keynote.exe
This report is generated from a file or URL submitted to this webservice on April 12th 2019 03:46:47 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Spyware
  - Contains ability to open the clipboard
  - Contains ability to retrieve keyboard strokes
  - Found a string that may be used as part of an injection method
- Fingerprint
  - Contains ability to query information about shared network resources
  - Queries kernel debugger information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
MITRE ATT&CK™ Techniques Detection
Additional Context
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)

External Systems
- Sample was identified as malicious by at least one Antivirus engine
  - details: 6/37 Antivirus vendors marked sample as malicious (16% detection rate)
  - source: External System
  - relevance: 8/10

Unusual Characteristics
- Checks for a resource fork (ADS) file
  - details: "<Input Sample>" checked file "C:"
  - source: API Call
  - relevance: 5/10
Suspicious Indicators (23)

Anti-Detection/Stealthiness
- Queries kernel debugger information
  - details: "<Input Sample>" at 00122924-00000480-00000105-13389789309
  - source: API Call
  - relevance: 6/10
Anti-Reverse Engineering
- Looks up many procedures within the same disassembly stream (often used to hide usage)
  - details:
    - Found 47 calls to GetProcAddress@kernel32.dll
    - Found 11 calls to GetProcAddress@kernel32.dll
    - Found 12 calls to GetProcAddress@kernel32.dll
  - source: Hybrid Analysis Technology
  - relevance: 10/10
Cryptographic Related
- Found a cryptographic related string
  - details: "Blowfish" (Indicator: "blowfish"; File: "keynote.exe.bin")
  - source: File/Memory
  - relevance: 10/10
Environment Awareness
- Contains ability to query information about shared network resources
  - details:
    - EnumPrintersA@winspool.drv (3 streams)
    - EnumPrintersA@WINSPOOL.DRV from keynote.exe (PID: 480) (2 streams)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
  - ATT&CK ID: T1012
- Reads the active computer name
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
  - ATT&CK ID: T1012
- Reads the cryptographic machine GUID
  - details: "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012
General
- Contains ability to find and load resources of a specific module
  - details:
    - LockResource@kernel32.dll
    - SizeofResource@kernel32.dll
    - LoadResource@kernel32.dll
    - FindResourceA@kernel32.dll
    - FreeResource@kernel32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Reads configuration files
  - details:
    - "<Input Sample>" read file "%APPDATA%\Microsoft\Windows\Recent\desktop.ini"
    - "<Input Sample>" read file "%USERPROFILE%\Favorites\desktop.ini"
    - "<Input Sample>" read file "C:\Users\%USERNAME%\desktop.ini"
    - "<Input Sample>" read file "C:\Users\%USERNAME%\Libraries\desktop.ini"
    - "<Input Sample>" read file "%WINDIR%\win.ini"
    - "<Input Sample>" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
  - source: API Call
  - relevance: 4/10
Installation/Persistence
- Found a string that may be used as part of an injection method
  - details: "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
  - source: File/Memory
  - relevance: 4/10
  - ATT&CK ID: T1055
- Opens the MountPointManager (often used to detect additional infection locations)
  - details: "<Input Sample>" opened "\Device\MountPointManager"
  - source: API Call
  - relevance: 5/10
- Scans for the windows taskbar (may be used for explorer injection)
  - details: "<Input Sample>" searching for class "Shell_TrayWnd"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1055
Network Related
- Found potential IP address in binary/memory
  - details:
    - "255.255.255.255"
    - "1.7.9.8"
  - source: File/Memory
  - relevance: 3/10
Remote Access Related
- Reads terminal service related keys (often RDP related)
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1076
Spyware/Information Retrieval
- Contains ability to open the clipboard
  - details: OpenClipboard@user32.dll
  - source: Hybrid Analysis Technology
  - relevance: 10/10
  - ATT&CK ID: T1115
- Contains ability to retrieve keyboard strokes
  - details: GetKeyboardState@user32.dll
  - source: Hybrid Analysis Technology
  - relevance: 8/10
  - ATT&CK ID: T1056
Unusual Characteristics
- Imports suspicious APIs
  - details: RegDeleteKeyA, RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegEnumKeyExA, CreateFileMappingA, GetFileAttributesA, GetDriveTypeA, FindFirstFileW, GetFileAttributesW, UnhandledExceptionFilter, OpenFileMappingA, GetTempPathA, WriteFile, OutputDebugStringA, CopyFileW, GetModuleFileNameA, LoadLibraryExA, CreateThread, ExitThread, LoadLibraryW, GetTickCount, VirtualProtect, GetVersionExA, LoadLibraryA, GetStartupInfoA, GetFileSize, CreateDirectoryA, DeleteFileA, DeleteFileW, GetProcAddress, FindNextFileW, GetComputerNameA, FindNextFileA, CreateFileW, CreateFileA, LockResource, GetCommandLineA, MapViewOfFile, GetModuleHandleA, FindFirstFileA, CreateProcessA, SleepEx, Sleep, FindResourceA, VirtualAlloc, ShellExecuteW, ShellExecuteExW, ShellExecuteA, GetCursorPos, SetWindowsHookExW, GetLastActivePopup, SetKeyboardState, SetWindowsHookExA, FindWindowA, GetWindowThreadProcessId, GetUpdateRect, EnumPrintersA
  - source: Static Parser
  - relevance: 1/10
- Installs hooks/patches the running process
  - details:
    - "<Input Sample>" wrote bytes "75dca675273ea67551c1a475ee9ca4759498a4750fb3aa751099a4759097a4750000000042c69977152e9977c0d999771bf79977c1089b77e0c2997736da997730c69977d5d9997786c4997700000000" to virtual address "0x7332E000" (part of module "MSLS31.DLL")
    - "<Input Sample>" wrote bytes "c04e817720548277e0658277b53883770000000000d0997700000000c5ea99770000000088ea997700000000e968937582288377ee29837700000000d2699375000000007dbb99770000000009be937500000000ba18997700000000" to virtual address "0x77941000" (part of module "NSI.DLL")
    - "<Input Sample>" wrote bytes "e9c39b1600" to virtual address "0x00408334" (part of module "KEYNOTE.EXE")
    - "<Input Sample>" wrote bytes "e997161500" to virtual address "0x00422444" (part of module "KEYNOTE.EXE")
  - source: Hook Detection
  - relevance: 10/10
  - ATT&CK ID: T1179
- Reads information about supported languages
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012

Hiding 5 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
Informative (19)

Anti-Reverse Engineering
- PE file contains zero-size sections
  - details:
    - Raw size of ".bss" is zero
    - Raw size of ".tls" is zero
  - source: Static Parser
  - relevance: 10/10
Environment Awareness
- Contains ability to query machine time
  - details: GetLocalTime@kernel32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
  - ATT&CK ID: T1124
- Contains ability to query the machine timezone
  - details: GetTimeZoneInformation@kernel32.dll (2 streams)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
  - ATT&CK ID: T1124
- Contains ability to query the machine version
  - details: GetVersion@kernel32.dll (2 streams)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query the system locale
  - details:
    - EnumSystemLocalesA@kernel32.dll
    - GetUserDefaultLCID@kernel32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query volume size
  - details: GetDiskFreeSpaceA@kernel32.dll
  - source: Hybrid Analysis Technology
  - relevance: 3/10
  - ATT&CK ID: T1083
- Makes a code branch decision directly after an API that is environment aware
  - details:
    - Found API call GetVersion@kernel32.dll directly followed by "cmp ax, 0004h" and "jc 00463D05h"
    - Found API call GetTimeZoneInformation@kernel32.dll directly followed by "cmp eax, FFFFFFFFh" and "jne 0055E4D4h"
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Reads the registry for installed applications
  - details:
    - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\KEYNOTE.EXE")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\KEYNOTE.EXE")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012
External Systems
- Sample was identified as clean by Antivirus engines
  - details: 0/65 Antivirus vendors marked sample as malicious (0% detection rate)
  - source: External System
  - relevance: 10/10
General
- Contains ability to register hotkeys
  - details:
    - UnregisterHotKey@user32.dll
    - RegisterHotKey@user32.dll
  - source: Hybrid Analysis Technology
  - relevance: 5/10
- Creates mutants
  - details:
    - "\Sessions\1\BaseNamedObjects\GFKeyNote10"
    - "\Sessions\1\BaseNamedObjects\Local\Shell.CMruPidlList"
    - "Local\Shell.CMruPidlList"
    - "Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex"
    - "GFKeyNote10"
    - "Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer"
    - "Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs"
    - "Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer"
    - "Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer"
    - "Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer"
    - "Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit"
    - "Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!044c0"
    - "Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer"
    - "\Sessions\1\BaseNamedObjects\Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex"
    - "\Sessions\1\BaseNamedObjects\Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer"
    - "\Sessions\1\BaseNamedObjects\Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer"
    - "\Sessions\1\BaseNamedObjects\Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer"
    - "\Sessions\1\BaseNamedObjects\Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer"
    - "\Sessions\1\BaseNamedObjects\Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer"
    - "\Sessions\1\BaseNamedObjects\Global\C::Users:wEKHDMz:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit"
  - source: Created Mutant
  - relevance: 3/10
- Overview of unique CLSIDs touched in registry
  - details:
    - "<Input Sample>" touched "Share Manager" (Path: "HKCU\CLSID\{EDB5F444-CB8D-445A-A523-EC5AB6EA33C7}")
    - "<Input Sample>" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
    - "<Input Sample>" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
    - "<Input Sample>" touched "Enhanced Storage Icon Overlay Handler Class" (Path: "HKCU\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\INPROCSERVER32")
    - "<Input Sample>" touched "Sharing Overlay (Private)" (Path: "HKCU\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\INPROCSERVER32")
    - "<Input Sample>" touched "File Save Dialog Legacy" (Path: "HKCU\CLSID\{AF02484C-A0A9-4669-9051-058AB12B9195}\TREATAS")
    - "<Input Sample>" touched "MruLongList" (Path: "HKCU\CLSID\{53BD6B4E-3780-4693-AFC3-7161C2F3EE9C}\TREATAS")
    - "<Input Sample>" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
    - "<Input Sample>" touched "Microsoft AutoComplete" (Path: "HKCU\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
    - "<Input Sample>" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
    - "<Input Sample>" touched "Recent Places Folder" (Path: "HKCU\CLSID\{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}\SHELLFOLDER")
    - "<Input Sample>" touched "UsersLibraries" (Path: "HKCU\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\SHELLFOLDER")
    - "<Input Sample>" touched "Computers and Devices" (Path: "HKCU\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\SHELLFOLDER")
    - "<Input Sample>" touched "Explorer Browser" (Path: "HKCU\CLSID\{71F96385-DDD6-48D3-A0C1-AE06E8B055FB}\TREATAS")
    - "<Input Sample>" touched "Browser Progress Aggregator" (Path: "HKCU\CLSID\{104846AB-42B1-4E38-A80D-136F78C3F258}\TREATAS")
    - "<Input Sample>" touched "Background Task Scheduler" (Path: "HKCU\CLSID\{603D3800-BD81-11D0-A3A5-00C04FD706EC}\TREATAS")
    - "<Input Sample>" touched "MruPidlList" (Path: "HKCU\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\TREATAS")
    - "<Input Sample>" touched "Property System Apartment Class Factory" (Path: "HKCU\CLSID\{9CFC2DF3-6BA3-46EF-A836-E519E81F0EC4}\TREATAS")
    - "<Input Sample>" touched "Property System Both Class Factory" (Path: "HKCU\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\TREATAS")
    - "<Input Sample>" touched "Property System" (Path: "HKCU\CLSID\{B8967F85-58AE-4F46-9FB2-5D7904798F4B}\TREATAS")
  - source: Registry Access
  - relevance: 3/10
- Scanning for window names
  - details:
    - "<Input Sample>" searching for class "GFKeyNote10.UnicodeClass"
    - "<Input Sample>" searching for class "Shell_TrayWnd"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1010
Installation/Persistence
- Connects to LPC ports
  - details: "<Input Sample>" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Touches files in the Windows directory
  - details:
    - "<Input Sample>" touched file "%WINDIR%\System32\spool\drivers\w32x86\3\sendtoonenote.BUD"
    - "<Input Sample>" touched file "C:\Windows\System32\spool\drivers\w32x86\3\sendtoonenote.gpd"
    - "<Input Sample>" touched file "C:\Windows\System32\spool\drivers\w32x86\3\stdnames.gpd"
    - "<Input Sample>" touched file "C:\Windows\System32\spool\drivers\w32x86\3\SendToOneNoteNames.gpd"
    - "<Input Sample>" touched file "C:\Windows\System32\spool\drivers\w32x86\3\SendToOneNoteFilter.gpd"
    - "<Input Sample>" touched file "C:\Windows\System32\spool\drivers\w32x86\3\SendToOneNote.ini"
    - "<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
    - "<Input Sample>" touched file "C:\Windows\System32\en-US\user32.dll.mui"
    - "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    - "<Input Sample>" touched file "C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_en-us_020378a8991bbcc2\comctl32.dll.mui"
    - "<Input Sample>" touched file "C:\Windows\System32\imageres.dll"
  - source: API Call
  - relevance: 7/10
Network Related
- Found potential URL in binary/memory
  - details:
    - Pattern match: "http://code.google.com/p/keynote-nf/"
    - Heuristic match: "dprado.keynote@gmail.com"
    - Heuristic match: "marekjed@users.sourceforge.net"
    - Pattern match: "https://github.com/dpradov/keynote-nf"
    - Pattern match: "https://github.com/dpradov/keynote-nf/issues"
    - Pattern match: "http://www.flashpeak.com/ushell/ushell.htm"
    - Pattern match: "http://www.embarcadero.com"
    - Heuristic match: "rekjed@users.sourceforge.net"
  - source: File/Memory
  - relevance: 10/10
System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details: "<Input Sample>" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1215
Unusual Characteristics
- Found Delphi 4 - Delphi 2006 artifact
  - details: "keynote.exe.bin" has a PE timestamp using the buggy magic timestamp 0x2A425E19.
  - source: Static Parser
  - relevance: 10/10
- Matched Compiler/Packer signature
  - details: "keynote.exe.bin" was detected as "BobSoft Mini Delphi -> BoB / BobSoft"
  - source: Static Parser
  - relevance: 10/10
  - ATT&CK ID: T1002
File Details
keynote.exe
- Filename: keynote.exe
- Size: 2.5MiB (2631168 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: e2cb1e7abd8d2eb92a13827fefc87c19fa80a928e3d55c90618553d367512447
- MD5: 364b0fc95d24d8e3541a1b64df06374d
- SHA1: d09bd83088968891a5148cde20389eee718dd795
- ssdeep: 49152:Gy50LqIMOrJXcUdWO5Z+FKEZ9Qv7sFiITT5U/tl+Z:Gy5xOrJXxdz5ZzE4YgiZ
- imphash: 01d6f8f0b7fb8a49e4accc0125afa280
- authentihash: ce3e74828386a3f0a6d55fed7affa8fd9ef787c100a87e68e83ff1945b7314bf
- Compiler/Packer: BobSoft Mini Delphi -> BoB / BobSoft
Version Info
- LegalCopyright: (c) Daniel Prado 2007-17 (c) Marek Jedlinski, 2000-05
- InternalName: KeyNote NF
- FileVersion: 1.7.9.8
- CompanyName: -
- LegalTrademarks: Free software, MPL 2.0
- Comments: Improvements over version 1.6.5 of Marek's KeyNote
- ProductName: KeyNote NF
- X-MAILTO: dprado.keynote@gmail.com
- ProductVersion: 1.7.9 Beta 8 (30/04/17)
- FileDescription: KeyNote NF (New Features)
- X-URL: http://code.google.com/p/keynote-nf/
- OriginalFilename: keynote.exe
- X-Fnord: -
- Translation: 0x0409 0x04e4
Classification (TrID)
- 89.2% (.EXE) Win32 Executable Borland Delphi 7
- 5.7% (.EXE) InstallShield setup
- 1.9% (.EXE) Win32 Executable Delphi generic
- 1.3% (.EXE) DOS Borland compiled Executable (generic)
- 0.6% (.EXE) Win32 Executable (generic)
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- keynote.exe (PID: 480) 6/88
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
1.7.9.8 | Domain/IP reference | 00122924-00000480-24073-1354-005E0CE8 |
https://github.com/dpradov/keynote-nf | Domain/IP reference | 00122924-00000480-24073-784-005C8C98 |
255.255.255.255 | Domain/IP reference | 8572-11912-00555558 |
http://www.embarcadero.com | Domain/IP reference | 8572-23329-005C99C8 |
http://www.flashpeak.com/ushell/ushell.htm | Domain/IP reference | 8572-12446-0057E4D8 |
gmail.com | Domain/IP reference | 00122924-00000480-24073-784-005C8C98 |
https://github.com/dpradov/keynote-nf/issues | Domain/IP reference | 8572-12696-005B28D0 |
users.sourceforge.net | Domain/IP reference | 00122924-00000480-24073-784-005C8C98 |
txt.rtf.ini.log.pas.c.h.bas.pl | Domain/IP reference | 00122924-00000480-24073-344-005E05E0 |
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications

Runtime
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report