+----------------------+----------------------+----------------------+----------------------+----------------------+
| Category             | Operation            | Information          | Success              | Count                |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MUTEX                | CREATE               | mutex_name = Global\ | True                 | 1                    |
|                      |                      | C3819288-93FA-4E29-A |                      |                      |
|                      |                      | 254-BD9476B53C20, in |                      |                      |
|                      |                      | itial_owner = 0      |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| INI                  | READ                 | file_name = \\?\glob | True                 | 1                    |
|                      |                      | alroot\device\000001 |                      |                      |
|                      |                      | a9\0d24eb7c\cfg.ini, |                      |                      |
|                      |                      |  section_name = cmd, |                      |                      |
|                      |                      |  key_name = bsh, def |                      |                      |
|                      |                      | ault_value = noname, |                      |                      |
|                      |                      |  data_out = noname   |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MUTEX                | RELEASE              | mutex_name = Global\ | True                 | 1                    |
|                      |                      | C3819288-93FA-4E29-A |                      |                      |
|                      |                      | 254-BD9476B53C20     |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| INI                  | READ                 | file_name = \\?\glob | True                 | 1                    |
|                      |                      | alroot\device\000001 |                      |                      |
|                      |                      | a9\0d24eb7c\cfg.ini, |                      |                      |
|                      |                      |  section_name = main |                      |                      |
|                      |                      | , key_name = aid, de |                      |                      |
|                      |                      | fault_value = 10000, |                      |                      |
|                      |                      |  data_out = 66671    |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MUTEX                | RELEASE              | mutex_name = Global\ | True                 | 1                    |
|                      |                      | C3819288-93FA-4E29-A |                      |                      |
|                      |                      | 254-BD9476B53C20     |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| INI                  | READ                 | file_name = \\?\glob | True                 | 1                    |
|                      |                      | alroot\device\000001 |                      |                      |
|                      |                      | a9\0d24eb7c\cfg.ini, |                      |                      |
|                      |                      |  section_name = main |                      |                      |
|                      |                      | , key_name = sid, de |                      |                      |
|                      |                      | fault_value = 0, dat |                      |                      |
|                      |                      | a_out = 0            |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MUTEX                | RELEASE              | mutex_name = Global\ | True                 | 1                    |
|                      |                      | C3819288-93FA-4E29-A |                      |                      |
|                      |                      | 254-BD9476B53C20     |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| INI                  | READ                 | file_name = \\?\glob | True                 | 1                    |
|                      |                      | alroot\device\000001 |                      |                      |
|                      |                      | a9\0d24eb7c\cfg.ini, |                      |                      |
|                      |                      |  section_name = main |                      |                      |
|                      |                      | , key_name = version |                      |                      |
|                      |                      | , default_value = 0. |                      |                      |
|                      |                      | 0, data_out = 0.03   |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MUTEX                | RELEASE              | mutex_name = Global\ | True                 | 1                    |
|                      |                      | C3819288-93FA-4E29-A |                      |                      |
|                      |                      | 254-BD9476B53C20     |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| INI                  | READ                 | file_name = \\?\glob | True                 | 1                    |
|                      |                      | alroot\device\000001 |                      |                      |
|                      |                      | a9\0d24eb7c\cfg.ini, |                      |                      |
|                      |                      |  section_name = main |                      |                      |
|                      |                      | , key_name = install |                      |                      |
|                      |                      | date, default_value  |                      |                      |
|                      |                      | = 0, data_out = 6.12 |                      |                      |
|                      |                      | .2016 9:36:14        |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MUTEX                | RELEASE              | mutex_name = Global\ | True                 | 1                    |
|                      |                      | C3819288-93FA-4E29-A |                      |                      |
|                      |                      | 254-BD9476B53C20     |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| INI                  | READ                 | file_name = \\?\glob | True                 | 1                    |
|                      |                      | alroot\device\000001 |                      |                      |
|                      |                      | a9\0d24eb7c\cfg.ini, |                      |                      |
|                      |                      |  section_name = main |                      |                      |
|                      |                      | , key_name = buildda |                      |                      |
|                      |                      | te, default_value =  |                      |                      |
|                      |                      | 0, data_out = 351    |                      |                      |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MUTEX | RELEASE | mutex_name = Global\ | True | 1 | | | | 
C3819288-93FA-4E29-A | | | | | | 254-BD9476B53C20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INI | READ | file_name = \\?\glob | True | 1 | | | | alroot\device\000001 | | | | | | a9\0d24eb7c\cfg.ini, | | | | | | section_name = main | | | | | | , key_name = rnd, de | | | | | | fault_value = *, dat | | | | | | a_out = 2040373303 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MUTEX | RELEASE | mutex_name = Global\ | True | 1 | | | | C3819288-93FA-4E29-A | | | | | | 254-BD9476B53C20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INI | READ | file_name = \\?\glob | True | 1 | | | | alroot\device\000001 | | | | | | a9\0d24eb7c\cfg.ini, | | | | | | section_name = cmd, | | | | | | key_name = nuh, def | | | | | | ault_value = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MUTEX | RELEASE | mutex_name = Global\ | True | 1 | | | | C3819288-93FA-4E29-A | | | | | | 254-BD9476B53C20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etNativeSystemInfo, | | | | | | address = 0x763210b5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | READ_VALUE | reg_name = HKEY_LOCA | True | 1 | | | | L_MACHINE\software\c | | | | | | 
lasses\http\shell\op | | | | | | en\command, data_ide | | | | | | nt_out = "C:\Program | | | | | | Files (x86)\Interne | | | | | | t Explorer\iexplore. | | | | | | exe" -nohome | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrL | | | | | | ockLoaderLock, addre | | | | | | ss = 0x77e66b95 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = LdrU | | | | | | nlockLoaderLock, add | | | | | | ress = 0x77e66c3c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | THREAD | OPEN | os_tid = 0x5ac | True | 1 | +----------------------+----------------------+----------------------+----------------------+----------------------+ | THREAD | SUSPEND | os_tid = 0x5ac | True | 1 | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_FILENAME | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, file_name = C:\ | | | | | | Windows\SysWOW64\ntd | | | | | | ll.dll | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | FILE | CREATE | file_name = c:\windo | True | 1 | | | | ws\syswow64\ntdll.dl | | | | | | l, desired_access = | | | | | | GENERIC_READ, share_ | | | | | | mode = FILE_SHARE_RE | | | | | | AD, create_dispositi | | | | | | on = OPEN_EXISTING | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | CREATE_MAPPING | file_name = c:\windo | True | 1 | | | | ws\syswow64\ntdll.dl | | | | | | l, module_name = Nam | | | | | | eless FileMapping, m | | | | | | aximum_size = 0, pro | | | | | | tection = PAGE_READO | | | | | | NLY | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | MAP | file_name = c:\windo | True | 1 | | | | ws\syswow64\ntdll.dl | | | | | | l, process_name = c: | | | | | | \windows\syswow64\pi | | | | | | ng.exe, os_pid = 0x5 | | | | | | 0c, module_name = Na | | | | | | meless FileMapping, | | | | | | desired_access = FIL | | | | | | E_MAP_READ, file_off | | | | | | set = 0, address = 0 | | | | | | x1020000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | UNMAP | process_name = c:\wi | True | 1 | | | | ndows\syswow64\ping. 
| | | | | | exe, os_pid = 0x50c, | | | | | | base_address = 0x10 | | | | | | 20000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_FILENAME | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, file_name = | | | | | | C:\Windows\syswow64\ | | | | | | kernel32.dll | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | FILE | CREATE | file_name = c:\windo | True | 1 | | | | ws\syswow64\kernel32 | | | | | | .dll, desired_access | | | | | | = GENERIC_READ, sha | | | | | | re_mode = FILE_SHARE | | | | | | _READ, create_dispos | | | | | | ition = OPEN_EXISTIN | | | | | | G | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | CREATE_MAPPING | file_name = c:\windo | True | 1 | | | | ws\syswow64\kernel32 | | | | | | .dll, module_name = | | | | | | Nameless FileMapping | | | | | | , maximum_size = 0, | | | | | | protection = PAGE_RE | | | | | | ADONLY | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | MAP | file_name = c:\windo | True | 1 | | | | ws\syswow64\kernel32 | | | | | | .dll, process_name = | | | | | | c:\windows\syswow64 | | | | | | \ping.exe, os_pid = | | | | | | 0x50c, module_name = | | | | | | Nameless FileMappin | | | | | | g, desired_access = | | | | | | FILE_MAP_READ, file_ | | | | | | offset = 0, address | | | | | | = 0x1020000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | nwind, address = 0x7 | | | | | | 7e76d39 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | aptureContext, addre | | | | | | ss = 0x77e76b2b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | aptureStackBackTrace | | | | | | , address = 0x77e94f | | | | | | 8f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateEvent, address = | | | | | | 0x77e4ff64 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtDu | | | | | | plicateObject, addre | | | | | | ss = 0x77e4fe34 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | onvertSidToUnicodeSt | | | | | | ring, address = 0x77 | | | | | | e6aec2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtNo | | | | | | tifyChangeKey, addre | | | | | | ss = 0x77e50f60 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | unOnceInitialize, ad | | | | | | dress = 0x77e68456 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRe | | | | | | setEvent, address = | | | | | | 0x77e51798 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlV | | | | | | alidSecurityDescript | | | | | | or, address = 0x77e9 | | | | | | 5e16 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlO | | | | | | penCurrentUser, addr | | | | | | ess = 0x77e8b06f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = strn | | | | | | cat, address = 0x77e | | | | | | ac570 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _str | | | | | | lwr, address = 0x77f | | | | | | 04a48 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryInstallUILanguage | | | | | | , address = 0x77e514 | | | | | | 04 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = Rtlp | | | | | | ConvertCultureNamesT | | | | | | oLCIDs, address = 0x | | | | | | 77ee9fa8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = Rtlp | | | | | | ConvertLCIDsToCultur | | | | | | eNames, address = 0x | | | | | | 77ee9d5e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = EtwE | | | | | | ventEnabled, address | | | | | | = 0x77e688e2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etProcessPreferredUI | | | | | | Languages, address = | | | | | | 0x77eeb52a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlE | | | | | | xpandEnvironmentStri | | | | | | ngs_U, address = 0x7 | | | | | | 7e8c9e7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | nicodeStringToIntege | | | | | | r, address = 0x77e8c | | | | | | b1e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlL | | | | | | CIDToCultureName, ad | | | | | | dress = 0x77e7feff | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | dnToUnicode, address | | | | | | = 0x77ef6e59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlI | | | | | | dnToNameprepUnicode, | | | | | | address = 0x77ef6e3 | | | | | | 5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | dnToAscii, address = | | | | | | 0x77ea0bd5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | sNormalizedString, a | | | | | | ddress = 0x77ef8a72 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlN | | | | | | ormalizeString, addr | | | | | | ess = 0x77e95743 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | ntegerToUnicodeStrin | | | | | | g, address = 0x77e68 | | | | | | aad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _ui6 | | | | | | 4tow, address = 0x77 | | | | | | e9dda7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = _wto | | | | | | l, address = 0x77ea8 | | | | | | 706 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _wcs | | | | | | lwr, address = 0x77f | | | | | | 04b6b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | nhandledExceptionFil | | | | | | ter, address = 0x77e | | | | | | f8dd3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtTe | | | | | | rminateProcess, addr | | | | | | ess = 0x77e4fca0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = wcsn | | | | | | cpy, address = 0x77f | | | | | | 05755 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = wcsn | | | | | | cmp, address = 0x77e | | | | | | 67f75 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlR | | | | | | eadThreadProfilingDa | | | | | | ta, address = 0x77ec | | | | | | f099 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlQ | | | | | | ueryThreadProfiling, | | | | | | address = 0x77ecf07 | | | | | | a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | isableThreadProfilin | | | | | | g, address = 0x77ecf | | | | | | 030 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlE | | | | | | nableThreadProfiling | | | | | | , address = 0x77ecef | | | | | | 5f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etExtendedFeaturesMa | | | | | | sk, address = 0x77ef | | | | | | 1482 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etExtendedFeaturesMa | | | | | | sk, address = 0x77ef | | | | | | 189d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlL | | | | | | ocateExtendedFeature | | | | | | , address = 0x77ef19 | | | | | | 16 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | opyContext, address | | | | | | = 0x77ef15e6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etEnabledExtendedFea | | | | | | tures, address = 0x7 | | | | | | 7ef4c27 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etExtendedContextLen | | | | | | gth, address = 0x77e | | | | | | f1816 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitializeExtendedCon | | | | | | text, address = 0x77 | | | | | | ef1728 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlL | | | | | | ocateLegacyContext, | | | | | | address = 0x77ef1412 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtRa | | | | | | iseException, addres | | | | | | s = 0x77e515dc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwE | | | | | | ventWriteNoRegistrat | | | | | | ion, address = 0x77e | | | | | | a2220 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | egisterWait, address | | | | | | = 0x77ea0852 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etIoCompletionCallba | | | | | | ck, address = 0x77ea | | | | | | 8a7e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlQ | | | | | | ueueWorkItem, addres | | | | | | s = 0x77e980a6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | eregisterWait, addre | | | | | | ss = 0x77f10663 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtOp | | | | | | enEvent, address = 0 | | | | | | x77e4fe98 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRe | | | | | | setWriteWatch, addre | | | | | | ss = 0x77e517b4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtGe | | | | | | tWriteWatch, address | | | | | | = 0x77e50d00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtMa | | | | | | pUserPhysicalPagesSc | | | | | | atter, address = 0x7 | | | | | | 7e4f890 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtMa | | | | | | pUserPhysicalPages, | | | | | | address = 0x77e50efc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtFr | | | | | | eeUserPhysicalPages, | | | | | | address = 0x77e50bd | | | | | | 8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtAl | | | | | | locateUserPhysicalPa | | | | | | ges, address = 0x77e | | | | | | 50344 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtUn | | | | | | lockVirtualMemory, a | | | | | | ddress = 0x77e51ec0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtLo | | | | | | ckVirtualMemory, add | | | | | | ress = 0x77e50e94 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlO | | | | | | emStringToUnicodeStr | | | | | | ing, address = 0x77e | | | | | | 9b955 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etEnvironmentStrings | | | | | | , address = 0x77ef1e | | | | | | 9a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | omputeImportTableHas | | | | | | h, address = 0x77edc | | | | | | 90d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = bsea | | | | | | rch, address = 0x77e | | | | | | 5ebdc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlE | | | | | | ncodeSystemPointer, | | | | | | address = 0x77e6e058 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | indCharInUnicodeStri | | | | | | ng, address = 0x77e5 | | | | | | fb37 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlN | | | | | | tPathNameToDosPathNa | | | | | | me, address = 0x77e7 | | | | | | eb6b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtAp | | | | | | phelpCacheControl, a | | | | | | ddress = 0x77e4ffc4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | andom, address = 0x7 | | | | | | 7ef98c3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlF | | | | | | indActivationContext | | | | | | SectionGuid, address | | | | | | = 0x77e93ecb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | indActivationContext | | | | | | SectionString, addre | | | | | | ss = 0x77e5ec78 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | oesFileExists_U, add | | | | | | ress = 0x77e87ecd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateActivationConte | | | | | | xt, address = 0x77e8 | | | | | | 8aff | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = DbgP | | | | | | rintEx, address = 0x | | | | | | 77ea5af3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | mageNtHeaderEx, addr | | | | | | ess = 0x77e5f495 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlS | | | | | | etThreadPreferredUIL | | | | | | anguages, address = | | | | | | 0x77e7d6b7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlQ | | | | | | ueryActivationContex | | | | | | tApplicationSettings | | | | | | , address = 0x77e83a | | | | | | 09 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etThreadPreferredUIL | | | | | | anguages, address = | | | | | | 0x77e7f97c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlQ | | | | | | ueryInformationActiv | | | | | | ationContext, addres | | | | | | s = 0x77e6b988 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlM | | | | | | ultiAppendUnicodeStr | | | | | | ingBuffer, address = | | | | | | 0x77e8a858 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = Rtlp | | | | | | EnsureBufferSize, ad | | | | | | dress = 0x77e92aed | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlG | | | | | | etLengthWithoutLastF | | | | | | ullDosOrNtPathElemen | | | | | | t, address = 0x77e88 | | | | | | 910 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = Rtlp | | | | | | ApplyLengthFunction, | | | | | | address = 0x77e8889 | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etActiveActivationCo | | | | | | ntext, address = 0x7 | | | | | | 7e6bd84 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | eactivateActivationC | | | | | | ontext, address = 0x | | | | | | 77e94ae8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | ctivateActivationCon | | | | | | text, address = 0x77 | | | | | | e94c86 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlZ | | | | | | ombifyActivationCont | | | | | | ext, address = 0x77e | | | | | | dc027 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlR | | | | | | eleaseActivationCont | | | | | | ext, address = 0x77e | | | | | | 6bb43 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | ddRefActivationConte | | | | | | xt, address = 0x77e5 | | | | | | f622 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tInformationJobObjec | | | | | | t, address = 0x77e51 | | | | | | a30 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateJobSet, address | | | | | | = 0x77e5072c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryInformationJobObj | | | | | | ect, address = 0x77e | | | | | | 51374 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtTe | | | | | | rminateJobObject, ad | | | | | | dress = 0x77e51d94 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtAs | | | | | | signProcessToJobObje | | | | | | ct, address = 0x77e5 | | | | | | 058c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enJobObject, address | | | | | | = 0x77e50ff0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateJobObject, addre | | | | | | ss = 0x77e50714 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = tolo | | | | | | wer, address = 0x77f | | | | | | 0559f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = atol | | | | | | , address = 0x77e7d3 | | | | | | 00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = isdi | | | | | | git, address = 0x77e | | | | | | 7c3d5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = toup | | | | | | per, address = 0x77e | | | | | | 78bf5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etCurrentDirectory_U | | | | | | , address = 0x77e910 | | | | | | 3d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | opyLuid, address = 0 | | | | | | x77ee2297 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeOemString, addres | | | | | | s = 0x77ececca | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateEnvironment, ad | | | | | | dress = 0x77ef1dfe | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateEnvironmentEx, | | | | | | address = 0x77e7d3a3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlD | | | | | | estroyEnvironment, a | | | | | | ddress = 0x77e7ed9a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryEvent, address = | | | | | | 0x77e500bc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = CsrC | | | | | | lientCallServer, add | | | | | | ress = 0x77edcaff | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = CsrA | | | | | | llocateCaptureBuffer | | | | | | , address = 0x77edcb | | | | | | 0f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = CsrA | | | | | | llocateMessagePointe | | | | | | r, address = 0x77edc | | | | | | b2f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = CsrF | | | | | | reeCaptureBuffer, ad | | | | | | dress = 0x77edcb1f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtDe | | | | | | viceIoControlFile, a | | | | | | ddress = 0x77e4f8fc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateQueryDebugBuffe | | | | | | r, address = 0x77ea2 | | | | | | 745 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlQ | | | | | | ueryProcessDebugInfo | | | | | | rmation, address = 0 | | | | | | x77ea348c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | estroyQueryDebugBuff | | | | | | er, address = 0x77ea | | | | | | 3380 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtMa | | | | | | pViewOfSection, addr | | | | | | ess = 0x77e4fc40 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtUn | | | | | | mapViewOfSection, ad | | | | | | dress = 0x77e4fc70 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlF | | | | | | reeUserStack, addres | | | | | | s = 0x77e9e710 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlP | | | | | | rocessFlsData, addre | | | | | | ss = 0x77e699a7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | llocateActivationCon | | | | | | textStack, address = | | | | | | 0x77e69f73 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeActivationContext | | | | | | Stack, address = 0x7 | | | | | | 7e8d484 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateUserStack, addr | | | | | | ess = 0x77ea0f4f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpCa | | | | | | ptureCaller, address | | | | | | = 0x77e7248d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtSu | | | | | | spendThread, address | | | | | | = 0x77e51d60 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tContextThread, addr | | | | | | ess = 0x77e51910 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtGe | | | | | | tContextThread, addr | | | | | | ess = 0x77e50c20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | llocateAndInitialize | | | | | | Sid, address = 0x77e | | | | | | 693e2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeSid, address = 0x | | | | | | 77e693b2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSi | | | | | | gnalAndWaitForSingle | | | | | | Object, address = 0x | | | | | | 77e51cd8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlR | | | | | | unOnceComplete, addr | | | | | | ess = 0x77e6bfe5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | unOnceBeginInitializ | | | | | | e, address = 0x77e67 | | | | | | e1b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | unOnceExecuteOnce, a | | | | | | ddress = 0x77e67de3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | leepConditionVariabl | | | | | | eSRW, address = 0x77 | | | | | | ed8028 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | leepConditionVariabl | | | | | | eCS, address = 0x77e | | | | | | d7f2b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enPrivateNamespace, | | | | | | address = 0x77e51098 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtCr | | | | | | eatePrivateNamespace | | | | | | , address = 0x77e507 | | | | | | ec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtDe | | | | | | letePrivateNamespace | | | | | | , address = 0x77e50a | | | | | | 1c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitializeSRWLock, ad | | | | | | dress = 0x77e68456 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | ddIntegrityLabelToBo | | | | | | undaryDescriptor, ad | | | | | | dress = 0x77ee53cf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | ddSIDToBoundaryDescr | | | | | | iptor, address = 0x7 | | | | | | 7e9ae93 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateBoundaryDescrip | | | | | | tor, address = 0x77e | | | | | | 986f1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlA | | | | | | cquireSRWLockShared, | | | | | | address = 0x77e6256 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | eleaseSRWLockShared, | | | | | | address = 0x77e625a | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtPr | | | | | | otectVirtualMemory, | | | | | | address = 0x77e50028 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = strc | | | | | | py_s, address = 0x77 | | | | | | e959cd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRe | | | | | | placePartitionUnit, | | | | | | address = 0x77e51750 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | ompareUnicodeString, | | | | | | address = 0x77e684b | | | | | | 7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlR | | | | | | aiseStatus, address | | | | | | = 0x77e76ea5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryInformationToken, | | | | | | address = 0x77e4fb9 | | | | | | 8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitializeSid, addres | | | | | | s = 0x77e70f5a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | ubAuthoritySid, addr | | | | | | ess = 0x77e70f42 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrL | | | | | | oadDll, address = 0x | | | | | | 77e6c43a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrG | | | | | | etProcedureAddress, | | | | | | address = 0x77e601aa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = LdrU | | | | | | nloadDll, address = | | | | | | 0x77e711d7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlQ | | | | | | ueryRegistryValues, | | | | | | address = 0x77ea4b60 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | erySystemInformation | | | | | | Ex, address = 0x77e5 | | | | | | 1590 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | ecodeSystemPointer, | | | | | | address = 0x77e6ad98 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlW | | | | | | ow64LogMessageInEven | | | | | | tLogger, address = 0 | | | | | | x77ede4a3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = Rtlx | | | | | | AnsiStringToUnicodeS | | | | | | ize, address = 0x77e | | | | | | e6262 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtIs | | | | | | SystemResumeAutomati | | | | | | c, address = 0x77e50 | | | | | | d98 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtGe | | | | | | tDevicePowerState, a | | | | | | ddress = 0x77e50c54 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tThreadExecutionStat | | | | | | e, address = 0x77e51 | | | | | | c20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtIn | | | | | | itiatePowerAction, a | | | | | | ddress = 0x77e50d7c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtPo | | | | | | werInformation, addr | | | | | | ess = 0x77e5019c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tVolumeInformationFi | | | | | | le, address = 0x77e5 | | | | | | 1c8c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlQ | | | | | | ueryEnvironmentVaria | | | | | | ble_U, address = 0x7 | | | | | | 7e69953 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etFullPathName_U, ad | | | | | | dress = 0x77e8b3e9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | sNameLegalDOS8Dot3, | | | | | | address = 0x77ef45da | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etCurrentProcessorNu | | | | | | mberEx, address = 0x | | | | | | 77e62a31 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _all | | | | | | shl, address = 0x77e | | | | | | 63140 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enThreadToken, addre | | | | | | ss = 0x77e4fbe0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtSe | | | | | | tInformationThread, | | | | | | address = 0x77e4f99c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrL | | | | | | oadAlternateResource | | | | | | ModuleEx, address = | | | | | | 0x77e7399a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrL | | | | | | oadAlternateResource | | | | | | Module, address = 0x | | | | | | 77ea6595 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = Ldrp | | | | | | ResGetMappingSize, a | | | | | | ddress = 0x77e6c9fc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrR | | | | | | scIsTypeExist, addre | | | | | | ss = 0x77e736dd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrF | | | | | | indResource_U, addre | | | | | | ss = 0x77e71f2d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = _str | | | | | | cmpi, address = 0x77 | | | | | | e6c7b9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = strn | | | | | | cat_s, address = 0x7 | | | | | | 7f08715 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = strc | | | | | | hr, address = 0x77e6 | | | | | | 9c70 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitAnsiStringEx, add | | | | | | ress = 0x77e5f79b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateUnicodeString, | | | | | | address = 0x77e8bdee | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | pcaseUnicodeChar, ad | | | | | | dress = 0x77e5e819 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = wcst | | | | | | oul, address = 0x77f | | | | | | 05816 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrG | | | | | | etFileNameFromLoadAs | | | | | | DataTable, address = | | | | | | 0x77edd596 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = wcsr | | | | | | chr, address = 0x77e | | | | | | 67ee9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryVirtualMemory, ad | | | | | | dress = 0x77e4fbc8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | ultureNameToLCID, ad | | | | | | dress = 0x77e8a503 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrR | | | | | | esFindResourceDirect | | | | | | ory, address = 0x77e | | | | | | 6da15 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = LdrR | | | | | | esFindResource, addr | | | | | | ess = 0x77e7e29c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrF | | | | | | indResourceEx_U, add | | | | | | ress = 0x77e8b5d5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = Ldrp | | | | | | ResGetResourceDirect | | | | | | ory, address = 0x77e | | | | | | 6cbb8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | mageDirectoryEntryTo | | | | | | Data, address = 0x77 | | | | | | e5f546 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrR | | | | | | esGetRCConfig, addre | | | | | | ss = 0x77e77c5f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlV | | | | | | erifyVersionInfo, ad | | | | | | dress = 0x77ea92fa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlG | | | | | | etProductInfo, addre | | | | | | ss = 0x77e7b014 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlL | | | | | | cidToLocaleName, add | | | | | | ress = 0x77e7f816 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etUILanguageInfo, ad | | | | | | dress = 0x77eeb696 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateMailslotFile, ad | | | | | | dress = 0x77e50774 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlE | | | | | | xtendedLargeIntegerD | | | | | | ivide, address = 0x7 | | | | | | 7e72554 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _str | | | | | | icmp, address = 0x77 | | | | | | e6c7b9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlC | | | | | | leanUpTEBLangLists, | | | | | | address = 0x77e8d5fa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | mageNtHeader, addres | | | | | | s = 0x77e63164 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etThreadPoolStartFun | | | | | | c, address = 0x77e81 | | | | | | bf7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrS | | | | | | etDllManifestProber, | | | | | | address = 0x77e815f | | | | | | 6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etUserCallbackExcept | | | | | | ionFilter, address = | | | | | | 0x77e822f4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etUnhandledException | | | | | | Filter, address = 0x | | | | | | 77e80b8a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlE | | | | | | ncodePointer, addres | | | | | | s = 0x77e70fcb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etNativeSystemInform | | | | | | ation, address = 0x7 | | | | | | 7e520ac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | cquireSRWLockExclusi | | | | | | ve, address = 0x77e6 | | | | | | 29f1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | eleaseSRWLockExclusi | | | | | | ve, address = 0x77e6 | | | | | | 29ab | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrQ | | | | | | ueryImageFileExecuti | | | | | | onOptions, address = | | | | | | 0x77e7c132 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _aul | | | | | | ldiv, address = 0x77 | | | | | | e8b140 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlS | | | | | | etUserValueHeap, add | | | | | | ress = 0x77e8cff2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | eAllocateHeap, addre | | | | | | ss = 0x77e71f6e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | llocateHandle, addre | | | | | | ss = 0x77e68200 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeHandle, address = | | | | | | 0x77e68242 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | eregisterSecureMemor | | | | | | yCacheCallback, addr | | | | | | ess = 0x77ef2ddb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | egisterSecureMemoryC | | | | | | acheCallback, addres | | | | | | s = 0x77ef2d5d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlC | | | | | | ompactHeap, address | | | | | | = 0x77e7cb4d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | izeHeap, address = 0 | | | | | | x77e63002 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etUserInfoHeap, addr | | | | | | ess = 0x77e97c71 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlL | | | | | | ockHeap, address = 0 | | | | | | x77e6814c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | sValidHandle, addres | | | | | | s = 0x77e681cb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | nlockHeap, address = | | | | | | 0x77e680ee | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtQu | | | | | | erySystemInformation | | | | | | , address = 0x77e4fd | | | | | | a0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitString, address = | | | | | | 0x77e5e198 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tSystemEnvironmentVa | | | | | | lueEx, address = 0x7 | | | | | | 7e51bbc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | UIDFromString, addre | | | | | | ss = 0x77e7b755 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | erySystemEnvironment | | | | | | ValueEx, address = 0 | | | | | | x77e51578 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = swpr | | | | | | intf_s, address = 0x | | | | | | 77e9290f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = _all | | | | | | div, address = 0x77e | | | | | | a8d00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtFl | | | | | | ushBuffersFile, addr | | | | | | ess = 0x77e4ffac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etLastNtStatus, addr | | | | | | ess = 0x77ef4c46 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | osPathNameToNtPathNa | | | | | | me_U_WithStatus, add | | | | | | ress = 0x77e71660 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlE | | | | | | qualSid, address = 0 | | | | | | x77e694b1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlQ | | | | | | ueryInformationAcl, | | | | | | address = 0x77e96965 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlG | | | | | | etAce, address = 0x7 | | | | | | 7e8cde6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRa | | | | | | iseHardError, addres | | | | | | s = 0x77e515f4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryVolumeInformation | | | | | | File, address = 0x77 | | | | | | e4ff7c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrA | | | | | | ddRefDll, address = | | | | | | 0x77e6ffdd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateKeyTransacted, a | | | | | | ddress = 0x77e50744 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | etermineDosPathNameT | | | | | | ype_U, address = 0x7 | | | | | | 7e6a639 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = _vsn | | | | | | wprintf, address = 0 | | | | | | x77e7ef93 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | nicodeStringToOemStr | | | | | | ing, address = 0x77e | | | | | | 9ba27 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlW | | | | | | ow64EnableFsRedirect | | | | | | ion, address = 0x77e | | | | | | d7bf3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCa | | | | | | ncelIoFile, address | | | | | | = 0x77e5016c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCa | | | | | | ncelSynchronousIoFil | | | | | | e, address = 0x77e50 | | | | | | 5c0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtNo | | | | | | tifyChangeDirectoryF | | | | | | ile, address = 0x77e | | | | | | 50f48 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlA | | | | | | ctivateActivationCon | | | | | | textUnsafeFast, addr | | | | | | ess = 0x77e521f1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | eactivateActivationC | | | | | | ontextUnsafeFast, ad | | | | | | dress = 0x77e52159 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryDirectoryFile, ad | | | | | | dress = 0x77e4fd88 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtWa | | | | | | itForSingleObject, a | | | | | | ddress = 0x77e4f8ac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etThreadErrorMode, a | | | | | | ddress = 0x77ea2108 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etThreadErrorMode, a | | | | | | ddress = 0x77e7a7be | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlS | | | | | | etLastWin32ErrorAndN | | | | | | tStatusFromNtStatus, | | | | | | address = 0x77e8c74 | | | | | | e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enProcessToken, addr | | | | | | ess = 0x77e510b0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlN | | | | | | tStatusToDosErrorNoT | | | | | | eb, address = 0x77e6 | | | | | | 622c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwE | | | | | | ventRegister, addres | | | | | | s = 0x77e6f6ba | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwE | | | | | | ventWrite, address = | | | | | | 0x77e90c59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwE | | | | | | ventUnregister, addr | | | | | | ess = 0x77e89241 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtCr | | | | | | eateSection, address | | | | | | = 0x77e4ff94 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | erySection, address | | | | | | = 0x77e50040 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etVersion, address = | | | | | | 0x77e6873a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlQ | | | | | | ueryElevationFlags, | | | | | | address = 0x77e7bc78 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tInformationProcess, | | | | | | address = 0x77e4fb1 | | | | | | 8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | harToInteger, addres | | | | | | s = 0x77eaa1d8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = strn | | | | | | cpy_s, address = 0x7 | | | | | | 7ea9eaa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etLongestNtPathLengt | | | | | | h, address = 0x77e8c | | | | | | dce | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlE | | | | | | qualString, address | | | | | | = 0x77e91dcc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeAnsiString, addre | | | | | | ss = 0x77e5e126 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | opyUnicodeString, ad | | | | | | dress = 0x77e685cb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | osPathNameToNtPathNa | | | | | | me_U, address = 0x77 | | | | | | e8ce41 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtLo | | | | | | ckFile, address = 0x | | | | | | 77e50e44 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRe | | | | | | adFile, address = 0x | | | | | | 77e4f8e0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | sTextUnicode, addres | | | | | | s = 0x77e7a26d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtDe | | | | | | leteValueKey, addres | | | | | | s = 0x77e50a34 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtEn | | | | | | umerateKey, address | | | | | | = 0x77e4fd3c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | ormatCurrentUserKeyP | | | | | | ath, address = 0x77e | | | | | | 6b141 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlA | | | | | | ppendUnicodeToString | | | | | | , address = 0x77e686 | | | | | | 26 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | ppendUnicodeStringTo | | | | | | String, address = 0x | | | | | | 77e6855f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlP | | | | | | refixUnicodeString, | | | | | | address = 0x77e72799 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = CsrV | | | | | | erifyRegion, address | | | | | | = 0x77edcc64 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtAl | | | | | | locateVirtualMemory, | | | | | | address = 0x77e4fab | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtWr | | | | | | iteFile, address = 0 | | | | | | x77e4f918 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtFr | | | | | | eeVirtualMemory, add | | | | | | ress = 0x77e4fb48 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtUn | | | | | | lockFile, address = | | | | | | 0x77e51ea8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtEn | | | | | | umerateValueKey, add | | | | | | ress = 0x77e4fa30 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlM | | | | | | ultiByteToUnicodeSiz | | | | | | e, address = 0x77eaa | | | | | | 0da | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | nicodeToMultiByteN, | | | | | | address = 0x77e6692e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlM | | | | | | ultiByteToUnicodeN, | | | | | | address = 0x77e5e545 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlQ | | | | | | ueryAtomInAtomTable, | | | | | | address = 0x77e9781 | | | | | | c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryInformationAtom, | | | | | | address = 0x77e51344 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | eleteAtomFromAtomTab | | | | | | le, address = 0x77e9 | | | | | | 5255 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtDe | | | | | | leteAtom, address = | | | | | | 0x77e50988 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlL | | | | | | ookupAtomInAtomTable | | | | | | , address = 0x77e730 | | | | | | 59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtFi | | | | | | ndAtom, address = 0x | | | | | | 77e4fa48 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlA | | | | | | ddAtomToAtomTable, a | | | | | | ddress = 0x77e950a2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtAd | | | | | | dAtom, address = 0x7 | | | | | | 7e4ff48 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateAtomTable, addr | | | | | | ess = 0x77e887fe | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | estroyAtomTable, add | | | | | | ress = 0x77ee51ca | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | osPathNameToRelative | | | | | | NtPathName_U, addres | | | | | | s = 0x77e7163a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | eleaseRelativeName, | | | | | | address = 0x77e6a901 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlE | | | | | | qualUnicodeString, a | | | | | | ddress = 0x77e5e7f3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | sDosDeviceName_U, ad | | | | | | dress = 0x77e6a942 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = DbgU | | | | | | iStopDebugging, addr | | | | | | ess = 0x77ecf7c8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = DbgU | | | | | | iContinue, address = | | | | | | 0x77ecf7a3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = DbgU | | | | | | iWaitStateChange, ad | | | | | | dress = 0x77ecf77c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = DbgU | | | | | | iConvertStateChangeS | | | | | | tructure, address = | | | | | | 0x77ecf8cc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtFl | | | | | | ushInstructionCache, | | | | | | address = 0x77e50b5 | | | | | | 4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryInformationThread | | | | | | , address = 0x77e4fb | | | | | | f8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = DbgU | | | | | | iGetThreadDebugObjec | | | | | | t, address = 0x77ecf | | | | | | 74d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tInformationDebugObj | | | | | | ect, address = 0x77e | | | | | | 51a00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = DbgU | | | | | | iIssueRemoteBreakin, | | | | | | address = 0x77ecf84 | | | | | | 3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = DbgU | | | | | | iConnectToDbg, addre | | | | | | ss = 0x77ecf6fb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = DbgU | | | | | | iDebugActiveProcess, | | | | | | address = 0x77ecf88 | | | | | | a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = CsrG | | | | | | etProcessId, address | | | | | | = 0x77edcb92 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enProcess, address = | | | | | | 0x77e4fc10 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tSystemTime, address | | | | | | = 0x77e51c04 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | eleasePrivilege, add | | | | | | ress = 0x77e79c1c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | cquirePrivilege, add | | | | | | ress = 0x77e79a6d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = _all | | | | | | mul, address = 0x77e | | | | | | 72760 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | utoverTimeToSystemTi | | | | | | me, address = 0x77ea | | | | | | 48b0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tSystemInformation, | | | | | | address = 0x77e51bd4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlT | | | | | | imeFieldsToTime, add | | | | | | ress = 0x77e908ca | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlT | | | | | | imeToTimeFields, add | | | | | | ress = 0x77e90535 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryInformationProces | | | | | | s, address = 0x77e4f | | | | | | ac8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlG | | | | | | etCurrentTransaction | | | | | | , address = 0x77e67f | | | | | | f5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etCurrentTransaction | | | | | | , address = 0x77e680 | | | | | | 26 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _wcs | | | | | | icmp, address = 0x77 | | | | | | e69337 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = wcsn | | | | | | cpy_s, address = 0x7 | | | | | | 7e9e4de | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = wcsc | | | | | | at_s, address = 0x77 | | | | | | e789aa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlP | | | | | | refixString, address | | | | | | = 0x77e9e0b4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = wcss | | | | | | tr, address = 0x77e6 | | | | | | 0c87 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = wcsc | | | | | | hr, address = 0x77e6 | | | | | | 7f1c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateUnicodeStringFr | | | | | | omAsciiz, address = | | | | | | 0x77e683fc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitAnsiString, addre | | | | | | ss = 0x77e5e1d0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | nsiStringToUnicodeSt | | | | | | ring, address = 0x77 | | | | | | e5e6b5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitUnicodeStringEx, | | | | | | address = 0x77e67d73 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NlsM | | | | | | bCodePageTag, addres | | | | | | s = 0x77f30003 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = Rtlx | | | | | | UnicodeStringToAnsiS | | | | | | ize, address = 0x77e | | | | | | e623d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | nicodeStringToAnsiSt | | | | | | ring, address = 0x77 | | | | | | e66ac8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlE | | | | | | nterCriticalSection, | | | | | | address = 0x77e522b | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlL | | | | | | eaveCriticalSection, | | | | | | address = 0x77e5227 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlN | | | | | | tStatusToDosError, a | | | | | | ddress = 0x77e661ed | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlD | | | | | | nsHostNameToComputer | | | | | | Name, address = 0x77 | | | | | | ee66fb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeUnicodeString, ad | | | | | | dress = 0x77e5e126 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | nicodeToMultiByteSiz | | | | | | e, address = 0x77e8c | | | | | | 9bc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = wcsc | | | | | | spn, address = 0x77e | | | | | | a9eea | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = wcsc | | | | | | py_s, address = 0x77 | | | | | | e686a6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = memm | | | | | | ove, address = 0x77e | | | | | | 68f50 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = _mem | | | | | | icmp, address = 0x77 | | | | | | f04750 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateKey, address = 0 | | | | | | x77e4fb30 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tValueKey, address = | | | | | | 0x77e501b4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtFl | | | | | | ushKey, address = 0x | | | | | | 77e50b70 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitUnicodeString, ad | | | | | | dress = 0x77e5e208 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enKey, address = 0x7 | | | | | | 7e4fa18 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtQu | | | | | | eryValueKey, address | | | | | | = 0x77e4fa98 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCl | | | | | | ose, address = 0x77e | | | | | | 4f9d0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | eleteCriticalSection | | | | | | , address = 0x77e645 | | | | | | f5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitializeCriticalSec | | | | | | tion, address = 0x77 | | | | | | e62c42 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tInformationFile, ad | | | | | | dress = 0x77e4fc28 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tSecurityObject, add | | | | | | ress = 0x77e51b8c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtSe | | | | | | tEaFile, address = 0 | | | | | | x77e519b0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | erySecurityObject, a | | | | | | ddress = 0x77e51518 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlL | | | | | | engthSecurityDescrip | | | | | | tor, address = 0x77e | | | | | | 95d84 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryEaFile, address = | | | | | | 0x77e51314 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryInformationFile, | | | | | | address = 0x77e4fa00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enFile, address = 0x | | | | | | 77e4fd54 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = mems | | | | | | et, address = 0x77e5 | | | | | | df20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _wcs | | | | | | nicmp, address = 0x7 | | | | | | 7e5f63b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateFile, address = | | | | | | 0x77e500a4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtFs | | | | | | ControlFile, address | | | | | | = 0x77e4fde8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = memc | | | | | | py, address = 0x77e5 | | | | | | 2340 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etLastWin32Error, ad | | | | | | dress = 0x77e522ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlA | | | | | | llocateHeap, address | | | | | | = 0x77e5e026 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateAcl, address = | | | | | | 0x77e72d21 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | ddAccessAllowedAce, | | | | | | address = 0x77e72e50 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateSecurityDescrip | | | | | | tor, address = 0x77e | | | | | | 72c94 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etOwnerSecurityDescr | | | | | | iptor, address = 0x7 | | | | | | 7e72e73 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | etGroupSecurityDescr | | | | | | iptor, address = 0x7 | | | | | | 7e72ec1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlS | | | | | | etDaclSecurityDescri | | | | | | ptor, address = 0x77 | | | | | | e72cc2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeHeap, address = 0 | | | | | | x77e5df85 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitializeExceptionCh | | | | | | ain, address = 0x77e | | | | | | 69e6f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpAl | | | | | | locPool, address = 0 | | | | | | x77e8304e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpSe | | | | | | tPoolMinThreads, add | | | | | | ress = 0x77e9cf79 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpSe | | | | | | tPoolStackInformatio | | | | | | n, address = 0x77e85 | | | | | | f6c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = TpQu | | | | | | eryPoolStackInformat | | | | | | ion, address = 0x77f | | | | | | 0f216 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpAl | | | | | | locCleanupGroup, add | | | | | | ress = 0x77e9853e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpSi | | | | | | mpleTryPost, address | | | | | | = 0x77e9656e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpAl | | | | | | locWork, address = 0 | | | | | | x77e9c5b6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpAl | | | | | | locTimer, address = | | | | | | 0x77e89f47 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpAl | | | | | | locWait, address = 0 | | | | | | x77e9c7f8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = TpAl | | | | | | locIoCompletion, add | | | | | | ress = 0x77e780cc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = TpCa | | | | | | llbackMayRunLong, ad | | | | | | dress = 0x77e9e162 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlQ | | | | | | ueryEnvironmentVaria | | | | | | ble, address = 0x77e | | | | | | 696ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtWr | | | | | | iteVirtualMemory, ad | | | | | | dress = 0x77e4fe04 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enDirectoryObject, a | | | | | | ddress = 0x77e500ec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | erySymbolicLinkObjec | | | | | | t, address = 0x77e51 | | | | | | 548 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtOp | | | | | | enSymbolicLinkObject | | | | | | , address = 0x77e511 | | | | | | 10 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = wcsp | | | | | | brk, address = 0x77e | | | | | | 8b617 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtWo | | | | | | w64WriteVirtualMemor | | | | | | y64, address = 0x77e | | | | | | 5210c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | estroyProcessParamet | | | | | | ers, address = 0x77e | | | | | | 7bc52 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | reateProcessParamete | | | | | | rsEx, address = 0x77 | | | | | | e7bd9b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRe | | | | | | sumeThread, address | | | | | | = 0x77e50058 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = DbgP | | | | | | rint, address = 0x77 | | | | | | eaa7a0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRe | | | | | | moveProcessDebug, ad | | | | | | dress = 0x77e516ec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrQ | | | | | | ueryImageFileKeyOpti | | | | | | on, address = 0x77e9 | | | | | | 2fd2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateUserProcess, add | | | | | | ress = 0x77e5090c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etFullPathName_UstrE | | | | | | x, address = 0x77e6a | | | | | | af4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | ecodePointer, addres | | | | | | s = 0x77e69d35 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlK | | | | | | nownExceptionFilter, | | | | | | address = 0x77ea212 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | aiseException, addre | | | | | | ss = 0x77e76e68 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRe | | | | | | questWaitReplyPort, | | | | | | address = 0x77e4fbb0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enKeyTransacted, add | | | | | | ress = 0x77e51020 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryKey, address = 0x | | | | | | 77e4fa80 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enKeyEx, address = 0 | | | | | | x77e51008 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtOp | | | | | | enKeyTransactedEx, a | | | | | | ddress = 0x77e51038 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlV | | | | | | alidRelativeSecurity | | | | | | Descriptor, address | | | | | | = 0x77ea5793 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtDe | | | | | | leteKey, address = 0 | | | | | | x77e509ec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtLo | | | | | | adKey, address = 0x7 | | | | | | 7e50dfc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtUn | | | | | | loadKey, address = 0 | | | | | | x77e51e60 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtNo | | | | | | tifyChangeMultipleKe | | | | | | ys, address = 0x77e5 | | | | | | 0f78 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtRe | | | | | | storeKey, address = | | | | | | 0x77e517d0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSa | | | | | | veKeyEx, address = 0 | | | | | | x77e5187c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlL | | | | | | engthSid, address = | | | | | | 0x77e6931b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlM | | | | | | akeSelfRelativeSD, a | | | | | | ddress = 0x77e954f3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _str | | | | | | nicmp, address = 0x7 | | | | | | 7e8c27c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = strn | | | | | | cmp, address = 0x77e | | | | | | 92f65 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtDu | | | | | | plicateToken, addres | | | | | | s = 0x77e4fec8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlT | | | | | | ryAcquirePebLock, ad | | | | | | dress = 0x77e94654 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _vsn | | | | | | printf, address = 0x | | | | | | 77ea9d88 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtWa | | | | | | itForMultipleObjects | | | | | | , address = 0x77e501 | | | | | | 38 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | eleasePebLock, addre | | | | | | ss = 0x77e67f5e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCl | | | | | | earEvent, address = | | | | | | 0x77e4fe64 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlW | | | | | | erpReportException, | | | | | | address = 0x77ea3ac6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrR | | | | | | esSearchResource, ad | | | | | | dress = 0x77e6cd5c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtWo | | | | | | w64ReadVirtualMemory | | | | | | 64, address = 0x77e5 | | | | | | 20f4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtWo | | | | | | w64QueryInformationP | | | | | | rocess64, address = | | | | | | 0x77e520dc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | ompareMemory, addres | | | | | | s = 0x77e93b00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = WerR | | | | | | eportSQMEvent, addre | | | | | | ss = 0x77ed94a1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = LdrU | | | | | | nlockLoaderLock, add | | | | | | ress = 0x77e66c3c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = LdrL | | | | | | ockLoaderLock, addre | | | | | | ss = 0x77e66b95 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtAc | | | | | | cessCheck, address = | | | | | | 0x77e50218 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = VerS | | | | | | etConditionMask, add | | | | | | ress = 0x77ea92b9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = WinS | | | | | | qmIsOptedIn, address | | | | | | = 0x77e89b58 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = strc | | | | | | at_s, address = 0x77 | | | | | | e9596f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlE | | | | | | xitUserThread, addre | | | | | | ss = 0x77e8d598 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlE | | | | | | xitUserProcess, addr | | | | | | ess = 0x77e88de8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = _aul | | | | | | lrem, address = 0x77 | | | | | | e70a90 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | BaseReleaseProcessD | | | | | | llPath, address = 0x | | | | | | 7748b5b5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | BaseGetProcessExePa | | | | | | th, address = 0x7748 | | | | | | b54c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | BaseGetProcessDllPa | | | | | | th, address = 0x7748 | | | | | | b515 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadStringByReferen | | | | | | ce, address = 0x774b | | | | | | 25de | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InternalLcidToName, | | | | | | address = 0x7749e70 | | | | | | 2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NlsIsUserDefaultLoc | | | | | | ale, address = 0x774 | | | | | | a3009 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetUserInfo, addres | | | | | | s = 0x774a3c80 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetPtrCalDataArray, | | | | | | address = 0x774a29a | | | | | | 6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetPtrCalData, addr | | | | | | ess = 0x774a296d | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetStringTableEntry | | | | | | , address = 0x774a2e | | | | | | 9a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CheckGroupPolicyEna | | | | | | bled, address = 0x77 | | | | | | 4a0025 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenRegKey, address | | | | | | = 0x774b2df3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCPHashNode, addr | | | | | | ess = 0x7749fd6c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Internal_EnumSystem | | | | | | CodePages, address = | | | | | | 0x774a906c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Internal_EnumUILang | | | | | | uages, address = 0x7 | | | | | | 74a8336 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Internal_EnumLangua | | | | | | geGroupLocales, addr | | | | | | ess = 0x774a8066 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Internal_EnumSystem | | | | | | LanguageGroups, addr | | | | | | ess = 0x774a7d8d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Internal_EnumDateFo | | | | | | rmats, address = 0x7 | | | | | | 74aa1de | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Internal_EnumTimeFo | | | | | | rmats, address = 0x7 | | | | | | 74aa163 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | KernelBaseGetGlobal | | | | | | Data, address = 0x77 | | | | | | 486c21 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InvalidateTzSpecifi | | | | | | cCache, address = 0x | | | | | | 77488ed1 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsDBCSLeadByte, add | | | | | | ress = 0x774ada61 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateFileMappingNu | | | | | | maW, address = 0x774 | | | | | | 8da5f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CompareStringA, add | | | | | | ress = 0x774a061d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadStringBaseExW, | | | | | | address = 0x77493ad9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | BaseInvalidateDllSe | | | | | | archPathCache, addre | | | | | | ss = 0x7748a940 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | BaseInvalidateProce | | | | | | ssSearchPathCache, a | | | | | | ddress = 0x7748a955 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | BaseDllFreeResource | | | | | | Id, address = 0x7749 | | | | | | 1282 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | BaseDllMapResourceI | | | | | | dW, address = 0x7749 | | | | | | 2069 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetUserDefaultUILan | | | | | | guage, address = 0x7 | | | | | | 74b187f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumUILanguagesW, a | | | | | | ddress = 0x774aa036 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | AreFileApisANSI, ad | | | | | | dress = 0x7748b6b6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumCalendarInfoExW | | | | | | , address = 0x774aa0 | | | | | | f2 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumCalendarInfoW, | | | | | | address = 0x774aa0c2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumDateFormatsExW, | | | | | | address = 0x774aa2f | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumDateFormatsW, a | | | | | | ddress = 0x774aa2d0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumLanguageGroupLo | | | | | | calesW, address = 0x | | | | | | 774aa015 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumSystemCodePages | | | | | | W, address = 0x774aa | | | | | | 0a7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumSystemLanguageG | | | | | | roupsW, address = 0x | | | | | | 774a9ff7 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumSystemLocalesEx | | | | | | , address = 0x774aa0 | | | | | | 74 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumSystemLocalesW, | | | | | | address = 0x774aa05 | | | | | | 4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumTimeFormatsW, a | | | | | | ddress = 0x774aa27a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLocaleInfoA, add | | | | | | ress = 0x774a07e2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetStringTypeA, add | | | | | | ress = 0x774a055a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemDefaultUIL | | | | | | anguage, address = 0 | | | | | | x774b184a | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsDBCSLeadByteEx, a | | | | | | ddress = 0x774aefb1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | MapViewOfFileExNuma | | | | | | , address = 0x7748dd | | | | | | 34 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetFileApisToANSI, | | | | | | address = 0x7748b642 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetFileApisToOEM, a | | | | | | ddress = 0x7748b67c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualAllocExNuma, | | | | | | address = 0x7748e10 | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumCalendarInfoExE | | | | | | x, address = 0x774aa | | | | | | 122 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumDateFormatsExEx | | | | | | , address = 0x774aa3 | | | | | | 2a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumTimeFormatsEx, | | | | | | address = 0x774aa2a5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCurrencyFormatEx | | | | | | , address = 0x774b11 | | | | | | 80 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetEraNameCountedSt | | | | | | ring, address = 0x77 | | | | | | 4a29e2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetNumberFormatEx, | | | | | | address = 0x774b0d34 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemDefaultLoc | | | | | | aleName, address = 0 | | | | | | x774a3463 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetUserDefaultLocal | | | | | | eName, address = 0x7 | | | | | | 74a34d0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LCIDToLocaleName, a | | | | | | ddress = 0x774a38c5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetNamedLocaleHashN | | | | | | ode, address = 0x774 | | | | | | 9fad0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLocaleInfoHelper | | | | | | , address = 0x774a3d | | | | | | 73 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetUserInfoWord, ad | | | | | | dress = 0x774a2f73 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCalendar, addres | | | | | | s = 0x7749f354 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SpecialMBToWC, addr | | | | | | ess = 0x774ae7a6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Internal_EnumCalend | | | | | | arInfo, address = 0x | | | | | | 774a928b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NlsValidateLocale, | | | | | | address = 0x774a2e6c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | BaseReleaseProcessE | | | | | | xePath, address = 0x | | | | | | 7748b5e4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | TlsGetValue, addres | | | | | | s = 0x77492c95 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetThreadPriority, | | | | | | address = 0x7749339f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetProcessShutdownP | | | | | | arameters, address = | | | | | | 0x7748eae7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetPriorityClass, a | | | | | | ddress = 0x7748e886 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ResumeThread, addre | | | | | | ss = 0x77492bbe | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | QueueUserAPC, addre | | | | | | ss = 0x77492d6f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ProcessIdToSessionI | | | | | | d, address = 0x77493 | | | | | | 6d6 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenThread, address | | | | | | = 0x7749287e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetThreadPriorityBo | | | | | | ost, address = 0x774 | | | | | | 929d4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetThreadPriority, | | | | | | address = 0x77492950 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetStartupInfoW, ad | | | | | | dress = 0x7748edf4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcessTimes, ad | | | | | | dress = 0x7748ea7a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetPriorityClass, a | | | | | | ddress = 0x7748ea14 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS 
| module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetExitCodeThread, | | | | | | address = 0x77492ad2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCurrentThreadId, | | | | | | address = 0x77492b1 | | | | | | 8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCurrentThread, a | | | | | | ddress = 0x77492b0f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcessId, addre | | | | | | ss = 0x7748e67d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcessIdOfThrea | | | | | | d, address = 0x77492 | | | | | | b5c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetThreadId, addres | | | | | | s = 0x77492b27 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCurrentProcessId | 
| | | | | , address = 0x7748ee | | | | | | 93 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateRemoteThreadE | | | | | | x, address = 0x77492 | | | | | | ef3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetExitCodeProcess, | | | | | | address = 0x7748e5c | | | | | | 7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | TlsFree, address = | | | | | | 0x77492ce5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | TlsAlloc, address = | | | | | | 0x77493529 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | TerminateThread, ad | | | | | | dress = 0x77492a0e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | TerminateProcess, a | | | | | | ddress = 0x7748e581 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SwitchToThread, add | | | | | | ress = 0x77492edb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SuspendThread, addr | | | | | | ess = 0x77492b91 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetThreadStackGuara | | | | | | ntee, address = 0x77 | | | | | | 48ad25 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetThreadPriorityBo | | | | | | ost, address = 0x774 | | | | | | 92999 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenProcessToken, a | | | | | | ddress = 0x7749b9f7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | TlsSetValue, addres | | | | | | s = 0x774935f5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD 
| GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetProcessAffinityU | | | | | | pdateMode, address = | | | | | | 0x7748e42e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | QueryProcessAffinit | | | | | | yUpdateMode, address | | | | | | = 0x7748e47c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcessVersion, | | | | | | address = 0x7748eea2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateRemoteThread, | | | | | | address = 0x774936a | | | | | | c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InitializeProcThrea | | | | | | dAttributeList, addr | | | | | | ess = 0x7748eb9f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | UpdateProcThreadAtt | | | | | | ribute, address = 0x | | | | | | 7748ec13 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = 
c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DeleteProcThreadAtt | | | | | | ributeList, address | | | | | | = 0x7748ec0b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCurrentProcess, | | | | | | address = 0x7748e674 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapCreate, address | | | | | | = 0x77494516 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapSetInformation, | | | | | | address = 0x7749481 | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapQueryInformatio | | | | | | n, address = 0x77494 | | | | | | 84a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapLock, address = | | | | | | 0x774946ce | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapDestroy, addres | | | | | | s = 0x77494580 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcessHeap, add | | | | | | ress = 0x7749469a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcessHeaps, ad | | | | | | dress = 0x774946ac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapWalk, address = | | | | | | 0x77494702 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapValidate, addre | | | | | | ss = 0x7749467a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapUnlock, address | | | | | | = 0x774946e8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | 
| | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapCompact, addres | | | | | | s = 0x774946bd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapSummary, addres | | | | | | s = 0x774945f9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | MapViewOfFileEx, ad | | | | | | dress = 0x7748df2d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ReadProcessMemory, | | | | | | address = 0x7748dfc8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | UnmapViewOfFile, ad | | | | | | dress = 0x7748de3e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualAlloc, addre | | | | | | ss = 0x7748e365 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualAllocEx, add | | | | | | ress = 0x7748e2c8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualFree, addres | | | | | | s = 0x7748e2aa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualFreeEx, addr | | | | | | ess = 0x7748e174 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualProtect, add | | | | | | ress = 0x7748e326 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WriteProcessMemory, | | | | | | address = 0x7748e00 | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualQueryEx, add | | | | | | ress = 0x7748e273 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | 
module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualQuery, addre | | | | | | ss = 0x7748e347 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualProtectEx, a | | | | | | ddress = 0x7748e1ff | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FlushViewOfFile, ad | | | | | | dress = 0x7748ddf5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateFileMappingW, | | | | | | address = 0x7748db8 | | | | | | e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenFileMappingW, a | | | | | | ddress = 0x7748dc9c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | MapViewOfFile, addr | | | | | | ess = 0x7748de94 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DuplicateHandle, ad | | | | | | dress = 0x7748b778 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetHandleInformatio | | | | | | n, address = 0x7748b | | | | | | 7fb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetHandleInformatio | | | | | | n, address = 0x7748b | | | | | | 884 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CloseHandle, addres | | | | | | s = 0x7748b730 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 
base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenProcess, addres | | | | | | s = 0x7748e505 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenSemaphoreW, add | | | | | | ress = 0x774905dc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenWaitableTimerW, | | | | | | address = 0x774909d | | | | | | 5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ReleaseMutex, addre | | | | | | ss = 0x7749030b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ReleaseSemaphore, a | | | | | | ddress = 0x77490247 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenMutexW, address | | | | | | = 0x774906ea | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetEvent, address = | | | | | | 0x7749013d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetWaitableTimer, a | | | | | | ddress = 0x77490a69 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SleepEx, address = | | | | | | 0x77492beb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WaitForMultipleObje | | | | | | ctsEx, address = 0x7 | | | | | | 7490862 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WaitForSingleObject | | | | | | Ex, address = 0x7749 | | | | | | 077e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenEventW, address | | | | | | = 0x77490548 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OpenEventA, address | | | | | | = 0x77490ae4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InitializeCriticalS | | | | | | ectionEx, address = | | | | | | 0x7749006c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InitializeCriticalS | | | | | | ectionAndSpinCount, | | | | | | address = 0x7749004f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateWaitableTimer | | | | | | ExW, address = 0x774 | | | | | | 90335 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateSemaphoreExW, | | | | | | address = 0x774901b | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateEventA, addre | | | | | | ss = 0x77490ab4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateEventW, addre | | | | | | ss = 0x77490518 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CancelWaitableTimer | | | | | | , address = 0x774904 | | | | | | 9b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateEventExA, add | | | | | | ress = 0x774904c5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateEventExW, add | | | | | | ress = 0x7749009e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateMutexA, addre | | | | | | ss = 0x77490b34 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateMutexExA, add | | | | | | ress = 0x77490670 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateMutexExW, add | | | | | | ress = 0x77490275 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ResetEvent, address | | | | | | = 0x77490167 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateMutexW, addre | | | | | | ss = 0x774906c3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFullPathNameW, a | | | | | | ddress = 0x77499e8e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFullPathNameA, a | | | | | | ddress = 0x77499fbf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | 
SetFileTime, addres | | | | | | s = 0x7748bf09 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | QueryDosDeviceW, ad | | | | | | dress = 0x7748f269 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateFileW, addres | | | | | | s = 0x7749b2d6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LockFile, address = | | | | | | 0x7748bf97 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileSize, addres | | | | | | s = 0x7748d35b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetEndOfFile, addre | | | | | | ss = 0x7748bab2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WriteFile, address | | | | | | = 0x7748d11f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetFilePointer, add | | | | | | ress = 0x7748bb4f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ReadFile, address = | | | | | | 0x7748cfad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WriteFileEx, addres | | | | | | s = 0x7748c30a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WriteFileGather, ad | | | | | | dress = 0x7748c5cf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFinalPathNameByH | | | | | | andleA, address = 0x | | | | | | 7748d93f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFinalPathNameByH | | | | | | andleW, address = 0x | | | | | | 7748d44e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | 
RemoveDirectoryW, a | | | | | | ddress = 0x7749841a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetDiskFreeSpaceW, | | | | | | address = 0x7749526c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateDirectoryW, a | | | | | | ddress = 0x774982b7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DefineDosDeviceW, a | | | | | | ddress = 0x7748ef22 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindFirstFileExA, a | | | | | | ddress = 0x77499d44 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindFirstFileExW, a | | | | | | ddress = 0x77499554 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindClose, address | | | | | | = 0x7749947a | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileType, addres | | | | | | s = 0x7748cece | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FlushFileBuffers, a | | | | | | ddress = 0x7748d280 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetFileAttributesW, | | | | | | address = 0x7749897 | | | | | | c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileAttributesEx | | | | | | W, address = 0x77498 | | | | | | bc5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DeleteFileW, addres | | | | | | s = 0x77498cd5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileTime, addres | | | | | | s = 0x7748be88 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DeleteFileA, addres | | | | | | s = 0x77499022 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileAttributesA, | | | | | | address = 0x77498fa | | | | | | 7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindNextFileW, addr | | | | | | ess = 0x77499280 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindFirstFileW, add | | | | | | ress = 0x77499c32 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLogicalDriveStri | | | | | | ngsW, address = 0x77 | | | | | | 4955fa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetTempFileNameW, a | | | | | | ddress = 0x77494fad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | 
GetVolumeInformatio | | | | | | nW, address = 0x7749 | | | | | | 5fbb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CompareFileTime, ad | | | | | | dress = 0x7748870b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateDirectoryA, a | | | | | | ddress = 0x77498909 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FileTimeToLocalFile | | | | | | Time, address = 0x77 | | | | | | 488d21 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FileTimeToSystemTim | | | | | | e, address = 0x77488 | | | | | | 607 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindCloseChangeNoti | | | | | | fication, address = | | | | | | 0x774991f0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindFirstFileA, add | | | | | | ress = 0x77499af0 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindFirstChangeNoti | | | | | | ficationA, address = | | | | | | 0x77499aad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindFirstChangeNoti | | | | | | ficationW, address = | | | | | | 0x774990b4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindNextChangeNotif | | | | | | ication, address = 0 | | | | | | x774991b1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindNextFileA, addr | | | | | | ess = 0x77499c51 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetDiskFreeSpaceA, | | | | | | address = 0x77495c85 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetDiskFreeSpaceExA | | | | | | , address = 0x77495c | | | | | | d6 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetDiskFreeSpaceExW | | | | | | , address = 0x774954 | | | | | | 28 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | UnlockFileEx, addre | | | | | | ss = 0x7748c0d9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetDriveTypeA, addr | | | | | | ess = 0x77495f6f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetDriveTypeW, addr | | | | | | ess = 0x77495870 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileAttributesEx | | | | | | A, address = 0x77498 | | | | | | fe4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileAttributesW, | | | | | | address = 0x77498b0 | | | | | | e | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileInformationB | | | | | | yHandle, address = 0 | | | | | | x7748bd62 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileSizeEx, addr | | | | | | ess = 0x7748c14e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetVolumeInformatio | | | | | | nByHandleW, address | | | | | | = 0x77495d24 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalFileTimeToFile | | | | | | Time, address = 0x77 | | | | | | 488d6e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LockFileEx, address | | | | | | = 0x7748c026 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ReadFileScatter, ad | | | | | | dress = 0x7748c52a | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ReadFileEx, address | | | | | | = 0x7748c26a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | RemoveDirectoryA, a | | | | | | ddress = 0x77498944 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetFileAttributesA, | | | | | | address = 0x77498f6 | | | | | | c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetFileInformationB | | | | | | yHandle, address = 0 | | | | | | x7749b229 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetFilePointerEx, a | | | | | | ddress = 0x7748bc71 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetFileValidData, a | | | | | | ddress = 0x7748c671 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | 
MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | UnlockFile, address | | | | | | = 0x7748d2ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | PostQueuedCompletio | | | | | | nStatus, address = 0 | | | | | | x774875ad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetQueuedCompletion | | | | | | StatusEx, address = | | | | | | 0x77487723 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetQueuedCompletion | | | | | | Status, address = 0x | | | | | | 77487693 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateIoCompletionP | | | | | | ort, address = 
0x774 | | | | | | 8751a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CancelIoEx, address | | | | | | = 0x7748c4f1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetOverlappedResult | | | | | | , address = 0x774875 | | | | | | e2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DeviceIoControl, ad | | | | | | dress = 0x7748c3aa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ChangeTimerQueueTim | | | | | | er, address = 0x7748 | | | | | | a6c1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateTimerQueue, a | | | | | | ddress = 0x7748a63e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | UnregisterWaitEx, a | | | | | | ddress = 0x7748a563 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DeleteTimerQueueTim | | | | | | er, address = 0x7748 | | | | | | a70a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DeleteTimerQueueEx, | | | | | | address = 0x7748a75 | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateTimerQueueTim | | | | | | er, address = 0x7748 | | | | | | a666 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleHandleA, a | | | | | | ddress = 0x77491ef5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleHandleW, 
a | | | | | | ddress = 0x77491094 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleHandleExA, | | | | | | address = 0x774910c | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleHandleExW, | | | | | | address = 0x7749114 | | | | | | 2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadResource, addre | | | | | | ss = 0x774912b6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LockResource, addre | | | | | | ss = 0x7748c71d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SizeofResource, add | | | | | | ress = 0x7749133b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcAddress, add | | | | | | ress = 0x77491180 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleFileNameA, | | | | | | address = 0x77491e2 | | | | | | 4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeLibraryAndExitT | | | | | | hread, address = 0x7 | | | | | | 7490b76 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindStringOrdinal, | | | | | | address = 0x774a12a1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DisableThreadLibrar | | | | | | yCalls, address = 0x | | | | | | 77490bdb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadLibraryExA, add | | | | | | ress = 0x77491d54 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleFileNameW, | | | | | | address = 0x77490c0 | | | | | | 5 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindResourceExW, ad | | | | | | dress = 0x774921c1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeLibrary, addres | | | | | | s = 0x77491d92 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadLibraryExW, add | | | | | | ress = 0x77491bb2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeResource, addre | | | | | | ss = 0x774913c0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | PeekNamedPipe, addr | | | | | | ess = 0x774883c8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | 
| | | | base.dll, function = | | | | | | DisconnectNamedPipe | | | | | | , address = 0x77487a | | | | | | 50 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreatePipe, address | | | | | | = 0x77487838 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ConnectNamedPipe, a | | | | | | ddress = 0x774879b8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetNamedPipeAttribu | | | | | | te, address = 0x7748 | | | | | | 7d16 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetNamedPipeClientC | | | | | | omputerNameW, addres | | | | | | s = 0x77487de9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WaitNamedPipeW, add | | | | | | ress = 0x774880b4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetNamedPipeHandleS | | | | | | tate, address = 0x77 | | 
| | | | 487af3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CreateNamedPipeW, a | | | | | | ddress = 0x77487e34 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | TransactNamedPipe, | | | | | | address = 0x77487bcc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsWow64Process, add | | | | | | ress = 0x7748e4c0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LCMapStringA, addre | | | | | | ss = 0x774a09be | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalLock, address | | | | | | = 0x7749433d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalReAlloc, addre | | | | | | ss = 0x77494a9b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalUnlock, addres | | | | | | s = 0x77494439 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GlobalAlloc, addres | | | | | | s = 0x77493fa7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FormatMessageW, add | | | | | | ress = 0x77493e37 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FormatMessageA, add | | | | | | ress = 0x77493c49 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NeedCurrentDirector | | | | | | yForExePathA, addres | | | | | | s = 0x7748eb4f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EnumSystemLocalesA, | | | | | | address = 0x774a099 | | | | | | f | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | PulseEvent, address | | | | | | = 0x7749018f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Sleep, address = 0x | | | | | | 77493511 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Wow64DisableWow64Fs | | | | | | Redirection, address | | | | | | = 0x7748c6c7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Wow64RevertWow64FsR | | | | | | edirection, address | | | | | | = 0x7748c6f1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrcmpW, address = | | | | | | 0x7748a389 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrcmpiW, address | | | | | | = 0x7748a415 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrcpynA, address | | | | | | = 0x7748a2b0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrcpynW, address | | | | | | = 0x7748a47c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrlenA, address = | | | | | | 0x7748a330 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FatalAppExitA, addr | | | | | | ess = 0x7748ed99 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NeedCurrentDirector | | | | | | yForExePathW, addres | | | | | | s = 0x7748eb77 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FatalAppExitW, addr | | | | | | ess = 0x7748e604 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalAlloc, address | | | | | 
| = 0x774948f9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GlobalFree, address | | | | | | = 0x77493e61 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrlenW, address = | | | | | | 0x7748a505 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalFree, address | | | | | | = 0x77493e61 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsProcessInJob, add | | | | | | ress = 0x7749b7c0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLocalTime, addre | | | | | | ss = 0x77488b39 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemTimeAdjust | | | | | | ment, address = 0x77 | | | | | | 488957 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemTimeAsFile | | | | | | Time, address = 0x77 | | | | | | 488c67 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetTickCount64, add | | | | | | ress = 0x77488ccf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetTimeZoneInformat | | | | | | ion, address = 0x774 | | | | | | 89730 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetTimeZoneInformat | | | | | | ionForYear, address | | | | | | = 0x77489c18 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetVersion, address | | | | | | = 0x774911fc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | 
GetVersionExA, addr | | | | | | ess = 0x77491f41 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetVersionExW, addr | | | | | | ess = 0x77491232 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetWindowsDirectory | | | | | | W, address = 0x77495 | | | | | | c59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetLocalTime, addre | | | | | | ss = 0x774891f3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SystemTimeToTzSpeci | | | | | | ficLocalTime, addres | | | | | | s = 0x77489c36 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | TzSpecificLocalTime | | | | | | ToSystemTime, addres | | | | | | s = 0x77489f2c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetDynamicTimeZoneI | | | | | | nformation, address | | | | | | = 0x774897de | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLogicalProcessor | | | | | | Information, address | | | | | | = 0x7748e386 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemInfo, addr | | | | | | ess = 0x7748e6b2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLogicalProcessor | | | | | | InformationEx, addre | | | | | | ss = 0x7748e3e0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetWindowsDirectory | | | | | | A, address = 0x77495 | | | | | | c2d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GlobalMemoryStatusE | | | | | | x, address = 0x77494 | | | | | | 160 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetTickCount, addre | | | | | | ss = 0x77488c96 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemTime, addr | | | | | | ess = 0x77488be7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SystemTimeToFileTim | | | | | | e, address = 0x77488 | | | | | | 68f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetComputerNameExW, | | | | | | address = 0x77497d1 | | | | | | 7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetComputerNameExA, | | | | | | address = 0x7749819 | | | | | | 7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VerLanguageNameA, a | | | | | | ddress = 0x774a361a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | 
module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindNLSStringEx, ad | | | | | | dress = 0x774b59a5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetThreadLocale, ad | | | | | | dress = 0x774a341f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NlsWriteEtwEvent, a | | | | | | ddress = 0x774b2bea | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NlsEventDataDescCre | | | | | | ate, address = 0x774 | | | | | | b2a9d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ConvertDefaultLocal | | | | | | e, address = 0x774a3 | | | | | | 3fb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VerLanguageNameW, a | | | | | | ddress = 0x774a353b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | 
SetLocaleInfoW, add | | | | | | ress = 0x774a68f1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetCalendarInfoW, a | | | | | | ddress = 0x774a36ff | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LCMapStringW, addre | | | | | | ss = 0x774a1e6a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsValidLocale, addr | | | | | | ess = 0x774a3168 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsValidLanguageGrou | | | | | | p, address = 0x774a2 | | | | | | 5e2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsValidCodePage, ad | | | | | | dress = 0x774aecc1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsNLSDefinedString, | | | | | | address = 0x774b5a0 | | | | | | 4 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetUserDefaultLCID, | | | | | | address = 0x774a270 | | | | | | c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetUserDefaultLangI | | | | | | D, address = 0x774a3 | | | | | | 459 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetThreadLocale, ad | | | | | | dress = 0x774a26bf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemDefaultLCI | | | | | | D, address = 0x774a2 | | | | | | 6ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemDefaultLan | | | | | | gID, address = 0x774 | | | | | | a26d1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcessPreferred | | | | | | UILanguages, address | | | | | | = 0x774b1811 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetOEMCP, address = | | | | | | 0x774ada56 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLocaleInfoW, add | | | | | | ress = 0x774a7304 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCPInfoExW, addre | | | | | | ss = 0x774aee5f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCPInfo, address | | | | | | = 0x774aedba | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetACP, address = 0 | | | | | | x774ada4b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileMUIPath, add | | | | | | ress = 0x774b172c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FindNLSString, addr | | | | | | ess = 0x774a1f19 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NlsUpdateSystemLoca | | | | | | le, address = 0x774a | | | | | | 7669 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NlsUpdateLocale, ad | | | | | | dress = 0x774a771c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NlsGetCacheUpdateCo | | | | | | unt, address = 0x774 | | | | | | 9ffc6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | NlsCheckPolicy, add | | | | | | ress = 0x774a24a2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCalendarInfoW, a | | | | | | ddress = 0x774a7264 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCalendarInfoEx, | | | | | | address = 0x774a72b4 | 
| | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLocaleInfoEx, ad | | | | | | dress = 0x774a734d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemPreferredU | | | | | | ILanguages, address | | | | | | = 0x774b18b4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetThreadPreferredU | | | | | | ILanguages, address | | | | | | = 0x774b17d8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetThreadUILanguage | | | | | | , address = 0x774b19 | | | | | | 46 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetUILanguageInfo, | | | | | | address = 0x774b1770 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetUserPreferredUIL | | | | | | anguages, address = | | | | | | 0x774b18fd | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsValidLocaleName, | | | | | | address = 0x774a2d72 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LCMapStringEx, addr | | | | | | ess = 0x774ad8a6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocaleNameToLCID, a | | | | | | ddress = 0x774a393a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ResolveLocaleName, | | | | | | address = 0x774a3b6c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetFileMUIInfo, add | | | | | | ress = 0x774b126b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetEnvironmentStrin | | | | | | gs, address = 0x7748 | | | | | | fb3b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetEnvironmentVaria | | | | | | bleW, address = 0x77 | | | | | | 48f9d7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SearchPathW, addres | | | | | | s = 0x77494e2b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetStdHandleEx, add | | | | | | ress = 0x7748ba2c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ExpandEnvironmentSt | | | | | | ringsA, address = 0x | | | | | | 7748fe42 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ExpandEnvironmentSt | | | | | | ringsW, address = 0x | | | | | | 7748faac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | 
FreeEnvironmentStri | | | | | | ngsA, address = 0x77 | | | | | | 48fb13 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeEnvironmentStri | | | | | | ngsW, address = 0x77 | | | | | | 48fb13 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCommandLineA, ad | | | | | | dress = 0x7748e65e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCommandLineW, ad | | | | | | dress = 0x7748e669 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCurrentDirectory | | | | | | A, address = 0x7749a | | | | | | 16b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCurrentDirectory | | | | | | W, address = 0x77499 | | | | | | ec4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetEnvironmentStrin | | | | | | gsW, address = 0x774 | | | | | | 8fc19 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetEnvironmentStrin | | | | | | gsW, address = 0x774 | | | | | | 8f86a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetEnvironmentVaria | | | | | | bleA, address = 0x77 | | | | | | 48fcad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetStdHandle, addre | | | | | | ss = 0x7748b92a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetCurrentDirectory | | | | | | A, address = 0x77499 | | | | | | ee3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetCurrentDirectory | | | | | | W, address = 0x77499 | | | | | | f76 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetEnvironmentVaria | | | | | | bleA, address = 0x77 | | | | | | 48f904 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetEnvironmentVaria | | | | | | bleW, address = 0x77 | | | | | | 48fa47 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetStdHandle, addre | | | | | | ss = 0x7748b9c1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetStringTypeW, add | | | | | | ress = 0x774a0c7a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetStringTypeExW, a | | | | | | ddress = 0x774a175d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FoldStringW, addres | | | | | | s = 0x774ad382 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CompareStringW, add | | | | | | ress = 0x774a1ed8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WideCharToMultiByte | | | | | | , address = 0x774afa | | | | | | 07 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CompareStringOrdina | | | | | | l, address = 0x774a1 | | | | | | e03 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CompareStringEx, ad | | | | | | dress = 0x774b594a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | MultiByteToWideChar | | | | | | , address = 0x774af3 | | | | | | 08 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DebugBreak, address | | | | | | = 0x7749229f | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OutputDebugStringA, | | | | | | address = 0x7749251 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OutputDebugStringW, | | | | | | address = 0x7749281 | | | | | | 7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsDebuggerPresent, | | | | | | address = 0x77492804 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLastError, addre | | | | | | ss = 0x77487829 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | 
| base.dll, function = | | | | | | GetErrorMode, addre | | | | | | ss = 0x7748749b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | RaiseException, add | | | | | | ress = 0x7748b6cf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetErrorMode, addre | | | | | | ss = 0x774874d7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetLastError, addre | | | | | | ss = 0x77e522ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FlsAlloc, address = | | | | | | 0x77492dee | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FlsFree, address = | | | | | | 0x77492eb3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FlsGetValue, addres | | | | | | s = 0x77492e1a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FlsSetValue, addres | | | | | | s = 0x77492e59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Beep, address = 0x7 | | | | | | 748854b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | QueryPerformanceFre | | | | | | quency, address = 0x | | | | | | 77e6882c | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | QueryPerformanceCou | | | | | | nter, address = 0x77 | | | | | | e68884 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | AllocateAndInitiali | | | | | | zeSid, address = 0x7 | | | | | | 749c06c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeSid, address = | | | | | | 0x7749c05b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DuplicateToken, add | | | | | | ress = 0x7749d749 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | AccessCheck, addres | | | | | | s = 0x7749b8c8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | UNMAP | process_name = c:\wi | True | 1 | | 
| | ndows\syswow64\ping. | | | | | | exe, os_pid = 0x50c, | | | | | | base_address = 0x10 | | | | | | 20000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = mswsoc | False | 1 | | | | k, base_address = 0x | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | LOAD | module_name = mswsoc | True | 1 | | | | k, base_address = 0x | | | | | | 75740000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_FILENAME | module_name = mswsoc | True | 1 | | | | k, file_name = C:\Wi | | | | | | ndows\SysWOW64\mswso | | | | | | ck.DLL | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | FILE | CREATE | file_name = c:\windo | True | 1 | | | | ws\syswow64\mswsock. | | | | | | dll, desired_access | | | | | | = GENERIC_READ, shar | | | | | | e_mode = FILE_SHARE_ | | | | | | READ, create_disposi | | | | | | tion = OPEN_EXISTING | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | CREATE_MAPPING | file_name = c:\windo | True | 1 | | | | ws\syswow64\mswsock. | | | | | | dll, module_name = N | | | | | | ameless FileMapping, | | | | | | maximum_size = 0, p | | | | | | rotection = PAGE_REA | | | | | | DONLY | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | MAP | file_name = c:\windo | True | 1 | | | | ws\syswow64\mswsock. 
| | | | | | dll, process_name = | | | | | | c:\windows\syswow64\ | | | | | | ping.exe, os_pid = 0 | | | | | | x50c, module_name = | | | | | | Nameless FileMapping | | | | | | , desired_access = F | | | | | | ILE_MAP_READ, file_o | | | | | | ffset = 0, address = | | | | | | 0x800000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, base_address = | | | | | | 0x75fc0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fre | | | | | | e, address = 0x75fc9 | | | | | | 894 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _st | | | | | | rnicmp, address = 0x | | | | | | 75fd0578 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | cat_s, address = 0x7 | | | | | | 5fcfd66 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | ncpy_s, address = 0x | | | | | | 75fcc24b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mal | | | | | | loc, address 
= 0x75f | | | | | | c9cee | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | set, address = 0x75f | | | | | | c9790 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | cpy, address = 0x75f | | | | | | c9910 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | move, address = 0x75 | | | | | | fc9e5a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _st | | | | | | ricmp, address = 0x7 | | | | | | 5fcdb38 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _wc | | | | | | sicmp, address = 0x7 | | | | | | 5fca9e9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = ato | | | | | | i, address = 0x75fcd | | | | | | be0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\msvcrt | | | | | | .dll, function = isd | | | | | | igit, address = 0x75 | | | | | | fcb407 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | chr, address = 0x75f | | | | | | caa61 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = rew | | | | | | ind, address = 0x75f | | | | | | e6e17 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fcl | | | | | | ose, address = 0x75f | | | | | | d3d79 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fge | | | | | | ts, address = 0x75fe | | | | | | 4589 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fop | | | | | | en, address = 0x75fd | | | | | | b2c4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | len, address = 0x75f | | | | | | d43d3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | 
MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | len, address = 0x75f | | | | | | dd335 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _vs | | | | | | nwprintf, address = | | | | | | 0x75fcbbce | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _wc | | | | | | snicmp, address = 0x | | | | | | 75fcaae3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fpr | | | | | | intf, address = 0x75 | | | | | | fd3e00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _io | | | | | | b, address = 0x76062 | | | | | | 900 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | tol, address = 0x75f | | | | | | cff45 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _Xc | | | | | | ptFilter, address = | | | | | | 0x75fedc75 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _in | | | | | | itterm, address = 0x | | | | | | 75fcc151 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | toul, address = 0x75 | | | | | | fd012e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _am | | | | | | sg_exit, address = 0 | | | | | | x7602b2ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _ex | | | | | | cept_handler4_common | | | | | | , address = 0x75fe3e | | | | | | 27 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeHeap, address = 0 | | | | | | x77e5df85 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtCr | | | | | | eateEvent, address = | | | | | | 0x77e4ff64 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tInformationFile, ad | | | | | | dress = 0x77e4fc28 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCl | | | | | | ose, address = 0x77e | | | | | | 4f9d0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRe | | | | | | moveIoCompletion, ad | | | | | | dress = 0x77e4f934 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tIoCompletion, addre | | | | | | ss = 0x77e51af4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtDe | | | | | | viceIoControlFile, a | | | | | | ddress = 0x77e4f8fc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlI | | | | | | nitializeCriticalSec | | | | | | tionAndSpinCount, ad | | | | | | dress = 0x77e625e8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enKey, address = 0x7 | | | | | | 7e4fa18 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitUnicodeString, ad | | | | | | dress = 0x77e5e208 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | egisterSecureMemoryC | | | | | | acheCallback, addres | | | | | | s = 0x77ef2d5d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeUnicodeString, ad | | | | | | dress = 0x77e5e126 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlS | | | | | | tringFromGUID, addre | | | | | | ss = 0x77e78610 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlG | | | | | | etNtProductType, add | | | | | | ress = 0x77e68802 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | llocateHeap, address | | | | | | = 0x77e5e026 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCa | | | | | | ncelIoFile, address | | | | | | = 0x77e5016c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | eleteCriticalSection | | | | | | , address = 0x77e645 | | | | | | f5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tEvent, address = 0x | | | | | | 77e4f9b4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | aiseStatus, address | | | | | | = 0x77e76ea5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtWa | | | | | | itForSingleObject, a | | | | | | ddress = 0x77e4f8ac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtDe | | | | | | layExecution, addres | | | | | | s = 0x77e4fd6c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tInformationThread, | | | | | | address = 0x77e4f99c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtLo | | | | | | adDriver, address = | | | | | | 0x77e50de4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | djustPrivilege, addr | | | | | | ess = 0x77ee1f40 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | mpersonateSelf, addr | | | | | | ess = 0x77ea242f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtQu | | | | | | erySystemTime, addre | | | | | | ss = 0x77e5011c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtSe | | | | | | tInformationObject, | | | | | | address = 0x77e50154 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateIoCompletion, ad | | | | | | dress = 0x77e506fc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateFile, address = | | | | | | 0x77e500a4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtAl | | | | | | ertThread, address = | | | | | | 0x77e502f4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eueApcThread, addres | | | | | | s = 0x77e4ff14 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtCl | | | | | | earEvent, address = | | | | | | 0x77e4fe64 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlN | | | | | | tStatusToDosError, a | | | | | | ddress = 0x77e661ed | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtRe | | | | | | adFile, address = 0x | | | | | | 77e4f8e0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtWa | | | | | | itForMultipleObjects | | | | | | , address = 0x77e501 | | | | | | 38 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = Ship | | | | | | Assert, address = 0x | | | | | | 77ed8b96 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryEvent, address = | | | | | | 0x77e500bc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtQu | | | | | | eryInformationFile, | | | | | | address = 0x77e4fa00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlU | | | | | | nicodeStringToAnsiSt | | | | | | ring, address = 0x77 | | | | | | e66ac8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | nsiStringToUnicodeSt | | | | | | ring, address = 0x77 | | | | | | e5e6b5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitAnsiString, addre | | | | | | ss = 0x77e5e1d0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeAnsiString, addre | | | | | | ss = 0x77e5e126 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | estroyHeap, address | | | | | | = 0x77e79d8e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlC | | | | | | reateHeap, address = | | | | | | 0x77e70249 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = WinS | | | | | | qmIsOptedIn, address | | | | | | = 0x77e89b58 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6StringToAddressA, | | | | | | address = 0x77e7c85 | | | | | | 5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6StringToAddressW, | | | | | | address = 0x77e7ba0 | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv4StringToAddressA, | | | | | | address = 0x77e7c41 | | | | | | 1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv4StringToAddressW, | | | | | | address = 0x77e7b90 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlI | | | | | | pv6StringToAddressEx | | | | | | A, address = 0x77ef3 | | | | | | d45 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6StringToAddressEx | | | | | | W, address = 0x77e7b | | | | | | 9ae | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitString, address = | | | | | | 0x77e5e198 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryValueKey, address | | | | | | = 0x77e4fa98 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlQ | | | | | | ueryRegistryValues, | | | | | | address = 0x77ea4b60 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, base_address = | | | | | | 0x75a80000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = IsW | | | | | | indow, address = 0x7 | | | | | | 5a97136 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, base_address = | | | | | | 0x76510000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Uui | | | | | | dFromStringW, addres | | | | | | s = 0x7658fd6e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Uui | | | | | | dToStringW, address | | | | | | = 0x76551ee5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Uui | | | | | | dCreate, address = 0 | | | | | | x7652f48b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True 
| 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | StringFreeW, address | | | | | | = 0x76531635 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, base_address = | | | | | | 0x774d0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSC | | | | | | DeinstallProvider, a | | | | | | ddress = 0x774ed775 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSC | | | | | | InstallProvider, add | | | | | | ress = 0x774ed751 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 11, | | | | | | address = 0x774d311 | | | | | | b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 57, | | | | | | address = 0x774da05 | | | | | | b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | Recv, address = 0x77 | | | | | | 4d7089 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ 
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = Wah | | | | | | DestroyHandleContext | | | | | | Table, address = 0x7 | | | | | | 74df268 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 114 | | | | | | , address = 0x774e53 | | | | | | be | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | Ioctl, address = 0x7 | | | | | | 74d2fe7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 14, | | | | | | address = 0x774d2d5 | | | | | | 7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 9, | | | | | | address = 0x774d2d8b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 12, | | | | | | address = 0x774db13 | | | | | | 1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 15, | | | | | | address = 0x774d2d8 | | | | | | b | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSC | | | | | | UpdateProvider, addr | | | | | | ess = 0x774ece2d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = get | | | | | | nameinfo, address = | | | | | | 0x774d67b7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = Wah | | | | | | ReferenceContextByHa | | | | | | ndle, address = 0x77 | | | | | | 4d2f20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = Wah | | | | | | InsertHandleContext, | | | | | | address = 0x774d412 | | | | | | b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSC | | | | | | EnumProtocols, addre | | | | | | ss = 0x774db8cf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSC | | | | | | GetProviderPath, add | | | | | | ress = 0x774dc64e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 112 | | | | | | , address = 0x774d37 | | | | | | d9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = Wah | | | | | | CreateHandleContextT | | | | | | able, address = 0x77 | | | | | | 4d7e65 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = Wah | | | | | | EnumerateHandleConte | | | | | | xts, address = 0x774 | | | | | | daa97 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 115 | | | | | | , address = 0x774d3a | | | | | | b2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | SocketW, address = 0 | | | | | | x774d3cd3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 3, | | | | | | address = 0x774d3918 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | ProviderConfigChange | | | | | | , address = 0x774dc2 | | 
| | | | 2e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 111 | | | | | | , address = 0x774d37 | | | | | | ad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 116 | | | | | | , address = 0x774d3c | | | | | | 5f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSC | | | | | | WriteProviderOrder, | | | | | | address = 0x774ed099 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 56, | | | | | | address = 0x774e6d6 | | | | | | 2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 55, | | | | | | address = 0x774e6ef | | | | | | 3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = Wah | | | | | | RemoveHandleContext, | | | | | | address = 0x774d39b | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | EnumProtocolsW, addr | | | | | | ess = 0x774dc8e1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OutputDebugStringA, | | | | | | address = 0x7749251 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etLastError, address | | | | | | = 0x763111c0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = U | | | | | | nhandledExceptionFil | | | | | | ter, address = 0x763 | | | | | | 3772f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etUnhandledException | | | | | | Filter, address = 0x | | | | | | 763187c9 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etLastError, address | | | | | | = 0x763111a9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | loseHandle, address | | | | | | = 0x76311410 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | uplicateHandle, addr | | | | | | ess = 0x76311886 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedExchange | | | | | | Add, address = 0x774 | | | | | | 86aa0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, 
function = | | | | | | InterlockedIncremen | | | | | | t, address = 0x77486 | | | | | | a50 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedCompareE | | | | | | xchange, address = 0 | | | | | | x77486a8c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedDecremen | | | | | | t, address = 0x77486 | | | | | | a64 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedExchange | | | | | | , address = 0x77486a | | | | | | 78 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateIoCompletionPor | | | | | | t, address = 0x7632e | | | | | | ef2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = P | | | | | | ostQueuedCompletionS | | | | | | tatus, address = 0x7 | | | | | | 632ef29 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etOverlappedResult, | | | | | | address = 0x7632cc79 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcAddress, add | | | | | | ress = 0x77491180 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeLibrary, addres | | | | | | s = 0x77491d92 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadLibraryExA, add | | | | | | ress = 0x77491d54 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleHandleExA, | | | | | | address = 0x774910c | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadLibraryExW, add | | | | | | ress = 0x77491bb2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeLibraryAndExitT | | | | | | hread, address = 0x7 | | | | | | 7490b76 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleFileNameW, | | | | | | address = 0x77490c0 | | | | | | 5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LCMapStringW, addre | | | | | | ss = 0x774a1e6a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egOpenKeyExA, addres | | | | | | s = 0x7631472f | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egSetValueExA, addre | | | | | | ss = 0x76321441 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egCreateKeyExW, addr | | | | | | ess = 0x7631865b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egCloseKey, address | | | | | | = 0x7631209f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egQueryValueExW, add | | | | | | ress = 0x76311f4e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egOpenKeyExW, addres | | | | | | s = 0x76312311 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egQueryValueExA, add | | | | | | ress = 0x76314a87 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | 
True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egEnumKeyExW, addres | | | | | | s = 0x76312e9a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egDeleteKeyExW, addr | | | | | | ess = 0x76330725 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egSetValueExW, addre | | | | | | ss = 0x76315be5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualAlloc, addre | | | | | | ss = 0x7748e365 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | VirtualFree, addres | | | | | | s = 0x7748e2aa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalAlloc, address | | | | | | = 0x774948f9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FormatMessageW, add | | | | | | ress = 0x77493e37 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrcmpW, address = | | | | | | 0x7748a389 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrlenW, address = | | | | | | 0x7748a505 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Sleep, address = 0x | | | | | | 77493511 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalFree, address | | | | | | = 0x77493e61 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetEnvironmentVaria | | | | | | bleA, address = 0x77 | | | | | | 48fcad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ExpandEnvironmentSt | | | | | | ringsW, address = 0x | | | | | | 7748faac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ExpandEnvironmentSt | | | | | | ringsA, address = 0x | | | | | | 7748fe42 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | esumeThread, address | | | | | | = 0x763143ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsGetValue, address | | | | | | = 0x763111e0 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsSetValue, address | | | | | | = 0x763114fb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etThreadPriority, ad | | | | | | dress = 0x763132bb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentThread, add | | | | | | ress = 0x763117ec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateThread, address | | | | | | = 0x763134d5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentProcessId, | | | | | | address = 0x763111f8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentProcess, ad | | | | | | dress = 0x76311809 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win 
| True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | erminateThread, addr | | | | | | ess = 0x76317a2f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsFree, address = 0x | | | | | | 76313587 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsAlloc, address = 0 | | | | | | x763149ad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentThreadId, a | | | | | | ddress = 0x76311450 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | erminateProcess, add | | | | | | ress = 0x7632d802 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | QueryPerformanceCou | | | | | | nter, address = 0x77 | | | | | | e68884 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | MultiByteToWideChar | | | | | | , address = 0x774af3 | | | | | | 08 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WideCharToMultiByte | | | | | | , address = 0x774afa | | | | | | 07 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | aitForMultipleObject | | | | | | sEx, address = 0x763 | | | | | | 1199e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etEvent, address = 0 | | | | | | x763116c5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | eaveCriticalSection, | | | | | | address = 0x77e5227 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = E | | | | | | nterCriticalSection, | | | | | | address = 0x77e522b | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | eleteCriticalSection | | | | | | , address = 0x77e645 | | | | | | f5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nitializeCriticalSec | | | | | | tion, address = 0x77 | | | | | | e62c42 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | aitForSingleObjectEx | | | | | | , address = 0x763111 | | | | | | 51 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateEventA, address | | | | | | = 0x7631328c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | 
aitForSingleObject, | | | | | | address = 0x76311136 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = O | | | | | | penEventW, address = | | | | | | 0x763115d6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | leepEx, address = 0x | | | | | | 76311215 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nitializeCriticalSec | | | | | | tionAndSpinCount, ad | | | | | | dress = 0x76311916 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = O | | | | | | penProcess, address | | | | | | = 0x76311986 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateEventW, address | | | | | | = 0x7631183e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemInfo, addr | | | | | | ess = 0x7748e6b2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemTimeAsFile | | | | | | Time, address = 0x77 | | | | | | 488c67 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetTickCount, addre | | | | | | ss = 0x77488c96 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | elayLoadFailureHook, | | | | | | address = 0x763aec9 | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | UNMAP | process_name = c:\wi | True | 1 | | | | ndows\syswow64\ping. 
| | | | | | exe, os_pid = 0x50c, | | | | | | base_address = 0x80 | | | | | | 0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, base_address = | | | | | | 0x774d0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_FILENAME | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, file_name = C: | | | | | | \Windows\syswow64\WS | | | | | | 2_32.dll | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | FILE | CREATE | file_name = c:\windo | True | 1 | | | | ws\syswow64\ws2_32.d | | | | | | ll, desired_access = | | | | | | GENERIC_READ, share | | | | | | _mode = FILE_SHARE_R | | | | | | EAD, create_disposit | | | | | | ion = OPEN_EXISTING | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | CREATE_MAPPING | file_name = c:\windo | True | 1 | | | | ws\syswow64\ws2_32.d | | | | | | ll, module_name = Na | | | | | | meless FileMapping, | | | | | | maximum_size = 0, pr | | | | | | otection = PAGE_READ | | | | | | ONLY | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | MAP | file_name = c:\windo | True | 1 | | | | ws\syswow64\ws2_32.d | | | | | | ll, process_name = c | | | | | | :\windows\syswow64\p | | | | | | ing.exe, os_pid = 0x | | | | | | 50c, module_name = N | | | | | | ameless FileMapping, | | | | | | desired_access = FI | | | | | | LE_MAP_READ, file_of | | | | | | fset = 0, address = | | | | | | 0x800000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = 
c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, base_address = | | | | | | 0x75fc0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | set, address = 0x75f | | | | | | c9790 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _wc | | | | | | snicmp, address = 0x | | | | | | 75fcaae3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | chr, address = 0x75f | | | | | | caa61 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | cpy, address = 0x75f | | | | | | c9910 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = __i | | | | | | sascii, address = 0x | | | | | | 75fdd57b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = tow | | | | | | upper, address = 0x7 | | | | | | 5fcf670 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | toul, address = 0x75 | | | | | | fd012e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _on | | | | | | exit, address = 0x75 | | | | | | fd112d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _lo | | | | | | ck, address = 0x75fc | | | | | | a449 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = __d | | | | | | llonexit, address = | | | | | | 0x75fcf509 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _un | | | | | | lock, address = 0x75 | | | | | | fca42d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _ex | | | | | | cept_handler4_common | | | | | | , address = 0x75fe3e | | | | | | 27 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\msvcrt | | | | | | .dll, function = _am | | | | | | sg_exit, address = 0 | | | | | | x7602b2ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _in | | | | | | itterm, address = 0x | | | | | | 75fcc151 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fre | | | | | | e, address = 0x75fc9 | | | | | | 894 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mal | | | | | | loc, address = 0x75f | | | | | | c9cee | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _Xc | | | | | | ptFilter, address = | | | | | | 0x75fedc75 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _wc | | | | | | sicmp, address = 0x7 | | | | | | 5fca9e9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | ncmp, address = 0x75 | | | | | | fcb05e | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = iss | | | | | | pace, address = 0x75 | | | | | | fcc395 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | cpy_s, address = 0x7 | | | | | | 5fcf574 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = spr | | | | | | intf_s, address = 0x | | | | | | 75fe51da | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _st | | | | | | ricmp, address = 0x7 | | | | | | 5fcdb38 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fcl | | | | | | ose, address = 0x75f | | | | | | d3d79 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fop | | | | | | en, address = 0x75fd | | | | | | b2c4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, 
function = fge | | | | | | ts, address = 0x75fe | | | | | | 4589 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = ato | | | | | | i, address = 0x75fcd | | | | | | be0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | chr, address = 0x75f | | | | | | cdbeb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _vs | | | | | | nwprintf, address = | | | | | | 0x75fcbbce | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _vs | | | | | | nprintf, address = 0 | | | | | | x75fcd1a8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | str, address = 0x75f | | | | | | cbf71 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv4StringToAddressA, | | | | | | address = 0x77e7c41 | | | | | | 1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6StringToAddressA, | | | | | | address = 0x77e7c85 | | | | | | 5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv4StringToAddressW, | | | | | | address = 0x77e7b90 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6StringToAddressW, | | | | | | address = 0x77e7ba0 | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv4AddressToStringEx | | | | | | A, address = 0x77ef3 | | | | | | c1e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlI | | | | | | pv6AddressToStringEx | | | | | | A, address = 0x77ef3 | | | | | | b06 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv4AddressToStringEx | | | | | | W, address = 0x77e7b | | | | | | b8f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6AddressToStringEx | | | | | | W, address = 0x77e7d | | | | | | 200 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6StringToAddressEx | | | | | | W, address = 0x77e7b | | | | | | 9ae | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlC | | | | | | ompareMemory, addres | | | | | | s = 0x77e93b00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlN | | | | | | tStatusToDosError, a | | | | | | ddress = 0x77e661ed | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlU | | | | | | nicodeStringToIntege | | | | | | r, address = 0x77e8c | | | | | | b1e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitUnicodeStringEx, | | | | | | address = 0x77e67d73 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwT | | | | | | raceMessage, address | | | | | | = 0x77e979b7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtDe | | | | | | layExecution, addres | | | | | | s = 0x77e4fd6c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCl | | | | | | ose, address = 0x77e | | | | | | 4f9d0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtDe | | | | | | viceIoControlFile, a | | | | | | ddress = 0x77e4f8fc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtLo | | | | | | adDriver, address = | | | | | | 0x77e50de4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitUnicodeString, ad | | | | | | dress = 0x77e5e208 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | djustPrivilege, addr | | | | | | ess = 0x77ee1f40 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | mpersonateSelf, addr | | | | | | ess = 0x77ea242f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateFile, address = | | | | | | 0x77e500a4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtWa | | | | | | itForSingleObject, a | | | | | | ddress = 0x77e4f8ac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = NtFs | | | | | | ControlFile, address | | | | | | = 0x77e4fde8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtCr | | | | | | eateNamedPipeFile, a | | | | | | ddress = 0x77e507a4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtQu | | | | | | eryDirectoryFile, ad | | | | | | dress = 0x77e4fd88 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = NtOp | | | | | | enFile, address = 0x | | | | | | 77e4fd54 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeHeap, address = 0 | | | | | | x77e5df85 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | llocateHeap, address | | | | | | = 0x77e5e026 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = WinS | | | | | | qmIsOptedIn, address | | | | | | = 0x77e89b58 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlG | | | | | | etNtProductType, add | | | | | | ress = 0x77e68802 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwE | | | | | | ventUnregister, addr | | | | | | ess = 0x77e89241 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwE | | | | | | ventWrite, address = | | | | | | 0x77e90c59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = EtwE | | | | | | ventRegister, addres | | | | | | s = 0x77e6f6ba | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etUnhandledException | | | | | | Filter, address = 0x | | | | | | 763187c9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etLastError, address | | | | | | = 0x763111a9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = U | | | | | | nhandledExceptionFil | | | | | | ter, address = 0x763 | | | | | | 3772f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etLastError, address | | | | | | = 0x763111c0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etHandleInformation, | | | | | | address = 0x7633cb6 | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | uplicateHandle, addr | | | | | | ess = 0x76311886 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | loseHandle, address | | | | | | = 0x76311410 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapDestroy, addres | | | | | | s = 0x77494580 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcessHeap, add | | | | | | ress = 0x7749469a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapCreate, address | | | | | | = 0x77494516 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapFree, address = | | | | | | 0x77e5df85 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapAlloc, address | | | | | | = 0x77e5e026 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | HeapReAlloc, addres | | | | | | s = 0x77e71f6e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedCompareE | | | | | | xchange, address = 0 | | | | | | x77486a8c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedExchange | | | | | | Add, address = 0x774 | | | | | | 86aa0 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedExchange | | | | | | , address = 0x77486a | | | | | | 78 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedIncremen | | | | | | t, address = 0x77486 | | | | | | a50 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedDecremen | | | | | | t, address = 0x77486 | | | | | | a64 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | eviceIoControl, addr | | | | | | ess = 0x7631322f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeLibraryAndExitT | | | | | | hread, address = 0x7 | | | | | | 7490b76 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeLibrary, addres | | | | | | s = 0x77491d92 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleHandleA, a | | | | | | ddress = 0x77491ef5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadStringA, addres | | | | | | s = 0x77493bbb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleFileNameA, | | | | | | address = 0x77491e2 | | | | | | 4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadStringW, addres | | | | | | s = 0x77493c28 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleFileNameW, | | | | | | address = 0x77490c0 | | | | | | 5 
| | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadLibraryExW, add | | | | | | ress = 0x77491bb2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadLibraryExA, add | | | | | | ress = 0x77491d54 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcAddress, add | | | | | | ress = 0x77491180 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleHandleExA, | | | | | | address = 0x774910c | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egCreateKeyExA, addr | | | | | | ess = 0x763212c2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egCloseKey, address | | | | | | = 0x7631209f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egOpenKeyExA, addres | | | | | | s = 0x7631472f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egQueryValueExA, add | | | | | | ress = 0x76314a87 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egSetValueExW, addre | | | | | | ss = 0x76315be5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egSetValueExA, addre | | | | | | ss = 0x76321441 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egQueryValueExW, add | | | | | | ress = 0x76311f4e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egDeleteKeyExA, addr | | | | | | ess = 0x763b2e7b | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egDeleteTreeA, addre | | | | | | ss = 0x763b31e8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egNotifyChangeKeyVal | | | | | | ue, address = 0x7632 | | | | | | 119e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egGetKeySecurity, ad | | | | | | dress = 0x76332e5c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egEnumKeyExA, addres | | | | | | s = 0x7632f9a6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | Sleep, address = 0x | | | | | | 77493511 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrlenW, address = | | | | | | 0x7748a505 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrlenA, address = | | | | | | 0x7748a330 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | lstrcmpA, address = | | | | | | 0x7748a1b8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalAlloc, address | | | | | | = 0x774948f9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsWow64Process, add | | | | | | ress = 0x7748e4c0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GlobalFree, address | | | | | | = 0x77493e61 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GlobalAlloc, addres | | | | | | s = 0x77493fa7 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | PulseEvent, address | | | | | | = 0x7749018f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalFree, address | | | | | | = 0x77493e61 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetEnvironmentVaria | | | | | | bleA, address = 0x77 | | | | | | 48fcad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetCommandLineW, ad | | | | | | dress = 0x7748e669 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ExpandEnvironmentSt | | | | | | ringsW, address = 0x | | | | | | 7748faac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | 
True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ExpandEnvironmentSt | | | | | | ringsA, address = 0x | | | | | | 7748fe42 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateThread, address | | | | | | = 0x763134d5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsFree, address = 0x | | | | | | 76313587 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsAlloc, address = 0 | | | | | | x763149ad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | witchToThread, addre | | | | | | ss = 0x7632efec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsSetValue, address | | | | | | = 0x763114fb | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentProcess, ad | | | | | | dress = 0x76311809 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentThreadId, a | | | | | | ddress = 0x76311450 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = O | | | | | | penThreadToken, addr | | | | | | ess = 0x7749ba25 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentThread, add | | | | | | ress = 0x763117ec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = Q | | | | | | ueueUserAPC, address | | | | | | = 0x76339f5d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | esumeThread, address | | | | | | = 0x763143ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win 
| True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentProcessId, | | | | | | address = 0x763111f8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | erminateProcess, add | | | | | | ress = 0x7632d802 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = O | | | | | | penProcessToken, add | | | | | | ress = 0x7749b9f7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsGetValue, address | | | | | | = 0x763111e0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | QueryPerformanceCou | | | | | | nter, address = 0x77 | | | | | | e68884 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | MultiByteToWideChar | | | | | | , address = 0x774af3 | | | | | | 08 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | WideCharToMultiByte | | | | | | , address = 0x774afa | | | | | | 07 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etEvent, address = 0 | | | | | | x763116c5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = E | | | | | | nterCriticalSection, | | | | | | address = 0x77e522b | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | eaveCriticalSection, | | | | | | address = 0x77e5227 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | 
module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateEventA, address | | | | | | = 0x7631328c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | esetEvent, address = | | | | | | 0x763116dd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | aitForMultipleObject | | | | | | sEx, address = 0x763 | | | | | | 1199e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nitializeCriticalSec | | | | | | tionAndSpinCount, ad | | | | | | dress = 0x76311916 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateEventW, address | | | | | | = 0x7631183e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | eleteCriticalSection | | | | | | , address = 0x77e645 | | | | | | f5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | 
| | nitializeCriticalSec | | | | | | tion, address = 0x77 | | | | | | e62c42 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | aitForSingleObject, | | | | | | address = 0x76311136 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetVersionExA, addr | | | | | | ess = 0x77491f41 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetComputerNameExA, | | | | | | address = 0x7749819 | | | | | | 7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetTickCount, addre | | | | | | ss = 0x77488c96 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemTimeAsFile | | | | | | Time, address = 0x77 | | | | | | 488c67 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemDirectoryA | | | | | | , address = 0x774956 | | | | | | c4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemInfo, addr | | | | | | ess = 0x7748e6b2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSystemWindowsDir | | | | | | ectoryA, address = 0 | | | | | | x7749577c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | SetSecurityDescript | | | | | | orDacl, address = 0x | | | | | | 7749c69c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | IsValidSid, address | | | | | | = 0x7749bf9d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS 
| module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | AddAccessAllowedAce | | | | | | , address = 0x7749c2 | | | | | | d9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | AddAccessDeniedAce, | | | | | | address = 0x7749c38 | | | | | | 8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InitializeAcl, addr | | | | | | ess = 0x7749c1bc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | ImpersonateLoggedOn | | | | | | User, address = 0x77 | | | | | | 49ce25 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | EqualSid, address = | | | | | | 0x7749bfca | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetAce, address = 0 | | | | | | x7749c2ab | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | 
GetAclInformation, | | | | | | address = 0x7749c1ea | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetLengthSid, addre | | | | | | ss = 0x7749c0fd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeSid, address = | | | | | | 0x7749c05b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | AllocateAndInitiali | | | | | | zeSid, address = 0x7 | | | | | | 749c06c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetSecurityDescript | | | | | | orDacl, address = 0x | | | | | | 7749c6cd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | RevertToSelf, addre | | | | | | ss = 0x7749cdf3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CheckTokenMembershi | | | | | | p, address = 0x7749d | | | | | | 76b | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetTokenInformation | | | | | | , address = 0x7749ba | | | | | | 56 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CopySid, address = | | | | | | 0x7749c116 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InitializeSecurityD | | | | | | escriptor, address = | | | | | | 0x7749c5a6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, base_address = | | | | | | 0x76510000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | AsyncCompleteCall, a | | | | | | ddress = 0x765c0d7c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | ServerInqBindings, a | | | | | | ddress = 0x765508c2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | 
True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | ServerUseProtseqW, a | | | | | | ddress = 0x76550fb5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | EpUnregister, addres | | | | | | s = 0x7654f3af | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | BindingVectorFree, a | | | | | | ddress = 0x7654f33d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | EpRegisterW, address | | | | | | = 0x76550ae1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | ServerListen, addres | | | | | | s = 0x765509e8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | ServerInqCallAttribu | | | | | | tesW, address = 0x76 | | | | | | 546ccd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Ndr | | | | | | ServerCall2, address | | | | | | = 0x765c1035 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Ndr | | | | | | AsyncServerCall, add | | | | | | ress = 0x765c186e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = I_R | | | | | | pcBindingInqTranspor | | | | | | tType, address = 0x7 | | | | | | 6546d80 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Uui | | | | | | dCreate, address = 0 | | | | | | x7652f48b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | RevertToSelf, addres | | | | | | s = 0x7654f7c3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | RevertToSelfEx, addr | | | | | | ess = 0x76547c9e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | ImpersonateClient, a | | | | | | ddress = 0x76547c3f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | 
module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | BindingInqObject, ad | | | | | | dress = 0x7654601e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | ServerUnregisterIfEx | | | | | | , address = 0x765792 | | | | | | 18 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | ServerRegisterIfEx, | | | | | | address = 0x76549bc5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\rpcrt4 | | | | | | .dll, function = Rpc | | | | | | ServerUnregisterIf, | | | | | | address = 0x765453f4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\nsi.dl | | | | | | l, base_address = 0x | | | | | | 77260000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\nsi.dl | | | | | | l, function = NsiGet | | | | | | Parameter, address = | | | | | | 0x772616c8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\nsi.dl | | | | | | l, function = NsiGet | | | | | | AllParameters, addre | | | | | | ss = 0x77261640 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\nsi.dl | | | | | | l, function = NsiSet | | | | | | AllParameters, addre | | | | | | ss = 0x77261b28 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | elayLoadFailureHook, | | | | | | address = 0x763aec9 | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | UNMAP | process_name = c:\wi | True | 1 | | | | ndows\syswow64\ping. 
| | | | | | exe, os_pid = 0x50c, | | | | | | base_address = 0x80 | | | | | | 0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = wsock3 | False | 1 | | | | 2, base_address = 0x | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | LOAD | module_name = wsock3 | True | 1 | | | | 2, base_address = 0x | | | | | | 75730000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_FILENAME | module_name = wsock3 | True | 1 | | | | 2, file_name = C:\Wi | | | | | | ndows\SysWOW64\wsock | | | | | | 32.DLL | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | FILE | CREATE | file_name = c:\windo | True | 1 | | | | ws\syswow64\wsock32. | | | | | | dll, desired_access | | | | | | = GENERIC_READ, shar | | | | | | e_mode = FILE_SHARE_ | | | | | | READ, create_disposi | | | | | | tion = OPEN_EXISTING | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | CREATE_MAPPING | file_name = c:\windo | True | 1 | | | | ws\syswow64\wsock32. | | | | | | dll, module_name = N | | | | | | ameless FileMapping, | | | | | | maximum_size = 0, p | | | | | | rotection = PAGE_REA | | | | | | DONLY | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | MAP | file_name = c:\windo | True | 1 | | | | ws\syswow64\wsock32. 
| | | | | | dll, process_name = | | | | | | c:\windows\syswow64\ | | | | | | ping.exe, os_pid = 0 | | | | | | x50c, module_name = | | | | | | Nameless FileMapping | | | | | | , desired_access = F | | | | | | ILE_MAP_READ, file_o | | | | | | ffset = 0, address = | | | | | | 0x210000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, base_address = | | | | | | 0x774d0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | Recv, address = 0x77 | | | | | | 4d7089 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 7, | | | | | | address = 0x774d737d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | RecvFrom, address = | | | | | | 0x774dcba6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 21, | | | | | | address = 0x774d41b | | | | | | 6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, base_address = | | | | | | 0x75fc0000 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _ex | | | | | | cept_handler4_common | | | | | | , address = 0x75fe3e | | | | | | 27 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _am | | | | | | sg_exit, address = 0 | | | | | | x7602b2ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _in | | | | | | itterm, address = 0x | | | | | | 75fcc151 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fre | | | | | | e, address = 0x75fc9 | | | | | | 894 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mal | | | | | | loc, address = 0x75f | | | | | | c9cee | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _Xc | | | | | | ptFilter, address = | | | | | | 0x75fedc75 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nterlockedExchange, | | | | | | address = 0x76311462 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etLastError, address | | | | | | = 0x763111a9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nterlockedCompareExc | | | | | | hange, address = 0x7 | | | | | | 6311484 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = Q | | | | | | ueryPerformanceCount | | | | | | er, address = 0x7631 | | | | | | 1725 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etUnhandledException | | | | | | Filter, address = 0x | | | | | | 763187c9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = U | | | | | | nhandledExceptionFil | | | | | | ter, address = 0x763 | | | | | | 
3772f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentProcess, ad | | | | | | dress = 0x76311809 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | erminateProcess, add | | | | | | ress = 0x7632d802 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etSystemTimeAsFileTi | | | | | | me, address = 0x7631 | | | | | | 3509 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentProcessId, | | | | | | address = 0x763111f8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentThreadId, a | | | | | | ddress = 0x76311450 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etTickCount, address | | | | | | = 0x7631110c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | leep, address = 0x76 | | | | | | 3110ff | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | UNMAP | process_name = c:\wi | True | 1 | | | | ndows\syswow64\ping. | | | | | | exe, os_pid = 0x50c, | | | | | | base_address = 0x21 | | | | | | 0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = dnsapi | False | 1 | | | | , base_address = 0x0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | LOAD | module_name = dnsapi | True | 1 | | | | , base_address = 0x7 | | | | | | 56e0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_FILENAME | module_name = dnsapi | True | 1 | | | | , file_name = C:\Win | | | | | | dows\SysWOW64\dnsapi | | | | | | .DLL | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | FILE | CREATE | file_name = c:\windo | True | 1 | | | | ws\syswow64\dnsapi.d | | | | | | ll, desired_access = | | | | | | GENERIC_READ, share | | | | | | _mode = FILE_SHARE_R | | | | | | EAD, create_disposit | | | | | | ion = OPEN_EXISTING | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | CREATE_MAPPING | file_name = c:\windo | True | 1 | | | | ws\syswow64\dnsapi.d | | | | | | ll, module_name = Na | | | | | | meless FileMapping, | | | | | | maximum_size = 0, pr | | | | | | otection = PAGE_READ | | | | | | ONLY | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | MAP | file_name = 
c:\windo | True | 1 | | | | ws\syswow64\dnsapi.d | | | | | | ll, process_name = c | | | | | | :\windows\syswow64\p | | | | | | ing.exe, os_pid = 0x | | | | | | 50c, module_name = N | | | | | | ameless FileMapping, | | | | | | desired_access = FI | | | | | | LE_MAP_READ, file_of | | | | | | fset = 0, address = | | | | | | 0x800000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, base_address = | | | | | | 0x75fc0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fre | | | | | | e, address = 0x75fc9 | | | | | | 894 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mal | | | | | | loc, address = 0x75f | | | | | | c9cee | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _Xc | | | | | | ptFilter, address = | | | | | | 0x75fedc75 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _in | | | | | | itterm, address = 0x | | | | | | 75fcc151 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | 
| .dll, function = tow | | | | | | lower, address = 0x7 | | | | | | 5fcad52 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _ex | | | | | | cept_handler4_common | | | | | | , address = 0x75fe3e | | | | | | 27 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | chr, address = 0x75f | | | | | | caa61 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | toul, address = 0x75 | | | | | | fcb319 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = ato | | | | | | i, address = 0x75fcd | | | | | | be0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = ssc | | | | | | anf, address = 0x75f | | | | | | ded4c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | toul, address = 0x75 | | | | | | fd012e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ 
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _st | | | | | | rlwr, address = 0x75 | | | | | | fdca0b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | ncmp, address = 0x75 | | | | | | fcb443 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _st | | | | | | rupr, address = 0x75 | | | | | | fdd49e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _am | | | | | | sg_exit, address = 0 | | | | | | x7602b2ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | cpy, address = 0x75f | | | | | | c9910 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _st | | | | | | ricmp, address = 0x7 | | | | | | 5fcdb38 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = ran | | | | | | d, address = 0x75fcc | | | | | | 070 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = sra | | | | | | nd, address = 0x75fc | | | | | | f757 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _st | | | | | | rnicmp, address = 0x | | | | | | 75fd0578 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _wc | | | | | | snicmp, address = 0x | | | | | | 75fcaae3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _wc | | | | | | sicmp, address = 0x7 | | | | | | 5fca9e9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fpu | | | | | | ts, address = 0x75fe | | | | | | 6c38 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = tim | | | | | | e, address = 0x75fcf | | | | | | 708 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, 
function = loc | | | | | | altime, address = 0x | | | | | | 75fd7511 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fpr | | | | | | intf, address = 0x75 | | | | | | fd3e00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fge | | | | | | ts, address = 0x75fe | | | | | | 4589 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = rew | | | | | | ind, address = 0x75f | | | | | | e6e17 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fop | | | | | | en, address = 0x75fd | | | | | | b2c4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | pbrk, address = 0x75 | | | | | | fcf7b6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = fcl | | | | | | ose, address = 0x75f | | | | | | d3d79 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | 
module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _vs | | | | | | nwprintf, address = | | | | | | 0x75fcbbce | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _vs | | | | | | nprintf, address = 0 | | | | | | x75fcd1a8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | set, address = 0x75f | | | | | | c9790 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etLastError, address | | | | | | = 0x763111a9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etLastError, address | | | | | | = 0x763111c0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = U | | | | | | nhandledExceptionFil | | | | | | ter, address = 0x763 | | | | | | 3772f | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etUnhandledException | | | | | | Filter, address = 0x | | | | | | 763187c9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | loseHandle, address | | | | | | = 0x76311410 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedDecremen | | | | | | t, address = 0x77486 | | | | | | a64 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedCompareE | | | | | | xchange, address = 0 | | | | | | x77486a8c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | 
| dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedExchange | | | | | | , address = 0x77486a | | | | | | 78 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | InterlockedIncremen | | | | | | t, address = 0x77486 | | | | | | a50 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetProcAddress, add | | | | | | ress = 0x77491180 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | FreeLibrary, addres | | | | | | s = 0x77491d92 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadLibraryExW, add | | | | | | ress = 0x77491bb2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | DisableThreadLibrar | | | | | | yCalls, address = 0x | | | | | | 77490bdb | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleFileNameW, | | | | | | address = 0x77490c0 | | | | | | 5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | GetModuleHandleW, a | | | | | | ddress = 0x77491094 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LoadLibraryExA, add | | | | | | ress = 0x77491d54 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egEnumKeyExW, addres | | | | | | s = 0x76312e9a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egCloseKey, address | | | | | | = 0x7631209f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egOpenKeyExW, addres | | | | | | s = 0x76312311 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egDeleteKeyExW, addr | | | | | | ess = 0x76330725 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egSetValueExW, addre | | | | | | ss = 0x76315be5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egQueryValueExW, add | | | | | | ress = 0x76311f4e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | egCreateKeyExW, addr | | | | | | ess = 0x7631865b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LocalReAlloc, addre | | | | | | ss = 0x77494a9b | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | Sleep, address = 0x | | |
| | | 77493511 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | LocalAlloc, address | | |
| | | = 0x774948f9 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | LocalFree, address | | |
| | | = 0x77493e61 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_HANDLE | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, base_addre | | |
| | | ss = 0x77480000 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | GetEnvironmentVaria | | |
| | | bleW, address = 0x77 | | |
| | | 48f9d7 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_HANDLE | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, base_address | | |
| | | = 0x76300000 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = C | | |
| | | reateThread, address | | |
| | | = 0x763134d5 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = G | | |
| | | etCurrentProcess, ad | | |
| | | dress = 0x76311809 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = T | | |
| | | erminateProcess, add | | |
| | | ress = 0x7632d802 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = G | | |
| | | etCurrentProcessId, | | |
| | | address = 0x763111f8 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = G | | |
| | | etCurrentThreadId, a | | |
| | | ddress = 0x76311450 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_HANDLE | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, base_addre | | |
| | | ss = 0x77480000 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | QueryPerformanceCou | | |
| | | nter, address = 0x77 | | |
| | | e68884 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_HANDLE | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, base_addre | | |
| | | ss = 0x77480000 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | MultiByteToWideChar | | |
| | | , address = 0x774af3 | | |
| | | 08 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | WideCharToMultiByte | | |
| | | , address = 0x774afa | | |
| | | 07 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | CompareStringW, add | | |
| | | ress = 0x774a1ed8 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_HANDLE | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, base_addre | | |
| | | ss = 0x77480000 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | GetSystemTimeAsFile | | |
| | | Time, address = 0x77 | | |
| | | 488c67 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | GetVersionExW, addr | | |
| | | ess = 0x77491232 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | GetTickCount, addre | | |
| | | ss = 0x77488c96 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | GetSystemDirectoryA | | |
| | | , address = 0x774956 | | |
| | | c4 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | base.dll, function = | | |
| | | GetTickCount64, add | | |
| | | ress = 0x77488ccf | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_HANDLE | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, base_address | | |
| | | = 0x76300000 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = R | | |
| | | eleaseMutex, address | | |
| | | = 0x7631111e | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = A | | |
| | | cquireSRWLockShared, | | |
| | | address = 0x77e6256 | | |
| | | 0 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = C | | |
| | | reateEventA, address | | |
| | | = 0x7631328c | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = I | | |
| | | nitializeCriticalSec | | |
| | | tion, address = 0x77 | | |
| | | e62c42 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = R | | |
| | | eleaseSRWLockShared, | | |
| | | address = 0x77e625a | | |
| | | 9 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = I | | |
| | | nitializeSRWLock, ad | | |
| | | dress = 0x77e68456 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = A | | |
| | | cquireSRWLockExclusi | | |
| | | ve, address = 0x77e6 | | |
| | | 29f1 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = R | | |
| | | eleaseSRWLockExclusi | | |
| | | ve, address = 0x77e6 | | |
| | | 29ab | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = S | | |
| | | leepEx, address = 0x | | |
| | | 76311215 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = R | | |
| | | eleaseSemaphore, add | | |
| | | ress = 0x7632d3ab | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = C | | |
| | | reateEventW, address | | |
| | | = 0x7631183e | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = C | | |
| | | reateSemaphoreExW, a | | |
| | | ddress = 0x76394195 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = W | | |
| | | aitForMultipleObject | | |
| | | sEx, address = 0x763 | | |
| | | 1199e | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = W | | |
| | | aitForSingleObject, | | |
| | | address = 0x76311136 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = S | | |
| | | etEvent, address = 0 | | |
| | | x763116c5 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = L | | |
| | | eaveCriticalSection, | | |
| | | address = 0x77e5227 | | |
| | | 0 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = E | | |
| | | nterCriticalSection, | | |
| | | address = 0x77e522b | | |
| | | 0 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\kernel | | |
| | | 32.dll, function = D | | |
| | | eleteCriticalSection | | |
| | | , address = 0x77e645 | | |
| | | f5 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_HANDLE | module_name = c:\win | True | 1 |
| | | dows\syswow64\ws2_32 | | |
| | | .dll, base_address = | | |
| | | 0x774d0000 | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\ws2_32 | | |
| | | .dll, function = 15, | | |
| | | address = 0x774d2d8 | | |
| | | b | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+
| MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 |
| | | dows\syswow64\ws2_32 | | |
| | | .dll, function = 16, | | |
| | | address = 0x774d6b0 | | |
| | | e | | |
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 20, | | | | | | address = 0x774d34b | | | | | | 5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 19, | | | | | | address = 0x774d6f0 | | | | | | 1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 4, | | | | | | address = 0x774d6bdd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 21, | | | | | | address = 0x774d41b | | | | | | 6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | Ioctl, address = 0x7 | | | | | | 74d2fe7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 13, | | | | | | address = 0x774db00 | | | | | | 1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 3, | | | | | | address = 
0x774d3918 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 22, | | | | | | address = 0x774d449 | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 2, | | | | | | address = 0x774d4582 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 6, | | | | | | address = 0x774d30af | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | JoinLeaf, address = | | | | | | 0x774eca7d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 54, | | | | | | address = 0x774e67c | | | | | | 4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 56, | | | | | | address = 0x774e6d6 | | | | | | 2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 14, | | | | | | address = 
0x774d2d5 | | | | | | 7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 53, | | | | | | address = 0x774e68b | | | | | | 3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 11, | | | | | | address = 0x774d311 | | | | | | b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 115 | | | | | | , address = 0x774d3a | | | | | | b2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 116 | | | | | | , address = 0x774d3c | | | | | | 5f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = Get | | | | | | AddrInfoW, address = | | | | | | 0x774d4889 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = Fre | | | | | | eAddrInfoW, address | | | | | | = 0x774d4b1b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 
| | | | | | .dll, function = 12, | | | | | | address = 0x774db13 | | | | | | 1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 111 | | | | | | , address = 0x774d37 | | | | | | ad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 151 | | | | | | , address = 0x774d6a | | | | | | 8a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 8, | | | | | | address = 0x774d2d57 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | SocketW, address = 0 | | | | | | x774d3cd3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 9, | | | | | | address = 0x774d2d8b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = 18, | | | | | | address = 0x774d698 | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | 
dows\syswow64\ntdll. | | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6StringToAddressW, | | | | | | address = 0x77e7ba0 | | | | | | 9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv4StringToAddressW, | | | | | | address = 0x77e7b90 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = WinS | | | | | | qmIsOptedIn, address | | | | | | = 0x77e89b58 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = WinS | | | | | | qmSetDWORD, address | | | | | | = 0x77e984ce | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwL | | | | | | ogTraceEvent, addres | | | | | | s = 0x77f0b4c7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = EtwE | | | | | | ventEnabled, address | | | | | | = 0x77e688e2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwE | | | | | | ventWrite, address = | | | | | | 0x77e90c59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EvtI | | | | | | ntReportEventAndSour | | | | | | ceAsync, address = 0 | | | | | | x77f0eb43 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwE | | | | | | ventRegister, addres | | | | | | s = 0x77e6f6ba | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwE | | | | | | ventUnregister, addr | | | | | | ess = 0x77e89241 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwU | | | | | | nregisterTraceGuids, | | | | | | address = 0x77e8928 | | | | | | 6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = EtwR | | | | | | egisterTraceGuidsW, | | | | | | address = 0x77e6f843 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwG | | | | | | etTraceLoggerHandle, | | | | | | address = 0x77e9168 | | | | | | a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwG | | | | | | etTraceEnableLevel, | | | | | | address = 0x77e916f3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwG | | | | | | etTraceEnableFlags, | | | | | | address = 0x77e91729 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | nitializeCriticalSec | | | | | | tion, address = 0x77 | | | | | | e62c42 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = EtwT | | | | | | raceMessage, address | | | | | | = 0x77e979b7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlI | | | | | | pv6StringToAddressA, | | | | | | address = 0x77e7c85 | | | | | | 5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv4StringToAddressA, | | | | | | address = 0x77e7c41 | | | | | | 1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6AddressToStringA, | | | | | | address = 0x77ef38e | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6StringToAddressEx | | | | | | A, address = 0x77ef3 | | | | | | d45 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlI | | | | | | pv6StringToAddressEx | | | | | | W, address = 0x77e7b | | | | | | 9ae | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlD | | | | | | eleteCriticalSection | | | | | | , address = 0x77e645 | | | | | | f5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlD | | | | | | estroyHeap, address | | | | | | = 0x77e79d8e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlA | | | | | | llocateHeap, address | | | | | | = 0x77e5e026 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlR | | | | | | eAllocateHeap, addre | | | | | | ss = 0x77e71f6e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlF | | | | | | reeHeap, address = 0 | | | | | | x77e5df85 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlC | | | | | | reateHeap, address = | | | | | | 0x77e70249 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\nsi.dl | | | | | | l, base_address = 0x | | | | | | 77260000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\nsi.dl | | | | | | l, function = NsiAll | | | | | | ocateAndGetTable, ad | | | | | | dress = 0x77261949 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\nsi.dl | | | | | | l, function = NsiGet | | | | | | Parameter, address = | | | | | | 0x772616c8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\nsi.dl | | | | | | l, function = NsiFre | | | | | | eTable, address = 0x | | | | | | 772618f4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | elayLoadFailureHook, | | | | | | address = 0x763aec9 | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = 
c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | CompareStringA, add | | | | | | ress = 0x774a061d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | OutputDebugStringA, | | | | | | address = 0x7749251 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, base_addre | | | | | | ss = 0x77480000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | base.dll, function = | | | | | | LCMapStringW, addre | | | | | | ss = 0x774a1e6a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | UNMAP | process_name = c:\wi | True | 1 | | | | ndows\syswow64\ping. 
| | | | | | exe, os_pid = 0x50c, | | | | | | base_address = 0x80 | | | | | | 0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\winine | | | | | | t.dll, base_address | | | | | | = 0x75ec0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_FILENAME | module_name = c:\win | True | 1 | | | | dows\syswow64\winine | | | | | | t.dll, file_name = C | | | | | | :\Windows\syswow64\W | | | | | | ININET.dll | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | FILE | CREATE | file_name = c:\windo | True | 1 | | | | ws\syswow64\wininet. | | | | | | dll, desired_access | | | | | | = GENERIC_READ, shar | | | | | | e_mode = FILE_SHARE_ | | | | | | READ, create_disposi | | | | | | tion = OPEN_EXISTING | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | CREATE_MAPPING | file_name = c:\windo | True | 1 | | | | ws\syswow64\wininet. | | | | | | dll, module_name = N | | | | | | ameless FileMapping, | | | | | | maximum_size = 0, p | | | | | | rotection = PAGE_REA | | | | | | DONLY | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | MAP | file_name = c:\windo | True | 1 | | | | ws\syswow64\wininet. 
| | | | | | dll, process_name = | | | | | | c:\windows\syswow64\ | | | | | | ping.exe, os_pid = 0 | | | | | | x50c, module_name = | | | | | | Nameless FileMapping | | | | | | , desired_access = F | | | | | | ILE_MAP_READ, file_o | | | | | | ffset = 0, address = | | | | | | 0x1020000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, base_address = | | | | | | 0x75fc0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _wc | | | | | | sicmp, address = 0x7 | | | | | | 5fca9e9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isu | | | | | | pper, address = 0x75 | | | | | | fdc1ca | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | str, address = 0x75f | | | | | | cbf71 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _pu | | | | | | recall, address = 0x | | | | | | 76026ea9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _mb | | | | | | stok, 
address = 0x76 | | | | | | 025615 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isc | | | | | | ntrl, address = 0x75 | | | | | | fdd592 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isp | | | | | | unct, address = 0x75 | | | | | | fe860e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | cpy_s, address = 0x7 | | | | | | 5fcf574 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _st | | | | | | rtoui64, address = 0 | | | | | | x75fe225d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = tim | | | | | | e, address = 0x75fcf | | | | | | 708 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isw | | | | | | digit, address = 0x7 | | | | | | 5fcc02c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | 
| dows\syswow64\msvcrt | | | | | | .dll, function = isa | | | | | | lpha, address = 0x75 | | | | | | fd0fa8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = ato | | | | | | l, address = 0x75fcd | | | | | | df4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _wt | | | | | | oi, address = 0x75fc | | | | | | c823 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = iss | | | | | | pace, address = 0x75 | | | | | | fcc395 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | pbrk, address = 0x75 | | | | | | fcf7b6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isd | | | | | | igit, address = 0x75 | | | | | | fcb407 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isx | | | | | | digit, address = 0x7 | | | | | | 5fd1070 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | chr, address = 0x75f | | | | | | de134 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _vs | | | | | | nprintf, address = 0 | | | | | | x75fcd1a8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _wc | | | | | | snicmp, address = 0x | | | | | | 75fcaae3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | tok, address = 0x75f | | | | | | d076e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isw | | | | | | lower, address = 0x7 | | | | | | 5fef796 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = qso | | | | | | rt, address = 0x75fc | | | | | | d3e6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | 
.dll, function = _vs | | | | | | nprintf_s, address = | | | | | | 0x7602a6e1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _Xc | | | | | | ptFilter, address = | | | | | | 0x75fedc75 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _in | | | | | | itterm, address = 0x | | | | | | 75fcc151 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _am | | | | | | sg_exit, address = 0 | | | | | | x7602b2ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _ex | | | | | | cept_handler4_common | | | | | | , address = 0x75fe3e | | | | | | 27 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _un | | | | | | lock, address = 0x75 | | | | | | fca42d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = __d | | | | | | llonexit, address = | | | | | | 0x75fcf509 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _lo | | | | | | ck, address = 0x75fc | | | | | | a449 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _on | | | | | | exit, address = 0x75 | | | | | | fd112d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | cpy, address = 0x75f | | | | | | c9910 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | set, address = 0x75f | | | | | | c9790 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _vs | | | | | | nwprintf, address = | | | | | | 0x75fcbbce | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mal | | | | | | loc, address = 0x75f | | | | | | c9cee | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, 
function = fre | | | | | | e, address = 0x75fc9 | | | | | | 894 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = rea | | | | | | lloc, address = 0x75 | | | | | | fcb10d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = ato | | | | | | i, address = 0x75fcd | | | | | | be0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | rchr, address = 0x75 | | | | | | fcdbae | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | tok_s, address = 0x7 | | | | | | 6040db3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | rchr, address = 0x75 | | | | | | fca73f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isw | | | | | | space, address = 0x7 | | | | | | 5fcaacb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | 
module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | tok_s, address = 0x7 | | | | | | 5ff00b3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = mem | | | | | | move, address = 0x75 | | | | | | fc9e5a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = str | | | | | | tol, address = 0x75f | | | | | | ee8f0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = __i | | | | | | sascii, address = 0x | | | | | | 75fdd57b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isl | | | | | | ower, address = 0x75 | | | | | | fef0f7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = spr | | | | | | intf_s, address = 0x | | | | | | 75fe51da | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = swp | | | | | | rintf_s, address = 0 | | | | | | x75fcecf8 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | tol, address = 0x75f | | | | | | cff45 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isw | | | | | | xdigit, address = 0x | | | | | | 75fd1029 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isw | | | | | | ascii, address = 0x7 | | | | | | 5fd1010 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = _st | | | | | | rnicmp, address = 0x | | | | | | 75fd0578 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | cat_s, address = 0x7 | | | | | | 5fcfd66 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = ??_ | | | | | | U@YAPAXI@Z, address | | | | | | = 0x75fcb100 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | 
| | .dll, function = ??_ | | | | | | V@YAXPAX@Z, address | | | | | | = 0x75fcb0f3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = qso | | | | | | rt_s, address = 0x76 | | | | | | 029380 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = bse | | | | | | arch, address = 0x75 | | | | | | fcb34a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = wcs | | | | | | ncmp, address = 0x75 | | | | | | fcb05e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\msvcrt | | | | | | .dll, function = isa | | | | | | lnum, address = 0x75 | | | | | | fd0fdc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, function = RtlC | | | | | | onvertSidToUnicodeSt | | | | | | ring, address = 0x77 | | | | | | e6aec2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. | | | | | | dll, function = RtlM | | | | | | oveMemory, address = | | | | | | 0x77e93c40 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, base_address | | | | | | = 0x76210000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = SH | | | | | | RegGetValueW, addres | | | | | | s = 0x7622b8ba | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 15 | | | | | | 8, address = 0x7622b | | | | | | b2d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = SH | | | | | | RegGetValueA, addres | | | | | | s = 0x7621ce33 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thAddBackslashW, add | | | | | | ress = 0x7622c177 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thFindFileNameW, add | | | | | | ress = 0x7622bb71 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rRChrW, address = 0x | | | | | | 76223ef0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thRemoveBackslashA, | | | | | | address = 0x76248d1a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thRemoveFileSpecA, a | | | | | | ddress = 0x7623e20b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 15 | | | | | | 5, address = 0x7621d | | | | | | 2ac | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thRemoveBlanksA, add | | | | | | ress = 0x7621d8bc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 
| | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thAddBackslashA, add | | | | | | ress = 0x7621cf33 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thAppendA, address = | | | | | | 0x7621d65e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 21 | | | | | | 5, address = 0x7622a | | | | | | d74 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thUnExpandEnvStrings | | | | | | A, address = 0x7623a | | | | | | b7b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 15 | | | | | | 7, address = 0x76229 | | | | | | 47e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thRenameExtensionA, | | | | | | address = 0x76249cdd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = SH | | | | | | DeleteKeyA, address | | | | | | = 0x7623d9f6 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = SH | | | | | | DeleteValueW, addres | | | | | | s = 0x7621fcca | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rCmpNIW, address = 0 | | | | | | x76224745 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rCmpNIA, address = 0 | | | | | | x7621d11c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rStrIA, address = 0x | | | | | | 7621d250 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rStrA, address = 0x7 | | | | | | 623c45b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 15 | | | | | | 1, address = 0x7623c | | | | | | b3d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | 
| | | | i.dll, function = St | | | | | | rChrW, address = 0x7 | | | | | | 6224640 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rChrA, address = 0x7 | | | | | | 621c5e6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 15 | | | | | | 4, address = 0x76225 | | | | | | 605 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 21 | | | | | | 7, address = 0x76227 | | | | | | 173 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Ur | | | | | | lCombineW, address = | | | | | | 0x762275fb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Ur | | | | | | lCanonicalizeW, addr | | | | | | ess = 0x76227472 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 15 | | | | | | 3, address = 0x7621c | | | | | | dae | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thCreateFromUrlW, ad | | | | | | dress = 0x76226ce1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Ur | | | | | | lUnescapeA, address | | | | | | = 0x7623c6fb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Ur | | | | | | lCombineA, address = | | | | | | 0x762561c7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Ur | | | | | | lCanonicalizeA, addr | | | | | | ess = 0x76256577 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rToIntW, address = 0 | | | | | | x762250be | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rCmpW, address = 0x7 | | | | | | 6228277 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rCmpNA, address = 0x | | | | | | 7623c57c | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rRChrA, address = 0x | | | | | | 7621ccf5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rToIntA, address = 0 | | | | | | x7623cd65 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rStrIW, address = 0x | | | | | | 762246e9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = SH | | | | | | GetValueA, address = | | | | | | 0x7621cf09 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = SH | | | | | | SetValueA, address = | | | | | | 0x7624b0ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = SH | | | | | | GetValueW, address = | | | | | | 0x7622a955 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap 
| | | | | | i.dll, function = SH | | | | | | SetValueW, address = | | | | | | 0x7622170c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 43 | | | | | | 7, address = 0x7622b | | | | | | ee6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rChrNW, address = 0x | | | | | | 7623d5fd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = St | | | | | | rTrimW, address = 0x | | | | | | 762231bc | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = 12 | | | | | | , address = 0x762215 | | | | | | 8a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\shlwap | | | | | | i.dll, function = Pa | | | | | | thCombineW, address | | | | | | = 0x7622c39c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, base_address | | | | | | = 0x772d0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = 
c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egEnumKeyExW, addres | | | | | | s = 0x772e46c8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egQueryInfoKeyW, add | | | | | | ress = 0x772e46e7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egCreateKeyExW, addr | | | | | | ess = 0x772e40fe | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | redReadDomainCredent | | | | | | ialsW, address = 0x7 | | | | | | 7317841 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egDeleteValueW, addr | | | | | | ess = 0x772dcf31 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egSetValueExW, addre | | | | | | ss = 0x772e14d6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egQueryValueExW, add | | | | | | ress = 
0x772e46ad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = E | | | | | | ventUnregister, addr | | | | | | ess = 0x77e89241 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = E | | | | | | ventRegister, addres | | | | | | s = 0x77e6f6ba | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | redReadW, address = | | | | | | 0x773172a1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | redFree, address = 0 | | | | | | x772db2ec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | redWriteW, address = | | | | | | 0x77317109 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | redDeleteW, address | | | | | | = 0x773179f1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 
1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | ryptAcquireContextA, | | | | | | address = 0x772d91d | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | ryptGenRandom, addre | | | | | | ss = 0x772ddfc8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | ryptReleaseContext, | | | | | | address = 0x772de124 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = S | | | | | | ystemFunction041, ad | | | | | | dress = 0x772da06a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = S | | | | | | ystemFunction040, ad | | | | | | dress = 0x772da0af | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egOpenKeyA, address | | | | | | = 0x772dcc15 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egEnumKeyA, address | | | | | | = 0x772fa299 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = T | | | | | | raceEvent, address = | | | | | | 0x77f0b4c7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = D | | | | | | uplicateTokenEx, add | | | | | | ress = 0x772dca24 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | reateWellKnownSid, a | | | | | | ddress = 0x772e481e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = S | | | | | | etTokenInformation, | | | | | | address = 0x772d9a92 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | reateProcessAsUserA, | | | | | | address = 0x7731253 | | | | | | 8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | onvertStringSecurity | | | | | | DescriptorToSecurity | | | | | | DescriptorA, address | | | | | | = 0x772dca94 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = G | | | | | | etSidSubAuthorityCou | | | | | | nt, address = 0x772e | | | | | | 0e0c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = G | | | | | | etSidSubAuthority, a | | | | | | ddress = 0x772e0e24 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = A | | | | | | llocateAndInitialize | | | | | | Sid, address = 0x772 | | | | | | e40e6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | heckTokenMembership, | | | | | | address = 0x772ddf0 | | | | | | 4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = F | | | | | | reeSid, address = 0x | | | | | | 772e412e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egDeleteValueA, addr | | | | | | ess = 0x772fa4ea | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | onvertSidToStringSid | | | | | | W, address = 0x772e4 | | | | | | 344 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | onvertStringSecurity | | | | | | DescriptorToSecurity | | | | | | DescriptorW, address | | | | | | = 0x772e1f59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egGetValueW, address | | | | | | = 0x772e0e47 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | ryptAcquireContextW, | | | | | | address = 0x772ddf1 | | | | | | 4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | ryptGetProvParam, ad | | | | | | dress = 0x77313218 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = O | | | | | | penThreadToken, addr | | | | | | ess = 0x772e432c | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = O | | | | | | penProcessToken, add | | | | | | ress = 0x772e4304 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = G | | | | | | etTokenInformation, | | | | | | address = 0x772e431c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = E | | | | | | ventWrite, address = | | | | | | 0x77e90c59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egOpenKeyExW, addres | | | | | | s = 0x772e468d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = U | | | | | | nregisterTraceGuids, | | | | | | address = 0x77e8928 | | | | | | 6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egisterTraceGuidsA, | | | | | | address = 0x77e9848f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | 
module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = G | | | | | | etTraceLoggerHandle, | | | | | | address = 0x77e9168 | | | | | | a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = G | | | | | | etTraceEnableLevel, | | | | | | address = 0x77e916f3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = G | | | | | | etTraceEnableFlags, | | | | | | address = 0x77e91729 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egDeleteKeyA, addres | | | | | | s = 0x772fa8b7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egCreateKeyExA, addr | | | | | | ess = 0x772e1469 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egSetValueExA, addre | | | | | | ss = 0x772e14b3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egOpenKeyExA, addres | | | | | | s = 
0x772e4907 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egQueryValueExA, add | | | | | | ress = 0x772e48ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egQueryInfoKeyA, add | | | | | | ress = 0x772de143 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egEnumKeyExA, addres | | | | | | s = 0x772e1481 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = R | | | | | | egCloseKey, address | | | | | | = 0x772e469d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = G | | | | | | etUserNameA, address | | | | | | = 0x772fa4b4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = O | | | | | | penSCManagerA, addre | | | | | | ss = 0x772e2bd8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name 
= c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = O | | | | | | penServiceA, address | | | | | | = 0x772e2bf0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = C | | | | | | loseServiceHandle, a | | | | | | ddress = 0x772e369c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\advapi | | | | | | 32.dll, function = Q | | | | | | ueryServiceStatus, a | | | | | | ddress = 0x772e2a86 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, base_address | | | | | | = 0x76300000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etShortPathNameA, ad | | | | | | dress = 0x7633594d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etShortPathNameW, ad | | | | | | dress = 0x7631d2f9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | indFirstFileA, addre | | | | | | ss = 0x7631e2ce | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | emoveDirectoryA, add | | | | | | ress = 0x763944bf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | indNextFileA, addres | | | | | | s = 0x7633d53e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | indClose, address = | | | | | | 0x76314442 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etDiskFreeSpaceExA, | | | | | | address = 0x7639434f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | opyFileA, address = | | | | | | 0x763358e5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etFileTime, address | | | | | | = 0x7632ecbb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | 
| | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateDirectoryA, add | | | | | | ress = 0x7633d526 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etWindowsDirectoryA, | | | | | | address = 0x76332b0 | | | | | | a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etPrivateProfileStri | | | | | | ngA, address = 0x763 | | | | | | 2184c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etFileAttributesA, a | | | | | | ddress = 0x76315414 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | CMapStringA, address | | | | | | = 0x7633bc39 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etFileAttributesExA, | | | | | | address = 0x7633cc1 | | | | | | 4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | ileTimeToDosDateTime | | | | | | , 
address = 0x7632c8 | | | | | | 6d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etFileSizeEx, addres | | | | | | s = 0x763159e2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = l | | | | | | strcmpW, address = 0 | | | | | | x76315929 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | aiseException, addre | | | | | | ss = 0x763158a6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etEnvironmentVariabl | | | | | | eA, address = 0x7631 | | | | | | 33a0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = M | | | | | | oveFileExW, address | | | | | | = 0x76329b2d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = M | | | | | | oveFileW, address = | | | | | | 0x76329af0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = M | | | | | | oveFileA, address = | | | | | | 0x7638d911 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etFilePointerEx, add | | | | | | ress = 0x7632c807 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | ocalFileTimeToFileTi | | | | | | me, address = 0x7633 | | | | | | d50e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateSemaphoreA, add | | | | | | ress = 0x7633d172 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | eleaseSemaphore, add | | | | | | ress = 0x7632d3ab | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etFileAttributesA, a | | | | | | ddress = 0x7632ecd3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | 
etCurrentProcessId, | | | | | | address = 0x763111f8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etFileTime, address | | | | | | = 0x76314407 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = l | | | | | | strcmpA, address = 0 | | | | | | x7632eceb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etModuleHandleExA, a | | | | | | ddress = 0x7632caa8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | esumeThread, address | | | | | | = 0x763143ef | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | reeLibraryAndExitThr | | | | | | ead, address = 0x763 | | | | | | 2d582 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | esetEvent, address = | | | | | | 0x763116dd | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = E | | | | | | xpandEnvironmentStri | | | | | | ngsA, address = 0x76 | | | | | | 32eb39 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etSystemTimeAsFileTi | | | | | | me, address = 0x7631 | | | | | | 3509 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | eleteFileW, address | | | | | | = 0x763189b3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etACP, address = 0x7 | | | | | | 631179c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nterlockedExchangeAd | | | | | | d, address = 0x7632d | | | | | | 39b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | indResourceW, addres | | | | | | s = 0x76315971 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | leep, address = 0x76 | | | | | | 3110ff | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = O | | | | | | penMutexA, address = | | | | | | 0x7632ec6f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etSystemDirectoryA, | | | | | | address = 0x7632b66c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | ormatMessageA, addre | | | | | | ss = 0x76335fbd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etErrorMode, address | | | | | | = 0x76311b00 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = l | | | | | | strcmpiW, address = | | | | | | 0x7632d5cd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | osDateTimeToFileTime | | | | | | , address = 0x7632ef | | | | | | fe | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = U | | | | | | nmapViewOfFile, addr | | | | | | ess = 0x76311826 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etEndOfFile, address | | | | | | = 0x7632ce2e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | lushViewOfFile, addr | | | | | | ess = 0x7633b909 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = M | | | | | | apViewOfFileEx, addr | | | | | | ess = 0x76314c83 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateFileMappingA, a | | | | | | ddress = 0x76315506 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = O | | | | | | penFileMappingA, add | | | | | | ress = 0x76314c1b | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | oadLibraryW, address | | | | | | = 0x7631492b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = H | | | | | | eapFree, address = 0 | | | | | | x763114c9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = H | | | | | | eapAlloc, address = | | | | | | 0x77e5e026 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etProcessHeap, addre | | | | | | ss = 0x763114e9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etTimeFormatW, addre | | | | | | ss = 0x7632f481 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etDateFormatW, addre | | | | | | ss = 0x763334d7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etComputerNameA, add | | | | | | ress = 0x7632b6e0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | lobalUnlock, address | | | | | | = 0x7632cfdf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | lobalLock, address = | | | | | | 0x7632d0a7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = Q | | | | | | ueryPerformanceCount | | | | | | er, address = 0x7631 | | | | | | 1725 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | erminateProcess, add | | | | | | ress = 0x7632d802 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = U | | | | | | nhandledExceptionFil | | | | | | ter, address = 0x763 | | | | | | 3772f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etUnhandledException | | | | | | Filter, address = 0x | | | | 
| | 763187c9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | indResourceExW, addr | | | | | | ess = 0x76313299 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | oadResource, address | | | | | | = 0x7631594c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | oadLibraryExW, addre | | | | | | ss = 0x7631495d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = M | | | | | | apViewOfFile, addres | | | | | | s = 0x763118f1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateFileMappingW, a | | | | | | ddress = 0x76311909 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etVersionExW, addres | | | | | | s = 0x76311ae5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | 
module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etSystemDefaultUILan | | | | | | guage, address = 0x7 | | | | | | 6332b22 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etUserDefaultUILangu | | | | | | age, address = 0x763 | | | | | | 144ab | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | earchPathW, address | | | | | | = 0x7632cd70 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateActCtxW, addres | | | | | | s = 0x76319247 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | eleaseActCtx, addres | | | | | | s = 0x763154c1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = A | | | | | | ctivateActCtx, addre | | | | | | ss = 0x76315490 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | eactivateActCtx, add 
| | | | | | ress = 0x7631545c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etFileAttributesW, a | | | | | | ddress = 0x7632d4f7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | ompareFileTime, addr | | | | | | ess = 0x76311b25 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | ritePrivateProfileSt | | | | | | ringW, address = 0x7 | | | | | | 633640c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etFileAttributesW, a | | | | | | ddress = 0x76311b18 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etOverlappedResult, | | | | | | address = 0x7632cc79 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateEventW, address | | | | | | = 0x7631183e | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etSystemDirectoryW, | | | | | | address = 0x76315063 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etQueuedCompletionSt | | | | | | atus, address = 0x76 | | | | | | 32d3c3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etModuleHandleExW, a | | | | | | ddress = 0x76314a6f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateIoCompletionPor | | | | | | t, address = 0x7632e | | | | | | ef2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | witchToThread, addre | | | | | | ss = 0x7632efec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = P | | | | | | ostQueuedCompletionS | | | | | | tatus, address = 0x7 | | | | | | 632ef29 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateMutexW, address | | | | | | = 0x7631424c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | uplicateHandle, addr | | | | | | ess = 0x76311886 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = O | | | | | | penMutexW, address = | | | | | | 0x76315151 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = O | | | | | | penEventW, address = | | | | | | 0x763115d6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | ockResource, address | | | | | | = 0x76315959 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | izeofResource, addre | | | | | | ss = 0x76315ac9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\kernel | | | | | | 32.dll, function = M | | | | | | oveFileExA, address | | | | | | = 0x7633ccc1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateThread, address | | | | | | = 0x763134d5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etProcAddress, addre | | | | | | ss = 0x76311222 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | oadLibraryA, address | | | | | | = 0x763149d7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | reeLibrary, address | | | | | | = 0x763134c8 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nterlockedExchange, | | | | | | address = 0x76311462 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | loseHandle, address | | | | | | = 0x76311410 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etLastError, address | | | | | | = 0x763111c0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etLastError, address | | | | | | = 0x763111a9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = E | | | | | | nterCriticalSection, | | | | | | address = 0x77e522b | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | eaveCriticalSection, | | | | | | address = 0x77e5227 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | ompareStringW, addre | | | | | | ss = 0x76313bca | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | aitForSingleObject, | | | | | | address = 0x76311136 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | ideCharToMultiByte, | | | | | | address = 0x7631170d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = M | | | | | | ultiByteToWideChar, | | | | | | address = 0x7631192e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateEventA, address | | | | | | = 0x7631328c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateMutexA, address | | | | | | = 0x76314c6b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | ompareStringA, addre | | | | | | ss = 0x76313c5a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = R | | | | | | eleaseMutex, address | | | | | | = 0x7631111e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentThreadId, a | | | | | | ddress = 
0x76311450 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | ocalFree, address = | | | | | | 0x76312d3c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | ocalAlloc, address = | | | | | | 0x7631168c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | eleteCriticalSection | | | | | | , address = 0x77e645 | | | | | | f5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etEvent, address = 0 | | | | | | x763116c5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nterlockedIncrement, | | | | | | address = 0x7631140 | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = l | | | | | | strcmpiA, address = | | | | | | 0x76313e8e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = l | | | | | | strlenA, address = 0 | | | | | | x76315a4b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nterlockedDecrement, | | | | | | address = 0x763113f | | | | | | 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etModuleFileNameW, a | | | | | | ddress = 0x76314950 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nitializeCriticalSec | | | | | | tionAndSpinCount, ad | | | | | | dress = 0x76311916 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = L | | | | | | ocalReAlloc, address | | | | | | = 0x763159bf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | ileTimeToSystemTime, | | | | | | address = 0x7631542 | | | | | | c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, 
function = R | | | | | | eadFile, address = 0 | | | | | | x76313ed3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etFileSize, address | | | | | | = 0x7631196e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateFileA, address | | | | | | = 0x763153c6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = C | | | | | | reateFileW, address | | | | | | = 0x76313f5c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | etFilePointer, addre | | | | | | ss = 0x763117d1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | riteFile, address = | | | | | | 0x76311282 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etModuleFileNameA, a | | | | | | ddress = 0x763114b1 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etVersionExA, addres | | | | | | s = 0x76313519 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = W | | | | | | ritePrivateProfileSt | | | | | | ringA, address = 0x7 | | | | | | 6337048 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etModuleHandleA, add | | | | | | ress = 0x76311245 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etSystemTime, addres | | | | | | s = 0x76315a96 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etModuleHandleW, add | | | | | | ress = 0x763134b0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = F | | | | | | ormatMessageW, addre | | | | | | ss = 0x76314620 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS 
| module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = D | | | | | | eleteFileA, address | | | | | | = 0x76315444 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etLongPathNameA, add | | | | | | ress = 0x7639437f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = l | | | | | | strlenW, address = 0 | | | | | | x76311700 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etLongPathNameW, add | | | | | | ress = 0x7631a315 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | lobalFree, address = | | | | | | 0x76315558 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | sValidCodePage, addr | | | | | | ess = 0x76314493 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | sDBCSLeadByte, addre | | | | | | ss = 0x76311748 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentProcess, ad | | | | | | dress = 0x76311809 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCurrentThread, add | | | | | | ress = 0x763117ec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | nterlockedCompareExc | | | | | | hange, address = 0x7 | | | | | | 6311484 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | lobalAlloc, address | | | | | | = 0x7631588e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etLocaleInfoW, addre | | | | | | ss = 0x76313c42 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etUserDefaultLCID, a | | | | | | ddress = 0x76313da5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | 
GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etCPInfoExW, address | | | | | | = 0x7633af0b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etTimeFormatA, addre | | | | | | ss = 0x7633a842 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etDateFormatA, addre | | | | | | ss = 0x7633a959 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsAlloc, address = 0 | | | | | | x763149ad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsSetValue, address | | | | | | = 0x763114fb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsGetValue, address | | | | | | = 0x763111e0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = T | | | | | | lsFree, address = 0x | | | | | | 76313587 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = G | | | | | | etTickCount, address | | | | | | = 0x7631110c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = S | | | | | | ystemTimeToFileTime, | | | | | | address = 0x76315a7 | | | | | | e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\kernel | | | | | | 32.dll, function = I | | | | | | sDBCSLeadByteEx, add | | | | | | ress = 0x7633cf4e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, base_address = | | | | | | 0x75a80000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Fin | | | | | | dWindowW, address = | | | | | | 0x75a998fd | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Pos | | | | | | tMessageW, address = | | | | | | 0x75aa12a5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | 
| | | | | .dll, function = Reg | | | | | | isterWindowMessageW, | | | | | | address = 0x75a99eb | | | | | | d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Loa | | | | | | dStringW, address = | | | | | | 0x75a98eb9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Dia | | | | | | logBoxParamW, addres | | | | | | s = 0x75abcfca | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | DesktopWindow, addre | | | | | | ss = 0x75aa0a19 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Sen | | | | | | dDlgItemMessageA, ad | | | | | | dress = 0x75abc112 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Loa | | | | | | dIconA, address = 0x | | | | | | 75a9dafb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Loa | | | | | | dImageA, address = 0 | | | | | | x75aa8455 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Loa | | | | | | dStringA, address = | | | | | | 0x75a9db21 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Cha | | | | | | rLowerA, address = 0 | | | | | | x75aa3e75 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Des | | | | | | troyWindow, address | | | | | | = 0x75a99a55 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Kil | | | | | | lTimer, address = 0x | | | | | | 75a979db | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Ena | | | | | | bleWindow, address = | | | | | | 0x75aa2da4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Set | | | | | | WindowTextW, address | | | | | | = 0x75aa20ec | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | DlgItem, address = 0 | | | | | | x75abf1ba | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Set | | | | | | Focus, address = 0x7 | | | | | | 5aa2175 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = End | | | | | | Dialog, address = 0x | | | | | | 75abb99c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Che | | | | | | ckDlgButton, address | | | | | | = 0x75abbe9a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Sen | | | | | | dMessageW, address = | | | | | | 0x75a99679 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Sen | | | | | | dMessageA, address = | | | | | | 0x75aa612e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = IsD | | | | | | lgButtonChecked, add | | | | | | ress = 0x75abc0a6 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Def | | | | | | WindowProcA, address | | | | | | = 0x77e724e0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Set | | | | | | WindowLongA, address | | | | | | = 0x75aa6110 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | WindowLongA, address | | | | | | = 0x75a9d156 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Reg | | | | | | isterClassW, address | | | | | | = 0x75a98a65 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Cre | | | | | | ateWindowExW, addres | | | | | | s = 0x75a98a29 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Set | | | | | | Timer, address = 0x7 | | | | | | 5a979fb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | 
dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | WindowTextW, address | | | | | | = 0x75aa205e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Mes | | | | | | sageBoxW, address = | | | | | | 0x75aefd3f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Cha | | | | | | rNextA, address = 0x | | | | | | 75a97a1b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | WindowInfo, address | | | | | | = 0x75aa1bbf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Cha | | | | | | rToOemA, address = 0 | | | | | | x75aa4fee | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Cha | | | | | | rUpperA, address = 0 | | | | | | x75a9fdca | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Cha | | | | | | rLowerW, address = 0 | | | | | | x75a97647 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = IsC | | | | | | harAlphaNumericA, ad | | | | | | dress = 0x75aa6867 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | WindowThreadProcessI | | | | | | d, address = 0x75a99 | | | | | | 1b4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Enu | | | | | | mChildWindows, addre | | | | | | ss = 0x75aa0e94 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = IsW | | | | | | indowVisible, addres | | | | | | s = 0x75aa112d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | Ancestor, address = | | | | | | 0x75a99785 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Enu | | | | | | mWindows, address = | | | | | | 0x75a9d1cf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = 
c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Cha | | | | | | rNextExA, address = | | | | | | 0x75af4da0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Pos | | | | | | tMessageA, address = | | | | | | 0x75aa3baa | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = IsW | | | | | | indow, address = 0x7 | | | | | | 5a97136 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Set | | | | | | WindowPos, address = | | | | | | 0x75a98e4e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Set | | | | | | DlgItemTextW, addres | | | | | | s = 0x75abcfa0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Des | | | | | | troyIcon, address = | | | | | | 0x75aa49b2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Set | | | | | | ForegroundWindow, ad | | | | | | dress = 0x75abf170 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | Window, address = 0x | | | | | | 75a9926e | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | WindowRect, address | | | | | | = 0x75a97f34 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Equ | | | | | | alRect, address = 0x | | | | | | 75aa0988 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Int | | | | | | ersectRect, address | | | | | | = 0x75aa0903 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Rel | | | | | | easeDC, address = 0x | | | | | | 75a97446 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | DC, address = 0x75a9 | | | | | | 72c4 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | 
| | | | .dll, function = Sen | | | | | | dDlgItemMessageW, ad | | | | | | dress = 0x75abd0f5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Loa | | | | | | dImageW, address = 0 | | | | | | x75a9fbd1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\user32 | | | | | | .dll, function = Get | | | | | | SystemMetrics, addre | | | | | | ss = 0x75a97d2f | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, base_address = | | | | | | 0x777e0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, function = 423 | | | | | | , address = 0x778136 | | | | | | ad | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, function = 416 | | | | | | , address = 0x77802d | | | | | | 27 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, function = 422 | | | | | | , address = 0x77802d | | | | | | 5d | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = 
c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, function = 407 | | | | | | , address = 0x778885 | | | | | | 07 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, function = 414 | | | | | | , address = 0x777ebf | | | | | | f9 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, function = 410 | | | | | | , address = 0x777f61 | | | | | | 69 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, function = 408 | | | | | | , address = 0x778136 | | | | | | 69 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, function = 421 | | | | | | , address = 0x77802d | | | | | | 77 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, base_address | | | | | | = 0x77510000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 3 | | | | | | 2, address = 0x77512 | | | | | | add | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS 
| module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 3 | | | | | | 3, address = 0x7767c | | | | | | b97 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 3 | | | | | | 7, address = 0x7767e | | | | | | 410 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 5 | | | | | | 0, address = 0x77653 | | | | | | baf | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 5 | | | | | | 8, address = 0x77681 | | | | | | b29 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 9 | | | | | | , address = 0x776d61 | | | | | | 36 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 1 | | | | | | 6, address = 0x776db | | | | | | 761 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 6 | | | | | | 70, address = 0x7767 | | | | | | d975 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 6 | | | | | | 54, address = 0x7767 | | | | | | 5abb | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 6 | | | | | | 51, address = 0x7765 | | | | | | 30d5 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 6 | | | | | | 50, address = 0x7761 | | | | | | f1e6 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 1 | | | | | | 7, address = 0x7765f | | | | | | 6e7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\iertut | | | | | | il.dll, function = 6 | | | | | | 85, address = 0x776e | | | | | | 00e2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | UNMAP | process_name = c:\wi | True | 1 | | | | ndows\syswow64\ping. | | | | | | exe, os_pid = 0x50c, | | | | | | base_address = 0x10 | | | | | | 20000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ntdll. 
| | | | | | dll, base_address = | | | | | | 0x77e30000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | GET_INFO | type = SYSTEM_PROCES | True | 1 | | | | S_INFORMATION | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INI | WRITE | file_name = \\?\glob | True | 1 | | | | alroot\device\000001 | | | | | | a9\0d24eb7c\cfg.ini, | | | | | | section_name = cmd, | | | | | | key_name = version, | | | | | | data = 0.31 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MUTEX | RELEASE | mutex_name = Global\ | True | 1 | | | | C3819288-93FA-4E29-A | | | | | | 254-BD9476B53C20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MUTEX | CREATE | mutex_name = Global\ | True | 1 | | | | 6C29A0C8-62C6-415C-9 | | | | | | 538-B87690BC58D2, in | | | | | | itial_owner = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\internet exp | | | | | | lorer\main\featureco | | | | | | ntrol\FEATURE_BROWSE | | | | | | R_EMULATION, value_n | | | | | | ame = ping.exe, data | | | | | | = 8888 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings, value_name | | | | | | = maxhttpredirects, | | | | | | data = 9999 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | 
| | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings, value_name | | | | | | = enablehttp1_1, da | | | | | | ta = 1 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = currentle | | | | | | vel, data = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = 1601, dat | | | | | | a = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = 1400, dat | | | | | | a = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = 1A10, dat | | | | | | a = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = {AEBA21FA | | | | | | -782A-4A90-978D-B721 | | | | | | 64C80120} | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = {A8A88C49 | | | | | | -5EB2-4990-A1A2-0876 | | | | | | 022C854F} | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = 1001, dat | | | | | | a = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = 1200, dat | | | | | | a = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = 1208, dat | | | | | | a = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = 1209, dat | | | | | | a = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | 
ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = 1405, dat | | | | | | a = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\windows\curr | | | | | | entversion\internet | | | | | | settings\zones\3, va | | | | | | lue_name = 2000, dat | | | | | | a = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | READ_VALUE | reg_name = HKEY_USER | False | 1 | | | | S\.DEFAULT\software\ | | | | | | microsoft\internet e | | | | | | xplorer\internationa | | | | | | l, value_name = acce | | | | | | ptlanguage | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | READ_VALUE | reg_name = HKEY_USER | False | 1 | | | | S\S-1-5-19\software\ | | | | | | microsoft\internet e | | | | | | xplorer\internationa | | | | | | l, value_name = acce | | | | | | ptlanguage | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | READ_VALUE | reg_name = HKEY_USER | False | 1 | | | | S\S-1-5-20\software\ | | | | | | microsoft\internet e | | | | | | xplorer\internationa | | | | | | l, value_name = acce | | | | | | ptlanguage | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | READ_VALUE | reg_name = HKEY_USER | False | 1 | | | | S\S-1-5-21-146384378 | | | | | | 9-3877896393-3178144 | | | | | | 628-1000\software\mi | | | | | | crosoft\internet exp | | | | | | lorer\international, | | | | | | value_name = accept | | | | | | language | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | READ_VALUE | reg_name = HKEY_USER | False | 1 | | | | S\S-1-5-21-146384378 | | | | | | 9-3877896393-3178144 | | | | | | 628-1000_Classes\sof | | | | | | tware\microsoft\inte | | | | | | rnet explorer\intern | | | | | | ational, value_name | | | | | | = acceptlanguage | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | READ_VALUE | reg_name = HKEY_USER | False | 1 | | | | S\S-1-5-18\software\ | | | | | | microsoft\internet e | | | | | | xplorer\internationa | | | | | | l, value_name = acce | | | | | | ptlanguage | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | REG | WRITE_VALUE | reg_name = HKEY_CURR | True | 1 | | | | ENT_USER\software\mi | | | | | | crosoft\internet exp | | | | | | lorer\international, | | | | | | value_name = accept | | | | | | language, data = en- | | | | | | us | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | THREAD | CREATE_WORKITEM | | True | 1 | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SYS | SLEEP | duration = 600000 mi | True | 1 | | | | lliseconds (600.000 | | | | | | seconds) | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INI | READ | file_name = \\?\glob | True | 1 | | | | alroot\device\000001 | | | | | | a9\0d24eb7c\cfg.ini, | | | | | | section_name = cmd, | | | | | | key_name = dlc_sran | | | | | | d, default_value = 0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MUTEX | RELEASE | mutex_name = Global\ | True | 1 | | | | C3819288-93FA-4E29-A | | | | | | 
254-BD9476B53C20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INI | READ | file_name = \\?\glob | True | 1 | | | | alroot\device\000001 | | | | | | a9\0d24eb7c\cfg.ini, | | | | | | section_name = cmd, | | | | | | key_name = ns_conf, | | | | | | default_value = 3 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MUTEX | RELEASE | mutex_name = Global\ | True | 1 | | | | C3819288-93FA-4E29-A | | | | | | 254-BD9476B53C20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | FILE | CREATE | file_name = \device\ | True | 3 | | | | 000001a9\0d24eb7c\bc | | | | | | kfg.tmp, desired_acc | | | | | | ess = GENERIC_READ, | | | | | | create_disposition = | | | | | | OPEN_EXISTING | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | FILE | READ | file_name = \device\ | True | 1 | | | | 000001a9\0d24eb7c\bc | | | | | | kfg.tmp, size = 538 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INI | READ | file_name = \\?\glob | False | 1 | | | | alroot\device\000001 | | | | | | a9\0d24eb7c\cfg.ini, | | | | | | section_name = cmd, | | | | | | key_name = csrv, de | | | | | | fault_value = , data | | | | | | _out = | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MUTEX | RELEASE | mutex_name = Global\ | True | 1 | | | | C3819288-93FA-4E29-A | | | | | | 254-BD9476B53C20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | LOAD | module_name = atl.dl | True | 1 | | | | l, base_address = 0x | | | | | | 75850000 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | LOAD | module_name = oleaut | True | 1 | | | | 32.dll, base_address | | | | | | = 0x77950000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\atl.dl | | | | | | l, function = AtlAdv | | | | | | ise, address = 0x758 | | | | | | 54ea7 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\atl.dl | | | | | | l, function = AtlUna | | | | | | dvise, address = 0x7 | | | | | | 5854f25 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\atl.dl | | | | | | l, function = AtlAxC | | | | | | reateControlEx, addr | | | | | | ess = 0x7585c58c | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\oleaut | | | | | | 32.dll, function = S | | | | | | ysFreeString, addres | | | | | | s = 0x77953e59 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\mswsoc | | | | | | k.dll, base_address | | | | | | = 0x75740000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, base_address = | | | | | | 0x774d0000 | | | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | Startup, address = 0 | | | | | | x774d3ab2 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\ws2_32 | | | | | | .dll, function = WSA | | | | | | SocketA, address = 0 | | | | | | x774dc82a | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | SCK | CREATE | address_family = AF_ | True | 1 | | | | INET, type = SOCK_ST | | | | | | REAM, protocol = IPP | | | | | | ROTO_TCP | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\mswsoc | | | | | | k.dll, function = WS | | | | | | PStartup, address = | | | | | | 0x75748a9b | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | THREAD | CREATE_WORKITEM | | True | 1 | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = winmm. | False | 1 | | | | dll, base_address = | | | | | | 0x0 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | LOAD | module_name = winmm. | True | 1 | | | | dll, base_address = | | | | | | 0x75810000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 1 | | | | dows\syswow64\ole32. 
| | | | | | dll, base_address = | | | | | | 0x75d60000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_HANDLE | module_name = c:\win | True | 3 | | | | dows\syswow64\user32 | | | | | | .dll, base_address = | | | | | | 0x75a80000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INI | READ | file_name = \\?\glob | True | 1 | | | | alroot\device\000001 | | | | | | a9\0d24eb7c\cfg.ini, | | | | | | section_name = cmd, | | | | | | key_name = bsh, def | | | | | | ault_value = noname, | | | | | | data_out = noname | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MUTEX | RELEASE | mutex_name = Global\ | True | 1 | | | | C3819288-93FA-4E29-A | | | | | | 254-BD9476B53C20 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | LOAD | module_name = urlmon | True | 1 | | | | .dll, base_address = | | | | | | 0x777e0000 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | MOD | GET_PROC_ADDRESS | module_name = c:\win | True | 1 | | | | dows\syswow64\urlmon | | | | | | .dll, function = Obt | | | | | | ainUserAgentString, | | | | | | address = 0x77811d76 | | | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INET | OPEN_CONNECTION | | True | 1 | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INET | OPEN_SESSION | | True | 1 | +----------------------+----------------------+----------------------+----------------------+----------------------+ | INET | OPEN_HTTP_REQUEST | | True | 1 | 
+----------------------+----------------------+----------------------+----------------------+----------------------+ | INET | SEND_HTTP_REQUEST | | False | 1 | +----------------------+----------------------+----------------------+----------------------+----------------------+