m2.dat

First submission 2024-10-17 16:53:04

File details

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	3854.94 KB (3947462 bytes)
Compile time:	2019-12-05 08:37:27
MD5:	9f764608bb066354b8c39e3c8ac55596
SHA1:	16364eaf46e7bb534711c08153f2d15df3a98152
SHA256:	21690a716f4d4f3af3ad00504dfd41ef4d11a5663ff96c3365838896ffcaedd7
Import Hash :	e2a1496c94d52a035fe47259ee6587b7
Sections 7	.text .rdata .data .pdata .gfids .rsrc .reloc
Directories 5	import export resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	57/79 VT report date: 2024-04-08 10:13:20
Malware Type 3	trojan miner downloader
Threat Type 3	starter aemwb malxmr

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://k2ygoods.top/m2.dat	k2ygoods.top	2024-10-17 16:53:04

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x35924	219648	3ec2416895f04233fa51cf93dc74a663432e9836	dbbb91fb85476329768d95854847b7e0
.rdata	0x37000	0xfeca	65536	38102f50bfbb0809281d6653624ca9badc51e857	af799b024d43a13d663facb579b323e8
.data	0x47000	0x24904	5632	14d545b7ae51d299fe7152f449f7c9e704dbb4ff	03d3b2e088cb0dbd0ccc77a7c100f526
.pdata	0x6c000	0x28e0	10752	e61aa6606f56023f86e3ee72f975c869cf7a833c	e034e40e9a2720458b41a860f0c5bdd3
.gfids	0x6f000	0xd0	512	a997e7cd64e9c915e2730b8a17a16ff87bca1b7e	1a6cc10a0b8e60577205ebd1d2848ed1
.rsrc	0x70000	0xd2b0	54272	56d5f235bcba7d2236537ee3c049742d12eefe1c	0754521f52da0db04bbea1067478c639
.reloc	0x7e000	0x8c0	2560	2c03932ec097134406bd36a6b0254acffabe761a	d5c22281658a38a62475c3e9db27753d

PE Resources 6

Name	Language	Sublanguage	Offset	Size	Data
PNG	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0x7118c	5545	PE Resource: PNG - Data PNG IHDR\)gAMAa cHRMz&u0`:pQ< pHYs~bKGDC IDATxs}]K (oRNP_IUqRQl,(o,%)b8.%7.@bg{[}eX$R! \.C@p!\."Bp!\.DBp)\.! PH\ D1Bp!b.Ye@C@p!\."Bp!U\ D1Bp!b.e``u#6;_~ov`Td?1s^RBm@]jAV5;,P4^ \6HYM?\^ Q+A[_L!:_Z?ardO/\f zSPPIJd"m\ y_^K.p\p<YpK .y e7g6[? O+. .[+h5?:+%j.\UDR+;.pK5[\tj.p\.p\2[\tj.p\.p\2[\tj.p\.p\2[\tj.p\.p\[\tj.p\B"p"$s2\\enz.>Z'\|.j\d"U.EE=.pQNe.3EE'5}si?\>.{\|%.T.pQP\qqI-[jE>y,H%\/K'y[.-M..'{-\<1SmO+\|?pIZQmE.\.\w\\|?\6QyE>Aw:qkr&F=($l#qc$AA%(qc$GJ2Psuv t]l.s]=@l~+pG%#Cd[G9xT28FXKT#~&f?+sF#~7o6\?P]oK22fYQ2[cH59k y/orzDF=)gHL"e.wQRc:%=U.Ev,RrzGG}\$te$1jpQ\Q8\G\Q\AJ^p\$r[&1vpQMG\(\)1\|pQ#JGvEG \]D+0IrQs\!.s=zNj`Q H52Qd(P%H#\E\I\h%Hy.MR}kjEG1j)\Tz@ r=1E5 aKwbX(\@jp1pQM\&.\\qYp[`\|YX"ih!rE.@/2yF.MeI0p {Pj ..O40p <^%<ap%@k,.R.]Fv:\T3pQn%H}lx^7E=9q\%eEhwrF.y^&. zG&.W;V4s(7xK^.3d4%@lxQ6pQm'3e2d%@J^t.AKL \lxoe2+pQm%H5&.401pQm /\e1^J~ \KL\$o1CpQm0E99Bb 9Bb!1Ip P'wptLoBFdI6TEqjrGlE5f fM\&UL+ \;L\;j .595\TPyCoceIJ.3j/N/\|?J+[6_La\N/X3Qsh)tF^a#"L<{"F1sr<c"RSv.09+7+WsEr r3#,0sX#;3z.g-]`=ie2\/Q \,]`Y`tpXPI 1yZ\`n2XY`%_e^"&k9`jrFP-oL]uryNFHf]\|nJ',\`2E&Xi{5Xs.0XqK%`pXN[E-Sm EzzF-Q m\ ;q[`yS7sqcE:3g3,0H-y{7om\^\p-0rk"y7%aEnwgR9tDU.qk^gq}9(mL'L}_!vIUk,0q]y/-Z`)^UpvT"j+MTC.A9Htr.,0zHs^y/@.Uk<MgV<v.//Y`nh"p`QXq{VShBrqeW\$fX_11~\$1L1Y`.c\T;+j6/2. Pn-YCT\358swX` r}cmpI\rIo!\'r%\|^^(k;cS\rX$wNN4/0?'HOI+pw;&tw7X`"/e5$$5eX`yi!Sc10d/0qK^X`Yn @.s\eK59w0\;1e%\$E;(\4b\|2fxuQb$i}\_vd6s;5=#F.0OAtn2K\wWbhmcmbz.d}+p13ni\,1r;V9(G\lbsc-xf;4lXM?kNb\u1I;Kp1Ev'1;j&F^l=a&2\NN#\ c61SYc61rqEbMHbxgA3ONM:uf,0r,;s"p6yvg9.scXi~1u$XI'KX.Vt8g&UXS[FX.l{\|z}%tv],kbSu_Agr,z"ULe\.[$Oj#/58OLwAEK-0.vuLKe^ScpieD&K6pvO{4}hse.ujBRW{gM;sZVbehQkkr$^vG KoHr.vf/D-2\lS-.i\^mGwWbqF {kv{}.w~3nNc7J\|fJLd}_7pqGyk-7oe:TrS kFI^p=93 y.1HNpCx6noA\\)jg+a/00: _e6y3&T.G9Hq4Q,F~G.i/R4+pM&qX%o5)\b /41S?4h:5&UA\+{L:YtO!=/\bsc"&=2\b3{^&OK \|{p.ZK<#Cse.Pc. icLbZyL8M}ybd' siwvPU]L)enxF\7jeblVb%+K9sSE262$j%spBL[epIBVt=2 C$g2;#G2W`NL &@.QMqs$Gv&F~2.QM~2^~.QMy.V-&c:NJ1u?aca9%Bu$$:1K6\5$0$FKuO><F3 yW &\o2T9O+net<D%vq%NJbxrNJMfrKp1{T\^ywm'Bq@vbklpl'F~MIml}IbRD_"\(@GizG2+2p!vu^)'/<4t;-5r@bgr\(@p!\.\.C\(bp!\.\.BBp!Bp!\.Dp!\.\.b%["R.Bp!Bp!\Bp!\."\..flIENDB`
RT_ICON	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0x77ea8	15729	PE Resource: RT_ICON - Data PNG IHDR\rf=8IDATxkdIV'3^nzzz ` hxhi1<,X22 Ke0>KIKF,`Xb\|sbCyd{3{nkE=yNDcqq/.cj V \@bb`m16E,3mqf3;drWR!_.ecMbl>+6dI/Xab6l^{1BhTi&}L,l'y:qs+/m<s mc\{+\@XiXXm\LdO WeW^=E{\iISWG5KpRtis@bc!1Mk$F$ hLF_}LwGo\|=Fs5.yM5Z7ZF cC5G:4iab6B1 41&0@js{\|G{\|Om4jHd<qDU2 E X `L< p.<~u?w~X;X{x w2\|Wmav.0i94s\U" $A@a+ (MLl47K:?ow+o;<!P!f6G]E,b $cMc}DLcCUBovnak 5 x'd{eOrzp8'a?AHDh 44!+`{bH4@Z`Z`6!M4?/Cw;?v=MwZnCC4\|WrT}-TI@cZ67k%9$@l5t{z_~{^O\zs#{.E]\|r)K/CU_$mb1/Gu xO<A$[ @Mo~s\|f{I6.zaHQ2yMU+ZBOM $ b~`'$aS.KK`/w1+K%kI?+?f+wN?E Br/y:4WlBZ1@j`i&A ({z7E;9s-x^?\|Lw@pyzK!^sJ?@5_i"L@~~<1 .;v=46@\aTL%Cq(Nhh) a45\|eF :/"4p"W.^`e~@9mkGo})7^{0LBO#[}Y)IoM%) Z+C.`C9;}M_jp4:]4B ?8HiB%x&P@}z0$y6 IW\rv_64 4yg8r k#?P0$ARxJrF\l!fEsc/ ^h(w~ed$yz/F;;-T?1JR:~:z7,)0@AGMMl:j87L-5S+ @A,ttpAye\|sHS4BxeW4~LP-z@xJQEN.DNUCroS?Su{Z9-V\|g6Oi5SO$j)\IR%A"HA{VlkgkB^c~$Y#B$-[oQqVmJZ5DZG7S/~/la@Q{;/uV_h82SF?c98T.Souh!WPhY)tDO= 4]#%f5.\|<?RQ2.P 2hBvF>#:UpGkg8iad9C X~"g6hMi`jt.13AM HiB6OU O/A&I?ac@m KY/ZE!o]QqC/P#Z '($uRp+]O&"yS)F,A5Y XUjWyq9jh2 9B 6 DOjD VF(_.) ca w0A?x sqW86:YDcQ!I.cBFuh'Gsh04<UA' y>`>NZQT9'_8Wz~t]a?o_W2oKdiy:)gPRJW(:02JA-(`X,bH;x +Dt?~+X5X5$jIHH0#^ #%{[xXx$'MC#,Zx/Bx(_;G.Hf 7 tAfd?ANQF63Rg5h'a[8L#S\|p2[,>R;If!G7PLFr\6$Ol:]d<)R&xL) #B_+)LRx jcJ21db1bvC924])kGH"W99 P5uJ7GmZX)&Z640yit5Q$I~ ]WUn<^~BPWzI6Nmco:q,&HMLqTSz+-'l71\+b)^/Sdgu;{oHr2%!db=K $ GD 'Ap06-D/T2y3<Rr\ \"\_E.[da0 ^aFCa(;CFroO7 dFaQ B+y<BDh}s_jy-uGwy#\|CPGR5 nnmm;qg27o>W_^I1FQ#5i\Lt"m1lbQ\kDV2.?}1cBbhA'=}!+/ -a0DBZoL`X,I<^X?h:cp<o\|_N)_y;M!(]GTAZ4eoAs4 X4,NK =mG~sho6n* j$\|XavxC"2%&\|\z/~\|CAa\|F\oP#o}_>+O]):/FhKRU>Nri#=XD+1!-\|cml`\|"hkr$l?:_pCEWdC%9f[h5KSze{'w:\|c>o'Si:q5 ;G9/?hf^>}okJcnin@[/;j~4^[>9lP Gk7f 8bp}:]e0ZGOFgNzv:pw!C0~_wUSAy60^.3g\|}xE{`SU} b)9 Ip)yQwzf)y\|:]N ]{e\|wFM]7u?<,3Ugm)X6k)\|t^$ fzx5)_sAr`,80oJ55C^H us\|m_&7KGorrw` `DnW+T S2#D Q$q$-G~6HS4FSFS/OrS]GUQr4I,-:6uxO+y<v\|5[f,_]Z$\mnpW5b!Bf%\"?^)bJ"dfHrM2t~O/GS$w#:Ky IN&y'PZ1i"v}&/1=he=al.CNrc?+)x ~~v)\|V3" RF]8'48oO[{^XOjc? pz~86L)a)' );KAwCgHTQE)=w.Vj_9ZzY"bb3C[9d6%"MjsmquVz/A?pfd b>L0)(@k634x\`LS<zB3hT[?6Pezv3 1 OZNnp06M)B'~-1_`<$x1 (HwmL?B&$a1VQ!NqET0XXI bVw>G~VcI2Hd;b%9@Z^k bInec5~_q0il+H+q6rb`,c7Pvx#>M'0"Ao->Et(,KT$66Q\v>7Heb_bz;/iEi13<;AHL&kjXCP?mTC2(Q!>) Pv_(Tsq9s :R (m<5\}!JEV)# X6E$,B^NOuC` g!TSRe >2BTJv$"W-r`BbU08?O]ID}-9Vs,9hnnWgoZ/b j5#+XCt2B& dz99: &iOqCevj %u.?/[D9Ed"GgiO B2~q6REP`?!B/@@C;GR/H\|JpHyR5'W?M`jha;D-X7dwp:(2a!O) B [B.1@B_:2ae.NTmEf!'{dml1llPV.!F6R+B\|!KbH#6BM@S G]0trIs86IhITT"dUD`m^nkkB$.D& ''< :$1KML\|5_\S)WeH_~p''8l\|Phk-A6OSX $BmG@k-})ZX4,TyU]j[S%:e5A m:uEd,,DlrY.N'(SmU19AR}o9Ujub`#+c$@ YO#{r&}}}+AX^'&6?~R@XBCCD 4q?<< ]) \|PRiE:W.CK"ph/Hewbb ke%pQ,X/RGEi+4}@~'HY :ve,;UlFSHD %\|4~'an f<7# )vm!<1u!VgO-)/}}(CjJ5?,GGXl"C)t kG\#{f-2z8 ~s?3}^7~j[HZX!S/c `Ql{}6>WC9oLv#{5_fztLi]ka `fm(gk2pLY^iy#~9&Oo7/@<oYE4'~\|3/vq(xHOg3W Ne#("dMQ ]yLKF' 4iETU7~g;>MOEZaqcIpRn kL'}f TUDO?^V&J3eOXW65P,#Z0F@=g.zD5u$V!E~Ywg:T7y9<>'!8y_Q)<G mZ"gb\O#,xHz-%foBNf<#p0'cGoq~rVq `YL-%MiJ]2`=Qv?=h]p[a;Q/a!qzE=SXC8a.Q<+nSpXdN^gkH8^6;osG'YhrCe~d=~Hi7U? ,'XsZ?8kU+1W8n>C [Y_}>Q1#3otd3Yd8jB!$'hh;IqoT\tt{u{lk!w>_ f.{\|[3#"K&fxp&\WXo?u8}c_-jf\|Bsf1-M}t=r)q8R&8 plCTS._XXfHf ]r7G9t[\Ssg,z2Y<kK'{/7i\|agkHV3z{1pj/kHq:53=o<E;.f?^F1}9!.:W^=uQ\ED/{<kF<wCq Cpa=r=)UQ+2jxF}._&_Ng~OJedu`kX#MGz}Xs\KU,"b`+=_U>r%ZeCDDo#"TDg.]>/l=:!7[U<v]p%@Dnw "XjWM1M~Y"bzO= 1~_IlX /urU\]U-"b=s[;`n\m~R51>1~w;/.L/H#k\|K#_^N SDDi:}Tb:}DdRx4Fb=b o/\` #-K!_ "CvoPlc/3oL1/^g)RNf g~_'cXyS?fsab:JI[A01<@%72y/Zf"">^E{ctCrU;OYV>]#6,;uU3}:1:"+n+?XF&F:aaQ?Ya1t){M @]VDND#,`0v@Xl#o.Lg^bo/JB__Kycl,U~;ak0`ap_<UrD{y)lFyb5#N99L !M9uu,VgoEd#_[9aa_/'t& `)7_dw/T!FD,\|n@\|ycXKeiwrk8uF)5)$ C_Dt(yes1.aN70!hD{Rbi%igMM1vTnoF/JdaAF{,s\|7kc3<ux.\g7VZ 5 @-B~jQY =ZRF3!iX:]G3:3 RzYhR\|paom!r4Ut4wZ0WxE+"aWi4.@\|]x !'kbO21)\|Eku 5@#t"X?,`C}?"&2x&vbg Ub0&Gt 'NlbXv9!~\|`[Cw^ {bi)ivo,<gh<Ew~PN"pR wcff0 B01 wq]pHY3> c~l(~B(1!( l~]+XW2;f!e '54# A?_9ypsvpZL1-2avx5p]aC\|?IbaNQPS `sbiFB'3x[b\|ec 9\|Q3A:O=t$WrJm +r$Fr#]cPe~u:qD`W6r[m<r2ED=ml_<a.9r);s`{1^5$1A4[NG~M[()(Rw "Mcr;\jKoE`{\| i9Lj=d,#_{?1,q"UhQJ;@>^y >3"tKbllS wy/Op?$_41bK(&e@c w;SD2/<]y15#$"\|w^7s1aUPJ)-8ix' sSLIwY 6j5Lk#Wg`:P0~4+c?s""N^`g/fMo.En/<Y?".UepTRv;{p^ZJmqdJD)iy9 Fv=sDAa$ZKf-.>\|n _]D ^"6'wB#`nx-#nv@X9V_>2P1;av;;)bit;c-I2kJ-x\+Wb~ ~pf?l1aJ:R8_@!F Qk,gO&Lm+W~q#5i"O"B}~BBi)a8Y=fI;]Gf/gw&>?Wc {O9PKp{758bMp+bvlDy3c(\|,=(F `:wrF+a84uSg_]D=hY7j1?s}6.m7Q&?{J9ch6ng^~SWbp J//0l?x}g"e.s9?=I:^/>s7M/>.u j]u@"B>"bD#40.PA^* &^}Hsx14= h&mdU A0O>DBiF`Az%q&/^WEi?[a=(7`_9.y\>/UFDNbi#3,Twr1g]7D Y0o5 .`c,G?q\~z@Xe %h}W&]7_GWD]a?<MF1rg1'nfJn\ /H[^M{ @ lpY54pkp2qNA#PXg![ u$$IEsc&fSjkl#!\|'~;o5 @D/Mk2\jY15QEUv"CA3Cu!jVak:>eTyx[>+@DoT1)F`_E:T$6e3!THz;Y zHaBKj{S k=6CBUABkh6!&)9c-9TUA5vfEXOhwz!&XLI9Khez}[#_i_V#O7po)5H5/`N\|ryue:yFh``+"&IQ~6IBTYQ]`g! &?k&$& F:hi0ty[ F>4[O;Kga` )i47a&`-#8`Y6lwa?}SFK/il4 \4W\"G"TccD@9 ,zuO#%`ooO?P/ _'/uiF=#PPkNin4,gRcNu;pB E9X]xhzM?,wDfG_7s{3[P akHl2/!oK# G\; aZUFZ-0u=.S4I;].<w//x/(k-UZMl2(+X y.+mQgqstvQx-AS9~{,Y;4/^?$X"_!vqY^ %2[-l-/R# DKhJFRnrJh%]l~_7?tOMJl~u4!`_tRI 6j1Uvdow$OSs ck4heqgZ~~$Y`O(I3jJ+aRKFGdooyW~0LYPTlrA`+? <{IyjvCa?gsaMK I4S+l5o `sl?oQ{@M6ef"tbP @rbIUM ~K.?hM~5t\AJP+$ CM5F94~&4[4:}A5\yY7\wQ)` b-yFEDcD8q "#@D9F$sH""1"DDcD8q "#@D9F$sH""1"DDcD8q "#@D9F$sH""1"DDcD8q "#@D9F$sH""1"DDcD8q "#@D9F$sS"J'j#iuq<L~N~uHV8~ 27S+^jO-Ov!h:c= Z_^%+^LZl#N;T?`Y%zSmPjR74t$j5fc>BwtB5OsPigB)Ge@OOA(\|_A~o?`Z\|gtF_q\HCEc0p~@\|'5_=I;@ECqO;KFZK!dp:\| F..T$P<\|Ha4"8j}_K,/?jv 'hBohDX0\,u#u- ?N>G:#,.PN;K5^$S5,Z?j(21=\B=z(?oj?,ytoAhMvS oKl/5X&8?@>&ca9`D `$p(F(tT@ <z8^@boF?rBq`) #dp4tgD, ` Dp>4AU?#^uH@I: E?~\|.@kSX#P6Iz>`-LOsr$ CYA+#VH(5:le X=OzbR ^PTIo"zm_IV:9!UVl[TbpR#D5]jirL`hZ=+ 2T%VB+-+&1bsUd9T: Q@V~DAYADUgBn`IXC'lX < \8sd90Z Lu, 0UArI 5BjYAN]h:TIq V@?(?hT! c6TEqV @rnU?ja b8i(c8+ Bojz`'k'A)`+JC=ZWuYg/N+X`] W/oVD^5;""iQ-YI_H5(#DP?oSRG</ ~DD/pj8""%V-C6bIENDB`
RT_DIALOG	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0x7c288	462
RT_STRING	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0x7cb9c	106
RT_GROUP_ICON	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0x7cc08	104
RT_MANIFEST	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0x7cc70	1600	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="" name="WinRAR SFX" type="win32"/> <description>WinRAR SFX module</description> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="*"/> </dependentAssembly> </dependency> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"> <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

Bochs & QEmu CPUID Trick

Strings analysis - File found

Temporary
%s.%d.tmp
winrarsfxmappingfile.tmp
Registry
m/server.reg
m/server2.reg
Library
Crypt32.dll
peerdist.dll
msasn1.dll
profapi.dll
RpcRtRemote.dll
sfc_os.dll
XmlLite.dll
USERENV.dll
ntmarta.dll
rasadhlp.dll
mscoree.dll
mlang.dll
cryptsp.dll
linkinfo.dll
UxTheme.dll
imageres.dll
VERSION.dll
cscapi.dll
usp10.dll
wkscli.dll
devrtl.dll
secur32.dll
wintrust.dll
atl.dll
WINNSI.DLL
rsaenh.dll
riched20.dll
comres.dll
cryptui.dll
ntshrui.dll
slc.dll
oleaccrc.dll
PSAPI.DLL
propsys.dll
NETAPI32.dll
aclui.dll
dhcpcsvc6.dll
cryptbase.dll
ws2help.dll
SHELL32.dll
samlib.dll
KERNEL32.dll
shdocvw.dll
dwmapi.dll
cabinet.dll
MPR.dll
WS2_32.dll
WindowsCodecs.dll
dnsapi.dll
SSPICLI.DLL
samcli.dll
apphelp.dll
dfscli.dll
DXGIDebug.dll
dsrole.dll
ieframe.dll
lpk.dll
netutils.dll
clbcatq.dll
dhcpcsvc.dll
IPHLPAPI.DLL
srvcli.dll
browcli.dll
SETUPAPI.dll
ADVAPI32.dll
USER32.dll
COMCTL32.dll
Fole32.dll
SHLWAPI.dll
gdiplus.dll
COMDLG32.dll
GDI32.dll

Strings analysis - Possible URLs found 1

http://schemas.microsoft.com/SMI/2005/WindowsSettings

Import functions

KERNEL32.dll 144 gdiplus.dll 8

Function	Address	Souspicious	Anti Debug
GetLastError	0x140037000
SetLastError	0x140037008
FormatMessageW	0x140037010
GetCurrentProcess	0x140037018
DeviceIoControl	0x140037020
SetFileTime	0x140037028
CloseHandle	0x140037030
CreateDirectoryW	0x140037038
RemoveDirectoryW	0x140037040
CreateFileW	0x140037048
DeleteFileW	0x140037050
CreateHardLinkW	0x140037058
GetShortPathNameW	0x140037060
GetLongPathNameW	0x140037068
MoveFileW	0x140037070
GetFileType	0x140037078
GetStdHandle	0x140037080
WriteFile	0x140037088
ReadFile	0x140037090
FlushFileBuffers	0x140037098
SetEndOfFile	0x1400370a0
SetFilePointer	0x1400370a8
SetFileAttributesW	0x1400370b0
GetFileAttributesW	0x1400370b8
FindClose	0x1400370c0
FindFirstFileW	0x1400370c8
FindNextFileW	0x1400370d0
GetVersionExW	0x1400370d8
GetCurrentDirectoryW	0x1400370e0
GetFullPathNameW	0x1400370e8
FoldStringW	0x1400370f0
GetModuleFileNameW	0x1400370f8
GetModuleHandleW	0x140037100
FindResourceW	0x140037108
FreeLibrary	0x140037110
GetProcAddress	0x140037118
GetCurrentProcessId	0x140037120
ExitProcess	0x140037128
SetThreadExecutionState	0x140037130
Sleep	0x140037138
LoadLibraryW	0x140037140
GetSystemDirectoryW	0x140037148
CompareStringW	0x140037150
AllocConsole	0x140037158
FreeConsole	0x140037160
AttachConsole	0x140037168
WriteConsoleW	0x140037170
GetProcessAffinityMask	0x140037178
CreateThread	0x140037180
SetThreadPriority	0x140037188
InitializeCriticalSection	0x140037190
EnterCriticalSection	0x140037198
LeaveCriticalSection	0x1400371a0
DeleteCriticalSection	0x1400371a8
SetEvent	0x1400371b0
ResetEvent	0x1400371b8
ReleaseSemaphore	0x1400371c0
WaitForSingleObject	0x1400371c8
CreateEventW	0x1400371d0
CreateSemaphoreW	0x1400371d8
GetSystemTime	0x1400371e0
SystemTimeToTzSpecificLocalTime	0x1400371e8
TzSpecificLocalTimeToSystemTime	0x1400371f0
SystemTimeToFileTime	0x1400371f8
FileTimeToLocalFileTime	0x140037200
LocalFileTimeToFileTime	0x140037208
FileTimeToSystemTime	0x140037210
GetCPInfo	0x140037218
IsDBCSLeadByte	0x140037220
MultiByteToWideChar	0x140037228
WideCharToMultiByte	0x140037230
GlobalAlloc	0x140037238
LockResource	0x140037240
GlobalLock	0x140037248
GlobalUnlock	0x140037250
GlobalFree	0x140037258
LoadResource	0x140037260
SizeofResource	0x140037268
SetCurrentDirectoryW	0x140037270
GetExitCodeProcess	0x140037278
GetLocalTime	0x140037280
GetTickCount	0x140037288
MapViewOfFile	0x140037290
UnmapViewOfFile	0x140037298
CreateFileMappingW	0x1400372a0
OpenFileMappingW	0x1400372a8
GetCommandLineW	0x1400372b0
SetEnvironmentVariableW	0x1400372b8
ExpandEnvironmentStringsW	0x1400372c0
GetTempPathW	0x1400372c8
MoveFileExW	0x1400372d0
GetLocaleInfoW	0x1400372d8
GetTimeFormatW	0x1400372e0
GetDateFormatW	0x1400372e8
GetNumberFormatW	0x1400372f0
SetFilePointerEx	0x1400372f8
GetConsoleMode	0x140037300
GetConsoleCP	0x140037308
HeapSize	0x140037310
SetStdHandle	0x140037318
GetProcessHeap	0x140037320
FreeEnvironmentStringsW	0x140037328
RaiseException	0x140037330
GetSystemInfo	0x140037338
VirtualProtect	0x140037340
VirtualQuery	0x140037348
LoadLibraryExA	0x140037350
RtlCaptureContext	0x140037358
RtlLookupFunctionEntry	0x140037360
RtlVirtualUnwind	0x140037368
IsDebuggerPresent	0x140037370
UnhandledExceptionFilter	0x140037378
SetUnhandledExceptionFilter	0x140037380
GetStartupInfoW	0x140037388
IsProcessorFeaturePresent	0x140037390
QueryPerformanceCounter	0x140037398
GetCurrentThreadId	0x1400373a0
GetSystemTimeAsFileTime	0x1400373a8
InitializeSListHead	0x1400373b0
RtlUnwindEx	0x1400373b8
RtlPcToFileHeader	0x1400373c0
EncodePointer	0x1400373c8
InitializeCriticalSectionAndSpinCount	0x1400373d0
TlsAlloc	0x1400373d8
TlsGetValue	0x1400373e0
TlsSetValue	0x1400373e8
TlsFree	0x1400373f0
LoadLibraryExW	0x1400373f8
QueryPerformanceFrequency	0x140037400
TerminateProcess	0x140037408
GetModuleHandleExW	0x140037410
GetModuleFileNameA	0x140037418
GetACP	0x140037420
HeapFree	0x140037428
HeapAlloc	0x140037430
HeapReAlloc	0x140037438
GetStringTypeW	0x140037440
LCMapStringW	0x140037448
FindFirstFileExA	0x140037450
FindNextFileA	0x140037458
IsValidCodePage	0x140037460
GetOEMCP	0x140037468
GetCommandLineA	0x140037470
GetEnvironmentStringsW	0x140037478

Function	Address	Souspicious	Anti Debug
GdiplusShutdown	0x140037488
GdiplusStartup	0x140037490
GdipCreateHBITMAPFromBitmap	0x140037498
GdipCreateBitmapFromStream	0x1400374a0
GdipDisposeImage	0x1400374a8
GdipCloneImage	0x1400374b0
GdipFree	0x1400374b8
GdipAlloc	0x1400374c0

Name	Latest seen	MD5
mac42.exe	2022-11-16 19:40:09	f1ffc56cb65c03961aadcca3e736f466

m2.dat

File details

File features detected

OSINT Enrichments

URLs, FQDN and IP indicators 1

PE Sections 0 suspicious

PE Resources 6

Packers detected 1

Anti debug functions 6

Anti debug functions 1

Strings analysis - File found

Strings analysis - Possible URLs found 1

Import functions

Related files by ImpHash 1 e2a1496c94d52a035fe47259ee6587b7