Windows Analysis Report
ArsClip.exe

Overview

General Information

Sample Name:ArsClip.exe
Analysis ID:886489
MD5:d55f25d20d06270e1ee4fb74dd520935
SHA1:2ccfa7b5a81f6782ede89eee7a912f818218546c
SHA256:3a43b9f506c3ece842718de4a91e9215bd84e738284e605befc0e097d684d159
Infos:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries keyboard layouts

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64
  • ArsClip.exe (PID: 5444 cmdline: C:\Users\user\Desktop\ArsClip.exe MD5: D55F25D20D06270E1EE4FB74DD520935)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
ArsClip.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000000.00000000.543120711.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
0.0.ArsClip.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: ArsClip.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: ArsClip.exe; String found in binary or memory: http://joejoesoft.com/
Source: ArsClip.exe; String found in binary or memory: http://joejoesoft.com/cms/ac_scripts.php?page_id=
Source: ArsClip.exe; String found in binary or memory: http://joejoesoft.com/cms/update.php
Source: ArsClip.exe; String found in binary or memory: http://www.google.com/search?q=
Source: ArsClip.exe; String found in binary or memory: http://www.joejoesoft.com
Source: ArsClip.exe; String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: ArsClip.exe, 00000000.00000002.555643345.000000000095A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: ArsClip.exe, 00000000.00000002.555934472.000000000270C000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs ArsClip.exe
Source: ArsClip.exe; Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: C:\Users\user\Desktop\ArsClip.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ArsClip.exe; String found in binary or memory: NATS-SEFI-ADD
Source: ArsClip.exe; String found in binary or memory: NATS-DANO-ADD
Source: ArsClip.exe; String found in binary or memory: JIS_C6229-1984-b-add
Source: ArsClip.exe; String found in binary or memory: jp-ocr-b-add
Source: ArsClip.exe; String found in binary or memory: JIS_C6229-1984-hand-add
Source: ArsClip.exe; String found in binary or memory: jp-ocr-hand-add
Source: ArsClip.exe; String found in binary or memory: ISO_6937-2-add
Source: C:\Users\user\Desktop\ArsClip.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: classification engine; Classification label: clean3.winEXE@1/1@0/0
Source: Yara match; File source: ArsClip.exe, type: SAMPLE
Source: Yara match; File source: 0.0.ArsClip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.543120711.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ArsClip.exe, 00000000.00000000.543822370.000000000075B000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\ArsClip.exe; File created: C:\Users\user\Desktop\TestFile.txt
Source: ArsClip.exe; Static file information: File size 4961792 > 1048576
Source: ArsClip.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ArsClip.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x33be00
Source: ArsClip.exe; Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x128e00
Source: ArsClip.exe; Static PE information: More than 200 imports for user32.dll
Source: ArsClip.exe; Static PE information: section name: .didata
Source: C:\Users\user\Desktop\ArsClip.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ArsClip.exe; Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Tactic | Technique | Count
Initial Access | Valid Accounts |
Execution | Command and Scripting Interpreter | 2
Persistence | Path Interception |
Privilege Escalation | Path Interception |
Defense Evasion | Masquerading | 1
Credential Access | Input Capture | 1
Discovery | System Information Discovery | 11
Lateral Movement | Remote Services |
Collection | Input Capture | 1
Exfiltration | Exfiltration Over Other Network Medium |
Command and Control | Data Obfuscation |
Network Effects | Eavesdrop on Insecure Network Communication |
Remote Service Effects | Remotely Track Device Without Authorization |
Impact | Modify System Partition |
Behavior graph (ID: 886489): Sample: ArsClip.exe, Startdate: 13/06/2023, Architecture: WINDOWS, Score: 3; process ArsClip.exe started.
Source | Detection | Scanner | Label | Link
ArsClip.exe | 10% | ReversingLabs
ArsClip.exe | 3% | Virustotal
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://joejoesoft.com/cms/update.php | ArsClip.exe | false | | high
http://joejoesoft.com/ | ArsClip.exe | false | | high
http://www.google.com/search?q= | ArsClip.exe | false | | high
http://joejoesoft.com/cms/ac_scripts.php?page_id= | ArsClip.exe | false | | high
http://www.joejoesoft.com | ArsClip.exe | false | | high
http://www.sqlite.org/copyright.html. | ArsClip.exe | false | | high
                    No contacted IP infos
                    Joe Sandbox Version:37.1.0 Beryl
                    Analysis ID:886489
                    Start date and time:2023-06-13 11:11:22 +02:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 5m 39s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Run name:Potential for more IOCs and behavior
                    Number of analysed new started processes analysed:2
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample file name:ArsClip.exe
                    Detection:CLEAN
                    Classification:clean3.winEXE@1/1@0/0
                    EGA Information:Failed
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): audiodg.exe
                    • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                    No simulations
                    No context
                    Process:C:\Users\user\Desktop\ArsClip.exe
                    File Type:ASCII text, with no line terminators, with overstriking
                    Category:dropped
                    Size (bytes):4
                    Entropy (8bit):1.5
                    Encrypted:false
                    SSDEEP:3:P:P
                    MD5:8E9555A941CA09F34EDAD613FA5056F0
                    SHA1:BCE700D07EA8E1A520017ADDA35694091EFF6D2A
                    SHA-256:15E267C790456C7C819473CAF878B4B6B126C132385377044EC2862A3769604B
                    SHA-512:39FDAE37F0FE2E483730F58517124C336CC1447ABDDCA07F197D819945B775B2B78D5ECC6C6E596CCD9DF66A1B0FEFC836790BF860D7435B70B39230AFB932AE
                    Malicious:false
                    Reputation:low
                    Preview:@...
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.572892392052099
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 98.04%
                    • Inno Setup installer (109748/4) 1.08%
                    • InstallShield setup (43055/19) 0.42%
                    • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                    File name:ArsClip.exe
                    File size:4961792
                    MD5:d55f25d20d06270e1ee4fb74dd520935
                    SHA1:2ccfa7b5a81f6782ede89eee7a912f818218546c
                    SHA256:3a43b9f506c3ece842718de4a91e9215bd84e738284e605befc0e097d684d159
                    SHA512:1c91bdd790fdf8cbb03f63aee513d73a9ac10b5f60daa866ce0561f64e600efebe769797933634b391c915f547e160997c7039efbbe7c8ccdce13da81744bbfa
                    SSDEEP:98304:zY/zvmnWO4S41zrXjdQYaIT9WtI9pE/1ErSy/Q:zYj9zDjd9aQlpEO/Q
                    TLSH:D1367D12B244643BC477167A9C67E3A5783EBF602A22DC4B2BB03D4C5F766817D2A707
                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                    Icon Hash:064f5616963333cc
                    Entrypoint:0x73f350
                    Entrypoint Section:.itext
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    DLL Characteristics:
                    Time Stamp:0x5B280B58 [Mon Jun 18 19:43:20 2018 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:0
                    File Version Major:5
                    File Version Minor:0
                    Subsystem Version Major:5
                    Subsystem Version Minor:0
                    Import Hash:8c015e65b8deee6e52ccf1cfd161c2ee
                    Instruction
                    push ebp
                    mov ebp, esp
                    add esp, FFFFFFD0h
                    xor eax, eax
                    mov dword ptr [ebp-2Ch], eax
                    mov dword ptr [ebp-30h], eax
                    mov dword ptr [ebp-14h], eax
                    mov dword ptr [ebp-18h], eax
                    mov dword ptr [ebp-20h], eax
                    mov dword ptr [ebp-24h], eax
                    mov eax, 00734680h
                    call 00007FE6710563EDh
                    xor eax, eax
                    push ebp
                    push 0073FBFFh
                    push dword ptr fs:[eax]
                    mov dword ptr fs:[eax], esp
                    mov byte ptr [00752DACh], 00000000h
                    mov eax, 00752DA8h
                    call 00007FE67105210Eh
                    call 00007FE67104E1B5h
                    dec eax
                    jne 00007FE671388BB7h
                    lea edx, dword ptr [ebp-30h]
                    mov eax, 00000001h
                    call 00007FE67104E205h
                    mov eax, dword ptr [ebp-30h]
                    lea edx, dword ptr [ebp-2Ch]
                    call 00007FE67106B26Eh
                    mov edx, dword ptr [ebp-2Ch]
                    mov eax, 00752DA8h
                    call 00007FE6710524C1h
                    lea eax, dword ptr [ebp-14h]
                    mov edx, dword ptr [00752DA8h]
                    call 00007FE6710524FBh
                    lea eax, dword ptr [ebp-18h]
                    mov edx, 0073FC18h
                    call 00007FE6710524EEh
                    mov eax, dword ptr [ebp-14h]
                    cmp eax, dword ptr [ebp-18h]
                    jne 00007FE671388B98h
                    mov byte ptr [ebp-19h], 00000001h
                    jmp 00007FE671388BB5h
                    cmp dword ptr [ebp-14h], 00000000h
                    je 00007FE671388B98h
                    cmp dword ptr [ebp-18h], 00000000h
                    jne 00007FE671388B98h
                    mov byte ptr [ebp-19h], 00000000h
                    jmp 00007FE671388BA3h
                    mov edx, dword ptr [ebp-18h]
                    mov eax, dword ptr [ebp-14h]
                    call 00007FE67106B36Bh
                    test eax, eax
                    sete byte ptr [ebp-19h]
                    cmp byte ptr [ebp-19h], 00000000h
                    je 00007FE671388BC6h
                    mov eax, dword ptr [0074CB80h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x353000 | 0x43d4 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x39e000 | 0x128e00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35b000 | 0x424cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x35a000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x353c9c | 0xa58 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x358000 | 0x88a | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x33bc9c | 0x33be00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x33d000 | 0x31c8 | 0x3200 | False | 0.4921875 | data | 6.071311108040413 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x341000 | 0xbd90 | 0xbe00 | False | 0.5257606907894737 | data | 5.984114652662673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x34d000 | 0x5db0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x353000 | 0x43d4 | 0x4400 | False | 0.31135110294117646 | data | 5.082211816081088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x358000 | 0x88a | 0xa00 | False | 0.321484375 | data | 3.751048456423829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x359000 | 0x4c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x35a000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x35b000 | 0x424cc | 0x42600 | False | 0.5528815030602636 | data | 6.702845387908835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x39e000 | 0x128e00 | 0x128e00 | False | 0.42487993421052633 | data | 6.470474015995619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x3a04a0 | 0x134 | data | English | United States
RT_CURSOR | 0x3a05d4 | 0x134 | data | English | United States
RT_CURSOR | 0x3a0708 | 0x134 | data | English | United States
RT_CURSOR | 0x3a083c | 0x134 | data | English | United States
RT_CURSOR | 0x3a0970 | 0x134 | data | English | United States
RT_CURSOR | 0x3a0aa4 | 0x134 | data | English | United States
RT_CURSOR | 0x3a0bd8 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States
RT_CURSOR | 0x3a0d0c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States
RT_BITMAP | 0x3a0e40 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States
RT_BITMAP | 0x3a1010 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States
RT_BITMAP | 0x3a11f4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States
RT_BITMAP | 0x3a13c4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States
RT_BITMAP | 0x3a1594 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States
RT_BITMAP | 0x3a1764 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States
RT_BITMAP | 0x3a1934 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States
RT_BITMAP | 0x3a1b04 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States
RT_BITMAP | 0x3a1cd4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States
RT_BITMAP | 0x3a1ea4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States
RT_BITMAP | 0x3a2074 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States
RT_BITMAP | 0x3a2134 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States
RT_BITMAP | 0x3a2214 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States
RT_BITMAP | 0x3a22f4 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States
RT_BITMAP | 0x3a23d4 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States
RT_BITMAP | 0x3a2494 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States
RT_BITMAP | 0x3a2554 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States
RT_BITMAP | 0x3a2634 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States
RT_BITMAP | 0x3a26f4 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States
RT_BITMAP | 0x3a27d4 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States
RT_BITMAP | 0x3a28bc | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States
RT_BITMAP | 0x3a297c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States
RT_ICON | 0x3a2a5c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States
RT_ICON | 0x3a3304 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States
RT_ICON | 0x3a386c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
RT_ICON | 0x3a5e14 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
RT_ICON | 0x3a6ebc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_ICON | 0x3a7324 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_ICON | 0x3a778c | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 832 | English | United States
RT_ICON | 0x3a7af4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_ICON | 0x3a7f5c | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 832 | English | United States
RT_ICON | 0x3a82c4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_ICON | 0x3a872c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_ICON | 0x3a8b94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_ICON | 0x3a8ffc | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States
RT_ICON | 0x3a9124 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 832 | English | United States
RT_ICON | 0x3a948c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_ICON | 0x3a98f4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_ICON | 0x3a9d5c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States
RT_ICON | 0x3aa604 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States
RT_ICON | 0x3aab6c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
RT_ICON | 0x3ad114 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
RT_ICON | 0x3ae1bc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_DIALOG | 0x3ae624 | 0x52 | data
RT_DIALOG | 0x3ae678 | 0x52 | data
RT_STRING | 0x3ae6cc | 0x308 | data
RT_STRING | 0x3ae9d4 | 0x3d8 | data
RT_STRING | 0x3aedac | 0x2f0 | data
RT_STRING | 0x3af09c | 0x850 | data
RT_STRING | 0x3af8ec | 0xb20 | data
RT_STRING | 0x3b040c | 0x424 | data
RT_STRING | 0x3b0830 | 0x408 | data
RT_STRING | 0x3b0c38 | 0x404 | data
RT_STRING | 0x3b103c | 0x3c8 | data
RT_STRING | 0x3b1404 | 0x4ac | data
RT_STRING | 0x3b18b0 | 0x200 | data
RT_STRING | 0x3b1ab0 | 0xc8 | data
RT_STRING | 0x3b1b78 | 0x118 | data
RT_STRING | 0x3b1c90 | 0x254 | data
RT_STRING | 0x3b1ee4 | 0x3d0 | data
RT_STRING | 0x3b22b4 | 0x3d4 | data
RT_STRING | 0x3b2688 | 0x490 | data
RT_STRING | 0x3b2b18 | 0x308 | data
RT_STRING | 0x3b2e20 | 0x428 | data
RT_STRING | 0x3b3248 | 0x47c | data
RT_STRING | 0x3b36c4 | 0x490 | data
RT_STRING | 0x3b3b54 | 0x388 | data
RT_STRING | 0x3b3edc | 0x404 | data
RT_STRING | 0x3b42e0 | 0x290 | data
RT_STRING | 0x3b4570 | 0xc0 | data
RT_STRING | 0x3b4630 | 0x9c | data
RT_STRING | 0x3b46cc | 0x334 | data
RT_STRING | 0x3b4a00 | 0x48c | data
RT_STRING | 0x3b4e8c | 0x354 | data
RT_STRING | 0x3b51e0 | 0x2c4 | data
RT_RCDATA | 0x3b54a4 | 0x10 | data
RT_RCDATA | 0x3b54b4 | 0xd76 | ASCII text, with CRLF line terminators | English | United States
RT_RCDATA | 0x3b622c | 0xf14 | data
RT_RCDATA | 0x3b7140 | 0x2 | data | English | United States
RT_RCDATA | 0x3b7144 | 0xc0553 | PE32 executable (DLL) (console) Intel 80386, for MS Windows | English | United States
RT_RCDATA | 0x477698 | 0x4ad | Delphi compiled form 'TACPopupPrototype'
RT_RCDATA | 0x477b48 | 0x3b2 | Delphi compiled form 'TFrameClipDisplay'
RT_RCDATA | 0x477efc | 0xbae | Delphi compiled form 'TFrameImport'
RT_RCDATA | 0x478aac | 0xad4 | Delphi compiled form 'TFramePermanentClips'
RT_RCDATA | 0x479580 | 0x100b | Delphi compiled form 'TFrmAbout'
RT_RCDATA | 0x47a58c | 0x18c | Delphi compiled form 'TFrmChainWatcher'
RT_RCDATA | 0x47a718 | 0x283 | Delphi compiled form 'TFrmCheckForUpdate'
RT_RCDATA | 0x47a99c | 0x349d | Delphi compiled form 'TfrmClipboardBar'
RT_RCDATA | 0x47de3c | 0x16d4 | Delphi compiled form 'TfrmClipboardManager'
RT_RCDATA | 0x47f510 | 0xc59 | Delphi compiled form 'TFrmClipMenuNew'
RT_RCDATA | 0x48016c | 0x1c1d6 | Delphi compiled form 'TFrmConfig'
RT_RCDATA | 0x49c344 | 0x201 | Delphi compiled form 'TfrmDatabaseUpdate'
RT_RCDATA | 0x49c548 | 0x2ff | Delphi compiled form 'TFrmDebug'
RT_RCDATA | 0x49c848 | 0x170 | Delphi compiled form 'TFrmDummyAllwaysOnTopFix'
RT_RCDATA | 0x49c9b8 | 0x119 | Delphi compiled form 'TFrmDummyInstance'
RT_RCDATA | 0x49cad4 | 0x11d | Delphi compiled form 'TFrmDummyShellForm'
RT_RCDATA | 0x49cbf4 | 0x1d1 | Delphi compiled form 'TFrmDummyUnicodeTooltip'
RT_RCDATA | 0x49cdc8 | 0x5e69 | Delphi compiled form 'TfrmEditHistory'
RT_RCDATA | 0x4a2c34 | 0x988 | Delphi compiled form 'TFrmEditItem'
RT_RCDATA | 0x4a35bc | 0x1db | Delphi compiled form 'TfrmEditTextExternal'
RT_RCDATA | 0x4a3798 | 0x444 | Delphi compiled form 'TFrmHotkey'
RT_RCDATA | 0x4a3bdc | 0x385 | Delphi compiled form 'TFrmImport'
RT_RCDATA | 0x4a3f64 | 0x117 | Delphi compiled form 'TFrmJumpList'
RT_RCDATA | 0x4a407c | 0xb0c1 | Delphi compiled form 'TFrmMainPopup'
RT_RCDATA | 0x4af140 | 0xa6b | Delphi compiled form 'TFrmPasteSelected'
RT_RCDATA | 0x4afbac | 0x38a8 | Delphi compiled form 'TFrmPermanent'
RT_RCDATA | 0x4b3454 | 0x724c | Delphi compiled form 'TFrmPermanentEdit'
RT_RCDATA | 0x4ba6a0 | 0x19f | Delphi compiled form 'TFrmPermanentPreview'
RT_RCDATA | 0x4ba840 | 0x140 | Delphi compiled form 'TfrmPreviewPopup'
RT_RCDATA | 0x4ba980 | 0x411 | Delphi compiled form 'TFrmRatTrap'
RT_RCDATA | 0x4bad94 | 0x496 | Delphi compiled form 'TFrmReportError'
RT_RCDATA | 0x4bb22c | 0x506 | Delphi compiled form 'TfrmSearch'
RT_RCDATA | 0x4bb734 | 0x4ba | Delphi compiled form 'TfrmShared'
RT_RCDATA | 0x4bbbf0 | 0x48a | Delphi compiled form 'TfrmSizeRichtext'
RT_RCDATA | 0x4bc07c | 0x414f | Delphi compiled form 'TfrmSysTrayMenu'
RT_RCDATA | 0x4c01cc | 0x72e | Delphi compiled form 'TFrmTooltipNew'
RT_RCDATA | 0x4c08fc | 0x4dd2 | Delphi compiled form 'TFrmTriggerWindow'
RT_RCDATA | 0x4c56d0 | 0x1036 | Delphi compiled form 'TMySlide'
RT_GROUP_CURSOR | 0x4c6708 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x4c671c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x4c6730 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x4c6744 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x4c6758 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x4c676c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x4c6780 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x4c6794 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0x4c67a8 | 0x4c | data | English | United States
RT_GROUP_ICON | 0x4c67f4 | 0x14 | data | English | United States
RT_GROUP_ICON | 0x4c6808 | 0x14 | data | English | United States
RT_GROUP_ICON | 0x4c681c | 0x14 | data | English | United States
RT_GROUP_ICON | 0x4c6830 | 0x14 | data | English | United States
RT_GROUP_ICON | 0x4c6844 | 0x4c | data | English | United States
                    RT_GROUP_ICON0x4c68900x14dataEnglishUnited States
                    RT_GROUP_ICON0x4c68a40x14dataEnglishUnited States
                    RT_GROUP_ICON0x4c68b80x14dataEnglishUnited States
                    RT_GROUP_ICON0x4c68cc0x30dataEnglishUnited States
                    RT_GROUP_ICON0x4c68fc0x14dataEnglishUnited States
                    RT_VERSION0x4c69100x164dataEnglishUnited States
                    RT_MANIFEST0x4c6a740x21cXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States
                    DLL  Import
                    oleaut32.dll  SysFreeString, SysReAllocStringLen, SysAllocStringLen
                    advapi32.dll  RegQueryValueExW, RegOpenKeyExW, RegCloseKey
                    user32.dll  MessageBoxA, CharNextW, LoadStringW
                    kernel32.dll  Sleep, VirtualFree, VirtualAlloc, lstrlenW, lstrcpynW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, CreateDirectoryW, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
                    kernel32.dll  GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
                    user32.dll  SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, mouse_event, keybd_event, WindowFromPoint, WaitMessage, WaitForInputIdle, VkKeyScanW, UpdateWindow, UnregisterHotKey, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TrackMouseEvent, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardViewer, SetClipboardData, SetCapture, SetActiveWindow, SendMessageTimeoutW, SendMessageA, SendMessageW, SendInput, SendDlgItemMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterHotKey, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, NotifyWinEvent, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardViewer, GetClipboardOwner, GetClipboardSequenceNumber, GetClipboardFormatNameW, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawStateW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CreateAcceleratorTableW, CountClipboardFormats, CopyRect, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, ChangeClipboardChain, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AttachThreadInput, AdjustWindowRectEx, ActivateKeyboardLayout
                    msimg32.dll  GradientFill, AlphaBlend
                    gdi32.dll  UnrealizeObject, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetDCPenColor, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
                    version.dll  VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
                    kernel32.dll  lstrcmpW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, UnmapViewOfFile, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryDosDeviceW, IsDebuggerPresent, OpenProcess, MulDiv, MoveFileW, MapViewOfFile, LockResource, LocalFree, LocalAlloc, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetVersionExW, GetVersion, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetStdHandle, GetLongPathNameW, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleW, GetModuleFileNameW, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileTime, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedExchangeAdd, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindFirstChangeNotificationW, FindCloseChangeNotification, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsW, ExitProcess, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, DeleteAtom, CreateThread, CreateProcessW, CreateMutexW, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle
                    advapi32.dll  RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey, OpenProcessToken, IsValidSid, GetUserNameW, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority
                    kernel32.dll  Sleep
                    oleaut32.dll  GetErrorInfo, VariantInit, SysFreeString
                    ole32.dll  RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
                    oleaut32.dll  SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                    comctl32.dll  InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
                    user32.dll  EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
                    msvcrt.dll  memset, memcpy
                    shell32.dll  ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW, SHAppBarMessage, DuplicateIcon, DragQueryFileW
                    shell32.dll  SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetMalloc, SHGetDesktopFolder, SHBrowseForFolderW
                    comdlg32.dll  ChooseFontW, FindTextW, ChooseColorW, GetSaveFileNameW, GetOpenFileNameW
                    winspool.drv  OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
                    winspool.drv  GetDefaultPrinterW
                    oleacc.dll  LresultFromObject
                    winmm.dll  sndPlaySoundW
                    kernel32.dll  GetProcessId
                    ole32.dll  DoDragDrop, OleUninitialize, OleInitialize, IsEqualGUID
                    shlwapi.dll  SHAutoComplete
                    Language of compilation system  Country where language is spoken  Map
                    English  United States
                    No network behavior found

                    Target ID: 0
                    Start time: 11:12:19
                    Start date: 13/06/2023
                    Path: C:\Users\user\Desktop\ArsClip.exe
                    Wow64 process (32bit): true
                    Commandline: C:\Users\user\Desktop\ArsClip.exe
                    Imagebase: 0x400000
                    File size: 4961792 bytes
                    MD5 hash: D55F25D20D06270E1EE4FB74DD520935
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: Borland Delphi
                    Yara matches:
                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.543120711.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                    Reputation: low

                    No disassembly