Edit tour

Windows Analysis Report
ArsClip.exe

Overview

General Information

Sample Name:	ArsClip.exe
Analysis ID:	886489
MD5:	d55f25d20d06270e1ee4fb74dd520935
SHA1:	2ccfa7b5a81f6782ede89eee7a912f818218546c
SHA256:	3a43b9f506c3ece842718de4a91e9215bd84e738284e605befc0e097d684d159
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries keyboard layouts

Classification

Process Tree

System is w10x64

ArsClip.exe (PID: 5444 cmdline: C:\Users\user\Desktop\ArsClip.exe MD5: D55F25D20D06270E1EE4FB74DD520935)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ArsClip.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.543120711.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.ArsClip.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ArsClip.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: ArsClip.exe	String found in binary or memory: http://joejoesoft.com/
Source: ArsClip.exe	String found in binary or memory: http://joejoesoft.com/cms/ac_scripts.php?page_id=
Source: ArsClip.exe	String found in binary or memory: http://joejoesoft.com/cms/update.php
Source: ArsClip.exe	String found in binary or memory: http://www.google.com/search?q=
Source: ArsClip.exe	String found in binary or memory: http://www.joejoesoft.com
Source: ArsClip.exe	String found in binary or memory: http://www.sqlite.org/copyright.html.

Source: ArsClip.exe, 00000000.00000002.555643345.000000000095A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: ArsClip.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: ArsClip.exe, 00000000.00000002.555934472.000000000270C000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs ArsClip.exe

Source: ArsClip.exe

Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows

Source: C:\Users\user\Desktop\ArsClip.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ArsClip.exe	String found in binary or memory: NATS-SEFI-ADD
Source: ArsClip.exe	String found in binary or memory: NATS-DANO-ADD
Source: ArsClip.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: ArsClip.exe	String found in binary or memory: jp-ocr-b-add
Source: ArsClip.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: ArsClip.exe	String found in binary or memory: jp-ocr-hand-add
Source: ArsClip.exe	String found in binary or memory: ISO_6937-2-add

Source: C:\Users\user\Desktop\ArsClip.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\ArsClip.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: classification engine

Classification label: clean3.winEXE@1/1@0/0

Source: Yara match	File source: ArsClip.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ArsClip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.543120711.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\ArsClip.exe

File created: C:\Users\user\Desktop\TestFile.txt

Jump to behavior

Source: ArsClip.exe

Static file information: File size 4961792 > 1048576

Source: ArsClip.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ArsClip.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x33be00
Source: ArsClip.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x128e00

Source: ArsClip.exe

Static PE information: More than 200 imports for user32.dll

Source: ArsClip.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\ArsClip.exe

Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\ArsClip.exe

Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	1 Masquerading	1 Input Capture	11 System Information Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ArsClip.exe	10%	ReversingLabs
ArsClip.exe	3%	Virustotal		Browse

Name	Source	Malicious	Reputation
http://joejoesoft.com/cms/update.php	ArsClip.exe	false	high
http://joejoesoft.com/	ArsClip.exe	false	high
http://www.google.com/search?q=	ArsClip.exe	false	high
http://joejoesoft.com/cms/ac_scripts.php?page_id=	ArsClip.exe	false	high
http://www.joejoesoft.com	ArsClip.exe	false	high
http://www.sqlite.org/copyright.html.	ArsClip.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	886489
Start date and time:	2023-06-13 11:11:22 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ArsClip.exe
Detection:	CLEAN
Classification:	clean3.winEXE@1/1@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): audiodg.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com

Process:	C:\Users\user\Desktop\ArsClip.exe
File Type:	ASCII text, with no line terminators, with overstriking
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:P:P
MD5:	8E9555A941CA09F34EDAD613FA5056F0
SHA1:	BCE700D07EA8E1A520017ADDA35694091EFF6D2A
SHA-256:	15E267C790456C7C819473CAF878B4B6B126C132385377044EC2862A3769604B
SHA-512:	39FDAE37F0FE2E483730F58517124C336CC1447ABDDCA07F197D819945B775B2B78D5ECC6C6E596CCD9DF66A1B0FEFC836790BF860D7435B70B39230AFB932AE
Malicious:	false
Reputation:	low
Preview:	@...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.572892392052099
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	ArsClip.exe
File size:	4961792
MD5:	d55f25d20d06270e1ee4fb74dd520935
SHA1:	2ccfa7b5a81f6782ede89eee7a912f818218546c
SHA256:	3a43b9f506c3ece842718de4a91e9215bd84e738284e605befc0e097d684d159
SHA512:	1c91bdd790fdf8cbb03f63aee513d73a9ac10b5f60daa866ce0561f64e600efebe769797933634b391c915f547e160997c7039efbbe7c8ccdce13da81744bbfa
SSDEEP:	98304:zY/zvmnWO4S41zrXjdQYaIT9WtI9pE/1ErSy/Q:zYj9zDjd9aQlpEO/Q
TLSH:	D1367D12B244643BC477167A9C67E3A5783EBF602A22DC4B2BB03D4C5F766817D2A707
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	064f5616963333cc

Static PE Info

General

Entrypoint:	0x73f350
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x5B280B58 [Mon Jun 18 19:43:20 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	8c015e65b8deee6e52ccf1cfd161c2ee

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFD0h
xor eax, eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-24h], eax
mov eax, 00734680h
call 00007FE6710563EDh
xor eax, eax
push ebp
push 0073FBFFh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov byte ptr [00752DACh], 00000000h
mov eax, 00752DA8h
call 00007FE67105210Eh
call 00007FE67104E1B5h
dec eax
jne 00007FE671388BB7h
lea edx, dword ptr [ebp-30h]
mov eax, 00000001h
call 00007FE67104E205h
mov eax, dword ptr [ebp-30h]
lea edx, dword ptr [ebp-2Ch]
call 00007FE67106B26Eh
mov edx, dword ptr [ebp-2Ch]
mov eax, 00752DA8h
call 00007FE6710524C1h
lea eax, dword ptr [ebp-14h]
mov edx, dword ptr [00752DA8h]
call 00007FE6710524FBh
lea eax, dword ptr [ebp-18h]
mov edx, 0073FC18h
call 00007FE6710524EEh
mov eax, dword ptr [ebp-14h]
cmp eax, dword ptr [ebp-18h]
jne 00007FE671388B98h
mov byte ptr [ebp-19h], 00000001h
jmp 00007FE671388BB5h
cmp dword ptr [ebp-14h], 00000000h
je 00007FE671388B98h
cmp dword ptr [ebp-18h], 00000000h
jne 00007FE671388B98h
mov byte ptr [ebp-19h], 00000000h
jmp 00007FE671388BA3h
mov edx, dword ptr [ebp-18h]
mov eax, dword ptr [ebp-14h]
call 00007FE67106B36Bh
test eax, eax
sete byte ptr [ebp-19h]
cmp byte ptr [ebp-19h], 00000000h
je 00007FE671388BC6h
mov eax, dword ptr [0074CB80h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x353000	0x43d4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39e000	0x128e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x35b000	0x424cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x35a000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x353c9c	0xa58	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x358000	0x88a	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x33bc9c	0x33be00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x33d000	0x31c8	0x3200	False	0.4921875	data	6.071311108040413	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x341000	0xbd90	0xbe00	False	0.5257606907894737	data	5.984114652662673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x34d000	0x5db0	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x353000	0x43d4	0x4400	False	0.31135110294117646	data	5.082211816081088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x358000	0x88a	0xa00	False	0.321484375	data	3.751048456423829	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x359000	0x4c	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x35a000	0x18	0x200	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x35b000	0x424cc	0x42600	False	0.5528815030602636	data	6.702845387908835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x39e000	0x128e00	0x128e00	False	0.42487993421052633	data	6.470474015995619	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x3a04a0	0x134	data	English	United States
RT_CURSOR	0x3a05d4	0x134	data	English	United States
RT_CURSOR	0x3a0708	0x134	data	English	United States
RT_CURSOR	0x3a083c	0x134	data	English	United States
RT_CURSOR	0x3a0970	0x134	data	English	United States
RT_CURSOR	0x3a0aa4	0x134	data	English	United States
RT_CURSOR	0x3a0bd8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x3a0d0c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States
RT_BITMAP	0x3a0e40	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3a1010	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States
RT_BITMAP	0x3a11f4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3a13c4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3a1594	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3a1764	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3a1934	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3a1b04	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3a1cd4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3a1ea4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x3a2074	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x3a2134	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x3a2214	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x3a22f4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x3a23d4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x3a2494	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x3a2554	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x3a2634	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x3a26f4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0x3a27d4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States
RT_BITMAP	0x3a28bc	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0x3a297c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_ICON	0x3a2a5c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States
RT_ICON	0x3a3304	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States
RT_ICON	0x3a386c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x3a5e14	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x3a6ebc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x3a7324	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x3a778c	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	English	United States
RT_ICON	0x3a7af4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x3a7f5c	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	English	United States
RT_ICON	0x3a82c4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x3a872c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x3a8b94	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x3a8ffc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States
RT_ICON	0x3a9124	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	English	United States
RT_ICON	0x3a948c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x3a98f4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x3a9d5c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x3aa604	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States
RT_ICON	0x3aab6c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x3ad114	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x3ae1bc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x3ae624	0x52	data
RT_DIALOG	0x3ae678	0x52	data
RT_STRING	0x3ae6cc	0x308	data
RT_STRING	0x3ae9d4	0x3d8	data
RT_STRING	0x3aedac	0x2f0	data
RT_STRING	0x3af09c	0x850	data
RT_STRING	0x3af8ec	0xb20	data
RT_STRING	0x3b040c	0x424	data
RT_STRING	0x3b0830	0x408	data
RT_STRING	0x3b0c38	0x404	data
RT_STRING	0x3b103c	0x3c8	data
RT_STRING	0x3b1404	0x4ac	data
RT_STRING	0x3b18b0	0x200	data
RT_STRING	0x3b1ab0	0xc8	data
RT_STRING	0x3b1b78	0x118	data
RT_STRING	0x3b1c90	0x254	data
RT_STRING	0x3b1ee4	0x3d0	data
RT_STRING	0x3b22b4	0x3d4	data
RT_STRING	0x3b2688	0x490	data
RT_STRING	0x3b2b18	0x308	data
RT_STRING	0x3b2e20	0x428	data
RT_STRING	0x3b3248	0x47c	data
RT_STRING	0x3b36c4	0x490	data
RT_STRING	0x3b3b54	0x388	data
RT_STRING	0x3b3edc	0x404	data
RT_STRING	0x3b42e0	0x290	data
RT_STRING	0x3b4570	0xc0	data
RT_STRING	0x3b4630	0x9c	data
RT_STRING	0x3b46cc	0x334	data
RT_STRING	0x3b4a00	0x48c	data
RT_STRING	0x3b4e8c	0x354	data
RT_STRING	0x3b51e0	0x2c4	data
RT_RCDATA	0x3b54a4	0x10	data
RT_RCDATA	0x3b54b4	0xd76	ASCII text, with CRLF line terminators	English	United States
RT_RCDATA	0x3b622c	0xf14	data
RT_RCDATA	0x3b7140	0x2	data	English	United States
RT_RCDATA	0x3b7144	0xc0553	PE32 executable (DLL) (console) Intel 80386, for MS Windows	English	United States
RT_RCDATA	0x477698	0x4ad	Delphi compiled form 'TACPopupPrototype'
RT_RCDATA	0x477b48	0x3b2	Delphi compiled form 'TFrameClipDisplay'
RT_RCDATA	0x477efc	0xbae	Delphi compiled form 'TFrameImport'
RT_RCDATA	0x478aac	0xad4	Delphi compiled form 'TFramePermanentClips'
RT_RCDATA	0x479580	0x100b	Delphi compiled form 'TFrmAbout'
RT_RCDATA	0x47a58c	0x18c	Delphi compiled form 'TFrmChainWatcher'
RT_RCDATA	0x47a718	0x283	Delphi compiled form 'TFrmCheckForUpdate'
RT_RCDATA	0x47a99c	0x349d	Delphi compiled form 'TfrmClipboardBar'
RT_RCDATA	0x47de3c	0x16d4	Delphi compiled form 'TfrmClipboardManager'
RT_RCDATA	0x47f510	0xc59	Delphi compiled form 'TFrmClipMenuNew'
RT_RCDATA	0x48016c	0x1c1d6	Delphi compiled form 'TFrmConfig'
RT_RCDATA	0x49c344	0x201	Delphi compiled form 'TfrmDatabaseUpdate'
RT_RCDATA	0x49c548	0x2ff	Delphi compiled form 'TFrmDebug'
RT_RCDATA	0x49c848	0x170	Delphi compiled form 'TFrmDummyAllwaysOnTopFix'
RT_RCDATA	0x49c9b8	0x119	Delphi compiled form 'TFrmDummyInstance'
RT_RCDATA	0x49cad4	0x11d	Delphi compiled form 'TFrmDummyShellForm'
RT_RCDATA	0x49cbf4	0x1d1	Delphi compiled form 'TFrmDummyUnicodeTooltip'
RT_RCDATA	0x49cdc8	0x5e69	Delphi compiled form 'TfrmEditHistory'
RT_RCDATA	0x4a2c34	0x988	Delphi compiled form 'TFrmEditItem'
RT_RCDATA	0x4a35bc	0x1db	Delphi compiled form 'TfrmEditTextExternal'
RT_RCDATA	0x4a3798	0x444	Delphi compiled form 'TFrmHotkey'
RT_RCDATA	0x4a3bdc	0x385	Delphi compiled form 'TFrmImport'
RT_RCDATA	0x4a3f64	0x117	Delphi compiled form 'TFrmJumpList'
RT_RCDATA	0x4a407c	0xb0c1	Delphi compiled form 'TFrmMainPopup'
RT_RCDATA	0x4af140	0xa6b	Delphi compiled form 'TFrmPasteSelected'
RT_RCDATA	0x4afbac	0x38a8	Delphi compiled form 'TFrmPermanent'
RT_RCDATA	0x4b3454	0x724c	Delphi compiled form 'TFrmPermanentEdit'
RT_RCDATA	0x4ba6a0	0x19f	Delphi compiled form 'TFrmPermanentPreview'
RT_RCDATA	0x4ba840	0x140	Delphi compiled form 'TfrmPreviewPopup'
RT_RCDATA	0x4ba980	0x411	Delphi compiled form 'TFrmRatTrap'
RT_RCDATA	0x4bad94	0x496	Delphi compiled form 'TFrmReportError'
RT_RCDATA	0x4bb22c	0x506	Delphi compiled form 'TfrmSearch'
RT_RCDATA	0x4bb734	0x4ba	Delphi compiled form 'TfrmShared'
RT_RCDATA	0x4bbbf0	0x48a	Delphi compiled form 'TfrmSizeRichtext'
RT_RCDATA	0x4bc07c	0x414f	Delphi compiled form 'TfrmSysTrayMenu'
RT_RCDATA	0x4c01cc	0x72e	Delphi compiled form 'TFrmTooltipNew'
RT_RCDATA	0x4c08fc	0x4dd2	Delphi compiled form 'TFrmTriggerWindow'
RT_RCDATA	0x4c56d0	0x1036	Delphi compiled form 'TMySlide'
RT_GROUP_CURSOR	0x4c6708	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x4c671c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x4c6730	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x4c6744	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x4c6758	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x4c676c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x4c6780	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x4c6794	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x4c67a8	0x4c	data	English	United States
RT_GROUP_ICON	0x4c67f4	0x14	data	English	United States
RT_GROUP_ICON	0x4c6808	0x14	data	English	United States
RT_GROUP_ICON	0x4c681c	0x14	data	English	United States
RT_GROUP_ICON	0x4c6830	0x14	data	English	United States
RT_GROUP_ICON	0x4c6844	0x4c	data	English	United States
RT_GROUP_ICON	0x4c6890	0x14	data	English	United States
RT_GROUP_ICON	0x4c68a4	0x14	data	English	United States
RT_GROUP_ICON	0x4c68b8	0x14	data	English	United States
RT_GROUP_ICON	0x4c68cc	0x30	data	English	United States
RT_GROUP_ICON	0x4c68fc	0x14	data	English	United States
RT_VERSION	0x4c6910	0x164	data	English	United States
RT_MANIFEST	0x4c6a74	0x21c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	MessageBoxA, CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, lstrcpynW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, CreateDirectoryW, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, mouse_event, keybd_event, WindowFromPoint, WaitMessage, WaitForInputIdle, VkKeyScanW, UpdateWindow, UnregisterHotKey, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TrackMouseEvent, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardViewer, SetClipboardData, SetCapture, SetActiveWindow, SendMessageTimeoutW, SendMessageA, SendMessageW, SendInput, SendDlgItemMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterHotKey, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, NotifyWinEvent, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardViewer, GetClipboardOwner, GetClipboardSequenceNumber, GetClipboardFormatNameW, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawStateW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CreateAcceleratorTableW, CountClipboardFormats, CopyRect, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, ChangeClipboardChain, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AttachThreadInput, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	GradientFill, AlphaBlend
gdi32.dll	UnrealizeObject, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetDCPenColor, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrcmpW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, UnmapViewOfFile, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryDosDeviceW, IsDebuggerPresent, OpenProcess, MulDiv, MoveFileW, MapViewOfFile, LockResource, LocalFree, LocalAlloc, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetVersionExW, GetVersion, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetStdHandle, GetLongPathNameW, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleW, GetModuleFileNameW, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileTime, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedExchangeAdd, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindFirstChangeNotificationW, FindCloseChangeNotification, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsW, ExitProcess, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, DeleteAtom, CreateThread, CreateProcessW, CreateMutexW, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey, OpenProcessToken, IsValidSid, GetUserNameW, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority
kernel32.dll	Sleep
oleaut32.dll	GetErrorInfo, VariantInit, SysFreeString
ole32.dll	RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
shell32.dll	ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW, SHAppBarMessage, DuplicateIcon, DragQueryFileW
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetMalloc, SHGetDesktopFolder, SHBrowseForFolderW
comdlg32.dll	ChooseFontW, FindTextW, ChooseColorW, GetSaveFileNameW, GetOpenFileNameW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
oleacc.dll	LresultFromObject
winmm.dll	sndPlaySoundW
kernel32.dll	GetProcessId
ole32.dll	DoDragDrop, OleUninitialize, OleInitialize, IsEqualGUID
shlwapi.dll	SHAutoComplete

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• ArsClip.exe

Click to jump to process

Memory Usage

• ArsClip.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	11:12:19
Start date:	13/06/2023
Path:	C:\Users\user\Desktop\ArsClip.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ArsClip.exe
Imagebase:	0x400000
File size:	4961792 bytes
MD5 hash:	D55F25D20D06270E1EE4FB74DD520935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.543120711.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ArsClip.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\TestFile.txt

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: ArsClip.exePID: 5444, Parent PID: 3528

General

File Activities

File Opened

File Created

File Deleted

File Written

Windows Analysis Report
ArsClip.exe