Verdict: Malicious

Classifications: Injector, Spyware, Backdoor, Keylogger

Threat Names: Quasar, xRAT, QuasarRAT, AZORult (+8 more)

Dynamic Analysis Report

Created on 2021-09-28T10:14:00

efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0.exe

Windows Exe (x86-32)

Remarks (2/3)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "2 minutes, 45 seconds" to "2 seconds" to reveal dormant functionality.

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x0200003A): A task was rescheduled ahead of time to reveal dormant functionality.

File Name: C:\Users\RDhJ0CNFevzX\Desktop\efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0.exe
Category: Sample File
Type: Binary
Verdict: malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 2.01 MB
MD5 b0b78da613422be0de8de2e2a2d0ce68
SHA1 a1aea30e16b3bbf15baf1fbb78499adcc5e11d97
SHA256 efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
SSDeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYQ:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yu
ImpHash afcdf79be1557326c854b6e20cb900a7
Parser Error Remark: Static engine was unable to completely parse the analyzed file
AV Matches (2)
Threat Name Verdict
Trojan.GenericKD.41182905 malicious
AIT:Trojan.Nymeria.1811 malicious
PE Information
Image Base 0x400000
Entry Point 0x427dcd
Size Of Code 0x8de00
Size Of Initialized Data 0x174e00
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2019-03-12 13:38:44+00:00
Version Information (7)
FileDescription Adobe Download Manager
OriginalFilename Adobe Download Manager
CompanyName Adobe Systems Incorporated
FileVersion ...
LegalCopyright Copyright 2018 Adobe Incorporated. All rights reserved.
ProductName Adobe Download Manager
ProductVersion ...
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x8dcc4 0x8de00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.68
.rdata 0x48f000 0x2e10e 0x2e200 0x8e200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.76
.data 0x4be000 0x8f74 0x5200 0xbc400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.2
.rsrc 0x4c7000 0x13a7f8 0x13a800 0xc1600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.62
.reloc 0x602000 0x711c 0x7200 0x1fbe00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.78
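The section table above gives, for each section, its raw size and the entropy of its bytes; those two columns are what an analyst reads first, because an entropy near 8 bits marks packed or encrypted data and a section flagged both writable and executable marks code that rewrites itself. In this sample the numbers to notice are the .rsrc section, 0x13a800 bytes of resources against 0x8de00 bytes of .text (roughly 2.2 times the code), and the .data section at entropy 1.2 (almost empty). The Python below is an added example, not VMRay's code, that reproduces the report's section columns from a PE file using only the standard library and applies those three checks. Because nothing on this page can be executed offline, the block builds a minimal, non-runnable PE32 image in memory as its input (the `build_test_image` helper and `DEMO_SPEC` contents are constructed for the demonstration); pass the bytes of a real file to `parse_sections` to get the same columns for it. Entropy here is computed over the raw on-disk bytes of each section, padding included, so a tool that measures the virtual size instead will report slightly different values.

```python
import math
import struct
from typing import List, NamedTuple, Sequence, Tuple

# Section characteristics from the PE/COFF specification (the flags the report prints).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_address: int   # RVA; the report adds the image base (0x400000) to it
    virtual_size: int
    raw_size: int
    raw_offset: int
    characteristics: int
    entropy: float         # Shannon entropy of the raw bytes, bits per byte


def shannon_entropy(data: bytes) -> float:
    """0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Section]:
    """Walks DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        raw_name, vsize, va, rsize, roff, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + i * 40)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        data = image[roff:roff + rsize]
        if len(data) != rsize:           # truncated file or a lying header: both worth knowing
            raise ValueError(f"section {name}: raw data runs past end of file")
        sections.append(Section(name, va, vsize, rsize, roff, flags, round(shannon_entropy(data), 2)))
    return sections


def triage(sections: Sequence[Section]) -> List[str]:
    """The checks an analyst applies to the section table before opening a disassembler."""
    findings = []
    code_size = sum(s.raw_size for s in sections if s.characteristics & IMAGE_SCN_CNT_CODE)
    for s in sections:
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name}: writable and executable (self-modifying code or unpacking stub)")
        if s.entropy >= 7.0:
            findings.append(f"{s.name}: entropy {s.entropy} (packed or encrypted content)")
        if s.name == ".rsrc" and code_size and s.raw_size > 2 * code_size:
            findings.append(f"{s.name}: {s.raw_size} bytes, over twice the code size; carve the resources")
    return findings


def build_test_image(spec: Sequence[Tuple[str, bytes, int]]) -> bytes:
    """Constructs a minimal PE32 image (not runnable) for the demonstration: DOS header,
    PE signature, COFF header, a zeroed 224-byte optional header, section table, raw data."""
    opt_size, e_lfanew = 224, 0x40
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(spec)
    raw_off = (headers_len + 0x1FF) & ~0x1FF       # file alignment 0x200, as linkers use
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, opt_size, 0x102)
    table, body, va = b"", b"", 0x1000
    for name, data, flags in spec:
        rsize = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, rsize,
                             raw_off + len(body), 0, 0, 0, 0, flags)
        body += data.ljust(rsize, b"\0")
        va += (len(data) + 0xFFF) & ~0xFFF          # section alignment 0x1000
    return (dos + b"PE\0\0" + coff + b"\0" * opt_size + table).ljust(raw_off, b"\0") + body


DEMO_SPEC = [   # constructed contents, chosen so that each check fires once
    (".text", bytes(range(256)) * 4, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", b"A" * 512, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".stub", b"\x90" * 16, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", (bytes(range(256)) * 16)[:4000], IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]

if __name__ == "__main__":
    secs = parse_sections(build_test_image(DEMO_SPEC))
    for s in secs:
        print(f"{s.name:<8} va=0x{s.virtual_address:x} vsize=0x{s.virtual_size:x} "
              f"raw=0x{s.raw_size:x}@0x{s.raw_offset:x} entropy={s.entropy}")
    for f in triage(secs):
        print("!", f)
```

The `raw data runs past end of file` check matters more than it looks: a section header that points beyond the file is one common reason a static engine reports, as this one does, that it could not completely parse the file, and it is also a cheap way for a sample to confuse tools that trust the header sizes.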
Imports (18)
WSOCK32.dll (23)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WSACleanup 0x74 0x48f7c8 0xbad90 0xb9f90 -
socket 0x17 0x48f7cc 0xbad94 0xb9f94 -
inet_ntoa 0xc 0x48f7d0 0xbad98 0xb9f98 -
setsockopt 0x15 0x48f7d4 0xbad9c 0xb9f9c -
ntohs 0xf 0x48f7d8 0xbada0 0xb9fa0 -
recvfrom 0x11 0x48f7dc 0xbada4 0xb9fa4 -
ioctlsocket 0xa 0x48f7e0 0xbada8 0xb9fa8 -
htons 0x9 0x48f7e4 0xbadac 0xb9fac -
WSAStartup 0x73 0x48f7e8 0xbadb0 0xb9fb0 -
__WSAFDIsSet 0x97 0x48f7ec 0xbadb4 0xb9fb4 -
select 0x12 0x48f7f0 0xbadb8 0xb9fb8 -
accept 0x1 0x48f7f4 0xbadbc 0xb9fbc -
listen 0xd 0x48f7f8 0xbadc0 0xb9fc0 -
bind 0x2 0x48f7fc 0xbadc4 0xb9fc4 -
closesocket 0x3 0x48f800 0xbadc8 0xb9fc8 -
WSAGetLastError 0x6f 0x48f804 0xbadcc 0xb9fcc -
recv 0x10 0x48f808 0xbadd0 0xb9fd0 -
sendto 0x14 0x48f80c 0xbadd4 0xb9fd4 -
send 0x13 0x48f810 0xbadd8 0xb9fd8 -
inet_addr 0xb 0x48f814 0xbaddc 0xb9fdc -
gethostbyname 0x34 0x48f818 0xbade0 0xb9fe0 -
gethostname 0x39 0x48f81c 0xbade4 0xb9fe4 -
connect 0x4 0x48f820 0xbade8 0xb9fe8 -
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoW - 0x48f76c 0xbad34 0xb9f34 0x6
GetFileVersionInfoSizeW - 0x48f770 0xbad38 0xb9f38 0x5
VerQueryValueW - 0x48f774 0xbad3c 0xb9f3c 0xe
WINMM.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
timeGetTime - 0x48f7b8 0xbad80 0xb9f80 0x94
waveOutSetVolume - 0x48f7bc 0xbad84 0xb9f84 0xbb
mciSendStringW - 0x48f7c0 0xbad88 0xb9f88 0x32
COMCTL32.dll (11)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ImageList_ReplaceIcon - 0x48f088 0xba650 0xb9850 0x6f
ImageList_Destroy - 0x48f08c 0xba654 0xb9854 0x54
ImageList_Remove - 0x48f090 0xba658 0xb9858 0x6d
ImageList_SetDragCursorImage - 0x48f094 0xba65c 0xb985c 0x72
ImageList_BeginDrag - 0x48f098 0xba660 0xb9860 0x50
ImageList_DragEnter - 0x48f09c 0xba664 0xb9864 0x56
ImageList_DragLeave - 0x48f0a0 0xba668 0xb9868 0x57
ImageList_EndDrag - 0x48f0a4 0xba66c 0xb986c 0x5e
ImageList_DragMove - 0x48f0a8 0xba670 0xb9870 0x58
InitCommonControlsEx - 0x48f0ac 0xba674 0xb9874 0x7b
ImageList_Create - 0x48f0b0 0xba678 0xb9878 0x53
MPR.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WNetUseConnectionW - 0x48f3f8 0xba9c0 0xb9bc0 0x49
WNetCancelConnection2W - 0x48f3fc 0xba9c4 0xb9bc4 0xc
WNetGetConnectionW - 0x48f400 0xba9c8 0xb9bc8 0x24
WNetAddConnection2W - 0x48f404 0xba9cc 0xb9bcc 0x6
WININET.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InternetQueryDataAvailable - 0x48f77c 0xbad44 0xb9f44 0x9b
InternetCloseHandle - 0x48f780 0xbad48 0xb9f48 0x6b
InternetOpenW - 0x48f784 0xbad4c 0xb9f4c 0x9a
InternetSetOptionW - 0x48f788 0xbad50 0xb9f50 0xaf
InternetCrackUrlW - 0x48f78c 0xbad54 0xb9f54 0x74
HttpQueryInfoW - 0x48f790 0xbad58 0xb9f58 0x5a
InternetQueryOptionW - 0x48f794 0xbad5c 0xb9f5c 0x9e
HttpOpenRequestW - 0x48f798 0xbad60 0xb9f60 0x58
HttpSendRequestW - 0x48f79c 0xbad64 0xb9f64 0x5e
FtpOpenFileW - 0x48f7a0 0xbad68 0xb9f68 0x35
FtpGetFileSize - 0x48f7a4 0xbad6c 0xb9f6c 0x32
InternetOpenUrlW - 0x48f7a8 0xbad70 0xb9f70 0x99
InternetReadFile - 0x48f7ac 0xbad74 0xb9f74 0x9f
InternetConnectW - 0x48f7b0 0xbad78 0xb9f78 0x72
PSAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetProcessMemoryInfo - 0x48f484 0xbaa4c 0xb9c4c 0x15
IPHLPAPI.DLL (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IcmpCreateFile - 0x48f154 0xba71c 0xb991c 0x85
IcmpCloseHandle - 0x48f158 0xba720 0xb9920 0x84
IcmpSendEcho - 0x48f15c 0xba724 0xb9924 0x87
USERENV.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DestroyEnvironmentBlock - 0x48f750 0xbad18 0xb9f18 0x4
UnloadUserProfile - 0x48f754 0xbad1c 0xb9f1c 0x2c
CreateEnvironmentBlock - 0x48f758 0xbad20 0xb9f20 0x0
LoadUserProfileW - 0x48f75c 0xbad24 0xb9f24 0x21
UxTheme.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IsThemeActive - 0x48f764 0xbad2c 0xb9f2c 0x3f
KERNEL32.dll (164)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DuplicateHandle - 0x48f164 0xba72c 0xb992c 0xe8
CreateThread - 0x48f168 0xba730 0xb9930 0xb5
WaitForSingleObject - 0x48f16c 0xba734 0xb9934 0x4f9
HeapAlloc - 0x48f170 0xba738 0xb9938 0x2cb
GetProcessHeap - 0x48f174 0xba73c 0xb993c 0x24a
HeapFree - 0x48f178 0xba740 0xb9940 0x2cf
Sleep - 0x48f17c 0xba744 0xb9944 0x4b2
GetCurrentThreadId - 0x48f180 0xba748 0xb9948 0x1c5
MultiByteToWideChar - 0x48f184 0xba74c 0xb994c 0x367
MulDiv - 0x48f188 0xba750 0xb9950 0x366
GetVersionExW - 0x48f18c 0xba754 0xb9954 0x2a4
IsWow64Process - 0x48f190 0xba758 0xb9958 0x30e
GetSystemInfo - 0x48f194 0xba75c 0xb995c 0x273
FreeLibrary - 0x48f198 0xba760 0xb9960 0x162
LoadLibraryA - 0x48f19c 0xba764 0xb9964 0x33c
GetProcAddress - 0x48f1a0 0xba768 0xb9968 0x245
SetErrorMode - 0x48f1a4 0xba76c 0xb996c 0x458
GetModuleFileNameW - 0x48f1a8 0xba770 0xb9970 0x214
WideCharToMultiByte - 0x48f1ac 0xba774 0xb9974 0x511
lstrcpyW - 0x48f1b0 0xba778 0xb9978 0x548
lstrlenW - 0x48f1b4 0xba77c 0xb997c 0x54e
GetModuleHandleW - 0x48f1b8 0xba780 0xb9980 0x218
QueryPerformanceCounter - 0x48f1bc 0xba784 0xb9984 0x3a7
VirtualFreeEx - 0x48f1c0 0xba788 0xb9988 0x4ed
OpenProcess - 0x48f1c4 0xba78c 0xb998c 0x380
VirtualAllocEx - 0x48f1c8 0xba790 0xb9990 0x4ea
WriteProcessMemory - 0x48f1cc 0xba794 0xb9994 0x52e
ReadProcessMemory - 0x48f1d0 0xba798 0xb9998 0x3c3
CreateFileW - 0x48f1d4 0xba79c 0xb999c 0x8f
SetFilePointerEx - 0x48f1d8 0xba7a0 0xb99a0 0x467
SetEndOfFile - 0x48f1dc 0xba7a4 0xb99a4 0x453
ReadFile - 0x48f1e0 0xba7a8 0xb99a8 0x3c0
WriteFile - 0x48f1e4 0xba7ac 0xb99ac 0x525
FlushFileBuffers - 0x48f1e8 0xba7b0 0xb99b0 0x157
TerminateProcess - 0x48f1ec 0xba7b4 0xb99b4 0x4c0
CreateToolhelp32Snapshot - 0x48f1f0 0xba7b8 0xb99b8 0xbe
Process32FirstW - 0x48f1f4 0xba7bc 0xb99bc 0x396
Process32NextW - 0x48f1f8 0xba7c0 0xb99c0 0x398
SetFileTime - 0x48f1fc 0xba7c4 0xb99c4 0x46a
GetFileAttributesW - 0x48f200 0xba7c8 0xb99c8 0x1ea
FindFirstFileW - 0x48f204 0xba7cc 0xb99cc 0x139
SetCurrentDirectoryW - 0x48f208 0xba7d0 0xb99d0 0x44d
GetLongPathNameW - 0x48f20c 0xba7d4 0xb99d4 0x20f
GetShortPathNameW - 0x48f210 0xba7d8 0xb99d8 0x261
DeleteFileW - 0x48f214 0xba7dc 0xb99dc 0xd6
FindNextFileW - 0x48f218 0xba7e0 0xb99e0 0x145
CopyFileExW - 0x48f21c 0xba7e4 0xb99e4 0x72
MoveFileW - 0x48f220 0xba7e8 0xb99e8 0x363
CreateDirectoryW - 0x48f224 0xba7ec 0xb99ec 0x81
RemoveDirectoryW - 0x48f228 0xba7f0 0xb99f0 0x403
SetSystemPowerState - 0x48f22c 0xba7f4 0xb99f4 0x48a
QueryPerformanceFrequency - 0x48f230 0xba7f8 0xb99f8 0x3a8
FindResourceW - 0x48f234 0xba7fc 0xb99fc 0x14e
LoadResource - 0x48f238 0xba800 0xb9a00 0x341
LockResource - 0x48f23c 0xba804 0xb9a04 0x354
SizeofResource - 0x48f240 0xba808 0xb9a08 0x4b1
EnumResourceNamesW - 0x48f244 0xba80c 0xb9a0c 0x102
OutputDebugStringW - 0x48f248 0xba810 0xb9a10 0x38a
GetTempPathW - 0x48f24c 0xba814 0xb9a14 0x285
GetTempFileNameW - 0x48f250 0xba818 0xb9a18 0x283
DeviceIoControl - 0x48f254 0xba81c 0xb9a1c 0xdd
GetLocalTime - 0x48f258 0xba820 0xb9a20 0x203
CompareStringW - 0x48f25c 0xba824 0xb9a24 0x64
GetCurrentProcess - 0x48f260 0xba828 0xb9a28 0x1c0
EnterCriticalSection - 0x48f264 0xba82c 0xb9a2c 0xee
LeaveCriticalSection - 0x48f268 0xba830 0xb9a30 0x339
GetStdHandle - 0x48f26c 0xba834 0xb9a34 0x264
CreatePipe - 0x48f270 0xba838 0xb9a38 0xa1
InterlockedExchange - 0x48f274 0xba83c 0xb9a3c 0x2ec
TerminateThread - 0x48f278 0xba840 0xb9a40 0x4c1
LoadLibraryExW - 0x48f27c 0xba844 0xb9a44 0x33e
FindResourceExW - 0x48f280 0xba848 0xb9a48 0x14d
CopyFileW - 0x48f284 0xba84c 0xb9a4c 0x75
VirtualFree - 0x48f288 0xba850 0xb9a50 0x4ec
FormatMessageW - 0x48f28c 0xba854 0xb9a54 0x15e
GetExitCodeProcess - 0x48f290 0xba858 0xb9a58 0x1df
GetPrivateProfileStringW - 0x48f294 0xba85c 0xb9a5c 0x242
WritePrivateProfileStringW - 0x48f298 0xba860 0xb9a60 0x52b
GetPrivateProfileSectionW - 0x48f29c 0xba864 0xb9a64 0x240
WritePrivateProfileSectionW - 0x48f2a0 0xba868 0xb9a68 0x529
GetPrivateProfileSectionNamesW - 0x48f2a4 0xba86c 0xb9a6c 0x23f
FileTimeToLocalFileTime - 0x48f2a8 0xba870 0xb9a70 0x124
FileTimeToSystemTime - 0x48f2ac 0xba874 0xb9a74 0x125
SystemTimeToFileTime - 0x48f2b0 0xba878 0xb9a78 0x4bd
LocalFileTimeToFileTime - 0x48f2b4 0xba87c 0xb9a7c 0x346
GetDriveTypeW - 0x48f2b8 0xba880 0xb9a80 0x1d3
GetDiskFreeSpaceExW - 0x48f2bc 0xba884 0xb9a84 0x1ce
GetDiskFreeSpaceW - 0x48f2c0 0xba888 0xb9a88 0x1cf
GetVolumeInformationW - 0x48f2c4 0xba88c 0xb9a8c 0x2a7
SetVolumeLabelW - 0x48f2c8 0xba890 0xb9a90 0x4a9
CreateHardLinkW - 0x48f2cc 0xba894 0xb9a94 0x93
SetFileAttributesW - 0x48f2d0 0xba898 0xb9a98 0x461
CreateEventW - 0x48f2d4 0xba89c 0xb9a9c 0x85
SetEvent - 0x48f2d8 0xba8a0 0xb9aa0 0x459
GetEnvironmentVariableW - 0x48f2dc 0xba8a4 0xb9aa4 0x1dc
SetEnvironmentVariableW - 0x48f2e0 0xba8a8 0xb9aa8 0x457
GlobalLock - 0x48f2e4 0xba8ac 0xb9aac 0x2be
GlobalUnlock - 0x48f2e8 0xba8b0 0xb9ab0 0x2c5
GlobalAlloc - 0x48f2ec 0xba8b4 0xb9ab4 0x2b3
GetFileSize - 0x48f2f0 0xba8b8 0xb9ab8 0x1f0
GlobalFree - 0x48f2f4 0xba8bc 0xb9abc 0x2ba
GlobalMemoryStatusEx - 0x48f2f8 0xba8c0 0xb9ac0 0x2c0
Beep - 0x48f2fc 0xba8c4 0xb9ac4 0x36
GetSystemDirectoryW - 0x48f300 0xba8c8 0xb9ac8 0x270
HeapReAlloc - 0x48f304 0xba8cc 0xb9acc 0x2d2
HeapSize - 0x48f308 0xba8d0 0xb9ad0 0x2d4
GetComputerNameW - 0x48f30c 0xba8d4 0xb9ad4 0x18f
GetWindowsDirectoryW - 0x48f310 0xba8d8 0xb9ad8 0x2af
GetCurrentProcessId - 0x48f314 0xba8dc 0xb9adc 0x1c1
GetProcessIoCounters - 0x48f318 0xba8e0 0xb9ae0 0x24e
CreateProcessW - 0x48f31c 0xba8e4 0xb9ae4 0xa8
GetProcessId - 0x48f320 0xba8e8 0xb9ae8 0x24c
SetPriorityClass - 0x48f324 0xba8ec 0xb9aec 0x47d
LoadLibraryW - 0x48f328 0xba8f0 0xb9af0 0x33f
VirtualAlloc - 0x48f32c 0xba8f4 0xb9af4 0x4e9
IsDebuggerPresent - 0x48f330 0xba8f8 0xb9af8 0x300
GetCurrentDirectoryW - 0x48f334 0xba8fc 0xb9afc 0x1bf
lstrcmpiW - 0x48f338 0xba900 0xb9b00 0x545
DecodePointer - 0x48f33c 0xba904 0xb9b04 0xca
GetLastError - 0x48f340 0xba908 0xb9b08 0x202
RaiseException - 0x48f344 0xba90c 0xb9b0c 0x3b1
InitializeCriticalSectionAndSpinCount - 0x48f348 0xba910 0xb9b10 0x2e3
DeleteCriticalSection - 0x48f34c 0xba914 0xb9b14 0xd1
InterlockedDecrement - 0x48f350 0xba918 0xb9b18 0x2eb
InterlockedIncrement - 0x48f354 0xba91c 0xb9b1c 0x2ef
GetCurrentThread - 0x48f358 0xba920 0xb9b20 0x1c4
CloseHandle - 0x48f35c 0xba924 0xb9b24 0x52
GetFullPathNameW - 0x48f360 0xba928 0xb9b28 0x1fb
EncodePointer - 0x48f364 0xba92c 0xb9b2c 0xea
ExitProcess - 0x48f368 0xba930 0xb9b30 0x119
GetModuleHandleExW - 0x48f36c 0xba934 0xb9b34 0x217
ExitThread - 0x48f370 0xba938 0xb9b38 0x11a
GetSystemTimeAsFileTime - 0x48f374 0xba93c 0xb9b3c 0x279
ResumeThread - 0x48f378 0xba940 0xb9b40 0x413
GetCommandLineW - 0x48f37c 0xba944 0xb9b44 0x187
IsProcessorFeaturePresent - 0x48f380 0xba948 0xb9b48 0x304
IsValidCodePage - 0x48f384 0xba94c 0xb9b4c 0x30a
GetACP - 0x48f388 0xba950 0xb9b50 0x168
GetOEMCP - 0x48f38c 0xba954 0xb9b54 0x237
GetCPInfo - 0x48f390 0xba958 0xb9b58 0x172
SetLastError - 0x48f394 0xba95c 0xb9b5c 0x473
UnhandledExceptionFilter - 0x48f398 0xba960 0xb9b60 0x4d3
SetUnhandledExceptionFilter - 0x48f39c 0xba964 0xb9b64 0x4a5
TlsAlloc - 0x48f3a0 0xba968 0xb9b68 0x4c5
TlsGetValue - 0x48f3a4 0xba96c 0xb9b6c 0x4c7
TlsSetValue - 0x48f3a8 0xba970 0xb9b70 0x4c8
TlsFree - 0x48f3ac 0xba974 0xb9b74 0x4c6
GetStartupInfoW - 0x48f3b0 0xba978 0xb9b78 0x263
GetStringTypeW - 0x48f3b4 0xba97c 0xb9b7c 0x269
SetStdHandle - 0x48f3b8 0xba980 0xb9b80 0x487
GetFileType - 0x48f3bc 0xba984 0xb9b84 0x1f3
GetConsoleCP - 0x48f3c0 0xba988 0xb9b88 0x19a
GetConsoleMode - 0x48f3c4 0xba98c 0xb9b8c 0x1ac
RtlUnwind - 0x48f3c8 0xba990 0xb9b90 0x418
ReadConsoleW - 0x48f3cc 0xba994 0xb9b94 0x3be
GetTimeZoneInformation - 0x48f3d0 0xba998 0xb9b98 0x298
GetDateFormatW - 0x48f3d4 0xba99c 0xb9b9c 0x1c8
GetTimeFormatW - 0x48f3d8 0xba9a0 0xb9ba0 0x297
LCMapStringW - 0x48f3dc 0xba9a4 0xb9ba4 0x32d
GetEnvironmentStringsW - 0x48f3e0 0xba9a8 0xb9ba8 0x1da
FreeEnvironmentStringsW - 0x48f3e4 0xba9ac 0xb9bac 0x161
WriteConsoleW - 0x48f3e8 0xba9b0 0xb9bb0 0x524
FindClose - 0x48f3ec 0xba9b4 0xb9bb4 0x12e
SetEnvironmentVariableA - 0x48f3f0 0xba9b8 0xb9bb8 0x456
USER32.dll (160)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AdjustWindowRectEx - 0x48f4cc 0xbaa94 0xb9c94 0x3
CopyImage - 0x48f4d0 0xbaa98 0xb9c98 0x54
SetWindowPos - 0x48f4d4 0xbaa9c 0xb9c9c 0x2c6
GetCursorInfo - 0x48f4d8 0xbaaa0 0xb9ca0 0x11f
RegisterHotKey - 0x48f4dc 0xbaaa4 0xb9ca4 0x256
ClientToScreen - 0x48f4e0 0xbaaa8 0xb9ca8 0x47
GetKeyboardLayoutNameW - 0x48f4e4 0xbaaac 0xb9cac 0x141
IsCharAlphaW - 0x48f4e8 0xbaab0 0xb9cb0 0x1c4
IsCharAlphaNumericW - 0x48f4ec 0xbaab4 0xb9cb4 0x1c3
IsCharLowerW - 0x48f4f0 0xbaab8 0xb9cb8 0x1c6
IsCharUpperW - 0x48f4f4 0xbaabc 0xb9cbc 0x1c8
GetMenuStringW - 0x48f4f8 0xbaac0 0xb9cc0 0x158
GetSubMenu - 0x48f4fc 0xbaac4 0xb9cc4 0x17a
GetCaretPos - 0x48f500 0xbaac8 0xb9cc8 0x10a
IsZoomed - 0x48f504 0xbaacc 0xb9ccc 0x1e2
MonitorFromPoint - 0x48f508 0xbaad0 0xb9cd0 0x218
GetMonitorInfoW - 0x48f50c 0xbaad4 0xb9cd4 0x15f
SetWindowLongW - 0x48f510 0xbaad8 0xb9cd8 0x2c4
SetLayeredWindowAttributes - 0x48f514 0xbaadc 0xb9cdc 0x298
FlashWindow - 0x48f518 0xbaae0 0xb9ce0 0xfb
GetClassLongW - 0x48f51c 0xbaae4 0xb9ce4 0x110
TranslateAcceleratorW - 0x48f520 0xbaae8 0xb9ce8 0x2fa
IsDialogMessageW - 0x48f524 0xbaaec 0xb9cec 0x1cd
GetSysColor - 0x48f528 0xbaaf0 0xb9cf0 0x17b
InflateRect - 0x48f52c 0xbaaf4 0xb9cf4 0x1b5
DrawFocusRect - 0x48f530 0xbaaf8 0xb9cf8 0xc4
DrawTextW - 0x48f534 0xbaafc 0xb9cfc 0xd0
FrameRect - 0x48f538 0xbab00 0xb9d00 0xfd
DrawFrameControl - 0x48f53c 0xbab04 0xb9d04 0xc6
FillRect - 0x48f540 0xbab08 0xb9d08 0xf6
PtInRect - 0x48f544 0xbab0c 0xb9d0c 0x240
DestroyAcceleratorTable - 0x48f548 0xbab10 0xb9d10 0xa0
CreateAcceleratorTableW - 0x48f54c 0xbab14 0xb9d14 0x58
SetCursor - 0x48f550 0xbab18 0xb9d18 0x288
GetWindowDC - 0x48f554 0xbab1c 0xb9d1c 0x192
GetSystemMetrics - 0x48f558 0xbab20 0xb9d20 0x17e
GetActiveWindow - 0x48f55c 0xbab24 0xb9d24 0x100
CharNextW - 0x48f560 0xbab28 0xb9d28 0x31
wsprintfW - 0x48f564 0xbab2c 0xb9d2c 0x333
RedrawWindow - 0x48f568 0xbab30 0xb9d30 0x24a
DrawMenuBar - 0x48f56c 0xbab34 0xb9d34 0xc9
DestroyMenu - 0x48f570 0xbab38 0xb9d38 0xa4
SetMenu - 0x48f574 0xbab3c 0xb9d3c 0x29c
GetWindowTextLengthW - 0x48f578 0xbab40 0xb9d40 0x1a2
CreateMenu - 0x48f57c 0xbab44 0xb9d44 0x6a
IsDlgButtonChecked - 0x48f580 0xbab48 0xb9d48 0x1ce
DefDlgProcW - 0x48f584 0xbab4c 0xb9d4c 0x95
CallWindowProcW - 0x48f588 0xbab50 0xb9d50 0x1e
ReleaseCapture - 0x48f58c 0xbab54 0xb9d54 0x264
SetCapture - 0x48f590 0xbab58 0xb9d58 0x280
CreateIconFromResourceEx - 0x48f594 0xbab5c 0xb9d5c 0x66
mouse_event - 0x48f598 0xbab60 0xb9d60 0x331
ExitWindowsEx - 0x48f59c 0xbab64 0xb9d64 0xf5
SetActiveWindow - 0x48f5a0 0xbab68 0xb9d68 0x27f
FindWindowExW - 0x48f5a4 0xbab6c 0xb9d6c 0xf9
EnumThreadWindows - 0x48f5a8 0xbab70 0xb9d70 0xef
SetMenuDefaultItem - 0x48f5ac 0xbab74 0xb9d74 0x29e
InsertMenuItemW - 0x48f5b0 0xbab78 0xb9d78 0x1b9
IsMenu - 0x48f5b4 0xbab7c 0xb9d7c 0x1d2
TrackPopupMenuEx - 0x48f5b8 0xbab80 0xb9d80 0x2f7
GetCursorPos - 0x48f5bc 0xbab84 0xb9d84 0x120
DeleteMenu - 0x48f5c0 0xbab88 0xb9d88 0x9e
SetRect - 0x48f5c4 0xbab8c 0xb9d8c 0x2ae
GetMenuItemID - 0x48f5c8 0xbab90 0xb9d90 0x152
GetMenuItemCount - 0x48f5cc 0xbab94 0xb9d94 0x151
SetMenuItemInfoW - 0x48f5d0 0xbab98 0xb9d98 0x2a2
GetMenuItemInfoW - 0x48f5d4 0xbab9c 0xb9d9c 0x154
SetForegroundWindow - 0x48f5d8 0xbaba0 0xb9da0 0x293
IsIconic - 0x48f5dc 0xbaba4 0xb9da4 0x1d1
FindWindowW - 0x48f5e0 0xbaba8 0xb9da8 0xfa
MonitorFromRect - 0x48f5e4 0xbabac 0xb9dac 0x219
keybd_event - 0x48f5e8 0xbabb0 0xb9db0 0x330
SendInput - 0x48f5ec 0xbabb4 0xb9db4 0x276
GetAsyncKeyState - 0x48f5f0 0xbabb8 0xb9db8 0x107
SetKeyboardState - 0x48f5f4 0xbabbc 0xb9dbc 0x296
GetKeyboardState - 0x48f5f8 0xbabc0 0xb9dc0 0x142
GetKeyState - 0x48f5fc 0xbabc4 0xb9dc4 0x13d
VkKeyScanW - 0x48f600 0xbabc8 0xb9dc8 0x321
LoadStringW - 0x48f604 0xbabcc 0xb9dcc 0x1fa
DialogBoxParamW - 0x48f608 0xbabd0 0xb9dd0 0xac
MessageBeep - 0x48f60c 0xbabd4 0xb9dd4 0x20d
EndDialog - 0x48f610 0xbabd8 0xb9dd8 0xda
SendDlgItemMessageW - 0x48f614 0xbabdc 0xb9ddc 0x273
GetDlgItem - 0x48f618 0xbabe0 0xb9de0 0x127
SetWindowTextW - 0x48f61c 0xbabe4 0xb9de4 0x2cb
CopyRect - 0x48f620 0xbabe8 0xb9de8 0x55
ReleaseDC - 0x48f624 0xbabec 0xb9dec 0x265
GetDC - 0x48f628 0xbabf0 0xb9df0 0x121
EndPaint - 0x48f62c 0xbabf4 0xb9df4 0xdc
BeginPaint - 0x48f630 0xbabf8 0xb9df8 0xe
GetClientRect - 0x48f634 0xbabfc 0xb9dfc 0x114
GetMenu - 0x48f638 0xbac00 0xb9e00 0x14b
DestroyWindow - 0x48f63c 0xbac04 0xb9e04 0xa6
EnumWindows - 0x48f640 0xbac08 0xb9e08 0xf2
GetDesktopWindow - 0x48f644 0xbac0c 0xb9e0c 0x123
IsWindow - 0x48f648 0xbac10 0xb9e10 0x1db
IsWindowEnabled - 0x48f64c 0xbac14 0xb9e14 0x1dc
IsWindowVisible - 0x48f650 0xbac18 0xb9e18 0x1e0
EnableWindow - 0x48f654 0xbac1c 0xb9e1c 0xd8
InvalidateRect - 0x48f658 0xbac20 0xb9e20 0x1be
GetWindowLongW - 0x48f65c 0xbac24 0xb9e24 0x196
GetWindowThreadProcessId - 0x48f660 0xbac28 0xb9e28 0x1a4
AttachThreadInput - 0x48f664 0xbac2c 0xb9e2c 0xc
GetFocus - 0x48f668 0xbac30 0xb9e30 0x12c
GetWindowTextW - 0x48f66c 0xbac34 0xb9e34 0x1a3
ScreenToClient - 0x48f670 0xbac38 0xb9e38 0x26d
SendMessageTimeoutW - 0x48f674 0xbac3c 0xb9e3c 0x27b
EnumChildWindows - 0x48f678 0xbac40 0xb9e40 0xdf
CharUpperBuffW - 0x48f67c 0xbac44 0xb9e44 0x3b
GetParent - 0x48f680 0xbac48 0xb9e48 0x164
GetDlgCtrlID - 0x48f684 0xbac4c 0xb9e4c 0x126
SendMessageW - 0x48f688 0xbac50 0xb9e50 0x27c
MapVirtualKeyW - 0x48f68c 0xbac54 0xb9e54 0x208
PostMessageW - 0x48f690 0xbac58 0xb9e58 0x236
GetWindowRect - 0x48f694 0xbac5c 0xb9e5c 0x19c
SetUserObjectSecurity - 0x48f698 0xbac60 0xb9e60 0x2be
CloseDesktop - 0x48f69c 0xbac64 0xb9e64 0x4a
CloseWindowStation - 0x48f6a0 0xbac68 0xb9e68 0x4e
OpenDesktopW - 0x48f6a4 0xbac6c 0xb9e6c 0x228
SetProcessWindowStation - 0x48f6a8 0xbac70 0xb9e70 0x2aa
GetProcessWindowStation - 0x48f6ac 0xbac74 0xb9e74 0x168
OpenWindowStationW - 0x48f6b0 0xbac78 0xb9e78 0x22d
GetUserObjectSecurity - 0x48f6b4 0xbac7c 0xb9e7c 0x18c
MessageBoxW - 0x48f6b8 0xbac80 0xb9e80 0x215
DefWindowProcW - 0x48f6bc 0xbac84 0xb9e84 0x9c
SetClipboardData - 0x48f6c0 0xbac88 0xb9e88 0x286
EmptyClipboard - 0x48f6c4 0xbac8c 0xb9e8c 0xd5
CountClipboardFormats - 0x48f6c8 0xbac90 0xb9e90 0x56
CloseClipboard - 0x48f6cc 0xbac94 0xb9e94 0x49
GetClipboardData - 0x48f6d0 0xbac98 0xb9e98 0x116
IsClipboardFormatAvailable - 0x48f6d4 0xbac9c 0xb9e9c 0x1ca
OpenClipboard - 0x48f6d8 0xbaca0 0xb9ea0 0x226
BlockInput - 0x48f6dc 0xbaca4 0xb9ea4 0xf
GetMessageW - 0x48f6e0 0xbaca8 0xb9ea8 0x15d
LockWindowUpdate - 0x48f6e4 0xbacac 0xb9eac 0x1fd
DispatchMessageW - 0x48f6e8 0xbacb0 0xb9eb0 0xaf
TranslateMessage - 0x48f6ec 0xbacb4 0xb9eb4 0x2fc
PeekMessageW - 0x48f6f0 0xbacb8 0xb9eb8 0x233
UnregisterHotKey - 0x48f6f4 0xbacbc 0xb9ebc 0x308
CheckMenuRadioItem - 0x48f6f8 0xbacc0 0xb9ec0 0x40
CharLowerBuffW - 0x48f6fc 0xbacc4 0xb9ec4 0x2d
MoveWindow - 0x48f700 0xbacc8 0xb9ec8 0x21b
SetFocus - 0x48f704 0xbaccc 0xb9ecc 0x292
PostQuitMessage - 0x48f708 0xbacd0 0xb9ed0 0x237
KillTimer - 0x48f70c 0xbacd4 0xb9ed4 0x1e3
CreatePopupMenu - 0x48f710 0xbacd8 0xb9ed8 0x6b
RegisterWindowMessageW - 0x48f714 0xbacdc 0xb9edc 0x263
SetTimer - 0x48f718 0xbace0 0xb9ee0 0x2bb
ShowWindow - 0x48f71c 0xbace4 0xb9ee4 0x2df
CreateWindowExW - 0x48f720 0xbace8 0xb9ee8 0x6e
RegisterClassExW - 0x48f724 0xbacec 0xb9eec 0x24d
LoadIconW - 0x48f728 0xbacf0 0xb9ef0 0x1ed
LoadCursorW - 0x48f72c 0xbacf4 0xb9ef4 0x1eb
GetSysColorBrush - 0x48f730 0xbacf8 0xb9ef8 0x17c
GetForegroundWindow - 0x48f734 0xbacfc 0xb9efc 0x12d
MessageBoxA - 0x48f738 0xbad00 0xb9f00 0x20e
DestroyIcon - 0x48f73c 0xbad04 0xb9f04 0xa3
SystemParametersInfoW - 0x48f740 0xbad08 0xb9f08 0x2ec
LoadImageW - 0x48f744 0xbad0c 0xb9f0c 0x1ef
GetClassNameW - 0x48f748 0xbad10 0xb9f10 0x112
GDI32.dll (35)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
StrokePath - 0x48f0c4 0xba68c 0xb988c 0x2b6
DeleteObject - 0x48f0c8 0xba690 0xb9890 0xe6
GetTextExtentPoint32W - 0x48f0cc 0xba694 0xb9894 0x21e
ExtCreatePen - 0x48f0d0 0xba698 0xb9898 0x132
GetDeviceCaps - 0x48f0d4 0xba69c 0xb989c 0x1cb
EndPath - 0x48f0d8 0xba6a0 0xb98a0 0xf3
SetPixel - 0x48f0dc 0xba6a4 0xb98a4 0x29b
CloseFigure - 0x48f0e0 0xba6a8 0xb98a8 0x1e
CreateCompatibleBitmap - 0x48f0e4 0xba6ac 0xb98ac 0x2f
CreateCompatibleDC - 0x48f0e8 0xba6b0 0xb98b0 0x30
SelectObject - 0x48f0ec 0xba6b4 0xb98b4 0x277
StretchBlt - 0x48f0f0 0xba6b8 0xb98b8 0x2b3
GetDIBits - 0x48f0f4 0xba6bc 0xb98bc 0x1ca
LineTo - 0x48f0f8 0xba6c0 0xb98c0 0x236
AngleArc - 0x48f0fc 0xba6c4 0xb98c4 0x8
MoveToEx - 0x48f100 0xba6c8 0xb98c8 0x23a
Ellipse - 0x48f104 0xba6cc 0xb98cc 0xed
DeleteDC - 0x48f108 0xba6d0 0xb98d0 0xe3
GetPixel - 0x48f10c 0xba6d4 0xb98d4 0x204
CreateDCW - 0x48f110 0xba6d8 0xb98d8 0x32
GetStockObject - 0x48f114 0xba6dc 0xb98dc 0x20d
GetTextFaceW - 0x48f118 0xba6e0 0xb98e0 0x224
CreateFontW - 0x48f11c 0xba6e4 0xb98e4 0x41
SetTextColor - 0x48f120 0xba6e8 0xb98e8 0x2a6
PolyDraw - 0x48f124 0xba6ec 0xb98ec 0x250
BeginPath - 0x48f128 0xba6f0 0xb98f0 0x12
Rectangle - 0x48f12c 0xba6f4 0xb98f4 0x25f
SetViewportOrgEx - 0x48f130 0xba6f8 0xb98f8 0x2a9
GetObjectW - 0x48f134 0xba6fc 0xb98fc 0x1fd
SetBkMode - 0x48f138 0xba700 0xb9900 0x27f
RoundRect - 0x48f13c 0xba704 0xb9904 0x26a
SetBkColor - 0x48f140 0xba708 0xb9908 0x27e
CreatePen - 0x48f144 0xba70c 0xb990c 0x4b
CreateSolidBrush - 0x48f148 0xba710 0xb9910 0x54
StrokeAndFillPath - 0x48f14c 0xba714 0xb9914 0x2b5
COMDLG32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetOpenFileNameW - 0x48f0b8 0xba680 0xb9880 0xc
GetSaveFileNameW - 0x48f0bc 0xba684 0xb9884 0xe
ADVAPI32.dll (33)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetAce - 0x48f000 0xba5c8 0xb97c8 0x123
RegEnumValueW - 0x48f004 0xba5cc 0xb97cc 0x252
RegDeleteValueW - 0x48f008 0xba5d0 0xb97d0 0x248
RegDeleteKeyW - 0x48f00c 0xba5d4 0xb97d4 0x244
RegEnumKeyExW - 0x48f010 0xba5d8 0xb97d8 0x24f
RegSetValueExW - 0x48f014 0xba5dc 0xb97dc 0x27e
RegOpenKeyExW - 0x48f018 0xba5e0 0xb97e0 0x261
RegCloseKey - 0x48f01c 0xba5e4 0xb97e4 0x230
RegQueryValueExW - 0x48f020 0xba5e8 0xb97e8 0x26e
RegConnectRegistryW - 0x48f024 0xba5ec 0xb97ec 0x234
InitializeSecurityDescriptor - 0x48f028 0xba5f0 0xb97f0 0x177
InitializeAcl - 0x48f02c 0xba5f4 0xb97f4 0x176
AdjustTokenPrivileges - 0x48f030 0xba5f8 0xb97f8 0x1f
OpenThreadToken - 0x48f034 0xba5fc 0xb97fc 0x1fc
OpenProcessToken - 0x48f038 0xba600 0xb9800 0x1f7
LookupPrivilegeValueW - 0x48f03c 0xba604 0xb9804 0x197
DuplicateTokenEx - 0x48f040 0xba608 0xb9808 0xdf
CreateProcessAsUserW - 0x48f044 0xba60c 0xb980c 0x7c
CreateProcessWithLogonW - 0x48f048 0xba610 0xb9810 0x7d
GetLengthSid - 0x48f04c 0xba614 0xb9814 0x136
CopySid - 0x48f050 0xba618 0xb9818 0x76
LogonUserW - 0x48f054 0xba61c 0xb981c 0x18d
AllocateAndInitializeSid - 0x48f058 0xba620 0xb9820 0x20
CheckTokenMembership - 0x48f05c 0xba624 0xb9824 0x51
RegCreateKeyExW - 0x48f060 0xba628 0xb9828 0x239
FreeSid - 0x48f064 0xba62c 0xb982c 0x120
GetTokenInformation - 0x48f068 0xba630 0xb9830 0x15a
GetSecurityDescriptorDacl - 0x48f06c 0xba634 0xb9834 0x148
GetAclInformation - 0x48f070 0xba638 0xb9838 0x124
AddAce - 0x48f074 0xba63c 0xb983c 0x16
SetSecurityDescriptorDacl - 0x48f078 0xba640 0xb9840 0x2b6
GetUserNameW - 0x48f07c 0xba644 0xb9844 0x165
InitiateSystemShutdownExW - 0x48f080 0xba648 0xb9848 0x17d
SHELL32.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DragQueryPoint - 0x48f48c 0xbaa54 0xb9c54 0x20
ShellExecuteExW - 0x48f490 0xbaa58 0xb9c58 0x121
DragQueryFileW - 0x48f494 0xbaa5c 0xb9c5c 0x1f
SHEmptyRecycleBinW - 0x48f498 0xbaa60 0xb9c60 0xa5
SHGetPathFromIDListW - 0x48f49c 0xbaa64 0xb9c64 0xd7
SHBrowseForFolderW - 0x48f4a0 0xbaa68 0xb9c68 0x7b
SHCreateShellItem - 0x48f4a4 0xbaa6c 0xb9c6c 0x9a
SHGetDesktopFolder - 0x48f4a8 0xbaa70 0xb9c70 0xb6
SHGetSpecialFolderLocation - 0x48f4ac 0xbaa74 0xb9c74 0xdf
SHGetFolderPathW - 0x48f4b0 0xbaa78 0xb9c78 0xc3
SHFileOperationW - 0x48f4b4 0xbaa7c 0xb9c7c 0xac
ExtractIconExW - 0x48f4b8 0xbaa80 0xb9c80 0x2a
Shell_NotifyIconW - 0x48f4bc 0xbaa84 0xb9c84 0x12e
ShellExecuteW - 0x48f4c0 0xbaa88 0xb9c88 0x122
DragFinish - 0x48f4c4 0xbaa8c 0xb9c8c 0x1b
ole32.dll (22)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoTaskMemAlloc - 0x48f828 0xbadf0 0xb9ff0 0x67
CoTaskMemFree - 0x48f82c 0xbadf4 0xb9ff4 0x68
CLSIDFromString - 0x48f830 0xbadf8 0xb9ff8 0x8
ProgIDFromCLSID - 0x48f834 0xbadfc 0xb9ffc 0x14b
CLSIDFromProgID - 0x48f838 0xbae00 0xba000 0x6
OleSetMenuDescriptor - 0x48f83c 0xbae04 0xba004 0x147
MkParseDisplayName - 0x48f840 0xbae08 0xba008 0xd4
OleSetContainedObject - 0x48f844 0xbae0c 0xba00c 0x146
CoCreateInstance - 0x48f848 0xbae10 0xba010 0x10
IIDFromString - 0x48f84c 0xbae14 0xba014 0xcd
StringFromGUID2 - 0x48f850 0xbae18 0xba018 0x179
CreateStreamOnHGlobal - 0x48f854 0xbae1c 0xba01c 0x86
OleInitialize - 0x48f858 0xbae20 0xba020 0x132
OleUninitialize - 0x48f85c 0xbae24 0xba024 0x149
CoInitialize - 0x48f860 0xbae28 0xba028 0x3e
CoUninitialize - 0x48f864 0xbae2c 0xba02c 0x6c
GetRunningObjectTable - 0x48f868 0xbae30 0xba030 0x97
CoGetInstanceFromFile - 0x48f86c 0xbae34 0xba034 0x2d
CoGetObject - 0x48f870 0xbae38 0xba038 0x35
CoSetProxyBlanket - 0x48f874 0xbae3c 0xba03c 0x63
CoCreateInstanceEx - 0x48f878 0xbae40 0xba040 0x11
CoInitializeSecurity - 0x48f87c 0xbae44 0xba044 0x40
OLEAUT32.dll (29)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LoadTypeLibEx 0xb7 0x48f40c 0xba9d4 0xb9bd4 -
VariantCopyInd 0xb 0x48f410 0xba9d8 0xb9bd8 -
SysReAllocString 0x3 0x48f414 0xba9dc 0xb9bdc -
SysFreeString 0x6 0x48f418 0xba9e0 0xb9be0 -
SafeArrayDestroyDescriptor 0x26 0x48f41c 0xba9e4 0xb9be4 -
SafeArrayDestroyData 0x27 0x48f420 0xba9e8 0xb9be8 -
SafeArrayUnaccessData 0x18 0x48f424 0xba9ec 0xb9bec -
SafeArrayAccessData 0x17 0x48f428 0xba9f0 0xb9bf0 -
SafeArrayAllocData 0x25 0x48f42c 0xba9f4 0xb9bf4 -
SafeArrayAllocDescriptorEx 0x29 0x48f430 0xba9f8 0xb9bf8 -
SafeArrayCreateVector 0x19b 0x48f434 0xba9fc 0xb9bfc -
RegisterTypeLib 0xa3 0x48f438 0xbaa00 0xb9c00 -
CreateStdDispatch 0x20 0x48f43c 0xbaa04 0xb9c04 -
DispCallFunc 0x92 0x48f440 0xbaa08 0xb9c08 -
VariantChangeType 0xc 0x48f444 0xbaa0c 0xb9c0c -
SysStringLen 0x7 0x48f448 0xbaa10 0xb9c10 -
VariantTimeToSystemTime 0xb9 0x48f44c 0xbaa14 0xb9c14 -
VarR8FromDec 0xdc 0x48f450 0xbaa18 0xb9c18 -
SafeArrayGetVartype 0x4d 0x48f454 0xbaa1c 0xb9c1c -
VariantCopy 0xa 0x48f458 0xbaa20 0xb9c20 -
VariantClear 0x9 0x48f45c 0xbaa24 0xb9c24 -
OleLoadPicture 0x1a2 0x48f460 0xbaa28 0xb9c28 -
QueryPathOfRegTypeLib 0xa4 0x48f464 0xbaa2c 0xb9c2c -
RegisterTypeLibForUser 0x1ba 0x48f468 0xbaa30 0xb9c30 -
UnRegisterTypeLibForUser 0x1bb 0x48f46c 0xbaa34 0xb9c34 -
UnRegisterTypeLib 0xba 0x48f470 0xbaa38 0xb9c38 -
CreateDispTypeInfo 0x1f 0x48f474 0xbaa3c 0xb9c3c -
SysAllocString 0x2 0x48f478 0xbaa40 0xb9c40 -
VariantInit 0x8 0x48f47c 0xbaa44 0xb9c44 -
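The ImpHash printed for this sample (afcdf79be1557326c854b6e20cb900a7) and for the dropped vnc.exe (6a003b897ae0bf62ce848978beadd8b7) is an MD5 over a normalized, order-sensitive list of the imports shown in these tables, following the convention pefile established and VirusTotal reports, which is what makes it useful for pivoting to other builds of the same loader even when the embedded payload differs. The one subtlety visible in this report is that WSOCK32.dll and OLEAUT32.dll are imported by ordinal (the Ordinal column is filled, the Hint column is not), and pefile resolves those ordinals to names from built-in tables before hashing, which is why the parser was able to print names for them above; an ordinal it cannot resolve hashes as `ordN`. The Python below is an added example, not VMRay's or pefile's code, that reimplements the normalization so a hash can be reproduced or compared by hand. The `DEMO_IMPORTS` list is constructed from a handful of the sample's imports, and `ORDINAL_NAMES` contains only the ordinal-to-name pairs printed in this report, so it is not a substitute for pefile's complete tables; both are labelled in the code.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

# Ordinal-to-name tables for the DLLs pefile resolves before hashing (ws2_32 and wsock32
# share one table, oleaut32 has its own). Only the pairs printed in the report above are
# listed here; a real tool must use pefile's complete tables (pefile.ordlookup).
_WS2_32 = {0x01: "accept", 0x02: "bind", 0x03: "closesocket", 0x04: "connect", 0x09: "htons",
           0x0A: "ioctlsocket", 0x0B: "inet_addr", 0x0C: "inet_ntoa", 0x0D: "listen",
           0x0F: "ntohs", 0x10: "recv", 0x11: "recvfrom", 0x12: "select", 0x13: "send",
           0x14: "sendto", 0x15: "setsockopt", 0x17: "socket", 0x34: "gethostbyname",
           0x39: "gethostname", 0x6F: "WSAGetLastError", 0x73: "WSAStartup",
           0x74: "WSACleanup", 0x97: "__WSAFDIsSet"}
_OLEAUT32 = {0x02: "SysAllocString", 0x03: "SysReAllocString", 0x06: "SysFreeString",
             0x07: "SysStringLen", 0x08: "VariantInit", 0x09: "VariantClear",
             0x0A: "VariantCopy", 0x0B: "VariantCopyInd", 0x0C: "VariantChangeType"}
ORDINAL_NAMES = {"ws2_32.dll": _WS2_32, "wsock32.dll": _WS2_32, "oleaut32.dll": _OLEAUT32}

Import = Tuple[str, Optional[str], Optional[int]]   # (dll, name or None, ordinal or None)


def normalize(imports: Iterable[Import]) -> str:
    """Builds the string that gets hashed: 'lib.func' pairs in import-table order, lowercased,
    with a .dll/.ocx/.sys extension stripped from the library name and ordinals either
    resolved through ORDINAL_NAMES or rendered as ordN (decimal), as pefile does."""
    parts: List[str] = []
    for dll, name, ordinal in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        if name is None:
            if ordinal is None:
                raise ValueError(f"{dll}: import has neither a name nor an ordinal")
            name = ORDINAL_NAMES.get(dll.lower(), {}).get(ordinal) or f"ord{ordinal}"
        parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    """Hex MD5 of the normalized import string, i.e. the value the report calls ImpHash."""
    return hashlib.md5(normalize(imports).encode("ascii")).hexdigest()


# Constructed import list in the style of the tables above; the WSOCK32 and OLEAUT32 entries
# are by ordinal, exactly as the static parser saw them in the sample. The last entry is a
# hypothetical DLL with no ordinal table, to show the ordN fallback.
DEMO_IMPORTS: List[Import] = [
    ("WSOCK32.dll", None, 0x17), ("WSOCK32.dll", None, 0x73),
    ("KERNEL32.dll", "VirtualAllocEx", None), ("KERNEL32.dll", "WriteProcessMemory", None),
    ("USER32.dll", "GetAsyncKeyState", None), ("OLEAUT32.dll", None, 0x02),
    ("unknown.dll", None, 7),
]

if __name__ == "__main__":
    print(normalize(DEMO_IMPORTS))
    print(imphash(DEMO_IMPORTS))
```

Two practical consequences follow from the normalization. First, the hash is order-sensitive, so two binaries with the same set of imports in a different import-table order get different values; that is intended, since the order is a property of the compiler and linker, not of what the code does. Second, if a hash you compute for a file does not match the value in a report like this one, the usual causes are an incomplete ordinal table (as in the demo above) or a parser that handles a damaged import directory differently, which is worth remembering for a sample whose static parse was reported as incomplete.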
Memory Dumps (28)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA
efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0.exe 1 0x00F20000 0x01129FFF Relevant Image False 32-bit 0x00F43187 True True
buffer 1 0x00EA0000 0x00EA0FFF First Execution False 32-bit 0x00EA00BE False False
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit - True True
efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0.exe 5 0x00F20000 0x01129FFF Relevant Image False 32-bit - True True
buffer 1 0x0154CD98 0x01568F97 Image In Buffer False 32-bit - True True
efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0.exe 1 0x00F20000 0x01129FFF Final Dump False 32-bit 0x00F40CB9 True True
buffer 5 0x000D0000 0x000EFFFF First Execution False 32-bit 0x000EA1F8 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000D329C True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000D2A94 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000D10F8 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000D5628 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000D8178 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000D94D8 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000DA608 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000DB15C True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000DC168 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000DD3AC True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000DE1D4 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000E3BAC True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000E2534 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000E0D80 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000E4800 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000E5644 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000E6DCC True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000E7218 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000E8414 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000D7DE0 True True
buffer 5 0x000D0000 0x000EFFFF Content Changed False 32-bit 0x000D6CE8 True True
YARA Matches (3)
Rule Name Rule Description Classification Score
QuasarRATCommands_1_3 Quasar RAT ver 1.3 packets Backdoor, Spyware 5/5
Quasar_RAT_2 Quasar RAT Backdoor, Spyware 5/5
xrat_quasarrat xRAT malware Backdoor 5/5
C:\Users\RDHJ0C~1\AppData\Local\Temp\vnc.exe Dropped File Binary
malicious
Parent File C:\Users\RDhJ0CNFevzX\btpanui\SystemPropertiesPerformance.exe
MIME Type application/vnd.microsoft.portable-executable
File Size 405.50 KB
MD5 b8ba87ee4c3fc085a2fed0d839aadce1
SHA1 b3a2e3256406330e8b1779199bb2b9865122d766
SHA256 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SSDeep 6144:k6laOx87Xnl7xKK3iDgExiOP+MrRmD+PQXhEHlIxJKqM01FloHJh7GIA4hVvi:k6YmenBMKSUlm+4arHlgJNGIA4hVvi
ImpHash 6a003b897ae0bf62ce848978beadd8b7
File Reputation Information
Verdict malicious
AV Matches (1)
Threat Name Verdict
Trojan.GenericKD.44524794 malicious
PE Information
Image Base 0x400000
Entry Point 0x401620
Size Of Code 0x3600
Size Of Initialized Data 0x61e00
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2019-03-12 09:52:21+00:00
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x35c2 0x3600 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.4
.rdata 0x405000 0x9fe 0xa00 0x3a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.98
.data 0x406000 0x60e40 0x60e00 0x4400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 6.47
.reloc 0x467000 0x370 0x400 0x65200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.01
Imports (5)
ntdll.dll (12)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
NtQueryVirtualMemory - 0x4050c0 0x55dc 0x3fdc 0x135
RtlUnwind - 0x4050c4 0x55e0 0x3fe0 0x396
NtSetContextThread - 0x4050c8 0x55e4 0x3fe4 0x159
NtGetContextThread - 0x4050cc 0x55e8 0x3fe8 0xd0
ZwQueryInformationProcess - 0x4050d0 0x55ec 0x3fec 0x469
RtlNtStatusToDosError - 0x4050d4 0x55f0 0x3ff0 0x30b
ZwClose - 0x4050d8 0x55f4 0x3ff4 0x3e0
NtUnmapViewOfSection - 0x4050dc 0x55f8 0x3ff8 0x191
NtMapViewOfSection - 0x4050e0 0x55fc 0x3ffc 0xea
NtCreateSection - 0x4050e4 0x5600 0x4000 0xaa
memcpy - 0x4050e8 0x5604 0x4004 0x546
memset - 0x4050ec 0x5608 0x4008 0x548
SHLWAPI.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
StrChrA - 0x4050b0 0x55cc 0x3fcc 0x10f
StrRChrA - 0x4050b4 0x55d0 0x3fd0 0x136
PathCombineW - 0x4050b8 0x55d4 0x3fd4 0x3a
PSAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
EnumProcessModules - 0x4050a0 0x55bc 0x3fbc 0x4
KERNEL32.dll (39)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WriteProcessMemory - 0x405000 0x551c 0x3f1c 0x52e
GetFileSize - 0x405004 0x5520 0x3f20 0x1f0
LoadLibraryA - 0x405008 0x5524 0x3f24 0x33c
FreeLibrary - 0x40500c 0x5528 0x3f28 0x162
lstrcmpA - 0x405010 0x552c 0x3f2c 0x541
LeaveCriticalSection - 0x405014 0x5530 0x3f30 0x339
EnterCriticalSection - 0x405018 0x5534 0x3f34 0xee
VirtualProtect - 0x40501c 0x5538 0x3f38 0x4ef
CreateFileA - 0x405020 0x553c 0x3f3c 0x88
GetModuleFileNameA - 0x405024 0x5540 0x3f40 0x213
lstrlenA - 0x405028 0x5544 0x3f44 0x54d
lstrcatA - 0x40502c 0x5548 0x3f48 0x53e
lstrcpyA - 0x405030 0x554c 0x3f4c 0x547
lstrcmpiA - 0x405034 0x5550 0x3f50 0x544
SetFilePointer - 0x405038 0x5554 0x3f54 0x466
GetCurrentProcess - 0x40503c 0x5558 0x3f58 0x1c0
VirtualAllocEx - 0x405040 0x555c 0x3f5c 0x4ea
LocalAlloc - 0x405044 0x5560 0x3f60 0x344
LocalFree - 0x405048 0x5564 0x3f64 0x348
CloseHandle - 0x40504c 0x5568 0x3f68 0x52
GetModuleHandleA - 0x405050 0x556c 0x3f6c 0x215
CreateProcessW - 0x405054 0x5570 0x3f70 0xa8
VirtualProtectEx - 0x405058 0x5574 0x3f74 0x4f0
OpenProcess - 0x40505c 0x5578 0x3f78 0x380
GetCurrentProcessId - 0x405060 0x557c 0x3f7c 0x1c1
SwitchToThread - 0x405064 0x5580 0x3f80 0x4bc
GetLastError - 0x405068 0x5584 0x3f84 0x202
ReadProcessMemory - 0x40506c 0x5588 0x3f88 0x3c3
VirtualFree - 0x405070 0x558c 0x3f8c 0x4ec
GetThreadContext - 0x405074 0x5590 0x3f90 0x286
SuspendThread - 0x405078 0x5594 0x3f94 0x4ba
ResumeThread - 0x40507c 0x5598 0x3f98 0x413
Sleep - 0x405080 0x559c 0x3f9c 0x4b2
GetModuleHandleW - 0x405084 0x55a0 0x3fa0 0x218
GetVersion - 0x405088 0x55a4 0x3fa4 0x2a2
CreateEventA - 0x40508c 0x55a8 0x3fa8 0x82
GetProcAddress - 0x405090 0x55ac 0x3fac 0x245
VirtualAlloc - 0x405094 0x55b0 0x3fb0 0x4e9
ReadFile - 0x405098 0x55b4 0x3fb4 0x3c0
SHELL32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SHGetFolderPathW - 0x4050a8 0x55c4 0x3fc4 0xc3
C:\Users\RDHJ0C~1\AppData\Local\Temp\windef.exe Dropped File Binary
malicious
Also Known As C:\Users\RDhJ0CNFevzX\AppData\Roaming\SubDir\winsock.exe (Dropped File)
Parent File C:\Users\RDhJ0CNFevzX\btpanui\SystemPropertiesPerformance.exe
MIME Type application/vnd.microsoft.portable-executable
File Size 349.00 KB
MD5 b4a202e03d4135484d0e730173abcc72
SHA1 01b30014545ea526c15a60931d676f9392ea0c70
SHA256 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SSDeep 6144:8K2J10qdSlEc39HGx5yVmnKKJfotFCuHi/b25s/Wz0J:8KF6y0KKlotF3iKO/Wz0J
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict malicious
AV Matches (1)
Threat Name Verdict
Trojan.GenericKD.43426068 malicious
PE Information
Image Base 0x400000
Entry Point 0x4587be
Size Of Code 0x56800
Size Of Initialized Data 0xa00
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2019-03-12 13:27:05+00:00
Version Information (7)
FileDescription
FileVersion 1.3.0.0
InternalName Client.exe
LegalCopyright
OriginalFilename Client.exe
ProductVersion 1.3.0.0
Assembly Version 1.3.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0x567c4 0x56800 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.44
.rsrc 0x45a000 0x800 0x800 0x56a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.71
.reloc 0x45c000 0xc 0x200 0x57200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x402000 0x58798 0x56998 0x0
YARA Matches (8)
Rule Name Rule Description Classification Score
QuasarRATCommands_1_3 Quasar RAT ver 1.3 packets Backdoor, Spyware 5/5
Quasar_RAT_2 Quasar RAT Backdoor, Spyware 5/5
xRAT_1 xRAT malware Backdoor 5/5
xrat_quasarrat xRAT malware Backdoor 5/5
QuasarRATCommands_1_3 Quasar RAT ver 1.3 packets Backdoor, Spyware 5/5
Quasar_RAT_2 Quasar RAT Backdoor, Spyware 5/5
xRAT_1 xRAT malware Backdoor 5/5
xrat_quasarrat xRAT malware Backdoor 5/5
C:\Users\RDhJ0CNFevzX\btpanui\SystemPropertiesPerformance.exe Dropped File Binary
malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 2.01 MB
MD5 17acca61c1d0926530a6fdb22ed7bce5
SHA1 71d3a44d14380b2856ad45d9f5555453c8491320
SHA256 122e72d73d1b3a819fe2a9a7b06ca17ff20cd4f43346716de1794efa2318fdf7
SSDeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYq:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yc
ImpHash afcdf79be1557326c854b6e20cb900a7
Parser Error Remark Static engine was unable to completely parse the analyzed file
AV Matches (4)
Threat Name Verdict
Trojan.GenericKD.41182905 malicious
Trojan.GenericKD.44524794 malicious
Trojan.GenericKD.43426068 malicious
AIT:Trojan.Nymeria.1811 malicious
PE Information
Image Base 0x400000
Entry Point 0x427dcd
Size Of Code 0x8de00
Size Of Initialized Data 0x174e00
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2019-03-12 13:38:44+00:00
Version Information (7)
FileDescription Adobe Download Manager
OriginalFilename Adobe Download Manager
CompanyName Adobe Systems Incorporated
FileVersion ...
LegalCopyright Copyright 2018 Adobe Incorporated. All rights reserved.
ProductName Adobe Download Manager
ProductVersion ...
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x8dcc4 0x8de00 0x400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.68
.rdata 0x48f000 0x2e10e 0x2e200 0x8e200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.76
.data 0x4be000 0x8f74 0x5200 0xbc400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 1.2
.rsrc 0x4c7000 0x13a7f8 0x13a800 0xc1600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 6.62
.reloc 0x602000 0x711c 0x7200 0x1fbe00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.78
Imports (18)
WSOCK32.dll (23)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WSACleanup 0x74 0x48f7c8 0xbad90 0xb9f90 -
socket 0x17 0x48f7cc 0xbad94 0xb9f94 -
inet_ntoa 0xc 0x48f7d0 0xbad98 0xb9f98 -
setsockopt 0x15 0x48f7d4 0xbad9c 0xb9f9c -
ntohs 0xf 0x48f7d8 0xbada0 0xb9fa0 -
recvfrom 0x11 0x48f7dc 0xbada4 0xb9fa4 -
ioctlsocket 0xa 0x48f7e0 0xbada8 0xb9fa8 -
htons 0x9 0x48f7e4 0xbadac 0xb9fac -
WSAStartup 0x73 0x48f7e8 0xbadb0 0xb9fb0 -
__WSAFDIsSet 0x97 0x48f7ec 0xbadb4 0xb9fb4 -
select 0x12 0x48f7f0 0xbadb8 0xb9fb8 -
accept 0x1 0x48f7f4 0xbadbc 0xb9fbc -
listen 0xd 0x48f7f8 0xbadc0 0xb9fc0 -
bind 0x2 0x48f7fc 0xbadc4 0xb9fc4 -
closesocket 0x3 0x48f800 0xbadc8 0xb9fc8 -
WSAGetLastError 0x6f 0x48f804 0xbadcc 0xb9fcc -
recv 0x10 0x48f808 0xbadd0 0xb9fd0 -
sendto 0x14 0x48f80c 0xbadd4 0xb9fd4 -
send 0x13 0x48f810 0xbadd8 0xb9fd8 -
inet_addr 0xb 0x48f814 0xbaddc 0xb9fdc -
gethostbyname 0x34 0x48f818 0xbade0 0xb9fe0 -
gethostname 0x39 0x48f81c 0xbade4 0xb9fe4 -
connect 0x4 0x48f820 0xbade8 0xb9fe8 -
VERSION.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFileVersionInfoW - 0x48f76c 0xbad34 0xb9f34 0x6
GetFileVersionInfoSizeW - 0x48f770 0xbad38 0xb9f38 0x5
VerQueryValueW - 0x48f774 0xbad3c 0xb9f3c 0xe
WINMM.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
timeGetTime - 0x48f7b8 0xbad80 0xb9f80 0x94
waveOutSetVolume - 0x48f7bc 0xbad84 0xb9f84 0xbb
mciSendStringW - 0x48f7c0 0xbad88 0xb9f88 0x32
COMCTL32.dll (11)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
ImageList_ReplaceIcon - 0x48f088 0xba650 0xb9850 0x6f
ImageList_Destroy - 0x48f08c 0xba654 0xb9854 0x54
ImageList_Remove - 0x48f090 0xba658 0xb9858 0x6d
ImageList_SetDragCursorImage - 0x48f094 0xba65c 0xb985c 0x72
ImageList_BeginDrag - 0x48f098 0xba660 0xb9860 0x50
ImageList_DragEnter - 0x48f09c 0xba664 0xb9864 0x56
ImageList_DragLeave - 0x48f0a0 0xba668 0xb9868 0x57
ImageList_EndDrag - 0x48f0a4 0xba66c 0xb986c 0x5e
ImageList_DragMove - 0x48f0a8 0xba670 0xb9870 0x58
InitCommonControlsEx - 0x48f0ac 0xba674 0xb9874 0x7b
ImageList_Create - 0x48f0b0 0xba678 0xb9878 0x53
MPR.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
WNetUseConnectionW - 0x48f3f8 0xba9c0 0xb9bc0 0x49
WNetCancelConnection2W - 0x48f3fc 0xba9c4 0xb9bc4 0xc
WNetGetConnectionW - 0x48f400 0xba9c8 0xb9bc8 0x24
WNetAddConnection2W - 0x48f404 0xba9cc 0xb9bcc 0x6
WININET.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
InternetQueryDataAvailable - 0x48f77c 0xbad44 0xb9f44 0x9b
InternetCloseHandle - 0x48f780 0xbad48 0xb9f48 0x6b
InternetOpenW - 0x48f784 0xbad4c 0xb9f4c 0x9a
InternetSetOptionW - 0x48f788 0xbad50 0xb9f50 0xaf
InternetCrackUrlW - 0x48f78c 0xbad54 0xb9f54 0x74
HttpQueryInfoW - 0x48f790 0xbad58 0xb9f58 0x5a
InternetQueryOptionW - 0x48f794 0xbad5c 0xb9f5c 0x9e
HttpOpenRequestW - 0x48f798 0xbad60 0xb9f60 0x58
HttpSendRequestW - 0x48f79c 0xbad64 0xb9f64 0x5e
FtpOpenFileW - 0x48f7a0 0xbad68 0xb9f68 0x35
FtpGetFileSize - 0x48f7a4 0xbad6c 0xb9f6c 0x32
InternetOpenUrlW - 0x48f7a8 0xbad70 0xb9f70 0x99
InternetReadFile - 0x48f7ac 0xbad74 0xb9f74 0x9f
InternetConnectW - 0x48f7b0 0xbad78 0xb9f78 0x72
PSAPI.DLL (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetProcessMemoryInfo - 0x48f484 0xbaa4c 0xb9c4c 0x15
IPHLPAPI.DLL (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IcmpCreateFile - 0x48f154 0xba71c 0xb991c 0x85
IcmpCloseHandle - 0x48f158 0xba720 0xb9920 0x84
IcmpSendEcho - 0x48f15c 0xba724 0xb9924 0x87
USERENV.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DestroyEnvironmentBlock - 0x48f750 0xbad18 0xb9f18 0x4
UnloadUserProfile - 0x48f754 0xbad1c 0xb9f1c 0x2c
CreateEnvironmentBlock - 0x48f758 0xbad20 0xb9f20 0x0
LoadUserProfileW - 0x48f75c 0xbad24 0xb9f24 0x21
UxTheme.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
IsThemeActive - 0x48f764 0xbad2c 0xb9f2c 0x3f
KERNEL32.dll (164)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DuplicateHandle - 0x48f164 0xba72c 0xb992c 0xe8
CreateThread - 0x48f168 0xba730 0xb9930 0xb5
WaitForSingleObject - 0x48f16c 0xba734 0xb9934 0x4f9
HeapAlloc - 0x48f170 0xba738 0xb9938 0x2cb
GetProcessHeap - 0x48f174 0xba73c 0xb993c 0x24a
HeapFree - 0x48f178 0xba740 0xb9940 0x2cf
Sleep - 0x48f17c 0xba744 0xb9944 0x4b2
GetCurrentThreadId - 0x48f180 0xba748 0xb9948 0x1c5
MultiByteToWideChar - 0x48f184 0xba74c 0xb994c 0x367
MulDiv - 0x48f188 0xba750 0xb9950 0x366
GetVersionExW - 0x48f18c 0xba754 0xb9954 0x2a4
IsWow64Process - 0x48f190 0xba758 0xb9958 0x30e
GetSystemInfo - 0x48f194 0xba75c 0xb995c 0x273
FreeLibrary - 0x48f198 0xba760 0xb9960 0x162
LoadLibraryA - 0x48f19c 0xba764 0xb9964 0x33c
GetProcAddress - 0x48f1a0 0xba768 0xb9968 0x245
SetErrorMode - 0x48f1a4 0xba76c 0xb996c 0x458
GetModuleFileNameW - 0x48f1a8 0xba770 0xb9970 0x214
WideCharToMultiByte - 0x48f1ac 0xba774 0xb9974 0x511
lstrcpyW - 0x48f1b0 0xba778 0xb9978 0x548
lstrlenW - 0x48f1b4 0xba77c 0xb997c 0x54e
GetModuleHandleW - 0x48f1b8 0xba780 0xb9980 0x218
QueryPerformanceCounter - 0x48f1bc 0xba784 0xb9984 0x3a7
VirtualFreeEx - 0x48f1c0 0xba788 0xb9988 0x4ed
OpenProcess - 0x48f1c4 0xba78c 0xb998c 0x380
VirtualAllocEx - 0x48f1c8 0xba790 0xb9990 0x4ea
WriteProcessMemory - 0x48f1cc 0xba794 0xb9994 0x52e
ReadProcessMemory - 0x48f1d0 0xba798 0xb9998 0x3c3
CreateFileW - 0x48f1d4 0xba79c 0xb999c 0x8f
SetFilePointerEx - 0x48f1d8 0xba7a0 0xb99a0 0x467
SetEndOfFile - 0x48f1dc 0xba7a4 0xb99a4 0x453
ReadFile - 0x48f1e0 0xba7a8 0xb99a8 0x3c0
WriteFile - 0x48f1e4 0xba7ac 0xb99ac 0x525
FlushFileBuffers - 0x48f1e8 0xba7b0 0xb99b0 0x157
TerminateProcess - 0x48f1ec 0xba7b4 0xb99b4 0x4c0
CreateToolhelp32Snapshot - 0x48f1f0 0xba7b8 0xb99b8 0xbe
Process32FirstW - 0x48f1f4 0xba7bc 0xb99bc 0x396
Process32NextW - 0x48f1f8 0xba7c0 0xb99c0 0x398
SetFileTime - 0x48f1fc 0xba7c4 0xb99c4 0x46a
GetFileAttributesW - 0x48f200 0xba7c8 0xb99c8 0x1ea
FindFirstFileW - 0x48f204 0xba7cc 0xb99cc 0x139
SetCurrentDirectoryW - 0x48f208 0xba7d0 0xb99d0 0x44d
GetLongPathNameW - 0x48f20c 0xba7d4 0xb99d4 0x20f
GetShortPathNameW - 0x48f210 0xba7d8 0xb99d8 0x261
DeleteFileW - 0x48f214 0xba7dc 0xb99dc 0xd6
FindNextFileW - 0x48f218 0xba7e0 0xb99e0 0x145
CopyFileExW - 0x48f21c 0xba7e4 0xb99e4 0x72
MoveFileW - 0x48f220 0xba7e8 0xb99e8 0x363
CreateDirectoryW - 0x48f224 0xba7ec 0xb99ec 0x81
RemoveDirectoryW - 0x48f228 0xba7f0 0xb99f0 0x403
SetSystemPowerState - 0x48f22c 0xba7f4 0xb99f4 0x48a
QueryPerformanceFrequency - 0x48f230 0xba7f8 0xb99f8 0x3a8
FindResourceW - 0x48f234 0xba7fc 0xb99fc 0x14e
LoadResource - 0x48f238 0xba800 0xb9a00 0x341
LockResource - 0x48f23c 0xba804 0xb9a04 0x354
SizeofResource - 0x48f240 0xba808 0xb9a08 0x4b1
EnumResourceNamesW - 0x48f244 0xba80c 0xb9a0c 0x102
OutputDebugStringW - 0x48f248 0xba810 0xb9a10 0x38a
GetTempPathW - 0x48f24c 0xba814 0xb9a14 0x285
GetTempFileNameW - 0x48f250 0xba818 0xb9a18 0x283
DeviceIoControl - 0x48f254 0xba81c 0xb9a1c 0xdd
GetLocalTime - 0x48f258 0xba820 0xb9a20 0x203
CompareStringW - 0x48f25c 0xba824 0xb9a24 0x64
GetCurrentProcess - 0x48f260 0xba828 0xb9a28 0x1c0
EnterCriticalSection - 0x48f264 0xba82c 0xb9a2c 0xee
LeaveCriticalSection - 0x48f268 0xba830 0xb9a30 0x339
GetStdHandle - 0x48f26c 0xba834 0xb9a34 0x264
CreatePipe - 0x48f270 0xba838 0xb9a38 0xa1
InterlockedExchange - 0x48f274 0xba83c 0xb9a3c 0x2ec
TerminateThread - 0x48f278 0xba840 0xb9a40 0x4c1
LoadLibraryExW - 0x48f27c 0xba844 0xb9a44 0x33e
FindResourceExW - 0x48f280 0xba848 0xb9a48 0x14d
CopyFileW - 0x48f284 0xba84c 0xb9a4c 0x75
VirtualFree - 0x48f288 0xba850 0xb9a50 0x4ec
FormatMessageW - 0x48f28c 0xba854 0xb9a54 0x15e
GetExitCodeProcess - 0x48f290 0xba858 0xb9a58 0x1df
GetPrivateProfileStringW - 0x48f294 0xba85c 0xb9a5c 0x242
WritePrivateProfileStringW - 0x48f298 0xba860 0xb9a60 0x52b
GetPrivateProfileSectionW - 0x48f29c 0xba864 0xb9a64 0x240
WritePrivateProfileSectionW - 0x48f2a0 0xba868 0xb9a68 0x529
GetPrivateProfileSectionNamesW - 0x48f2a4 0xba86c 0xb9a6c 0x23f
FileTimeToLocalFileTime - 0x48f2a8 0xba870 0xb9a70 0x124
FileTimeToSystemTime - 0x48f2ac 0xba874 0xb9a74 0x125
SystemTimeToFileTime - 0x48f2b0 0xba878 0xb9a78 0x4bd
LocalFileTimeToFileTime - 0x48f2b4 0xba87c 0xb9a7c 0x346
GetDriveTypeW - 0x48f2b8 0xba880 0xb9a80 0x1d3
GetDiskFreeSpaceExW - 0x48f2bc 0xba884 0xb9a84 0x1ce
GetDiskFreeSpaceW - 0x48f2c0 0xba888 0xb9a88 0x1cf
GetVolumeInformationW - 0x48f2c4 0xba88c 0xb9a8c 0x2a7
SetVolumeLabelW - 0x48f2c8 0xba890 0xb9a90 0x4a9
CreateHardLinkW - 0x48f2cc 0xba894 0xb9a94 0x93
SetFileAttributesW - 0x48f2d0 0xba898 0xb9a98 0x461
CreateEventW - 0x48f2d4 0xba89c 0xb9a9c 0x85
SetEvent - 0x48f2d8 0xba8a0 0xb9aa0 0x459
GetEnvironmentVariableW - 0x48f2dc 0xba8a4 0xb9aa4 0x1dc
SetEnvironmentVariableW - 0x48f2e0 0xba8a8 0xb9aa8 0x457
GlobalLock - 0x48f2e4 0xba8ac 0xb9aac 0x2be
GlobalUnlock - 0x48f2e8 0xba8b0 0xb9ab0 0x2c5
GlobalAlloc - 0x48f2ec 0xba8b4 0xb9ab4 0x2b3
GetFileSize - 0x48f2f0 0xba8b8 0xb9ab8 0x1f0
GlobalFree - 0x48f2f4 0xba8bc 0xb9abc 0x2ba
GlobalMemoryStatusEx - 0x48f2f8 0xba8c0 0xb9ac0 0x2c0
Beep - 0x48f2fc 0xba8c4 0xb9ac4 0x36
GetSystemDirectoryW - 0x48f300 0xba8c8 0xb9ac8 0x270
HeapReAlloc - 0x48f304 0xba8cc 0xb9acc 0x2d2
HeapSize - 0x48f308 0xba8d0 0xb9ad0 0x2d4
GetComputerNameW - 0x48f30c 0xba8d4 0xb9ad4 0x18f
GetWindowsDirectoryW - 0x48f310 0xba8d8 0xb9ad8 0x2af
GetCurrentProcessId - 0x48f314 0xba8dc 0xb9adc 0x1c1
GetProcessIoCounters - 0x48f318 0xba8e0 0xb9ae0 0x24e
CreateProcessW - 0x48f31c 0xba8e4 0xb9ae4 0xa8
GetProcessId - 0x48f320 0xba8e8 0xb9ae8 0x24c
SetPriorityClass - 0x48f324 0xba8ec 0xb9aec 0x47d
LoadLibraryW - 0x48f328 0xba8f0 0xb9af0 0x33f
VirtualAlloc - 0x48f32c 0xba8f4 0xb9af4 0x4e9
IsDebuggerPresent - 0x48f330 0xba8f8 0xb9af8 0x300
GetCurrentDirectoryW - 0x48f334 0xba8fc 0xb9afc 0x1bf
lstrcmpiW - 0x48f338 0xba900 0xb9b00 0x545
DecodePointer - 0x48f33c 0xba904 0xb9b04 0xca
GetLastError - 0x48f340 0xba908 0xb9b08 0x202
RaiseException - 0x48f344 0xba90c 0xb9b0c 0x3b1
InitializeCriticalSectionAndSpinCount - 0x48f348 0xba910 0xb9b10 0x2e3
DeleteCriticalSection - 0x48f34c 0xba914 0xb9b14 0xd1
InterlockedDecrement - 0x48f350 0xba918 0xb9b18 0x2eb
InterlockedIncrement - 0x48f354 0xba91c 0xb9b1c 0x2ef
GetCurrentThread - 0x48f358 0xba920 0xb9b20 0x1c4
CloseHandle - 0x48f35c 0xba924 0xb9b24 0x52
GetFullPathNameW - 0x48f360 0xba928 0xb9b28 0x1fb
EncodePointer - 0x48f364 0xba92c 0xb9b2c 0xea
ExitProcess - 0x48f368 0xba930 0xb9b30 0x119
GetModuleHandleExW - 0x48f36c 0xba934 0xb9b34 0x217
ExitThread - 0x48f370 0xba938 0xb9b38 0x11a
GetSystemTimeAsFileTime - 0x48f374 0xba93c 0xb9b3c 0x279
ResumeThread - 0x48f378 0xba940 0xb9b40 0x413
GetCommandLineW - 0x48f37c 0xba944 0xb9b44 0x187
IsProcessorFeaturePresent - 0x48f380 0xba948 0xb9b48 0x304
IsValidCodePage - 0x48f384 0xba94c 0xb9b4c 0x30a
GetACP - 0x48f388 0xba950 0xb9b50 0x168
GetOEMCP - 0x48f38c 0xba954 0xb9b54 0x237
GetCPInfo - 0x48f390 0xba958 0xb9b58 0x172
SetLastError - 0x48f394 0xba95c 0xb9b5c 0x473
UnhandledExceptionFilter - 0x48f398 0xba960 0xb9b60 0x4d3
SetUnhandledExceptionFilter - 0x48f39c 0xba964 0xb9b64 0x4a5
TlsAlloc - 0x48f3a0 0xba968 0xb9b68 0x4c5
TlsGetValue - 0x48f3a4 0xba96c 0xb9b6c 0x4c7
TlsSetValue - 0x48f3a8 0xba970 0xb9b70 0x4c8
TlsFree - 0x48f3ac 0xba974 0xb9b74 0x4c6
GetStartupInfoW - 0x48f3b0 0xba978 0xb9b78 0x263
GetStringTypeW - 0x48f3b4 0xba97c 0xb9b7c 0x269
SetStdHandle - 0x48f3b8 0xba980 0xb9b80 0x487
GetFileType - 0x48f3bc 0xba984 0xb9b84 0x1f3
GetConsoleCP - 0x48f3c0 0xba988 0xb9b88 0x19a
GetConsoleMode - 0x48f3c4 0xba98c 0xb9b8c 0x1ac
RtlUnwind - 0x48f3c8 0xba990 0xb9b90 0x418
ReadConsoleW - 0x48f3cc 0xba994 0xb9b94 0x3be
GetTimeZoneInformation - 0x48f3d0 0xba998 0xb9b98 0x298
GetDateFormatW - 0x48f3d4 0xba99c 0xb9b9c 0x1c8
GetTimeFormatW - 0x48f3d8 0xba9a0 0xb9ba0 0x297
LCMapStringW - 0x48f3dc 0xba9a4 0xb9ba4 0x32d
GetEnvironmentStringsW - 0x48f3e0 0xba9a8 0xb9ba8 0x1da
FreeEnvironmentStringsW - 0x48f3e4 0xba9ac 0xb9bac 0x161
WriteConsoleW - 0x48f3e8 0xba9b0 0xb9bb0 0x524
FindClose - 0x48f3ec 0xba9b4 0xb9bb4 0x12e
SetEnvironmentVariableA - 0x48f3f0 0xba9b8 0xb9bb8 0x456
USER32.dll (160)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AdjustWindowRectEx - 0x48f4cc 0xbaa94 0xb9c94 0x3
CopyImage - 0x48f4d0 0xbaa98 0xb9c98 0x54
SetWindowPos - 0x48f4d4 0xbaa9c 0xb9c9c 0x2c6
GetCursorInfo - 0x48f4d8 0xbaaa0 0xb9ca0 0x11f
RegisterHotKey - 0x48f4dc 0xbaaa4 0xb9ca4 0x256
ClientToScreen - 0x48f4e0 0xbaaa8 0xb9ca8 0x47
GetKeyboardLayoutNameW - 0x48f4e4 0xbaaac 0xb9cac 0x141
IsCharAlphaW - 0x48f4e8 0xbaab0 0xb9cb0 0x1c4
IsCharAlphaNumericW - 0x48f4ec 0xbaab4 0xb9cb4 0x1c3
IsCharLowerW - 0x48f4f0 0xbaab8 0xb9cb8 0x1c6
IsCharUpperW - 0x48f4f4 0xbaabc 0xb9cbc 0x1c8
GetMenuStringW - 0x48f4f8 0xbaac0 0xb9cc0 0x158
GetSubMenu - 0x48f4fc 0xbaac4 0xb9cc4 0x17a
GetCaretPos - 0x48f500 0xbaac8 0xb9cc8 0x10a
IsZoomed - 0x48f504 0xbaacc 0xb9ccc 0x1e2
MonitorFromPoint - 0x48f508 0xbaad0 0xb9cd0 0x218
GetMonitorInfoW - 0x48f50c 0xbaad4 0xb9cd4 0x15f
SetWindowLongW - 0x48f510 0xbaad8 0xb9cd8 0x2c4
SetLayeredWindowAttributes - 0x48f514 0xbaadc 0xb9cdc 0x298
FlashWindow - 0x48f518 0xbaae0 0xb9ce0 0xfb
GetClassLongW - 0x48f51c 0xbaae4 0xb9ce4 0x110
TranslateAcceleratorW - 0x48f520 0xbaae8 0xb9ce8 0x2fa
IsDialogMessageW - 0x48f524 0xbaaec 0xb9cec 0x1cd
GetSysColor - 0x48f528 0xbaaf0 0xb9cf0 0x17b
InflateRect - 0x48f52c 0xbaaf4 0xb9cf4 0x1b5
DrawFocusRect - 0x48f530 0xbaaf8 0xb9cf8 0xc4
DrawTextW - 0x48f534 0xbaafc 0xb9cfc 0xd0
FrameRect - 0x48f538 0xbab00 0xb9d00 0xfd
DrawFrameControl - 0x48f53c 0xbab04 0xb9d04 0xc6
FillRect - 0x48f540 0xbab08 0xb9d08 0xf6
PtInRect - 0x48f544 0xbab0c 0xb9d0c 0x240
DestroyAcceleratorTable - 0x48f548 0xbab10 0xb9d10 0xa0
CreateAcceleratorTableW - 0x48f54c 0xbab14 0xb9d14 0x58
SetCursor - 0x48f550 0xbab18 0xb9d18 0x288
GetWindowDC - 0x48f554 0xbab1c 0xb9d1c 0x192
GetSystemMetrics - 0x48f558 0xbab20 0xb9d20 0x17e
GetActiveWindow - 0x48f55c 0xbab24 0xb9d24 0x100
CharNextW - 0x48f560 0xbab28 0xb9d28 0x31
wsprintfW - 0x48f564 0xbab2c 0xb9d2c 0x333
RedrawWindow - 0x48f568 0xbab30 0xb9d30 0x24a
DrawMenuBar - 0x48f56c 0xbab34 0xb9d34 0xc9
DestroyMenu - 0x48f570 0xbab38 0xb9d38 0xa4
SetMenu - 0x48f574 0xbab3c 0xb9d3c 0x29c
GetWindowTextLengthW - 0x48f578 0xbab40 0xb9d40 0x1a2
CreateMenu - 0x48f57c 0xbab44 0xb9d44 0x6a
IsDlgButtonChecked - 0x48f580 0xbab48 0xb9d48 0x1ce
DefDlgProcW - 0x48f584 0xbab4c 0xb9d4c 0x95
CallWindowProcW - 0x48f588 0xbab50 0xb9d50 0x1e
ReleaseCapture - 0x48f58c 0xbab54 0xb9d54 0x264
SetCapture - 0x48f590 0xbab58 0xb9d58 0x280
CreateIconFromResourceEx - 0x48f594 0xbab5c 0xb9d5c 0x66
mouse_event - 0x48f598 0xbab60 0xb9d60 0x331
ExitWindowsEx - 0x48f59c 0xbab64 0xb9d64 0xf5
SetActiveWindow - 0x48f5a0 0xbab68 0xb9d68 0x27f
FindWindowExW - 0x48f5a4 0xbab6c 0xb9d6c 0xf9
EnumThreadWindows - 0x48f5a8 0xbab70 0xb9d70 0xef
SetMenuDefaultItem - 0x48f5ac 0xbab74 0xb9d74 0x29e
InsertMenuItemW - 0x48f5b0 0xbab78 0xb9d78 0x1b9
IsMenu - 0x48f5b4 0xbab7c 0xb9d7c 0x1d2
TrackPopupMenuEx - 0x48f5b8 0xbab80 0xb9d80 0x2f7
GetCursorPos - 0x48f5bc 0xbab84 0xb9d84 0x120
DeleteMenu - 0x48f5c0 0xbab88 0xb9d88 0x9e
SetRect - 0x48f5c4 0xbab8c 0xb9d8c 0x2ae
GetMenuItemID - 0x48f5c8 0xbab90 0xb9d90 0x152
GetMenuItemCount - 0x48f5cc 0xbab94 0xb9d94 0x151
SetMenuItemInfoW - 0x48f5d0 0xbab98 0xb9d98 0x2a2
GetMenuItemInfoW - 0x48f5d4 0xbab9c 0xb9d9c 0x154
SetForegroundWindow - 0x48f5d8 0xbaba0 0xb9da0 0x293
IsIconic - 0x48f5dc 0xbaba4 0xb9da4 0x1d1
FindWindowW - 0x48f5e0 0xbaba8 0xb9da8 0xfa
MonitorFromRect - 0x48f5e4 0xbabac 0xb9dac 0x219
keybd_event - 0x48f5e8 0xbabb0 0xb9db0 0x330
SendInput - 0x48f5ec 0xbabb4 0xb9db4 0x276
GetAsyncKeyState - 0x48f5f0 0xbabb8 0xb9db8 0x107
SetKeyboardState - 0x48f5f4 0xbabbc 0xb9dbc 0x296
GetKeyboardState - 0x48f5f8 0xbabc0 0xb9dc0 0x142
GetKeyState - 0x48f5fc 0xbabc4 0xb9dc4 0x13d
VkKeyScanW - 0x48f600 0xbabc8 0xb9dc8 0x321
LoadStringW - 0x48f604 0xbabcc 0xb9dcc 0x1fa
DialogBoxParamW - 0x48f608 0xbabd0 0xb9dd0 0xac
MessageBeep - 0x48f60c 0xbabd4 0xb9dd4 0x20d
EndDialog - 0x48f610 0xbabd8 0xb9dd8 0xda
SendDlgItemMessageW - 0x48f614 0xbabdc 0xb9ddc 0x273
GetDlgItem - 0x48f618 0xbabe0 0xb9de0 0x127
SetWindowTextW - 0x48f61c 0xbabe4 0xb9de4 0x2cb
CopyRect - 0x48f620 0xbabe8 0xb9de8 0x55
ReleaseDC - 0x48f624 0xbabec 0xb9dec 0x265
GetDC - 0x48f628 0xbabf0 0xb9df0 0x121
EndPaint - 0x48f62c 0xbabf4 0xb9df4 0xdc
BeginPaint - 0x48f630 0xbabf8 0xb9df8 0xe
GetClientRect - 0x48f634 0xbabfc 0xb9dfc 0x114
GetMenu - 0x48f638 0xbac00 0xb9e00 0x14b
DestroyWindow - 0x48f63c 0xbac04 0xb9e04 0xa6
EnumWindows - 0x48f640 0xbac08 0xb9e08 0xf2
GetDesktopWindow - 0x48f644 0xbac0c 0xb9e0c 0x123
IsWindow - 0x48f648 0xbac10 0xb9e10 0x1db
IsWindowEnabled - 0x48f64c 0xbac14 0xb9e14 0x1dc
IsWindowVisible - 0x48f650 0xbac18 0xb9e18 0x1e0
EnableWindow - 0x48f654 0xbac1c 0xb9e1c 0xd8
InvalidateRect - 0x48f658 0xbac20 0xb9e20 0x1be
GetWindowLongW - 0x48f65c 0xbac24 0xb9e24 0x196
GetWindowThreadProcessId - 0x48f660 0xbac28 0xb9e28 0x1a4
AttachThreadInput - 0x48f664 0xbac2c 0xb9e2c 0xc
GetFocus - 0x48f668 0xbac30 0xb9e30 0x12c
GetWindowTextW - 0x48f66c 0xbac34 0xb9e34 0x1a3
ScreenToClient - 0x48f670 0xbac38 0xb9e38 0x26d
SendMessageTimeoutW - 0x48f674 0xbac3c 0xb9e3c 0x27b
EnumChildWindows - 0x48f678 0xbac40 0xb9e40 0xdf
CharUpperBuffW - 0x48f67c 0xbac44 0xb9e44 0x3b
GetParent - 0x48f680 0xbac48 0xb9e48 0x164
GetDlgCtrlID - 0x48f684 0xbac4c 0xb9e4c 0x126
SendMessageW - 0x48f688 0xbac50 0xb9e50 0x27c
MapVirtualKeyW - 0x48f68c 0xbac54 0xb9e54 0x208
PostMessageW - 0x48f690 0xbac58 0xb9e58 0x236
GetWindowRect - 0x48f694 0xbac5c 0xb9e5c 0x19c
SetUserObjectSecurity - 0x48f698 0xbac60 0xb9e60 0x2be
CloseDesktop - 0x48f69c 0xbac64 0xb9e64 0x4a
CloseWindowStation - 0x48f6a0 0xbac68 0xb9e68 0x4e
OpenDesktopW - 0x48f6a4 0xbac6c 0xb9e6c 0x228
SetProcessWindowStation - 0x48f6a8 0xbac70 0xb9e70 0x2aa
GetProcessWindowStation - 0x48f6ac 0xbac74 0xb9e74 0x168
OpenWindowStationW - 0x48f6b0 0xbac78 0xb9e78 0x22d
GetUserObjectSecurity - 0x48f6b4 0xbac7c 0xb9e7c 0x18c
MessageBoxW - 0x48f6b8 0xbac80 0xb9e80 0x215
DefWindowProcW - 0x48f6bc 0xbac84 0xb9e84 0x9c
SetClipboardData - 0x48f6c0 0xbac88 0xb9e88 0x286
EmptyClipboard - 0x48f6c4 0xbac8c 0xb9e8c 0xd5
CountClipboardFormats - 0x48f6c8 0xbac90 0xb9e90 0x56
CloseClipboard - 0x48f6cc 0xbac94 0xb9e94 0x49
GetClipboardData - 0x48f6d0 0xbac98 0xb9e98 0x116
IsClipboardFormatAvailable - 0x48f6d4 0xbac9c 0xb9e9c 0x1ca
OpenClipboard - 0x48f6d8 0xbaca0 0xb9ea0 0x226
BlockInput - 0x48f6dc 0xbaca4 0xb9ea4 0xf
GetMessageW - 0x48f6e0 0xbaca8 0xb9ea8 0x15d
LockWindowUpdate - 0x48f6e4 0xbacac 0xb9eac 0x1fd
DispatchMessageW - 0x48f6e8 0xbacb0 0xb9eb0 0xaf
TranslateMessage - 0x48f6ec 0xbacb4 0xb9eb4 0x2fc
PeekMessageW - 0x48f6f0 0xbacb8 0xb9eb8 0x233
UnregisterHotKey - 0x48f6f4 0xbacbc 0xb9ebc 0x308
CheckMenuRadioItem - 0x48f6f8 0xbacc0 0xb9ec0 0x40
CharLowerBuffW - 0x48f6fc 0xbacc4 0xb9ec4 0x2d
MoveWindow - 0x48f700 0xbacc8 0xb9ec8 0x21b
SetFocus - 0x48f704 0xbaccc 0xb9ecc 0x292
PostQuitMessage - 0x48f708 0xbacd0 0xb9ed0 0x237
KillTimer - 0x48f70c 0xbacd4 0xb9ed4 0x1e3
CreatePopupMenu - 0x48f710 0xbacd8 0xb9ed8 0x6b
RegisterWindowMessageW - 0x48f714 0xbacdc 0xb9edc 0x263
SetTimer - 0x48f718 0xbace0 0xb9ee0 0x2bb
ShowWindow - 0x48f71c 0xbace4 0xb9ee4 0x2df
CreateWindowExW - 0x48f720 0xbace8 0xb9ee8 0x6e
RegisterClassExW - 0x48f724 0xbacec 0xb9eec 0x24d
LoadIconW - 0x48f728 0xbacf0 0xb9ef0 0x1ed
LoadCursorW - 0x48f72c 0xbacf4 0xb9ef4 0x1eb
GetSysColorBrush - 0x48f730 0xbacf8 0xb9ef8 0x17c
GetForegroundWindow - 0x48f734 0xbacfc 0xb9efc 0x12d
MessageBoxA - 0x48f738 0xbad00 0xb9f00 0x20e
DestroyIcon - 0x48f73c 0xbad04 0xb9f04 0xa3
SystemParametersInfoW - 0x48f740 0xbad08 0xb9f08 0x2ec
LoadImageW - 0x48f744 0xbad0c 0xb9f0c 0x1ef
GetClassNameW - 0x48f748 0xbad10 0xb9f10 0x112
GDI32.dll (35)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
StrokePath - 0x48f0c4 0xba68c 0xb988c 0x2b6
DeleteObject - 0x48f0c8 0xba690 0xb9890 0xe6
GetTextExtentPoint32W - 0x48f0cc 0xba694 0xb9894 0x21e
ExtCreatePen - 0x48f0d0 0xba698 0xb9898 0x132
GetDeviceCaps - 0x48f0d4 0xba69c 0xb989c 0x1cb
EndPath - 0x48f0d8 0xba6a0 0xb98a0 0xf3
SetPixel - 0x48f0dc 0xba6a4 0xb98a4 0x29b
CloseFigure - 0x48f0e0 0xba6a8 0xb98a8 0x1e
CreateCompatibleBitmap - 0x48f0e4 0xba6ac 0xb98ac 0x2f
CreateCompatibleDC - 0x48f0e8 0xba6b0 0xb98b0 0x30
SelectObject - 0x48f0ec 0xba6b4 0xb98b4 0x277
StretchBlt - 0x48f0f0 0xba6b8 0xb98b8 0x2b3
GetDIBits - 0x48f0f4 0xba6bc 0xb98bc 0x1ca
LineTo - 0x48f0f8 0xba6c0 0xb98c0 0x236
AngleArc - 0x48f0fc 0xba6c4 0xb98c4 0x8
MoveToEx - 0x48f100 0xba6c8 0xb98c8 0x23a
Ellipse - 0x48f104 0xba6cc 0xb98cc 0xed
DeleteDC - 0x48f108 0xba6d0 0xb98d0 0xe3
GetPixel - 0x48f10c 0xba6d4 0xb98d4 0x204
CreateDCW - 0x48f110 0xba6d8 0xb98d8 0x32
GetStockObject - 0x48f114 0xba6dc 0xb98dc 0x20d
GetTextFaceW - 0x48f118 0xba6e0 0xb98e0 0x224
CreateFontW - 0x48f11c 0xba6e4 0xb98e4 0x41
SetTextColor - 0x48f120 0xba6e8 0xb98e8 0x2a6
PolyDraw - 0x48f124 0xba6ec 0xb98ec 0x250
BeginPath - 0x48f128 0xba6f0 0xb98f0 0x12
Rectangle - 0x48f12c 0xba6f4 0xb98f4 0x25f
SetViewportOrgEx - 0x48f130 0xba6f8 0xb98f8 0x2a9
GetObjectW - 0x48f134 0xba6fc 0xb98fc 0x1fd
SetBkMode - 0x48f138 0xba700 0xb9900 0x27f
RoundRect - 0x48f13c 0xba704 0xb9904 0x26a
SetBkColor - 0x48f140 0xba708 0xb9908 0x27e
CreatePen - 0x48f144 0xba70c 0xb990c 0x4b
CreateSolidBrush - 0x48f148 0xba710 0xb9910 0x54
StrokeAndFillPath - 0x48f14c 0xba714 0xb9914 0x2b5
COMDLG32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetOpenFileNameW - 0x48f0b8 0xba680 0xb9880 0xc
GetSaveFileNameW - 0x48f0bc 0xba684 0xb9884 0xe
ADVAPI32.dll (33)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetAce - 0x48f000 0xba5c8 0xb97c8 0x123
RegEnumValueW - 0x48f004 0xba5cc 0xb97cc 0x252
RegDeleteValueW - 0x48f008 0xba5d0 0xb97d0 0x248
RegDeleteKeyW - 0x48f00c 0xba5d4 0xb97d4 0x244
RegEnumKeyExW - 0x48f010 0xba5d8 0xb97d8 0x24f
RegSetValueExW - 0x48f014 0xba5dc 0xb97dc 0x27e
RegOpenKeyExW - 0x48f018 0xba5e0 0xb97e0 0x261
RegCloseKey - 0x48f01c 0xba5e4 0xb97e4 0x230
RegQueryValueExW - 0x48f020 0xba5e8 0xb97e8 0x26e
RegConnectRegistryW - 0x48f024 0xba5ec 0xb97ec 0x234
InitializeSecurityDescriptor - 0x48f028 0xba5f0 0xb97f0 0x177
InitializeAcl - 0x48f02c 0xba5f4 0xb97f4 0x176
AdjustTokenPrivileges - 0x48f030 0xba5f8 0xb97f8 0x1f
OpenThreadToken - 0x48f034 0xba5fc 0xb97fc 0x1fc
OpenProcessToken - 0x48f038 0xba600 0xb9800 0x1f7
LookupPrivilegeValueW - 0x48f03c 0xba604 0xb9804 0x197
DuplicateTokenEx - 0x48f040 0xba608 0xb9808 0xdf
CreateProcessAsUserW - 0x48f044 0xba60c 0xb980c 0x7c
CreateProcessWithLogonW - 0x48f048 0xba610 0xb9810 0x7d
GetLengthSid - 0x48f04c 0xba614 0xb9814 0x136
CopySid - 0x48f050 0xba618 0xb9818 0x76
LogonUserW - 0x48f054 0xba61c 0xb981c 0x18d
AllocateAndInitializeSid - 0x48f058 0xba620 0xb9820 0x20
CheckTokenMembership - 0x48f05c 0xba624 0xb9824 0x51
RegCreateKeyExW - 0x48f060 0xba628 0xb9828 0x239
FreeSid - 0x48f064 0xba62c 0xb982c 0x120
GetTokenInformation - 0x48f068 0xba630 0xb9830 0x15a
GetSecurityDescriptorDacl - 0x48f06c 0xba634 0xb9834 0x148
GetAclInformation - 0x48f070 0xba638 0xb9838 0x124
AddAce - 0x48f074 0xba63c 0xb983c 0x16
SetSecurityDescriptorDacl - 0x48f078 0xba640 0xb9840 0x2b6
GetUserNameW - 0x48f07c 0xba644 0xb9844 0x165
InitiateSystemShutdownExW - 0x48f080 0xba648 0xb9848 0x17d
SHELL32.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
DragQueryPoint - 0x48f48c 0xbaa54 0xb9c54 0x20
ShellExecuteExW - 0x48f490 0xbaa58 0xb9c58 0x121
DragQueryFileW - 0x48f494 0xbaa5c 0xb9c5c 0x1f
SHEmptyRecycleBinW - 0x48f498 0xbaa60 0xb9c60 0xa5
SHGetPathFromIDListW - 0x48f49c 0xbaa64 0xb9c64 0xd7
SHBrowseForFolderW - 0x48f4a0 0xbaa68 0xb9c68 0x7b
SHCreateShellItem - 0x48f4a4 0xbaa6c 0xb9c6c 0x9a
SHGetDesktopFolder - 0x48f4a8 0xbaa70 0xb9c70 0xb6
SHGetSpecialFolderLocation - 0x48f4ac 0xbaa74 0xb9c74 0xdf
SHGetFolderPathW - 0x48f4b0 0xbaa78 0xb9c78 0xc3
SHFileOperationW - 0x48f4b4 0xbaa7c 0xb9c7c 0xac
ExtractIconExW - 0x48f4b8 0xbaa80 0xb9c80 0x2a
Shell_NotifyIconW - 0x48f4bc 0xbaa84 0xb9c84 0x12e
ShellExecuteW - 0x48f4c0 0xbaa88 0xb9c88 0x122
DragFinish - 0x48f4c4 0xbaa8c 0xb9c8c 0x1b
ole32.dll (22)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CoTaskMemAlloc - 0x48f828 0xbadf0 0xb9ff0 0x67
CoTaskMemFree - 0x48f82c 0xbadf4 0xb9ff4 0x68
CLSIDFromString - 0x48f830 0xbadf8 0xb9ff8 0x8
ProgIDFromCLSID - 0x48f834 0xbadfc 0xb9ffc 0x14b
CLSIDFromProgID - 0x48f838 0xbae00 0xba000 0x6
OleSetMenuDescriptor - 0x48f83c 0xbae04 0xba004 0x147
MkParseDisplayName - 0x48f840 0xbae08 0xba008 0xd4
OleSetContainedObject - 0x48f844 0xbae0c 0xba00c 0x146
CoCreateInstance - 0x48f848 0xbae10 0xba010 0x10
IIDFromString - 0x48f84c 0xbae14 0xba014 0xcd
StringFromGUID2 - 0x48f850 0xbae18 0xba018 0x179
CreateStreamOnHGlobal - 0x48f854 0xbae1c 0xba01c 0x86
OleInitialize - 0x48f858 0xbae20 0xba020 0x132
OleUninitialize - 0x48f85c 0xbae24 0xba024 0x149
CoInitialize - 0x48f860 0xbae28 0xba028 0x3e
CoUninitialize - 0x48f864 0xbae2c 0xba02c 0x6c
GetRunningObjectTable - 0x48f868 0xbae30 0xba030 0x97
CoGetInstanceFromFile - 0x48f86c 0xbae34 0xba034 0x2d
CoGetObject - 0x48f870 0xbae38 0xba038 0x35
CoSetProxyBlanket - 0x48f874 0xbae3c 0xba03c 0x63
CoCreateInstanceEx - 0x48f878 0xbae40 0xba040 0x11
CoInitializeSecurity - 0x48f87c 0xbae44 0xba044 0x40
OLEAUT32.dll (29)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
LoadTypeLibEx 0xb7 0x48f40c 0xba9d4 0xb9bd4 -
VariantCopyInd 0xb 0x48f410 0xba9d8 0xb9bd8 -
SysReAllocString 0x3 0x48f414 0xba9dc 0xb9bdc -
SysFreeString 0x6 0x48f418 0xba9e0 0xb9be0 -
SafeArrayDestroyDescriptor 0x26 0x48f41c 0xba9e4 0xb9be4 -
SafeArrayDestroyData 0x27 0x48f420 0xba9e8 0xb9be8 -
SafeArrayUnaccessData 0x18 0x48f424 0xba9ec 0xb9bec -
SafeArrayAccessData 0x17 0x48f428 0xba9f0 0xb9bf0 -
SafeArrayAllocData 0x25 0x48f42c 0xba9f4 0xb9bf4 -
SafeArrayAllocDescriptorEx 0x29 0x48f430 0xba9f8 0xb9bf8 -
SafeArrayCreateVector 0x19b 0x48f434 0xba9fc 0xb9bfc -
RegisterTypeLib 0xa3 0x48f438 0xbaa00 0xb9c00 -
CreateStdDispatch 0x20 0x48f43c 0xbaa04 0xb9c04 -
DispCallFunc 0x92 0x48f440 0xbaa08 0xb9c08 -
VariantChangeType 0xc 0x48f444 0xbaa0c 0xb9c0c -
SysStringLen 0x7 0x48f448 0xbaa10 0xb9c10 -
VariantTimeToSystemTime 0xb9 0x48f44c 0xbaa14 0xb9c14 -
VarR8FromDec 0xdc 0x48f450 0xbaa18 0xb9c18 -
SafeArrayGetVartype 0x4d 0x48f454 0xbaa1c 0xb9c1c -
VariantCopy 0xa 0x48f458 0xbaa20 0xb9c20 -
VariantClear 0x9 0x48f45c 0xbaa24 0xb9c24 -
OleLoadPicture 0x1a2 0x48f460 0xbaa28 0xb9c28 -
QueryPathOfRegTypeLib 0xa4 0x48f464 0xbaa2c 0xb9c2c -
RegisterTypeLibForUser 0x1ba 0x48f468 0xbaa30 0xb9c30 -
UnRegisterTypeLibForUser 0x1bb 0x48f46c 0xbaa34 0xb9c34 -
UnRegisterTypeLib 0xba 0x48f470 0xbaa38 0xb9c38 -
CreateDispTypeInfo 0x1f 0x48f474 0xbaa3c 0xb9c3c -
SysAllocString 0x2 0x48f478 0xbaa40 0xb9c40 -
VariantInit 0x8 0x48f47c 0xbaa44 0xb9c44 -
YARA Matches (3)
Rule Name Rule Description Classification Score
QuasarRATCommands_1_3 Quasar RAT ver 1.3 packets Backdoor, Spyware 5/5
Quasar_RAT_2 Quasar RAT Backdoor, Spyware 5/5
xrat_quasarrat xRAT malware Backdoor 5/5
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat Modified File Stream
clean
MIME Type application/octet-stream
File Size 128 Bytes
MD5 cc90851958032b8c8bbb7b24ec6271dd
SHA1 e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256 c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep 3:Fl:
ImpHash -
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Logs\09-28-2021 Dropped File Stream
clean
MIME Type application/octet-stream
File Size 224 Bytes
MD5 8bdf3536176f57e3bebfa5a25492b1e1
SHA1 b1b49495b7ba73dbe15ae7e67f54df63fd6c4d8d
SHA256 6caf73d97aee0a7b4739383f336d9631e5095e28b16500e02860af64bdfca18b
SSDeep 6:SeZFEaAmQ6UqLaTeuox4mgk7iR/VQtFlT4rER:7LFlQ/khNgkwVQ74ER
ImpHash -
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\pKg6lHYNlR2L.bat Dropped File Text
clean
MIME Type text/x-msdos-batch
File Size 222 Bytes
MD5 efb6904701bf720469296fe54ffb200b
SHA1 24ad5b901aa980ed27654dbbe5d01ccc7d216a2b
SHA256 c0ea2f4aab400d15e49413011902be62a9f1dd0efdfeff250305204291a974ab
SSDeep 6:hC47bxrBeLuVFOOr+DE1Oc9+NaZ539dbKOZG1Oc9+N23fVtU5G:d5r+uVEOCDE5+0H3I+g9tUg
ImpHash -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.