Analysis Report · CAPE Sandbox

Analysis Details

Category	Package	Started	Completed	Duration	Logs
FILE	dll	2026-03-05 00:18:19	2026-03-05 00:22:45	266s
Reports	JSON

Analysis Log

2026-03-05 02:28:18,340 [root] INFO: Date set to: 20260305T00:18:34, timeout set to: 200
2026-03-05 00:18:34,138 [root] DEBUG: Starting analyzer from: C:\vrp2u9om
2026-03-05 00:18:34,138 [root] DEBUG: Storing results at: C:\UfnHHQPorU
2026-03-05 00:18:34,138 [root] DEBUG: Pipe server name: \\.\PIPE\kLbvnJYYvB
2026-03-05 00:18:34,138 [root] DEBUG: Python path: C:\Python310
2026-03-05 00:18:34,154 [root] INFO: analysis running as an admin
2026-03-05 00:18:34,154 [root] INFO: analysis package specified: "dll"
2026-03-05 00:18:34,154 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2026-03-05 00:18:34,154 [root] DEBUG: imported analysis package "dll"
2026-03-05 00:18:34,154 [root] DEBUG: initializing analysis package "dll"...
2026-03-05 00:18:34,154 [lib.common.common] INFO: wrapping
2026-03-05 00:18:34,154 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-03-05 00:18:34,154 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\sample.dll
2026-03-05 00:18:34,154 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2026-03-05 00:18:34,154 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2026-03-05 00:18:34,154 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2026-03-05 00:18:34,154 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2026-03-05 00:18:34,326 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-03-05 00:18:34,576 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-03-05 00:18:34,670 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-03-05 00:18:34,748 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-03-05 00:18:35,216 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-03-05 00:18:35,232 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-03-05 00:18:35,263 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-03-05 00:18:35,529 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2026-03-05 00:18:35,529 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-03-05 00:18:35,560 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-03-05 00:18:35,560 [root] DEBUG: Initialized auxiliary module "Browser"
2026-03-05 00:18:35,560 [root] DEBUG: attempting to configure 'Browser' from data
2026-03-05 00:18:35,592 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-03-05 00:18:35,592 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-03-05 00:18:35,607 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-03-05 00:18:35,607 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-03-05 00:18:35,607 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-03-05 00:18:35,607 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-03-05 00:18:35,623 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-03-05 00:18:35,623 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-03-05 00:18:36,169 [modules.auxiliary.digisig] DEBUG: File is not signed
2026-03-05 00:18:36,169 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-03-05 00:18:36,169 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-03-05 00:18:36,185 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-03-05 00:18:36,185 [root] DEBUG: attempting to configure 'Disguise' from data
2026-03-05 00:18:36,185 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-03-05 00:18:36,185 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-03-05 00:18:36,185 [modules.auxiliary.disguise] INFO: Disguising GUID to fd7fc618-18f9-47ce-a04f-1a623f9008af
2026-03-05 00:18:36,185 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-03-05 00:18:36,185 [root] DEBUG: Initialized auxiliary module "Human"
2026-03-05 00:18:36,201 [root] DEBUG: attempting to configure 'Human' from data
2026-03-05 00:18:36,201 [root] DEBUG: module Human does not support data configuration, ignoring
2026-03-05 00:18:36,201 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-03-05 00:18:36,201 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-03-05 00:18:36,216 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-03-05 00:18:36,216 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-03-05 00:18:36,216 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-03-05 00:18:36,216 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-03-05 00:18:36,216 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-03-05 00:18:36,216 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-03-05 00:18:36,216 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-03-05 00:18:36,232 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-03-05 00:18:36,232 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-03-05 00:18:36,232 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 656
2026-03-05 00:18:36,279 [lib.api.process] INFO: Monitor config for <Process 656 lsass.exe>: C:\vrp2u9om\dll\656.ini
2026-03-05 00:18:36,279 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-03-05 00:18:36,388 [lib.api.process] INFO: 64-bit DLL to inject is C:\vrp2u9om\dll\hszJQNBp.dll, loader C:\vrp2u9om\bin\xpQbvRlb.exe
2026-03-05 00:18:38,607 [root] DEBUG: Loader: Injecting process 656 with C:\vrp2u9om\dll\hszJQNBp.dll.
2026-03-05 00:18:42,873 [root] DEBUG: 656: Python path set to 'C:\Python310'.
2026-03-05 00:18:42,873 [root] DEBUG: 656: Disabling sleep skipping.
2026-03-05 00:18:42,888 [root] DEBUG: 656: TLS secret dump mode enabled.
2026-03-05 00:18:43,201 [root] DEBUG: 656: RtlInsertInvertedFunctionTable 0x00007FF97FCC090E, LdrpInvertedFunctionTableSRWLock 0x00007FF97FE1D500
2026-03-05 00:18:43,216 [root] DEBUG: 656: Monitor initialised: 64-bit capemon loaded in process 656 at 0x00007FF95DDB0000, thread 3876, image base 0x00007FF794EB0000, stack from 0x000000A2778F1000-0x000000A277900000
2026-03-05 00:18:43,216 [root] DEBUG: 656: Commandline: C:\Windows\system32\lsass.exe
2026-03-05 00:18:43,498 [root] DEBUG: 656: Hooked 5 out of 5 functions
2026-03-05 00:18:43,498 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-03-05 00:18:43,498 [root] DEBUG: Successfully injected DLL C:\vrp2u9om\dll\hszJQNBp.dll.
2026-03-05 00:18:43,607 [lib.api.process] INFO: Injected into 64-bit <Process 656 lsass.exe>
2026-03-05 00:18:43,607 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-03-05 00:18:49,529 [root] DEBUG: 656: TLS 1.2 secrets logged to: C:\UfnHHQPorU\tlsdump\tlsdump.log
2026-03-05 00:18:54,185 [root] INFO: Restarting WMI Service
2026-03-05 00:18:56,607 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2026-03-05 00:18:56,607 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2026-03-05 00:18:56,607 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-03-05 00:18:56,873 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\cape\AppData\Local\Temp\sample.dll",#1" with pid 352
2026-03-05 00:18:56,888 [lib.api.process] INFO: Monitor config for <Process 352 rundll32.exe>: C:\vrp2u9om\dll\352.ini
2026-03-05 00:18:56,904 [lib.api.process] INFO: 32-bit DLL to inject is C:\vrp2u9om\dll\JcyqnZrz.dll, loader C:\vrp2u9om\bin\SlwveoB.exe
2026-03-05 00:18:57,076 [root] DEBUG: Loader: Injecting process 352 (thread 4516) with C:\vrp2u9om\dll\JcyqnZrz.dll.
2026-03-05 00:18:57,357 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-03-05 00:18:57,357 [root] DEBUG: Successfully injected DLL C:\vrp2u9om\dll\JcyqnZrz.dll.
2026-03-05 00:18:57,372 [lib.api.process] INFO: Injected into 32-bit <Process 352 rundll32.exe>
2026-03-05 00:18:59,388 [lib.api.process] INFO: Successfully resumed <Process 352 rundll32.exe>
2026-03-05 00:19:00,091 [root] DEBUG: 352: Python path set to 'C:\Python310'.
2026-03-05 00:19:00,169 [root] DEBUG: 352: Disabling sleep skipping.
2026-03-05 00:19:00,169 [root] DEBUG: 352: Dropped file limit defaulting to 100.
2026-03-05 00:19:00,357 [root] DEBUG: 352: YaraInit: Compiled 44 rule files
2026-03-05 00:19:00,357 [root] DEBUG: 352: YaraInit: Compiled rules saved to file C:\vrp2u9om\data\yara\capemon.yac
2026-03-05 00:19:00,373 [root] DEBUG: 352: YaraScan: Scanning 0x008E0000, size 0x136e8
2026-03-05 00:19:00,373 [root] DEBUG: 352: Monitor initialised: 32-bit capemon loaded in process 352 at 0x736b0000, thread 4516, image base 0x8e0000, stack from 0x7a2000-0x7b0000
2026-03-05 00:19:00,373 [root] DEBUG: 352: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\cape\AppData\Local\Temp\sample.dll",#1
2026-03-05 00:19:00,654 [root] DEBUG: 352: hook_api: LdrpCallInitRoutine export address 0x779A2A40 obtained via GetFunctionAddress
2026-03-05 00:19:00,795 [root] DEBUG: 352: hook_api: Warning - CreateProcessA export address 0x760A2D90 differs from GetProcAddress -> 0x73A422A0 (AcLayers.DLL::0xfd9d22a0)
2026-03-05 00:19:00,810 [root] DEBUG: 352: hook_api: Warning - CreateProcessW export address 0x760888E0 differs from GetProcAddress -> 0x73A424E0 (AcLayers.DLL::0xfd9d24e0)
2026-03-05 00:19:00,810 [root] DEBUG: 352: hook_api: Warning - WinExec export address 0x760CCF20 differs from GetProcAddress -> 0x73A427A0 (AcLayers.DLL::0xfd9d27a0)
2026-03-05 00:19:01,014 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-03-05 00:19:01,029 [root] DEBUG: 352: set_hooks: Unable to hook GetCommandLineA
2026-03-05 00:19:01,045 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-03-05 00:19:01,045 [root] DEBUG: 352: set_hooks: Unable to hook GetCommandLineW
2026-03-05 00:19:01,263 [root] DEBUG: 352: Hooked 630 out of 632 functions
2026-03-05 00:19:01,310 [root] DEBUG: 352: Syscall hook installed, syscall logging level 1
2026-03-05 00:19:01,326 [root] DEBUG: 352: RestoreHeaders: Restored original import table.
2026-03-05 00:19:01,326 [root] INFO: Loaded monitor into process with pid 352
2026-03-05 00:19:01,326 [root] DEBUG: 352: caller_dispatch: Added region at 0x008E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x008E5F1A, thread 4516).
2026-03-05 00:19:01,341 [root] DEBUG: 352: YaraScan: Scanning 0x008E0000, size 0x136e8
2026-03-05 00:19:01,341 [root] DEBUG: 352: ProcessImageBase: Main module image at 0x008E0000 unmodified (entropy change 0.000000e+00)
2026-03-05 00:19:01,638 [root] DEBUG: 352: InstrumentationCallback: Added region at 0x760924AC (base 0x76070000) to tracked regions list (thread 4516).
2026-03-05 00:19:01,654 [root] DEBUG: 352: ProcessTrackedRegion: Region at 0x76070000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-03-05 00:19:02,451 [root] DEBUG: 352: InstrumentationCallback: Added region at 0x75C633EC (base 0x75B30000) to tracked regions list (thread 4516).
2026-03-05 00:19:02,451 [root] DEBUG: 352: ProcessTrackedRegion: Region at 0x75B30000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-05 00:19:02,763 [root] DEBUG: 352: DLL loaded at 0x73610000: C:\Windows\SYSTEM32\TextShaping (0x94000 bytes).
2026-03-05 00:19:04,123 [root] DEBUG: 352: DLL loaded at 0x740C0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-03-05 00:19:04,357 [root] DEBUG: 352: DLL loaded at 0x75D50000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2026-03-05 00:19:04,623 [root] DEBUG: 352: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-03-05 00:19:04,638 [root] DEBUG: 352: DLL loaded at 0x74D40000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-03-05 00:19:04,654 [root] DEBUG: 352: DLL loaded at 0x76C00000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-03-05 00:19:04,716 [root] DEBUG: 352: DLL loaded at 0x73200000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes).
2026-03-05 00:19:04,732 [root] DEBUG: 352: DLL loaded at 0x73230000: C:\Windows\System32\CoreMessaging (0x9b000 bytes).
2026-03-05 00:19:04,763 [root] DEBUG: 352: DLL loaded at 0x73120000: C:\Windows\SYSTEM32\wintypes (0xdb000 bytes).
2026-03-05 00:19:04,779 [root] DEBUG: 352: DLL loaded at 0x732D0000: C:\Windows\System32\CoreUIComponents (0x27e000 bytes).
2026-03-05 00:19:04,779 [root] DEBUG: 352: DLL loaded at 0x73550000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes).
2026-03-05 00:22:19,826 [root] INFO: Analysis timeout hit, terminating analysis
2026-03-05 00:22:19,826 [lib.api.process] INFO: Terminate event set for <Process 352 rundll32.exe>
2026-03-05 00:22:19,826 [root] DEBUG: 352: Terminate Event: Attempting to dump process 352
2026-03-05 00:22:19,826 [root] DEBUG: 352: DoProcessDump: Skipping process dump as code is identical on disk.
2026-03-05 00:22:19,842 [lib.api.process] INFO: Termination confirmed for <Process 352 rundll32.exe>
2026-03-05 00:22:19,842 [root] INFO: Terminate event set for process 352
2026-03-05 00:22:19,857 [root] INFO: Created shutdown mutex
2026-03-05 00:22:19,857 [root] DEBUG: 352: Terminate Event: monitor shutdown complete for process 352
2026-03-05 00:22:20,873 [root] INFO: Shutting down package
2026-03-05 00:22:20,873 [root] INFO: Stopping auxiliary modules
2026-03-05 00:22:20,873 [root] INFO: Stopping auxiliary module: Browser
2026-03-05 00:22:20,873 [root] INFO: Stopping auxiliary module: Human
2026-03-05 00:22:22,888 [root] INFO: Stopping auxiliary module: Screenshots
2026-03-05 00:22:23,435 [root] INFO: Finishing auxiliary modules
2026-03-05 00:22:23,435 [root] INFO: Shutting down pipe server and dumping dropped files
2026-03-05 00:22:23,451 [root] WARNING: Folder at path "C:\UfnHHQPorU\debugger" does not exist, skipping
2026-03-05 00:22:23,451 [root] INFO: Uploading files at path "C:\UfnHHQPorU\tlsdump"
2026-03-05 00:22:23,451 [lib.common.results] INFO: Uploading file C:\UfnHHQPorU\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 6576; Max size: 100000000
2026-03-05 00:22:23,467 [root] INFO: Analysis completed

Process Log

Pre-Script Log

During-Script Log

Machine Information

Name	Label	Manager	Started On	Shutdown On
win10x64	win10x64	KVM	2026-03-05 00:18:19	2026-03-05 00:22:45

File Details

File Information

File Name	sample.dll
File Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File Size	159744 bytes
MD5	0cf6e4d3833971977e610b59cb402522
SHA1	c226aa908267a64298beebc49f3ad03b18faf91b
SHA256	eb90ab3c6321cbe8ec6763de4b880277b4120b739c8b88ebedea51cd0e097107 VT MWDB Bazaar
SHA3-384	b4d373c5b16fc506f1e1f1a42e5252fccb87a2f00462d39a87b85161db76de3e4e16f53297b28e3c494c9c8879ec747b
CRC32	9C465382
TLSH	T10DF3F0BBFCCD50A7D1CDE17B2476A90285EE0A1005BFD1AED0E9851A7CDA4E4272C71B
Ssdeep	3072:li407ABdQi4hmUQmlOEz82seijlz9w/OFHPbICBXEEOwa/:wpiw8T5JFjrE3wa/
Yara	INDICATOR_EXE_Packed_ASPack - Detects executables packed with ASPack (ditekSHen) suspicious_packer_section - The packer/protector section names/keywords (@j0sm1) ASPackv212AlexeySolodovnikov - (malware-lu) ASProtectV2XDLLAlexeySolodovnikov - (malware-lu) IsPE32 - IsDLL - IsWindowsGUI - IsPacked - Entropy Check ASPack_v212_additional - ASPack_v21_additional - ASProtect_V2X_DLL_Alexey_Solodovnikov - ASPack_v212 - yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h - ASPack_v211d - ASProtect_V2X_DLL_Alexey_Solodovnikov_additional - ASPack_212withouth_Poly_Solodovnikov_Alexey - ASPack_v212_Alexey_Solodovnikov -

Tools: PE Strings Gen BinGraph

VirusTotal (0/76)

Full Results

Strings

no!+d
qw\+H
@Madexcept@SysUtils_LoadPackage
@Madexcept@BcbMemcpy
Y4Sni
k)+Oe0
ShellExecuteExA
wi:!W
@Madexcept@RegisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%t1pqqrv$20System@UnicodeStringo
mgkky
vB|fT
3H.k{0
>68:T
W<lGn
('H3vA
@Madexcept@UnregisterHiddenExceptionHandler$qqrpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
$AGX0
b{gzr
I!=uMX^
dg6j4b
@Madexcept@RegisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%t1pqqrx50System@%DelphiInterface$t22Madexcept@IMEException%$20System@UnicodeStringo
@$xp$23Madexcept@TExceptSource
@Madexcept@BcbExceptionHandler
comdlg32.dll
&iUS\
(e&!~
hhWAs
TextOutA
SqHgQ
fT{h;
TB[mR
@$xp$29Madnvassistant@TNVModalResult
@Madexcept@GetAllocatedMemory$qqrv
@Madexcept@CreateBugReport$qqr21Madexcept@TExceptTypep14System@TObjectpvuiuiuip8_CONTEXTo55System@%DelphiInterface$t27Madexcept@IMEModuleSettings%23Madexcept@TExceptSourcet2uit3
@Madexcept@BcbInitExceptBlockLDTC
}l\v-
@Madexcept@initialization$qqrv
@Madnvassistant@CreateAssistant$qqr27System@%AnsiStringT$us$i0$%px27System@%AnsiStringT$us$i0$%xi45System@%DelphiInterface$t17System@IInterface%
@Madnvbitmap@initialization$qqrv
Hw&YY
@Madstacktrace@StackTrace$qqrooop49System@%DynamicArray$t24Madstacktrace@TStackItem%pvoouiuit5ppvtbtb57System@%DelphiInterface$t29Madnvprgralert@IProgressAlert%uioot5popuitktjp52System@%DynamicArray$t27System@%AnsiStringT$us$i0$%%o
OjbQ=
H0RT8u
@Madexcept@DontReformatExcMsg
zMFX>
aEPW8@
=`g}zLde
X)h{p==
joJa'b
*)q:D
@Madlistprocesses@initialization$qqrv
i3f+%
pOvr`
a|X^K
D"!}Zt
> >0>88
S5Yn_
@$xp$24Madstacktrace@TStackItem
SQs(h
&Tt}!
IoorH4
N]i(F
kTUj2g
CI3'fC
,]P@k
@Madexcept@DetectConsole
@Madexcept@UnregisterExceptActionHandler$qqrynpqqr23Madexcept@TExceptActionx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
@Madnvassistant@HandleContactFormProc
_xLIG
Gr3sW
@Madexcept@System_ExceptionHandler
MG%/V
"$32e
8%!^v
&OnhE
B)dR9I
@System@initialization$qqrv
@Madexcept@CheckExceptParams$qqrrp14System@TObjectrpvt2rp8_CONTEXT
XD4~`
)y:he
I,`\z9
,;F0s
x=6@D
ib)8G
@Madexcept@GetThreadName$qqrui
cQ)Rl
\K"]R#
4+5:mN
]>/eDr
/vN\S
@Madnvassistant@Finalization$qqrv
UWLh0)
-HRhlK
e^(D1
.rdata
pkCnT
@Madexcept@HiddenAutoMailing
_xhm,i>
USWXMTKV[\YZ]
/e!y{Ay
@Madexcept@Forms_TApplication_HandleException
@Madexcept@RegWriteStr$qqrui27System@%AnsiStringT$us$i0$%t2t2
4Z8sJ
@Madlistprocesses@GetProcessList$qqrv
@Madexcept@SaveBugReport$qqr27System@%AnsiStringT$us$i0$%ui49System@%DelphiInterface$t21Madexcept@IMESettings%
B\&p>
->:;m--9
@Madexcept@NewFields$qqrv
{SY8[
Hj* DTC
<v xp
I}V-/
@Madexcept@RegisterHiddenExceptionHandler$qqrynpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType
yEuJiC
=c,h[:
maddisasm_.bpl
@Madexcept@CGIApp_TCGIApplication_CGIHandleException
@Madexcept@ExpandVars$qqruir27System@%AnsiStringT$us$i0$%27System@%AnsiStringT$us$i0$%t3t3
R,BII
@Madexcept@HandleContactForm$qqr50System@%DelphiInterface$t22Madnvassistant@INVForm%24Madnvassistant@TNVAction50System@%DelphiInterface$t22Madnvassistant@INVItem%50System@%DelphiInterface$t22Madexcept@IMEException%
I%>F<GQA
;L|Jf VkIUW;s,/
@Madexcept@SendMapiMail$qqr27System@%AnsiStringT$us$i0$%t1t152System@%DelphiInterface$t24Madexcept@IMEAttachments%uioo49System@%DelphiInterface$t21Madexcept@IMESettings%
CreateWindowExA
wG)7m
>"ICr
?sG5sG
h|,CZ
V}"=j
M)No;
W@3iG
Y> jx
@Maddumpobj@DumpObj$qqrp14System@TObject
e!=?b
@Madexcept@Get9xResourceReport$qqrv
`jinmfe@D
<(tHW
@Madexcept@GetProgramUpTime$qqrv
@Madlistmodules@initialization$qqrv
e%a"pJ
@Madexcept@UnregisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%
JuUOa
@\>bt!7
NN>?%
ls]se
EWlr(
[1]<{
7RQTaTt
]|0cb
0tm!z
~_"T\
L}b2#
@Madexcept@ResetFpuMode
Initialize
Oc2Xi
!"4(m 
jT1}X
@Madexcept@MxLookup$qqr27System@%AnsiStringT$us$i0$%
P\nDMrL_
ksp0u
sWB<y
%~!2ZO
@Madexcept_@@GetPackageInfoTable$qqrv
|Ql|DIf
comctl32.dll
D365m
PB,<+*
[e|C2!
@$xp$22Madexcept@Madexcept__2
@Madmapfile@GetMyProcName$qqro
X~RH?l
3^^B/
wJ"h,5
}#}Bd
-Zr&UkN)O|E
4zMlj
>k<^L
CALIBRATE
%y+$=J
\1a^.
@Madexcept@ShowBugReportKey
I|/\(
]4|S[
@$xp$26Madnvassistant@INVCheckBox
@Madexcept@HyperJumpCallstack$qqr27System@%AnsiStringT$us$i0$%
U#4Nn
BBuo@
^P,}Q
~T0&z
@Madmapfile@TMapFile@FindSegment$qqropv
H_,f;
uB$<t
ElR0M6
qn}?|
[XPi+ 
P]E'@N
@Madexcept@CalibrateCode$qqrv
KGB-!
@$xp$26Madnvassistant@TOutputType
&U[Wv/
%:9%]
"G7w<zd6Cy
@$xp$23Madmapfile@_TMapFile@_2
@Maddisasm@initialization$qqrv
;n&3 
@Madexcept@BcbThrowExceptionLDTC
Qe0ji
p^LGk
cWGBy
@Madexcept@AutoSendBugReport$qqr27System@%AnsiStringT$us$i0$%49System@%DelphiInterface$t21Madnvbitmap@INVBitmap%49System@%DelphiInterface$t21Madexcept@IMESettings%
@Madexcept@ImNotFrozen$qqrv
user32.dll
@$xp$24Madexcept@IMEAttachments
@Madexcept@ForceUtf8
N,(t&3%>
*'<4b}
@Madexcept@BcbPTerminate
@$xp$21Madnvbitmap@INVBitmap
!7#"5>
@$xp$23Madnvassistant@INVImage
XCtz*
G5*$n
>,?eL
@Madexcept@GetThreadList$qqrv
@Madlinkdisasm@initialization$qqrv
;y n}
@Madexcept@System_FinalizeUnits
@Madmapfile@TMapFile@FindLine$qqrpv
-_q_uY!
@Madexcept@System_InitUnits
@Madexcept@Qforms_TApplication_ShowException
@4v~a
@Madmapfile@Finalization$qqrv
R8I%(0
$MP(p
C/][zj
@Madexcept@CloseApplication$qqrv
@Madexcept@UnregisterHiddenExceptionHandler$qqrynpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
LoadLibraryA
@Madexcept@DontHookThreads$qqrv
@Madexcept@MESettings$qqrpv
SHGetPathFromIDListA
ma$L{
-x.][
@3_By
H+`03
V,4Bc
/swa/t
7Lu,G
c(u4`
11-:$
AEy,(
B@!y`
.rsrc
mXURv&
@$xp$22Madnvassistant@INVItem
@Madmapfile@LoadMapFileEx$qqr27System@%AnsiStringT$us$i0$%o
wsprintfA
~M2!> z
F;M-\/
 #W}N
xgtIv
P_PRn
@Madexcept@DecryptPassword$qqr27System@%AnsiStringT$us$i0$%t1t1
GDi%`Q
I"e}TS'pz
@Madnvprgralert@Finalization$qqrv
^)*<%
ZiL~8
@Madexcept@GetMemoryStatus$qqrv
@Madexcept@GetTSClientName$qqrv
rd)yj
@Madexcept@HttpUpload$qqr27System@%AnsiStringT$us$i0$%52System@%DelphiInterface$t24Madexcept@IMEAttachments%47System@%DelphiInterface$t19Madexcept@IMEFields%t1t1uit1uioo49System@%DelphiInterface$t21Madexcept@IMESettings%
@Madmapfile@CMapFileStreamDescriptor
mm*Mi5
mtoKS;
#dB-5
psgWh
B7Xs"
%F"I,
8ZTu(
drU#f
}6F$yA
XP.YQW
3`\n)
"+^b<(
Kq^~Q
gT}e=
p'mLHWI
B/^ep2
Iz0w4M
@Madexcept@MESettings$qqrv
9XRGX
t\%47A
ei}_9
@Madexcept@ProcessMainThreadId
v@YU#'
)=}i1g
:ftxO
madExcept_.bpl
LNl/t
b[pf,_|'m
T\Iu#
;>H>mfat
@$xp$27Madexcept@IMEModuleSettings
@Madexcept@RegisterExceptActionHandler$qqrynpqqr23Madexcept@TExceptActionx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType
bEY)XH
1sD(a
fA9)-
@$xp$24Madnvassistant@TNVAction
+BK9~
KUX y
@Madexcept@GetOsVersionString$qqrv
@Madlistprocesses@Finalization$qqrv
=yw-.
YGP'~ 
#!V@_$
@Madexcept@SetTopmost$qqruio
@Variants@initialization$qqrv
jl$3:
h}!>!G<B
^|YQ^W
A"3@J
>c0F.o
c*RBG
:jhty
ysjpM
(?k%b
(* K7
@Madstacktrace@Finalization$qqrv
=+<.?V
>;%"[
+z1^0
Pr;,>MT
D4l|M
vFQS:<
nd~Od6
@Maddumpobj@Finalization$qqrv
,p2?aX
7^zWU3l;
PACKAGEOPTIONS
PrintDlgW
9i#(h
@Madexcept@GetDisplayModeString$qqrv
&+,WA
@Madexcept@PauseFreezeCheck$qqro
8pKUV
dbxsW
}_u393:x
1/3204.)+*(
"YQ2]
D$$W3
"Uw!H!8
>9#dc[
.edata
Gm;z28:F
@Madexcept@MESettings$qqrui
@Madexcept@BcbCallTerminate
apt9E
X%h?^+
&X88Z
@Madexcept@OnExceptBoxCreate
m9riV`s
kc|`b
@Madexcept@SendBugReport$qqr27System@%AnsiStringT$us$i0$%49System@%DelphiInterface$t21Madnvbitmap@INVBitmap%ui49System@%DelphiInterface$t21Madexcept@IMESettings%
 \W`0
4g,,8qGF
Ptn45E
@Madnvbitmap@LoadBitmap$qqr27System@%AnsiStringT$us$i0$%
k#U?0km:{;~
@$xp$30Madexcept@TExceptActionEventOO
@Madexcept@HttpExtensionProcNext
@Madexcept@RegisterExceptionHandler$qqrpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType22Madexcept@TExceptPhase
!+V] o
b]|{O
"LHklH
)Th*M
@+E/=
^WBWy
n'2C\q
3?dkh=
Yc |W
&0Gx|
@Madexcept@Plugins
7-7/#
-r`P+X
iw7;}.H
a,b%P
>2v^N
lnU8jZss/F
@xpZI1
r+v;V
XW&1]
@Madexcept@CloseAntiFreeze$qqrv
kernel32.dll
@Madexcept@InitAntiFreeze$qqrv
 (08@P`p
&u;w{
jxz0p_
@Madexcept@Finalization$qqrv
@Madexcept@SmtpMailFrom
9{F9z
.adata
S8U[*
~0h=UP
GetModuleHandleA
3)b/I3
}+`S3
qf{E9
3wb,-
smX6/F"
ML<Nt
@Madexcept_@@PackageUnload$qqrv
@*)]U9
@Madexcept@OpenThread$qqruiui
\)$-PO
^rK$s
.)$O4
,K6+2
iS/{M~Fd
GWwh{O3
f7!O6e
yd=7aH
C65ge
H]u~j
ENvKH
EXCEPT
q~`H 
=!G]r.
877,.)9
[=cJ"
VirtualAlloc
6M)>I
-oFYz
%$A(0e
t"VF t
.y#<<s
R~C[2
-$/L!
yw4?>vt
@Madmapfile@TMapFile@FindLine$qqrpvrpv
?+3mZI
-F_=$
l8ocaQ$1!
@Madexcept@GetThreadStackTrace$qqruiooop49System@%DynamicArray$t24Madstacktrace@TStackItem%57System@%DelphiInterface$t29Madnvprgralert@IProgressAlert%opuit8pop52System@%DynamicArray$t27System@%AnsiStringT$us$i0$%%
KrnpB
6}Bq.5
@Madexcept@PrintBugReport$qqr27System@%AnsiStringT$us$i0$%ui49System@%DelphiInterface$t21Madexcept@IMESettings%
m72y 
@Madmapfile@TMapFile@Export$qqrooo
@Madstrings@initialization$qqrv
@Madcrypt@Decode$qqr27System@%AnsiStringT$us$i0$%
ltM:f&
TvGl$/i
@Madmapfile@TMapFile@FindPublic$qqri
@Madnvprgralert@NewProgressAlert$qqr27System@%AnsiStringT$us$i0$%uit1
W`$i#
@g~Yi
.data
@Madexcept@SysUtils_ShowException
,oB7&Q6
PABqXW
\T]EX>
{=TM=
c0.}0+
GWm#9GR
V[T^N
dM.kn
@Madexcept_@@PackageLoad$qqrv
zU=jz
@Sysconst@_SModuleAccessViolation
@Madstacktrace@BcbTermination@
=L? K
@Madexcept@PauseMadExcept$qqro
Q-or.
j55)+o
.text
V3_,^
vmImOS
Es!n[
7gfZK|M
WSACleanup
8"fqP3
@Madexcept@HookThreads$qqrv
.3)_kHI:
@Madexcept@SendSmtpMail$qqr27System@%AnsiStringT$us$i0$%t1t1t152System@%DelphiInterface$t24Madexcept@IMEAttachments%t1t1t1uiuioo49System@%DelphiInterface$t21Madexcept@IMESettings%
*@D<{o
RSMJ{BTA
QE-HbN
'-G+Z
\_1rI
mW%Q|
iPW4>
Ja=2z
U8][S
a#L|T"r$%
GetProcAddress
@Madstacktrace@initialization$qqrv
mEN'=
L"d\(-[
@$xp$27Madnvassistant@INVAssistant
@$xp$19Madmapfile@TMapFile
dna<6
@Madexcept@RegisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%t1pqqrx50System@%DelphiInterface$t22Madexcept@IMEException%$27System@%AnsiStringT$us$i0$%o
F7uR+
$]icR
TWpMzjL
;T#{#
_a7g?
madbasic_.bpl
0H16L
<C)]o
@Madexcept@Classes_CheckSynchronize
@Madexcept@HttpUploadTimeout
+?f|z
@Madexcept@RegisterHiddenExceptionHandler$qqrpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType
\`j-Nk
eda][
@Madexcept@CloseAppExitCode
6'_lD
@Madexcept@ProxyServer
.>xL-9
@Madexcept@GetThreadCreatorAddr$qqrui
@Madexcept@DumbStackTrace
B!7bFb
Ll"o[
GaE6^
@Madexcept@BcbOrgMalloc
7<}O#
rG88Gj@
lb!!4
@Madexcept@SetFreezeTimeout$qqrui
;;F,s
shell32.dll
@Madexcept@FillClipboard$qqr27System@%AnsiStringT$us$i0$%
B3bjh
O>9sU
;9f>/
@$xp$23Madnvassistant@INVLabel
JU-jZ
u?2}-/
@Madnvprgralert@initialization$qqrv
@Madnvbitmap@ScreenShot$qqro
({zs4
z&BT}
ju6x2O
dszx\^
$#o4?
@Madmapfile@TMapFile@$bctr$qqro27System@%AnsiStringT$us$i0$%uioo
@Madmapfile@FindMapFile$qqrpv
q3>':
aDq64P
)OeB@R6
aJvkz
QOil,
xC=}[
qDodI
@Madexcept@madTraceProcess$qqsi
@Madmapfile@TMapFile@
rVn_98
bR5?n
nAau=
@Madexcept@CalibrateData
SetSecurityDescriptorDacl
|fTQ8K
H<7l1 
{^2qsJ
@Madexcept@RegisterExceptActionHandler$qqrpqqr23Madexcept@TExceptActionx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType
K,?|o
\S?o&
@Madnvassistant@OnAssistantCreate
@Madexcept@GetCpuCount$qqrv
6uTN\
wwf'x
The ordinal %u could not be located in the dynamic link library %s
ohNgc
X}"6H
V?j{%hh=
r QSw
Y.9Y]]
otg,:
.reloc
<k`b9P 
@Madnvassistant@LoadAssistant$qqrui27System@%AnsiStringT$us$i0$%px27System@%AnsiStringT$us$i0$%xi45System@%DelphiInterface$t17System@IInterface%
:v/5(l
B`p-ay
IK%dO
_p}lwJ
P*0AF
#!k`Aky
6}?./
EMQ#e=k
@$xp$28Madstacktrace@BcbTermination
"oXqL
 ;F4s
PACKAGEINFO
<RNSI&
z%96W}Z
MessageBoxA
@$xp$19Madexcept@TMEDupDef
@'lHr*
*KnAB
x]~D#
The procedure entry point %s could not be located in the dynamic link library %s
pPV0Y
`2\ko
@GetPackageInfoTable
+f}t]
Yze+j{
@Madexcept@RestartApplication$qqrv
`z!~Fz
ExitProcess
@$xp$24Madexcept@TMEShowSetting
yV^X2
+./b*
@Madexcept@GetOsLanguageString$qqrv
cl8s1
UA(u+JX
8>w{,
ck4)1J
rtl120.bpl
33333K
:XDI!8T:-
@Madexcept@DisAsmFunc
JL"UEl
t*wlc
madExcept 3.0k  -  www.madshi.net
Au@D{
E!m"yq!
S6.'3
0G>4?
@$xp$22Madexcept@TExceptPhase
@Madexcept@AmHttpServer
=7'&:?
@Madexcept@RegDelVal$qqrui27System@%AnsiStringT$us$i0$%t2
j,{oBO
CC>jp
LEqHk
#`QO}
@Madexcept@RegisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%t1pqqrv$27System@%AnsiStringT$us$i0$%o
SGo/"
02(<!
jXM6%t
0>h} 
gdi32.dll
(c2#'
@$xp$23Madmapfile@_TMapFile@_1
IuD&%
UJ&De*
AO+:f},
/.p35
N-@O_
pf'.!+qb3
2M,H)
f5H5n5
kxD'%
247QN
@$xp$19Madexcept@IMEFields
fN1>v
MlOZ&#
5@bq>\6am
@Madmapfile@TMapFile@FindPublic$qqro27System@%AnsiStringT$us$i0$%t2o
O!O=LR
@Madexcept@AddCmdLineToBugRep
DESCRIPTION
}JU>!
pvm2C
&]w4r
>6b)J
pR?~;
S_6 b
@Madexcept@SendShellMail$qqr27System@%AnsiStringT$us$i0$%t1t1
@Madnvassistant@HandleScreenshotFormProc
TMADEXCEPT
/+5h^
rn'ScLly
D=x;{cM
@$xp$24Madnvassistant@INVButton
@Madexcept@UnregisterExceptActionHandler$qqrpqqr23Madexcept@TExceptActionx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
y=r{7!Z
@$xp$29Madnvprgralert@IProgressAlert
Pll<b)
\WwzV
3mj!g
+K1M,@
F1b#bN
advapi32.dll
c5}H^
@Madexcept@NoOnlineCheck
.itext
v=umX?SN
lrHW`$
zylBA
xH4tW
@Madexcept@SysUtils_InitializePackage
\%~dF
<T,A'
N8T<#"
Rq5s_
@Madstacktrace@InternalError$qqr27System@%AnsiStringT$us$i0$%oo
y\A[?vUi
@Madnvassistant@initialization$qqrv
Ycd3cch
x'@({
@Madstacktrace@StackAddrToStr$qqrpvoo
avHB`
6qx9Z
%/wxr#j
@$xp$19Madexcept@TSyncType
@$xp$21Madexcept@TExceptType
@Madmapfile@TMapFile@FindSegment$qqri
LOADER ERROR
,sRA~k]
cZ`l@
Ecp'HgU
|(Ri9
@$xp$22Madnvassistant@INVEdit
@$xp$30Madexcept@TBugReportCallbackOO
`5!`$
OAPvKn59
@$xp$22Madexcept@IMEException
@Madexcept@GetExceptBoxHandle$qqrv
qVJmq
uA,>\
?0rtv
@Madexcept@Ebp$qqrv
@Madexcept@HandleException$qqr21Madexcept@TExceptTypep14System@TObjectpvouiuip8_CONTEXT23Madexcept@TExceptSourcet2uip27System@%AnsiStringT$us$i0$%
>R:f{
n6pnT
EUmy0OO
]8pu,
/+J1e
@Madexcept@GetCpuName$qqrv
@Madexcept@NewException$qqr21Madexcept@TExceptTypep14System@TObjectpvouiuiuip8_CONTEXT55System@%DelphiInterface$t27Madexcept@IMEModuleSettings%23Madexcept@TExceptSourcet2uit3o
@Madtools@initialization$qqrv
@Madzip@Zip$qqr20System@UnicodeStringpx20System@UnicodeStringxix45System@%DynamicArray$t20System@UnicodeString%
@$xp$25Madstacktrace@TStackTrace
RY9x,
Up^']
>J{{{
h!y}>xi
;h1kZ
@Madexcept@GetCrashStackTrace$qqrooop49System@%DynamicArray$t24Madstacktrace@TStackItem%57System@%DelphiInterface$t29Madnvprgralert@IProgressAlert%opuit7pop52System@%DynamicArray$t27System@%AnsiStringT$us$i0$%%
aUo1M
@Madexcept@ISAPIApp_TISAPIApplication_ISAPIHandleException
=w`y<
@Madstacktrace@FastMM_LogStackTrace$qqrpvipcoooo
f*N82!
jolZeXk
JlXPj
3O'fk
m8vl+
4#}gGtc
fx.HJ
@Madlisthardware@GetHardwareList$qqrv
@Madexcept@Esp$qqrv
nvaAR]
Finalize
{ `&[
@Madexcept@Qforms_TApplication_HandleException
IFB3J
vMlNZ
99Vg6
@Madexcept@RegisterExceptionHandler$qqrynpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType22Madexcept@TExceptPhase
@$xp$23Madexcept@TExceptAction
HtzBo;C<
@Madexcept@PutAssisIntoBugReport$qqr55System@%DelphiInterface$t27Madnvassistant@INVAssistant%50System@%DelphiInterface$t22Madexcept@IMEException%
@Madmapfile@initialization$qqrv
@Madnvbitmap@Finalization$qqrv
h8KQGr
B.K0)
@$xp$24Madexcept@TExceptEventOO
$NjPZ6
a0KaI
@Madlistmodules@GetModuleList$qqrv
ZaNt|I,t
@Madexcept@Forms_TApplication_ShowException
}MaI:
@$xp$20Madmapfile@TMfPublic
K&4#d}
NCq7~;1
cdablkpohg
"0J:b
@Madexcept@DontUseProxy
ZLR.\
@Typinfo@initialization$qqrv
,$27\8
^|nl2
y+:P|
I{jME
@Maddumpobj@initialization$qqrv
itz-+
@Madexcept@BcbHelper_GetIntraWebVersion$qqrpv
nX3/&
.idata
@Madlisthardware@initialization$qqrv
1GbQ9
qacTn
@Madexcept@NewAttachments$qqrv
\~pY?
Nz"@G
R({Cv
1$W_~
@Madexcept@IsUserAdmin$qqrv
@Madexcept@BugReportHtml
RWG>_M-
d[wvj
%/sn|
@Madexcept@UnregisterExceptionHandler$qqrpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
mE1;E
}Nks>
{C.K~
@$xp$21Madexcept@IMESettings
|ItkI
]@41U
This program must be run under Win32
@Madexcept@AmOnline$qqro
V|KP&
lNR7E
c;pSa
q+DX:
onZrB
@Madmapfile@TMapFile@FindPublic$qqrpv
h)~/.
Smb_n
%i#fe
@Madstacktrace@PrepareStackTrace$qqruiuiuipvor52System@%DynamicArray$t27Madstacktrace@TPreStackItem%
.:Bj.2Bi
x]wvN
N.?v=
@Varutils@initialization$qqrv
@Madmapfile@LoadMapFile$qqr27System@%AnsiStringT$us$i0$%o
@Madexcept@RegReadStr$qqrui27System@%AnsiStringT$us$i0$%t2
;;%uh
@Sysutils@initialization$qqrv
B-5lr6
^iFO*
^6KSV
fx{mn_
@Madlinkdisasm@Finalization$qqrv
:p;c$
jVTO_
HaDOpG7/
<d~$yh
7S;2(\
@Madexcept@IsThreadSuspended$qqruiui
Z{b{m
@Madexcept@NameThread$qqrui27System@%AnsiStringT$us$i0$%
h<6}t
@$xp$19Madexcept@TMEButton
;ZPc&
@Madmapfile@GetMapFileInfos$qqrpvr27System@%AnsiStringT$us$i0$%t2t2rpvri
UW*;}E
@Madexcept@AutoSaveBugReport$qqr27System@%AnsiStringT$us$i0$%49System@%DelphiInterface$t21Madexcept@IMESettings%
rH=L*
_JoK`u
:cV}c
@Madexcept@FormatExceptMessage$qqr27System@%AnsiStringT$us$i0$%
b7qGP
pH=aHMk
@Madexcept@PauseMeEventually$qqrv
6_(UK
3n>b7
*W1Ws
@$xp$22Madexcept@Madexcept__1
tbCnZ
(a"gydU
#_rwL*E
l,tqq
E8@gR
x-#S(
ImageList_Destroy
Hv\>M
62GSL
#(dCYP
E2'_N
T9Z'j
-~81N
7E,[F
D}ePi
@$xp$22Madnvbitmap@TPngFormat
@Madexcept@GetSystemUpTime$qqrv
|VA]&
@$xp$23Madmapfile@_TMapFile@_3
d}z/;
^}=OCd
1#@mg
VirtualFree
EJj&e
g=JJ_
@Madexcept@PatchInt$qqrpvi
Jah"T
PP&`Ey
bDkns
a?O[%
T@2ky
C|'Jo
@Madexcept@GetThreadInfos$qqruiruit2t2t2riro
]Ok4dJ
: Xmy
@Madexcept@UnregisterExceptionHandler$qqrynpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
)8QYf
=eN[^b
Wdu,0
oaZa\
?z?CU~
H"GIs
!\ 5C
@Madlisthardware@Finalization$qqrv
V\_Y.H
/}p9rWX
@$xp$21Madmapfile@TMfSegment
@$xp$22Madnvassistant@INVForm
@Madexcept@OnExceptBoxDestroy
@Madexcept_@initialization$qqrv
@Madlistmodules@Finalization$qqrv
(#Foc
.aspack
@Madtypes@MadException@$bctr$qqrx20System@UnicodeString
@$xp$29Madstacktrace@TDAPreStackItem
3Ucu>y
1^C%.
Uw 4:
;O\LF
GYdBX
_C;z h
@Madexcept@InstallUnhandledExceptionFilter$qqrv
wsock32.dll
fdpDQ
*pU'!*
W.ml1
@Madexcept@CMadExceptVersionString
eJ^(O
U1#Wfr
dyjWb
{Ng&=
lfQVm
>2B58u
/r{aOm
@Madexcept@PatchJmp$qqrpvt1
madTraceProcess
Q"nE|
%We5l
@Madexcept@HandleScreenshotForm$qqr50System@%DelphiInterface$t22Madnvassistant@INVForm%24Madnvassistant@TNVAction50System@%DelphiInterface$t22Madnvassistant@INVItem%50System@%DelphiInterface$t22Madexcept@IMEException%
Ai&'2keV
@Madexcept@System_runErrMsg
@Madexcept@DefaultBugReportHtml$qqr27System@%AnsiStringT$us$i0$%49System@%DelphiInterface$t21Madexcept@IMESettings%

PE Information

Image Base

0x59800000

Entry Point

0x0005a001

Min OS

5.0

Compile Time

2009-09-15 16:20:46

Import Hash

ff09d2fae397b6d7a0c71974690d55d9

Name	RAW Addr	Virt Addr	Virt Size	Raw Size	Characteristics	Entropy
.text	0x00000400	0x00001000	0x00043000	0x00019a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	8.00
.itext	0x00019e00	0x00044000	0x00001000	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	6.49
.data	0x0001a000	0x00045000	0x00001000	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	6.45
.bss	0x0001a400	0x00046000	0x00001000	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.idata	0x0001a400	0x00047000	0x00006000	0x00001800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.77
.edata	0x0001bc00	0x0004d000	0x00004000	0x00003c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.60
.rdata	0x0001f800	0x00051000	0x00001000	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.61
.reloc	0x0001fa00	0x00052000	0x00004000	0x00002a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.87
.rsrc	0x00022400	0x00056000	0x00004000	0x00003600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.93
.aspack	0x00025a00	0x0005a000	0x00002000	0x00001600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.95
.adata	0x00027000	0x0005c000	0x00001000	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00

Name	Offset	Size	Language	Entropy	Type
MAD	0x000561f0	0x00000014	LANG_NEUTRAL	3.54	None
MAD	0x00056204	0x000031ac	LANG_NEUTRAL	7.98	None
RT_RCDATA	0x000593b0	0x00000044	LANG_NEUTRAL	5.72	None
RT_RCDATA	0x000593f4	0x000000ec	LANG_NEUTRAL	7.00	None
RT_RCDATA	0x000594e0	0x0000009c	LANG_NEUTRAL	6.40	None
RT_RCDATA	0x0005957c	0x00000030	LANG_NEUTRAL	5.16	None

Address	Name
0x5985af5c	GetProcAddress
0x5985af60	GetModuleHandleA
0x5985af64	LoadLibraryA

Address	Name
0x5985b25b	@System@initialization$qqrv
0x5985b2c3	@Sysconst@_SModuleAccessViolation
0x5985b2db	@Typinfo@initialization$qqrv
0x5985b2e3	@Sysutils@initialization$qqrv
0x5985b2eb	@Variants@initialization$qqrv
0x5985b2f3	@Varutils@initialization$qqrv

Address	Name
0x5985b263	CreateWindowExA

Address	Name
0x5985b26b	TextOutA

Address	Name
0x5985b273	SetSecurityDescriptorDacl

Address	Name
0x5985b27b	@Madtypes@MadException@$bctr$qqrx20System@UnicodeString
0x5985b283	@Madstrings@initialization$qqrv
0x5985b293	@Madtools@initialization$qqrv

Address	Name
0x5985b28b	@Maddisasm@initialization$qqrv

Address	Name
0x5985b2ab	ImageList_Destroy

Address	Name
0x5985b2b3	PrintDlgW

Address	Name
0x5985b2bb	ShellExecuteExA
0x5985b2d3	SHGetPathFromIDListA

Address	Name
0x5985b2cb	WSACleanup

Ordinal	Address	Name
213	0x59816910	@$xp$19Madexcept@IMEFields
219	0x598166fc	@$xp$19Madexcept@TMEButton
218	0x5981679c	@$xp$19Madexcept@TMEDupDef
205	0x59816c1c	@$xp$19Madexcept@TSyncType
18	0x59802448	@$xp$19Madmapfile@TMapFile
23	0x598022fc	@$xp$20Madmapfile@TMfPublic
216	0x59816868	@$xp$21Madexcept@IMESettings
212	0x59816944	@$xp$21Madexcept@TExceptType
24	0x598022dc	@$xp$21Madmapfile@TMfSegment
45	0x5980cf78	@$xp$21Madnvbitmap@INVBitmap
208	0x59816be4	@$xp$22Madexcept@IMEException
185	0x59816e14	@$xp$22Madexcept@Madexcept__1
184	0x59816e34	@$xp$22Madexcept@Madexcept__2
210	0x59816b00	@$xp$22Madexcept@TExceptPhase
60	0x5980fc28	@$xp$22Madnvassistant@INVEdit
55	0x5980fd88	@$xp$22Madnvassistant@INVForm
63	0x5980fb80	@$xp$22Madnvassistant@INVItem
46	0x5980cf18	@$xp$22Madnvbitmap@TPngFormat
203	0x59816cc4	@$xp$23Madexcept@TExceptAction
211	0x59816988	@$xp$23Madexcept@TExceptSource
22	0x5980231c	@$xp$23Madmapfile@_TMapFile@_1
21	0x5980234c	@$xp$23Madmapfile@_TMapFile@_2
20	0x5980237c	@$xp$23Madmapfile@_TMapFile@_3
58	0x5980fc9c	@$xp$23Madnvassistant@INVImage
61	0x5980fbf0	@$xp$23Madnvassistant@INVLabel
214	0x598168d8	@$xp$24Madexcept@IMEAttachments
204	0x59816c78	@$xp$24Madexcept@TExceptEventOO
217	0x59816804	@$xp$24Madexcept@TMEShowSetting
62	0x5980fbb8	@$xp$24Madnvassistant@INVButton
56	0x5980fd28	@$xp$24Madnvassistant@TNVAction
40	0x59808500	@$xp$24Madstacktrace@TStackItem
39	0x59808530	@$xp$25Madstacktrace@TStackTrace
59	0x5980fc60	@$xp$26Madnvassistant@INVCheckBox
64	0x5980fb3c	@$xp$26Madnvassistant@TOutputType
215	0x5981689c	@$xp$27Madexcept@IMEModuleSettings
54	0x5980fdc0	@$xp$27Madnvassistant@INVAssistant
36	0x598085fc	@$xp$28Madstacktrace@BcbTermination
57	0x5980fcd4	@$xp$29Madnvassistant@TNVModalResult
28	0x59807550	@$xp$29Madnvprgralert@IProgressAlert
38	0x59808560	@$xp$29Madstacktrace@TDAPreStackItem
209	0x59816b78	@$xp$30Madexcept@TBugReportCallbackOO
202	0x59816da8	@$xp$30Madexcept@TExceptActionEventOO
242	0x598435c0	@GetPackageInfoTable
235	0x598433d4	@Maddumpobj@DumpObj$qqrp14System@TObject
234	0x59843438	@Maddumpobj@Finalization$qqrv
233	0x5984423c	@Maddumpobj@initialization$qqrv
200	0x59845054	@Madexcept@AddCmdLineToBugRep
182	0x59845090	@Madexcept@AmHttpServer
129	0x598267e8	@Madexcept@AmOnline$qqro
121	0x5982ba7c	@Madexcept@AutoSaveBugReport$qqr27System@%AnsiStringT$us$i0$%49System@%DelphiInterface$t21Madexcept@IMESettings%
119	0x5982c850	@Madexcept@AutoSendBugReport$qqr27System@%AnsiStringT$us$i0$%49System@%DelphiInterface$t21Madnvbitmap@INVBitmap%49System@%DelphiInterface$t21Madexcept@IMESettings%
159	0x598450ec	@Madexcept@BcbCallTerminate
164	0x598450d8	@Madexcept@BcbExceptionHandler
151	0x59817ea8	@Madexcept@BcbHelper_GetIntraWebVersion$qqrpv
162	0x598450e0	@Madexcept@BcbInitExceptBlockLDTC
160	0x598450e8	@Madexcept@BcbMemcpy
161	0x598450e4	@Madexcept@BcbOrgMalloc
158	0x598450f0	@Madexcept@BcbPTerminate
163	0x598450dc	@Madexcept@BcbThrowExceptionLDTC
181	0x59845094	@Madexcept@BugReportHtml
171	0x598450bc	@Madexcept@CGIApp_TCGIApplication_CGIHandleException
220	0x59845044	@Madexcept@CMadExceptVersionString
157	0x59816e54	@Madexcept@CalibrateCode$qqrv
183	0x5984508c	@Madexcept@CalibrateData
144	0x5981a598	@Madexcept@CheckExceptParams$qqrrp14System@TObjectrpvt2rp8_CONTEXT
172	0x598450b8	@Madexcept@Classes_CheckSynchronize
140	0x5981f744	@Madexcept@CloseAntiFreeze$qqrv
198	0x5984505c	@Madexcept@CloseAppExitCode
116	0x5982ce44	@Madexcept@CloseApplication$qqrv
96	0x598351cc	@Madexcept@CreateBugReport$qqr21Madexcept@TExceptTypep14System@TObjectpvuiuiuip8_CONTEXTo55System@%DelphiInterface$t27Madexcept@IMEModuleSettings%23Madexcept@TExceptSourcet2uit3
124	0x5982a944	@Madexcept@DecryptPassword$qqr27System@%AnsiStringT$us$i0$%t1t1
115	0x59832e78	@Madexcept@DefaultBugReportHtml$qqr27System@%AnsiStringT$us$i0$%49System@%DelphiInterface$t21Madexcept@IMESettings%
199	0x59845058	@Madexcept@DetectConsole
180	0x59845098	@Madexcept@DisAsmFunc
70	0x5983e05c	@Madexcept@DontHookThreads$qqrv
189	0x59845080	@Madexcept@DontReformatExcMsg
194	0x5984506c	@Madexcept@DontUseProxy
196	0x59845064	@Madexcept@DumbStackTrace
72	0x5983bed0	@Madexcept@Ebp$qqrv
73	0x5983bec8	@Madexcept@Esp$qqrv
147	0x59818ff0	@Madexcept@ExpandVars$qqruir27System@%AnsiStringT$us$i0$%27System@%AnsiStringT$us$i0$%t3t3
145	0x598199b4	@Madexcept@FillClipboard$qqr27System@%AnsiStringT$us$i0$%
66	0x598406fc	@Madexcept@Finalization$qqrv
191	0x59845078	@Madexcept@ForceUtf8
146	0x59819908	@Madexcept@FormatExceptMessage$qqr27System@%AnsiStringT$us$i0$%
179	0x5984509c	@Madexcept@Forms_TApplication_HandleException
178	0x598450a0	@Madexcept@Forms_TApplication_ShowException
86	0x59835c3c	@Madexcept@Get9xResourceReport$qqrv
84	0x59835ed4	@Madexcept@GetAllocatedMemory$qqrv
88	0x598359c8	@Madexcept@GetCpuCount$qqrv
89	0x59835918	@Madexcept@GetCpuName$qqrv
78	0x59839334	@Madexcept@GetCrashStackTrace$qqrooop49System@%DynamicArray$t24Madstacktrace@TStackItem%57System@%DelphiInterface$t29Madnvprgralert@IProgressAlert%opuit7pop52System@%DynamicArray$t27System@%AnsiStringT$us$i0$%%
85	0x59835cf8	@Madexcept@GetDisplayModeString$qqrv
76	0x5983b920	@Madexcept@GetExceptBoxHandle$qqrv
87	0x59835abc	@Madexcept@GetMemoryStatus$qqrv
92	0x59835774	@Madexcept@GetOsLanguageString$qqrv
93	0x598356c4	@Madexcept@GetOsVersionString$qqrv
90	0x59835814	@Madexcept@GetProgramUpTime$qqrv
91	0x598357bc	@Madexcept@GetSystemUpTime$qqrv
94	0x59835344	@Madexcept@GetTSClientName$qqrv
148	0x598189b8	@Madexcept@GetThreadCreatorAddr$qqrui
79	0x5983921c	@Madexcept@GetThreadInfos$qqruiruit2t2t2riro
156	0x59816f58	@Madexcept@GetThreadList$qqrv
149	0x5981898c	@Madexcept@GetThreadName$qqrui
77	0x598394a4	@Madexcept@GetThreadStackTrace$qqruiooop49System@%DynamicArray$t24Madstacktrace@TStackItem%57System@%DelphiInterface$t29Madnvprgralert@IProgressAlert%opuit8pop52System@%DynamicArray$t27System@%AnsiStringT$us$i0$%%
136	0x5981f9b8	@Madexcept@HandleContactForm$qqr50System@%DelphiInterface$t22Madnvassistant@INVForm%24Madnvassistant@TNVAction50System@%DelphiInterface$t22Madnvassistant@INVItem%50System@%DelphiInterface$t22Madexcept@IMEException%
114	0x598344f4	@Madexcept@HandleException$qqr21Madexcept@TExceptTypep14System@TObjectpvouiuip8_CONTEXT23Madexcept@TExceptSourcet2uip27System@%AnsiStringT$us$i0$%
135	0x5981ff1c	@Madexcept@HandleScreenshotForm$qqr50System@%DelphiInterface$t22Madnvassistant@INVForm%24Madnvassistant@TNVAction50System@%DelphiInterface$t22Madnvassistant@INVItem%50System@%DelphiInterface$t22Madexcept@IMEException%
190	0x5984507c	@Madexcept@HiddenAutoMailing
71	0x5983e008	@Madexcept@HookThreads$qqrv
169	0x598450c4	@Madexcept@HttpExtensionProcNext
123	0x5982a9d4	@Madexcept@HttpUpload$qqr27System@%AnsiStringT$us$i0$%52System@%DelphiInterface$t24Madexcept@IMEAttachments%47System@%DelphiInterface$t19Madexcept@IMEFields%t1t1uit1uioo49System@%DelphiInterface$t21Madexcept@IMESettings%
195	0x59845068	@Madexcept@HttpUploadTimeout
68	0x5983e5ac	@Madexcept@HyperJumpCallstack$qqr27System@%AnsiStringT$us$i0$%
170	0x598450c0	@Madexcept@ISAPIApp_TISAPIApplication_ISAPIHandleException
138	0x5981f848	@Madexcept@ImNotFrozen$qqrv
141	0x5981f6b4	@Madexcept@InitAntiFreeze$qqrv
67	0x5983e818	@Madexcept@InstallUnhandledExceptionFilter$qqrv
80	0x598391ec	@Madexcept@IsThreadSuspended$qqruiui
95	0x59835284	@Madexcept@IsUserAdmin$qqrv
133	0x59824adc	@Madexcept@MESettings$qqrpv
134	0x59824a18	@Madexcept@MESettings$qqrui
132	0x59824bfc	@Madexcept@MESettings$qqrv
126	0x59827cb0	@Madexcept@MxLookup$qqr27System@%AnsiStringT$us$i0$%
150	0x598185ac	@Madexcept@NameThread$qqrui27System@%AnsiStringT$us$i0$%
130	0x59825d10	@Madexcept@NewAttachments$qqrv
74	0x5983baf4	@Madexcept@NewException$qqr21Madexcept@TExceptTypep14System@TObjectpvouiuiuip8_CONTEXT55System@%DelphiInterface$t27Madexcept@IMEModuleSettings%23Madexcept@TExceptSourcet2uit3o
131	0x59825628	@Madexcept@NewFields$qqrv
192	0x59845074	@Madexcept@NoOnlineCheck
207	0x59845048	@Madexcept@OnExceptBoxCreate
206	0x5984504c	@Madexcept@OnExceptBoxDestroy
155	0x598172e0	@Madexcept@OpenThread$qqruiui
82	0x59836300	@Madexcept@PatchInt$qqrpvi
83	0x598362b0	@Madexcept@PatchJmp$qqrpvt1
139	0x5981f7c4	@Madexcept@PauseFreezeCheck$qqro
81	0x59836314	@Madexcept@PauseMadExcept$qqro
142	0x5981f404	@Madexcept@PauseMeEventually$qqrv
186	0x5984603c	@Madexcept@Plugins
118	0x5982c8f0	@Madexcept@PrintBugReport$qqr27System@%AnsiStringT$us$i0$%ui49System@%DelphiInterface$t21Madexcept@IMESettings%
201	0x59845050	@Madexcept@ProcessMainThreadId
193	0x59845070	@Madexcept@ProxyServer
143	0x5981e7cc	@Madexcept@PutAssisIntoBugReport$qqr55System@%DelphiInterface$t27Madnvassistant@INVAssistant%50System@%DelphiInterface$t22Madexcept@IMEException%
177	0x598450a4	@Madexcept@Qforms_TApplication_HandleException
176	0x598450a8	@Madexcept@Qforms_TApplication_ShowException
152	0x59817da4	@Madexcept@RegDelVal$qqrui27System@%AnsiStringT$us$i0$%t2
154	0x59817bc0	@Madexcept@RegReadStr$qqrui27System@%AnsiStringT$us$i0$%t2
153	0x59817cd0	@Madexcept@RegWriteStr$qqrui27System@%AnsiStringT$us$i0$%t2t2
100	0x59834e8c	@Madexcept@RegisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%t1pqqrv$20System@UnicodeStringo
101	0x59834dc8	@Madexcept@RegisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%t1pqqrv$27System@%AnsiStringT$us$i0$%o
98	0x59835014	@Madexcept@RegisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%t1pqqrx50System@%DelphiInterface$t22Madexcept@IMEException%$20System@UnicodeStringo
99	0x59834f50	@Madexcept@RegisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%t1pqqrx50System@%DelphiInterface$t22Madexcept@IMEException%$27System@%AnsiStringT$us$i0$%o
109	0x59834c74	@Madexcept@RegisterExceptActionHandler$qqrpqqr23Madexcept@TExceptActionx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType
108	0x59834c84	@Madexcept@RegisterExceptActionHandler$qqrynpqqr23Madexcept@TExceptActionx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType
113	0x59834c24	@Madexcept@RegisterExceptionHandler$qqrpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType22Madexcept@TExceptPhase
112	0x59834c34	@Madexcept@RegisterExceptionHandler$qqrynpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType22Madexcept@TExceptPhase
105	0x59834cc4	@Madexcept@RegisterHiddenExceptionHandler$qqrpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType
104	0x59834cd4	@Madexcept@RegisterHiddenExceptionHandler$qqrynpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v19Madexcept@TSyncType
197	0x59845060	@Madexcept@ResetFpuMode
117	0x5982ccf4	@Madexcept@RestartApplication$qqrv
122	0x5982b9fc	@Madexcept@SaveBugReport$qqr27System@%AnsiStringT$us$i0$%ui49System@%DelphiInterface$t21Madexcept@IMESettings%
120	0x5982c7ac	@Madexcept@SendBugReport$qqr27System@%AnsiStringT$us$i0$%49System@%DelphiInterface$t21Madnvbitmap@INVBitmap%ui49System@%DelphiInterface$t21Madexcept@IMESettings%
128	0x59826d0c	@Madexcept@SendMapiMail$qqr27System@%AnsiStringT$us$i0$%t1t152System@%DelphiInterface$t24Madexcept@IMEAttachments%uioo49System@%DelphiInterface$t21Madexcept@IMESettings%
127	0x59826f74	@Madexcept@SendShellMail$qqr27System@%AnsiStringT$us$i0$%t1t1
125	0x5982a7f0	@Madexcept@SendSmtpMail$qqr27System@%AnsiStringT$us$i0$%t1t1t152System@%DelphiInterface$t24Madexcept@IMEAttachments%t1t1t1uiuioo49System@%DelphiInterface$t21Madexcept@IMESettings%
137	0x5981f868	@Madexcept@SetFreezeTimeout$qqrui
75	0x5983b938	@Madexcept@SetTopmost$qqruio
187	0x59845088	@Madexcept@ShowBugReportKey
188	0x59845084	@Madexcept@SmtpMailFrom
173	0x598450b4	@Madexcept@SysUtils_InitializePackage
174	0x598450b0	@Madexcept@SysUtils_LoadPackage
175	0x598450ac	@Madexcept@SysUtils_ShowException
166	0x598450d0	@Madexcept@System_ExceptionHandler
167	0x598450cc	@Madexcept@System_FinalizeUnits
168	0x598450c8	@Madexcept@System_InitUnits
165	0x598450d4	@Madexcept@System_runErrMsg
97	0x598350d8	@Madexcept@UnregisterBugReportPlugin$qqr27System@%AnsiStringT$us$i0$%
107	0x59834ca0	@Madexcept@UnregisterExceptActionHandler$qqrpqqr23Madexcept@TExceptActionx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
106	0x59834cac	@Madexcept@UnregisterExceptActionHandler$qqrynpqqr23Madexcept@TExceptActionx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
111	0x59834c50	@Madexcept@UnregisterExceptionHandler$qqrpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
110	0x59834c5c	@Madexcept@UnregisterExceptionHandler$qqrynpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
103	0x59834cf0	@Madexcept@UnregisterHiddenExceptionHandler$qqrpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
102	0x59834cfc	@Madexcept@UnregisterHiddenExceptionHandler$qqrynpqqrx50System@%DelphiInterface$t22Madexcept@IMEException%ro$v
65	0x5984409c	@Madexcept@initialization$qqrv
69	0x5983e2f0	@Madexcept@madTraceProcess$qqsi
239	0x598435c0	@Madexcept_@@GetPackageInfoTable$qqrv
238	0x598435c8	@Madexcept_@@PackageLoad$qqrv
237	0x598435d4	@Madexcept_@@PackageUnload$qqrv
236	0x59844244	@Madexcept_@initialization$qqrv
223	0x59840828	@Madlinkdisasm@Finalization$qqrv
222	0x598440ec	@Madlinkdisasm@initialization$qqrv
231	0x5984295c	@Madlisthardware@Finalization$qqrv
232	0x598426c8	@Madlisthardware@GetHardwareList$qqrv
230	0x598441bc	@Madlisthardware@initialization$qqrv
225	0x59840cec	@Madlistmodules@Finalization$qqrv
226	0x598408a8	@Madlistmodules@GetModuleList$qqrv
224	0x59844104	@Madlistmodules@initialization$qqrv
228	0x59841aac	@Madlistprocesses@Finalization$qqrv
229	0x59841690	@Madlistprocesses@GetProcessList$qqrv
227	0x5984415c	@Madlistprocesses@initialization$qqrv
17	0x59845030	@Madmapfile@CMapFileStreamDescriptor
2	0x59807504	@Madmapfile@Finalization$qqrv
7	0x59806e18	@Madmapfile@FindMapFile$qqrpv
4	0x59807048	@Madmapfile@GetMapFileInfos$qqrpvr27System@%AnsiStringT$us$i0$%t2t2rpvri
3	0x59807158	@Madmapfile@GetMyProcName$qqro
6	0x59806f90	@Madmapfile@LoadMapFile$qqr27System@%AnsiStringT$us$i0$%o
5	0x59806fec	@Madmapfile@LoadMapFileEx$qqr27System@%AnsiStringT$us$i0$%o
19	0x59802400	@Madmapfile@TMapFile@
16	0x59805c48	@Madmapfile@TMapFile@$bctr$qqro27System@%AnsiStringT$us$i0$%uioo
8	0x598068fc	@Madmapfile@TMapFile@Export$qqrooo
10	0x59806358	@Madmapfile@TMapFile@FindLine$qqrpv
9	0x59806364	@Madmapfile@TMapFile@FindLine$qqrpvrpv
11	0x5980631c	@Madmapfile@TMapFile@FindPublic$qqri
12	0x598060c4	@Madmapfile@TMapFile@FindPublic$qqro27System@%AnsiStringT$us$i0$%t2o
13	0x59805fcc	@Madmapfile@TMapFile@FindPublic$qqrpv
14	0x59805f90	@Madmapfile@TMapFile@FindSegment$qqri
15	0x59805e7c	@Madmapfile@TMapFile@FindSegment$qqropv
1	0x59844034	@Madmapfile@initialization$qqrv
50	0x59816408	@Madnvassistant@CreateAssistant$qqr27System@%AnsiStringT$us$i0$%px27System@%AnsiStringT$us$i0$%xi45System@%DelphiInterface$t17System@IInterface%
48	0x59816610	@Madnvassistant@Finalization$qqrv
52	0x5984503c	@Madnvassistant@HandleContactFormProc
51	0x59845040	@Madnvassistant@HandleScreenshotFormProc
49	0x598164a0	@Madnvassistant@LoadAssistant$qqrui27System@%AnsiStringT$us$i0$%px27System@%AnsiStringT$us$i0$%xi45System@%DelphiInterface$t17System@IInterface%
53	0x59845038	@Madnvassistant@OnAssistantCreate
47	0x59844094	@Madnvassistant@initialization$qqrv
42	0x5980fb08	@Madnvbitmap@Finalization$qqrv
44	0x5980f954	@Madnvbitmap@LoadBitmap$qqr27System@%AnsiStringT$us$i0$%
43	0x5980fa50	@Madnvbitmap@ScreenShot$qqro
41	0x5984408c	@Madnvbitmap@initialization$qqrv
26	0x598084cc	@Madnvprgralert@Finalization$qqrv
27	0x59808450	@Madnvprgralert@NewProgressAlert$qqr27System@%AnsiStringT$us$i0$%uit1
25	0x5984407c	@Madnvprgralert@initialization$qqrv
37	0x598085e8	@Madstacktrace@BcbTermination@
32	0x5980c914	@Madstacktrace@FastMM_LogStackTrace$qqrpvipcoooo
30	0x5980cec4	@Madstacktrace@Finalization$qqrv
34	0x598095cc	@Madstacktrace@InternalError$qqr27System@%AnsiStringT$us$i0$%oo
31	0x5980cdd8	@Madstacktrace@PrepareStackTrace$qqruiuiuipvor52System@%DynamicArray$t27Madstacktrace@TPreStackItem%
35	0x59809308	@Madstacktrace@StackAddrToStr$qqrpvoo
33	0x5980c2a8	@Madstacktrace@StackTrace$qqrooop49System@%DynamicArray$t24Madstacktrace@TStackItem%pvoouiuit5ppvtbtb57System@%DelphiInterface$t29Madnvprgralert@IProgressAlert%uioot5popuitktjp52System@%DynamicArray$t27System@%AnsiStringT$us$i0$%%o
29	0x59844084	@Madstacktrace@initialization$qqrv
240	0x598435d4	Finalize
241	0x598435c8	Initialize
221	0x5983e2f0	madTraceProcess

Processing 12.87s

6.788s Suricata
4.903s NetworkAnalysis
1.155s CAPE
0.015s AnalysisInfo
0.011s BehaviorAnalysis
0.001s Debug

Signatures 0.07s

0.014s network_cnc_http
0.006s ransomware_files
0.005s network_http
0.005s antiav_detectreg
0.004s antiav_detectfile
0.004s ransomware_extensions_known
0.003s infostealer_ftp
0.002s antianalysis_detectfile
0.002s antivm_vbox_files
0.002s infostealer_bitcoin
0.002s infostealer_im
0.002s infostealer_mail
0.002s masquerade_process_name
0.002s territorial_disputes_sigs
0.001s antianalysis_detectreg
0.001s antidebug_devices
0.001s antivm_vbox_keys
0.001s antivm_vmware_files
0.001s geodo_banking_trojan
0.001s browser_security
0.001s disables_backups
0.001s disables_browser_warn
0.001s disables_power_options
0.001s azorult_mutexes
0.001s echelon_files
0.001s poullight_files
0.001s qulab_files
0.001s revil_mutexes
0.001s ursnif_behavior

Reporting 0.00s

0.001s JsonDump

Signatures

Network activity detected but not expressed in monitor API logs

ip: 72.154.7.102

ip: 72.154.7.97

ip: 72.154.7.109

ip: 72.154.7.16

ip: 135.232.92.97

ip: 176.99.136.153

HTTP traffic contains suspicious features which may be indicative of malware related traffic

ip_hostname: HTTP connection was made to an IP address rather than domain name

suspicious_request: http://176.99.136.153/filestreamingservice/files/080ef4a0-be38-451d-bc0c-6f002879786f?P1=1772675240&P2=404&P3=2&P4=XulOwRGtMZzcNKQGALMkMyn4znaN%2bw51OI%2bu68BMlQC68jblctprOUDXdVXREvmHnKMSEyyKhlEqi0s4sVMbYw%3d%3d&cacheHostOrigin=4.tlu.dl.delivery.mp.microsoft.com

suspicious_request: http://176.99.136.153/filestreamingservice/files/04321851-7dec-4cfd-8c57-da0b4ae64040?P1=1772667035&P2=404&P3=2&P4=Dxm0MQ0r8wJBywFPdaaix9tzgCbtb6TMyf15OeUQLxdKnb0skxr4k68jPjJjUkyljucNAWn7tAjopIgFHNemjA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

suspicious_request: http://176.99.136.153/filestreamingservice/files/04321851-7dec-4cfd-8c57-da0b4ae64040?P1=1772670962&P2=404&P3=2&P4=F2UM84gXZLFVtCfpoZmD50l%2bXu1tJPvEHpNo4EgEz0HwXsMbr8c7hQLQTZprkuOGmc48yIoGGdoMBNrYzK%2f0Tw%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

suspicious_request: http://176.99.136.153/filestreamingservice/files/27ca12bc-f81d-45ff-95d0-12ad79f15735/pieceshash?cacheHostOrigin=dl.delivery.mp.microsoft.com

suspicious_request: http://176.99.136.153/filestreamingservice/files/27ca12bc-f81d-45ff-95d0-12ad79f15735?P1=1772666602&P2=404&P3=2&P4=eS7Qqh1d9sSObVw%2flrorCBtugsthhvXWViejdDtr%2fbOFcNjSS3ocHC71%2btMwa7bI%2bhBJHKPJMAAFm1I%2bUQ4PQA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

suspicious_request: http://176.99.136.153/filestreamingservice/files/2a0007f4-9769-4709-9244-a28f54f70828/pieceshash?cacheHostOrigin=dl.delivery.mp.microsoft.com

suspicious_request: http://176.99.136.153/filestreamingservice/files/2a0007f4-9769-4709-9244-a28f54f70828?P1=1772666612&P2=404&P3=2&P4=HB9aBsWjI8oT4EdcW8r5scELI1nXINxriza63jAkCkhmEW5RMuIfExHxfYu902Xmkus%2fqNy4NG%2fYzvZu25DYjA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

suspicious_request: http://176.99.136.153/filestreamingservice/files/3b144c99-73bc-4238-bac7-a9eae26ac9ad?P1=1772667279&P2=404&P3=2&P4=jIQwoh6qn9oGHl6MytQ96iNQ%2fP9klFDj7gGNTyKq8NTxFFGuPW4MMsqlzl1M9jZLhQXKHkc%2bouzM82UWCWdEhA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

suspicious_request: http://176.99.136.153/filestreamingservice/files/fe0cb85d-cd38-42c1-8fb5-7c913a9185ab?P1=1772667357&P2=404&P3=2&P4=luIrOy9BZwJWKiWqiAroXwvIL%2fBrxzVm7cVAl467AVaOS0fDXPF20uKWpU7VqIRrPel7tgm0QVEUUWuv8okfdw%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

Performs some HTTP requests

url: http://176.99.136.153/filestreamingservice/files/080ef4a0-be38-451d-bc0c-6f002879786f?P1=1772675240&P2=404&P3=2&P4=XulOwRGtMZzcNKQGALMkMyn4znaN%2bw51OI%2bu68BMlQC68jblctprOUDXdVXREvmHnKMSEyyKhlEqi0s4sVMbYw%3d%3d&cacheHostOrigin=4.tlu.dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/04321851-7dec-4cfd-8c57-da0b4ae64040?P1=1772667035&P2=404&P3=2&P4=Dxm0MQ0r8wJBywFPdaaix9tzgCbtb6TMyf15OeUQLxdKnb0skxr4k68jPjJjUkyljucNAWn7tAjopIgFHNemjA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/04321851-7dec-4cfd-8c57-da0b4ae64040?P1=1772670962&P2=404&P3=2&P4=F2UM84gXZLFVtCfpoZmD50l%2bXu1tJPvEHpNo4EgEz0HwXsMbr8c7hQLQTZprkuOGmc48yIoGGdoMBNrYzK%2f0Tw%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/27ca12bc-f81d-45ff-95d0-12ad79f15735/pieceshash?cacheHostOrigin=dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/27ca12bc-f81d-45ff-95d0-12ad79f15735?P1=1772666602&P2=404&P3=2&P4=eS7Qqh1d9sSObVw%2flrorCBtugsthhvXWViejdDtr%2fbOFcNjSS3ocHC71%2btMwa7bI%2bhBJHKPJMAAFm1I%2bUQ4PQA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/2a0007f4-9769-4709-9244-a28f54f70828/pieceshash?cacheHostOrigin=dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/2a0007f4-9769-4709-9244-a28f54f70828?P1=1772666612&P2=404&P3=2&P4=HB9aBsWjI8oT4EdcW8r5scELI1nXINxriza63jAkCkhmEW5RMuIfExHxfYu902Xmkus%2fqNy4NG%2fYzvZu25DYjA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/3b144c99-73bc-4238-bac7-a9eae26ac9ad?P1=1772667279&P2=404&P3=2&P4=jIQwoh6qn9oGHl6MytQ96iNQ%2fP9klFDj7gGNTyKq8NTxFFGuPW4MMsqlzl1M9jZLhQXKHkc%2bouzM82UWCWdEhA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/fe0cb85d-cd38-42c1-8fb5-7c913a9185ab?P1=1772667357&P2=404&P3=2&P4=luIrOy9BZwJWKiWqiAroXwvIL%2fBrxzVm7cVAl467AVaOS0fDXPF20uKWpU7VqIRrPel7tgm0QVEUUWuv8okfdw%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

The binary contains an unknown PE section name indicative of packing

unknown section: {'name': '.itext', 'raw_address': '0x00019e00', 'virtual_address': '0x00044000', 'virtual_size': '0x00001000', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '6.49'}

unknown section: {'name': '.adata', 'raw_address': '0x00027000', 'virtual_address': '0x0005c000', 'virtual_size': '0x00001000', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.00'}

The binary likely contains encrypted or compressed data

section: {'name': '.text', 'raw_address': '0x00000400', 'virtual_address': '0x00001000', 'virtual_size': '0x00043000', 'size_of_data': '0x00019a00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '8.00'}

section: {'name': '.idata', 'raw_address': '0x0001a400', 'virtual_address': '0x00047000', 'virtual_size': '0x00006000', 'size_of_data': '0x00001800', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '7.77'}

section: {'name': '.reloc', 'raw_address': '0x0001fa00', 'virtual_address': '0x00052000', 'virtual_size': '0x00004000', 'size_of_data': '0x00002a00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '7.87'}

section: {'name': '.rsrc', 'raw_address': '0x00022400', 'virtual_address': '0x00056000', 'virtual_size': '0x00004000', 'size_of_data': '0x00003600', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '7.93'}

Binary file triggered multiple YARA rules

Binary triggered YARA rule: INDICATOR_EXE_Packed_ASPack

Binary triggered YARA rule: suspicious_packer_section

Binary triggered YARA rule: ASPackv212AlexeySolodovnikov

Binary triggered YARA rule: ASProtectV2XDLLAlexeySolodovnikov

Binary triggered YARA rule: IsPE32

Binary triggered YARA rule: IsDLL

Binary triggered YARA rule: IsWindowsGUI

Binary triggered YARA rule: IsPacked

Binary triggered YARA rule: ASPack_v212_additional

Binary triggered YARA rule: ASPack_v21_additional

Binary triggered YARA rule: ASProtect_V2X_DLL_Alexey_Solodovnikov

Binary triggered YARA rule: ASPack_v212

Binary triggered YARA rule: yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h

Binary triggered YARA rule: ASPack_v211d

Binary triggered YARA rule: ASProtect_V2X_DLL_Alexey_Solodovnikov_additional

Binary triggered YARA rule: ASPack_212withouth_Poly_Solodovnikov_Alexey

Binary triggered YARA rule: ASPack_v212_Alexey_Solodovnikov

Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext

url: http://176.99.136.153/filestreamingservice/files/27ca12bc-f81d-45ff-95d0-12ad79f15735/pieceshash?cacheHostOrigin=dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/2a0007f4-9769-4709-9244-a28f54f70828/pieceshash?cacheHostOrigin=dl.delivery.mp.microsoft.com

Anomalous binary characteristics

anomaly: Entrypoint of binary points to a non-executable code section

anomaly: Actual checksum does not match that reported in PE header

Screenshots

Hosts

Direct	IP	Country Name
Y	72.154.7.102 [VT]	unknown
Y	72.154.7.97 [VT]	unknown
Y	72.154.7.109 [VT]	unknown
Y	72.154.7.16 [VT]	unknown
Y	135.232.92.97 [VT]	unknown
Y	176.99.136.153 [VT]	unknown

Summary

Accessed Files Registry Keys Read Registry Keys

C:\Users\cape\AppData\Local\Temp\sample.dll.manifest
C:\Users\cape\AppData\Local\Temp\sample.dll
C:\Users\cape\AppData\Local\Temp\sample.dll.123.Manifest
C:\Users\cape\AppData\Local\Temp\sample.dll.124.Manifest
C:\Users\cape\AppData\Local\Temp\sample.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\KERNELBASE.dll.mui
C:\Windows\System32\ru-RU\KERNELBASE.dll.mui
C:\Windows\sysnative\ru-RU\KERNELBASE.dll.mui
C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\rundll32.exe.mui

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest

No results found.

No behavioral analysis data available.

Sorry! No strace.

Sorry! No tracee.

Hosts (0)
DNS (0)

Hosts

No hosts contacted.

TCP Connections

No TCP connections recorded.

UDP Connections

No UDP connections recorded.

DNS Requests

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP Traffic

No SMTP traffic performed.

IRC Traffic

No IRC requests performed.

ICMP Traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

No dropped files found.

Sorry! No process dumps.

Analysis Details

Analysis Log

Process Log

Pre-Script Log

During-Script Log

Machine Information

File Details

File Information

VirusTotal (0/76)

Strings

PE Information

Sections

Resources

Imports

kernel32

rtl120

user32

gdi32

advapi32

madbasic_

maddisasm_

comctl32

comdlg32

shell32

wsock32

Exports

Statistics 12.94s

Signatures

Screenshots

Hosts

Summary

Hosts

TCP Connections

UDP Connections

DNS Requests

HTTP Requests

SMTP Traffic

IRC Traffic

ICMP Traffic

CIF Results

Suricata Alerts

Suricata TLS

Suricata HTTP