ID: 120562
Sample Name: Port Forwarding Wizard.exe
Cookbook: default.jbs
Time: 12:23:41
Date: 02/04/2019
Version: 25.0.0 Tiger's Eye

Table of Contents

Table of Contents ... 2
Analysis Report Port Forwarding Wizard.exe ... 4
Overview ... 4
General Information ... 4
Detection ... 4
Confidence ... 4
Classification ... 5
Analysis Advice ... 5
Mitre Att&ck Matrix ... 6
Signature Overview ... 6
Spreading: ... 6
Networking: ... 6
System Summary: ... 6
Data Obfuscation: ... 7
Hooking and other Techniques for Hiding and Protection: ... 7
Malware Analysis System Evasion: ... 7
Anti Debugging: ... 7
Language, Device and Operating System Detection: ... 7
Behavior Graph ... 7
Simulations ... 8
Behavior and APIs ... 8
Antivirus Detection ... 8
Initial Sample ... 8
Dropped Files ... 8
Unpacked PE Files ... 8
Domains ... 8
URLs ... 8
Yara Overview ... 9
Initial Sample ... 9
PCAP (Network Traffic) ... 9
Dropped Files ... 9
Memory Dumps ... 9
Unpacked PEs ... 9
Joe Sandbox View / Context ... 9
IPs ... 9
Domains ... 9
ASN ... 9
JA3 Fingerprints ... 9
Dropped Files ... 9
Screenshots ... 10
Thumbnails ... 10
Startup ... 10
Created / dropped Files ... 10
Domains and IPs ... 11
Contacted Domains ... 11
URLs from Memory and Binaries ... 11
Contacted IPs ... 11
Static File Info ... 11
General ... 11
File Icon ... 11
Static PE Info ... 12
General ... 12
Entrypoint Preview ... 12
Rich Headers ... 13
Data Directories ... 13
Sections ... 13
Resources ... 13
Imports ... 19
Version Infos ... 20

Copyright Joe Security LLC 2019 Page 2 of 22

Possible Origin ... 21
Network Behavior ... 21
Code Manipulations ... 21
Statistics ... 21
System Behavior ... 21
Analysis : Port Forwarding Wizard.exe PID: 4144 Parent PID: 4140 ... 21
General ... 21
Disassembly ... 22
Code Analysis ... 22

Analysis Report Port Forwarding Wizard.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 120562
Start date: 02.04.2019
Start time: 12:23:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Port Forwarding Wizard.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean4.winEXE@1/0@0/0
EGA Information: Failed
HDC Information: Successful, ratio: 99.6% (good quality ratio 95.9%)
Quality average: 83.2%
Quality standard deviation: 23.9%
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated

Warnings:
Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
Execution Graph export aborted for target Port Forwarding Wizard.exe, PID 4144 because there are no executed functions

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 4 | 0 - 100 | | false |

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 3 | 0 - 5 | true |

Classification

Classification radar chart (rings: clean, suspicious, malicious; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware)

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access: Valid Accounts
Execution: Windows Remote Management
Persistence: Winlogon Helper DLL
Privilege Escalation: Port Monitors
Defense Evasion: Obfuscated Files or Information 2
Credential Access: Credential Dumping
Discovery: System Information Discovery 1 3
Lateral Movement: Application Deployment Software
Collection: Data from Local System
Exfiltration: Data Compressed
Command and Control: Standard Cryptographic Protocol 1

Signature Overview

• Spreading
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection


Spreading:

Contains functionality to enumerate / list files inside a directory

Networking:

Found strings which match to known social media urls

Urls found in memory or binary data

System Summary:

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains strange resources

Tries to load missing DLLs

Classification label

Contains functionality to load and extract PE file embedded resources

PE file has an executable .text section and no other executable section

Reads software policies

Sample might require command line arguments (.Net)

PE file has a big code size

Submission file is bigger than most known malware samples

PE file has a big raw section

PE file imports many functions

PE file contains a debug data directory

Binary contains paths to debug symbols

Data Obfuscation:

Contains functionality to dynamically determine API calls

Uses code obfuscation techniques (call, push, ret)

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Malware Analysis System Evasion:

Program does not show much activity (idle)

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

Anti Debugging:

Contains functionality to dynamically determine API calls

Program does not show much activity (idle)

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Contains functionality to query local / system time

Contains functionality to query windows version

Behavior Graph

Behavior graph (ID: 120562, Sample: Port Forwarding Wizard.exe, Startdate: 02/04/2019, Architecture: WINDOWS, Score: 4). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. Graph nodes: Port Forwarding Wizard.exe (started).

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label | Link
Port Forwarding Wizard.exe | 0% | virustotal | | Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.port-forwarding.net | 0% | virustotal | | Browse
www.port-forwarding.net | 0% | Avira URL Cloud | safe |
www.port-forwarding.net/port-forwarding-software/port_tester.pl?remote_address=invalid | 0% | Avira URL Cloud | safe |
www.port-forwarding.net/port-forwarding-software/port_tester.pl?remote_address= | 0% | Avira URL Cloud | safe |
127.0.0.1:unknown | 0% | Avira URL Cloud | safe |
192.168.10.10:5678 | 0% | Avira URL Cloud | safe |
www.port-forwarding.net/port-forwarding-software/port_tester.pl | 0% | virustotal | | Browse
www.port-forwarding.net/port-forwarding-software/port_tester.pl | 0% | Avira URL Cloud | safe |
www.port-forwarding.net/port-forwarding-software/port_tester.plstoprunningstop | 0% | Avira URL Cloud | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
Port Forwarding Wizard.exe (PID: 4144 cmdline: 'C:\Users\user\Desktop\Port Forwarding Wizard.exe' MD5: 494F7CDB6174D4297CE3691F68594A73)
cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
www.port-forwarding.net | Port Forwarding Wizard.exe | false | 0%, virustotal, Browse; Avira URL Cloud: safe | low
www.port-forwarding.net/port-forwarding-software/port_tester.pl?remote_address=invalid | Port Forwarding Wizard.exe | false | Avira URL Cloud: safe | low
https://secure.avangate.com/order/checkout.php?PRODS=4544012&QTY=1&CART=1 | Port Forwarding Wizard.exe | false | | high
127.0.0.1: | Port Forwarding Wizard.exe | false | | high
www.port-forwarding.net/port-forwarding-software/port_tester.pl?remote_address= | Port Forwarding Wizard.exe | false | Avira URL Cloud: safe | low
127.0.0.1:unknown | Port Forwarding Wizard.exe | false | Avira URL Cloud: safe | low
192.168.10.10:5678 | Port Forwarding Wizard.exe | false | Avira URL Cloud: safe | unknown
schemas.xmlsoap.org/soap/encoding/ | Port Forwarding Wizard.exe | false | | high
www.port-forwarding.net/port-forwarding-software/port_tester.pl | Port Forwarding Wizard.exe | false | 0%, virustotal, Browse; Avira URL Cloud: safe | low
www.port-forwarding.net/port-forwarding-software/port_tester.plstoprunningstop | Port Forwarding Wizard.exe | false | Avira URL Cloud: safe | low
https://secure.avangate.com/order/checkout.php?PRODS=4544012&QTY=1&CART=1www.port-forwarding. | Port Forwarding Wizard.exe | false | | high
schemas.xmlsoap.org/soap/envelope/ | Port Forwarding Wizard.exe | false | | high

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.598051574824898
TrID:
  Win32 Executable (generic) a (10002005/4) 99.90%
  Java Script embedded in Visual Basic Script (6000/0) 0.06%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Port Forwarding Wizard.exe
File size: 2244608
MD5: 494f7cdb6174d4297ce3691f68594a73
SHA1: eb4aa23315d908857d685c045a649191dfe20e88
SHA256: b713b10a36355965762525b0ad3299a016c5f6fa74460683df9bdd20dcf024b2
SHA512: c9fa7f46083aaadcd22a8684f8cf2206376a5ed97d9797898ad48758e845615c350fb220ab6cf40d261d2877f30111738d40a521b5cbc654357d566cc7e77dfa
SSDEEP: 49152:4kmSy2Oo6BM1qw3G0AUy08FG0ZcH1TZ7X:4Gyw6BM51AUIG0ZcH/7
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... L^...?...? ...?...7...?...7...?...... ?...7...?...3..%?...7...?...(...?../....?...3 ...?...?..`<...3...?...3..^>...4...?...3...?.

File Icon

Icon Hash: f8f0f0f0f0f0f0e8

Static PE Info

General

Entrypoint: 0x4565f5
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x51EC9476 [Mon Jul 22 02:09:58 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 04c43cca9f77c00569300c6b0d8748a5

Entrypoint Preview

Instruction
push 00000060h
push 00577AF8h
call 00007F0D4C5F2204h
mov edi, 00000094h
mov eax, edi
call 00007F0D4C5EE348h
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [00562304h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [005BA6B8h], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [005BA6C4h], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [005BA6C8h], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [005BA6BCh], esi
cmp ecx, 02h
je 00007F0D4C5F13EEh
or esi, 00008000h
mov dword ptr [005BA6BCh], esi
shl eax, 08h
add eax, edx
mov dword ptr [005BA6C0h], eax
xor esi, esi
push esi
mov edi, dword ptr [00562348h]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007F0D4C5F1401h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007F0D4C5F13F4h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007F0D4C5F1401h
cmp eax, 0000020Bh
je 00007F0D4C5F13E7h
mov dword ptr [ebp-1Ch], esi
jmp 00007F0D4C5F1409h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007F0D4C5F13D4h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007F0D4C5F13F0h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007F0D4C5F13C4h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi

Rich Headers

Programming Language:
[ASM] VS2003 (.NET) build 3077
[RES] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) build 3077
[IMP] VS2005 build 50727
[IMP] VS2003 (.NET) SP1 build 6030
[IMP] VS2003 (.NET) build 3077
[C++] VS2003 (.NET) build 3077
[ C ] VS2003 (.NET) build 3077

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ac8e0 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1bd000 | 0x6fd78 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x162a40 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x198730 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x162000 | 0xa34 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1ac858 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16002c | 0x161000 | False | 0.506816572238 | data | 6.48164585567 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x162000 | 0x4da4e | 0x4e000 | False | 0.317248222155 | data | 5.698991477 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b0000 | 0xcdb4 | 0x4000 | False | 0.326477050781 | data | 4.56326005642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x1bd000 | 0x6fd78 | 0x70000 | False | 0.293995448521 | data | 6.33535182101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources


Imports

DLL and imported functions:

PocoFoundation.dll: ??1Random@Poco@@QAE@XZ, ?seed@Random@Poco@@QAEXI@Z, ??0Random@Poco@@QAE@H@Z, ?next@Random@Poco@@QAEIXZ

libexpat.dll: (no imports listed)

LIBEAY32.dll: (no imports listed)

WINMM.dll: PlaySoundA, timeGetTime

SSLEAY32.dll: (no imports listed)

KERNEL32.dll: TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, GetCPInfo, GetOEMCP, FileTimeToSystemTime, SetErrorMode, FileTimeToLocalFileTime, GetFileTime, WritePrivateProfileStringA, GetPrivateProfileStringA, GetCurrentDirectoryA, GetTickCount, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, RtlUnwind, ExitProcess, Sleep, GetFileType, GetSystemTimeAsFileTime, GetFileInformationByHandle, PeekNamedPipe, HeapReAlloc, TerminateProcess, GetStartupInfoA, GetCommandLineA, SetStdHandle, ExitThread, HeapSize, VirtualFree, IsBadWritePtr, QueryPerformanceCounter, SetUnhandledExceptionFilter, LCMapStringA, TlsGetValue, SetHandleCount, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, GetExitCodeProcess, CreateProcessA, SetEnvironmentVariableA, GetLocaleInfoW, GlobalHandle, GlobalReAlloc, LocalAlloc, GlobalFlags, RaiseException, ReleaseMutex, SuspendThread, GetDriveTypeA, GetProfileIntA, LocalSize, LoadLibraryExW, LoadLibraryExA, LoadLibraryW, EnumResourceTypesA, EnumResourceNamesA, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, MultiByteToWideChar, WideCharToMultiByte, GetLastError, GetVersion, lstrcmpiA, lstrlenW, lstrlenA, CompareStringA, CompareStringW, SizeofResource, LockResource, LoadResource, FindResourceA, WinExec, EnterCriticalSection, GetProcAddress, GetModuleHandleA, CloseHandle, GetCurrentThread, HeapDestroy, HeapCreate, HeapAlloc, InterlockedIncrement, HeapFree, LCMapStringW, InterlockedDecrement, CreateThread, CreateMutexA, GetLocalTime, InitializeCriticalSection, DeleteCriticalSection, ResumeThread, SetThreadPriority, lstrcmpA, ConvertDefaultLocale, EnumResourceLanguagesA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, lstrcpyA, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, LoadLibraryA, FreeLibrary, lstrcatA, lstrcmpW, SetLastError, CopyFileA, MulDiv, GlobalSize, GlobalAlloc, lstrcpynA, GlobalLock, GlobalUnlock, GlobalFree, FreeResource, UnmapViewOfFile, GetFileAttributesA, CreateFileMappingA, MapViewOfFile, CreateEventA, SetEvent, TerminateThread, GetQueuedCompletionStatus, WaitForSingleObject, OpenProcess, FormatMessageA, LocalFree, PostQueuedCompletionStatus, GetExitCodeThread, CreateIoCompletionPort, GetModuleFileNameA, CreateFileA, ReadFile, GetCurrentThreadId, GetCurrentProcessId, LeaveCriticalSection

USER32.dll: SetCursor, PostQuitMessage, MapVirtualKeyA, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, wsprintfA, SetMenuItemBitmaps, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, MoveWindow, SetWindowTextA, IsDialogMessageA, WinHelpA, GetCapture, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, ShowOwnedPopups, RemovePropA, SendDlgItemMessageA, GetFocus, SetFocus, IsChild, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, ValidateRect, TranslateMessage, GetMessageA, KillTimer, MapDialogRect, SetWindowContextHelpId, GetMenuItemInfoA, DestroyMenu, GetSysColorBrush, LoadCursorA, SetCapture, GetLastActivePopup, DispatchMessageA, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, MessageBoxA, GetKeyState, GetScrollRange, WindowFromPoint, ReleaseCapture, DeleteMenu, DestroyIcon, CharNextA, IsRectEmpty, SetRect, SetScrollPos, GetScrollPos, ShowScrollBar, IsWindowVisible, UpdateWindow, GetMenu, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, RegisterClassA, CopyAcceleratorTableA, InvalidateRgn, GetNextDlgGroupItem, MessageBeep, IsClipboardFormatAvailable, TranslateAcceleratorA, SetMenu, BringWindowToTop, SetRectEmpty, CreatePopupMenu, InsertMenuItemA, LoadAcceleratorsA, ReuseDDElParam, UnpackDDElParam, RegisterClipboardFormatA, UnionRect, PostThreadMessageA, GetDCEx, LockWindowUpdate, GetSystemMenu, SetParent, GetPropA, CharUpperA, EnableWindow, SetWindowPos, SetWindowLongA, GetWindowLongA, InflateRect, OffsetRect, TranslateMDISysAccel, DrawMenuBar, UnregisterClassA, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, IntersectRect, GetWindowPlacement, PtInRect, GetWindow, GetMenuState, GetMenuStringA, GetMenuItemID, InsertMenuA, GetMenuItemCount, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, IsWindowEnabled, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, LoadImageA, TrackPopupMenu, GetCursorPos, GetSystemMetrics, LoadIconA, GetDesktopWindow, GetClientRect, IsIconic, LoadMenuA, GetSubMenu, DrawIcon, LoadBitmapA, FindWindowA, ShowWindow, SetForegroundWindow, LoadStringA, RegisterClassW, DefMDIChildProcW, DefMDIChildProcA, DefDlgProcW, DefDlgProcA, DefFrameProcW, DefFrameProcA, DefWindowProcW, CallWindowProcW, EnumWindows, IsWindowUnicode, GetWindowLongW, SetWindowLongW, GetDoubleClickTime, SetClassLongA, GetKeyboardLayoutList, GetKeyboardState, ToAsciiEx, SetCursorPos, GetWindowRgn, IsMenu, GetMenuDefaultItem, GetCursor, mouse_event, DrawEdge, CreateIconIndirect, CopyIcon, GetClassInfoA, GetDlgItem, SystemParametersInfoA, GetSysColor, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetParent, SetTimer, InvalidateRect, GetWindowRect, PostMessageA, FillRect, CopyRect, SendMessageA, RegisterWindowMessageA, RedrawWindow, DrawFrameControl, DrawFocusRect, InvertRect, OpenClipboard, HideCaret, ShowCaret, CloseClipboard, SetClipboardData, EmptyClipboard, GetClipboardData, DrawIconEx, EnableScrollBar, SetMenuDefaultItem, SetWindowRgn, CreateIconFromResourceEx, LookupIconIdFromDirectoryEx, SendMessageTimeoutA, DrawStateA, GetIconInfo

GDI32.dll: CreateDIBitmap, CreatePalette, GetTextAlign, CreatePolygonRgn, GetTextCharsetInfo, OffsetRgn, PtInRegion, GetBitmapBits, GetBoundsRect, GetViewportOrgEx, GetClipBox, SetTextColor, SetBkColor, GetObjectA, CreateBitmap, SaveDC, RestoreDC, SetBkMode, SetStretchBltMode, SetMapMode, ExcludeClipRect, LineTo, MoveToEx, SetTextAlign, DeleteObject, SelectClipRgn, GetViewportExtEx, GetWindowExtEx, GetPixel, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, GetStockObject, SelectPalette, GetObjectType, CreateFontIndirectA, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, GetTextExtentPoint32A, GetRgnBox, StretchDIBits, CopyMetaFileA, GetDeviceCaps, BitBlt, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, SetPixelV, GetTextColor, GetBkMode, GetBkColor, SetBrushOrgEx, GetBrushOrgEx, CreatePen, CreateSolidBrush, CreatePatternBrush, CreateFontA, GetBitmapDimensionEx, CreateCompatibleBitmap, CreateRectRgn, GetTextMetricsA, Polygon, StretchBlt, SetPixel, GetCurrentObject, CreateDIBSection, EnumFontFamiliesExA, Rectangle, ExtCreateRegion, GetDIBits, SetDIBits, CreateCompatibleDC

comdlg32.dll: GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA

WINSPOOL.DRV: ClosePrinter, DocumentPropertiesA, OpenPrinterA

ADVAPI32.dll: RegDeleteValueA, RegSetValueExA, RegOpenKeyA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegCreateKeyExA, RegCloseKey

SHELL32.dll: DragQueryFileA, ShellExecuteA, Shell_NotifyIconA, DragFinish

COMCTL32.dll: ImageList_AddMasked, FlatSB_GetScrollProp, ImageList_GetBkColor, ImageList_DrawIndirect, ImageList_DrawEx, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetIconSize, _TrackMouseEvent, ImageList_GetImageCount, ImageList_GetIcon, ImageList_Destroy, ImageList_Create, ImageList_Draw, ImageList_GetImageInfo

SHLWAPI.dll: PathFindExtensionA, PathFindFileNameA, PathIsUNCA, PathStripToRootA

oledlg.dll: (no imports listed)

ole32.dll: CoTaskMemFree, CoDisconnectObject, CoCreateInstance, CoRevokeClassObject, OleIsCurrentClipboard, OleFlushClipboard, CoGetClassObject, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CreateILockBytesOnHGlobal, CreateStreamOnHGlobal, OleUninitialize, CoTaskMemAlloc, ReleaseStgMedium, OleDuplicateData, CoFreeUnusedLibraries, OleInitialize, CLSIDFromProgID, CoRegisterMessageFilter, CLSIDFromString, CoLockObjectExternal, RevokeDragDrop, OleGetClipboard, DoDragDrop

OLEAUT32.dll: VariantCopy, SafeArrayDestroy, SysAllocString, VarDateFromStr, OleCreateFontIndirect, LoadTypeLib, SysStringByteLen, SysAllocStringByteLen, SysFreeString, SysAllocStringLen, VariantInit, VariantChangeType, VariantClear, VariantTimeToSystemTime, SystemTimeToVariantTime, VariantChangeTypeEx, VarUdateFromDate, VarCmp, SysStringLen

WS2_32.dll: ntohl, WSASend, WSARecv, WSACleanup, WSAStartup, recvfrom, ntohs, recv, sendto, send, select, accept, shutdown, ioctlsocket, setsockopt, WSAGetLastError, listen, htonl, inet_addr, htons, bind, closesocket, socket, gethostname, inet_ntoa, getsockname, gethostbyname, connect

imagehlp.dll: ImageDirectoryEntryToData

Version Infos

LegalCopyright: upRedSun. All rights reserved.
InternalName: Port Forwarding Wizard.exe
FileVersion: 4.8.0.1
CompanyName: upRedSun
ProductName: upRedSun
ProductVersion: 4.8.0.1
FileDescription: Port Forwarding Wizard
OriginalFilename: Port Forwarding Wizard.exe
Translation: 0x4090 0x04e4

Possible Origin

Language of compilation system   Country where language is spoken
English                          United States
Chinese                          China

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: Port Forwarding Wizard.exe PID: 4144 Parent PID: 4140

General

Start time: 12:24:28
Start date: 02/04/2019
Path: C:\Users\user\Desktop\Port Forwarding Wizard.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Port Forwarding Wizard.exe'
Imagebase: 0x400000
File size: 2244608 bytes
MD5 hash: 494F7CDB6174D4297CE3691F68594A73
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
