VTI SCORE: 100/100
| Target: | Windows 7 (SP1, 64-bit), MS Office 2016 (64-bit) | ms_office |
| Classification: | Trojan, Dropper, Exploit, Downloader |
ca0da220f7691059b3174b2de14bd41ddb96bf3f02a2824b2b8c103215c7403c (SHA256)
Sales invoice Z12_01 copy.iqy.iqy
Excel Document
Created at 2018-06-06 09:51:00
Notifications (2/2)
The overall sleep time of all monitored processes was truncated from "3 minutes, 21 seconds" to "2 seconds" to reveal dormant functionality.
Files Information
| Number of sample files submitted for analysis | 1 |
| Number of files created and extracted during analysis | 5 |
| Number of files modified and extracted during analysis | 0 |
c:\users\qj4sukboe\appdata\local\temp\cmd_.exe
Suspicious
»
| File Properties | |
|---|---|
| Names | c:\users\qj4sukboe\appdata\local\temp\cmd_.exe (Created File) |
| Size | 174.00 KB |
| Hash Values |
MD5: 3e3d2e9fe0976c4c8d4c6be03f5d7c79
SHA1: b079b7235ac9ce53d564e8e81e1419f870fb7550 SHA256: 30e2f8e905e4596946e651627c450e3cc574fdf58ea6e41cdad1f06190a05216 |
| Actions |
...
|
File Reputation Information
»
| Information | Value |
|---|---|
| Severity |
Suspicious
|
| Names | Win32.Trojan.Dalexis |
| Families | Dalexis |
| Classification | Trojan |
PE Information
»
| Information | Value |
|---|---|
| Image Base | 0x400000 |
| Entry Point | 0x401304 |
| Size Of Code | 0x7000 |
| Size Of Initialized Data | 0x24400 |
| Size Of Uninitialized Data | 0x0 |
| Format | x86 |
| Type | Executable |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Machine Type | IMAGE_FILE_MACHINE_I386 |
| Compile Timestamp | 2017-04-09 19:42:27 |
| Compiler/Packer | Unknown |
Sections (4)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x401000 | 0x6f03 | 0x7000 | 0x400 | MEM_EXECUTE | 5.48 |
| .jdata | 0x408000 | 0xea0 | 0x1000 | 0x7400 | CNT_INITIALIZED_DATA, MEM_READ | 6.21 |
| .jdata | 0x409000 | 0x3cd | 0x400 | 0x8400 | CNT_INITIALIZED_DATA, CNT_UNINITIALIZED_DATA, MEM_READ, MEM_WRITE | 1.25 |
| .rsrc | 0x40a000 | 0x22ec0 | 0x23000 | 0x8800 | CNT_INITIALIZED_DATA, CNT_UNINITIALIZED_DATA, MEM_READ | 7.86 |
Imports (73)
»
kernel32.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| lstrcmpi | 0x0 | 0x408004 | 0x81d2 | 0x75d2 |
| GetStartupInfoW | 0x0 | 0x408008 | 0x81d6 | 0x75d6 |
| WriteConsoleA | 0x0 | 0x40800c | 0x81da | 0x75da |
| GetProcAddress | 0x0 | 0x408010 | 0x81de | 0x75de |
| LoadLibraryA | 0x0 | 0x408014 | 0x81e2 | 0x75e2 |
| GetLocalTime | 0x0 | 0x408018 | 0x81e6 | 0x75e6 |
| lstrcmpi | 0x0 | 0x40801c | 0x81ea | 0x75ea |
| GetTickCount | 0x0 | 0x408020 | 0x81ee | 0x75ee |
| lstrcmpi | 0x0 | 0x408024 | 0x81f2 | 0x75f2 |
| GetSystemDirectoryW | 0x0 | 0x408028 | 0x81f6 | 0x75f6 |
| DeleteFileA | 0x0 | 0x40802c | 0x81fa | 0x75fa |
| lstrcmpi | 0x0 | 0x408030 | 0x81fe | 0x75fe |
| lstrcmpi | 0x0 | 0x408034 | 0x8202 | 0x7602 |
| GetTempPathW | 0x0 | 0x408038 | 0x8206 | 0x7606 |
| GetStringTypeA | 0x0 | 0x40803c | 0x820a | 0x760a |
| LeaveCriticalSection | 0x0 | 0x408040 | 0x820e | 0x760e |
| GetLogicalDriveStringsW | 0x0 | 0x408044 | 0x8212 | 0x7612 |
| GetModuleHandleW | 0x0 | 0x408048 | 0x8216 | 0x7616 |
| OpenMutexA | 0x0 | 0x40804c | 0x821a | 0x761a |
| CreateFileW | 0x0 | 0x408050 | 0x821e | 0x761e |
| lstrcmpi | 0x0 | 0x408054 | 0x8222 | 0x7622 |
| GetCurrentThreadId | 0x0 | 0x408058 | 0x8226 | 0x7626 |
| LoadLibraryExA | 0x0 | 0x40805c | 0x822a | 0x762a |
| FindFirstFileW | 0x0 | 0x408060 | 0x822e | 0x762e |
| OpenFileMappingA | 0x0 | 0x408064 | 0x8232 | 0x7632 |
advapi32.dll (13)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| RegReplaceKeyA | 0x0 | 0x40806c | 0x823a | 0x763a |
| LogonUserA | 0x0 | 0x408070 | 0x823e | 0x763e |
| RegRestoreKeyW | 0x0 | 0x408074 | 0x8242 | 0x7642 |
| RegDeleteValueA | 0x0 | 0x408078 | 0x8246 | 0x7646 |
| OpenEventLogA | 0x0 | 0x40807c | 0x824a | 0x764a |
| RegEnumKeyA | 0x0 | 0x408080 | 0x824e | 0x764e |
| OpenServiceA | 0x0 | 0x408084 | 0x8252 | 0x7652 |
| RegSaveKeyW | 0x0 | 0x408088 | 0x8256 | 0x7656 |
| InitializeAcl | 0x0 | 0x40808c | 0x825a | 0x765a |
| RegLoadKeyW | 0x0 | 0x408090 | 0x825e | 0x765e |
| RegCreateKeyExW | 0x0 | 0x408094 | 0x8262 | 0x7662 |
| CryptSignHashA | 0x0 | 0x408098 | 0x8266 | 0x7666 |
| RegCloseKey | 0x0 | 0x40809c | 0x826a | 0x766a |
certcli.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| CADeleteCA | 0x0 | 0x4080a4 | 0x8272 | 0x7672 |
| CACloseCertType | 0x0 | 0x4080a8 | 0x8276 | 0x7676 |
cryptdll.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| CDBuildVect | 0x0 | 0x4080b0 | 0x827e | 0x767e |
| MD5Final | 0x0 | 0x4080b4 | 0x8282 | 0x7682 |
| CDLocateRng | 0x0 | 0x4080b8 | 0x8286 | 0x7686 |
shell32.dll (17)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| ShellMessageBoxW | 0x0 | 0x4080c0 | 0x828e | 0x768e |
| SHGetDesktopFolder | 0x0 | 0x4080c4 | 0x8292 | 0x7692 |
| DragQueryPoint | 0x0 | 0x4080c8 | 0x8296 | 0x7696 |
| DragQueryFileW | 0x0 | 0x4080cc | 0x829a | 0x769a |
| SHDefExtractIconW | 0x0 | 0x4080d0 | 0x829e | 0x769e |
| FindExecutableA | 0x0 | 0x4080d4 | 0x82a2 | 0x76a2 |
| ShellAboutW | 0x0 | 0x4080d8 | 0x82a6 | 0x76a6 |
| SHQueryRecycleBinW | 0x0 | 0x4080dc | 0x82aa | 0x76aa |
| SHGetFileInfoW | 0x0 | 0x4080e0 | 0x82ae | 0x76ae |
| SHGetFolderPathW | 0x0 | 0x4080e4 | 0x82b2 | 0x76b2 |
| DllGetClassObject | 0x0 | 0x4080e8 | 0x82b6 | 0x76b6 |
| SHFileOperationW | 0x0 | 0x4080ec | 0x82ba | 0x76ba |
| DllRegisterServer | 0x0 | 0x4080f0 | 0x82be | 0x76be |
| SHGetSettings | 0x0 | 0x4080f4 | 0x82c2 | 0x76c2 |
| SHChangeNotify | 0x0 | 0x4080f8 | 0x82c6 | 0x76c6 |
| ShellExecuteA | 0x0 | 0x4080fc | 0x82ca | 0x76ca |
| SHGetMalloc | 0x0 | 0x408100 | 0x82ce | 0x76ce |
user32.dll (13)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| DialogBoxParamW | 0x0 | 0x408108 | 0x82d6 | 0x76d6 |
| PeekMessageW | 0x0 | 0x40810c | 0x82da | 0x76da |
| DrawStateW | 0x0 | 0x408110 | 0x82de | 0x76de |
| FlashWindow | 0x0 | 0x408114 | 0x82e2 | 0x76e2 |
| InsertMenuW | 0x0 | 0x408118 | 0x82e6 | 0x76e6 |
| LoadIconW | 0x0 | 0x40811c | 0x82ea | 0x76ea |
| DispatchMessageA | 0x0 | 0x408120 | 0x82ee | 0x76ee |
| IsDialogMessageA | 0x0 | 0x408124 | 0x82f2 | 0x76f2 |
| IsCharLowerA | 0x0 | 0x408128 | 0x82f6 | 0x76f6 |
| wsprintfW | 0x0 | 0x40812c | 0x82fa | 0x76fa |
| GetPropW | 0x0 | 0x408130 | 0x82fe | 0x76fe |
| GetMessageW | 0x0 | 0x408134 | 0x8302 | 0x7702 |
| GetDlgItemTextA | 0x0 | 0x408138 | 0x8306 | 0x7706 |
c:\programdata\settings\wsus.exe
Suspicious
»
| File Properties | |
|---|---|
| Names | c:\programdata\settings\wsus.exe (Created File) |
| Size | 646.50 KB |
| Hash Values |
MD5: 0be249bf01a6b8380ab31aa3f75e62d3
SHA1: 1caef216eccbc07949836f814dcd9818a4c75d6d SHA256: 7f61258418b89942aa8e7bf2563ce11a05402d3ccf405a18e3d0a4d7a7f9ee41 |
| Actions |
...
|
File Reputation Information
»
| Information | Value |
|---|---|
| Severity |
Suspicious
|
| Names | Unknown.Exploit.Bscope rabased |
| Families | Bscope rabased |
| Classification | Exploit |
PE Information
»
| Information | Value |
|---|---|
| Image Base | 0x400000 |
| Entry Point | 0x44ee3c |
| Size Of Code | 0x75a00 |
| Size Of Initialized Data | 0x2bc00 |
| Size Of Uninitialized Data | 0x0 |
| Format | x86 |
| Type | Executable |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Machine Type | IMAGE_FILE_MACHINE_I386 |
| Compile Timestamp | 2018-05-30 22:04:01 |
| Compiler/Packer | Unknown |
Sections (7)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x401000 | 0x7585e | 0x75a00 | 0x400 | CNT_CODE, MEM_EXECUTE, MEM_READ | 6.63 |
| .rdata | 0x477000 | 0x1f29a | 0x1f400 | 0x75e00 | CNT_INITIALIZED_DATA, MEM_READ | 5.37 |
| .data | 0x497000 | 0x9068 | 0x2a00 | 0x95200 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE | 4.44 |
| .gfids | 0x4a1000 | 0x2f0 | 0x400 | 0x97c00 | CNT_INITIALIZED_DATA, MEM_READ | 3.04 |
| .tls | 0x4a2000 | 0x9 | 0x200 | 0x98000 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE | 0.02 |
| .rsrc | 0x4a3000 | 0x2f08 | 0x3000 | 0x98200 | CNT_INITIALIZED_DATA, MEM_READ | 3.77 |
| .reloc | 0x4a6000 | 0x6648 | 0x6800 | 0x9b200 | CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ | 6.64 |
Imports (448)
»
Secur32.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| FreeContextBuffer | 0x0 | 0x47747c | 0x940b8 | 0x92eb8 |
| QuerySecurityPackageInfoW | 0x0 | 0x477480 | 0x940bc | 0x92ebc |
| AcquireCredentialsHandleW | 0x0 | 0x477484 | 0x940c0 | 0x92ec0 |
| FreeCredentialsHandle | 0x0 | 0x477488 | 0x940c4 | 0x92ec4 |
| InitializeSecurityContextW | 0x0 | 0x47748c | 0x940c8 | 0x92ec8 |
| GetUserNameExW | 0x0 | 0x477490 | 0x940cc | 0x92ecc |
| GetUserNameExA | 0x0 | 0x477494 | 0x940d0 | 0x92ed0 |
| CompleteAuthToken | 0x0 | 0x477498 | 0x940d4 | 0x92ed4 |
WinSCard.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| SCardReleaseContext | 0x0 | 0x477700 | 0x9433c | 0x9313c |
| SCardListReadersW | 0x0 | 0x477704 | 0x94340 | 0x93140 |
| SCardGetStatusChangeW | 0x0 | 0x477708 | 0x94344 | 0x93144 |
| SCardEstablishContext | 0x0 | 0x47770c | 0x94348 | 0x93148 |
WS2_32.dll (17)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| WSAStartup | 0x73 | 0x4776b0 | 0x942ec | 0x930ec |
| __WSAFDIsSet | 0x97 | 0x4776b4 | 0x942f0 | 0x930f0 |
| WSAIoctl | 0x0 | 0x4776b8 | 0x942f4 | 0x930f4 |
| closesocket | 0x3 | 0x4776bc | 0x942f8 | 0x930f8 |
| select | 0x12 | 0x4776c0 | 0x942fc | 0x930fc |
| getaddrinfo | 0x0 | 0x4776c4 | 0x94300 | 0x93100 |
| inet_addr | 0xb | 0x4776c8 | 0x94304 | 0x93104 |
| socket | 0x17 | 0x4776cc | 0x94308 | 0x93108 |
| connect | 0x4 | 0x4776d0 | 0x9430c | 0x9310c |
| htons | 0x9 | 0x4776d4 | 0x94310 | 0x93110 |
| freeaddrinfo | 0x0 | 0x4776d8 | 0x94314 | 0x93114 |
| setsockopt | 0x15 | 0x4776dc | 0x94318 | 0x93118 |
| send | 0x13 | 0x4776e0 | 0x9431c | 0x9311c |
| recv | 0x10 | 0x4776e4 | 0x94320 | 0x93120 |
| ioctlsocket | 0xa | 0x4776e8 | 0x94324 | 0x93124 |
| WSAGetLastError | 0x6f | 0x4776ec | 0x94328 | 0x93128 |
| WSACleanup | 0x74 | 0x4776f0 | 0x9432c | 0x9312c |
USERENV.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| DestroyEnvironmentBlock | 0x0 | 0x4776a4 | 0x942e0 | 0x930e0 |
| CreateEnvironmentBlock | 0x0 | 0x4776a8 | 0x942e4 | 0x930e4 |
dbghelp.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| MiniDumpWriteDump | 0x0 | 0x477714 | 0x94350 | 0x93150 |
WTSAPI32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| WTSEnumerateSessionsW | 0x0 | 0x4776f8 | 0x94334 | 0x93134 |
ole32.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| CoCreateInstance | 0x0 | 0x47771c | 0x94358 | 0x93158 |
| CoSetProxyBlanket | 0x0 | 0x477720 | 0x9435c | 0x9315c |
| CoInitializeSecurity | 0x0 | 0x477724 | 0x94360 | 0x93160 |
| CoInitializeEx | 0x0 | 0x477728 | 0x94364 | 0x93164 |
| CoUninitialize | 0x0 | 0x47772c | 0x94368 | 0x93168 |
KERNEL32.dll (187)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| CreateFileW | 0x0 | 0x477170 | 0x93dac | 0x92bac |
| GetCurrentThreadId | 0x0 | 0x477174 | 0x93db0 | 0x92bb0 |
| FreeEnvironmentStringsW | 0x0 | 0x477178 | 0x93db4 | 0x92bb4 |
| GetCurrentDirectoryA | 0x0 | 0x47717c | 0x93db8 | 0x92bb8 |
| ResumeThread | 0x0 | 0x477180 | 0x93dbc | 0x92bbc |
| ExitThread | 0x0 | 0x477184 | 0x93dc0 | 0x92bc0 |
| GetModuleHandleA | 0x0 | 0x477188 | 0x93dc4 | 0x92bc4 |
| GetACP | 0x0 | 0x47718c | 0x93dc8 | 0x92bc8 |
| HeapSize | 0x0 | 0x477190 | 0x93dcc | 0x92bcc |
| GetVersion | 0x0 | 0x477194 | 0x93dd0 | 0x92bd0 |
| GetCommandLineA | 0x0 | 0x477198 | 0x93dd4 | 0x92bd4 |
| ClosePrivateNamespace | 0x0 | 0x47719c | 0x93dd8 | 0x92bd8 |
| MultiByteToWideChar | 0x0 | 0x4771a0 | 0x93ddc | 0x92bdc |
| Sleep | 0x0 | 0x4771a4 | 0x93de0 | 0x92be0 |
| GetFileInformationByHandle | 0x0 | 0x4771a8 | 0x93de4 | 0x92be4 |
| CompareStringA | 0x0 | 0x4771ac | 0x93de8 | 0x92be8 |
| GetLastError | 0x0 | 0x4771b0 | 0x93dec | 0x92bec |
| OpenMutexA | 0x0 | 0x4771b4 | 0x93df0 | 0x92bf0 |
| FatalAppExitA | 0x0 | 0x4771b8 | 0x93df4 | 0x92bf4 |
| GlobalSize | 0x0 | 0x4771bc | 0x93df8 | 0x92bf8 |
| CreateFileA | 0x0 | 0x4771c0 | 0x93dfc | 0x92bfc |
| SetEvent | 0x0 | 0x4771c4 | 0x93e00 | 0x92c00 |
| FileTimeToSystemTime | 0x0 | 0x4771c8 | 0x93e04 | 0x92c04 |
| GetCurrentThread | 0x0 | 0x4771cc | 0x93e08 | 0x92c08 |
| TerminateThread | 0x0 | 0x4771d0 | 0x93e0c | 0x92c0c |
| LoadLibraryA | 0x0 | 0x4771d4 | 0x93e10 | 0x92c10 |
| lstrcatW | 0x0 | 0x4771d8 | 0x93e14 | 0x92c14 |
| TlsAlloc | 0x0 | 0x4771dc | 0x93e18 | 0x92c18 |
| DeleteFileW | 0x0 | 0x4771e0 | 0x93e1c | 0x92c1c |
| GlobalFree | 0x0 | 0x4771e4 | 0x93e20 | 0x92c20 |
| RaiseException | 0x0 | 0x4771e8 | 0x93e24 | 0x92c24 |
| CreateThread | 0x0 | 0x4771ec | 0x93e28 | 0x92c28 |
| ResetEvent | 0x0 | 0x4771f0 | 0x93e2c | 0x92c2c |
| HeapAlloc | 0x0 | 0x4771f4 | 0x93e30 | 0x92c30 |
| GetLocalTime | 0x0 | 0x4771f8 | 0x93e34 | 0x92c34 |
| SetStdHandle | 0x0 | 0x4771fc | 0x93e38 | 0x92c38 |
| LocalSize | 0x0 | 0x477200 | 0x93e3c | 0x92c3c |
| WriteConsoleW | 0x0 | 0x477204 | 0x93e40 | 0x92c40 |
| FindAtomA | 0x0 | 0x477208 | 0x93e44 | 0x92c44 |
| GetProcAddress | 0x0 | 0x47720c | 0x93e48 | 0x92c48 |
| GlobalLock | 0x0 | 0x477210 | 0x93e4c | 0x92c4c |
| GetTimeFormatW | 0x0 | 0x477214 | 0x93e50 | 0x92c50 |
| GetFileSize | 0x0 | 0x477218 | 0x93e54 | 0x92c54 |
| DeleteCriticalSection | 0x0 | 0x47721c | 0x93e58 | 0x92c58 |
| GetCurrentProcessId | 0x0 | 0x477220 | 0x93e5c | 0x92c5c |
| GetProcessHeap | 0x0 | 0x477224 | 0x93e60 | 0x92c60 |
| FreeLibrary | 0x0 | 0x477228 | 0x93e64 | 0x92c64 |
| GetProfileStringW | 0x0 | 0x47722c | 0x93e68 | 0x92c68 |
| lstrcpyW | 0x0 | 0x477230 | 0x93e6c | 0x92c6c |
| SleepEx | 0x0 | 0x477234 | 0x93e70 | 0x92c70 |
| TlsGetValue | 0x0 | 0x477238 | 0x93e74 | 0x92c74 |
| LocalReAlloc | 0x0 | 0x47723c | 0x93e78 | 0x92c78 |
| GetSystemTimeAsFileTime | 0x0 | 0x477240 | 0x93e7c | 0x92c7c |
| GetFileType | 0x0 | 0x477244 | 0x93e80 | 0x92c80 |
| TlsFree | 0x0 | 0x477248 | 0x93e84 | 0x92c84 |
| GlobalMemoryStatus | 0x0 | 0x47724c | 0x93e88 | 0x92c88 |
| CreateFileMappingW | 0x0 | 0x477250 | 0x93e8c | 0x92c8c |
| DosDateTimeToFileTime | 0x0 | 0x477254 | 0x93e90 | 0x92c90 |
| lstrcmpiW | 0x0 | 0x477258 | 0x93e94 | 0x92c94 |
| GetEnvironmentStringsW | 0x0 | 0x47725c | 0x93e98 | 0x92c98 |
| GlobalUnlock | 0x0 | 0x477260 | 0x93e9c | 0x92c9c |
| GetEnvironmentVariableA | 0x0 | 0x477264 | 0x93ea0 | 0x92ca0 |
| MulDiv | 0x0 | 0x477268 | 0x93ea4 | 0x92ca4 |
| LocalUnlock | 0x0 | 0x47726c | 0x93ea8 | 0x92ca8 |
| GlobalReAlloc | 0x0 | 0x477270 | 0x93eac | 0x92cac |
| SetUnhandledExceptionFilter | 0x0 | 0x477274 | 0x93eb0 | 0x92cb0 |
| ReadFile | 0x0 | 0x477278 | 0x93eb4 | 0x92cb4 |
| GetCurrentProcess | 0x0 | 0x47727c | 0x93eb8 | 0x92cb8 |
| GetSystemDirectoryW | 0x0 | 0x477280 | 0x93ebc | 0x92cbc |
| OpenProcess | 0x0 | 0x477284 | 0x93ec0 | 0x92cc0 |
| CloseHandle | 0x0 | 0x477288 | 0x93ec4 | 0x92cc4 |
| LoadLibraryW | 0x0 | 0x47728c | 0x93ec8 | 0x92cc8 |
| WaitNamedPipeW | 0x0 | 0x477290 | 0x93ecc | 0x92ccc |
| GetExitCodeProcess | 0x0 | 0x477294 | 0x93ed0 | 0x92cd0 |
| GetTickCount | 0x0 | 0x477298 | 0x93ed4 | 0x92cd4 |
| GetModuleHandleW | 0x0 | 0x47729c | 0x93ed8 | 0x92cd8 |
| SetFileTime | 0x0 | 0x4772a0 | 0x93edc | 0x92cdc |
| ProcessIdToSessionId | 0x0 | 0x4772a4 | 0x93ee0 | 0x92ce0 |
| GetFileTime | 0x0 | 0x4772a8 | 0x93ee4 | 0x92ce4 |
| WideCharToMultiByte | 0x0 | 0x4772ac | 0x93ee8 | 0x92ce8 |
| GetVersionExW | 0x0 | 0x4772b0 | 0x93eec | 0x92cec |
| LocalFree | 0x0 | 0x4772b4 | 0x93ef0 | 0x92cf0 |
| GetModuleFileNameW | 0x0 | 0x4772b8 | 0x93ef4 | 0x92cf4 |
| SizeofResource | 0x0 | 0x4772bc | 0x93ef8 | 0x92cf8 |
| LockResource | 0x0 | 0x4772c0 | 0x93efc | 0x92cfc |
| LoadResource | 0x0 | 0x4772c4 | 0x93f00 | 0x92d00 |
| FindResourceW | 0x0 | 0x4772c8 | 0x93f04 | 0x92d04 |
| LocalAlloc | 0x0 | 0x4772cc | 0x93f08 | 0x92d08 |
| LoadLibraryExW | 0x0 | 0x4772d0 | 0x93f0c | 0x92d0c |
| SetHandleInformation | 0x0 | 0x4772d4 | 0x93f10 | 0x92d10 |
| ExpandEnvironmentStringsW | 0x0 | 0x4772d8 | 0x93f14 | 0x92d14 |
| InterlockedDecrement | 0x0 | 0x4772dc | 0x93f18 | 0x92d18 |
| TerminateProcess | 0x0 | 0x4772e0 | 0x93f1c | 0x92d1c |
| CreatePipe | 0x0 | 0x4772e4 | 0x93f20 | 0x92d20 |
| PeekNamedPipe | 0x0 | 0x4772e8 | 0x93f24 | 0x92d24 |
| GetTimeFormatA | 0x0 | 0x4772ec | 0x93f28 | 0x92d28 |
| FreeResource | 0x0 | 0x4772f0 | 0x93f2c | 0x92d2c |
| GetDateFormatA | 0x0 | 0x4772f4 | 0x93f30 | 0x92d30 |
| MoveFileExW | 0x0 | 0x4772f8 | 0x93f34 | 0x92d34 |
| ExitProcess | 0x0 | 0x4772fc | 0x93f38 | 0x92d38 |
| CreateProcessW | 0x0 | 0x477300 | 0x93f3c | 0x92d3c |
| lstrcmpA | 0x0 | 0x477304 | 0x93f40 | 0x92d40 |
| lstrcmpiA | 0x0 | 0x477308 | 0x93f44 | 0x92d44 |
| GlobalAlloc | 0x0 | 0x47730c | 0x93f48 | 0x92d48 |
| InterlockedIncrement | 0x0 | 0x477310 | 0x93f4c | 0x92d4c |
| CreateDirectoryW | 0x0 | 0x477314 | 0x93f50 | 0x92d50 |
| GetFileSizeEx | 0x0 | 0x477318 | 0x93f54 | 0x92d54 |
| MoveFileW | 0x0 | 0x47731c | 0x93f58 | 0x92d58 |
| GetDriveTypeW | 0x0 | 0x477320 | 0x93f5c | 0x92d5c |
| CreateToolhelp32Snapshot | 0x0 | 0x477324 | 0x93f60 | 0x92d60 |
| Process32NextW | 0x0 | 0x477328 | 0x93f64 | 0x92d64 |
| Process32FirstW | 0x0 | 0x47732c | 0x93f68 | 0x92d68 |
| lstrcmpW | 0x0 | 0x477330 | 0x93f6c | 0x92d6c |
| GetLogicalDrives | 0x0 | 0x477334 | 0x93f70 | 0x92d70 |
| FindNextFileW | 0x0 | 0x477338 | 0x93f74 | 0x92d74 |
| RemoveDirectoryW | 0x0 | 0x47733c | 0x93f78 | 0x92d78 |
| FindClose | 0x0 | 0x477340 | 0x93f7c | 0x92d7c |
| SetFileAttributesW | 0x0 | 0x477344 | 0x93f80 | 0x92d80 |
| OpenEventW | 0x0 | 0x477348 | 0x93f84 | 0x92d84 |
| CreateEventW | 0x0 | 0x47734c | 0x93f88 | 0x92d88 |
| QueryPerformanceFrequency | 0x0 | 0x477350 | 0x93f8c | 0x92d8c |
| QueryPerformanceCounter | 0x0 | 0x477354 | 0x93f90 | 0x92d90 |
| lstrlenW | 0x0 | 0x477358 | 0x93f94 | 0x92d94 |
| lstrlenA | 0x0 | 0x47735c | 0x93f98 | 0x92d98 |
| TryEnterCriticalSection | 0x0 | 0x477360 | 0x93f9c | 0x92d9c |
| GetSystemInfo | 0x0 | 0x477364 | 0x93fa0 | 0x92da0 |
| GetComputerNameW | 0x0 | 0x477368 | 0x93fa4 | 0x92da4 |
| GetComputerNameA | 0x0 | 0x47736c | 0x93fa8 | 0x92da8 |
| GetModuleFileNameA | 0x0 | 0x477370 | 0x93fac | 0x92dac |
| TlsSetValue | 0x0 | 0x477374 | 0x93fb0 | 0x92db0 |
| SetThreadPriority | 0x0 | 0x477378 | 0x93fb4 | 0x92db4 |
| DuplicateHandle | 0x0 | 0x47737c | 0x93fb8 | 0x92db8 |
| CreateSemaphoreW | 0x0 | 0x477380 | 0x93fbc | 0x92dbc |
| FindResourceA | 0x0 | 0x477384 | 0x93fc0 | 0x92dc0 |
| SetEndOfFile | 0x0 | 0x477388 | 0x93fc4 | 0x92dc4 |
| GetFullPathNameA | 0x0 | 0x47738c | 0x93fc8 | 0x92dc8 |
| ExpandEnvironmentStringsA | 0x0 | 0x477390 | 0x93fcc | 0x92dcc |
| InitializeCriticalSection | 0x0 | 0x477394 | 0x93fd0 | 0x92dd0 |
| FoldStringW | 0x0 | 0x477398 | 0x93fd4 | 0x92dd4 |
| LeaveCriticalSection | 0x0 | 0x47739c | 0x93fd8 | 0x92dd8 |
| InitializeCriticalSectionAndSpinCount | 0x0 | 0x4773a0 | 0x93fdc | 0x92ddc |
| GetThreadLocale | 0x0 | 0x4773a4 | 0x93fe0 | 0x92de0 |
| GetConsoleCP | 0x0 | 0x4773a8 | 0x93fe4 | 0x92de4 |
| GetProfileIntW | 0x0 | 0x4773ac | 0x93fe8 | 0x92de8 |
| WriteFile | 0x0 | 0x4773b0 | 0x93fec | 0x92dec |
| GetStdHandle | 0x0 | 0x4773b4 | 0x93ff0 | 0x92df0 |
| GetCommandLineW | 0x0 | 0x4773b8 | 0x93ff4 | 0x92df4 |
| VirtualFree | 0x0 | 0x4773bc | 0x93ff8 | 0x92df8 |
| EnterCriticalSection | 0x0 | 0x4773c0 | 0x93ffc | 0x92dfc |
| SetLastError | 0x0 | 0x4773c4 | 0x94000 | 0x92e00 |
| SetHandleCount | 0x0 | 0x4773c8 | 0x94004 | 0x92e04 |
| CompareStringW | 0x0 | 0x4773cc | 0x94008 | 0x92e08 |
| HeapCreate | 0x0 | 0x4773d0 | 0x9400c | 0x92e0c |
| FindFirstFileA | 0x0 | 0x4773d4 | 0x94010 | 0x92e10 |
| FindFirstFileW | 0x0 | 0x4773d8 | 0x94014 | 0x92e14 |
| GetOEMCP | 0x0 | 0x4773dc | 0x94018 | 0x92e18 |
| LocalLock | 0x0 | 0x4773e0 | 0x9401c | 0x92e1c |
| WaitForSingleObject | 0x0 | 0x4773e4 | 0x94020 | 0x92e20 |
| GetLocaleInfoW | 0x0 | 0x4773e8 | 0x94024 | 0x92e24 |
| GetStringTypeW | 0x0 | 0x4773ec | 0x94028 | 0x92e28 |
| EncodePointer | 0x0 | 0x4773f0 | 0x9402c | 0x92e2c |
| DecodePointer | 0x0 | 0x4773f4 | 0x94030 | 0x92e30 |
| LCMapStringW | 0x0 | 0x4773f8 | 0x94034 | 0x92e34 |
| GetCPInfo | 0x0 | 0x4773fc | 0x94038 | 0x92e38 |
| UnhandledExceptionFilter | 0x0 | 0x477400 | 0x9403c | 0x92e3c |
| IsProcessorFeaturePresent | 0x0 | 0x477404 | 0x94040 | 0x92e40 |
| WaitForSingleObjectEx | 0x0 | 0x477408 | 0x94044 | 0x92e44 |
| IsDebuggerPresent | 0x0 | 0x47740c | 0x94048 | 0x92e48 |
| GetStartupInfoW | 0x0 | 0x477410 | 0x9404c | 0x92e4c |
| InitializeSListHead | 0x0 | 0x477414 | 0x94050 | 0x92e50 |
| RtlUnwind | 0x0 | 0x477418 | 0x94054 | 0x92e54 |
| GetModuleHandleExW | 0x0 | 0x47741c | 0x94058 | 0x92e58 |
| FreeLibraryAndExitThread | 0x0 | 0x477420 | 0x9405c | 0x92e5c |
| HeapReAlloc | 0x0 | 0x477424 | 0x94060 | 0x92e60 |
| HeapFree | 0x0 | 0x477428 | 0x94064 | 0x92e64 |
| FlushFileBuffers | 0x0 | 0x47742c | 0x94068 | 0x92e68 |
| GetConsoleMode | 0x0 | 0x477430 | 0x9406c | 0x92e6c |
| IsValidLocale | 0x0 | 0x477434 | 0x94070 | 0x92e70 |
| GetUserDefaultLCID | 0x0 | 0x477438 | 0x94074 | 0x92e74 |
| EnumSystemLocalesW | 0x0 | 0x47743c | 0x94078 | 0x92e78 |
| SetFilePointerEx | 0x0 | 0x477440 | 0x9407c | 0x92e7c |
| ReadConsoleW | 0x0 | 0x477444 | 0x94080 | 0x92e80 |
| FindFirstFileExA | 0x0 | 0x477448 | 0x94084 | 0x92e84 |
| FindNextFileA | 0x0 | 0x47744c | 0x94088 | 0x92e88 |
| IsValidCodePage | 0x0 | 0x477450 | 0x9408c | 0x92e8c |
| SetEnvironmentVariableA | 0x0 | 0x477454 | 0x94090 | 0x92e90 |
| GetStringTypeA | 0x0 | 0x477458 | 0x94094 | 0x92e94 |
USER32.dll (128)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| SetThreadDesktop | 0x0 | 0x4774a0 | 0x940dc | 0x92edc |
| PostMessageW | 0x0 | 0x4774a4 | 0x940e0 | 0x92ee0 |
| DefWindowProcA | 0x0 | 0x4774a8 | 0x940e4 | 0x92ee4 |
| PeekMessageW | 0x0 | 0x4774ac | 0x940e8 | 0x92ee8 |
| RegisterClassExW | 0x0 | 0x4774b0 | 0x940ec | 0x92eec |
| CreateWindowExW | 0x0 | 0x4774b4 | 0x940f0 | 0x92ef0 |
| mouse_event | 0x0 | 0x4774b8 | 0x940f4 | 0x92ef4 |
| ExitWindowsEx | 0x0 | 0x4774bc | 0x940f8 | 0x92ef8 |
| GetKeyboardState | 0x0 | 0x4774c0 | 0x940fc | 0x92efc |
| keybd_event | 0x0 | 0x4774c4 | 0x94100 | 0x92f00 |
| SendMessageTimeoutW | 0x0 | 0x4774c8 | 0x94104 | 0x92f04 |
| LoadKeyboardLayoutW | 0x0 | 0x4774cc | 0x94108 | 0x92f08 |
| GetAsyncKeyState | 0x0 | 0x4774d0 | 0x9410c | 0x92f0c |
| MapVirtualKeyW | 0x0 | 0x4774d4 | 0x94110 | 0x92f10 |
| VkKeyScanExW | 0x0 | 0x4774d8 | 0x94114 | 0x92f14 |
| GetDesktopWindow | 0x0 | 0x4774dc | 0x94118 | 0x92f18 |
| SetWindowLongW | 0x0 | 0x4774e0 | 0x9411c | 0x92f1c |
| GetUserObjectInformationW | 0x0 | 0x4774e4 | 0x94120 | 0x92f20 |
| OpenInputDesktop | 0x0 | 0x4774e8 | 0x94124 | 0x92f24 |
| ChangeClipboardChain | 0x0 | 0x4774ec | 0x94128 | 0x92f28 |
| GetCursorInfo | 0x0 | 0x4774f0 | 0x9412c | 0x92f2c |
| DispatchMessageW | 0x0 | 0x4774f4 | 0x94130 | 0x92f30 |
| MsgWaitForMultipleObjects | 0x0 | 0x4774f8 | 0x94134 | 0x92f34 |
| GetIconInfo | 0x0 | 0x4774fc | 0x94138 | 0x92f38 |
| GetClipboardOwner | 0x0 | 0x477500 | 0x9413c | 0x92f3c |
| SetClipboardViewer | 0x0 | 0x477504 | 0x94140 | 0x92f40 |
| EqualRect | 0x0 | 0x477508 | 0x94144 | 0x92f44 |
| GetWindowLongW | 0x0 | 0x47750c | 0x94148 | 0x92f48 |
| IntersectRect | 0x0 | 0x477510 | 0x9414c | 0x92f4c |
| EnumWindows | 0x0 | 0x477514 | 0x94150 | 0x92f50 |
| IsWindowVisible | 0x0 | 0x477518 | 0x94154 | 0x92f54 |
| SetMenuItemBitmaps | 0x0 | 0x47751c | 0x94158 | 0x92f58 |
| DialogBoxParamA | 0x0 | 0x477520 | 0x9415c | 0x92f5c |
| LoadAcceleratorsW | 0x0 | 0x477524 | 0x94160 | 0x92f60 |
| ShowWindow | 0x0 | 0x477528 | 0x94164 | 0x92f64 |
| IsWindow | 0x0 | 0x47752c | 0x94168 | 0x92f68 |
| DialogBoxIndirectParamA | 0x0 | 0x477530 | 0x9416c | 0x92f6c |
| InvalidateRgn | 0x0 | 0x477534 | 0x94170 | 0x92f70 |
| OpenClipboard | 0x0 | 0x477538 | 0x94174 | 0x92f74 |
| OffsetRect | 0x0 | 0x47753c | 0x94178 | 0x92f78 |
| RegisterWindowMessageA | 0x0 | 0x477540 | 0x9417c | 0x92f7c |
| GetDlgItemTextA | 0x0 | 0x477544 | 0x94180 | 0x92f80 |
| SetTimer | 0x0 | 0x477548 | 0x94184 | 0x92f84 |
| IsDialogMessageW | 0x0 | 0x47754c | 0x94188 | 0x92f88 |
| IsDialogMessageA | 0x0 | 0x477550 | 0x9418c | 0x92f8c |
| DrawTextA | 0x0 | 0x477554 | 0x94190 | 0x92f90 |
| CloseClipboard | 0x0 | 0x477558 | 0x94194 | 0x92f94 |
| GetMenuState | 0x0 | 0x47755c | 0x94198 | 0x92f98 |
| GetWindowTextA | 0x0 | 0x477560 | 0x9419c | 0x92f9c |
| IsChild | 0x0 | 0x477564 | 0x941a0 | 0x92fa0 |
| SetDlgItemTextW | 0x0 | 0x477568 | 0x941a4 | 0x92fa4 |
| SetWindowPlacement | 0x0 | 0x47756c | 0x941a8 | 0x92fa8 |
| GetKeyboardLayout | 0x0 | 0x477570 | 0x941ac | 0x92fac |
| GetThreadDesktop | 0x0 | 0x477574 | 0x941b0 | 0x92fb0 |
| AttachThreadInput | 0x0 | 0x477578 | 0x941b4 | 0x92fb4 |
| GetDlgItemTextW | 0x0 | 0x47757c | 0x941b8 | 0x92fb8 |
| SendDlgItemMessageW | 0x0 | 0x477580 | 0x941bc | 0x92fbc |
| MessageBoxA | 0x0 | 0x477584 | 0x941c0 | 0x92fc0 |
| MoveWindow | 0x0 | 0x477588 | 0x941c4 | 0x92fc4 |
| IsDlgButtonChecked | 0x0 | 0x47758c | 0x941c8 | 0x92fc8 |
| RegisterClassA | 0x0 | 0x477590 | 0x941cc | 0x92fcc |
| DrawTextExW | 0x0 | 0x477594 | 0x941d0 | 0x92fd0 |
| CharNextW | 0x0 | 0x477598 | 0x941d4 | 0x92fd4 |
| TranslateMessage | 0x0 | 0x47759c | 0x941d8 | 0x92fd8 |
| GetClipboardData | 0x0 | 0x4775a0 | 0x941dc | 0x92fdc |
| LoadIconW | 0x0 | 0x4775a4 | 0x941e0 | 0x92fe0 |
| LoadCursorW | 0x0 | 0x4775a8 | 0x941e4 | 0x92fe4 |
| SetDlgItemTextA | 0x0 | 0x4775ac | 0x941e8 | 0x92fe8 |
| SendMessageA | 0x0 | 0x4775b0 | 0x941ec | 0x92fec |
| SetClipboardData | 0x0 | 0x4775b4 | 0x941f0 | 0x92ff0 |
| SetCursor | 0x0 | 0x4775b8 | 0x941f4 | 0x92ff4 |
| wsprintfW | 0x0 | 0x4775bc | 0x941f8 | 0x92ff8 |
| CreateDialogParamA | 0x0 | 0x4775c0 | 0x941fc | 0x92ffc |
| TrackPopupMenuEx | 0x0 | 0x4775c4 | 0x94200 | 0x93000 |
| AppendMenuA | 0x0 | 0x4775c8 | 0x94204 | 0x93004 |
| GetClientRect | 0x0 | 0x4775cc | 0x94208 | 0x93008 |
| IsZoomed | 0x0 | 0x4775d0 | 0x9420c | 0x9300c |
| GetDlgItem | 0x0 | 0x4775d4 | 0x94210 | 0x93010 |
| PeekMessageA | 0x0 | 0x4775d8 | 0x94214 | 0x93014 |
| IsClipboardFormatAvailable | 0x0 | 0x4775dc | 0x94218 | 0x93018 |
| DrawTextW | 0x0 | 0x4775e0 | 0x9421c | 0x9301c |
| PostQuitMessage | 0x0 | 0x4775e4 | 0x94220 | 0x93020 |
| GetSysColorBrush | 0x0 | 0x4775e8 | 0x94224 | 0x93024 |
| SetScrollPos | 0x0 | 0x4775ec | 0x94228 | 0x93028 |
| EnableMenuItem | 0x0 | 0x4775f0 | 0x9422c | 0x9302c |
| SystemParametersInfoW | 0x0 | 0x4775f4 | 0x94230 | 0x93030 |
| GetParent | 0x0 | 0x4775f8 | 0x94234 | 0x93034 |
| DialogBoxParamW | 0x0 | 0x4775fc | 0x94238 | 0x93038 |
| FindWindowA | 0x0 | 0x477600 | 0x9423c | 0x9303c |
| RegisterClassExA | 0x0 | 0x477604 | 0x94240 | 0x93040 |
| UnhookWinEvent | 0x0 | 0x477608 | 0x94244 | 0x93044 |
| ReleaseCapture | 0x0 | 0x47760c | 0x94248 | 0x93048 |
| SetForegroundWindow | 0x0 | 0x477610 | 0x9424c | 0x9304c |
| InvalidateRect | 0x0 | 0x477614 | 0x94250 | 0x93050 |
| ChildWindowFromPoint | 0x0 | 0x477618 | 0x94254 | 0x93054 |
| ReleaseDC | 0x0 | 0x47761c | 0x94258 | 0x93058 |
| GetCursorPos | 0x0 | 0x477620 | 0x9425c | 0x9305c |
| BeginPaint | 0x0 | 0x477624 | 0x94260 | 0x93060 |
| EndPaint | 0x0 | 0x477628 | 0x94264 | 0x93064 |
| GetWindowTextW | 0x0 | 0x47762c | 0x94268 | 0x93068 |
| CharUpperW | 0x0 | 0x477630 | 0x9426c | 0x9306c |
| CharLowerW | 0x0 | 0x477634 | 0x94270 | 0x93070 |
| LoadMenuW | 0x0 | 0x477638 | 0x94274 | 0x93074 |
| CallWindowProcW | 0x0 | 0x47763c | 0x94278 | 0x93078 |
| CheckMenuRadioItem | 0x0 | 0x477640 | 0x9427c | 0x9307c |
| DispatchMessageA | 0x0 | 0x477644 | 0x94280 | 0x93080 |
| GetWindowRect | 0x0 | 0x477648 | 0x94284 | 0x93084 |
| GetFocus | 0x0 | 0x47764c | 0x94288 | 0x93088 |
| DestroyWindow | 0x0 | 0x477650 | 0x9428c | 0x9308c |
| GetDC | 0x0 | 0x477654 | 0x94290 | 0x93090 |
| SetWindowPos | 0x0 | 0x477658 | 0x94294 | 0x93094 |
| MessageBoxW | 0x0 | 0x47765c | 0x94298 | 0x93098 |
| CloseDesktop | 0x0 | 0x477660 | 0x9429c | 0x9309c |
| FindWindowW | 0x0 | 0x477664 | 0x942a0 | 0x930a0 |
| OpenDesktopW | 0x0 | 0x477668 | 0x942a4 | 0x930a4 |
| GetMessageW | 0x0 | 0x47766c | 0x942a8 | 0x930a8 |
| PostThreadMessageW | 0x0 | 0x477670 | 0x942ac | 0x930ac |
| CreateDialogParamW | 0x0 | 0x477674 | 0x942b0 | 0x930b0 |
| DefWindowProcW | 0x0 | 0x477678 | 0x942b4 | 0x930b4 |
| SetWindowTextA | 0x0 | 0x47767c | 0x942b8 | 0x930b8 |
| GetSystemMenu | 0x0 | 0x477680 | 0x942bc | 0x930bc |
| SetActiveWindow | 0x0 | 0x477684 | 0x942c0 | 0x930c0 |
| GetMenuItemCount | 0x0 | 0x477688 | 0x942c4 | 0x930c4 |
| HideCaret | 0x0 | 0x47768c | 0x942c8 | 0x930c8 |
| SendMessageW | 0x0 | 0x477690 | 0x942cc | 0x930cc |
| GetSystemMetrics | 0x0 | 0x477694 | 0x942d0 | 0x930d0 |
| EmptyClipboard | 0x0 | 0x477698 | 0x942d4 | 0x930d4 |
| MessageBeep | 0x0 | 0x47769c | 0x942d8 | 0x930d8 |
GDI32.dll (35)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| BitBlt | 0x0 | 0x4770e0 | 0x93d1c | 0x92b1c |
| CreateCompatibleBitmap | 0x0 | 0x4770e4 | 0x93d20 | 0x92b20 |
| GdiFlush | 0x0 | 0x4770e8 | 0x93d24 | 0x92b24 |
| RealizePalette | 0x0 | 0x4770ec | 0x93d28 | 0x92b28 |
| GetDIBits | 0x0 | 0x4770f0 | 0x93d2c | 0x92b2c |
| GetSystemPaletteEntries | 0x0 | 0x4770f4 | 0x93d30 | 0x92b30 |
| SelectPalette | 0x0 | 0x4770f8 | 0x93d34 | 0x92b34 |
| CreatePalette | 0x0 | 0x4770fc | 0x93d38 | 0x92b38 |
| CreateRectRgnIndirect | 0x0 | 0x477100 | 0x93d3c | 0x92b3c |
| GetRegionData | 0x0 | 0x477104 | 0x93d40 | 0x92b40 |
| CombineRgn | 0x0 | 0x477108 | 0x93d44 | 0x92b44 |
| GetBitmapBits | 0x0 | 0x47710c | 0x93d48 | 0x92b48 |
| ExtTextOutA | 0x0 | 0x477110 | 0x93d4c | 0x92b4c |
| SelectObject | 0x0 | 0x477114 | 0x93d50 | 0x92b50 |
| CreateCompatibleDC | 0x0 | 0x477118 | 0x93d54 | 0x92b54 |
| StartDocA | 0x0 | 0x47711c | 0x93d58 | 0x92b58 |
| EndDoc | 0x0 | 0x477120 | 0x93d5c | 0x92b5c |
| CreateDCW | 0x0 | 0x477124 | 0x93d60 | 0x92b60 |
| SetWindowExtEx | 0x0 | 0x477128 | 0x93d64 | 0x92b64 |
| SetViewportExtEx | 0x0 | 0x47712c | 0x93d68 | 0x92b68 |
| GetDeviceCaps | 0x0 | 0x477130 | 0x93d6c | 0x92b6c |
| GetTextMetricsW | 0x0 | 0x477134 | 0x93d70 | 0x92b70 |
| DeleteDC | 0x0 | 0x477138 | 0x93d74 | 0x92b74 |
| SetTextColor | 0x0 | 0x47713c | 0x93d78 | 0x92b78 |
| GetTextExtentPointA | 0x0 | 0x477140 | 0x93d7c | 0x92b7c |
| SetBkMode | 0x0 | 0x477144 | 0x93d80 | 0x92b80 |
| GetObjectW | 0x0 | 0x477148 | 0x93d84 | 0x92b84 |
| SetBkColor | 0x0 | 0x47714c | 0x93d88 | 0x92b88 |
| DeleteObject | 0x0 | 0x477150 | 0x93d8c | 0x92b8c |
| SetMapMode | 0x0 | 0x477154 | 0x93d90 | 0x92b90 |
| SetAbortProc | 0x0 | 0x477158 | 0x93d94 | 0x92b94 |
| StartDocW | 0x0 | 0x47715c | 0x93d98 | 0x92b98 |
| CreateDIBSection | 0x0 | 0x477160 | 0x93d9c | 0x92b9c |
| EndPage | 0x0 | 0x477164 | 0x93da0 | 0x92ba0 |
| GetObjectA | 0x0 | 0x477168 | 0x93da4 | 0x92ba4 |
ADVAPI32.dll (55)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| EnumServicesStatusExW | 0x0 | 0x477000 | 0x93c3c | 0x92a3c |
| OpenServiceW | 0x0 | 0x477004 | 0x93c40 | 0x92a40 |
| ConvertSidToStringSidW | 0x0 | 0x477008 | 0x93c44 | 0x92a44 |
| GetTokenInformation | 0x0 | 0x47700c | 0x93c48 | 0x92a48 |
| SetSecurityDescriptorDacl | 0x0 | 0x477010 | 0x93c4c | 0x92a4c |
| RegCreateKeyExW | 0x0 | 0x477014 | 0x93c50 | 0x92a50 |
| RegEnumKeyExW | 0x0 | 0x477018 | 0x93c54 | 0x92a54 |
| RegDeleteValueW | 0x0 | 0x47701c | 0x93c58 | 0x92a58 |
| AccessCheck | 0x0 | 0x477020 | 0x93c5c | 0x92a5c |
| SetSecurityDescriptorOwner | 0x0 | 0x477024 | 0x93c60 | 0x92a60 |
| AllocateAndInitializeSid | 0x0 | 0x477028 | 0x93c64 | 0x92a64 |
| RegisterServiceCtrlHandlerExW | 0x0 | 0x47702c | 0x93c68 | 0x92a68 |
| GetSidSubAuthority | 0x0 | 0x477030 | 0x93c6c | 0x92a6c |
| IsValidSecurityDescriptor | 0x0 | 0x477034 | 0x93c70 | 0x92a70 |
| FreeSid | 0x0 | 0x477038 | 0x93c74 | 0x92a74 |
| InitializeAcl | 0x0 | 0x47703c | 0x93c78 | 0x92a78 |
| DuplicateToken | 0x0 | 0x477040 | 0x93c7c | 0x92a7c |
| GetLengthSid | 0x0 | 0x477044 | 0x93c80 | 0x92a80 |
| SetTokenInformation | 0x0 | 0x477048 | 0x93c84 | 0x92a84 |
| SetServiceStatus | 0x0 | 0x47704c | 0x93c88 | 0x92a88 |
| OpenProcessToken | 0x0 | 0x477050 | 0x93c8c | 0x92a8c |
| AddAccessAllowedAce | 0x0 | 0x477054 | 0x93c90 | 0x92a90 |
| CreateProcessAsUserW | 0x0 | 0x477058 | 0x93c94 | 0x92a94 |
| OpenThreadToken | 0x0 | 0x47705c | 0x93c98 | 0x92a98 |
| SetSecurityDescriptorGroup | 0x0 | 0x477060 | 0x93c9c | 0x92a9c |
| StartServiceCtrlDispatcherW | 0x0 | 0x477064 | 0x93ca0 | 0x92aa0 |
| DuplicateTokenEx | 0x0 | 0x477068 | 0x93ca4 | 0x92aa4 |
| RegSetValueExA | 0x0 | 0x47706c | 0x93ca8 | 0x92aa8 |
| RegOpenKeyExW | 0x0 | 0x477070 | 0x93cac | 0x92aac |
| CreateServiceA | 0x0 | 0x477074 | 0x93cb0 | 0x92ab0 |
| AdjustTokenPrivileges | 0x0 | 0x477078 | 0x93cb4 | 0x92ab4 |
| RegCloseKey | 0x0 | 0x47707c | 0x93cb8 | 0x92ab8 |
| QueryServiceStatus | 0x0 | 0x477080 | 0x93cbc | 0x92abc |
| RegDeleteKeyA | 0x0 | 0x477084 | 0x93cc0 | 0x92ac0 |
| RegQueryValueExA | 0x0 | 0x477088 | 0x93cc4 | 0x92ac4 |
| StartServiceW | 0x0 | 0x47708c | 0x93cc8 | 0x92ac8 |
| ControlService | 0x0 | 0x477090 | 0x93ccc | 0x92acc |
| OpenSCManagerW | 0x0 | 0x477094 | 0x93cd0 | 0x92ad0 |
| CloseServiceHandle | 0x0 | 0x477098 | 0x93cd4 | 0x92ad4 |
| CreateServiceW | 0x0 | 0x47709c | 0x93cd8 | 0x92ad8 |
| InitiateSystemShutdownExW | 0x0 | 0x4770a0 | 0x93cdc | 0x92adc |
| LookupPrivilegeValueW | 0x0 | 0x4770a4 | 0x93ce0 | 0x92ae0 |
| ImpersonateLoggedOnUser | 0x0 | 0x4770a8 | 0x93ce4 | 0x92ae4 |
| QueryServiceConfigW | 0x0 | 0x4770ac | 0x93ce8 | 0x92ae8 |
| RevertToSelf | 0x0 | 0x4770b0 | 0x93cec | 0x92aec |
| OpenSCManagerA | 0x0 | 0x4770b4 | 0x93cf0 | 0x92af0 |
| DeleteService | 0x0 | 0x4770b8 | 0x93cf4 | 0x92af4 |
| OpenServiceA | 0x0 | 0x4770bc | 0x93cf8 | 0x92af8 |
| RegQueryValueExW | 0x0 | 0x4770c0 | 0x93cfc | 0x92afc |
| RegDeleteValueA | 0x0 | 0x4770c4 | 0x93d00 | 0x92b00 |
| RegCreateKeyW | 0x0 | 0x4770c8 | 0x93d04 | 0x92b04 |
| InitializeSecurityDescriptor | 0x0 | 0x4770cc | 0x93d08 | 0x92b08 |
| RegCreateKeyExA | 0x0 | 0x4770d0 | 0x93d0c | 0x92b0c |
| RegOpenKeyExA | 0x0 | 0x4770d4 | 0x93d10 | 0x92b10 |
| RegSetValueExW | 0x0 | 0x4770d8 | 0x93d14 | 0x92b14 |
SHELL32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| SHGetSpecialFolderPathW | 0x0 | 0x477470 | 0x940ac | 0x92eac |
| ShellExecuteW | 0x0 | 0x477474 | 0x940b0 | 0x92eb0 |
OLEAUT32.dll (3)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| SysAllocString | 0x2 | 0x477460 | 0x9409c | 0x92e9c |
| SysFreeString | 0x6 | 0x477464 | 0x940a0 | 0x92ea0 |
| VariantClear | 0x9 | 0x477468 | 0x940a4 | 0x92ea4 |
c:\users\qj4sukboe\desktop\Sales invoice Z12_01 copy.iqy.iqy
»
| File Properties | |
|---|---|
| Names | c:\users\qj4sukboe\desktop\Sales invoice Z12_01 copy.iqy.iqy (Sample File) |
| Size | 0.06 KB |
| Hash Values |
MD5: b9fdcd230f07ac2e62987fd620e42ca8
SHA1: c1973ccf7000a0e45f501cb31ca37e9c10084f62 SHA256: ca0da220f7691059b3174b2de14bd41ddb96bf3f02a2824b2b8c103215c7403c |
| Actions |
...
|
c:\windows\tasks\microsoft system protect.job
»
| File Properties | |
|---|---|
| Names | c:\windows\tasks\microsoft system protect.job (Created File) |
| Size | 0.27 KB |
| Hash Values |
MD5: 3a50aa02030ff89e645423598c8e06fa
SHA1: 0b131b052a57672aab55874a1106703cfcd6163a SHA256: 83a96ed03808a9b12426d9d770f2a4b37d100f66cd271be8ea9c5b814be878e7 |
| Actions |
...
|
c:\windows\tasks\microsoft system protect.job
»
| File Properties | |
|---|---|
| Names | c:\windows\tasks\microsoft system protect.job (Created File) |
| Size | 0.27 KB |
| Hash Values |
MD5: 5803c2d1a7f6a381cbf58b3ce1429dae
SHA1: c038ab19f0df090fb7778042be6c17ddfd585c16 SHA256: 2a8e0c425456503344bd480c83e7151147b474783e1d6d74e3b6d1d5d5b34ed9 |
| Actions |
...
|
c:\programdata\settings\wsus_41a480.tmp
»
| File Properties | |
|---|---|
| Names | c:\programdata\settings\wsus_41a480.tmp (Created File) |
| Size | 646.50 KB |
| Hash Values |
MD5: 192aead1e464431f616fc210ab18a6af
SHA1: 84e0756eef6e66bd8cc9a42fee4fa69ab21964ca SHA256: ac3fb7067fed4e4db651f8261553d379a980eaa8756202b4a8daa8e88299a2ef |
| Actions |
...
|
