b59011f4f29f

Remarks

Maximum Dump Total Size Reached (0x0200005D): 896 additional dumps with the reason "Content Changed" and a total of 4995 MB were skipped because the respective maximum limit was reached.

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\file.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	2.28 MB
MD5	39300d60c352533e0fc09615c4110af4
SHA1	d462d806241798d4c02f2f7296300812dd55eadf
SHA256	b59011f4f29f6cc7daf08ce24825c37adec3a20a91cd2e12ab2caa72349da14e
SSDeep	49152:ctNjudw+TeIsz5y48CU+1VvWlLt0YiO7N+9k/tm5lxMTGiR9X:jCTy48CU+1VIJ0XO8uVm5/uGiH
ImpHash	2eabe9054cad5152567f0699947a2c5b

PE Information

Image Base	0x00400000
Entry Point	0x009C4000
Size Of Code	0x0010A800
Size Of Initialized Data	0x00042C00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2024-02-09 07:51 (UTC)

Version Information (8)

CompanyName	Au3
FileDescription	Ay3Info
FileVersion	3.3.16.1
InternalName	Ay3Info.exe
LegalCopyright	(c) 1999-2022 Jonathan Bennett
OriginalFilename	Ay3Info.exe
ProductName	Ay3Info
ProductVersion	3.3.16.1

Sections (7)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
	0x00401000	0x00136000	0x0008EE00	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.98
.rsrc	0x00537000	0x000110A0	0x00002000	0x0008FE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.9
.idata	0x00549000	0x00001000	0x00000200	0x00091E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.98
	0x0054A000	0x002C3000	0x00000200	0x00092000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.26
zcmtppku	0x0080D000	0x001B6000	0x001B5400	0x00092200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.92
kmucpvwr	0x009C3000	0x00001000	0x00000400	0x00247600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	6.29
.taggant	0x009C4000	0x00003000	0x00002200	0x00247A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.68

Imports (1)

kernel32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
lstrcpy	-	0x00549032	0x0014902A	0x00091E2A	0x00000000

Memory Dumps (93)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
file.exe	1	0x00E30000	0x013F6FFF	First Execution	32-bit	0x013F4000	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x00F7C360	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x00F7D000	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x00F7F4B6	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x00F80496	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x00FAA383	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x01095339	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x0123D095	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x010FB24A	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x010FC000	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x010FE36B	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x010FF25B	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x0110C580	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x01110AF4	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Content Changed	32-bit	0x01116009	... Actions Go to Process Download Dump
ntdll.dll	1	0x77840000	0x779BAFFF	First Execution	32-bit	0x778CB9E2	... Actions Go to Process Download Dump
buffer	1	0x04920000	0x04920FFF	First Execution	32-bit	0x04920EF3	... Actions Go to Process Download Dump
buffer	1	0x04900000	0x04900FFF	First Execution	32-bit	0x049003DE	... Actions Go to Process Download Dump
buffer	1	0x04930000	0x04930FFF	First Execution	32-bit	0x04930000	... Actions Go to Process Download Dump
buffer	1	0x04960000	0x04960FFF	First Execution	32-bit	0x0496073F	... Actions Go to Process Download Dump
buffer	1	0x048F0000	0x048F0FFF	First Execution	32-bit	0x048F0E50	... Actions Go to Process Download Dump
buffer	1	0x048E0000	0x048E0FFF	First Execution	32-bit	0x048E07E3	... Actions Go to Process Download Dump
buffer	1	0x04980000	0x04980FFF	First Execution	32-bit	0x049804E0	... Actions Go to Process Download Dump
buffer	1	0x04940000	0x04940FFF	First Execution	32-bit	0x0494047A	... Actions Go to Process Download Dump
buffer	1	0x04970000	0x04970FFF	First Execution	32-bit	0x04970973	... Actions Go to Process Download Dump
buffer	1	0x048D0000	0x048D0FFF	First Execution	32-bit	0x048D0D26	... Actions Go to Process Download Dump
buffer	1	0x04990000	0x04991FFF	First Execution	32-bit	0x0499189C	... Actions Go to Process Download Dump
buffer	1	0x04950000	0x04950FFF	First Execution	32-bit	0x04950EB5	... Actions Go to Process Download Dump
buffer	1	0x049B0000	0x049B0FFF	First Execution	32-bit	0x049B08D6	... Actions Go to Process Download Dump
buffer	1	0x049A0000	0x049A0FFF	First Execution	32-bit	0x049A05CB	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Final Dump	32-bit	0x00EA5790	... Actions Go to Process Download Dump
buffer	1	0x048C0000	0x048C0FFF	First Execution	32-bit	0x048C0139	... Actions Go to Process Download Dump
buffer	1	0x04CAE000	0x04CAFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0486F000	0x0486FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0427F000	0x0427FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0413F000	0x0413FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x03FFF000	0x03FFFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x03EBF000	0x03EBFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x03D7F000	0x03D7FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x03C3F000	0x03C3FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x03AFF000	0x03AFFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x039BF000	0x039BFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0387F000	0x0387FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0373F000	0x0373FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x035FF000	0x035FFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x034BF000	0x034BFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0337F000	0x0337FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0323F000	0x0323FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x030FF000	0x030FFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x02FBF000	0x02FBFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x02E7F000	0x02E7FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x02D3F000	0x02D3FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x02BFF000	0x02BFFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x02AFF000	0x02AFFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x029FF000	0x029FFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x028FF000	0x028FFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00DBF000	0x00DBFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00A4F000	0x00A4FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0018C000	0x0018FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00BA9030	0x00BA90BF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00BB0118	0x00BB047B	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00BB0488	0x00BB1287	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00BB1290	0x00BB14AF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00BB14B8	0x00BB1559	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00BB1638	0x00BB1E37	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00BB2288	0x00BB233F	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00BB2408	0x00BB2607	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00BB2D20	0x00BB2D9F	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00C90000	0x00C90FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00CA0000	0x00CA0FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00CB0000	0x00CB0FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00E20000	0x00E2FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04710000	0x04721FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04870000	0x04870FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x048C0000	0x048C0FFF	First Network Behavior	32-bit	0x048C0018	... Actions Go to Process Download Dump
buffer	1	0x048D0000	0x048D0FFF	First Network Behavior	32-bit	0x048D0D26	... Actions Go to Process Download Dump
buffer	1	0x048E0000	0x048E0FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x048F0000	0x048F0FFF	First Network Behavior	32-bit	0x048F0E50	... Actions Go to Process Download Dump
buffer	1	0x04900000	0x04900FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04910000	0x04910FFF	First Execution	32-bit	0x0491082A	... Actions Go to Process Download Dump
buffer	1	0x04920000	0x04920FFF	First Network Behavior	32-bit	0x04920D39	... Actions Go to Process Download Dump
buffer	1	0x04930000	0x04930FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04940000	0x04940FFF	First Network Behavior	32-bit	0x049406F2	... Actions Go to Process Download Dump
buffer	1	0x04950000	0x04950FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04960000	0x04960FFF	First Network Behavior	32-bit	0x04960A9D	... Actions Go to Process Download Dump
buffer	1	0x04970000	0x04970FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04980000	0x04980FFF	First Network Behavior	32-bit	0x04980000	... Actions Go to Process Download Dump
buffer	1	0x04990000	0x04991FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x049A0000	0x049A0FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x049B0000	0x049B0FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x049C4020	0x04BAC4D2	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	First Network Behavior	32-bit	0x00E3A3D0	... Actions Go to Process Download Dump
file.exe	1	0x00E30000	0x013F6FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump

C:\Users\RDHJ0C~1\AppData\Local\Temp\U54yztDk3rpEOcdejOiUzCm.zip

Dropped File

ZIP

MIME Type	application/zip
File Size	2.25 KB
MD5	8f719996e841ca6e67047bf8229753e2
SHA1	9eb638227febafdd17a980bdf749a60cb938ef6c
SHA256	06f0d1b3616428cc39bc4d2714c23df621c8892074fd9c1af30b9a401468465a
SSDeep	48:9EFRqLOEeU9b/IkvDgshfjMy2gtGP1gSkZ/MtPjRGgoEOI7EiFelu0SFw:Iqp3Wtsh7My2fOZEtPjRGgo1I936
ImpHash	-

Archive Information

Number of Files	2
Number of Folders	0
Size of Packed Archive Contents	1.98 KB
Size of Unpacked Archive Contents	8.86 KB
File Format	zip

Contents (2)

File Name	Packed Size	Unpacked Size	Compression	Is Encrypted	Modify Time	Verdict	Recursively Submitted	Actions
passwords.txt	340 Bytes	4.87 KB	Deflate	False	2024-02-12 14:48 (UTC)	Clean	-	... Actions Show File Submit File Download File
information.txt	1.65 KB	3.98 KB	Deflate	False	2024-02-12 14:48 (UTC)	Clean	-	... Actions Show File Submit File Download File

C:\Users\RDHJ0C~1\AppData\Local\Temp\adobeMoYl0OBFozQa\passwords.txt

Dropped File

Text

Also Known As	C:/Users/RDHJ0C~1/AppData/Local/Temp/adobeMoYl0OBFozQa/passwords.txt (Accessed File) passwords.txt (Archive File, Miscellaneous File)
Parent File	C:\Users\RDHJ0C~1\AppData\Local\Temp\U54yztDk3rpEOcdejOiUzCm.zip
MIME Type	text/plain
File Size	4.87 KB
MD5	cc5050be91cf7ce639a627dd873f542a
SHA1	784246dffecbf4e4dad4497b46ee423694a86452
SHA256	c03797fa3fdade0dfc0b54dd39927fe99c564acbaeb79deb5912366a30c4b217
SSDeep	48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMMV:u3
ImpHash	-

C:\Users\RDHJ0C~1\AppData\Local\Temp\adobeMoYl0OBFozQa\information.txt

Dropped File

Text

Also Known As	C:/Users/RDHJ0C~1/AppData/Local/Temp/adobeMoYl0OBFozQa/information.txt (Accessed File) information.txt (Archive File, Miscellaneous File)
Parent File	C:\Users\RDHJ0C~1\AppData\Local\Temp\U54yztDk3rpEOcdejOiUzCm.zip
MIME Type	text/plain
File Size	3.98 KB
MD5	fa6a2c23fad14286abeb16b3d963da42
SHA1	3d0eff7695f4b28daea64c75c7ef15f74dbaf97f
SHA256	d13583b99d7dddbc8a993ae0c0ca276a12ae0ee6084707beac460ad4599d2b55
SSDeep	96:x9y0TRSciNp1ZBBUIKahV/s/Fzzcpz8tdVNpOZDpO8IzMuxul0Xy08LS5epm8czf:xzo3Np1ZEIKajs/upzr1ors6Xp830LBN
ImpHash	-

C:\Users\RDHJ0C~1\AppData\Local\Temp\adobeMoYl0OBFozQa\information.txt

Dropped File

Text

Also Known As	C:/Users/RDHJ0C~1/AppData/Local/Temp/adobeMoYl0OBFozQa/information.txt (Accessed File)
MIME Type	text/plain
File Size	3.98 KB
MD5	c2a12d5fb5ad59f0e119de0f3898e967
SHA1	f147a03b17259c6731939f617997b975232f003b
SHA256	62db5ce627d0dedb3cdfd16530ec52a9c3803eeaf5b0ab2e2800447994509685
SSDeep	96:x9y0+RSciNp1ZBBUIKahV/s/Fzzcpz8tdVNpOZDpO8IzMuxul0Xy08LS5epm8czf:xeo3Np1ZEIKajs/upzr1ors6Xp830LBN
ImpHash	-

C:\Users\RDHJ0C~1\AppData\Local\Temp\rage131MP.tmp

Dropped File

Text

MIME Type	text/plain
File Size	13 Bytes
MD5	e5990c1973589d1b45857c65df8cefe1
SHA1	9cc552c78ad9ec7f13bcbc701eccece946ba79d9
SHA256	0f10e0279661db6706f4609698dd541f2d7926c3e1ec32304029003b565428fa
SSDeep	3:L4STSRFen:7O8n
ImpHash	-

C:\Users\RDHJ0C~1\AppData\Local\Temp\rage131MP.tmp

Dropped File

Text

MIME Type	text/plain
File Size	13 Bytes
MD5	580dacfd5d8a7fc55a141631f96653a8
SHA1	5a007fd400cd2ccd398ee1c3f37150f61d6a09e2
SHA256	cae820ebecfbf59457e13f96fa373ca4561eb422c56dace3227fe3b6434bc546
SSDeep	3:L4STSTYn:7MYn
ImpHash	-

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\4bcqp0y1\amert[1].exe

Dropped File

Empty

Also Known As	c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\9a1z5zf0\fu[1].exe (Dropped File, Not Extracted, Modified File)
MIME Type	application/x-empty
File Size	0 Bytes (not extracted)
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

C:\Users\RDHJ0C~1\AppData\Local\Temp\heidiMoYl0OBFozQa\qsuLRF2ZOs8Jt6Io1DTI.exe

Downloaded File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	1.78 MB
MD5	4a9551a8de4333c9311395b2b69bb438
SHA1	d6a5cf754fdb78d03138d9a902fc3522d90a9c52
SHA256	026af1599341ece79f6af5c4b7253f0f056461402a4bfcb85cb83def75f8c8f0
SSDeep	49152:ancOv9mYQxA330SNTtvLVX6rlChJp++vC:YcaUY8irxd6Ub+wC
ImpHash	2eabe9054cad5152567f0699947a2c5b

PE Information

Image Base	0x00400000
Entry Point	0x008A0000
Size Of Code	0x0004DC00
Size Of Initialized Data	0x00019A00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2024-02-04 15:51 (UTC)

Sections (7)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
	0x00401000	0x00065000	0x0002D600	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.98
.rsrc	0x00466000	0x000004D8	0x00000400	0x0002E600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.94
.idata	0x00467000	0x00001000	0x00000200	0x0002EA00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	1.02
	0x00468000	0x0029F000	0x00000200	0x0002EC00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.26
fivejifu	0x00707000	0x00198000	0x00197600	0x0002EE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.96
profuuur	0x0089F000	0x00001000	0x00000400	0x001C6400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	6.12
.taggant	0x008A0000	0x00003000	0x00002200	0x001C6800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.79

Imports (1)

kernel32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
lstrcpy	-	0x00467034	0x0006702C	0x0002EA2C	0x00000000

C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\heidiMoYl0OBFozQa\5RbhgNCpHznF2VbeZqxC.exe

Downloaded File

Binary

Also Known As	C:\Users\RDHJ0C~1\AppData\Local\Temp\heidiMoYl0OBFozQa\5RbhgNCpHznF2VbeZqxC.exe (Downloaded File, Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	896.00 KB
MD5	2d858f65791fbe6c11aade4450f91beb
SHA1	9cb61f92012956f5fc4394885a73bce477a0dd92
SHA256	f3bf7d5029a17d9569c00edb44e7e8d741c9f5fec144c6e9fa03fb64d92a9f26
SSDeep	12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaGT/:GqDEvCTbMWu7rQYlBQcBiT6rprG8ae/
ImpHash	948cc502fe9226992dce9417f952fce3

PE Information

Image Base	0x00400000
Entry Point	0x00420577
Size Of Code	0x0009AC00
Size Of Initialized Data	0x00045000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2024-02-12 12:48 (UTC)

Sections (5)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00401000	0x0009AB1D	0x0009AC00	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.67
.rdata	0x0049C000	0x0002FB82	0x0002FC00	0x0009B000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.69
.data	0x004CC000	0x0000706C	0x00004800	0x000CAC00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.58
.rsrc	0x004D4000	0x00009590	0x00009600	0x000CF400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.16
.reloc	0x004DE000	0x00007594	0x00007600	0x000D8A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.8

Imports (18)

WSOCK32.dll (23)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
gethostbyname	0x00000034	0x0049C7D8	0x000C97B8	0x000C87B8	-
recv	0x00000010	0x0049C7DC	0x000C97BC	0x000C87BC	-
send	0x00000013	0x0049C7E0	0x000C97C0	0x000C87C0	-
socket	0x00000017	0x0049C7E4	0x000C97C4	0x000C87C4	-
inet_ntoa	0x0000000C	0x0049C7E8	0x000C97C8	0x000C87C8	-
setsockopt	0x00000015	0x0049C7EC	0x000C97CC	0x000C87CC	-
ntohs	0x0000000F	0x0049C7F0	0x000C97D0	0x000C87D0	-
WSACleanup	0x00000074	0x0049C7F4	0x000C97D4	0x000C87D4	-
WSAStartup	0x00000073	0x0049C7F8	0x000C97D8	0x000C87D8	-
sendto	0x00000014	0x0049C7FC	0x000C97DC	0x000C87DC	-
htons	0x00000009	0x0049C800	0x000C97E0	0x000C87E0	-
__WSAFDIsSet	0x00000097	0x0049C804	0x000C97E4	0x000C87E4	-
select	0x00000012	0x0049C808	0x000C97E8	0x000C87E8	-
accept	0x00000001	0x0049C80C	0x000C97EC	0x000C87EC	-
listen	0x0000000D	0x0049C810	0x000C97F0	0x000C87F0	-
bind	0x00000002	0x0049C814	0x000C97F4	0x000C87F4	-
inet_addr	0x0000000B	0x0049C818	0x000C97F8	0x000C87F8	-
ioctlsocket	0x0000000A	0x0049C81C	0x000C97FC	0x000C87FC	-
recvfrom	0x00000011	0x0049C820	0x000C9800	0x000C8800	-
WSAGetLastError	0x0000006F	0x0049C824	0x000C9804	0x000C8804	-
closesocket	0x00000003	0x0049C828	0x000C9808	0x000C8808	-
gethostname	0x00000039	0x0049C82C	0x000C980C	0x000C880C	-
connect	0x00000004	0x0049C830	0x000C9810	0x000C8810	-

VERSION.dll (3)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetFileVersionInfoW	-	0x0049C77C	0x000C975C	0x000C875C	0x00000006
VerQueryValueW	-	0x0049C780	0x000C9760	0x000C8760	0x0000000E
GetFileVersionInfoSizeW	-	0x0049C784	0x000C9764	0x000C8764	0x00000005

WINMM.dll (3)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
timeGetTime	-	0x0049C7C8	0x000C97A8	0x000C87A8	0x00000094
waveOutSetVolume	-	0x0049C7CC	0x000C97AC	0x000C87AC	0x000000BB
mciSendStringW	-	0x0049C7D0	0x000C97B0	0x000C87B0	0x00000032

COMCTL32.dll (11)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ImageList_ReplaceIcon	-	0x0049C088	0x000C9068	0x000C8068	0x0000006F
ImageList_Destroy	-	0x0049C08C	0x000C906C	0x000C806C	0x00000054
ImageList_Remove	-	0x0049C090	0x000C9070	0x000C8070	0x0000006D
ImageList_SetDragCursorImage	-	0x0049C094	0x000C9074	0x000C8074	0x00000072
ImageList_BeginDrag	-	0x0049C098	0x000C9078	0x000C8078	0x00000050
ImageList_DragEnter	-	0x0049C09C	0x000C907C	0x000C807C	0x00000056
ImageList_DragLeave	-	0x0049C0A0	0x000C9080	0x000C8080	0x00000057
ImageList_EndDrag	-	0x0049C0A4	0x000C9084	0x000C8084	0x0000005E
ImageList_DragMove	-	0x0049C0A8	0x000C9088	0x000C8088	0x00000058
InitCommonControlsEx	-	0x0049C0AC	0x000C908C	0x000C808C	0x0000007B
ImageList_Create	-	0x0049C0B0	0x000C9090	0x000C8090	0x00000053

MPR.dll (4)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
WNetGetConnectionW	-	0x0049C408	0x000C93E8	0x000C83E8	0x00000024
WNetCancelConnection2W	-	0x0049C40C	0x000C93EC	0x000C83EC	0x0000000C
WNetUseConnectionW	-	0x0049C410	0x000C93F0	0x000C83F0	0x00000049
WNetAddConnection2W	-	0x0049C414	0x000C93F4	0x000C83F4	0x00000006

WININET.dll (14)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
HttpOpenRequestW	-	0x0049C78C	0x000C976C	0x000C876C	0x00000058
InternetCloseHandle	-	0x0049C790	0x000C9770	0x000C8770	0x0000006B
InternetOpenW	-	0x0049C794	0x000C9774	0x000C8774	0x0000009A
InternetSetOptionW	-	0x0049C798	0x000C9778	0x000C8778	0x000000AF
InternetCrackUrlW	-	0x0049C79C	0x000C977C	0x000C877C	0x00000074
HttpQueryInfoW	-	0x0049C7A0	0x000C9780	0x000C8780	0x0000005A
InternetQueryOptionW	-	0x0049C7A4	0x000C9784	0x000C8784	0x0000009E
InternetConnectW	-	0x0049C7A8	0x000C9788	0x000C8788	0x00000072
HttpSendRequestW	-	0x0049C7AC	0x000C978C	0x000C878C	0x0000005E
FtpOpenFileW	-	0x0049C7B0	0x000C9790	0x000C8790	0x00000035
FtpGetFileSize	-	0x0049C7B4	0x000C9794	0x000C8794	0x00000032
InternetOpenUrlW	-	0x0049C7B8	0x000C9798	0x000C8798	0x00000099
InternetReadFile	-	0x0049C7BC	0x000C979C	0x000C879C	0x0000009F
InternetQueryDataAvailable	-	0x0049C7C0	0x000C97A0	0x000C87A0	0x0000009B

PSAPI.DLL (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetProcessMemoryInfo	-	0x0049C494	0x000C9474	0x000C8474	0x00000015

IPHLPAPI.DLL (3)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
IcmpSendEcho	-	0x0049C154	0x000C9134	0x000C8134	0x00000087
IcmpCloseHandle	-	0x0049C158	0x000C9138	0x000C8138	0x00000084
IcmpCreateFile	-	0x0049C15C	0x000C913C	0x000C813C	0x00000085

USERENV.dll (4)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
DestroyEnvironmentBlock	-	0x0049C760	0x000C9740	0x000C8740	0x00000004
LoadUserProfileW	-	0x0049C764	0x000C9744	0x000C8744	0x00000021
CreateEnvironmentBlock	-	0x0049C768	0x000C9748	0x000C8748	0x00000000
UnloadUserProfile	-	0x0049C76C	0x000C974C	0x000C874C	0x0000002C

UxTheme.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
IsThemeActive	-	0x0049C774	0x000C9754	0x000C8754	0x0000003F

KERNEL32.dll (168)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
DuplicateHandle	-	0x0049C164	0x000C9144	0x000C8144	0x000000E8
CreateThread	-	0x0049C168	0x000C9148	0x000C8148	0x000000B5
WaitForSingleObject	-	0x0049C16C	0x000C914C	0x000C814C	0x000004F9
HeapAlloc	-	0x0049C170	0x000C9150	0x000C8150	0x000002CB
GetProcessHeap	-	0x0049C174	0x000C9154	0x000C8154	0x0000024A
HeapFree	-	0x0049C178	0x000C9158	0x000C8158	0x000002CF
Sleep	-	0x0049C17C	0x000C915C	0x000C815C	0x000004B2
GetCurrentThreadId	-	0x0049C180	0x000C9160	0x000C8160	0x000001C5
MultiByteToWideChar	-	0x0049C184	0x000C9164	0x000C8164	0x00000367
MulDiv	-	0x0049C188	0x000C9168	0x000C8168	0x00000366
GetVersionExW	-	0x0049C18C	0x000C916C	0x000C816C	0x000002A4
IsWow64Process	-	0x0049C190	0x000C9170	0x000C8170	0x0000030E
GetSystemInfo	-	0x0049C194	0x000C9174	0x000C8174	0x00000273
FreeLibrary	-	0x0049C198	0x000C9178	0x000C8178	0x00000162
LoadLibraryA	-	0x0049C19C	0x000C917C	0x000C817C	0x0000033C
GetProcAddress	-	0x0049C1A0	0x000C9180	0x000C8180	0x00000245
SetErrorMode	-	0x0049C1A4	0x000C9184	0x000C8184	0x00000458
GetModuleFileNameW	-	0x0049C1A8	0x000C9188	0x000C8188	0x00000214
WideCharToMultiByte	-	0x0049C1AC	0x000C918C	0x000C818C	0x00000511
lstrcpyW	-	0x0049C1B0	0x000C9190	0x000C8190	0x00000548
lstrlenW	-	0x0049C1B4	0x000C9194	0x000C8194	0x0000054E
GetModuleHandleW	-	0x0049C1B8	0x000C9198	0x000C8198	0x00000218
QueryPerformanceCounter	-	0x0049C1BC	0x000C919C	0x000C819C	0x000003A7
VirtualFreeEx	-	0x0049C1C0	0x000C91A0	0x000C81A0	0x000004ED
OpenProcess	-	0x0049C1C4	0x000C91A4	0x000C81A4	0x00000380
VirtualAllocEx	-	0x0049C1C8	0x000C91A8	0x000C81A8	0x000004EA
WriteProcessMemory	-	0x0049C1CC	0x000C91AC	0x000C81AC	0x0000052E
ReadProcessMemory	-	0x0049C1D0	0x000C91B0	0x000C81B0	0x000003C3
CreateFileW	-	0x0049C1D4	0x000C91B4	0x000C81B4	0x0000008F
SetFilePointerEx	-	0x0049C1D8	0x000C91B8	0x000C81B8	0x00000467
SetEndOfFile	-	0x0049C1DC	0x000C91BC	0x000C81BC	0x00000453
ReadFile	-	0x0049C1E0	0x000C91C0	0x000C81C0	0x000003C0
WriteFile	-	0x0049C1E4	0x000C91C4	0x000C81C4	0x00000525
FlushFileBuffers	-	0x0049C1E8	0x000C91C8	0x000C81C8	0x00000157
TerminateProcess	-	0x0049C1EC	0x000C91CC	0x000C81CC	0x000004C0
CreateToolhelp32Snapshot	-	0x0049C1F0	0x000C91D0	0x000C81D0	0x000000BE
Process32FirstW	-	0x0049C1F4	0x000C91D4	0x000C81D4	0x00000396
Process32NextW	-	0x0049C1F8	0x000C91D8	0x000C81D8	0x00000398
SetFileTime	-	0x0049C1FC	0x000C91DC	0x000C81DC	0x0000046A
GetFileAttributesW	-	0x0049C200	0x000C91E0	0x000C81E0	0x000001EA
FindFirstFileW	-	0x0049C204	0x000C91E4	0x000C81E4	0x00000139
FindClose	-	0x0049C208	0x000C91E8	0x000C81E8	0x0000012E
GetLongPathNameW	-	0x0049C20C	0x000C91EC	0x000C81EC	0x0000020F
GetShortPathNameW	-	0x0049C210	0x000C91F0	0x000C81F0	0x00000261
DeleteFileW	-	0x0049C214	0x000C91F4	0x000C81F4	0x000000D6
IsDebuggerPresent	-	0x0049C218	0x000C91F8	0x000C81F8	0x00000300
CopyFileExW	-	0x0049C21C	0x000C91FC	0x000C81FC	0x00000072
MoveFileW	-	0x0049C220	0x000C9200	0x000C8200	0x00000363
CreateDirectoryW	-	0x0049C224	0x000C9204	0x000C8204	0x00000081
RemoveDirectoryW	-	0x0049C228	0x000C9208	0x000C8208	0x00000403
SetSystemPowerState	-	0x0049C22C	0x000C920C	0x000C820C	0x0000048A
QueryPerformanceFrequency	-	0x0049C230	0x000C9210	0x000C8210	0x000003A8
LoadResource	-	0x0049C234	0x000C9214	0x000C8214	0x00000341
LockResource	-	0x0049C238	0x000C9218	0x000C8218	0x00000354
SizeofResource	-	0x0049C23C	0x000C921C	0x000C821C	0x000004B1
OutputDebugStringW	-	0x0049C240	0x000C9220	0x000C8220	0x0000038A
GetTempPathW	-	0x0049C244	0x000C9224	0x000C8224	0x00000285
GetTempFileNameW	-	0x0049C248	0x000C9228	0x000C8228	0x00000283
DeviceIoControl	-	0x0049C24C	0x000C922C	0x000C822C	0x000000DD
LoadLibraryW	-	0x0049C250	0x000C9230	0x000C8230	0x0000033F
GetLocalTime	-	0x0049C254	0x000C9234	0x000C8234	0x00000203
CompareStringW	-	0x0049C258	0x000C9238	0x000C8238	0x00000064
GetCurrentThread	-	0x0049C25C	0x000C923C	0x000C823C	0x000001C4
EnterCriticalSection	-	0x0049C260	0x000C9240	0x000C8240	0x000000EE
LeaveCriticalSection	-	0x0049C264	0x000C9244	0x000C8244	0x00000339
GetStdHandle	-	0x0049C268	0x000C9248	0x000C8248	0x00000264
CreatePipe	-	0x0049C26C	0x000C924C	0x000C824C	0x000000A1
InterlockedExchange	-	0x0049C270	0x000C9250	0x000C8250	0x000002EC
TerminateThread	-	0x0049C274	0x000C9254	0x000C8254	0x000004C1
LoadLibraryExW	-	0x0049C278	0x000C9258	0x000C8258	0x0000033E
FindResourceExW	-	0x0049C27C	0x000C925C	0x000C825C	0x0000014D
CopyFileW	-	0x0049C280	0x000C9260	0x000C8260	0x00000075
VirtualFree	-	0x0049C284	0x000C9264	0x000C8264	0x000004EC
FormatMessageW	-	0x0049C288	0x000C9268	0x000C8268	0x0000015E
GetExitCodeProcess	-	0x0049C28C	0x000C926C	0x000C826C	0x000001DF
GetPrivateProfileStringW	-	0x0049C290	0x000C9270	0x000C8270	0x00000242
WritePrivateProfileStringW	-	0x0049C294	0x000C9274	0x000C8274	0x0000052B
GetPrivateProfileSectionW	-	0x0049C298	0x000C9278	0x000C8278	0x00000240
WritePrivateProfileSectionW	-	0x0049C29C	0x000C927C	0x000C827C	0x00000529
GetPrivateProfileSectionNamesW	-	0x0049C2A0	0x000C9280	0x000C8280	0x0000023F
FileTimeToLocalFileTime	-	0x0049C2A4	0x000C9284	0x000C8284	0x00000124
FileTimeToSystemTime	-	0x0049C2A8	0x000C9288	0x000C8288	0x00000125
SystemTimeToFileTime	-	0x0049C2AC	0x000C928C	0x000C828C	0x000004BD
LocalFileTimeToFileTime	-	0x0049C2B0	0x000C9290	0x000C8290	0x00000346
GetDriveTypeW	-	0x0049C2B4	0x000C9294	0x000C8294	0x000001D3
GetDiskFreeSpaceExW	-	0x0049C2B8	0x000C9298	0x000C8298	0x000001CE
GetDiskFreeSpaceW	-	0x0049C2BC	0x000C929C	0x000C829C	0x000001CF
GetVolumeInformationW	-	0x0049C2C0	0x000C92A0	0x000C82A0	0x000002A7
SetVolumeLabelW	-	0x0049C2C4	0x000C92A4	0x000C82A4	0x000004A9
CreateHardLinkW	-	0x0049C2C8	0x000C92A8	0x000C82A8	0x00000093
SetFileAttributesW	-	0x0049C2CC	0x000C92AC	0x000C82AC	0x00000461
CreateEventW	-	0x0049C2D0	0x000C92B0	0x000C82B0	0x00000085
SetEvent	-	0x0049C2D4	0x000C92B4	0x000C82B4	0x00000459
GetEnvironmentVariableW	-	0x0049C2D8	0x000C92B8	0x000C82B8	0x000001DC
SetEnvironmentVariableW	-	0x0049C2DC	0x000C92BC	0x000C82BC	0x00000457
GlobalLock	-	0x0049C2E0	0x000C92C0	0x000C82C0	0x000002BE
GlobalUnlock	-	0x0049C2E4	0x000C92C4	0x000C82C4	0x000002C5
GlobalAlloc	-	0x0049C2E8	0x000C92C8	0x000C82C8	0x000002B3
GetFileSize	-	0x0049C2EC	0x000C92CC	0x000C82CC	0x000001F0
GlobalFree	-	0x0049C2F0	0x000C92D0	0x000C82D0	0x000002BA
GlobalMemoryStatusEx	-	0x0049C2F4	0x000C92D4	0x000C82D4	0x000002C0
Beep	-	0x0049C2F8	0x000C92D8	0x000C82D8	0x00000036
GetSystemDirectoryW	-	0x0049C2FC	0x000C92DC	0x000C82DC	0x00000270
HeapReAlloc	-	0x0049C300	0x000C92E0	0x000C82E0	0x000002D2
HeapSize	-	0x0049C304	0x000C92E4	0x000C82E4	0x000002D4
GetComputerNameW	-	0x0049C308	0x000C92E8	0x000C82E8	0x0000018F
GetWindowsDirectoryW	-	0x0049C30C	0x000C92EC	0x000C82EC	0x000002AF
GetCurrentProcessId	-	0x0049C310	0x000C92F0	0x000C82F0	0x000001C1
GetProcessIoCounters	-	0x0049C314	0x000C92F4	0x000C82F4	0x0000024E
CreateProcessW	-	0x0049C318	0x000C92F8	0x000C82F8	0x000000A8
GetProcessId	-	0x0049C31C	0x000C92FC	0x000C82FC	0x0000024C
SetPriorityClass	-	0x0049C320	0x000C9300	0x000C8300	0x0000047D
VirtualAlloc	-	0x0049C324	0x000C9304	0x000C8304	0x000004E9
GetCurrentDirectoryW	-	0x0049C328	0x000C9308	0x000C8308	0x000001BF
lstrcmpiW	-	0x0049C32C	0x000C930C	0x000C830C	0x00000545
DecodePointer	-	0x0049C330	0x000C9310	0x000C8310	0x000000CA
GetLastError	-	0x0049C334	0x000C9314	0x000C8314	0x00000202
RaiseException	-	0x0049C338	0x000C9318	0x000C8318	0x000003B1
InitializeCriticalSectionAndSpinCount	-	0x0049C33C	0x000C931C	0x000C831C	0x000002E3
DeleteCriticalSection	-	0x0049C340	0x000C9320	0x000C8320	0x000000D1
InterlockedDecrement	-	0x0049C344	0x000C9324	0x000C8324	0x000002EB
InterlockedIncrement	-	0x0049C348	0x000C9328	0x000C8328	0x000002EF
ResetEvent	-	0x0049C34C	0x000C932C	0x000C832C	0x0000040F
WaitForSingleObjectEx	-	0x0049C350	0x000C9330	0x000C8330	0x000004FA
IsProcessorFeaturePresent	-	0x0049C354	0x000C9334	0x000C8334	0x00000304
UnhandledExceptionFilter	-	0x0049C358	0x000C9338	0x000C8338	0x000004D3
SetUnhandledExceptionFilter	-	0x0049C35C	0x000C933C	0x000C833C	0x000004A5
GetCurrentProcess	-	0x0049C360	0x000C9340	0x000C8340	0x000001C0
CloseHandle	-	0x0049C364	0x000C9344	0x000C8344	0x00000052
GetFullPathNameW	-	0x0049C368	0x000C9348	0x000C8348	0x000001FB
GetStartupInfoW	-	0x0049C36C	0x000C934C	0x000C834C	0x00000263
GetSystemTimeAsFileTime	-	0x0049C370	0x000C9350	0x000C8350	0x00000279
InitializeSListHead	-	0x0049C374	0x000C9354	0x000C8354	0x000002E7
RtlUnwind	-	0x0049C378	0x000C9358	0x000C8358	0x00000418
SetLastError	-	0x0049C37C	0x000C935C	0x000C835C	0x00000473
TlsAlloc	-	0x0049C380	0x000C9360	0x000C8360	0x000004C5
TlsGetValue	-	0x0049C384	0x000C9364	0x000C8364	0x000004C7
TlsSetValue	-	0x0049C388	0x000C9368	0x000C8368	0x000004C8
TlsFree	-	0x0049C38C	0x000C936C	0x000C836C	0x000004C6
EncodePointer	-	0x0049C390	0x000C9370	0x000C8370	0x000000EA
ExitProcess	-	0x0049C394	0x000C9374	0x000C8374	0x00000119
GetModuleHandleExW	-	0x0049C398	0x000C9378	0x000C8378	0x00000217
ExitThread	-	0x0049C39C	0x000C937C	0x000C837C	0x0000011A
ResumeThread	-	0x0049C3A0	0x000C9380	0x000C8380	0x00000413
FreeLibraryAndExitThread	-	0x0049C3A4	0x000C9384	0x000C8384	0x00000163
GetACP	-	0x0049C3A8	0x000C9388	0x000C8388	0x00000168
GetDateFormatW	-	0x0049C3AC	0x000C938C	0x000C838C	0x000001C8
GetTimeFormatW	-	0x0049C3B0	0x000C9390	0x000C8390	0x00000297
LCMapStringW	-	0x0049C3B4	0x000C9394	0x000C8394	0x0000032D
GetStringTypeW	-	0x0049C3B8	0x000C9398	0x000C8398	0x00000269
GetFileType	-	0x0049C3BC	0x000C939C	0x000C839C	0x000001F3
SetStdHandle	-	0x0049C3C0	0x000C93A0	0x000C83A0	0x00000487
GetConsoleCP	-	0x0049C3C4	0x000C93A4	0x000C83A4	0x0000019A
GetConsoleMode	-	0x0049C3C8	0x000C93A8	0x000C83A8	0x000001AC
ReadConsoleW	-	0x0049C3CC	0x000C93AC	0x000C83AC	0x000003BE
GetTimeZoneInformation	-	0x0049C3D0	0x000C93B0	0x000C83B0	0x00000298
FindFirstFileExW	-	0x0049C3D4	0x000C93B4	0x000C83B4	0x00000134
IsValidCodePage	-	0x0049C3D8	0x000C93B8	0x000C83B8	0x0000030A
GetOEMCP	-	0x0049C3DC	0x000C93BC	0x000C83BC	0x00000237
GetCPInfo	-	0x0049C3E0	0x000C93C0	0x000C83C0	0x00000172
GetCommandLineA	-	0x0049C3E4	0x000C93C4	0x000C83C4	0x00000186
GetCommandLineW	-	0x0049C3E8	0x000C93C8	0x000C83C8	0x00000187
GetEnvironmentStringsW	-	0x0049C3EC	0x000C93CC	0x000C83CC	0x000001DA
FreeEnvironmentStringsW	-	0x0049C3F0	0x000C93D0	0x000C83D0	0x00000161
SetEnvironmentVariableA	-	0x0049C3F4	0x000C93D4	0x000C83D4	0x00000456
SetCurrentDirectoryW	-	0x0049C3F8	0x000C93D8	0x000C83D8	0x0000044D
FindNextFileW	-	0x0049C3FC	0x000C93DC	0x000C83DC	0x00000145
WriteConsoleW	-	0x0049C400	0x000C93E0	0x000C83E0	0x00000524

USER32.dll (160)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetKeyboardLayoutNameW	-	0x0049C4DC	0x000C94BC	0x000C84BC	0x00000141
IsCharAlphaW	-	0x0049C4E0	0x000C94C0	0x000C84C0	0x000001C4
IsCharAlphaNumericW	-	0x0049C4E4	0x000C94C4	0x000C84C4	0x000001C3
IsCharLowerW	-	0x0049C4E8	0x000C94C8	0x000C84C8	0x000001C6
IsCharUpperW	-	0x0049C4EC	0x000C94CC	0x000C84CC	0x000001C8
GetMenuStringW	-	0x0049C4F0	0x000C94D0	0x000C84D0	0x00000158
GetSubMenu	-	0x0049C4F4	0x000C94D4	0x000C84D4	0x0000017A
GetCaretPos	-	0x0049C4F8	0x000C94D8	0x000C84D8	0x0000010A
IsZoomed	-	0x0049C4FC	0x000C94DC	0x000C84DC	0x000001E2
GetMonitorInfoW	-	0x0049C500	0x000C94E0	0x000C84E0	0x0000015F
SetWindowLongW	-	0x0049C504	0x000C94E4	0x000C84E4	0x000002C4
SetLayeredWindowAttributes	-	0x0049C508	0x000C94E8	0x000C84E8	0x00000298
FlashWindow	-	0x0049C50C	0x000C94EC	0x000C84EC	0x000000FB
GetClassLongW	-	0x0049C510	0x000C94F0	0x000C84F0	0x00000110
TranslateAcceleratorW	-	0x0049C514	0x000C94F4	0x000C84F4	0x000002FA
IsDialogMessageW	-	0x0049C518	0x000C94F8	0x000C84F8	0x000001CD
GetSysColor	-	0x0049C51C	0x000C94FC	0x000C84FC	0x0000017B
InflateRect	-	0x0049C520	0x000C9500	0x000C8500	0x000001B5
DrawFocusRect	-	0x0049C524	0x000C9504	0x000C8504	0x000000C4
DrawTextW	-	0x0049C528	0x000C9508	0x000C8508	0x000000D0
FrameRect	-	0x0049C52C	0x000C950C	0x000C850C	0x000000FD
DrawFrameControl	-	0x0049C530	0x000C9510	0x000C8510	0x000000C6
FillRect	-	0x0049C534	0x000C9514	0x000C8514	0x000000F6
PtInRect	-	0x0049C538	0x000C9518	0x000C8518	0x00000240
DestroyAcceleratorTable	-	0x0049C53C	0x000C951C	0x000C851C	0x000000A0
CreateAcceleratorTableW	-	0x0049C540	0x000C9520	0x000C8520	0x00000058
SetCursor	-	0x0049C544	0x000C9524	0x000C8524	0x00000288
GetWindowDC	-	0x0049C548	0x000C9528	0x000C8528	0x00000192
GetSystemMetrics	-	0x0049C54C	0x000C952C	0x000C852C	0x0000017E
GetActiveWindow	-	0x0049C550	0x000C9530	0x000C8530	0x00000100
CharNextW	-	0x0049C554	0x000C9534	0x000C8534	0x00000031
wsprintfW	-	0x0049C558	0x000C9538	0x000C8538	0x00000333
RedrawWindow	-	0x0049C55C	0x000C953C	0x000C853C	0x0000024A
DrawMenuBar	-	0x0049C560	0x000C9540	0x000C8540	0x000000C9
DestroyMenu	-	0x0049C564	0x000C9544	0x000C8544	0x000000A4
SetMenu	-	0x0049C568	0x000C9548	0x000C8548	0x0000029C
GetWindowTextLengthW	-	0x0049C56C	0x000C954C	0x000C854C	0x000001A2
CreateMenu	-	0x0049C570	0x000C9550	0x000C8550	0x0000006A
IsDlgButtonChecked	-	0x0049C574	0x000C9554	0x000C8554	0x000001CE
DefDlgProcW	-	0x0049C578	0x000C9558	0x000C8558	0x00000095
CallWindowProcW	-	0x0049C57C	0x000C955C	0x000C855C	0x0000001E
ReleaseCapture	-	0x0049C580	0x000C9560	0x000C8560	0x00000264
SetCapture	-	0x0049C584	0x000C9564	0x000C8564	0x00000280
PeekMessageW	-	0x0049C588	0x000C9568	0x000C8568	0x00000233
GetInputState	-	0x0049C58C	0x000C956C	0x000C856C	0x00000138
UnregisterHotKey	-	0x0049C590	0x000C9570	0x000C8570	0x00000308
CharLowerBuffW	-	0x0049C594	0x000C9574	0x000C8574	0x0000002D
MonitorFromPoint	-	0x0049C598	0x000C9578	0x000C8578	0x00000218
MonitorFromRect	-	0x0049C59C	0x000C957C	0x000C857C	0x00000219
LoadImageW	-	0x0049C5A0	0x000C9580	0x000C8580	0x000001EF
mouse_event	-	0x0049C5A4	0x000C9584	0x000C8584	0x00000331
ExitWindowsEx	-	0x0049C5A8	0x000C9588	0x000C8588	0x000000F5
SetActiveWindow	-	0x0049C5AC	0x000C958C	0x000C858C	0x0000027F
FindWindowExW	-	0x0049C5B0	0x000C9590	0x000C8590	0x000000F9
EnumThreadWindows	-	0x0049C5B4	0x000C9594	0x000C8594	0x000000EF
SetMenuDefaultItem	-	0x0049C5B8	0x000C9598	0x000C8598	0x0000029E
InsertMenuItemW	-	0x0049C5BC	0x000C959C	0x000C859C	0x000001B9
IsMenu	-	0x0049C5C0	0x000C95A0	0x000C85A0	0x000001D2
ClientToScreen	-	0x0049C5C4	0x000C95A4	0x000C85A4	0x00000047
GetCursorPos	-	0x0049C5C8	0x000C95A8	0x000C85A8	0x00000120
DeleteMenu	-	0x0049C5CC	0x000C95AC	0x000C85AC	0x0000009E
CheckMenuRadioItem	-	0x0049C5D0	0x000C95B0	0x000C85B0	0x00000040
GetMenuItemID	-	0x0049C5D4	0x000C95B4	0x000C85B4	0x00000152
GetMenuItemCount	-	0x0049C5D8	0x000C95B8	0x000C85B8	0x00000151
SetMenuItemInfoW	-	0x0049C5DC	0x000C95BC	0x000C85BC	0x000002A2
GetMenuItemInfoW	-	0x0049C5E0	0x000C95C0	0x000C85C0	0x00000154
SetForegroundWindow	-	0x0049C5E4	0x000C95C4	0x000C85C4	0x00000293
IsIconic	-	0x0049C5E8	0x000C95C8	0x000C85C8	0x000001D1
FindWindowW	-	0x0049C5EC	0x000C95CC	0x000C85CC	0x000000FA
SystemParametersInfoW	-	0x0049C5F0	0x000C95D0	0x000C85D0	0x000002EC
LockWindowUpdate	-	0x0049C5F4	0x000C95D4	0x000C85D4	0x000001FD
SendInput	-	0x0049C5F8	0x000C95D8	0x000C85D8	0x00000276
GetAsyncKeyState	-	0x0049C5FC	0x000C95DC	0x000C85DC	0x00000107
SetKeyboardState	-	0x0049C600	0x000C95E0	0x000C85E0	0x00000296
GetKeyboardState	-	0x0049C604	0x000C95E4	0x000C85E4	0x00000142
GetKeyState	-	0x0049C608	0x000C95E8	0x000C85E8	0x0000013D
VkKeyScanW	-	0x0049C60C	0x000C95EC	0x000C85EC	0x00000321
LoadStringW	-	0x0049C610	0x000C95F0	0x000C85F0	0x000001FA
DialogBoxParamW	-	0x0049C614	0x000C95F4	0x000C85F4	0x000000AC
MessageBeep	-	0x0049C618	0x000C95F8	0x000C85F8	0x0000020D
EndDialog	-	0x0049C61C	0x000C95FC	0x000C85FC	0x000000DA
SendDlgItemMessageW	-	0x0049C620	0x000C9600	0x000C8600	0x00000273
GetDlgItem	-	0x0049C624	0x000C9604	0x000C8604	0x00000127
SetWindowTextW	-	0x0049C628	0x000C9608	0x000C8608	0x000002CB
CopyRect	-	0x0049C62C	0x000C960C	0x000C860C	0x00000055
ReleaseDC	-	0x0049C630	0x000C9610	0x000C8610	0x00000265
GetDC	-	0x0049C634	0x000C9614	0x000C8614	0x00000121
EndPaint	-	0x0049C638	0x000C9618	0x000C8618	0x000000DC
BeginPaint	-	0x0049C63C	0x000C961C	0x000C861C	0x0000000E
GetClientRect	-	0x0049C640	0x000C9620	0x000C8620	0x00000114
GetMenu	-	0x0049C644	0x000C9624	0x000C8624	0x0000014B
DestroyWindow	-	0x0049C648	0x000C9628	0x000C8628	0x000000A6
EnumWindows	-	0x0049C64C	0x000C962C	0x000C862C	0x000000F2
GetDesktopWindow	-	0x0049C650	0x000C9630	0x000C8630	0x00000123
IsWindow	-	0x0049C654	0x000C9634	0x000C8634	0x000001DB
IsWindowEnabled	-	0x0049C658	0x000C9638	0x000C8638	0x000001DC
IsWindowVisible	-	0x0049C65C	0x000C963C	0x000C863C	0x000001E0
EnableWindow	-	0x0049C660	0x000C9640	0x000C8640	0x000000D8
InvalidateRect	-	0x0049C664	0x000C9644	0x000C8644	0x000001BE
GetWindowLongW	-	0x0049C668	0x000C9648	0x000C8648	0x00000196
GetWindowThreadProcessId	-	0x0049C66C	0x000C964C	0x000C864C	0x000001A4
AttachThreadInput	-	0x0049C670	0x000C9650	0x000C8650	0x0000000C
GetFocus	-	0x0049C674	0x000C9654	0x000C8654	0x0000012C
GetWindowTextW	-	0x0049C678	0x000C9658	0x000C8658	0x000001A3
SendMessageTimeoutW	-	0x0049C67C	0x000C965C	0x000C865C	0x0000027B
EnumChildWindows	-	0x0049C680	0x000C9660	0x000C8660	0x000000DF
CharUpperBuffW	-	0x0049C684	0x000C9664	0x000C8664	0x0000003B
GetClassNameW	-	0x0049C688	0x000C9668	0x000C8668	0x00000112
GetParent	-	0x0049C68C	0x000C966C	0x000C866C	0x00000164
GetDlgCtrlID	-	0x0049C690	0x000C9670	0x000C8670	0x00000126
SendMessageW	-	0x0049C694	0x000C9674	0x000C8674	0x0000027C
MapVirtualKeyW	-	0x0049C698	0x000C9678	0x000C8678	0x00000208
PostMessageW	-	0x0049C69C	0x000C967C	0x000C867C	0x00000236
GetWindowRect	-	0x0049C6A0	0x000C9680	0x000C8680	0x0000019C
SetUserObjectSecurity	-	0x0049C6A4	0x000C9684	0x000C8684	0x000002BE
CloseDesktop	-	0x0049C6A8	0x000C9688	0x000C8688	0x0000004A
CloseWindowStation	-	0x0049C6AC	0x000C968C	0x000C868C	0x0000004E
OpenDesktopW	-	0x0049C6B0	0x000C9690	0x000C8690	0x00000228
RegisterHotKey	-	0x0049C6B4	0x000C9694	0x000C8694	0x00000256
GetCursorInfo	-	0x0049C6B8	0x000C9698	0x000C8698	0x0000011F
SetWindowPos	-	0x0049C6BC	0x000C969C	0x000C869C	0x000002C6
CopyImage	-	0x0049C6C0	0x000C96A0	0x000C86A0	0x00000054
AdjustWindowRectEx	-	0x0049C6C4	0x000C96A4	0x000C86A4	0x00000003
SetRect	-	0x0049C6C8	0x000C96A8	0x000C86A8	0x000002AE
SetClipboardData	-	0x0049C6CC	0x000C96AC	0x000C86AC	0x00000286
EmptyClipboard	-	0x0049C6D0	0x000C96B0	0x000C86B0	0x000000D5
CountClipboardFormats	-	0x0049C6D4	0x000C96B4	0x000C86B4	0x00000056
CloseClipboard	-	0x0049C6D8	0x000C96B8	0x000C86B8	0x00000049
GetClipboardData	-	0x0049C6DC	0x000C96BC	0x000C86BC	0x00000116
IsClipboardFormatAvailable	-	0x0049C6E0	0x000C96C0	0x000C86C0	0x000001CA
OpenClipboard	-	0x0049C6E4	0x000C96C4	0x000C86C4	0x00000226
BlockInput	-	0x0049C6E8	0x000C96C8	0x000C86C8	0x0000000F
TrackPopupMenuEx	-	0x0049C6EC	0x000C96CC	0x000C86CC	0x000002F7
GetMessageW	-	0x0049C6F0	0x000C96D0	0x000C86D0	0x0000015D
SetProcessWindowStation	-	0x0049C6F4	0x000C96D4	0x000C86D4	0x000002AA
GetProcessWindowStation	-	0x0049C6F8	0x000C96D8	0x000C86D8	0x00000168
OpenWindowStationW	-	0x0049C6FC	0x000C96DC	0x000C86DC	0x0000022D
GetUserObjectSecurity	-	0x0049C700	0x000C96E0	0x000C86E0	0x0000018C
MessageBoxW	-	0x0049C704	0x000C96E4	0x000C86E4	0x00000215
DefWindowProcW	-	0x0049C708	0x000C96E8	0x000C86E8	0x0000009C
MoveWindow	-	0x0049C70C	0x000C96EC	0x000C86EC	0x0000021B
SetFocus	-	0x0049C710	0x000C96F0	0x000C86F0	0x00000292
PostQuitMessage	-	0x0049C714	0x000C96F4	0x000C86F4	0x00000237
KillTimer	-	0x0049C718	0x000C96F8	0x000C86F8	0x000001E3
CreatePopupMenu	-	0x0049C71C	0x000C96FC	0x000C86FC	0x0000006B
RegisterWindowMessageW	-	0x0049C720	0x000C9700	0x000C8700	0x00000263
SetTimer	-	0x0049C724	0x000C9704	0x000C8704	0x000002BB
ShowWindow	-	0x0049C728	0x000C9708	0x000C8708	0x000002DF
CreateWindowExW	-	0x0049C72C	0x000C970C	0x000C870C	0x0000006E
RegisterClassExW	-	0x0049C730	0x000C9710	0x000C8710	0x0000024D
LoadIconW	-	0x0049C734	0x000C9714	0x000C8714	0x000001ED
LoadCursorW	-	0x0049C738	0x000C9718	0x000C8718	0x000001EB
GetSysColorBrush	-	0x0049C73C	0x000C971C	0x000C871C	0x0000017C
GetForegroundWindow	-	0x0049C740	0x000C9720	0x000C8720	0x0000012D
MessageBoxA	-	0x0049C744	0x000C9724	0x000C8724	0x0000020E
DestroyIcon	-	0x0049C748	0x000C9728	0x000C8728	0x000000A3
DispatchMessageW	-	0x0049C74C	0x000C972C	0x000C872C	0x000000AF
keybd_event	-	0x0049C750	0x000C9730	0x000C8730	0x00000330
TranslateMessage	-	0x0049C754	0x000C9734	0x000C8734	0x000002FC
ScreenToClient	-	0x0049C758	0x000C9738	0x000C8738	0x0000026D

GDI32.dll (35)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
EndPath	-	0x0049C0C4	0x000C90A4	0x000C80A4	0x000000F3
DeleteObject	-	0x0049C0C8	0x000C90A8	0x000C80A8	0x000000E6
GetTextExtentPoint32W	-	0x0049C0CC	0x000C90AC	0x000C80AC	0x0000021E
ExtCreatePen	-	0x0049C0D0	0x000C90B0	0x000C80B0	0x00000132
StrokeAndFillPath	-	0x0049C0D4	0x000C90B4	0x000C80B4	0x000002B5
GetDeviceCaps	-	0x0049C0D8	0x000C90B8	0x000C80B8	0x000001CB
SetPixel	-	0x0049C0DC	0x000C90BC	0x000C80BC	0x0000029B
CloseFigure	-	0x0049C0E0	0x000C90C0	0x000C80C0	0x0000001E
LineTo	-	0x0049C0E4	0x000C90C4	0x000C80C4	0x00000236
AngleArc	-	0x0049C0E8	0x000C90C8	0x000C80C8	0x00000008
MoveToEx	-	0x0049C0EC	0x000C90CC	0x000C80CC	0x0000023A
Ellipse	-	0x0049C0F0	0x000C90D0	0x000C80D0	0x000000ED
CreateCompatibleBitmap	-	0x0049C0F4	0x000C90D4	0x000C80D4	0x0000002F
CreateCompatibleDC	-	0x0049C0F8	0x000C90D8	0x000C80D8	0x00000030
PolyDraw	-	0x0049C0FC	0x000C90DC	0x000C80DC	0x00000250
BeginPath	-	0x0049C100	0x000C90E0	0x000C80E0	0x00000012
Rectangle	-	0x0049C104	0x000C90E4	0x000C80E4	0x0000025F
SetViewportOrgEx	-	0x0049C108	0x000C90E8	0x000C80E8	0x000002A9
GetObjectW	-	0x0049C10C	0x000C90EC	0x000C80EC	0x000001FD
SetBkMode	-	0x0049C110	0x000C90F0	0x000C80F0	0x0000027F
RoundRect	-	0x0049C114	0x000C90F4	0x000C80F4	0x0000026A
SetBkColor	-	0x0049C118	0x000C90F8	0x000C80F8	0x0000027E
CreatePen	-	0x0049C11C	0x000C90FC	0x000C80FC	0x0000004B
SelectObject	-	0x0049C120	0x000C9100	0x000C8100	0x00000277
StretchBlt	-	0x0049C124	0x000C9104	0x000C8104	0x000002B3
CreateSolidBrush	-	0x0049C128	0x000C9108	0x000C8108	0x00000054
SetTextColor	-	0x0049C12C	0x000C910C	0x000C810C	0x000002A6
CreateFontW	-	0x0049C130	0x000C9110	0x000C8110	0x00000041
GetTextFaceW	-	0x0049C134	0x000C9114	0x000C8114	0x00000224
GetStockObject	-	0x0049C138	0x000C9118	0x000C8118	0x0000020D
CreateDCW	-	0x0049C13C	0x000C911C	0x000C811C	0x00000032
GetPixel	-	0x0049C140	0x000C9120	0x000C8120	0x00000204
DeleteDC	-	0x0049C144	0x000C9124	0x000C8124	0x000000E3
GetDIBits	-	0x0049C148	0x000C9128	0x000C8128	0x000001CA
StrokePath	-	0x0049C14C	0x000C912C	0x000C812C	0x000002B6

COMDLG32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetSaveFileNameW	-	0x0049C0B8	0x000C9098	0x000C8098	0x0000000E
GetOpenFileNameW	-	0x0049C0BC	0x000C909C	0x000C809C	0x0000000C

ADVAPI32.dll (33)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetAce	-	0x0049C000	0x000C8FE0	0x000C7FE0	0x00000123
RegEnumValueW	-	0x0049C004	0x000C8FE4	0x000C7FE4	0x00000252
RegDeleteValueW	-	0x0049C008	0x000C8FE8	0x000C7FE8	0x00000248
RegDeleteKeyW	-	0x0049C00C	0x000C8FEC	0x000C7FEC	0x00000244
RegEnumKeyExW	-	0x0049C010	0x000C8FF0	0x000C7FF0	0x0000024F
RegSetValueExW	-	0x0049C014	0x000C8FF4	0x000C7FF4	0x0000027E
RegOpenKeyExW	-	0x0049C018	0x000C8FF8	0x000C7FF8	0x00000261
RegCloseKey	-	0x0049C01C	0x000C8FFC	0x000C7FFC	0x00000230
RegQueryValueExW	-	0x0049C020	0x000C9000	0x000C8000	0x0000026E
RegConnectRegistryW	-	0x0049C024	0x000C9004	0x000C8004	0x00000234
InitializeSecurityDescriptor	-	0x0049C028	0x000C9008	0x000C8008	0x00000177
InitializeAcl	-	0x0049C02C	0x000C900C	0x000C800C	0x00000176
AdjustTokenPrivileges	-	0x0049C030	0x000C9010	0x000C8010	0x0000001F
OpenThreadToken	-	0x0049C034	0x000C9014	0x000C8014	0x000001FC
OpenProcessToken	-	0x0049C038	0x000C9018	0x000C8018	0x000001F7
LookupPrivilegeValueW	-	0x0049C03C	0x000C901C	0x000C801C	0x00000197
DuplicateTokenEx	-	0x0049C040	0x000C9020	0x000C8020	0x000000DF
CreateProcessAsUserW	-	0x0049C044	0x000C9024	0x000C8024	0x0000007C
CreateProcessWithLogonW	-	0x0049C048	0x000C9028	0x000C8028	0x0000007D
GetLengthSid	-	0x0049C04C	0x000C902C	0x000C802C	0x00000136
CopySid	-	0x0049C050	0x000C9030	0x000C8030	0x00000076
LogonUserW	-	0x0049C054	0x000C9034	0x000C8034	0x0000018D
AllocateAndInitializeSid	-	0x0049C058	0x000C9038	0x000C8038	0x00000020
CheckTokenMembership	-	0x0049C05C	0x000C903C	0x000C803C	0x00000051
FreeSid	-	0x0049C060	0x000C9040	0x000C8040	0x00000120
GetTokenInformation	-	0x0049C064	0x000C9044	0x000C8044	0x0000015A
RegCreateKeyExW	-	0x0049C068	0x000C9048	0x000C8048	0x00000239
GetSecurityDescriptorDacl	-	0x0049C06C	0x000C904C	0x000C804C	0x00000148
GetAclInformation	-	0x0049C070	0x000C9050	0x000C8050	0x00000124
GetUserNameW	-	0x0049C074	0x000C9054	0x000C8054	0x00000165
AddAce	-	0x0049C078	0x000C9058	0x000C8058	0x00000016
SetSecurityDescriptorDacl	-	0x0049C07C	0x000C905C	0x000C805C	0x000002B6
InitiateSystemShutdownExW	-	0x0049C080	0x000C9060	0x000C8060	0x0000017D

SHELL32.dll (15)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
DragFinish	-	0x0049C49C	0x000C947C	0x000C847C	0x0000001B
DragQueryPoint	-	0x0049C4A0	0x000C9480	0x000C8480	0x00000020
ShellExecuteExW	-	0x0049C4A4	0x000C9484	0x000C8484	0x00000121
DragQueryFileW	-	0x0049C4A8	0x000C9488	0x000C8488	0x0000001F
SHEmptyRecycleBinW	-	0x0049C4AC	0x000C948C	0x000C848C	0x000000A5
SHGetPathFromIDListW	-	0x0049C4B0	0x000C9490	0x000C8490	0x000000D7
SHBrowseForFolderW	-	0x0049C4B4	0x000C9494	0x000C8494	0x0000007B
SHCreateShellItem	-	0x0049C4B8	0x000C9498	0x000C8498	0x0000009A
SHGetDesktopFolder	-	0x0049C4BC	0x000C949C	0x000C849C	0x000000B6
SHGetSpecialFolderLocation	-	0x0049C4C0	0x000C94A0	0x000C84A0	0x000000DF
SHGetFolderPathW	-	0x0049C4C4	0x000C94A4	0x000C84A4	0x000000C3
SHFileOperationW	-	0x0049C4C8	0x000C94A8	0x000C84A8	0x000000AC
ExtractIconExW	-	0x0049C4CC	0x000C94AC	0x000C84AC	0x0000002A
Shell_NotifyIconW	-	0x0049C4D0	0x000C94B0	0x000C84B0	0x0000012E
ShellExecuteW	-	0x0049C4D4	0x000C94B4	0x000C84B4	0x00000122

ole32.dll (22)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CoTaskMemAlloc	-	0x0049C838	0x000C9818	0x000C8818	0x00000067
CoTaskMemFree	-	0x0049C83C	0x000C981C	0x000C881C	0x00000068
CLSIDFromString	-	0x0049C840	0x000C9820	0x000C8820	0x00000008
ProgIDFromCLSID	-	0x0049C844	0x000C9824	0x000C8824	0x0000014B
CLSIDFromProgID	-	0x0049C848	0x000C9828	0x000C8828	0x00000006
OleSetMenuDescriptor	-	0x0049C84C	0x000C982C	0x000C882C	0x00000147
MkParseDisplayName	-	0x0049C850	0x000C9830	0x000C8830	0x000000D4
OleSetContainedObject	-	0x0049C854	0x000C9834	0x000C8834	0x00000146
CoCreateInstance	-	0x0049C858	0x000C9838	0x000C8838	0x00000010
IIDFromString	-	0x0049C85C	0x000C983C	0x000C883C	0x000000CD
StringFromGUID2	-	0x0049C860	0x000C9840	0x000C8840	0x00000179
CreateStreamOnHGlobal	-	0x0049C864	0x000C9844	0x000C8844	0x00000086
OleInitialize	-	0x0049C868	0x000C9848	0x000C8848	0x00000132
OleUninitialize	-	0x0049C86C	0x000C984C	0x000C884C	0x00000149
CoInitialize	-	0x0049C870	0x000C9850	0x000C8850	0x0000003E
CoUninitialize	-	0x0049C874	0x000C9854	0x000C8854	0x0000006C
GetRunningObjectTable	-	0x0049C878	0x000C9858	0x000C8858	0x00000097
CoGetInstanceFromFile	-	0x0049C87C	0x000C985C	0x000C885C	0x0000002D
CoGetObject	-	0x0049C880	0x000C9860	0x000C8860	0x00000035
CoInitializeSecurity	-	0x0049C884	0x000C9864	0x000C8864	0x00000040
CoCreateInstanceEx	-	0x0049C888	0x000C9868	0x000C8868	0x00000011
CoSetProxyBlanket	-	0x0049C88C	0x000C986C	0x000C886C	0x00000063

OLEAUT32.dll (29)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateStdDispatch	0x00000020	0x0049C41C	0x000C93FC	0x000C83FC	-
CreateDispTypeInfo	0x0000001F	0x0049C420	0x000C9400	0x000C8400	-
UnRegisterTypeLib	0x000000BA	0x0049C424	0x000C9404	0x000C8404	-
UnRegisterTypeLibForUser	0x000001BB	0x0049C428	0x000C9408	0x000C8408	-
RegisterTypeLibForUser	0x000001BA	0x0049C42C	0x000C940C	0x000C840C	-
RegisterTypeLib	0x000000A3	0x0049C430	0x000C9410	0x000C8410	-
LoadTypeLibEx	0x000000B7	0x0049C434	0x000C9414	0x000C8414	-
VariantCopyInd	0x0000000B	0x0049C438	0x000C9418	0x000C8418	-
SysReAllocString	0x00000003	0x0049C43C	0x000C941C	0x000C841C	-
SysFreeString	0x00000006	0x0049C440	0x000C9420	0x000C8420	-
VariantChangeType	0x0000000C	0x0049C444	0x000C9424	0x000C8424	-
SafeArrayDestroyData	0x00000027	0x0049C448	0x000C9428	0x000C8428	-
SafeArrayUnaccessData	0x00000018	0x0049C44C	0x000C942C	0x000C842C	-
SafeArrayAccessData	0x00000017	0x0049C450	0x000C9430	0x000C8430	-
SafeArrayAllocData	0x00000025	0x0049C454	0x000C9434	0x000C8434	-
SafeArrayAllocDescriptorEx	0x00000029	0x0049C458	0x000C9438	0x000C8438	-
SafeArrayCreateVector	0x0000019B	0x0049C45C	0x000C943C	0x000C843C	-
SysStringLen	0x00000007	0x0049C460	0x000C9440	0x000C8440	-
QueryPathOfRegTypeLib	0x000000A4	0x0049C464	0x000C9444	0x000C8444	-
SysAllocString	0x00000002	0x0049C468	0x000C9448	0x000C8448	-
VariantInit	0x00000008	0x0049C46C	0x000C944C	0x000C844C	-
VariantClear	0x00000009	0x0049C470	0x000C9450	0x000C8450	-
DispCallFunc	0x00000092	0x0049C474	0x000C9454	0x000C8454	-
VariantTimeToSystemTime	0x000000B9	0x0049C478	0x000C9458	0x000C8458	-
VarR8FromDec	0x000000DC	0x0049C47C	0x000C945C	0x000C845C	-
SafeArrayGetVartype	0x0000004D	0x0049C480	0x000C9460	0x000C8460	-
SafeArrayDestroyDescriptor	0x00000026	0x0049C484	0x000C9464	0x000C8464	-
VariantCopy	0x0000000A	0x0049C488	0x000C9468	0x000C8468	-
OleLoadPicture	0x000001A2	0x0049C48C	0x000C946C	0x000C846C	-

Memory Dumps (1)

Name	Process ID	Start VA	End VA	Dump Reason	PE Rebuild	Bitness	Entry Point	YARA	Actions
5rbhgncphznf2vbezqxc.exe	8	0x00E70000	0x00F55FFF	Relevant Image		32-bit	0x00E92C94		... Actions Go to Process Download Dump

019454cac761f03b19db075d7ee9654611076087584e93bb0025b0e87b63e100

Downloaded File

Unknown

MIME Type	application/json
File Size	1002 Bytes
MD5	680d3f16897380ae489eeb8e4fe57c8f
SHA1	a503bf690845f5685f276a2e0f112fb5b67a92d5
SHA256	019454cac761f03b19db075d7ee9654611076087584e93bb0025b0e87b63e100
SSDeep	12:uUpRW8kPPUMKBE8VEpJco2gY5VFg/HwCgopcqDpoW56Ylwywp+rHfg/UQSAH61U+:udcM/8C52gsFg4CtSo1lwfQHoMbAI37
ImpHash	-

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat

Modified File

Stream

MIME Type	application/octet-stream
File Size	128 Bytes
MD5	cc90851958032b8c8bbb7b24ec6271dd
SHA1	e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256	c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep	3:Fl:
ImpHash	-

Remarks (2/2)

Remarks

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information