splwow64_1.exe

First submission 2024-09-27 16:32:02 Last sumbission 2024-10-13 07:38:01

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	1348.77 KB (1381143 bytes)
Compile time:	2012-02-24 20:19:43
MD5:	2b01c9b0c69f13da5ee7889a4b17c45e
SHA1:	27f0c1ae0ddeddc9efac38bc473476b103fef043
SHA256:	d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
Import Hash :	be41bf7b8cc010b614bd36bbca606973
Sections 6	.text .rdata .data .ndata .rsrc .reloc
Directories 3	import resource relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	57/77 VT report date: 2024-09-26 13:58:01
Malware Type 3	trojan dropper pua
Threat Type 3	autoit znyonm r002c0dik24

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://185.215.113.16/dobre/splwow64_1.exe	185.215.113.16	2024-10-13 07:38:04

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x6f1c	28672	189dda88a6c847f2561d302faa3a43c92aef4329	64fef99d80ead9051b6e85267342c734
.rdata	0x8000	0x2a62	11264	05985b7f60a664d2595e9406ae3b208c97597bbc	07990aaa54c3bc638bb87a87f3fb13e3
.data	0xb000	0x3e66dc	512	03dcf00e29427359059c911b4ef21794fc8e9237	f8e9fc8c226177087968ccda63fbab7d
.ndata	0x3f2000	0x81000	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.rsrc	0x473000	0x729e	29696	8232378728275d4ce02f4a7c8044cd9b9b26f07a	c417e41b10ac8a471723e921d9939e52
.reloc	0x47b000	0x320e	13312	8f4333c1c263674262cffaf6abf754f8d891f437	1f866e89ee649ce440be9acadbbf8430

PE Resources 5

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x478840	4392	PE Resource: RT_ICON - Data ( @ "K#%(~W8---qLLL%%&& .447hgfgklnz[qooghid$EPTV\|_xLP:33' !<==,7899vbuKDK(I;"7(122yyyjkkj`\XdazngQ;;2&+);?Aadgwwwvvwzzz:::.YXXwxyE@DVKDC0,!::;^`cggg>>> 554uuusssffgkZZZWZ\xxxSSS888,,,---333666666)))777tuuqqqsss000WWWi}}}aaaJJJ@@@CCCJJJNNNOOONNNLLLKKKIIIEEEEEEOOOxxyppqqqqZ[[LKLjnroqppUUU[[\aaacccddddddcccbbbaaa___\\\ZZZeeeddd]]]zzypqq~~~III3zzzpppttuwwwwwwwwwwwwuuusssppppppxxxwwwwwwqqqxxxLLLFEDeXXWYXVyMJGX# _\Y{fii ZVSqZ =;8L(&5 :==ggg*&))mhhh11179MLLYYYf ]]]===a ? KKK[kkkOOOe333D'
RT_DIALOG	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x479b84	96
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x479be4	34
RT_VERSION	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x479c08	960	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO X]X X]X StringFileInfo040904B0NCompanyNameMicrosoft Corporationn#FileDescriptionPrint driver host for applicationsn'FileVersion10.0.22621.3672 (WinBuild.160101.0800): InternalNamesplwow64.exe/LegalCopyright Microsoft Corporation. All rights reserved.B OriginalFilenamesplwow64.exel&ProductNameMicrosoft Windows Operating SystemDProductVersion10.0.22621.3672DVarFileInfo$Translation
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x479fc8	726	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

Meta infos 9

LegalCopyright:	\xa9 Mic\x1drosoft Corporation. All rights reserved.
InternalName:	splwow64.exe
FileVersion:	10.0.22621.3672 (WinBuild.160101.0800)
CompanyName:	Mic\x1drosoft Corporation
ProductVersion:	10.0.22621.3672
FileDescription:	Print driver host for applications
Translation:	0x0409 0x04b0
OriginalFilename:	splwow64.exe
ProductName:	Mic\x1drosoft\xae Windows\xae Operating System

Packers detected 1

Nullsoft PiMP Stub -> SFX

Anti debug functions 2

FindWindowExW
GetLastError

Strings analysis - File found

Log
install.log
Temporary
~nsu.tmp
Library
ADVAPI32.dll
VERSION.dll
SHELL32.dll
PSAPI.DLL
COMCTL32.dll
ole32.dll
KERNEL32.dll
USER32.dll
GDI32.dll

Strings analysis - Possible URLs found 1

http://nsis.sf.net/NSIS_Error

Import functions

VERSION.dll 3 GDI32.dll 8 ADVAPI32.dll 9 KERNEL32.dll 70 SHELL32.dll 6 ole32.dll 4 USER32.dll 68 COMCTL32.dll 4

Function	Address	Souspicious	Anti Debug
GetFileVersionInfoSizeW	0x4082ac
GetFileVersionInfoW	0x4082b0
VerQueryValueW	0x4082b4

Function	Address	Souspicious	Anti Debug
SetBkColor	0x40803c
GetDeviceCaps	0x408040
DeleteObject	0x408044
CreateBrushIndirect	0x408048
CreateFontIndirectW	0x40804c
SetBkMode	0x408050
SetTextColor	0x408054
SelectObject	0x408058

Function	Address	Souspicious	Anti Debug
RegEnumKeyW	0x408000
RegOpenKeyExW	0x408004
RegCloseKey	0x408008
RegDeleteKeyW	0x40800c
RegDeleteValueW	0x408010
RegCreateKeyExW	0x408014
RegSetValueExW	0x408018
RegQueryValueExW	0x40801c
RegEnumValueW	0x408020

Function	Address	Souspicious	Anti Debug
SetFileTime	0x408060
CompareFileTime	0x408064
SearchPathW	0x408068
GetShortPathNameW	0x40806c
GetFullPathNameW	0x408070
MoveFileW	0x408074
SetCurrentDirectoryW	0x408078
GetFileAttributesW	0x40807c
GetLastError	0x408080
CreateDirectoryW	0x408084
SetFileAttributesW	0x408088
Sleep	0x40808c
GetTickCount	0x408090
GetFileSize	0x408094
GetModuleFileNameW	0x408098
GetCurrentProcess	0x40809c
CopyFileW	0x4080a0
ExitProcess	0x4080a4
GetWindowsDirectoryW	0x4080a8
GetTempPathW	0x4080ac
GetCommandLineW	0x4080b0
SetErrorMode	0x4080b4
lstrcpynA	0x4080b8
CloseHandle	0x4080bc
lstrcpynW	0x4080c0
GetDiskFreeSpaceW	0x4080c4
GlobalUnlock	0x4080c8
GlobalLock	0x4080cc
CreateThread	0x4080d0
LoadLibraryW	0x4080d4
CreateProcessW	0x4080d8
lstrcmpiA	0x4080dc
CreateFileW	0x4080e0
GetTempFileNameW	0x4080e4
lstrcatW	0x4080e8
GetProcAddress	0x4080ec
LoadLibraryA	0x4080f0
GetModuleHandleA	0x4080f4
OpenProcess	0x4080f8
lstrcpyW	0x4080fc
GetVersionExW	0x408100
GetSystemDirectoryW	0x408104
GetVersion	0x408108
lstrcpyA	0x40810c
RemoveDirectoryW	0x408110
lstrcmpA	0x408114
lstrcmpiW	0x408118
lstrcmpW	0x40811c
ExpandEnvironmentStringsW	0x408120
GlobalAlloc	0x408124
WaitForSingleObject	0x408128
GetExitCodeProcess	0x40812c
GlobalFree	0x408130
GetModuleHandleW	0x408134
LoadLibraryExW	0x408138
FreeLibrary	0x40813c
WritePrivateProfileStringW	0x408140
GetPrivateProfileStringW	0x408144
WideCharToMultiByte	0x408148
lstrlenA	0x40814c
MulDiv	0x408150
WriteFile	0x408154
ReadFile	0x408158
MultiByteToWideChar	0x40815c
SetFilePointer	0x408160
FindClose	0x408164
FindNextFileW	0x408168
FindFirstFileW	0x40816c
DeleteFileW	0x408170
lstrlenW	0x408174

Function	Address	Souspicious	Anti Debug
SHBrowseForFolderW	0x40817c
SHGetPathFromIDListW	0x408180
SHGetFileInfoW	0x408184
ShellExecuteW	0x408188
SHFileOperationW	0x40818c
SHGetSpecialFolderLocation	0x408190

Function	Address	Souspicious	Anti Debug
CoTaskMemFree	0x4082bc
OleInitialize	0x4082c0
OleUninitialize	0x4082c4
CoCreateInstance	0x4082c8

Function	Address	Souspicious	Anti Debug
GetAsyncKeyState	0x408198
IsDlgButtonChecked	0x40819c
ScreenToClient	0x4081a0
GetMessagePos	0x4081a4
CallWindowProcW	0x4081a8
IsWindowVisible	0x4081ac
LoadBitmapW	0x4081b0
CloseClipboard	0x4081b4
SetClipboardData	0x4081b8
EmptyClipboard	0x4081bc
OpenClipboard	0x4081c0
TrackPopupMenu	0x4081c4
GetWindowRect	0x4081c8
AppendMenuW	0x4081cc
CreatePopupMenu	0x4081d0
GetSystemMetrics	0x4081d4
EndDialog	0x4081d8
EnableMenuItem	0x4081dc
GetSystemMenu	0x4081e0
SetClassLongW	0x4081e4
IsWindowEnabled	0x4081e8
SetWindowPos	0x4081ec
DialogBoxParamW	0x4081f0
CheckDlgButton	0x4081f4
CreateWindowExW	0x4081f8
SystemParametersInfoW	0x4081fc
RegisterClassW	0x408200
SetDlgItemTextW	0x408204
GetDlgItemTextW	0x408208
MessageBoxIndirectW	0x40820c
CharNextA	0x408210
CharUpperW	0x408214
CharPrevW	0x408218
wvsprintfW	0x40821c
DispatchMessageW	0x408220
PeekMessageW	0x408224
wsprintfA	0x408228
DestroyWindow	0x40822c
CreateDialogParamW	0x408230
SetTimer	0x408234
SetWindowTextW	0x408238
PostQuitMessage	0x40823c
SetForegroundWindow	0x408240
ShowWindow	0x408244
wsprintfW	0x408248
SendMessageTimeoutW	0x40824c
LoadCursorW	0x408250
SetCursor	0x408254
GetWindowLongW	0x408258
GetSysColor	0x40825c
CharNextW	0x408260
GetClassInfoW	0x408264
ExitWindowsEx	0x408268
IsWindow	0x40826c
GetDlgItem	0x408270
SetWindowLongW	0x408274
LoadImageW	0x408278
GetDC	0x40827c
EnableWindow	0x408280
InvalidateRect	0x408284
SendMessageW	0x408288
DefWindowProcW	0x40828c
BeginPaint	0x408290
GetClientRect	0x408294
FillRect	0x408298
DrawTextW	0x40829c
EndPaint	0x4082a0
FindWindowExW	0x4082a4

Function	Address	Souspicious	Anti Debug
ImageList_AddMasked	0x408028
ImageList_Destroy	0x40802c
None	0x408030
ImageList_Create	0x408034

Name	Latest seen	MD5
HrNQKzxJSJyBHMe.exe	2022-09-11 14:15:10	5fd7895ad8c6f4cbafeb0877637027ad
smartsoftsignew.exe	2024-05-31 21:25:02	66a5a529386533e25316942993772042
AdaptorOvernight.exe	2024-07-08 12:58:05	e0d29de6e2fa7590f857f1ef825c943c
ComeDraft.exe	2024-07-20 07:35:02	5f661bce27073f4b496277cbc2fa246d
InfluencedNervous.exe	2024-09-01 22:05:22	1b0fe9739ef19752cb12647b6a4ba97b
PharmaciesDetection.exe	2024-09-02 01:57:02	569720e2c07b1d34bac1366bf2b1c97a
BallsClassified.exe	2024-07-26 23:07:02	b74b4dc696daa20dccd7f743c8c1e1a2
HostelCurves.exe	2024-07-28 15:40:03	9512f65eed44bccd7da4ca3d8adb397d
AnneSalt.exe	2024-08-25 13:11:02	0dac2872a9c5b21289499db3dcd2f18d
ConsiderableWinners.exe	2024-08-25 13:24:03	a23837debdc8f0e9fce308bff036f18f
SemiconductorNot.exe	2024-09-02 03:09:02	7adfc6a2e7a5daa59d291b6e434a59f3
NorthSperm.exe	2024-08-27 15:01:02	ff83471ce09ebbe0da07d3001644b23c
66d08591035ef_AttachmentDaughters.exe	2024-10-07 21:42:02	abb713cf90e8345c0b6b79345cbdc9d6
66d0c13d2f0ed_ImpressedHub.exe	2024-10-06 10:14:02	2f5226b4116ce79afb6dcb32fa647954
66d1b31955f50_SunshineSolving.exe	2024-10-05 10:57:02	0a34380175bb4da2cce136e0cb3d3e04
updataxx3264.exe	2024-09-03 15:34:06	0885bc5d9c2aa1895ebd5fcad13b53be
66d60cd3ce002_SeparatelyDied.exe	2024-10-05 12:10:05	1959ce1e98b798963f8b7d04bfb71e69
TikTokTool24.exe	2024-09-05 09:50:04	3c0bc60ec3907224b9720d80bf799281
66ed8059174df_ConsiderMilfs.exe	2024-09-20 16:34:02	12860c8f39570ea1a7256b7ed9dabccf
66e86c030044f_UniversityGradually.exe	2024-10-05 13:56:02	8bc957246166f6b5d99c1b63d34dd663
file.exe	2024-09-21 17:32:02	9b990bb6a27b497a1a19b8665b02b557
file1.exe	2024-09-21 18:41:03	bfc3d290228830fb01f0238e5ade7803
pic4.jpg	2024-09-22 13:35:03	2881d62826eb02ac92a022b2155e4007
66f19da1b85de_cryotr.exe#kiscrypt	2024-10-07 20:47:06	8f13e73a3c7d22ee7c1730cf8821f7ac
66f25393e0294_STcryotr.exe	2024-10-08 05:02:02	e457e6ce6ea00506eec98fab4ab49f74
66f5726937cd7_AngryBaths.exe	2024-09-26 16:59:01	dcf197da548e85d911ce6d40222b3592
66f5920e5f6b9_PoliciesCups.exe#angry	2024-09-26 19:29:02	db5245aa66c7883d72b0f718467c842b
66f5a3dbd9df9_ParentingContractor.exe	2024-10-05 10:58:02	4f3ddd6692d604ecf2bd37d93d0f2387
VidsUsername.exe	2024-09-27 19:34:02	081c87c612e074a69ed34d7102543bbc
KeyFormed.exe	2024-09-27 20:27:02	a823c6a042891f63236b8ae3d9c13ba3
66e5f96b41510_GageEpa.exe#111us	2024-10-05 12:55:02	43044a8822f069feddd9c02fe36d8517
66daf6d8ac980_PeakSports.exe#pend	2024-09-28 01:47:02	bdefc54e5fe6f091f968a28aa63783ba
66e01056bf2b0_crymeta.exe#kiscrmeta	2024-09-28 02:19:03	0675a6d25449fba8a9a04fae80448789
66e08d1814f75_BrickAaron.exe	2024-10-07 23:02:02	5673f47783f3a8e794f6863f1a7c3c7d
66f8f23776c09_DisplayedScreensavers.exe	2024-10-04 01:36:02	659535a3135886f39da6baf90e54ad98
BlankOffense.exe	2024-09-30 08:43:02	1bec0616f2e4dc133175566d1c6bd6dd
66fad513a308f_SubstituteAgain.exe	2024-10-08 01:42:02	35bab7028aa376556c3236b773506a9b
66fbd9a4db4c9_GovernmentalSa.exe#abd	2024-10-01 14:44:02	5e55a47b6d7053f9d1ff19539863b8c2
66f98113b83e6_BellyVary.exe	2024-10-02 02:45:01	db7b43084f7a44e3290774e36d49ce41
66bc8193eca9e_Setup.exe	2024-10-03 12:38:12	02edfdc2fb2ff2725436b7646b7f06ad
66b11f4cc8fbf_MarriageWriters.exe	2024-10-09 01:25:02	9347630d9d6b626d7fefbbdea5d20fe9
PkContent.exe	2024-10-03 21:25:02	87c051a77edc0cc77a4d791ef72367d1
DeliciousPart.exe	2024-10-03 21:26:02	8432070440b9827f88a75bef7e65dd60
66fd8d779da5e_EscortsRadios.exe	2024-10-05 12:40:02	9f2aa036b01b51f6ce185d8c2410c22a
66d4be7ccdf92_UniformDaniel.exe	2024-10-07 21:23:02	edafae4e89866d79921eabe87af81458
1.exe	2024-10-05 02:51:02	774c8215da3cb73644d36ca3f60e676b
66f69a884f4b8_PossessionInfo.exe	2024-10-05 13:38:02	24fb3edc746f33e554573ca372828c24
66b7a4a075311_AsianAsp.exe	2024-10-09 19:55:02	4f92aec3cd981658d5311657bee27d9a
67024df52de10_ElliottProtocols_nopump.exe#stealckiscrypto	2024-10-06 21:54:02	1e31ae89e90ab1a25e4d578b19154bd7
66d97e79cfb65_CnnWebster.exe	2024-10-08 00:42:02	5b977a760bd1fee841927a01bfff0991
InstallSetup.exe	2024-10-08 09:48:02	e6dd6a25125edd4c21fe5cf7bafcd2bb
6705797d4437e_game_bench.exe	2024-10-08 22:41:02	888da0597b89d2a8dfc4c5d7dfb22dfd
Bundicut.exe	2024-10-13 01:26:06	c065ba22909fc8dbded4ea0eebb24ad5