Edit tour

Windows Analysis Report
Vh5fpQFekQ.exe

Overview

General Information

Sample name:	Vh5fpQFekQ.exe renamed because original name is a hash value
Original sample name:	c004f036648d61fccb863fa52daee51eab9767654d38e2a44b9ef72fc2b70c68.exe
Analysis ID:	1562122
MD5:	600942b31377727cac9ca8f41b9d74c1
SHA1:	7116295c1f08155da6db552a94c3f355050546e9
SHA256:	c004f036648d61fccb863fa52daee51eab9767654d38e2a44b9ef72fc2b70c68
Tags:	exeTRADETRUSTLLCuser-JAMESWT_MHT
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

Vh5fpQFekQ.exe (PID: 1464 cmdline: "C:\Users\user\Desktop\Vh5fpQFekQ.exe" MD5: 600942B31377727CAC9CA8F41B9D74C1)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Vh5fpQFekQ.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0
Source: Vh5fpQFekQ.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0
Source: Vh5fpQFekQ.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0
Source: Vh5fpQFekQ.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: Vh5fpQFekQ.exe	String found in binary or memory: http://ocsps.ssl.com0P
Source: Vh5fpQFekQ.exe	String found in binary or memory: http://www.indyproject.org/
Source: Vh5fpQFekQ.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0
Source: Vh5fpQFekQ.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: Vh5fpQFekQ.exe

Static PE information: invalid certificate

Source: Vh5fpQFekQ.exe

Static PE information: Number of sections : 11 > 10

Source: Vh5fpQFekQ.exe, 00000000.00000000.1247097503.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCRProcessMonitor .exe. vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe, 00000000.00000002.1252067099.0000000002AC6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe, 00000000.00000000.1246176284.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe, 00000000.00000002.1252067099.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCRProcessMonitor .exe. vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe	Binary or memory string: OriginalFileName vs Vh5fpQFekQ.exe
Source: Vh5fpQFekQ.exe	Binary or memory string: OriginalFilenameCRProcessMonitor .exe. vs Vh5fpQFekQ.exe

Source: classification engine

Classification label: clean3.winEXE@1/0@0/0

Source: Vh5fpQFekQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Vh5fpQFekQ.exe	String found in binary or memory: pbe-help.chm
Source: Vh5fpQFekQ.exe	String found in binary or memory: NATS-SEFI-ADD
Source: Vh5fpQFekQ.exe	String found in binary or memory: NATS-DANO-ADD
Source: Vh5fpQFekQ.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: Vh5fpQFekQ.exe	String found in binary or memory: jp-ocr-b-add
Source: Vh5fpQFekQ.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: Vh5fpQFekQ.exe	String found in binary or memory: jp-ocr-hand-add
Source: Vh5fpQFekQ.exe	String found in binary or memory: ISO_6937-2-add

Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe

Window found: window name: TMainForm

Jump to behavior

Source: Vh5fpQFekQ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Vh5fpQFekQ.exe

Static file information: File size 23192776 > 1048576

Source: Vh5fpQFekQ.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5a6a00
Source: Vh5fpQFekQ.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x222c00

Source: Vh5fpQFekQ.exe

Static PE information: More than 200 imports for user32.dll

Source: Vh5fpQFekQ.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Vh5fpQFekQ.exe

Code function: 0_2_00416170 GetSystemInfo,

0_2_00416170

Source: Vh5fpQFekQ.exe, 00000000.00000002.1251546012.0000000000D9C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Vh5fpQFekQ.exe	3%	ReversingLabs	Win64.Malware.Generic

Source	Detection	Scanner	Label	Link
http://ocsps.ssl.com0P	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0	Vh5fpQFekQ.exe	false		high
http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0	Vh5fpQFekQ.exe	false		high
http://ocsps.ssl.com0	Vh5fpQFekQ.exe	false		high
http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0	Vh5fpQFekQ.exe	false		high
http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0	Vh5fpQFekQ.exe	false		high
http://www.indyproject.org/	Vh5fpQFekQ.exe	false		high
https://www.ssl.com/repository0	Vh5fpQFekQ.exe	false		high
http://ocsps.ssl.com0P	Vh5fpQFekQ.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562122
Start date and time:	2024-11-25 08:32:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Vh5fpQFekQ.exe renamed because original name is a hash value
Original Sample Name:	c004f036648d61fccb863fa52daee51eab9767654d38e2a44b9ef72fc2b70c68.exe
Detection:	CLEAN
Classification:	clean3.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ocsps.ssl.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Vh5fpQFekQ.exe

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.617898644418564
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	Vh5fpQFekQ.exe
File size:	23'192'776 bytes
MD5:	600942b31377727cac9ca8f41b9d74c1
SHA1:	7116295c1f08155da6db552a94c3f355050546e9
SHA256:	c004f036648d61fccb863fa52daee51eab9767654d38e2a44b9ef72fc2b70c68
SHA512:	3831c85e741e7b6633bd00fcff6acbfbe293cb0eac05fdcdb8e17efc65ef10847211edbfdec4e934f0466f795d39820133d072061cc1b05029814320fc514d61
SSDEEP:	393216:J+4bm9A0J2Hx3e0u6pUjAoNcwpgEMmEkg/:Vbt1OUUjx+Ew/
TLSH:	8337D02B7E649129C15DC13AE0A38F40EB33F4B53B37C6E7525136695E25FC06E3AA60
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	74509878e0f8b0f0

Static PE Info

General

Entrypoint:	0x9a7770
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x6714DC97 [Sun Oct 20 10:33:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e6156dcd76a0d53396ce89a61d187cbf

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA ECC R2, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	18/11/2024 04:47:36 18/11/2025 04:47:36
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=UA, OID.2.5.4.15=Private Organization, CN=TRADE TRUST LLC, SERIALNUMBER=37058412, O=TRADE TRUST LLC, L=Dnipro, C=UA
Version:	3
Thumbprint MD5:	534B9DBCF3BB2DFA2DAD06DA0709841E
Thumbprint SHA-1:	FEA61825376A364886B5236EFCB3EDD1B23E9441
Thumbprint SHA-256:	BD193172C9C4775190F1C906FF5B47D9FB1A342DB35AC211A1A4AC8A9B07B914
Serial:	4C46DCF5B0C4357F05806830DBA932FD

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 40h
dec eax
mov ebp, esp
dec eax
mov dword ptr [ebp+38h], 00000000h
nop
dec eax
lea ecx, dword ptr [FFFEBAE0h]
call 00007F957017A128h
nop
dec eax
mov ecx, dword ptr [FFBED663h]
call 00007F95702C528Bh
dec eax
lea ecx, dword ptr [ebp+38h]
dec eax
lea edx, dword ptr [000001B7h]
call 00007F95705984EBh
dec eax
lea eax, dword ptr [000001FFh]
dec eax
mov dword ptr [ebp+28h], eax
dec eax
lea eax, dword ptr [00000214h]
dec eax
mov dword ptr [ebp+30h], eax
dec eax
mov ecx, dword ptr [ebp+38h]
dec eax
lea edx, dword ptr [000001B9h]
dec esp
lea eax, dword ptr [ebp+28h]
inc ecx
mov ecx, 00000001h
call 00007F95704E3A3Ah
dec eax
mov eax, dword ptr [0007E0BEh]
dec eax
mov ecx, dword ptr [eax]
call 00007F95704B526Bh
dec eax
mov eax, dword ptr [0007E0AFh]
dec eax
mov ecx, dword ptr [eax]
mov dl, 01h
call 00007F95704B7F1Ah
dec eax
mov eax, dword ptr [0007E09Eh]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFDD2B4h]
dec esp
mov eax, dword ptr [0007D26Dh]
call 00007F95704B526Dh
dec eax
mov eax, dword ptr [0007E081h]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFD687Fh]
dec esp
mov eax, dword ptr [0007D5A8h]
call 00007F95704B5250h
dec eax
mov eax, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x64e000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x647000	0x5a0a	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6e0000	0x222b27	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x697000	0x48948	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x161db20	0x9a8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x651000	0x453ec
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x650000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x648728	0x14f8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x64d000	0xeec	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a69dc	0x5a6a00	9b1933f59fab80ba145baedf05a68b3a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x5a8000	0x7e518	0x7e600	24ea68b321e0b3f0d2d4a5a507aa657f	False	0.28498431318001977	data	5.117382099407564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x627000	0x1f074	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x647000	0x5a0a	0x5c00	29c20ce50235d76e49821e0265b78669	False	0.23976732336956522	data	4.314398224913193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x64d000	0xeec	0x1000	37bc73588743189ff9f069cc2f52da80	False	0.255126953125	data	3.186467782525383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x64e000	0x9a	0x200	ab621f9be16857d0949b11b5ce9633db	False	0.2578125	data	1.883689399194428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x64f000	0x270	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x650000	0x6d	0x200	bd431c9bdb7d81300e42e5c4b5b774bf	False	0.197265625	data	1.366430590113611	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x651000	0x453e4	0x45400	412f73f471abe67d77eb4667f5a27fc9	False	0.4629258799638989	data	6.455582329429224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x697000	0x48948	0x48a00	ae52ad1677d2b07246b485fc2dd33524	False	0.4974619459982788	data	6.436138706846121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6e0000	0x222b27	0x222c00	90a134d3c054ce2fa22b763371544e7a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
REER	0x6e2944	0x121991	PNG image data, 4176 x 800, 8-bit/color RGB, non-interlaced	English	United States	0.9935159683227539
VCLSTYLE	0x8042d8	0x15f30	data	English	United States	0.9376001067805659
VCLSTYLE	0x81a208	0x83a7	data	English	United States	0.8488858558585289
RT_CURSOR	0x8225b0	0x134	data	English	United States	0.43506493506493504
RT_CURSOR	0x8226e4	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x822818	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x82294c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x822a80	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x822bb4	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x822ce8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x822e1c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_BITMAP	0x822f50	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x823120	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x823304	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x8234d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x8236a4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x823874	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x823a44	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x823c14	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x823de4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x823fb4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x824184	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x824244	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x824324	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x824404	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x8244e4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x8245a4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x824664	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x824744	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x824804	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x8248e4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x8249a4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x824a84	0x26126	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9963255569378359
RT_STRING	0x84abac	0xa00	data			0.2734375
RT_STRING	0x84b5ac	0x80c	data			0.29514563106796116
RT_STRING	0x84bdb8	0x378	data			0.3536036036036036
RT_STRING	0x84c130	0x18c	data			0.398989898989899
RT_STRING	0x84c2bc	0x1a4	data			0.5261904761904762
RT_STRING	0x84c460	0x184	data			0.45618556701030927
RT_STRING	0x84c5e4	0x394	data			0.4126637554585153
RT_STRING	0x84c978	0x3bc	data			0.3912133891213389
RT_STRING	0x84cd34	0x460	data			0.36875
RT_STRING	0x84d194	0x398	data			0.425
RT_STRING	0x84d52c	0x390	AmigaOS bitmap font "e", fc_YSize 18176, 20992 elements, 2nd "\034", 3rd "x"			0.4309210526315789
RT_STRING	0x84d8bc	0x320	data			0.42375
RT_STRING	0x84dbdc	0x4a0	data			0.3918918918918919
RT_STRING	0x84e07c	0x38c	data			0.44162995594713655
RT_STRING	0x84e408	0x398	data			0.3423913043478261
RT_STRING	0x84e7a0	0x2ac	data			0.46345029239766083
RT_STRING	0x84ea4c	0x384	data			0.3888888888888889
RT_STRING	0x84edd0	0x398	data			0.4326086956521739
RT_STRING	0x84f168	0x3a4	data			0.4055793991416309
RT_STRING	0x84f50c	0x2b0	data			0.4796511627906977
RT_STRING	0x84f7bc	0x350	data			0.3561320754716981
RT_STRING	0x84fb0c	0x358	data			0.38434579439252337
RT_STRING	0x84fe64	0x45c	data			0.36200716845878134
RT_STRING	0x8502c0	0x42c	data			0.351123595505618
RT_STRING	0x8506ec	0x390	data			0.3848684210526316
RT_STRING	0x850a7c	0x3f8	data			0.4094488188976378
RT_STRING	0x850e74	0x200	data			0.51171875
RT_STRING	0x851074	0xc8	data			0.675
RT_STRING	0x85113c	0x24c	data			0.445578231292517
RT_STRING	0x851388	0x13c	data			0.5917721518987342
RT_STRING	0x8514c4	0x3d0	data			0.38524590163934425
RT_STRING	0x851894	0x414	data			0.3726053639846743
RT_STRING	0x851ca8	0x424	data			0.3867924528301887
RT_STRING	0x8520cc	0x3f0	data			0.2916666666666667
RT_STRING	0x8524bc	0x3bc	data			0.41422594142259417
RT_STRING	0x852878	0x3f8	data			0.3838582677165354
RT_STRING	0x852c70	0x6c0	data			0.33738425925925924
RT_STRING	0x853330	0x458	AmigaOS bitmap font "t", fc_YSize 29184, 21248 elements, 2nd "r", 3rd " "			0.33363309352517984
RT_STRING	0x853788	0x368	data			0.40940366972477066
RT_STRING	0x853af0	0x344	data			0.3827751196172249
RT_STRING	0x853e34	0x428	data			0.3966165413533835
RT_STRING	0x85425c	0x138	data			0.5064102564102564
RT_STRING	0x854394	0xcc	data			0.6127450980392157
RT_STRING	0x854460	0x1f8	data			0.5357142857142857
RT_STRING	0x854658	0x40c	data			0.36003861003861004
RT_STRING	0x854a64	0x384	data			0.3688888888888889
RT_STRING	0x854de8	0x318	data			0.3787878787878788
RT_STRING	0x855100	0x31c	data			0.34296482412060303
RT_RCDATA	0x85541c	0x10	data			1.5
RT_RCDATA	0x85542c	0x12e8	data			0.48863636363636365
RT_RCDATA	0x856714	0x2	data	English	United States	5.0
RT_RCDATA	0x856718	0x1d0a	Delphi compiled form 'TAdvancedScheduleDialog'			0.3892924401398978
RT_RCDATA	0x858424	0x10fd	Delphi compiled form 'TCharTableDialog'			0.4304437801793516
RT_RCDATA	0x859524	0x2002	Delphi compiled form 'TDesktopIconDialog'			0.3688064437393215
RT_RCDATA	0x85b528	0x3998	Delphi compiled form 'TEditHistListDialog'			0.18326098752034725
RT_RCDATA	0x85eec0	0x112e	Delphi compiled form 'TErrorActionDialog'			0.4297407912687585
RT_RCDATA	0x85fff0	0x9b3	Delphi compiled form 'TfrmShow'			0.4812726540475232
RT_RCDATA	0x8609a4	0x169f	Delphi compiled form 'TInputStringDialog'			0.4113279226385771
RT_RCDATA	0x862044	0x16ee	Delphi compiled form 'TInputTextDialog'			0.4131175468483816
RT_RCDATA	0x863734	0x239	Delphi compiled form 'TListSelectDialog'			0.6414762741652021
RT_RCDATA	0x863970	0x1c16	Delphi compiled form 'TLogonDialog'			0.40486787204450625
RT_RCDATA	0x865588	0x7230	Delphi compiled form 'TMailDialog'			0.22400109469074986
RT_RCDATA	0x86c7b8	0xb697	Delphi compiled form 'TMailTestDialog'			0.2569368675523608
RT_RCDATA	0x877e50	0x1585e	Delphi compiled form 'TMainForm'			0.2409537421447855
RT_RCDATA	0x88d6b0	0x10ab	Delphi compiled form 'TMemoDialog'			0.4391844387157253
RT_RCDATA	0x88e75c	0x19f7	Delphi compiled form 'TNewPwdDialog'			0.3344365879344065
RT_RCDATA	0x890154	0x255f	Delphi compiled form 'TPasswordDialog'			0.3123236124176858
RT_RCDATA	0x8926b4	0x2352	Delphi compiled form 'TPlaceHolderDialog'			0.33244857332448574
RT_RCDATA	0x894a08	0x9773	Delphi compiled form 'TSelectDialog'			0.18944571973898017
RT_RCDATA	0x89e17c	0x6495	Delphi compiled form 'TSelectFromListDialog'			0.1580643908501301
RT_RCDATA	0x8a4614	0x101b	Delphi compiled form 'TSelectProfileDialog'			0.4387581857870483
RT_RCDATA	0x8a5630	0x7b36	Delphi compiled form 'TSelectSchedTaskDialog'			0.24307272842559127
RT_RCDATA	0x8ad168	0x10888	Delphi compiled form 'TShellDirDialog'			0.35952451269935026
RT_RCDATA	0x8bd9f0	0x1499	Delphi compiled form 'TShortcutDialog'			0.43371894557178076
RT_RCDATA	0x8bee8c	0x10d6	Delphi compiled form 'TShowFilesDialog'			0.4294663573085847
RT_RCDATA	0x8bff64	0xbbd0	Delphi compiled form 'TShowMsgDialog'			0.23047004991680534
RT_RCDATA	0x8cbb34	0xb179	Delphi compiled form 'TShowTextDialog'			0.22344991525983315
RT_RCDATA	0x8d6cb0	0xa54	Delphi compiled form 'TStatusWindow'			0.44175491679273826
RT_RCDATA	0x8d7704	0xc67e	Delphi compiled form 'TTaskScheduleDialog'			0.16831975439839414
RT_RCDATA	0x8e3d84	0x1179	PNG image data, 1800 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.9579700424770847
RT_RCDATA	0x8e4f00	0x176c	PNG image data, 2400 x 32, 8-bit/color RGBA, non-interlaced	English	United States	0.9412941961307538
RT_RCDATA	0x8e666c	0x2cf0	PNG image data, 3600 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9631432545201669
RT_RCDATA	0x8e935c	0x3970	PNG image data, 4800 x 64, 8-bit/color RGBA, non-interlaced	English	United States	0.9263465723612623
RT_RCDATA	0x8ecccc	0x1403	PNG image data, 1800 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.96213156353699
RT_RCDATA	0x8ee0d0	0x18ad	PNG image data, 2400 x 32, 8-bit/color RGBA, non-interlaced	English	United States	0.9377869241728669
RT_RCDATA	0x8ef980	0x343f	PNG image data, 3600 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9486355140186916
RT_RCDATA	0x8f2dc0	0x3ea6	PNG image data, 4800 x 64, 8-bit/color RGBA, non-interlaced	English	United States	0.9183189923930665
RT_RCDATA	0x8f6c68	0x509	PNG image data, 192 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.008533747090768
RT_RCDATA	0x8f7174	0x64e	PNG image data, 256 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.006815365551425
RT_RCDATA	0x8f77c4	0xb62	PNG image data, 384 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9982841455044612
RT_RCDATA	0x8f8328	0xe43	PNG image data, 512 x 64, 8-bit/color RGBA, non-interlaced	English	United States	0.9726102437688304
RT_RCDATA	0x8f916c	0x62f	PNG image data, 192 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0069488313329122
RT_RCDATA	0x8f979c	0x6d3	PNG image data, 256 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.0062965082999427
RT_RCDATA	0x8f9e70	0xe13	PNG image data, 384 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9988898140438524
RT_RCDATA	0x8fac84	0xf5b	PNG image data, 512 x 64, 8-bit/color RGBA, non-interlaced	English	United States	0.9722716865937421
RT_RCDATA	0x8fbbe0	0x26e	PNG image data, 96 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.017684887459807
RT_RCDATA	0x8fbe50	0x303	PNG image data, 96 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.014267185473411
RT_RCDATA	0x8fc154	0x644	PNG image data, 384 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.006857855361596
RT_RCDATA	0x8fc798	0x823	PNG image data, 512 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.00144023043687
RT_RCDATA	0x8fcfbc	0xe08	PNG image data, 768 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9618596881959911
RT_RCDATA	0x8fddc4	0x117c	PNG image data, 1024 x 64, 8-bit/color RGBA, non-interlaced	English	United States	0.9159964253798034
RT_RCDATA	0x8fef40	0x787	PNG image data, 384 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.00570835495589
RT_RCDATA	0x8ff6c8	0x89c	PNG image data, 512 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.000453720508167
RT_RCDATA	0x8fff64	0x1189	PNG image data, 768 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9607930496769882
RT_RCDATA	0x9010f0	0x1251	PNG image data, 1024 x 64, 8-bit/color RGBA, non-interlaced	English	United States	0.9117082533589251
RT_GROUP_CURSOR	0x902344	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x902358	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x90236c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x902380	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x902394	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x9023a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x9023bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x9023d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x9023e4	0x14	data	English	United States	1.1
RT_VERSION	0x9023f8	0x380	data	English	United States	0.4497767857142857
RT_MANIFEST	0x902778	0x3af	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.47613997879109227

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, SetCurrentDirectoryW, GetCurrentDirectoryW, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, SendDlgItemMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemRect, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetComboBoxInfo, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DeferWindowPos, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CreateCaret, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, BeginDeferWindowPos, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWorldTransform, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetGraphicsMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWindowExtEx, GetWinMetaFileBits, GetViewportOrgEx, GetViewportExtEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetTextColor, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetCurrentObject, GetClipBox, GetBrushOrgEx, GetBkMode, GetBitmapBits, GdiFlush, FrameRgn, FillRgn, ExtTextOutW, ExtFloodFill, ExtCreateRegion, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
mpr.dll	WNetCancelConnection2W
kernel32.dll	lstrlenA, lstrcmpW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, WaitForMultipleObjects, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, TryEnterCriticalSection, SystemTimeToFileTime, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OpenProcess, MulDiv, MapViewOfFile, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, IsValidCodePage, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryW, GetVolumeInformationW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetUserDefaultLCID, GetUserDefaultUILanguage, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindNextChangeNotification, FindFirstFileW, FindFirstChangeNotificationW, FindCloseChangeNotification, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsW, EnumSystemLocalesW, EnumSystemCodePagesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateMutexW, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, GetUserNameW, AdjustTokenPrivileges
kernel32.dll	Sleep
netapi32.dll	NetWkstaGetInfo
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoInitializeSecurity, CoUninitialize, CoInitializeEx, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
shell32.dll	SHGetFileInfoW, SHFileOperationW, ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetMalloc, SHGetDesktopFolder, SHChangeNotify
comdlg32.dll	PrintDlgW, ChooseFontW, FindTextW, GetOpenFileNameW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
advapi32.dll	QueryServiceStatus, OpenServiceW, OpenSCManagerW, CloseServiceHandle
advapi32.dll	InitiateSystemShutdownExW
kernel32.dll	MulDiv

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4985a0
__dbk_fcall_wrapper	2	0x417d60
dbkFCallWrapperAddr	1	0xa2bf58

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	02:33:08
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\Vh5fpQFekQ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Vh5fpQFekQ.exe"
Imagebase:	0x400000
File size:	23'192'776 bytes
MD5 hash:	600942B31377727CAC9CA8F41B9D74C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	14
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00416170 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00416179

Memory Dump Source

Source File: 00000000.00000002.1250836504.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_416000_Vh5fpQFekQ.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 67c87a944072bca4b55ec9f888a612c3bf4a403d472a9758f7da641f0fcfc9d4
Instruction ID: 4648ade987ffc944fde31bf39686638241399731d1bca306219cf037b42e6670
Opcode Fuzzy Hash: 67c87a944072bca4b55ec9f888a612c3bf4a403d472a9758f7da641f0fcfc9d4
Instruction Fuzzy Hash: EFB09236868DC847CA02B724C84248A72B2BA90708F80061DF48A92190ED2D9A2886C6

Function 00435AB0 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 00435ACB

Memory Dump Source

Source File: 00000000.00000002.1250861428.0000000000435000.00000040.00000001.01000000.00000003.sdmp, Offset: 00435000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_435000_Vh5fpQFekQ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e08d200c9f1f223935816db6f1d9b899c311444ac5ca32d48981cc9231302692
Instruction ID: a33dc3493900b81525197066af353c5ec7ce5cb30a31a3fff1a0f86a84c996f9
Opcode Fuzzy Hash: e08d200c9f1f223935816db6f1d9b899c311444ac5ca32d48981cc9231302692
Instruction Fuzzy Hash: 1111D330224D484ADB28AB7D44553AFA1C1FB4C3A8F643A2FE41FC73D1D62CD886561A

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Vh5fpQFekQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Vh5fpQFekQ.exePID: 1464, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: Vh5fpQFekQ.exePID: 1464, Parent PID: 4056COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 00416170 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Windows Analysis Report
Vh5fpQFekQ.exe

Function 00416170 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Function 00435AB0 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON