Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
Analysis ID:	1428706
MD5:	af1e56057951887a763d4e97670a1036
SHA1:	bc0b8c98c0fdbb805b8e8415a860be0966de30be
SHA256:	5eb65feae4e36b791ced20aa9fb912311ab3f920613857819a51df2ccba9a485
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe (PID: 3044 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe" MD5: AF1E56057951887A763D4E97670A1036)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1201641660.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000003.1233899209.000000007FD40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1233899209.000000007FD40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe PID: 3044	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0.SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

ReversingLabs: Detection: 71%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Jump to behavior

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Static PE information: certificate valid

Source: unknown	DNS traffic detected: query: hotnews.dftoutiao.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: report.thorzip.muxin.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: files.news.baidu.com replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: files.news.baidu.com

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://api.map.baidu.com/telematics/v3/weather?location=%s&output=json&ak=spmMww7Eoqcmf3FXbnLyDUwL
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://api.map.baidu.com/telematics/v3/weather?location=%s&output=json&ak=spmMww7Eoqcmf3FXbnLyDUwLU
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://bsalsa.com/
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.news.baidu.com/mini_new3/jjj/MiniLogo.PNG
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hotnews.dftoutiao.com/
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=%s&platform=pc&newstype=%s
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.0000000002389000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=kuaiyatitle&platform=pc&newstype=now
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://iplocation.7654.com/v1
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://news.7654.com/mini_new3/jsb/
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://news.baidu.com/mini_new3/jjj/
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://pv.sohu.com/cityjson?ie=utf-8
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://report.thorzip.muxin.fun/
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://report.thorzip.muxin.fun/crosoft
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://report.thorzip.muxin.fun/eH
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000686000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://report.thorzip.muxin.fun/lszip/bubble_info?code=jWLGHnD6CYifDIjqc6sGs/Bbp6bCfV8bglNO
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.0000000002398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://report.thorzip.muxin.fun/lszip/bubble_info?code=jwlghnd6cyifdijqc6sgs/bbp6bcfv8bglno
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://report.thorzip.muxin.fun/tart
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://ssp.7654.com/ct/m?mixData=
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://ssp.7654.com/ct?mixData=
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.00000000023D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ssp.7654.com/ct?mixData=les
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://weather.shzhanmeng.com/api/weather/%s
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://weather.shzhanmeng.com/api/weather/%sU
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: Yara match	File source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1233899209.000000007FD40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe PID: 3044, type: MEMORYSTR

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Binary string: \device\
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Binary string: \device\x

Source: classification engine

Classification label: mal52.winEXE@1/1@7/0

Source: Yara match	File source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1201641660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1233899209.000000007FD40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

File written: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Static file information: File size 1112208 > 1048576

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

File opened: PhysicalDrive0

Jump to behavior

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.000000000236E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ]C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools2ad8eCDPUserSvc_2ad8ec_2ad8eClipboard User Service_2ad8eService_2ad8ecbdhsvc_2ad8e_2ad8eWindows Push Notifications System Servicetions System ServiceWpnServicevicePortable Device Enumerator Serviceumerator ServiceWPDBusEnumEnumWindows Overlay File System Filter DriverSystem Filter DriverWoffWindows Management Instrumentation InstrumentationWinmgmtgmtWinHTTP Web Proxy Auto-Discovery Serviceo-Discovery ServiceWinHttpAutoProxySvcoProxySvcMicrosoft Windows Trusted Runtime Secure Service Runtime Secure ServiceWindowsTrustedRTProxytedRTProxyWindows Trusted Execution Environment Class Extensionnvironment Class ExtensionWindowsTrustedRTustedRTs serviceWdf01000000Windows Connection Managertion ManagerWcmsvcvcWindows Container Isolationner IsolationwcifsfsRemote Access IP ARP DriverIP ARP DriverwanarprpVirtual WiFi Filter Driverilter DrivervwififltfltVolume driverdrivervolumemeVolume Shadow Copy driver Copy drivervolsnapnapDynamic Volume Managerme ManagervolmgrxgrxVolume Manager Driverger DrivervolmgrgrVMware VMCI Bus DriverBus DrivervmciiViddViddMicrosoft Virtual Drive EnumeratorDrive EnumeratorvdrvrootootUser ManagernagerUserManagernagerUSB xHCI Compliant Host Controller Host ControllerUSBXHCIHCIUSB Mass Storage Driverrage DriverUSBSTORTORSuperSpeed Hubed HubUSBHUB3UB3Microsoft USB Standard Hub Driverndard Hub DriverusbhububMicrosoft USB 2.0 Enhanced Host Controller Miniport Drivert Controller Miniport DriverusbehcihciMicrosoft USB Generic Parent Driverric Parent DriverusbccgpcgpUSB Role-Switch Support LibrarySupport LibraryUrsCx010001000Chipidea USB Role-Swit3.
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Binary or memory string: vmware
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.000000000236E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.000000000236E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Driver
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WcmsvcvcWindows Container Isolationner IsolationwcifsfsRemote Access IP ARP DriverIP ARP DriverwanarprpVirtual WiFi Filter Driverilter DrivervwififltfltVolume driverdrivervolumemeVolume Shadow Copy driver Copy drivervolsnapnapDynamic Volume Managerme ManagervolmgrxgrxVolume Manager Driverger DrivervolmgrgrVMware VMCI Bus DriverBus DrivervmciiViddViddMicrosoft Virtual Drive EnumeratorDrive EnumeratorvdrvrootootUser ManagernagerUserManagernagerUSB xHCI Compliant Host Controller Host ControllerUSBXHCIHCIUSB Mass Storage Driverrage DriverUSBSTORTORSuperSpeed Hubed HubUSBHUB3UB3Microsoft USB Standard Hub Driverndard Hub DriverusbhububMicrosoft USB 2.0 Enhanced Host Controller Miniport Drivert Controller Miniport DriverusbehcihciMicrosoft USB Generic Parent Driverric Parent DriverusbccgpcgpUSB Role-Switch Support LibrarySupport LibraryUrsCx010001000Chipidea USB Role-Switch Drivere-Switch DriverUrsChipideapideaUMBus Enumerator Driverator DriverumbususudfssudfssUSB Host Support Libraryort LibraryUcx01000000USB Attached SCSI (UAS) DriverI (UAS) DriverUASPStortorDistributed Link Tracking ClientTracking ClientTrkWksksWeb Account Managert ManagerTokenBrokerrokerTime BrokerrokerTimeBrokerSvckerSvcThemesesThemesesIntel(R) Telemetry Serviceetry ServiceTelemetryetryNetIO Legacy TDI Support Driver Support DrivertdxxTCP/IP Registry Compatibility Compatibilitytcpipregreg

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Process information queried: ProcessInformation

Jump to behavior

Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Binary or memory string: ProgMan
Source: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Binary or memory string: Shell_TrayWndProgManU

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	21 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	71%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
report.thorzip.muxin.fun	unknown	unknown	false	unknown
hotnews.dftoutiao.com	unknown	unknown	false	unknown
files.news.baidu.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://ssp.7654.com/ct/m?mixData=	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://report.thorzip.muxin.fun/eH	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.000000000065B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://hotnews.dftoutiao.com/	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000672000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://report.thorzip.muxin.fun/lszip/bubble_info?code=jWLGHnD6CYifDIjqc6sGs/Bbp6bCfV8bglNO	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000686000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.0000000002398000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://news.7654.com/mini_new3/jsb/	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://pv.sohu.com/cityjson?ie=utf-8	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://www.symauth.com/rpa00	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=kuaiyatitle&platform=pc&newstype=now	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.0000000002389000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://api.map.baidu.com/telematics/v3/weather?location=%s&output=json&ak=spmMww7Eoqcmf3FXbnLyDUwLU	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://files.news.baidu.com/mini_new3/jjj/MiniLogo.PNG	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	false	high
http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=%s&platform=pc&newstype=%s	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	unknown
http://report.thorzip.muxin.fun/tart	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://weather.shzhanmeng.com/api/weather/%sU	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	unknown
http://api.map.baidu.com/telematics/v3/weather?location=%s&output=json&ak=spmMww7Eoqcmf3FXbnLyDUwL	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://www.symauth.com/cps0(	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://report.thorzip.muxin.fun/	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ssp.7654.com/ct?mixData=	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://ssp.7654.com/ct?mixData=les	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.00000000023D8000.00000004.00001000.00020000.00000000.sdmp	false	high
http://news.baidu.com/mini_new3/jjj/	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://report.thorzip.muxin.fun/crosoft	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000002.1266582827.0000000000618000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://iplocation.7654.com/v1	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	high
http://weather.shzhanmeng.com/api/weather/%s	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	unknown
http://bsalsa.com/	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe	false	unknown
http://report.thorzip.muxin.fun/lszip/bubble_info?code=jwlghnd6cyifdijqc6sgs/bbp6bcfv8bglno	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe, 00000000.00000003.1265338071.0000000002398000.00000004.00001000.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428706
Start date and time:	2024-04-19 12:28:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
Detection:	MAL
Classification:	mal52.winEXE@1/1@7/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.741488181478588
TrID:	Win32 Executable (generic) a (10002005/4) 98.32% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
File size:	1'112'208 bytes
MD5:	af1e56057951887a763d4e97670a1036
SHA1:	bc0b8c98c0fdbb805b8e8415a860be0966de30be
SHA256:	5eb65feae4e36b791ced20aa9fb912311ab3f920613857819a51df2ccba9a485
SHA512:	4a778b1c6ee14ad3f790ab00b421b351d06f05b688a6c80525133a158363602f417a10adfeb09724a2f20e39736df628bbcffe03f44e145550a1cd48d7900269
SSDEEP:	24576:/ZepAVvX2Z3XFt81lUu28MMxO17zJZVtL0n31QIChuUO/vDBTo:BeyWf9HHhVOnl
TLSH:	A9359E72F7C04833D5331D399D1B93A8952ABD113E29994A3BD83E4C6F39B4139292D7
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	31ec96e89ad6c873

Static PE Info

General

Entrypoint:	0x4baca0
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x5F34BA0C [Thu Aug 13 03:57:00 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	46416c8511b63786a1666009e2ddb338

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	25/02/2020 01:00:00 25/02/2021 00:59:59
Subject Chain	CN=\u4e0a\u6d77\u7766\u6b23\u7f51\u7edc\u79d1\u6280\u6709\u9650\u516c\u53f8, OU=IT, O=\u4e0a\u6d77\u7766\u6b23\u7f51\u7edc\u79d1\u6280\u6709\u9650\u516c\u53f8, S=\u4e0a\u6d77, C=CN
Version:	3
Thumbprint MD5:	B7FB0098F484B9F0FF7BA177DA2BD9E2
Thumbprint SHA-1:	F1CC84829CECD842F8477329822C14778BC319DD
Thumbprint SHA-256:	54538B17A367F8712895D95E68227F0AED93C480074D6F0366D91021AAE13B91
Serial:	3257CFD411114333C7EF69768757C055

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFD8h
push ebx
xor eax, eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-1Ch], eax
mov eax, 004B93E4h
call 00007F32C4C4F2D5h
xor eax, eax
push ebp
push 004BAED4h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
call 00007F32C4CFFCC2h
test al, al
je 00007F32C4D02B08h
call 00007F32C4C4F59Dh
mov edx, eax
lea eax, dword ptr [ebp-1Ch]
call 00007F32C4C4CE6Bh
mov eax, dword ptr [ebp-1Ch]
mov dword ptr [ebp-18h], eax
mov eax, dword ptr [004BF184h]
mov eax, dword ptr [eax]
mov dword ptr [ebp-14h], eax
lea edx, dword ptr [ebp-18h]
mov ecx, 00000001h
mov eax, 004BAEECh
call 00007F32C4CEF831h
jmp 00007F32C4D02C7Dh
mov eax, dword ptr [004BEFF0h]
cmp byte ptr [eax], 00000000h
je 00007F32C4D02ADEh
xor eax, eax
call 00007F32C4CFF427h
jmp 00007F32C4D02C67h
push 00000000h
push 00000000h
push 00000000h
push 00000000h
push 00000000h
push 00000000h
push 00000000h
call 00007F32C4C4FF63h
mov eax, dword ptr [004BF19Ch]
mov eax, dword ptr [eax]
call 00007F32C4CAF6AFh
mov eax, dword ptr [004BF19Ch]
mov eax, dword ptr [eax]
mov dl, 01h
call 00007F32C4CB1579h
call 00007F32C4C4F524h
mov edx, eax
lea eax, dword ptr [ebp-20h]
call 00007F32C4C4CDF2h
mov eax, dword ptr [ebp-20h]
mov dword ptr [ebp-18h], eax
mov eax, dword ptr [004BF184h]
mov eax, dword ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc6000	0x38bc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd8000	0x3fa00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x10d800	0x2090	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xbd60	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xcb000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc6ae8	0x890	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb888c	0xb8a00	8770e4a74b05c3dc027df9d42c1b77f0	False	0.5139495704976303	data	6.590052866643412	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xba000	0xf68	0x1000	2dda39ad0b61184bac071bf88cec4c7c	False	0.5947265625	data	6.262895342213027	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xbb000	0x4440	0x4600	f23457ca3e1d367e8600cc3c1415a959	False	0.46004464285714286	data	5.1042395000718415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xc0000	0x50a4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc6000	0x38bc	0x3a00	d2dfe90d644c3fd2873923c8b6328d3e	False	0.30994073275862066	data	5.11583766335277	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xca000	0x38	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xcb000	0x18	0x200	69dbf0c74609e74a983a570cfc32ffff	False	0.052734375	data	0.20544562813451883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xbd60	0xbe00	58b19b47703c68e056f2ae85cbba7ea7	False	0.6100328947368421	data	6.696396278077283	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xd8000	0x3fa00	0x3fa00	08230b26bf45d902048d40d3caaba966	False	0.4607993614931238	data	6.328319191889762	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TYPELIB	0xd9c44	0x9e8	data			0.3801261829652997
RT_CURSOR	0xda62c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0xda760	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0xda894	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0xda9c8	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0xdaafc	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0xdac30	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0xdad64	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0xdae98	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0xdb068	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0xdb24c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0xdb41c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0xdb5ec	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0xdb7bc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0xdb98c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0xdbb5c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0xdbd2c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0xdbefc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0xdc0cc	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_ICON	0xdc1b4	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 128	Chinese	China	0.5511363636363636
RT_ICON	0xdc264	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 256	Chinese	China	0.5855263157894737
RT_ICON	0xdc394	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.5844594594594594
RT_ICON	0xdc4bc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.5362903225806451
RT_ICON	0xdc7a4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Chinese	China	0.4963872832369942
RT_ICON	0xdcd0c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Chinese	China	0.47518050541516244
RT_ICON	0xdd5b4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.34169793621013134
RT_ICON	0xde65c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.2674273858921162
RT_ICON	0xe0c04	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.20164147378365613
RT_ICON	0xe4e2c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.13193540754761623
RT_ICON	0xf5654	0x93d0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9823731501057082
RT_DIALOG	0xfea24	0x52	data			0.7682926829268293
RT_DIALOG	0xfea78	0x52	data			0.7560975609756098
RT_STRING	0xfeacc	0x2e	Matlab v4 mat-file (little endian) 3, numeric, rows 0, columns 0	Chinese	China	0.5434782608695652
RT_STRING	0xfeafc	0x530	data			0.3546686746987952
RT_STRING	0xff02c	0x258	data			0.47333333333333333
RT_STRING	0xff284	0x3f0	data			0.3948412698412698
RT_STRING	0xff674	0x304	StarOffice Gallery theme N, 1677750016 objects, 1st U			0.3756476683937824
RT_STRING	0xff978	0x2ac	data			0.4649122807017544
RT_STRING	0xffc24	0xc8	data			0.67
RT_STRING	0xffcec	0x108	data			0.6060606060606061
RT_STRING	0xffdf4	0x2a8	data			0.4764705882352941
RT_STRING	0x10009c	0x400	data			0.388671875
RT_STRING	0x10049c	0x374	data			0.40271493212669685
RT_STRING	0x100810	0x374	data			0.36877828054298645
RT_STRING	0x100b84	0x410	data			0.37403846153846154
RT_STRING	0x100f94	0xd0	data			0.5288461538461539
RT_STRING	0x101064	0xb8	data			0.6467391304347826
RT_STRING	0x10111c	0x254	data			0.4949664429530201
RT_STRING	0x101370	0x3c0	data			0.315625
RT_STRING	0x101730	0x368	data			0.37844036697247707
RT_STRING	0x101a98	0x2d0	data			0.40555555555555556
RT_RCDATA	0x101d68	0x168	PNG image data, 900 x 40, 8-bit/color RGBA, non-interlaced	English	United States	0.5277777777777778
RT_RCDATA	0x101ed0	0x3fc	PNG image data, 35 x 21, 8-bit/color RGBA, non-interlaced	English	United States	0.6696078431372549
RT_RCDATA	0x1022cc	0x327	PNG image data, 900 x 40, 8-bit/color RGBA, non-interlaced	English	United States	0.3444857496902107
RT_RCDATA	0x1025f4	0x327	PNG image data, 900 x 40, 8-bit/color RGBA, non-interlaced	English	United States	0.3444857496902107
RT_RCDATA	0x10291c	0x69d1	PNG image data, 900 x 40, 8-bit/color RGBA, non-interlaced	English	United States	0.9856768429990033
RT_RCDATA	0x1092f0	0x327	PNG image data, 900 x 40, 8-bit/color RGBA, non-interlaced	English	United States	0.3444857496902107
RT_RCDATA	0x109618	0xdb	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.0365296803652968
RT_RCDATA	0x1096f4	0x12a	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.0369127516778522
RT_RCDATA	0x109820	0x134	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.0357142857142858
RT_RCDATA	0x109954	0x10	data			1.5
RT_RCDATA	0x109964	0x670	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced	English	United States	0.8228155339805825
RT_RCDATA	0x109fd4	0x1d7	PNG image data, 12 x 13, 8-bit/color RGBA, interlaced	English	United States	1.0233545647558386
RT_RCDATA	0x10a1ac	0x840	PNG image data, 80 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.0052083333333333
RT_RCDATA	0x10a9ec	0x6cd	PNG image data, 78 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.006318207926479
RT_RCDATA	0x10b0bc	0x959	PNG image data, 79 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.0045967404931049
RT_RCDATA	0x10ba18	0x7ce	PNG image data, 100 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.0055055055055055
RT_RCDATA	0x10c1e8	0x81	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	0.9534883720930233
RT_RCDATA	0x10c26c	0xa9	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.029585798816568
RT_RCDATA	0x10c318	0xa9	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.029585798816568
RT_RCDATA	0x10c3c4	0x4d4	PNG image data, 33 x 33, 8-bit/color RGBA, interlaced	English	United States	1.0088996763754046
RT_RCDATA	0x10c898	0x4d4	PNG image data, 33 x 33, 8-bit/color RGBA, interlaced	English	United States	1.0088996763754046
RT_RCDATA	0x10cd6c	0x4d4	PNG image data, 33 x 33, 8-bit/color RGBA, interlaced	English	United States	1.0088996763754046
RT_RCDATA	0x10d240	0x43c	PNG image data, 35 x 21, 8-bit/color RGBA, non-interlaced	English	United States	0.6964944649446494
RT_RCDATA	0x10d67c	0x44a	PNG image data, 35 x 21, 8-bit/color RGB, non-interlaced	English	United States	0.7085610200364298
RT_RCDATA	0x10dac8	0x488	PNG image data, 35 x 21, 8-bit/color RGB, non-interlaced	English	United States	0.7267241379310345
RT_RCDATA	0x10df50	0x334	PNG image data, 21 x 21, 8-bit/color RGBA, interlaced	English	United States	1.0134146341463415
RT_RCDATA	0x10e284	0x334	PNG image data, 21 x 21, 8-bit/color RGBA, interlaced	English	United States	1.0134146341463415
RT_RCDATA	0x10e5b8	0x334	PNG image data, 21 x 21, 8-bit/color RGBA, interlaced	English	United States	1.0134146341463415
RT_RCDATA	0x10e8ec	0x3d7	PNG image data, 35 x 21, 8-bit/color RGBA, non-interlaced	English	United States	0.6459816887080366
RT_RCDATA	0x10ecc4	0x3d7	PNG image data, 35 x 21, 8-bit/color RGB, non-interlaced	English	United States	0.646998982706002
RT_RCDATA	0x10f09c	0x3d7	PNG image data, 35 x 21, 8-bit/color RGB, non-interlaced	English	United States	0.659206510681587
RT_RCDATA	0x10f474	0x3cd	PNG image data, 35 x 21, 8-bit/color RGBA, non-interlaced	English	United States	0.6361767728674204
RT_RCDATA	0x10f844	0x3cb	PNG image data, 35 x 21, 8-bit/color RGB, non-interlaced	English	United States	0.6405767250257467
RT_RCDATA	0x10fc10	0x3cb	PNG image data, 35 x 21, 8-bit/color RGB, non-interlaced	English	United States	0.6364572605561277
RT_RCDATA	0x10ffdc	0x14a	PNG image data, 9 x 11, 8-bit/color RGBA, interlaced	English	United States	1.0333333333333334
RT_RCDATA	0x110128	0x15d	PNG image data, 9 x 10, 8-bit/color RGBA, interlaced	English	United States	1.0315186246418337
RT_RCDATA	0x110288	0x158	PNG image data, 9 x 10, 8-bit/color RGBA, interlaced	English	United States	1.0319767441860466
RT_RCDATA	0x1103e0	0x3e5	PNG image data, 35 x 21, 8-bit/color RGBA, non-interlaced	English	United States	0.6800401203610833
RT_RCDATA	0x1107c8	0x3ea	PNG image data, 35 x 21, 8-bit/color RGB, non-interlaced	English	United States	0.6826347305389222
RT_RCDATA	0x110bb4	0x3ea	PNG image data, 35 x 21, 8-bit/color RGB, non-interlaced	English	United States	0.6816367265469062
RT_RCDATA	0x110fa0	0x1d8	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.0233050847457628
RT_RCDATA	0x111178	0x1f9	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.0217821782178218
RT_RCDATA	0x111374	0x1f6	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.0219123505976095
RT_RCDATA	0x11156c	0x70c	data			0.6407982261640798
RT_RCDATA	0x111c78	0xcf5	Delphi compiled form 'TFormMain'			0.4485981308411215
RT_RCDATA	0x112970	0x2d39	Delphi compiled form 'TFormMiniReader'			0.26664939103394664
RT_RCDATA	0x1156ac	0x1c2	Delphi compiled form 'TFormSkinADBase'			0.6644444444444444
RT_RCDATA	0x115870	0xd4c	PNG image data, 134 x 40, 8-bit/color RGBA, non-interlaced	English	United States	1.0032314923619272
RT_RCDATA	0x1165bc	0x1bb	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.0248306997742664
RT_RCDATA	0x116778	0x1be	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.0246636771300448
RT_RCDATA	0x116938	0x1b3	PNG image data, 29 x 28, 8-bit/color RGBA, non-interlaced	English	United States	1.025287356321839
RT_GROUP_CURSOR	0x116aec	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x116b00	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x116b14	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x116b28	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x116b3c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x116b50	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x116b64	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x116b78	0xa0	data	Chinese	China	0.65625
RT_VERSION	0x116c18	0x260	data	Chinese	China	0.5328947368421053
RT_MANIFEST	0x116e78	0xa09	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.31218372907746206

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateLayeredWindow, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenuEx, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetDlgItemTextA, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageTimeoutA, SendMessageW, SendMessageA, SendInput, SendDlgItemMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MoveWindow, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadMenuA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsClipboardFormatAvailable, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastInputInfo, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursorInfo, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassNameA, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowExA, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcW, CallWindowProcA, CallNextHookEx, BeginPaint, AttachThreadInput, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrlenW, lstrcpyA, WriteProcessMemory, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAllocEx, VirtualAlloc, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetThreadAffinityMask, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, QueryDosDeviceA, OpenProcess, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVolumeInformationA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetExitCodeThread, GetEnvironmentVariableA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCommandLineA, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeviceIoControl, DeleteCriticalSection, CreateThread, CreateRemoteThread, CreateProcessA, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegSetValueExA, RegSetValueA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumValueA, RegEnumKeyExA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, RegOpenCurrentUser, LookupAccountNameA, GetUserNameA
kernel32.dll	Sleep
ole32.dll	IsEqualGUID, CoTaskMemFree, StringFromCLSID, CoCreateGuid
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, GetActiveObject, DispGetIDsOfNames, LoadTypeLib, SysFreeString
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
URLMON.DLL	CoInternetCreateZoneManager, CoInternetCreateSecurityManager, UrlMkGetSessionOption, UrlMkSetSessionOption
wininet.dll	InternetSetOptionA, InternetReadFile, InternetOpenA, InternetConnectA, InternetCloseHandle, HttpSendRequestA, HttpQueryInfoA, HttpOpenRequestA
shell32.dll	Shell_NotifyIconA, ShellExecuteA, ExtractIconA
shell32.dll	SHGetSpecialFolderPathA
winmm.dll	timeGetTime
wsock32.dll	send
kernel32.dll	GetProcAddress, LoadLibraryA, GetModuleHandleA
ntdll.dll	NtQuerySystemInformation, NtQueryInformationProcess
advapi32.dll	OpenSCManagerA, EnumServicesStatusA, CloseServiceHandle
Iphlpapi.dll	GetAdaptersInfo
kernel32.dll	GetVersionExW
kernel32.dll	GetComputerNameExA
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, StringFromCLSID

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 12:29:00.450416088 CEST	55846	53	192.168.2.7	1.1.1.1
Apr 19, 2024 12:29:01.462941885 CEST	55846	53	192.168.2.7	1.1.1.1
Apr 19, 2024 12:29:02.478410959 CEST	55846	53	192.168.2.7	1.1.1.1
Apr 19, 2024 12:29:03.049814939 CEST	53	55846	1.1.1.1	192.168.2.7
Apr 19, 2024 12:29:03.049834967 CEST	53	55846	1.1.1.1	192.168.2.7
Apr 19, 2024 12:29:03.049846888 CEST	53	55846	1.1.1.1	192.168.2.7
Apr 19, 2024 12:29:03.268181086 CEST	65516	53	192.168.2.7	1.1.1.1
Apr 19, 2024 12:29:03.595885992 CEST	53	65516	1.1.1.1	192.168.2.7
Apr 19, 2024 12:29:03.652626038 CEST	61859	53	192.168.2.7	1.1.1.1
Apr 19, 2024 12:29:04.650317907 CEST	61859	53	192.168.2.7	1.1.1.1
Apr 19, 2024 12:29:05.650367022 CEST	61859	53	192.168.2.7	1.1.1.1
Apr 19, 2024 12:29:06.136006117 CEST	53	61859	1.1.1.1	192.168.2.7
Apr 19, 2024 12:29:06.136070967 CEST	53	61859	1.1.1.1	192.168.2.7
Apr 19, 2024 12:29:06.136090994 CEST	53	61859	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 12:29:00.450416088 CEST	192.168.2.7	1.1.1.1	0xbbff	Standard query (0)	files.news.baidu.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:01.462941885 CEST	192.168.2.7	1.1.1.1	0xbbff	Standard query (0)	files.news.baidu.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:02.478410959 CEST	192.168.2.7	1.1.1.1	0xbbff	Standard query (0)	files.news.baidu.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:03.268181086 CEST	192.168.2.7	1.1.1.1	0xa7c6	Standard query (0)	hotnews.dftoutiao.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:03.652626038 CEST	192.168.2.7	1.1.1.1	0xd641	Standard query (0)	report.thorzip.muxin.fun	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:04.650317907 CEST	192.168.2.7	1.1.1.1	0xd641	Standard query (0)	report.thorzip.muxin.fun	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:05.650367022 CEST	192.168.2.7	1.1.1.1	0xd641	Standard query (0)	report.thorzip.muxin.fun	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 12:29:03.049814939 CEST	1.1.1.1	192.168.2.7	0xbbff	Name error (3)	files.news.baidu.com	none	none	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:03.049834967 CEST	1.1.1.1	192.168.2.7	0xbbff	Name error (3)	files.news.baidu.com	none	none	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:03.049846888 CEST	1.1.1.1	192.168.2.7	0xbbff	Name error (3)	files.news.baidu.com	none	none	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:03.595885992 CEST	1.1.1.1	192.168.2.7	0xa7c6	Name error (3)	hotnews.dftoutiao.com	none	none	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:06.136006117 CEST	1.1.1.1	192.168.2.7	0xd641	Name error (3)	report.thorzip.muxin.fun	none	none	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:06.136070967 CEST	1.1.1.1	192.168.2.7	0xd641	Name error (3)	report.thorzip.muxin.fun	none	none	A (IP address)	IN (0x0001)	false
Apr 19, 2024 12:29:06.136090994 CEST	1.1.1.1	192.168.2.7	0xd641	Name error (3)	report.thorzip.muxin.fun	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:28:58
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe"
Imagebase:	0x400000
File size:	1'112'208 bytes
MD5 hash:	AF1E56057951887A763D4E97670A1036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1201641660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1233899209.000000007FD40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.1233899209.000000007FD40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\desktop.ini

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe