Edit tour

Windows Analysis Report
KRoMX2011.exe

Overview

General Information

Sample name:	KRoMX2011.exe
Analysis ID:	1562272
MD5:	ab4715b9fecfb81df1f1eabfb6fcc2ae
SHA1:	0fed69a507959b8d4e53beedc84412ba76618622
SHA256:	51a9c8fb452d0037be2fdb423126b58ced8ac23bc43a043afa531d47c69aa21d

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

PE file contains sections with non-standard names

Queries keyboard layouts

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

KRoMX2011.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\KRoMX2011.exe" MD5: AB4715B9FECFB81DF1F1EABFB6FCC2AE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: KRoMX2011.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: KRoMX2011.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: clean1.winEXE@1/0@0/0

Source: KRoMX2011.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KRoMX2011.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\KRoMX2011.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\KRoMX2011.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A03' WHERE MAG = 'A-3';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_CERT (NAZWA) VALUES ('Global Gap');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES (16, 'zachodniopomorskie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A10' WHERE MAG = 'A-10';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO FORMA_WLASN (ID, NAZWA) VALUES ('G', 'Gospodarstwo Rodzinne');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES ( 6, 'NO3');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B09' WHERE MAG = 'B-9';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A09' WHERE MAG = 'A-9';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B03' WHERE MAG = 'B-3';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES (10, 'podlaskie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES (15, 'wielkopolskie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES ( 7, 'Obicia');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_JAKOSC_DST (ID, NAZWA) VALUES (0, 'Brak wyboru');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES (12, 'Test');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES (14, 'UWG');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES ( 1, 'CUKRY');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B06' WHERE MAG = 'B-6';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A06' WHERE MAG = 'A-6';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO PA_PRD_ZAST (ID_TYP, NAZWA) VALUES (3, 'DW');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE BUNKRY SET NAZWA = 'P1' WHERE ID_BUNKRA = 1;
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A07' WHERE MAG = 'A-7';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO BUNKRY (NAZWA) VALUES ('P4');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A04' WHERE MAG = 'A-4';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B04' WHERE MAG = 'B-4';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE KONTRAH SET NIP_P = ' ' WHERE NIP_P IS NULL;
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE BUNKRY SET NAZWA = 'P2' WHERE ID_BUNKRA = 2;
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES (15, 'Zanieczyszczenia');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO BUNKRY (NAZWA) VALUES ('B1');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B07' WHERE MAG = 'B-7';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PROD (NAZWA) VALUES ('Przysnacki');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PROD (NAZWA) VALUES ('standard');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES (11, 'pomorskie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_CERT (NAZWA) VALUES ('Brak');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE BUNKRY SET NAZWA = 'P3' WHERE ID_BUNKRA = 3;
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO FORMA_WLASN (ID, NAZWA) VALUES ('P', 'Grupa Producencka');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES ( 4, 'lubuskie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES ( 7, 'mazowieckie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO ST_DOCEL(ID_ST_DOCEL, NAZWA, ID_KONTRAH, MAG) VALUES(0, 'BRAK WYBORU', '000', 'NPP');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO PREF_CENNIKI(ID, NAZWA) VALUES (0, 'Kontrahenci preferowani');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES (11, 'Parch');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PROD (NAZWA) VALUES ('Lidl');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B01' WHERE MAG = 'B-1';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO BUNKRY (NAZWA) VALUES ('B2');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A08' WHERE MAG = 'A-8';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A01' WHERE MAG = 'A-1';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B08' WHERE MAG = 'B-8';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES ( 9, 'podkarpackie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES ( 3, 'lubelskie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B10' WHERE MAG = 'B-10';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES ( 8, 'opolskie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO PA_PRD_ZAST (ID_TYP, NAZWA) VALUES (2, 'O');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO PA_PRD_ZAST (ID_TYP, NAZWA) VALUES (4, 'DW (tylko ryflowane)');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_CERT (NAZWA) VALUES ('HACCP');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B02' WHERE MAG = 'B-2';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A02' WHERE MAG = 'A-2';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES ( 4, 'Mycie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO SL_WOJEWODZTW (ID, NAZWA) VALUES ( 2, 'kujawsko-pomorskie');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES ( 8, 'Obite pow 10%');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'A05' WHERE MAG = 'A-5';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO BUNKRY (NAZWA) VALUES ('B3');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO PA_PRD_ZAST (ID_TYP, NAZWA) VALUES (1, 'Z');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE GAZOWANIE SET MAG = 'B05' WHERE MAG = 'B-5';
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PROD (NAZWA) VALUES ('Kettle');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_PJ (ID_S_PJ, NAZWA) VALUES ( 5, 'NO2');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO TYP_ROL(ID_TYP_ROL, NAZWA) VALUES('V', 'Vatowiec');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO PREF_CENNIKI(ID, NAZWA) VALUES (1, 'Kontrahenci niepreferowani');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO TERM_SKLADOW (ID, NAZWA) VALUES ('1', 'tymczasowe');
Source: KRoMX2011.exe, 00000000.00000000.1176246230.0000000000A9F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO S_CERT (NAZWA) VALUES ('Euro Gap');

Source: KRoMX2011.exe	String found in binary or memory: NATS-SEFI-ADD
Source: KRoMX2011.exe	String found in binary or memory: NATS-DANO-ADD
Source: KRoMX2011.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: KRoMX2011.exe	String found in binary or memory: jp-ocr-b-add
Source: KRoMX2011.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: KRoMX2011.exe	String found in binary or memory: jp-ocr-hand-add
Source: KRoMX2011.exe	String found in binary or memory: ISO_6937-2-add

Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Section loaded: dxcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\KRoMX2011.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000514-0000-0010-8000-00AA006D2EA4}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\KRoMX2011.exe

Window found: window name: TComboBox

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: KRoMX2011.exe

Static PE information: More than 275 > 100 exports found

Source: KRoMX2011.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: KRoMX2011.exe

Static file information: File size 11163648 > 1048576

Source: KRoMX2011.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x69e000
Source: KRoMX2011.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x11b600
Source: KRoMX2011.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x255a00

Source: KRoMX2011.exe

Static PE information: More than 200 imports for USER32.DLL

Source: KRoMX2011.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\KRoMX2011.exe

Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\KRoMX2011.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\Desktop\KRoMX2011.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: KRoMX2011.exe, 00000000.00000003.1817661816.000000000124A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562272
Start date and time:	2024-11-25 12:52:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KRoMX2011.exe
Detection:	CLEAN
Classification:	clean1.winEXE@1/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: KRoMX2011.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.727127180473803
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	KRoMX2011.exe
File size:	11'163'648 bytes
MD5:	ab4715b9fecfb81df1f1eabfb6fcc2ae
SHA1:	0fed69a507959b8d4e53beedc84412ba76618622
SHA256:	51a9c8fb452d0037be2fdb423126b58ced8ac23bc43a043afa531d47c69aa21d
SHA512:	1e9fa7d480dbd37c122474b476624505c85bcfa9ef088857b29e12494e5e16e355e6017277a90d501782aec4028155e94a22f4cd52b7507b10c6036a2bf0bda7
SSDEEP:	98304:SvaWYwHG/tQ2NbppBvOCsTO0E5vVigWYcE5fAYnsGGj2+Q2qtgqmv4KZNYhqC:FWYwmy0bj5vdW9u9IFqqqRONY
TLSH:	26B66C1AB6469435C11A4B328D2BFF59203BB6B5AE318943BBF86F0D4FF16406D36247
File Content Preview:	MZP.....................@......Pjr......................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2c0f0909490dced2

Static PE Info

General

Entrypoint:	0x402f2c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x66AA2AD0 [Wed Jul 31 12:15:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a340ebfe404142c752d716d96a3103da

Entrypoint Preview

Instruction
jmp 00007F69C87EF442h
bound di, dword ptr [edx]
inc ebx
sub ebp, dword ptr [ebx]
dec eax
dec edi
dec edi
dec ebx
nop
jmp 00007F69C928E4E1h
mov eax, dword ptr [00A9F09Fh]
shl eax, 02h
mov dword ptr [00A9F0A3h], eax
push edx
push 00000000h
call 00007F69C8E8A260h
mov edx, eax
call 00007F69C8E77C1Bh
pop edx
call 00007F69C8E77B3Dh
call 00007F69C8E77D6Ch
push 00000000h
call 00007F69C8E79ACDh
pop ecx
push 00A9F048h
push 00000000h
call 00007F69C8E8A23Ah
mov dword ptr [00A9F0A7h], eax
push 00000000h
jmp 00007F69C8E84628h
jmp 00007F69C8E79AFFh
xor eax, eax
mov al, byte ptr [00A9F091h]
ret
mov eax, dword ptr [00A9F0A7h]
ret
pushad
mov ebx, BCB05000h
push ebx
push 00000BADh
ret
mov ecx, 00000140h
or ecx, ecx
je 00007F69C87EF47Fh
cmp dword ptr [00A9F09Fh], 00000000h
jnc 00007F69C87EF43Ch
mov eax, 000000FEh
call 00007F69C87EF40Ch
mov ecx, 00000140h
push ecx
push 00000008h
call 00007F69C8E8A203h
push eax
call 00007F69C8E8A2C3h
or eax, eax
jne 00007F69C87EF43Ch
mov eax, 000000FDh
call 00007F69C87EF3EBh
push eax
push eax
push dword ptr [00A9F09Fh]
call 00007F69C8E84816h
push dword ptr [00A9F09Fh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7e4000	0x1f8f	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7df000	0x3f89	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e6000	0x255a00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa3c000	0x8f3c4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7de000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x7e3000	0x9ff	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69e000	0x69e000	dcf63415f8bacd9e7f418028ff6a219e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x69f000	0x13e000	0x11b600	8269dfbca368bc7a07b1b16ff4672cfe	False	0.21815122546316718	data	5.584003321197942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x7dd000	0x1000	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x7de000	0x1000	0x200	0246e50196a7598e27a8f97aa6b23612	False	0.056640625	data	0.2147325177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.idata	0x7df000	0x4000	0x4000	3933eb4a186f7ab38d0df1f90ced2234	False	0.31146240234375	COM executable for DOS	5.291034282785684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didata	0x7e3000	0x1000	0xa00	79982fd1cc5b371d07a9133ce664b535	False	0.4046875	data	4.742187595087048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x7e4000	0x2000	0x2000	82ddd38f7af6426b8c1a5c6e26d3c130	False	0.353759765625	data	5.610243176084246	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7e6000	0x256000	0x255a00	f54e5093a80e2e92f5991880bd9d720c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa3c000	0x90000	0x8f400	063610dbb3b33d8d29eb9c4d5b599b1f	False	0.6000559009598604	data	6.678681194083161	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x7e9ae8	0x134	data	English	United States	0.43506493506493504
RT_CURSOR	0x7e9c1c	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x7e9d50	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x7e9e84	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x7e9fb8	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x7ea0ec	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x7ea220	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x7ea354	0x134	data	Russian	Russia	0.38311688311688313
RT_CURSOR	0x7ea488	0x134	data	Russian	Russia	0.3961038961038961
RT_CURSOR	0x7ea5bc	0x134	data	Russian	Russia	0.3181818181818182
RT_CURSOR	0x7ea6f0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_BITMAP	0x7ea824	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x7ea9f4	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x7eabd8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x7eada8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x7eaf78	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x7eb148	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x7eb318	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x7eb4e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x7eb6b8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x7eb888	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x7eba58	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x7ebb18	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x7ebbf8	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x7ebcd8	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.391304347826087
RT_BITMAP	0x7ebd34	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.532608695652174
RT_BITMAP	0x7ebd90	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.4782608695652174
RT_BITMAP	0x7ebdec	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.5543478260869565
RT_BITMAP	0x7ebe48	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.4673913043478261
RT_BITMAP	0x7ebea4	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.328042328042328
RT_BITMAP	0x7ec314	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.3289241622574956
RT_BITMAP	0x7ec784	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.40476190476190477
RT_BITMAP	0x7ecbf4	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.09435626102292768
RT_BITMAP	0x7ed064	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.23721340388007053
RT_BITMAP	0x7ed4d4	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.29188712522045857
RT_BITMAP	0x7ed944	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.1675485008818342
RT_BITMAP	0x7eddb4	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2892416225749559
RT_BITMAP	0x7ee224	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2751322751322751
RT_BITMAP	0x7ee694	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.30776014109347444
RT_BITMAP	0x7eeb04	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2777777777777778
RT_BITMAP	0x7eef74	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.41887125220458554
RT_BITMAP	0x7ef3e4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x7ef4c4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x7ef584	0xc8	Device independent bitmap graphic, 15 x 12 x 4, image size 96			0.48
RT_BITMAP	0x7ef64c	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512	Russian	Russia	0.12012987012987013
RT_BITMAP	0x7ef8b4	0xc8	Device independent bitmap graphic, 15 x 12 x 4, image size 96			0.5
RT_BITMAP	0x7ef97c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x7efa3c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x7efb1c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x7efbdc	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x7efcbc	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x7efda4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x7efe64	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x7eff44	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x7f022c	0x52	data			0.7682926829268293
RT_DIALOG	0x7f0280	0x52	data			0.7560975609756098
RT_STRING	0x7f02d4	0x40c	data			0.38706563706563707
RT_STRING	0x7f06e0	0x43c	data			0.4086715867158672
RT_STRING	0x7f0b1c	0x360	data			0.40625
RT_STRING	0x7f0e7c	0x3bc	data			0.33472803347280333
RT_STRING	0x7f1238	0x284	data			0.4798136645962733
RT_STRING	0x7f14bc	0x434	data			0.39776951672862454
RT_STRING	0x7f18f0	0x3fc	data			0.4068627450980392
RT_STRING	0x7f1cec	0x424	data			0.37169811320754714
RT_STRING	0x7f2110	0x870	data			0.2986111111111111
RT_STRING	0x7f2980	0x430	data			0.37033582089552236
RT_STRING	0x7f2db0	0x43c	data			0.3662361623616236
RT_STRING	0x7f31ec	0x338	data			0.4211165048543689
RT_STRING	0x7f3524	0x4a4	data			0.4132996632996633
RT_STRING	0x7f39c8	0x3f8	data			0.35236220472440943
RT_STRING	0x7f3dc0	0x388	data			0.37831858407079644
RT_STRING	0x7f4148	0x438	data			0.32314814814814813
RT_STRING	0x7f4580	0x4a8	data			0.33053691275167785
RT_STRING	0x7f4a28	0x284	data			0.4782608695652174
RT_STRING	0x7f4cac	0x238	data			0.40669014084507044
RT_STRING	0x7f4ee4	0x48c	data			0.36769759450171824
RT_STRING	0x7f5370	0xb28	data			0.2706582633053221
RT_STRING	0x7f5e98	0x7e4	data			0.2881188118811881
RT_STRING	0x7f667c	0x58c	data			0.4070422535211268
RT_STRING	0x7f6c08	0x41c	data			0.3602661596958175
RT_STRING	0x7f7024	0x530	data			0.2748493975903614
RT_STRING	0x7f7554	0x448	data			0.3302919708029197
RT_STRING	0x7f799c	0x470	data			0.3653169014084507
RT_STRING	0x7f7e0c	0x3e0	data			0.31048387096774194
RT_STRING	0x7f81ec	0x350	data			0.39622641509433965
RT_STRING	0x7f853c	0x380	Targa image data - Color 99 x 107 x 32 +68 +111 "z"			0.43080357142857145
RT_STRING	0x7f88bc	0x34c	data			0.4431279620853081
RT_STRING	0x7f8c08	0xbc	data			0.6170212765957447
RT_STRING	0x7f8cc4	0x16c	data			0.5384615384615384
RT_STRING	0x7f8e30	0x2b8	data			0.4224137931034483
RT_STRING	0x7f90e8	0x308	data			0.42396907216494845
RT_STRING	0x7f93f0	0x438	data			0.36018518518518516
RT_STRING	0x7f9828	0x370	data			0.37727272727272726
RT_STRING	0x7f9b98	0x304	data			0.3393782383419689
RT_STRING	0x7f9e9c	0xe0	data			0.5535714285714286
RT_STRING	0x7f9f7c	0xbc	data			0.526595744680851
RT_STRING	0x7fa038	0x370	data			0.42045454545454547
RT_STRING	0x7fa3a8	0x4c8	data			0.27532679738562094
RT_STRING	0x7fa870	0x330	data			0.4227941176470588
RT_STRING	0x7faba0	0x2e0	data			0.37907608695652173
RT_STRING	0x7fae80	0x4d0	data			0.273538961038961
RT_STRING	0x7fb350	0x328	data			0.375
RT_STRING	0x7fb678	0x410	data			0.3971153846153846
RT_STRING	0x7fba88	0x6f8	data			0.32230941704035876
RT_STRING	0x7fc180	0x478	AmigaOS bitmap font "t", fc_YSize 29184, 21248 elements, 2nd "r", 3rd " "			0.3269230769230769
RT_STRING	0x7fc5f8	0x388	data			0.39601769911504425
RT_STRING	0x7fc980	0x330	data			0.36764705882352944
RT_STRING	0x7fccb0	0x48c	data			0.38917525773195877
RT_RCDATA	0x7fd13c	0x10	data			1.5
RT_RCDATA	0x7fd14c	0x2	data	English	United States	5.0
RT_RCDATA	0x7fd150	0x1601	gzip compressed data, was "1", last modified: Fri May 12 13:25:59 2006, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 19254	Russian	Russia	1.0019527782709037
RT_RCDATA	0x7fe754	0x801	Delphi compiled form 'TADOParamFrm'			0.3411420204978038
RT_RCDATA	0x7fef58	0x219f	Delphi compiled form 'TAUAccessFrm'			0.32276054374346463
RT_RCDATA	0x8010f8	0x295e	Delphi compiled form 'TBOFrm'			0.30056657223796035
RT_RCDATA	0x803a58	0x9aa	Delphi compiled form 'TDMFrm'			0.26475343573160875
RT_RCDATA	0x804404	0x31e6	Delphi compiled form 'TDMMagFrm'			0.23602630342883982
RT_RCDATA	0x8075ec	0x7283	Delphi compiled form 'TDMRozladFrm'			0.21807948149411563
RT_RCDATA	0x80e870	0x3d24	Delphi compiled form 'TDostawaFrm'			0.23223869154101712
RT_RCDATA	0x812594	0x130	Delphi compiled form 'TfrxDialogForm'			0.7730263157894737
RT_RCDATA	0x8126c4	0x46a2	Delphi compiled form 'TfrxInheritErrorForm'			0.14130074106846588
RT_RCDATA	0x816d68	0x1162	Delphi compiled form 'TfrxPageSettingsForm'			0.3195505617977528
RT_RCDATA	0x817ecc	0x1c06	Delphi compiled form 'TfrxPasswordForm'			0.3826317256760524
RT_RCDATA	0x819ad4	0x13cd	Delphi compiled form 'TfrxPDFExportDialog'			0.3355691457881239
RT_RCDATA	0x81aea4	0xe44	Delphi compiled form 'TfrxPreviewForm'			0.37349397590361444
RT_RCDATA	0x81bce8	0x1aca8	Delphi compiled form 'TfrxPrintDialog'			0.025406429977400308
RT_RCDATA	0x836990	0x3c5	Delphi compiled form 'TfrxProgress'			0.49844559585492226
RT_RCDATA	0x836d58	0x8c6	Delphi compiled form 'TfrxRTFExportDialog'			0.4536954585930543
RT_RCDATA	0x837620	0x5fb	Delphi compiled form 'TfrxSearchDialog'			0.44546048334421945
RT_RCDATA	0x837c1c	0x1f1f	Delphi compiled form 'TGazNaglSzFrm'			0.2967239864440818
RT_RCDATA	0x839b3c	0x2945	Delphi compiled form 'TGazSzFrm'			0.29417889256980595
RT_RCDATA	0x83c484	0x4b0	Delphi compiled form 'TGetDTFrm'			0.49
RT_RCDATA	0x83c934	0x2d9d	Delphi compiled form 'TKontrahHDZDstOLstFrm'			0.36267877023208017
RT_RCDATA	0x83f6d4	0x156f0	Delphi compiled form 'TKontrahHDZFrm'			0.18188445416438856
RT_RCDATA	0x854dc4	0x239d	Delphi compiled form 'TKontrahHDZPomLstFrm'			0.41724251398486345
RT_RCDATA	0x857164	0x3fec	Delphi compiled form 'TKontrahHDZPowielFrm'			0.26515521877291615
RT_RCDATA	0x85b150	0x4e4b	Delphi compiled form 'TKontrahHDZSzFrm'			0.22681235344010378
RT_RCDATA	0x85ff9c	0x1a036	Delphi compiled form 'TKontrahKDOFrm'			0.1532238385734397
RT_RCDATA	0x879fd4	0xdd29	Delphi compiled form 'TKontrahMagFrm'			0.18886553508663476
RT_RCDATA	0x887d00	0x8424	Delphi compiled form 'TKontrahOCNFrm'			0.2523944661227386
RT_RCDATA	0x890124	0xd334	Delphi compiled form 'TKontrahPolaFrm'			0.1892061848043205
RT_RCDATA	0x89d458	0x8ab2	Delphi compiled form 'TKontrahRDJFrm'			0.2681518616571847
RT_RCDATA	0x8a5f0c	0xb7e6	Delphi compiled form 'TKontraktacjaFrm'			0.20559497004970476
RT_RCDATA	0x8b16f4	0x494	Delphi compiled form 'TLoginDialog'			0.48976109215017066
RT_RCDATA	0x8b1b88	0x23b75	Delphi compiled form 'TMagFrm'			0.14520175264708496
RT_RCDATA	0x8d5700	0x20ee	Delphi compiled form 'TMainDPSzFrm'			0.2908659549228944
RT_RCDATA	0x8d77f0	0x2c57	Delphi compiled form 'TMainFrm'			0.32164566998502336
RT_RCDATA	0x8da448	0xb18a	Delphi compiled form 'TMainRapFrm'			0.20433443344334434
RT_RCDATA	0x8e55d4	0x5b9d	Delphi compiled form 'TMenuRapFrm'			0.2699015051379354
RT_RCDATA	0x8eb174	0x48f6	Delphi compiled form 'TOProgramieFrm'			0.6100760252703715
RT_RCDATA	0x8efa6c	0x3c4	Delphi compiled form 'TPasswordDialog'			0.4678423236514523
RT_RCDATA	0x8efe30	0x33c68	Delphi compiled form 'TRaportViewFrm'			0.12260458712135501
RT_RCDATA	0x923a98	0x9b3b	Delphi compiled form 'TRDJLabSzFrm'			0.2603991041546088
RT_RCDATA	0x92d5d4	0x514c	Delphi compiled form 'TRealizKontrRapFrm'			0.2769556025369979
RT_RCDATA	0x932720	0x539f	Delphi compiled form 'TRKontrahFrm'			0.2953706731442986
RT_RCDATA	0x937ac0	0x294dc	Delphi compiled form 'TRKontrahRepFrm'			0.10573353824329117
RT_RCDATA	0x960f9c	0x7c60	Delphi compiled form 'TRKontrahSzFrm'			0.23222361809045225
RT_RCDATA	0x968bfc	0x28c1	Delphi compiled form 'TRolDstOdPJSzFrm'			0.25860251126234063
RT_RCDATA	0x96b4c0	0x68dd	Delphi compiled form 'TRolDstOdSzFrm'			0.2692493946731235
RT_RCDATA	0x971da0	0x256d	Delphi compiled form 'TRolKtrDodSzFrm'			0.2807640121072957
RT_RCDATA	0x974310	0x31f7	Delphi compiled form 'TRolKtrPozSzFrm'			0.2521304041904464
RT_RCDATA	0x977508	0x2980	Delphi compiled form 'TRolKtrSzFrm'			0.28557981927710846
RT_RCDATA	0x979e88	0x5f6c	Delphi compiled form 'TRolMagKtrSzFrm'			0.25257900769608643
RT_RCDATA	0x97fdf4	0x3a8e	Delphi compiled form 'TRolMagSzFrm'			0.2541694462975317
RT_RCDATA	0x983884	0x3b03	Delphi compiled form 'TRolOcenaSzFrm'			0.24604487985701992
RT_RCDATA	0x987388	0x630e	Delphi compiled form 'TRolPolaKtrSzFrm'			0.2758103951415727
RT_RCDATA	0x98d698	0x27d5	Delphi compiled form 'TRolPolaSzFrm'			0.28939884279690103
RT_RCDATA	0x98fe70	0xa3c0	Delphi compiled form 'TRozladFrm'			0.18556774809160306
RT_RCDATA	0x99a230	0x2608	Delphi compiled form 'TRozladKatPDSzFrm'			0.3146055875102712
RT_RCDATA	0x99c838	0x2264	Delphi compiled form 'TRozladKLstFrm'			0.43866424352567013
RT_RCDATA	0x99ea9c	0x14291	Delphi compiled form 'TRozladSzFrm'			0.15764680237838624
RT_RCDATA	0x9b2d30	0x7233	Delphi compiled form 'TRParJakNFrm'			0.2590046177526937
RT_RCDATA	0x9b9f64	0x2521	Delphi compiled form 'TRParJakNSzFrm'			0.2905839032088375
RT_RCDATA	0x9bc488	0x1fa3	Delphi compiled form 'TRParJakPCSzFrm'			0.29596246450179037
RT_RCDATA	0x9be42c	0xa6b7	Delphi compiled form 'TRParJakPFrm'			0.16994306333325523
RT_RCDATA	0x9c8ae4	0x2d96	Delphi compiled form 'TRParJakPPSzFrm'			0.2686375321336761
RT_RCDATA	0x9cb87c	0x3525	Delphi compiled form 'TRSrGazFrm'			0.3298787210584344
RT_RCDATA	0x9ceda4	0x1dc2	Delphi compiled form 'TRSrGazSzFrm'			0.30598582305066946
RT_RCDATA	0x9d0b68	0xe4f	Delphi compiled form 'TRUpdateFrm'			0.6464646464646465
RT_RCDATA	0x9d19b8	0x2354	Delphi compiled form 'TSCenPrzechFrm'			0.44803184431667403
RT_RCDATA	0x9d3d0c	0x4736	Delphi compiled form 'TSDodOpFrm'			0.30235874931431705
RT_RCDATA	0x9d8444	0x2680	Delphi compiled form 'TSDodOpSzFrm'			0.27617694805194803
RT_RCDATA	0x9daac4	0x41db	Delphi compiled form 'TSKatWarPFrm'			0.3153805089269826
RT_RCDATA	0x9deca0	0x1da9	Delphi compiled form 'TSKatWarPSzFrm'			0.30212037402871067
RT_RCDATA	0x9e0a4c	0x5f2b	Delphi compiled form 'TSKodyTowFrm'			0.2601485859705291
RT_RCDATA	0x9e6978	0x33c3	Delphi compiled form 'TSKodyTowSzFrm'			0.2495660704852464
RT_RCDATA	0x9e9d3c	0x1b21	Delphi compiled form 'TSLogFrm'			0.36688264938804893
RT_RCDATA	0x9eb860	0x3545	Delphi compiled form 'TSMcaDostFrm'			0.3289579819608418
RT_RCDATA	0x9eeda8	0x1d98	Delphi compiled form 'TSMcaDostSzFrm'			0.30174234424498414
RT_RCDATA	0x9f0b40	0x4e24	Delphi compiled form 'TSNazwPJFrm'			0.29154169166166766
RT_RCDATA	0x9f5964	0x2abe	Delphi compiled form 'TSNazwPJSzFrm'			0.27472125753975507
RT_RCDATA	0x9f8424	0x2bfd	Delphi compiled form 'TSplashFrm'			0.9561317822573484
RT_RCDATA	0x9fb024	0x42d6	Delphi compiled form 'TSPrefCenFrm'			0.3108708357685564
RT_RCDATA	0x9ff2fc	0x1cfb	Delphi compiled form 'TSPrefCenSzFrm'			0.3154063890012131
RT_RCDATA	0xa00ff8	0x41b1	Delphi compiled form 'TSRGlebFrm'			0.3133139085449248
RT_RCDATA	0xa051ac	0x1db9	Delphi compiled form 'TSRGlebSzFrm'			0.30555920620318044
RT_RCDATA	0xa06f68	0x4192	Delphi compiled form 'TSRKlasFrm'			0.3129989276778268
RT_RCDATA	0xa0b0fc	0x1db3	Delphi compiled form 'TSRKlasSzFrm'			0.30606339602788374
RT_RCDATA	0xa0ceb0	0x4206	Delphi compiled form 'TSRolKlasaFrm'			0.31339486451307536
RT_RCDATA	0xa110b8	0x1dcb	Delphi compiled form 'TSRolKlasaSzFrm'			0.3057558673134915
RT_RCDATA	0xa12e84	0x3695	Delphi compiled form 'TSRRyzykFrm'			0.334573820940385
RT_RCDATA	0xa1651c	0x1bba	Delphi compiled form 'TSRRyzykSzFrm'			0.31882220343758805
RT_RCDATA	0xa180d8	0x4422	Delphi compiled form 'TSStDocelFrm'			0.30673087948629746
RT_RCDATA	0xa1c4fc	0x1ffe	Delphi compiled form 'TSStDocelSzFrm'			0.2937728937728938
RT_RCDATA	0xa1e4fc	0x41c1	Delphi compiled form 'TSTypProdFrm'			0.3149171270718232
RT_RCDATA	0xa226c0	0x1bb8	Delphi compiled form 'TSTypProdSzFrm'			0.318489289740699
RT_RCDATA	0xa24278	0x2cc7	Delphi compiled form 'TSZrodelFrm'			0.39038646078687955
RT_RCDATA	0xa26f40	0x1cf7	Delphi compiled form 'TSZrodelSzFrm'			0.3122049898853675
RT_RCDATA	0xa28c38	0x78bb	Delphi compiled form 'TUsersFrm'			0.22234445271297765
RT_RCDATA	0xa304f4	0x2865	Delphi compiled form 'TUsersSzFrm'			0.24968571704864134
RT_RCDATA	0xa32d5c	0x1fe9	Delphi compiled form 'TWprMaseFrm'			0.41963520626759704
RT_RCDATA	0xa34d48	0xebc	Delphi compiled form 'TWprNrDokFrm'			0.4217921527041357
RT_RCDATA	0xa35c04	0x1a70	Delphi compiled form 'TWprNumKDOFrm'			0.2575354609929078
RT_RCDATA	0xa37674	0x385d	Delphi compiled form 'TWprUbytkiFrm'			0.3417423244854113
RT_GROUP_CURSOR	0xa3aed4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xa3aee8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Russian	Russia	1.3
RT_GROUP_CURSOR	0xa3aefc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Russian	Russia	1.3
RT_GROUP_CURSOR	0xa3af10	0x14	Lotus unknown worksheet or configuration, revision 0x1	Russian	Russia	1.3
RT_GROUP_CURSOR	0xa3af24	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xa3af38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xa3af4c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xa3af60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xa3af74	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xa3af88	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xa3af9c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0xa3afb0	0x14	data	English	United States	1.2
RT_VERSION	0xa3afc4	0x59c	data	English	United States	0.4192200557103064
RT_MANIFEST	0xa3b560	0x2ca	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5028011204481793

Imports

DLL	Import
ADVAPI32.DLL	InitializeSecurityDescriptor, RegCloseKey, RegConnectRegistryW, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegLoadKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegReplaceKeyW, RegRestoreKeyW, RegSaveKeyW, RegSetValueExW, RegUnLoadKeyW, SetSecurityDescriptorDacl
KERNEL32.DLL	CloseHandle, CompareStringA, CompareStringW, CopyFileW, CreateEventW, CreateFileA, CreateFileMappingW, CreateFileW, CreateMutexW, CreateThread, DeleteCriticalSection, DeleteFileA, DeleteFileW, EnterCriticalSection, EnumCalendarInfoW, EnumResourceNamesW, EnumSystemLocalesW, ExitProcess, ExitThread, FileTimeToDosDateTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileW, FindNextFileW, FindResourceW, FormatMessageW, FreeLibrary, FreeResource, GetACP, GetCPInfo, GetCPInfoExW, GetCommandLineW, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetDiskFreeSpaceW, GetDriveTypeW, GetEnvironmentStrings, GetEnvironmentStringsW, GetExitCodeThread, GetFileAttributesA, GetFileAttributesW, GetFileSize, GetFileType, GetFullPathNameW, GetLastError, GetLocalTime, GetLocaleInfoA, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetOEMCP, GetPrivateProfileStringW, GetProcAddress, GetProcessHeap, GetProfileStringW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemDefaultLangID, GetSystemDefaultUILanguage, GetSystemInfo, GetSystemTimes, GetTempFileNameW, GetTempPathW, GetThreadLocale, GetThreadPriority, GetTickCount, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultUILanguage, GetVersion, GetVersionExA, GetVersionExW, GetVolumeInformationW, GlobalAddAtomW, GlobalAlloc, GlobalDeleteAtom, GlobalFindAtomW, GlobalFree, GlobalHandle, GlobalLock, GlobalSize, GlobalUnlock, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapSize, InitializeCriticalSection, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, IsDBCSLeadByte, IsDBCSLeadByteEx, IsDebuggerPresent, IsValidLocale, LCMapStringA, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LoadResource, LocalAlloc, LocalFree, LockResource, MapViewOfFile, MoveFileW, MulDiv, MultiByteToWideChar, OpenEventW, OpenFileMappingW, OpenMutexW, QueryPerformanceCounter, RaiseException, ReadFile, ReleaseMutex, RemoveDirectoryW, ResetEvent, ResumeThread, RtlUnwind, SetConsoleCtrlHandler, SetCurrentDirectoryW, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetHandleCount, SetLastError, SetThreadLocale, SetThreadPriority, SizeofResource, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, VirtualQueryEx, WaitForMultipleObjectsEx, WaitForSingleObject, WideCharToMultiByte, WriteFile, WritePrivateProfileStringW, lstrcmpW, lstrlenW
VERSION.DLL	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
WSOCK32.DLL	WSACleanup, WSAStartup, gethostbyname, gethostname, inet_addr
WINSPOOL.DRV	ClosePrinter, DeviceCapabilitiesW, DocumentPropertiesW, EndDocPrinter, EndPagePrinter, EnumPrintersW, OpenPrinterW, StartDocPrinterW, StartPagePrinter, WritePrinter
COMCTL32.DLL	FlatSB_GetScrollInfo, FlatSB_GetScrollPos, FlatSB_SetScrollInfo, FlatSB_SetScrollPos, FlatSB_SetScrollProp, ImageList_Add, ImageList_BeginDrag, ImageList_Copy, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_Draw, ImageList_DrawEx, ImageList_EndDrag, ImageList_GetBkColor, ImageList_GetDragImage, ImageList_GetIcon, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_GetImageInfo, ImageList_LoadImageW, ImageList_Read, ImageList_Remove, ImageList_Replace, ImageList_ReplaceIcon, ImageList_SetBkColor, ImageList_SetIconSize, ImageList_SetImageCount, ImageList_SetOverlayImage, ImageList_Write, InitializeFlatSB, _TrackMouseEvent
COMDLG32.DLL	ChooseColorW, ChooseFontW, GetSaveFileNameW, PrintDlgW, GetOpenFileNameW
GDI32.DLL	AbortDoc, AngleArc, Arc, ArcTo, BitBlt, Chord, CloseEnhMetaFile, CombineRgn, CopyEnhMetaFileW, CreateBitmap, CreateBrushIndirect, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCW, CreateDIBSection, CreateDIBitmap, CreateEnhMetaFileW, CreateFontIndirectW, CreateHalftonePalette, CreateHatchBrush, CreateICW, CreatePalette, CreatePen, CreatePenIndirect, CreateRectRgn, CreateRoundRectRgn, CreateSolidBrush, DeleteDC, DeleteEnhMetaFile, DeleteObject, Ellipse, EndDoc, EndPage, EnumEnhMetaFile, EnumFontFamiliesExW, EnumFontsW, ExcludeClipRect, ExtCreatePen, ExtCreateRegion, ExtFloodFill, ExtTextOutA, ExtTextOutW, FrameRgn, GdiFlush, GetBitmapBits, GetBrushOrgEx, GetClipBox, GetClipRgn, GetCurrentObject, GetCurrentPositionEx, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetEnhMetaFileBits, GetEnhMetaFileDescriptionW, GetEnhMetaFileHeader, GetEnhMetaFilePaletteEntries, GetFontData, GetNearestColor, GetNearestPaletteIndex, GetObjectW, GetOutlineTextMetricsA, GetOutlineTextMetricsW, GetPaletteEntries, GetPixel, GetRgnBox, GetStockObject, GetSystemPaletteEntries, GetTextColor, GetTextExtentExPointA, GetTextExtentExPointW, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextExtentPointW, GetTextMetricsW, GetViewportOrgEx, GetWinMetaFileBits, GetWindowOrgEx, IntersectClipRect, LineTo, MaskBlt, MoveToEx, PatBlt, Pie, PlayEnhMetaFile, PolyBezier, PolyBezierTo, PolyPolyline, Polygon, Polyline, RealizePalette, RectVisible, Rectangle, ResetDCW, ResizePalette, RestoreDC, RoundRect, SaveDC, SelectClipRgn, SelectObject, SelectPalette, SetAbortProc, SetBkColor, SetBkMode, SetBrushOrgEx, SetDIBColorTable, SetDIBits, SetEnhMetaFileBits, SetMapMode, SetMetaRgn, SetPixel, SetROP2, SetStretchBltMode, SetTextColor, SetViewportExtEx, SetViewportOrgEx, SetWinMetaFileBits, SetWindowExtEx, SetWindowOrgEx, StartDocW, StartPage, StretchBlt, StretchDIBits, TranslateCharsetInfo, UnrealizeObject
SHELL32.DLL	ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW
USER32.DLL	ActivateKeyboardLayout, AdjustWindowRectEx, BeginPaint, CallNextHookEx, CallWindowProcW, CharLowerBuffW, CharLowerW, CharNextW, CharUpperBuffA, CharUpperBuffW, CharUpperW, CheckMenuItem, ChildWindowFromPoint, ClientToScreen, CloseClipboard, CopyIcon, CopyImage, CountClipboardFormats, CreateAcceleratorTableW, CreateCaret, CreateIcon, CreateMenu, CreatePopupMenu, CreateWindowExW, DefFrameProcW, DefMDIChildProcW, DefWindowProcW, DeleteMenu, DestroyCaret, DestroyCursor, DestroyIcon, DestroyMenu, DestroyWindow, DispatchMessageA, DispatchMessageW, DrawEdge, DrawFocusRect, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawTextExW, DrawTextW, EmptyClipboard, EnableMenuItem, EnableScrollBar, EnableWindow, EndMenu, EndPaint, EnumChildWindows, EnumClipboardFormats, EnumDisplayMonitors, EnumThreadWindows, EnumWindows, FillRect, FindWindowExW, FindWindowW, FrameRect, GetActiveWindow, GetCapture, GetCaretPos, GetClassInfoExW, GetClassInfoW, GetClassLongW, GetClassNameW, GetClientRect, GetClipboardData, GetCursor, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetDlgCtrlID, GetDlgItem, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyNameTextW, GetKeyState, GetKeyboardLayout, GetKeyboardLayoutList, GetKeyboardLayoutNameW, GetKeyboardState, GetLastActivePopup, GetMenu, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoW, GetMenuState, GetMenuStringW, GetMessageExtraInfo, GetMessagePos, GetMessageTime, GetMonitorInfoW, GetParent, GetPropW, GetScrollBarInfo, GetScrollInfo, GetScrollPos, GetScrollRange, GetSubMenu, GetSysColor, GetSysColorBrush, GetSystemMenu, GetSystemMetrics, GetTopWindow, GetUpdateRect, GetWindow, GetWindowDC, GetWindowLongW, GetWindowPlacement, GetWindowRect, GetWindowTextW, GetWindowThreadProcessId, HideCaret, InflateRect, InsertMenuItemW, InsertMenuW, InvalidateRect, IsCharAlphaNumericW, IsCharAlphaW, IsChild, IsClipboardFormatAvailable, IsDialogMessageA, IsDialogMessageW, IsIconic, IsWindow, IsWindowEnabled, IsWindowUnicode, IsWindowVisible, IsZoomed, KillTimer, LoadBitmapW, LoadCursorW, LoadIconW, LoadKeyboardLayoutW, LoadStringW, LockWindowUpdate, MapVirtualKeyW, MapWindowPoints, MessageBeep, MessageBoxA, MessageBoxW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow, MoveWindow, MsgWaitForMultipleObjects, MsgWaitForMultipleObjectsEx, OemToCharBuffA, OffsetRect, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageW, PostQuitMessage, PtInRect, RedrawWindow, RegisterClassW, RegisterClipboardFormatW, RegisterWindowMessageW, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropW, ScreenToClient, ScrollWindow, ScrollWindowEx, SendDlgItemMessageW, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetCaretPos, SetClassLongW, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetKeyboardState, SetMenu, SetMenuItemInfoW, SetParent, SetPropW, SetRect, SetScrollInfo, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowRgn, SetWindowTextW, SetWindowsHookExW, ShowCaret, ShowOwnedPopups, ShowScrollBar, ShowWindow, SystemParametersInfoW, TrackMouseEvent, TrackPopupMenu, TranslateMDISysAccel, TranslateMessage, UnhookWindowsHookEx, UnregisterClassW, UpdateWindow, ValidateRect, WaitMessage, WindowFromPoint, wsprintfA
OLE32.DLL	CLSIDFromProgID, CoCreateGuid, CoCreateInstance, CoGetMalloc, CoInitialize, CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, IsEqualGUID, OleInitialize, OleUninitialize, StringFromCLSID, StringFromGUID2
OLEAUT32.DLL	CreateErrorInfo, GetErrorInfo, SafeArrayAccessData, SafeArrayCreate, SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayRedim, SafeArrayUnaccessData, SetErrorInfo, SysAllocStringLen, SysFreeString, SysReAllocStringLen, SysStringLen, VariantChangeType, VariantClear, VariantCopy, VariantCopyInd, VariantInit

Exports

Name	Ordinal	Address
@@Adoparam@Finalize	3	0x4089bc
@@Adoparam@Initialize	2	0x4089ac
@@Auaccess@Finalize	5	0x40a1a4
@@Auaccess@Initialize	4	0x40a194
@@Bo@Finalize	7	0x40b0f0
@@Bo@Initialize	6	0x40b0e0
@@Dm@Finalize	9	0x40b2a4
@@Dm@Initialize	8	0x40b294
@@Dmmag@Finalize	11	0x40b3fc
@@Dmmag@Initialize	10	0x40b3ec
@@Dmrozlad@Finalize	13	0x40b560
@@Dmrozlad@Initialize	12	0x40b550
@@Dostawa@Finalize	15	0x40f7cc
@@Dostawa@Initialize	14	0x40f7bc
@@Gaznaglsz@Finalize	17	0x41003c
@@Gaznaglsz@Initialize	16	0x41002c
@@Gazsz@Finalize	19	0x411164
@@Gazsz@Initialize	18	0x411154
@@Getdt@Finalize	21	0x411a28
@@Getdt@Initialize	20	0x411a18
@@Kontrahhdz@Finalize	23	0x4168e4
@@Kontrahhdz@Initialize	22	0x4168d4
@@Kontrahhdzdstolst@Finalize	25	0x416ecc
@@Kontrahhdzdstolst@Initialize	24	0x416ebc
@@Kontrahhdzpomlst@Finalize	27	0x4178c4
@@Kontrahhdzpomlst@Initialize	26	0x4178b4
@@Kontrahhdzpowiel@Finalize	29	0x4183cc
@@Kontrahhdzpowiel@Initialize	28	0x4183bc
@@Kontrahhdzsz@Finalize	31	0x41b18c
@@Kontrahhdzsz@Initialize	30	0x41b17c
@@Kontrahkdo@Finalize	33	0x4207ec
@@Kontrahkdo@Initialize	32	0x4207dc
@@Kontrahmag@Finalize	35	0x424f60
@@Kontrahmag@Initialize	34	0x424f50
@@Kontrahocn@Finalize	37	0x42715c
@@Kontrahocn@Initialize	36	0x42714c
@@Kontrahpola@Finalize	39	0x42b618
@@Kontrahpola@Initialize	38	0x42b608
@@Kontrahrdj@Finalize	41	0x42d728
@@Kontrahrdj@Initialize	40	0x42d718
@@Kontraktacja@Finalize	43	0x4303d4
@@Kontraktacja@Initialize	42	0x4303c4
@@Magazyny@Finalize	45	0x445b0c
@@Magazyny@Initialize	44	0x445afc
@@Main@Finalize	47	0x44a638
@@Main@Initialize	46	0x44a628
@@Maindpsz@Finalize	49	0x44ac14
@@Maindpsz@Initialize	48	0x44ac04
@@Mainrap@Finalize	51	0x4566c0
@@Mainrap@Initialize	50	0x4566b0
@@Menurap@Finalize	53	0x47b328
@@Menurap@Initialize	52	0x47b318
@@Oprogramiew@Finalize	55	0x47b500
@@Oprogramiew@Initialize	54	0x47b4f0
@@Raportview@Finalize	57	0x48895c
@@Raportview@Initialize	56	0x48894c
@@Rdjlabsz@Finalize	59	0x48e188
@@Rdjlabsz@Initialize	58	0x48e178
@@Realizkontrrap@Finalize	61	0x49209c
@@Realizkontrrap@Initialize	60	0x49208c
@@Rkontrah@Finalize	63	0x493fd8
@@Rkontrah@Initialize	62	0x493fc8
@@Rkontrahrep@Finalize	65	0x497664
@@Rkontrahrep@Initialize	64	0x497654
@@Rkontrahsz@Finalize	67	0x498ad4
@@Rkontrahsz@Initialize	66	0x498ac4
@@Roldstodpjsz@Finalize	69	0x498f48
@@Roldstodpjsz@Initialize	68	0x498f38
@@Roldstodsz@Finalize	71	0x49a8f8
@@Roldstodsz@Initialize	70	0x49a8e8
@@Rolktrdodsz@Finalize	73	0x49b420
@@Rolktrdodsz@Initialize	72	0x49b410
@@Rolktrpozsz@Finalize	75	0x49c088
@@Rolktrpozsz@Initialize	74	0x49c078
@@Rolktrsz@Finalize	77	0x49de50
@@Rolktrsz@Initialize	76	0x49de40
@@Rolmagktrsz@Finalize	79	0x4a11b4
@@Rolmagktrsz@Initialize	78	0x4a11a4
@@Rolmagsz@Finalize	81	0x4a2a84
@@Rolmagsz@Initialize	80	0x4a2a74
@@Rolocenasz@Finalize	83	0x4a45b0
@@Rolocenasz@Initialize	82	0x4a45a0
@@Rolpolaktrsz@Finalize	85	0x4a715c
@@Rolpolaktrsz@Initialize	84	0x4a714c
@@Rolpolasz@Finalize	87	0x4a7bf4
@@Rolpolasz@Initialize	86	0x4a7be4
@@Rozlad@Finalize	89	0x4b5a3c
@@Rozlad@Initialize	88	0x4b5a2c
@@Rozladkatpdsz@Finalize	91	0x4b5f14
@@Rozladkatpdsz@Initialize	90	0x4b5f04
@@Rozladklst@Finalize	93	0x4b6d24
@@Rozladklst@Initialize	92	0x4b6d14
@@Rozladsz@Finalize	95	0x4c8f04
@@Rozladsz@Initialize	94	0x4c8ef4
@@Rparjakn@Finalize	97	0x4cb800
@@Rparjakn@Initialize	96	0x4cb7f0
@@Rparjaknsz@Finalize	99	0x4cc06c
@@Rparjaknsz@Initialize	98	0x4cc05c
@@Rparjakp@Finalize	101	0x4cea9c
@@Rparjakp@Initialize	100	0x4cea8c
@@Rparjakpcsz@Finalize	103	0x4cef10
@@Rparjakpcsz@Initialize	102	0x4cef00
@@Rparjakppsz@Finalize	105	0x4cf4c0
@@Rparjakppsz@Initialize	104	0x4cf4b0
@@Rsrgaz@Finalize	107	0x4cfb30
@@Rsrgaz@Initialize	106	0x4cfb20
@@Rsrgazsz@Finalize	109	0x4cff98
@@Rsrgazsz@Initialize	108	0x4cff88
@@Rupdate@Finalize	111	0x4d0168
@@Rupdate@Initialize	110	0x4d0158
@@Scenprzech@Finalize	113	0x4d192c
@@Scenprzech@Initialize	112	0x4d191c
@@Sdodop@Finalize	115	0x4d2c78
@@Sdodop@Initialize	114	0x4d2c68
@@Sdodopsz@Finalize	117	0x4d37bc
@@Sdodopsz@Initialize	116	0x4d37ac
@@Skatwarp@Finalize	119	0x4d46ac
@@Skatwarp@Initialize	118	0x4d469c
@@Skatwarpsz@Finalize	121	0x4d4b1c
@@Skatwarpsz@Initialize	120	0x4d4b0c
@@Skodytow@Finalize	123	0x4d58f8
@@Skodytow@Initialize	122	0x4d58e8
@@Skodytowsz@Finalize	125	0x4d624c
@@Skodytowsz@Initialize	124	0x4d623c
@@Slog@Finalize	127	0x4d65b8
@@Slog@Initialize	126	0x4d65a8
@@Smcadost@Finalize	129	0x4d6c30
@@Smcadost@Initialize	128	0x4d6c20
@@Smcadostsz@Finalize	131	0x4d70a0
@@Smcadostsz@Initialize	130	0x4d7090
@@Snazwpj@Finalize	133	0x4d8148
@@Snazwpj@Initialize	132	0x4d8138
@@Snazwpjsz@Finalize	135	0x4d8640
@@Snazwpjsz@Initialize	134	0x4d8630
@@Splash@Finalize	137	0x4d86f8
@@Splash@Initialize	136	0x4d86e8
@@Sprefcen@Finalize	139	0x4d96c4
@@Sprefcen@Initialize	138	0x4d96b4
@@Sprefcensz@Finalize	141	0x4d9c34
@@Sprefcensz@Initialize	140	0x4d9c24
@@Srgleb@Finalize	143	0x4daa50
@@Srgleb@Initialize	142	0x4daa40
@@Srglebsz@Finalize	145	0x4daeb8
@@Srglebsz@Initialize	144	0x4daea8
@@Srklas@Finalize	147	0x4dbeb4
@@Srklas@Initialize	146	0x4dbea4
@@Srklassz@Finalize	149	0x4dc31c
@@Srklassz@Initialize	148	0x4dc30c
@@Srolklasa@Finalize	151	0x4dd34c
@@Srolklasa@Initialize	150	0x4dd33c
@@Srolklasasz@Finalize	153	0x4dd7c0
@@Srolklasasz@Initialize	152	0x4dd7b0
@@Srryzyk@Finalize	155	0x4de4c0
@@Srryzyk@Initialize	154	0x4de4b0
@@Srryzyksz@Finalize	157	0x4de92c
@@Srryzyksz@Initialize	156	0x4de91c
@@Sstdocel@Finalize	159	0x4df814
@@Sstdocel@Initialize	158	0x4df804
@@Sstdocelsz@Finalize	161	0x4dfc84
@@Sstdocelsz@Initialize	160	0x4dfc74
@@Stypprod@Finalize	163	0x4e08bc
@@Stypprod@Initialize	162	0x4e08ac
@@Stypprodsz@Finalize	165	0x4e0d2c
@@Stypprodsz@Initialize	164	0x4e0d1c
@@Szrodel@Finalize	167	0x4e1338
@@Szrodel@Initialize	166	0x4e1328
@@Szrodelsz@Finalize	169	0x4e17a4
@@Szrodelsz@Initialize	168	0x4e1794
@@Upddb@Finalize	171	0x52bfd4
@@Upddb@Initialize	170	0x52bfc4
@@Users@Finalize	173	0x52ea94
@@Users@Initialize	172	0x52ea84
@@Userssz@Finalize	175	0x52f9d8
@@Userssz@Initialize	174	0x52f9c8
@@Wprmase@Finalize	177	0x52ff90
@@Wprmase@Initialize	176	0x52ff80
@@Wprnrdok@Finalize	179	0x530434
@@Wprnrdok@Initialize	178	0x530424
@@Wprnumkdo@Finalize	181	0x530628
@@Wprnumkdo@Initialize	180	0x530618
@@Wprubytki@Finalize	183	0x532e40
@@Wprubytki@Initialize	182	0x532e30
@@Wspolne@Finalize	185	0x54b16c
@@Wspolne@Initialize	184	0x54b154
_ADOParamFrm	187	0xbba594
_AUAccessFrm	188	0xbba59c
_BOFrm	189	0xbba5a4
_DMFrm	190	0xbba5ac
_DMMagFrm	191	0xbba5b4
_DMRozladFrm	192	0xbba5bc
_DostawaFrm	193	0xbba5c4
_GazNaglSzFrm	194	0xbba5cc
_GazSzFrm	195	0xbba5d4
_GetDTFrm	196	0xbba5dc
_KontrahHDZDstOLstFrm	198	0xbba5ec
_KontrahHDZFrm	197	0xbba5e4
_KontrahHDZPomLstFrm	199	0xbba5f4
_KontrahHDZPowielFrm	200	0xbba5fc
_KontrahHDZSzFrm	201	0xbba604
_KontrahKDOFrm	202	0xbba60c
_KontrahMagFrm	203	0xbba614
_KontrahOCNFrm	204	0xbba61c
_KontrahPolaFrm	205	0xbba624
_KontrahRDJFrm	206	0xbba62c
_KontraktacjaFrm	207	0xbba634
_MagFrm	208	0xbba63c
_MainDPSzFrm	210	0xbba64c
_MainFrm	209	0xbba644
_MainRapFrm	211	0xbba654
_MenuRapFrm	212	0xbba65c
_OProgramieFrm	213	0xbba664
_RDJLabSzFrm	215	0xbba674
_RKontrahFrm	217	0xbba684
_RKontrahRepFrm	218	0xbba68c
_RKontrahSzFrm	219	0xbba694
_RParJakNFrm	234	0xbba70c
_RParJakNSzFrm	235	0xbba714
_RParJakPCSzFrm	237	0xbba724
_RParJakPFrm	236	0xbba71c
_RParJakPPSzFrm	238	0xbba72c
_RSrGazFrm	239	0xbba734
_RSrGazSzFrm	240	0xbba73c
_RUpdateFrm	241	0xbba744
_RaportViewFrm	214	0xbba66c
_RealizKontrRapFrm	216	0xbba67c
_RolDstOdPJSzFrm	220	0xbba69c
_RolDstOdSzFrm	221	0xbba6a4
_RolKtrDodSzFrm	222	0xbba6ac
_RolKtrPozSzFrm	223	0xbba6b4
_RolKtrSzFrm	224	0xbba6bc
_RolMagKtrSzFrm	225	0xbba6c4
_RolMagSzFrm	226	0xbba6cc
_RolOcenaSzFrm	227	0xbba6d4
_RolPolaKtrSzFrm	228	0xbba6dc
_RolPolaSzFrm	229	0xbba6e4
_RozladFrm	230	0xbba6ec
_RozladKLstFrm	232	0xbba6fc
_RozladKatPDSzFrm	231	0xbba6f4
_RozladSzFrm	233	0xbba704
_SCenPrzechFrm	242	0xbba74c
_SDodOpFrm	243	0xbba754
_SDodOpSzFrm	244	0xbba75c
_SKatWarPFrm	245	0xbba764
_SKatWarPSzFrm	246	0xbba76c
_SKodyTowFrm	247	0xbba774
_SKodyTowSzFrm	248	0xbba77c
_SLogFrm	249	0xbba784
_SMcaDostFrm	250	0xbba78c
_SMcaDostSzFrm	251	0xbba794
_SNazwPJFrm	252	0xbba79c
_SNazwPJSzFrm	253	0xbba7a4
_SPrefCenFrm	255	0xbba7b4
_SPrefCenSzFrm	256	0xbba7bc
_SRGlebFrm	257	0xbba7c4
_SRGlebSzFrm	258	0xbba7cc
_SRKlasFrm	259	0xbba7d4
_SRKlasSzFrm	260	0xbba7dc
_SRRyzykFrm	263	0xbba7f4
_SRRyzykSzFrm	264	0xbba7fc
_SRolKlasaFrm	261	0xbba7e4
_SRolKlasaSzFrm	262	0xbba7ec
_SStDocelFrm	265	0xbba804
_SStDocelSzFrm	266	0xbba80c
_STypProdFrm	267	0xbba814
_STypProdSzFrm	268	0xbba81c
_SZrodelFrm	269	0xbba824
_SZrodelSzFrm	270	0xbba82c
_SplashFrm	254	0xbba7ac
_UsersFrm	271	0xbba838
_UsersSzFrm	272	0xbba840
_WprMaseFrm	273	0xbba848
_WprNrDokFrm	274	0xbba850
_WprNumKDOFrm	275	0xbba858
_WprUbytkiFrm	276	0xbba860
__GetExceptDLLinfo	1	0x402f85
___CPPdebugHook	186	0xa9f0ac

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: KRoMX2011.exePID: 6984, Parent PID: 4380

General

Target ID:	0
Start time:	06:53:20
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\KRoMX2011.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KRoMX2011.exe"
Imagebase:	0x400000
File size:	11'163'648 bytes
MD5 hash:	AB4715B9FECFB81DF1F1EABFB6FCC2AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KRoMX2011.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: KRoMX2011.exePID: 6984, Parent PID: 4380

General

Chronological Activities

Disassembly

Windows Analysis Report
KRoMX2011.exe