
Windows Analysis Report
UltraVNC_1_4_20_X64_Setup.exe

Overview

General Information

Sample Name:UltraVNC_1_4_20_X64_Setup.exe
Analysis ID:849845
MD5:cb68cb54c38d053f83da53e386e37113
SHA1:2d86c3b061090c52c9c9b12404643e90ef09378c
SHA256:73d3523558b9177185f782e690d1219d7c4ed12124ea962ca7bb37df46bd0741
Infos:

Detection

Score:10
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Obfuscated command line found
Uses 32bit PE files
Drops PE files
PE file contains sections with non-standard names

Classification

  • System is w10x64_ra
  • UltraVNC_1_4_20_X64_Setup.exe (PID: 7136 cmdline: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe MD5: CB68CB54C38D053F83DA53E386E37113)
    • UltraVNC_1_4_20_X64_Setup.tmp (PID: 3624 cmdline: "C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp" /SL5="$3025A,4425789,1073152,C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe" MD5: 1E199F2650A289BF0503864D6AC0DE9E)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: UltraVNC_1_4_20_X64_Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: UltraVNC_1_4_20_X64_Setup.exe | Static PE information: certificate valid
Source: UltraVNC_1_4_20_X64_Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.8.44
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.32.24
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.32.24
Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.8.44
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: UltraVNC_1_4_20_X64_Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | File read: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | File created: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: classification engine | Classification label: clean10.winEXE@3/3@0/15
Source: unknown | Process created: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp" /SL5="$3025A,4425789,1073152,C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe"
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp" /SL5="$3025A,4425789,1073152,C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe"
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback
Source: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | Window found: window name: TSelectLanguageForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: UltraVNC_1_4_20_X64_Setup.exe | Static file information: File size 5358040 > 1048576
Source: UltraVNC_1_4_20_X64_Setup.exe | Static PE information: certificate valid
Source: UltraVNC_1_4_20_X64_Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp" /SL5="$3025A,4425789,1073152,C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe"
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp" /SL5="$3025A,4425789,1073152,C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe"
Source: UltraVNC_1_4_20_X64_Setup.exe | Static PE information: section name: .didata
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | File created: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp
Source: C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
MITRE ATT&CK matrix (a leading number is the count of matched signatures mapped to that technique):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Source | Detection | Scanner | Label | Link
UltraVNC_1_4_20_X64_Setup.exe | 3% | ReversingLabs | |
UltraVNC_1_4_20_X64_Setup.exe | 5% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-4O65A.tmp\UltraVNC_1_4_20_X64_Setup.tmp | 0% | Virustotal | | Browse
No Antivirus matches
No contacted domains info
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
52.109.32.24 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.109.8.44 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
192.229.221.95 | unknown | United States | | 15133 | EDGECASTUS | false
Joe Sandbox Version:37.0.0 Beryl
Analysis ID:849845
Start date and time:2023-04-19 16:33:41 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:1
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample file name:UltraVNC_1_4_20_X64_Setup.exe
Detection:CLEAN
Classification:clean10.winEXE@3/3@0/15
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): login.live.com
Process:C:\Users\user\Desktop\UltraVNC_1_4_20_X64_Setup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3414984
Entropy (8bit):6.382783556411566
Encrypted:false
SSDEEP:
MD5:1E199F2650A289BF0503864D6AC0DE9E
SHA1:5E45ED8EE42402F017A4BD5571EC07753A51FB47
SHA-256:A8C8B556B400249934DC958F0AC075B92A113783762801D26541BC40987662DE
SHA-512:AA8BD2E983FC8B3C2272CE64FA9257636843448E39A3E01868EF4089F57EDA0B421EDB778E8913D406F5A3CABD93E92286029AEF14B7A218F1805C0CDF5F96AD
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Reputation:low
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................4......4...@......@....................-......p-.29....-.0.............3..'....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc...0.....-.......-.............@..@..............1.......0.............@..@........................................................
File Type:data
Category:dropped
Size (bytes):576
Entropy (8bit):5.059635826240281
Encrypted:false
SSDEEP:
MD5:7EC2D1C016B14977DDF379F339D946A5
SHA1:E26F146E618B64736E8FCA33A65C8D2C6EDC48E2
SHA-256:85788E6549A95B1C550A24A695E0DA22CE597936822A0218DFBDE3E509F47B70
SHA-512:2408F251C034630174A446B6E127058A0F49C25FA60CA469D472DCEEEA76D72257510FAE791003120B15ED566CD93F1AFFCDD618A93FA5FCAFCE163D898C9358
Malicious:false
Reputation:low
Preview:.6...AAAAAAA...AAAAA...A.A.A/ALAAAAAAAAAAAbA5AtA.!.AGA.A.bbA.A`A.].A%A.A...A AHA...AVA.A.n.AKA.A6d.A.A.A6.A~AEA...6.A.A..Ab.A...A...A...An.LA..bA...A..bA..#A..bA5..A...6#.qA.^tA..&A.5.6..A..bA..A...6`.~A.G.6N..A..bA2..A...A6#.A.-.A.#.A...A.#cA...6*#.A.*bA..A...An..A...A..A..bA..A. bA..A.tbA.SAA.AbA.S.A.6.AF..A.L.A`..A...AN.A...A..(A.}.A...A.1.A...A..A...A...AV..A..AQ.yA._.AE.MA...A|.A...AU..A...6...A...6...A.?.6...A.H.A..A.9bAK.XA...A...A...A..DA..A...A.%bAZ.A.;b.q..A.#b...7A...Aw..A68.AAA.AtA.6...........................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.853456231667099
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.04%
  • Inno Setup installer (109748/4) 1.08%
  • InstallShield setup (43055/19) 0.42%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:UltraVNC_1_4_20_X64_Setup.exe
File size:5358040
MD5:cb68cb54c38d053f83da53e386e37113
SHA1:2d86c3b061090c52c9c9b12404643e90ef09378c
SHA256:73d3523558b9177185f782e690d1219d7c4ed12124ea962ca7bb37df46bd0741
SHA512:206bfc88bb1dd98dcf2f96a717373b27a4ca5bf584da5e386f6ee4fbcff7849a6b0cfc85cce4430b68bd5ea479f2a0c0f24fadd2570958279d28c559babc6c54
SSDEEP:98304:BSi+Jol0atLxLZ63PwDH3CZYNavF51RQ16gxjdiTavfeta3wig:cJolLlQuXAsM5zgHga2agig
TLSH:1346012BB734693ED45A06711072CBB0963BAE5225258D2A17F07C1FFF3A5E11E2B217
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:d0ce8ecccc8ef0c4
Entrypoint:0x4b5eec
Entrypoint Section:.itext
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:5a594319a0d69dbc452e748bcf05892e
Signature Valid:true
Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before:9/23/2022 2:00:00 AM
Not After:9/23/2025 1:59:59 AM
Subject Chain
  • CN=uvnc bvba, O=uvnc bvba, S=Antwerpen, C=BE
Version:3
Thumbprint MD5:9DD4D820F2BD4C1E19D0B58E87D2E5E8
Thumbprint SHA-1:ADC749D2F75F158C8218857FF187F81B97B3872A
Thumbprint SHA-256:CAB069B8C7CB68F49FA0E8DCF3BECFDE320F4A241E571C2741B701EB0EC1B833
Serial:4C03670A31E62B9FACB9D2D37039BD07
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007F2154DA2715h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F2154E44E3Fh
call 00007F2154E44992h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F2154DB8188h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F2154D9D307h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007F2154DB91EFh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F2154E44EC7h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F2154E4B4AAh
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F2154DB9AE4h
mov edx, dword ptr [004C1D90h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x4bd38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x519a10 | 0x27c8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb361c | 0xb3800 | False | 0.3448639341051532 | data | 6.356058204328091 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | False | 0.544921875 | data | 5.972750055221053 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | False | 0.36097935267857145 | data | 5.044400562007734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xbb000 | 0x6de8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc2000 | 0xf36 | 0x1000 | False | 0.3681640625 | data | 4.8987046479600425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xc3000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.7563628682496506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xc4000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.8722228665884297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xc6000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x4bd38 | 0x4be00 | False | 0.17498970345963757 | data | 5.165168911096991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc75b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States
RT_ICON | 0xc8460 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States
RT_ICON | 0xc8d08 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States
RT_ICON | 0xc93d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States
RT_ICON | 0xc9938 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States
RT_ICON | 0x10b960 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
RT_ICON | 0x10df08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
RT_ICON | 0x10efb0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States
RT_ICON | 0x10f938 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_STRING | 0x10fda0 | 0x360 | data | |
RT_STRING | 0x110100 | 0x260 | data | |
RT_STRING | 0x110360 | 0x45c | data | |
RT_STRING | 0x1107bc | 0x40c | data | |
RT_STRING | 0x110bc8 | 0x2d4 | data | |
RT_STRING | 0x110e9c | 0xb8 | data | |
RT_STRING | 0x110f54 | 0x9c | data | |
RT_STRING | 0x110ff0 | 0x374 | data | |
RT_STRING | 0x111364 | 0x398 | data | |
RT_STRING | 0x1116fc | 0x368 | data | |
RT_STRING | 0x111a64 | 0x2a4 | data | |
RT_RCDATA | 0x111d08 | 0x10 | data | |
RT_RCDATA | 0x111d18 | 0x2c4 | data | |
RT_RCDATA | 0x111fdc | 0x2c | data | |
RT_GROUP_ICON | 0x112008 | 0x84 | data | English | United States
RT_VERSION | 0x11208c | 0x584 | data | English | United States
RT_MANIFEST | 0x112610 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x454060
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c

Language of compilation system | Country where language is spoken | Map
English | United States |