PESCAN.IO - Analysis Report - Valid Code
File Structure: (image)
Information:
• Icon: (image)
• Size: 14,16 MB
• SHA-256 Hash: A0CBEAC56781EA87CE4F76790D8F7F7A26320B9C2A2AE820488D5F1D6C768F4D
• SHA-1 Hash: 8F689C28BB5A6269C8A224944360ADC2606988F2
• MD5 Hash: 05FCBD57220C6F7D5FFC030C050B4B4D
• Imphash: 5A594319A0D69DBC452E748BCF05892E
• MajorOSVersion: 6
• CheckSum: 00C36929
• EntryPoint (rva): B5EEC
• SizeOfHeaders: 400
• SizeOfImage: D9000
• ImageBase: 400000
• Architecture: x86
• ExportTable: C4000
• ImportTable: C2000
• Characteristics: 818F
• TimeDateStamp: 5F5DDFC3
• Date: 13/09/2020 9:00:51
• File Type: EXE
• Number Of Sections: 10
• ASLR: Enabled
• Section Names: .text, .itext, .data, .bss, .idata, .didata, .edata, .tls, .rdata, .rsrc
• Number Of Executable Sections: 2
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
Sections Info:
Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 400 | B3800 | 1000 | B361C |
.itext | 60000020 (Executable) | B3C00 | 1800 | B5000 | 1688 |
.data | C0000040 (Writeable) | B5400 | 3800 | B7000 | 37A4 |
.bss | C0000000 (Writeable) | 0 | 0 | BB000 | 6DE8 |
.idata | C0000040 (Writeable) | B8C00 | 1000 | C2000 | F36 |
.didata | C0000040 (Writeable) | B9C00 | 200 | C3000 | 1A4 |
.edata | 40000040 | B9E00 | 200 | C4000 | 9A |
.tls | C0000000 (Writeable) | 0 | 0 | C5000 | 18 |
.rdata | 40000040 | BA000 | 200 | C6000 | 5D |
.rsrc | 40000040 | BA200 | 12000 | C7000 | 11FC0 |
Description:
• LegalCopyright: Heiko Sommerfeldt
• ProductName: Phoner
Binder/Joiner/Crypter:
• 2 executable files found
• Dropper code detected (EOF) - 13,31 MB
Entry Point:
Section number 2 (.itext) holds the entry point. EntryPoint (calculated): B4AEC
Code: 558BEC83C4A453565733C08945C48945C08945A48945D08945C88945CC8945D48945D88945ECB8F0104B00E8B072F5FF33C0
Disassembly:
• PUSH EBP
• MOV EBP, ESP
• ADD ESP, -0X5C
• PUSH EBX
• PUSH ESI
• PUSH EDI
• XOR EAX, EAX
• MOV DWORD PTR [EBP - 0X3C], EAX
• MOV DWORD PTR [EBP - 0X40], EAX
• MOV DWORD PTR [EBP - 0X5C], EAX
• MOV DWORD PTR [EBP - 0X30], EAX
• MOV DWORD PTR [EBP - 0X38], EAX
• MOV DWORD PTR [EBP - 0X34], EAX
• MOV DWORD PTR [EBP - 0X2C], EAX
• MOV DWORD PTR [EBP - 0X28], EAX
• MOV DWORD PTR [EBP - 0X14], EAX
• MOV EAX, 0X4B10F0
• CALL 0XFFF582E0
• XOR EAX, EAX
Signatures:
CheckSum Integrity Problem:
• Header: 12806441
• Calculated: 14912801
Certificate - Digital Signature:
• The file is signed but has been modified
Packer/Compiler:
• Compiler: Microsoft Visual Studio
Detect It Easy (die):
• PE: installer: Inno Setup Module(6.1.0)[unicode]
• PE: compiler: Embarcadero Delphi(10.3 Rio)[-]
• PE: linker: Turbo Linker(2.25*,Delphi)[EXE32,signed]
• PE: overlay: Inno Setup Installer data(-)[-]
• Entropy: 7.79805
Suspicious Functions:
Library | Function | Description |
---|---|---|
KERNEL32.DLL | GetProcAddress | Possible Call API By Name - Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
Windows REG (UNICODE):
• Software\Microsoft\Windows\CurrentVersion
• Software\Microsoft\Windows\CurrentVersion\RunOnce
• Software\Microsoft\Windows NT\CurrentVersion\Fonts
• Software\Microsoft\Windows\CurrentVersion\Fonts
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• Software\Borland\Delphi\Locales
• Software\Borland\Locales
• Software\CodeGear\Locales
• Software\Embarcadero\Locales
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
• Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
• SOFTWARE\Microsoft\.NETFramework
• SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0
• SOFTWARE\Microsoft\.NETFramework\Policy\v1.1
• SOFTWARE\Microsoft\NET Framework Setup\NDP\
• Software\Microsoft\Windows\CurrentVersion\App Paths\
• Software\Microsoft\Windows\CurrentVersion\Uninstall
• SOFTWARE\Microsoft\Windows NT\CurrentVersion
• SYSTEM\CurrentControlSet\Control\Session Manager
• SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
• System\CurrentControlSet\Control\Keyboard Layouts\%.8x
• System\CurrentControlSet\Control\Windows
• System\CurrentControlSet\Control\ProductOptions
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run
File Access:
Setup.exe TTask.Exe TTask.Exe SetupLdr.exe version.dll netutils.dll netapi32.dll mpr.dll OLEAUT32.dll SHELL32.dll ADVAPI32.dll KERNEL32.dll SHLWAPI.dll COMCTL32.dll Crypt32.dll Shcore.dll DWMAPI.DLL imm32.dll uxtheme.dll msimg32.dll user32.dll wtsapi32.dll gdi32.dll ole32.dll winhttp.dll msvcrt.dll comdlg32.dll ISCrypt.dll isunzlib.dll DWinapi.MsI Winapi.PenInputPanelWinapi.MsI dSystem.Sys System.Sys SysInitSystemSystem.RTLConstsSystem.RttiSystem.Sys TaskDialogSystem.TypInfoSystem.Sys System.Sys ?System.Sys Int64EmSystem.SysUtilsSystemSystem.Internal.ExcUtilsSystem.Sys Int64EmSystem.Sys System.Ini Vcl.GraphUtilSystem.ZLibSystem.Win.CrtlVcl.GraphicsSystem.UIConstsSystem.Win.RegistrySystem.Ini Temp WinDir AppData
File Access (UNICODE):
kernel32.dll Proxy.dll HeapDump.dll GetLogicalProcessorInformationkernel32.dll oleaut32.dll uxtheme.dll comctl32.dll user32.dll advapi32.dll oleacc.dll shell32.dll userenv.dll setupapi.dll apphelp.dll propsys.dll dwmapi.dll cryptbase.dll version.dll profapi.dll comres.dll clbcatq.dll ntmarta.dll exe,*.dll RuntimeUi.dll DesignerContract.dll Interfaces.dll VersionControl.dll ole32.dll Msctf.dll imm32.dll shlwapi.dll sfc.dll Rstrtmgr.dll Fusion.dll shfolder.dll _isetup\_isdecmp.dll _isetup\_iscrypt.dll winhttp.dll UI.exe cmd.exe regsvr32.exe *.exe 3u.txt Desktop.ini desktop.ini Temp ProgramFiles AppData UserProfile
Words of Interest:
fuck - }:) PADDINGX ToolBar Encrypt Encryption PassWord exec attrib start pause hostname shutdown systeminfo ping expand replace route
Words of Interest (UNICODE):
ToolBar Encrypt PassWord exec regsvr32 netsh attrib start pause shutdown systeminfo at.exe ping expand replace route
URLs:
http://schemas.microsoft.com/SMI/2005/WindowsSettings http://crl.certum.pl/ctnca.crl http://subca.ocsp-certum.com http://repository.certum.pl/ctnca.cer http://www.cer http://crl.certum.pl/cscasha2.crl http://cscasha2.ocsp-certum.com http://repository.certum.pl/cscasha2.cer http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt http://ocsp.usertrust.com http://crl.sectigo.com/SectigoRSATimeStampingCA.crl http://crt.sectigo.com/SectigoRSATimeStampingCA.crt http://ocsp.sectigo.com http://ocsp.digicert.com http://cacerts.digicert.com/DigiCertTrustedRootG4.crt http://crl3.digicert.com/DigiCertTrustedRootG4.crl http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl http://www.digicert.com/CPS0 http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl https://www.cer https://sectigo.com/CPS0D https://jrsoftware.org0 https://jrsoftware.org/
URLs (UNICODE):
http://direct:80 https://jrsoftware.org/ishelp/index.php?topic=setupcmdline https://www.innosetup.com/ https://www.remobjects.com/ps
IP Addresses:
1.3.2.128 1.3.2.128
PE Carving:
Start Offset Header | End Offset | Size (Bytes) |
---|---|---|
0 | B2D70B | B2D70B |
B2D70B | B34A4B | 7340 |
B34A4B | B35D5F | 1314 |
B35D5F | E1C73F | 2E69E0 |
E1C73F | E292A3 | CB64 |
Strings/Hex Code Found With The File Rules:
• Rule Text (Unicode): WinAPI Sockets (accept)
• Rule Text (Ascii): WinAPI Sockets (connect)
• Rule Text (Unicode): WinAPI Sockets (connect)
• Rule Text (Unicode): WinAPI Sockets (send)
• Rule Text (Ascii): Registry (RegCreateKeyEx)
• Rule Text (Unicode): Registry (RegCreateKeyEx)
• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Unicode): Registry (RegOpenKeyEx)
• Rule Text (Ascii): Registry (RegSetValueEx)
• Rule Text (Unicode): Registry (RegSetValueEx)
• Rule Text (Unicode): Registry (RegDeleteKeyEx)
• Rule Text (Ascii): Registry (RegGetValue)
• Rule Text (Ascii): File (CopyFile)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Unicode): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Unicode): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (VirtualProtect)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Unicode): Execution (ShellExecute)
• Rule Text (Ascii): Execution (ResumeThread)
• Rule Text (Unicode): Privileges (SeShutdownPrivilege)
• Rule Text (Unicode): Keyboard Key (Alt+)
• Rule Text (Ascii): Keyboard Key (Scroll)
• Rule Text (Unicode): Keyboard Key (Scroll)
• Rule Text (Unicode): Keyboard Key (UpArrow)
• Rule Text (Ascii): Keyboard Key (PageDown)
• Rule Text (Ascii): Keyboard Key (PageUp)
• Rule Text (Ascii): Information used to authenticate a user's identity (Credential)
• Rule Text (Unicode): Information used to authenticate a user's identity (Credential)
• Rule Text (Ascii): Ability of malware to remain on a system after a reboot (Persistence)
• Rule Text (Ascii): Process of gathering information about network resources (Enumeration)
• Rule Text (Ascii): Information used for user authentication (Credential)
• Rule Text (Unicode): Information used for user authentication (Credential)
• Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
• Rule Text (Unicode): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
• Rule Text (Ascii): Technique used to capture communications between systems (Intercept)
• EP Rules: Borland Delphi 4.0
• EP Rules: fasm -> Tomasz Grysztar
Resources:
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\ICON\1\1033 | C7558 | 2F3 | BA758 | 89504E470D0A1A0A0000000D49484452000000100000001008060000001FF3FF61000002BA49444154789C5D533D4C144114 | .PNG........IHDR................a....IDATx.]S=L.A. |
\ICON\2\1033 | C784C | 508 | BAA4C | 89504E470D0A1A0A0000000D4948445200000018000000180806000000E0773DF8000004CF49444154789C9D565D8C534514 | .PNG........IHDR..............w=.....IDATx..V].SE. |
\ICON\3\1033 | C7D54 | 6FD | BAF54 | 89504E470D0A1A0A0000000D4948445200000020000000200806000000737A7AF4000006C449444154789C9D575B6C9CC515 | .PNG........IHDR... ... .....szz.....IDATx..W[l... |
\ICON\4\1033 | C8454 | BEF | BB654 | 89504E470D0A1A0A0000000D49484452000000300000003008060000005702F98700000BB649444154789CAD5A6B6C1CD515 | .PNG........IHDR...0...0.....W.......IDATx..Zkl... |
\ICON\5\1033 | C9044 | 13CB | BC244 | 89504E470D0A1A0A0000000D4948445200000040000000400806000000AA6971DE0000139249444154789CC53B698C5DD579 | .PNG........IHDR...@...@......iq.....IDATx..;i.].y |
\ICON\6\1033 | CA410 | 41A8 | BD610 | 89504E470D0A1A0A0000000D4948445200000080000000800806000000C33E61CB0000416F49444154789CE57D09B81D4775 | .PNG........IHDR..............>a...AoIDATx..}...Gu |
\ICON\7\1033 | CE5B8 | 7A8B | C17B8 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A86600007A5249444154789CEDBD09B8245959 | .PNG........IHDR.............\r.f..zRIDATx.....$YY |
\STRING\4086\0 | D6044 | 360 | C9244 | 0B00570069006E0064006F0077007300200038002E0031000A00570069006E0064006F007700730020003100300019004F00 | ..W.i.n.d.o.w.s. .8...1...W.i.n.d.o.w.s. .1.0...O. |
\STRING\4087\0 | D63A4 | 260 | C95A4 | 3A00250073002000530065007200760069006300650020005000610063006B002000250034003A0064002000280056006500 | :.%.s. .S.e.r.v.i.c.e. .P.a.c.k. .%.4.:.d. .(.V.e. |
\STRING\4088\0 | D6604 | 45C | C9804 | 1500500072006F0070006500720074007900200069007300200072006500610064002D006F006E006C007900170025007300 | ..P.r.o.p.e.r.t.y. .i.s. .r.e.a.d.-.o.n.l.y...%.s. |
\STRING\4089\0 | D6A60 | 40C | C9C60 | 1A00430061006E006E006F0074002000610073007300690067006E0020006100200025007300200074006F00200061002000 | ..C.a.n.n.o.t. .a.s.s.i.g.n. .a. .%.s. .t.o. .a. . |
\STRING\4090\0 | D6E6C | 2D4 | CA06C | 06004D006F006E006400610079000700540075006500730064006100790009005700650064006E0065007300640061007900 | ..M.o.n.d.a.y...T.u.e.s.d.a.y...W.e.d.n.e.s.d.a.y. |
\STRING\4091\0 | D7140 | B8 | CA340 | 03004D006100790004004A0075006E00650004004A0075006C00790006004100750067007500730074000900530065007000 | ..M.a.y...J.u.n.e...J.u.l.y...A.u.g.u.s.t...S.e.p. |
\STRING\4092\0 | D71F8 | 9C | CA3F8 | 03004A0061006E00030046006500620003004D0061007200030041007000720003004D006100790003004A0075006E000300 | ..J.a.n...F.e.b...M.a.r...A.p.r...M.a.y...J.u.n... |
\STRING\4093\0 | D7294 | 374 | CA494 | 140049006E00760061006C00690064002000760061007200690061006E0074002000740079007000650017004F0070006500 | ..I.n.v.a.l.i.d. .v.a.r.i.a.n.t. .t.y.p.e...O.p.e. |
\STRING\4094\0 | D7608 | 398 | CA808 | 2200560061007200690061006E00740020006D006500740068006F0064002000630061006C006C00730020006E006F007400 | ".V.a.r.i.a.n.t. .m.e.t.h.o.d. .c.a.l.l.s. .n.o.t. |
\STRING\4095\0 | D79A0 | 368 | CABA0 | 200049006E00760061006C0069006400200066006C006F006100740069006E006700200070006F0069006E00740020006F00 | .I.n.v.a.l.i.d. .f.l.o.a.t.i.n.g. .p.o.i.n.t. .o. |
\STRING\4096\0 | D7D08 | 2A4 | CAF08 | 2100270025007300270020006900730020006E006F007400200061002000760061006C0069006400200069006E0074006500 | !.'.%.s.'. .i.s. .n.o.t. .a. .v.a.l.i.d. .i.n.t.e. |
\RCDATA\DVCLAL\0 | D7FAC | 10 | CB1AC | A28CDF987B3C3A7926713F090F2A2517000010CC000000002F000000010A53657475704C64720010574D4435000081537973 | ....{<:y&q?..*%........./.....SetupLdr..WMD5...Sys |
\RCDATA\PACKAGEINFO\0 | D7FBC | 2C4 | CB1BC | 000010CC000000002F000000010A53657475704C64720010574D4435000081537973496E69740000C753797374656D001C0F | ......../.....SetupLdr..WMD5...SysInit...System... |
\RCDATA\11111\0 | D8280 | 2C | CB480 | 72446C507453CDE6D77B0B2A01000000133FE200525DB30000D62E003B6ADE09CFDEB10000C20C00350E3999000001000700 | rDlPtS...{.*.....?..R]......;j..........5.9....... |
\GROUP_ICON\MAINICON\1033 | D82AC | 68 | CB4AC | 0000010007001010000000002000F3020000010018180000000020000805000002002020000000002000FD06000003003030 | ............ ............. ....... .... .......00 |
\VERSION\1\1033 | D8314 | 584 | CB514 | 840534000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
\24\1\1033 | D8898 | 726 | CBA98 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
Intelligent String:
Extra Analysis:
Metric | Value | Percentage |
---|---|---|
Ascii Code | 9909187 | 66,7345% |
Null Byte Code | 853369 | 5,7471% |