Malicious
Classifications
Injector Backdoor
Threat Names
AsyncRAT Gen:Trojan.Heur.IEC.908d4036d15 Gen:Variant.Graftor.946163
Dynamic Analysis Report
Created on 2021-09-28T05:39:00
de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797.exe
Windows Exe (x86-32)
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
| Filters: |
There are no files for this filter
There are no files in this analysis
| File Name | Category | Type | Verdict | Actions |
|---|
| C:\Users\RDhJ0CNFevzX\Desktop\de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797.exe | Sample File | Binary |
malicious
|
...
|
»
| Also Known As | C:\Users\RDhJ0CNFevzX\AppData\Roaming\cf\ct.exe (Dropped File) |
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 650.41 KB |
| MD5 |
133c10454108aa86301f79a03aa24046
|
| SHA1 |
21439179cb8700406d57332079ab311d08b0c9bf
|
| SHA256 |
de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797
|
| SSDeep |
6144:Xsh7P4K387yYg9ihPBJ1G08ozfjqXXTewGJX/MHeKPwE+8sS6rU8jcxJ8:8h7l38OKJBWkzfwS/M+KGtLHX
|
| ImpHash |
835f485ca718411734d873f35af1695e
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Gen:Trojan.Heur.IEC.908d4036d15 |
malicious
|
PE Information
»
| Image Base | 0x400000 |
| Entry Point | 0x4034f0 |
| Size Of Code | 0x81000 |
| Size Of Initialized Data | 0x19000 |
| File Type | FileType.executable |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.i386 |
| Compile Timestamp | 2021-09-25 12:15:50+00:00 |
Version Information (5)
»
| ProductName | ExtendedRTFDemo |
| FileVersion | 1.00 |
| ProductVersion | 1.00 |
| InternalName | a |
| OriginalFilename | a.exe |
Sections (3)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x401000 | 0x801c8 | 0x81000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.22 |
| .data | 0x482000 | 0x4a48 | 0x1000 | 0x82000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
| .rsrc | 0x487000 | 0x133f8 | 0x14000 | 0x83000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.03 |
Imports (1)
»
MSVBVM60.DLL (216)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __vbaVarTstGt | - | 0x401000 | 0x8037c | 0x8037c | 0x195 |
| (by ordinal) | 0x246 | 0x401004 | 0x80380 | 0x80380 | - |
| __vbaVarSub | - | 0x401008 | 0x80384 | 0x80384 | 0x184 |
| (by ordinal) | 0x247 | 0x40100c | 0x80388 | 0x80388 | - |
| __vbaStrI2 | - | 0x401010 | 0x8038c | 0x8038c | 0x13c |
| __vbaNextEachAry | - | 0x401014 | 0x80390 | 0x80390 | 0xf8 |
| _CIcos | - | 0x401018 | 0x80394 | 0x80394 | 0x53 |
| _adj_fptan | - | 0x40101c | 0x80398 | 0x80398 | 0x1b3 |
| __vbaVarMove | - | 0x401020 | 0x8039c | 0x8039c | 0x178 |
| __vbaStrI4 | - | 0x401024 | 0x803a0 | 0x803a0 | 0x13d |
| __vbaVarVargNofree | - | 0x401028 | 0x803a4 | 0x803a4 | 0x199 |
| __vbaAryMove | - | 0x40102c | 0x803a8 | 0x803a8 | 0x5f |
| __vbaFreeVar | - | 0x401030 | 0x803ac | 0x803ac | 0xb1 |
| __vbaLineInputStr | - | 0x401034 | 0x803b0 | 0x803b0 | 0xed |
| __vbaLateIdCall | - | 0x401038 | 0x803b4 | 0x803b4 | 0xd5 |
| __vbaStrVarMove | - | 0x40103c | 0x803b8 | 0x803b8 | 0x148 |
| (by ordinal) | 0x24c | 0x401040 | 0x803bc | 0x803bc | - |
| __vbaLenBstr | - | 0x401044 | 0x803c0 | 0x803c0 | 0xe9 |
| __vbaFreeVarList | - | 0x401048 | 0x803c4 | 0x803c4 | 0xb2 |
| __vbaEnd | - | 0x40104c | 0x803c8 | 0x803c8 | 0x88 |
| _adj_fdiv_m64 | - | 0x401050 | 0x803cc | 0x803cc | 0x1aa |
| __vbaFpCDblR8 | - | 0x401054 | 0x803d0 | 0x803d0 | 0xa3 |
| (by ordinal) | 0x26c | 0x401058 | 0x803d4 | 0x803d4 | - |
| __vbaVarIndexStore | - | 0x40105c | 0x803d8 | 0x803d8 | 0x16d |
| __vbaNextEachVar | - | 0x401060 | 0x803dc | 0x803dc | 0xfc |
| __vbaLineInputVar | - | 0x401064 | 0x803e0 | 0x803e0 | 0xee |
| __vbaFreeObjList | - | 0x401068 | 0x803e4 | 0x803e4 | 0xae |
| (by ordinal) | 0x204 | 0x40106c | 0x803e8 | 0x803e8 | - |
| __vbaStrErrVarCopy | - | 0x401070 | 0x803ec | 0x803ec | 0x13a |
| __vbaVarIndexLoadRef | - | 0x401074 | 0x803f0 | 0x803f0 | 0x16b |
| (by ordinal) | 0x205 | 0x401078 | 0x803f4 | 0x803f4 | - |
| _adj_fprem1 | - | 0x40107c | 0x803f8 | 0x803f8 | 0x1b2 |
| __vbaRecAnsiToUni | - | 0x401080 | 0x803fc | 0x803fc | 0x11e |
| (by ordinal) | 0x207 | 0x401084 | 0x80400 | 0x80400 | - |
| __vbaI2Abs | - | 0x401088 | 0x80404 | 0x80404 | 0xc1 |
| __vbaStrCat | - | 0x40108c | 0x80408 | 0x80408 | 0x133 |
| __vbaWriteFile | - | 0x401090 | 0x8040c | 0x8040c | 0x1a6 |
| __vbaRecDestruct | - | 0x401094 | 0x80410 | 0x80410 | 0x120 |
| __vbaSetSystemError | - | 0x401098 | 0x80414 | 0x80414 | 0x12d |
| __vbaHresultCheckObj | - | 0x40109c | 0x80418 | 0x80418 | 0xc0 |
| (by ordinal) | 0x22c | 0x4010a0 | 0x8041c | 0x8041c | - |
| (by ordinal) | 0x299 | 0x4010a4 | 0x80420 | 0x80420 | - |
| __vbaLenVar | - | 0x4010a8 | 0x80424 | 0x80424 | 0xeb |
| __vbaVargVarCopy | - | 0x4010ac | 0x80428 | 0x80428 | 0x1a2 |
| _adj_fdiv_m32 | - | 0x4010b0 | 0x8042c | 0x8042c | 0x1a8 |
| (by ordinal) | 0x29a | 0x4010b4 | 0x80430 | 0x80430 | - |
| __vbaAryVar | - | 0x4010b8 | 0x80434 | 0x80434 | 0x64 |
| __vbaVarTstLe | - | 0x4010bc | 0x80438 | 0x80438 | 0x196 |
| (by ordinal) | 0x29b | 0x4010c0 | 0x8043c | 0x8043c | - |
| __vbaAryDestruct | - | 0x4010c4 | 0x80440 | 0x80440 | 0x5d |
| __vbaVarIndexLoadRefLock | - | 0x4010c8 | 0x80444 | 0x80444 | 0x16c |
| __vbaLateMemSt | - | 0x4010cc | 0x80448 | 0x80448 | 0xe5 |
| __vbaVarForInit | - | 0x4010d0 | 0x8044c | 0x8044c | 0x166 |
| __vbaForEachCollObj | - | 0x4010d4 | 0x80450 | 0x80450 | 0x9f |
| (by ordinal) | 0x251 | 0x4010d8 | 0x80454 | 0x80454 | - |
| __vbaExitProc | - | 0x4010dc | 0x80458 | 0x80458 | 0x92 |
| (by ordinal) | 0x12c | 0x4010e0 | 0x8045c | 0x8045c | - |
| __vbaObjSet | - | 0x4010e4 | 0x80460 | 0x80460 | 0xff |
| __vbaOnError | - | 0x4010e8 | 0x80464 | 0x80464 | 0x102 |
| (by ordinal) | 0x253 | 0x4010ec | 0x80468 | 0x80468 | - |
| _adj_fdiv_m16i | - | 0x4010f0 | 0x8046c | 0x8046c | 0x1a7 |
| (by ordinal) | 0x12f | 0x4010f4 | 0x80470 | 0x80470 | - |
| __vbaObjSetAddref | - | 0x4010f8 | 0x80474 | 0x80474 | 0x100 |
| _adj_fdivr_m16i | - | 0x4010fc | 0x80478 | 0x80478 | 0x1ac |
| (by ordinal) | 0x256 | 0x401100 | 0x8047c | 0x8047c | - |
| __vbaVarIndexLoad | - | 0x401104 | 0x80480 | 0x80480 | 0x16a |
| __vbaCyStr | - | 0x401108 | 0x80484 | 0x80484 | 0x7e |
| __vbaFpR4 | - | 0x40110c | 0x80488 | 0x80488 | 0xaa |
| (by ordinal) | 0x132 | 0x401110 | 0x8048c | 0x8048c | - |
| __vbaBoolVar | - | 0x401114 | 0x80490 | 0x80490 | 0x68 |
| (by ordinal) | 0x135 | 0x401118 | 0x80494 | 0x80494 | - |
| __vbaVargVar | - | 0x40111c | 0x80498 | 0x80498 | 0x1a1 |
| __vbaVarTstLt | - | 0x401120 | 0x8049c | 0x8049c | 0x197 |
| (by ordinal) | 0x20b | 0x401124 | 0x804a0 | 0x804a0 | - |
| __vbaRefVarAry | - | 0x401128 | 0x804a4 | 0x804a4 | 0x129 |
| __vbaFpR8 | - | 0x40112c | 0x804a8 | 0x804a8 | 0xab |
| __vbaBoolVarNull | - | 0x401130 | 0x804ac | 0x804ac | 0x69 |
| _CIsin | - | 0x401134 | 0x804b0 | 0x804b0 | 0x56 |
| __vbaErase | - | 0x401138 | 0x804b4 | 0x804b4 | 0x89 |
| (by ordinal) | 0x277 | 0x40113c | 0x804b8 | 0x804b8 | - |
| (by ordinal) | 0x278 | 0x401140 | 0x804bc | 0x804bc | - |
| (by ordinal) | 0x20d | 0x401144 | 0x804c0 | 0x804c0 | - |
| __vbaVarZero | - | 0x401148 | 0x804c4 | 0x804c4 | 0x19b |
| __vbaNextEachCollObj | - | 0x40114c | 0x804c8 | 0x804c8 | 0xfa |
| __vbaVargVarMove | - | 0x401150 | 0x804cc | 0x804cc | 0x1a3 |
| __vbaVarCmpGt | - | 0x401154 | 0x804d0 | 0x804d0 | 0x15b |
| __vbaChkstk | - | 0x401158 | 0x804d4 | 0x804d4 | 0x6f |
| (by ordinal) | 0x20e | 0x40115c | 0x804d8 | 0x804d8 | - |
| __vbaFileClose | - | 0x401160 | 0x804dc | 0x804dc | 0x97 |
| EVENT_SINK_AddRef | - | 0x401164 | 0x804e0 | 0x804e0 | 0x11 |
| (by ordinal) | 0x20f | 0x401168 | 0x804e4 | 0x804e4 | - |
| __vbaGenerateBoundsError | - | 0x40116c | 0x804e8 | 0x804e8 | 0xb4 |
| __vbaGet3 | - | 0x401170 | 0x804ec | 0x804ec | 0xb5 |
| (by ordinal) | 0x211 | 0x401174 | 0x804f0 | 0x804f0 | - |
| __vbaStrCmp | - | 0x401178 | 0x804f4 | 0x804f4 | 0x134 |
| __vbaAryConstruct2 | - | 0x40117c | 0x804f8 | 0x804f8 | 0x5b |
| __vbaVarTstEq | - | 0x401180 | 0x804fc | 0x804fc | 0x193 |
| (by ordinal) | 0x230 | 0x401184 | 0x80500 | 0x80500 | - |
| __vbaObjVar | - | 0x401188 | 0x80504 | 0x80504 | 0x101 |
| (by ordinal) | 0x231 | 0x40118c | 0x80508 | 0x80508 | - |
| __vbaI2I4 | - | 0x401190 | 0x8050c | 0x8050c | 0xc5 |
| DllFunctionCall | - | 0x401194 | 0x80510 | 0x80510 | 0xb |
| __vbaVarLateMemSt | - | 0x401198 | 0x80514 | 0x80514 | 0x173 |
| __vbaCastObjVar | - | 0x40119c | 0x80518 | 0x80518 | 0x6c |
| __vbaStrR4 | - | 0x4011a0 | 0x8051c | 0x8051c | 0x140 |
| __vbaLbound | - | 0x4011a4 | 0x80520 | 0x80520 | 0xe7 |
| __vbaRedimPreserve | - | 0x4011a8 | 0x80524 | 0x80524 | 0x124 |
| _adj_fpatan | - | 0x4011ac | 0x80528 | 0x80528 | 0x1b0 |
| __vbaR4Var | - | 0x4011b0 | 0x8052c | 0x8052c | 0x112 |
| __vbaLateIdCallLd | - | 0x4011b4 | 0x80530 | 0x80530 | 0xd6 |
| __vbaStrR8 | - | 0x4011b8 | 0x80534 | 0x80534 | 0x141 |
| __vbaRedim | - | 0x4011bc | 0x80538 | 0x80538 | 0x123 |
| __vbaRecUniToAnsi | - | 0x4011c0 | 0x8053c | 0x8053c | 0x122 |
| EVENT_SINK_Release | - | 0x4011c4 | 0x80540 | 0x80540 | 0x15 |
| __vbaUI1I2 | - | 0x4011c8 | 0x80544 | 0x80544 | 0x14c |
| _CIsqrt | - | 0x4011cc | 0x80548 | 0x80548 | 0x57 |
| __vbaObjIs | - | 0x4011d0 | 0x8054c | 0x8054c | 0xfe |
| __vbaRedimVar | - | 0x4011d4 | 0x80550 | 0x80550 | 0x127 |
| __vbaVarAnd | - | 0x4011d8 | 0x80554 | 0x80554 | 0x157 |
| EVENT_SINK_QueryInterface | - | 0x4011dc | 0x80558 | 0x80558 | 0x14 |
| (by ordinal) | 0x2c6 | 0x4011e0 | 0x8055c | 0x8055c | - |
| __vbaVarMul | - | 0x4011e4 | 0x80560 | 0x80560 | 0x179 |
| __vbaExceptHandler | - | 0x4011e8 | 0x80564 | 0x80564 | 0x8e |
| (by ordinal) | 0x2c7 | 0x4011ec | 0x80568 | 0x80568 | - |
| __vbaPrintFile | - | 0x4011f0 | 0x8056c | 0x8056c | 0x105 |
| (by ordinal) | 0x2c8 | 0x4011f4 | 0x80570 | 0x80570 | - |
| __vbaStrToUnicode | - | 0x4011f8 | 0x80574 | 0x80574 | 0x145 |
| __vbaExitEachAry | - | 0x4011fc | 0x80578 | 0x80578 | 0x8f |
| (by ordinal) | 0x25e | 0x401200 | 0x8057c | 0x8057c | - |
| (by ordinal) | 0x2c9 | 0x401204 | 0x80580 | 0x80580 | - |
| _adj_fprem | - | 0x401208 | 0x80584 | 0x80584 | 0x1b1 |
| _adj_fdivr_m64 | - | 0x40120c | 0x80588 | 0x80588 | 0x1af |
| (by ordinal) | 0x25f | 0x401210 | 0x8058c | 0x8058c | - |
| __vbaI2Str | - | 0x401214 | 0x80590 | 0x80590 | 0xc7 |
| __vbaVarDiv | - | 0x401218 | 0x80594 | 0x80594 | 0x161 |
| (by ordinal) | 0x2cc | 0x40121c | 0x80598 | 0x80598 | - |
| __vbaFPException | - | 0x401220 | 0x8059c | 0x8059c | 0x93 |
| __vbaInStrVar | - | 0x401224 | 0x805a0 | 0x805a0 | 0xd2 |
| (by ordinal) | 0x2cd | 0x401228 | 0x805a4 | 0x805a4 | - |
| __vbaUbound | - | 0x40122c | 0x805a8 | 0x805a8 | 0x151 |
| __vbaStrVarVal | - | 0x401230 | 0x805ac | 0x805ac | 0x149 |
| (by ordinal) | 0x216 | 0x401234 | 0x805b0 | 0x805b0 | - |
| __vbaVarCat | - | 0x401238 | 0x805b4 | 0x805b4 | 0x158 |
| __vbaCheckType | - | 0x40123c | 0x805b8 | 0x805b8 | 0x6d |
| __vbaI2Var | - | 0x401240 | 0x805bc | 0x805bc | 0xc8 |
| (by ordinal) | 0x219 | 0x401244 | 0x805c0 | 0x805c0 | - |
| (by ordinal) | 0x284 | 0x401248 | 0x805c4 | 0x805c4 | - |
| (by ordinal) | 0x285 | 0x40124c | 0x805c8 | 0x805c8 | - |
| _CIlog | - | 0x401250 | 0x805cc | 0x805cc | 0x55 |
| __vbaErrorOverflow | - | 0x401254 | 0x805d0 | 0x805d0 | 0x8d |
| __vbaFileOpen | - | 0x401258 | 0x805d4 | 0x805d4 | 0x9a |
| __vbaR8Str | - | 0x40125c | 0x805d8 | 0x805d8 | 0x11b |
| (by ordinal) | 0x23a | 0x401260 | 0x805dc | 0x805dc | - |
| __vbaVar2Vec | - | 0x401264 | 0x805e0 | 0x805e0 | 0x154 |
| (by ordinal) | 0x288 | 0x401268 | 0x805e4 | 0x805e4 | - |
| __vbaInStr | - | 0x40126c | 0x805e8 | 0x805e8 | 0xd0 |
| __vbaNew2 | - | 0x401270 | 0x805ec | 0x805ec | 0xf7 |
| (by ordinal) | 0x23b | 0x401274 | 0x805f0 | 0x805f0 | - |
| _adj_fdiv_m32i | - | 0x401278 | 0x805f4 | 0x805f4 | 0x1a9 |
| _adj_fdivr_m32i | - | 0x40127c | 0x805f8 | 0x805f8 | 0x1ae |
| __vbaStrCopy | - | 0x401280 | 0x805fc | 0x805fc | 0x137 |
| (by ordinal) | 0x2a9 | 0x401284 | 0x80600 | 0x80600 | - |
| __vbaI4Str | - | 0x401288 | 0x80604 | 0x80604 | 0xce |
| __vbaVarCmpLt | - | 0x40128c | 0x80608 | 0x80608 | 0x15d |
| __vbaFreeStrList | - | 0x401290 | 0x8060c | 0x8060c | 0xb0 |
| __vbaVarNot | - | 0x401294 | 0x80610 | 0x80610 | 0x17b |
| (by ordinal) | 0x240 | 0x401298 | 0x80614 | 0x80614 | - |
| _adj_fdivr_m32 | - | 0x40129c | 0x80618 | 0x80618 | 0x1ad |
| _adj_fdiv_r | - | 0x4012a0 | 0x8061c | 0x8061c | 0x1ab |
| (by ordinal) | 0x2ad | 0x4012a4 | 0x80620 | 0x80620 | - |
| (by ordinal) | 0x64 | 0x4012a8 | 0x80624 | 0x80624 | - |
| __vbaVarTstNe | - | 0x4012ac | 0x80628 | 0x80628 | 0x198 |
| __vbaVarSetVar | - | 0x4012b0 | 0x8062c | 0x8062c | 0x182 |
| __vbaI4Var | - | 0x4012b4 | 0x80630 | 0x80630 | 0xcf |
| __vbaForEachAry | - | 0x4012b8 | 0x80634 | 0x80634 | 0x9d |
| __vbaVarCmpEq | - | 0x4012bc | 0x80638 | 0x80638 | 0x159 |
| __vbaVarAdd | - | 0x4012c0 | 0x8063c | 0x8063c | 0x156 |
| __vbaAryLock | - | 0x4012c4 | 0x80640 | 0x80640 | 0x5e |
| __vbaLateMemCall | - | 0x4012c8 | 0x80644 | 0x80644 | 0xde |
| __vbaStrToAnsi | - | 0x4012cc | 0x80648 | 0x80648 | 0x144 |
| __vbaVarDup | - | 0x4012d0 | 0x8064c | 0x8064c | 0x162 |
| __vbaFpI2 | - | 0x4012d4 | 0x80650 | 0x80650 | 0xa8 |
| (by ordinal) | 0x268 | 0x4012d8 | 0x80654 | 0x80654 | - |
| __vbaVarLateMemCallLd | - | 0x4012dc | 0x80658 | 0x80658 | 0x170 |
| __vbaVarCopy | - | 0x4012e0 | 0x8065c | 0x8065c | 0x15f |
| __vbaFpI4 | - | 0x4012e4 | 0x80660 | 0x80660 | 0xa9 |
| __vbaRecDestructAnsi | - | 0x4012e8 | 0x80664 | 0x80664 | 0x121 |
| (by ordinal) | 0x269 | 0x4012ec | 0x80668 | 0x80668 | - |
| __vbaVarSetObjAddref | - | 0x4012f0 | 0x8066c | 0x8066c | 0x17f |
| __vbaR8IntI2 | - | 0x4012f4 | 0x80670 | 0x80670 | 0x118 |
| __vbaLateMemCallLd | - | 0x4012f8 | 0x80674 | 0x80674 | 0xdf |
| _CIatan | - | 0x4012fc | 0x80678 | 0x80678 | 0x52 |
| __vbaAryCopy | - | 0x401300 | 0x8067c | 0x8067c | 0x5c |
| __vbaI2ErrVar | - | 0x401304 | 0x80680 | 0x80680 | 0xc3 |
| (by ordinal) | 0x26a | 0x401308 | 0x80684 | 0x80684 | - |
| __vbaStrMove | - | 0x40130c | 0x80688 | 0x80688 | 0x13f |
| __vbaCastObj | - | 0x401310 | 0x8068c | 0x8068c | 0x6b |
| __vbaI4Cy | - | 0x401314 | 0x80690 | 0x80690 | 0xca |
| __vbaForEachVar | - | 0x401318 | 0x80694 | 0x80694 | 0xa1 |
| __vbaStrVarCopy | - | 0x40131c | 0x80698 | 0x80698 | 0x147 |
| __vbaR8IntI4 | - | 0x401320 | 0x8069c | 0x8069c | 0x119 |
| _allmul | - | 0x401324 | 0x806a0 | 0x806a0 | 0x1b4 |
| __vbaLateIdSt | - | 0x401328 | 0x806a4 | 0x806a4 | 0xdc |
| __vbaLateMemCallSt | - | 0x40132c | 0x806a8 | 0x806a8 | 0xe0 |
| _CItan | - | 0x401330 | 0x806ac | 0x806ac | 0x58 |
| __vbaFPInt | - | 0x401334 | 0x806b0 | 0x806b0 | 0x95 |
| __vbaAryUnlock | - | 0x401338 | 0x806b4 | 0x806b4 | 0x63 |
| __vbaVarForNext | - | 0x40133c | 0x806b8 | 0x806b8 | 0x167 |
| _CIexp | - | 0x401340 | 0x806bc | 0x806bc | 0x54 |
| __vbaStrCy | - | 0x401344 | 0x806c0 | 0x806c0 | 0x138 |
| __vbaMidStmtBstr | - | 0x401348 | 0x806c4 | 0x806c4 | 0xf1 |
| (by ordinal) | 0x244 | 0x40134c | 0x806c8 | 0x806c8 | - |
| __vbaI4ErrVar | - | 0x401350 | 0x806cc | 0x806cc | 0xcb |
| __vbaFreeStr | - | 0x401354 | 0x806d0 | 0x806d0 | 0xaf |
| __vbaFreeObj | - | 0x401358 | 0x806d4 | 0x806d4 | 0xad |
| (by ordinal) | 0x245 | 0x40135c | 0x806d8 | 0x806d8 | - |
Memory Dumps (5)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797.exe | 1 | 0x00400000 | 0x0049AFFF | Relevant Image |
|
32-bit | 0x004034F0 |
|
|
...
|
| buffer | 1 | 0x004B0000 | 0x004BFFFF | Marked Executable |
|
32-bit | - |
|
|
...
|
| buffer | 1 | 0x004B0000 | 0x004BFFFF | First Execution |
|
32-bit | 0x004B6ED8 |
|
|
...
|
| de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797.exe | 1 | 0x00400000 | 0x0049AFFF | Final Dump |
|
32-bit | 0x00479C39 |
|
|
...
|
| de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797.exe | 1 | 0x00400000 | 0x0049AFFF | Process Termination |
|
32-bit | - |
|
|
...
|
| d9c17df04c721f2aa4bccdca72fb2624d25dda1c22fbf90329f2979e2d21db0b | Embedded File | Binary |
clean
Known to be clean.
|
...
|
»
| Parent File | C:\Users\RDhJ0CNFevzX\Desktop\de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797.exe |
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 52.50 KB |
| MD5 |
85228ad12f953079d7d0e3e22986013d
|
| SHA1 |
084fc036c5b403c08c0bb54c6fd419b3a0cbb585
|
| SHA256 |
d9c17df04c721f2aa4bccdca72fb2624d25dda1c22fbf90329f2979e2d21db0b
|
| SSDeep |
768:p053TrLlzWPEMfLQE9L5f8yDkHzXJpz7eDKiZWEHSNuzpRt:pADrwEAF8yDWz5pvMKi1yNuzrt
|
| ImpHash |
8cc82c721174b206d0bdb2c34ed3f9ca
|
PE Information
»
| Image Base | 0x180000000 |
| Entry Point | 0x1800071a0 |
| Size Of Code | 0x7200 |
| Size Of Initialized Data | 0x6400 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_gui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 1978-05-30 22:41:10+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporation |
| FileDescription | System Settings Telemetry Common |
| FileVersion | 10.0.19041.1151 (WinBuild.160101.0800) |
| InternalName | Telemetry.Common |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | Telemetry.Common.dll |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 10.0.19041.1151 |
Sections (6)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x180001000 | 0x7162 | 0x7200 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.18 |
| .rdata | 0x180009000 | 0x40c6 | 0x4200 | 0x7600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.75 |
| .data | 0x18000e000 | 0xff8 | 0x800 | 0xb800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.73 |
| .pdata | 0x18000f000 | 0x924 | 0xa00 | 0xc000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.13 |
| .rsrc | 0x180010000 | 0x430 | 0x600 | 0xca00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.53 |
| .reloc | 0x180011000 | 0x148 | 0x200 | 0xd000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.89 |
Imports (23)
»
api-ms-win-core-libraryloader-l1-2-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetModuleHandleExW | - | 0x1800090a0 | 0xbc20 | 0xa220 | 0x13 |
| GetProcAddress | - | 0x1800090a8 | 0xbc28 | 0xa228 | 0x15 |
| GetModuleHandleW | - | 0x1800090b0 | 0xbc30 | 0xa230 | 0x14 |
| GetModuleFileNameA | - | 0x1800090b8 | 0xbc38 | 0xa238 | 0xf |
| DisableThreadLibraryCalls | - | 0x1800090c0 | 0xbc40 | 0xa240 | 0x1 |
api-ms-win-eventing-provider-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| EventWriteTransfer | - | 0x180009328 | 0xbea8 | 0xa4a8 | 0x9 |
| EventSetInformation | - | 0x180009330 | 0xbeb0 | 0xa4b0 | 0x4 |
| EventRegister | - | 0x180009338 | 0xbeb8 | 0xa4b8 | 0x3 |
| EventUnregister | - | 0x180009340 | 0xbec0 | 0xa4c0 | 0x5 |
api-ms-win-core-synch-l1-2-0.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| InitOnceExecuteOnce | - | 0x1800091b8 | 0xbd38 | 0xa338 | 0x15 |
| InitOnceBeginInitialize | - | 0x1800091c0 | 0xbd40 | 0xa340 | 0x13 |
| InitOnceComplete | - | 0x1800091c8 | 0xbd48 | 0xa348 | 0x14 |
api-ms-win-core-debug-l1-1-0.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| OutputDebugStringW | - | 0x180009018 | 0xbb98 | 0xa198 | 0x7 |
| DebugBreak | - | 0x180009020 | 0xbba0 | 0xa1a0 | 0x4 |
| IsDebuggerPresent | - | 0x180009028 | 0xbba8 | 0xa1a8 | 0x5 |
api-ms-win-core-processthreads-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetCurrentProcessId | - | 0x1800090e0 | 0xbc60 | 0xa260 | 0xd |
| GetCurrentThreadId | - | 0x1800090e8 | 0xbc68 | 0xa268 | 0x11 |
| GetCurrentProcess | - | 0x1800090f0 | 0xbc70 | 0xa270 | 0xc |
| TerminateProcess | - | 0x1800090f8 | 0xbc78 | 0xa278 | 0x4f |
api-ms-win-core-localization-l1-2-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| FormatMessageW | - | 0x1800090d0 | 0xbc50 | 0xa250 | 0x9 |
api-ms-win-core-synch-l1-1-0.dll (13)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateSemaphoreExW | - | 0x180009148 | 0xbcc8 | 0xa2c8 | 0xb |
| WaitForSingleObject | - | 0x180009150 | 0xbcd0 | 0xa2d0 | 0x36 |
| ReleaseSRWLockExclusive | - | 0x180009158 | 0xbcd8 | 0xa2d8 | 0x24 |
| AcquireSRWLockExclusive | - | 0x180009160 | 0xbce0 | 0xa2e0 | 0x0 |
| CreateMutexExW | - | 0x180009168 | 0xbce8 | 0xa2e8 | 0x9 |
| ReleaseMutex | - | 0x180009170 | 0xbcf0 | 0xa2f0 | 0x23 |
| ReleaseSemaphore | - | 0x180009178 | 0xbcf8 | 0xa2f8 | 0x26 |
| WaitForSingleObjectEx | - | 0x180009180 | 0xbd00 | 0xa300 | 0x37 |
| EnterCriticalSection | - | 0x180009188 | 0xbd08 | 0xa308 | 0x11 |
| LeaveCriticalSection | - | 0x180009190 | 0xbd10 | 0xa310 | 0x1d |
| DeleteCriticalSection | - | 0x180009198 | 0xbd18 | 0xa318 | 0xf |
| InitializeCriticalSectionEx | - | 0x1800091a0 | 0xbd20 | 0xa320 | 0x1a |
| OpenSemaphoreW | - | 0x1800091a8 | 0xbd28 | 0xa328 | 0x21 |
api-ms-win-core-heap-l1-1-0.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| HeapAlloc | - | 0x180009070 | 0xbbf0 | 0xa1f0 | 0x2 |
| HeapFree | - | 0x180009078 | 0xbbf8 | 0xa1f8 | 0x6 |
| GetProcessHeap | - | 0x180009080 | 0xbc00 | 0xa200 | 0x0 |
api-ms-win-core-errorhandling-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| SetUnhandledExceptionFilter | - | 0x180009038 | 0xbbb8 | 0xa1b8 | 0xf |
| UnhandledExceptionFilter | - | 0x180009040 | 0xbbc0 | 0xa1c0 | 0x11 |
| GetLastError | - | 0x180009048 | 0xbbc8 | 0xa1c8 | 0x5 |
| SetLastError | - | 0x180009050 | 0xbbd0 | 0xa1d0 | 0xd |
api-ms-win-core-handle-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CloseHandle | - | 0x180009060 | 0xbbe0 | 0xa1e0 | 0x0 |
api-ms-win-core-com-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CoCreateGuid | - | 0x180009000 | 0xbb80 | 0xa180 | 0x8 |
| CoCreateFreeThreadedMarshaler | - | 0x180009008 | 0xbb88 | 0xa188 | 0x7 |
wincorlib.DLL (32)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z | - | 0x180009350 | 0xbed0 | 0xa4d0 | 0x56 |
| ?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ | - | 0x180009358 | 0xbed8 | 0xa4d8 | 0xb9 |
| ?CreateException@Exception@Platform@@SAPE$AAV12@HPE$AAVString@2@@Z | - | 0x180009360 | 0xbee0 | 0xa4e0 | 0x5b |
| ?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ | - | 0x180009368 | 0xbee8 | 0xa4e8 | 0xf9 |
| ?__abi_WinRTraiseDisconnectedException@@YAXXZ | - | 0x180009370 | 0xbef0 | 0xa4f0 | 0xe2 |
| ?__abi_WinRTraiseFailureException@@YAXXZ | - | 0x180009378 | 0xbef8 | 0xa4f8 | 0xe3 |
| ?__abi_WinRTraiseOperationCanceledException@@YAXXZ | - | 0x180009380 | 0xbf00 | 0xa500 | 0xe9 |
| ?Free@Heap@Details@Platform@@SAXPEAX@Z | - | 0x180009388 | 0xbf08 | 0xa508 | 0x7d |
| ?__abi_WinRTraiseInvalidArgumentException@@YAXXZ | - | 0x180009390 | 0xbf10 | 0xa510 | 0xe4 |
| ?__abi_WinRTraiseInvalidCastException@@YAXXZ | - | 0x180009398 | 0xbf18 | 0xa518 | 0xe5 |
| ?__abi_WinRTraiseCOMException@@YAXJ@Z | - | 0x1800093a0 | 0xbf20 | 0xa520 | 0xdf |
| ?__abi_WinRTraiseNullReferenceException@@YAXXZ | - | 0x1800093a8 | 0xbf28 | 0xa528 | 0xe7 |
| ?__abi_WinRTraiseChangedStateException@@YAXXZ | - | 0x1800093b0 | 0xbf30 | 0xa530 | 0xe0 |
| ?__abi_WinRTraiseOutOfBoundsException@@YAXXZ | - | 0x1800093b8 | 0xbf38 | 0xa538 | 0xea |
| ?__abi_WinRTraiseWrongThreadException@@YAXXZ | - | 0x1800093c0 | 0xbf40 | 0xa540 | 0xec |
| ?__abi_WinRTraiseOutOfMemoryException@@YAXXZ | - | 0x1800093c8 | 0xbf48 | 0xa548 | 0xeb |
| ?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z | - | 0x1800093d0 | 0xbf50 | 0xa550 | 0x52 |
| ?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z | - | 0x1800093d8 | 0xbf58 | 0xa558 | 0x54 |
| ??0Object@Platform@@QE$AAA@XZ | - | 0x1800093e0 | 0xbf60 | 0xa560 | 0x21 |
| ??0NotImplementedException@Platform@@QE$AAA@XZ | - | 0x1800093e8 | 0xbf68 | 0xa568 | 0x1e |
| ?__abi_WinRTraiseAccessDeniedException@@YAXXZ | - | 0x1800093f0 | 0xbf70 | 0xa570 | 0xde |
| ?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z | - | 0x1800093f8 | 0xbf78 | 0xa578 | 0x9b |
| ?InitializeData@Details@Platform@@YAJH@Z | - | 0x180009400 | 0xbf80 | 0xa580 | 0xaf |
| ?UninitializeData@Details@Platform@@YAXH@Z | - | 0x180009408 | 0xbf88 | 0xa588 | 0xd5 |
| ?__abi_FailFast@@YAXXZ | - | 0x180009410 | 0xbf90 | 0xa590 | 0xdb |
| ?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z | - | 0x180009418 | 0xbf98 | 0xa598 | 0xb4 |
| ?__abi_WinRTraiseObjectDisposedException@@YAXXZ | - | 0x180009420 | 0xbfa0 | 0xa5a0 | 0xe8 |
| ??0InvalidArgumentException@Platform@@QE$AAA@XZ | - | 0x180009428 | 0xbfa8 | 0xa5a8 | 0x19 |
| ?TerminateModule@Details@Platform@@YA_NPEAVModuleBase@1WRL@Microsoft@@@Z | - | 0x180009430 | 0xbfb0 | 0xa5b0 | 0xbd |
| ?__abi_WinRTraiseNotImplementedException@@YAXXZ | - | 0x180009438 | 0xbfb8 | 0xa5b8 | 0xe6 |
| ?GetActivationFactory@Details@Platform@@YAJPEAVModuleBase@1WRL@Microsoft@@PEAUHSTRING__@@PEAPEAUIActivationFactory@@@Z | - | 0x180009440 | 0xbfc0 | 0xa5c0 | 0x7f |
| ?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ | - | 0x180009448 | 0xbfc8 | 0xa5c8 | 0xe1 |
api-ms-win-crt-string-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| wcslen | - | 0x180009310 | 0xbe90 | 0xa490 | 0xa3 |
| memset | - | 0x180009318 | 0xbe98 | 0xa498 | 0x83 |
api-ms-win-crt-private-l1-1-0.dll (23)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _o___std_exception_copy | - | 0x180009238 | 0xbdb8 | 0xa3b8 | 0x5e |
| _o___std_exception_destroy | - | 0x180009240 | 0xbdc0 | 0xa3c0 | 0x5f |
| _o___std_type_info_destroy_list | - | 0x180009248 | 0xbdc8 | 0xa3c8 | 0x60 |
| _o___stdio_common_vsnprintf_s | - | 0x180009250 | 0xbdd0 | 0xa3d0 | 0x6a |
| _o___stdio_common_vswprintf | - | 0x180009258 | 0xbdd8 | 0xa3d8 | 0x70 |
| _o__cexit | - | 0x180009260 | 0xbde0 | 0xa3e0 | 0x93 |
| _o__configure_narrow_argv | - | 0x180009268 | 0xbde8 | 0xa3e8 | 0xa0 |
| _o__crt_atexit | - | 0x180009270 | 0xbdf0 | 0xa3f0 | 0xa7 |
| _o__errno | - | 0x180009278 | 0xbdf8 | 0xa3f8 | 0xc0 |
| _o__execute_onexit_table | - | 0x180009280 | 0xbe00 | 0xa400 | 0xc2 |
| _o__initialize_narrow_environment | - | 0x180009288 | 0xbe08 | 0xa408 | 0x13c |
| _o__initialize_onexit_table | - | 0x180009290 | 0xbe10 | 0xa410 | 0x13d |
| _o__invalid_parameter_noinfo | - | 0x180009298 | 0xbe18 | 0xa418 | 0x13f |
| _o__register_onexit_function | - | 0x1800092a0 | 0xbe20 | 0xa420 | 0x251 |
| _o__seh_filter_dll | - | 0x1800092a8 | 0xbe28 | 0xa428 | 0x259 |
| _o_free | - | 0x1800092b0 | 0xbe30 | 0xa430 | 0x38c |
| __CxxFrameHandler4 | - | 0x1800092b8 | 0xbe38 | 0xa438 | 0x13 |
| __std_terminate | - | 0x1800092c0 | 0xbe40 | 0xa440 | 0x2a |
| wcsstr | - | 0x1800092c8 | 0xbe48 | 0xa448 | 0x46c |
| _CxxThrowException | - | 0x1800092d0 | 0xbe50 | 0xa450 | 0x1 |
| __CxxFrameHandler3 | - | 0x1800092d8 | 0xbe58 | 0xa458 | 0x12 |
| __C_specific_handler | - | 0x1800092e0 | 0xbe60 | 0xa460 | 0xc |
| memcpy | - | 0x1800092e8 | 0xbe68 | 0xa468 | 0x462 |
api-ms-win-core-winrt-string-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WindowsGetStringRawBuffer | - | 0x180009208 | 0xbd88 | 0xa388 | 0x10 |
| WindowsDeleteString | - | 0x180009210 | 0xbd90 | 0xa390 | 0xc |
| WindowsCreateStringReference | - | 0x180009218 | 0xbd98 | 0xa398 | 0xb |
| WindowsDuplicateString | - | 0x180009220 | 0xbda0 | 0xa3a0 | 0xe |
| WindowsCreateString | - | 0x180009228 | 0xbda8 | 0xa3a8 | 0xa |
api-ms-win-core-winrt-error-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| RoOriginateError | - | 0x1800091f8 | 0xbd78 | 0xa378 | 0x4 |
api-ms-win-core-util-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DecodePointer | - | 0x1800091e8 | 0xbd68 | 0xa368 | 0x1 |
api-ms-win-core-rtlsupport-l1-1-0.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| RtlCaptureContext | - | 0x180009128 | 0xbca8 | 0xa2a8 | 0x2f3 |
| RtlLookupFunctionEntry | - | 0x180009130 | 0xbcb0 | 0xa2b0 | 0x4ea |
| RtlVirtualUnwind | - | 0x180009138 | 0xbcb8 | 0xa2b8 | 0x629 |
api-ms-win-core-processthreads-l1-1-1.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| IsProcessorFeaturePresent | - | 0x180009108 | 0xbc88 | 0xa288 | 0x2f |
api-ms-win-core-profile-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| QueryPerformanceCounter | - | 0x180009118 | 0xbc98 | 0xa298 | 0x0 |
api-ms-win-core-sysinfo-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| GetSystemTimeAsFileTime | - | 0x1800091d8 | 0xbd58 | 0xa358 | 0x16 |
api-ms-win-core-interlocked-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| InitializeSListHead | - | 0x180009090 | 0xbc10 | 0xa210 | 0x0 |
api-ms-win-crt-runtime-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _initterm_e | - | 0x1800092f8 | 0xbe78 | 0xa478 | 0x37 |
| _initterm | - | 0x180009300 | 0xbe80 | 0xa480 | 0x36 |
Exports (2)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| DllCanUnloadNow | 0x7820 | 0x1 |
| DllGetActivationFactory | 0x7840 | 0x2 |
