Edit tour

Windows Analysis Report
WEBEX.exe

Overview

General Information

Sample name:	WEBEX.exe
Analysis ID:	1377264
MD5:	d78f6f3417ecd210bcb5ac89af6189d9
SHA1:	b6cffa91d664ab7b66a211b59d53278f6a3d00e1
SHA256:	14a4578d6e4ec9d68c953b9c2fd5b2bd7c08b9afd88de63608222eec18187474
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

Uses 32bit PE files

Classification

Analysis Advice

Sample searches for specific file, try point organization specific fake files to the analysis machine

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

WEBEX.exe (PID: 6252 cmdline: C:\Users\user\Desktop\WEBEX.exe MD5: D78F6F3417ECD210BCB5AC89AF6189D9)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WEBEX.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2080833239.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.WEBEX.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\WEBEX.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION WEBEX.exe			Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION WEBEX.exe			Jump to behavior

Source: WEBEX.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini	Jump to behavior

Source: WEBEX.exe	String found in binary or memory: http://active.macromedia.com/flash2/cabs/swflash.cab#version=3
Source: WEBEX.exe	String found in binary or memory: http://www.example/webex/download/WEBEX999.exe
Source: WEBEX.exe	String found in binary or memory: http://www.example/webex/index.html
Source: WEBEX.exe	String found in binary or memory: http://www.lorriman.com
Source: WEBEX.exe	String found in binary or memory: http://www.macromedia.com/jp/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash
Source: WEBEX.exe	String found in binary or memory: http://www.sitemaps.org/schemas/sitemap/0.9
Source: WEBEX.exe	String found in binary or memory: http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd
Source: WEBEX.exe	String found in binary or memory: http://www.website_explorer.com/search?

Source: C:\Users\user\Desktop\WEBEX.exe

Section loaded: svrapi.dll

Jump to behavior

Source: WEBEX.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean2.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\WEBEX.exe

File created: C:\Users\user\Desktop\WEBEX.ini

Jump to behavior

Source: C:\Users\user\Desktop\WEBEX.exe

Mutant created: \Sessions\1\BaseNamedObjects\hWEBEX

Source: Yara match	File source: WEBEX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.WEBEX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2080833239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\WEBEX.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\6.0\FileFormat			Jump to behavior

Source: C:\Users\user\Desktop\WEBEX.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\WEBEX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WEBEX.exe	String found in binary or memory: <html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: WEBEX.exe	String found in binary or memory: n<html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: WEBEX.exe	String found in binary or memory: /Address family not supported by protocol family
Source: WEBEX.exe	String found in binary or memory: Start/Stop Count
Source: WEBEX.exe	String found in binary or memory: Start/Stop Count

Source: C:\Users\user\Desktop\WEBEX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\WEBEX.exe

File written: C:\Users\user\Desktop\WEBEX.ini

Jump to behavior

Source: C:\Users\user\Desktop\WEBEX.exe

Window found: window name: TComboBox

Jump to behavior

Source: C:\Users\user\Desktop\WEBEX.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: WEBEX.exe

Static file information: File size 5708800 > 1048576

Source: WEBEX.exe	Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x2f5c00
Source: WEBEX.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x243c00

Source: WEBEX.exe

Static PE information: More than 200 imports for user32.dll

Source: C:\Users\user\Desktop\WEBEX.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 62E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 55D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 66F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 6710000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 6730000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 6750000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 5C70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 5F40000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 60C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 6100000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: A7B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: A7D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Memory allocated: 50F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini	Jump to behavior

Source: WEBEX.exe	Binary or memory string: Microsoft Hyper-V Server
Source: WEBEX.exe	Binary or memory string: ;Server Standard Edition without Hyper-V (full installation)
Source: WEBEX.exe	Binary or memory string: Server Datacenter Edition without Hyper-V (core installation)
Source: WEBEX.exe	Binary or memory string: =Server Enterprise Edition without Hyper-V (core installation)
Source: WEBEX.exe	Binary or memory string: Server Enterprise Edition without Hyper-V (full installation)
Source: WEBEX.exe	Binary or memory string: Server Standard Edition without Hyper-V (core installation)
Source: WEBEX.exe	Binary or memory string: Server Datacenter Edition without Hyper-V (full installation)
Source: WEBEX.exe	Binary or memory string: ;Server Standard Edition without Hyper-V (core installation)
Source: WEBEX.exe	Binary or memory string: =Server Datacenter Edition without Hyper-V (full installation)
Source: WEBEX.exe	Binary or memory string: =Server Enterprise Edition without Hyper-V (full installation)
Source: WEBEX.exe	Binary or memory string: =Server Datacenter Edition without Hyper-V (core installation)
Source: WEBEX.exe	Binary or memory string: Server Enterprise Edition without Hyper-V (core installation)
Source: WEBEX.exe	Binary or memory string: Windows Server 2008 without Hyper-V for Windows Essential Server Solutions
Source: WEBEX.exe	Binary or memory string: JWindows Server 2008 without Hyper-V for Windows Essential Server Solutions
Source: WEBEX.exe	Binary or memory string: Server Standard Edition without Hyper-V (full installation)

Source: C:\Users\user\Desktop\WEBEX.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\WEBEX.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION			Jump to behavior
Source: C:\Users\user\Desktop\WEBEX.exe	Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Modify Registry	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Scripting	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WEBEX.exe	0%	ReversingLabs
WEBEX.exe	3%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.lorriman.com	0%	Avira URL Cloud	safe
http://www.example/webex/download/WEBEX999.exe	0%	Avira URL Cloud	safe
http://www.example/webex/index.html	0%	Avira URL Cloud	safe
http://www.lorriman.com	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.sitemaps.org/schemas/sitemap/0.9	WEBEX.exe	false		high
http://www.example/webex/index.html	WEBEX.exe	false	Avira URL Cloud: safe	unknown
http://www.lorriman.com	WEBEX.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://active.macromedia.com/flash2/cabs/swflash.cab#version=3	WEBEX.exe	false		high
http://www.macromedia.com/jp/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash	WEBEX.exe	false		high
http://www.example/webex/download/WEBEX999.exe	WEBEX.exe	false	Avira URL Cloud: safe	unknown
http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd	WEBEX.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1377264
Start date and time:	2024-01-19 08:09:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WEBEX.exe
Detection:	CLEAN
Classification:	clean2.winEXE@1/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WEBEX.exe, PID 6252 because there are no executed function
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:11:10	API Interceptor	47x Sleep call for process: WEBEX.exe modified

Process:	C:\Users\user\Desktop\WEBEX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	87
Entropy (8bit):	5.231929168994807
Encrypted:	false
SSDEEP:	3:mALjVwKW8QOQJAPIKKRLVFUZER2FomcMsgyn:3dwKWBBy9QVFU6y6dn
MD5:	AA5DA47ADF412A61EFEA1809F31A4B62
SHA1:	E77E45AB80CEB9598DCBF45F775A19D7E3F2B8CA
SHA-256:	2A302501AD50D132210A79771838544E4A891ABFE33C2D11E46E081C759DF8EB
SHA-512:	ADFFC959F224FBC013C7DB62450C4822FB041F06F1D0EFCD1D32EE4FA8E4809378B37AF047160A57AEFD49B1A16DD4E6555A1C67488428B7262B1BB4BE3CB7E1
Malicious:	false
Reputation:	low
Preview:	[Agent Names]..WXplr/0.9.9.25=Default..Mozilla/4.0 (compatible; MSIE 8.0; Win32)=MSIE..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.361196716081152
TrID:	Win32 Executable (generic) a (10002005/4) 89.11% Win32 Executable Borland Delphi 7 (665061/41) 5.93% Win32 Executable Borland Delphi 5 (451725/56) 4.02% InstallShield setup (43055/19) 0.38% Win32 EXE PECompact compressed (generic) (41571/9) 0.37%
File name:	WEBEX.exe
File size:	5'708'800 bytes
MD5:	d78f6f3417ecd210bcb5ac89af6189d9
SHA1:	b6cffa91d664ab7b66a211b59d53278f6a3d00e1
SHA256:	14a4578d6e4ec9d68c953b9c2fd5b2bd7c08b9afd88de63608222eec18187474
SHA512:	d7f4dbe455c42fca0c5f9413eb94139d469b4effb3b14e635429ba276a5ae037dd0ff61da86150ec81f8755a347bfeed3d03edaffa19b121aea287ba37ff790c
SSDEEP:	98304:QpL4lWxpTDTeyG9TiCpalKuOoW/zoIr3auQLm:SL4lWxlTesmalKu3B
TLSH:	BC46C51175D1C83ED02639F48F06B2A85658E9F79B34594336A82ECDFBB828179F1D83
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	c4b2b278cece0182

Static PE Info

General

Entrypoint:	0x6f6220
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0219b3a53ff723e6b009101fd8a5c72e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 00000005h
push 00000000h
push 00000000h
dec ecx
jne 00007F2FA8F99C8Bh
push ebx
push esi
push edi
mov eax, 006F5A18h
call 00007F2FA8CAB281h
xor eax, eax
push ebp
push 006F6825h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
lea edx, dword ptr [ebp-18h]
mov eax, dword ptr [00701B28h]
mov eax, dword ptr [eax]
call 00007F2FA8D27538h
mov eax, dword ptr [ebp-18h]
lea edx, dword ptr [ebp-14h]
call 00007F2FA8CAEB85h
lea eax, dword ptr [ebp-14h]
mov edx, 006F683Ch
call 00007F2FA8CA8C70h
mov ecx, dword ptr [ebp-14h]
mov dl, 01h
mov eax, dword ptr [00485038h]
call 00007F2FA8D28AFDh
mov dword ptr [00703B18h], eax
xor eax, eax
push ebp
push 006F62BBh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000000h
mov ecx, 006F6850h
mov edx, 006F6868h
mov eax, dword ptr [00703B18h]
mov ebx, dword ptr [eax]
call dword ptr [ebx+10h]
mov edx, dword ptr [00701994h]
mov byte ptr [edx], al
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007F2FA8F99CA6h
jmp 00007F2FA8CA7F1Dh
mov eax, dword ptr [00703B18h]
call 00007F2FA8CA7A33h
call 00007F2FA8CA833Ah
push 006F6870h
push 00000000h
push 001F0001h
call 00007F2FA8CAB9ADh
mov dword ptr [00703B14h], eax
mov eax, dword ptr [00001994h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x304000	0x3d14	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x334000	0x243c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x30a000	0x29078	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x309000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x2f5a60	0x2f5c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x2f7000	0xade0	0xae00	False	0.5573590158045977	data	6.0906486090952034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x302000	0x1b29	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x304000	0x3d14	0x3e00	False	0.35590977822580644	data	4.899457897574988	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x308000	0x94	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x309000	0x18	0x200	False	0.048828125	data	0.2005819074398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x30a000	0x29078	0x29200	False	0.5793598024316109	data	6.708017301041456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x334000	0x243c00	0x243c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0x336d20	0xc99	RIFF (little-endian) data, AVI, 41 x 32, 15.00 fps, video: RLE 8bpp			0.19689922480620156
AVI	0x3379bc	0x593c	RIFF (little-endian) data, AVI, 24 x 25, 10.00 fps, video:			0.3083960777447032
AVI	0x33d2f8	0x548b	RIFF (little-endian) data, AVI, 65 x 64, 10.00 fps, video: RLE 8bpp			0.19756965300559073
WAVE	0x342784	0x26504	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz	Japanese	Japan	0.8796548823694339
WAVE	0x368c88	0x26504	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz	Japanese	Japan	0.8796485101827544
RT_CURSOR	0x38f18c	0x134	data			0.44805194805194803
RT_CURSOR	0x38f2c0	0x134	data	Japanese	Japan	0.4642857142857143
RT_CURSOR	0x38f3f4	0x134	data	Japanese	Japan	0.4805194805194805
RT_CURSOR	0x38f528	0x134	data	Japanese	Japan	0.38311688311688313
RT_CURSOR	0x38f65c	0x134	data	Japanese	Japan	0.36038961038961037
RT_CURSOR	0x38f790	0x134	data	Japanese	Japan	0.4090909090909091
RT_CURSOR	0x38f8c4	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Japanese	Japan	0.4967532467532468
RT_CURSOR	0x38f9f8	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19385026737967914
RT_CURSOR	0x38fce4	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.18716577540106952
RT_CURSOR	0x38ffd0	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.2179144385026738
RT_CURSOR	0x3902bc	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.21122994652406418
RT_CURSOR	0x3905a8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967064, 3584 elements, 2nd "\377\270w\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	German	Germany	0.32792207792207795
RT_CURSOR	0x3906dc	0x134	data			0.37337662337662336
RT_CURSOR	0x390810	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.32792207792207795
RT_CURSOR	0x390944	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	German	Germany	0.5292207792207793
RT_CURSOR	0x390a78	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.18983957219251338
RT_CURSOR	0x390d64	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19117647058823528
RT_CURSOR	0x391050	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19786096256684493
RT_CURSOR	0x39133c	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.18983957219251338
RT_CURSOR	0x391628	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19518716577540107
RT_CURSOR	0x391914	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19518716577540107
RT_CURSOR	0x391c00	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Japanese	Japan	0.38636363636363635
RT_BITMAP	0x391d34	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	Japanese	Japan	0.43103448275862066
RT_BITMAP	0x391f04	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	Japanese	Japan	0.46487603305785125
RT_BITMAP	0x3920e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	Japanese	Japan	0.43103448275862066
RT_BITMAP	0x3922b8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	Japanese	Japan	0.39870689655172414
RT_BITMAP	0x392488	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	Japanese	Japan	0.4245689655172414
RT_BITMAP	0x392658	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	Japanese	Japan	0.5021551724137931
RT_BITMAP	0x392828	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	Japanese	Japan	0.5064655172413793
RT_BITMAP	0x3929f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	Japanese	Japan	0.39655172413793105
RT_BITMAP	0x392bc8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	Japanese	Japan	0.5344827586206896
RT_BITMAP	0x392d98	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	Japanese	Japan	0.39655172413793105
RT_BITMAP	0x392f68	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	Japanese	Japan	0.5208333333333334
RT_BITMAP	0x393028	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	Japanese	Japan	0.42857142857142855
RT_BITMAP	0x393108	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	Japanese	Japan	0.4955357142857143
RT_BITMAP	0x3931e8	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.5472972972972973
RT_BITMAP	0x39327c	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.527027027027027
RT_BITMAP	0x393310	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.6148648648648649
RT_BITMAP	0x3933a4	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.5945945945945946
RT_BITMAP	0x393438	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.581081081081081
RT_BITMAP	0x3934cc	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.6013513513513513
RT_BITMAP	0x393560	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.581081081081081
RT_BITMAP	0x3935f4	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.5675675675675675
RT_BITMAP	0x393688	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.5472972972972973
RT_BITMAP	0x39371c	0x94	Device independent bitmap graphic, 8 x 11 x 4, image size 44, 16 important colors			0.6013513513513513
RT_BITMAP	0x3937b0	0xb0	Device independent bitmap graphic, 9 x 9 x 4, image size 72	English	United States	0.3977272727272727
RT_BITMAP	0x393860	0xb0	Device independent bitmap graphic, 9 x 9 x 4, image size 72	English	United States	0.42613636363636365
RT_BITMAP	0x393910	0xa28	Device independent bitmap graphic, 96 x 16 x 8, image size 1536			0.24884615384615386
RT_BITMAP	0x394338	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88, 16 important colors			0.3958333333333333
RT_BITMAP	0x3943f8	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88, 16 important colors			0.4791666666666667
RT_BITMAP	0x3944b8	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88, 16 important colors			0.5052083333333334
RT_BITMAP	0x394578	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88, 16 important colors			0.421875
RT_BITMAP	0x394638	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88, 16 important colors			0.4322916666666667
RT_BITMAP	0x3946f8	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88, 16 important colors			0.46875
RT_BITMAP	0x3947b8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	Japanese	Japan	0.38392857142857145
RT_BITMAP	0x394898	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	Japanese	Japan	0.4947916666666667
RT_BITMAP	0x394958	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	Japanese	Japan	0.484375
RT_BITMAP	0x394a18	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	Japanese	Japan	0.42410714285714285
RT_BITMAP	0x394af8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	Japanese	Japan	0.5104166666666666
RT_BITMAP	0x394bb8	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Japanese	Japan	0.29
RT_BITMAP	0x394c80	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	Japanese	Japan	0.5
RT_BITMAP	0x394d60	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	Japanese	Japan	0.4870689655172414
RT_BITMAP	0x394e48	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	Japanese	Japan	0.4895833333333333
RT_BITMAP	0x394f08	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.31896551724137934
RT_BITMAP	0x394ff0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.3275862068965517
RT_BITMAP	0x3950d8	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Japanese	Japan	0.3877551020408163
RT_BITMAP	0x395260	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Chinese	China	0.3673469387755102
RT_BITMAP	0x3953e8	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Chinese	China	0.41836734693877553
RT_BITMAP	0x395570	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Chinese	China	0.37755102040816324
RT_BITMAP	0x3956f8	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Chinese	China	0.461734693877551
RT_BITMAP	0x395880	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Chinese	China	0.3852040816326531
RT_BITMAP	0x395a08	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Chinese	China	0.3622448979591837
RT_BITMAP	0x395b90	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Chinese	China	0.3826530612244898
RT_BITMAP	0x395d18	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Italian	Italy	0.32142857142857145
RT_BITMAP	0x395ea0	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Japanese	Japan	0.49
RT_BITMAP	0x395f68	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	Japanese	Japan	0.3794642857142857
RT_BITMAP	0x396048	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.1089588377723971
RT_BITMAP	0x396d30	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.10714285714285714
RT_BITMAP	0x397a18	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.0950363196125908
RT_BITMAP	0x398700	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512			0.21266233766233766
RT_BITMAP	0x398968	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512			0.17207792207792208
RT_BITMAP	0x398bd0	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512			0.1672077922077922
RT_BITMAP	0x398e38	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.11955205811138014
RT_BITMAP	0x399b20	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.11561743341404358
RT_BITMAP	0x39a808	0xd28	Device independent bitmap graphic, 144 x 16 x 8, image size 2304			0.23634204275534443
RT_BITMAP	0x39b530	0x4b2a	Device independent bitmap graphic, 400 x 16 x 24, image size 0, resolution 2834 x 2834 px/m			0.2749194470429269
RT_BITMAP	0x3a005c	0x126	Device independent bitmap graphic, 9 x 9 x 24, image size 0, resolution 2834 x 2834 px/m			0.5850340136054422
RT_BITMAP	0x3a0184	0x126	Device independent bitmap graphic, 9 x 9 x 24, image size 0, resolution 2834 x 2834 px/m			0.5918367346938775
RT_ICON	0x3a02ac	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Japanese	Japan	0.32526881720430106
RT_ICON	0x3a0594	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Japanese	Japan	0.3790322580645161
RT_DIALOG	0x3a087c	0x52	data			0.7682926829268293
RT_STRING	0x3a08d0	0x88	data			0.47794117647058826
RT_STRING	0x3a0958	0x320	data			0.41875
RT_STRING	0x3a0c78	0x484	data			0.356401384083045
RT_STRING	0x3a10fc	0x334	data			0.41097560975609754
RT_STRING	0x3a1430	0x334	data			0.41585365853658535
RT_STRING	0x3a1764	0x424	data			0.5330188679245284
RT_STRING	0x3a1b88	0x568	data			0.4393063583815029
RT_STRING	0x3a20f0	0x390	data			0.5427631578947368
RT_STRING	0x3a2480	0x318	data			0.6123737373737373
RT_STRING	0x3a2798	0x170	data			0.720108695652174
RT_STRING	0x3a2908	0xf0	data			0.65
RT_STRING	0x3a29f8	0x124	data			0.7945205479452054
RT_STRING	0x3a2b1c	0x1e0	data			0.6625
RT_STRING	0x3a2cfc	0x348	AmigaOS bitmap font "\3410\3740\2700n0n\177M0\333cH0L0g0M0~0[0\2230\031", fc_YSize 32304, 42032 elements			0.5869047619047619
RT_STRING	0x3a3044	0x2d4	data			0.611878453038674
RT_STRING	0x3a3318	0x250	data			0.6199324324324325
RT_STRING	0x3a3568	0x240	data			0.53125
RT_STRING	0x3a37a8	0x1d4	data			0.655982905982906
RT_STRING	0x3a397c	0xec	data			0.5550847457627118
RT_STRING	0x3a3a68	0x148	data			0.7347560975609756
RT_STRING	0x3a3bb0	0x230	data			0.625
RT_STRING	0x3a3de0	0x1f0	data			0.6612903225806451
RT_STRING	0x3a3fd0	0x218	AmigaOS bitmap font "%", fc_YSize 4294947725, 9984 elements, 2nd "~0[0\2230\014", 3rd ""			0.5522388059701493
RT_RCDATA	0x3a41e8	0x10	data			1.5
RT_RCDATA	0x3a41f8	0xb28	data			0.6435574229691877
RT_RCDATA	0x3a4d20	0x17bb	Delphi compiled form 'TCalculator'			0.36263374485596706
RT_RCDATA	0x3a64dc	0x342	Delphi compiled form 'TDataSave'			0.6690647482014388
RT_RCDATA	0x3a6820	0x4f9	Delphi compiled form 'TDestAppli'			0.5765907305577376
RT_RCDATA	0x3a6d1c	0x261	Delphi compiled form 'TDLWin'			0.7126436781609196
RT_RCDATA	0x3a6f80	0xa491b	Delphi compiled form 'TDL_status'			0.18298408930756963
RT_RCDATA	0x44b89c	0x56d	Delphi compiled form 'TFormSearch'			0.5449964002879769
RT_RCDATA	0x44be0c	0x421	Delphi compiled form 'THintWin'			0.5742667928098392
RT_RCDATA	0x44c230	0x596b0	Delphi compiled form 'Tinvitation'			0.7400697872526321
RT_RCDATA	0x4a58e0	0x131e	Delphi compiled form 'TLinkData'			0.4113199836534532
RT_RCDATA	0x4a6c00	0x290	Delphi compiled form 'Tloading'			0.6341463414634146
RT_RCDATA	0x4a6e90	0x84417	Delphi compiled form 'TMain'			0.11935708365407158
RT_RCDATA	0x52b2a8	0x26a	Delphi compiled form 'TMakeExcel'			0.7200647249190939
RT_RCDATA	0x52b514	0x2658c	Delphi compiled form 'TOuterLinks'			0.10055517355540275
RT_RCDATA	0x551aa0	0x5f7	Delphi compiled form 'TPageProp'			0.5134250163719711
RT_RCDATA	0x552098	0x217d	Delphi compiled form 'TPI'			0.35891753178583924
RT_RCDATA	0x554218	0x6f3	Delphi compiled form 'TPrepareSMP'			0.49409780775716694
RT_RCDATA	0x55490c	0x64d	Delphi compiled form 'TPropWin'			0.45629262244265345
RT_RCDATA	0x554f5c	0x53b	Delphi compiled form 'Tready'			0.4981329350261389
RT_RCDATA	0x555498	0x173a	Delphi compiled form 'TReadyToRestart'			0.16717120753447695
RT_RCDATA	0x556bd4	0x955	Delphi compiled form 'TRenamer'			0.4047718710757639
RT_RCDATA	0x55752c	0x27f	Delphi compiled form 'TRestoreWin'			0.7323943661971831
RT_RCDATA	0x5577ac	0x180b	Delphi compiled form 'TsapportDlg'			0.38456539398862716
RT_RCDATA	0x558fb8	0xdc0	Delphi compiled form 'Tsaved_list'			0.3286931818181818
RT_RCDATA	0x559d78	0x7a0	Delphi compiled form 'Tsaveform'			0.4405737704918033
RT_RCDATA	0x55a518	0x84c	Delphi compiled form 'TSearchWin'			0.4675141242937853
RT_RCDATA	0x55ad64	0x47bd	Delphi compiled form 'TSetWin'			0.29599782194391505
RT_RCDATA	0x55f524	0x2511	Delphi compiled form 'TSitemapXML'			0.3312256296764675
RT_RCDATA	0x561a38	0x2ea	Delphi compiled form 'Tsitescan'			0.6541554959785523
RT_RCDATA	0x561d24	0xf240	Delphi compiled form 'TSouceView'			0.21420278637770898
RT_RCDATA	0x570f64	0xf58	Delphi compiled form 'TTreeMap'			0.3760183299389002
RT_RCDATA	0x571ebc	0xcde	Delphi compiled form 'TVersion'			0.4326047358834244
RT_RCDATA	0x572b9c	0x595	Delphi compiled form 'TViewWindow'			0.46815955213435967
RT_RCDATA	0x573134	0x11d2	Delphi compiled form 'TWebEccoder'			0.4090311266988163
RT_RCDATA	0x574308	0x2152	Delphi compiled form 'Twizard'			0.3227432590855803
RT_RCDATA	0x57645c	0xb51	Delphi compiled form 'TXL'			0.37452537107352435
RT_RCDATA	0x576fb0	0x3a5	Delphi compiled form 'TXMLFormat'			0.6280814576634512
RT_GROUP_CURSOR	0x577358	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x57736c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x577380	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x577394	0x14	data			1.4
RT_GROUP_CURSOR	0x5773a8	0x14	data			1.4
RT_GROUP_CURSOR	0x5773bc	0x14	data			1.4
RT_GROUP_CURSOR	0x5773d0	0x14	data			1.4
RT_GROUP_CURSOR	0x5773e4	0x14	data			1.4
RT_GROUP_CURSOR	0x5773f8	0x14	data			1.4
RT_GROUP_CURSOR	0x57740c	0x14	data			1.4
RT_GROUP_CURSOR	0x577420	0x14	data			1.4
RT_GROUP_CURSOR	0x577434	0x14	data			1.4
RT_GROUP_CURSOR	0x577448	0x14	data			1.4
RT_GROUP_CURSOR	0x57745c	0x14	data			1.4
RT_GROUP_CURSOR	0x577470	0x14	data			1.4
RT_GROUP_CURSOR	0x577484	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x577498	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.25
RT_GROUP_CURSOR	0x5774ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x5774c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x5774d4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x5774e8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x5774fc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_ICON	0x577510	0x14	data	Japanese	Japan	1.2
RT_GROUP_ICON	0x577524	0x14	data	Japanese	Japan	1.25
RT_VERSION	0x577538	0x30c	data	Japanese	Japan	0.517948717948718
RT_MANIFEST	0x577844	0x296	XML 1.0 document, ASCII text, with CRLF line terminators			0.4954682779456193

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExW, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, IsValidSid, GetUserNameA, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, GetSidIdentifierAuthority, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll	lstrlenW, lstrlenA, lstrcpyA, lstrcmpiA, lstrcmpA, WritePrivateProfileStringA, WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TerminateProcess, SystemTimeToFileTime, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLocaleInfoA, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReleaseMutex, ReadFile, PeekNamedPipe, OutputDebugStringA, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, LockResource, LocalFileTimeToFileTime, LoadResource, LoadLibraryA, LeaveCriticalSection, IsValidCodePage, InitializeCriticalSection, HeapFree, HeapAlloc, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemTime, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLangID, GetStringTypeExA, GetStdHandle, GetStartupInfoA, GetProfileStringA, GetProcessHeap, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitThread, EnumCalendarInfoA, EnterCriticalSection, DuplicateHandle, DosDateTimeToFileTime, DeviceIoControl, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetRectRgn, SetROP2, SetPixelV, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, Pie, PatBlt, OffsetRgn, OffsetClipRgn, MoveToEx, MaskBlt, LineTo, LineDDA, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32W, GetTextExtentPoint32A, GetTextColor, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectType, GetObjectA, GetNearestColor, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBkColor, GetBitmapBits, GdiFlush, ExtTextOutW, ExtTextOutA, ExcludeClipRect, EnumFontsA, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgnIndirect, CreateRectRgn, CreatePenIndirect, CreatePen, CreatePatternBrush, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateFontA, CreateEnhMetaFileA, CreateEllipticRgn, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, CloseEnhMetaFile, BitBlt, Arc, AngleArc
user32.dll	keybd_event, WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenuEx, TrackPopupMenu, ToAscii, SystemParametersInfoA, SubtractRect, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCaretPos, SetCapture, SetActiveWindow, SendNotifyMessageA, SendMessageA, SendDlgItemMessageA, ScrollWindowEx, ScrollWindow, ScrollDC, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxW, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LockWindowUpdate, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemRect, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenuDefaultItem, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardFormatNameA, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExA, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DrawCaption, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CopyImage, CloseClipboard, ClipCursor, ClientToScreen, ChildWindowFromPointEx, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BringWindowToTop, BeginPaint, BeginDeferWindowPos, AttachThreadInput, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, ReleaseStgMedium, OleDraw, OleSetMenuDescriptor, OleGetClipboard, OleSetClipboard, DoDragDrop, RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CreateDataAdviseHolder, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoDisconnectObject, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	GetErrorInfo, GetActiveObject, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_LoadImageA, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
imm32.dll	ImmGetVirtualKey, ImmGetCompositionStringA, ImmReleaseContext, ImmGetContext
winspool.drv	OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
shell32.dll	Shell_NotifyIconA, ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, SHFileOperationA, SHAppBarMessage, ExtractIconA
wininet.dll	InternetSetOptionA, InternetReadFile, InternetQueryOptionA, InternetOpenUrlA, InternetOpenA, InternetGetLastResponseInfoA, InternetFindNextFileA, InternetConnectA, InternetCombineUrlA, InternetCloseHandle, InternetCanonicalizeUrlA, HttpSendRequestA, HttpQueryInfoA, HttpOpenRequestA, FtpSetCurrentDirectoryA, FtpGetCurrentDirectoryA, FtpFindFirstFileA, FindNextUrlCacheEntryA, FindFirstUrlCacheEntryA, DeleteUrlCacheEntry
URLMON.DLL	URLDownloadToFileA
shell32.dll	SHGetSpecialFolderPathA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder, SHGetDataFromIDListA, SHBrowseForFolderA
comdlg32.dll	ChooseFontA, FindTextA, ChooseColorA, GetSaveFileNameA, GetOpenFileNameA
winmm.dll	timeGetTime, timeEndPeriod, timeBeginPeriod, sndPlaySoundA, PlaySoundA
GDI32.DLL	GetRandomRgn
MSVFW32.DLL	GetOpenFileNamePreview
wsock32.dll	WSACleanup, WSAStartup, WSAGetLastError, WSACancelAsyncRequest, WSAAsyncGetHostByName, gethostname, gethostbyname, gethostbyaddr, inet_ntoa, inet_addr
ole32.dll	CoCreateGuid
shlwapi.dll	SHAutoComplete, AssocQueryStringA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan
German	Germany
English	United States
Chinese	China
Italian	Italy

• WEBEX.exe

Click to jump to process

Memory Usage

• WEBEX.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	08:10:36
Start date:	19/01/2024
Path:	C:\Users\user\Desktop\WEBEX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\WEBEX.exe
Imagebase:	0x400000
File size:	5'708'800 bytes
MD5 hash:	D78F6F3417ECD210BCB5AC89AF6189D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2080833239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WEBEX.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\WEBEX.ini

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: WEBEX.exePID: 6252, Parent PID: 4004

General

File Activities

File Opened

Windows Analysis Report
WEBEX.exe