125.206.138 unknown -
Y 74.125.133.95 unknown -
Y 142.251.150.119 unknown -
Y 142.251.168.139 unknown -
Y 142.251.168.100 unknown -
Y 74.125.206.101 unknown -
Y 74.125.71.94 unknown -
Y 142.251.16.94 unknown -

No behavioral analysis data available.

Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.

No dropped files found.

Sorry! No process dumps.