Windows Analysis Report
CV_ Filipa Barbosa.exe

Overview

General Information

Sample name: CV_ Filipa Barbosa.exe
Analysis ID: 1560964
MD5: 09be6e97e16e41bf402daed8815e211f
SHA1: 292862ebb991525b36b1d53f552203f643223017
SHA256: eba45c69ff3acfbe273712b2a7e9b4d6c1c0b07e7b6dcaf31f4b28fcebeb9612

Detection

FormBook
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • CV_ Filipa Barbosa.exe (PID: 3968 cmdline: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe" MD5: 09BE6E97E16E41BF402DAED8815E211F)
    • svchost.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
      Source | Rule | Description | Author | Strings
      00000002.00000002.1452011802.0000000000401000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
      00000002.00000002.1452204848.00000000025B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", CommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", CommandLine|base64offset|contains: )b, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", ParentImage: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe, ParentProcessId: 3968, ParentProcessName: CV_ Filipa Barbosa.exe, ProcessCommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", ProcessId: 6760, ProcessName: svchost.exe
      Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", CommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", CommandLine|base64offset|contains: )b, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", ParentImage: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe, ParentProcessId: 3968, ParentProcessName: CV_ Filipa Barbosa.exe, ProcessCommandLine: "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe", ProcessId: 6760, ProcessName: svchost.exe
      No Suricata rule has matched

      AV Detection

      Source: CV_ Filipa Barbosa.exe | ReversingLabs: Detection: 39%
      Source: Yara match | File source: 00000002.00000002.1452011802.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.1452204848.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: CV_ Filipa Barbosa.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

      E-Banking Fraud

      Source: Yara match | File source: 00000002.00000002.1452011802.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.1452204848.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: CV_ Filipa Barbosa.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: classification engine | Classification label: mal68.troj.evad.winEXE@3/1@0/0
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | File created: C:\Users\user\AppData\Local\Temp\aut571.tmp
      Source: CV_ Filipa Barbosa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: CV_ Filipa Barbosa.exe | ReversingLabs: Detection: 39%
      Source: unknown | Process created: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: wsock32.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: mpr.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: ntmarta.dll
      Source: CV_ Filipa Barbosa.exe | Static file information: File size 1213952 > 1048576
      Source: CV_ Filipa Barbosa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: CV_ Filipa Barbosa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: CV_ Filipa Barbosa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: CV_ Filipa Barbosa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: CV_ Filipa Barbosa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: CV_ Filipa Barbosa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: CV_ Filipa Barbosa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: CV_ Filipa Barbosa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: CV_ Filipa Barbosa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: CV_ Filipa Barbosa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: CV_ Filipa Barbosa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: CV_ Filipa Barbosa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | API/Special instruction interceptor: Address: 12F8044
      Source: C:\Windows\SysWOW64\svchost.exe TID: 6764 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 27D8008
      Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"

      Stealing of Sensitive Information

      Source: Yara match | File source: 00000002.00000002.1452011802.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.1452204848.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match | File source: 00000002.00000002.1452011802.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.1452204848.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      ATT&CK matrix (techniques listed per tactic; the leading count digits are kept as extracted):
      Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
      Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
      Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
      Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
      Privilege Escalation: 211 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook
      Defense Evasion: 2 Virtualization/Sandbox Evasion, 211 Process Injection, 1 DLL Side-Loading, Binary Padding
      Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
      Discovery: 11 Security Software Discovery, 2 Virtualization/Sandbox Evasion, 1 Process Discovery, 11 System Information Discovery
      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
      Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
      Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
      Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction

      Source | Detection | Scanner | Label | Link
      CV_ Filipa Barbosa.exe | 39% | ReversingLabs | Win32.Trojan.AutoitInject |
      No Antivirus matches
      No contacted domains info
      No contacted IP infos
      Joe Sandbox version: 41.0.0 Charoite
      Analysis ID: 1560964
      Start date and time: 2024-11-22 15:02:19 +01:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration:
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: defaultwindowsinteractivecookbook.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of new started processes analysed: 12
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • EGA enabled
      Analysis Mode: stream
      Analysis stop reason: Timeout
      Sample name: CV_ Filipa Barbosa.exe
      Detection: MAL
      Classification: mal68.troj.evad.winEXE@3/1@0/0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes were analyzed; the report is missing behavior information
      • VT rate limit hit for: CV_ Filipa Barbosa.exe
      Process: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe
      File Type: data
      Category: dropped
      Size (bytes): 287744
      Entropy (8bit): 7.99399153453418
      Encrypted: true
      SSDEEP:
      MD5: ACB78C6B34547DC1736FE01928EA82C3
      SHA1: 260BADB5A5082DD741ADCE3C163B90604B19C21A
      SHA-256: 48A19EFEB08636D76C0256C1EB48E585707BE8024F65F21A064A208F07B789BE
      SHA-512: 50A34CE7B95FD5424F354E071F67F6BAD3CEE4CD68CEED1AE69BF23E6F1FB293DA7F994487C5DD92680B0720A725CD0FD40E1323AAEEDC569D174EEB95B51B1A
      Malicious: false
      Reputation: unknown
      Preview:...2U36HOKZP..XZ.ZUL2V36.KKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HK.ZPJZG.;Z.E.w.7..j.8#'x*G52>S;.U)%%5$j6=zG/;l[8.r..k7?.1vW8PqL2V36HK2[Y.i8=.g5+.kSQ.Q..p4?./....6T.R..l*3..\9=qR1.6HKKZPJT..5Z.M3VqN..KZPJTXZ5.UN3]2=HK.^PJTXZ5ZUL.B36H[KZP:PXZ5.UL"V36JKK\PJTXZ5ZSL2V36HKK*TJTZZ5ZUL2T3v.KKJPJDXZ5ZEL2F36HKKZ@JTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36f?."$JTX.e^UL"V36.OKZ@JTXZ5ZUL2V36HKkZP*TXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJTXZ5ZUL2V36HKKZPJT
      File type: PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit): 7.1499351724273685
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name: CV_ Filipa Barbosa.exe
      File size: 1'213'952 bytes
      MD5: 09be6e97e16e41bf402daed8815e211f
      SHA1: 292862ebb991525b36b1d53f552203f643223017
      SHA256: eba45c69ff3acfbe273712b2a7e9b4d6c1c0b07e7b6dcaf31f4b28fcebeb9612
      SHA512: e3ded9f0bd5e45f6a9c119618808e15f5edf914e7b4eacd6bb95e26bec38b7c24e49119feebb54534002324909db4ce772ff8e5aaa0b35a604372ff56d120d2b
      SSDEEP: 24576:htb20pkaCqT5TBWgNQ7aUoOJhxIp9nNX8Vb/EHAk6A:yVg5tQ7aUoOdIpNNsVm5
      TLSH: 8E45D01273DE8365C3B25273BA267701BEBF782506A5F86B2FD40D3DE820162525E673
      File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
      Icon Hash: aaf3e3e3938382a0
      Entrypoint: 0x425f74
      Entrypoint Section: .text
      Digitally signed: false
      Imagebase: 0x400000
      Subsystem: windows gui
      Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
      Time Stamp: 0x674072A2 [Fri Nov 22 12:01:38 2024 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major: 5
      OS Version Minor: 1
      File Version Major: 5
      File Version Minor: 1
      Subsystem Version Major: 5
      Subsystem Version Minor: 1
      Import Hash: 3d95adbf13bbe79dc24dccb401c12091
      Instruction
      call 00007F7A049AE3AFh
      jmp 00007F7A049A13C4h
      int3
      int3
      push edi
      push esi
      mov esi, dword ptr [esp+10h]
      mov ecx, dword ptr [esp+14h]
      mov edi, dword ptr [esp+0Ch]
      mov eax, ecx
      mov edx, ecx
      add eax, esi
      cmp edi, esi
      jbe 00007F7A049A154Ah
      cmp edi, eax
      jc 00007F7A049A18AEh
      bt dword ptr [004C0158h], 01h
      jnc 00007F7A049A1549h
      rep movsb
      jmp 00007F7A049A185Ch
      cmp ecx, 00000080h
      jc 00007F7A049A1714h
      mov eax, edi
      xor eax, esi
      test eax, 0000000Fh
      jne 00007F7A049A1550h
      bt dword ptr [004BA370h], 01h
      jc 00007F7A049A1A20h
      bt dword ptr [004C0158h], 00000000h
      jnc 00007F7A049A16EDh
      test edi, 00000003h
      jne 00007F7A049A16FEh
      test esi, 00000003h
      jne 00007F7A049A16DDh
      bt edi, 02h
      jnc 00007F7A049A154Fh
      mov eax, dword ptr [esi]
      sub ecx, 04h
      lea esi, dword ptr [esi+04h]
      mov dword ptr [edi], eax
      lea edi, dword ptr [edi+04h]
      bt edi, 03h
      jnc 00007F7A049A1553h
      movq xmm1, qword ptr [esi]
      sub ecx, 08h
      lea esi, dword ptr [esi+08h]
      movq qword ptr [edi], xmm1
      lea edi, dword ptr [edi+08h]
      test esi, 00000007h
      je 00007F7A049A15A5h
      bt esi, 03h
      jnc 00007F7A049A15F8h
      movdqa xmm1, dqword ptr [esi+00h]
      Programming Language:
      • [ C ] VS2008 SP1 build 30729
      • [IMP] VS2008 SP1 build 30729
      • [ASM] VS2012 UPD4 build 61030
      • [RES] VS2012 UPD4 build 61030
      • [LNK] VS2012 UPD4 build 61030
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5f5ac | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x6c4c | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0xc4000 | 0x5f5ac | 0x5f600 | 5644ed7266611beb9caaa360c3aa7d48 | False | 0.9331585845347313 | data | 7.906735837114006 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x124000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_ICON | 0xc44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
      RT_ICON | 0xc45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
      RT_ICON | 0xc48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
      RT_ICON | 0xc49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
      RT_ICON | 0xc5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
      RT_ICON | 0xc6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
      RT_ICON | 0xc6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
      RT_ICON | 0xc8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
      RT_ICON | 0xc9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
      RT_STRING | 0xca148 | 0x594 | data | English | Great Britain | 0.3333333333333333
      RT_STRING | 0xca6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
      RT_STRING | 0xcad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
      RT_STRING | 0xcb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
      RT_STRING | 0xcb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
      RT_STRING | 0xcbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
      RT_STRING | 0xcc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
      RT_RCDATA | 0xcc410 | 0x56c83 | data | | | 1.000326338621332
      RT_GROUP_ICON | 0x123094 | 0x76 | data | English | Great Britain | 0.6610169491525424
      RT_GROUP_ICON | 0x12310c | 0x14 | data | English | Great Britain | 1.15
      RT_VERSION | 0x123120 | 0xdc | data | English | Great Britain | 0.6181818181818182
      RT_MANIFEST | 0x1231fc | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
      DLL | Import
      WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
      VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
      WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
      COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
      MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
      WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
      PSAPI.DLL | GetProcessMemoryInfo
      IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
      USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
      UxTheme.dll | IsThemeActive
      KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
      USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
      GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
      COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
      ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
      SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
      ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
      OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
      Language of compilation system | Country where language is spoken
      English | Great Britain