Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Q7Ct3eA5NE.exe

Overview

General Information

Sample name:Q7Ct3eA5NE.exe
(renamed file extension from tmp to exe, renamed because original name is a hash value)
Original sample name:180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235.tmp
Analysis ID:1428859
MD5:59fa1a478f284afac139920f0d64bdcc
SHA1:a42e353a3718f1eb56174ff68e77db2c3c841ac5
SHA256:180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Queries keyboard layouts
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample reads itself and does not show any behavior, likely it performs some host environment checks which are compared to an embedded key

Process Tree

  • System is w10x64
  • Q7Ct3eA5NE.exe (PID: 5896 cmdline: "C:\Users\user\Desktop\Q7Ct3eA5NE.exe" MD5: 59FA1A478F284AFAC139920F0D64BDCC)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Q7Ct3eA5NE.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Q7Ct3eA5NE.exeString found in binary or memory: http://restools.hanzify.org/
Source: Q7Ct3eA5NE.exeString found in binary or memory: http://www.innosetup.com/
Source: Q7Ct3eA5NE.exeString found in binary or memory: http://www.remobjects.com/ps
Source: Q7Ct3eA5NE.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Q7Ct3eA5NE.exeStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Q7Ct3eA5NE.exe, 00000000.00000000.2052230073.0000000000569000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs Q7Ct3eA5NE.exe
Source: Q7Ct3eA5NE.exeBinary or memory string: OriginalFilenameshfolder.dll~/ vs Q7Ct3eA5NE.exe
Source: Q7Ct3eA5NE.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engineClassification label: clean2.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: Q7Ct3eA5NE.exeString found in binary or memory: -Helper process exited with failure code: 0x%x
Source: Q7Ct3eA5NE.exeString found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: Q7Ct3eA5NE.exeString found in binary or memory: /LoadInf=
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeFile read: C:\Users\user\Desktop\Q7Ct3eA5NE.exeJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeSection loaded: textshaping.dllJump to behavior
Source: Q7Ct3eA5NE.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: Q7Ct3eA5NE.exeStatic file information: File size 1486848 > 1048576
Source: Q7Ct3eA5NE.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x148200
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
Source: C:\Users\user\Desktop\Q7Ct3eA5NE.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
DLL Side-Loading		1
DLL Side-Loading		OS Credential Dumping12
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Q7Ct3eA5NE.exe4%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://www.remobjects.com/ps0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://www.innosetup.com/Q7Ct3eA5NE.exefalse
    		unknown
    http://restools.hanzify.org/Q7Ct3eA5NE.exefalse
      		unknown
      http://www.remobjects.com/psQ7Ct3eA5NE.exefalse
      • URL Reputation: safe
      		unknown

      World Map of Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1428859
      Start date and time:2024-04-19 18:18:43 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 2m 9s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:2
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:Q7Ct3eA5NE.exe
      (renamed file extension from tmp to exe, renamed because original name is a hash value)
      Original Sample Name:180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235.tmp
      Detection:CLEAN
      Classification:clean2.winEXE@1/0@0/0
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Stop behavior analysis, all processes terminated

      Warnings

      • Exclude process from analysis (whitelisted): dllhost.exe
      • VT rate limit hit for: Q7Ct3eA5NE.exe

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):6.3954052093134015
      TrID:
      • Win32 Executable (generic) a (10002005/4) 97.20%
      • Windows ActiveX control (116523/4) 1.13%
      • Inno Setup installer (109748/4) 1.07%
      • InstallShield setup (43055/19) 0.42%
      • Windows Screen Saver (13104/52) 0.13%
      File name:Q7Ct3eA5NE.exe
      File size:1'486'848 bytes
      MD5:59fa1a478f284afac139920f0d64bdcc
      SHA1:a42e353a3718f1eb56174ff68e77db2c3c841ac5
      SHA256:180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235
      SHA512:e8c964976cf73bddff590c075245c0f68288e0ab86042773077a546c8428a1eefa88bd8055d97c191563afaa1063d6f066983cfa5f5f0af20652bd8dc3a63abb
      SSDEEP:24576:kCBq/5WxgBsS4lhpCqKkJ98hCPVaXJa9cHBZOFEw0cCu3FnbQkWqAOM2xtA:CxJsFZKCuJQkO2cC2Ue
      TLSH:24654B12A2E28833E5733F358D2B86946C367D652E64949B3FF45E0C0E39B41BD39792
      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

      File Icon

      Icon Hash:2d2e3797b32b2b99

      Static PE Info

      General

      Entrypoint:0x54b07c
      Entrypoint Section:.itext
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
      DLL Characteristics:TERMINAL_SERVER_AWARE
      Time Stamp:0x4EF6EA3C [Sun Dec 25 09:17:48 2011 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:0
      File Version Major:5
      File Version Minor:0
      Subsystem Version Major:5
      Subsystem Version Minor:0
      Import Hash:ab2499e0e72dfad09db9c131cd20670f

      Entrypoint Preview

      Instruction
      push ebp
      mov ebp, esp
      add esp, FFFFFFF0h
      push ebx
      push esi
      push edi
      mov eax, 00548B60h
      call 00007F57597A1ECAh
      push FFFFFFECh
      mov eax, dword ptr [0054F1FCh]
      mov eax, dword ptr [eax]
      mov ebx, dword ptr [eax+00000170h]
      push ebx
      call 00007F57597A2E5Dh
      and eax, FFFFFF7Fh
      push eax
      push FFFFFFECh
      mov eax, dword ptr [0054F1FCh]
      push ebx
      call 00007F57597A30BAh
      xor eax, eax
      push ebp
      push 0054B0F7h
      push dword ptr fs:[eax]
      mov dword ptr fs:[eax], esp
      push 00000001h
      call 00007F57597A277Dh
      call 00007F57598E1628h
      mov eax, dword ptr [00548798h]
      push eax
      push 005487FCh
      mov eax, dword ptr [0054F1FCh]
      mov eax, dword ptr [eax]
      call 00007F57598BADD5h
      call 00007F57598E167Ch
      xor eax, eax
      pop edx
      pop ecx
      pop ecx
      mov dword ptr fs:[eax], edx
      jmp 00007F57598E3E6Bh
      jmp 00007F575979D601h
      call 00007F57598E13F8h
      mov eax, 00000001h
      call 00007F575979E0C2h
      call 00007F575979DA45h
      mov eax, dword ptr [0054F1FCh]
      mov eax, dword ptr [eax]
      mov edx, 0054B28Ch
      call 00007F57598BA898h
      push 00000005h
      mov eax, dword ptr [0054F1FCh]
      mov eax, dword ptr [eax]
      mov eax, dword ptr [eax+00000170h]
      push eax
      call 00007F57597A307Bh
      mov eax, dword ptr [0054F1FCh]
      mov eax, dword ptr [eax]
      mov edx, dword ptr [004D7EF4h]

      Data Directories

      NameVirtual AddressVirtual Size Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IMPORT0x1570000x3b60.idata
      IMAGE_DIRECTORY_ENTRY_RESOURCE0x15d0000x1a200.rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
      IMAGE_DIRECTORY_ENTRY_TLS0x15c0000x18.rdata
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IAT0x157b140x90c.idata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

      Sections

      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x10000x1480280x148200c67dcc9577c7d26fb3213014481b8eb1False0.4730535714285714data6.464197222589196IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .itext0x14a0000x12980x1400c0c9f0e982ea484aa4611702887a35a7False0.51953125data5.778044308334974IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .data0x14c0000x34700x3600cbd5e402d1a2fe1e8aff761ffee72839False0.4126880787037037data4.241668276697779IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .bss0x1500000x60f40x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .idata0x1570000x3b600x3c0033154e6362b7b3346a4772337cc7d377False0.31490885416666664data5.236592358677999IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .tls0x15b0000x3c0x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rdata0x15c0000x180x2006b0370927ff8becba9c5da9a1b6933cdFalse0.052734375data0.2108262677871819IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .rsrc0x15d0000x1a2000x1a2007d0d26d9d349a84f2d40719db25ef52cFalse0.24324349581339713data4.8633654343293955IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

      Resources

      NameRVASizeTypeLanguageCountryZLIB Complexity
      RT_CURSOR0x15dcd40x134Targa image data - Map 64 x 65536 x 1 +32 "\001"EnglishUnited States0.38636363636363635
      RT_CURSOR0x15de080x134dataEnglishUnited States0.4642857142857143
      RT_CURSOR0x15df3c0x134dataEnglishUnited States0.4805194805194805
      RT_CURSOR0x15e0700x134dataEnglishUnited States0.38311688311688313
      RT_CURSOR0x15e1a40x134dataEnglishUnited States0.36038961038961037
      RT_CURSOR0x15e2d80x134dataEnglishUnited States0.4090909090909091
      RT_CURSOR0x15e40c0x134Targa image data - RGB 64 x 65536 x 1 +32 "\001"EnglishUnited States0.4967532467532468
      RT_BITMAP0x15e5400x4e8Device independent bitmap graphic, 48 x 48 x 4, image size 11520.2945859872611465
      RT_BITMAP0x15ea280xe8Device independent bitmap graphic, 16 x 16 x 4, image size 1280.521551724137931
      RT_ICON0x15eb100x128Device independent bitmap graphic, 16 x 32 x 4, image size 192ChineseChina0.5675675675675675
      RT_ICON0x15ec380x568Device independent bitmap graphic, 16 x 32 x 8, image size 320ChineseChina0.4486994219653179
      RT_ICON0x15f1a00x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640ChineseChina0.4637096774193548
      RT_ICON0x15f4880x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1152ChineseChina0.3935018050541516
      RT_STRING0x15fd300xc4data0.6224489795918368
      RT_STRING0x15fdf40x258data0.475
      RT_STRING0x16004c0x250data0.46621621621621623
      RT_STRING0x16029c0x470data0.39348591549295775
      RT_STRING0x16070c0x470data0.3829225352112676
      RT_STRING0x160b7c0x2a4data0.48668639053254437
      RT_STRING0x160e200xc0data0.6666666666666666
      RT_STRING0x160ee00x210data0.5037878787878788
      RT_STRING0x1610f00x3d0data0.382172131147541
      RT_STRING0x1614c00x3d8data0.366869918699187
      RT_STRING0x1618980x5ecdata0.3087071240105541
      RT_STRING0x161e840x32cdata0.41995073891625617
      RT_STRING0x1621b00x344data0.3827751196172249
      RT_STRING0x1624f40x3bcdata0.39435146443514646
      RT_STRING0x1628b00xd0data0.5288461538461539
      RT_STRING0x1629800xb8data0.6467391304347826
      RT_STRING0x162a380x274data0.48089171974522293
      RT_STRING0x162cac0x3f0data0.314484126984127
      RT_STRING0x16309c0x314data0.434010152284264
      RT_STRING0x1633b00x2c0data0.421875
      RT_RCDATA0x1636700x82e8dataEnglishUnited States0.11261637622344235
      RT_RCDATA0x16b9580x10data1.5
      RT_RCDATA0x16b9680x1800PE32+ executable (console) x86-64, for MS WindowsEnglishUnited States0.3826497395833333
      RT_RCDATA0x16d1680x720data0.6392543859649122
      RT_RCDATA0x16d8880x5b10PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS WindowsEnglishUnited States0.3255404941660947
      RT_RCDATA0x1733980x147Delphi compiled form 'TMainForm'0.746177370030581
      RT_RCDATA0x1734e00x3a2Delphi compiled form 'TNewDiskForm'0.524731182795699
      RT_RCDATA0x1738840x320Delphi compiled form 'TSelectFolderForm'0.53625
      RT_RCDATA0x173ba40x300Delphi compiled form 'TSelectLanguageForm'0.5703125
      RT_RCDATA0x173ea40x5d9Delphi compiled form 'TUninstallProgressForm'0.4562458249832999
      RT_RCDATA0x1744800x461Delphi compiled form 'TUninstSharedFileForm'0.4335414808206958
      RT_RCDATA0x1748e40x1fafDelphi compiled form 'TWizardForm'0.23018123535938848
      RT_GROUP_CURSOR0x1768940x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
      RT_GROUP_CURSOR0x1768a80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
      RT_GROUP_CURSOR0x1768bc0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
      RT_GROUP_CURSOR0x1768d00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
      RT_GROUP_CURSOR0x1768e40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
      RT_GROUP_CURSOR0x1768f80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
      RT_GROUP_CURSOR0x17690c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
      RT_GROUP_ICON0x1769200x3edataChineseChina0.8387096774193549
      RT_VERSION0x1769600x15cdataEnglishUnited States0.5689655172413793
      RT_MANIFEST0x176abc0x560XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4251453488372093

      Imports

      DLLImport
      oleaut32.dllSysFreeString, SysReAllocStringLen, SysAllocStringLen
      advapi32.dllRegQueryValueExW, RegOpenKeyExW, RegCloseKey
      user32.dllGetKeyboardType, LoadStringW, MessageBoxA, CharNextW
      kernel32.dllGetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
      kernel32.dllTlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
      user32.dllCreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameW, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyIcon, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
      msimg32.dllAlphaBlend
      gdi32.dllUnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW
      version.dllVerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
      mpr.dllWNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum
      kernel32.dlllstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle
      advapi32.dllRegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
      oleaut32.dllGetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
      ole32.dllOleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
      comctl32.dllInitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
      kernel32.dllSleep
      oleaut32.dllSafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
      winspool.drvOpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
      winspool.drvGetDefaultPrinterW
      shell32.dllShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW
      shell32.dllSHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW
      comdlg32.dllGetSaveFileNameW, GetOpenFileNameW
      ole32.dllCoDisconnectObject
      advapi32.dllAdjustTokenPrivileges
      oleaut32.dllSysFreeString

      Possible Origin

      Language of compilation systemCountry where language is spokenMap
      EnglishUnited States
      ChineseChina

      Network Behavior

      No network behavior found

      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      High Level Behavior Distribution

      Click to dive into process behavior distribution

      System Behavior

      General

      Target ID:0
      Start time:18:19:34
      Start date:19/04/2024
      Path:C:\Users\user\Desktop\Q7Ct3eA5NE.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\Q7Ct3eA5NE.exe"
      Imagebase:0x400000
      File size:1'486'848 bytes
      MD5 hash:59FA1A478F284AFAC139920F0D64BDCC
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:low
      Has exited:true

      Disassembly

      No disassembly