Malicious
Classifications
Spyware
Threat Names
Trojan.GenericKDZ.76753 Gen:Variant.Mikey.113998
Dynamic Analysis Report
Created on 2021-09-28T10:38:00
2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862.exe.dll
Windows DLL (x86-64)
Remarks (2/3)
(0x02000009): DLL files normally need to be submitted with an appropriate loader. Analysis result may be incomplete if an appropriate loader was not submitted.
(0x0200000E): The overall sleep time of all monitored processes was truncated from "3 hours, 36 minutes, 24 seconds" to "8 minutes, 30 seconds" to reveal dormant functionality.
(0x0200003A): A task was rescheduled ahead of time to reveal dormant functionality.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
| Filters: |
There are no files for this filter
There are no files in this analysis
| File Name | Category | Type | Verdict | Actions |
|---|
| C:\Users\kEecfMwgj\Desktop\2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862.exe.dll | Sample File | Binary |
malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 1.18 MB |
| MD5 |
94f8317b419e9476120b14a29d9b05d2
|
| SHA1 |
f2b03dd4441f3808468bdbb8b26273cfb41b5298
|
| SHA256 |
2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862
|
| SSDeep |
12288:+VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:jfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
|
| ImpHash |
6668be91e2c948b183827f040944057f
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Trojan.GenericKDZ.76753 |
malicious
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x140041070 |
| Size Of Code | 0x41000 |
| Size Of Initialized Data | 0xec000 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_cui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2020-02-20 08:35:24+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporati |
| FileDescription | Background Intellig |
| FileVersion | 7.5.7600.16385 (win7_rtm.090713- |
| InternalName | bitsp |
| LegalCopyright | © Microsoft Corporation. All rights reserv |
| OriginalFilename | kbdy |
| ProductName | Microsoft® Windows® Operating S |
| ProductVersion | 6.1.7600 |
Sections (39)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x140001000 | 0x40796 | 0x41000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.73 |
| .rdata | 0x140042000 | 0x64fcb | 0x65000 | 0x42000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.87 |
| .data | 0x1400a7000 | 0x178b8 | 0x18000 | 0xa7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.32 |
| .pdata | 0x1400bf000 | 0x12c | 0x1000 | 0xbf000 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.58 |
| .rsrc | 0x1400c0000 | 0x880 | 0x1000 | 0xc0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.24 |
| .reloc | 0x1400c1000 | 0x2324 | 0x3000 | 0xc1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.65 |
| .qkm | 0x1400c4000 | 0x74a | 0x1000 | 0xc4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .cvjb | 0x1400c5000 | 0x1e66 | 0x2000 | 0xc5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlmkv | 0x1400c7000 | 0xbde | 0x1000 | 0xc7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wucsxe | 0x1400c8000 | 0x45174 | 0x46000 | 0xc8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wnx | 0x14010e000 | 0x8fe | 0x1000 | 0x10e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .weqy | 0x14010f000 | 0x8fe | 0x1000 | 0x10f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yby | 0x140110000 | 0x1278 | 0x2000 | 0x110000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ormx | 0x140112000 | 0xbde | 0x1000 | 0x112000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .dhclu | 0x140113000 | 0x23b | 0x1000 | 0x113000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xmiul | 0x140114000 | 0x23b | 0x1000 | 0x114000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlwcxe | 0x140115000 | 0x13e | 0x1000 | 0x115000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .get | 0x140116000 | 0xbde | 0x1000 | 0x116000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .hzrd | 0x140117000 | 0x1124 | 0x2000 | 0x117000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .qzu | 0x140119000 | 0x736 | 0x1000 | 0x119000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nhglos | 0x14011a000 | 0x1af | 0x1000 | 0x11a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .itzo | 0x14011b000 | 0x23b | 0x1000 | 0x11b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nmsaom | 0x14011c000 | 0x23b | 0x1000 | 0x11c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rvhi | 0x14011d000 | 0x1af | 0x1000 | 0x11d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ucrzce | 0x14011e000 | 0x389 | 0x1000 | 0x11e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ijc | 0x14011f000 | 0xbf6 | 0x1000 | 0x11f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ohvs | 0x140120000 | 0x13e | 0x1000 | 0x120000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rlvrc | 0x140121000 | 0x1ee | 0x1000 | 0x121000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yjv | 0x140122000 | 0xbde | 0x1000 | 0x122000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .clbcyy | 0x140123000 | 0x13e | 0x1000 | 0x123000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xcyn | 0x140124000 | 0x8fe | 0x1000 | 0x124000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .boqx | 0x140125000 | 0x389 | 0x1000 | 0x125000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rnlia | 0x140126000 | 0x389 | 0x1000 | 0x126000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ctip | 0x140127000 | 0x5a7 | 0x1000 | 0x127000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fkv | 0x140128000 | 0x1124 | 0x2000 | 0x128000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .pczrv | 0x14012a000 | 0x23b | 0x1000 | 0x12a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ibglr | 0x14012b000 | 0x3fe | 0x1000 | 0x12b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .uirkq | 0x14012c000 | 0x3ba | 0x1000 | 0x12c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xmo | 0x14012d000 | 0x1af | 0x1000 | 0x12d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.88 |
Imports (7)
»
USER32.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| LookupIconIdFromDirectoryEx | - | 0x140042098 | 0xa64c8 | 0xa64c8 | 0x205 |
| WaitForInputIdle | - | 0x1400420a0 | 0xa64d0 | 0xa64d0 | 0x32e |
| GetParent | - | 0x1400420a8 | 0xa64d8 | 0xa64d8 | 0x166 |
| GetFocus | - | 0x1400420b0 | 0xa64e0 | 0xa64e0 | 0x12e |
SETUPAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CM_Get_Resource_Conflict_DetailsW | - | 0x140042078 | 0xa64a8 | 0xa64a8 | 0x8a |
KERNEL32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DeleteCriticalSection | - | 0x140042038 | 0xa6468 | 0xa6468 | 0xd2 |
| DeleteTimerQueue | - | 0x140042040 | 0xa6470 | 0xa6470 | 0xd9 |
| TerminateJobObject | - | 0x140042048 | 0xa6478 | 0xa6478 | 0x4cd |
| GetFileInformationByHandle | - | 0x140042050 | 0xa6480 | 0xa6480 | 0x1f3 |
| GetThreadLocale | - | 0x140042058 | 0xa6488 | 0xa6488 | 0x293 |
| GetNamedPipeServerProcessId | - | 0x140042060 | 0xa6490 | 0xa6490 | 0x229 |
| GetConsoleFontSize | - | 0x140042068 | 0xa6498 | 0xa6498 | 0x1aa |
GDI32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateBitmapIndirect | - | 0x140042020 | 0xa6450 | 0xa6450 | 0x2b |
| GetPolyFillMode | - | 0x140042028 | 0xa6458 | 0xa6458 | 0x206 |
CRYPT32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CertGetCTLContextProperty | - | 0x140042010 | 0xa6440 | 0xa6440 | 0x44 |
ADVAPI32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AddAccessDeniedObjectAce | - | 0x140042000 | 0xa6430 | 0xa6430 | 0x15 |
SHLWAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ChrCmpIW | - | 0x140042088 | 0xa64b8 | 0xa64b8 | 0xa |
Exports (10)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| DisplaySYSDMCPL | 0x186ec | 0x1 |
| EditEnvironmentVariables | 0x14580 | 0x2 |
| EditUserProfiles | 0x1768 | 0x3 |
| EnableExecuteProtectionSupportW | 0x37da0 | 0x4 |
| ModifyExecuteProtectionSupportW | 0x30704 | 0x5 |
| NoExecuteAddFileOptOutList | 0x2a1c0 | 0x6 |
| NoExecuteAddFileOptOutListW | 0x35ddc | 0x7 |
| NoExecuteProcessExceptionW | 0x164c4 | 0x8 |
| NoExecuteRemoveFileOptOutList | 0x15998 | 0x9 |
| NoExecuteRemoveFileOptOutListW | 0x1a104 | 0xa |
| C:\Users\kEecfMwgj\AppData\Local\j6EpPJ\OLEACC.dll | Dropped File | Binary |
malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 1.18 MB |
| MD5 |
1786d6d4a4a15f5c7cc7788aa6e8043d
|
| SHA1 |
1a7d9bdd0f67da5e1d7af4b4226499dc9a2e1914
|
| SHA256 |
8a2cc9a59220bfafa0ab618dc08f3760f516f0697fc24ad4a5d1f00eba4b01f9
|
| SSDeep |
12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
|
| ImpHash |
6668be91e2c948b183827f040944057f
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Trojan.GenericKDZ.76753 |
malicious
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x140041070 |
| Size Of Code | 0x41000 |
| Size Of Initialized Data | 0xed000 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_cui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2020-02-20 08:35:24+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporati |
| FileDescription | Background Intellig |
| FileVersion | 7.5.7600.16385 (win7_rtm.090713- |
| InternalName | bitsp |
| LegalCopyright | © Microsoft Corporation. All rights reserv |
| OriginalFilename | kbdy |
| ProductName | Microsoft® Windows® Operating S |
| ProductVersion | 6.1.7600 |
Sections (40)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x140001000 | 0x40796 | 0x41000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.73 |
| .rdata | 0x140042000 | 0x64fcb | 0x65000 | 0x42000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.87 |
| .data | 0x1400a7000 | 0x178b8 | 0x18000 | 0xa7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.32 |
| .pdata | 0x1400bf000 | 0x12c | 0x1000 | 0xbf000 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.58 |
| .rsrc | 0x1400c0000 | 0x880 | 0x1000 | 0xc0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.24 |
| .reloc | 0x1400c1000 | 0x2324 | 0x3000 | 0xc1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.65 |
| .qkm | 0x1400c4000 | 0x74a | 0x1000 | 0xc4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .cvjb | 0x1400c5000 | 0x1e66 | 0x2000 | 0xc5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlmkv | 0x1400c7000 | 0xbde | 0x1000 | 0xc7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wucsxe | 0x1400c8000 | 0x45174 | 0x46000 | 0xc8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wnx | 0x14010e000 | 0x8fe | 0x1000 | 0x10e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .weqy | 0x14010f000 | 0x8fe | 0x1000 | 0x10f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yby | 0x140110000 | 0x1278 | 0x2000 | 0x110000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ormx | 0x140112000 | 0xbde | 0x1000 | 0x112000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .dhclu | 0x140113000 | 0x23b | 0x1000 | 0x113000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xmiul | 0x140114000 | 0x23b | 0x1000 | 0x114000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlwcxe | 0x140115000 | 0x13e | 0x1000 | 0x115000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .get | 0x140116000 | 0xbde | 0x1000 | 0x116000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .hzrd | 0x140117000 | 0x1124 | 0x2000 | 0x117000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .qzu | 0x140119000 | 0x736 | 0x1000 | 0x119000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nhglos | 0x14011a000 | 0x1af | 0x1000 | 0x11a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .itzo | 0x14011b000 | 0x23b | 0x1000 | 0x11b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nmsaom | 0x14011c000 | 0x23b | 0x1000 | 0x11c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rvhi | 0x14011d000 | 0x1af | 0x1000 | 0x11d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ucrzce | 0x14011e000 | 0x389 | 0x1000 | 0x11e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ijc | 0x14011f000 | 0xbf6 | 0x1000 | 0x11f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ohvs | 0x140120000 | 0x13e | 0x1000 | 0x120000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rlvrc | 0x140121000 | 0x1ee | 0x1000 | 0x121000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yjv | 0x140122000 | 0xbde | 0x1000 | 0x122000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .clbcyy | 0x140123000 | 0x13e | 0x1000 | 0x123000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xcyn | 0x140124000 | 0x8fe | 0x1000 | 0x124000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .boqx | 0x140125000 | 0x389 | 0x1000 | 0x125000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rnlia | 0x140126000 | 0x389 | 0x1000 | 0x126000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ctip | 0x140127000 | 0x5a7 | 0x1000 | 0x127000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fkv | 0x140128000 | 0x1124 | 0x2000 | 0x128000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .pczrv | 0x14012a000 | 0x23b | 0x1000 | 0x12a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ibglr | 0x14012b000 | 0x3fe | 0x1000 | 0x12b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .uirkq | 0x14012c000 | 0x3ba | 0x1000 | 0x12c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xmo | 0x14012d000 | 0x1af | 0x1000 | 0x12d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .veb | 0x14012e000 | 0x322 | 0x1000 | 0x12e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.57 |
Imports (7)
»
USER32.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| LookupIconIdFromDirectoryEx | - | 0x140042098 | 0xa64c8 | 0xa64c8 | 0x205 |
| WaitForInputIdle | - | 0x1400420a0 | 0xa64d0 | 0xa64d0 | 0x32e |
| GetParent | - | 0x1400420a8 | 0xa64d8 | 0xa64d8 | 0x166 |
| GetFocus | - | 0x1400420b0 | 0xa64e0 | 0xa64e0 | 0x12e |
SETUPAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CM_Get_Resource_Conflict_DetailsW | - | 0x140042078 | 0xa64a8 | 0xa64a8 | 0x8a |
KERNEL32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DeleteCriticalSection | - | 0x140042038 | 0xa6468 | 0xa6468 | 0xd2 |
| DeleteTimerQueue | - | 0x140042040 | 0xa6470 | 0xa6470 | 0xd9 |
| TerminateJobObject | - | 0x140042048 | 0xa6478 | 0xa6478 | 0x4cd |
| GetFileInformationByHandle | - | 0x140042050 | 0xa6480 | 0xa6480 | 0x1f3 |
| GetThreadLocale | - | 0x140042058 | 0xa6488 | 0xa6488 | 0x293 |
| GetNamedPipeServerProcessId | - | 0x140042060 | 0xa6490 | 0xa6490 | 0x229 |
| GetConsoleFontSize | - | 0x140042068 | 0xa6498 | 0xa6498 | 0x1aa |
GDI32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateBitmapIndirect | - | 0x140042020 | 0xa6450 | 0xa6450 | 0x2b |
| GetPolyFillMode | - | 0x140042028 | 0xa6458 | 0xa6458 | 0x206 |
CRYPT32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CertGetCTLContextProperty | - | 0x140042010 | 0xa6440 | 0xa6440 | 0x44 |
ADVAPI32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AddAccessDeniedObjectAce | - | 0x140042000 | 0xa6430 | 0xa6430 | 0x15 |
SHLWAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ChrCmpIW | - | 0x140042088 | 0xa64b8 | 0xa64b8 | 0xa |
Exports (24)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| AccessibleChildren | 0x3635c | 0x3 |
| AccessibleObjectFromEvent | 0x24668 | 0x4 |
| AccessibleObjectFromPoint | 0x411f8 | 0x5 |
| AccessibleObjectFromWindow | 0x1b33c | 0x6 |
| CreateStdAccessibleObject | 0xf8b0 | 0x7 |
| CreateStdAccessibleProxyA | 0x3f6e8 | 0x8 |
| CreateStdAccessibleProxyW | 0x4d24 | 0x9 |
| DllCanUnloadNow | 0x25dc4 | 0xa |
| DllGetClassObject | 0x2b90c | 0xb |
| DllRegisterServer | 0x361c | 0x1 |
| DllUnregisterServer | 0x3c120 | 0x2 |
| GetOleaccVersionInfo | 0x28c7c | 0xc |
| GetProcessHandleFromHwnd | 0x2e9a8 | 0xd |
| GetRoleTextA | 0x26c20 | 0xe |
| GetRoleTextW | 0x2aac | 0xf |
| GetStateTextA | 0x201a0 | 0x10 |
| GetStateTextW | 0x223b0 | 0x11 |
| IID_IAccessible | 0x21fd8 | 0x12 |
| IID_IAccessibleHandler | 0x2d918 | 0x13 |
| LIBID_Accessibility | 0x13784 | 0x14 |
| LresultFromObject | 0x27b08 | 0x15 |
| ObjectFromLresult | 0x674c | 0x16 |
| PropMgrClient_LookupProp | 0x22aa8 | 0x17 |
| WindowFromAccessibleObject | 0x15e34 | 0x18 |
| C:\Users\kEecfMwgj\AppData\Local\aAlRi\WTSAPI32.dll | Dropped File | Binary |
malicious
|
...
|
»
| Also Known As | C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Office\CuPXu597CI\WTSAPI32.dll (Dropped File) |
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 1.18 MB |
| MD5 |
d144ed236202957b2a94b76bb139610c
|
| SHA1 |
75290684b47028d132d323be62b988e51bd371eb
|
| SHA256 |
f82f912c345800653932585fb15f0991a16b1347daf7cfdf1e36270ca8e6868f
|
| SSDeep |
12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
|
| ImpHash |
6668be91e2c948b183827f040944057f
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Trojan.GenericKDZ.76753 |
malicious
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x140041070 |
| Size Of Code | 0x41000 |
| Size Of Initialized Data | 0xed000 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_cui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2020-02-20 08:35:24+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporati |
| FileDescription | Background Intellig |
| FileVersion | 7.5.7600.16385 (win7_rtm.090713- |
| InternalName | bitsp |
| LegalCopyright | © Microsoft Corporation. All rights reserv |
| OriginalFilename | kbdy |
| ProductName | Microsoft® Windows® Operating S |
| ProductVersion | 6.1.7600 |
Sections (40)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x140001000 | 0x40796 | 0x41000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.73 |
| .rdata | 0x140042000 | 0x64fcb | 0x65000 | 0x42000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.87 |
| .data | 0x1400a7000 | 0x178b8 | 0x18000 | 0xa7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.32 |
| .pdata | 0x1400bf000 | 0x12c | 0x1000 | 0xbf000 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.58 |
| .rsrc | 0x1400c0000 | 0x880 | 0x1000 | 0xc0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.24 |
| .reloc | 0x1400c1000 | 0x2324 | 0x3000 | 0xc1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.65 |
| .qkm | 0x1400c4000 | 0x74a | 0x1000 | 0xc4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .cvjb | 0x1400c5000 | 0x1e66 | 0x2000 | 0xc5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlmkv | 0x1400c7000 | 0xbde | 0x1000 | 0xc7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wucsxe | 0x1400c8000 | 0x45174 | 0x46000 | 0xc8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wnx | 0x14010e000 | 0x8fe | 0x1000 | 0x10e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .weqy | 0x14010f000 | 0x8fe | 0x1000 | 0x10f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yby | 0x140110000 | 0x1278 | 0x2000 | 0x110000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ormx | 0x140112000 | 0xbde | 0x1000 | 0x112000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .dhclu | 0x140113000 | 0x23b | 0x1000 | 0x113000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xmiul | 0x140114000 | 0x23b | 0x1000 | 0x114000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlwcxe | 0x140115000 | 0x13e | 0x1000 | 0x115000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .get | 0x140116000 | 0xbde | 0x1000 | 0x116000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .hzrd | 0x140117000 | 0x1124 | 0x2000 | 0x117000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .qzu | 0x140119000 | 0x736 | 0x1000 | 0x119000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nhglos | 0x14011a000 | 0x1af | 0x1000 | 0x11a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .itzo | 0x14011b000 | 0x23b | 0x1000 | 0x11b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nmsaom | 0x14011c000 | 0x23b | 0x1000 | 0x11c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rvhi | 0x14011d000 | 0x1af | 0x1000 | 0x11d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ucrzce | 0x14011e000 | 0x389 | 0x1000 | 0x11e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ijc | 0x14011f000 | 0xbf6 | 0x1000 | 0x11f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ohvs | 0x140120000 | 0x13e | 0x1000 | 0x120000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rlvrc | 0x140121000 | 0x1ee | 0x1000 | 0x121000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yjv | 0x140122000 | 0xbde | 0x1000 | 0x122000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .clbcyy | 0x140123000 | 0x13e | 0x1000 | 0x123000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xcyn | 0x140124000 | 0x8fe | 0x1000 | 0x124000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .boqx | 0x140125000 | 0x389 | 0x1000 | 0x125000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rnlia | 0x140126000 | 0x389 | 0x1000 | 0x126000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ctip | 0x140127000 | 0x5a7 | 0x1000 | 0x127000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fkv | 0x140128000 | 0x1124 | 0x2000 | 0x128000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .pczrv | 0x14012a000 | 0x23b | 0x1000 | 0x12a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ibglr | 0x14012b000 | 0x3fe | 0x1000 | 0x12b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .uirkq | 0x14012c000 | 0x3ba | 0x1000 | 0x12c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xmo | 0x14012d000 | 0x1af | 0x1000 | 0x12d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ziy | 0x14012e000 | 0x7fd | 0x1000 | 0x12e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.39 |
Imports (7)
»
USER32.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| LookupIconIdFromDirectoryEx | - | 0x140042098 | 0xa64c8 | 0xa64c8 | 0x205 |
| WaitForInputIdle | - | 0x1400420a0 | 0xa64d0 | 0xa64d0 | 0x32e |
| GetParent | - | 0x1400420a8 | 0xa64d8 | 0xa64d8 | 0x166 |
| GetFocus | - | 0x1400420b0 | 0xa64e0 | 0xa64e0 | 0x12e |
SETUPAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CM_Get_Resource_Conflict_DetailsW | - | 0x140042078 | 0xa64a8 | 0xa64a8 | 0x8a |
KERNEL32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DeleteCriticalSection | - | 0x140042038 | 0xa6468 | 0xa6468 | 0xd2 |
| DeleteTimerQueue | - | 0x140042040 | 0xa6470 | 0xa6470 | 0xd9 |
| TerminateJobObject | - | 0x140042048 | 0xa6478 | 0xa6478 | 0x4cd |
| GetFileInformationByHandle | - | 0x140042050 | 0xa6480 | 0xa6480 | 0x1f3 |
| GetThreadLocale | - | 0x140042058 | 0xa6488 | 0xa6488 | 0x293 |
| GetNamedPipeServerProcessId | - | 0x140042060 | 0xa6490 | 0xa6490 | 0x229 |
| GetConsoleFontSize | - | 0x140042068 | 0xa6498 | 0xa6498 | 0x1aa |
GDI32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateBitmapIndirect | - | 0x140042020 | 0xa6450 | 0xa6450 | 0x2b |
| GetPolyFillMode | - | 0x140042028 | 0xa6458 | 0xa6458 | 0x206 |
CRYPT32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CertGetCTLContextProperty | - | 0x140042010 | 0xa6440 | 0xa6440 | 0x44 |
ADVAPI32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AddAccessDeniedObjectAce | - | 0x140042000 | 0xa6430 | 0xa6430 | 0x15 |
SHLWAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ChrCmpIW | - | 0x140042088 | 0xa64b8 | 0xa64b8 | 0xa |
Exports (61)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| WTSCloseServer | 0xbec0 | 0x1 |
| WTSConnectSessionA | 0x171d8 | 0x2 |
| WTSConnectSessionW | 0x344b0 | 0x3 |
| WTSCreateListenerA | 0x33c44 | 0x4 |
| WTSCreateListenerW | 0xefa8 | 0x5 |
| WTSDisconnectSession | 0x7590 | 0x6 |
| WTSEnumerateListenersA | 0x29d74 | 0x7 |
| WTSEnumerateListenersW | 0xf8a8 | 0x8 |
| WTSEnumerateProcessesA | 0x20710 | 0x9 |
| WTSEnumerateProcessesExA | 0x3863c | 0xa |
| WTSEnumerateProcessesExW | 0xc2a8 | 0xb |
| WTSEnumerateProcessesW | 0x20a20 | 0xc |
| WTSEnumerateServersA | 0xf384 | 0xd |
| WTSEnumerateServersW | 0xae24 | 0xe |
| WTSEnumerateSessionsA | 0x3520 | 0xf |
| WTSEnumerateSessionsExA | 0x2a590 | 0x10 |
| WTSEnumerateSessionsExW | 0x8d7c | 0x11 |
| WTSEnumerateSessionsW | 0x1f710 | 0x12 |
| WTSFreeMemory | 0x9238 | 0x13 |
| WTSFreeMemoryExA | 0x37924 | 0x14 |
| WTSFreeMemoryExW | 0x1b1b0 | 0x15 |
| WTSGetListenerSecurityA | 0x3f590 | 0x16 |
| WTSGetListenerSecurityW | 0x3cb54 | 0x17 |
| WTSLogoffSession | 0x1c270 | 0x18 |
| WTSOpenServerA | 0x5894 | 0x19 |
| WTSOpenServerExA | 0x1758c | 0x1a |
| WTSOpenServerExW | 0x262a4 | 0x1b |
| WTSOpenServerW | 0x28d9c | 0x1c |
| WTSQueryListenerConfigA | 0x103b4 | 0x1d |
| WTSQueryListenerConfigW | 0x2c9d0 | 0x1e |
| WTSQuerySessionInformationA | 0x39a6c | 0x1f |
| WTSQuerySessionInformationW | 0x1d3d0 | 0x20 |
| WTSQueryUserConfigA | 0xe250 | 0x21 |
| WTSQueryUserConfigW | 0x309e8 | 0x22 |
| WTSQueryUserToken | 0x7714 | 0x23 |
| WTSRegisterSessionNotification | 0x37650 | 0x24 |
| WTSRegisterSessionNotificationEx | 0x34a24 | 0x25 |
| WTSSendMessageA | 0x26894 | 0x26 |
| WTSSendMessageW | 0xab80 | 0x27 |
| WTSSetListenerSecurityA | 0x10088 | 0x28 |
| WTSSetListenerSecurityW | 0x1f338 | 0x29 |
| WTSSetSessionInformationA | 0x132fc | 0x2a |
| WTSSetSessionInformationW | 0x3a908 | 0x2b |
| WTSSetUserConfigA | 0x2c654 | 0x2c |
| WTSSetUserConfigW | 0x2db54 | 0x2d |
| WTSShutdownSystem | 0x2d0dc | 0x2e |
| WTSStartRemoteControlSessionA | 0x1654 | 0x2f |
| WTSStartRemoteControlSessionW | 0x186e0 | 0x30 |
| WTSStopRemoteControlSession | 0x3f860 | 0x31 |
| WTSTerminateProcess | 0x21f68 | 0x32 |
| WTSUnRegisterSessionNotification | 0x36204 | 0x33 |
| WTSUnRegisterSessionNotificationEx | 0x9348 | 0x34 |
| WTSVirtualChannelClose | 0x7770 | 0x35 |
| WTSVirtualChannelOpen | 0x1aaac | 0x36 |
| WTSVirtualChannelOpenEx | 0x31038 | 0x37 |
| WTSVirtualChannelPurgeInput | 0xff70 | 0x38 |
| WTSVirtualChannelPurgeOutput | 0x1d248 | 0x39 |
| WTSVirtualChannelQuery | 0x3b2e0 | 0x3a |
| WTSVirtualChannelRead | 0x6c18 | 0x3b |
| WTSVirtualChannelWrite | 0x1d498 | 0x3c |
| WTSWaitSystemEvent | 0xac34 | 0x3d |
| C:\Users\kEecfMwgj\AppData\Local\kza5B6\slc.dll | Dropped File | Binary |
malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 1.18 MB |
| MD5 |
b9c6e94a82057c0c785ac37f57dc8ed6
|
| SHA1 |
78feee91ce87ede75bc7e2fcd36c963b0b71d9f3
|
| SHA256 |
b5e85d4434bbdc83c020f4d1bc70908b76643e8b6a9b8b51c3942d8a6db500c1
|
| SSDeep |
12288:mVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Ot:7fP7fWsK5z9A+WGAW+V5SB6Ct4bnbOt
|
| ImpHash |
6668be91e2c948b183827f040944057f
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Trojan.GenericKDZ.76753 |
malicious
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x140041070 |
| Size Of Code | 0x41000 |
| Size Of Initialized Data | 0xed000 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_cui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2020-02-20 08:35:24+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporati |
| FileDescription | Background Intellig |
| FileVersion | 7.5.7600.16385 (win7_rtm.090713- |
| InternalName | bitsp |
| LegalCopyright | © Microsoft Corporation. All rights reserv |
| OriginalFilename | kbdy |
| ProductName | Microsoft® Windows® Operating S |
| ProductVersion | 6.1.7600 |
Sections (40)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x140001000 | 0x40796 | 0x41000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.73 |
| .rdata | 0x140042000 | 0x64fcb | 0x65000 | 0x42000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.87 |
| .data | 0x1400a7000 | 0x178b8 | 0x18000 | 0xa7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.32 |
| .pdata | 0x1400bf000 | 0x12c | 0x1000 | 0xbf000 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.58 |
| .rsrc | 0x1400c0000 | 0x880 | 0x1000 | 0xc0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.24 |
| .reloc | 0x1400c1000 | 0x2324 | 0x3000 | 0xc1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.65 |
| .qkm | 0x1400c4000 | 0x74a | 0x1000 | 0xc4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .cvjb | 0x1400c5000 | 0x1e66 | 0x2000 | 0xc5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlmkv | 0x1400c7000 | 0xbde | 0x1000 | 0xc7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wucsxe | 0x1400c8000 | 0x45174 | 0x46000 | 0xc8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wnx | 0x14010e000 | 0x8fe | 0x1000 | 0x10e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .weqy | 0x14010f000 | 0x8fe | 0x1000 | 0x10f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yby | 0x140110000 | 0x1278 | 0x2000 | 0x110000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ormx | 0x140112000 | 0xbde | 0x1000 | 0x112000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .dhclu | 0x140113000 | 0x23b | 0x1000 | 0x113000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xmiul | 0x140114000 | 0x23b | 0x1000 | 0x114000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlwcxe | 0x140115000 | 0x13e | 0x1000 | 0x115000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .get | 0x140116000 | 0xbde | 0x1000 | 0x116000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .hzrd | 0x140117000 | 0x1124 | 0x2000 | 0x117000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .qzu | 0x140119000 | 0x736 | 0x1000 | 0x119000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nhglos | 0x14011a000 | 0x1af | 0x1000 | 0x11a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .itzo | 0x14011b000 | 0x23b | 0x1000 | 0x11b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nmsaom | 0x14011c000 | 0x23b | 0x1000 | 0x11c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rvhi | 0x14011d000 | 0x1af | 0x1000 | 0x11d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ucrzce | 0x14011e000 | 0x389 | 0x1000 | 0x11e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ijc | 0x14011f000 | 0xbf6 | 0x1000 | 0x11f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ohvs | 0x140120000 | 0x13e | 0x1000 | 0x120000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rlvrc | 0x140121000 | 0x1ee | 0x1000 | 0x121000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yjv | 0x140122000 | 0xbde | 0x1000 | 0x122000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .clbcyy | 0x140123000 | 0x13e | 0x1000 | 0x123000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xcyn | 0x140124000 | 0x8fe | 0x1000 | 0x124000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .boqx | 0x140125000 | 0x389 | 0x1000 | 0x125000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rnlia | 0x140126000 | 0x389 | 0x1000 | 0x126000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ctip | 0x140127000 | 0x5a7 | 0x1000 | 0x127000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fkv | 0x140128000 | 0x1124 | 0x2000 | 0x128000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .pczrv | 0x14012a000 | 0x23b | 0x1000 | 0x12a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ibglr | 0x14012b000 | 0x3fe | 0x1000 | 0x12b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .uirkq | 0x14012c000 | 0x3ba | 0x1000 | 0x12c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xmo | 0x14012d000 | 0x1af | 0x1000 | 0x12d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .moggq | 0x14012e000 | 0x573 | 0x1000 | 0x12e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.5 |
Imports (7)
»
USER32.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| LookupIconIdFromDirectoryEx | - | 0x140042098 | 0xa64c8 | 0xa64c8 | 0x205 |
| WaitForInputIdle | - | 0x1400420a0 | 0xa64d0 | 0xa64d0 | 0x32e |
| GetParent | - | 0x1400420a8 | 0xa64d8 | 0xa64d8 | 0x166 |
| GetFocus | - | 0x1400420b0 | 0xa64e0 | 0xa64e0 | 0x12e |
SETUPAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CM_Get_Resource_Conflict_DetailsW | - | 0x140042078 | 0xa64a8 | 0xa64a8 | 0x8a |
KERNEL32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DeleteCriticalSection | - | 0x140042038 | 0xa6468 | 0xa6468 | 0xd2 |
| DeleteTimerQueue | - | 0x140042040 | 0xa6470 | 0xa6470 | 0xd9 |
| TerminateJobObject | - | 0x140042048 | 0xa6478 | 0xa6478 | 0x4cd |
| GetFileInformationByHandle | - | 0x140042050 | 0xa6480 | 0xa6480 | 0x1f3 |
| GetThreadLocale | - | 0x140042058 | 0xa6488 | 0xa6488 | 0x293 |
| GetNamedPipeServerProcessId | - | 0x140042060 | 0xa6490 | 0xa6490 | 0x229 |
| GetConsoleFontSize | - | 0x140042068 | 0xa6498 | 0xa6498 | 0x1aa |
GDI32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateBitmapIndirect | - | 0x140042020 | 0xa6450 | 0xa6450 | 0x2b |
| GetPolyFillMode | - | 0x140042028 | 0xa6458 | 0xa6458 | 0x206 |
CRYPT32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CertGetCTLContextProperty | - | 0x140042010 | 0xa6440 | 0xa6440 | 0x44 |
ADVAPI32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AddAccessDeniedObjectAce | - | 0x140042000 | 0xa6430 | 0xa6430 | 0x15 |
SHLWAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ChrCmpIW | - | 0x140042088 | 0xa64b8 | 0xa64b8 | 0xa |
Exports (42)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| SLClose | 0x64b0 | 0x8 |
| SLConsumeRight | 0x93fc | 0x9 |
| SLConsumeWindowsRight | 0x12ce0 | 0xa |
| SLDepositOfflineConfirmationId | 0x30bd4 | 0xb |
| SLFireEvent | 0x174cc | 0xc |
| SLGenerateOfflineInstallationId | 0x2e59c | 0xd |
| SLGetApplicationInformation | 0x4190 | 0xe |
| SLGetGenuineInformation | 0x20658 | 0xf |
| SLGetInstalledProductKeyIds | 0x315fc | 0x10 |
| SLGetInstalledSAMLicenseApplications | 0x3e268 | 0x1 |
| SLGetLicense | 0x38a10 | 0x11 |
| SLGetLicenseFileId | 0x3705c | 0x12 |
| SLGetLicenseInformation | 0xfcdc | 0x13 |
| SLGetLicensingStatusInformation | 0xe7cc | 0x14 |
| SLGetPKeyId | 0x1f290 | 0x15 |
| SLGetPKeyInformation | 0x8d74 | 0x16 |
| SLGetPolicyInformation | 0x1c440 | 0x17 |
| SLGetPolicyInformationDWORD | 0x3bc4c | 0x18 |
| SLGetProductSkuInformation | 0x410bc | 0x19 |
| SLGetSAMLicense | 0x235e4 | 0x2 |
| SLGetSLIDList | 0x3d29c | 0x1a |
| SLGetServiceInformation | 0x11d00 | 0x1b |
| SLGetWindowsInformation | 0x10ba0 | 0x1c |
| SLGetWindowsInformationDWORD | 0x2c1a0 | 0x1d |
| SLInstallLicense | 0x31e5c | 0x1e |
| SLInstallProofOfPurchase | 0x29e4c | 0x1f |
| SLInstallSAMLicense | 0x28388 | 0x3 |
| SLIsWindowsGenuineLocal | 0x360e0 | 0x20 |
| SLOpen | 0x333a8 | 0x21 |
| SLReArmWindows | 0x273ac | 0x22 |
| SLRegisterEvent | 0x2cf54 | 0x23 |
| SLRegisterWindowsEvent | 0x2c85c | 0x24 |
| SLSetCurrentProductKey | 0x1c200 | 0x25 |
| SLSetGenuineInformation | 0x3c27c | 0x26 |
| SLUninstallLicense | 0x18a8 | 0x27 |
| SLUninstallProofOfPurchase | 0xe7ec | 0x28 |
| SLUninstallSAMLicense | 0x3b1a8 | 0x4 |
| SLUnregisterEvent | 0x3150 | 0x29 |
| SLUnregisterWindowsEvent | 0xff94 | 0x2a |
| SLpCheckProductKey | 0x36a60 | 0x5 |
| SLpGetGenuineLocal | 0x11974 | 0x6 |
| SLpUpdateComponentTokens | 0x40a8 | 0x7 |
| C:\Users\kEecfMwgj\AppData\Local\j6EpPJ\SnippingTool.exe | Dropped File | Binary |
suspicious
Lowered to Suspicious because the artifact is known to be Clean or Trusted.
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 421.00 KB |
| MD5 |
7633f554eeafde7f144b41c2fcaf5f63
|
| SHA1 |
44497c3d6fada0066598a6170b90c53e28ddf96c
|
| SHA256 |
890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
|
| SSDeep |
6144:ul073J3gYx1K4ttO9r3DWso3T+cbJ5JIJAbW0we3:z3JwYHKoqz5oCIJ5MZ0w
|
| ImpHash |
d1884757532ce7b0014241f40262c929
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x1400247ac |
| Size Of Code | 0x29600 |
| Size Of Initialized Data | 0x42200 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2009-07-14 00:03:19+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporation |
| FileDescription | Snipping Tool |
| FileVersion | 6.1.7600.16385 (win7_rtm.090713-1255) |
| InternalName | SnippingTool |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | SnippingTool.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 6.1.7600.16385 |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x140001000 | 0x29454 | 0x29600 | 0x600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.23 |
| .data | 0x14002b000 | 0x2c60 | 0x400 | 0x29c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.14 |
| .pdata | 0x14002e000 | 0x135c | 0x1400 | 0x2a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.25 |
| .rsrc | 0x140030000 | 0x3d9e8 | 0x3da00 | 0x2b400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.1 |
| .reloc | 0x14006e000 | 0x5ce | 0x600 | 0x68e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.74 |
Imports (16)
»
ADVAPI32.dll (12)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| TraceMessage | - | 0x140001000 | 0x28578 | 0x27b78 | 0x2f6 |
| GetTraceLoggerHandle | - | 0x140001008 | 0x28580 | 0x27b80 | 0x15d |
| GetTraceEnableLevel | - | 0x140001010 | 0x28588 | 0x27b88 | 0x15c |
| GetTraceEnableFlags | - | 0x140001018 | 0x28590 | 0x27b90 | 0x15b |
| RegisterTraceGuidsW | - | 0x140001020 | 0x28598 | 0x27b98 | 0x28a |
| UnregisterTraceGuids | - | 0x140001028 | 0x285a0 | 0x27ba0 | 0x302 |
| TraceEvent | - | 0x140001030 | 0x285a8 | 0x27ba8 | 0x2f4 |
| RegSetValueExW | - | 0x140001038 | 0x285b0 | 0x27bb0 | 0x27e |
| RegCloseKey | - | 0x140001040 | 0x285b8 | 0x27bb8 | 0x230 |
| RegOpenKeyExW | - | 0x140001048 | 0x285c0 | 0x27bc0 | 0x261 |
| RegQueryValueExW | - | 0x140001050 | 0x285c8 | 0x27bc8 | 0x26e |
| RegCreateKeyExW | - | 0x140001058 | 0x285d0 | 0x27bd0 | 0x239 |
KERNEL32.dll (53)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetTickCount | - | 0x140001178 | 0x286f0 | 0x27cf0 | 0x29a |
| QueryPerformanceCounter | - | 0x140001180 | 0x286f8 | 0x27cf8 | 0x3a9 |
| GetModuleHandleW | - | 0x140001188 | 0x28700 | 0x27d00 | 0x21e |
| SetUnhandledExceptionFilter | - | 0x140001190 | 0x28708 | 0x27d08 | 0x4b3 |
| GetStartupInfoW | - | 0x140001198 | 0x28710 | 0x27d10 | 0x26a |
| GetVersionExA | - | 0x1400011a0 | 0x28718 | 0x27d18 | 0x2ab |
| GetProcessHeap | - | 0x1400011a8 | 0x28720 | 0x27d20 | 0x251 |
| HeapSize | - | 0x1400011b0 | 0x28728 | 0x27d28 | 0x2dc |
| HeapReAlloc | - | 0x1400011b8 | 0x28730 | 0x27d30 | 0x2da |
| HeapFree | - | 0x1400011c0 | 0x28738 | 0x27d38 | 0x2d7 |
| HeapAlloc | - | 0x1400011c8 | 0x28740 | 0x27d40 | 0x2d3 |
| HeapDestroy | - | 0x1400011d0 | 0x28748 | 0x27d48 | 0x2d6 |
| DeleteCriticalSection | - | 0x1400011d8 | 0x28750 | 0x27d50 | 0xd2 |
| InitializeCriticalSection | - | 0x1400011e0 | 0x28758 | 0x27d58 | 0x2ea |
| GetCurrentProcessId | - | 0x1400011e8 | 0x28760 | 0x27d60 | 0x1c7 |
| GetSystemTimeAsFileTime | - | 0x1400011f0 | 0x28768 | 0x27d68 | 0x280 |
| TerminateProcess | - | 0x1400011f8 | 0x28770 | 0x27d70 | 0x4ce |
| GetCurrentProcess | - | 0x140001200 | 0x28778 | 0x27d78 | 0x1c6 |
| UnhandledExceptionFilter | - | 0x140001208 | 0x28780 | 0x27d80 | 0x4e2 |
| OutputDebugStringA | - | 0x140001210 | 0x28788 | 0x27d88 | 0x38b |
| CreateMutexW | - | 0x140001218 | 0x28790 | 0x27d90 | 0x9e |
| lstrlenA | - | 0x140001220 | 0x28798 | 0x27d98 | 0x560 |
| MultiByteToWideChar | - | 0x140001228 | 0x287a0 | 0x27da0 | 0x369 |
| ReleaseMutex | - | 0x140001230 | 0x287a8 | 0x27da8 | 0x3fd |
| GetVersionExW | - | 0x140001238 | 0x287b0 | 0x27db0 | 0x2ac |
| GetSystemDefaultUILanguage | - | 0x140001240 | 0x287b8 | 0x27db8 | 0x275 |
| Sleep | - | 0x140001248 | 0x287c0 | 0x27dc0 | 0x4c0 |
| CloseHandle | - | 0x140001250 | 0x287c8 | 0x27dc8 | 0x52 |
| WriteFile | - | 0x140001258 | 0x287d0 | 0x27dd0 | 0x534 |
| lstrlenW | - | 0x140001260 | 0x287d8 | 0x27dd8 | 0x561 |
| CreateFileW | - | 0x140001268 | 0x287e0 | 0x27de0 | 0x8f |
| FindResourceExW | - | 0x140001270 | 0x287e8 | 0x27de8 | 0x153 |
| FindResourceW | - | 0x140001278 | 0x287f0 | 0x27df0 | 0x154 |
| LoadResource | - | 0x140001280 | 0x287f8 | 0x27df8 | 0x343 |
| LockResource | - | 0x140001288 | 0x28800 | 0x27e00 | 0x356 |
| SizeofResource | - | 0x140001290 | 0x28808 | 0x27e08 | 0x4bf |
| EnterCriticalSection | - | 0x140001298 | 0x28810 | 0x27e10 | 0xf2 |
| LeaveCriticalSection | - | 0x1400012a0 | 0x28818 | 0x27e18 | 0x33b |
| RegisterApplicationRestart | - | 0x1400012a8 | 0x28820 | 0x27e20 | 0x3f3 |
| HeapSetInformation | - | 0x1400012b0 | 0x28828 | 0x27e28 | 0x2db |
| DeleteFileW | - | 0x1400012b8 | 0x28830 | 0x27e30 | 0xd7 |
| GetTempPathW | - | 0x1400012c0 | 0x28838 | 0x27e38 | 0x28c |
| FreeLibrary | - | 0x1400012c8 | 0x28840 | 0x27e40 | 0x168 |
| WideCharToMultiByte | - | 0x1400012d0 | 0x28848 | 0x27e48 | 0x520 |
| GetProcAddress | - | 0x1400012d8 | 0x28850 | 0x27e50 | 0x24c |
| LoadLibraryW | - | 0x1400012e0 | 0x28858 | 0x27e58 | 0x341 |
| ExpandEnvironmentStringsW | - | 0x1400012e8 | 0x28860 | 0x27e60 | 0x123 |
| RaiseException | - | 0x1400012f0 | 0x28868 | 0x27e68 | 0x3b4 |
| GlobalDeleteAtom | - | 0x1400012f8 | 0x28870 | 0x27e70 | 0x2bd |
| GlobalAddAtomW | - | 0x140001300 | 0x28878 | 0x27e78 | 0x2ba |
| GetLastError | - | 0x140001308 | 0x28880 | 0x27e80 | 0x208 |
| GetCurrentThreadId | - | 0x140001310 | 0x28888 | 0x27e88 | 0x1cb |
| SetLastError | - | 0x140001318 | 0x28890 | 0x27e90 | 0x480 |
GDI32.dll (26)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateCompatibleBitmap | - | 0x1400010a0 | 0x28618 | 0x27c18 | 0x2f |
| CreatePen | - | 0x1400010a8 | 0x28620 | 0x27c20 | 0x4b |
| CreateRectRgnIndirect | - | 0x1400010b0 | 0x28628 | 0x27c28 | 0x50 |
| CreateRectRgn | - | 0x1400010b8 | 0x28630 | 0x27c30 | 0x4f |
| CombineRgn | - | 0x1400010c0 | 0x28638 | 0x27c38 | 0x22 |
| GetStockObject | - | 0x1400010c8 | 0x28640 | 0x27c40 | 0x20d |
| Rectangle | - | 0x1400010d0 | 0x28648 | 0x27c48 | 0x25f |
| SelectObject | - | 0x1400010d8 | 0x28650 | 0x27c50 | 0x277 |
| GetDeviceCaps | - | 0x1400010e0 | 0x28658 | 0x27c58 | 0x1cb |
| DeleteObject | - | 0x1400010e8 | 0x28660 | 0x27c60 | 0xe6 |
| SetTextColor | - | 0x1400010f0 | 0x28668 | 0x27c68 | 0x2a6 |
| SetBkMode | - | 0x1400010f8 | 0x28670 | 0x27c70 | 0x27f |
| GetLayout | - | 0x140001100 | 0x28678 | 0x27c78 | 0x1ed |
| GetClipRgn | - | 0x140001108 | 0x28680 | 0x27c80 | 0x1c1 |
| SelectClipRgn | - | 0x140001110 | 0x28688 | 0x27c88 | 0x275 |
| GetObjectW | - | 0x140001118 | 0x28690 | 0x27c90 | 0x1fd |
| CreatePolygonRgn | - | 0x140001120 | 0x28698 | 0x27c98 | 0x4e |
| OffsetRgn | - | 0x140001128 | 0x286a0 | 0x27ca0 | 0x23d |
| FillRgn | - | 0x140001130 | 0x286a8 | 0x27ca8 | 0x142 |
| PatBlt | - | 0x140001138 | 0x286b0 | 0x27cb0 | 0x246 |
| CreateCompatibleDC | - | 0x140001140 | 0x286b8 | 0x27cb8 | 0x30 |
| DeleteDC | - | 0x140001148 | 0x286c0 | 0x27cc0 | 0xe3 |
| CreateDIBSection | - | 0x140001150 | 0x286c8 | 0x27cc8 | 0x35 |
| BitBlt | - | 0x140001158 | 0x286d0 | 0x27cd0 | 0x13 |
| SetLayout | - | 0x140001160 | 0x286d8 | 0x27cd8 | 0x291 |
| CreateSolidBrush | - | 0x140001168 | 0x286e0 | 0x27ce0 | 0x54 |
USER32.dll (97)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| MapWindowPoints | - | 0x140001408 | 0x28980 | 0x27f80 | 0x20d |
| GetMonitorInfoW | - | 0x140001410 | 0x28988 | 0x27f88 | 0x161 |
| CopyRect | - | 0x140001418 | 0x28990 | 0x27f90 | 0x55 |
| UnregisterClassA | - | 0x140001420 | 0x28998 | 0x27f98 | 0x30d |
| DeferWindowPos | - | 0x140001428 | 0x289a0 | 0x27fa0 | 0x9d |
| BeginDeferWindowPos | - | 0x140001430 | 0x289a8 | 0x27fa8 | 0xd |
| SetCursor | - | 0x140001438 | 0x289b0 | 0x27fb0 | 0x28e |
| GetIconInfo | - | 0x140001440 | 0x289b8 | 0x27fb8 | 0x135 |
| GetWindowTextW | - | 0x140001448 | 0x289c0 | 0x27fc0 | 0x1a7 |
| CallWindowProcW | - | 0x140001450 | 0x289c8 | 0x27fc8 | 0x1e |
| DrawIconEx | - | 0x140001458 | 0x289d0 | 0x27fd0 | 0xc8 |
| OffsetRect | - | 0x140001460 | 0x289d8 | 0x27fd8 | 0x229 |
| GetWindowRgnBox | - | 0x140001468 | 0x289e0 | 0x27fe0 | 0x1a2 |
| UnregisterHotKey | - | 0x140001470 | 0x289e8 | 0x27fe8 | 0x310 |
| GetWindowLongW | - | 0x140001478 | 0x289f0 | 0x27ff0 | 0x19a |
| GetForegroundWindow | - | 0x140001480 | 0x289f8 | 0x27ff8 | 0x12f |
| DestroyMenu | - | 0x140001488 | 0x28a00 | 0x28000 | 0xa4 |
| CheckMenuRadioItem | - | 0x140001490 | 0x28a08 | 0x28008 | 0x40 |
| GetSystemMetrics | - | 0x140001498 | 0x28a10 | 0x28010 | 0x180 |
| IsWindowVisible | - | 0x1400014a0 | 0x28a18 | 0x28018 | 0x1e4 |
| ShowWindow | - | 0x1400014a8 | 0x28a20 | 0x28020 | 0x2e7 |
| ReleaseDC | - | 0x1400014b0 | 0x28a28 | 0x28028 | 0x269 |
| LoadCursorW | - | 0x1400014b8 | 0x28a30 | 0x28030 | 0x1ef |
| RegisterClassW | - | 0x1400014c0 | 0x28a38 | 0x28038 | 0x252 |
| GetWindowLongPtrW | - | 0x1400014c8 | 0x28a40 | 0x28040 | 0x199 |
| SetWindowLongPtrW | - | 0x1400014d0 | 0x28a48 | 0x28048 | 0x2cb |
| BeginPaint | - | 0x1400014d8 | 0x28a50 | 0x28050 | 0xe |
| LoadMenuW | - | 0x1400014e0 | 0x28a58 | 0x28058 | 0x1fb |
| SetCapture | - | 0x1400014e8 | 0x28a60 | 0x28060 | 0x284 |
| ReleaseCapture | - | 0x1400014f0 | 0x28a68 | 0x28068 | 0x268 |
| UnionRect | - | 0x1400014f8 | 0x28a70 | 0x28070 | 0x309 |
| InvalidateRect | - | 0x140001500 | 0x28a78 | 0x28078 | 0x1c2 |
| GetPropW | - | 0x140001508 | 0x28a80 | 0x28080 | 0x16d |
| SetPropW | - | 0x140001510 | 0x28a88 | 0x28088 | 0x2b3 |
| IntersectRect | - | 0x140001518 | 0x28a90 | 0x28090 | 0x1c1 |
| EnumDisplayMonitors | - | 0x140001520 | 0x28a98 | 0x28098 | 0xe6 |
| IsIconic | - | 0x140001528 | 0x28aa0 | 0x280a0 | 0x1d5 |
| PtInRect | - | 0x140001530 | 0x28aa8 | 0x280a8 | 0x244 |
| GetWindow | - | 0x140001538 | 0x28ab0 | 0x280b0 | 0x190 |
| LogicalToPhysicalPoint | - | 0x140001540 | 0x28ab8 | 0x280b8 | 0x203 |
| SetRect | - | 0x140001548 | 0x28ac0 | 0x280c0 | 0x2b4 |
| CloseClipboard | - | 0x140001550 | 0x28ac8 | 0x280c8 | 0x49 |
| OpenClipboard | - | 0x140001558 | 0x28ad0 | 0x280d0 | 0x22a |
| EmptyClipboard | - | 0x140001560 | 0x28ad8 | 0x280d8 | 0xd5 |
| SetClipboardData | - | 0x140001568 | 0x28ae0 | 0x280e0 | 0x28c |
| GetClassNameW | - | 0x140001570 | 0x28ae8 | 0x280e8 | 0x114 |
| GetParent | - | 0x140001578 | 0x28af0 | 0x280f0 | 0x166 |
| LoadAcceleratorsW | - | 0x140001580 | 0x28af8 | 0x280f8 | 0x1e9 |
| GetWindowRect | - | 0x140001588 | 0x28b00 | 0x28100 | 0x1a0 |
| TranslateAcceleratorW | - | 0x140001590 | 0x28b08 | 0x28108 | 0x302 |
| LoadStringW | - | 0x140001598 | 0x28b10 | 0x28110 | 0x1fe |
| CreateWindowExW | - | 0x1400015a0 | 0x28b18 | 0x28118 | 0x6e |
| AdjustWindowRect | - | 0x1400015a8 | 0x28b20 | 0x28120 | 0x2 |
| RegisterHotKey | - | 0x1400015b0 | 0x28b28 | 0x28128 | 0x25a |
| DestroyWindow | - | 0x1400015b8 | 0x28b30 | 0x28130 | 0xa6 |
| MonitorFromWindow | - | 0x1400015c0 | 0x28b38 | 0x28138 | 0x21e |
| EndDeferWindowPos | - | 0x1400015c8 | 0x28b40 | 0x28140 | 0xd9 |
| LoadIconW | - | 0x1400015d0 | 0x28b48 | 0x28148 | 0x1f1 |
| GetSubMenu | - | 0x1400015d8 | 0x28b50 | 0x28150 | 0x17c |
| LoadImageW | - | 0x1400015e0 | 0x28b58 | 0x28158 | 0x1f3 |
| SetClassLongPtrW | - | 0x1400015e8 | 0x28b60 | 0x28160 | 0x289 |
| SetWindowTextW | - | 0x1400015f0 | 0x28b68 | 0x28168 | 0x2d3 |
| IsZoomed | - | 0x1400015f8 | 0x28b70 | 0x28170 | 0x1e6 |
| DialogBoxParamW | - | 0x140001600 | 0x28b78 | 0x28178 | 0xac |
| CheckDlgButton | - | 0x140001608 | 0x28b80 | 0x28180 | 0x3e |
| IsDlgButtonChecked | - | 0x140001610 | 0x28b88 | 0x28188 | 0x1d2 |
| GetClientRect | - | 0x140001618 | 0x28b90 | 0x28190 | 0x116 |
| DrawFocusRect | - | 0x140001620 | 0x28b98 | 0x28198 | 0xc4 |
| DrawTextW | - | 0x140001628 | 0x28ba0 | 0x281a0 | 0xd0 |
| GetProcessDefaultLayout | - | 0x140001630 | 0x28ba8 | 0x281a8 | 0x169 |
| TrackPopupMenuEx | - | 0x140001638 | 0x28bb0 | 0x281b0 | 0x2ff |
| SetScrollInfo | - | 0x140001640 | 0x28bb8 | 0x281b8 | 0x2b6 |
| GetScrollInfo | - | 0x140001648 | 0x28bc0 | 0x281c0 | 0x177 |
| SetFocus | - | 0x140001650 | 0x28bc8 | 0x281c8 | 0x298 |
| DefWindowProcW | - | 0x140001658 | 0x28bd0 | 0x281d0 | 0x9c |
| PostMessageW | - | 0x140001660 | 0x28bd8 | 0x281d8 | 0x23a |
| GetMessageW | - | 0x140001668 | 0x28be0 | 0x281e0 | 0x15f |
| TranslateMessage | - | 0x140001670 | 0x28be8 | 0x281e8 | 0x304 |
| DispatchMessageW | - | 0x140001678 | 0x28bf0 | 0x281f0 | 0xaf |
| EndPaint | - | 0x140001680 | 0x28bf8 | 0x281f8 | 0xdc |
| AdjustWindowRectEx | - | 0x140001688 | 0x28c00 | 0x28200 | 0x3 |
| InflateRect | - | 0x140001690 | 0x28c08 | 0x28208 | 0x1b9 |
| FillRect | - | 0x140001698 | 0x28c10 | 0x28210 | 0xf6 |
| SendMessageW | - | 0x1400016a0 | 0x28c18 | 0x28218 | 0x280 |
| EndDialog | - | 0x1400016a8 | 0x28c20 | 0x28220 | 0xda |
| GetDlgItem | - | 0x1400016b0 | 0x28c28 | 0x28228 | 0x129 |
| GetDC | - | 0x1400016b8 | 0x28c30 | 0x28230 | 0x123 |
| SetForegroundWindow | - | 0x1400016c0 | 0x28c38 | 0x28238 | 0x299 |
| OpenIcon | - | 0x1400016c8 | 0x28c40 | 0x28240 | 0x22d |
| FindWindowW | - | 0x1400016d0 | 0x28c48 | 0x28248 | 0xfa |
| MessageBoxW | - | 0x1400016d8 | 0x28c50 | 0x28250 | 0x219 |
| GetSysColor | - | 0x1400016e0 | 0x28c58 | 0x28258 | 0x17d |
| SetWindowPos | - | 0x1400016e8 | 0x28c60 | 0x28260 | 0x2ce |
| GetWindowDC | - | 0x1400016f0 | 0x28c68 | 0x28268 | 0x194 |
| GetDesktopWindow | - | 0x1400016f8 | 0x28c70 | 0x28270 | 0x125 |
| PostQuitMessage | - | 0x140001700 | 0x28c78 | 0x28278 | 0x23b |
| SystemParametersInfoW | - | 0x140001708 | 0x28c80 | 0x28280 | 0x2f4 |
msvcrt.dll (41)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __CxxFrameHandler3 | - | 0x140001840 | 0x28db8 | 0x283b8 | 0x57 |
| ??3@YAXPEAX@Z | - | 0x140001848 | 0x28dc0 | 0x283c0 | 0x15 |
| ??_V@YAXPEAX@Z | - | 0x140001850 | 0x28dc8 | 0x283c8 | 0x24 |
| free | - | 0x140001858 | 0x28dd0 | 0x283d0 | 0x43a |
| _vsnwprintf | - | 0x140001860 | 0x28dd8 | 0x283d8 | 0x358 |
| ??_U@YAPEAX_K@Z | - | 0x140001868 | 0x28de0 | 0x283e0 | 0x22 |
| ??2@YAPEAX_K@Z | - | 0x140001870 | 0x28de8 | 0x283e8 | 0x13 |
| _wcsicmp | - | 0x140001878 | 0x28df0 | 0x283f0 | 0x379 |
| memcpy_s | - | 0x140001880 | 0x28df8 | 0x283f8 | 0x481 |
| wcscspn | - | 0x140001888 | 0x28e00 | 0x28400 | 0x4f4 |
| wcsspn | - | 0x140001890 | 0x28e08 | 0x28408 | 0x501 |
| memmove_s | - | 0x140001898 | 0x28e10 | 0x28410 | 0x483 |
| malloc | - | 0x1400018a0 | 0x28e18 | 0x28418 | 0x474 |
| _resetstkoflw | - | 0x1400018a8 | 0x28e20 | 0x28420 | 0x297 |
| strstr | - | 0x1400018b0 | 0x28e28 | 0x28428 | 0x4c2 |
| _vscwprintf | - | 0x1400018b8 | 0x28e30 | 0x28430 | 0x34f |
| _onexit | - | 0x1400018c0 | 0x28e38 | 0x28438 | 0x27f |
| _lock | - | 0x1400018c8 | 0x28e40 | 0x28440 | 0x1d5 |
| __dllonexit | - | 0x1400018d0 | 0x28e48 | 0x28448 | 0x6d |
| _unlock | - | 0x1400018d8 | 0x28e50 | 0x28450 | 0x330 |
| ??1type_info@@UEAA@XZ | - | 0x1400018e0 | 0x28e58 | 0x28458 | 0x12 |
| _errno | - | 0x1400018e8 | 0x28e60 | 0x28460 | 0xf6 |
| realloc | - | 0x1400018f0 | 0x28e68 | 0x28468 | 0x497 |
| ?terminate@@YAXXZ | - | 0x1400018f8 | 0x28e70 | 0x28470 | 0x30 |
| __set_app_type | - | 0x140001900 | 0x28e78 | 0x28478 | 0x80 |
| _fmode | - | 0x140001908 | 0x28e80 | 0x28480 | 0x118 |
| _commode | - | 0x140001910 | 0x28e88 | 0x28488 | 0xc4 |
| __setusermatherr | - | 0x140001918 | 0x28e90 | 0x28490 | 0x82 |
| _amsg_exit | - | 0x140001920 | 0x28e98 | 0x28498 | 0xa0 |
| _initterm | - | 0x140001928 | 0x28ea0 | 0x284a0 | 0x16c |
| _acmdln | - | 0x140001930 | 0x28ea8 | 0x284a8 | 0x94 |
| exit | - | 0x140001938 | 0x28eb0 | 0x284b0 | 0x420 |
| _cexit | - | 0x140001940 | 0x28eb8 | 0x284b8 | 0xb3 |
| _ismbblead | - | 0x140001948 | 0x28ec0 | 0x284c0 | 0x188 |
| _exit | - | 0x140001950 | 0x28ec8 | 0x284c8 | 0xff |
| _XcptFilter | - | 0x140001958 | 0x28ed0 | 0x284d0 | 0x52 |
| __getmainargs | - | 0x140001960 | 0x28ed8 | 0x284d8 | 0x71 |
| memset | - | 0x140001968 | 0x28ee0 | 0x284e0 | 0x484 |
| __C_specific_handler | - | 0x140001970 | 0x28ee8 | 0x284e8 | 0x53 |
| vswprintf_s | - | 0x140001978 | 0x28ef0 | 0x284f0 | 0x4e8 |
| _CxxThrowException | - | 0x140001980 | 0x28ef8 | 0x284f8 | 0x4c |
ntdll.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WinSqmIncrementDWORD | - | 0x140001990 | 0x28f08 | 0x28508 | 0x57a |
| RtlVirtualUnwind | - | 0x140001998 | 0x28f10 | 0x28510 | 0x4f0 |
| RtlLookupFunctionEntry | - | 0x1400019a0 | 0x28f18 | 0x28518 | 0x401 |
| RtlCaptureContext | - | 0x1400019a8 | 0x28f20 | 0x28520 | 0x27b |
| EtwTraceMessage | - | 0x1400019b0 | 0x28f28 | 0x28528 | 0x4f |
| WinSqmIsOptedIn | - | 0x1400019b8 | 0x28f30 | 0x28530 | 0x57b |
gdiplus.dll (31)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GdipSaveImageToStream | - | 0x140001730 | 0x28ca8 | 0x282a8 | 0x1f1 |
| GdipMeasureString | - | 0x140001738 | 0x28cb0 | 0x282b0 | 0x1bb |
| GdipSetStringFormatFlags | - | 0x140001740 | 0x28cb8 | 0x282b8 | 0x24d |
| GdipSetStringFormatLineAlign | - | 0x140001748 | 0x28cc0 | 0x282c0 | 0x24f |
| GdipSetStringFormatAlign | - | 0x140001750 | 0x28cc8 | 0x282c8 | 0x24b |
| GdipCreateStringFormat | - | 0x140001758 | 0x28cd0 | 0x282d0 | 0x84 |
| GdipCreateFontFromLogfontW | - | 0x140001760 | 0x28cd8 | 0x282d8 | 0x5a |
| GdipDeleteStringFormat | - | 0x140001768 | 0x28ce0 | 0x282e0 | 0x97 |
| GdipDeleteFont | - | 0x140001770 | 0x28ce8 | 0x282e8 | 0x8e |
| GdipDrawString | - | 0x140001778 | 0x28cf0 | 0x282f0 | 0xc8 |
| GdipFillRectangle | - | 0x140001780 | 0x28cf8 | 0x282f8 | 0xe4 |
| GdipCreateLineBrushFromRect | - | 0x140001788 | 0x28d00 | 0x28300 | 0x65 |
| GdipGetImageEncodersSize | - | 0x140001790 | 0x28d08 | 0x28308 | 0x11f |
| GdipCreateBitmapFromScan0 | - | 0x140001798 | 0x28d10 | 0x28310 | 0x50 |
| GdipCreateBitmapFromHBITMAP | - | 0x1400017a0 | 0x28d18 | 0x28318 | 0x4d |
| GdipCloneImage | - | 0x1400017a8 | 0x28d20 | 0x28320 | 0x36 |
| GdipDisposeImage | - | 0x1400017b0 | 0x28d28 | 0x28328 | 0x98 |
| GdipSaveImageToFile | - | 0x1400017b8 | 0x28d30 | 0x28330 | 0x1f0 |
| GdipFillEllipseI | - | 0x1400017c0 | 0x28d38 | 0x28338 | 0xdc |
| GdipSetSmoothingMode | - | 0x1400017c8 | 0x28d40 | 0x28340 | 0x249 |
| GdiplusStartup | - | 0x1400017d0 | 0x28d48 | 0x28348 | 0x275 |
| GdiplusShutdown | - | 0x1400017d8 | 0x28d50 | 0x28350 | 0x274 |
| GdipDeleteGraphics | - | 0x1400017e0 | 0x28d58 | 0x28358 | 0x90 |
| GdipFillRectangleI | - | 0x1400017e8 | 0x28d60 | 0x28360 | 0xe5 |
| GdipCloneBrush | - | 0x1400017f0 | 0x28d68 | 0x28368 | 0x32 |
| GdipDeleteBrush | - | 0x1400017f8 | 0x28d70 | 0x28370 | 0x8a |
| GdipCreateSolidFill | - | 0x140001800 | 0x28d78 | 0x28378 | 0x82 |
| GdipCreateFromHDC | - | 0x140001808 | 0x28d80 | 0x28380 | 0x5b |
| GdipFree | - | 0x140001810 | 0x28d88 | 0x28388 | 0xed |
| GdipAlloc | - | 0x140001818 | 0x28d90 | 0x28390 | 0x21 |
| GdipGetImageEncoders | - | 0x140001820 | 0x28d98 | 0x28398 | 0x11e |
COMCTL32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ImageList_Create | - | 0x140001068 | 0x285e0 | 0x27be0 | 0x54 |
| ImageList_Add | - | 0x140001070 | 0x285e8 | 0x27be8 | 0x4e |
| (by ordinal) | 0x17c | 0x140001078 | 0x285f0 | 0x27bf0 | - |
| ImageList_Destroy | - | 0x140001080 | 0x285f8 | 0x27bf8 | 0x55 |
| (by ordinal) | 0x159 | 0x140001088 | 0x28600 | 0x27c00 | - |
| InitCommonControlsEx | - | 0x140001090 | 0x28608 | 0x27c08 | 0x7c |
SHLWAPI.dll (10)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| UrlCreateFromPathW | - | 0x1400013b0 | 0x28928 | 0x27f28 | 0x15a |
| PathFindExtensionW | - | 0x1400013b8 | 0x28930 | 0x27f30 | 0x47 |
| StrStrA | - | 0x1400013c0 | 0x28938 | 0x27f38 | 0x143 |
| PathIsURLW | - | 0x1400013c8 | 0x28940 | 0x27f40 | 0x73 |
| StrChrW | - | 0x1400013d0 | 0x28948 | 0x27f48 | 0x114 |
| (by ordinal) | 0x1e7 | 0x1400013d8 | 0x28950 | 0x27f50 | - |
| PathFindFileNameW | - | 0x1400013e0 | 0x28958 | 0x27f58 | 0x49 |
| (by ordinal) | 0x9e | 0x1400013e8 | 0x28960 | 0x27f60 | - |
| SHRegGetUSValueW | - | 0x1400013f0 | 0x28968 | 0x27f68 | 0xe6 |
| PathRemoveExtensionW | - | 0x1400013f8 | 0x28970 | 0x27f70 | 0x89 |
SHELL32.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShellAboutW | - | 0x140001390 | 0x28908 | 0x27f08 | 0x11a |
| (by ordinal) | 0x4b | 0x140001398 | 0x28910 | 0x27f10 | - |
| SHCreateItemInKnownFolder | - | 0x1400013a0 | 0x28918 | 0x27f18 | 0x92 |
ole32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CoTaskMemFree | - | 0x1400019c8 | 0x28f40 | 0x28540 | 0x6c |
| StringFromCLSID | - | 0x1400019d0 | 0x28f48 | 0x28548 | 0x1b4 |
| CoInitialize | - | 0x1400019d8 | 0x28f50 | 0x28550 | 0x42 |
| CoCreateInstance | - | 0x1400019e0 | 0x28f58 | 0x28558 | 0x14 |
| CreateStreamOnHGlobal | - | 0x1400019e8 | 0x28f60 | 0x28560 | 0x8a |
| CoCreateGuid | - | 0x1400019f0 | 0x28f68 | 0x28568 | 0x13 |
| CoUninitialize | - | 0x1400019f8 | 0x28f70 | 0x28570 | 0x70 |
OLEAUT32.dll (10)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SafeArrayGetElement | 0x19 | 0x140001338 | 0x288b0 | 0x27eb0 | - |
| SafeArrayGetUBound | 0x13 | 0x140001340 | 0x288b8 | 0x27eb8 | - |
| VarBstrCat | 0x139 | 0x140001348 | 0x288c0 | 0x27ec0 | - |
| SysAllocStringLen | 0x4 | 0x140001350 | 0x288c8 | 0x27ec8 | - |
| SysStringLen | 0x7 | 0x140001358 | 0x288d0 | 0x27ed0 | - |
| SysAllocString | 0x2 | 0x140001360 | 0x288d8 | 0x27ed8 | - |
| VariantClear | 0x9 | 0x140001368 | 0x288e0 | 0x27ee0 | - |
| VariantInit | 0x8 | 0x140001370 | 0x288e8 | 0x27ee8 | - |
| SysFreeString | 0x6 | 0x140001378 | 0x288f0 | 0x27ef0 | - |
| SafeArrayPutElement | 0x1a | 0x140001380 | 0x288f8 | 0x27ef8 | - |
UxTheme.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetThemeSysFont | - | 0x140001718 | 0x28c90 | 0x28290 | 0x34 |
| GetThemeSysColor | - | 0x140001720 | 0x28c98 | 0x28298 | 0x32 |
OLEACC.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AccessibleObjectFromWindow | - | 0x140001328 | 0x288a0 | 0x27ea0 | 0x3 |
slc.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SLGetWindowsInformationDWORD | - | 0x140001a08 | 0x28f80 | 0x28580 | 0x17 |
msdrm.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DRMIsWindowProtected | - | 0x140001830 | 0x28da8 | 0x283a8 | 0x45 |
Memory Dumps (4)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| snippingtool.exe | 97 | 0x13FEE0000 | 0x13FF4EFFF | Relevant Image |
|
64-bit | - |
|
|
...
|
| buffer | 97 | 0x00280000 | 0x00286FFF | First Execution |
|
64-bit | 0x0028297E |
|
|
...
|
| buffer | 97 | 0x01AC0000 | 0x01B59FFF | Image In Buffer |
|
64-bit | - |
|
|
...
|
| buffer | 97 | 0x01B60000 | 0x01BF9FFF | Image In Buffer |
|
64-bit | - |
|
|
...
|
| C:\Users\kEecfMwgj\AppData\Local\aAlRi\psr.exe | Dropped File | Binary |
suspicious
Lowered to Suspicious because the artifact is known to be Clean or Trusted.
|
...
|
»
| Also Known As | C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Office\CuPXu597CI\psr.exe (Dropped File) |
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 715.50 KB |
| MD5 |
a80527109d75cba125d940b007eea151
|
| SHA1 |
facf32a9ede6abfaa09368bfdfcfec8554107272
|
| SHA256 |
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495
|
| SSDeep |
12288:CwtKLXYdO6i1IqB+ltXEZCcD8pellpco/zENOeQiV1u:X+Cy+lGrApeCoAYeXV
|
| ImpHash |
54a4a8876d1423c6fa95d6828708dd32
|
PE Information
»
| Image Base | 0x100000000 |
| Entry Point | 0x100033288 |
| Size Of Code | 0x38800 |
| Size Of Initialized Data | 0x80400 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2009-07-13 23:33:04+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporation |
| FileDescription | Problem Steps Recorder |
| FileVersion | 6.1.7600.16385 (win7_rtm.090713-1255) |
| InternalName | psr.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | psr.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 6.1.7600.16385 |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x100001000 | 0x38788 | 0x38800 | 0x600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.34 |
| .data | 0x10003a000 | 0x7c24 | 0x1a00 | 0x38e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.73 |
| .pdata | 0x100042000 | 0x1560 | 0x1600 | 0x3a800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.39 |
| .rsrc | 0x100044000 | 0x76448 | 0x76600 | 0x3be00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.14 |
| .reloc | 0x1000bb000 | 0x810 | 0xa00 | 0xb2400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.09 |
Imports (18)
»
ADVAPI32.dll (33)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| TraceMessage | - | 0x100001000 | 0x36cf8 | 0x362f8 | 0x2f6 |
| EventRegister | - | 0x100001008 | 0x36d00 | 0x36300 | 0x10e |
| EventUnregister | - | 0x100001010 | 0x36d08 | 0x36308 | 0x10f |
| StartTraceW | - | 0x100001018 | 0x36d10 | 0x36310 | 0x2cb |
| EnableTrace | - | 0x100001020 | 0x36d18 | 0x36318 | 0xf5 |
| ControlTraceW | - | 0x100001028 | 0x36d20 | 0x36320 | 0x60 |
| EventWriteString | - | 0x100001030 | 0x36d28 | 0x36328 | 0x114 |
| OpenTraceW | - | 0x100001038 | 0x36d30 | 0x36330 | 0x1ff |
| ProcessTrace | - | 0x100001040 | 0x36d38 | 0x36338 | 0x21c |
| CloseTrace | - | 0x100001048 | 0x36d40 | 0x36340 | 0x59 |
| RegCloseKey | - | 0x100001050 | 0x36d48 | 0x36348 | 0x230 |
| RegQueryInfoKeyW | - | 0x100001058 | 0x36d50 | 0x36350 | 0x268 |
| RegEnumKeyExW | - | 0x100001060 | 0x36d58 | 0x36358 | 0x24f |
| RegOpenKeyExW | - | 0x100001068 | 0x36d60 | 0x36360 | 0x261 |
| RegSetValueExW | - | 0x100001070 | 0x36d68 | 0x36368 | 0x27e |
| RegCreateKeyExW | - | 0x100001078 | 0x36d70 | 0x36370 | 0x239 |
| RegDeleteValueW | - | 0x100001080 | 0x36d78 | 0x36378 | 0x248 |
| GetTraceLoggerHandle | - | 0x100001088 | 0x36d80 | 0x36380 | 0x15d |
| GetTraceEnableLevel | - | 0x100001090 | 0x36d88 | 0x36388 | 0x15c |
| GetTraceEnableFlags | - | 0x100001098 | 0x36d90 | 0x36390 | 0x15b |
| RegisterTraceGuidsW | - | 0x1000010a0 | 0x36d98 | 0x36398 | 0x28a |
| UnregisterTraceGuids | - | 0x1000010a8 | 0x36da0 | 0x363a0 | 0x302 |
| RegGetValueW | - | 0x1000010b0 | 0x36da8 | 0x363a8 | 0x256 |
| GetNamedSecurityInfoW | - | 0x1000010b8 | 0x36db0 | 0x363b0 | 0x142 |
| SetNamedSecurityInfoW | - | 0x1000010c0 | 0x36db8 | 0x363b8 | 0x2b1 |
| LookupAccountNameW | - | 0x1000010c8 | 0x36dc0 | 0x363c0 | 0x18f |
| EqualSid | - | 0x1000010d0 | 0x36dc8 | 0x363c8 | 0x107 |
| GetTokenInformation | - | 0x1000010d8 | 0x36dd0 | 0x363d0 | 0x15a |
| OpenThreadToken | - | 0x1000010e0 | 0x36dd8 | 0x363d8 | 0x1fc |
| OpenProcessToken | - | 0x1000010e8 | 0x36de0 | 0x363e0 | 0x1f7 |
| RegQueryValueExW | - | 0x1000010f0 | 0x36de8 | 0x363e8 | 0x26e |
| RegOpenKeyW | - | 0x1000010f8 | 0x36df0 | 0x363f0 | 0x264 |
| SetEntriesInAclW | - | 0x100001100 | 0x36df8 | 0x363f8 | 0x2a6 |
KERNEL32.dll (117)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WideCharToMultiByte | - | 0x1000011d8 | 0x36ed0 | 0x364d0 | 0x520 |
| LoadLibraryW | - | 0x1000011e0 | 0x36ed8 | 0x364d8 | 0x341 |
| FreeLibrary | - | 0x1000011e8 | 0x36ee0 | 0x364e0 | 0x168 |
| ExpandEnvironmentStringsW | - | 0x1000011f0 | 0x36ee8 | 0x364e8 | 0x123 |
| DeleteFileW | - | 0x1000011f8 | 0x36ef0 | 0x364f0 | 0xd7 |
| GetModuleFileNameW | - | 0x100001200 | 0x36ef8 | 0x364f8 | 0x21a |
| CreateDirectoryW | - | 0x100001208 | 0x36f00 | 0x36500 | 0x81 |
| OpenEventW | - | 0x100001210 | 0x36f08 | 0x36508 | 0x377 |
| SetEvent | - | 0x100001218 | 0x36f10 | 0x36510 | 0x467 |
| RemoveDirectoryW | - | 0x100001220 | 0x36f18 | 0x36518 | 0x406 |
| RegisterWaitForSingleObject | - | 0x100001228 | 0x36f20 | 0x36520 | 0x3f8 |
| UnregisterWait | - | 0x100001230 | 0x36f28 | 0x36528 | 0x4e9 |
| lstrlenW | - | 0x100001238 | 0x36f30 | 0x36530 | 0x561 |
| lstrcmpiW | - | 0x100001240 | 0x36f38 | 0x36538 | 0x558 |
| GetSystemTime | - | 0x100001248 | 0x36f40 | 0x36540 | 0x27e |
| SizeofResource | - | 0x100001250 | 0x36f48 | 0x36548 | 0x4bf |
| LoadResource | - | 0x100001258 | 0x36f50 | 0x36550 | 0x343 |
| FindResourceW | - | 0x100001260 | 0x36f58 | 0x36558 | 0x154 |
| LoadLibraryExW | - | 0x100001268 | 0x36f60 | 0x36560 | 0x340 |
| HeapSetInformation | - | 0x100001270 | 0x36f68 | 0x36568 | 0x2db |
| IsWow64Process | - | 0x100001278 | 0x36f70 | 0x36570 | 0x310 |
| GetCurrentProcess | - | 0x100001280 | 0x36f78 | 0x36578 | 0x1c6 |
| Wow64DisableWow64FsRedirection | - | 0x100001288 | 0x36f80 | 0x36580 | 0x522 |
| GetCommandLineW | - | 0x100001290 | 0x36f88 | 0x36588 | 0x18d |
| GetSystemDirectoryW | - | 0x100001298 | 0x36f90 | 0x36590 | 0x277 |
| CreateProcessW | - | 0x1000012a0 | 0x36f98 | 0x36598 | 0xa8 |
| GetCurrentThreadId | - | 0x1000012a8 | 0x36fa0 | 0x365a0 | 0x1cb |
| DeleteCriticalSection | - | 0x1000012b0 | 0x36fa8 | 0x365a8 | 0xd2 |
| CreateThread | - | 0x1000012b8 | 0x36fb0 | 0x365b0 | 0xb4 |
| LocalFree | - | 0x1000012c0 | 0x36fb8 | 0x365b8 | 0x34a |
| FindClose | - | 0x1000012c8 | 0x36fc0 | 0x365c0 | 0x134 |
| FindNextFileW | - | 0x1000012d0 | 0x36fc8 | 0x365c8 | 0x14b |
| FindFirstFileW | - | 0x1000012d8 | 0x36fd0 | 0x365d0 | 0x13f |
| GetTimeFormatW | - | 0x1000012e0 | 0x36fd8 | 0x365d8 | 0x29e |
| SystemTimeToTzSpecificLocalTime | - | 0x1000012e8 | 0x36fe0 | 0x365e0 | 0x4cc |
| FileTimeToSystemTime | - | 0x1000012f0 | 0x36fe8 | 0x365e8 | 0x12b |
| GetProductInfo | - | 0x1000012f8 | 0x36ff0 | 0x365f0 | 0x25e |
| GetVersionExW | - | 0x100001300 | 0x36ff8 | 0x365f8 | 0x2ac |
| MoveFileExW | - | 0x100001308 | 0x37000 | 0x36600 | 0x362 |
| MultiByteToWideChar | - | 0x100001310 | 0x37008 | 0x36608 | 0x369 |
| WaitForMultipleObjects | - | 0x100001318 | 0x37010 | 0x36610 | 0x506 |
| FileTimeToLocalFileTime | - | 0x100001320 | 0x37018 | 0x36618 | 0x12a |
| GetCurrentProcessId | - | 0x100001328 | 0x37020 | 0x36620 | 0x1c7 |
| QueryFullProcessImageNameW | - | 0x100001330 | 0x37028 | 0x36628 | 0x3a4 |
| ReadProcessMemory | - | 0x100001338 | 0x37030 | 0x36630 | 0x3c6 |
| RaiseException | - | 0x100001340 | 0x37038 | 0x36638 | 0x3b4 |
| GetSystemTimeAsFileTime | - | 0x100001348 | 0x37040 | 0x36640 | 0x280 |
| FindNextFileA | - | 0x100001350 | 0x37048 | 0x36648 | 0x149 |
| FindFirstFileA | - | 0x100001358 | 0x37050 | 0x36650 | 0x138 |
| GetDriveTypeA | - | 0x100001360 | 0x37058 | 0x36658 | 0x1d9 |
| SetFileAttributesW | - | 0x100001368 | 0x37060 | 0x36660 | 0x46f |
| GetFileInformationByHandle | - | 0x100001370 | 0x37068 | 0x36668 | 0x1f3 |
| GetFileAttributesExW | - | 0x100001378 | 0x37070 | 0x36670 | 0x1ee |
| ReplaceFileW | - | 0x100001380 | 0x37078 | 0x36678 | 0x40e |
| GetFileAttributesExA | - | 0x100001388 | 0x37080 | 0x36680 | 0x1ed |
| SetFilePointer | - | 0x100001390 | 0x37088 | 0x36688 | 0x474 |
| CreateFileA | - | 0x100001398 | 0x37090 | 0x36690 | 0x88 |
| IsDBCSLeadByte | - | 0x1000013a0 | 0x37098 | 0x36698 | 0x300 |
| ReadFile | - | 0x1000013a8 | 0x370a0 | 0x366a0 | 0x3c3 |
| lstrcmpA | - | 0x1000013b0 | 0x370a8 | 0x366a8 | 0x554 |
| GlobalReAlloc | - | 0x1000013b8 | 0x370b0 | 0x366b0 | 0x2c9 |
| GlobalLock | - | 0x1000013c0 | 0x370b8 | 0x366b8 | 0x2c6 |
| FileTimeToDosDateTime | - | 0x1000013c8 | 0x370c0 | 0x366c0 | 0x129 |
| TlsFree | - | 0x1000013d0 | 0x370c8 | 0x366c8 | 0x4d4 |
| TlsAlloc | - | 0x1000013d8 | 0x370d0 | 0x366d0 | 0x4d3 |
| GlobalHandle | - | 0x1000013e0 | 0x370d8 | 0x366d8 | 0x2c5 |
| GlobalFree | - | 0x1000013e8 | 0x370e0 | 0x366e0 | 0x2c2 |
| GlobalUnlock | - | 0x1000013f0 | 0x370e8 | 0x366e8 | 0x2cd |
| GlobalAlloc | - | 0x1000013f8 | 0x370f0 | 0x366f0 | 0x2bb |
| TlsSetValue | - | 0x100001400 | 0x370f8 | 0x366f8 | 0x4d6 |
| TlsGetValue | - | 0x100001408 | 0x37100 | 0x36700 | 0x4d5 |
| DeleteFileA | - | 0x100001410 | 0x37108 | 0x36708 | 0xd4 |
| SetCurrentDirectoryW | - | 0x100001418 | 0x37110 | 0x36710 | 0x45b |
| GetCurrentDirectoryW | - | 0x100001420 | 0x37118 | 0x36718 | 0x1c5 |
| LockResource | - | 0x100001428 | 0x37120 | 0x36720 | 0x356 |
| CreateFileMappingW | - | 0x100001430 | 0x37128 | 0x36728 | 0x8c |
| WriteFile | - | 0x100001438 | 0x37130 | 0x36730 | 0x534 |
| UnmapViewOfFile | - | 0x100001440 | 0x37138 | 0x36738 | 0x4e5 |
| MapViewOfFile | - | 0x100001448 | 0x37140 | 0x36740 | 0x359 |
| GetFileSize | - | 0x100001450 | 0x37148 | 0x36748 | 0x1f7 |
| GetDateFormatW | - | 0x100001458 | 0x37150 | 0x36750 | 0x1cf |
| DuplicateHandle | - | 0x100001460 | 0x37158 | 0x36758 | 0xec |
| SetLastError | - | 0x100001468 | 0x37160 | 0x36760 | 0x480 |
| WakeConditionVariable | - | 0x100001470 | 0x37168 | 0x36768 | 0x511 |
| GetThreadPriority | - | 0x100001478 | 0x37170 | 0x36770 | 0x295 |
| WakeAllConditionVariable | - | 0x100001480 | 0x37178 | 0x36778 | 0x510 |
| ResetEvent | - | 0x100001488 | 0x37180 | 0x36780 | 0x412 |
| SetThreadPriority | - | 0x100001490 | 0x37188 | 0x36788 | 0x4a6 |
| InitializeConditionVariable | - | 0x100001498 | 0x37190 | 0x36790 | 0x2e9 |
| GetCurrentThread | - | 0x1000014a0 | 0x37198 | 0x36798 | 0x1ca |
| SleepConditionVariableCS | - | 0x1000014a8 | 0x371a0 | 0x367a0 | 0x4c1 |
| CreateFileW | - | 0x1000014b0 | 0x371a8 | 0x367a8 | 0x8f |
| Sleep | - | 0x1000014b8 | 0x371b0 | 0x367b0 | 0x4c0 |
| CreateEventW | - | 0x1000014c0 | 0x371b8 | 0x367b8 | 0x85 |
| GetFileAttributesW | - | 0x1000014c8 | 0x371c0 | 0x367c0 | 0x1f1 |
| OpenProcess | - | 0x1000014d0 | 0x371c8 | 0x367c8 | 0x382 |
| GetModuleHandleW | - | 0x1000014d8 | 0x371d0 | 0x367d0 | 0x21e |
| CloseHandle | - | 0x1000014e0 | 0x371d8 | 0x367d8 | 0x52 |
| GetProcAddress | - | 0x1000014e8 | 0x371e0 | 0x367e0 | 0x24c |
| GetLastError | - | 0x1000014f0 | 0x371e8 | 0x367e8 | 0x208 |
| WaitForSingleObject | - | 0x1000014f8 | 0x371f0 | 0x367f0 | 0x508 |
| HeapAlloc | - | 0x100001500 | 0x371f8 | 0x367f8 | 0x2d3 |
| GetProcessHeap | - | 0x100001508 | 0x37200 | 0x36800 | 0x251 |
| HeapFree | - | 0x100001510 | 0x37208 | 0x36808 | 0x2d7 |
| GetTickCount | - | 0x100001518 | 0x37210 | 0x36810 | 0x29a |
| LeaveCriticalSection | - | 0x100001520 | 0x37218 | 0x36818 | 0x33b |
| EnterCriticalSection | - | 0x100001528 | 0x37220 | 0x36820 | 0xf2 |
| InitializeCriticalSection | - | 0x100001530 | 0x37228 | 0x36828 | 0x2ea |
| OutputDebugStringA | - | 0x100001538 | 0x37230 | 0x36830 | 0x388 |
| UnhandledExceptionFilter | - | 0x100001540 | 0x37238 | 0x36838 | 0x4de |
| TerminateProcess | - | 0x100001548 | 0x37240 | 0x36840 | 0x4ca |
| QueryPerformanceCounter | - | 0x100001550 | 0x37248 | 0x36848 | 0x3a6 |
| SetUnhandledExceptionFilter | - | 0x100001558 | 0x37250 | 0x36850 | 0x4af |
| GetStartupInfoW | - | 0x100001560 | 0x37258 | 0x36858 | 0x269 |
| lstrlenA | - | 0x100001568 | 0x37260 | 0x36860 | 0x55c |
| lstrcmpiA | - | 0x100001570 | 0x37268 | 0x36868 | 0x553 |
| GetVersionExA | - | 0x100001578 | 0x37270 | 0x36870 | 0x2aa |
GDI32.dll (16)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateCompatibleBitmap | - | 0x100001150 | 0x36e48 | 0x36448 | 0x2f |
| ExcludeClipRect | - | 0x100001158 | 0x36e50 | 0x36450 | 0x131 |
| BitBlt | - | 0x100001160 | 0x36e58 | 0x36458 | 0x13 |
| CreateSolidBrush | - | 0x100001168 | 0x36e60 | 0x36460 | 0x54 |
| GetObjectW | - | 0x100001170 | 0x36e68 | 0x36468 | 0x1fd |
| StretchBlt | - | 0x100001178 | 0x36e70 | 0x36470 | 0x2b3 |
| CreateCompatibleDC | - | 0x100001180 | 0x36e78 | 0x36478 | 0x30 |
| CreateDIBSection | - | 0x100001188 | 0x36e80 | 0x36480 | 0x35 |
| GetCurrentObject | - | 0x100001190 | 0x36e88 | 0x36488 | 0x1c4 |
| DeleteDC | - | 0x100001198 | 0x36e90 | 0x36490 | 0xe3 |
| Rectangle | - | 0x1000011a0 | 0x36e98 | 0x36498 | 0x25f |
| GetStockObject | - | 0x1000011a8 | 0x36ea0 | 0x364a0 | 0x20d |
| SelectObject | - | 0x1000011b0 | 0x36ea8 | 0x364a8 | 0x277 |
| CreatePen | - | 0x1000011b8 | 0x36eb0 | 0x364b0 | 0x4b |
| DeleteObject | - | 0x1000011c0 | 0x36eb8 | 0x364b8 | 0xe6 |
| CreateDCW | - | 0x1000011c8 | 0x36ec0 | 0x364c0 | 0x32 |
USER32.dll (112)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetMessageW | - | 0x100001728 | 0x37420 | 0x36a20 | 0x15f |
| CharUpperW | - | 0x100001730 | 0x37428 | 0x36a28 | 0x3c |
| PostThreadMessageW | - | 0x100001738 | 0x37430 | 0x36a30 | 0x23d |
| IsRectEmpty | - | 0x100001740 | 0x37438 | 0x36a38 | 0x1d8 |
| SetWindowLongPtrW | - | 0x100001748 | 0x37440 | 0x36a40 | 0x2cb |
| ReleaseCapture | - | 0x100001750 | 0x37448 | 0x36a48 | 0x268 |
| SetProcessDefaultLayout | - | 0x100001758 | 0x37450 | 0x36a50 | 0x2af |
| CreateDialogParamW | - | 0x100001760 | 0x37458 | 0x36a58 | 0x63 |
| GetCursorPos | - | 0x100001768 | 0x37460 | 0x36a60 | 0x122 |
| GetWindowTextW | - | 0x100001770 | 0x37468 | 0x36a68 | 0x1a7 |
| InvalidateRect | - | 0x100001778 | 0x37470 | 0x36a70 | 0x1c2 |
| IsDialogMessageW | - | 0x100001780 | 0x37478 | 0x36a78 | 0x1d1 |
| BeginPaint | - | 0x100001788 | 0x37480 | 0x36a80 | 0xe |
| LoadCursorW | - | 0x100001790 | 0x37488 | 0x36a88 | 0x1ef |
| SetCapture | - | 0x100001798 | 0x37490 | 0x36a90 | 0x284 |
| DispatchMessageW | - | 0x1000017a0 | 0x37498 | 0x36a98 | 0xaf |
| GetWindowRect | - | 0x1000017a8 | 0x374a0 | 0x36aa0 | 0x1a0 |
| GetClassNameW | - | 0x1000017b0 | 0x374a8 | 0x36aa8 | 0x114 |
| FillRect | - | 0x1000017b8 | 0x374b0 | 0x36ab0 | 0xf6 |
| GetWindowTextLengthW | - | 0x1000017c0 | 0x374b8 | 0x36ab8 | 0x1a6 |
| GetCursorInfo | - | 0x1000017c8 | 0x374c0 | 0x36ac0 | 0x121 |
| GetIconInfo | - | 0x1000017d0 | 0x374c8 | 0x36ac8 | 0x135 |
| DrawIcon | - | 0x1000017d8 | 0x374d0 | 0x36ad0 | 0xc7 |
| GetDC | - | 0x1000017e0 | 0x374d8 | 0x36ad8 | 0x123 |
| ReleaseDC | - | 0x1000017e8 | 0x374e0 | 0x36ae0 | 0x269 |
| ClientToScreen | - | 0x1000017f0 | 0x374e8 | 0x36ae8 | 0x47 |
| EndPaint | - | 0x1000017f8 | 0x374f0 | 0x36af0 | 0xdc |
| SetLayeredWindowAttributes | - | 0x100001800 | 0x374f8 | 0x36af8 | 0x29e |
| MsgWaitForMultipleObjectsEx | - | 0x100001808 | 0x37500 | 0x36b00 | 0x221 |
| PeekMessageW | - | 0x100001810 | 0x37508 | 0x36b08 | 0x237 |
| CharNextW | - | 0x100001818 | 0x37510 | 0x36b10 | 0x31 |
| SetCursorPos | - | 0x100001820 | 0x37518 | 0x36b18 | 0x290 |
| FindWindowW | - | 0x100001828 | 0x37520 | 0x36b20 | 0xfa |
| SendInput | - | 0x100001830 | 0x37528 | 0x36b28 | 0x27a |
| SetMenuItemInfoW | - | 0x100001838 | 0x37530 | 0x36b30 | 0x2a8 |
| SetMenuInfo | - | 0x100001840 | 0x37538 | 0x36b38 | 0x2a5 |
| TrackPopupMenu | - | 0x100001848 | 0x37540 | 0x36b40 | 0x2fe |
| EnableMenuItem | - | 0x100001850 | 0x37548 | 0x36b48 | 0xd6 |
| InternalGetWindowText | - | 0x100001858 | 0x37550 | 0x36b50 | 0x1c0 |
| GetParent | - | 0x100001860 | 0x37558 | 0x36b58 | 0x166 |
| GetWindowLongPtrW | - | 0x100001868 | 0x37560 | 0x36b60 | 0x199 |
| GetKeyState | - | 0x100001870 | 0x37568 | 0x36b68 | 0x13f |
| GetKeyNameTextW | - | 0x100001878 | 0x37570 | 0x36b70 | 0x13e |
| MapVirtualKeyW | - | 0x100001880 | 0x37578 | 0x36b78 | 0x20c |
| GetWindowInfo | - | 0x100001888 | 0x37580 | 0x36b80 | 0x196 |
| PtInRect | - | 0x100001890 | 0x37588 | 0x36b88 | 0x244 |
| GetAsyncKeyState | - | 0x100001898 | 0x37590 | 0x36b90 | 0x107 |
| LoadImageW | - | 0x1000018a0 | 0x37598 | 0x36b98 | 0x1f3 |
| GetSystemMetrics | - | 0x1000018a8 | 0x375a0 | 0x36ba0 | 0x180 |
| SetWindowTextW | - | 0x1000018b0 | 0x375a8 | 0x36ba8 | 0x2d3 |
| MessageBoxW | - | 0x1000018b8 | 0x375b0 | 0x36bb0 | 0x219 |
| LoadStringW | - | 0x1000018c0 | 0x375b8 | 0x36bb8 | 0x1fe |
| GetDesktopWindow | - | 0x1000018c8 | 0x375c0 | 0x36bc0 | 0x125 |
| IsHungAppWindow | - | 0x1000018d0 | 0x375c8 | 0x36bc8 | 0x1d4 |
| UnregisterClassA | - | 0x1000018d8 | 0x375d0 | 0x36bd0 | 0x30d |
| CharLowerA | - | 0x1000018e0 | 0x375d8 | 0x36bd8 | 0x2b |
| TranslateMessage | - | 0x1000018e8 | 0x375e0 | 0x36be0 | 0x304 |
| CopyImage | - | 0x1000018f0 | 0x375e8 | 0x36be8 | 0x54 |
| EnumChildWindows | - | 0x1000018f8 | 0x375f0 | 0x36bf0 | 0xdf |
| DispatchMessageA | - | 0x100001900 | 0x375f8 | 0x36bf8 | 0xae |
| PeekMessageA | - | 0x100001908 | 0x37600 | 0x36c00 | 0x236 |
| CharNextA | - | 0x100001910 | 0x37608 | 0x36c08 | 0x2f |
| OemToCharBuffA | - | 0x100001918 | 0x37610 | 0x36c10 | 0x226 |
| CharToOemBuffA | - | 0x100001920 | 0x37618 | 0x36c18 | 0x36 |
| CharUpperBuffA | - | 0x100001928 | 0x37620 | 0x36c20 | 0x3a |
| CharPrevA | - | 0x100001930 | 0x37628 | 0x36c28 | 0x32 |
| GetDoubleClickTime | - | 0x100001938 | 0x37630 | 0x36c30 | 0x12d |
| UnhookWindowsHookEx | - | 0x100001940 | 0x37638 | 0x36c38 | 0x308 |
| SetWindowsHookExW | - | 0x100001948 | 0x37640 | 0x36c40 | 0x2d7 |
| CallNextHookEx | - | 0x100001950 | 0x37648 | 0x36c48 | 0x1c |
| PostQuitMessage | - | 0x100001958 | 0x37650 | 0x36c50 | 0x23b |
| GetGUIThreadInfo | - | 0x100001960 | 0x37658 | 0x36c58 | 0x130 |
| WindowFromPoint | - | 0x100001968 | 0x37660 | 0x36c60 | 0x334 |
| GetWindowThreadProcessId | - | 0x100001970 | 0x37668 | 0x36c68 | 0x1a8 |
| DestroyWindow | - | 0x100001978 | 0x37670 | 0x36c70 | 0xa6 |
| GetSysColorBrush | - | 0x100001980 | 0x37678 | 0x36c78 | 0x17e |
| RegisterClassExW | - | 0x100001988 | 0x37680 | 0x36c80 | 0x251 |
| SystemParametersInfoW | - | 0x100001990 | 0x37688 | 0x36c88 | 0x2f4 |
| CreateWindowExW | - | 0x100001998 | 0x37690 | 0x36c90 | 0x6e |
| ShowWindow | - | 0x1000019a0 | 0x37698 | 0x36c98 | 0x2e7 |
| SetWindowPos | - | 0x1000019a8 | 0x376a0 | 0x36ca0 | 0x2ce |
| GetProcessDefaultLayout | - | 0x1000019b0 | 0x376a8 | 0x36ca8 | 0x169 |
| SendMessageW | - | 0x1000019b8 | 0x376b0 | 0x36cb0 | 0x280 |
| GetClientRect | - | 0x1000019c0 | 0x376b8 | 0x36cb8 | 0x116 |
| MoveWindow | - | 0x1000019c8 | 0x376c0 | 0x36cc0 | 0x21f |
| DestroyMenu | - | 0x1000019d0 | 0x376c8 | 0x36cc8 | 0xa4 |
| GetSubMenu | - | 0x1000019d8 | 0x376d0 | 0x36cd0 | 0x17c |
| LoadMenuW | - | 0x1000019e0 | 0x376d8 | 0x36cd8 | 0x1fb |
| MapWindowPoints | - | 0x1000019e8 | 0x376e0 | 0x36ce0 | 0x20d |
| DestroyIcon | - | 0x1000019f0 | 0x376e8 | 0x36ce8 | 0xa3 |
| GetDlgItemTextW | - | 0x1000019f8 | 0x376f0 | 0x36cf0 | 0x12c |
| GetDlgItemInt | - | 0x100001a00 | 0x376f8 | 0x36cf8 | 0x12a |
| EndDialog | - | 0x100001a08 | 0x37700 | 0x36d00 | 0xda |
| SetFocus | - | 0x100001a10 | 0x37708 | 0x36d08 | 0x298 |
| SetDlgItemTextW | - | 0x100001a18 | 0x37710 | 0x36d10 | 0x296 |
| GetDlgItem | - | 0x100001a20 | 0x37718 | 0x36d18 | 0x129 |
| EnableWindow | - | 0x100001a28 | 0x37720 | 0x36d20 | 0xd8 |
| SetDlgItemInt | - | 0x100001a30 | 0x37728 | 0x36d28 | 0x294 |
| SendDlgItemMessageW | - | 0x100001a38 | 0x37730 | 0x36d30 | 0x277 |
| DialogBoxParamW | - | 0x100001a40 | 0x37738 | 0x36d38 | 0xac |
| LoadIconW | - | 0x100001a48 | 0x37740 | 0x36d40 | 0x1f1 |
| RedrawWindow | - | 0x100001a50 | 0x37748 | 0x36d48 | 0x24e |
| SetForegroundWindow | - | 0x100001a58 | 0x37750 | 0x36d50 | 0x299 |
| PostMessageW | - | 0x100001a60 | 0x37758 | 0x36d58 | 0x23a |
| DefWindowProcW | - | 0x100001a68 | 0x37760 | 0x36d60 | 0x9c |
| UnregisterClassW | - | 0x100001a70 | 0x37768 | 0x36d68 | 0x30e |
| UpdateWindow | - | 0x100001a78 | 0x37770 | 0x36d70 | 0x319 |
| KillTimer | - | 0x100001a80 | 0x37778 | 0x36d78 | 0x1e7 |
| SetTimer | - | 0x100001a88 | 0x37780 | 0x36d80 | 0x2c1 |
| IsWindowVisible | - | 0x100001a90 | 0x37788 | 0x36d88 | 0x1e4 |
| SetParent | - | 0x100001a98 | 0x37790 | 0x36d90 | 0x2ac |
| AdjustWindowRect | - | 0x100001aa0 | 0x37798 | 0x36d98 | 0x2 |
msvcrt.dll (56)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _vsnwprintf | - | 0x100001b60 | 0x37858 | 0x36e58 | 0x358 |
| _wcsicmp | - | 0x100001b68 | 0x37860 | 0x36e60 | 0x379 |
| _vsnprintf | - | 0x100001b70 | 0x37868 | 0x36e68 | 0x352 |
| memcpy | - | 0x100001b78 | 0x37870 | 0x36e70 | 0x480 |
| wcstoul | - | 0x100001b80 | 0x37878 | 0x36e78 | 0x509 |
| _wcstoui64 | - | 0x100001b88 | 0x37880 | 0x36e80 | 0x391 |
| wcstol | - | 0x100001b90 | 0x37888 | 0x36e88 | 0x506 |
| _wcsupr | - | 0x100001b98 | 0x37890 | 0x36e90 | 0x394 |
| wcsstr | - | 0x100001ba0 | 0x37898 | 0x36e98 | 0x502 |
| wcsncpy_s | - | 0x100001ba8 | 0x378a0 | 0x36ea0 | 0x4fb |
| _itow_s | - | 0x100001bb0 | 0x378a8 | 0x36ea8 | 0x1c9 |
| strncmp | - | 0x100001bb8 | 0x378b0 | 0x36eb0 | 0x4bb |
| malloc | - | 0x100001bc0 | 0x378b8 | 0x36eb8 | 0x474 |
| __CxxFrameHandler3 | - | 0x100001bc8 | 0x378c0 | 0x36ec0 | 0x57 |
| _onexit | - | 0x100001bd0 | 0x378c8 | 0x36ec8 | 0x27f |
| _lock | - | 0x100001bd8 | 0x378d0 | 0x36ed0 | 0x1d5 |
| __dllonexit | - | 0x100001be0 | 0x378d8 | 0x36ed8 | 0x6d |
| _unlock | - | 0x100001be8 | 0x378e0 | 0x36ee0 | 0x330 |
| _errno | - | 0x100001bf0 | 0x378e8 | 0x36ee8 | 0xf6 |
| realloc | - | 0x100001bf8 | 0x378f0 | 0x36ef0 | 0x497 |
| ??1type_info@@UEAA@XZ | - | 0x100001c00 | 0x378f8 | 0x36ef8 | 0x12 |
| ?terminate@@YAXXZ | - | 0x100001c08 | 0x37900 | 0x36f00 | 0x30 |
| __set_app_type | - | 0x100001c10 | 0x37908 | 0x36f08 | 0x80 |
| _fmode | - | 0x100001c18 | 0x37910 | 0x36f10 | 0x118 |
| _commode | - | 0x100001c20 | 0x37918 | 0x36f18 | 0xc4 |
| __setusermatherr | - | 0x100001c28 | 0x37920 | 0x36f20 | 0x82 |
| _amsg_exit | - | 0x100001c30 | 0x37928 | 0x36f28 | 0xa0 |
| _initterm | - | 0x100001c38 | 0x37930 | 0x36f30 | 0x16c |
| _wcmdln | - | 0x100001c40 | 0x37938 | 0x36f38 | 0x371 |
| exit | - | 0x100001c48 | 0x37940 | 0x36f40 | 0x420 |
| _cexit | - | 0x100001c50 | 0x37948 | 0x36f48 | 0xb3 |
| _exit | - | 0x100001c58 | 0x37950 | 0x36f50 | 0xff |
| _XcptFilter | - | 0x100001c60 | 0x37958 | 0x36f58 | 0x52 |
| __wgetmainargs | - | 0x100001c68 | 0x37960 | 0x36f60 | 0x8f |
| calloc | - | 0x100001c70 | 0x37968 | 0x36f68 | 0x413 |
| __C_specific_handler | - | 0x100001c78 | 0x37970 | 0x36f70 | 0x53 |
| memset | - | 0x100001c80 | 0x37978 | 0x36f78 | 0x484 |
| _callnewh | - | 0x100001c88 | 0x37980 | 0x36f80 | 0xb1 |
| _purecall | - | 0x100001c90 | 0x37988 | 0x36f88 | 0x28d |
| wcscat_s | - | 0x100001c98 | 0x37990 | 0x36f90 | 0x4ee |
| wcscpy_s | - | 0x100001ca0 | 0x37998 | 0x36f98 | 0x4f3 |
| _wtoi | - | 0x100001ca8 | 0x379a0 | 0x36fa0 | 0x3f3 |
| memcpy_s | - | 0x100001cb0 | 0x379a8 | 0x36fa8 | 0x481 |
| free | - | 0x100001cb8 | 0x379b0 | 0x36fb0 | 0x43a |
| _CxxThrowException | - | 0x100001cc0 | 0x379b8 | 0x36fb8 | 0x4c |
| wcschr | - | 0x100001cc8 | 0x379c0 | 0x36fc0 | 0x4ef |
| _vscwprintf | - | 0x100001cd0 | 0x379c8 | 0x36fc8 | 0x34f |
| strstr | - | 0x100001cd8 | 0x379d0 | 0x36fd0 | 0x4c2 |
| _mktemp | - | 0x100001ce0 | 0x379d8 | 0x36fd8 | 0x277 |
| memmove | - | 0x100001ce8 | 0x379e0 | 0x36fe0 | 0x482 |
| qsort | - | 0x100001cf0 | 0x379e8 | 0x36fe8 | 0x492 |
| gmtime | - | 0x100001cf8 | 0x379f0 | 0x36ff0 | 0x44f |
| localtime | - | 0x100001d00 | 0x379f8 | 0x36ff8 | 0x46e |
| time | - | 0x100001d08 | 0x37a00 | 0x37000 | 0x4d2 |
| _getdrive | - | 0x100001d10 | 0x37a08 | 0x37008 | 0x154 |
| memcmp | - | 0x100001d18 | 0x37a10 | 0x37010 | 0x47f |
ntdll.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| RtlVirtualUnwind | - | 0x100001d28 | 0x37a20 | 0x37020 | 0x4f0 |
| RtlLookupFunctionEntry | - | 0x100001d30 | 0x37a28 | 0x37028 | 0x401 |
| RtlCaptureContext | - | 0x100001d38 | 0x37a30 | 0x37030 | 0x27b |
| EtwEventRegister | - | 0x100001d40 | 0x37a38 | 0x37038 | 0x37 |
| EtwEventUnregister | - | 0x100001d48 | 0x37a40 | 0x37040 | 0x38 |
| EtwEventWrite | - | 0x100001d50 | 0x37a48 | 0x37048 | 0x39 |
| NtQueryInformationProcess | - | 0x100001d58 | 0x37a50 | 0x37050 | 0x18f |
OLEAUT32.dll (11)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| LoadTypeLib | 0xa1 | 0x1000015c0 | 0x372b8 | 0x368b8 | - |
| VariantInit | 0x8 | 0x1000015c8 | 0x372c0 | 0x368c0 | - |
| LoadRegTypeLib | 0xa2 | 0x1000015d0 | 0x372c8 | 0x368c8 | - |
| VarUI4FromStr | 0x115 | 0x1000015d8 | 0x372d0 | 0x368d0 | - |
| SysAllocString | 0x2 | 0x1000015e0 | 0x372d8 | 0x368d8 | - |
| VariantClear | 0x9 | 0x1000015e8 | 0x372e0 | 0x368e0 | - |
| RegisterTypeLib | 0xa3 | 0x1000015f0 | 0x372e8 | 0x368e8 | - |
| SysStringLen | 0x7 | 0x1000015f8 | 0x372f0 | 0x368f0 | - |
| UnRegisterTypeLib | 0xba | 0x100001600 | 0x372f8 | 0x368f8 | - |
| VariantChangeType | 0xc | 0x100001608 | 0x37300 | 0x36900 | - |
| SysFreeString | 0x6 | 0x100001610 | 0x37308 | 0x36908 | - |
ole32.dll (11)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CoCreateGuid | - | 0x100001d68 | 0x37a60 | 0x37060 | 0x13 |
| CoTaskMemRealloc | - | 0x100001d70 | 0x37a68 | 0x37068 | 0x6d |
| CoCreateInstance | - | 0x100001d78 | 0x37a70 | 0x37070 | 0x14 |
| StringFromGUID2 | - | 0x100001d80 | 0x37a78 | 0x37078 | 0x1b5 |
| CoUninitialize | - | 0x100001d88 | 0x37a80 | 0x37080 | 0x70 |
| CoInitializeEx | - | 0x100001d90 | 0x37a88 | 0x37088 | 0x43 |
| CoTaskMemAlloc | - | 0x100001d98 | 0x37a90 | 0x37090 | 0x6b |
| CoRegisterClassObject | - | 0x100001da0 | 0x37a98 | 0x37098 | 0x57 |
| CoInitialize | - | 0x100001da8 | 0x37aa0 | 0x370a0 | 0x42 |
| CoRevokeClassObject | - | 0x100001db0 | 0x37aa8 | 0x370a8 | 0x63 |
| CoTaskMemFree | - | 0x100001db8 | 0x37ab0 | 0x370b0 | 0x6c |
OLEACC.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AccessibleObjectFromPoint | - | 0x100001598 | 0x37290 | 0x36890 | 0x2 |
| GetRoleTextW | - | 0x1000015a0 | 0x37298 | 0x36898 | 0xe |
| WindowFromAccessibleObject | - | 0x1000015a8 | 0x372a0 | 0x368a0 | 0x17 |
| AccessibleObjectFromWindow | - | 0x1000015b0 | 0x372a8 | 0x368a8 | 0x3 |
COMCTL32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ImageList_ReplaceIcon | - | 0x100001110 | 0x36e08 | 0x36408 | 0x70 |
| ImageList_GetIcon | - | 0x100001118 | 0x36e10 | 0x36410 | 0x63 |
| ImageList_Destroy | - | 0x100001120 | 0x36e18 | 0x36418 | 0x55 |
| InitCommonControlsEx | - | 0x100001128 | 0x36e20 | 0x36420 | 0x7c |
| ImageList_Create | - | 0x100001130 | 0x36e28 | 0x36428 | 0x54 |
| HIMAGELIST_QueryInterface | - | 0x100001138 | 0x36e30 | 0x36430 | 0x4c |
| (by ordinal) | 0x17d | 0x100001140 | 0x36e38 | 0x36438 | - |
SHLWAPI.dll (22)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| PathGetArgsW | - | 0x100001670 | 0x37368 | 0x36968 | 0x51 |
| PathUnquoteSpacesW | - | 0x100001678 | 0x37370 | 0x36970 | 0x9f |
| PathRemoveArgsW | - | 0x100001680 | 0x37378 | 0x36978 | 0x83 |
| PathIsDirectoryW | - | 0x100001688 | 0x37380 | 0x36980 | 0x5b |
| PathAppendW | - | 0x100001690 | 0x37388 | 0x36988 | 0x34 |
| (by ordinal) | 0xc5 | 0x100001698 | 0x37390 | 0x36990 | - |
| SHAutoComplete | - | 0x1000016a0 | 0x37398 | 0x36998 | 0xa4 |
| PathFindFileNameA | - | 0x1000016a8 | 0x373a0 | 0x369a0 | 0x48 |
| PathRemoveBlanksW | - | 0x1000016b0 | 0x373a8 | 0x369a8 | 0x87 |
| PathRemoveBackslashW | - | 0x1000016b8 | 0x373b0 | 0x369b0 | 0x85 |
| SHCreateStreamOnFileEx | - | 0x1000016c0 | 0x373b8 | 0x369b8 | 0xaa |
| PathCombineW | - | 0x1000016c8 | 0x373c0 | 0x369c0 | 0x3a |
| PathAddExtensionW | - | 0x1000016d0 | 0x373c8 | 0x369c8 | 0x32 |
| PathRemoveExtensionW | - | 0x1000016d8 | 0x373d0 | 0x369d0 | 0x89 |
| PathFindFileNameW | - | 0x1000016e0 | 0x373d8 | 0x369d8 | 0x49 |
| PathFileExistsW | - | 0x1000016e8 | 0x373e0 | 0x369e0 | 0x45 |
| PathRemoveFileSpecW | - | 0x1000016f0 | 0x373e8 | 0x369e8 | 0x8b |
| PathFindExtensionW | - | 0x1000016f8 | 0x373f0 | 0x369f0 | 0x47 |
| (by ordinal) | 0xd8 | 0x100001700 | 0x373f8 | 0x369f8 | - |
| (by ordinal) | 0xda | 0x100001708 | 0x37400 | 0x36a00 | - |
| PathIsSameRootW | - | 0x100001710 | 0x37408 | 0x36a08 | 0x69 |
| PathMatchSpecExA | - | 0x100001718 | 0x37410 | 0x36a10 | 0x79 |
SHELL32.dll (9)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| (by ordinal) | 0xf5 | 0x100001620 | 0x37318 | 0x36918 | - |
| (by ordinal) | 0xab | 0x100001628 | 0x37320 | 0x36920 | - |
| CommandLineToArgvW | - | 0x100001630 | 0x37328 | 0x36928 | 0x6 |
| SHGetSpecialFolderPathW | - | 0x100001638 | 0x37330 | 0x36930 | 0xe1 |
| ShellExecuteExW | - | 0x100001640 | 0x37338 | 0x36938 | 0x121 |
| ShellAboutW | - | 0x100001648 | 0x37340 | 0x36940 | 0x11a |
| SHCreateItemInKnownFolder | - | 0x100001650 | 0x37348 | 0x36948 | 0x92 |
| SHCreateItemFromParsingName | - | 0x100001658 | 0x37350 | 0x36950 | 0x90 |
| (by ordinal) | 0x2d7 | 0x100001660 | 0x37358 | 0x36958 | - |
msdrm.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DRMIsWindowProtected | - | 0x100001b50 | 0x37848 | 0x36e48 | 0x45 |
XmlLite.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateXmlWriter | - | 0x100001ae8 | 0x377e0 | 0x36de0 | 0x3 |
gdiplus.dll (10)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GdipFree | - | 0x100001af8 | 0x377f0 | 0x36df0 | 0xed |
| GdipCloneImage | - | 0x100001b00 | 0x377f8 | 0x36df8 | 0x36 |
| GdipGetImageEncoders | - | 0x100001b08 | 0x37800 | 0x36e00 | 0x11e |
| GdipGetImageEncodersSize | - | 0x100001b10 | 0x37808 | 0x36e08 | 0x11f |
| GdiplusStartup | - | 0x100001b18 | 0x37810 | 0x36e10 | 0x275 |
| GdipSaveImageToFile | - | 0x100001b20 | 0x37818 | 0x36e18 | 0x1f0 |
| GdipAlloc | - | 0x100001b28 | 0x37820 | 0x36e20 | 0x21 |
| GdipDisposeImage | - | 0x100001b30 | 0x37828 | 0x36e28 | 0x98 |
| GdiplusShutdown | - | 0x100001b38 | 0x37830 | 0x36e30 | 0x274 |
| GdipCreateBitmapFromHBITMAP | - | 0x100001b40 | 0x37838 | 0x36e38 | 0x4d |
VERSION.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| VerQueryValueW | - | 0x100001ab0 | 0x377a8 | 0x36da8 | 0xe |
| GetFileVersionInfoW | - | 0x100001ab8 | 0x377b0 | 0x36db0 | 0x6 |
| GetFileVersionInfoSizeW | - | 0x100001ac0 | 0x377b8 | 0x36db8 | 0x5 |
MSIMG32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AlphaBlend | - | 0x100001588 | 0x37280 | 0x36880 | 0x0 |
WTSAPI32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WTSFreeMemory | - | 0x100001ad0 | 0x377c8 | 0x36dc8 | 0x12 |
| WTSQuerySessionInformationW | - | 0x100001ad8 | 0x377d0 | 0x36dd0 | 0x1f |
Memory Dumps (5)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| psr.exe | 106 | 0xFF060000 | 0xFF11BFFF | Relevant Image |
|
64-bit | - |
|
|
...
|
| buffer | 106 | 0x00100000 | 0x00106FFF | First Execution |
|
64-bit | 0x0010297E |
|
|
...
|
| wtsapi32.dll | 106 | 0x140000000 | 0x14012EFFF | First Execution |
|
64-bit | 0x140036F30 |
|
|
...
|
| psr.exe | 106 | 0xFF060000 | 0xFF11BFFF | Content Changed |
|
64-bit | - |
|
|
...
|
| buffer | 106 | 0x01F10000 | 0x01FA9FFF | Image In Buffer |
|
64-bit | - |
|
|
...
|
| \\?\C:\Windows \system32\recdisc.exe | Dropped File | Binary |
suspicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 232.50 KB |
| MD5 |
f3b306179f1840c0813dc6771b018358
|
| SHA1 |
dec7ce3c13f7a684cb52ae6007c99cf03afef005
|
| SHA256 |
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0
|
| SSDeep |
6144:D7h5wk5lJ5OP4jCT6l1WwEAFegEv+2VU:D7TBXoP4b9eg+n
|
| ImpHash |
08dd025610e19fc7ab2cb36bb94cbce9
|
PE Information
»
| Image Base | 0x100000000 |
| Entry Point | 0x1000244b0 |
| Size Of Code | 0x27000 |
| Size Of Initialized Data | 0x13600 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2010-11-20 09:46:54+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporation |
| FileDescription | Microsoft® Windows Repair Disc |
| FileVersion | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| InternalName | recdisc.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | recdisc.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 6.1.7601.17514 |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x100001000 | 0x26ff6 | 0x27000 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.59 |
| .data | 0x100028000 | 0x1620 | 0x1000 | 0x27400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.62 |
| .pdata | 0x10002a000 | 0xf00 | 0x1000 | 0x28400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.15 |
| .rsrc | 0x10002b000 | 0x10730 | 0x10800 | 0x29400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.14 |
| .reloc | 0x10003c000 | 0x402 | 0x600 | 0x39c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 2.07 |
Imports (12)
»
ADVAPI32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| TraceMessage | - | 0x100001000 | 0x26918 | 0x25d18 | 0x2f6 |
| GetTraceLoggerHandle | - | 0x100001008 | 0x26920 | 0x25d20 | 0x15d |
| GetTraceEnableLevel | - | 0x100001010 | 0x26928 | 0x25d28 | 0x15c |
| GetTraceEnableFlags | - | 0x100001018 | 0x26930 | 0x25d30 | 0x15b |
| RegisterTraceGuidsW | - | 0x100001020 | 0x26938 | 0x25d38 | 0x28a |
| ConvertStringSecurityDescriptorToSecurityDescriptorW | - | 0x100001028 | 0x26940 | 0x25d40 | 0x72 |
| RegOpenKeyExW | - | 0x100001030 | 0x26948 | 0x25d48 | 0x261 |
| CloseTrace | - | 0x100001038 | 0x26950 | 0x25d50 | 0x59 |
| OpenProcessToken | - | 0x100001040 | 0x26958 | 0x25d58 | 0x1f7 |
| RegCloseKey | - | 0x100001048 | 0x26960 | 0x25d60 | 0x230 |
| RegCreateKeyExW | - | 0x100001050 | 0x26968 | 0x25d68 | 0x239 |
| DuplicateToken | - | 0x100001058 | 0x26970 | 0x25d70 | 0xde |
| RegSetValueExW | - | 0x100001060 | 0x26978 | 0x25d78 | 0x27e |
| RegQueryValueExW | - | 0x100001068 | 0x26980 | 0x25d80 | 0x26e |
| CreateWellKnownSid | - | 0x100001070 | 0x26988 | 0x25d88 | 0x83 |
| GetTokenInformation | - | 0x100001078 | 0x26990 | 0x25d90 | 0x15a |
| CheckTokenMembership | - | 0x100001080 | 0x26998 | 0x25d98 | 0x51 |
| EnableTrace | - | 0x100001088 | 0x269a0 | 0x25da0 | 0xf5 |
| StartTraceW | - | 0x100001090 | 0x269a8 | 0x25da8 | 0x2cb |
| ControlTraceW | - | 0x100001098 | 0x269b0 | 0x25db0 | 0x60 |
KERNEL32.dll (50)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateThread | - | 0x1000010d8 | 0x269f0 | 0x25df0 | 0xb4 |
| GetVolumePathNameW | - | 0x1000010e0 | 0x269f8 | 0x25df8 | 0x2b3 |
| GetVolumePathNamesForVolumeNameW | - | 0x1000010e8 | 0x26a00 | 0x25e00 | 0x2b5 |
| LoadLibraryExW | - | 0x1000010f0 | 0x26a08 | 0x25e08 | 0x341 |
| GetDiskFreeSpaceExW | - | 0x1000010f8 | 0x26a10 | 0x25e10 | 0x1d5 |
| GetDriveTypeW | - | 0x100001100 | 0x26a18 | 0x25e18 | 0x1da |
| MoveFileExW | - | 0x100001108 | 0x26a20 | 0x25e20 | 0x362 |
| DeviceIoControl | - | 0x100001110 | 0x26a28 | 0x25e28 | 0xe1 |
| WakeAllConditionVariable | - | 0x100001118 | 0x26a30 | 0x25e30 | 0x511 |
| GetLogicalDriveStringsW | - | 0x100001120 | 0x26a38 | 0x25e38 | 0x20c |
| GetTempPathW | - | 0x100001128 | 0x26a40 | 0x25e40 | 0x28b |
| CreateFileW | - | 0x100001130 | 0x26a48 | 0x25e48 | 0x8f |
| FindClose | - | 0x100001138 | 0x26a50 | 0x25e50 | 0x134 |
| FindNextFileW | - | 0x100001140 | 0x26a58 | 0x25e58 | 0x14b |
| FindFirstFileW | - | 0x100001148 | 0x26a60 | 0x25e60 | 0x13f |
| FormatMessageW | - | 0x100001150 | 0x26a68 | 0x25e68 | 0x164 |
| GetVolumeNameForVolumeMountPointW | - | 0x100001158 | 0x26a70 | 0x25e70 | 0x2b1 |
| GetFileMUIPath | - | 0x100001160 | 0x26a78 | 0x25e78 | 0x1f4 |
| lstrlenW | - | 0x100001168 | 0x26a80 | 0x25e80 | 0x562 |
| CreateEventW | - | 0x100001170 | 0x26a88 | 0x25e88 | 0x85 |
| DeleteCriticalSection | - | 0x100001178 | 0x26a90 | 0x25e90 | 0xd2 |
| InitializeCriticalSectionAndSpinCount | - | 0x100001180 | 0x26a98 | 0x25e98 | 0x2ed |
| InitializeConditionVariable | - | 0x100001188 | 0x26aa0 | 0x25ea0 | 0x2ea |
| EnterCriticalSection | - | 0x100001190 | 0x26aa8 | 0x25ea8 | 0xf2 |
| LeaveCriticalSection | - | 0x100001198 | 0x26ab0 | 0x25eb0 | 0x33c |
| ExpandEnvironmentStringsW | - | 0x1000011a0 | 0x26ab8 | 0x25eb8 | 0x123 |
| VerifyVersionInfoW | - | 0x1000011a8 | 0x26ac0 | 0x25ec0 | 0x4f8 |
| VerSetConditionMask | - | 0x1000011b0 | 0x26ac8 | 0x25ec8 | 0x4f4 |
| GetNativeSystemInfo | - | 0x1000011b8 | 0x26ad0 | 0x25ed0 | 0x229 |
| CloseHandle | - | 0x1000011c0 | 0x26ad8 | 0x25ed8 | 0x52 |
| TerminateProcess | - | 0x1000011c8 | 0x26ae0 | 0x25ee0 | 0x4cf |
| SetErrorMode | - | 0x1000011d0 | 0x26ae8 | 0x25ee8 | 0x466 |
| GetCurrentProcess | - | 0x1000011d8 | 0x26af0 | 0x25ef0 | 0x1c6 |
| GetCommandLineW | - | 0x1000011e0 | 0x26af8 | 0x25ef8 | 0x18d |
| LocalFree | - | 0x1000011e8 | 0x26b00 | 0x25f00 | 0x34b |
| GetLastError | - | 0x1000011f0 | 0x26b08 | 0x25f08 | 0x206 |
| CreateDirectoryW | - | 0x1000011f8 | 0x26b10 | 0x25f10 | 0x81 |
| DeleteFileW | - | 0x100001200 | 0x26b18 | 0x25f18 | 0xd7 |
| GetFileAttributesW | - | 0x100001208 | 0x26b20 | 0x25f20 | 0x1ef |
| FreeLibrary | - | 0x100001210 | 0x26b28 | 0x25f28 | 0x168 |
| Sleep | - | 0x100001218 | 0x26b30 | 0x25f30 | 0x4c1 |
| GetStartupInfoW | - | 0x100001220 | 0x26b38 | 0x25f38 | 0x269 |
| SetUnhandledExceptionFilter | - | 0x100001228 | 0x26b40 | 0x25f40 | 0x4b3 |
| GetModuleHandleW | - | 0x100001230 | 0x26b48 | 0x25f48 | 0x21c |
| QueryPerformanceCounter | - | 0x100001238 | 0x26b50 | 0x25f50 | 0x3a9 |
| GetTickCount | - | 0x100001240 | 0x26b58 | 0x25f58 | 0x299 |
| GetCurrentThreadId | - | 0x100001248 | 0x26b60 | 0x25f60 | 0x1cb |
| GetCurrentProcessId | - | 0x100001250 | 0x26b68 | 0x25f68 | 0x1c7 |
| GetSystemTimeAsFileTime | - | 0x100001258 | 0x26b70 | 0x25f70 | 0x27f |
| UnhandledExceptionFilter | - | 0x100001260 | 0x26b78 | 0x25f78 | 0x4e3 |
USER32.dll (21)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ChangeWindowMessageFilterEx | - | 0x100001330 | 0x26c48 | 0x26048 | 0x2a |
| RegisterWindowMessageW | - | 0x100001338 | 0x26c50 | 0x26050 | 0x267 |
| SetWindowLongPtrW | - | 0x100001340 | 0x26c58 | 0x26058 | 0x2cb |
| GetWindowLongPtrW | - | 0x100001348 | 0x26c60 | 0x26060 | 0x199 |
| DialogBoxParamW | - | 0x100001350 | 0x26c68 | 0x26068 | 0xac |
| GetDlgItem | - | 0x100001358 | 0x26c70 | 0x26070 | 0x129 |
| DestroyIcon | - | 0x100001360 | 0x26c78 | 0x26078 | 0xa3 |
| SendMessageW | - | 0x100001368 | 0x26c80 | 0x26080 | 0x280 |
| GetSystemMetrics | - | 0x100001370 | 0x26c88 | 0x26088 | 0x180 |
| GetWindowLongW | - | 0x100001378 | 0x26c90 | 0x26090 | 0x19a |
| IsWindow | - | 0x100001380 | 0x26c98 | 0x26098 | 0x1df |
| SetWindowTextW | - | 0x100001388 | 0x26ca0 | 0x260a0 | 0x2d3 |
| ShowWindow | - | 0x100001390 | 0x26ca8 | 0x260a8 | 0x2e7 |
| MessageBoxW | - | 0x100001398 | 0x26cb0 | 0x260b0 | 0x219 |
| EndDialog | - | 0x1000013a0 | 0x26cb8 | 0x260b8 | 0xda |
| GetLastActivePopup | - | 0x1000013a8 | 0x26cc0 | 0x260c0 | 0x146 |
| SetFocus | - | 0x1000013b0 | 0x26cc8 | 0x260c8 | 0x298 |
| PostMessageW | - | 0x1000013b8 | 0x26cd0 | 0x260d0 | 0x23a |
| EnableWindow | - | 0x1000013c0 | 0x26cd8 | 0x260d8 | 0xd8 |
| LoadIconW | - | 0x1000013c8 | 0x26ce0 | 0x260e0 | 0x1f1 |
| LoadStringW | - | 0x1000013d0 | 0x26ce8 | 0x260e8 | 0x1fe |
msvcrt.dll (41)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ??_V@YAXPEAX@Z | - | 0x1000013e0 | 0x26cf8 | 0x260f8 | 0x24 |
| ??3@YAXPEAX@Z | - | 0x1000013e8 | 0x26d00 | 0x26100 | 0x15 |
| ??_U@YAPEAX_K@Z | - | 0x1000013f0 | 0x26d08 | 0x26108 | 0x22 |
| _wcsnicmp | - | 0x1000013f8 | 0x26d10 | 0x26110 | 0x383 |
| wcschr | - | 0x100001400 | 0x26d18 | 0x26118 | 0x4ef |
| _vsnwprintf | - | 0x100001408 | 0x26d20 | 0x26120 | 0x358 |
| memmove | - | 0x100001410 | 0x26d28 | 0x26128 | 0x482 |
| wcsstr | - | 0x100001418 | 0x26d30 | 0x26130 | 0x502 |
| wcsrchr | - | 0x100001420 | 0x26d38 | 0x26138 | 0x4fe |
| _vscwprintf | - | 0x100001428 | 0x26d40 | 0x26140 | 0x34f |
| iswspace | - | 0x100001430 | 0x26d48 | 0x26148 | 0x466 |
| __setusermatherr | - | 0x100001438 | 0x26d50 | 0x26150 | 0x82 |
| _commode | - | 0x100001440 | 0x26d58 | 0x26158 | 0xc4 |
| _fmode | - | 0x100001448 | 0x26d60 | 0x26160 | 0x118 |
| __set_app_type | - | 0x100001450 | 0x26d68 | 0x26168 | 0x80 |
| ?terminate@@YAXXZ | - | 0x100001458 | 0x26d70 | 0x26170 | 0x30 |
| memcpy | - | 0x100001460 | 0x26d78 | 0x26178 | 0x480 |
| memcmp | - | 0x100001468 | 0x26d80 | 0x26180 | 0x47f |
| _snwscanf_s | - | 0x100001470 | 0x26d88 | 0x26188 | 0x2ca |
| _wcslwr | - | 0x100001478 | 0x26d90 | 0x26190 | 0x37d |
| _wcsupr | - | 0x100001480 | 0x26d98 | 0x26198 | 0x394 |
| wcsnlen | - | 0x100001488 | 0x26da0 | 0x261a0 | 0x4fc |
| strncmp | - | 0x100001490 | 0x26da8 | 0x261a8 | 0x4bb |
| _ultow_s | - | 0x100001498 | 0x26db0 | 0x261b0 | 0x32a |
| wcscpy_s | - | 0x1000014a0 | 0x26db8 | 0x261b8 | 0x4f3 |
| wcscat_s | - | 0x1000014a8 | 0x26dc0 | 0x261c0 | 0x4ee |
| wcstoul | - | 0x1000014b0 | 0x26dc8 | 0x261c8 | 0x509 |
| swprintf_s | - | 0x1000014b8 | 0x26dd0 | 0x261d0 | 0x4ca |
| ??2@YAPEAX_K@Z | - | 0x1000014c0 | 0x26dd8 | 0x261d8 | 0x13 |
| _wcsicmp | - | 0x1000014c8 | 0x26de0 | 0x261e0 | 0x379 |
| __getmainargs | - | 0x1000014d0 | 0x26de8 | 0x261e8 | 0x71 |
| __C_specific_handler | - | 0x1000014d8 | 0x26df0 | 0x261f0 | 0x53 |
| _XcptFilter | - | 0x1000014e0 | 0x26df8 | 0x261f8 | 0x52 |
| _exit | - | 0x1000014e8 | 0x26e00 | 0x26200 | 0xff |
| _ismbblead | - | 0x1000014f0 | 0x26e08 | 0x26208 | 0x188 |
| _cexit | - | 0x1000014f8 | 0x26e10 | 0x26210 | 0xb3 |
| exit | - | 0x100001500 | 0x26e18 | 0x26218 | 0x420 |
| _acmdln | - | 0x100001508 | 0x26e20 | 0x26220 | 0x94 |
| _initterm | - | 0x100001510 | 0x26e28 | 0x26228 | 0x16c |
| memset | - | 0x100001518 | 0x26e30 | 0x26230 | 0x484 |
| _amsg_exit | - | 0x100001520 | 0x26e38 | 0x26238 | 0xa0 |
SHELL32.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SHGetDesktopFolder | - | 0x1000012c0 | 0x26bd8 | 0x25fd8 | 0xb6 |
| (by ordinal) | 0x9b | 0x1000012c8 | 0x26be0 | 0x25fe0 | - |
| SHParseDisplayName | - | 0x1000012d0 | 0x26be8 | 0x25fe8 | 0xf6 |
| SHGetFileInfoW | - | 0x1000012d8 | 0x26bf0 | 0x25ff0 | 0xbd |
| CommandLineToArgvW | - | 0x1000012e0 | 0x26bf8 | 0x25ff8 | 0x6 |
ole32.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CoCreateInstance | - | 0x1000016d8 | 0x26ff0 | 0x263f0 | 0x14 |
| CoCreateGuid | - | 0x1000016e0 | 0x26ff8 | 0x263f8 | 0x13 |
| CoWaitForMultipleHandles | - | 0x1000016e8 | 0x27000 | 0x26400 | 0x77 |
| CoInitializeEx | - | 0x1000016f0 | 0x27008 | 0x26408 | 0x43 |
| CoUninitialize | - | 0x1000016f8 | 0x27010 | 0x26410 | 0x70 |
| CoTaskMemFree | - | 0x100001700 | 0x27018 | 0x26418 | 0x6c |
| CoTaskMemAlloc | - | 0x100001708 | 0x27020 | 0x26420 | 0x6b |
| CoTaskMemRealloc | - | 0x100001710 | 0x27028 | 0x26428 | 0x6d |
OLEAUT32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SysAllocStringLen | 0x4 | 0x100001270 | 0x26b88 | 0x25f88 | - |
| SysStringLen | 0x7 | 0x100001278 | 0x26b90 | 0x25f90 | - |
| SysAllocString | 0x2 | 0x100001280 | 0x26b98 | 0x25f98 | - |
| VariantClear | 0x9 | 0x100001288 | 0x26ba0 | 0x25fa0 | - |
| LoadRegTypeLib | 0xa2 | 0x100001290 | 0x26ba8 | 0x25fa8 | - |
| DispCallFunc | 0x92 | 0x100001298 | 0x26bb0 | 0x25fb0 | - |
| SysFreeString | 0x6 | 0x1000012a0 | 0x26bb8 | 0x25fb8 | - |
ntdll.dll (52)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| RtlGetLastNtStatus | - | 0x100001530 | 0x26e48 | 0x26248 | 0x36e |
| NtQuerySystemInformation | - | 0x100001538 | 0x26e50 | 0x26250 | 0x1aa |
| WinSqmAddToStream | - | 0x100001540 | 0x26e58 | 0x26258 | 0x56b |
| RtlInitUnicodeString | - | 0x100001548 | 0x26e60 | 0x26260 | 0x3a3 |
| RtlNtStatusToDosError | - | 0x100001550 | 0x26e68 | 0x26268 | 0x415 |
| EtwTraceMessage | - | 0x100001558 | 0x26e70 | 0x26270 | 0x4f |
| RtlCaptureContext | - | 0x100001560 | 0x26e78 | 0x26278 | 0x27b |
| RtlLookupFunctionEntry | - | 0x100001568 | 0x26e80 | 0x26280 | 0x402 |
| RtlVirtualUnwind | - | 0x100001570 | 0x26e88 | 0x26288 | 0x4f1 |
| NtSetInformationFile | - | 0x100001578 | 0x26e90 | 0x26290 | 0x1ee |
| NtAllocateUuids | - | 0x100001580 | 0x26e98 | 0x26298 | 0xb6 |
| NtResetEvent | - | 0x100001588 | 0x26ea0 | 0x262a0 | 0x1d1 |
| LdrGetDllHandle | - | 0x100001590 | 0x26ea8 | 0x262a8 | 0x6d |
| NtQueryInformationFile | - | 0x100001598 | 0x26eb0 | 0x262b0 | 0x18c |
| NtClose | - | 0x1000015a0 | 0x26eb8 | 0x262b8 | 0xd6 |
| RtlAllocateHeap | - | 0x1000015a8 | 0x26ec0 | 0x262c0 | 0x265 |
| NtOpenFile | - | 0x1000015b0 | 0x26ec8 | 0x262c8 | 0x158 |
| RtlStringFromGUID | - | 0x1000015b8 | 0x26ed0 | 0x262d0 | 0x4aa |
| RtlFreeUnicodeString | - | 0x1000015c0 | 0x26ed8 | 0x262d8 | 0x350 |
| RtlGUIDFromString | - | 0x1000015c8 | 0x26ee0 | 0x262e0 | 0x352 |
| NtDeviceIoControlFile | - | 0x1000015d0 | 0x26ee8 | 0x262e8 | 0x10f |
| NtWaitForSingleObject | - | 0x1000015d8 | 0x26ef0 | 0x262f0 | 0x22c |
| NtCreateEvent | - | 0x1000015e0 | 0x26ef8 | 0x262f8 | 0xe4 |
| NtQueryKey | - | 0x1000015e8 | 0x26f00 | 0x26300 | 0x199 |
| NtEnumerateKey | - | 0x1000015f0 | 0x26f08 | 0x26308 | 0x118 |
| NtQueryAttributesFile | - | 0x1000015f8 | 0x26f10 | 0x26310 | 0x17e |
| NtOpenKey | - | 0x100001600 | 0x26f18 | 0x26318 | 0x15b |
| RtlCreateAcl | - | 0x100001608 | 0x26f20 | 0x26320 | 0x2ac |
| NtUnloadKey | - | 0x100001610 | 0x26f28 | 0x26328 | 0x221 |
| RtlFreeSid | - | 0x100001618 | 0x26f30 | 0x26330 | 0x34e |
| RtlSetDaclSecurityDescriptor | - | 0x100001620 | 0x26f38 | 0x26338 | 0x480 |
| NtDeleteValueKey | - | 0x100001628 | 0x26f40 | 0x26340 | 0x10e |
| NtLoadKey | - | 0x100001630 | 0x26f48 | 0x26348 | 0x141 |
| NtOpenThreadToken | - | 0x100001638 | 0x26f50 | 0x26350 | 0x16c |
| NtCreateKey | - | 0x100001640 | 0x26f58 | 0x26358 | 0xea |
| RtlLengthSecurityDescriptor | - | 0x100001648 | 0x26f60 | 0x26360 | 0x3ed |
| RtlAddAccessAllowedAceEx | - | 0x100001650 | 0x26f68 | 0x26368 | 0x24b |
| NtOpenProcessToken | - | 0x100001658 | 0x26f70 | 0x26370 | 0x164 |
| NtSetSecurityObject | - | 0x100001660 | 0x26f78 | 0x26378 | 0x200 |
| NtQueryValueKey | - | 0x100001668 | 0x26f80 | 0x26380 | 0x1af |
| NtSetValueKey | - | 0x100001670 | 0x26f88 | 0x26388 | 0x20b |
| NtAdjustPrivilegesToken | - | 0x100001678 | 0x26f90 | 0x26390 | 0xb0 |
| NtDeleteKey | - | 0x100001680 | 0x26f98 | 0x26398 | 0x10b |
| RtlAllocateAndInitializeSid | - | 0x100001688 | 0x26fa0 | 0x263a0 | 0x263 |
| RtlLengthSid | - | 0x100001690 | 0x26fa8 | 0x263a8 | 0x3ee |
| RtlCreateSecurityDescriptor | - | 0x100001698 | 0x26fb0 | 0x263b0 | 0x2bd |
| RtlSetOwnerSecurityDescriptor | - | 0x1000016a0 | 0x26fb8 | 0x263b8 | 0x48d |
| RtlInitAnsiString | - | 0x1000016a8 | 0x26fc0 | 0x263c0 | 0x39a |
| NtOpenSymbolicLinkObject | - | 0x1000016b0 | 0x26fc8 | 0x263c8 | 0x16a |
| LdrGetProcedureAddress | - | 0x1000016b8 | 0x26fd0 | 0x263d0 | 0x74 |
| NtQuerySymbolicLinkObject | - | 0x1000016c0 | 0x26fd8 | 0x263d8 | 0x1a7 |
| RtlFreeHeap | - | 0x1000016c8 | 0x26fe0 | 0x263e0 | 0x34b |
COMCTL32.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ImageList_ReplaceIcon | - | 0x1000010a8 | 0x269c0 | 0x25dc0 | 0x70 |
| ImageList_Create | - | 0x1000010b0 | 0x269c8 | 0x25dc8 | 0x54 |
| ImageList_Destroy | - | 0x1000010b8 | 0x269d0 | 0x25dd0 | 0x55 |
| (by ordinal) | 0x159 | 0x1000010c0 | 0x269d8 | 0x25dd8 | - |
| (by ordinal) | 0x158 | 0x1000010c8 | 0x269e0 | 0x25de0 | - |
SPP.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SxTracerShouldTrackFailure | - | 0x100001310 | 0x26c28 | 0x26028 | 0xb |
| SxTracerGetThreadContextRetail | - | 0x100001318 | 0x26c30 | 0x26030 | 0xa |
| SxTracerDebuggerBreak | - | 0x100001320 | 0x26c38 | 0x26038 | 0x8 |
SHLWAPI.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| StrRetToBufW | - | 0x1000012f0 | 0x26c08 | 0x26008 | 0x13e |
| SHCreateStreamOnFileEx | - | 0x1000012f8 | 0x26c10 | 0x26010 | 0xaa |
| SHCreateStreamOnFileW | - | 0x100001300 | 0x26c18 | 0x26018 | 0xab |
ReAgent.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WinReGetConfig | - | 0x1000012b0 | 0x26bc8 | 0x25fc8 | 0x8 |
Memory Dumps (1)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| recdisc.exe | 108 | 0xFFCD0000 | 0xFFD0CFFF | Relevant Image |
|
64-bit | - |
|
|
...
|
| c:\users\keecfmwgj\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-4219442223-4223814209-3835049652-1000\4fe4574abf1bcb0f6ed6a78aa750fb2c_b9c8f16e-2e51-4052-9ecb-f86ae5d96ef6 | Dropped File | Stream |
clean
|
...
|
»
| MIME Type | application/octet-stream |
| File Size | 50 Bytes |
| MD5 |
bbe4a6fe547225203dffbf784b4b8086
|
| SHA1 |
9393217e27903a99d5a36b630becf408c05b85ad
|
| SHA256 |
2d970fea1e7ebc4c9bae287309fa032cb2ac90323c0cdb49ca9593dc7d074c98
|
| SSDeep |
3:/lvlPoSMl:QJl
|
| ImpHash | - |
| \\?\C:\Windows \system32\ReAgent.dll | Dropped File | Binary |
clean
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 306.50 KB |
| MD5 |
09c6b9c0add24c459631250bf031a382
|
| SHA1 |
101e1b838c316265ca56a4610ff9a7e9e3ba6e56
|
| SHA256 |
e2b09cfdead0313843c3dbf5233833c1d9c80a33078bf4739760b64fb1fd524a
|
| SSDeep |
6144:pBqIMuKSUaAK76t3PTnqXVM0uOLzUeEnma1u9ft:VKSzAKmRqXXuEUe8j1+
|
| ImpHash |
bc460506e7d6e6d7b645e8100287fad8
|
PE Information
»
| Image Base | 0x7ff35ba0000 |
| Entry Point | 0x7ff35bc9a74 |
| Size Of Code | 0x48000 |
| Size Of Initialized Data | 0x4e00 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_cui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2010-11-20 13:13:39+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporation |
| FileDescription | Microsoft Windows Recovery Agent DLL |
| FileVersion | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| InternalName | reagent.dll |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | reagent.dll |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 6.1.7601.17514 |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x7ff35ba1000 | 0x47eae | 0x48000 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.39 |
| .data | 0x7ff35be9000 | 0x8f8 | 0x200 | 0x48400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.95 |
| .pdata | 0x7ff35bea000 | 0x1d34 | 0x1e00 | 0x48600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.56 |
| .rsrc | 0x7ff35bec000 | 0x1ac8 | 0x1c00 | 0x4a400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.41 |
| .reloc | 0x7ff35bee000 | 0x9ec | 0xa00 | 0x4c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 2.04 |
Imports (11)
»
msvcrt.dll (32)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _atoi64 | - | 0x7ff35ba13b0 | 0x47a18 | 0x46e18 | 0xa6 |
| atol | - | 0x7ff35ba13b8 | 0x47a20 | 0x46e20 | 0x40f |
| _wcsicmp | - | 0x7ff35ba13c0 | 0x47a28 | 0x46e28 | 0x379 |
| _vsnprintf | - | 0x7ff35ba13c8 | 0x47a30 | 0x46e30 | 0x352 |
| malloc | - | 0x7ff35ba13d0 | 0x47a38 | 0x46e38 | 0x474 |
| _initterm | - | 0x7ff35ba13d8 | 0x47a40 | 0x46e40 | 0x16c |
| free | - | 0x7ff35ba13e0 | 0x47a48 | 0x46e48 | 0x43a |
| _amsg_exit | - | 0x7ff35ba13e8 | 0x47a50 | 0x46e50 | 0xa0 |
| ??3@YAXPEAX@Z | - | 0x7ff35ba13f0 | 0x47a58 | 0x46e58 | 0x15 |
| _vsnwprintf | - | 0x7ff35ba13f8 | 0x47a60 | 0x46e60 | 0x358 |
| memset | - | 0x7ff35ba1400 | 0x47a68 | 0x46e68 | 0x484 |
| _snwscanf_s | - | 0x7ff35ba1408 | 0x47a70 | 0x46e70 | 0x2ca |
| _wcslwr | - | 0x7ff35ba1410 | 0x47a78 | 0x46e78 | 0x37d |
| _wcsupr | - | 0x7ff35ba1418 | 0x47a80 | 0x46e80 | 0x394 |
| __C_specific_handler | - | 0x7ff35ba1420 | 0x47a88 | 0x46e88 | 0x53 |
| memcpy | - | 0x7ff35ba1428 | 0x47a90 | 0x46e90 | 0x480 |
| memcmp | - | 0x7ff35ba1430 | 0x47a98 | 0x46e98 | 0x47f |
| ??2@YAPEAX_K@Z | - | 0x7ff35ba1438 | 0x47aa0 | 0x46ea0 | 0x13 |
| _purecall | - | 0x7ff35ba1440 | 0x47aa8 | 0x46ea8 | 0x28d |
| _XcptFilter | - | 0x7ff35ba1448 | 0x47ab0 | 0x46eb0 | 0x52 |
| swprintf_s | - | 0x7ff35ba1450 | 0x47ab8 | 0x46eb8 | 0x4ca |
| memmove | - | 0x7ff35ba1458 | 0x47ac0 | 0x46ec0 | 0x482 |
| wcstoul | - | 0x7ff35ba1460 | 0x47ac8 | 0x46ec8 | 0x509 |
| _wcsnicmp | - | 0x7ff35ba1468 | 0x47ad0 | 0x46ed0 | 0x383 |
| wcscat_s | - | 0x7ff35ba1470 | 0x47ad8 | 0x46ed8 | 0x4ee |
| wcscpy_s | - | 0x7ff35ba1478 | 0x47ae0 | 0x46ee0 | 0x4f3 |
| wcschr | - | 0x7ff35ba1480 | 0x47ae8 | 0x46ee8 | 0x4ef |
| _ultow_s | - | 0x7ff35ba1488 | 0x47af0 | 0x46ef0 | 0x32a |
| wcsrchr | - | 0x7ff35ba1490 | 0x47af8 | 0x46ef8 | 0x4fe |
| wcsstr | - | 0x7ff35ba1498 | 0x47b00 | 0x46f00 | 0x502 |
| strncmp | - | 0x7ff35ba14a0 | 0x47b08 | 0x46f08 | 0x4bb |
| wcsnlen | - | 0x7ff35ba14a8 | 0x47b10 | 0x46f10 | 0x4fc |
ntdll.dll (56)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| NtSetValueKey | - | 0x7ff35ba14b8 | 0x47b20 | 0x46f20 | 0x20b |
| RtlCaptureContext | - | 0x7ff35ba14c0 | 0x47b28 | 0x46f28 | 0x27b |
| RtlLookupFunctionEntry | - | 0x7ff35ba14c8 | 0x47b30 | 0x46f30 | 0x402 |
| RtlVirtualUnwind | - | 0x7ff35ba14d0 | 0x47b38 | 0x46f38 | 0x4f1 |
| RtlNtStatusToDosError | - | 0x7ff35ba14d8 | 0x47b40 | 0x46f40 | 0x415 |
| RtlGUIDFromString | - | 0x7ff35ba14e0 | 0x47b48 | 0x46f48 | 0x352 |
| RtlStringFromGUID | - | 0x7ff35ba14e8 | 0x47b50 | 0x46f50 | 0x4aa |
| NtQuerySystemInformation | - | 0x7ff35ba14f0 | 0x47b58 | 0x46f58 | 0x1aa |
| RtlFreeHeap | - | 0x7ff35ba14f8 | 0x47b60 | 0x46f60 | 0x34b |
| RtlInitUnicodeString | - | 0x7ff35ba1500 | 0x47b68 | 0x46f68 | 0x3a3 |
| RtlFreeUnicodeString | - | 0x7ff35ba1508 | 0x47b70 | 0x46f70 | 0x350 |
| RtlAllocateHeap | - | 0x7ff35ba1510 | 0x47b78 | 0x46f78 | 0x265 |
| NtOpenFile | - | 0x7ff35ba1518 | 0x47b80 | 0x46f80 | 0x158 |
| NtDeviceIoControlFile | - | 0x7ff35ba1520 | 0x47b88 | 0x46f88 | 0x10f |
| NtWaitForSingleObject | - | 0x7ff35ba1528 | 0x47b90 | 0x46f90 | 0x22c |
| NtCreateEvent | - | 0x7ff35ba1530 | 0x47b98 | 0x46f98 | 0xe4 |
| NtQueryKey | - | 0x7ff35ba1538 | 0x47ba0 | 0x46fa0 | 0x199 |
| NtEnumerateKey | - | 0x7ff35ba1540 | 0x47ba8 | 0x46fa8 | 0x118 |
| NtQueryAttributesFile | - | 0x7ff35ba1548 | 0x47bb0 | 0x46fb0 | 0x17e |
| NtOpenKey | - | 0x7ff35ba1550 | 0x47bb8 | 0x46fb8 | 0x15b |
| RtlCreateAcl | - | 0x7ff35ba1558 | 0x47bc0 | 0x46fc0 | 0x2ac |
| NtUnloadKey | - | 0x7ff35ba1560 | 0x47bc8 | 0x46fc8 | 0x221 |
| RtlFreeSid | - | 0x7ff35ba1568 | 0x47bd0 | 0x46fd0 | 0x34e |
| RtlSetDaclSecurityDescriptor | - | 0x7ff35ba1570 | 0x47bd8 | 0x46fd8 | 0x480 |
| NtDeleteValueKey | - | 0x7ff35ba1578 | 0x47be0 | 0x46fe0 | 0x10e |
| NtLoadKey | - | 0x7ff35ba1580 | 0x47be8 | 0x46fe8 | 0x141 |
| NtOpenThreadToken | - | 0x7ff35ba1588 | 0x47bf0 | 0x46ff0 | 0x16c |
| NtCreateKey | - | 0x7ff35ba1590 | 0x47bf8 | 0x46ff8 | 0xea |
| RtlLengthSecurityDescriptor | - | 0x7ff35ba1598 | 0x47c00 | 0x47000 | 0x3ed |
| RtlAddAccessAllowedAceEx | - | 0x7ff35ba15a0 | 0x47c08 | 0x47008 | 0x24b |
| NtOpenProcessToken | - | 0x7ff35ba15a8 | 0x47c10 | 0x47010 | 0x164 |
| NtSetSecurityObject | - | 0x7ff35ba15b0 | 0x47c18 | 0x47018 | 0x200 |
| NtQueryValueKey | - | 0x7ff35ba15b8 | 0x47c20 | 0x47020 | 0x1af |
| NtAdjustPrivilegesToken | - | 0x7ff35ba15c0 | 0x47c28 | 0x47028 | 0xb0 |
| NtDeleteKey | - | 0x7ff35ba15c8 | 0x47c30 | 0x47030 | 0x10b |
| RtlAllocateAndInitializeSid | - | 0x7ff35ba15d0 | 0x47c38 | 0x47038 | 0x263 |
| RtlLengthSid | - | 0x7ff35ba15d8 | 0x47c40 | 0x47040 | 0x3ee |
| RtlCreateSecurityDescriptor | - | 0x7ff35ba15e0 | 0x47c48 | 0x47048 | 0x2bd |
| RtlSetOwnerSecurityDescriptor | - | 0x7ff35ba15e8 | 0x47c50 | 0x47050 | 0x48d |
| NtAllocateUuids | - | 0x7ff35ba15f0 | 0x47c58 | 0x47058 | 0xb6 |
| RtlInitAnsiString | - | 0x7ff35ba15f8 | 0x47c60 | 0x47060 | 0x39a |
| NtOpenSymbolicLinkObject | - | 0x7ff35ba1600 | 0x47c68 | 0x47068 | 0x16a |
| LdrGetProcedureAddress | - | 0x7ff35ba1608 | 0x47c70 | 0x47070 | 0x74 |
| NtQuerySymbolicLinkObject | - | 0x7ff35ba1610 | 0x47c78 | 0x47078 | 0x1a7 |
| LdrGetDllHandle | - | 0x7ff35ba1618 | 0x47c80 | 0x47080 | 0x6d |
| NtResetEvent | - | 0x7ff35ba1620 | 0x47c88 | 0x47088 | 0x1d1 |
| NtYieldExecution | - | 0x7ff35ba1628 | 0x47c90 | 0x47090 | 0x235 |
| DbgPrintEx | - | 0x7ff35ba1630 | 0x47c98 | 0x47098 | 0x21 |
| RtlReAllocateHeap | - | 0x7ff35ba1638 | 0x47ca0 | 0x470a0 | 0x44b |
| RtlDowncaseUnicodeChar | - | 0x7ff35ba1640 | 0x47ca8 | 0x470a8 | 0x306 |
| RtlCompareMemory | - | 0x7ff35ba1648 | 0x47cb0 | 0x470b0 | 0x28b |
| RtlRaiseStatus | - | 0x7ff35ba1650 | 0x47cb8 | 0x470b8 | 0x448 |
| NtClose | - | 0x7ff35ba1658 | 0x47cc0 | 0x470c0 | 0xd6 |
| WinSqmSetString | - | 0x7ff35ba1660 | 0x47cc8 | 0x470c8 | 0x583 |
| WinSqmSetDWORD | - | 0x7ff35ba1668 | 0x47cd0 | 0x470d0 | 0x57e |
| WinSqmIncrementDWORD | - | 0x7ff35ba1670 | 0x47cd8 | 0x470d8 | 0x57b |
KERNEL32.dll (71)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| HeapAlloc | - | 0x7ff35ba10f8 | 0x47760 | 0x46b60 | 0x2d4 |
| GetVersionExW | - | 0x7ff35ba1100 | 0x47768 | 0x46b68 | 0x2ac |
| GetLastError | - | 0x7ff35ba1108 | 0x47770 | 0x46b70 | 0x206 |
| HeapFree | - | 0x7ff35ba1110 | 0x47778 | 0x46b78 | 0x2d8 |
| CreateFileW | - | 0x7ff35ba1118 | 0x47780 | 0x46b80 | 0x8f |
| CloseHandle | - | 0x7ff35ba1120 | 0x47788 | 0x46b88 | 0x52 |
| GetSystemDirectoryW | - | 0x7ff35ba1128 | 0x47790 | 0x46b90 | 0x276 |
| InitializeCriticalSection | - | 0x7ff35ba1130 | 0x47798 | 0x46b98 | 0x2ec |
| TlsAlloc | - | 0x7ff35ba1138 | 0x477a0 | 0x46ba0 | 0x4d4 |
| TlsSetValue | - | 0x7ff35ba1140 | 0x477a8 | 0x46ba8 | 0x4d7 |
| DeleteCriticalSection | - | 0x7ff35ba1148 | 0x477b0 | 0x46bb0 | 0xd2 |
| TlsFree | - | 0x7ff35ba1150 | 0x477b8 | 0x46bb8 | 0x4d5 |
| SetLastError | - | 0x7ff35ba1158 | 0x477c0 | 0x46bc0 | 0x47f |
| DeleteFileW | - | 0x7ff35ba1160 | 0x477c8 | 0x46bc8 | 0xd7 |
| GetFileAttributesExW | - | 0x7ff35ba1168 | 0x477d0 | 0x46bd0 | 0x1ec |
| MultiByteToWideChar | - | 0x7ff35ba1170 | 0x477d8 | 0x46bd8 | 0x369 |
| EnterCriticalSection | - | 0x7ff35ba1178 | 0x477e0 | 0x46be0 | 0xf2 |
| LeaveCriticalSection | - | 0x7ff35ba1180 | 0x477e8 | 0x46be8 | 0x33c |
| GetFileSize | - | 0x7ff35ba1188 | 0x477f0 | 0x46bf0 | 0x1f5 |
| ReadFile | - | 0x7ff35ba1190 | 0x477f8 | 0x46bf8 | 0x3c3 |
| SetEndOfFile | - | 0x7ff35ba1198 | 0x47800 | 0x46c00 | 0x461 |
| WriteFile | - | 0x7ff35ba11a0 | 0x47808 | 0x46c08 | 0x535 |
| GetCurrentProcess | - | 0x7ff35ba11a8 | 0x47810 | 0x46c10 | 0x1c6 |
| SetFileAttributesW | - | 0x7ff35ba11b0 | 0x47818 | 0x46c18 | 0x46e |
| TlsGetValue | - | 0x7ff35ba11b8 | 0x47820 | 0x46c20 | 0x4d6 |
| GetFileAttributesW | - | 0x7ff35ba11c0 | 0x47828 | 0x46c28 | 0x1ef |
| GetFullPathNameW | - | 0x7ff35ba11c8 | 0x47830 | 0x46c30 | 0x200 |
| GetProcessHeap | - | 0x7ff35ba11d0 | 0x47838 | 0x46c38 | 0x24f |
| GetVolumeNameForVolumeMountPointW | - | 0x7ff35ba11d8 | 0x47840 | 0x46c40 | 0x2b1 |
| DeviceIoControl | - | 0x7ff35ba11e0 | 0x47848 | 0x46c48 | 0xe1 |
| FindFirstVolumeW | - | 0x7ff35ba11e8 | 0x47850 | 0x46c50 | 0x145 |
| GetDriveTypeW | - | 0x7ff35ba11f0 | 0x47858 | 0x46c58 | 0x1da |
| GetDiskFreeSpaceExW | - | 0x7ff35ba11f8 | 0x47860 | 0x46c60 | 0x1d5 |
| FindNextVolumeW | - | 0x7ff35ba1200 | 0x47868 | 0x46c68 | 0x150 |
| FindVolumeClose | - | 0x7ff35ba1208 | 0x47870 | 0x46c70 | 0x156 |
| GetFileInformationByHandle | - | 0x7ff35ba1210 | 0x47878 | 0x46c78 | 0x1f1 |
| CreateDirectoryW | - | 0x7ff35ba1218 | 0x47880 | 0x46c80 | 0x81 |
| CopyFileW | - | 0x7ff35ba1220 | 0x47888 | 0x46c88 | 0x75 |
| MoveFileExW | - | 0x7ff35ba1228 | 0x47890 | 0x46c90 | 0x362 |
| RemoveDirectoryW | - | 0x7ff35ba1230 | 0x47898 | 0x46c98 | 0x406 |
| CreateFileMappingW | - | 0x7ff35ba1238 | 0x478a0 | 0x46ca0 | 0x8c |
| MapViewOfFile | - | 0x7ff35ba1240 | 0x478a8 | 0x46ca8 | 0x359 |
| UnmapViewOfFile | - | 0x7ff35ba1248 | 0x478b0 | 0x46cb0 | 0x4e6 |
| GetVolumePathNamesForVolumeNameW | - | 0x7ff35ba1250 | 0x478b8 | 0x46cb8 | 0x2b5 |
| SetErrorMode | - | 0x7ff35ba1258 | 0x478c0 | 0x46cc0 | 0x466 |
| FindFirstFileW | - | 0x7ff35ba1260 | 0x478c8 | 0x46cc8 | 0x13f |
| CopyFileExW | - | 0x7ff35ba1268 | 0x478d0 | 0x46cd0 | 0x72 |
| FindNextFileW | - | 0x7ff35ba1270 | 0x478d8 | 0x46cd8 | 0x14b |
| FindClose | - | 0x7ff35ba1278 | 0x478e0 | 0x46ce0 | 0x134 |
| GetModuleFileNameW | - | 0x7ff35ba1280 | 0x478e8 | 0x46ce8 | 0x218 |
| GetModuleHandleW | - | 0x7ff35ba1288 | 0x478f0 | 0x46cf0 | 0x21c |
| CreateActCtxW | - | 0x7ff35ba1290 | 0x478f8 | 0x46cf8 | 0x78 |
| ActivateActCtx | - | 0x7ff35ba1298 | 0x47900 | 0x46d00 | 0x2 |
| DeactivateActCtx | - | 0x7ff35ba12a0 | 0x47908 | 0x46d08 | 0xc5 |
| ReleaseActCtx | - | 0x7ff35ba12a8 | 0x47910 | 0x46d10 | 0x3fc |
| GetVolumePathNameW | - | 0x7ff35ba12b0 | 0x47918 | 0x46d18 | 0x2b3 |
| QueryPerformanceCounter | - | 0x7ff35ba12b8 | 0x47920 | 0x46d20 | 0x3a9 |
| GetTickCount | - | 0x7ff35ba12c0 | 0x47928 | 0x46d28 | 0x299 |
| GetCurrentThreadId | - | 0x7ff35ba12c8 | 0x47930 | 0x46d30 | 0x1cb |
| GetCurrentProcessId | - | 0x7ff35ba12d0 | 0x47938 | 0x46d38 | 0x1c7 |
| GetSystemTimeAsFileTime | - | 0x7ff35ba12d8 | 0x47940 | 0x46d40 | 0x27f |
| TerminateProcess | - | 0x7ff35ba12e0 | 0x47948 | 0x46d48 | 0x4cf |
| UnhandledExceptionFilter | - | 0x7ff35ba12e8 | 0x47950 | 0x46d50 | 0x4e3 |
| SetUnhandledExceptionFilter | - | 0x7ff35ba12f0 | 0x47958 | 0x46d58 | 0x4b3 |
| Sleep | - | 0x7ff35ba12f8 | 0x47960 | 0x46d60 | 0x4c1 |
| FreeLibrary | - | 0x7ff35ba1300 | 0x47968 | 0x46d68 | 0x168 |
| VirtualAlloc | - | 0x7ff35ba1308 | 0x47970 | 0x46d70 | 0x4f9 |
| VirtualFree | - | 0x7ff35ba1310 | 0x47978 | 0x46d78 | 0x4fc |
| GetCurrentThread | - | 0x7ff35ba1318 | 0x47980 | 0x46d80 | 0x1ca |
| GetProcAddress | - | 0x7ff35ba1320 | 0x47988 | 0x46d88 | 0x24a |
| LoadLibraryW | - | 0x7ff35ba1328 | 0x47990 | 0x46d90 | 0x342 |
ADVAPI32.dll (28)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| EventRegister | - | 0x7ff35ba1000 | 0x47668 | 0x46a68 | 0x10e |
| SetThreadToken | - | 0x7ff35ba1008 | 0x47670 | 0x46a70 | 0x2c1 |
| OpenThreadToken | - | 0x7ff35ba1010 | 0x47678 | 0x46a78 | 0x1fc |
| UnregisterTraceGuids | - | 0x7ff35ba1018 | 0x47680 | 0x46a80 | 0x302 |
| RegisterTraceGuidsW | - | 0x7ff35ba1020 | 0x47688 | 0x46a88 | 0x28a |
| GetTraceEnableFlags | - | 0x7ff35ba1028 | 0x47690 | 0x46a90 | 0x15b |
| GetTraceEnableLevel | - | 0x7ff35ba1030 | 0x47698 | 0x46a98 | 0x15c |
| GetTraceLoggerHandle | - | 0x7ff35ba1038 | 0x476a0 | 0x46aa0 | 0x15d |
| EventUnregister | - | 0x7ff35ba1040 | 0x476a8 | 0x46aa8 | 0x10f |
| EventWrite | - | 0x7ff35ba1048 | 0x476b0 | 0x46ab0 | 0x110 |
| DuplicateTokenEx | - | 0x7ff35ba1050 | 0x476b8 | 0x46ab8 | 0xdf |
| ConvertStringSecurityDescriptorToSecurityDescriptorW | - | 0x7ff35ba1058 | 0x476c0 | 0x46ac0 | 0x72 |
| FreeSid | - | 0x7ff35ba1060 | 0x476c8 | 0x46ac8 | 0x120 |
| SetNamedSecurityInfoW | - | 0x7ff35ba1068 | 0x476d0 | 0x46ad0 | 0x2b1 |
| AddAccessAllowedAceEx | - | 0x7ff35ba1070 | 0x476d8 | 0x46ad8 | 0x11 |
| InitializeAcl | - | 0x7ff35ba1078 | 0x476e0 | 0x46ae0 | 0x176 |
| GetLengthSid | - | 0x7ff35ba1080 | 0x476e8 | 0x46ae8 | 0x136 |
| AllocateAndInitializeSid | - | 0x7ff35ba1088 | 0x476f0 | 0x46af0 | 0x20 |
| AdjustTokenPrivileges | - | 0x7ff35ba1090 | 0x476f8 | 0x46af8 | 0x1f |
| LookupPrivilegeValueW | - | 0x7ff35ba1098 | 0x47700 | 0x46b00 | 0x197 |
| OpenProcessToken | - | 0x7ff35ba10a0 | 0x47708 | 0x46b08 | 0x1f7 |
| RegSetValueExW | - | 0x7ff35ba10a8 | 0x47710 | 0x46b10 | 0x27e |
| RegQueryValueExW | - | 0x7ff35ba10b0 | 0x47718 | 0x46b18 | 0x26e |
| RegDeleteKeyW | - | 0x7ff35ba10b8 | 0x47720 | 0x46b20 | 0x244 |
| RegCloseKey | - | 0x7ff35ba10c0 | 0x47728 | 0x46b28 | 0x230 |
| RegCreateKeyExW | - | 0x7ff35ba10c8 | 0x47730 | 0x46b30 | 0x239 |
| RegOpenKeyExW | - | 0x7ff35ba10d0 | 0x47738 | 0x46b38 | 0x261 |
| TraceMessage | - | 0x7ff35ba10d8 | 0x47740 | 0x46b40 | 0x2f6 |
USER32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SendMessageW | - | 0x7ff35ba1370 | 0x479d8 | 0x46dd8 | 0x280 |
COMCTL32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| (by ordinal) | 0x159 | 0x7ff35ba10e8 | 0x47750 | 0x46b50 | - |
imagehlp.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ImageNtHeader | - | 0x7ff35ba13a0 | 0x47a08 | 0x46e08 | 0x19 |
ole32.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CoCreateInstance | - | 0x7ff35ba1680 | 0x47ce8 | 0x470e8 | 0x14 |
| CoUninitialize | - | 0x7ff35ba1688 | 0x47cf0 | 0x470f0 | 0x70 |
| CoInitializeEx | - | 0x7ff35ba1690 | 0x47cf8 | 0x470f8 | 0x43 |
OLEAUT32.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SysAllocString | 0x2 | 0x7ff35ba1338 | 0x479a0 | 0x46da0 | - |
| VariantClear | 0x9 | 0x7ff35ba1340 | 0x479a8 | 0x46da8 | - |
| SysFreeString | 0x6 | 0x7ff35ba1348 | 0x479b0 | 0x46db0 | - |
| VariantInit | 0x8 | 0x7ff35ba1350 | 0x479b8 | 0x46db8 | - |
SHELL32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShellExecuteExW | - | 0x7ff35ba1360 | 0x479c8 | 0x46dc8 | 0x121 |
WDSCORE.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WdsSetupLogMessageW | - | 0x7ff35ba1380 | 0x479e8 | 0x46de8 | 0x97 |
| CurrentIP | - | 0x7ff35ba1388 | 0x479f0 | 0x46df0 | 0x46 |
| ConstructPartialMsgVW | - | 0x7ff35ba1390 | 0x479f8 | 0x46df8 | 0x45 |
Exports (24)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| WinRE_Generalize | 0xbe04 | 0x1 |
| WinReAddLogFile | 0x1684c | 0x2 |
| WinReCompleteRecovery | 0x175c8 | 0x3 |
| WinReCopyLogFilesToRamdisk | 0x16b34 | 0x4 |
| WinReCopySetupFiles | 0x15284 | 0x5 |
| WinReCreateLogInstance | 0x162c4 | 0x6 |
| WinReCreateLogInstanceEx | 0x162f0 | 0x7 |
| WinReDeleteLogFiles | 0x16604 | 0x8 |
| WinReGetConfig | 0xa464 | 0x9 |
| WinReGetGroupPolicies | 0x99f8 | 0xa |
| WinReGetLogFile | 0x29e70 | 0xb |
| WinReGetWIMInfo | 0xbfe8 | 0xc |
| WinReInstall | 0xb518 | 0xd |
| WinReIsInstallMedia | 0x14d38 | 0xe |
| WinReOpenLogInstance | 0x163d0 | 0xf |
| WinRePostRecovery | 0x16e6c | 0x10 |
| WinReRestoreLogFiles | 0x16b64 | 0x11 |
| WinReSetConfig | 0xab00 | 0x12 |
| WinReSetRecoveryAction | 0xa7a8 | 0x13 |
| WinReSetRecoveryActionEx | 0xa7b8 | 0x14 |
| WinReUnInstall | 0xbdbc | 0x15 |
| WinReUpdateLogInstance | 0x16680 | 0x16 |
| winreFindInstallMedia | 0x14af0 | 0x17 |
| winreGetBinaryArch | 0x149a4 | 0x18 |
| C:\Users\kEecfMwgj\AppData\Local\kza5B6\unregmp2.exe | Dropped File | Binary |
clean
Known to be clean.
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 316.00 KB |
| MD5 |
64b328d52dfc8cda123093e3f6e4c37c
|
| SHA1 |
f68f45b21b911906f3aa982e64504e662a92e5ab
|
| SHA256 |
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1
|
| SSDeep |
3072:6XTKwu6WC4nYQmojQgnOGJjah5LB4Oznf2S0zMjPMO1L:gkiajJnOmS4OzfjhB
|
| ImpHash |
495250ba60f511e105fd8b294cf70a49
|
PE Information
»
| Image Base | 0x100000000 |
| Entry Point | 0x1000475cc |
| Size Of Code | 0x48e00 |
| Size Of Initialized Data | 0x7200 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2009-07-14 00:23:55+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporation |
| FileDescription | Microsoft Windows Media Player Setup Utility |
| FileVersion | 12.0.7600.16385 (win7_rtm.090713-1255) |
| InternalName | unregmp2.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | unregmp2.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 12.0.7600.16385 |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x100001000 | 0x48ce6 | 0x48e00 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.98 |
| .data | 0x10004a000 | 0x3c70 | 0x2a00 | 0x49200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.14 |
| .pdata | 0x10004e000 | 0x7a4 | 0x800 | 0x4bc00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.13 |
| .rsrc | 0x10004f000 | 0xbe0 | 0xc00 | 0x4c400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.32 |
| .reloc | 0x100050000 | 0x1ebe | 0x2000 | 0x4d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.16 |
Imports (11)
»
ADVAPI32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CloseServiceHandle | - | 0x100001000 | 0x48b78 | 0x47f78 | 0x57 |
| OpenSCManagerW | - | 0x100001008 | 0x48b80 | 0x47f80 | 0x1f9 |
| OpenServiceW | - | 0x100001010 | 0x48b88 | 0x47f88 | 0x1fb |
| RegCreateKeyExW | - | 0x100001018 | 0x48b90 | 0x47f90 | 0x239 |
| RegQueryValueExW | - | 0x100001020 | 0x48b98 | 0x47f98 | 0x26e |
| RegDeleteKeyW | - | 0x100001028 | 0x48ba0 | 0x47fa0 | 0x244 |
| QueryServiceStatus | - | 0x100001030 | 0x48ba8 | 0x47fa8 | 0x228 |
| RegDeleteValueW | - | 0x100001038 | 0x48bb0 | 0x47fb0 | 0x248 |
| ChangeServiceConfigW | - | 0x100001040 | 0x48bb8 | 0x47fb8 | 0x50 |
| RegEnumValueW | - | 0x100001048 | 0x48bc0 | 0x47fc0 | 0x252 |
| RegOpenKeyExW | - | 0x100001050 | 0x48bc8 | 0x47fc8 | 0x261 |
| ControlService | - | 0x100001058 | 0x48bd0 | 0x47fd0 | 0x5c |
| RegEnumKeyExW | - | 0x100001060 | 0x48bd8 | 0x47fd8 | 0x24f |
| QueryServiceConfigW | - | 0x100001068 | 0x48be0 | 0x47fe0 | 0x224 |
| RegCloseKey | - | 0x100001070 | 0x48be8 | 0x47fe8 | 0x230 |
| RegSetValueExW | - | 0x100001078 | 0x48bf0 | 0x47ff0 | 0x27e |
| RegEnumKeyW | - | 0x100001080 | 0x48bf8 | 0x47ff8 | 0x250 |
| RegQueryValueExA | - | 0x100001088 | 0x48c00 | 0x48000 | 0x26d |
| RegQueryInfoKeyW | - | 0x100001090 | 0x48c08 | 0x48008 | 0x268 |
| RegOpenKeyExA | - | 0x100001098 | 0x48c10 | 0x48010 | 0x260 |
KERNEL32.dll (73)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SetLastError | - | 0x1000010a8 | 0x48c20 | 0x48020 | 0x480 |
| FindClose | - | 0x1000010b0 | 0x48c28 | 0x48028 | 0x134 |
| CreateHardLinkW | - | 0x1000010b8 | 0x48c30 | 0x48030 | 0x93 |
| HeapSetInformation | - | 0x1000010c0 | 0x48c38 | 0x48038 | 0x2db |
| CloseHandle | - | 0x1000010c8 | 0x48c40 | 0x48040 | 0x52 |
| DeleteFileW | - | 0x1000010d0 | 0x48c48 | 0x48048 | 0xd7 |
| SetFileAttributesW | - | 0x1000010d8 | 0x48c50 | 0x48050 | 0x46f |
| Sleep | - | 0x1000010e0 | 0x48c58 | 0x48058 | 0x4c0 |
| GetShortPathNameW | - | 0x1000010e8 | 0x48c60 | 0x48060 | 0x268 |
| FindFirstFileExW | - | 0x1000010f0 | 0x48c68 | 0x48068 | 0x13a |
| lstrcmpW | - | 0x1000010f8 | 0x48c70 | 0x48070 | 0x555 |
| lstrlenW | - | 0x100001100 | 0x48c78 | 0x48078 | 0x561 |
| GetCurrentDirectoryW | - | 0x100001108 | 0x48c80 | 0x48080 | 0x1c5 |
| SetCurrentDirectoryW | - | 0x100001110 | 0x48c88 | 0x48088 | 0x45b |
| RemoveDirectoryW | - | 0x100001118 | 0x48c90 | 0x48090 | 0x406 |
| FindNextFileW | - | 0x100001120 | 0x48c98 | 0x48098 | 0x14b |
| ExpandEnvironmentStringsW | - | 0x100001128 | 0x48ca0 | 0x480a0 | 0x123 |
| SetUnhandledExceptionFilter | - | 0x100001130 | 0x48ca8 | 0x480a8 | 0x4b3 |
| GetStartupInfoW | - | 0x100001138 | 0x48cb0 | 0x480b0 | 0x26a |
| GetLastError | - | 0x100001140 | 0x48cb8 | 0x480b8 | 0x208 |
| GetTempPathA | - | 0x100001148 | 0x48cc0 | 0x480c0 | 0x28b |
| GetLocalTime | - | 0x100001150 | 0x48cc8 | 0x480c8 | 0x209 |
| GetWindowsDirectoryA | - | 0x100001158 | 0x48cd0 | 0x480d0 | 0x2b6 |
| SetFilePointer | - | 0x100001160 | 0x48cd8 | 0x480d8 | 0x474 |
| GetFileSize | - | 0x100001168 | 0x48ce0 | 0x480e0 | 0x1f7 |
| CreateFileA | - | 0x100001170 | 0x48ce8 | 0x480e8 | 0x88 |
| GetVersionExA | - | 0x100001178 | 0x48cf0 | 0x480f0 | 0x2ab |
| GetFileTime | - | 0x100001180 | 0x48cf8 | 0x480f8 | 0x1f9 |
| MoveFileW | - | 0x100001188 | 0x48d00 | 0x48100 | 0x365 |
| GetProcAddress | - | 0x100001190 | 0x48d08 | 0x48108 | 0x24c |
| CreateDirectoryA | - | 0x100001198 | 0x48d10 | 0x48110 | 0x7c |
| GetTempPathW | - | 0x1000011a0 | 0x48d18 | 0x48118 | 0x28c |
| GetTimeZoneInformation | - | 0x1000011a8 | 0x48d20 | 0x48120 | 0x29f |
| GetModuleFileNameW | - | 0x1000011b0 | 0x48d28 | 0x48128 | 0x21a |
| FileTimeToSystemTime | - | 0x1000011b8 | 0x48d30 | 0x48130 | 0x12b |
| GetFileAttributesA | - | 0x1000011c0 | 0x48d38 | 0x48138 | 0x1ec |
| GetVersionExW | - | 0x1000011c8 | 0x48d40 | 0x48140 | 0x2ac |
| CopyFileW | - | 0x1000011d0 | 0x48d48 | 0x48148 | 0x75 |
| LoadLibraryW | - | 0x1000011d8 | 0x48d50 | 0x48150 | 0x341 |
| GetSystemWindowsDirectoryW | - | 0x1000011e0 | 0x48d58 | 0x48158 | 0x283 |
| MoveFileExW | - | 0x1000011e8 | 0x48d60 | 0x48160 | 0x362 |
| FreeLibrary | - | 0x1000011f0 | 0x48d68 | 0x48168 | 0x168 |
| GetSystemDefaultLangID | - | 0x1000011f8 | 0x48d70 | 0x48170 | 0x273 |
| GetWindowsDirectoryW | - | 0x100001200 | 0x48d78 | 0x48178 | 0x2b7 |
| WriteProfileStringW | - | 0x100001208 | 0x48d80 | 0x48180 | 0x541 |
| WritePrivateProfileStringW | - | 0x100001210 | 0x48d88 | 0x48188 | 0x53a |
| RaiseException | - | 0x100001218 | 0x48d90 | 0x48190 | 0x3b4 |
| CreateFileW | - | 0x100001220 | 0x48d98 | 0x48198 | 0x8f |
| GetFileAttributesW | - | 0x100001228 | 0x48da0 | 0x481a0 | 0x1f1 |
| SizeofResource | - | 0x100001230 | 0x48da8 | 0x481a8 | 0x4bf |
| GetSystemDirectoryW | - | 0x100001238 | 0x48db0 | 0x481b0 | 0x277 |
| GetPrivateProfileStringW | - | 0x100001240 | 0x48db8 | 0x481b8 | 0x249 |
| GetProfileStringW | - | 0x100001248 | 0x48dc0 | 0x481c0 | 0x264 |
| RtlCaptureContext | - | 0x100001250 | 0x48dc8 | 0x481c8 | 0x418 |
| RtlLookupFunctionEntry | - | 0x100001258 | 0x48dd0 | 0x481d0 | 0x41f |
| RegisterApplicationRestart | - | 0x100001260 | 0x48dd8 | 0x481d8 | 0x3f3 |
| WriteFile | - | 0x100001268 | 0x48de0 | 0x481e0 | 0x534 |
| GetTickCount | - | 0x100001270 | 0x48de8 | 0x481e8 | 0x29a |
| GetUserDefaultLCID | - | 0x100001278 | 0x48df0 | 0x481f0 | 0x2a3 |
| CreateDirectoryW | - | 0x100001280 | 0x48df8 | 0x481f8 | 0x81 |
| LoadResource | - | 0x100001288 | 0x48e00 | 0x48200 | 0x343 |
| FindResourceW | - | 0x100001290 | 0x48e08 | 0x48208 | 0x154 |
| LCIDToLocaleName | - | 0x100001298 | 0x48e10 | 0x48210 | 0x32c |
| QueryPerformanceCounter | - | 0x1000012a0 | 0x48e18 | 0x48218 | 0x3a9 |
| GetCurrentThreadId | - | 0x1000012a8 | 0x48e20 | 0x48220 | 0x1cb |
| FindFirstFileW | - | 0x1000012b0 | 0x48e28 | 0x48228 | 0x13f |
| GetCurrentProcessId | - | 0x1000012b8 | 0x48e30 | 0x48230 | 0x1c7 |
| GetSystemTimeAsFileTime | - | 0x1000012c0 | 0x48e38 | 0x48238 | 0x280 |
| TerminateProcess | - | 0x1000012c8 | 0x48e40 | 0x48240 | 0x4ce |
| GetCurrentProcess | - | 0x1000012d0 | 0x48e48 | 0x48248 | 0x1c6 |
| UnhandledExceptionFilter | - | 0x1000012d8 | 0x48e50 | 0x48250 | 0x4e2 |
| RtlVirtualUnwind | - | 0x1000012e0 | 0x48e58 | 0x48258 | 0x426 |
| GetModuleHandleW | - | 0x1000012e8 | 0x48e60 | 0x48260 | 0x21e |
USER32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| LoadStringW | - | 0x1000013c0 | 0x48f38 | 0x48338 | 0x1fe |
| CharNextA | - | 0x1000013c8 | 0x48f40 | 0x48340 | 0x2f |
msvcrt.dll (40)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _onexit | - | 0x100001408 | 0x48f80 | 0x48380 | 0x27f |
| _lock | - | 0x100001410 | 0x48f88 | 0x48388 | 0x1d5 |
| __dllonexit | - | 0x100001418 | 0x48f90 | 0x48390 | 0x6d |
| _unlock | - | 0x100001420 | 0x48f98 | 0x48398 | 0x330 |
| ?terminate@@YAXXZ | - | 0x100001428 | 0x48fa0 | 0x483a0 | 0x30 |
| __set_app_type | - | 0x100001430 | 0x48fa8 | 0x483a8 | 0x80 |
| _fmode | - | 0x100001438 | 0x48fb0 | 0x483b0 | 0x118 |
| _commode | - | 0x100001440 | 0x48fb8 | 0x483b8 | 0xc4 |
| __setusermatherr | - | 0x100001448 | 0x48fc0 | 0x483c0 | 0x82 |
| _initterm | - | 0x100001450 | 0x48fc8 | 0x483c8 | 0x16c |
| _acmdln | - | 0x100001458 | 0x48fd0 | 0x483d0 | 0x94 |
| exit | - | 0x100001460 | 0x48fd8 | 0x483d8 | 0x420 |
| _cexit | - | 0x100001468 | 0x48fe0 | 0x483e0 | 0xb3 |
| _ismbblead | - | 0x100001470 | 0x48fe8 | 0x483e8 | 0x188 |
| _exit | - | 0x100001478 | 0x48ff0 | 0x483f0 | 0xff |
| _XcptFilter | - | 0x100001480 | 0x48ff8 | 0x483f8 | 0x52 |
| __C_specific_handler | - | 0x100001488 | 0x49000 | 0x48400 | 0x53 |
| __getmainargs | - | 0x100001490 | 0x49008 | 0x48408 | 0x71 |
| free | - | 0x100001498 | 0x49010 | 0x48410 | 0x43a |
| _wtol | - | 0x1000014a0 | 0x49018 | 0x48418 | 0x3f7 |
| _vsnwprintf | - | 0x1000014a8 | 0x49020 | 0x48420 | 0x358 |
| ??_V@YAXPEAX@Z | - | 0x1000014b0 | 0x49028 | 0x48428 | 0x24 |
| wcsstr | - | 0x1000014b8 | 0x49030 | 0x48430 | 0x502 |
| wcsrchr | - | 0x1000014c0 | 0x49038 | 0x48438 | 0x4fe |
| _wcslwr | - | 0x1000014c8 | 0x49040 | 0x48440 | 0x37d |
| _wcsnicmp | - | 0x1000014d0 | 0x49048 | 0x48448 | 0x383 |
| ??_U@YAPEAX_K@Z | - | 0x1000014d8 | 0x49050 | 0x48450 | 0x22 |
| mbstowcs | - | 0x1000014e0 | 0x49058 | 0x48458 | 0x47b |
| _wcsicmp | - | 0x1000014e8 | 0x49060 | 0x48460 | 0x379 |
| wcschr | - | 0x1000014f0 | 0x49068 | 0x48468 | 0x4ef |
| memset | - | 0x1000014f8 | 0x49070 | 0x48470 | 0x484 |
| _amsg_exit | - | 0x100001500 | 0x49078 | 0x48478 | 0xa0 |
| iswalpha | - | 0x100001508 | 0x49080 | 0x48480 | 0x45d |
| iswalnum | - | 0x100001510 | 0x49088 | 0x48488 | 0x45c |
| swscanf | - | 0x100001518 | 0x49090 | 0x48490 | 0x4cb |
| _wtoi | - | 0x100001520 | 0x49098 | 0x48498 | 0x3f3 |
| malloc | - | 0x100001528 | 0x490a0 | 0x484a0 | 0x474 |
| _vsnprintf | - | 0x100001530 | 0x490a8 | 0x484a8 | 0x352 |
| _itow | - | 0x100001538 | 0x490b0 | 0x484b0 | 0x1c8 |
| memcpy | - | 0x100001540 | 0x490b8 | 0x484b8 | 0x480 |
ole32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CoUninitialize | - | 0x100001550 | 0x490c8 | 0x484c8 | 0x70 |
| StringFromGUID2 | - | 0x100001558 | 0x490d0 | 0x484d0 | 0x1b5 |
| CoInitialize | - | 0x100001560 | 0x490d8 | 0x484d8 | 0x42 |
| CoCreateGuid | - | 0x100001568 | 0x490e0 | 0x484e0 | 0x13 |
| PropVariantClear | - | 0x100001570 | 0x490e8 | 0x484e8 | 0x184 |
| CoCreateInstance | - | 0x100001578 | 0x490f0 | 0x484f0 | 0x14 |
OLEAUT32.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SysAllocString | 0x2 | 0x1000012f8 | 0x48e70 | 0x48270 | - |
| VariantClear | 0x9 | 0x100001300 | 0x48e78 | 0x48278 | - |
| SysFreeString | 0x6 | 0x100001308 | 0x48e80 | 0x48280 | - |
| SystemTimeToVariantTime | 0xb8 | 0x100001310 | 0x48e88 | 0x48288 | - |
| VariantTimeToSystemTime | 0xb9 | 0x100001318 | 0x48e90 | 0x48290 | - |
VERSION.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetFileVersionInfoW | - | 0x1000013d8 | 0x48f50 | 0x48350 | 0x6 |
| GetFileVersionInfoSizeW | - | 0x1000013e0 | 0x48f58 | 0x48358 | 0x5 |
| VerQueryValueW | - | 0x1000013e8 | 0x48f60 | 0x48360 | 0xe |
SHELL32.dll (10)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SHGetPathFromIDListA | - | 0x100001328 | 0x48ea0 | 0x482a0 | 0xd5 |
| SHGetSpecialFolderPathW | - | 0x100001330 | 0x48ea8 | 0x482a8 | 0xe1 |
| SHCreateItemFromParsingName | - | 0x100001338 | 0x48eb0 | 0x482b0 | 0x90 |
| SHGetPathFromIDListW | - | 0x100001340 | 0x48eb8 | 0x482b8 | 0xd7 |
| ShellExecuteW | - | 0x100001348 | 0x48ec0 | 0x482c0 | 0x122 |
| SHGetMalloc | - | 0x100001350 | 0x48ec8 | 0x482c8 | 0xcf |
| SHGetSpecialFolderLocation | - | 0x100001358 | 0x48ed0 | 0x482d0 | 0xdf |
| SHGetFolderPathW | - | 0x100001360 | 0x48ed8 | 0x482d8 | 0xc3 |
| SHChangeNotify | - | 0x100001368 | 0x48ee0 | 0x482e0 | 0x7f |
| SHSetLocalizedName | - | 0x100001370 | 0x48ee8 | 0x482e8 | 0x108 |
SHLWAPI.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| PathUnExpandEnvStringsW | - | 0x100001380 | 0x48ef8 | 0x482f8 | 0x99 |
| PathAddBackslashW | - | 0x100001388 | 0x48f00 | 0x48300 | 0x30 |
| PathIsDirectoryW | - | 0x100001390 | 0x48f08 | 0x48308 | 0x5b |
| PathRemoveFileSpecW | - | 0x100001398 | 0x48f10 | 0x48310 | 0x8b |
| PathRemoveBlanksW | - | 0x1000013a0 | 0x48f18 | 0x48318 | 0x87 |
| PathAppendW | - | 0x1000013a8 | 0x48f20 | 0x48320 | 0x34 |
| PathAddBackslashA | - | 0x1000013b0 | 0x48f28 | 0x48328 | 0x2f |
slc.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SLGetWindowsInformationDWORD | - | 0x100001588 | 0x49100 | 0x48500 | 0x17 |
WMDRMSDK.DLL (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WMDRMCreateProvider | - | 0x1000013f8 | 0x48f70 | 0x48370 | 0x5 |
| c:\users\keecfmwgj\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-4219442223-4223814209-3835049652-1000\4fe4574abf1bcb0f6ed6a78aa750fb2c_b9c8f16e-2e51-4052-9ecb-f86ae5d96ef6 | Dropped File | Stream |
clean
|
...
|
»
| MIME Type | application/octet-stream |
| File Size | 1.40 KB |
| MD5 |
4f99679ff726380c97ece181f816ccb5
|
| SHA1 |
3692554b58dbff6a71be17c27ebff7c9948348ef
|
| SHA256 |
edc6261c01e8e88b2a9b225e36582e88791b1ca755237819b5d143a5e2a11a91
|
| SSDeep |
24:gIYeLPfFnRUDOx4B2KdQ+gbeRTrmebdFth+176TUI5yqGPPDbMD+J:gIYw9RUDRPg0TVbdlA7Mn5MPDAD+J
|
| ImpHash | - |
| c:\users\keecfmwgj\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-4219442223-4223814209-3835049652-1000\4fe4574abf1bcb0f6ed6a78aa750fb2c_b9c8f16e-2e51-4052-9ecb-f86ae5d96ef6 | Dropped File | Stream |
clean
Known to be clean.
|
...
|
»
| MIME Type | application/octet-stream |
| File Size | 1.40 KB |
| MD5 |
47004e9476902c9edf00a876de754c18
|
| SHA1 |
35601f97b68e8526c97fc6e7622b8b4fb1af9592
|
| SHA256 |
72275404c470b62a5ff49013e3f952d9480afd5c7e45b6c504235823da4894ae
|
| SSDeep |
3::
|
| ImpHash | - |
| c:\users\keecfmwgj\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-4219442223-4223814209-3835049652-1000\4fe4574abf1bcb0f6ed6a78aa750fb2c_b9c8f16e-2e51-4052-9ecb-f86ae5d96ef6 | Dropped File | Stream |
clean
|
...
|
»
| MIME Type | application/octet-stream |
| File Size | 1.42 KB |
| MD5 |
7d648ab0547964cd66b64cd0cddec45d
|
| SHA1 |
51a1cf184726277b03c25167c23ffed46e01a92a
|
| SHA256 |
a650f61765d668cb35df7c2a2f08112f67ef6b5011a14290922cbc7eca79bd3c
|
| SSDeep |
24:wIYeLPfFnRUDQeFlriaV7JuNVzXK9twUraKHLpVpsgDORSkIuLDD5F0pVNztv+:wIYw9RUDBrXuHzXWtw+aILpVpB4LDD5d
|
| ImpHash | - |
