Windows
Analysis Report
Q7Ct3eA5NE.exe
Overview
General Information
Sample name: | Q7Ct3eA5NE.exe (renamed file extension from tmp to exe, renamed because original name is a hash value) |
Original sample name: | 180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235.tmp |
Analysis ID: | 1428859 |
MD5: | 59fa1a478f284afac139920f0d64bdcc |
SHA1: | a42e353a3718f1eb56174ff68e77db2c3c841ac5 |
SHA256: | 180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235 |
Detection
Score: | 2 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 40% |
Signatures
Classification
Analysis Advice
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
Sample reads itself and does not show any behavior, likely it performs some host environment checks which are compared to an embedded key |
- System is w10x64
- Q7Ct3eA5NE.exe (PID: 5896 cmdline:
"C:\Users\ user\Deskt op\Q7Ct3eA 5NE.exe" MD5: 59FA1A478F284AFAC139920F0D64BDCC)
- cleanup
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Static PE information: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Key opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File read: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 12 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
4% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown | |||
false |
| unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1428859 |
Start date and time: | 2024-04-19 18:18:43 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 9s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Q7Ct3eA5NE.exe (renamed file extension from tmp to exe, renamed because original name is a hash value) |
Original Sample Name: | 180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235.tmp |
Detection: | CLEAN |
Classification: | clean2.winEXE@1/0@0/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- VT rate limit hit for: Q7Ct3eA5NE.exe
File type: | |
Entropy (8bit): | 6.3954052093134015 |
TrID: |
|
File name: | Q7Ct3eA5NE.exe |
File size: | 1'486'848 bytes |
MD5: | 59fa1a478f284afac139920f0d64bdcc |
SHA1: | a42e353a3718f1eb56174ff68e77db2c3c841ac5 |
SHA256: | 180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235 |
SHA512: | e8c964976cf73bddff590c075245c0f68288e0ab86042773077a546c8428a1eefa88bd8055d97c191563afaa1063d6f066983cfa5f5f0af20652bd8dc3a63abb |
SSDEEP: | 24576:kCBq/5WxgBsS4lhpCqKkJ98hCPVaXJa9cHBZOFEw0cCu3FnbQkWqAOM2xtA:CxJsFZKCuJQkO2cC2Ue |
TLSH: | 24654B12A2E28833E5733F358D2B86946C367D652E64949B3FF45E0C0E39B41BD39792 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 2d2e3797b32b2b99 |
Entrypoint: | 0x54b07c |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4EF6EA3C [Sun Dec 25 09:17:48 2011 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | ab2499e0e72dfad09db9c131cd20670f |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
push ebx |
push esi |
push edi |
mov eax, 00548B60h |
call 00007F57597A1ECAh |
push FFFFFFECh |
mov eax, dword ptr [0054F1FCh] |
mov eax, dword ptr [eax] |
mov ebx, dword ptr [eax+00000170h] |
push ebx |
call 00007F57597A2E5Dh |
and eax, FFFFFF7Fh |
push eax |
push FFFFFFECh |
mov eax, dword ptr [0054F1FCh] |
push ebx |
call 00007F57597A30BAh |
xor eax, eax |
push ebp |
push 0054B0F7h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
push 00000001h |
call 00007F57597A277Dh |
call 00007F57598E1628h |
mov eax, dword ptr [00548798h] |
push eax |
push 005487FCh |
mov eax, dword ptr [0054F1FCh] |
mov eax, dword ptr [eax] |
call 00007F57598BADD5h |
call 00007F57598E167Ch |
xor eax, eax |
pop edx |
pop ecx |
pop ecx |
mov dword ptr fs:[eax], edx |
jmp 00007F57598E3E6Bh |
jmp 00007F575979D601h |
call 00007F57598E13F8h |
mov eax, 00000001h |
call 00007F575979E0C2h |
call 00007F575979DA45h |
mov eax, dword ptr [0054F1FCh] |
mov eax, dword ptr [eax] |
mov edx, 0054B28Ch |
call 00007F57598BA898h |
push 00000005h |
mov eax, dword ptr [0054F1FCh] |
mov eax, dword ptr [eax] |
mov eax, dword ptr [eax+00000170h] |
push eax |
call 00007F57597A307Bh |
mov eax, dword ptr [0054F1FCh] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [004D7EF4h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x157000 | 0x3b60 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15d000 | 0x1a200 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x15c000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x157b14 | 0x90c | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x148028 | 0x148200 | c67dcc9577c7d26fb3213014481b8eb1 | False | 0.4730535714285714 | data | 6.464197222589196 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x14a000 | 0x1298 | 0x1400 | c0c9f0e982ea484aa4611702887a35a7 | False | 0.51953125 | data | 5.778044308334974 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x14c000 | 0x3470 | 0x3600 | cbd5e402d1a2fe1e8aff761ffee72839 | False | 0.4126880787037037 | data | 4.241668276697779 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x150000 | 0x60f4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x157000 | 0x3b60 | 0x3c00 | 33154e6362b7b3346a4772337cc7d377 | False | 0.31490885416666664 | data | 5.236592358677999 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x15b000 | 0x3c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x15c000 | 0x18 | 0x200 | 6b0370927ff8becba9c5da9a1b6933cd | False | 0.052734375 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x15d000 | 0x1a200 | 0x1a200 | 7d0d26d9d349a84f2d40719db25ef52c | False | 0.24324349581339713 | data | 4.8633654343293955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x15dcd4 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
RT_CURSOR | 0x15de08 | 0x134 | data | English | United States | 0.4642857142857143 |
RT_CURSOR | 0x15df3c | 0x134 | data | English | United States | 0.4805194805194805 |
RT_CURSOR | 0x15e070 | 0x134 | data | English | United States | 0.38311688311688313 |
RT_CURSOR | 0x15e1a4 | 0x134 | data | English | United States | 0.36038961038961037 |
RT_CURSOR | 0x15e2d8 | 0x134 | data | English | United States | 0.4090909090909091 |
RT_CURSOR | 0x15e40c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
RT_BITMAP | 0x15e540 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | 0.2945859872611465 | ||
RT_BITMAP | 0x15ea28 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | 0.521551724137931 | ||
RT_ICON | 0x15eb10 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.5675675675675675 |
RT_ICON | 0x15ec38 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Chinese | China | 0.4486994219653179 |
RT_ICON | 0x15f1a0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Chinese | China | 0.4637096774193548 |
RT_ICON | 0x15f488 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Chinese | China | 0.3935018050541516 |
RT_STRING | 0x15fd30 | 0xc4 | data | 0.6224489795918368 | ||
RT_STRING | 0x15fdf4 | 0x258 | data | 0.475 | ||
RT_STRING | 0x16004c | 0x250 | data | 0.46621621621621623 | ||
RT_STRING | 0x16029c | 0x470 | data | 0.39348591549295775 | ||
RT_STRING | 0x16070c | 0x470 | data | 0.3829225352112676 | ||
RT_STRING | 0x160b7c | 0x2a4 | data | 0.48668639053254437 | ||
RT_STRING | 0x160e20 | 0xc0 | data | 0.6666666666666666 | ||
RT_STRING | 0x160ee0 | 0x210 | data | 0.5037878787878788 | ||
RT_STRING | 0x1610f0 | 0x3d0 | data | 0.382172131147541 | ||
RT_STRING | 0x1614c0 | 0x3d8 | data | 0.366869918699187 | ||
RT_STRING | 0x161898 | 0x5ec | data | 0.3087071240105541 | ||
RT_STRING | 0x161e84 | 0x32c | data | 0.41995073891625617 | ||
RT_STRING | 0x1621b0 | 0x344 | data | 0.3827751196172249 | ||
RT_STRING | 0x1624f4 | 0x3bc | data | 0.39435146443514646 | ||
RT_STRING | 0x1628b0 | 0xd0 | data | 0.5288461538461539 | ||
RT_STRING | 0x162980 | 0xb8 | data | 0.6467391304347826 | ||
RT_STRING | 0x162a38 | 0x274 | data | 0.48089171974522293 | ||
RT_STRING | 0x162cac | 0x3f0 | data | 0.314484126984127 | ||
RT_STRING | 0x16309c | 0x314 | data | 0.434010152284264 | ||
RT_STRING | 0x1633b0 | 0x2c0 | data | 0.421875 | ||
RT_RCDATA | 0x163670 | 0x82e8 | data | English | United States | 0.11261637622344235 |
RT_RCDATA | 0x16b958 | 0x10 | data | 1.5 | ||
RT_RCDATA | 0x16b968 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3826497395833333 |
RT_RCDATA | 0x16d168 | 0x720 | data | 0.6392543859649122 | ||
RT_RCDATA | 0x16d888 | 0x5b10 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows | English | United States | 0.3255404941660947 |
RT_RCDATA | 0x173398 | 0x147 | Delphi compiled form 'TMainForm' | 0.746177370030581 | ||
RT_RCDATA | 0x1734e0 | 0x3a2 | Delphi compiled form 'TNewDiskForm' | 0.524731182795699 | ||
RT_RCDATA | 0x173884 | 0x320 | Delphi compiled form 'TSelectFolderForm' | 0.53625 | ||
RT_RCDATA | 0x173ba4 | 0x300 | Delphi compiled form 'TSelectLanguageForm' | 0.5703125 | ||
RT_RCDATA | 0x173ea4 | 0x5d9 | Delphi compiled form 'TUninstallProgressForm' | 0.4562458249832999 | ||
RT_RCDATA | 0x174480 | 0x461 | Delphi compiled form 'TUninstSharedFileForm' | 0.4335414808206958 | ||
RT_RCDATA | 0x1748e4 | 0x1faf | Delphi compiled form 'TWizardForm' | 0.23018123535938848 | ||
RT_GROUP_CURSOR | 0x176894 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x1768a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x1768bc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x1768d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x1768e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x1768f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x17690c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_ICON | 0x176920 | 0x3e | data | Chinese | China | 0.8387096774193549 |
RT_VERSION | 0x176960 | 0x15c | data | English | United States | 0.5689655172413793 |
RT_MANIFEST | 0x176abc | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093 |
DLL | Import |
---|---|
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW |
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle |
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW |
user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameW, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyIcon, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout |
msimg32.dll | AlphaBlend |
gdi32.dll | UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW |
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
mpr.dll | WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum |
kernel32.dll | lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle |
advapi32.dll | RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid |
oleaut32.dll | GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID |
comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls |
kernel32.dll | Sleep |
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit |
winspool.drv | OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter |
winspool.drv | GetDefaultPrinterW |
shell32.dll | ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW |
shell32.dll | SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW |
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW |
ole32.dll | CoDisconnectObject |
advapi32.dll | AdjustTokenPrivileges |
oleaut32.dll | SysFreeString |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Chinese | China |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 18:19:34 |
Start date: | 19/04/2024 |
Path: | C:\Users\user\Desktop\Q7Ct3eA5NE.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'486'848 bytes |
MD5 hash: | 59FA1A478F284AFAC139920F0D64BDCC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | true |