Petya/NotPetya/ExPetr | Files
Try VMRay Analyzer
| Sample files count | 1 |
| Created files count | 5 |
| Modified files count | 1 |
| File Properties | |
|---|---|
| Names | c:\users\hjrd1koky ds8lujv\desktop\Petya.dll (Sample File) |
| Size | 353.87 KB (362360 bytes) |
| Hash Values |
MD5: 71b6a493388e7d0b40c83ce903bc6b04
SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
| Actions |
|
| File Properties | |
|---|---|
| Image Base | 0x10000000 |
| Entry Point | 0x10007d39 |
| Size Of Code | 0xbe00 |
| Size Of Initialized Data | 0x4ae00 |
| Size Of Uninitialized Data | 0x0 |
| Format | x86 |
| Type | Dll |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_I386 |
| Compile Timestamp | 2017-06-18 09:14:36 |
| Compiler/Packer | Unknown |
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x10001000 | 0xbd63 | 0xbe00 | 0x400 | CNT_CODE, MEM_EXECUTE, MEM_READ | 6.55 |
| .rdata | 0x1000d000 | 0x8546 | 0x8600 | 0xc200 | CNT_INITIALIZED_DATA, MEM_READ | 6.99 |
| .data | 0x10016000 | 0x9b4a | 0x5200 | 0x14800 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE | 5.43 |
| .rsrc | 0x10020000 | 0x3c738 | 0x3c800 | 0x19a00 | CNT_INITIALIZED_DATA, MEM_READ | 8.0 |
| .reloc | 0x1005d000 | 0xc02 | 0xe00 | 0x56200 | CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ | 4.77 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| ConnectNamedPipe | 0x0 | 0x1000d09c | 0x147a4 | 0x139a4 |
| GetModuleHandleW | 0x0 | 0x1000d0a0 | 0x147a8 | 0x139a8 |
| CreateNamedPipeW | 0x0 | 0x1000d0a4 | 0x147ac | 0x139ac |
| TerminateThread | 0x0 | 0x1000d0a8 | 0x147b0 | 0x139b0 |
| DisconnectNamedPipe | 0x0 | 0x1000d0ac | 0x147b4 | 0x139b4 |
| FlushFileBuffers | 0x0 | 0x1000d0b0 | 0x147b8 | 0x139b8 |
| GetTempPathW | 0x0 | 0x1000d0b4 | 0x147bc | 0x139bc |
| GetProcAddress | 0x0 | 0x1000d0b8 | 0x147c0 | 0x139c0 |
| DeleteFileW | 0x0 | 0x1000d0bc | 0x147c4 | 0x139c4 |
| FreeLibrary | 0x0 | 0x1000d0c0 | 0x147c8 | 0x139c8 |
| GlobalAlloc | 0x0 | 0x1000d0c4 | 0x147cc | 0x139cc |
| LoadLibraryW | 0x0 | 0x1000d0c8 | 0x147d0 | 0x139d0 |
| GetComputerNameExW | 0x0 | 0x1000d0cc | 0x147d4 | 0x139d4 |
| GlobalFree | 0x0 | 0x1000d0d0 | 0x147d8 | 0x139d8 |
| ExitProcess | 0x0 | 0x1000d0d4 | 0x147dc | 0x139dc |
| GetVersionExW | 0x0 | 0x1000d0d8 | 0x147e0 | 0x139e0 |
| GetModuleFileNameW | 0x0 | 0x1000d0dc | 0x147e4 | 0x139e4 |
| DisableThreadLibraryCalls | 0x0 | 0x1000d0e0 | 0x147e8 | 0x139e8 |
| ResumeThread | 0x0 | 0x1000d0e4 | 0x147ec | 0x139ec |
| GetEnvironmentVariableW | 0x0 | 0x1000d0e8 | 0x147f0 | 0x139f0 |
| GetFileSize | 0x0 | 0x1000d0ec | 0x147f4 | 0x139f4 |
| SetFilePointer | 0x0 | 0x1000d0f0 | 0x147f8 | 0x139f8 |
| SetLastError | 0x0 | 0x1000d0f4 | 0x147fc | 0x139fc |
| LoadResource | 0x0 | 0x1000d0f8 | 0x14800 | 0x13a00 |
| GetCurrentThread | 0x0 | 0x1000d0fc | 0x14804 | 0x13a04 |
| OpenProcess | 0x0 | 0x1000d100 | 0x14808 | 0x13a08 |
| GetSystemDirectoryW | 0x0 | 0x1000d104 | 0x1480c | 0x13a0c |
| SizeofResource | 0x0 | 0x1000d108 | 0x14810 | 0x13a10 |
| GetLocalTime | 0x0 | 0x1000d10c | 0x14814 | 0x13a14 |
| Process32FirstW | 0x0 | 0x1000d110 | 0x14818 | 0x13a18 |
| LockResource | 0x0 | 0x1000d114 | 0x1481c | 0x13a1c |
| Process32NextW | 0x0 | 0x1000d118 | 0x14820 | 0x13a20 |
| GetModuleHandleA | 0x0 | 0x1000d11c | 0x14824 | 0x13a24 |
| lstrcatW | 0x0 | 0x1000d120 | 0x14828 | 0x13a28 |
| CreateToolhelp32Snapshot | 0x0 | 0x1000d124 | 0x1482c | 0x13a2c |
| GetCurrentProcess | 0x0 | 0x1000d128 | 0x14830 | 0x13a30 |
| VirtualFree | 0x0 | 0x1000d12c | 0x14834 | 0x13a34 |
| VirtualAlloc | 0x0 | 0x1000d130 | 0x14838 | 0x13a38 |
| LoadLibraryA | 0x0 | 0x1000d134 | 0x1483c | 0x13a3c |
| VirtualProtect | 0x0 | 0x1000d138 | 0x14840 | 0x13a40 |
| WideCharToMultiByte | 0x0 | 0x1000d13c | 0x14844 | 0x13a44 |
| GetExitCodeProcess | 0x0 | 0x1000d140 | 0x14848 | 0x13a48 |
| WaitForMultipleObjects | 0x0 | 0x1000d144 | 0x1484c | 0x13a4c |
| CreateProcessW | 0x0 | 0x1000d148 | 0x14850 | 0x13a50 |
| PeekNamedPipe | 0x0 | 0x1000d14c | 0x14854 | 0x13a54 |
| GetTempFileNameW | 0x0 | 0x1000d150 | 0x14858 | 0x13a58 |
| InterlockedExchange | 0x0 | 0x1000d154 | 0x1485c | 0x13a5c |
| LeaveCriticalSection | 0x0 | 0x1000d158 | 0x14860 | 0x13a60 |
| MultiByteToWideChar | 0x0 | 0x1000d15c | 0x14864 | 0x13a64 |
| CreateFileA | 0x0 | 0x1000d160 | 0x14868 | 0x13a68 |
| GetTickCount | 0x0 | 0x1000d164 | 0x1486c | 0x13a6c |
| CreateThread | 0x0 | 0x1000d168 | 0x14870 | 0x13a70 |
| LocalFree | 0x0 | 0x1000d16c | 0x14874 | 0x13a74 |
| FindNextFileW | 0x0 | 0x1000d170 | 0x14878 | 0x13a78 |
| CreateFileMappingW | 0x0 | 0x1000d174 | 0x1487c | 0x13a7c |
| LocalAlloc | 0x0 | 0x1000d178 | 0x14880 | 0x13a80 |
| FindClose | 0x0 | 0x1000d17c | 0x14884 | 0x13a84 |
| GetFileSizeEx | 0x0 | 0x1000d180 | 0x14888 | 0x13a88 |
| CreateFileW | 0x0 | 0x1000d184 | 0x1488c | 0x13a8c |
| Sleep | 0x0 | 0x1000d188 | 0x14890 | 0x13a90 |
| FlushViewOfFile | 0x0 | 0x1000d18c | 0x14894 | 0x13a94 |
| GetLogicalDrives | 0x0 | 0x1000d190 | 0x14898 | 0x13a98 |
| WaitForSingleObject | 0x0 | 0x1000d194 | 0x1489c | 0x13a9c |
| GetDriveTypeW | 0x0 | 0x1000d198 | 0x148a0 | 0x13aa0 |
| UnmapViewOfFile | 0x0 | 0x1000d19c | 0x148a4 | 0x13aa4 |
| MapViewOfFile | 0x0 | 0x1000d1a0 | 0x148a8 | 0x13aa8 |
| FindFirstFileW | 0x0 | 0x1000d1a4 | 0x148ac | 0x13aac |
| CloseHandle | 0x0 | 0x1000d1a8 | 0x148b0 | 0x13ab0 |
| DeviceIoControl | 0x0 | 0x1000d1ac | 0x148b4 | 0x13ab4 |
| GetLastError | 0x0 | 0x1000d1b0 | 0x148b8 | 0x13ab8 |
| GetSystemDirectoryA | 0x0 | 0x1000d1b4 | 0x148bc | 0x13abc |
| ReadFile | 0x0 | 0x1000d1b8 | 0x148c0 | 0x13ac0 |
| WriteFile | 0x0 | 0x1000d1bc | 0x148c4 | 0x13ac4 |
| GetProcessHeap | 0x0 | 0x1000d1c0 | 0x148c8 | 0x13ac8 |
| InitializeCriticalSection | 0x0 | 0x1000d1c4 | 0x148cc | 0x13acc |
| HeapReAlloc | 0x0 | 0x1000d1c8 | 0x148d0 | 0x13ad0 |
| GetWindowsDirectoryW | 0x0 | 0x1000d1cc | 0x148d4 | 0x13ad4 |
| EnterCriticalSection | 0x0 | 0x1000d1d0 | 0x148d8 | 0x13ad8 |
| HeapFree | 0x0 | 0x1000d1d4 | 0x148dc | 0x13adc |
| SetFilePointerEx | 0x0 | 0x1000d1d8 | 0x148e0 | 0x13ae0 |
| HeapAlloc | 0x0 | 0x1000d1dc | 0x148e4 | 0x13ae4 |
| FindResourceW | 0x0 | 0x1000d1e0 | 0x148e8 | 0x13ae8 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| ExitWindowsEx | 0x0 | 0x1000d250 | 0x14958 | 0x13b58 |
| wsprintfA | 0x0 | 0x1000d254 | 0x1495c | 0x13b5c |
| wsprintfW | 0x0 | 0x1000d258 | 0x14960 | 0x13b60 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| CryptGenRandom | 0x0 | 0x1000d000 | 0x14708 | 0x13908 |
| CryptAcquireContextA | 0x0 | 0x1000d004 | 0x1470c | 0x1390c |
| CryptExportKey | 0x0 | 0x1000d008 | 0x14710 | 0x13910 |
| CryptAcquireContextW | 0x0 | 0x1000d00c | 0x14714 | 0x13914 |
| CreateProcessAsUserW | 0x0 | 0x1000d010 | 0x14718 | 0x13918 |
| InitiateSystemShutdownExW | 0x0 | 0x1000d014 | 0x1471c | 0x1391c |
| DuplicateTokenEx | 0x0 | 0x1000d018 | 0x14720 | 0x13920 |
| SetTokenInformation | 0x0 | 0x1000d01c | 0x14724 | 0x13924 |
| GetTokenInformation | 0x0 | 0x1000d020 | 0x14728 | 0x13928 |
| GetSidSubAuthorityCount | 0x0 | 0x1000d024 | 0x1472c | 0x1392c |
| OpenThreadToken | 0x0 | 0x1000d028 | 0x14730 | 0x13930 |
| GetSidSubAuthority | 0x0 | 0x1000d02c | 0x14734 | 0x13934 |
| AdjustTokenPrivileges | 0x0 | 0x1000d030 | 0x14738 | 0x13938 |
| LookupPrivilegeValueW | 0x0 | 0x1000d034 | 0x1473c | 0x1393c |
| OpenProcessToken | 0x0 | 0x1000d038 | 0x14740 | 0x13940 |
| SetThreadToken | 0x0 | 0x1000d03c | 0x14744 | 0x13944 |
| CredEnumerateW | 0x0 | 0x1000d040 | 0x14748 | 0x13948 |
| CredFree | 0x0 | 0x1000d044 | 0x1474c | 0x1394c |
| SetSecurityDescriptorDacl | 0x0 | 0x1000d048 | 0x14750 | 0x13950 |
| InitializeSecurityDescriptor | 0x0 | 0x1000d04c | 0x14754 | 0x13954 |
| CryptDestroyKey | 0x0 | 0x1000d050 | 0x14758 | 0x13958 |
| CryptGenKey | 0x0 | 0x1000d054 | 0x1475c | 0x1395c |
| CryptEncrypt | 0x0 | 0x1000d058 | 0x14760 | 0x13960 |
| CryptImportKey | 0x0 | 0x1000d05c | 0x14764 | 0x13964 |
| CryptSetKeyParam | 0x0 | 0x1000d060 | 0x14768 | 0x13968 |
| CryptReleaseContext | 0x0 | 0x1000d064 | 0x1476c | 0x1396c |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| CommandLineToArgvW | 0x0 | 0x1000d210 | 0x14918 | 0x13b18 |
| SHGetFolderPathW | 0x0 | 0x1000d214 | 0x1491c | 0x13b1c |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| CoCreateGuid | 0x0 | 0x1000d2b8 | 0x149c0 | 0x13bc0 |
| CoTaskMemFree | 0x0 | 0x1000d2bc | 0x149c4 | 0x13bc4 |
| StringFromCLSID | 0x0 | 0x1000d2c0 | 0x149c8 | 0x13bc8 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| CryptStringToBinaryW | 0x0 | 0x1000d06c | 0x14774 | 0x13974 |
| CryptBinaryToStringW | 0x0 | 0x1000d070 | 0x14778 | 0x13978 |
| CryptDecodeObjectEx | 0x0 | 0x1000d074 | 0x1477c | 0x1397c |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| PathAppendW | 0x0 | 0x1000d21c | 0x14924 | 0x13b24 |
| StrToIntW | 0x0 | 0x1000d220 | 0x14928 | 0x13b28 |
| PathFindFileNameW | 0x0 | 0x1000d224 | 0x1492c | 0x13b2c |
| PathFileExistsW | 0x0 | 0x1000d228 | 0x14930 | 0x13b30 |
| StrCmpW | 0x0 | 0x1000d22c | 0x14934 | 0x13b34 |
| StrCmpIW | 0x0 | 0x1000d230 | 0x14938 | 0x13b38 |
| StrChrW | 0x0 | 0x1000d234 | 0x1493c | 0x13b3c |
| StrCatW | 0x0 | 0x1000d238 | 0x14940 | 0x13b40 |
| StrStrW | 0x0 | 0x1000d23c | 0x14944 | 0x13b44 |
| PathFindExtensionW | 0x0 | 0x1000d240 | 0x14948 | 0x13b48 |
| PathCombineW | 0x0 | 0x1000d244 | 0x1494c | 0x13b4c |
| StrStrIW | 0x0 | 0x1000d248 | 0x14950 | 0x13b50 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| GetIpNetTable | 0x0 | 0x1000d090 | 0x14798 | 0x13998 |
| GetAdaptersInfo | 0x0 | 0x1000d094 | 0x1479c | 0x1399c |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| inet_ntoa | 0xc | 0x1000d260 | 0x14968 | 0x13b68 |
| gethostbyname | 0x34 | 0x1000d264 | 0x1496c | 0x13b6c |
| __WSAFDIsSet | 0x97 | 0x1000d268 | 0x14970 | 0x13b70 |
| ntohl | 0xe | 0x1000d26c | 0x14974 | 0x13b74 |
| ioctlsocket | 0xa | 0x1000d270 | 0x14978 | 0x13b78 |
| connect | 0x4 | 0x1000d274 | 0x1497c | 0x13b7c |
| inet_addr | 0xb | 0x1000d278 | 0x14980 | 0x13b80 |
| select | 0x12 | 0x1000d27c | 0x14984 | 0x13b84 |
| recv | 0x10 | 0x1000d280 | 0x14988 | 0x13b88 |
| send | 0x13 | 0x1000d284 | 0x1498c | 0x13b8c |
| htons | 0x9 | 0x1000d288 | 0x14990 | 0x13b90 |
| closesocket | 0x3 | 0x1000d28c | 0x14994 | 0x13b94 |
| socket | 0x17 | 0x1000d290 | 0x14998 | 0x13b98 |
| WSAStartup | 0x73 | 0x1000d294 | 0x1499c | 0x13b9c |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| WNetOpenEnumW | 0x0 | 0x1000d1e8 | 0x148f0 | 0x13af0 |
| WNetEnumResourceW | 0x0 | 0x1000d1ec | 0x148f4 | 0x13af4 |
| WNetCancelConnection2W | 0x0 | 0x1000d1f0 | 0x148f8 | 0x13af8 |
| WNetAddConnection2W | 0x0 | 0x1000d1f4 | 0x148fc | 0x13afc |
| WNetCloseEnum | 0x0 | 0x1000d1f8 | 0x14900 | 0x13b00 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| NetServerEnum | 0x0 | 0x1000d200 | 0x14908 | 0x13b08 |
| NetApiBufferFree | 0x0 | 0x1000d204 | 0x1490c | 0x13b0c |
| NetServerGetInfo | 0x0 | 0x1000d208 | 0x14910 | 0x13b10 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| DhcpEnumSubnetClients | 0x0 | 0x1000d07c | 0x14784 | 0x13984 |
| DhcpRpcFreeMemory | 0x0 | 0x1000d080 | 0x14788 | 0x13988 |
| DhcpGetSubnetInfo | 0x0 | 0x1000d084 | 0x1478c | 0x1398c |
| DhcpEnumSubnets | 0x0 | 0x1000d088 | 0x14790 | 0x13990 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| malloc | 0x0 | 0x1000d29c | 0x149a4 | 0x13ba4 |
| _itoa | 0x0 | 0x1000d2a0 | 0x149a8 | 0x13ba8 |
| free | 0x0 | 0x1000d2a4 | 0x149ac | 0x13bac |
| memset | 0x0 | 0x1000d2a8 | 0x149b0 | 0x13bb0 |
| rand | 0x0 | 0x1000d2ac | 0x149b4 | 0x13bb4 |
| memcpy | 0x0 | 0x1000d2b0 | 0x149b8 | 0x13bb8 |
| Signature Properties | |
|---|---|
| Signature verification |
|
| Certificate Properties | |
|---|---|
| Issued by | Microsoft Code Signing PCA |
| Valid from | 2009-12-07 22:40 |
| Valid to | 2011-03-07 22:40 |
| Algorithm | SHA-1 with RSA Encryption |
| Serial number | 61 01 CF 3E 00 00 00 00 00 0F |
| Certificate Properties | |
|---|---|
| Issued by | Microsoft Root Authority |
| Valid from | 2007-08-22 22:31 |
| Valid to | 2012-08-25 07:00 |
| Algorithm | 1, 3, 14, 3, 2, 29 |
| Serial number | 2E AB 11 DC 50 FF 5C 9D CB C0 |
| Signature Properties | |
|---|---|
| Signature verification |
|
| Certificate Properties | |
|---|---|
| Issued by | Microsoft Timestamping PCA |
| Valid from | 2008-07-25 19:01 |
| Valid to | 2013-07-25 19:11 |
| Algorithm | SHA-1 with RSA Encryption |
| Serial number | 61 05 A2 30 00 00 00 00 00 08 |
| Certificate Properties | |
|---|---|
| Issued by | Microsoft Root Authority |
| Valid from | 2006-09-16 01:04 |
| Valid to | 2019-09-15 07:00 |
| Algorithm | SHA-1 with RSA Encryption |
| Serial number | 6A 0B 99 4F C0 00 25 AB 11 DB 45 1F 58 7A 67 A2 |
| File Properties | |
|---|---|
| Names | c:\users\hjrd1k~1\desktop\petya.dll (Modified File) |
| Size | 353.87 KB (362360 bytes) |
| Hash Values |
MD5: 9a7ffe65e0912f9379ba6e8e0b079fde
SHA1: 532bea84179e2336caed26e31805ceaa7eec53dd SHA256: 4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651 |
| Actions |
|
| File Properties | |
|---|---|
| Names | c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp (Created File) |
| Size | 0.00 KB (0 bytes) |
| Hash Values |
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| File Properties | |
|---|---|
| Names | c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp (Created File) |
| Size | 55.00 KB (56320 bytes) |
| Hash Values |
MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1: 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf SHA256: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f |
| Actions |
|
| File Properties | |
|---|---|
| Image Base | 0x140000000 |
| Entry Point | 0x1400045b4 |
| Size Of Code | 0x8400 |
| Size Of Initialized Data | 0x6a00 |
| Size Of Uninitialized Data | 0x0 |
| Format | x64 |
| Type | Executable |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2017-06-06 15:32:49 |
| Compiler/Packer | Unknown |
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x140001000 | 0x8322 | 0x8400 | 0x400 | CNT_CODE, MEM_EXECUTE, MEM_READ | 6.24 |
| .rdata | 0x14000a000 | 0x31c4 | 0x3200 | 0x8800 | CNT_INITIALIZED_DATA, MEM_READ | 4.63 |
| .data | 0x14000e000 | 0x2ad4 | 0x1600 | 0xba00 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE | 2.22 |
| .pdata | 0x140011000 | 0x6e4 | 0x800 | 0xd000 | CNT_INITIALIZED_DATA, MEM_READ | 3.97 |
| .reloc | 0x140012000 | 0x308 | 0x400 | 0xd800 | CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ | 2.96 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| InitializeSecurityDescriptor | 0x0 | 0x14000a000 | 0xc898 | 0xb098 |
| SetSecurityDescriptorDacl | 0x0 | 0x14000a008 | 0xc8a0 | 0xb0a0 |
| IsTextUnicode | 0x0 | 0x14000a010 | 0xc8a8 | 0xb0a8 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| StrChrW | 0x0 | 0x14000a258 | 0xcaf0 | 0xb2f0 |
| StrCmpIW | 0x0 | 0x14000a260 | 0xcaf8 | 0xb2f8 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| IsCharAlphaNumericW | 0x0 | 0x14000a270 | 0xcb08 | 0xb308 |
| wsprintfW | 0x0 | 0x14000a278 | 0xcb10 | 0xb310 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| NtQuerySystemInformation | 0x0 | 0x14000a288 | 0xcb20 | 0xb320 |
| RtlEqualUnicodeString | 0x0 | 0x14000a290 | 0xcb28 | 0xb328 |
| RtlGetNtVersionNumbers | 0x0 | 0x14000a298 | 0xcb30 | 0xb330 |
| RtlGetCurrentPeb | 0x0 | 0x14000a2a0 | 0xcb38 | 0xb338 |
| NtQueryInformationProcess | 0x0 | 0x14000a2a8 | 0xcb40 | 0xb340 |
| RtlAdjustPrivilege | 0x0 | 0x14000a2b0 | 0xcb48 | 0xb348 |
| RtlInitUnicodeString | 0x0 | 0x14000a2b8 | 0xcb50 | 0xb350 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| HeapSize | 0x0 | 0x14000a020 | 0xc8b8 | 0xb0b8 |
| HeapReAlloc | 0x0 | 0x14000a028 | 0xc8c0 | 0xb0c0 |
| LoadLibraryW | 0x0 | 0x14000a030 | 0xc8c8 | 0xb0c8 |
| HeapFree | 0x0 | 0x14000a038 | 0xc8d0 | 0xb0d0 |
| EnterCriticalSection | 0x0 | 0x14000a040 | 0xc8d8 | 0xb0d8 |
| LeaveCriticalSection | 0x0 | 0x14000a048 | 0xc8e0 | 0xb0e0 |
| GetStringTypeW | 0x0 | 0x14000a050 | 0xc8e8 | 0xb0e8 |
| MultiByteToWideChar | 0x0 | 0x14000a058 | 0xc8f0 | 0xb0f0 |
| GetModuleHandleW | 0x0 | 0x14000a060 | 0xc8f8 | 0xb0f8 |
| GetProcAddress | 0x0 | 0x14000a068 | 0xc900 | 0xb100 |
| DeviceIoControl | 0x0 | 0x14000a070 | 0xc908 | 0xb108 |
| LocalFree | 0x0 | 0x14000a078 | 0xc910 | 0xb110 |
| SetFilePointer | 0x0 | 0x14000a080 | 0xc918 | 0xb118 |
| ReadProcessMemory | 0x0 | 0x14000a088 | 0xc920 | 0xb120 |
| WriteProcessMemory | 0x0 | 0x14000a090 | 0xc928 | 0xb128 |
| MapViewOfFile | 0x0 | 0x14000a098 | 0xc930 | 0xb130 |
| UnmapViewOfFile | 0x0 | 0x14000a0a0 | 0xc938 | 0xb138 |
| CreateFileMappingW | 0x0 | 0x14000a0a8 | 0xc940 | 0xb140 |
| CloseHandle | 0x0 | 0x14000a0b0 | 0xc948 | 0xb148 |
| GetCurrentProcess | 0x0 | 0x14000a0b8 | 0xc950 | 0xb150 |
| HeapAlloc | 0x0 | 0x14000a0c0 | 0xc958 | 0xb158 |
| GetProcessHeap | 0x0 | 0x14000a0c8 | 0xc960 | 0xb160 |
| WaitNamedPipeW | 0x0 | 0x14000a0d0 | 0xc968 | 0xb168 |
| Sleep | 0x0 | 0x14000a0d8 | 0xc970 | 0xb170 |
| CreateFileW | 0x0 | 0x14000a0e0 | 0xc978 | 0xb178 |
| FreeLibrary | 0x0 | 0x14000a0e8 | 0xc980 | 0xb180 |
| GetComputerNameW | 0x0 | 0x14000a0f0 | 0xc988 | 0xb188 |
| OpenProcess | 0x0 | 0x14000a0f8 | 0xc990 | 0xb190 |
| GetCommandLineW | 0x0 | 0x14000a100 | 0xc998 | 0xb198 |
| GetCPInfo | 0x0 | 0x14000a108 | 0xc9a0 | 0xb1a0 |
| GetACP | 0x0 | 0x14000a110 | 0xc9a8 | 0xb1a8 |
| GetOEMCP | 0x0 | 0x14000a118 | 0xc9b0 | 0xb1b0 |
| IsValidCodePage | 0x0 | 0x14000a120 | 0xc9b8 | 0xb1b8 |
| EncodePointer | 0x0 | 0x14000a128 | 0xc9c0 | 0xb1c0 |
| FlsGetValue | 0x0 | 0x14000a130 | 0xc9c8 | 0xb1c8 |
| FlsSetValue | 0x0 | 0x14000a138 | 0xc9d0 | 0xb1d0 |
| FlsFree | 0x0 | 0x14000a140 | 0xc9d8 | 0xb1d8 |
| SetLastError | 0x0 | 0x14000a148 | 0xc9e0 | 0xb1e0 |
| GetCurrentThreadId | 0x0 | 0x14000a150 | 0xc9e8 | 0xb1e8 |
| GetLastError | 0x0 | 0x14000a158 | 0xc9f0 | 0xb1f0 |
| FlsAlloc | 0x0 | 0x14000a160 | 0xc9f8 | 0xb1f8 |
| UnhandledExceptionFilter | 0x0 | 0x14000a168 | 0xca00 | 0xb200 |
| SetUnhandledExceptionFilter | 0x0 | 0x14000a170 | 0xca08 | 0xb208 |
| IsDebuggerPresent | 0x0 | 0x14000a178 | 0xca10 | 0xb210 |
| RtlVirtualUnwind | 0x0 | 0x14000a180 | 0xca18 | 0xb218 |
| RtlLookupFunctionEntry | 0x0 | 0x14000a188 | 0xca20 | 0xb220 |
| RtlCaptureContext | 0x0 | 0x14000a190 | 0xca28 | 0xb228 |
| DecodePointer | 0x0 | 0x14000a198 | 0xca30 | 0xb230 |
| TerminateProcess | 0x0 | 0x14000a1a0 | 0xca38 | 0xb238 |
| ExitProcess | 0x0 | 0x14000a1a8 | 0xca40 | 0xb240 |
| WriteFile | 0x0 | 0x14000a1b0 | 0xca48 | 0xb248 |
| GetStdHandle | 0x0 | 0x14000a1b8 | 0xca50 | 0xb250 |
| GetModuleFileNameW | 0x0 | 0x14000a1c0 | 0xca58 | 0xb258 |
| RtlUnwindEx | 0x0 | 0x14000a1c8 | 0xca60 | 0xb260 |
| FreeEnvironmentStringsW | 0x0 | 0x14000a1d0 | 0xca68 | 0xb268 |
| GetEnvironmentStringsW | 0x0 | 0x14000a1d8 | 0xca70 | 0xb270 |
| SetHandleCount | 0x0 | 0x14000a1e0 | 0xca78 | 0xb278 |
| InitializeCriticalSectionAndSpinCount | 0x0 | 0x14000a1e8 | 0xca80 | 0xb280 |
| GetFileType | 0x0 | 0x14000a1f0 | 0xca88 | 0xb288 |
| GetStartupInfoW | 0x0 | 0x14000a1f8 | 0xca90 | 0xb290 |
| DeleteCriticalSection | 0x0 | 0x14000a200 | 0xca98 | 0xb298 |
| HeapSetInformation | 0x0 | 0x14000a208 | 0xcaa0 | 0xb2a0 |
| GetVersion | 0x0 | 0x14000a210 | 0xcaa8 | 0xb2a8 |
| HeapCreate | 0x0 | 0x14000a218 | 0xcab0 | 0xb2b0 |
| QueryPerformanceCounter | 0x0 | 0x14000a220 | 0xcab8 | 0xb2b8 |
| GetTickCount | 0x0 | 0x14000a228 | 0xcac0 | 0xb2c0 |
| GetCurrentProcessId | 0x0 | 0x14000a230 | 0xcac8 | 0xb2c8 |
| GetSystemTimeAsFileTime | 0x0 | 0x14000a238 | 0xcad0 | 0xb2d0 |
| WideCharToMultiByte | 0x0 | 0x14000a240 | 0xcad8 | 0xb2d8 |
| LCMapStringW | 0x0 | 0x14000a248 | 0xcae0 | 0xb2e0 |
| File Properties | |
|---|---|
| Names | c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp (Created File) |
| Size | 55.00 KB (56320 bytes) |
| Hash Values |
MD5: bfd70118226e2e6391b6a0992f8b5b22
SHA1: 4f9e3810d346b368b7c2437eb4bb040d3f6daed3 SHA256: f8d214080544676394eea8dda1cbd79db436414860e1809cccd56b2da039c724 |
| Actions |
|
| File Properties | |
|---|---|
| Names | c:\windows\dllhost.dat (Created File) |
| Size | 372.87 KB (381816 bytes) |
| Hash Values |
MD5: aeee996fd3484f28e5cd85fe26b6bdcd
SHA1: cd23b7c9e0edef184930bc8e0ca2264f0608bcb3 SHA256: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 |
| Actions |
|
| File Properties | |
|---|---|
| Image Base | 0x400000 |
| Entry Point | 0x408a55 |
| Size Of Code | 0x24800 |
| Size Of Initialized Data | 0x37000 |
| Size Of Uninitialized Data | 0x0 |
| Format | x86 |
| Type | Executable |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_I386 |
| Compile Timestamp | 2010-04-27 02:23:59 |
| Compiler/Packer | Unknown |
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x401000 | 0x2477a | 0x24800 | 0x400 | CNT_CODE, MEM_EXECUTE, MEM_READ | 6.57 |
| .rdata | 0x426000 | 0x85de | 0x8600 | 0x24c00 | CNT_INITIALIZED_DATA, MEM_READ | 5.32 |
| .data | 0x42f000 | 0x2d6e4 | 0x2000 | 0x2d200 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE | 1.5 |
| .rsrc | 0x45d000 | 0x2c8d8 | 0x2ca00 | 0x2f200 | CNT_INITIALIZED_DATA, MEM_READ | 6.59 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| GetFileVersionInfoW | 0x0 | 0x4262f8 | 0x2d804 | 0x2c404 |
| GetFileVersionInfoSizeW | 0x0 | 0x4262fc | 0x2d808 | 0x2c408 |
| VerQueryValueW | 0x0 | 0x426300 | 0x2d80c | 0x2c40c |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| NetApiBufferFree | 0x0 | 0x4262c4 | 0x2d7d0 | 0x2c3d0 |
| NetServerEnum | 0x0 | 0x4262c8 | 0x2d7d4 | 0x2c3d4 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| WSAStartup | 0x73 | 0x426308 | 0x2d814 | 0x2c414 |
| gethostname | 0x39 | 0x42630c | 0x2d818 | 0x2c418 |
| inet_ntoa | 0xc | 0x426310 | 0x2d81c | 0x2c41c |
| gethostbyname | 0x34 | 0x426314 | 0x2d820 | 0x2c420 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| WNetAddConnection2W | 0x0 | 0x4262b8 | 0x2d7c4 | 0x2c3c4 |
| WNetCancelConnection2W | 0x0 | 0x4262bc | 0x2d7c8 | 0x2c3c8 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| GetModuleFileNameW | 0x0 | 0x4260b4 | 0x2d5c0 | 0x2c1c0 |
| SetEvent | 0x0 | 0x4260b8 | 0x2d5c4 | 0x2c1c4 |
| ConnectNamedPipe | 0x0 | 0x4260bc | 0x2d5c8 | 0x2c1c8 |
| GetFileAttributesW | 0x0 | 0x4260c0 | 0x2d5cc | 0x2c1cc |
| DisconnectNamedPipe | 0x0 | 0x4260c4 | 0x2d5d0 | 0x2c1d0 |
| ReadConsoleW | 0x0 | 0x4260c8 | 0x2d5d4 | 0x2c1d4 |
| ReadFile | 0x0 | 0x4260cc | 0x2d5d8 | 0x2c1d8 |
| GetFileTime | 0x0 | 0x4260d0 | 0x2d5dc | 0x2c1dc |
| WaitNamedPipeW | 0x0 | 0x4260d4 | 0x2d5e0 | 0x2c1e0 |
| SetFileAttributesW | 0x0 | 0x4260d8 | 0x2d5e4 | 0x2c1e4 |
| CopyFileW | 0x0 | 0x4260dc | 0x2d5e8 | 0x2c1e8 |
| WaitForMultipleObjects | 0x0 | 0x4260e0 | 0x2d5ec | 0x2c1ec |
| SetConsoleTitleW | 0x0 | 0x4260e4 | 0x2d5f0 | 0x2c1f0 |
| DuplicateHandle | 0x0 | 0x4260e8 | 0x2d5f4 | 0x2c1f4 |
| GetCurrentProcessId | 0x0 | 0x4260ec | 0x2d5f8 | 0x2c1f8 |
| TransactNamedPipe | 0x0 | 0x4260f0 | 0x2d5fc | 0x2c1fc |
| SetNamedPipeHandleState | 0x0 | 0x4260f4 | 0x2d600 | 0x2c200 |
| GetVersion | 0x0 | 0x4260f8 | 0x2d604 | 0x2c204 |
| CreateEventW | 0x0 | 0x4260fc | 0x2d608 | 0x2c208 |
| GetExitCodeProcess | 0x0 | 0x426100 | 0x2d60c | 0x2c20c |
| ResumeThread | 0x0 | 0x426104 | 0x2d610 | 0x2c210 |
| SetProcessAffinityMask | 0x0 | 0x426108 | 0x2d614 | 0x2c214 |
| GetEnvironmentVariableW | 0x0 | 0x42610c | 0x2d618 | 0x2c218 |
| GetFullPathNameW | 0x0 | 0x426110 | 0x2d61c | 0x2c21c |
| GetUserDefaultLCID | 0x0 | 0x426114 | 0x2d620 | 0x2c220 |
| GetDateFormatA | 0x0 | 0x426118 | 0x2d624 | 0x2c224 |
| GetTimeFormatA | 0x0 | 0x42611c | 0x2d628 | 0x2c228 |
| GetStringTypeA | 0x0 | 0x426120 | 0x2d62c | 0x2c22c |
| SetFilePointer | 0x0 | 0x426124 | 0x2d630 | 0x2c230 |
| GetSystemTimeAsFileTime | 0x0 | 0x426128 | 0x2d634 | 0x2c234 |
| QueryPerformanceCounter | 0x0 | 0x42612c | 0x2d638 | 0x2c238 |
| GetEnvironmentStringsW | 0x0 | 0x426130 | 0x2d63c | 0x2c23c |
| FreeEnvironmentStringsW | 0x0 | 0x426134 | 0x2d640 | 0x2c240 |
| LCMapStringW | 0x0 | 0x426138 | 0x2d644 | 0x2c244 |
| LoadResource | 0x0 | 0x42613c | 0x2d648 | 0x2c248 |
| GetCurrentProcess | 0x0 | 0x426140 | 0x2d64c | 0x2c24c |
| MultiByteToWideChar | 0x0 | 0x426144 | 0x2d650 | 0x2c250 |
| WaitForSingleObject | 0x0 | 0x426148 | 0x2d654 | 0x2c254 |
| GetComputerNameW | 0x0 | 0x42614c | 0x2d658 | 0x2c258 |
| GetSystemDirectoryW | 0x0 | 0x426150 | 0x2d65c | 0x2c25c |
| DeleteFileW | 0x0 | 0x426154 | 0x2d660 | 0x2c260 |
| FindResourceW | 0x0 | 0x426158 | 0x2d664 | 0x2c264 |
| SizeofResource | 0x0 | 0x42615c | 0x2d668 | 0x2c268 |
| LockResource | 0x0 | 0x426160 | 0x2d66c | 0x2c26c |
| GetConsoleScreenBufferInfo | 0x0 | 0x426164 | 0x2d670 | 0x2c270 |
| LoadLibraryExW | 0x0 | 0x426168 | 0x2d674 | 0x2c274 |
| FormatMessageA | 0x0 | 0x42616c | 0x2d678 | 0x2c278 |
| GetStdHandle | 0x0 | 0x426170 | 0x2d67c | 0x2c27c |
| WriteFile | 0x0 | 0x426174 | 0x2d680 | 0x2c280 |
| FreeLibrary | 0x0 | 0x426178 | 0x2d684 | 0x2c284 |
| CreateFileW | 0x0 | 0x42617c | 0x2d688 | 0x2c288 |
| CloseHandle | 0x0 | 0x426180 | 0x2d68c | 0x2c28c |
| GetTickCount | 0x0 | 0x426184 | 0x2d690 | 0x2c290 |
| SetEnvironmentVariableA | 0x0 | 0x426188 | 0x2d694 | 0x2c294 |
| Sleep | 0x0 | 0x42618c | 0x2d698 | 0x2c298 |
| SetLastError | 0x0 | 0x426190 | 0x2d69c | 0x2c29c |
| GetLastError | 0x0 | 0x426194 | 0x2d6a0 | 0x2c2a0 |
| GetCommandLineW | 0x0 | 0x426198 | 0x2d6a4 | 0x2c2a4 |
| LocalAlloc | 0x0 | 0x42619c | 0x2d6a8 | 0x2c2a8 |
| GetModuleHandleW | 0x0 | 0x4261a0 | 0x2d6ac | 0x2c2ac |
| LocalFree | 0x0 | 0x4261a4 | 0x2d6b0 | 0x2c2b0 |
| SetPriorityClass | 0x0 | 0x4261a8 | 0x2d6b4 | 0x2c2b4 |
| LoadLibraryW | 0x0 | 0x4261ac | 0x2d6b8 | 0x2c2b8 |
| GetProcAddress | 0x0 | 0x4261b0 | 0x2d6bc | 0x2c2bc |
| GetLocaleInfoA | 0x0 | 0x4261b4 | 0x2d6c0 | 0x2c2c0 |
| EnumSystemLocalesA | 0x0 | 0x4261b8 | 0x2d6c4 | 0x2c2c4 |
| IsValidLocale | 0x0 | 0x4261bc | 0x2d6c8 | 0x2c2c8 |
| SetStdHandle | 0x0 | 0x4261c0 | 0x2d6cc | 0x2c2cc |
| WriteConsoleA | 0x0 | 0x4261c4 | 0x2d6d0 | 0x2c2d0 |
| GetConsoleOutputCP | 0x0 | 0x4261c8 | 0x2d6d4 | 0x2c2d4 |
| WriteConsoleW | 0x0 | 0x4261cc | 0x2d6d8 | 0x2c2d8 |
| HeapSize | 0x0 | 0x4261d0 | 0x2d6dc | 0x2c2dc |
| GetLocaleInfoW | 0x0 | 0x4261d4 | 0x2d6e0 | 0x2c2e0 |
| GetTimeZoneInformation | 0x0 | 0x4261d8 | 0x2d6e4 | 0x2c2e4 |
| SetEndOfFile | 0x0 | 0x4261dc | 0x2d6e8 | 0x2c2e8 |
| GetProcessHeap | 0x0 | 0x4261e0 | 0x2d6ec | 0x2c2ec |
| CompareStringA | 0x0 | 0x4261e4 | 0x2d6f0 | 0x2c2f0 |
| CompareStringW | 0x0 | 0x4261e8 | 0x2d6f4 | 0x2c2f4 |
| SetConsoleCtrlHandler | 0x0 | 0x4261ec | 0x2d6f8 | 0x2c2f8 |
| HeapAlloc | 0x0 | 0x4261f0 | 0x2d6fc | 0x2c2fc |
| HeapFree | 0x0 | 0x4261f4 | 0x2d700 | 0x2c300 |
| EnterCriticalSection | 0x0 | 0x4261f8 | 0x2d704 | 0x2c304 |
| LeaveCriticalSection | 0x0 | 0x4261fc | 0x2d708 | 0x2c308 |
| ExitThread | 0x0 | 0x426200 | 0x2d70c | 0x2c30c |
| GetCurrentThreadId | 0x0 | 0x426204 | 0x2d710 | 0x2c310 |
| CreateThread | 0x0 | 0x426208 | 0x2d714 | 0x2c314 |
| ReadConsoleInputA | 0x0 | 0x42620c | 0x2d718 | 0x2c318 |
| SetConsoleMode | 0x0 | 0x426210 | 0x2d71c | 0x2c31c |
| GetConsoleMode | 0x0 | 0x426214 | 0x2d720 | 0x2c320 |
| PeekConsoleInputA | 0x0 | 0x426218 | 0x2d724 | 0x2c324 |
| GetNumberOfConsoleInputEvents | 0x0 | 0x42621c | 0x2d728 | 0x2c328 |
| ExitProcess | 0x0 | 0x426220 | 0x2d72c | 0x2c32c |
| DeleteCriticalSection | 0x0 | 0x426224 | 0x2d730 | 0x2c330 |
| FatalAppExitA | 0x0 | 0x426228 | 0x2d734 | 0x2c334 |
| VirtualFree | 0x0 | 0x42622c | 0x2d738 | 0x2c338 |
| VirtualAlloc | 0x0 | 0x426230 | 0x2d73c | 0x2c33c |
| HeapReAlloc | 0x0 | 0x426234 | 0x2d740 | 0x2c340 |
| HeapCreate | 0x0 | 0x426238 | 0x2d744 | 0x2c344 |
| HeapDestroy | 0x0 | 0x42623c | 0x2d748 | 0x2c348 |
| GetModuleFileNameA | 0x0 | 0x426240 | 0x2d74c | 0x2c34c |
| TerminateProcess | 0x0 | 0x426244 | 0x2d750 | 0x2c350 |
| UnhandledExceptionFilter | 0x0 | 0x426248 | 0x2d754 | 0x2c354 |
| SetUnhandledExceptionFilter | 0x0 | 0x42624c | 0x2d758 | 0x2c358 |
| IsDebuggerPresent | 0x0 | 0x426250 | 0x2d75c | 0x2c35c |
| GetCPInfo | 0x0 | 0x426254 | 0x2d760 | 0x2c360 |
| InterlockedIncrement | 0x0 | 0x426258 | 0x2d764 | 0x2c364 |
| InterlockedDecrement | 0x0 | 0x42625c | 0x2d768 | 0x2c368 |
| GetACP | 0x0 | 0x426260 | 0x2d76c | 0x2c36c |
| GetOEMCP | 0x0 | 0x426264 | 0x2d770 | 0x2c370 |
| IsValidCodePage | 0x0 | 0x426268 | 0x2d774 | 0x2c374 |
| TlsGetValue | 0x0 | 0x42626c | 0x2d778 | 0x2c378 |
| TlsAlloc | 0x0 | 0x426270 | 0x2d77c | 0x2c37c |
| TlsSetValue | 0x0 | 0x426274 | 0x2d780 | 0x2c380 |
| TlsFree | 0x0 | 0x426278 | 0x2d784 | 0x2c384 |
| GetCurrentThread | 0x0 | 0x42627c | 0x2d788 | 0x2c388 |
| SetHandleCount | 0x0 | 0x426280 | 0x2d78c | 0x2c38c |
| GetFileType | 0x0 | 0x426284 | 0x2d790 | 0x2c390 |
| GetStartupInfoA | 0x0 | 0x426288 | 0x2d794 | 0x2c394 |
| WideCharToMultiByte | 0x0 | 0x42628c | 0x2d798 | 0x2c398 |
| GetConsoleCP | 0x0 | 0x426290 | 0x2d79c | 0x2c39c |
| RtlUnwind | 0x0 | 0x426294 | 0x2d7a0 | 0x2c3a0 |
| CreateFileA | 0x0 | 0x426298 | 0x2d7a4 | 0x2c3a4 |
| FlushFileBuffers | 0x0 | 0x42629c | 0x2d7a8 | 0x2c3a8 |
| InterlockedExchange | 0x0 | 0x4262a0 | 0x2d7ac | 0x2c3ac |
| LoadLibraryA | 0x0 | 0x4262a4 | 0x2d7b0 | 0x2c3b0 |
| InitializeCriticalSectionAndSpinCount | 0x0 | 0x4262a8 | 0x2d7b4 | 0x2c3b4 |
| GetStringTypeW | 0x0 | 0x4262ac | 0x2d7b8 | 0x2c3b8 |
| LCMapStringA | 0x0 | 0x4262b0 | 0x2d7bc | 0x2c3bc |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| LoadCursorW | 0x0 | 0x4262d0 | 0x2d7dc | 0x2c3dc |
| SetCursor | 0x0 | 0x4262d4 | 0x2d7e0 | 0x2c3e0 |
| SetWindowTextW | 0x0 | 0x4262d8 | 0x2d7e4 | 0x2c3e4 |
| SendMessageW | 0x0 | 0x4262dc | 0x2d7e8 | 0x2c3e8 |
| EndDialog | 0x0 | 0x4262e0 | 0x2d7ec | 0x2c3ec |
| GetSysColorBrush | 0x0 | 0x4262e4 | 0x2d7f0 | 0x2c3f0 |
| GetDlgItem | 0x0 | 0x4262e8 | 0x2d7f4 | 0x2c3f4 |
| DialogBoxIndirectParamW | 0x0 | 0x4262ec | 0x2d7f8 | 0x2c3f8 |
| InflateRect | 0x0 | 0x4262f0 | 0x2d7fc | 0x2c3fc |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| GetDeviceCaps | 0x0 | 0x426098 | 0x2d5a4 | 0x2c1a4 |
| SetMapMode | 0x0 | 0x42609c | 0x2d5a8 | 0x2c1a8 |
| StartDocW | 0x0 | 0x4260a0 | 0x2d5ac | 0x2c1ac |
| StartPage | 0x0 | 0x4260a4 | 0x2d5b0 | 0x2c1b0 |
| EndPage | 0x0 | 0x4260a8 | 0x2d5b4 | 0x2c1b4 |
| EndDoc | 0x0 | 0x4260ac | 0x2d5b8 | 0x2c1b8 |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| PrintDlgW | 0x0 | 0x426090 | 0x2d59c | 0x2c19c |
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
|---|---|---|---|---|
| InitializeAcl | 0x0 | 0x426000 | 0x2d50c | 0x2c10c |
| CreateProcessAsUserW | 0x0 | 0x426004 | 0x2d510 | 0x2c110 |
| OpenProcessToken | 0x0 | 0x426008 | 0x2d514 | 0x2c114 |
| AdjustTokenPrivileges | 0x0 | 0x42600c | 0x2d518 | 0x2c118 |
| LogonUserW | 0x0 | 0x426010 | 0x2d51c | 0x2c11c |
| ImpersonateLoggedOnUser | 0x0 | 0x426014 | 0x2d520 | 0x2c120 |
| RegConnectRegistryW | 0x0 | 0x426018 | 0x2d524 | 0x2c124 |
| RevertToSelf | 0x0 | 0x42601c | 0x2d528 | 0x2c128 |
| DeleteService | 0x0 | 0x426020 | 0x2d52c | 0x2c12c |
| ControlService | 0x0 | 0x426024 | 0x2d530 | 0x2c130 |
| OpenSCManagerW | 0x0 | 0x426028 | 0x2d534 | 0x2c134 |
| OpenServiceW | 0x0 | 0x42602c | 0x2d538 | 0x2c138 |
| StartServiceW | 0x0 | 0x426030 | 0x2d53c | 0x2c13c |
| QueryServiceStatus | 0x0 | 0x426034 | 0x2d540 | 0x2c140 |
| CreateServiceW | 0x0 | 0x426038 | 0x2d544 | 0x2c144 |
| CloseServiceHandle | 0x0 | 0x42603c | 0x2d548 | 0x2c148 |
| RegCreateKeyW | 0x0 | 0x426040 | 0x2d54c | 0x2c14c |
| RegQueryValueExW | 0x0 | 0x426044 | 0x2d550 | 0x2c150 |
| RegSetValueExW | 0x0 | 0x426048 | 0x2d554 | 0x2c154 |
| RegCloseKey | 0x0 | 0x42604c | 0x2d558 | 0x2c158 |
| AllocateAndInitializeSid | 0x0 | 0x426050 | 0x2d55c | 0x2c15c |
| GetTokenInformation | 0x0 | 0x426054 | 0x2d560 | 0x2c160 |
| GetLengthSid | 0x0 | 0x426058 | 0x2d564 | 0x2c164 |
| SetTokenInformation | 0x0 | 0x42605c | 0x2d568 | 0x2c168 |
| GetSecurityInfo | 0x0 | 0x426060 | 0x2d56c | 0x2c16c |
| GetAce | 0x0 | 0x426064 | 0x2d570 | 0x2c170 |
| AddAce | 0x0 | 0x426068 | 0x2d574 | 0x2c174 |
| AddAccessAllowedAce | 0x0 | 0x42606c | 0x2d578 | 0x2c178 |
| SetSecurityInfo | 0x0 | 0x426070 | 0x2d57c | 0x2c17c |
| FreeSid | 0x0 | 0x426074 | 0x2d580 | 0x2c180 |
| LsaOpenPolicy | 0x0 | 0x426078 | 0x2d584 | 0x2c184 |
| LsaEnumerateAccountRights | 0x0 | 0x42607c | 0x2d588 | 0x2c188 |
| LookupPrivilegeValueW | 0x0 | 0x426080 | 0x2d58c | 0x2c18c |
| LsaFreeMemory | 0x0 | 0x426084 | 0x2d590 | 0x2c190 |
| LsaClose | 0x0 | 0x426088 | 0x2d594 | 0x2c194 |
| Signature Properties | |
|---|---|
| LegalCopyright | Copyright (C) 2001-2010 Mark Russinovich |
| InternalName | PsExec |
| FileVersion | 1.98 |
| CompanyName | Sysinternals - www.sysinternals.com |
| ProductName | Sysinternals PsExec |
| ProductVersion | 1.98 |
| FileDescription | Execute processes remotely |
| OriginalFilename | psexec.c |
| Signature verification |
|
| Certificate Properties | |
|---|---|
| Issued by | Microsoft Code Signing PCA |
| Valid from | 2009-12-07 22:40 |
| Valid to | 2011-03-07 22:40 |
| Algorithm | SHA-1 with RSA Encryption |
| Serial number | 61 01 CF 3E 00 00 00 00 00 0F |
| Certificate Properties | |
|---|---|
| Issued by | Microsoft Root Authority |
| Valid from | 2007-08-22 22:31 |
| Valid to | 2012-08-25 07:00 |
| Algorithm | 1, 3, 14, 3, 2, 29 |
| Serial number | 2E AB 11 DC 50 FF 5C 9D CB C0 |
| Signature Properties | |
|---|---|
| LegalCopyright | Copyright (C) 2001-2010 Mark Russinovich |
| InternalName | PsExec |
| FileVersion | 1.98 |
| CompanyName | Sysinternals - www.sysinternals.com |
| ProductName | Sysinternals PsExec |
| ProductVersion | 1.98 |
| FileDescription | Execute processes remotely |
| OriginalFilename | psexec.c |
| Signature verification |
|
| Certificate Properties | |
|---|---|
| Issued by | Microsoft Timestamping PCA |
| Valid from | 2008-07-25 19:01 |
| Valid to | 2013-07-25 19:11 |
| Algorithm | SHA-1 with RSA Encryption |
| Serial number | 61 05 A2 30 00 00 00 00 00 08 |
| Certificate Properties | |
|---|---|
| Issued by | Microsoft Root Authority |
| Valid from | 2006-09-16 01:04 |
| Valid to | 2019-09-15 07:00 |
| Algorithm | SHA-1 with RSA Encryption |
| Serial number | 6A 0B 99 4F C0 00 25 AB 11 DB 45 1F 58 7A 67 A2 |
| File Properties | |
|---|---|
| Names | c:\readme.txt (Created File) |
| Size | 2.11 KB (2164 bytes) |
| Hash Values |
MD5: e0e4d4e05040bae07d42939024791284
SHA1: 4cc56bb43bb7fc38b3640a819e49161b03ec2924 SHA256: d42dffe59c922d99fb0531e9f47e7f4d091d3848318fb0dd89b1e928b43f2785 |
| Actions |
|
This feature requires an online-connection to the VMRay backend.
An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox
with deactivated setting "security.fileuri.strict_origin_policy".
