Edit tour

Windows Analysis Report
m6tly2Aqw4.exe

Overview

General Information

Sample name:	m6tly2Aqw4.exe renamed because original name is a hash value
Original sample name:	0f54220218afb5d0ea00fb8033509c773e3e8b3d.exe
Analysis ID:	1546803
MD5:	51d4e15fa77cf644ee90f42269bced3b
SHA1:	0f54220218afb5d0ea00fb8033509c773e3e8b3d
SHA256:	cc05a4b105428e0c1bd13525c5cab229e67a9eb9ec77b92b158fe6fe419929f6
Tags:	exeReversingLabsuser-NDA0E
Infos:

Detection

FloodFix

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FloodFix

AI detected suspicious sample

Allows loading of unsigned dll using appinit_dll

Creates an undocumented autostart registry key

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

m6tly2Aqw4.exe (PID: 3252 cmdline: "C:\Users\user\Desktop\m6tly2Aqw4.exe" MD5: 51D4E15FA77CF644EE90F42269BCED3B)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Common Files\System\symsrv.dll	JoeSecurity_FloodFix	Yara detected FloodFix	Joe Security
C:\Program Files\Common Files\System\symsrv.dll	MAL_Floxif_Generic	Detects Floxif Malware	Florian Roth
C:\Program Files\Common Files\System\symsrv.dll	MALWARE_Win_FloodFix	Detects FloodFix	ditekSHen

Unpacked PEs

Source	Rule	Description	Author
0.2.m6tly2Aqw4.exe.10000000.3.unpack	JoeSecurity_FloodFix	Yara detected FloodFix	Joe Security
0.2.m6tly2Aqw4.exe.10000000.3.unpack	MAL_Floxif_Generic	Detects Floxif Malware	Florian Roth
0.2.m6tly2Aqw4.exe.10000000.3.unpack	MALWARE_Win_FloodFix	Detects FloodFix	ditekSHen

Sigma Signatures

System Summary

Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\PROGRA~1\COMMON~1\System\symsrv.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\m6tly2Aqw4.exe, ProcessId: 3252, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: m6tly2Aqw4.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Common Files\System\symsrv.dll

Avira: detection malicious, Label: TR/Floxif.BB

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\System\symsrv.dll

ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: m6tly2Aqw4.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Common Files\System\symsrv.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: m6tly2Aqw4.exe

Joe Sandbox ML: detected

Source: m6tly2Aqw4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

Directory created: C:\Program Files\Common Files\System\symsrv.dll

Jump to behavior

Spreading

Yara detected FloodFix

Source: Yara match	File source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED

Source: m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5isohu.com/
Source: m6tly2Aqw4.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: m6tly2Aqw4.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: m6tly2Aqw4.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aieov.com/
Source: m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aieov.com/#

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Floxif Malware Author: Florian Roth
Source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE	Matched rule: Detects FloodFix Author: ditekSHen
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED	Matched rule: Detects Floxif Malware Author: Florian Roth
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED	Matched rule: Detects FloodFix Author: ditekSHen

PE file has nameless sections

Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:

Source: Joe Sandbox View

Dropped File: C:\Program Files\Common Files\System\symsrv.dll DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

Code function: String function: 006E8EEC appears 77 times

Source: m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: originalfilename cintanotes.exe 6 vs m6tly2Aqw4.exe
Source: m6tly2Aqw4.exe, 00000000.00000002.2122138799.00000000006AF000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecintanotes.exe6 vs m6tly2Aqw4.exe
Source: m6tly2Aqw4.exe, 00000000.00000002.2124690859.000000001002F000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameLanguagePack vs m6tly2Aqw4.exe
Source: m6tly2Aqw4.exe, 00000000.00000003.2074648577.0000000003AC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLanguagePack vs m6tly2Aqw4.exe
Source: m6tly2Aqw4.exe	Binary or memory string: OriginalFilenamecintanotes.exe6 vs m6tly2Aqw4.exe

Source: m6tly2Aqw4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED	Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED	Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix

Source: m6tly2Aqw4.exe	Static PE information: Section: ZLIB complexity 1.0001057103737114
Source: m6tly2Aqw4.exe	Static PE information: Section: ZLIB complexity 0.9927026098901099

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

File created: C:\Program Files\Common Files\System\symsrv.dll

Jump to behavior

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: m6tly2Aqw4.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

File read: C:\Users\user\Desktop\m6tly2Aqw4.exe

Jump to behavior

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: ws2help.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

Directory created: C:\Program Files\Common Files\System\symsrv.dll

Jump to behavior

Source: m6tly2Aqw4.exe

Static PE information: More than 223 > 100 exports found

Source: m6tly2Aqw4.exe

Static file information: File size 4594535 > 1048576

Source: m6tly2Aqw4.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x1a9200
Source: m6tly2Aqw4.exe	Static PE information: Raw size of .textTh is bigger than: 0x100000 < 0x1fca00

Source: symsrv.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1f436
Source: m6tly2Aqw4.exe	Static PE information: real checksum: 0x457c41 should be: 0x4658e3

Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name:
Source: m6tly2Aqw4.exe	Static PE information: section name: .textTh

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FF020 push ecx; mov dword ptr [esp], edx	0_2_006FF022
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006EC0AC push 006EC1C8h; ret	0_2_006EC1C0
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FE0A4 push ecx; mov dword ptr [esp], ecx	0_2_006FE0A9
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006F3168 push ecx; mov dword ptr [esp], edx	0_2_006F316D
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006EB148 push 006EB199h; ret	0_2_006EB191
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FB1F8 push 006FB258h; ret	0_2_006FB250
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FB2AE push 006FB3C4h; ret	0_2_006FB3BC
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FC349 push esp; ret	0_2_006FC351
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006EB43C push 006EB468h; ret	0_2_006EB460
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006EB402 push 006EB430h; ret	0_2_006EB428
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_0070369F push 007036E3h; ret	0_2_007036DB
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_007038D4 push 00703900h; ret	0_2_007038F8
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_00703890 push 007038BCh; ret	0_2_007038B4
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_0070292C push ecx; mov dword ptr [esp], edx	0_2_00702931
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FC9FA push esp; retf 006Fh	0_2_006FCA09
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FCA28 push esp; retf 006Fh	0_2_006FCA29
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006F3A0A push 006F3A7Bh; ret	0_2_006F3A73
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FBB60 push 006FBBADh; ret	0_2_006FBBA5
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006ECB34 pushad ; retf	0_2_006ECB35
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FCB1C push ecx; mov dword ptr [esp], edx	0_2_006FCB21
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_00701B04 push ecx; mov dword ptr [esp], edx	0_2_00701B06
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006EBBD4 push 006EBC00h; ret	0_2_006EBBF8
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006F3B8E push 006F3BBCh; ret	0_2_006F3BB4
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_00702C56 push 00702D03h; ret	0_2_00702CFB
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006EBC54 push 006EBC80h; ret	0_2_006EBC78
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006EBC1A push 006EBC48h; ret	0_2_006EBC40
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FACBE push 006FAD3Dh; ret	0_2_006FAD35
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006E7CB0 push eax; ret	0_2_006E7CEC
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006EBD5D push 006EBD88h; ret	0_2_006EBD80
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_00702D08 push 00702D98h; ret	0_2_00702D90
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Code function: 0_2_006FCD10 push ecx; mov dword ptr [esp], edx	0_2_006FCD15

Source: m6tly2Aqw4.exe	Static PE information: section name: entropy: 7.999484842813451
Source: m6tly2Aqw4.exe	Static PE information: section name: entropy: 7.986548844569612
Source: m6tly2Aqw4.exe	Static PE information: section name: entropy: 7.965397455300278

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

File created: C:\Program Files\Common Files\System\symsrv.dll

Jump to dropped file

Boot Survival

Allows loading of unsigned dll using appinit_dll

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

Registry value created: RequireSignedAppInit_DLLs 0

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs			Jump to behavior
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs			Jump to behavior

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

Dropped PE file which has not been started: C:\Program Files\Common Files\System\symsrv.dll

Jump to dropped file

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe TID: 2716

Thread sleep count: 289 > 30

Jump to behavior

Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.00000000006E5000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exe
Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.000000000078E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.000000000078E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.00000000006E5000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare
Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.000000000078E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe

Process token adjusted: Debug

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Software Packing	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
m6tly2Aqw4.exe	92%	ReversingLabs	Win32.Virus.Floxif
m6tly2Aqw4.exe	100%	Avira	W32/Infector.Gen4
m6tly2Aqw4.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Common Files\System\symsrv.dll	100%	Avira	TR/Floxif.BB
C:\Program Files\Common Files\System\symsrv.dll	100%	Joe Sandbox ML
C:\Program Files\Common Files\System\symsrv.dll	100%	ReversingLabs	Win32.Trojan.Floxif

Name	Source	Malicious	Reputation
http://5isohu.com/	m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.aieov.com/#	m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.aieov.com/	m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546803
Start date and time:	2024-11-01 15:59:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	m6tly2Aqw4.exe renamed because original name is a hash value
Original Sample Name:	0f54220218afb5d0ea00fb8033509c773e3e8b3d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/1@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target m6tly2Aqw4.exe, PID 3252 because it is empty
VT rate limit hit for: m6tly2Aqw4.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Common Files\System\symsrv.dll	2hp5ee36OS.exe	Get hash	malicious	FloodFix	Browse
	9dePCvDX8X.exe	Get hash	malicious	FloodFix	Browse
	ZYlsAQi8bj.exe	Get hash	malicious	FloodFix	Browse
	4g33Ui2SbU.exe	Get hash	malicious	FloodFix	Browse
	4afG8b79X5.exe	Get hash	malicious	FloodFix	Browse
	c9DQdpQLKz.exe	Get hash	malicious	FloodFix	Browse
	n64NG4zCN2.exe	Get hash	malicious	FloodFix	Browse
	0vJrK0NCd1.exe	Get hash	malicious	Remcos, DBatLoader, FloodFix	Browse
	jpeg_12.dll	Get hash	malicious	FloodFix	Browse
	DHL_Shipping_Docs00945_pdf.exe	Get hash	malicious	FloodFix	Browse

Created / dropped Files

C:\Program Files\Common Files\System\symsrv.dll

Download File

Process:	C:\Users\user\Desktop\m6tly2Aqw4.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	69337
Entropy (8bit):	7.734269834755614
Encrypted:	false
SSDEEP:	1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZL:c8y93KQjy7G55riF1cMo03V
MD5:	7574CF2C64F35161AB1292E2F532AABF
SHA1:	14BA3FA927A06224DFE587014299E834DEF4644F
SHA-256:	DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
SHA-512:	4DB19F2D8D5BC1C7BBB812D3FA9C43B80FA22140B346D2760F090B73AED8A5177EDB4BDDC647A6EBD5A2DB8565BE5A1A36A602B0D759E38540D9A584BA5896AB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_FloodFix, Description: Yara detected FloodFix, Source: C:\Program Files\Common Files\System\symsrv.dll, Author: Joe Security Rule: MAL_Floxif_Generic, Description: Detects Floxif Malware, Source: C:\Program Files\Common Files\System\symsrv.dll, Author: Florian Roth Rule: MALWARE_Win_FloodFix, Description: Detects FloodFix, Source: C:\Program Files\Common Files\System\symsrv.dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:	Filename: 2hp5ee36OS.exe, Detection: malicious, Browse Filename: 9dePCvDX8X.exe, Detection: malicious, Browse Filename: ZYlsAQi8bj.exe, Detection: malicious, Browse Filename: 4g33Ui2SbU.exe, Detection: malicious, Browse Filename: 4afG8b79X5.exe, Detection: malicious, Browse Filename: c9DQdpQLKz.exe, Detection: malicious, Browse Filename: n64NG4zCN2.exe, Detection: malicious, Browse Filename: 0vJrK0NCd1.exe, Detection: malicious, Browse Filename: jpeg_12.dll, Detection: malicious, Browse Filename: DHL_Shipping_Docs00945_pdf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.'...I...I...I.i.E...I.$.B...I..G...I.$.C.{.I.}.B...I.p.Z...I...H..I...B...I...O...I...M...I.Rich..I.................PE..L......P...........!................................................................................................(.......L...........L...........................................................................................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................2.03.UPX!....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.934926885361668
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	m6tly2Aqw4.exe
File size:	4'594'535 bytes
MD5:	51d4e15fa77cf644ee90f42269bced3b
SHA1:	0f54220218afb5d0ea00fb8033509c773e3e8b3d
SHA256:	cc05a4b105428e0c1bd13525c5cab229e67a9eb9ec77b92b158fe6fe419929f6
SHA512:	e9472cce353b50936567f0ab02dfa12566442041b87a4838ecd5ddee0debedba95057336e440c6338e9209bebb2bc298b307cbec014bf00cf50b49096b580caf
SSDEEP:	98304:5OkDYUJQk3X/IRjWt76alE6b3Dg/eELhyYu7ftc0URBT:XM6UalF38/eENdAbU/T
TLSH:	6A262345F284DF69E0648032E40DD6F256F2BC2F8599AB43B6D17E4B3C7C602AEA351D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........N .. s.. s.. s%..s.. s...s.. s..Ms.. s...s.. s..[s.. s..!st. s...se. s...s.. s...s.. s...s.. s...s.. sRich.. s...............

File Icon


Icon Hash:	2c160f25079f33e7

Static PE Info

General

Entrypoint:	0x54575a
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5992E826 [Tue Aug 15 12:25:10 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	fdeaa73e8c8dc60422bfb11854692202

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp 00007F19D47CD49Eh
jmp 00007F19D488613Eh
push 0044BB60h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00466ECCh]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
int3
int3
int3
add esp, 04h
jmp 00007F19D5673A21h
adc al, DDh
arpl word ptr [esi+6E628653h], ax
jle 00007F19D48862ABh
jnbe 00007F19D48862DFh
mov esp, A4889840h
daa
or eax, 156D9686h
call 00007F199EA6C74Fh
pop ds
and dword ptr [esi], D2248D79h
or dl, cl

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[EXP] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xd39020	0x1b49	.textTh
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd3ab6c	0x438	.textTh
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x65f000	0x35d80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x44be00	0x2ba0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x400000	0x1a9200	dd54c32df0b7037e8a7176305bea9d2a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x401000	0x13f000	0x61000	64850dc371d3cb479ffd93495941c05d	False	1.0001057103737114	data	7.999484842813451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x540000	0x8c000	0xb600	1430c0f1582d2d9550e3e847890ec300	False	0.9927026098901099	data	7.986548844569612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x5cc000	0x3a000	0x3800	fd7c40b074f72cfa8a61ccaa02cbf43b	False	0.9884207589285714	data	7.965397455300278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x606000	0x59000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x65f000	0x36000	0x35e00	56bc576258b413d7d3f115a802d248f9	False	0.2353311702436195	data	4.086740603679486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x695000	0x6a4000	0x200	2a0cf4a4bf89ba6ecc21c4be8cb65707	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.textTh	0xd39000	0x1fd000	0x1fca00	30709ae1e581438ced1821997192dc3f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
JPG	0x5cedc0	0x3381	data	English	United States	0.9416920731707317
RT_ICON	0x661dc0	0x5a96	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9898663216903838
RT_ICON	0x667858	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.30684647302904566
RT_ICON	0x669e00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.40619136960600377
RT_ICON	0x66aea8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.41024590163934427
RT_ICON	0x66b830	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.6099290780141844
RT_ICON	0x66bc98	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.11054913294797687
RT_ICON	0x66c200	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.6114864864864865
RT_ICON	0x66c328	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3547297297297297
RT_ICON	0x66c450	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.46170520231213874
RT_ICON	0x66c9b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.05053191489361702
RT_ICON	0x66ce20	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3885135135135135
RT_ICON	0x66cf48	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.46170520231213874
RT_ICON	0x66d4b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.05053191489361702
RT_ICON	0x66d918	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.40202702702702703
RT_ICON	0x66da40	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.46170520231213874
RT_ICON	0x66dfa8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.05053191489361702
RT_ICON	0x66e410	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3885135135135135
RT_ICON	0x66e538	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4595375722543353
RT_ICON	0x66eaa0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.04964539007092199
RT_ICON	0x66ef08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.38513513513513514
RT_ICON	0x66f030	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.46170520231213874
RT_ICON	0x66f598	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.05053191489361702
RT_ICON	0x66fa00	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3716216216216216
RT_ICON	0x66fb28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.46170520231213874
RT_ICON	0x670090	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.05053191489361702
RT_ICON	0x6704f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.375
RT_ICON	0x670620	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.46098265895953755
RT_ICON	0x670b88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.05053191489361702
RT_ICON	0x670ff0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.34797297297297297
RT_ICON	0x671118	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4602601156069364
RT_ICON	0x671680	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.04964539007092199
RT_ICON	0x671ae8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.44594594594594594
RT_ICON	0x671c10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5007225433526011
RT_ICON	0x672178	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.11170212765957446
RT_ICON	0x6725e0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	United States	0.3277027027027027
RT_ICON	0x672708	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.09005376344086022
RT_ICON	0x6729f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	United States	0.3310810810810811
RT_ICON	0x672b18	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.09005376344086022
RT_ICON	0x672e00	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	United States	0.34797297297297297
RT_ICON	0x672f28	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.09005376344086022
RT_ICON	0x673210	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.46283783783783783
RT_ICON	0x673338	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5245664739884393
RT_ICON	0x6738a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.15868794326241134
RT_ICON	0x673d08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3783783783783784
RT_ICON	0x673e30	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5570809248554913
RT_ICON	0x674398	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.22074468085106383
RT_ICON	0x674800	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3716216216216216
RT_ICON	0x674928	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4841040462427746
RT_ICON	0x674e90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.09219858156028368
RT_ICON	0x6752f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3885135135135135
RT_ICON	0x675420	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.48916184971098264
RT_ICON	0x675988	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.10283687943262411
RT_ICON	0x675df0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.47297297297297297
RT_ICON	0x675f18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5498554913294798
RT_ICON	0x676480	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.19680851063829788
RT_ICON	0x6768e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.2695035460992908
RT_ICON	0x676d50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.26063829787234044
RT_ICON	0x6771b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.2632978723404255
RT_ICON	0x677620	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.46621621621621623
RT_ICON	0x677748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5932080924855492
RT_ICON	0x677cb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.28634751773049644
RT_ICON	0x678118	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.38513513513513514
RT_ICON	0x678240	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.48627167630057805
RT_ICON	0x6787a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.09397163120567376
RT_ICON	0x678c10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.18351063829787234
RT_ICON	0x679078	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.14378612716763006
RT_ICON	0x6795e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.17375886524822695
RT_ICON	0x679a48	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.35135135135135137
RT_ICON	0x679b70	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.10549132947976879
RT_ICON	0x67a0d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.13439306358381503
RT_ICON	0x67a640	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.07092198581560284
RT_ICON	0x67aaa8	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 0	English	United States	0.08371559633027523
RT_ICON	0x67ae10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.0673758865248227
RT_ICON	0x67b278	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 0	English	United States	0.08944954128440367
RT_ICON	0x67b5e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.07092198581560284
RT_ICON	0x67ba48	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.38513513513513514
RT_ICON	0x67bb70	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.49277456647398843
RT_ICON	0x67c0d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.0975177304964539
RT_ICON	0x67c540	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.38513513513513514
RT_ICON	0x67c668	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4920520231213873
RT_ICON	0x67cbd0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.09840425531914894
RT_ICON	0x67d038	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4624277456647399
RT_ICON	0x67d5a0	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 0	English	United States	0.06536697247706422
RT_ICON	0x67d908	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.1125886524822695
RT_ICON	0x67dd70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.10372340425531915
RT_ICON	0x67e1d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.09131205673758866
RT_ICON	0x67e640	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.10904255319148937
RT_ICON	0x67eaa8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.11170212765957446
RT_ICON	0x67ef10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.13829787234042554
RT_ICON	0x67f378	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.06213872832369942
RT_ICON	0x67f8e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.09485815602836879
RT_ICON	0x67fd48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.4734042553191489
RT_ICON	0x6801b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.10017730496453901
RT_ICON	0x680618	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3952702702702703
RT_ICON	0x680740	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.49421965317919075
RT_ICON	0x680ca8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.09663120567375887
RT_ICON	0x681110	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3952702702702703
RT_ICON	0x681238	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4949421965317919
RT_ICON	0x6817a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.09485815602836879
RT_ICON	0x681c08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.0888728323699422
RT_ICON	0x682170	0x488	Device independent bitmap graphic, 8 x 16 x 8, image size 0	English	United States	0.0603448275862069
RT_ICON	0x6825f8	0x488	Device independent bitmap graphic, 8 x 16 x 8, image size 0	English	United States	0.08017241379310344
RT_ICON	0x682a80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.5088652482269503
RT_ICON	0x682ee8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.05202312138728324
RT_ICON	0x683450	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.05202312138728324
RT_ICON	0x6839b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.06864161849710983
RT_ICON	0x683f20	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.05635838150289017
RT_ICON	0x684488	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.05563583815028902
RT_ICON	0x6849f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.0476878612716763
RT_ICON	0x684f58	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.17198581560283688
RT_ICON	0x6853c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.16843971631205673
RT_ICON	0x685828	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.12427745664739884
RT_ICON	0x685d90	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.6076589595375722
RT_ICON	0x6862f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.5620567375886525
RT_ICON	0x686760	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.19418386491557224
RT_ICON	0x687808	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.274822695035461
RT_ICON	0x687c70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.1870567375886525
RT_ICON	0x6880d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.1950354609929078
RT_ICON	0x688540	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.07092198581560284
RT_ICON	0x6889a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.1976950354609929
RT_ICON	0x688e10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.10332369942196531
RT_ICON	0x689378	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.09896810506566604
RT_ICON	0x68a420	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.2553191489361702
RT_ICON	0x68a888	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.25975177304964536
RT_ICON	0x68acf0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.04552023121387283
RT_ICON	0x68b258	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.04552023121387283
RT_ICON	0x68b7c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.225177304964539
RT_ICON	0x68bc28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.13583815028901733
RT_ICON	0x68c190	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.04878048780487805
RT_ICON	0x68d238	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.14804964539007093
RT_ICON	0x68d6a0	0x1e0	Device independent bitmap graphic, 10 x 20 x 32, image size 0	English	United States	0.31666666666666665
RT_ICON	0x68d880	0x1e0	Device independent bitmap graphic, 10 x 20 x 32, image size 0	English	United States	0.37083333333333335
RT_ICON	0x68da60	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.46283783783783783
RT_ICON	0x68db88	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5382947976878613
RT_ICON	0x68e0f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.16666666666666666
RT_ICON	0x68e558	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.49324324324324326
RT_ICON	0x68e680	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5643063583815029
RT_ICON	0x68ebe8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.20921985815602837
RT_ICON	0x68f050	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.5878378378378378
RT_ICON	0x68f178	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5953757225433526
RT_ICON	0x68f6e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.3617021276595745
RT_ICON	0x68fb48	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.4527027027027027
RT_ICON	0x68fc70	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.49783236994219654
RT_ICON	0x6901d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.1099290780141844
RT_ICON	0x690640	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4479768786127168
RT_ICON	0x690ba8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.0700354609929078
RT_ICON	0x691010	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.43858381502890176
RT_ICON	0x691578	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.06560283687943262
RT_ICON	0x6919e0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.2702702702702703
RT_ICON	0x691b08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.45809248554913296
RT_ICON	0x692070	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.04875886524822695
RT_ICON	0x6924d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.5416666666666666
RT_ICON	0x692940	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.1099290780141844
RT_ICON	0x692da8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.1099290780141844
RT_ICON	0x693210	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.05491329479768786
RT_ICON	0x693778	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.05563583815028902
RT_GROUP_ICON	0x693ce0	0x5a	data	English	United States	0.7888888888888889
RT_GROUP_ICON	0x693d3c	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x693d6c	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x693d9c	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x693dcc	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x693dfc	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x693e20	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x693e44	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x693e74	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x693e88	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x693e9c	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x693eb0	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x693ec4	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x693ed8	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x693eec	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x693f10	0x30	data	English	United States	0.9375
RT_GROUP_ICON	0x693f40	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x693f70	0x30	data	English	United States	0.9375
RT_GROUP_ICON	0x693fa0	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x693fd0	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x694000	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x694030	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x694060	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x694090	0x30	data	English	United States	0.9375
RT_GROUP_ICON	0x6940c0	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x6940f0	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694104	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x694134	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x694164	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x694194	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x6941c4	0x30	data	English	United States	0.6666666666666666
RT_GROUP_ICON	0x6941f4	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x694224	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x694248	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x694278	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x69428c	0x30	data	English	United States	0.8541666666666666
RT_GROUP_ICON	0x6942bc	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6942d0	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6942e4	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x694308	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x69432c	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x694350	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x694374	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x694398	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x6943c8	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x6943f8	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x69441c	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694430	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694444	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694458	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x69446c	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694480	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694494	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6944a8	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6944bc	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x6944ec	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x69451c	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694530	0x14	data	English	United States	1.2
RT_GROUP_ICON	0x694544	0x14	data	English	United States	1.2
RT_GROUP_ICON	0x694558	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x69456c	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694580	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694594	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6945a8	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6945bc	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6945d0	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6945e4	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6945f8	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x69460c	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694620	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694634	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694648	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x69465c	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694670	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694684	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x6946a8	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x6946cc	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x6946e0	0x22	data	English	United States	0.8529411764705882
RT_GROUP_ICON	0x694704	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x694718	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x69472c	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x694750	0x22	data	English	United States	1.0588235294117647
RT_VERSION	0x694774	0x2f0	SysEx File - IDP	English	United States	0.4574468085106383
RT_MANIFEST	0x694a64	0x31c	ASCII text, with very long lines (599), with CRLF line terminators	English	United States	0.49246231155778897

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
COMCTL32.dll
COMDLG32.dll	ChooseColorW
MSIMG32.dll	AlphaBlend
WINMM.dll	timeSetEvent
WS2_32.dll	setsockopt
ole32.dll	ReleaseStgMedium
PSAPI.DLL	GetModuleInformation
SHLWAPI.dll	PathRemoveArgsW
WININET.dll	InternetQueryOptionW
DNSAPI.dll	DnsFree
WTSAPI32.dll	WTSUnRegisterSessionNotification

Exports

Name	Ordinal	Address
sqlite3_activate_see	1	0x41979c
sqlite3_aggregate_context	2	0x66a676
sqlite3_aggregate_count	3	0x65b3df
sqlite3_auto_extension	4	0x68652b
sqlite3_backup_finish	5	0x690ecb
sqlite3_backup_init	6	0x68fd82
sqlite3_backup_pagecount	7	0x65a724
sqlite3_backup_remaining	8	0x65a71c
sqlite3_backup_step	9	0x68dc41
sqlite3_bind_blob	10	0x679cec
sqlite3_bind_double	11	0x679d0a
sqlite3_bind_int	12	0x68066b
sqlite3_bind_int64	13	0x679d4d
sqlite3_bind_null	14	0x679d8f
sqlite3_bind_parameter_count	15	0x65b46e
sqlite3_bind_parameter_index	16	0x65b4f8
sqlite3_bind_parameter_name	17	0x65b47e
sqlite3_bind_text	18	0x679db4
sqlite3_bind_text16	19	0x679dd2
sqlite3_bind_value	20	0x680683
sqlite3_bind_zeroblob	21	0x679df0
sqlite3_blob_bytes	22	0x65b71a
sqlite3_blob_close	23	0x691613
sqlite3_blob_open	24	0x69bc1e
sqlite3_blob_read	25	0x691717
sqlite3_blob_reopen	26	0x691757
sqlite3_blob_write	27	0x691737
sqlite3_busy_handler	28	0x65e9dd
sqlite3_busy_timeout	29	0x65ea65
sqlite3_cancel_auto_extension	30	0x65cde4
sqlite3_changes	31	0x65e83a
sqlite3_clear_bindings	32	0x65b27c
sqlite3_close	33	0x692287
sqlite3_close_v2	34	0x692294
sqlite3_collation_needed	35	0x65ec9c
sqlite3_collation_needed16	36	0x65ecd2
sqlite3_column_blob	37	0x6799db
sqlite3_column_bytes	38	0x6799ff
sqlite3_column_bytes16	39	0x679a23
sqlite3_column_count	40	0x65b3ea
sqlite3_column_database_name	41	0x66e51b
sqlite3_column_database_name16	42	0x66e535
sqlite3_column_decltype	43	0x66e4e7
sqlite3_column_decltype16	44	0x66e501
sqlite3_column_double	45	0x679a47
sqlite3_column_int	46	0x679a71
sqlite3_column_int64	47	0x679a95
sqlite3_column_name	48	0x66e4b3
sqlite3_column_name16	49	0x66e4cd
sqlite3_column_origin_name	50	0x66e583
sqlite3_column_origin_name16	51	0x66e59d
sqlite3_column_table_name	52	0x66e54f
sqlite3_column_table_name16	53	0x66e569
sqlite3_column_text	54	0x679abf
sqlite3_column_text16	55	0x679b19
sqlite3_column_type	56	0x679b3d
sqlite3_column_value	57	0x679ae3
sqlite3_commit_hook	58	0x65eb18
sqlite3_compileoption_get	59	0x656224
sqlite3_compileoption_used	60	0x66249c
sqlite3_complete	61	0x65e4f4
sqlite3_complete16	62	0x686705
sqlite3_config	63	0x67e936
sqlite3_context_db_handle	64	0x65b3a4
sqlite3_create_collation	65	0x67f02c
sqlite3_create_collation16	66	0x67f0a9
sqlite3_create_collation_v2	67	0x67f06a
sqlite3_create_function	68	0x683c22
sqlite3_create_function16	69	0x67ed6a
sqlite3_create_function_v2	70	0x67ecd4
sqlite3_create_module	71	0x67c6ac
sqlite3_create_module_v2	72	0x67c6c7
sqlite3_data_count	73	0x65b3fa
sqlite3_data_directory	74	0x9c7dac
sqlite3_db_config	75	0x66833f
sqlite3_db_filename	76	0x65edea
sqlite3_db_handle	77	0x65b5b4
sqlite3_db_mutex	78	0x65e71a
sqlite3_db_readonly	79	0x65ee04
sqlite3_db_release_memory	80	0x65e722
sqlite3_db_status	81	0x66c32c
sqlite3_declare_vtab	82	0x6920a9
sqlite3_enable_load_extension	83	0x65cdb2
sqlite3_enable_shared_cache	84	0x65a055
sqlite3_errcode	85	0x67eea1
sqlite3_errmsg	86	0x67ee36
sqlite3_errmsg16	87	0x67738f
sqlite3_errstr	88	0x65ebec
sqlite3_exec	89	0x6917dc
sqlite3_expired	90	0x65b267
sqlite3_extended_errcode	91	0x67eed5
sqlite3_extended_result_codes	92	0x65ed11
sqlite3_extension_init	93	0x6b03ea
sqlite3_file_control	94	0x6683f1
sqlite3_finalize	95	0x691491
sqlite3_free	96	0x656aca
sqlite3_free_table	97	0x65d46d
sqlite3_get_autocommit	98	0x65ed08
sqlite3_get_auxdata	99	0x65b3ac
sqlite3_get_table	100	0x691b8c
sqlite3_global_recover	101	0x5296fe
sqlite3_initialize	102	0x6854d1
sqlite3_interrupt	103	0x65ea9f
sqlite3_key	104	0x66eca4
sqlite3_key_v2	105	0x66dad0
sqlite3_last_insert_rowid	106	0x65e82f
sqlite3_libversion	107	0x65e704
sqlite3_libversion_number	108	0x65e710
sqlite3_limit	109	0x65ec6c
sqlite3_load_extension	110	0x67b910
sqlite3_log	111	0x67024e
sqlite3_malloc	112	0x6856ee
sqlite3_memory_alarm	113	0x656a24
sqlite3_memory_highwater	114	0x677eeb
sqlite3_memory_used	115	0x677ee4
sqlite3_mprintf	116	0x6701c3
sqlite3_mutex_alloc	117	0x6568fa
sqlite3_mutex_enter	118	0x656933
sqlite3_mutex_free	119	0x656925
sqlite3_mutex_leave	120	0x656951
sqlite3_mutex_try	121	0x656941
sqlite3_next_stmt	122	0x65b5f6
sqlite3_open	123	0x6a4404
sqlite3_open16	124	0x6a441e
sqlite3_open_v2	125	0x6a4419
sqlite3_os_end	126	0x5296fe
sqlite3_os_init	127	0x678563
sqlite3_overload_function	128	0x67edcb
sqlite3_prepare	129	0x65cec1
sqlite3_prepare16	130	0x6aa8f9
sqlite3_prepare16_v2	131	0x6aa917
sqlite3_prepare_v2	132	0x65cee1
sqlite3_profile	133	0x65eae3
sqlite3_progress_handler	134	0x65ea1a
sqlite3_randomness	135	0x662e63
sqlite3_realloc	136	0x662aa1
sqlite3_rekey	137	0x690eb1
sqlite3_rekey_v2	138	0x68f2ea
sqlite3_release_memory	139	0x5296fe
sqlite3_reset	140	0x6914d8
sqlite3_reset_auto_extension	141	0x6865a7
sqlite3_result_blob	142	0x67193e
sqlite3_result_double	143	0x65b314
sqlite3_result_error	144	0x66e415
sqlite3_result_error16	145	0x66e439
sqlite3_result_error_code	146	0x66e460
sqlite3_result_error_nomem	147	0x65b378
sqlite3_result_error_toobig	148	0x66e48d
sqlite3_result_int	149	0x65b32c
sqlite3_result_int64	150	0x65b342
sqlite3_result_null	151	0x65b359
sqlite3_result_text	152	0x67195a
sqlite3_result_text16	153	0x671976
sqlite3_result_text16be	154	0x671992
sqlite3_result_text16le	155	0x671976
sqlite3_result_value	156	0x66c764
sqlite3_result_zeroblob	157	0x65b368
sqlite3_rollback_hook	158	0x65eb82
sqlite3_set_authorizer	159	0x65c2a7
sqlite3_set_auxdata	160	0x66a6d7
sqlite3_shutdown	161	0x68675c
sqlite3_sleep	162	0x6683ca
sqlite3_snprintf	163	0x662e49
sqlite3_soft_heap_limit	164	0x6856d9
sqlite3_soft_heap_limit64	165	0x685664
sqlite3_sourceid	166	0x65e70a
sqlite3_sql	167	0x65aab7
sqlite3_status	168	0x6777e0
sqlite3_step	169	0x6aa935
sqlite3_stmt_busy	170	0x65b5d8
sqlite3_stmt_readonly	171	0x65b5c2
sqlite3_stmt_status	172	0x65b623
sqlite3_strglob	173	0x65cc10
sqlite3_stricmp	174	0x656ce1
sqlite3_strnicmp	175	0x656d24
sqlite3_table_column_metadata	176	0x6934b7
sqlite3_temp_directory	177	0x9c7da8
sqlite3_test_control	178	0x686bd8
sqlite3_thread_cleanup	179	0x41979c
sqlite3_threadsafe	180	0x65e716
sqlite3_total_changes	181	0x65e842
sqlite3_trace	182	0x65eaae
sqlite3_transfer_bindings	183	0x65b562
sqlite3_unicode_collate	184	0x6b027d
sqlite3_unicode_fold	185	0x6afabb
sqlite3_unicode_free	186	0x6b040a
sqlite3_unicode_init	187	0x6b02e8
sqlite3_unicode_load	188	0x6b03fe
sqlite3_unicode_lower	189	0x6afb11
sqlite3_update_hook	190	0x65eb4d
sqlite3_uri_boolean	191	0x668462
sqlite3_uri_int64	192	0x66848d
sqlite3_uri_parameter	193	0x65ed41
sqlite3_user_data	194	0x65b39a
sqlite3_value_blob	195	0x6718f3
sqlite3_value_bytes	196	0x66e3ce
sqlite3_value_bytes16	197	0x66e3db
sqlite3_value_double	198	0x65b2ef
sqlite3_value_int	199	0x65b2f8
sqlite3_value_int64	200	0x65b2f8
sqlite3_value_numeric_type	201	0x65b69e
sqlite3_value_text	202	0x66e3e8
sqlite3_value_text16	203	0x66e406
sqlite3_value_text16be	204	0x66e3f7
sqlite3_value_text16le	205	0x66e406
sqlite3_value_type	206	0x65b301
sqlite3_version	207	0x86ad28
sqlite3_vfs_find	208	0x6625da
sqlite3_vfs_register	209	0x66264c
sqlite3_vfs_unregister	210	0x66269f
sqlite3_vmprintf	211	0x670153
sqlite3_vsnprintf	212	0x662e00
sqlite3_vtab_config	213	0x67c6d0
sqlite3_vtab_on_conflict	214	0x65d7de
sqlite3_wal_autocheckpoint	215	0x690e8d
sqlite3_wal_checkpoint	216	0x68f2d4
sqlite3_wal_checkpoint_v2	217	0x68f237
sqlite3_wal_hook	218	0x65ebb7
sqlite3_win32_is_nt	219	0x657cae
sqlite3_win32_mbcs_to_utf8	220	0x6634e2
sqlite3_win32_set_directory	221	0x6856ff
sqlite3_win32_sleep	222	0x657ca3
sqlite3_win32_utf8_to_mbcs	223	0x663557
sqlite3_win32_write_debug	224	0x657c2c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	11:00:51
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\m6tly2Aqw4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\m6tly2Aqw4.exe"
Imagebase:	0x50000
File size:	4'594'535 bytes
MD5 hash:	51D4E15FA77CF644EE90F42269BCED3B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report m6tly2Aqw4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Common Files\System\symsrv.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
m6tly2Aqw4.exe