File details | |
---|---|
File type: | PE32 executable (GUI) Intel 80386, for MS Windows |
File size: | 2496.00 KB (2555904 bytes) |
Compile time: | 2020-08-19 04:42:21 |
MD5: | eb8900ff6473c43bd391693b90696237 |
SHA1: | e74bf9ad42088ec4d29a1cbff5b8772e5d62657a |
SHA256: | 622db933ac90e44d8e45ac0fdcfecfcea9dfc6df63fe2516462ce17cae4053cd |
Import hash: | 27486c609cb57a1a09dec1e9956e0189 |
Sections 11 | .text .itext .data .bss .idata .didata .edata .tls .rdata .reloc .rsrc |
Directories 5 | import export resource tls relocation |
First submission: | 2022-03-01 04:51:10 |
Last submission: | 2022-03-01 04:51:10 |
Filename detected: |
- inst2_20.exe (1) |
URL file hosting |
---|
hXXp://download.xp666.com/xzqswf/app/inst2_20.exe |
Antivirus Report | |||
---|---|---|---|
Report Date | Detection Ratio | Permalink | Update |
No report available |
PE Sections 2 suspicious | |||||
---|---|---|---|---|---|
Name | VAddress | VSize | Size | MD5 | SHA1 |
.text | 0x1000 | 0x22148c | 2233856 | 44190e4a8c0fdff925ec6177ae55d056 | 2ce276259b53141dc6ca64d843ad828f8cebe2fb |
.itext | 0x223000 | 0x206c | 8704 | d3ccb5fb62c90c5f986d8d744f76dc02 | 7788346f353c3d29f4ddbb67bd53f90343e2f39a |
.data | 0x226000 | 0x73d0 | 29696 | 91b35a5b8adbd3e2201ceeee78554909 | 3ac4ae25cd4fafa1a7af9840f126e00ba3e87d99 |
.bss | 0x22e000 | 0x59e8 | 0 | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
.idata | 0x234000 | 0x325e | 13312 | 07df07d788fe16b8def4cf9b13bfc9c2 | cafd5347697666072fd4891a8c5803fc4a0c944e |
.didata | 0x238000 | 0x87a | 2560 | 365b2096bdad405c416bd288e9b83e8b | e8bcd05a355cba5a1547dab425c002c902607113 |
.edata | 0x239000 | 0x5b | 512 | d81dd4f35489bdf63ceb74d9a9333168 | 015efb0d8f64e941856f7326a378dc881605cffc |
.tls | 0x23a000 | 0x3c | 0 | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
.rdata | 0x23b000 | 0x5d | 512 | 8332579de888fa768b095f3d408933eb | f9596e898976301a7f972e199db59755e19062cf |
.reloc | 0x23c000 | 0x350b0 | 217600 | 96f7973def1337211701e3ce67e88846 | 04281bc696d07d26c07cbf84a500d8359206b5a1 |
.rsrc | 0x272000 | 0xbc00 | 48128 | 88c5b12b666f149db13eef5fc45ba135 | fb3e805f8a544291eb68a07ed7c97611029c5df5 |
- API Alert
- Anti Debug
Meta Info | |
---|---|
No Meta found in this file |
XOR | |
---|---|
No XOR information found in this file. |
Signature | |
---|---|
This file isn't digitally signed |
Packer(s) | |
---|---|
Borland Delphi 3.0 (???) | |
Borland Delphi 4.0 | |
Borland Delphi v3.0 | |
Borland Delphi v6.0 - v7.0 | |
BobSoft Mini Delphi -> BoB / BobSoft |
File found | |
---|---|
File type: Library | |
USER32.dll | |
secur32.dll | |
ssleay32.dll | |
KERNEL32.dll | |
UxTheme.dll | |
security.dll | |
mswsock.dll | |
libeay32.dll | |
IPHLPAPI.DLL | |
normaliz.dll | |
Fwpuclnt.dll | |
IdnDL.dll | |
comctl32.dll | |
wship6.dll | |
ole32.dll | |
libssl32.dll | |
IMM32.dll | |
OLEAUT32.dll | |
WS2_32.DLL | |
urlmon.dll | |
WININET.dll | |
WSOCK32.dll | |
MSVCRT.dll | |
Netapi32.dll | |
ADVAPI32.dll | |
GDI32.dll | |
dwmapi.dll | |
WTSAPI32.dll | |
VERSION.dll | |
SHELL32.dll | |
MSIMG32.dll | |
File type: Web Page | |
http://t.duote.com/duote/index.php |
IP Found | |
---|---|
0.0.0.1 | |
127.0.0.1 |
URL(s) | |
---|---|
http://www.indyproject.org/ | |
http://t.duote.com/duote/index.php | |
http://download.xp666.com/xzqswf/cof/inst_cfg | |
http://api.xp666.com/get_server_limit.php?type=oper |
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven06_64 | Seven06_64 | VirtualBox | 2022-03-01 04:41:33 | 2022-03-01 04:44:43 | 190 |
7 Behaviors detected by system signatures
Deletes its original binary from disk
Severity: High
Confidence: Very High
Creates RWX memory
Severity: Medium
Confidence: Medium
Possible date expiration check, exits too soon after checking local time
Severity: Medium
Confidence: Medium
- process: inst2_20.exe, PID 2396
Dynamic (imported) function loading detected
Severity: Medium
Confidence: Very High
- DynamicLoader: kernel32.dll/GetNativeSystemInfo
- DynamicLoader: kernel32.dll/GetDiskFreeSpaceExW
- DynamicLoader: kernel32.dll/GetLogicalProcessorInformation
- DynamicLoader: kernel32.dll/GetLogicalProcessorInformation
- DynamicLoader: oleaut32.dll/VariantChangeTypeEx
- DynamicLoader: oleaut32.dll/VarNeg
- DynamicLoader: oleaut32.dll/VarNot
- DynamicLoader: oleaut32.dll/VarAdd
- DynamicLoader: oleaut32.dll/VarSub
- DynamicLoader: oleaut32.dll/VarMul
- DynamicLoader: oleaut32.dll/VarDiv
- DynamicLoader: oleaut32.dll/VarIdiv
- DynamicLoader: oleaut32.dll/VarMod
- DynamicLoader: oleaut32.dll/VarAnd
- DynamicLoader: oleaut32.dll/VarOr
- DynamicLoader: oleaut32.dll/VarXor
- DynamicLoader: oleaut32.dll/VarCmp
- DynamicLoader: oleaut32.dll/VarI4FromStr
- DynamicLoader: oleaut32.dll/VarR4FromStr
- DynamicLoader: oleaut32.dll/VarR8FromStr
- DynamicLoader: oleaut32.dll/VarDateFromStr
- DynamicLoader: oleaut32.dll/VarCyFromStr
- DynamicLoader: oleaut32.dll/VarBoolFromStr
- DynamicLoader: oleaut32.dll/VarBstrFromCy
- DynamicLoader: oleaut32.dll/VarBstrFromDate
- DynamicLoader: oleaut32.dll/VarBstrFromBool
- DynamicLoader: kernel32.dll/InitializeConditionVariable
- DynamicLoader: kernel32.dll/WakeConditionVariable
- DynamicLoader: kernel32.dll/WakeAllConditionVariable
- DynamicLoader: kernel32.dll/SleepConditionVariableCS
- DynamicLoader: ole32.dll/CoCreateInstanceEx
- DynamicLoader: ole32.dll/CoInitializeEx
- DynamicLoader: ole32.dll/CoAddRefServerProcess
- DynamicLoader: ole32.dll/CoReleaseServerProcess
- DynamicLoader: ole32.dll/CoResumeClassObjects
- DynamicLoader: ole32.dll/CoSuspendClassObjects
- DynamicLoader: CRYPTBASE.dll/SystemFunction036
- DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
- DynamicLoader: wtsapi32.dll/WTSRegisterSessionNotification
- DynamicLoader: USER32.dll/IsWindow
- DynamicLoader: USER32.dll/GetWindowThreadProcessId
- DynamicLoader: WINSTA.dll/WinStationRegisterConsoleNotification
- DynamicLoader: ADVAPI32.dll/LookupAccountSidW
- DynamicLoader: sechost.dll/LookupAccountSidLocalW
- DynamicLoader: ADVAPI32.dll/CreateWellKnownSid
- DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
- DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
- DynamicLoader: RPCRT4.dll/RpcStringFreeW
- DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
- DynamicLoader: sechost.dll/LookupAccountNameLocalW
- DynamicLoader: RPCRT4.dll/RpcAsyncInitializeHandle
- DynamicLoader: RPCRT4.dll/NdrClientCall2
- DynamicLoader: RPCRT4.dll/NdrAsyncClientCall
- DynamicLoader: uxtheme.dll/BufferedPaintInit
- DynamicLoader: GDI32.dll/GetLayout
- DynamicLoader: GDI32.dll/GdiRealizationInfo
- DynamicLoader: GDI32.dll/FontIsLinked
- DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
- DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
- DynamicLoader: GDI32.dll/GetTextFaceAliasW
- DynamicLoader: ADVAPI32.dll/RegEnumValueW
- DynamicLoader: ADVAPI32.dll/RegCloseKey
- DynamicLoader: ADVAPI32.dll/RegQueryValueExW
- DynamicLoader: ADVAPI32.dll/RegQueryValueExW
- DynamicLoader: GDI32.dll/GetFontAssocStatus
- DynamicLoader: ADVAPI32.dll/RegQueryValueExA
- DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
- DynamicLoader: GDI32.dll/GetTextFaceAliasW
- DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
- DynamicLoader: IMM32.DLL/ImmIsIME
- DynamicLoader: USER32.dll/AnimateWindow
- DynamicLoader: comctl32.dll/InitializeFlatSB
- DynamicLoader: comctl32.dll/UninitializeFlatSB
- DynamicLoader: comctl32.dll/FlatSB_GetScrollProp
- DynamicLoader: comctl32.dll/FlatSB_SetScrollProp
- DynamicLoader: comctl32.dll/FlatSB_EnableScrollBar
- DynamicLoader: comctl32.dll/FlatSB_ShowScrollBar
- DynamicLoader: comctl32.dll/FlatSB_GetScrollRange
- DynamicLoader: comctl32.dll/FlatSB_GetScrollInfo
- DynamicLoader: comctl32.dll/FlatSB_GetScrollPos
- DynamicLoader: comctl32.dll/FlatSB_SetScrollPos
- DynamicLoader: comctl32.dll/FlatSB_SetScrollInfo
- DynamicLoader: comctl32.dll/FlatSB_SetScrollRange
- DynamicLoader: USER32.dll/SetLayeredWindowAttributes
- DynamicLoader: kernel32.dll/GetFileSizeEx
- DynamicLoader: kernel32.dll/SortGetHandle
- DynamicLoader: kernel32.dll/SortCloseHandle
- DynamicLoader: security.dll/InitSecurityInterfaceW
- DynamicLoader: comctl32.dll/HIMAGELIST_QueryInterface
- DynamicLoader: comctl32.dll/DrawShadowText
- DynamicLoader: comctl32.dll/DrawSizeBox
- DynamicLoader: comctl32.dll/DrawScrollBar
- DynamicLoader: comctl32.dll/SizeBoxHwnd
- DynamicLoader: comctl32.dll/ScrollBar_MouseMove
- DynamicLoader: comctl32.dll/ScrollBar_Menu
- DynamicLoader: comctl32.dll/HandleScrollCmd
- DynamicLoader: comctl32.dll/DetachScrollBars
- DynamicLoader: comctl32.dll/AttachScrollBars
- DynamicLoader: comctl32.dll/CCSetScrollInfo
- DynamicLoader: comctl32.dll/CCGetScrollInfo
- DynamicLoader: comctl32.dll/CCEnableScrollBar
- DynamicLoader: comctl32.dll/QuerySystemGestureStatus
- DynamicLoader: uxtheme.dll/
- DynamicLoader: uxtheme.dll/CloseThemeData
- DynamicLoader: uxtheme.dll/OpenThemeData
- DynamicLoader: uxtheme.dll/CloseThemeData
- DynamicLoader: uxtheme.dll/DrawThemeBackground
- DynamicLoader: uxtheme.dll/DrawThemeText
- DynamicLoader: uxtheme.dll/GetThemeBackgroundContentRect
- DynamicLoader: uxtheme.dll/GetThemeBackgroundExtent
- DynamicLoader: uxtheme.dll/GetThemePartSize
- DynamicLoader: uxtheme.dll/GetThemeTextExtent
- DynamicLoader: uxtheme.dll/GetThemeTextMetrics
- DynamicLoader: uxtheme.dll/GetThemeBackgroundRegion
- DynamicLoader: uxtheme.dll/HitTestThemeBackground
- DynamicLoader: uxtheme.dll/DrawThemeEdge
- DynamicLoader: uxtheme.dll/DrawThemeIcon
- DynamicLoader: uxtheme.dll/IsThemePartDefined
- DynamicLoader: uxtheme.dll/IsThemeBackgroundPartiallyTransparent
- DynamicLoader: uxtheme.dll/GetThemeColor
- DynamicLoader: uxtheme.dll/GetThemeMetric
- DynamicLoader: uxtheme.dll/GetThemeString
- DynamicLoader: uxtheme.dll/GetThemeBool
- DynamicLoader: uxtheme.dll/GetThemeInt
- DynamicLoader: uxtheme.dll/GetThemeEnumValue
- DynamicLoader: uxtheme.dll/GetThemePosition
- DynamicLoader: uxtheme.dll/GetThemeFont
- DynamicLoader: uxtheme.dll/GetThemeRect
- DynamicLoader: uxtheme.dll/GetThemeMargins
- DynamicLoader: uxtheme.dll/GetThemeIntList
- DynamicLoader: uxtheme.dll/GetThemePropertyOrigin
- DynamicLoader: uxtheme.dll/SetWindowTheme
- DynamicLoader: uxtheme.dll/GetThemeFilename
- DynamicLoader: uxtheme.dll/GetThemeSysColor
- DynamicLoader: uxtheme.dll/GetThemeSysColorBrush
- DynamicLoader: uxtheme.dll/GetThemeSysBool
- DynamicLoader: uxtheme.dll/GetThemeSysSize
- DynamicLoader: uxtheme.dll/GetThemeSysFont
- DynamicLoader: uxtheme.dll/GetThemeSysString
- DynamicLoader: uxtheme.dll/GetThemeSysInt
- DynamicLoader: uxtheme.dll/IsThemeActive
- DynamicLoader: uxtheme.dll/IsAppThemed
- DynamicLoader: uxtheme.dll/GetWindowTheme
- DynamicLoader: uxtheme.dll/EnableThemeDialogTexture
- DynamicLoader: uxtheme.dll/IsThemeDialogTextureEnabled
- DynamicLoader: uxtheme.dll/GetThemeAppProperties
- DynamicLoader: uxtheme.dll/SetThemeAppProperties
- DynamicLoader: uxtheme.dll/GetCurrentThemeName
- DynamicLoader: uxtheme.dll/GetThemeDocumentationProperty
- DynamicLoader: uxtheme.dll/DrawThemeParentBackground
- DynamicLoader: uxtheme.dll/EnableTheming
- DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
- DynamicLoader: kernel32.dll/Heap32ListFirst
- DynamicLoader: kernel32.dll/Heap32ListNext
- DynamicLoader: kernel32.dll/Heap32First
- DynamicLoader: kernel32.dll/Heap32Next
- DynamicLoader: kernel32.dll/Toolhelp32ReadProcessMemory
- DynamicLoader: kernel32.dll/Process32First
- DynamicLoader: kernel32.dll/Process32Next
- DynamicLoader: kernel32.dll/Process32FirstW
- DynamicLoader: kernel32.dll/Process32NextW
- DynamicLoader: kernel32.dll/Process32FirstW
- DynamicLoader: kernel32.dll/Process32NextW
- DynamicLoader: kernel32.dll/Thread32First
- DynamicLoader: kernel32.dll/Thread32Next
- DynamicLoader: kernel32.dll/Module32First
- DynamicLoader: kernel32.dll/Module32Next
- DynamicLoader: kernel32.dll/Module32FirstW
- DynamicLoader: kernel32.dll/Module32NextW
- DynamicLoader: kernel32.dll/Module32FirstW
- DynamicLoader: kernel32.dll/Module32NextW
- DynamicLoader: WS2_32.dll/WSAStartup
- DynamicLoader: WS2_32.dll/GetAddrInfoW
- DynamicLoader: WS2_32.dll/GetNameInfoW
- DynamicLoader: WS2_32.dll/FreeAddrInfoW
- DynamicLoader: WS2_32.dll/InetPtonW
- DynamicLoader: WS2_32.dll/InetNtopW
- DynamicLoader: WS2_32.dll/GetAddrInfoExW
- DynamicLoader: WS2_32.dll/SetAddrInfoExW
- DynamicLoader: WS2_32.dll/FreeAddrInfoExW
- DynamicLoader: Fwpuclnt.dll/WSASetSocketPeerTargetName
- DynamicLoader: Fwpuclnt.dll/WSADeleteSocketPeerTargetName
- DynamicLoader: Fwpuclnt.dll/WSAImpersonateSocketPeer
- DynamicLoader: Fwpuclnt.dll/WSAQuerySocketSecurity
- DynamicLoader: Fwpuclnt.dll/WSARevertImpersonation
- DynamicLoader: IdnDL.dll/DownlevelGetLocaleScripts
- DynamicLoader: IdnDL.dll/DownlevelGetStringScripts
- DynamicLoader: IdnDL.dll/DownlevelVerifyScripts
- DynamicLoader: Normaliz.dll/IdnToUnicode
- DynamicLoader: Normaliz.dll/IdnToNameprepUnicode
- DynamicLoader: Normaliz.dll/IdnToAscii
- DynamicLoader: Normaliz.dll/IsNormalizedString
- DynamicLoader: Normaliz.dll/NormalizeString
- DynamicLoader: WS2_32.dll/socket
- DynamicLoader: WS2_32.dll/getsockopt
- DynamicLoader: WS2_32.dll/setsockopt
- DynamicLoader: WS2_32.dll/htons
- DynamicLoader: WS2_32.dll/bind
- DynamicLoader: WS2_32.dll/getsockname
- DynamicLoader: WS2_32.dll/ntohs
- DynamicLoader: WS2_32.dll/connect
- DynamicLoader: WS2_32.dll/getpeername
- DynamicLoader: WS2_32.dll/send
- DynamicLoader: WS2_32.dll/select
- DynamicLoader: WS2_32.dll/recv
- DynamicLoader: WS2_32.dll/shutdown
- DynamicLoader: WS2_32.dll/closesocket
- DynamicLoader: WS2_32.dll/WSACleanup
- DynamicLoader: wtsapi32.dll/WTSUnRegisterSessionNotification
- DynamicLoader: WINSTA.dll/WinStationUnRegisterConsoleNotification
- DynamicLoader: RPCRT4.dll/RpcAsyncGetCallStatus
- DynamicLoader: RPCRT4.dll/RpcAsyncCancelCall
- DynamicLoader: RPCRT4.dll/RpcAsyncCompleteCall
- DynamicLoader: RPCRT4.dll/RpcBindingFree
- DynamicLoader: uxtheme.dll/BufferedPaintUnInit
- DynamicLoader: oleaut32.dll/
- DynamicLoader: kernel32.dll/SetThreadUILanguage
- DynamicLoader: kernel32.dll/CopyFileExW
- DynamicLoader: kernel32.dll/IsDebuggerPresent
- DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
- DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
- DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
- DynamicLoader: ADVAPI32.dll/SaferCloseLevel
Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
Severity: Medium
Confidence: Very High
Performs some HTTP requests
Severity: Medium
Confidence: Low
- url: http://download.xp666.com/xzqswf/cof/inst_cfg
SetUnhandledExceptionFilter detected (possible anti-debug)
Severity: Low
Confidence: Very High
8 Summary items with data
Files
- C:\Users\Seven01\AppData\Local\Temp\inst2_20.it-IT
- C:\Users\Seven01\AppData\Local\Temp\inst2_20.it
- C:\Users\Seven01\AppData\Local\Temp\inst2_20.ITA
- C:\Users\Seven01\AppData\Local\Temp\inst2_20.IT
- \Device\KsecDD
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\SysWOW64\it-IT\USER32.dll.mui
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\System32\uxtheme.dll.Config
- C:\Windows\System32\uxtheme.dll
- C:\Users\Seven01\AppData\Local\Temp\inst2_20.exe.Local\
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
- C:\Users\Seven01\AppData\Local\Temp\libeay32.dll
- C:\Windows\System32\libeay32.dll
- C:\Windows\system\libeay32.dll
- C:\Windows\libeay32.dll
- C:\ProgramData\Oracle\Java\javapath\libeay32.dll
- C:\Windows\System32\wbem\libeay32.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\libeay32.dll
- C:\Windows\System32\tzres.dll
- C:\Windows\System32\it-IT\tzres.dll.mui
- C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat
- C:\Users\Seven01\AppData\Local\Temp
- C:\Users
- C:\Users\Seven01
- C:\Users\Seven01\AppData
- C:\Users\Seven01\AppData\Local
- C:\
- C:\Users\Seven01\AppData\Local\Temp\inst2_20.exe
Read Files
- \Device\KsecDD
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\SysWOW64\it-IT\USER32.dll.mui
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\System32\uxtheme.dll.Config
- C:\Windows\System32\uxtheme.dll
- C:\Windows\System32\tzres.dll
- C:\Windows\System32\it-IT\tzres.dll.mui
- C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat
Write Files
C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat
Delete Files
- C:\Users\Seven01\AppData\Local\Temp\inst2_20.exe
- C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat
Keys
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
- HKEY_CURRENT_USER\Software\Embarcadero\Locales
- HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales
- HKEY_CURRENT_USER\Software\CodeGear\Locales
- HKEY_LOCAL_MACHINE\Software\CodeGear\Locales
- HKEY_CURRENT_USER\Software\Borland\Locales
- HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04100410
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
Read Keys
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
Write Keys
Nothing to display
Delete Keys
Nothing to display
Mutexes
Resolved APIs
- kernel32.dll.GetThreadPreferredUILanguages
- kernel32.dll.SetThreadPreferredUILanguages
- kernel32.dll.GetThreadUILanguage
- kernel32.dll.GetNativeSystemInfo
- kernel32.dll.GetDiskFreeSpaceExW
- kernel32.dll.GetLogicalProcessorInformation
- oleaut32.dll.VariantChangeTypeEx
- oleaut32.dll.VarNeg
- oleaut32.dll.VarNot
- oleaut32.dll.VarAdd
- oleaut32.dll.VarSub
- oleaut32.dll.VarMul
- oleaut32.dll.VarDiv
- oleaut32.dll.VarIdiv
- oleaut32.dll.VarMod
- oleaut32.dll.VarAnd
- oleaut32.dll.VarOr
- oleaut32.dll.VarXor
- oleaut32.dll.VarCmp
- oleaut32.dll.VarI4FromStr
- oleaut32.dll.VarR4FromStr
- oleaut32.dll.VarR8FromStr
- oleaut32.dll.VarDateFromStr
- oleaut32.dll.VarCyFromStr
- oleaut32.dll.VarBoolFromStr
- oleaut32.dll.VarBstrFromCy
- oleaut32.dll.VarBstrFromDate
- oleaut32.dll.VarBstrFromBool
- kernel32.dll.InitializeConditionVariable
- kernel32.dll.WakeConditionVariable
- kernel32.dll.WakeAllConditionVariable
- kernel32.dll.SleepConditionVariableCS
- ole32.dll.CoCreateInstanceEx
- ole32.dll.CoInitializeEx
- ole32.dll.CoAddRefServerProcess
- ole32.dll.CoReleaseServerProcess
- ole32.dll.CoResumeClassObjects
- ole32.dll.CoSuspendClassObjects
- cryptbase.dll.SystemFunction036
- dwmapi.dll.DwmIsCompositionEnabled
- wtsapi32.dll.WTSRegisterSessionNotification
- user32.dll.IsWindow
- user32.dll.GetWindowThreadProcessId
- winsta.dll.WinStationRegisterConsoleNotification
- advapi32.dll.LookupAccountSidW
- sechost.dll.LookupAccountSidLocalW
- advapi32.dll.CreateWellKnownSid
- rpcrt4.dll.RpcStringBindingComposeW
- rpcrt4.dll.RpcBindingFromStringBindingW
- rpcrt4.dll.RpcStringFreeW
- rpcrt4.dll.RpcBindingSetAuthInfoExW
- sechost.dll.LookupAccountNameLocalW
- rpcrt4.dll.RpcAsyncInitializeHandle
- rpcrt4.dll.NdrClientCall2
- rpcrt4.dll.NdrAsyncClientCall
- uxtheme.dll.BufferedPaintInit
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- gdi32.dll.GetFontAssocStatus
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GdiIsMetaPrintDC
- imm32.dll.ImmIsIME
- user32.dll.AnimateWindow
- comctl32.dll.InitializeFlatSB
- comctl32.dll.UninitializeFlatSB
- comctl32.dll.FlatSB_GetScrollProp
- comctl32.dll.FlatSB_SetScrollProp
- comctl32.dll.FlatSB_EnableScrollBar
- comctl32.dll.FlatSB_ShowScrollBar
- comctl32.dll.FlatSB_GetScrollRange
- comctl32.dll.FlatSB_GetScrollInfo
- comctl32.dll.FlatSB_GetScrollPos
- comctl32.dll.FlatSB_SetScrollPos
- comctl32.dll.FlatSB_SetScrollInfo
- comctl32.dll.FlatSB_SetScrollRange
- user32.dll.SetLayeredWindowAttributes
- kernel32.dll.GetFileSizeEx
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- security.dll.InitSecurityInterfaceW
- comctl32.dll.HIMAGELIST_QueryInterface
- comctl32.dll.DrawShadowText
- comctl32.dll.DrawSizeBox
- comctl32.dll.DrawScrollBar
- comctl32.dll.SizeBoxHwnd
- comctl32.dll.ScrollBar_MouseMove
- comctl32.dll.ScrollBar_Menu
- comctl32.dll.HandleScrollCmd
- comctl32.dll.DetachScrollBars
- comctl32.dll.AttachScrollBars
- comctl32.dll.CCSetScrollInfo
- comctl32.dll.CCGetScrollInfo
- comctl32.dll.CCEnableScrollBar
- comctl32.dll.QuerySystemGestureStatus
- uxtheme.dll.#49
- uxtheme.dll.CloseThemeData
- uxtheme.dll.OpenThemeData
- uxtheme.dll.DrawThemeBackground
- uxtheme.dll.DrawThemeText
- uxtheme.dll.GetThemeBackgroundContentRect
- uxtheme.dll.GetThemeBackgroundExtent
- uxtheme.dll.GetThemePartSize
- uxtheme.dll.GetThemeTextExtent
- uxtheme.dll.GetThemeTextMetrics
- uxtheme.dll.GetThemeBackgroundRegion
- uxtheme.dll.HitTestThemeBackground
- uxtheme.dll.DrawThemeEdge
- uxtheme.dll.DrawThemeIcon
- uxtheme.dll.IsThemePartDefined
- uxtheme.dll.IsThemeBackgroundPartiallyTransparent
- uxtheme.dll.GetThemeColor
- uxtheme.dll.GetThemeMetric
- uxtheme.dll.GetThemeString
- uxtheme.dll.GetThemeBool
- uxtheme.dll.GetThemeInt
- uxtheme.dll.GetThemeEnumValue
- uxtheme.dll.GetThemePosition
- uxtheme.dll.GetThemeFont
- uxtheme.dll.GetThemeRect
- uxtheme.dll.GetThemeMargins
- uxtheme.dll.GetThemeIntList
- uxtheme.dll.GetThemePropertyOrigin
- uxtheme.dll.SetWindowTheme
- uxtheme.dll.GetThemeFilename
- uxtheme.dll.GetThemeSysColor
- uxtheme.dll.GetThemeSysColorBrush
- uxtheme.dll.GetThemeSysBool
- uxtheme.dll.GetThemeSysSize
- uxtheme.dll.GetThemeSysFont
- uxtheme.dll.GetThemeSysString
- uxtheme.dll.GetThemeSysInt
- uxtheme.dll.IsThemeActive
- uxtheme.dll.IsAppThemed
- uxtheme.dll.GetWindowTheme
- uxtheme.dll.EnableThemeDialogTexture
- uxtheme.dll.IsThemeDialogTextureEnabled
- uxtheme.dll.GetThemeAppProperties
- uxtheme.dll.SetThemeAppProperties
- uxtheme.dll.GetCurrentThemeName
- uxtheme.dll.GetThemeDocumentationProperty
- uxtheme.dll.DrawThemeParentBackground
- uxtheme.dll.EnableTheming
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.Heap32ListFirst
- kernel32.dll.Heap32ListNext
- kernel32.dll.Heap32First
- kernel32.dll.Heap32Next
- kernel32.dll.Toolhelp32ReadProcessMemory
- kernel32.dll.Process32First
- kernel32.dll.Process32Next
- kernel32.dll.Process32FirstW
- kernel32.dll.Process32NextW
- kernel32.dll.Thread32First
- kernel32.dll.Thread32Next
- kernel32.dll.Module32First
- kernel32.dll.Module32Next
- kernel32.dll.Module32FirstW
- kernel32.dll.Module32NextW
- ws2_32.dll.WSAStartup
- ws2_32.dll.GetAddrInfoW
- ws2_32.dll.GetNameInfoW
- ws2_32.dll.FreeAddrInfoW
- ws2_32.dll.InetPtonW
- ws2_32.dll.InetNtopW
- ws2_32.dll.GetAddrInfoExW
- ws2_32.dll.SetAddrInfoExW
- ws2_32.dll.FreeAddrInfoExW
- fwpuclnt.dll.WSASetSocketPeerTargetName
- fwpuclnt.dll.WSADeleteSocketPeerTargetName
- fwpuclnt.dll.WSAImpersonateSocketPeer
- fwpuclnt.dll.WSAQuerySocketSecurity
- fwpuclnt.dll.WSARevertImpersonation
- idndl.dll.DownlevelGetLocaleScripts
- idndl.dll.DownlevelGetStringScripts
- idndl.dll.DownlevelVerifyScripts
- normaliz.dll.IdnToUnicode
- normaliz.dll.IdnToNameprepUnicode
- normaliz.dll.IdnToAscii
- normaliz.dll.IsNormalizedString
- normaliz.dll.NormalizeString
- ws2_32.dll.socket
- ws2_32.dll.getsockopt
- ws2_32.dll.setsockopt
- ws2_32.dll.htons
- ws2_32.dll.bind
- ws2_32.dll.getsockname
- ws2_32.dll.ntohs
- ws2_32.dll.connect
- ws2_32.dll.getpeername
- ws2_32.dll.send
- ws2_32.dll.select
- ws2_32.dll.recv
- ws2_32.dll.shutdown
- ws2_32.dll.closesocket
- ws2_32.dll.WSACleanup
- wtsapi32.dll.WTSUnRegisterSessionNotification
- winsta.dll.WinStationUnRegisterConsoleNotification
- rpcrt4.dll.RpcAsyncGetCallStatus
- rpcrt4.dll.RpcAsyncCancelCall
- rpcrt4.dll.RpcAsyncCompleteCall
- rpcrt4.dll.RpcBindingFree
- uxtheme.dll.BufferedPaintUnInit
- oleaut32.dll.#500
- kernel32.dll.SetThreadUILanguage
- kernel32.dll.CopyFileExW
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.SetConsoleInputExeNameW
- advapi32.dll.SaferIdentifyLevel
- advapi32.dll.SaferComputeTokenFromLevel
- advapi32.dll.SaferCloseLevel
Execute Commands
C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat
Started Services
Nothing to display
Created Services
Nothing to display
1 HTTP Request(s) detected
http://download.xp666.com/xzqswf/cof/inst_cfg
- Hostname: download.xp666.com
- IP Address:
- Port: 80
- Count: 1
```http
GET /xzqswf/cof/inst_cfg HTTP/1.1
Host: download.xp666.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
```
Detected family: #Snojan
TheSystem Itself @ 2022-03-01 04:57:03
#infosec #automation
TheSystem Itself @ 2022-03-01 04:51:12