IMG_4095.scr

First submission 2024-02-07 20:43:03

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 1832.34 KB (1876320 bytes)
Compile time: 1992-06-20 00:22:17
MD5: 337e300721c80ee6c114cc38b2ed786a
SHA1: c6403b50de536acd4b7b90a4173ebe86bb86a001
SHA256: 500670f00b1e99426a3f5a49634475b69e3bca76442f7ad6db3b082fd094aecb
Import Hash : 1a2eb0e54e5f6eee98b9fbbf0ab60255
Sections 10 CODE DATA BSS .idata .tls .rdata .reloc .rsrc .reloc f,
Directories 5 import resource tls relocation security
Virus Total:

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXps://cdn-staging.livechat-files.com/api/file/lc/att/1520/ec2dd918e031a799e65292f82148018b/IMG_4095.scr cdn-staging.livechat-files.com 2024-02-07 20:43:03

PE Sections 4 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
CODE 0x1000 0x13b8e0 1292800 6a2d89f753d57e9ebc761a2c96bcb6d510c538ae 53a3bd8c476dbeb65d6350f57c1ebe62
DATA 0x13d000 0x3450 13824 7f7215e1a8f61ea558096a37ff2442f27777e473 22c591a44ab33614f059dc3bebdb2305
BSS 0x141000 0x12ed 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0x143000 0x2e7e 12288 e70cce53d9f0b7b799ee0162fa8aa94bad0cad5f 505b0fa7ac6467104e7e39beffd2f040
.tls 0x146000 0x10 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x147000 0x18 512 66e16365c82bbc7dc31e02d842149923bbbff831 80d3765e26ae11300ec626bf8fdfe68f
.reloc 0x148000 0x164e4 91648 5174c7574b90b3451745e18099fd1688ea5599cb 24d720f16f894f46b683d89fb55ce426
.rsrc 0x15f000 0x3ac00 240640 49b7e31b00a0888209c03c13f977680729795aa4 06b3824a4e4138f3a9bdbd9930665d8b
.reloc 0x19a000 0x33c0b 212480 daae0cf0b8daeda2d0e1d01e4cfa36bd62184476 4966e4bfd4cb5b87cb024acdb25d7e7d
f, 0x1ce000 0x200 512 75ed314bf7055489a10305eaa64e56a54506bc56 7da80bc72c743e21315fe749ad6e4568

PE Resources 9

Name Language Sublanguage Offset Size Data
RT_CURSOR LANG_NEUTRAL SUBLANG_NEUTRAL 0x161ee0 308
RT_BITMAP LANG_NEUTRAL SUBLANG_NEUTRAL 0x166e00 224
RT_ICON LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x166ee0 4264
RT_DIALOG LANG_NEUTRAL SUBLANG_NEUTRAL 0x167f88 82
RT_STRING LANG_NEUTRAL SUBLANG_NEUTRAL 0x16e850 808
RT_RCDATA LANG_NEUTRAL SUBLANG_NEUTRAL 0x1993d0 1047
RT_GROUP_CURSOR LANG_NEUTRAL SUBLANG_NEUTRAL 0x19989c 20
RT_GROUP_ICON LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x1998b0 20
RT_VERSION LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x1998c4 792

Meta infos 11

LegalCopyright: softcows.com
InternalName: Quick Memory Editor
FileVersion: 5.5.0.0
CompanyName: softcows.com
LegalTrademarks:
Comments:
ProductName: Quick Memory Editor
ProductVersion: 5.5
FileDescription: Quick Memory Editor
Translation: 0x0409 0x04e4
OriginalFilename: MemEditor

Packers detected 3

Borland Delphi 3.0 (???)
Borland Delphi 4.0
Borland Delphi v6.0 - v7.0

Anti debug functions 5

FindWindowA
GetLastError
GetWindowThreadProcessId
RaiseException
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

File signature

MD5 SHA1 Block size Virtual Address
a369087f0d15ea2db8702800fb4a151e 44090fbaec8de675275a09d4ecb5921f375fcbd3 10592 1865728

Strings analysis - File found

Binary
Dump of %s.bin
Data
memory.dat
Library
Invalid owner
%s is already associated with %s
%d is an invalid PageIndex value. PageIndex must be between 0 and %d
This control requires version 4.70 or greater of COMCTL32.DLL
MAPI32.dll
MemEditor.dll
COMCTL32.dll
ole32.dll
ADVAPI32.dll
IMM32.dll
USER32.dll
GDI32.dll
OLEAUT32.dll
idapi32.DLL
KERNEL32.dll
vcltest3.dll
VERSION.dll
COMDLG32.dll
SHELL32.dll

Strings analysis - Possible URLs found 20


Import functions