Windows Analysis Report
SetupPSRCloud_5.0.2.exe

Overview

General Information

Sample name:SetupPSRCloud_5.0.2.exe
Analysis ID:1427669
MD5:3f0aa516242d152f76d1151b6524c9c6
SHA1:e7974e9135d24357764c6f578a726e0ae145f3c2
SHA256:a0fa184a9104b4488e40de447615e464ebbf79bd8b6fd916c34a610eb0c8bfdb
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Drops PE files
PE file contains sections with non-standard names
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • SetupPSRCloud_5.0.2.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe" MD5: 3F0AA516242D152F76D1151B6524C9C6)
    • SetupPSRCloud_5.0.2.tmp (PID: 4248 cmdline: "C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp" /SL5="$603B2,23154778,874496,C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe" MD5: 5D664AEC526669352BA36F80A5C8843B)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: SetupPSRCloud_5.0.2.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SetupPSRCloud_5.0.2.exe, Static PE information: certificate valid
Source: SetupPSRCloud_5.0.2.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: classification engine, Classification label: clean1.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, File created: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, File read: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe
Source: unknown, Process created: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe "C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe"
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, Process created: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp" /SL5="$603B2,23154778,874496,C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe"
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, Section loaded: version.dll
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Window found: window name: TSelectLanguageForm
Source: SetupPSRCloud_5.0.2.exe, Static file information: File size 24045024 > 1048576
Source: SetupPSRCloud_5.0.2.exe, Static PE information: section name: .didata
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, File created: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp
Source: C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service

Source | Detection | Scanner | Label | Link
SetupPSRCloud_5.0.2.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-SE40O.tmp\SetupPSRCloud_5.0.2.tmp | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1427669
Start date and time:2024-04-17 23:12:27 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:SetupPSRCloud_5.0.2.exe
Detection:CLEAN
Classification:clean1.winEXE@3/1@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: SetupPSRCloud_5.0.2.exe
Process:C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3230272
Entropy (8bit):6.395805168562771
Encrypted:false
SSDEEP:
MD5:5D664AEC526669352BA36F80A5C8843B
SHA1:E5A1857D2949EE6FC6690F57E63E710B6AF5215C
SHA-256:13743F9FBBD84C21D186059949FDF3FD6A7BA57908A888BABAE4101A891594D7
SHA-512:3BE1124FF9BAF5218B6153A84C494D7FAD66F19147F0469E341A731106E2539BC7E80817353B2341A67A3A3DAD7E5E501BA106B5B396A7DC82DD10FD4E2D51D2
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.992226810369233
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.04%
  • Inno Setup installer (109748/4) 1.08%
  • InstallShield setup (43055/19) 0.42%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:SetupPSRCloud_5.0.2.exe
File size:24'045'024 bytes
MD5:3f0aa516242d152f76d1151b6524c9c6
SHA1:e7974e9135d24357764c6f578a726e0ae145f3c2
SHA256:a0fa184a9104b4488e40de447615e464ebbf79bd8b6fd916c34a610eb0c8bfdb
SHA512:1ebc736ddc094d4f453b42cb6f21ad84876764e09849d4d399f792a7d4e56328718c61efbc988b2e4a9e86776b86bfc8566847795f02f0080a621dce6edffe5c
SSDEEP:393216:T/DoJAghMA29qscUkpFzqFVxHbRUadxPxV8CMKNt/+pAHExcI4hsMiHn17zq6K2l:oJAlA29qZT+dbRUpZKNc9tzqy
TLSH:FC37332FB2A8A53EC55E0B31987382509973BE61F41A8C4F13F4B90DEFB74601E7A615
Icon Hash:159111c1e5dc521f
Entrypoint:0x4b5eec
Entrypoint Section:.itext
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:e569e6f445d32ba23766ad67d1e3787f
Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 19/06/2023 02:00:00 22/06/2024 01:59:59
Subject Chain
  • CN=PSR SOLUCOES E CONSULTORIA EM ENERGIA LTDA., O=PSR SOLUCOES E CONSULTORIA EM ENERGIA LTDA., L=RIO DE JANEIRO, S=Rio de Janeiro, C=BR, SERIALNUMBER=09.305.983/0001-49, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=BR
Version:3
Thumbprint MD5:B014B8F3BC6C9B9DD7335E70ED39364D
Thumbprint SHA-1:FB42F027D18652D93D49983DC5A9D1C4C35DC487
Thumbprint SHA-256:5109F8DD3AC39B5950F0640606BFAC7895E4A23EB097A4A119DD35DD28F78542
Serial:043069749EF322A9B2EB3F53A625F92C
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x1b310 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16e99a0 | 0x4c40 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x1b310 | 0x1b400 | 98e1ed6bccc084d61f65f9f20b683e90 | False | 0.3785210005733945 | data | 5.609956067310018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7678 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.26951219512195124
RT_ICON | 0xc7ce0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.37768817204301075
RT_ICON | 0xc7fc8 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.44672131147540983
RT_ICON | 0xc81b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.5067567567567568
RT_ICON | 0xc82d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5900852878464818
RT_ICON | 0xc9180 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.7608303249097473
RT_ICON | 0xc9a28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.7914746543778802
RT_ICON | 0xca0f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.6726878612716763
RT_ICON | 0xca658 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.3201673961907015
RT_ICON | 0xdae80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.4534232365145228
RT_ICON | 0xdd428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.525328330206379
RT_ICON | 0xde4d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.5885245901639344
RT_ICON | 0xdee58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7136524822695035
RT_STRING | 0xdf2c0 | 0x360 | data | | | 0.34375
RT_STRING | 0xdf620 | 0x260 | data | | | 0.3256578947368421
RT_STRING | 0xdf880 | 0x45c | data | | | 0.4068100358422939
RT_STRING | 0xdfcdc | 0x40c | data | | | 0.3754826254826255
RT_STRING | 0xe00e8 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xe03bc | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xe0474 | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xe0510 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xe0884 | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xe0c1c | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xe0f84 | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xe1228 | 0x10 | data | | | 1.5
RT_RCDATA | 0xe1238 | 0x2c4 | data | | | 0.6384180790960452
RT_RCDATA | 0xe14fc | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0xe1528 | 0xbc | data | English | United States | 0.6276595744680851
RT_VERSION | 0xe15e4 | 0x584 | data | English | United States | 0.2556657223796034
RT_MANIFEST | 0xe1b68 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4541a8
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c
Language of compilation system | Country where language is spoken | Map
English | United States |