Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1376168
MD5:	27b6f3b8e8bdce591e5164edba28584d
SHA1:	3a150c9db17a94feddec8268073336d030b97dad
SHA256:	46d06d06984466e0e8082f8bba8d274c37145ec71f26da0904dd93ea2e7f3087
Tags:	exe
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries keyboard layouts

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

file.exe (PID: 6516 cmdline: C:\Users\user\Desktop\file.exe MD5: 27B6F3B8E8BDCE591E5164EDBA28584D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1989063116.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.file.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: file.exe

Static PE information: certificate valid

Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe	String found in binary or memory: http://epscd.catcert.net/crl/ec-acc.crl0.
Source: file.exe	String found in binary or memory: http://epscd2.catcert.net/crl/ec-acc.crl0
Source: file.exe	String found in binary or memory: http://madExcept.comU
Source: file.exe	String found in binary or memory: http://ocsp.catcert.cat0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: file.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: file.exe	String found in binary or memory: http://www.catcert.cat/descarrega/acc.crt0#
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: https://stats.reportcpanel.com/iusage_v2.php
Source: file.exe	String found in binary or memory: https://www.catcert.cat/verCIT-10
Source: file.exe	String found in binary or memory: https://www.catcert.net/verarrel
Source: file.exe	String found in binary or memory: https://www.itopvpn.com/ied-surveryf

Source: file.exe

Static PE information: Number of sections : 11 > 10

Source: file.exe, 00000000.00000000.1989063116.0000000000447000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000000.1989063116.0000000000447000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: LegalTrademarks OriginalFileName vs file.exe
Source: file.exe, 00000000.00000000.1989407994.0000000000769000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIEDSurvey.exeF vs file.exe
Source: file.exe	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe	Binary or memory string: LegalTrademarks OriginalFileName vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameIEDSurvey.exeF vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: sus23.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1974
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\DPMHelper

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\file.madExcept

Jump to behavior

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1989063116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 250-STARTTLS

Source: file.exe

Static PE information: certificate valid

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 3955760 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x305a00

Source: file.exe	Static PE information: More than 200 imports for user32.dll
Source: file.exe	Static PE information: More than 200 imports for kernel32.dll

Source: file.exe

Static PE information: section name: .didata

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 57B484 value: E9 F3 D3 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 57AE58 value: E9 0B D8 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 56DE98 value: E9 5F F8 12 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 56DEBC value: E9 BF F8 12 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 56DECC value: E9 37 FA 12 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 575FC0 value: E9 0B 7B 12 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 60C8CC value: E9 73 1A 0B 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 664260 value: E9 DB 9B 04 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59C1B8 value: E9 AF 62 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59C084 value: E9 9B 60 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59BFF4 value: E9 03 60 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59DA54 value: E9 EF 44 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59F7A4 value: E9 CB DB 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59F694 value: E9 77 DE 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59CB8C value: E9 FF 65 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59BA0C value: E9 3B 27 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59BAD0 value: E9 CF 24 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59BF10 value: E9 4F 1F 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59BF30 value: E9 B3 1F 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59E838 value: E9 F7 F9 10 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59E93C value: E9 13 FC 10 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59E558 value: E9 07 FE 10 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59E8F8 value: E9 3B FB 10 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 5A3914 value: E9 03 BD 10 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 5A3A00 value: E9 B7 BA 10 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59EC20 value: E9 C7 F6 10 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59B7B8 value: E9 D3 7B 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 65D2E4 value: E9 DB 14 05 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 59A9A8 value: E9 73 3F 11 00	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 6516 base: 5A2470 value: E9 B3 C4 10 00	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: file.exe	Binary or memory string: Shell_TrayWndUser32GetDpiForWindow
Source: file.exe	Binary or memory string: Progman

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Process Injection	1 Credential API Hooking	2 Process Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	Data Obfuscation	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.catcert.net/verarrel	0%	URL Reputation	safe
https://stats.reportcpanel.com/iusage_v2.php	0%	Avira URL Cloud	safe
https://www.itopvpn.com/ied-surveryf	0%	Avira URL Cloud	safe
https://www.catcert.cat/verCIT-10	0%	Avira URL Cloud	safe
http://epscd2.catcert.net/crl/ec-acc.crl0	0%	Avira URL Cloud	safe
http://madExcept.comU	0%	Avira URL Cloud	safe
http://ocsp.catcert.cat0	0%	Avira URL Cloud	safe
http://www.catcert.cat/descarrega/acc.crt0#	0%	Avira URL Cloud	safe
http://epscd.catcert.net/crl/ec-acc.crl0.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.catcert.cat/descarrega/acc.crt0#	file.exe	false	Avira URL Cloud: safe	unknown
https://stats.reportcpanel.com/iusage_v2.php	file.exe	false	Avira URL Cloud: safe	unknown
https://www.itopvpn.com/ied-surveryf	file.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.catcert.cat0	file.exe	false	Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel	file.exe	false	URL Reputation: safe	unknown
http://epscd.catcert.net/crl/ec-acc.crl0.	file.exe	false	Avira URL Cloud: safe	unknown
https://www.catcert.cat/verCIT-10	file.exe	false	Avira URL Cloud: safe	unknown
http://epscd2.catcert.net/crl/ec-acc.crl0	file.exe	false	Avira URL Cloud: safe	unknown
http://madExcept.comU	file.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	file.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1376168
Start date and time:	2024-01-17 16:58:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	SUS
Classification:	sus23.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target file.exe, PID 6516 because there are no executed function
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.770270000311977
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	file.exe
File size:	3'955'760 bytes
MD5:	27b6f3b8e8bdce591e5164edba28584d
SHA1:	3a150c9db17a94feddec8268073336d030b97dad
SHA256:	46d06d06984466e0e8082f8bba8d274c37145ec71f26da0904dd93ea2e7f3087
SHA512:	f91aea8e4dc987703926fef287178fc680d450597ad524ea0ca44255c7e3e7127c5dce8362be2f241d7a7aace2b7760467bdfc6117ce467d2bc1459045bb842f
SSDEEP:	49152:QDdgK6jyazbFza8IBn2cpi7cSgWVh07Z2GBc024xF6QKRTTzLAUd+JOugbW:+OK62azbMB2kZ2rUF6QKR3Vd+JAb
TLSH:	04066C23F345A43BD0671A3A987793A0983FBB316956AC577EF41C4C4F39A81293B607
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	4dececfccccccc01

Static PE Info

General

Entrypoint:	0x708e4c
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x653882A1 [Wed Oct 25 02:51:13 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d616587ce45db3428d976ab19d1f3438

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	25/10/2023 02:00:00 27/10/2026 00:59:59
Subject Chain	CN=ORANGE VIEW LIMITED, O=ORANGE VIEW LIMITED, L=Kowloon, C=HK, SERIALNUMBER=2770852, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=HK
Version:	3
Thumbprint MD5:	6BEDBA3AAEEB1A50C5025F4F56DC18F3
Thumbprint SHA-1:	354338515A6E3E631093C2F922405132FA9A2DBB
Thumbprint SHA-256:	38C85F29040D4C184D4E4F6D3126496F15A5E5F196433C10E99E21563CDADFCB
Serial:	0A249111115AEF70A2800BAA9217EF6D

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 00000005h
push 00000000h
push 00000000h
dec ecx
jne 00007F4170DCA5BBh
push ebx
mov eax, 006FF49Ch
call 00007F4170AD0467h
xor eax, eax
push ebp
push 00709005h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00709014h
push FFFFFFFFh
push 00000000h
call 00007F4170AD4277h
mov ebx, eax
lea edx, dword ptr [ebp-28h]
xor eax, eax
call 00007F4170AC803Fh
mov eax, dword ptr [ebp-28h]
lea edx, dword ptr [ebp-24h]
call 00007F4170B13DA0h
lea eax, dword ptr [ebp-24h]
mov edx, 00709034h
call 00007F4170ACC4EFh
mov eax, dword ptr [ebp-24h]
xor edx, edx
call 00007F4170D971C1h
test al, al
je 00007F4170DCA5CCh
mov eax, 006E4EF4h
call 00007F4170D9768Bh
call 00007F4170DC0866h
test al, al
jne 00007F4170DCA6E5h
call 00007F4170AD44ADh
cmp eax, 000000B7h
je 00007F4170DCA6CFh
lea eax, dword ptr [ebp-14h]
mov edx, 00709070h
call 00007F4170ACB765h
lea edx, dword ptr [ebp-18h]
mov eax, 00000001h
call 00007F4170AC7FD8h
mov eax, dword ptr [ebp-14h]
cmp eax, dword ptr [ebp-18h]
jne 00007F4170DCA5C6h
mov al, 01h
jmp 00007F4170DCA5E2h
cmp dword ptr [ebp-14h], 00000000h
je 00007F4170DCA5C8h
cmp dword ptr [ebp-18h], 00000000h
jne 00007F4170DCA5C6h
xor eax, eax
jmp 00007F4170DCA5D2h
mov edx, dword ptr [ebp-18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x366000	0x50	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x360000	0x4488	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a5000	0x69410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3c0e00	0x4e30	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x369000	0x3ba34	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x368000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x360bb4	0xa9c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x365000	0x944	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x305834	0x305a00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x307000	0x209c	0x2200	False	0.5314797794117647	data	6.211533774923295	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x30a000	0xe6ac	0xe800	False	0.5351730872844828	data	6.19157612897437	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x319000	0x46a54	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x360000	0x4488	0x4600	False	0.30362723214285714	PDP-11 overlaid pure executable	5.20156645904221	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x365000	0x944	0xa00	False	0.351171875	data	4.069790185331062	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x366000	0x50	0x200	False	0.13671875	data	0.8942524260212368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x367000	0x65c	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x368000	0x18	0x200	False	0.0546875	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x369000	0x3ba34	0x3bc00	False	0.5838250196129707	data	6.735654485203693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x3a5000	0x69410	0x69600	False	0.5443866770462633	data	7.126317927760289	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MAD	0x3a63a4	0x14	data			1.25
MAD	0x3a63b8	0x286b4	data			1.000368455386697
RT_CURSOR	0x3cea6c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x3ceba0	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x3cecd4	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x3cee08	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x3cef3c	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x3cf070	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x3cf1a4	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x3cf2d8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x3cf4a8	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x3cf68c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x3cf85c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x3cfa2c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x3cfbfc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x3cfdcc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x3cff9c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x3d016c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x3d033c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x3d050c	0x1028	Device independent bitmap graphic, 32 x 32 x 32, image size 4096			0.41392649903288203
RT_BITMAP	0x3d1534	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.2161654135338346
RT_BITMAP	0x3d195c	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.5018796992481203
RT_BITMAP	0x3d1d84	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.3167293233082707
RT_BITMAP	0x3d21ac	0x1028	Device independent bitmap graphic, 32 x 32 x 32, image size 4096			0.5548839458413927
RT_BITMAP	0x3d31d4	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.5582706766917294
RT_BITMAP	0x3d35fc	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.48402255639097747
RT_BITMAP	0x3d3a24	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.5469924812030075
RT_BITMAP	0x3d3e4c	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.4906015037593985
RT_BITMAP	0x3d4274	0x1028	Device independent bitmap graphic, 32 x 32 x 32, image size 4096			0.3034332688588008
RT_BITMAP	0x3d529c	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.48872180451127817
RT_ICON	0x3d56c4	0x2774	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9957425742574257
RT_ICON	0x3d7e38	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.11229740920383297
RT_ICON	0x3e8660	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.1606842547824259
RT_ICON	0x3f1b08	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.21104436229205176
RT_ICON	0x3f6f90	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.2375413320736892
RT_ICON	0x3fb1b8	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 14880	English	United States	0.26005361930294907
RT_ICON	0x3fec00	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3196058091286307
RT_ICON	0x4011a8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	United States	0.36863905325443785
RT_ICON	0x402c10	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4892120075046904
RT_ICON	0x403cb8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6012295081967213
RT_ICON	0x404640	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	United States	0.6813953488372093
RT_ICON	0x404cf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5416666666666666
RT_STRING	0x405160	0x3fc	data			0.40588235294117647
RT_STRING	0x40555c	0xb5c	data			0.24793672627235214
RT_STRING	0x4060b8	0x448	data			0.36496350364963503
RT_STRING	0x406500	0x38c	data			0.31167400881057267
RT_STRING	0x40688c	0x3cc	data			0.4434156378600823
RT_STRING	0x406c58	0x324	data			0.44402985074626866
RT_STRING	0x406f7c	0xac	data			0.7209302325581395
RT_STRING	0x407028	0xec	data			0.6398305084745762
RT_STRING	0x407114	0x198	data			0.5294117647058824
RT_STRING	0x4072ac	0x3e8	data			0.38
RT_STRING	0x407694	0x3f0	data			0.3888888888888889
RT_STRING	0x407a84	0x4f0	data			0.30063291139240506
RT_STRING	0x407f74	0x2ac	data			0.3654970760233918
RT_STRING	0x408220	0x408	data			0.39825581395348836
RT_STRING	0x408628	0x680	data			0.3251201923076923
RT_STRING	0x408ca8	0x4b4	data			0.3089700996677741
RT_STRING	0x40915c	0x300	data			0.40625
RT_STRING	0x40945c	0x36c	data			0.363013698630137
RT_STRING	0x4097c8	0x3e0	data			0.40524193548387094
RT_STRING	0x409ba8	0x290	data			0.4024390243902439
RT_STRING	0x409e38	0xc0	data			0.625
RT_STRING	0x409ef8	0x9c	data			0.6282051282051282
RT_STRING	0x409f94	0x338	data			0.4368932038834951
RT_STRING	0x40a2cc	0x48c	data			0.2920962199312715
RT_STRING	0x40a758	0x354	data			0.4107981220657277
RT_STRING	0x40aaac	0x2c4	data			0.4392655367231638
RT_RCDATA	0x40ad70	0x10	data			1.5
RT_RCDATA	0x40ad80	0x8fc	data			0.5543478260869565
RT_RCDATA	0x40b67c	0x2	data	English	United States	5.0
RT_RCDATA	0x40b680	0xb65	Delphi compiled form 'TMadExcept'			0.46726088447034625
RT_RCDATA	0x40c1e8	0x34e	Delphi compiled form 'TMEContactForm'			0.43498817966903075
RT_RCDATA	0x40c538	0x22d	Delphi compiled form 'TMEDetailsForm'			0.5457809694793537
RT_RCDATA	0x40c768	0x2a3	Delphi compiled form 'TMEScrShotForm'			0.5333333333333333
RT_RCDATA	0x40ca0c	0xe2a	Delphi compiled form 'TSurveyForm'			0.3808604522890237
RT_GROUP_CURSOR	0x40d838	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x40d84c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x40d860	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x40d874	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x40d888	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x40d89c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x40d8b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x40d8c4	0xae	data	English	United States	0.7126436781609196
RT_VERSION	0x40d974	0x2f8	data	English	United States	0.45921052631578946
RT_MANIFEST	0x40dc6c	0x7a2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3556806550665302

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit, GetErrorInfo
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, SetSecurityDescriptorDacl, RegUnLoadKeyW, RegSetValueExA, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExA, RegQueryInfoKeyA, RegQueryInfoKeyW, RegOpenKeyExA, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyA, RegEnumKeyExW, RegDeleteValueA, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExA, RegCreateKeyExW, RegConnectRegistryW, OpenProcessToken, InitializeSecurityDescriptor, GetUserNameA, GetUserNameW, GetTokenInformation, FreeSid, AllocateAndInitializeSid
user32.dll	MessageBoxA, CharNextW, LoadStringW, SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExA, CreateWindowExW, WindowFromPoint, WaitMessage, ValidateRect, UpdateLayeredWindow, UpdateWindow, UnregisterClassA, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextA, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageTimeoutA, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassA, RegisterClassW, RedrawWindow, PtInRect, PostThreadMessageA, PostThreadMessageW, PostQuitMessage, PostMessageA, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadKeyboardLayoutW, LoadImageA, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMessageA, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowA, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextA, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharLowerBuffW, CharLowerW, CallWindowProcA, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AttachThreadInput, AdjustWindowRectEx, ActivateKeyboardLayout, EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow, GetWindowRgnBox
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, lstrcpynW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, SetCurrentDirectoryW, GetCurrentDirectoryW, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle, LoadLibraryA, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, lstrcmpiW, lstrcmpA, lstrcmpW, WriteProcessMemory, WritePrivateProfileStringW, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualProtect, UnmapViewOfFile, TryEnterCriticalSection, TerminateThread, TerminateProcess, SystemTimeToFileTime, SuspendThread, SizeofResource, SetUnhandledExceptionFilter, SetThreadPriority, SetLastError, SetFileAttributesA, SetFileAttributesW, SetEvent, SetErrorMode, ResumeThread, ResetEvent, RemoveDirectoryA, RemoveDirectoryW, ReleaseMutex, ReadProcessMemory, QueryPerformanceFrequency, QueryDosDeviceW, IsDebuggerPresent, OutputDebugStringW, OpenProcess, OpenFileMappingA, OpenFileMappingW, MulDiv, MoveFileW, MapViewOfFile, LockResource, LocalSize, LoadResource, LoadLibraryExA, LoadLibraryW, IsBadReadPtr, IsBadCodePtr, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryA, GetVolumeInformationW, GetVersionExA, GetVersionExW, GetThreadPriority, GetThreadLocale, GetThreadContext, GetTempPathA, GetTempPathW, GetSystemTime, GetSystemTimes, GetSystemDirectoryW, GetPrivateProfileStringW, GetPriorityClass, GetModuleHandleA, GetModuleFileNameA, GetLogicalDriveStringsW, GetLocaleInfoA, GetLocalTime, GetFullPathNameW, GetFileTime, GetFileAttributesA, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetComputerNameA, GetComputerNameW, GetCommandLineA, GetCPInfoExW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FormatMessageA, FormatMessageW, FlushInstructionCache, FindResourceA, FindResourceW, FindNextFileA, FindNextFileW, FindFirstFileA, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, DuplicateHandle, DeleteFileA, DeleteFileW, CreateProcessA, CreateProcessW, CreatePipe, CreateMutexA, CreateMutexW, CreateFileMappingA, CreateFileMappingW, CreateFileA, CreateEventA, CreateEventW, CreateDirectoryA, CreateDirectoryW, CopyFileA, CopyFileW, CompareStringA, Beep, VerSetConditionMask, VerifyVersionInfoW
gdi32.dll	UnrealizeObject, TextOutA, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocA, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixelV, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBitsToDevice, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, OffsetViewportOrgEx, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsW, GetTextFaceA, GetTextExtentPointW, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextExtentExPointW, GetTextColor, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetROP2, GetPixel, GetPaletteEntries, GetObjectType, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetCurrentObject, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateFontA, CreateFontW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueA, VerQueryValueW, GetFileVersionInfoSizeA, GetFileVersionInfoSizeW, GetFileVersionInfoA, GetFileVersionInfoW
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	SHGetFileInfoW, ShellExecuteExA, ShellExecuteExW, ShellExecuteA, ShellExecuteW, Shell_NotifyIconW, SHGetSpecialFolderPathW, SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetMalloc
comdlg32.dll	PrintDlgW, GetSaveFileNameA, GetSaveFileNameW
wsock32.dll	WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, setsockopt, sendto, send, select, recvfrom, recv, ioctlsocket, inet_addr, htons, connect, closesocket, bind
msvcrt.dll	memset, memcpy
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter, GetDefaultPrinterW

Exports

Name	Ordinal	Address
madTraceProcess	1	0x4a7004

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• file.exe

Click to jump to process

Memory Usage

• file.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: file.exePID: 6516, Parent PID: 1028

Function Logs

General

Target ID:	0
Start time:	16:58:51
Start date:	17/01/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	3'955'760 bytes
MD5 hash:	27B6F3B8E8BDCE591E5164EDBA28584D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1989063116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Information Set

Process Terminated

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Read

Memory Written

Memory Allocated

Memory Protection Changed

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 6516, Parent PID: 1028

General

File Activities

File Opened

File Created

Windows Analysis Report
file.exe