Windows
Analysis Report
lnstaller_2024.008.20535_win64_86.exe
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- lnstaller_2024.008.20535_win64_86.exe (PID: 172, cmdline: "C:\Users\user\Desktop\lnstaller_2024.008.20535_win64_86.exe", MD5: A0543AF2A8B551D1BF5B89DDEDAE4180)
- cleanup
Source: | Author: frack113: |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- HIPS / PFW / Operating System Protection Evasion
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | JA3 fingerprint: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | (57 matches) |
Source: | Network traffic detected: | (2 matches) |
Source: | HTTPS traffic detected: |
Source: | Memory allocated: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary or memory string: | (2 matches) |
Source: | Section loaded: | (24 matches) |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Key opened: | (3 matches) |
Source: | File read: | (2 matches) |
Source: | ReversingLabs: |
Source: | String found in binary or memory: | (2 matches) |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | (8 matches) |
Persistence and Installation Behavior |
---|
Source: | Registry value created: | (2 matches) |
Source: | Registry key monitored for changes: |
Source: | Key value created or modified: |
Source: | Process information set: | (2 matches) |
Source: | Thread sleep time: |
Source: | Binary or memory string: | (3 matches) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Modify Registry | OS Credential Dumping | 1 Query Registry | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Install Root Certificate | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
lnstaller_2024.008.20535_win64_86.exe | 29% | ReversingLabs | Win32.Trojan.Generic | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
44 URLs | 0% (all 44) | URL Reputation (5), Avira URL Cloud (39) | safe (all 44) | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.legal-tools.org | 188.166.193.143 | true | false | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
48 URLs | | false (all 48) | | high (4), unknown (44) |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
188.166.193.143 | www.legal-tools.org | Netherlands | | 14061 | DIGITALOCEAN-ASNUS | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1413381 |
Start date and time: | 2024-03-21 18:10:36 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 42s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | lnstaller_2024.008.20535_win64_86.exe (the first character is a lowercase "l", not a capital "I") |
Detection: | MAL |
Classification: | mal52.winEXE@1/0@1/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
- Excluded IPs from analysis (whitelisted): 23.221.227.5, 23.221.227.15, 23.221.227.47, 23.221.227.17, 23.221.227.4, 23.221.227.21, 23.221.227.54, 23.221.227.7, 23.221.227.20, 104.102.251.17, 104.102.251.89, 104.102.251.73
- Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: lnstaller_2024.008.20535_win64_86.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
DIGITALOCEAN-ASNUS | 8 associated samples | | malicious (all 8) | Unknown (7), Mirai, Gafgyt (1) | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
7dcce5b76c8b17472d024758970a406b | 9 associated samples | | malicious (all 9) | Unknown (9) | | |
File type: | |
Entropy (8bit): | 5.916559601535338 |
TrID: | |
File name: | lnstaller_2024.008.20535_win64_86.exe |
File size: | 20'215'710 bytes |
MD5: | a0543af2a8b551d1bf5b89ddedae4180 |
SHA1: | 3c89b4550bbd1f85c8080cbebabfd9f16c6fa836 |
SHA256: | 9419b1e9fa5741f629f61094811a4936beb2acd76bbad083ec75c7e50de9b02b |
SHA512: | ff8c002a324f14aac9fd8ce4021ce02fa774d26d076f836b3df7bb64429d88055e0430629da14e9895df39c88aae6b0f4d359805cf020e3df5b8209ee377ccfe |
SSDEEP: | 196608:IXMYdiaMf2tRdH0isC0gwQwAuvs649P9D26sTA:Uxlc2tRyiGgwQfuvs1pgRM |
TLSH: | 3E173A22F2509A36C0DE4B3A849F47115335411A4F97A78701E8DABDFD8E2912FBA74F |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | f8d8c8e4a2fce871 |
Entrypoint: | 0x7a27b0 |
Entrypoint Section: | .itext |
Digitally signed: | true (a signature block is present, but it does not verify; see Signature Valid below) |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65E2DA33 [Sat Mar 2 07:50:11 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 04b8ec0741a79333f092fa313b872402 |
Signature Valid: | false |
Signature Issuer: | CN=Certum Code Signing CA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash recomputed over the file does not match the digest stored in the signature, meaning the file bytes were altered after signing or the signature block was transplanted from another file; an expired or untrusted certificate would yield a different error code) |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 3D0B23C0158F240A7C77494C92869594 |
Thumbprint SHA-1: | 6DFA88FEDBA957855DB938B38082378F14C7CCCC |
Thumbprint SHA-256: | BFE1095F804D8A46A8ED956556837C75AF33CA42A843C7F4F660BEAA10AF26EA |
Serial: | 66C5DCC14B517809C172B44B7E9784F7 |
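The validation failure above (TRUST_E_BAD_DIGEST) means the Authenticode hash Windows recomputes over the file no longer equals the digest the signer embedded. As an added example that is not part of the Joe Sandbox report or of the sample itself, the Python below recomputes that hash the way the Authenticode PE specification lays out (headers minus the CheckSum field and the Certificate Table directory entry, section data in file-offset order, then the overlay minus the WIN_CERTIFICATE blob) and runs it against a constructed minimal PE32 built by `build_test_pe`, whose certificate body is a placeholder rather than real PKCS#7 data. It shows which edits the digest is blind to (the CheckSum field, the certificate blob itself) and which break it (a one-byte patch in .text, bytes appended after the signature). Extracting the signer's digest from the PKCS#7 SpcIndirectDataContent for the actual comparison is left to a library such as signify or osslsigncode, or to `signtool verify /v` on Windows.

```python
"""Authenticode digest of a PE image, computed as the Windows Authenticode PE
specification prescribes: headers minus CheckSum and the Certificate Table
directory entry, section data in file-offset order, then any overlay minus
the WIN_CERTIFICATE blob itself.  Added example, standard library only."""
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY; its "VirtualAddress" is a file offset, not an RVA


def _layout(pe: bytes):
    """Return (checksum_off, sec_entry_off, size_of_headers, section_table, nsections, cert_off, cert_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    sec_entry = opt + (112 if magic == 0x20B else 96) + 8 * SECURITY_DIR  # PE32+ vs PE32 data directory
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_entry)
    size_of_headers, = struct.unpack_from("<I", pe, opt + 60)
    return opt + 64, sec_entry, size_of_headers, opt + opt_size, nsections, cert_off, cert_size


def authenticode_digest(pe: bytes, algorithm: str = "sha256") -> str:
    checksum, sec_entry, hdr_end, sect_tbl, nsections, cert_off, cert_size = _layout(pe)
    h = hashlib.new(algorithm)
    h.update(pe[:checksum])                      # 1. headers, skipping CheckSum (4 bytes) ...
    h.update(pe[checksum + 4:sec_entry])         #    ... and the cert table directory entry (8 bytes)
    h.update(pe[sec_entry + 8:hdr_end])
    sections = []
    for i in range(nsections):                   # 2. section raw data, sorted by PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_tbl + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = hdr_end
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if cert_size:                                # 3. overlay, minus the certificate table range
        h.update(pe[hashed:cert_off])
        h.update(pe[cert_off + cert_size:])      #    bytes after the cert table are still hashed here
    else:
        h.update(pe[hashed:])
    return h.hexdigest()


def win_certificate(body: bytes) -> bytes:
    """WIN_CERTIFICATE (dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA) around a
    constructed placeholder body; a real signature carries PKCS#7 SignedData here."""
    body = body.ljust(-(-len(body) // 8) * 8, b"\0")    # 8-byte aligned, as the spec requires
    return struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body


def build_test_pe(code: bytes, cert_blob: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32 with one .text section at file offset 0x200 and an optional
    appended certificate table.  Test fixture only, not the sample from the report."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # SectionAlignment, FileAlignment
    struct.pack_into("<III", opt, 56, 0x2000, 0x200, checksum)       # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<H", opt, 68, 2)                               # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x200 + len(code) if cert_blob else 0, len(cert_blob))
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(code), 0x1000, len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + code + cert_blob


def demo() -> dict:
    """Which edits leave the digest intact, and which produce the TRUST_E_BAD_DIGEST condition."""
    code = b"\x55\x8b\xec" + b"\x90" * 0x1fc + b"\xc3"               # 0x200 bytes of constructed code
    cert = win_certificate(b"constructed placeholder signature")
    reference = authenticode_digest(build_test_pe(code, cert))         # the digest a signer would embed
    patched = code[:0x100] + b"\xcc" + code[0x101:]                   # one byte changed inside .text
    return {
        "reference": reference,
        "checksum_change_ignored": authenticode_digest(build_test_pe(code, cert, checksum=0xDEADBEEF)) == reference,
        "cert_blob_swap_ignored": authenticode_digest(build_test_pe(code, win_certificate(b"another, longer placeholder blob"))) == reference,
        "code_patch_detected": authenticode_digest(build_test_pe(patched, cert)) != reference,
        "trailing_append_detected": authenticode_digest(build_test_pe(code, cert) + b"appended payload") != reference,
    }
```

Because the whole certificate-table range is skipped, anything an attacker tucks inside the WIN_CERTIFICATE structure's slack leaves the digest unchanged; that slack is what CVE-2013-3900 concerned, and WinVerifyTrust only rejects it when the EnableCertPaddingCheck setting is turned on. A repacked installer, by contrast, changes section bytes and is caught by exactly the comparison shown here.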
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
mov eax, 00795A50h |
call 00007F07609A9BE9h |
mov eax, dword ptr [007AE190h] |
mov eax, dword ptr [eax] |
call 00007F0760BA9981h |
mov eax, dword ptr [007AE190h] |
mov eax, dword ptr [eax] |
mov dl, 01h |
call 00007F0760BAB963h |
mov ecx, dword ptr [007ADEACh] |
mov eax, dword ptr [007AE190h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [0078EB78h] |
call 00007F0760BA9973h |
mov ecx, dword ptr [007ADB14h] |
mov eax, dword ptr [007AE190h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [00760930h] |
call 00007F0760BA995Bh |
mov ecx, dword ptr [007AE224h] |
mov eax, dword ptr [007AE190h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [00779714h] |
call 00007F0760BA9943h |
mov ecx, dword ptr [007ADF78h] |
mov eax, dword ptr [007AE190h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [00777D94h] |
call 00007F0760BA992Bh |
mov ecx, dword ptr [007AE414h] |
mov eax, dword ptr [007AE190h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [007753ACh] |
call 00007F0760BA9913h |
mov ecx, dword ptr [007AE568h] |
mov eax, dword ptr [007AE190h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [00774568h] |
call 00007F0760BA98FBh |
mov ecx, dword ptr [007ADE24h] |
mov eax, dword ptr [007AE190h] |
mov eax, dword ptr [eax] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3bc000 | 0x72 | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b7000 | 0x39c0 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40d000 | 0x199000 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x13449ee | 0x2db0 | .debug |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3bf000 | 0x4d33c | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5a6000 | 0x1 | .debug |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x3be000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3b7a2c | 0x8d8 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bb000 | 0xf02 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x39ec38 | 0x39ee00 | 0828ebe9d9378194a2fe0bf6fcc6ae96 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x3a0000 | 0x28dc | 0x2a00 | 944260412ce500865d2600dc6b88782d | False | 0.5331101190476191 | data | 6.28014145817746 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x3a3000 | 0xb63c | 0xb800 | 1f535b9dc088770ce7183e129e6cbb3e | False | 0.5688264266304348 | data | 6.124742883932662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x3af000 | 0x7430 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x3b7000 | 0x39c0 | 0x3a00 | b9f7f15ce05f410c4fd15eead66c8430 | False | 0.32947198275862066 | data | 5.264262401333611 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0x3bb000 | 0xf02 | 0x1000 | 45fb5d9464ff21bdae7500464d4c2372 | False | 0.33544921875 | data | 4.28512245038203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x3bc000 | 0x72 | 0x200 | b74d6143ec210dab71ee1cba80c6574a | False | 0.181640625 | data | 1.352757698444735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0x3bd000 | 0x5c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x3be000 | 0x5d | 0x200 | 97492c6a8152f8f28421d3522ff5d319 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x3bf000 | 0x4d2ec | 0x4d400 | 46157e18d75436c8476f419e2ad1bdc0 | False | 0.5693770226537217 | data | 6.718850883622972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x40d000 | 0x199000 | 0x199000 | 8747050ae801c1b7822464fb92b904b9 | False | 0.5800852880501223 | data | 6.779160208313254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.debug | 0x5a6000 | 0xdac3ee | 0xdac3ee | ab7875a110092885dd8a4aaad682ae9e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x40eb7c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
RT_CURSOR | 0x40ecb0 | 0x134 | data | English | United States | 0.4642857142857143 |
RT_CURSOR | 0x40ede4 | 0x134 | data | English | United States | 0.4805194805194805 |
RT_CURSOR | 0x40ef18 | 0x134 | data | English | United States | 0.38311688311688313 |
RT_CURSOR | 0x40f04c | 0x134 | data | English | United States | 0.36038961038961037 |
RT_CURSOR | 0x40f180 | 0x134 | data | English | United States | 0.4090909090909091 |
RT_CURSOR | 0x40f2b4 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
RT_BITMAP | 0x40f3e8 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334 |
RT_BITMAP | 0x40f4a8 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855 |
RT_BITMAP | 0x40f588 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143 |
RT_BITMAP | 0x40f668 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145 |
RT_BITMAP | 0x40f748 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667 |
RT_BITMAP | 0x40f808 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375 |
RT_BITMAP | 0x40f8c8 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285 |
RT_BITMAP | 0x40f9a8 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666 |
RT_BITMAP | 0x40fa68 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5 |
RT_BITMAP | 0x40fb48 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333 |
RT_BITMAP | 0x40fc08 | 0x98 | Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors | English | United States | 0.5197368421052632 |
RT_BITMAP | 0x40fca0 | 0x98 | Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors | English | United States | 0.506578947368421 |
RT_BITMAP | 0x40fd38 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.3794642857142857 |
RT_ICON | 0x40fe18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7854609929078015 |
RT_ICON | 0x410280 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.7192622950819673 |
RT_ICON | 0x410c08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6890243902439024 |
RT_ICON | 0x411cb0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.6573651452282158 |
RT_ICON | 0x414258 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.6388167217760983 |
RT_ICON | 0x418480 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.6061856211898256 |
RT_ICON | 0x421928 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.5782710280373832 |
RT_ICON | 0x432150 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.5177197680267479 |
RT_ICON | 0x474178 | 0x5ed81 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States | 1.0000823721108625 |
RT_STRING | 0x4d2efc | 0x144 | data | 0.5370370370370371 | ||
RT_STRING | 0x4d3040 | 0x32c | data | 0.4211822660098522 | ||
RT_STRING | 0x4d336c | 0x394 | data | 0.35262008733624456 | ||
RT_STRING | 0x4d3700 | 0x324 | data | 0.4166666666666667 | ||
RT_STRING | 0x4d3a24 | 0x414 | data | 0.3390804597701149 | ||
RT_STRING | 0x4d3e38 | 0x418 | data | 0.38072519083969464 | ||
RT_STRING | 0x4d4250 | 0x304 | data | 0.43134715025906734 | ||
RT_STRING | 0x4d4554 | 0x3b8 | data | 0.38130252100840334 | ||
RT_STRING | 0x4d490c | 0x41c | data | 0.3897338403041825 | ||
RT_STRING | 0x4d4d28 | 0x52c | data | 0.39652567975830816 | ||
RT_STRING | 0x4d5254 | 0xab8 | data | 0.25911078717201164 | ||
RT_STRING | 0x4d5d0c | 0x96c | data | 0.2657545605306799 | ||
RT_STRING | 0x4d6678 | 0x454 | data | 0.33574007220216606 | ||
RT_STRING | 0x4d6acc | 0x308 | data | 0.43170103092783507 | ||
RT_STRING | 0x4d6dd4 | 0x470 | data | 0.3899647887323944 | ||
RT_STRING | 0x4d7244 | 0xa0 | data | 0.7 | ||
RT_STRING | 0x4d72e4 | 0xe0 | data | 0.6473214285714286 | ||
RT_STRING | 0x4d73c4 | 0x2bc | data | 0.4342857142857143 | ||
RT_STRING | 0x4d7680 | 0x2b4 | data | 0.46965317919075145 | ||
RT_STRING | 0x4d7934 | 0x3ac | data | 0.3840425531914894 | ||
RT_STRING | 0x4d7ce0 | 0x3e0 | data | 0.3810483870967742 | ||
RT_STRING | 0x4d80c0 | 0x46c | data | 0.3621908127208481 | ||
RT_STRING | 0x4d852c | 0x4e4 | data | 0.31869009584664537 | ||
RT_STRING | 0x4d8a10 | 0x21c | data | 0.26296296296296295 | ||
RT_STRING | 0x4d8c2c | 0x468 | data | 0.4175531914893617 | ||
RT_STRING | 0x4d9094 | 0x474 | data | 0.35175438596491226 | ||
RT_STRING | 0x4d9508 | 0x4b4 | data | 0.3803986710963455 | ||
RT_STRING | 0x4d99bc | 0x47c | data | 0.34146341463414637 | ||
RT_STRING | 0x4d9e38 | 0x3e4 | data | 0.38052208835341367 | ||
RT_STRING | 0x4da21c | 0x400 | data | 0.3623046875 | ||
RT_STRING | 0x4da61c | 0x34c | data | 0.37796208530805686 | ||
RT_STRING | 0x4da968 | 0xd4 | data | 0.5283018867924528 | ||
RT_STRING | 0x4daa3c | 0xa4 | data | 0.6524390243902439 | ||
RT_STRING | 0x4daae0 | 0x2dc | data | 0.4685792349726776 | ||
RT_STRING | 0x4dadbc | 0x43c | data | 0.31273062730627305 | ||
RT_STRING | 0x4db1f8 | 0x328 | data | 0.43316831683168316 | ||
RT_STRING | 0x4db520 | 0x2f0 | data | 0.3776595744680851 | ||
RT_STRING | 0x4db810 | 0x368 | data | 0.29243119266055045 | ||
RT_RCDATA | 0x4dbb78 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013 |
RT_RCDATA | 0x4dc8d8 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344 |
RT_RCDATA | 0x4dd630 | 0xcfc | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003309265944645 |
RT_RCDATA | 0x4de32c | 0xcd9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033444816053512 |
RT_RCDATA | 0x4df008 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013 |
RT_RCDATA | 0x4dfd68 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344 |
RT_RCDATA | 0x4e0ac0 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634 |
RT_RCDATA | 0x4e1710 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634 |
RT_RCDATA | 0x4e2360 | 0xcb5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033814940055334 |
RT_RCDATA | 0x4e3018 | 0xcb0 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033866995073892 |
RT_RCDATA | 0x4e3cc8 | 0xd56 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032220269478618 |
RT_RCDATA | 0x4e4a20 | 0xd47 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032362459546926 |
RT_RCDATA | 0x4e5768 | 0xdc2 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031232254400908 |
RT_RCDATA | 0x4e652c | 0xdc5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031205673758865 |
RT_RCDATA | 0x4e72f4 | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074 |
RT_RCDATA | 0x4e7fe8 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965 |
RT_RCDATA | 0x4e8cd8 | 0xda9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031455533314269 |
RT_RCDATA | 0x4e9a84 | 0xda6 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031482541499714 |
RT_RCDATA | 0x4ea82c | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074 |
RT_RCDATA | 0x4eb520 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965 |
RT_RCDATA | 0x4ec210 | 0x10 | data | 1.5 | ||
RT_RCDATA | 0x4ec220 | 0x148b | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0020916524054002 |
RT_RCDATA | 0x4ed6ac | 0x111e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0025102692834322 |
RT_RCDATA | 0x4ee7cc | 0xd8c | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031718569780854 |
RT_RCDATA | 0x4ef558 | 0xf28 | data | 0.4814432989690722 | ||
RT_RCDATA | 0x4f0480 | 0x2 | data | English | United States | 5.0 |
RT_RCDATA | 0x4f0484 | 0x274 | Delphi compiled form 'TChildForm' | | | 0.6321656050955414 |
RT_RCDATA | 0x4f06f8 | 0x71b36 | Delphi compiled form 'TFrameChild' | | | 0.39567935961246936 |
RT_RCDATA | 0x562230 | 0xcdcc | Delphi compiled form 'TfrmAbout' | | | 0.953287525624478 |
RT_RCDATA | 0x56effc | 0x4e5b | Delphi compiled form 'TfrmAdBlocker' | | | 0.5574056533226981 |
RT_RCDATA | 0x573e58 | 0x17e3 | Delphi compiled form 'TfrmAddMediaLink' | | | 0.685363859362224 |
RT_RCDATA | 0x57563c | 0x17f1 | Delphi compiled form 'TfrmAddURL' | | | 0.684287812041116 |
RT_RCDATA | 0x576e30 | 0x17e1 | Delphi compiled form 'TfrmAddWLURL' | | | 0.6832978897431703 |
RT_RCDATA | 0x578614 | 0x1d4c | Delphi compiled form 'TfrmDeleteBrowserHistory' | | | 0.5817333333333333 |
RT_RCDATA | 0x57a360 | 0x195a | Delphi compiled form 'TfrmDeleteDomainData' | | | 0.6496147919876734 |
RT_RCDATA | 0x57bcbc | 0x86b3 | Delphi compiled form 'TfrmMediaPlayer' | | | 0.525244323289737 |
RT_RCDATA | 0x584370 | 0x1d6f7 | Delphi compiled form 'TfrmParent' | | | 0.43129546227408827 |
RT_RCDATA | 0x5a1a68 | 0x33be | Delphi compiled form 'TfrmSettings' | | | 0.37211233579948666 |
RT_RCDATA | 0x5a4e28 | 0x565 | Delphi compiled form 'TTBasicUserAuthForm' | | | 0.49022447501810285 |
RT_GROUP_CURSOR | 0x5a5390 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x5a53a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x5a53b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x5a53cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x5a53e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x5a53f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x5a5408 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_ICON | 0x5a541c | 0x84 | data | English | United States | 0.7045454545454546 |
RT_VERSION | 0x5a54a0 | 0x42c | data | English | United States | 0.4297752808988764 |
RT_MANIFEST | 0x5a58cc | 0x70b | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.403771491957848 |
DLL | Import |
---|---|
winmm.dll | timeGetTime |
wininet.dll | InternetGetConnectedState |
winspool.drv | DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW |
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW |
comctl32.dll | ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage |
shell32.dll | Shell_NotifyIconW, SHAppBarMessage, ShellExecuteW |
user32.dll | MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, SetCaretPos, GetCaretPos, DefFrameProcW, ScrollWindowEx, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, DestroyCaret, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, PtInRect, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, GetMessageTime, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, keybd_event, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, ValidateRect, IsCharAlphaW, GetCursor, KillTimer, BeginDeferWindowPos, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, CreateWindowExW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, OffsetRect, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, InflateRect, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, ClientToScreen, SetClipboardData, GetClipboardData, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, CreateCaret, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, DestroyMenu, SetWindowsHookExW, GetDoubleClickTime, EmptyClipboard, GetDlgItem, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, SetKeyboardState, GetKeyboardState, ScreenToClient, DrawFrameControl, IsCharAlphaNumericW, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CountClipboardFormats, CloseClipboard, DestroyCursor, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, DeferWindowPos, HideCaret, EndDeferWindowPos, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu |
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
oleaut32.dll | SysFreeString, VariantClear, VariantInit, GetErrorInfo, SysReAllocStringLen, SafeArrayCreate, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, VariantChangeType |
advapi32.dll | RegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegLoadKeyW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegFlushKey, RegQueryValueExW, RegEnumValueW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW |
msvcrt.dll | memcpy, memset |
winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption |
kernel32.dll | GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, ReadFile, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, LoadLibraryExW, SetPriorityClass, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, WinExec, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, GlobalHandle, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, EnumResourceNamesW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, IsValidLocale, TlsSetValue, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale |
SHFolder.dll | SHGetFolderPathW |
ole32.dll | IsEqualGUID, OleInitialize, CoInitializeEx, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc |
gdi32.dll | Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, SelectClipRgn, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, CreateDCW, PolyBezierTo, CreateICW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, CreateFontIndirectW, PolyBezier, ExtCreatePen, LPtoDP, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, PlgBlt, Rectangle, SaveDC, DeleteDC, BitBlt, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, SetWindowExtEx, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, OffsetRgn, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, CreateRoundRectRgn, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetViewportExtEx, SetPixel, PolyPolyline, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries |
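The import table above is the static input behind several of the report's signature groups (anti-debug checks, Windows hooks, registry writes, process launch, WinHTTP networking). As an added example that is not part of the report and not the sandbox vendor's rule set, the Python below parses a pipe-separated "DLL | Import" table in the form shown above and buckets the imports into heuristic categories chosen by this editor. The sample rows are a subset copied from the table above; the category lists and the "runtime noise" set are assumptions: a Delphi/VCL GUI application commonly imports IsDebuggerPresent, timing APIs and SetWindowsHookEx through its own runtime, so hits there are weak evidence on their own and are separated from the rest.

```python
from collections import defaultdict

# Constructed sample: a subset of the "DLL | Import" table from the report above,
# kept in the same pipe-separated form the report uses.
IMPORT_TABLE = """\
DLL | Import
---|---|
winmm.dll | timeGetTime
wininet.dll | InternetGetConnectedState
shell32.dll | Shell_NotifyIconW, SHAppBarMessage, ShellExecuteW
user32.dll | keybd_event, SetWindowsHookExW, CallNextHookEx, UnhookWindowsHookEx, SetKeyboardState, FindWindowW, SetCursorPos
advapi32.dll | RegSetValueExW, RegCreateKeyExW, RegDeleteKeyW, RegOpenKeyExW, RegSaveKeyW, RegRestoreKeyW
winhttp.dll | WinHttpOpen, WinHttpConnect, WinHttpOpenRequest, WinHttpSendRequest, WinHttpReadData, WinHttpSetOption
kernel32.dll | IsDebuggerPresent, OutputDebugStringW, WinExec, VirtualAlloc, GetTickCount, QueryPerformanceCounter, WritePrivateProfileStringW
"""

# Heuristic categories (this editor's own lists, not the sandbox's signature definitions).
CATEGORIES = {
    "anti-debug": {"IsDebuggerPresent", "OutputDebugStringW", "CheckRemoteDebuggerPresent"},
    "timing-check": {"GetTickCount", "QueryPerformanceCounter"},
    "hooking": {"SetWindowsHookExW", "SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx"},
    "input-injection": {"keybd_event", "SendInput", "SetKeyboardState", "SetCursorPos"},
    "process-launch": {"WinExec", "ShellExecuteW", "ShellExecuteA", "CreateProcessW", "CreateProcessA"},
    "registry-write": {"RegSetValueExW", "RegCreateKeyExW", "RegSaveKeyW", "RegRestoreKeyW"},
    "http-client": {"WinHttpOpen", "WinHttpConnect", "WinHttpOpenRequest", "WinHttpSendRequest",
                    "InternetOpenW", "InternetOpenUrlW"},
}

# Assumption: a Delphi/VCL GUI binary pulls these in through its runtime even when benign,
# so a hit here is a weak signal unless the dynamic behaviour confirms it.
RUNTIME_NOISE = {"anti-debug", "timing-check", "hooking"}


def parse_import_table(text):
    """Parse 'dll | f1, f2, ...' rows into {dll: set(funcs)}; header and separator rows are skipped."""
    imports = defaultdict(set)
    for line in text.splitlines():
        if "|" not in line or line.startswith("---"):
            continue
        dll, _, funcs = line.partition("|")
        dll = dll.strip().lower()
        if dll == "dll":  # header row
            continue
        for func in funcs.split(","):
            func = func.strip().rstrip("|").strip()
            if func:
                imports[dll].add(func)
    return dict(imports)


def triage(imports):
    """Return {category: sorted [(dll, func), ...]} for every category with at least one hit."""
    hits = defaultdict(list)
    for dll, funcs in imports.items():
        for category, names in CATEGORIES.items():
            for func in funcs & names:
                hits[category].append((dll, func))
    return {category: sorted(pairs) for category, pairs in hits.items()}


def strong_signals(hits):
    """Drop the categories a GUI runtime explains on its own; what remains needs behavioural confirmation."""
    return {category: pairs for category, pairs in hits.items() if category not in RUNTIME_NOISE}


if __name__ == "__main__":
    table = parse_import_table(IMPORT_TABLE)
    all_hits = triage(table)
    for category, pairs in sorted(all_hits.items()):
        tag = "weak" if category in RUNTIME_NOISE else "check"
        print(f"[{tag}] {category}: " + ", ".join(f"{dll}!{func}" for dll, func in pairs))
    print("needs behavioural confirmation:", sorted(strong_signals(all_hits)))
```

Read the remaining categories against the dynamic sections of the report rather than in isolation: registry writes, WinExec/ShellExecuteW and a WinHTTP client are exactly what a legitimate installer also needs, so the import table alone does not separate this sample from a benign setup program.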
Name | Ordinal | Address |
---|---|---|
__dbk_fcall_wrapper | 2 | 0x411f68 |
dbkFCallWrapperAddr | 1 | 0x7b2648 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
- Total Packets: 9
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 21, 2024 18:17:42.236059904 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143 |
Mar 21, 2024 18:17:42.236104012 CET | 443 | 49168 | 188.166.193.143 | 192.168.2.22 |
Mar 21, 2024 18:17:42.236208916 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143 |
Mar 21, 2024 18:17:42.247345924 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143 |
Mar 21, 2024 18:17:42.247365952 CET | 443 | 49168 | 188.166.193.143 | 192.168.2.22 |
Mar 21, 2024 18:17:42.765664101 CET | 443 | 49168 | 188.166.193.143 | 192.168.2.22 |
Mar 21, 2024 18:17:42.765774012 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143 |
Mar 21, 2024 18:17:42.770415068 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143 |
Mar 21, 2024 18:17:42.770443916 CET | 443 | 49168 | 188.166.193.143 | 192.168.2.22 |
Mar 21, 2024 18:17:42.770792007 CET | 443 | 49168 | 188.166.193.143 | 192.168.2.22 |
Mar 21, 2024 18:17:42.770868063 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143 |
Mar 21, 2024 18:17:42.829786062 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143 |
Mar 21, 2024 18:17:42.829921961 CET | 443 | 49168 | 188.166.193.143 | 192.168.2.22 |
Mar 21, 2024 18:17:42.830018044 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143 |
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 21, 2024 18:17:42.128926039 CET | 65510 | 53 | 192.168.2.22 | 8.8.8.8 |
Mar 21, 2024 18:17:42.224040031 CET | 53 | 65510 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 21, 2024 18:17:42.128926039 CET | 192.168.2.22 | 8.8.8.8 | 0xa9f6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 21, 2024 18:17:42.224040031 CET | 8.8.8.8 | 192.168.2.22 | 0xa9f6 | No error (0) | | | 188.166.193.143 | A (IP address) | IN (0x0001) | false |
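The packet and DNS tables above are easiest to read as one flow: an A lookup via 8.8.8.8 answered with 188.166.193.143, followed about 12 ms later by a TCP session from 192.168.2.22:49168 to that address on port 443. As an added example that is not part of the report, the Python below parses rows in the report's column order (a constructed subset copied from the TCP table above), groups them into a bidirectional flow whose client is the side that sent the first packet, and checks that the TCP destination is the address returned in the DNS answer carrying the same transaction ID. The timestamp format handling (CET suffix, nanosecond fraction truncated to microseconds) is an assumption based on the rows shown.

```python
from collections import OrderedDict
from datetime import datetime

# Constructed subset of the TCP rows above: Timestamp | Source Port | Dest Port | Source IP | Dest IP
TCP_ROWS = """\
Mar 21, 2024 18:17:42.236059904 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143
Mar 21, 2024 18:17:42.236104012 CET | 443 | 49168 | 188.166.193.143 | 192.168.2.22
Mar 21, 2024 18:17:42.236208916 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143
Mar 21, 2024 18:17:42.247345924 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143
Mar 21, 2024 18:17:42.765664101 CET | 443 | 49168 | 188.166.193.143 | 192.168.2.22
Mar 21, 2024 18:17:42.830018044 CET | 49168 | 443 | 192.168.2.22 | 188.166.193.143
"""

# DNS query/answer fields copied from the tables above (the queried name is not present on the page).
DNS_QUERY = {"txid": "0xa9f6", "ts": "Mar 21, 2024 18:17:42.128926039 CET", "type": "A"}
DNS_ANSWER = {"txid": "0xa9f6", "ts": "Mar 21, 2024 18:17:42.224040031 CET", "address": "188.166.193.143"}


def parse_ts(text):
    """'Mar 21, 2024 18:17:42.236059904 CET' -> naive datetime; zone dropped, fraction cut to microseconds."""
    body, _, _zone = text.rpartition(" ")
    head, _, frac = body.partition(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_packets(text):
    """Turn the report's pipe-separated packet rows into dicts; blank and header-like rows are skipped."""
    packets = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 5 or not cols[1].isdigit():
            continue
        packets.append({"ts": parse_ts(cols[0]), "sport": int(cols[1]), "dport": int(cols[2]),
                        "src": cols[3], "dst": cols[4]})
    return packets


def flows(packets):
    """Group packets into bidirectional flows keyed (client, cport, server, sport); first sender is the client."""
    out = OrderedDict()
    for p in sorted(packets, key=lambda p: p["ts"]):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in out:
            flow, direction = out[fwd], "c2s"
        elif rev in out:
            flow, direction = out[rev], "s2c"
        else:
            flow = out[fwd] = {"first": p["ts"], "last": p["ts"], "c2s": 0, "s2c": 0}
            direction = "c2s"
        flow[direction] += 1
        flow["last"] = p["ts"]
    return out


def duration(flow):
    """Seconds between the first and last packet of a flow."""
    return (flow["last"] - flow["first"]).total_seconds()


def dns_correlation(flow_table, query, answer):
    """Flows whose server address is the answer for this query's transaction ID, and answer-to-connect delay."""
    if query["txid"] != answer["txid"]:
        return [], None
    matches = [key for key in flow_table if key[2] == answer["address"]]
    if not matches:
        return [], None
    first_packet = min(flow_table[key]["first"] for key in matches)
    return matches, (first_packet - parse_ts(answer["ts"])).total_seconds()


if __name__ == "__main__":
    table = flows(parse_packets(TCP_ROWS))
    for key, flow in table.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  c2s={flow['c2s']} s2c={flow['s2c']} "
              f"duration={duration(flow):.3f}s")
    matched, delay = dns_correlation(table, DNS_QUERY, DNS_ANSWER)
    print(f"flows to DNS answer {DNS_ANSWER['address']}: {len(matched)}, connect delay {delay:.3f}s")
```

A flow that starts within milliseconds of the DNS answer and is followed by nothing else is consistent with a single TLS exchange (a version or update check is the usual benign explanation for an installer); what it cannot tell you is the hostname or the content, so pair it with the JA3 fingerprint and the DNS name recorded elsewhere in the report.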
Target ID: | 0 |
Start time: | 08:17:38 |
Start date: | 20/03/2024 |
Path: | C:\Users\user\Desktop\lnstaller_2024.008.20535_win64_86.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 20'215'710 bytes |
MD5 hash: | A0543AF2A8B551D1BF5B89DDEDAE4180 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | true |