Static | ZeroBOX

PE Compile Time

2021-10-07 17:23:59

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00002000 0x0003c984 0x0003ca00 6.65745242657
.rsrc 0x00040000 0x000004e0 0x00000600 3.72942803267

Resources

Name Offset Size Language Sub-language File type
RT_VERSION 0x000400a0 0x0000024c LANG_NEUTRAL SUBLANG_NEUTRAL data
RT_MANIFEST 0x000402f0 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

!This program cannot be run in DOS mode.
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
!This program cannot be run in DOS mode.
P`.data
.eh_fram
0@.bss
.edata
0@.idata
.reloc
T4 C2W
l$,;T$(
D$(;D$|}9
D$,tt1
D$2b/B
D$@b/B
#D$ ;D$
D$(;\$(
D$"x64
D$(t61
D$,t41
9L$Dr@
9D$H~M;|$P}G
L$8<Uu
D$0;D$Pr
D$0;D$Pr
T$4;t$,
L$,9L$ }
|$09|$$
;t$ }3A
D$(9D$`
D$`9D$(s6
D$FBMf
t/;L$
;|$4}6
T$8T$
T$(9T$,
C0;C4s
C0;C4s
C0;C4s
C0;C4s
{0;{4s
K0;K4s
K0;K4s
C0;C4s
K0;K4s
K0;K4s
K0;K4s
S0;S4s
S0;S4s
+C@;C$
S0;S4s
S0;S4s
+S@;S$
C0;C4s
C0;C4s
S0;S4s
S0;S4s
C0;C4s
{0;{4s
C0;C4s
C0;C4s
{0;{4s
S89D$
T$,;T$4
D).9D$ s_
D$,3L$03D$4
9L$@v.
\$09\$(
9L$Pv,
9L$Hv.
\$09\$(
t$L9t$$
td+D$(9
D$<fHy
C(;D$\
L$ 9L$$tl
|$4+|$
9|$@tb
|$4+|$
t$Rf;7
D$,9D$$
D$(9D$ v
u59D$0u/
|$T9D$(v"
T$ +T$
\$(9\$
D$<9D$$
|$4)t$
D$89D$
D$$;D$<
D$89D$ v
T$L)D$
D$h)D$(
t59[Duy
S<9D$h
#D$p#T$t
V<9D$`
L$4)T$
U<9D$<
tD;t$8s
V<9D$8
%s\%s.%s
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
8ccccc/Bcccccccccccccccccccccccccccccccccccccc
%8DmgM
#7@Qhq\1@NWgyxeH\_bpdgc%.2d/%.2d/%d %.2d:%.2d:%.2d
_BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C%.4d-%.2d-%.2d %.2d:%.2d:%.2d
socks=
#j/ev
http://%s%s
%.2d/%.2d/%d %.2d:%.2d:%.2d
%c%.8x%s
%s @ %s
%6\%6.dfd
iphlpapi.dll
psapi.dll
kernel32.dll
Ed5jf5dRSdSqYsqCVid
Ed5jf5dRSdSuSsqCVid
Ed590WYd66XlCnd_4idLCldD
PiW6dS
m465dR4Rn...
MvL MdR5
MvL rdYd42dS
j65CVi46IdS
_4R UC45 (G)
_4R UC45 (h)
PiW6d UC45
PiW64Rn...
mC65 DPH
q4ld UC45
adid5d qPc
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
?456789:;<=
 !"#$%&'()*+,-./0123
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
!&.37<
"%/28;=#$019:>?
PTLLjPq %6:%S -qq9/G.y
R-W65: %6:%S
200 OK
mWYCi a46w
%s (%s)
filenames.txt
%s\*.*
U4R-55sTsdR
winhttp.dll
U4R-55sEd590WfZ_W0u0i
U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0
MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\
MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56
NetWire
SOFTWARE\
HostId
SOFTWARE\NetWire
%Rand%
Install Date
-m "%s"
MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56\%6
M5QV9C5I
GET %s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Connection: close
200 OK
%s%.2d-%.2d-%.4d
[%.2d/%.2d/%d %.2d:%.2d:%.2d]
[cCYw6sCYd]
[jR5d0]
[D00Wg md85]
[D00Wg us]
[D00Wg r4nI5]
[D00Wg aWgR]
[-Wld]
[9Cnd us]
[9Cnd aWgR]
[c0dCw]
[adid5d]
[XR6d05]
[904R5 MY0ddR]
[MY0Wii mWYw]
[PCs6 mWYw]
[Ctrl+%s]
[P50i+%Y]
rdn465d0rCgXRsQ5ad24Yd6
user32.dll
Ed5rCgXRsQ5aC5C
%.2d-%.2d-%.4d
MdYQ0Nh.Sii
m6CEd5mWnWRMd664WRaC5C
m6C_0ddrd5Q0RcQ88d0
m6CjRQld0C5dmWnWRMd664WR6
Default=
MT_qUDrj\FWk4iiC\%6\
PQ00dR5zd064WR
MT_qUDrj\FWk4iiC\%6\%6\FC4R
XR65Cii a40dY5W0Z
lWkQ54i6.Sii
lWkniQd.Sii
lWk67i45dN.Sii
Mozilla Firefox
APPDATA
%6\FWk4iiC\_40d8Wf\s0W84id6.4R4
%6\FWk4iiC\_40d8Wf\%6
Mozilla Thunderbird
%6\qIQRSd0V40S\s0W84id6.4R4
%6\qIQRSd0V40S\%6
SeaMonkey
%6\FWk4iiC\MdCFWRwdZ\s0W84id6.4R4
%6\FWk4iiC\MdCFWRwdZ\%6
%6\64nRWR6.67i45d
%6\iWn4R6.e6WR
NSS_Init
9HGGpEd5XR5d0RCiHdZMiW5
9HGGpDQ5IdR54YC5d
9mpcC6doOadYWSd
MjPXqjFpx80ddX5dl
9HGGMarpadY0Zs5
9HGGp_0ddMiW5
LMMpMIQ5SWgR
67i45dNpWsdR
67i45dNpYiW6d
67i45dNps0dsC0dp2h
67i45dNp65ds
67i45dNpYWiQlRp5df5
6didY5 * 80Wl lWkpiWn4R6
hostname
encryptedUsername
encryptedPassword
IW65RCld
%6\Tsd0C\Tsd0C\gCRS.SC5
%6\Tsd0C\Tsd0C\s0W84id\gCRS.SC5
%6\.sQ0sid\CYYWQR56.fli
<s0W5WYWi>
<RCld>
<sC66gW0S>
9T9N u6d0
9T9N Md02d0
9T9N 9C66gW0S
XFD9 u6d0
XFD9 Md02d0
XFD9 9C66gW0S
-qq9 u6d0
-qq9 Md02d0
-qq9 9C66gW0S
MFq9 u6d0
MFq9 Md02d0
MFq9 9C66gW0S
jDM u6d0
jDM Md02d0 urm
jDM 9C66gW0S
%c%c%S
%c%c%s
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Y0Zs5Nh.Sii
P0Zs5uRs0W5dY5aC5C
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
%s\*.*
4RSdf.SC5
2CQi5Yi4.Sii
zCQi5TsdRzCQi5
zCQi5PiW6dzCQi5
zCQi5jRQld0C5dX5dl6
zCQi5Ed5X5dl
zCQi5_0dd
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
0x%02hhX
encrypted_key
LOCALAPPDATA
%6\EWWnid\PI0Wld\u6d0 aC5C\ad8CQi5\mWn4R aC5C
%s\Google\Chrome\User Data\Default\Login Data
%s\Google\Chrome\User Data\Local State
%6\PI0Wl4Ql\u6d0 aC5C\ad8CQi5\mWn4R aC5C
%s\Chromium\User Data\Default\Login Data
%s\Chromium\User Data\Local State
%6\PWlWSW\a0CnWR\u6d0 aC5C\ad8CQi5\mWn4R aC5C
%s\Comodo\Dragon\User Data\Default\Login Data
%s\Comodo\Dragon\User Data\Local State
%6\vCRSdf\vCRSdfc0Wg6d0\u6d0 aC5C\ad8CQi5\mWn4R aC5C
%s\Yandex\YandexBrowser\User Data\Default\Login Data
%s\Yandex\YandexBrowser\User Data\Local State
%s\BraveSoftware\Brave-Browser\User Data\Default\Login Data
%s\BraveSoftware\Brave-Browser\User Data\Local State
%s\360Chrome\Chrome\User Data\Default\Login Data
Chrome\Chrome\User Data\Default\Login Data
%s\360Chrome\Chrome\User Data\Local State
%6\Tsd0C MW85gC0d\Tsd0C M5CVid\mWn4R aC5C
l62Y0Gyy.Sii
l62YsGyy.Sii
l62Y0Ghy.Sii
l62YsGhy.Sii
Cs43l63g4R3YW0d354ldkWRd3iG3G3y.Sii
Cs43l63g4R3YW0d384id3iG3G3y.Sii
Cs43l63g4R3YW0d384id3ih3G3y.Sii
Cs43l63g4R3YW0d3iWYCi4kC54WR3iG3h3y.Sii
Cs43l63g4R3YW0d36ZRYI3iG3h3y.Sii
Cs43l63g4R3YW0d3s0WYd665I0dCS63iG3G3G.Sii
Cs43l63g4R3YW0d384id3iG3h3y.Sii
Cs43l63g4R3Y0530QR54ld3iG3G3y.Sii
Cs43l63g4R3Y0536504Rn3iG3G3y.Sii
Cs43l63g4R3Y053IdCs3iG3G3y.Sii
Cs43l63g4R3Y05365S4W3iG3G3y.Sii
Cs43l63g4R3Y053YWR2d053iG3G3y.Sii
Cs43l63g4R3Y053iWYCid3iG3G3y.Sii
Cs43l63g4R3Y053lC5I3iG3G3y.Sii
Cs43l63g4R3Y053lQi54VZ5d3iG3G3y.Sii
Cs43l63g4R3Y05354ld3iG3G3y.Sii
Cs43l63g4R3Y05384id6Z65dl3iG3G3y.Sii
Cs43l63g4R3Y053dR240WRldR53iG3G3y.Sii
Cs43l63g4R3Y053Q54i45Z3iG3G3y.Sii
Cs43l63g4R3YW0d36504Rn3iG3G3y.Sii
Cs43l63g4R3YW0d3RCldSs4sd3iG3G3y.Sii
Cs43l63g4R3YW0d3ICRSid3iG3G3y.Sii
Cs43l63g4R3YW0d3IdCs3iG3G3y.Sii
Cs43l63g4R3YW0d3i4V0C0ZiWCSd03iG3G3y.Sii
Cs43l63g4R3YW0d36ZRYI3iG3G3y.Sii
Cs43l63g4R3YW0d3s0WYd665I0dCS63iG3G3y.Sii
Cs43l63g4R3YW0d3s0WYd66dR240WRldR53iG3G3y.Sii
Cs43l63g4R3YW0d3SC5d54ld3iG3G3y.Sii
Cs43l63g4R3YW0d36Z64R8W3iG3G3y.Sii
Cs43l63g4R3YW0d3YWR6Wid3iG3G3y.Sii
Cs43l63g4R3YW0d3SdVQn3iG3G3y.Sii
Cs43l63g4R3YW0d3s0W84id3iG3G3y.Sii
Cs43l63g4R3YW0d3ldlW0Z3iG3G3y.Sii
Cs43l63g4R3YW0d3Q54i3iG3G3y.Sii
Cs43l63g4R3YW0d305i6QssW053iG3G3y.Sii
Cs43l63g4R3YW0d34R5d0iWYwdS3iG3G3y.Sii
QY05VC6d.Sii
2Y0QR54ldGOy.Sii
l62YsGOy.Sii
lWkY05Gt.Sii
67i45dN.Sii
R6s0O.Sii
siYO.Sii
siS6O.Sii
R66Q54iN.Sii
R66N.Sii
6W85WwRN.Sii
R66SVlN.Sii
Ed5FWSQid_4idLCldjfD
psapi.dll
kernel32.dll
%.2d/%.2d/%d %.2d:%.2d:%.2d
0x%.8X (%d)
0x%.16llX (%I64d)
%c%.8x%s
%c%.8x%s%s
%c%.8x%s\%s
%c%.8x%s\%s
ComSpec
WINDIR
%6\6Z65dlNh\YlS.dfd
localhost
Unknown
Ed5LC542dMZ65dlXR8W
wd0RdiNh.Sii
EiWVCiFdlW0ZM5C5Q6jf
kernel32.dll
-DraUDrj\ajMPrX9qXTL\MZ65dl\PdR50Ci90WYd66W0\y
ProcessorNameString
DiiWYC5dDRSXR454Ci4kdM4S
advapi32.dll
PIdYwqWwdRFdlVd06I4s
_0ddM4S
WINDIR
%d:%s%s;
%d:%I64u:%s%s;
%c%llu
bits <= ((1U << len) - 1U)
code < TDEFL_MAX_HUFF_SYMBOLS_2
d->m_huff_code_sizes[0][s_tdefl_len_sym[match_len]]
d->m_huff_code_sizes[0][lit]
!d->m_output_flush_remaining
d->m_pOutput_buf < d->m_pOutput_buf_end
pArray->m_element_size
9.1.15
(cur_match_len >= TDEFL_MIN_MATCH_LEN) && (cur_match_dist >= 1) && (cur_match_dist <= TDEFL_LZ_DICT_SIZE)
lookahead_size >= cur_match_len
max_match_len <= TDEFL_MAX_MATCH_LEN
(match_len >= TDEFL_MIN_MATCH_LEN) && (match_dist >= 1) && (match_dist <= TDEFL_LZ_DICT_SIZE)
d->m_lookahead_size >= len_to_move
d->m_pPut_buf_func
(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0
(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0
stream end
need dictionary
file error
stream error
data error
out of memory
buf error
version error
parameter error
../nettle-3.5.1/aes-encrypt.c
!(length % AES_BLOCK_SIZE)
L&&jl66Z~??A
Oh44\Q
sb11S*
uB!!c
D""fT**~;
;d22Vt::N
J%%o\..r8
gg}V++
jL&&Zl66A~??
Sb11?*
tX,,.4
RRMv;;a
MMUf33
PPDx<<
cB!!0
~~Gz==
fD""~T**
Vd22Nt::
xxoJ%%r\..$8
tt!>
ppB|>>
aa_j55
UUxP((z
&jL&6Zl6?A~?
~=Gz=d
"fD"*~T*
2Vd2:Nt:
x%oJ%.r\.
t!>K
a5_j5W
=&&jL66Zl??A~
g99KrJJ
==Gzdd
""fD**~T
22Vd::Nt
$$lH\\
77Ynmm
%%oJ..r\
!>KK
55_jWW
:,../nettle-3.5.1/gcm.c
ctx->auth_size % GCM_BLOCK_SIZE == 0
ctx->data_size == 0
ctx->data_size % GCM_BLOCK_SIZE == 0
length <= GCM_BLOCK_SIZE
../nettle-3.5.1/memxor.c
n == 1
../nettle-3.5.1/memxor3.c
n == 1
../nettle-3.5.1/aes-set-key-internal.c
nk != 0
../nettle-3.5.1/ctr16.c
length < 16
length - i < CTR_BUFFER_LIMIT
GCC: (Rev3, Built by MSYS2 project) 9.1.0
GCC: (Rev3, Built by MSYS2 project) 9.1.0
GCC: (Rev3, Built by MSYS2 project) 9.1.0
GCC: (Rev3, Built by MSYS2 project) 9.1.0
GCC: (Rev3, Built by MSYS2 project) 9.1.0
GCC: (Rev3, Built by MSYS2 project) 9.1.0
GCC: (Rev3, Built by MSYS2 project) 9.1.0
GCC: (Rev3, Built by MSYS2 project) 9.1.0
GCC: (Rev3, Built by MSYS2 project) 9.1.0
Host.exe
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
GetUserNameW
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
CryptUnprotectData
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDIBits
SelectObject
CloseHandle
CreateDirectoryW
CreateFileW
CreateMutexA
CreatePipe
CreateProcessA
CreateToolhelp32Snapshot
DeleteFileW
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FreeLibrary
GetCommandLineA
GetComputerNameW
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesExW
GetFileAttributesW
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameW
GetProcAddress
GetProcessTimes
GetStartupInfoA
GetSystemInfo
GetSystemTime
GetTickCount
GetVersionExA
GetVolumeInformationA
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
LocalFree
MoveFileW
MultiByteToWideChar
OpenProcess
PeekNamedPipe
Process32First
Process32Next
ReadFile
ReleaseMutex
ResumeThread
SetErrorMode
SetFileAttributesW
SetFilePointer
TerminateProcess
WideCharToMultiByte
WriteFile
_assert
_beginthreadex
_errno
_filelengthi64
_mkdir
_snwprintf
_vscprintf
_vsnprintf
_wfopen
calloc
fclose
fflush
fgetpos
freopen
fsetpos
fwprintf
fwrite
getenv
localtime
malloc
memcmp
mktime
realloc
remove
sprintf
strcat
strchr
strcmp
strcpy
strncpy
wcscat
NetApiBufferFree
NetWkstaGetInfo
SHFileOperationW
ShellExecuteA
ShellExecuteW
CreateWindowExW
DefWindowProcW
DispatchMessageA
EnumWindows
GetDesktopWindow
GetForegroundWindow
GetKeyNameTextW
GetKeyState
GetKeyboardState
GetLastInputInfo
GetMessageW
GetSystemMetrics
GetWindowTextW
IsWindowVisible
MapVirtualKeyW
PostQuitMessage
RegisterClassExW
ReleaseDC
SendMessageA
SendMessageW
SetCursorPos
SetWindowTextW
ShowWindow
ToUnicode
TranslateMessage
keybd_event
mouse_event
WSACleanup
WSAGetLastError
WSAIoctl
WSAStartup
__WSAFDIsSet
closesocket
connect
gethostbyname
inet_ntoa
ioctlsocket
select
setsockopt
shutdown
socket
ADVAPI32.DLL
CRYPT32.DLL
GDI32.dll
KERNEL32.dll
msvcrt.dll
NETAPI32.DLL
SHELL32.DLL
USER32.dll
WS2_32.dll
0 0+010;0E0
2%313|3
4[4S5.6
5P6\6l6|6
?(?0?7?>?P?[?b?i?
1%1;1E1[1b1v1
2+252K2R2d2n2}2
3#353u3
424m4w4
646;6V6`6p6w6
7%7?7I7P7[7k7y7
8,8D8R8n8
0)0M0f0
2&2-282A2H2U2\2i2r2y2
444A4M4d4q4~4
9W9^9e9q9x9
:7:J:P:f:r:w:}:
; ;\;d;~;
;><K<R<W<c<j<q<%=4=C=
> >1>@>O>^>m>|>
?4?9?Y?f?
1-151=1D1d1
;';@;H;M;Z;
><>C>_>y>
9c:G;b;
3&6.7g7
3*464U4a4
6*616?6
72888N8U8f8
9959<9
:::G:l:
;1;L;d;|;
<$<<<T<
=(=X=^=i=
=3>9>Y>l>
?6?>?c?
102=2c2
7@7[7c7r7w7
<V=c=r=
=2>j>}>
3#3Z3b3q3
4L4S4h4}4
5,5F5f5
7#787[7n7
78R8m8
8/8C8m;J<
+0?0S0&222
8#?/?O?[?
2 212N2[2k2|2
2`243@3
5%6?6M6g6u6
9 :A:W:|:
112[2$4
878>8|8
.858a8
9"9t={=
4&4.464>4F4N4V4^4f4n4v4~4
5&5.565>5F5N5V5^5f5n5v5~5
6&6.666>6F6N6V6^6f6n6v6~6
7&7.767>7F7N7V7^7f7n7v7~7
8&8.868>8F8N8V8^8f8n8v8~8
9&9.969>9F9N9V9^9f9n9v9
;N;U;[;
;.<5<;<
2!2'2?2F2L2
2:3g3n3t3
4L5S5Y5
6E8L8R8
/2K2U2g2q2
3!5(5.5F5M5S5
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;
d=h=l=p=t=x=|=
4L4P4T4X4\4`4T7X7\7`7d7h7l7p7t7x7|7
8 8$8(8D=L=T=\=d=l=t=|=
!This program cannot be run in DOS mode.
`.rsrc
:&K,iN
H M|cJ
r)v#$s
zfVua9
jP(<P(
>`fkI!
EoR(1/g
I]@J4]
k/u/)6Q
xQF'h#
8i].uC
(Jb8J!!
{-ElR=
&*NEvp
bU FkFGg
t([y(@
ppR/'O
NU~K.p
}Tf""dZNo<
i"U^Ht
;DAY{A
pRR!eW
j\mn:4
EK~Y2\
!(kTe;d
U)7VsJ
'(wukBq3
ne[HT7
l<0cj`kwh
D5wQ8u
i7}Xs{
v7KmnU
`Bu2[[,t
r8{o1V6F$yz
SI4*>t
CVb8Ak
Tj-eei
G7CGm@,
?i6VA*
sORN1
Wx6EEc
=tnr_B
$ffH|TPw
(`$>i|>
;(s@Ua
MjZ aK
O[PGZ
v4.0.30319
#Strings
#Strings
#Schema
Class1
kernel32
RunPENyan32
ToUInt32
ReadInt32
WriteInt32
ToInt32
_CONTEXT_AMD64
_IMAGE_OPTIONAL_HEADER64
_IMAGE_NT_HEADERS64
ReadInt64
WriteInt64
ToInt64
Tiny64
ReadInt16
ToInt16
get_UTF8
<Module>
LoadLibraryA
GetHINSTANCE
System.IO
_IMAGE_FILE_HEADER
_IMAGE_OPTIONAL_HEADER
_IMAGE_SECTION_HEADER
_IMAGE_DOS_HEADER
_IMAGE_NT_HEADERS
_CONTEXT
SizeOfRawData
PointerToRawData
mscorlib
e_magic
GetProcessById
bytesRead
hThread
get_CurrentThread
NtGetContextThread
NtSetContextThread
thread
payload
get_IsAttached
set_IsBackground
GetMethod
CreateInstance
SizeOfImage
EndInvoke
BeginInvoke
RuntimeFieldHandle
RuntimeTypeHandle
GetTypeFromHandle
handle
get_Module
get_Name
get_FullyQualifiedName
get_FullName
applicationName
GetDirectoryName
commandLine
tiny_runpe
ValueType
GetElementType
Signature
MethodBase
ImageBase
NtClose
MulticastDelegate
SetApartmentState
GuidAttribute
UnverifiableCodeAttribute
DebuggableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
SuppressIldasmAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
Execute
ReadByte
get_IsAlive
add_AssemblyResolve
get_Size
bufferSize
SizeOf
System.Threading
Encoding
IsLogging
System.Runtime.Versioning
GetString
get_Length
length
AsyncCallback
callback
AllocHGlobal
FreeHGlobal
Marshal
System.ComponentModel
advapi32.dll
kernel32.dll
tiny_runpe.dll
ntdll.dll
MemoryStream
System
bytesWritten
AppDomain
get_CurrentDomain
get_Location
processInformation
ZwUnmapViewOfSection
System.Reflection
Win32Exception
Intern
MethodInfo
startupInfo
ParameterInfo
ProcessInfo
FileHeader
OptionalHeader
payloadBuffer
buffer
Debugger
ResolveEventHandler
CreateProcessAsUser
GetDelegateForFunctionPointer
BitConverter
.cctor
IntPtr
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
DebuggingModes
inheritHandles
threadAttributes
processAttributes
GetBytes
creationFlags
ContextFlags
ResolveEventArgs
Equals
NumberOfSections
get_Chars
SizeOfHeaders
RuntimeHelpers
GetParameters
parameters
NtResumeProcess
hProcess
process
GetProcAddress
baseAddress
VirtualAddress
address
Concat
Object
object
VirtualProtect
protect
Is64Bit
op_Explicit
IAsyncResult
result
Environment
environment
get_EntryPoint
AddressOfEntryPoint
ParameterizedThreadStart
Convert
FailFast
System.Text
context
e_lfanew
VirtualAllocEx
InitializeArray
GetCallingAssembly
GetExecutingAssembly
GetEntryAssembly
BlockCopy
ZwWriteVirtualMemory
GetCurrentDirectory
currentDirectory
op_Equality
System.Security
IsNullOrEmpty
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
SkipVerification
WrapNonExceptionThrows
tiny_runpe
Copyright
2021
$34837aa7-adb5-418c-9936-9508f10a4178
1.0.0.0
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4
v4.0.30319
#Strings
<Module>
mscorlib
Microsoft.VisualBasic
MyApplication
MyComputer
MyProject
MyWebServices
ThreadSafeObjectProvider`1
MiniProcess
ProcessEvents
CustomDelegate
Microsoft.VisualBasic.ApplicationServices
ApplicationBase
Microsoft.VisualBasic.Devices
Computer
System
Object
.cctor
get_Computer
m_ComputerObjectProvider
get_Application
m_AppObjectProvider
get_User
m_UserObjectProvider
get_WebServices
m_MyWebServicesObjectProvider
Application
WebServices
Equals
GetHashCode
GetType
ToString
Create__Instance__
instance
Dispose__Instance__
get_GetInstance
m_ThreadStaticValue
GetInstance
DebugMode
ResourceBaseName
EnableInstallation
EnableStartup
EnablePersistence
_FileAttributes
_FolderAttributes
InstallationFolder
InstallationFileName
InstallationSubFolder
InstallationDestination
InstallationDestinationProtection
MessageEnabled
MessageRunOnce
MessageText
MessageCaption
System.Windows.Forms
MessageBoxButtons
MessageButtons
MessageBoxIcon
MessageIcon
Runpename
RandomInt
PersistencePrep
System.Collections.Generic
List`1
protectList
Persistence
ResponsiveSleep
execute
resourceName
runOnce
fileUseRunPE
localInject
debugName
ShowMessageBox
Install
HasBeenInstalled
IsDebugEnabled
RunDotNet
HashString
HashFile
ExecutablePath
add_ProcessCreationEvent
ProcessCreationEventEvent
remove_ProcessCreationEvent
add_ProcessDeletionEvent
ProcessDeletionEventEvent
remove_ProcessDeletionEvent
_QueryStatement
__InstanceCreationEvent
__InstanceDeletionEvent
__InstanceModificationEvent
__InstanceOperationEvent
System.Management
ManagementEventWatcher
_Watcher
EventArrivedEventArgs
ProcessCreationWatcher_Arrived
sender
OnProcessDeletion
ActiveProcessCount
fullPath
ProcessCreationEvent
ProcessDeletionEvent
value__
SHA256
SHA384
SHA512
MulticastDelegate
TargetObject
TargetMethod
IAsyncResult
AsyncCallback
BeginInvoke
process
DelegateCallback
DelegateAsyncState
EndInvoke
DelegateAsyncResult
Invoke
System.ComponentModel
EditorBrowsableAttribute
EditorBrowsableState
System.CodeDom.Compiler
GeneratedCodeAttribute
System.Diagnostics
DebuggerHiddenAttribute
Microsoft.VisualBasic.CompilerServices
StandardModuleAttribute
HideModuleNameAttribute
System.ComponentModel.Design
HelpKeywordAttribute
System.Runtime.CompilerServices
RuntimeHelpers
GetObjectValue
RuntimeTypeHandle
GetTypeFromHandle
Activator
CreateInstance
MyGroupCollectionAttribute
System.Runtime.InteropServices
ComVisibleAttribute
ThreadStaticAttribute
CompilerGeneratedAttribute
Environment
SpecialFolder
GetFolderPath
System.IO
Combine
Random
Exception
DateTime
TimeSpan
get_UtcNow
op_Subtraction
get_TotalSeconds
get_ExecutablePath
Operators
CompareString
ProjectData
SetProjectError
ClearProjectError
FileAttributes
SetAttributes
Process
ProcessStartInfo
ProcessWindowStyle
NewLateBinding
LateSet
LateCall
get_Message
String
Concat
Enumerator
ConditionalCompareObjectGreater
ConcatenateObject
Conversions
GetCommandLineArgs
LateIndexGet
GetEnumerator
get_Current
MoveNext
IDisposable
Dispose
get_Count
System.Threading
Thread
DoEvents
System.Resources
ResourceManager
System.Reflection
Assembly
GetExecutingAssembly
GetObject
Boolean
LateGet
ChangeType
MessageBox
DialogResult
Contains
Exists
Delete
Directory
DirectoryInfo
CreateDirectory
Microsoft.Win32
Registry
RegistryKey
CurrentUser
OpenSubKey
RegistryKeyPermissionCheck
ParameterizedThreadStart
ApartmentState
SetApartmentState
MethodInfo
get_EntryPoint
MethodBase
ParameterInfo
GetParameters
System.Security.Cryptography
MD5CryptoServiceProvider
SHA1Managed
SHA256Managed
SHA384Managed
SHA512Managed
System.Text
Encoding
get_ASCII
GetBytes
HashAlgorithm
ComputeHash
Conversion
Strings
FileStream
FileMode
FileAccess
FileShare
Stream
get_Hash
STAThreadAttribute
Delegate
Remove
EventArrivedEventHandler
add_EventArrived
ManagementBaseObject
get_NewEvent
get_Item
ToUInteger
ManagementPath
get_ClassPath
get_ClassName
GetFileNameWithoutExtension
GetProcesses
get_ProcessName
ProcessModuleCollection
get_Modules
ProcessModule
get_FileName
AddObject
ToInteger
cryptercore1.resources
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
zXuSFnZc
zXuSFnZc.exe
MyTemplate
14.0.0.0
My.Computer
My.Application
My.WebServices
My.User
4System.Web.Services.Protocols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
WrapNonExceptionThrows
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
InternetProxy
http://www.yandex.com
ssdaClass
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
tiny_runpe
FileVersion
1.0.0.0
InternalName
tiny_runpe.dll
LegalCopyright
Copyright
2021
LegalTrademarks
OriginalFilename
tiny_runpe.dll
ProductName
tiny_runpe
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
cryptercore1
dlt.exe
svchost.exe
Some message
Title - Run Once
Peristence MODE
Core is running
exception while running win bypass
C:\Windows\SysWOW64\explorer.exe
file.exe
persistence prep...
Persistence is Disabled, Exit
Installation has been disabled, exit
current file is not in install location, exiting persistence prep
Main process, start persistence process
WindowStyle
FileName
Arguments
StartInfo
Error running sister process:
persistence done checking count for InstallationDestinationProtection
Already have more than 1 existing persistence process, dont start process, count:
We dont have more than 1 active process
Protect:
protect list count < 1, exiting persistence
before processWatcher.Start()
after processWatcher.Start(), starting responsive sleep
Error persistence start:
File already been installed, skipping execution of:
execute: getting file bytes for:
native file execution
we have the runPE bytes now
asm load
CreateInstance
tiny_runpe.Class1
asm CreateInstance
native execution success
native execution failed
managed file execution
managed execution success
managed execution failed
Show Message is not enabled, exiting
File has already been installed, not showing message again
Installation is not enabled, exiting
Already installed, skipping installation
Installing file...
Couldn't delete existing destination file
Copying file to destination location
Couldn't copy file to destination, ending the rest of execution, ex:
Setting Folder attribues -
Attributes
Couldn't set Folder attributes, something went wrong:
Setting File attribues -
Couldn't set File attributes, something went wrong:
Writing registry key
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SetValue
CreateSubKey
Installation Error:
Information
SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
TargetInstance
ProcessId
ExecutablePath
__InstanceCreationEvent
__InstanceDeletionEvent
Process Killed:
Already have an existing process, dont start process, count:
Start Process
Error checking ActiveProcessCount for killed process:
__InstanceCreationEvent
__InstanceDeletionEvent
__InstanceModificationEvent
__InstanceOperationEvent
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
FileDescription
FileVersion
0.0.0.0
InternalName
zXuSFnZc.exe
LegalCopyright
OriginalFilename
zXuSFnZc.exe
ProductVersion
0.0.0.0
Assembly Version
0.0.0.0
Antivirus Signature
Bkav Clean
Lionic Clean
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Generic.30292007
FireEye Generic.mg.6a4e8dbad4bd5845
CAT-QuickHeal Clean
ALYac Trojan.Generic.30292007
Cylance Unsafe
VIPRE Clean
Sangfor Trojan.Win32.Save.a
K7AntiVirus Clean
BitDefender Clean
K7GW Clean
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Clean
BitDefenderTheta Clean
Cyren W64/MSIL_Kryptik.FSR.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Agent.ACBZ
Baidu Clean
APEX Malicious
Paloalto Clean
ClamAV Win.Dropper.NetWire-8025706-0
Kaspersky Backdoor.Win32.NetWiredRC.lac
Alibaba Clean
NANO-Antivirus Clean
ViRobot Clean
Tencent Clean
Ad-Aware Clean
TACHYON Clean
Sophos Troj/Recam-HB
Comodo Clean
F-Secure Clean
DrWeb Trojan.PackedNET.335
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Artemis!Trojan
CMC Clean
Emsisoft Clean
Ikarus Trojan.Win32.Agent
Jiangmin Clean
eGambit Unsafe.AI_Score_99%
Avira TR/Spy.Gen
Antiy-AVL Clean
Kingsoft Clean
Gridinsoft Clean
Microsoft Trojan:Win32/Woreflint.A!cl
SUPERAntiSpyware Clean
ZoneAlarm Clean
GData Clean
Cynet Malicious (score: 99)
AhnLab-V3 Win-Trojan/MSILKrypt14.Exp
Acronis Clean
McAfee Artemis!6A4E8DBAD4BD
MAX Clean
VBA32 Clean
Malwarebytes Malware.AI.4040733249
Panda Clean
Zoner Clean
TrendMicro-HouseCall Clean
Rising Backdoor.NetWire!1.C98D (CLASSIC)
Yandex Clean
SentinelOne Static AI - Malicious PE
MaxSecure Clean
Fortinet MSIL/Agent.ACBZ!tr
Webroot Clean
AVG Win32:RATX-gen [Trj]
Cybereason malicious.6ecb7d
Avast Win32:RATX-gen [Trj]
No IRMA results available.