Malicious
Classifications
Hacktool
Threat Names
CobaltStrike Mal/Generic-S
Dynamic Analysis Report
Created on 2024-11-20T22:32:28+00:00
kEeJHPmcoLHUHu4w.exe
Windows Exe (x86-64)
Remarks (2/2)
(0x02000008): One or more processes crashed during the analysis. Analysis results may be incomplete.
(0x0200000E): The overall sleep time of all monitored processes was truncated from "14 minutes, 21 seconds" to "3 minutes, 30 seconds" to reveal dormant functionality.
Remarks
(0x0200005D): 240 additional dumps with the reason "Content Changed" and a total of 753 MB were skipped because the respective maximum limit was reached.
(0x0200001E): The maximum size of extracted files was exceeded. Some files may be missing in the report.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
| Filters: |
There are no files for this filter
There are no files in this analysis
| File Name | Category | Type | Verdict | Actions |
|---|
| C:\Users\RDhJ0CNFevzX\Desktop\kEeJHPmcoLHUHu4w.exe | Sample File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.93 MB |
| MD5 |
f46369adc3525bf2078d9202b855753d
|
| SHA1 |
b343dc0bfd14bf0b1b96858d407110c2e2193334
|
| SHA256 |
c77276ec6dd1928c6f3d03deeac5bc7b712612b3845adc049fe71770c529014b
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUp:T+856utgpPF8u/7p
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
File Reputation Information
»
| Verdict |
Malicious
|
| Names | Mal/Generic-S |
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (10)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| keejhpmcolhuhu4w.exe | 1 | 0x7FF6B4E90000 | 0x7FF6B51E3FFF | First Execution |
|
64-bit | 0x7FF6B4F2A338 |
|
...
|
| keejhpmcolhuhu4w.exe | 1 | 0x7FF6B4E90000 | 0x7FF6B51E3FFF | Content Changed |
|
64-bit | 0x7FF6B4F13044 |
|
...
|
| keejhpmcolhuhu4w.exe | 1 | 0x7FF6B4E90000 | 0x7FF6B51E3FFF | Content Changed |
|
64-bit | 0x7FF6B4F0EC3C |
|
...
|
| buffer | 1 | 0x1EEA8210000 | 0x1EEA821FFFF | Content Changed |
|
64-bit | - |
|
...
|
| keejhpmcolhuhu4w.exe | 1 | 0x7FF6B4E90000 | 0x7FF6B51E3FFF | Content Changed |
|
64-bit | 0x7FF6B4F144DC |
|
...
|
| keejhpmcolhuhu4w.exe | 1 | 0x7FF6B4E90000 | 0x7FF6B51E3FFF | Content Changed |
|
64-bit | 0x7FF6B4F1DF6C |
|
...
|
| keejhpmcolhuhu4w.exe | 1 | 0x7FF6B4E90000 | 0x7FF6B51E3FFF | Content Changed |
|
64-bit | 0x7FF6B4F16000 |
|
...
|
| keejhpmcolhuhu4w.exe | 1 | 0x7FF6B4E90000 | 0x7FF6B51E3FFF | Content Changed |
|
64-bit | 0x7FF6B4EA260C |
|
...
|
| buffer | 1 | 0x1EEA996D040 | 0x1EEA9F5D938 | Image In Buffer |
|
64-bit | - |
|
...
|
| keejhpmcolhuhu4w.exe | 1 | 0x7FF6B4E90000 | 0x7FF6B51E3FFF | Process Termination |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| C:\Windows\System\xXsiXvu.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
706114ff1e579d995878883369fe9b30
|
| SHA1 |
fc06c2d2ee14c8a404dcd145349ccd5384cc0f2d
|
| SHA256 |
81da66de95dfa0ee38109ddf56059b5ea791c64805fe00a8734a20b7e0e76cd2
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUq:T+856utgpPF8u/7q
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (4)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| xxsixvu.exe | 18 | 0x7FF75D8A0000 | 0x7FF75DBF3FFF | First Execution |
|
64-bit | 0x7FF75D93A338 |
|
...
|
| xxsixvu.exe | 18 | 0x7FF75D8A0000 | 0x7FF75DBF3FFF | Content Changed |
|
64-bit | 0x7FF75D929014 |
|
...
|
| xxsixvu.exe | 18 | 0x7FF75D8A0000 | 0x7FF75DBF3FFF | Content Changed |
|
64-bit | 0x7FF75D8A11DC |
|
...
|
| buffer | 18 | 0x2B90FB60000 | 0x2B90FB6FFFF | Marked Executable |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| C:\Windows\System\xvIkWGz.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
223e966b42aaf4eb55f21bdf53aab091
|
| SHA1 |
6c65e40a3a27afbc3c2063252882568a73c51b31
|
| SHA256 |
a0263de30b6bbb934acbb77096c9fe9effb27a06672e6d2c9770b6f85476e716
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU7:T+856utgpPF8u/77
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (5)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| xvikwgz.exe | 17 | 0x7FF783DE0000 | 0x7FF784133FFF | First Execution |
|
64-bit | 0x7FF783E7A338 |
|
...
|
| xvikwgz.exe | 17 | 0x7FF783DE0000 | 0x7FF784133FFF | Content Changed |
|
64-bit | 0x7FF783E69014 |
|
...
|
| xvikwgz.exe | 17 | 0x7FF783DE0000 | 0x7FF784133FFF | Content Changed |
|
64-bit | 0x7FF783DE6730 |
|
...
|
| buffer | 17 | 0x2159DC20000 | 0x2159DC2FFFF | Marked Executable |
|
64-bit | - |
|
...
|
| xvikwgz.exe | 17 | 0x7FF783DE0000 | 0x7FF784133FFF | Process Termination |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| C:\Windows\System\JWIfQgn.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
b07b48bf933fb274535955f7cb5fce7d
|
| SHA1 |
7a2362daa2e96effac82aa34fae0f4ecbaf96d75
|
| SHA256 |
08992695757f1c637edb67cf195204b46b4c98a4ff408c3bad417baa2b6d5bb3
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUD:T+856utgpPF8u/7D
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (4)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| jwifqgn.exe | 16 | 0x7FF6E8390000 | 0x7FF6E86E3FFF | First Execution |
|
64-bit | 0x7FF6E842A338 |
|
...
|
| jwifqgn.exe | 16 | 0x7FF6E8390000 | 0x7FF6E86E3FFF | Content Changed |
|
64-bit | 0x7FF6E8419014 |
|
...
|
| jwifqgn.exe | 16 | 0x7FF6E8390000 | 0x7FF6E86E3FFF | Content Changed |
|
64-bit | 0x7FF6E8396730 |
|
...
|
| buffer | 16 | 0x1995D8F0000 | 0x1995D8FFFFF | Marked Executable |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| C:\Windows\System\eWbUkFy.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
b3fe0aa0d6cc0f5281abd78bd780566d
|
| SHA1 |
171aa5bb9b0734a1575f80422b9d6c8b8fca96b2
|
| SHA256 |
38a2204c93753f51b49d22568f36f328af45beb4e4b61860ba8ce63338ca87fe
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU+:T+856utgpPF8u/7+
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (4)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| ewbukfy.exe | 15 | 0x7FF6A29A0000 | 0x7FF6A2CF3FFF | First Execution |
|
64-bit | 0x7FF6A2A3A338 |
|
...
|
| ewbukfy.exe | 15 | 0x7FF6A29A0000 | 0x7FF6A2CF3FFF | Content Changed |
|
64-bit | 0x7FF6A29BFE1C |
|
...
|
| buffer | 15 | 0x1CC3F8D0000 | 0x1CC3F8DFFFF | Content Changed |
|
64-bit | - |
|
...
|
| ewbukfy.exe | 15 | 0x7FF6A29A0000 | 0x7FF6A2CF3FFF | Process Termination |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| C:\Windows\System\qtoXTya.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
7cdab6028a72323a17f27968e49c0523
|
| SHA1 |
4325e590dfe094afd4a3f7774357a24fea931402
|
| SHA256 |
56f1c22fb4b3ea4a2f3366a32472d0e5569bc6eef6af31909113150d298f9ac6
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUF:T+856utgpPF8u/7F
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (4)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| qtoxtya.exe | 14 | 0x7FF7947A0000 | 0x7FF794AF3FFF | First Execution |
|
64-bit | 0x7FF79483A338 |
|
...
|
| qtoxtya.exe | 14 | 0x7FF7947A0000 | 0x7FF794AF3FFF | Content Changed |
|
64-bit | 0x7FF79483ACA6 |
|
...
|
| qtoxtya.exe | 14 | 0x7FF7947A0000 | 0x7FF794AF3FFF | Content Changed |
|
64-bit | 0x7FF7947BFE1C |
|
...
|
| buffer | 14 | 0x1295F470000 | 0x1295F47FFFF | Marked Executable |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| C:\Windows\System\YfDrqtE.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
44bac28891613b283f5d6a719343ca96
|
| SHA1 |
d9900cf0a7df774dc084a4a5845bcf00ebfe90fb
|
| SHA256 |
5dab1b5009e065b601bc0b9fa3cae738884ad101c1bd21cba901f74ac21919bf
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUs:T+856utgpPF8u/7s
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (5)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| yfdrqte.exe | 13 | 0x7FF721D60000 | 0x7FF7220B3FFF | First Execution |
|
64-bit | 0x7FF721DFA338 |
|
...
|
| yfdrqte.exe | 13 | 0x7FF721D60000 | 0x7FF7220B3FFF | Content Changed |
|
64-bit | 0x7FF721DFACA6 |
|
...
|
| yfdrqte.exe | 13 | 0x7FF721D60000 | 0x7FF7220B3FFF | Content Changed |
|
64-bit | 0x7FF721D7FE1C |
|
...
|
| buffer | 13 | 0x2AA05140000 | 0x2AA0514FFFF | Content Changed |
|
64-bit | - |
|
...
|
| yfdrqte.exe | 13 | 0x7FF721D60000 | 0x7FF7220B3FFF | Process Termination |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| C:\Windows\System\pZJsuFJ.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
14984918058d707ba321a9d8187b6ae4
|
| SHA1 |
c2e5ab40836962169b2c81c97b6dafcc06edf3ab
|
| SHA256 |
1c809d2ef2fe8245648ba6701ebae653cf6d2ffd2c64ec09614ed085f346d64a
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUJ:T+856utgpPF8u/7J
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (4)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| pzjsufj.exe | 12 | 0x7FF72B3C0000 | 0x7FF72B713FFF | First Execution |
|
64-bit | 0x7FF72B45A338 |
|
...
|
| pzjsufj.exe | 12 | 0x7FF72B3C0000 | 0x7FF72B713FFF | Content Changed |
|
64-bit | 0x7FF72B449014 |
|
...
|
| buffer | 12 | 0x243DB720000 | 0x243DB72FFFF | Marked Executable |
|
64-bit | - |
|
...
|
| pzjsufj.exe | 12 | 0x7FF72B3C0000 | 0x7FF72B713FFF | Process Termination |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| C:\Windows\System\AEXHwDs.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
3ee68ce370228b4e5bb16c4875840996
|
| SHA1 |
f2532537ecd54ef8281ae7c26f45b3949e85e591
|
| SHA256 |
64e12d69d1574bd9223c89b02ab90ff576851ee4f27e0df7a30e6249dbd6b78a
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUN:T+856utgpPF8u/7N
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (3)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| aexhwds.exe | 11 | 0x7FF65FEC0000 | 0x7FF660213FFF | First Execution |
|
64-bit | 0x7FF65FF5A338 |
|
...
|
| aexhwds.exe | 11 | 0x7FF65FEC0000 | 0x7FF660213FFF | Content Changed |
|
64-bit | 0x7FF65FF5ACA6 |
|
...
|
| buffer | 11 | 0x1A127970000 | 0x1A12797FFFF | Marked Executable |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| C:\Windows\System\PHsHkrf.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
cfbabcc1951895808b4f8c279dbf0330
|
| SHA1 |
194b5d0b0a9bf4f27f6d216e06c2b6025356d719
|
| SHA256 |
d559e13ed17a5c06c6720feada401ce0ec07c75f0a50f14cb0afb68de7f18dff
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUF:T+856utgpPF8u/7F
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (2)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| phshkrf.exe | 10 | 0x7FF61CDE0000 | 0x7FF61D133FFF | First Execution |
|
64-bit | 0x7FF61CE7A338 |
|
...
|
| buffer | 10 | 0x1A956530000 | 0x1A95653FFFF | Marked Executable |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| C:\Windows\System\sOnMXMe.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
6a0e7def6c7151601d78288c34ab34d7
|
| SHA1 |
e08406367adf42ac13a37fe8897a2990632d25c2
|
| SHA256 |
1d90dfd21452b5fadecf526b5c1c4e903a64c021e1f81ea96f60d5697f89c2f3
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU8:T+856utgpPF8u/78
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (4)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| sonmxme.exe | 9 | 0x7FF738960000 | 0x7FF738CB3FFF | First Execution |
|
64-bit | 0x7FF7389FA338 |
|
...
|
| sonmxme.exe | 9 | 0x7FF738960000 | 0x7FF738CB3FFF | Content Changed |
|
64-bit | 0x7FF7389FACA6 |
|
...
|
| buffer | 9 | 0x19F8D610000 | 0x19F8D61FFFF | Content Changed |
|
64-bit | - |
|
...
|
| sonmxme.exe | 9 | 0x7FF738960000 | 0x7FF738CB3FFF | Process Termination |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| C:\Windows\System\gwdmEuW.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
f0597e4bdb5b1709fe478a4bc5d254da
|
| SHA1 |
611cf7b6c607d373293fea6d48edaee5686b2925
|
| SHA256 |
2eecd13dab652293f07ba3337aae2630b0e6975ecb40a30bcd41fa7c43fc35dc
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUn:T+856utgpPF8u/7n
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (5)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| gwdmeuw.exe | 8 | 0x7FF7E8920000 | 0x7FF7E8C73FFF | First Execution |
|
64-bit | 0x7FF7E89BA338 |
|
...
|
| gwdmeuw.exe | 8 | 0x7FF7E8920000 | 0x7FF7E8C73FFF | Content Changed |
|
64-bit | 0x7FF7E89A9014 |
|
...
|
| gwdmeuw.exe | 8 | 0x7FF7E8920000 | 0x7FF7E8C73FFF | Content Changed |
|
64-bit | 0x7FF7E894E130 |
|
...
|
| buffer | 8 | 0x1C03BCC0000 | 0x1C03BCCFFFF | Marked Executable |
|
64-bit | - |
|
...
|
| gwdmeuw.exe | 8 | 0x7FF7E8920000 | 0x7FF7E8C73FFF | Process Termination |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| C:\Windows\System\tcOFJZo.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
840afca7b93454388ab509250deb12f1
|
| SHA1 |
c023606f297fa890d7c39c28cbf63bcc34ede75e
|
| SHA256 |
d72ec03f8a4a87c6cffbc6de0fa1d21cd8024a1fe973e7731b78cd063d79fd85
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUG:T+856utgpPF8u/7G
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (4)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| tcofjzo.exe | 7 | 0x7FF66BF20000 | 0x7FF66C273FFF | First Execution |
|
64-bit | 0x7FF66BFBA338 |
|
...
|
| tcofjzo.exe | 7 | 0x7FF66BF20000 | 0x7FF66C273FFF | Content Changed |
|
64-bit | 0x7FF66BF3FE1C |
|
...
|
| buffer | 7 | 0x1E256E10000 | 0x1E256E1FFFF | Content Changed |
|
64-bit | - |
|
...
|
| tcofjzo.exe | 7 | 0x7FF66BF20000 | 0x7FF66C273FFF | Process Termination |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| C:\Windows\System\hpWGjNM.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
9fdd5fea8fe7ee3879c2bf91d2876211
|
| SHA1 |
079943752ae44b35a93c02bf5f82945f206c98e7
|
| SHA256 |
1d4e4a79eca738f331eb709ad71346c2c5325a10c61312f069bc6850b0d8c292
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUf:T+856utgpPF8u/7f
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (3)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| hpwgjnm.exe | 6 | 0x7FF6C54D0000 | 0x7FF6C5823FFF | First Execution |
|
64-bit | 0x7FF6C556A338 |
|
...
|
| hpwgjnm.exe | 6 | 0x7FF6C54D0000 | 0x7FF6C5823FFF | Content Changed |
|
64-bit | 0x7FF6C556ACA6 |
|
...
|
| buffer | 6 | 0x22673D70000 | 0x22673D7FFFF | Marked Executable |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| C:\Windows\System\VSliWiO.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.94 MB |
| MD5 |
07a086abe92511e388dca6b2b61e9fbb
|
| SHA1 |
7bb0433f184ab4fed8d15306296da2d72de4317d
|
| SHA256 |
4f497a31cc37bb5ac98789bb8558dfdc362e6f1df8912e4aa296f749550401c8
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUx:T+856utgpPF8u/7x
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (6)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| vsliwio.exe | 5 | 0x7FF76C830000 | 0x7FF76CB83FFF | First Execution |
|
64-bit | 0x7FF76C8CA338 |
|
...
|
| vsliwio.exe | 5 | 0x7FF76C830000 | 0x7FF76CB83FFF | Content Changed |
|
64-bit | 0x7FF76C8B9014 |
|
...
|
| vsliwio.exe | 5 | 0x7FF76C830000 | 0x7FF76CB83FFF | Content Changed |
|
64-bit | 0x7FF76C8311DC |
|
...
|
| buffer | 5 | 0x1B7B81F0000 | 0x1B7B81FFFFF | Content Changed |
|
64-bit | - |
|
...
|
| vsliwio.exe | 5 | 0x7FF76C830000 | 0x7FF76CB83FFF | Content Changed |
|
64-bit | 0x7FF76C85ADD4 |
|
...
|
| vsliwio.exe | 5 | 0x7FF76C830000 | 0x7FF76CB83FFF | Process Termination |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| C:\Windows\System\lvgIyZF.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.93 MB |
| MD5 |
ff6177b63a52da11b221494b00d1f79a
|
| SHA1 |
dbba352f3b309e6be443fe285e2770cea9f9d7dd
|
| SHA256 |
979743f3ffd64a15b846baeb3df17b9244dadf7815199df7035cc7cb85304738
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:T+856utgpPF8u/7m
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (3)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| lvgiyzf.exe | 4 | 0x7FF6F5580000 | 0x7FF6F58D3FFF | First Execution |
|
64-bit | 0x7FF6F561A338 |
|
...
|
| lvgiyzf.exe | 4 | 0x7FF6F5580000 | 0x7FF6F58D3FFF | Content Changed |
|
64-bit | 0x7FF6F561ACA6 |
|
...
|
| buffer | 4 | 0x261B0BF0000 | 0x261B0BFFFFF | Content Changed |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| C:\Windows\System\IJjpUKP.exe | Dropped File | Binary |
Malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 5.93 MB |
| MD5 |
f03a6af1ec037276010c21b3dea72e74
|
| SHA1 |
8de3f90ae019bc0021339f0f86ad7215315cc32d
|
| SHA256 |
c9e0fc63cee3be2005c35beb6c91ce50f06c52b171877b4d78641a9ea6d43ce6
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUs:T+856utgpPF8u/7s
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (5)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| ijjpukp.exe | 3 | 0x7FF70D4E0000 | 0x7FF70D833FFF | First Execution |
|
64-bit | 0x7FF70D57A338 |
|
...
|
| ijjpukp.exe | 3 | 0x7FF70D4E0000 | 0x7FF70D833FFF | Content Changed |
|
64-bit | 0x7FF70D563044 |
|
...
|
| ijjpukp.exe | 3 | 0x7FF70D4E0000 | 0x7FF70D833FFF | Content Changed |
|
64-bit | 0x7FF70D50E130 |
|
...
|
| ijjpukp.exe | 3 | 0x7FF70D4E0000 | 0x7FF70D833FFF | Content Changed |
|
64-bit | 0x7FF70D55EC3C |
|
...
|
| buffer | 3 | 0x152B8880000 | 0x152B888FFFF | Content Changed |
|
64-bit | - |
|
...
|
YARA Matches (2)
»
| Rule Name | Rule Description | Classification | Score | Actions |
|---|---|---|---|---|
| ReflectiveLoader | Reflective loader usage | - |
3/5
|
...
|
| CobaltStrike | Cobalt Strike beacon | Hacktool |
5/5
|
...
|
| C:\Windows\System\JAQodxz.exe | Dropped File | Binary |
Clean
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 4.93 MB |
| MD5 |
5f94b95bb4e07e032c5016ef0876786c
|
| SHA1 |
146bc6aae9766ceeb0c2a17a5f5d7fd78a1c23a2
|
| SHA256 |
c89a8acb5719dc9bef901efd15c9bc2bd92f2c33409021d18828c01e092b25d8
|
| SSDeep |
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32Q:T+856utgpPF8u/V
|
| ImpHash |
c782987849999c5ae345a5deafbd73fb
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x14009A338 |
| Size Of Code | 0x00044000 |
| Size Of Initialized Data | 0x00001000 |
| Size Of Uninitialized Data | 0x0030B000 |
| File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Machine Type | IMAGE_FILE_MACHINE_AMD64 |
| Compile Timestamp | 2019-08-29 00:43 (UTC) |
Sections (5)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| UPX0 | 0x140001000 | 0x0030B000 | 0x000B5000 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.49 |
| UPX1 | 0x14030C000 | 0x00044000 | 0x00044000 | 0x000B5400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.49 |
| .rsrc | 0x140350000 | 0x00001000 | 0x00000800 | 0x000F9400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.24 |
| .imports | 0x140351000 | 0x00002000 | 0x00001E00 | 0x000F9C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.81 |
| .reloc | 0x140353000 | 0x00001000 | 0x00000A00 | 0x000FBA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.28 |
Imports (17)
»
ADVAPI32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AdjustTokenPrivileges | - | 0x14009C000 | 0x0009C000 | 0x0009B400 | 0x00000000 |
| OpenProcessToken | - | 0x14009C008 | 0x0009C008 | 0x0009B408 | 0x00000000 |
| GetTokenInformation | - | 0x14009C010 | 0x0009C010 | 0x0009B410 | 0x00000000 |
| LookupPrivilegeValueW | - | 0x14009C018 | 0x0009C018 | 0x0009B418 | 0x00000000 |
| LsaClose | - | 0x14009C020 | 0x0009C020 | 0x0009B420 | 0x00000000 |
| LsaOpenPolicy | - | 0x14009C028 | 0x0009C028 | 0x0009B428 | 0x00000000 |
| LsaAddAccountRights | - | 0x14009C030 | 0x0009C030 | 0x0009B430 | 0x00000000 |
KERNEL32.DLL (113)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WaitForSingleObjectEx | - | 0x14009C040 | 0x0009C040 | 0x0009B440 | 0x00000000 |
| RtlLookupFunctionEntry | - | 0x14009C048 | 0x0009C048 | 0x0009B448 | 0x00000000 |
| RtlVirtualUnwind | - | 0x14009C050 | 0x0009C050 | 0x0009B450 | 0x00000000 |
| UnhandledExceptionFilter | - | 0x14009C058 | 0x0009C058 | 0x0009B458 | 0x00000000 |
| ResetEvent | - | 0x14009C060 | 0x0009C060 | 0x0009B460 | 0x00000000 |
| InitializeCriticalSectionAndSpinCount | - | 0x14009C068 | 0x0009C068 | 0x0009B468 | 0x00000000 |
| RtlCaptureContext | - | 0x14009C070 | 0x0009C070 | 0x0009B470 | 0x00000000 |
| CreateEventW | - | 0x14009C078 | 0x0009C078 | 0x0009B478 | 0x00000000 |
| InitializeSListHead | - | 0x14009C080 | 0x0009C080 | 0x0009B480 | 0x00000000 |
| SetUnhandledExceptionFilter | - | 0x14009C088 | 0x0009C088 | 0x0009B488 | 0x00000000 |
| IsProcessorFeaturePresent | - | 0x14009C090 | 0x0009C090 | 0x0009B490 | 0x00000000 |
| GetStdHandle | - | 0x14009C098 | 0x0009C098 | 0x0009B498 | 0x00000000 |
| GetConsoleMode | - | 0x14009C0A0 | 0x0009C0A0 | 0x0009B4A0 | 0x00000000 |
| SetConsoleMode | - | 0x14009C0A8 | 0x0009C0A8 | 0x0009B4A8 | 0x00000000 |
| GetLastError | - | 0x14009C0B0 | 0x0009C0B0 | 0x0009B4B0 | 0x00000000 |
| CreateMutexW | - | 0x14009C0B8 | 0x0009C0B8 | 0x0009B4B8 | 0x00000000 |
| Sleep | - | 0x14009C0C0 | 0x0009C0C0 | 0x0009B4C0 | 0x00000000 |
| CreateProcessW | - | 0x14009C0C8 | 0x0009C0C8 | 0x0009B4C8 | 0x00000000 |
| MultiByteToWideChar | - | 0x14009C0D0 | 0x0009C0D0 | 0x0009B4D0 | 0x00000000 |
| GetCurrentProcess | - | 0x14009C0D8 | 0x0009C0D8 | 0x0009B4D8 | 0x00000000 |
| GetCurrentThread | - | 0x14009C0E0 | 0x0009C0E0 | 0x0009B4E0 | 0x00000000 |
| SetThreadPriority | - | 0x14009C0E8 | 0x0009C0E8 | 0x0009B4E8 | 0x00000000 |
| SetPriorityClass | - | 0x14009C0F0 | 0x0009C0F0 | 0x0009B4F0 | 0x00000000 |
| GetModuleHandleW | - | 0x14009C0F8 | 0x0009C0F8 | 0x0009B4F8 | 0x00000000 |
| GetProcAddress | - | 0x14009C100 | 0x0009C100 | 0x0009B500 | 0x00000000 |
| SetThreadAffinityMask | - | 0x14009C108 | 0x0009C108 | 0x0009B508 | 0x00000000 |
| CloseHandle | - | 0x14009C110 | 0x0009C110 | 0x0009B510 | 0x00000000 |
| FreeConsole | - | 0x14009C118 | 0x0009C118 | 0x0009B518 | 0x00000000 |
| GetConsoleWindow | - | 0x14009C120 | 0x0009C120 | 0x0009B520 | 0x00000000 |
| FlushInstructionCache | - | 0x14009C128 | 0x0009C128 | 0x0009B528 | 0x00000000 |
| VirtualAlloc | - | 0x14009C130 | 0x0009C130 | 0x0009B530 | 0x00000000 |
| VirtualProtect | - | 0x14009C138 | 0x0009C138 | 0x0009B538 | 0x00000000 |
| VirtualFree | - | 0x14009C140 | 0x0009C140 | 0x0009B540 | 0x00000000 |
| GetLargePageMinimum | - | 0x14009C148 | 0x0009C148 | 0x0009B548 | 0x00000000 |
| LocalAlloc | - | 0x14009C150 | 0x0009C150 | 0x0009B550 | 0x00000000 |
| LocalFree | - | 0x14009C158 | 0x0009C158 | 0x0009B558 | 0x00000000 |
| GetFileType | - | 0x14009C160 | 0x0009C160 | 0x0009B560 | 0x00000000 |
| GetConsoleScreenBufferInfo | - | 0x14009C168 | 0x0009C168 | 0x0009B568 | 0x00000000 |
| SetConsoleTextAttribute | - | 0x14009C170 | 0x0009C170 | 0x0009B570 | 0x00000000 |
| RegisterWaitForSingleObject | - | 0x14009C178 | 0x0009C178 | 0x0009B578 | 0x00000000 |
| UnregisterWait | - | 0x14009C180 | 0x0009C180 | 0x0009B580 | 0x00000000 |
| GetConsoleCursorInfo | - | 0x14009C188 | 0x0009C188 | 0x0009B588 | 0x00000000 |
| CreateFileW | - | 0x14009C190 | 0x0009C190 | 0x0009B590 | 0x00000000 |
| DuplicateHandle | - | 0x14009C198 | 0x0009C198 | 0x0009B598 | 0x00000000 |
| PostQueuedCompletionStatus | - | 0x14009C1A0 | 0x0009C1A0 | 0x0009B5A0 | 0x00000000 |
| QueueUserWorkItem | - | 0x14009C1A8 | 0x0009C1A8 | 0x0009B5A8 | 0x00000000 |
| SetConsoleCursorInfo | - | 0x14009C1B0 | 0x0009C1B0 | 0x0009B5B0 | 0x00000000 |
| FillConsoleOutputCharacterW | - | 0x14009C1B8 | 0x0009C1B8 | 0x0009B5B8 | 0x00000000 |
| ReadConsoleInputW | - | 0x14009C1C0 | 0x0009C1C0 | 0x0009B5C0 | 0x00000000 |
| CreateFileA | - | 0x14009C1C8 | 0x0009C1C8 | 0x0009B5C8 | 0x00000000 |
| ReadConsoleW | - | 0x14009C1D0 | 0x0009C1D0 | 0x0009B5D0 | 0x00000000 |
| WriteConsoleInputW | - | 0x14009C1D8 | 0x0009C1D8 | 0x0009B5D8 | 0x00000000 |
| FillConsoleOutputAttribute | - | 0x14009C1E0 | 0x0009C1E0 | 0x0009B5E0 | 0x00000000 |
| WriteConsoleW | - | 0x14009C1E8 | 0x0009C1E8 | 0x0009B5E8 | 0x00000000 |
| GetNumberOfConsoleInputEvents | - | 0x14009C1F0 | 0x0009C1F0 | 0x0009B5F0 | 0x00000000 |
| WideCharToMultiByte | - | 0x14009C1F8 | 0x0009C1F8 | 0x0009B5F8 | 0x00000000 |
| SetConsoleCursorPosition | - | 0x14009C200 | 0x0009C200 | 0x0009B600 | 0x00000000 |
| EnterCriticalSection | - | 0x14009C208 | 0x0009C208 | 0x0009B608 | 0x00000000 |
| GetModuleFileNameW | - | 0x14009C210 | 0x0009C210 | 0x0009B610 | 0x00000000 |
| LeaveCriticalSection | - | 0x14009C218 | 0x0009C218 | 0x0009B618 | 0x00000000 |
| InitializeCriticalSection | - | 0x14009C220 | 0x0009C220 | 0x0009B620 | 0x00000000 |
| IsDebuggerPresent | - | 0x14009C228 | 0x0009C228 | 0x0009B628 | 0x00000000 |
| GetSystemInfo | - | 0x14009C230 | 0x0009C230 | 0x0009B630 | 0x00000000 |
| GetCurrentDirectoryW | - | 0x14009C238 | 0x0009C238 | 0x0009B638 | 0x00000000 |
| GetCurrentProcessId | - | 0x14009C240 | 0x0009C240 | 0x0009B640 | 0x00000000 |
| GetSystemTimeAsFileTime | - | 0x14009C248 | 0x0009C248 | 0x0009B648 | 0x00000000 |
| QueryPerformanceCounter | - | 0x14009C250 | 0x0009C250 | 0x0009B650 | 0x00000000 |
| SetConsoleCtrlHandler | - | 0x14009C258 | 0x0009C258 | 0x0009B658 | 0x00000000 |
| CancelIo | - | 0x14009C260 | 0x0009C260 | 0x0009B660 | 0x00000000 |
| SetHandleInformation | - | 0x14009C268 | 0x0009C268 | 0x0009B668 | 0x00000000 |
| CreateEventA | - | 0x14009C270 | 0x0009C270 | 0x0009B670 | 0x00000000 |
| CreateIoCompletionPort | - | 0x14009C278 | 0x0009C278 | 0x0009B678 | 0x00000000 |
| SetFileCompletionNotificationModes | - | 0x14009C280 | 0x0009C280 | 0x0009B680 | 0x00000000 |
| SetErrorMode | - | 0x14009C288 | 0x0009C288 | 0x0009B688 | 0x00000000 |
| GetQueuedCompletionStatus | - | 0x14009C290 | 0x0009C290 | 0x0009B690 | 0x00000000 |
| GetQueuedCompletionStatusEx | - | 0x14009C298 | 0x0009C298 | 0x0009B698 | 0x00000000 |
| SleepConditionVariableCS | - | 0x14009C2A0 | 0x0009C2A0 | 0x0009B6A0 | 0x00000000 |
| TlsSetValue | - | 0x14009C2A8 | 0x0009C2A8 | 0x0009B6A8 | 0x00000000 |
| ReleaseSemaphore | - | 0x14009C2B0 | 0x0009C2B0 | 0x0009B6B0 | 0x00000000 |
| WakeConditionVariable | - | 0x14009C2B8 | 0x0009C2B8 | 0x0009B6B8 | 0x00000000 |
| InitializeConditionVariable | - | 0x14009C2C0 | 0x0009C2C0 | 0x0009B6C0 | 0x00000000 |
| WaitForSingleObject | - | 0x14009C2C8 | 0x0009C2C8 | 0x0009B6C8 | 0x00000000 |
| ResumeThread | - | 0x14009C2D0 | 0x0009C2D0 | 0x0009B6D0 | 0x00000000 |
| SetEvent | - | 0x14009C2D8 | 0x0009C2D8 | 0x0009B6D8 | 0x00000000 |
| TlsAlloc | - | 0x14009C2E0 | 0x0009C2E0 | 0x0009B6E0 | 0x00000000 |
| DeleteCriticalSection | - | 0x14009C2E8 | 0x0009C2E8 | 0x0009B6E8 | 0x00000000 |
| CreateSemaphoreW | - | 0x14009C2F0 | 0x0009C2F0 | 0x0009B6F0 | 0x00000000 |
| CreateSemaphoreA | - | 0x14009C2F8 | 0x0009C2F8 | 0x0009B6F8 | 0x00000000 |
| GetLongPathNameW | - | 0x14009C300 | 0x0009C300 | 0x0009B700 | 0x00000000 |
| ReadDirectoryChangesW | - | 0x14009C308 | 0x0009C308 | 0x0009B708 | 0x00000000 |
| ReadFile | - | 0x14009C310 | 0x0009C310 | 0x0009B710 | 0x00000000 |
| SetNamedPipeHandleState | - | 0x14009C318 | 0x0009C318 | 0x0009B718 | 0x00000000 |
| SetLastError | - | 0x14009C320 | 0x0009C320 | 0x0009B720 | 0x00000000 |
| WriteFile | - | 0x14009C328 | 0x0009C328 | 0x0009B728 | 0x00000000 |
| CreateNamedPipeW | - | 0x14009C330 | 0x0009C330 | 0x0009B730 | 0x00000000 |
| PeekNamedPipe | - | 0x14009C338 | 0x0009C338 | 0x0009B738 | 0x00000000 |
| CancelSynchronousIo | - | 0x14009C340 | 0x0009C340 | 0x0009B740 | 0x00000000 |
| GetNamedPipeHandleStateA | - | 0x14009C348 | 0x0009C348 | 0x0009B748 | 0x00000000 |
| CancelIoEx | - | 0x14009C350 | 0x0009C350 | 0x0009B750 | 0x00000000 |
| SwitchToThread | - | 0x14009C358 | 0x0009C358 | 0x0009B758 | 0x00000000 |
| ConnectNamedPipe | - | 0x14009C360 | 0x0009C360 | 0x0009B760 | 0x00000000 |
| FlushFileBuffers | - | 0x14009C368 | 0x0009C368 | 0x0009B768 | 0x00000000 |
| TerminateProcess | - | 0x14009C370 | 0x0009C370 | 0x0009B770 | 0x00000000 |
| UnregisterWaitEx | - | 0x14009C378 | 0x0009C378 | 0x0009B778 | 0x00000000 |
| GetExitCodeProcess | - | 0x14009C380 | 0x0009C380 | 0x0009B780 | 0x00000000 |
| FormatMessageA | - | 0x14009C388 | 0x0009C388 | 0x0009B788 | 0x00000000 |
| DebugBreak | - | 0x14009C390 | 0x0009C390 | 0x0009B790 | 0x00000000 |
| GetModuleHandleA | - | 0x14009C398 | 0x0009C398 | 0x0009B798 | 0x00000000 |
| LoadLibraryA | - | 0x14009C3A0 | 0x0009C3A0 | 0x0009B7A0 | 0x00000000 |
| GetProcessAffinityMask | - | 0x14009C3A8 | 0x0009C3A8 | 0x0009B7A8 | 0x00000000 |
| SetProcessAffinityMask | - | 0x14009C3B0 | 0x0009C3B0 | 0x0009B7B0 | 0x00000000 |
| GetCurrentThreadId | - | 0x14009C3B8 | 0x0009C3B8 | 0x0009B7B8 | 0x00000000 |
| QueryPerformanceFrequency | - | 0x14009C3C0 | 0x0009C3C0 | 0x0009B7C0 | 0x00000000 |
MSVCP140.dll (45)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C3D0 | 0x0009C3D0 | 0x0009B7D0 | 0x00000000 |
| ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3D8 | 0x0009C3D8 | 0x0009B7D8 | 0x00000000 |
| ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ | - | 0x14009C3E0 | 0x0009C3E0 | 0x0009B7E0 | 0x00000000 |
| ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C3E8 | 0x0009C3E8 | 0x0009B7E8 | 0x00000000 |
| ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C3F0 | 0x0009C3F0 | 0x0009B7F0 | 0x00000000 |
| ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z | - | 0x14009C3F8 | 0x0009C3F8 | 0x0009B7F8 | 0x00000000 |
| ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C400 | 0x0009C400 | 0x0009B800 | 0x00000000 |
| _Thrd_hardware_concurrency | - | 0x14009C408 | 0x0009C408 | 0x0009B808 | 0x00000000 |
| ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A | - | 0x14009C410 | 0x0009C410 | 0x0009B810 | 0x00000000 |
| ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z | - | 0x14009C418 | 0x0009C418 | 0x0009B818 | 0x00000000 |
| ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z | - | 0x14009C420 | 0x0009C420 | 0x0009B820 | 0x00000000 |
| ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ | - | 0x14009C428 | 0x0009C428 | 0x0009B828 | 0x00000000 |
| ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z | - | 0x14009C430 | 0x0009C430 | 0x0009B830 | 0x00000000 |
| ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z | - | 0x14009C438 | 0x0009C438 | 0x0009B838 | 0x00000000 |
| ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C440 | 0x0009C440 | 0x0009B840 | 0x00000000 |
| ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z | - | 0x14009C448 | 0x0009C448 | 0x0009B848 | 0x00000000 |
| ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ | - | 0x14009C450 | 0x0009C450 | 0x0009B850 | 0x00000000 |
| ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z | - | 0x14009C458 | 0x0009C458 | 0x0009B858 | 0x00000000 |
| ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ | - | 0x14009C460 | 0x0009C460 | 0x0009B860 | 0x00000000 |
| ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z | - | 0x14009C468 | 0x0009C468 | 0x0009B868 | 0x00000000 |
| ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z | - | 0x14009C470 | 0x0009C470 | 0x0009B870 | 0x00000000 |
| ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ | - | 0x14009C478 | 0x0009C478 | 0x0009B878 | 0x00000000 |
| ?_Xlength_error@std@@YAXPEBD@Z | - | 0x14009C480 | 0x0009C480 | 0x0009B880 | 0x00000000 |
| ?_Xout_of_range@std@@YAXPEBD@Z | - | 0x14009C488 | 0x0009C488 | 0x0009B888 | 0x00000000 |
| _Xtime_get_ticks | - | 0x14009C490 | 0x0009C490 | 0x0009B890 | 0x00000000 |
| _Mtx_init_in_situ | - | 0x14009C498 | 0x0009C498 | 0x0009B898 | 0x00000000 |
| _Mtx_destroy_in_situ | - | 0x14009C4A0 | 0x0009C4A0 | 0x0009B8A0 | 0x00000000 |
| _Mtx_lock | - | 0x14009C4A8 | 0x0009C4A8 | 0x0009B8A8 | 0x00000000 |
| _Mtx_unlock | - | 0x14009C4B0 | 0x0009C4B0 | 0x0009B8B0 | 0x00000000 |
| ?_Throw_C_error@std@@YAXH@Z | - | 0x14009C4B8 | 0x0009C4B8 | 0x0009B8B8 | 0x00000000 |
| _Query_perf_counter | - | 0x14009C4C0 | 0x0009C4C0 | 0x0009B8C0 | 0x00000000 |
| _Query_perf_frequency | - | 0x14009C4C8 | 0x0009C4C8 | 0x0009B8C8 | 0x00000000 |
| _Thrd_join | - | 0x14009C4D0 | 0x0009C4D0 | 0x0009B8D0 | 0x00000000 |
| _Thrd_id | - | 0x14009C4D8 | 0x0009C4D8 | 0x0009B8D8 | 0x00000000 |
| _Cnd_do_broadcast_at_thread_exit | - | 0x14009C4E0 | 0x0009C4E0 | 0x0009B8E0 | 0x00000000 |
| ?_Throw_Cpp_error@std@@YAXH@Z | - | 0x14009C4E8 | 0x0009C4E8 | 0x0009B8E8 | 0x00000000 |
| _Thrd_sleep | - | 0x14009C4F0 | 0x0009C4F0 | 0x0009B8F0 | 0x00000000 |
| _Thrd_yield | - | 0x14009C4F8 | 0x0009C4F8 | 0x0009B8F8 | 0x00000000 |
| ??0_Lockit@std@@QEAA@H@Z | - | 0x14009C500 | 0x0009C500 | 0x0009B900 | 0x00000000 |
| ??1_Lockit@std@@QEAA@XZ | - | 0x14009C508 | 0x0009C508 | 0x0009B908 | 0x00000000 |
| ??Bid@locale@std@@QEAA_KXZ | - | 0x14009C510 | 0x0009C510 | 0x0009B910 | 0x00000000 |
| ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ | - | 0x14009C518 | 0x0009C518 | 0x0009B918 | 0x00000000 |
| ?always_noconv@codecvt_base@std@@QEBA_NXZ | - | 0x14009C520 | 0x0009C520 | 0x0009B920 | 0x00000000 |
| ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z | - | 0x14009C528 | 0x0009C528 | 0x0009B928 | 0x00000000 |
| ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ | - | 0x14009C530 | 0x0009C530 | 0x0009B930 | 0x00000000 |
USER32.dll (6)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ShowWindow | - | 0x14009C540 | 0x0009C540 | 0x0009B940 | 0x00000000 |
| GetSystemMetrics | - | 0x14009C548 | 0x0009C548 | 0x0009B948 | 0x00000000 |
| GetMessageA | - | 0x14009C550 | 0x0009C550 | 0x0009B950 | 0x00000000 |
| MapVirtualKeyW | - | 0x14009C558 | 0x0009C558 | 0x0009B958 | 0x00000000 |
| DispatchMessageA | - | 0x14009C560 | 0x0009C560 | 0x0009B960 | 0x00000000 |
| TranslateMessage | - | 0x14009C568 | 0x0009C568 | 0x0009B968 | 0x00000000 |
VCRUNTIME140.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __std_exception_destroy | - | 0x14009C578 | 0x0009C578 | 0x0009B978 | 0x00000000 |
| __std_exception_copy | - | 0x14009C580 | 0x0009C580 | 0x0009B980 | 0x00000000 |
| strstr | - | 0x14009C588 | 0x0009C588 | 0x0009B988 | 0x00000000 |
| __C_specific_handler | - | 0x14009C590 | 0x0009C590 | 0x0009B990 | 0x00000000 |
| strchr | - | 0x14009C598 | 0x0009C598 | 0x0009B998 | 0x00000000 |
| memchr | - | 0x14009C5A0 | 0x0009C5A0 | 0x0009B9A0 | 0x00000000 |
| __std_terminate | - | 0x14009C5A8 | 0x0009C5A8 | 0x0009B9A8 | 0x00000000 |
| __CxxFrameHandler3 | - | 0x14009C5B0 | 0x0009C5B0 | 0x0009B9B0 | 0x00000000 |
| _CxxThrowException | - | 0x14009C5B8 | 0x0009C5B8 | 0x0009B9B8 | 0x00000000 |
| memset | - | 0x14009C5C0 | 0x0009C5C0 | 0x0009B9C0 | 0x00000000 |
| strrchr | - | 0x14009C5C8 | 0x0009C5C8 | 0x0009B9C8 | 0x00000000 |
| memcmp | - | 0x14009C5D0 | 0x0009C5D0 | 0x0009B9D0 | 0x00000000 |
| memcpy | - | 0x14009C5D8 | 0x0009C5D8 | 0x0009B9D8 | 0x00000000 |
| _purecall | - | 0x14009C5E0 | 0x0009C5E0 | 0x0009B9E0 | 0x00000000 |
| memmove | - | 0x14009C5E8 | 0x0009C5E8 | 0x0009B9E8 | 0x00000000 |
WS2_32.dll (20)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| WSAGetLastError | 0x0000006F | 0x14009C5F8 | 0x0009C5F8 | 0x0009B9F8 | - |
| WSASetLastError | 0x00000070 | 0x14009C600 | 0x0009C600 | 0x0009BA00 | - |
| WSAStartup | 0x00000073 | 0x14009C608 | 0x0009C608 | 0x0009BA08 | - |
| select | 0x00000012 | 0x14009C610 | 0x0009C610 | 0x0009BA10 | - |
| WSARecvFrom | - | 0x14009C618 | 0x0009C618 | 0x0009BA18 | 0x00000000 |
| bind | 0x00000002 | 0x14009C620 | 0x0009C620 | 0x0009BA20 | - |
| WSAIoctl | - | 0x14009C628 | 0x0009C628 | 0x0009BA28 | 0x00000000 |
| closesocket | 0x00000003 | 0x14009C630 | 0x0009C630 | 0x0009BA30 | - |
| WSASend | - | 0x14009C638 | 0x0009C638 | 0x0009BA38 | 0x00000000 |
| shutdown | 0x00000016 | 0x14009C640 | 0x0009C640 | 0x0009BA40 | - |
| WSASocketW | - | 0x14009C648 | 0x0009C648 | 0x0009BA48 | 0x00000000 |
| htonl | 0x00000008 | 0x14009C650 | 0x0009C650 | 0x0009BA50 | - |
| GetAddrInfoW | - | 0x14009C658 | 0x0009C658 | 0x0009BA58 | 0x00000000 |
| FreeAddrInfoW | - | 0x14009C660 | 0x0009C660 | 0x0009BA60 | 0x00000000 |
| setsockopt | 0x00000015 | 0x14009C668 | 0x0009C668 | 0x0009BA68 | - |
| ioctlsocket | 0x0000000A | 0x14009C670 | 0x0009C670 | 0x0009BA70 | - |
| getsockopt | 0x00000007 | 0x14009C678 | 0x0009C678 | 0x0009BA78 | - |
| WSARecv | - | 0x14009C680 | 0x0009C680 | 0x0009BA80 | 0x00000000 |
| socket | 0x00000017 | 0x14009C688 | 0x0009C688 | 0x0009BA88 | - |
| htons | 0x00000009 | 0x14009C690 | 0x0009C690 | 0x0009BA90 | - |
api-ms-win-crt-convert-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| atof | - | 0x14009C6A0 | 0x0009C6A0 | 0x0009BAA0 | 0x00000000 |
| strtoul | - | 0x14009C6A8 | 0x0009C6A8 | 0x0009BAA8 | 0x00000000 |
| _strtoui64 | - | 0x14009C6B0 | 0x0009C6B0 | 0x0009BAB0 | 0x00000000 |
| mbstowcs | - | 0x14009C6B8 | 0x0009C6B8 | 0x0009BAB8 | 0x00000000 |
| strtoull | - | 0x14009C6C0 | 0x0009C6C0 | 0x0009BAC0 | 0x00000000 |
| strtoll | - | 0x14009C6C8 | 0x0009C6C8 | 0x0009BAC8 | 0x00000000 |
| atoi | - | 0x14009C6D0 | 0x0009C6D0 | 0x0009BAD0 | 0x00000000 |
| strtol | - | 0x14009C6D8 | 0x0009C6D8 | 0x0009BAD8 | 0x00000000 |
api-ms-win-crt-environment-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| getenv | - | 0x14009C6E8 | 0x0009C6E8 | 0x0009BAE8 | 0x00000000 |
api-ms-win-crt-filesystem-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _unlock_file | - | 0x14009C6F8 | 0x0009C6F8 | 0x0009BAF8 | 0x00000000 |
| _lock_file | - | 0x14009C700 | 0x0009C700 | 0x0009BB00 | 0x00000000 |
| _fstat64i32 | - | 0x14009C708 | 0x0009C708 | 0x0009BB08 | 0x00000000 |
| _stat64i32 | - | 0x14009C710 | 0x0009C710 | 0x0009BB10 | 0x00000000 |
api-ms-win-crt-heap-l1-1-0.dll (8)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _set_new_mode | - | 0x14009C720 | 0x0009C720 | 0x0009BB20 | 0x00000000 |
| realloc | - | 0x14009C728 | 0x0009C728 | 0x0009BB28 | 0x00000000 |
| _aligned_malloc | - | 0x14009C730 | 0x0009C730 | 0x0009BB30 | 0x00000000 |
| malloc | - | 0x14009C738 | 0x0009C738 | 0x0009BB38 | 0x00000000 |
| free | - | 0x14009C740 | 0x0009C740 | 0x0009BB40 | 0x00000000 |
| calloc | - | 0x14009C748 | 0x0009C748 | 0x0009BB48 | 0x00000000 |
| _callnewh | - | 0x14009C750 | 0x0009C750 | 0x0009BB50 | 0x00000000 |
| _aligned_free | - | 0x14009C758 | 0x0009C758 | 0x0009BB58 | 0x00000000 |
api-ms-win-crt-locale-l1-1-0.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _configthreadlocale | - | 0x14009C768 | 0x0009C768 | 0x0009BB68 | 0x00000000 |
api-ms-win-crt-math-l1-1-0.dll (5)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| modff | - | 0x14009C778 | 0x0009C778 | 0x0009BB78 | 0x00000000 |
| nan | - | 0x14009C780 | 0x0009C780 | 0x0009BB80 | 0x00000000 |
| _dtest | - | 0x14009C788 | 0x0009C788 | 0x0009BB88 | 0x00000000 |
| __setusermatherr | - | 0x14009C790 | 0x0009C790 | 0x0009BB90 | 0x00000000 |
| fabs | - | 0x14009C798 | 0x0009C798 | 0x0009BB98 | 0x00000000 |
api-ms-win-crt-runtime-l1-1-0.dll (25)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _invalid_parameter_noinfo_noreturn | - | 0x14009C7A8 | 0x0009C7A8 | 0x0009BBA8 | 0x00000000 |
| _control87 | - | 0x14009C7B0 | 0x0009C7B0 | 0x0009BBB0 | 0x00000000 |
| _errno | - | 0x14009C7B8 | 0x0009C7B8 | 0x0009BBB8 | 0x00000000 |
| terminate | - | 0x14009C7C0 | 0x0009C7C0 | 0x0009BBC0 | 0x00000000 |
| abort | - | 0x14009C7C8 | 0x0009C7C8 | 0x0009BBC8 | 0x00000000 |
| _beginthreadex | - | 0x14009C7D0 | 0x0009C7D0 | 0x0009BBD0 | 0x00000000 |
| _register_thread_local_exe_atexit_callback | - | 0x14009C7D8 | 0x0009C7D8 | 0x0009BBD8 | 0x00000000 |
| _c_exit | - | 0x14009C7E0 | 0x0009C7E0 | 0x0009BBE0 | 0x00000000 |
| _set_invalid_parameter_handler | - | 0x14009C7E8 | 0x0009C7E8 | 0x0009BBE8 | 0x00000000 |
| __p___argc | - | 0x14009C7F0 | 0x0009C7F0 | 0x0009BBF0 | 0x00000000 |
| _exit | - | 0x14009C7F8 | 0x0009C7F8 | 0x0009BBF8 | 0x00000000 |
| _initterm_e | - | 0x14009C800 | 0x0009C800 | 0x0009BC00 | 0x00000000 |
| _initterm | - | 0x14009C808 | 0x0009C808 | 0x0009BC08 | 0x00000000 |
| _get_initial_narrow_environment | - | 0x14009C810 | 0x0009C810 | 0x0009BC10 | 0x00000000 |
| _set_app_type | - | 0x14009C818 | 0x0009C818 | 0x0009BC18 | 0x00000000 |
| _seh_filter_exe | - | 0x14009C820 | 0x0009C820 | 0x0009BC20 | 0x00000000 |
| _cexit | - | 0x14009C828 | 0x0009C828 | 0x0009BC28 | 0x00000000 |
| _crt_atexit | - | 0x14009C830 | 0x0009C830 | 0x0009BC30 | 0x00000000 |
| _register_onexit_function | - | 0x14009C838 | 0x0009C838 | 0x0009BC38 | 0x00000000 |
| _initialize_onexit_table | - | 0x14009C840 | 0x0009C840 | 0x0009BC40 | 0x00000000 |
| _initialize_narrow_environment | - | 0x14009C848 | 0x0009C848 | 0x0009BC48 | 0x00000000 |
| _configure_narrow_argv | - | 0x14009C850 | 0x0009C850 | 0x0009BC50 | 0x00000000 |
| strerror | - | 0x14009C858 | 0x0009C858 | 0x0009BC58 | 0x00000000 |
| exit | - | 0x14009C860 | 0x0009C860 | 0x0009BC60 | 0x00000000 |
| __p___argv | - | 0x14009C868 | 0x0009C868 | 0x0009BC68 | 0x00000000 |
api-ms-win-crt-stdio-l1-1-0.dll (29)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| __stdio_common_vsscanf | - | 0x14009C878 | 0x0009C878 | 0x0009BC78 | 0x00000000 |
| fflush | - | 0x14009C880 | 0x0009C880 | 0x0009BC80 | 0x00000000 |
| _open | - | 0x14009C888 | 0x0009C888 | 0x0009BC88 | 0x00000000 |
| fwrite | - | 0x14009C890 | 0x0009C890 | 0x0009BC90 | 0x00000000 |
| fputs | - | 0x14009C898 | 0x0009C898 | 0x0009BC98 | 0x00000000 |
| __stdio_common_vsprintf | - | 0x14009C8A0 | 0x0009C8A0 | 0x0009BCA0 | 0x00000000 |
| __acrt_iob_func | - | 0x14009C8A8 | 0x0009C8A8 | 0x0009BCA8 | 0x00000000 |
| ftell | - | 0x14009C8B0 | 0x0009C8B0 | 0x0009BCB0 | 0x00000000 |
| fgetc | - | 0x14009C8B8 | 0x0009C8B8 | 0x0009BCB8 | 0x00000000 |
| fgets | - | 0x14009C8C0 | 0x0009C8C0 | 0x0009BCC0 | 0x00000000 |
| fseek | - | 0x14009C8C8 | 0x0009C8C8 | 0x0009BCC8 | 0x00000000 |
| fgetpos | - | 0x14009C8D0 | 0x0009C8D0 | 0x0009BCD0 | 0x00000000 |
| fputc | - | 0x14009C8D8 | 0x0009C8D8 | 0x0009BCD8 | 0x00000000 |
| __stdio_common_vfprintf | - | 0x14009C8E0 | 0x0009C8E0 | 0x0009BCE0 | 0x00000000 |
| ferror | - | 0x14009C8E8 | 0x0009C8E8 | 0x0009BCE8 | 0x00000000 |
| fsetpos | - | 0x14009C8F0 | 0x0009C8F0 | 0x0009BCF0 | 0x00000000 |
| _fseeki64 | - | 0x14009C8F8 | 0x0009C8F8 | 0x0009BCF8 | 0x00000000 |
| _close | - | 0x14009C900 | 0x0009C900 | 0x0009BD00 | 0x00000000 |
| _read | - | 0x14009C908 | 0x0009C908 | 0x0009BD08 | 0x00000000 |
| setvbuf | - | 0x14009C910 | 0x0009C910 | 0x0009BD10 | 0x00000000 |
| ungetc | - | 0x14009C918 | 0x0009C918 | 0x0009BD18 | 0x00000000 |
| fread | - | 0x14009C920 | 0x0009C920 | 0x0009BD20 | 0x00000000 |
| _get_osfhandle | - | 0x14009C928 | 0x0009C928 | 0x0009BD28 | 0x00000000 |
| __p__commode | - | 0x14009C930 | 0x0009C930 | 0x0009BD30 | 0x00000000 |
| fclose | - | 0x14009C938 | 0x0009C938 | 0x0009BD38 | 0x00000000 |
| _set_fmode | - | 0x14009C940 | 0x0009C940 | 0x0009BD40 | 0x00000000 |
| fopen | - | 0x14009C948 | 0x0009C948 | 0x0009BD48 | 0x00000000 |
| __stdio_common_vswprintf | - | 0x14009C950 | 0x0009C950 | 0x0009BD50 | 0x00000000 |
| _get_stream_buffer_pointers | - | 0x14009C958 | 0x0009C958 | 0x0009BD58 | 0x00000000 |
api-ms-win-crt-string-l1-1-0.dll (15)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _wcsnicmp | - | 0x14009C968 | 0x0009C968 | 0x0009BD68 | 0x00000000 |
| strlen | - | 0x14009C970 | 0x0009C970 | 0x0009BD70 | 0x00000000 |
| wcslen | - | 0x14009C978 | 0x0009C978 | 0x0009BD78 | 0x00000000 |
| strncmp | - | 0x14009C980 | 0x0009C980 | 0x0009BD80 | 0x00000000 |
| _stricmp | - | 0x14009C988 | 0x0009C988 | 0x0009BD88 | 0x00000000 |
| tolower | - | 0x14009C990 | 0x0009C990 | 0x0009BD90 | 0x00000000 |
| _strnicmp | - | 0x14009C998 | 0x0009C998 | 0x0009BD98 | 0x00000000 |
| strncpy | - | 0x14009C9A0 | 0x0009C9A0 | 0x0009BDA0 | 0x00000000 |
| strcpy | - | 0x14009C9A8 | 0x0009C9A8 | 0x0009BDA8 | 0x00000000 |
| strcmp | - | 0x14009C9B0 | 0x0009C9B0 | 0x0009BDB0 | 0x00000000 |
| strcspn | - | 0x14009C9B8 | 0x0009C9B8 | 0x0009BDB8 | 0x00000000 |
| _strdup | - | 0x14009C9C0 | 0x0009C9C0 | 0x0009BDC0 | 0x00000000 |
| isspace | - | 0x14009C9C8 | 0x0009C9C8 | 0x0009BDC8 | 0x00000000 |
| strspn | - | 0x14009C9D0 | 0x0009C9D0 | 0x0009BDD0 | 0x00000000 |
| wcsncpy | - | 0x14009C9D8 | 0x0009C9D8 | 0x0009BDD8 | 0x00000000 |
api-ms-win-crt-time-l1-1-0.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| _time64 | - | 0x14009C9E8 | 0x0009C9E8 | 0x0009BDE8 | 0x00000000 |
| _localtime64_s | - | 0x14009C9F0 | 0x0009C9F0 | 0x0009BDF0 | 0x00000000 |
api-ms-win-crt-utility-l1-1-0.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| srand | - | 0x14009CA00 | 0x0009CA00 | 0x0009BE00 | 0x00000000 |
| rand | - | 0x14009CA08 | 0x0009CA08 | 0x0009BE08 | 0x00000000 |
| qsort | - | 0x14009CA10 | 0x0009CA10 | 0x0009BE10 | 0x00000000 |
| _rotr | - | 0x14009CA18 | 0x0009CA18 | 0x0009BE18 | 0x00000000 |
Memory Dumps (4)
»
| Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| jaqodxz.exe | 19 | 0x7FF700820000 | 0x7FF700B73FFF | First Execution |
|
64-bit | 0x7FF7008BA338 |
|
...
|
| jaqodxz.exe | 19 | 0x7FF700820000 | 0x7FF700B73FFF | Content Changed |
|
64-bit | 0x7FF7008A9014 |
|
...
|
| buffer | 19 | 0x29374CA0000 | 0x29374CAFFFF | Marked Executable |
|
64-bit | - |
|
...
|
| jaqodxz.exe | 19 | 0x7FF700820000 | 0x7FF700B73FFF | Process Termination |
|
64-bit | - |
|
...
|
