Edit tour

Windows Analysis Report
VALUESearch.exe

Overview

General Information

Sample name:	VALUESearch.exe
Analysis ID:	1546343
MD5:	bf8e1edfd9c8b66f2056d400a532e53d
SHA1:	c71fc958d8d1bc031b85426de97e214926799f9c
SHA256:	7e0ab1acded8fb3a35517e2a9a59192a6d29e6b58fb547b20864b47444f0f6c2
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Sigma detected: Office Autorun Keys Modification

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Classification

Process Tree

System is w10x64

VALUESearch.exe (PID: 3092 cmdline: "C:\Users\user\Desktop\VALUESearch.exe" MD5: BF8E1EDFD9C8B66F2056D400A532E53D)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VALUESearch.exe, ProcessId: 3092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Excel\Addins\VALUESearch.XLL\LibraryVersion

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Source: Registry Key set

Author: Bhabesh Raj: Data: Details: , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VALUESearch.exe, ProcessId: 3092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Excel\Addins\VALUESearch.XLL\LibraryVersion

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T19:44:46.565850+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49705	TCP
2024-10-31T19:45:18.289136+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	60823	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T19:44:29.263045+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	3.39.130.246	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: VALUESearch.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 3.39.130.246:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: VALUESearch.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 3.39.130.246:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49705
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:60823

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /files/publish/xlllibver.txt HTTP/1.1Connection: Keep-AliveAccept: application/jsonAccept-Charset: utf-8Accept-Language: ko-KRUser-Agent: Zewus AgentHost: valuesearch.co.kr

Source: global traffic

DNS traffic detected: DNS query: valuesearch.co.kr

Source: VALUESearch.exe, 00000000.00000002.3283829238.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://valuesearch.co.kr/8
Source: VALUESearch.exe	String found in binary or memory: https://valuesearch.co.kr/files/publish/
Source: VALUESearch.exe	String found in binary or memory: https://valuesearch.co.kr/files/publish/VALUESearchUpdater.exe
Source: VALUESearch.exe	String found in binary or memory: https://valuesearch.co.kr/files/publish/xlllibver.txt
Source: VALUESearch.exe, 00000000.00000002.3283829238.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://valuesearch.co.kr:443/files/publish/xlllibver.txt

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 3.39.130.246:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: VALUESearch.exe

Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: VALUESearch.exe

Static PE information: Number of sections : 11 > 10

Source: VALUESearch.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean4.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\VALUESearch.exe

Mutant created: \Sessions\1\BaseNamedObjects\VS

Source: C:\Users\user\Desktop\VALUESearch.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\VALUESearch.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VALUESearch.exe	String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: VALUESearch.exe	String found in binary or memory: application/vnd.groove-help
Source: VALUESearch.exe	String found in binary or memory: "application/x-install-instructions

Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\VALUESearch.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\AddIns\VALUESearch.XLL\

Jump to behavior

Source: VALUESearch.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: VALUESearch.exe

Static file information: File size 3837952 > 1048576

Source: VALUESearch.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e0200

Source: VALUESearch.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: VALUESearch.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\VALUESearch.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\VALUESearch.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: VALUESearch.exe, 00000000.00000002.3283829238.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: VALUESearch.exe, 00000000.00000002.3283829238.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0v

Source: C:\Users\user\Desktop\VALUESearch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VALUESearch.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
valuesearch.co.kr	3.39.130.246	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://valuesearch.co.kr/files/publish/xlllibver.txt	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://valuesearch.co.kr/8	VALUESearch.exe, 00000000.00000002.3283829238.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://valuesearch.co.kr/files/publish/VALUESearchUpdater.exe	VALUESearch.exe	false	unknown
https://valuesearch.co.kr:443/files/publish/xlllibver.txt	VALUESearch.exe, 00000000.00000002.3283829238.0000000000B25000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://valuesearch.co.kr/files/publish/	VALUESearch.exe	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.39.130.246	valuesearch.co.kr	United States		8987	AMAZONEXPANSIONGB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546343
Start date and time:	2024-10-31 19:43:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VALUESearch.exe
Detection:	CLEAN
Classification:	clean4.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: VALUESearch.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZONEXPANSIONGB	Fw Message from Kevin - Update on Coles Supply Chain Modernisation 31-10-24.eml	Get hash	malicious	Unknown	Browse	3.33.220.150
	Indocount Invoice Amendment.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	Statement Cargomind 2024-09-12 (K07234).exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	SWIFT.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	52.223.34.155
	Order SO311180.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	52.223.34.155
	#10302024.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	52.223.34.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	3.39.130.246
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	3.39.130.246
	file.exe	Get hash	malicious	LummaC	Browse	3.39.130.246
	Lana_Rhoades_Photoos.js	Get hash	malicious	Unknown	Browse	3.39.130.246
	file.exe	Get hash	malicious	LummaC	Browse	3.39.130.246
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	3.39.130.246
	a.hta	Get hash	malicious	DarkComet, DarkTortilla, Neshta	Browse	3.39.130.246
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	3.39.130.246
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	3.39.130.246
	Set-Up.exe	Get hash	malicious	LummaC	Browse	3.39.130.246

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.669964233328979
TrID:	Win32 Executable (generic) a (10002005/4) 99.10% InstallShield setup (43055/19) 0.43% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	VALUESearch.exe
File size:	3'837'952 bytes
MD5:	bf8e1edfd9c8b66f2056d400a532e53d
SHA1:	c71fc958d8d1bc031b85426de97e214926799f9c
SHA256:	7e0ab1acded8fb3a35517e2a9a59192a6d29e6b58fb547b20864b47444f0f6c2
SHA512:	cf919407be9b8291ebdad8b9b6fe734f743e731a069b400b5ec6167c329ac002625ec3d49c312d039dadb0abdee8e3d41fe5c56a6aa63b2a63dc7f64b837da81
SSDEEP:	49152:kgiMlpKhJOqb2v56SJht9b1+O+Hv+E7mgL7HeAX9H6O1vm3L:kgiMnKhbbaBEqgLVZ
TLSH:	A8068E53B684757EE06F1F3E5827A6F2583F7A6025468C1BE7E0089C8E397802D366D7
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	1bc96c6c39318797

Static PE Info

General

Entrypoint:	0x6e4210
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x667CFCE0 [Thu Jun 27 05:47:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	ef95d5d70956c16b718ca7889076cf7c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 006D8754h
call 00007F3C9C903EC9h
push 006E42B4h
push FFFFFFFFh
push 00000000h
call 00007F3C9C9085FFh
mov dword ptr [006F8384h], eax
cmp dword ptr [006F8384h], 00000000h
je 00007F3C9CBD6292h
call 00007F3C9C908724h
test eax, eax
jnbe 00007F3C9CBD6289h
mov eax, dword ptr [006F06FCh]
mov eax, dword ptr [eax]
call 00007F3C9CAF0754h
mov eax, dword ptr [006F06FCh]
mov eax, dword ptr [eax]
mov edx, 006E42C8h
call 00007F3C9CAF017Bh
mov eax, dword ptr [006F06FCh]
mov eax, dword ptr [eax]
mov dl, 01h
call 00007F3C9CAF2721h
mov ecx, dword ptr [006F052Ch]
mov eax, dword ptr [006F06FCh]
mov eax, dword ptr [eax]
mov edx, dword ptr [006D53D4h]
call 00007F3C9CAF0735h
mov ecx, dword ptr [006F00CCh]
mov eax, dword ptr [006F06FCh]
mov eax, dword ptr [eax]
mov edx, dword ptr [006D3B60h]
call 00007F3C9CAF071Dh
mov eax, dword ptr [006F06FCh]
mov eax, dword ptr [eax]
call 00007F3C9CAF0871h
call 00007F3C9C8FBFF4h
add byte ptr [eax], al
add byte ptr [esi+00h], dl
push ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-00FFFDFCh], dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2fe000	0x74	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f9000	0x3dbe	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33f000	0x77e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x301000	0x3d8b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x300000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2f9aa8	0x968	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2fd000	0xee8	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e01c0	0x2e0200	01f80e93a3d9f02870a8faab07449581	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x2e2000	0x22f8	0x2400	ed210fdcaa6a057abfd3ab40c21c4fc6	False	0.5364583333333334	data	6.30721935317524	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2e5000	0xba88	0xbc00	c5a00a9a0c47acff9ab297682c17a940	False	0.5461893284574468	data	6.132885221948647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x2f1000	0x7388	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2f9000	0x3dbe	0x3e00	556fa6ff022429b8cca966ec36014567	False	0.32963709677419356	data	5.288407720305398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x2fd000	0xee8	0x1000	d91d917a6a4d20632f0dcba685f6f8a7	False	0.33154296875	data	4.319654426366936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x2fe000	0x74	0x200	07e5b1207f7b698114650030a3a89381	False	0.185546875	data	1.3895298976923918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x2ff000	0x5c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x300000	0x5d	0x200	dac9ee4757740a04a4ccf872642eab8b	False	0.189453125	data	1.3509693655806156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x301000	0x3d8b8	0x3da00	4687272bfd9718bfce4d7045ef07ec87	False	0.575894555020284	data	6.723036441335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x33f000	0x77e00	0x77e00	3a0d3ec343a23beb826deff46fa475d3	False	0.26712395724713245	data	6.46199750703396	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x340c24	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x340d58	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x340e8c	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x340fc0	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x3410f4	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x341228	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x34135c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x341490	0x6e8	Device independent bitmap graphic, 24 x 24 x 24, image size 1728, resolution 3780 x 3780 px/m	English	United States	0.04242081447963801
RT_ICON	0x341b78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.46365248226950356
RT_ICON	0x341fe0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.3422131147540984
RT_ICON	0x342968	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.2896341463414634
RT_ICON	0x343a10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.21141078838174274
RT_ICON	0x345fb8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.17123287671232876
RT_ICON	0x34a1e0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.16848428835489834
RT_ICON	0x34f668	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.14993693504309438
RT_ICON	0x358b10	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.13972849875783747
RT_ICON	0x369338	0x5b29	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9978574795389296
RT_STRING	0x36ee64	0x628	DOS executable (COM, 0x8C-variant)			0.35406091370558374
RT_STRING	0x36f48c	0xb60	data			0.24553571428571427
RT_STRING	0x36ffec	0x464	data			0.33807829181494664
RT_STRING	0x370450	0x3e8	data			0.364
RT_STRING	0x370838	0x440	data			0.36672794117647056
RT_STRING	0x370c78	0x498	data			0.37670068027210885
RT_STRING	0x371110	0x358	data			0.3107476635514019
RT_STRING	0x371468	0x428	data			0.40883458646616544
RT_STRING	0x371890	0x134	data			0.5974025974025974
RT_STRING	0x3719c4	0xd0	data			0.6778846153846154
RT_STRING	0x371a94	0x120	data			0.6041666666666666
RT_STRING	0x371bb4	0x32c	data			0.4248768472906404
RT_STRING	0x371ee0	0x3dc	data			0.3937246963562753
RT_STRING	0x3722bc	0x3dc	data			0.3815789473684211
RT_STRING	0x372698	0x464	data			0.39234875444839856
RT_STRING	0x372afc	0x4ec	data			0.3119047619047619
RT_STRING	0x372fe8	0x300	data			0.3580729166666667
RT_STRING	0x3732e8	0x334	data			0.3804878048780488
RT_STRING	0x37361c	0x3f8	data			0.4074803149606299
RT_STRING	0x373a14	0x4b0	data			0.3491666666666667
RT_STRING	0x373ec4	0x45c	data			0.3906810035842294
RT_STRING	0x374320	0x4b4	data			0.3239202657807309
RT_STRING	0x3747d4	0x364	data			0.39400921658986177
RT_STRING	0x374b38	0x3ec	data			0.34462151394422313
RT_STRING	0x374f24	0x3d8	data			0.3546747967479675
RT_STRING	0x3752fc	0xf4	data			0.5491803278688525
RT_STRING	0x3753f0	0xc4	data			0.6275510204081632
RT_STRING	0x3754b4	0x25c	data			0.49503311258278143
RT_STRING	0x375710	0x414	data			0.34674329501915707
RT_STRING	0x375b24	0x37c	data			0.3744394618834081
RT_STRING	0x375ea0	0x2dc	data			0.38114754098360654
RT_STRING	0x37617c	0x340	data			0.3485576923076923
RT_RCDATA	0x3764bc	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x37721c	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x377f74	0xcfc	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003309265944645
RT_RCDATA	0x378c70	0xcd9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033444816053512
RT_RCDATA	0x37994c	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x37a6ac	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x37b404	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x37c054	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x37cca4	0xcb5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033814940055334
RT_RCDATA	0x37d95c	0xcb0	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033866995073892
RT_RCDATA	0x37e60c	0xd56	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032220269478618
RT_RCDATA	0x37f364	0xd47	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032362459546926
RT_RCDATA	0x3800ac	0xdc2	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031232254400908
RT_RCDATA	0x380e70	0xdc5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031205673758865
RT_RCDATA	0x381c38	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x38292c	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x38361c	0xda9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031455533314269
RT_RCDATA	0x3843c8	0xda6	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031482541499714
RT_RCDATA	0x385170	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x385e64	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x386b54	0xbfe	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.0035830618892507
RT_RCDATA	0x387754	0xd04	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.0033013205282113
RT_RCDATA	0x388458	0xc0e	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.0035644847699288
RT_RCDATA	0x389068	0xc1b	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.0035495321071313
RT_RCDATA	0x389c84	0xd36	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.0032525133057362
RT_RCDATA	0x38a9bc	0xd0f	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.003290457672749
RT_RCDATA	0x38b6cc	0xb07	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.003896563939072
RT_RCDATA	0x38c1d4	0xb29	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.0038501925096255
RT_RCDATA	0x38cd00	0xb7b	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.0037427696495407
RT_RCDATA	0x38d87c	0xbd4	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.0036327608982827
RT_RCDATA	0x38e450	0xb8d	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.0037199864727764
RT_RCDATA	0x38efe0	0xc13	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.00355871886121
RT_RCDATA	0x38fbf4	0xb1d	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.003866432337434
RT_RCDATA	0x390714	0xb45	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.0038128249566725
RT_RCDATA	0x39125c	0xb86	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.003728813559322
RT_RCDATA	0x391de4	0xc00	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.0035807291666667
RT_RCDATA	0x3929e4	0xb7a	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.0037440435670524
RT_RCDATA	0x393560	0xbf6	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.003592423252776
RT_RCDATA	0x394158	0xbeb	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.0036053752867913
RT_RCDATA	0x394d44	0xc85	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.0034321372854915
RT_RCDATA	0x3959cc	0xb83	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.003732609433322
RT_RCDATA	0x396550	0xc03	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.0035772357723578
RT_RCDATA	0x397154	0xc2c	PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced	English	United States	1.0035301668806162
RT_RCDATA	0x397d80	0xd45	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	1.0032381513099793
RT_RCDATA	0x398ac8	0x10	data			1.5
RT_RCDATA	0x398ad8	0x148b	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0020916524054002
RT_RCDATA	0x399f64	0x111e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0025102692834322
RT_RCDATA	0x39b084	0xd8c	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0031718569780854
RT_RCDATA	0x39be10	0x9b0	data			0.5
RT_RCDATA	0x39c7c0	0x4	data	English	United States	3.0
RT_RCDATA	0x39c7c4	0x43d1	Delphi compiled form 'TfmAlert'			0.9073210068544438
RT_RCDATA	0x3a0b98	0x456e	Delphi compiled form 'TfmLaunch'			0.8883200180038258
RT_RCDATA	0x3a5108	0x10400	Delphi compiled form 'TfmMain'			0.3766376201923077
RT_RCDATA	0x3b5508	0x31c	Delphi compiled form 'TfmProc'			0.6407035175879398
RT_RCDATA	0x3b5824	0x488	Delphi compiled form 'TLoginDialog'			0.4879310344827586
RT_RCDATA	0x3b5cac	0x3c4	Delphi compiled form 'TPasswordDialog'			0.4678423236514523
RT_GROUP_CURSOR	0x3b6070	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x3b6084	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x3b6098	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3b60ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3b60c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3b60d4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3b60e8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x3b60fc	0x84	data	English	United States	0.7196969696969697
RT_VERSION	0x3b6180	0x20c	data	English	United States	0.517175572519084
RT_MANIFEST	0x3b638c	0x76d	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.39189900052603893
RT_MANIFEST	0x3b6afc	0x154	XML 1.0 document, ASCII text, with CRLF line terminators	Korean	North Korea	0.6088235294117647
RT_MANIFEST	0x3b6afc	0x154	XML 1.0 document, ASCII text, with CRLF line terminators	Korean	South Korea	0.6088235294117647

Imports

DLL	Import
winspool.drv	DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comctl32.dll	ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll	SHGetFolderPathW, Shell_NotifyIconW, SHAppBarMessage, SHFileOperationW, ShellExecuteExW
user32.dll	CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, CreateAcceleratorTableW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, ShowOwnedPopups, GetSystemMenu, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, GetClipboardData, SetClipboardData, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, DrawTextW, SetScrollRange, MonitorFromRect, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, RemovePropW, UpdateWindow, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, EmptyClipboard, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, GetMessageTime, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, OpenClipboard, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CloseClipboard, DestroyCursor, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, CopyIcon, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, ValidateRect, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	SafeArrayPutElement, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SafeArrayAccessData, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, SysAllocStringLen, SafeArrayUnaccessData, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopyInd, VariantChangeType
WTSAPI32.DLL	WTSUnRegisterSessionNotification, WTSRegisterSessionNotification
advapi32.dll	RegSetValueExW, RegConnectRegistryW, OpenThreadToken, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, IsValidSid, EqualSid, RegReplaceKeyW, GetSidSubAuthority, GetTokenInformation, RegCreateKeyExW, GetSidSubAuthorityCount, RegLoadKeyW, RegEnumKeyExW, GetSidIdentifierAuthority, RegDeleteKeyW, RegOpenKeyExW, OpenProcessToken, AllocateAndInitializeSid, FreeSid, RegDeleteValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, RegCloseKey, RegRestoreKeyW
msvcrt.dll	memcpy, memset
winhttp.dll	WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
kernel32.dll	SetFileAttributesW, SetFileTime, QueryDosDeviceW, GetACP, GetExitCodeProcess, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, GetBinaryTypeW, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToTzSpecificLocalTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, GetUserDefaultLCID, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, CreateMutexW, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, GetFileAttributesExW, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, UnmapViewOfFile, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, SystemTimeToFileTime, EnumResourceNamesW, DeleteFileW, GetLocalTime, WaitForSingleObject, GetOEMCP, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, TzSpecificLocalTimeToSystemTime, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
SHFolder.dll	SHGetFolderPathW
gdiplus.dll	GdipFillPath, GdipDrawArc, GdipCreateFromHDC, GdipDeletePen, GdiplusShutdown, GdipCreateSolidFill, GdipDeleteGraphics, GdipDrawPath, GdipAlloc, GdiplusStartup, GdipFree, GdipDeletePath, GdipAddPathArc, GdipAddPathLine, GdipCreatePath, GdipCreatePen1, GdipDrawLine, GdipSetSmoothingMode
ole32.dll	OleRegEnumVerbs, IsAccelerator, CoCreateInstance, CoUninitialize, IsEqualGUID, CreateStreamOnHGlobal, OleInitialize, CLSIDFromProgID, CoInitializeEx, OleUninitialize, CoGetClassObject, CoInitialize, CoTaskMemFree, OleDraw, CoTaskMemAlloc, OleSetMenuDescriptor, StringFromCLSID
gdi32.dll	Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, CloseEnhMetaFile, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, SelectClipRgn, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, CreateFontIndirectW, PolyBezier, LPtoDP, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, CreateEnhMetaFileW, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, BitBlt, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, CombineRgn, SetWinMetaFileBits, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x411d98
dbkFCallWrapperAddr	1	0x6f4648

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Korean	North Korea
Korean	South Korea

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T19:44:29.263045+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	3.39.130.246	443	TCP
2024-10-31T19:44:46.565850+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49705	TCP
2024-10-31T19:45:18.289136+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	60823	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 19:44:28.288239002 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:28.288371086 CET	443	49704	3.39.130.246	192.168.2.5
Oct 31, 2024 19:44:28.288465023 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:28.289691925 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:28.289729118 CET	443	49704	3.39.130.246	192.168.2.5
Oct 31, 2024 19:44:29.262907982 CET	443	49704	3.39.130.246	192.168.2.5
Oct 31, 2024 19:44:29.263045073 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:29.266860962 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:29.266905069 CET	443	49704	3.39.130.246	192.168.2.5
Oct 31, 2024 19:44:29.267170906 CET	443	49704	3.39.130.246	192.168.2.5
Oct 31, 2024 19:44:29.318259001 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:29.566907883 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:29.607367039 CET	443	49704	3.39.130.246	192.168.2.5
Oct 31, 2024 19:44:29.874156952 CET	443	49704	3.39.130.246	192.168.2.5
Oct 31, 2024 19:44:29.874774933 CET	443	49704	3.39.130.246	192.168.2.5
Oct 31, 2024 19:44:29.874846935 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:29.876523018 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:29.876560926 CET	443	49704	3.39.130.246	192.168.2.5
Oct 31, 2024 19:44:29.876589060 CET	49704	443	192.168.2.5	3.39.130.246
Oct 31, 2024 19:44:29.876621962 CET	443	49704	3.39.130.246	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 19:44:27.729260921 CET	50293	53	192.168.2.5	1.1.1.1
Oct 31, 2024 19:44:28.281595945 CET	53	50293	1.1.1.1	192.168.2.5
Oct 31, 2024 19:44:49.326895952 CET	53	61132	1.1.1.1	192.168.2.5
Oct 31, 2024 19:44:50.966552973 CET	53	49320	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 19:44:27.729260921 CET	192.168.2.5	1.1.1.1	0x1580	Standard query (0)	valuesearch.co.kr	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 19:44:28.281595945 CET	1.1.1.1	192.168.2.5	0x1580	No error (0)	valuesearch.co.kr		3.39.130.246	A (IP address)	IN (0x0001)	false
Oct 31, 2024 19:44:28.281595945 CET	1.1.1.1	192.168.2.5	0x1580	No error (0)	valuesearch.co.kr		3.36.251.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

valuesearch.co.kr

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	3.39.130.246	443	3092	C:\Users\user\Desktop\VALUESearch.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 18:44:29 UTC	192	OUT	GET /files/publish/xlllibver.txt HTTP/1.1 Connection: Keep-Alive Accept: application/json Accept-Charset: utf-8 Accept-Language: ko-KR User-Agent: Zewus Agent Host: valuesearch.co.kr
2024-10-31 18:44:29 UTC	256	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 18:44:29 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 8 Connection: close Expires: Sat, 30 Nov 2024 18:44:29 GMT Last-Modified: Wed, 30 Oct 2024 08:11:11 GMT Server: VALUESearch - 1.95.0.1581
2024-10-31 18:44:29 UTC	8	IN	Data Raw: 3e 31 2e 31 2e 36 2e 34 Data Ascii: >1.1.6.4

Target ID:	0
Start time:	14:44:26
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\VALUESearch.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VALUESearch.exe"
Imagebase:	0xc00000
File size:	3'837'952 bytes
MD5 hash:	BF8E1EDFD9C8B66F2056D400A532E53D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VALUESearch.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
VALUESearch.exe