Edit tour
Windows
Analysis Report
MP_TLK4EE_M_01G_Rev_E.exe
Overview
General Information
| Sample name: | MP_TLK4EE_M_01G_Rev_E.exe |
| Analysis ID: | 1530954 |
| MD5: | f1dd6bc64a726d4ecd808ce54c6dee6f |
| SHA1: | 45248f50638d1419b227afa2596340a757d736a3 |
| SHA256: | 9637c20db05893ed94aef7fa8e5bbb6e55cee7b77c18e1c7fdca89171acef042 |
| Infos: |  |
 | |
Detection
| Score: | 10 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 60% |
Signatures
Checks for kernel debuggers (COM1)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Uses 32bit PE files
Classification
- System is w10x64
MP_TLK4EE_M_01G_Rev_E.exe (PID: 7740 cmdline: "C:\Users\ user\Deskt op\MP_TLK4 EE_M_01G_R ev_E.exe" MD5: F1DD6BC64A726D4ECD808CE54C6DEE6F)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Static PE information: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
Anti Debugging |   |
|---|
| Source: | File opened: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1530954 |
| Start date and time: | 2024-10-10 18:13:52 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 44s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | MP_TLK4EE_M_01G_Rev_E.exe |
| Detection: | CLEAN |
| Classification: | clean10.evad.winEXE@1/0@0/1 |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: MP_TLK4EE_M_01G_Rev_E.exe
⊘No simulations
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
|
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.522231277785134 |
| TrID: |
|
| File name: | MP_TLK4EE_M_01G_Rev_E.exe |
| File size: | 2'429'952 bytes |
| MD5: | f1dd6bc64a726d4ecd808ce54c6dee6f |
| SHA1: | 45248f50638d1419b227afa2596340a757d736a3 |
| SHA256: | 9637c20db05893ed94aef7fa8e5bbb6e55cee7b77c18e1c7fdca89171acef042 |
| SHA512: | c62679408e7052c3bef8cd7b8ed73f0df18d2486eba66e502041079d375ac66811ca690fb8f18958f6079bbcc905f1144fe3c22de6eaa0317dab70ca95833e93 |
| SSDEEP: | 24576:GzXwkFWOfsaLRdsLPuHcacaqXcXa6Zue+6Qxp5AaqfzM2gQS1sKuBy4HB/BNl7BE:cdj9VdHt1a6g6Qpuyg2sK4//0e3cjuf |
| TLSH: | 65B5E026B2838036C11B12B04C6B5B3E9A3BFE103B34E19757F5295C5FB879179162EB |
| File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
 | |
| Icon Hash: | aba9236263372626 |
| Entrypoint: | 0x4013cc |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x5B2A5BE5 [Wed Jun 20 13:51:33 2018 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | fc89dec0f42d6a9b40797db8229922e9 |
| Instruction |
|---|
| jmp 00007FC250DBA452h |
| bound di, dword ptr [edx] |
| inc ebx |
| sub ebp, dword ptr [ebx] |
| dec eax |
| dec edi |
| dec edi |
| dec ebx |
| nop |
| jmp 00007FC2512C24DDh |
| mov eax, dword ptr [0050808Bh] |
| shl eax, 02h |
| mov dword ptr [0050808Fh], eax |
| push edx |
| push 00000000h |
| call 00007FC250EBF95Ch |
| mov edx, eax |
| call 00007FC250E9C0BBh |
| pop edx |
| call 00007FC250E9C019h |
| call 00007FC250E9C0F0h |
| push 00000000h |
| call 00007FC250E9D7F1h |
| pop ecx |
| push 00508034h |
| push 00000000h |
| call 00007FC250EBF936h |
| mov dword ptr [00508093h], eax |
| push 00000000h |
| jmp 00007FC250EA78E8h |
| jmp 00007FC250E9D81Fh |
| xor eax, eax |
| mov al, byte ptr [0050807Dh] |
| ret |
| mov eax, dword ptr [00508093h] |
| ret |
| pushad |
| mov ebx, BCB05000h |
| push ebx |
| push 00000BADh |
| ret |
| mov ecx, 0000026Ch |
| or ecx, ecx |
| je 00007FC250DBA48Fh |
| cmp dword ptr [0050808Bh], 00000000h |
| jnc 00007FC250DBA44Ch |
| mov eax, 000000FEh |
| call 00007FC250DBA41Ch |
| mov ecx, 0000026Ch |
| push ecx |
| push 00000008h |
| call 00007FC250EBF8F9h |
| push eax |
| call 00007FC250EBF97Dh |
| or eax, eax |
| jne 00007FC250DBA44Ch |
| mov eax, 000000FDh |
| call 00007FC250DBA3FBh |
| push eax |
| push eax |
| push dword ptr [0050808Bh] |
| call 00007FC250EA7AB2h |
| push dword ptr [0050808Bh] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x14f000 | 0x158 | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14c000 | 0x2b5d | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x150000 | 0x11840c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x269000 | 0xec10 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x14b000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x107000 | 0x106200 | 67bd78885d0fe9160d0bca7e065ca1c5 | False | 0.48972863018597995 | data | 6.584006784746428 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x108000 | 0x42000 | 0x20400 | 65fbbc677e21dddca2e58a5c273e37b0 | False | 0.28558775436046513 | data | 5.531343197326775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x14a000 | 0x1000 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x14b000 | 0x1000 | 0x200 | 861223d5fe91108772b247c0273de960 | False | 0.0546875 | data | 0.2147325177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .idata | 0x14c000 | 0x3000 | 0x2c00 | 61de5cfacc1ab0dc0d937d1870a80c36 | False | 0.3280362215909091 | data | 5.216491594441706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .edata | 0x14f000 | 0x1000 | 0x200 | fa77f06274bddcf2d1112c8948741eb0 | False | 0.453125 | data | 3.8654590554576145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x150000 | 0x11840c | 0x118600 | 663b52d22e64373d3d4f4e6a5860d845 | False | 0.895078090169416 | data | 7.989273671471123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x269000 | 0xf000 | 0xee00 | 19ab1502ffc4d42b8d19a5d15f7bf7dc | False | 0.6578092174369747 | data | 6.705049900055149 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x150b28 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | 0.38636363636363635 | ||
| RT_CURSOR | 0x150c5c | 0x134 | data | 0.4642857142857143 | ||
| RT_CURSOR | 0x150d90 | 0x134 | data | 0.4805194805194805 | ||
| RT_CURSOR | 0x150ec4 | 0x134 | data | 0.38311688311688313 | ||
| RT_CURSOR | 0x150ff8 | 0x134 | data | 0.36038961038961037 | ||
| RT_CURSOR | 0x15112c | 0x134 | data | 0.4090909090909091 | ||
| RT_CURSOR | 0x151260 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | 0.4967532467532468 | ||
| RT_BITMAP | 0x151394 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.43103448275862066 | ||
| RT_BITMAP | 0x151564 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | 0.46487603305785125 | ||
| RT_BITMAP | 0x151748 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.43103448275862066 | ||
| RT_BITMAP | 0x151918 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.39870689655172414 | ||
| RT_BITMAP | 0x151ae8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.4245689655172414 | ||
| RT_BITMAP | 0x151cb8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.5021551724137931 | ||
| RT_BITMAP | 0x151e88 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.5064655172413793 | ||
| RT_BITMAP | 0x152058 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.39655172413793105 | ||
| RT_BITMAP | 0x152228 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.5344827586206896 | ||
| RT_BITMAP | 0x1523f8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.39655172413793105 | ||
| RT_BITMAP | 0x1525c8 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | 0.4870689655172414 | ||
| RT_ICON | 0x1526b0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Finnish | Finland | 0.25806451612903225 |
| RT_DIALOG | 0x152998 | 0x52 | data | 0.7682926829268293 | ||
| RT_STRING | 0x1529ec | 0x42 | data | 0.6666666666666666 | ||
| RT_STRING | 0x152a30 | 0x2fc | data | 0.4489528795811518 | ||
| RT_STRING | 0x152d2c | 0xc0 | data | 0.6041666666666666 | ||
| RT_STRING | 0x152dec | 0xfc | data | 0.5873015873015873 | ||
| RT_STRING | 0x152ee8 | 0x120 | data | 0.5729166666666666 | ||
| RT_STRING | 0x153008 | 0x49c | data | 0.38305084745762713 | ||
| RT_STRING | 0x1534a4 | 0x398 | data | 0.4108695652173913 | ||
| RT_STRING | 0x15383c | 0xf0 | data | 0.4666666666666667 | ||
| RT_STRING | 0x15392c | 0xd8 | data | 0.5740740740740741 | ||
| RT_STRING | 0x153a04 | 0x274 | data | 0.4745222929936306 | ||
| RT_STRING | 0x153c78 | 0x390 | data | 0.31359649122807015 | ||
| RT_STRING | 0x154008 | 0x3ac | data | 0.3819148936170213 | ||
| RT_STRING | 0x1543b4 | 0x2bc | data | 0.42857142857142855 | ||
| RT_STRING | 0x154670 | 0x3a4 | data | 0.3551502145922747 | ||
| RT_STRING | 0x154a14 | 0x43c | data | 0.3856088560885609 | ||
| RT_RCDATA | 0x154e50 | 0x10 | data | 1.5 | ||
| RT_RCDATA | 0x154e60 | 0x2351 | exported SGML document, Unicode text, UTF-8 text, with CRLF line terminators | 0.22807211591638094 | ||
| RT_RCDATA | 0x1571b4 | 0xb1 | ASCII text, with no line terminators | 0.6836158192090396 | ||
| RT_RCDATA | 0x157268 | 0x10c36d | data | 0.9080820083618164 | ||
| RT_RCDATA | 0x2635d8 | 0x4b0a | Delphi compiled form 'TForm1' | 0.9162935970848516 | ||
| RT_RCDATA | 0x2680e4 | 0x288 | Delphi compiled form 'TPasswordDlg' | 0.5941358024691358 | ||
| RT_GROUP_CURSOR | 0x26836c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.25 | ||
| RT_GROUP_CURSOR | 0x268380 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.25 | ||
| RT_GROUP_CURSOR | 0x268394 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
| RT_GROUP_CURSOR | 0x2683a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
| RT_GROUP_CURSOR | 0x2683bc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
| RT_GROUP_CURSOR | 0x2683d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
| RT_GROUP_CURSOR | 0x2683e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
| RT_GROUP_ICON | 0x2683f8 | 0x14 | data | Finnish | Finland | 1.2 |
| DLL | Import |
|---|---|
| WININET.DLL | HttpEndRequestA, HttpOpenRequestA, HttpSendRequestA, HttpSendRequestExA, InternetCloseHandle, InternetConnectA, InternetOpenA, InternetReadFile, InternetSetStatusCallback, InternetWriteFile |
| WTSAPI32.DLL | WTSEnumerateProcessesA, WTSFreeMemory |
| ADVAPI32.DLL | RegCloseKey, RegOpenKeyExA, RegQueryValueExA |
| KERNEL32.DLL | Beep, BeginUpdateResourceA, CloseHandle, CompareStringA, CreateEventA, CreateFileA, CreateFileW, CreateMutexA, CreateSemaphoreA, CreateThread, DeleteCriticalSection, DeleteFileA, EndUpdateResourceA, EnterCriticalSection, EnumCalendarInfoA, ExitProcess, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileA, FindResourceA, FormatMessageA, FreeLibrary, FreeResource, GetACP, GetCPInfo, GetCommState, GetCommandLineA, GetCurrentDirectoryA, GetCurrentProcessId, GetCurrentThreadId, GetDateFormatA, GetDiskFreeSpaceA, GetDriveTypeA, GetEnvironmentStrings, GetFileAttributesA, GetFileAttributesW, GetFileSize, GetFileType, GetFullPathNameA, GetLastError, GetLocalTime, GetLocaleInfoA, GetLogicalDrives, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeA, GetStringTypeExA, GetStringTypeW, GetSystemDefaultLangID, GetSystemInfo, GetThreadLocale, GetTickCount, GetTimeZoneInformation, GetUserDefaultLCID, GetVersion, GetVersionExA, GlobalAddAtomA, GlobalAlloc, GlobalDeleteAtom, GlobalFindAtomA, GlobalFree, GlobalHandle, GlobalLock, GlobalReAlloc, GlobalUnlock, HeapAlloc, HeapFree, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, IsValidLocale, LCMapStringA, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadResource, LocalAlloc, LocalFree, LockResource, MulDiv, MultiByteToWideChar, RaiseException, ReadFile, ReleaseMutex, ReleaseSemaphore, ResetEvent, RtlUnwind, SetCommMask, SetCommState, SetCommTimeouts, SetConsoleCtrlHandler, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetHandleCount, SetLastError, SetNamedPipeHandleState, SetThreadLocale, SizeofResource, Sleep, TerminateThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UpdateResourceA, VirtualAlloc, VirtualFree, VirtualQuery, WaitCommEvent, WaitForSingleObject, WideCharToMultiByte, WriteFile, lstrcmpA, lstrcpyA, lstrcpynA, lstrlenA |
| VERSION.DLL | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA |
| WSOCK32.DLL | WSACleanup, WSAGetLastError, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, getsockopt, htons, inet_ntoa, ntohs, recv, select, send, socket |
| COMCTL32.DLL | ImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_Draw, ImageList_DrawEx, ImageList_EndDrag, ImageList_GetBkColor, ImageList_GetDragImage, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_Read, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetBkColor, ImageList_SetDragCursorImage, ImageList_SetIconSize, ImageList_Write |
| COMDLG32.DLL | GetOpenFileNameA, GetSaveFileNameA |
| GDI32.DLL | BitBlt, CombineRgn, CopyEnhMetaFileA, CreateBitmap, CreateBrushIndirect, CreateCompatibleBitmap, CreateCompatibleDC, CreateDIBSection, CreateDIBitmap, CreateFontIndirectA, CreateHalftonePalette, CreatePalette, CreatePenIndirect, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteEnhMetaFile, DeleteObject, ExcludeClipRect, ExtTextOutA, GdiFlush, GetBitmapBits, GetBrushOrgEx, GetClipBox, GetCurrentPositionEx, GetDCOrgEx, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetEnhMetaFileBits, GetEnhMetaFileHeader, GetEnhMetaFilePaletteEntries, GetObjectA, GetPaletteEntries, GetPixel, GetRgnBox, GetStockObject, GetSystemPaletteEntries, GetTextExtentPoint32A, GetTextMetricsA, GetWinMetaFileBits, GetWindowOrgEx, IntersectClipRect, LineTo, MaskBlt, MoveToEx, PatBlt, PlayEnhMetaFile, RealizePalette, RectVisible, Rectangle, RestoreDC, SaveDC, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetBrushOrgEx, SetDIBColorTable, SetEnhMetaFileBits, SetPixel, SetROP2, SetStretchBltMode, SetTextColor, SetViewportOrgEx, SetWinMetaFileBits, SetWindowOrgEx, StretchBlt, UnrealizeObject |
| SHELL32.DLL | SHBrowseForFolderA, ShellExecuteA, SHGetPathFromIDListA |
| USER32.DLL | ActivateKeyboardLayout, AdjustWindowRectEx, BeginPaint, CallNextHookEx, CallWindowProcA, CharLowerA, CharLowerBuffA, CharNextA, CheckMenuItem, ChildWindowFromPoint, ClientToScreen, CreateIcon, CreateMenu, CreatePopupMenu, CreateWindowExA, DefFrameProcA, DefMDIChildProcA, DefWindowProcA, DeleteMenu, DestroyCursor, DestroyIcon, DestroyMenu, DestroyWindow, DispatchMessageA, DrawEdge, DrawFocusRect, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawTextA, EnableMenuItem, EnableScrollBar, EnableWindow, EndPaint, EnumThreadWindows, EnumWindows, EqualRect, FillRect, FindWindowA, FrameRect, GetActiveWindow, GetCapture, GetClassInfoA, GetClassNameA, GetClientRect, GetClipboardData, GetCursor, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetDlgItem, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyNameTextA, GetKeyState, GetKeyboardLayout, GetKeyboardLayoutList, GetKeyboardState, GetKeyboardType, GetLastActivePopup, GetMenu, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoA, GetMenuState, GetMenuStringA, GetMessagePos, GetParent, GetPropA, GetScrollInfo, GetScrollPos, GetScrollRange, GetSubMenu, GetSystemMenu, GetSystemMetrics, GetTopWindow, GetWindow, GetWindowDC, GetWindowLongA, GetWindowPlacement, GetWindowRect, GetWindowTextA, GetWindowThreadProcessId, InflateRect, InsertMenuA, InsertMenuItemA, IntersectRect, InvalidateRect, IsChild, IsDialogMessageA, IsIconic, IsRectEmpty, IsWindow, IsWindowEnabled, IsWindowVisible, IsZoomed, KillTimer, LoadBitmapA, LoadCursorA, LoadIconA, LoadKeyboardLayoutA, LoadStringA, MapVirtualKeyA, MapWindowPoints, MessageBoxA, OemToCharA, OffsetRect, PeekMessageA, PostMessageA, PostQuitMessage, PtInRect, RedrawWindow, RegisterClassA, RegisterClipboardFormatA, RegisterWindowMessageA, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropA, ScreenToClient, ScrollWindow, SendMessageA, SetActiveWindow, SetCapture, SetClassLongA, SetCursor, SetFocus, SetForegroundWindow, SetMenu, SetMenuItemInfoA, SetPropA, SetRect, SetScrollInfo, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongA, SetWindowPlacement, SetWindowPos, SetWindowTextA, SetWindowsHookExA, ShowCursor, ShowOwnedPopups, ShowScrollBar, ShowWindow, SystemParametersInfoA, TrackPopupMenu, TranslateMDISysAccel, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UpdateWindow, WaitMessage, WinHelpA, WindowFromPoint, wsprintfA, GetSysColor |
| OLE32.DLL | CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize |
| OLEAUT32.DLL | SafeArrayCreate, SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayRedim, SysAllocStringLen, SysFreeString, SysReAllocStringLen, VariantChangeType, VariantClear, VariantCopy, VariantCopyInd, VariantInit |
| Name | Ordinal | Address |
|---|---|---|
| @@Maidcomutil@Finalize | 5 | 0x4118d8 |
| @@Maidcomutil@Initialize | 4 | 0x4118c8 |
| @@Main_form@Finalize | 3 | 0x40c818 |
| @@Main_form@Initialize | 2 | 0x40c800 |
| @@Wininet_post@Finalize | 7 | 0x412988 |
| @@Wininet_post@Initialize | 6 | 0x412978 |
| _Form1 | 9 | 0x528268 |
| _PasswordDlg | 10 | 0x543980 |
| __GetExceptDLLinfo | 1 | 0x401425 |
| ___CPPdebugHook | 8 | 0x508098 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Finnish | Finland |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 10, 2024 18:14:40.039271116 CEST | 1.1.1.1 | 192.168.2.9 | 0xf402 | No error (0) | s-part-0017.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Oct 10, 2024 18:14:40.039271116 CEST | 1.1.1.1 | 192.168.2.9 | 0xf402 | No error (0) | 13.107.246.45 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 12:14:41 |
| Start date: | 10/10/2024 |
| Path: | C:\Users\user\Desktop\MP_TLK4EE_M_01G_Rev_E.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 2'429'952 bytes |
| MD5 hash: | F1DD6BC64A726D4ECD808CE54C6DEE6F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
⊘No disassembly