Edit tour

Windows Analysis Report
SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe
Analysis ID:	1429026
MD5:	b1f4de35bbe7146f49c7d99e1e3428d7
SHA1:	9327fda584f1bead79ca9e88350213cfe11d86d7
SHA256:	89d19fc31c09ba59b296449138111a40baee2e5d3d85d3ea93874e369db82604
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe" MD5: B1F4DE35BBE7146F49C7D99E1E3428D7)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2043298741.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Virustotal: Detection: 7%

Perma Link

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe, 00000000.00000000.2043298741.0000000000401000.00000020.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_0502a3fa-a

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	String found in binary or memory: http://fontawesome.io
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	String found in binary or memory: http://fontawesome.io/license/
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Static PE information: Number of sections : 11 > 10

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: Yara match	File source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2043298741.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe, 00000000.00000000.2044079750.00000000009E4000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: INSERT INTO ordentipo (CODORDTIPO, ord_tipo, ctaco_tipo, calcula_utilidad, carga_inventario, maneja_costo, dialogos_costo, maneja_puntos, maneja_iva, maneja_kardex, maneja_pagos, carga_ctaco, maneja_caja, acumula_productos, seleccionar, correlativo, tipo_correlativo, utiliza_correlativo, presenta_dialogo_pagos, presenta_precios, pago, reporte, facturacion, imprime_solo_operadas, seleccionar2, emite_recibo, reporte2, maneja_productos, modifica_costos, numero_lineas, descripcion_corta, produccion0, produccion1, utiliza_correlativo2, cambiar_bodega, modifica_precios_publico, guarda_precio_dolares, permite_utilizar_cuenta_predeterminada, tipo_producto_fisico, tipo_producto_documento, CODUNICO, activo, columna_pagos) VALUES ('TRANS_RECIBIDA', 'TRANSFERENCIA RECIBIDA', 'NO APLICA', 'NO', 'CARGA', 'COSTO', 'PCOSTO', 'NO', 'NO', 'SI', 'NO', 'NO APLICA', 'NO APLICA', 'NO', 'SI', 9, 'NULL', 'SI', 'NO', 'NO', 'NO', 'InventarioTransferenciaRecibida.fr3', 'NO', 'SI', 'NO', 'NO', 'NULL', 'SI', 'NO', 0, 'TREMR', 'CARGA', 'DESCARGA', 'SI', 'NO', 'NO', 'NO', 'NO', 'SI', '%', 31, 'SI', 'PAGOS E IMPORTE');

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Virustotal: Detection: 7%

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: compstui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: inetres.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Static file information: File size 6604800 > 1048576

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x533c00

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Static PE information: More than 200 imports for user32.dll

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Binary or memory string: Shell_TrayWndSVW
Source: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	12%	ReversingLabs
SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	7%	Virustotal		Browse

Name	Source	Malicious	Reputation
http://fontawesome.io	SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	false	high
http://fontawesome.io/license/	SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	false	high
http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens	SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429026
Start date and time:	2024-04-20 05:31:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.66864180726874
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe
File size:	6'604'800 bytes
MD5:	b1f4de35bbe7146f49c7d99e1e3428d7
SHA1:	9327fda584f1bead79ca9e88350213cfe11d86d7
SHA256:	89d19fc31c09ba59b296449138111a40baee2e5d3d85d3ea93874e369db82604
SHA512:	18b390a6ffc8b9f998520504e84280bc313ab12aea0f493a9a80b97377f9ce9088af4b97c87de989e899435508a25f2fac1b0978a14d3209ec411b2981d6836b
SSDEEP:	98304:8sA6oJtLXOkEhawOrbo2zJIsZrvYn7lEReWAKgf:82oJtLOkEhawOrb8qTj12f
TLSH:	03668D13B285543FD0AB1A36483F9798693FBB603A2A8D5B67F00C5C8F356817D26B47
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0f0f1d65651f0f0f

Static PE Info

General

Entrypoint:	0x93a994
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x5FA41B1B [Thu Nov 5 15:32:43 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	c7365ceb54c7201bf3502e2b1988b288

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
mov eax, 00928CDCh
call 00007F6160E33304h
mov eax, dword ptr [00951D78h]
mov eax, dword ptr [eax]
cmp byte ptr [eax+40h], 00000000h
je 00007F616135B9E2h
mov eax, dword ptr [00951D78h]
mov eax, dword ptr [eax]
call 00007F6161040CAFh
test al, al
je 00007F616135B9DEh
mov eax, dword ptr [00951D78h]
mov eax, dword ptr [eax]
mov edx, dword ptr [eax]
call dword ptr [edx+48h]
mov ecx, dword ptr [00951AA4h]
mov eax, dword ptr [00951D78h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00928A04h]
mov ebx, dword ptr [eax]
call dword ptr [ebx+44h]
mov eax, dword ptr [00951D78h]
mov eax, dword ptr [eax]
mov edx, dword ptr [eax]
call dword ptr [edx+4Ch]
pop ebx
call 00007F6160E2BAD1h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5e2000	0xa0	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5dc000	0x4700	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64b000	0x90c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e5000	0x65284	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5e4000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5dcd40	0xae8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x5e1000	0xb0e	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x533af8	0x533c00	4c2d7f86b007507acec708e0429b4184	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x535000	0x59f8	0x5a00	4b432f63730af58acd1f5c39e593e2e4	False	0.46197916666666666	data	5.946727425075548	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x53b000	0x17438	0x17600	b8afb01465de1d29a4fb40979aefa775	False	0.6573466744652406	data	6.658850933731549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x553000	0x886a4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5dc000	0x4700	0x4800	8b3b4df6c3a34e3601d3719fc8d4c4bf	False	0.3083767361111111	data	5.263301922913206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x5e1000	0xb0e	0xc00	074f3b7b976d8d9ccebe93027d5aa10b	False	0.3310546875	data	3.987196740345137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x5e2000	0xa0	0x200	f9295b5289476acc35fe1f21c02e7aa8	False	0.267578125	data	1.986654226521265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x5e3000	0x58	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5e4000	0x5c	0x200	4dfe9679c9789aaf6be6f6643656d090	False	0.1875	data	1.3630099847922963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e5000	0x65284	0x65400	e26fd5601e39d912eeb123b906146665	False	0.565721450617284	data	6.719712844822282	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x64b000	0x90c00	0x90c00	b9cbf7a5da4674fd72bc446ca406639a	False	0.46383176813471505	data	6.4062212517945465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
UNICODEDATA	0x64dd58	0x723f	data			0.36769583205115053
UNICODEDATA	0x654f98	0x7ebd	data			0.42552011095700415
UNICODEDATA	0x65ce58	0x6a8	data			0.5985915492957746
UNICODEDATA	0x65d500	0xaf7d	data			0.4191430161380078
UNICODEDATA	0x668480	0xd3cf	data			0.4500857569666009
UNICODEDATA	0x675850	0x14c5	data			0.6482979123565921
RT_CURSOR	0x676d18	0x134	data	English	United States	0.2922077922077922
RT_CURSOR	0x676e4c	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x676f80	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x6770b4	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x6771e8	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x67731c	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x677450	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x677584	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.3961038961038961
RT_CURSOR	0x6776b8	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.31493506493506496
RT_CURSOR	0x6777ec	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_BITMAP	0x677920	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x677af0	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x677cd4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x677ea4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x678074	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x678244	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x678414	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x6785e4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x6787b4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x678984	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x678b54	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x678c14	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x678cf4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x678dd4	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.391304347826087
RT_BITMAP	0x678e30	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.532608695652174
RT_BITMAP	0x678e8c	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.4782608695652174
RT_BITMAP	0x678ee8	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.5543478260869565
RT_BITMAP	0x678f44	0x5c	Device independent bitmap graphic, 6 x 11 x 1, image size 44	English	United States	0.4673913043478261
RT_BITMAP	0x678fa0	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.328042328042328
RT_BITMAP	0x679410	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.3289241622574956
RT_BITMAP	0x679880	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.40476190476190477
RT_BITMAP	0x679cf0	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.09435626102292768
RT_BITMAP	0x67a160	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.23721340388007053
RT_BITMAP	0x67a5d0	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.29188712522045857
RT_BITMAP	0x67aa40	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.1675485008818342
RT_BITMAP	0x67aeb0	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2892416225749559
RT_BITMAP	0x67b320	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2751322751322751
RT_BITMAP	0x67b790	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.30776014109347444
RT_BITMAP	0x67bc00	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.2777777777777778
RT_BITMAP	0x67c070	0x46e	Device independent bitmap graphic, 28 x 13 x 24, image size 1094, resolution 2834 x 2834 px/m	English	United States	0.41887125220458554
RT_BITMAP	0x67c4e0	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x67c5c0	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x67c680	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x67c740	0x2a4	Device independent bitmap graphic, 84 x 13 x 4, image size 572, 16 important colors			0.257396449704142
RT_BITMAP	0x67c9e4	0x128	Device independent bitmap graphic, 28 x 12 x 4, image size 192			0.5337837837837838
RT_BITMAP	0x67cb0c	0x128	Device independent bitmap graphic, 28 x 12 x 4, image size 192, 16 important colors			0.5067567567567568
RT_BITMAP	0x67cc34	0xc8	Device independent bitmap graphic, 14 x 12 x 4, image size 96, resolution 2835 x 2835 px/m, 16 important colors			0.48
RT_BITMAP	0x67ccfc	0xc8	Device independent bitmap graphic, 14 x 12 x 4, image size 96, resolution 2835 x 2835 px/m, 16 important colors			0.58
RT_BITMAP	0x67cdc4	0xc8	Device independent bitmap graphic, 14 x 12 x 4, image size 96			0.535
RT_BITMAP	0x67ce8c	0xc8	Device independent bitmap graphic, 14 x 12 x 4, image size 96, resolution 3811 x 3811 px/m, 16 important colors			0.65
RT_BITMAP	0x67cf54	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x67d034	0xc58	Device independent bitmap graphic, 51 x 20 x 24, image size 3120	English	United States	0.45126582278481014
RT_BITMAP	0x67dc8c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x67dd4c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x67de2c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x67df14	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x67dfd4	0xc8	Device independent bitmap graphic, 13 x 12 x 4, image size 96	English	United States	0.445
RT_BITMAP	0x67e09c	0xc8	Device independent bitmap graphic, 13 x 12 x 4, image size 96	English	United States	0.48
RT_BITMAP	0x67e164	0x4e8	Device independent bitmap graphic, 13 x 12 x 8, image size 192	English	United States	0.39888535031847133
RT_BITMAP	0x67e64c	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States	0.5625
RT_BITMAP	0x67e71c	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States	0.4855769230769231
RT_BITMAP	0x67e7ec	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States	0.4326923076923077
RT_BITMAP	0x67e8bc	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States	0.5576923076923077
RT_BITMAP	0x67e98c	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States	0.4807692307692308
RT_BITMAP	0x67ea5c	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States	0.5625
RT_BITMAP	0x67eb2c	0x4e8	Device independent bitmap graphic, 13 x 12 x 8, image size 192	English	United States	0.4036624203821656
RT_BITMAP	0x67f014	0x4e8	Device independent bitmap graphic, 13 x 12 x 8, image size 192	English	United States	0.4124203821656051
RT_BITMAP	0x67f4fc	0x4e8	Device independent bitmap graphic, 13 x 12 x 8, image size 192	English	United States	0.4028662420382166
RT_BITMAP	0x67f9e4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x67fac4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.6897163120567376
RT_ICON	0x67ff2c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5733606557377049
RT_ICON	0x6808b4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.4896810506566604
RT_ICON	0x68195c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.38392116182572616
RT_ICON	0x683f04	0x9978	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9986000814498066
RT_DIALOG	0x68d87c	0x52	data			0.7682926829268293
RT_DIALOG	0x68d8d0	0x52	data			0.7560975609756098
RT_STRING	0x68d924	0x102	data	Russian	Russia	0.5891472868217055
RT_STRING	0x68da28	0xd0	data	English	United States	0.6105769230769231
RT_STRING	0x68daf8	0x40	data	English	United States	0.53125
RT_STRING	0x68db38	0xc4	Matlab v4 mat-file (little endian) u, numeric, rows 0, columns 0	French	France	0.6377551020408163
RT_STRING	0x68dbfc	0xa0	data	French	France	0.6375
RT_STRING	0x68dc9c	0x7c	data	German	Germany	0.7016129032258065
RT_STRING	0x68dd18	0xbe	data	German	Germany	0.6263157894736842
RT_STRING	0x68ddd8	0x150	data	Italian	Italy	0.5476190476190477
RT_STRING	0x68df28	0xde	data	Polish	Poland	0.6711711711711712
RT_STRING	0x68e008	0x46	AmigaOS bitmap font "r", 21504 elements, 2nd, 3rd	Polish	Poland	0.6285714285714286
RT_STRING	0x68e050	0xac	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	Portuguese	Portugal	0.6976744186046512
RT_STRING	0x68e0fc	0x9a	data	Portuguese	Portugal	0.6233766233766234
RT_STRING	0x68e198	0x66	data			0.6764705882352942
RT_STRING	0x68e200	0xd6	data			0.6074766355140186
RT_STRING	0x68e2d8	0x6a	data			0.5849056603773585
RT_STRING	0x68e344	0x8e	data			0.6690140845070423
RT_STRING	0x68e3d4	0x1d6	data			0.5319148936170213
RT_STRING	0x68e5ac	0x244	data			0.49482758620689654
RT_STRING	0x68e7f0	0x19a	data			0.5219512195121951
RT_STRING	0x68e98c	0x92	data			0.678082191780822
RT_STRING	0x68ea20	0x24	data			0.4166666666666667
RT_STRING	0x68ea44	0x468	data			0.3820921985815603
RT_STRING	0x68eeac	0xbac	data			0.23560910307898258
RT_STRING	0x68fa58	0x3f8	data			0.4360236220472441
RT_STRING	0x68fe50	0x884	data			0.11788990825688074
RT_STRING	0x6906d4	0x888	data			0.13873626373626374
RT_STRING	0x690f5c	0x7fc	data			0.15851272015655576
RT_STRING	0x691758	0x810	data			0.15746124031007752
RT_STRING	0x691f68	0x9b4	data			0.12077294685990338
RT_STRING	0x69291c	0x968	data			0.12666112956810632
RT_STRING	0x693284	0x3b8	data			0.40756302521008403
RT_STRING	0x69363c	0x240	data			0.3784722222222222
RT_STRING	0x69387c	0x19c	data			0.470873786407767
RT_STRING	0x693a18	0x124	data			0.5205479452054794
RT_STRING	0x693b3c	0xfc	data			0.6190476190476191
RT_STRING	0x693c38	0x144	data			0.5432098765432098
RT_STRING	0x693d7c	0x440	data			0.42371323529411764
RT_STRING	0x6941bc	0x590	data			0.34831460674157305
RT_STRING	0x69474c	0x5a4	data			0.3656509695290859
RT_STRING	0x694cf0	0x588	data			0.375
RT_STRING	0x695278	0x3e4	data			0.3493975903614458
RT_STRING	0x69565c	0x70c	data			0.21840354767184036
RT_STRING	0x695d68	0x48c	data			0.41323024054982815
RT_STRING	0x6961f4	0x404	data			0.3424124513618677
RT_STRING	0x6965f8	0x4bc	data			0.2623762376237624
RT_STRING	0x696ab4	0x400	data			0.33203125
RT_STRING	0x696eb4	0x488	data			0.41724137931034483
RT_STRING	0x69733c	0x688	data			0.30801435406698563
RT_STRING	0x6979c4	0x3d0	data			0.4108606557377049
RT_STRING	0x697d94	0x410	data			0.31826923076923075
RT_STRING	0x6981a4	0x374	data			0.4287330316742081
RT_STRING	0x698518	0x36c	data			0.4223744292237443
RT_STRING	0x698884	0x3ec	data			0.34760956175298807
RT_STRING	0x698c70	0x584	data			0.2556657223796034
RT_STRING	0x6991f4	0x4a4	data			0.35353535353535354
RT_STRING	0x699698	0x3dc	data			0.3248987854251012
RT_STRING	0x699a74	0x404	data			0.43093385214007784
RT_STRING	0x699e78	0x3f8	data			0.4124015748031496
RT_STRING	0x69a270	0x424	data			0.3650943396226415
RT_STRING	0x69a694	0x2b8	StarOffice Gallery theme l, 1677731072 objects, 1st l			0.45545977011494254
RT_STRING	0x69a94c	0xa0	data			0.7125
RT_STRING	0x69a9ec	0xe4	data			0.6359649122807017
RT_STRING	0x69aad0	0x2c4	data			0.4138418079096045
RT_STRING	0x69ad94	0x254	data			0.4865771812080537
RT_STRING	0x69afe8	0x3d0	data			0.3698770491803279
RT_STRING	0x69b3b8	0x3b8	data			0.3760504201680672
RT_STRING	0x69b770	0x444	data			0.358974358974359
RT_STRING	0x69bbb4	0x350	data			0.30778301886792453
RT_STRING	0x69bf04	0x3d8	data			0.4247967479674797
RT_STRING	0x69c2dc	0x45c	data			0.38082437275985664
RT_STRING	0x69c738	0x57c	data			0.34971509971509973
RT_STRING	0x69ccb4	0x394	data			0.38318777292576417
RT_STRING	0x69d048	0x3a0	data			0.3286637931034483
RT_STRING	0x69d3e8	0x40c	data			0.3735521235521235
RT_STRING	0x69d7f4	0xd0	data			0.5288461538461539
RT_STRING	0x69d8c4	0xb8	data			0.6467391304347826
RT_STRING	0x69d97c	0x298	data			0.4819277108433735
RT_STRING	0x69dc14	0x438	data			0.3212962962962963
RT_STRING	0x69e04c	0x344	data			0.39593301435406697
RT_STRING	0x69e390	0x2dc	data			0.38114754098360654
RT_STRING	0x69e66c	0x34c	data			0.3246445497630332
RT_RCDATA	0x69e9b8	0xcbf	PNG image data, 60 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.0033711308611708
RT_RCDATA	0x69f678	0x3a5	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	English	United States	1.0117899249732047
RT_RCDATA	0x69fa20	0x286ac	TrueType Font data, 13 tables, 1st "FFTM", 24 names, Macintosh	English	United States	0.5930183390919854
RT_RCDATA	0x6c80cc	0x10	data			1.5
RT_RCDATA	0x6c80dc	0x1394	data			0.5203511572226656
RT_RCDATA	0x6c9470	0x2	data	English	United States	5.0
RT_RCDATA	0x6c9474	0x5ea	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0072655217965654
RT_RCDATA	0x6c9a60	0x5c9	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0074274139095205
RT_RCDATA	0x6ca02c	0x314	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.013959390862944
RT_RCDATA	0x6ca340	0xb88	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.9088753387533876
RT_RCDATA	0x6caec8	0xabc	PNG image data, 48 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.8966521106259098
RT_RCDATA	0x6cb984	0xb4af	Delphi compiled form 'Td'			0.18999027132201923
RT_RCDATA	0x6d6e34	0x153	Delphi compiled form 'TForm2'			0.7197640117994101
RT_RCDATA	0x6d6f88	0xc3	Delphi compiled form 'Tfscarga'			0.8615384615384616
RT_RCDATA	0x6d704c	0x494	Delphi compiled form 'TLoginDialog'			0.48976109215017066
RT_RCDATA	0x6d74e0	0x3c4	Delphi compiled form 'TPasswordDialog'			0.4678423236514523
RT_RCDATA	0x6d78a4	0x572	Delphi compiled form 'TPathDialogForm'			0.5186513629842181
RT_RCDATA	0x6d7e18	0x1984	Delphi compiled form 'TsCalcForm'			0.1979485609308022
RT_RCDATA	0x6d979c	0x15b4	Delphi compiled form 'TsColorDialogForm'			0.32199424046076314
RT_RCDATA	0x6dad50	0x1c0	Delphi compiled form 'TsPopupCalendar'			0.671875
RT_GROUP_CURSOR	0x6daf10	0x14	data	English	United States	1.3
RT_GROUP_CURSOR	0x6daf24	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6daf38	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6daf4c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6daf60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x6daf74	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6daf88	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6daf9c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6dafb0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x6dafc4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x6dafd8	0x4c	data	English	United States	0.7763157894736842
RT_VERSION	0x6db024	0x34c	data	English	United States	0.4537914691943128
RT_MANIFEST	0x6db370	0x69f	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.4176991150442478

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, CreateDirectoryW, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, WindowFromPoint, WindowFromDC, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostThreadMessageW, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, NotifyWinEvent, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxIndirectW, MessageBoxA, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, InsertMenuItemW, InsertMenuW, HideCaret, GetWindowThreadProcessId, GetWindowTextLengthW, GetWindowTextW, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemRect, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawStateW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CreateCaret, CreateAcceleratorTableW, CountClipboardFormats, CopyRect, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, CharLowerBuffA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetDCPenColor, SetBrushOrgEx, SetBkMode, SetBkColor, SetBitmapBits, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, RemoveFontMemResourceEx, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlgBlt, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStretchBltMode, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetGlyphOutlineW, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetCurrentObject, GetClipBox, GetBrushOrgEx, GetBitmapDimensionEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, ArcTo, Arc, AngleArc, AddFontMemResourceEx, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrcmpiA, lstrcmpW, WriteProcessMemory, WriteFile, WideCharToMultiByte, WaitNamedPipeW, WaitForSingleObject, WaitForMultipleObjectsEx, WaitForMultipleObjects, VirtualQueryEx, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, TryEnterCriticalSection, TerminateThread, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadProcessMemory, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, OpenProcess, MultiByteToWideChar, MulDiv, MoveFileW, LockResource, LocalFree, LoadResource, LoadLibraryW, LoadLibraryExW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStringTypeExW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindNextChangeNotification, FindFirstFileW, FindFirstChangeNotificationW, FindCloseChangeNotification, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringA, CompareStringW, CloseHandle
advapi32.dll	ReportEventW, RegisterEventSourceW, RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExA, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExA, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey, DeregisterEventSource
advapi32.dll	StartServiceCtrlDispatcherW, SetServiceStatus, RegisterServiceCtrlHandlerW, OpenServiceW, OpenSCManagerW, DeleteService, CreateServiceW, CloseServiceHandle
IMAGEHLP.DLL	ImageDirectoryEntryToData
kernel32.dll	Sleep
netapi32.dll	NetApiBufferFree, NetWkstaGetInfo
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, VariantInit, SysStringLen, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoGetMalloc, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
shell32.dll	ShellExecuteExW, ShellExecuteW, Shell_NotifyIconW, ExtractIconW
shell32.dll	SHGetSpecialFolderLocation, SHGetMalloc, SHGetDesktopFolder
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
wsock32.dll	__WSAFDIsSet, WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, shutdown, setsockopt, send, select, recv, ntohs, listen, ioctlsocket, inet_ntoa, inet_addr, htons, getsockopt, getsockname, connect, closesocket, bind, accept
winmm.dll	sndPlaySoundW
kernel32.dll	MulDiv
oleacc.dll	LresultFromObject
kernel32.dll	GetVersionExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x469904
__dbk_fcall_wrapper	2	0x4121a8
dbkFCallWrapperAddr	1	0x956634

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia
French	France
German	Germany
Italian	Italy
Polish	Poland
Portuguese	Portugal

Target ID:	0
Start time:	05:32:02
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe"
Imagebase:	0x400000
File size:	6'604'800 bytes
MD5 hash:	B1F4DE35BBE7146F49C7D99E1E3428D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2043298741.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exePID: 6752, Parent PID: 1028

General

Chronological Activities

Disassembly

Windows Analysis Report
SecuriteInfo.com.BScope.Backdoor.Androm.14487.24591.exe