The following table concerns the file elements we found.

The original file is a UPX-packed Win32 executable file.

The UPX unpacked version gives us this new information about the file:

The program maps an unknown PE file using process hollowing. This PE file contains the following information:

A file downloaded from https://raw.githubusercontent.com/PacktPublishing/Mastering-Reverse-Engineering/master/ch12/manginasal is stored in a file as unknown. Here is the file's information:

The unknown file was decrypted and stored using the filename "imagine", containing the following file information:

To recap what behaviors it executed, here is a step-by-step process:

1. Displays a message box: "How did you get here?"
2. Decrypts a PE image from the resource section
3. Uses process hollowing to replace "calc" with a decrypted PE image

4. Displays a message box: "Learning reversing is fun. For educational purposes only. This is not a malware."
5. Sleeps for 5 minutes
6. Checks the connection to the "mcdo.thecyberdung.net:9999" server
7. Downloads the file from raw.githubusercontent.com
8. Decrypts the downloaded file and outputs of result to a PNG image file.
9. Retrieves the default internet browser path
10. Displays the PNG image file using the default internet browser