Create Interactive Tour

Windows Analysis Report
Integrator.exe

Overview

General Information

Sample name:	Integrator.exe
Analysis ID:	1613128
MD5:	7fe445d2b5df4b0e2ab87543f0109ae3
SHA1:	58bdeed8ab97eca14e68259c9762fb34bb65196c
SHA256:	083773cf97871bc504f12f16a11c3391bea3a7b7427f20958920a089edcc2d77
Tags:	exeI2PRATuser-plebourhis
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

Joe Sandbox ML detected suspicious sample

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Queries keyboard layouts

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Integrator.exe (PID: 1748 cmdline: "C:\Users\user\Desktop\Integrator.exe" MD5: 7FE445D2B5DF4B0E2AB87543F0109AE3)

Integrator.exe (PID: 1420 cmdline: C:\Users\user\Desktop\Integrator.exe MD5: 7FE445D2B5DF4B0E2AB87543F0109AE3)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Integrator.exe	Virustotal: Detection: 51%			Perma Link
Source: Integrator.exe	ReversingLabs: Detection: 43%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.2% probability

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\Integrator.exe

Unpacked PE file: 0.2.Integrator.exe.2810000.0.unpack

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 45.200.148.158:1129

Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158

Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CD53EA
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CC4B4A
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CC5B3E
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CC60CE
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CD701E
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CDD122
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CC7F2E
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CC9CF6
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CCCDA6

Source: Integrator.exe

Static PE information: Number of sections : 11 > 10

Source: Integrator.exe, 00000000.00000002.1679039047.0000000002734000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs Integrator.exe
Source: Integrator.exe, 00000001.00000002.3540888724.00000000026A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs Integrator.exe

Source: classification engine

Classification label: mal60.evad.winEXE@3/0@0/1

Source: Integrator.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Integrator.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Integrator.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Integrator.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Integrator.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\Integrator.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Integrator.exe	Virustotal: Detection: 51%
Source: Integrator.exe	ReversingLabs: Detection: 43%

Source: Integrator.exe	String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: Integrator.exe	String found in binary or memory: application/vnd.groove-help
Source: Integrator.exe	String found in binary or memory: "application/x-install-instructions

Source: unknown	Process created: C:\Users\user\Desktop\Integrator.exe "C:\Users\user\Desktop\Integrator.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Integrator.exe C:\Users\user\Desktop\Integrator.exe
Source: C:\Users\user\Desktop\Integrator.exe	Process created: C:\Users\user\Desktop\Integrator.exe C:\Users\user\Desktop\Integrator.exe

Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Integrator.exe	Section loaded: cryptbase.dll

Source: Integrator.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Integrator.exe

Static file information: File size 6747648 > 1048576

Source: Integrator.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x518200

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\Integrator.exe

Unpacked PE file: 0.2.Integrator.exe.2810000.0.unpack

Source: Integrator.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CDF262 push es; retf
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CC675D push esi; ret
Source: C:\Users\user\Desktop\Integrator.exe	Code function: 0_2_02CC3D4E push eax; iretd

Source: C:\Users\user\Desktop\Integrator.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Integrator.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Integrator.exe TID: 3852

Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\Integrator.exe	System information queried: CurrentTimeZoneInformation
Source: C:\Users\user\Desktop\Integrator.exe	System information queried: CurrentTimeZoneInformation

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Integrator.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\Integrator.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Desktop\Integrator.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\Integrator.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: Integrator.exe, 00000001.00000002.3540758587.0000000000B03000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Integrator.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Integrator.exe

Process token adjusted: Debug

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Integrator.exe	51%	Virustotal		Browse
Integrator.exe	43%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.200.148.158	unknown	Seychelles		328608	Africa-on-Cloud-ASZA	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1613128
Start date and time:	2025-02-12 14:42:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Integrator.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@3/0@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Integrator.exe, PID 1748 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.046180956201426
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	Integrator.exe
File size:	6'747'648 bytes
MD5:	7fe445d2b5df4b0e2ab87543f0109ae3
SHA1:	58bdeed8ab97eca14e68259c9762fb34bb65196c
SHA256:	083773cf97871bc504f12f16a11c3391bea3a7b7427f20958920a089edcc2d77
SHA512:	0a428fa95313ceb7358eb5ea91b9f828846379473cb78b4a75e552994713fc70296f14221e927f302db1b491e5fc4c266a63b06c40ecbdf20d6ade9cd7983d53
SSDEEP:	49152:8M/r94yWpEWQQCc6WF3Pk4RhGSA4t4BZvL7V59EhdB39/fX1u+Ln77bRCRX:8BmEn1LLFCRX
TLSH:	8866183F72A5926EC15DC53EC4A7CF20E433727E1B33C6E7129105A98A468C99E7F264
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	6ab06e9aaaba8e50

Static PE Info

General

Entrypoint:	0x9190e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x677BC2E4 [Mon Jan 6 11:47:48 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	15a57eff2eea7f2b4295f65e6617ea62

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 20h
dec eax
mov ebp, esp
nop
dec eax
lea ecx, dword ptr [FFFEE5D8h]
call 00007F1AC88C8E00h
dec eax
mov eax, dword ptr [00073554h]
dec eax
mov ecx, dword ptr [eax]
call 00007F1AC8B6E861h
dec eax
mov eax, dword ptr [00073545h]
dec eax
mov ecx, dword ptr [eax]
mov dl, 01h
call 00007F1AC8B71510h
dec eax
mov eax, dword ptr [00073534h]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFEDF2Ah]
dec esp
mov eax, dword ptr [00073A2Bh]
call 00007F1AC8B6E863h
dec eax
mov eax, dword ptr [00073517h]
dec eax
mov ecx, dword ptr [eax]
call 00007F1AC8B6EA74h
call 00007F1AC88C0B9Fh
jmp 00007F1AC8DCBAFAh
nop
nop
call 00007F1AC88C0D96h
nop
dec eax
lea esp, dword ptr [ebp+20h]
pop ebp
ret
dec eax
nop
dec eax
lea eax, dword ptr [00000000h+eax]
dec eax
sub esp, 28h
call 00007F1AC88C032Ch
dec eax
add esp, 28h
ret
int3
int3
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x59f000	0x9b	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x598000	0x499a	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x631000	0x4fc00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5e8000	0x48f00	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5a2000	0x45300	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5a1000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5992f0	0x1148	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x59d000	0x1002	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x518170	0x518200	7f555e6daba01caa7ffa5fc1257d1511	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x51a000	0x72e60	0x73000	e92bd7a82129b648d25530080f7e3eb3	False	0.22730553668478262	data	4.693262875622966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x58d000	0xacd4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x598000	0x499a	0x4a00	2b781cff2c47a9ff59ccec62c25be2b6	False	0.24625211148648649	data	4.393089225157633	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x59d000	0x1002	0x1200	18a361fcb521fccc1563d7db2dec5d75	False	0.23741319444444445	data	3.1136340359203962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x59f000	0x9b	0x200	cacfbc3043ff15547297a7ac2c4be2ed	False	0.259765625	data	1.922020435714979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x5a0000	0x1e4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5a1000	0x6d	0x200	7503743c998ca34caa84f518c708126a	False	0.1953125	data	1.350403427829831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5a2000	0x45300	0x45400	e16b1aa7cf68c8829873012a38f59640	False	0.4722613944043321	data	6.469497922016864	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x5e8000	0x48f00	0x49000	5cfbbd8b4b902a2e5c0f14dd061c47e6	False	0.4915319991438356	data	6.412831355465122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x631000	0x4fc00	0x4fc00	8dffff08c5682ea4a771a3165ef691a9	False	0.5985930152821317	data	6.692798232467158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x631c48	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x631d7c	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x631eb0	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x631fe4	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x632118	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x63224c	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x632380	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0x6324b4	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 0			0.20460607304062373
RT_ICON	0x6370dc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4031791907514451
RT_ICON	0x637644	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6814079422382672
RT_ICON	0x637eec	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.517590618336887
RT_ICON	0x638d94	0x5c70	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9795892494929006
RT_STRING	0x63ea04	0x1f8	data			0.4880952380952381
RT_STRING	0x63ebfc	0x34c	data			0.40165876777251186
RT_STRING	0x63ef48	0x390	data			0.3355263157894737
RT_STRING	0x63f2d8	0x288	data			0.4737654320987654
RT_STRING	0x63f560	0x430	data			0.332089552238806
RT_STRING	0x63f990	0x364	data			0.4066820276497696
RT_STRING	0x63fcf4	0xf4	data			0.5368852459016393
RT_STRING	0x63fde8	0xec	data			0.4067796610169492
RT_STRING	0x63fed4	0xe8	AmigaOS bitmap font "n", 18688 elements, 2nd, 3rd			0.43103448275862066
RT_STRING	0x63ffbc	0x1f8	data			0.4880952380952381
RT_STRING	0x6401b4	0x4c8	data			0.3831699346405229
RT_STRING	0x64067c	0x5cc	data			0.29514824797843664
RT_STRING	0x640c48	0x4d8	data			0.3782258064516129
RT_STRING	0x641120	0x454	data			0.33574007220216606
RT_STRING	0x641574	0x368	data			0.411697247706422
RT_STRING	0x6418dc	0x2fc	data			0.4476439790575916
RT_STRING	0x641bd8	0xbc	data			0.6861702127659575
RT_STRING	0x641c94	0xe0	data			0.65625
RT_STRING	0x641d74	0x3b8	data			0.39810924369747897
RT_STRING	0x64212c	0x400	data			0.3642578125
RT_STRING	0x64252c	0x3e4	data			0.40963855421686746
RT_STRING	0x642910	0x3f4	data			0.28952569169960474
RT_STRING	0x642d04	0x3d0	data			0.41905737704918034
RT_STRING	0x6430d4	0x410	data			0.3817307692307692
RT_STRING	0x6434e4	0x514	data			0.39076923076923076
RT_STRING	0x6439f8	0x3b8	data			0.36239495798319327
RT_STRING	0x643db0	0x398	data			0.34456521739130436
RT_STRING	0x644148	0x458	data			0.3839928057553957
RT_STRING	0x6445a0	0x148	data			0.5152439024390244
RT_STRING	0x6446e8	0xcc	data			0.6127450980392157
RT_STRING	0x6447b4	0x1f8	data			0.5357142857142857
RT_STRING	0x6449ac	0x40c	data			0.36003861003861004
RT_STRING	0x644db8	0x384	data			0.3688888888888889
RT_STRING	0x64513c	0x310	data			0.37755102040816324
RT_STRING	0x64544c	0x328	data			0.3551980198019802
RT_RCDATA	0x645774	0x10	data			1.5
RT_RCDATA	0x645784	0xc2c	data			0.46630295250320924
RT_RCDATA	0x6463b0	0x151	Delphi compiled form 'TForm1'			0.7210682492581603
RT_RCDATA	0x646504	0x3a205	data	English	United States	0.6415397862108071
RT_GROUP_CURSOR	0x68070c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x680720	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x680734	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x680748	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x68075c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x680770	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x680784	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x680798	0x4c	data			0.8289473684210527
RT_VERSION	0x6807e4	0x314	data	Chinese	China	0.45558375634517767

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMetaRgn, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FileTimeToSystemTime, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileW, CreateEventW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
shell32.dll	Shell_NotifyIconW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
winhttp.dll	WinHttpWriteData, WinHttpSetOption, WinHttpSetCredentials, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpReadData, WinHttpQueryOption, WinHttpQueryHeaders, WinHttpQueryDataAvailable, WinHttpQueryAuthSchemes, WinHttpOpenRequest, WinHttpOpen, WinHttpCrackUrl, WinHttpConnect, WinHttpCloseHandle, WinHttpAddRequestHeaders

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x494050
__dbk_fcall_wrapper	2	0x4160b0
dbkFCallWrapperAddr	1	0x991f58

Version Infos

Description	Data
CompanyName	Glarysoft Ltd
FileDescription	Glary Utilities 5
FileVersion	5, 71, 0, 92
InternalName	Integrator.exe
LegalCopyright	Copyright (c) 2003-2017 Glarysoft Ltd
OriginalFilename	Integrator.exe
ProductName	Glary Utilities
ProductVersion	5, 0, 0, 0
Translation	0x0009 0x03a8

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2025 14:43:32.695741892 CET	49731	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:43:32.700637102 CET	1129	49731	45.200.148.158	192.168.2.4
Feb 12, 2025 14:43:32.700716972 CET	49731	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:43:32.701119900 CET	49731	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:43:32.705924034 CET	1129	49731	45.200.148.158	192.168.2.4
Feb 12, 2025 14:43:54.042649031 CET	1129	49731	45.200.148.158	192.168.2.4
Feb 12, 2025 14:43:54.042720079 CET	49731	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:43:54.042762995 CET	49731	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:43:54.050795078 CET	1129	49731	45.200.148.158	192.168.2.4
Feb 12, 2025 14:44:04.109778881 CET	49738	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:04.116797924 CET	1129	49738	45.200.148.158	192.168.2.4
Feb 12, 2025 14:44:04.116878986 CET	49738	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:04.122555017 CET	49738	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:04.128972054 CET	1129	49738	45.200.148.158	192.168.2.4
Feb 12, 2025 14:44:25.481806040 CET	1129	49738	45.200.148.158	192.168.2.4
Feb 12, 2025 14:44:25.486215115 CET	49738	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:25.491156101 CET	49738	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:25.495990992 CET	1129	49738	45.200.148.158	192.168.2.4
Feb 12, 2025 14:44:35.499376059 CET	49776	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:35.506386995 CET	1129	49776	45.200.148.158	192.168.2.4
Feb 12, 2025 14:44:35.506478071 CET	49776	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:35.506520033 CET	49776	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:35.511533976 CET	1129	49776	45.200.148.158	192.168.2.4
Feb 12, 2025 14:44:56.874731064 CET	1129	49776	45.200.148.158	192.168.2.4
Feb 12, 2025 14:44:56.874799013 CET	49776	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:56.874861002 CET	49776	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:44:56.879576921 CET	1129	49776	45.200.148.158	192.168.2.4
Feb 12, 2025 14:45:06.889764071 CET	49976	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:06.895374060 CET	1129	49976	45.200.148.158	192.168.2.4
Feb 12, 2025 14:45:06.895453930 CET	49976	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:06.895490885 CET	49976	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:06.902264118 CET	1129	49976	45.200.148.158	192.168.2.4
Feb 12, 2025 14:45:28.250036001 CET	1129	49976	45.200.148.158	192.168.2.4
Feb 12, 2025 14:45:28.250204086 CET	49976	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:28.250281096 CET	49976	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:28.258410931 CET	1129	49976	45.200.148.158	192.168.2.4
Feb 12, 2025 14:45:38.265307903 CET	50008	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:38.270149946 CET	1129	50008	45.200.148.158	192.168.2.4
Feb 12, 2025 14:45:38.270401955 CET	50008	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:38.270448923 CET	50008	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:38.275191069 CET	1129	50008	45.200.148.158	192.168.2.4
Feb 12, 2025 14:45:59.637846947 CET	1129	50008	45.200.148.158	192.168.2.4
Feb 12, 2025 14:45:59.637984037 CET	50008	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:59.638186932 CET	50008	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:45:59.642956018 CET	1129	50008	45.200.148.158	192.168.2.4
Feb 12, 2025 14:46:09.656186104 CET	50009	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:46:09.661297083 CET	1129	50009	45.200.148.158	192.168.2.4
Feb 12, 2025 14:46:09.661389112 CET	50009	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:46:09.661504984 CET	50009	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:46:09.666343927 CET	1129	50009	45.200.148.158	192.168.2.4
Feb 12, 2025 14:46:31.045969963 CET	1129	50009	45.200.148.158	192.168.2.4
Feb 12, 2025 14:46:31.046052933 CET	50009	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:46:31.046093941 CET	50009	1129	192.168.2.4	45.200.148.158
Feb 12, 2025 14:46:31.051003933 CET	1129	50009	45.200.148.158	192.168.2.4

Statistics

Behavior

All data are 0.

System Behavior

Analysis Process: Integrator.exePID: 1748, Parent PID: 2580

General

Target ID:	0
Start time:	08:43:31
Start date:	12/02/2025
Path:	C:\Users\user\Desktop\Integrator.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Integrator.exe"
Imagebase:	0x400000
File size:	6'747'648 bytes
MD5 hash:	7FE445D2B5DF4B0E2AB87543F0109AE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Analysis Process: Integrator.exePID: 1420, Parent PID: 552

General

Target ID:	1
Start time:	08:43:31
Start date:	12/02/2025
Path:	C:\Users\user\Desktop\Integrator.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Integrator.exe
Imagebase:	0x400000
File size:	6'747'648 bytes
MD5 hash:	7FE445D2B5DF4B0E2AB87543F0109AE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Integrator.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

TCP Packets

Statistics

Behavior

System Behavior

Analysis Process: Integrator.exePID: 1748, Parent PID: 2580

General

Analysis Process: Integrator.exePID: 1420, Parent PID: 552

General

Disassembly

Windows Analysis Report
Integrator.exe