Macro-less Word Doc. uses DDE to Execute PowerShell, Download DLL | Files
File Information
Sample files count 1
Created files count 7
Modified files count 0
c:\users\bgc6u8oy yxgxkr\desktop\exaai.doc
File Properties
Names c:\users\bgc6u8oy yxgxkr\desktop\exaai.doc (Sample File)
Size 19.98 KB (20457 bytes)
Hash Values MD5: 292843976600e8ad2130224d70356bfc
SHA1: 31bad7ea8606e3e6d98692fa9f4b3f18ebb3c809
SHA256: d5c27308f50a9c6d8ccd01269ca09a7a13e1615945b8047c4e55c610718e317e
c:\users\bgc6u8oy yxgxkr\appdata\local\tempdebug.dll
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\local\tempdebug.dll (Created File)
Size 519.00 KB (531456 bytes)
Hash Values MD5: 64b2ac701a0d67da134e13b2efc46900
SHA1: 1bb516d70591a5a0eb55ee71f9f38597f3640b14
SHA256: f3f55c3df39b85d934121355bed439b53501f996e9b39d4abed14c7fe8081d92
PE Information
File Properties
Image Base 0x10000000
Entry Point 0x1000780b
Size Of Code 0x15a00
Size Of Initialized Data 0x6c800
Size Of Uninitialized Data 0x0
Format x86
Type Dll
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-07-06 10:50:10
Compiler/Packer Unknown
Sections (7)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x159db 0x15a00 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.72
.rdata 0x10017000 0x9bd6 0x9c00 0x15e00 CNT_INITIALIZED_DATA, MEM_READ 6.16
.data 0x10021000 0x370c 0x2e00 0x1fa00 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 5.55
.gfids 0x10025000 0xa0 0x200 0x22800 CNT_INITIALIZED_DATA, MEM_READ 1.42
.Init 0x10026000 0x1000 0x1000 0x22a00 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 0.17
.rsrc 0x10027000 0x5cd50 0x5ce00 0x23a00 CNT_INITIALIZED_DATA, MEM_READ 8.0
.reloc 0x10084000 0x1240 0x1400 0x80800 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 6.33
Imports (65)
KERNEL32.dll (65)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetLastError 0x0 0x10017000 0x20610 0x1f410
LockResource 0x0 0x10017004 0x20614 0x1f414
UnhandledExceptionFilter 0x0 0x10017008 0x20618 0x1f418
SetUnhandledExceptionFilter 0x0 0x1001700c 0x2061c 0x1f41c
GetCurrentProcess 0x0 0x10017010 0x20620 0x1f420
TerminateProcess 0x0 0x10017014 0x20624 0x1f424
IsProcessorFeaturePresent 0x0 0x10017018 0x20628 0x1f428
QueryPerformanceCounter 0x0 0x1001701c 0x2062c 0x1f42c
GetCurrentProcessId 0x0 0x10017020 0x20630 0x1f430
GetCurrentThreadId 0x0 0x10017024 0x20634 0x1f434
GetSystemTimeAsFileTime 0x0 0x10017028 0x20638 0x1f438
InitializeSListHead 0x0 0x1001702c 0x2063c 0x1f43c
IsDebuggerPresent 0x0 0x10017030 0x20640 0x1f440
GetStartupInfoW 0x0 0x10017034 0x20644 0x1f444
GetModuleHandleW 0x0 0x10017038 0x20648 0x1f448
InterlockedFlushSList 0x0 0x1001703c 0x2064c 0x1f44c
RtlUnwind 0x0 0x10017040 0x20650 0x1f450
SetLastError 0x0 0x10017044 0x20654 0x1f454
EnterCriticalSection 0x0 0x10017048 0x20658 0x1f458
LeaveCriticalSection 0x0 0x1001704c 0x2065c 0x1f45c
DeleteCriticalSection 0x0 0x10017050 0x20660 0x1f460
InitializeCriticalSectionAndSpinCount 0x0 0x10017054 0x20664 0x1f464
TlsAlloc 0x0 0x10017058 0x20668 0x1f468
TlsGetValue 0x0 0x1001705c 0x2066c 0x1f46c
TlsSetValue 0x0 0x10017060 0x20670 0x1f470
TlsFree 0x0 0x10017064 0x20674 0x1f474
FreeLibrary 0x0 0x10017068 0x20678 0x1f478
GetProcAddress 0x0 0x1001706c 0x2067c 0x1f47c
LoadLibraryExW 0x0 0x10017070 0x20680 0x1f480
ExitProcess 0x0 0x10017074 0x20684 0x1f484
GetModuleHandleExW 0x0 0x10017078 0x20688 0x1f488
GetModuleFileNameA 0x0 0x1001707c 0x2068c 0x1f48c
MultiByteToWideChar 0x0 0x10017080 0x20690 0x1f490
WideCharToMultiByte 0x0 0x10017084 0x20694 0x1f494
HeapFree 0x0 0x10017088 0x20698 0x1f498
HeapAlloc 0x0 0x1001708c 0x2069c 0x1f49c
GetACP 0x0 0x10017090 0x206a0 0x1f4a0
GetStdHandle 0x0 0x10017094 0x206a4 0x1f4a4
GetFileType 0x0 0x10017098 0x206a8 0x1f4a8
LCMapStringW 0x0 0x1001709c 0x206ac 0x1f4ac
FindClose 0x0 0x100170a0 0x206b0 0x1f4b0
FindFirstFileExA 0x0 0x100170a4 0x206b4 0x1f4b4
FindNextFileA 0x0 0x100170a8 0x206b8 0x1f4b8
IsValidCodePage 0x0 0x100170ac 0x206bc 0x1f4bc
GetOEMCP 0x0 0x100170b0 0x206c0 0x1f4c0
GetCPInfo 0x0 0x100170b4 0x206c4 0x1f4c4
GetCommandLineA 0x0 0x100170b8 0x206c8 0x1f4c8
GetCommandLineW 0x0 0x100170bc 0x206cc 0x1f4cc
GetEnvironmentStringsW 0x0 0x100170c0 0x206d0 0x1f4d0
FreeEnvironmentStringsW 0x0 0x100170c4 0x206d4 0x1f4d4
GetProcessHeap 0x0 0x100170c8 0x206d8 0x1f4d8
GetStringTypeW 0x0 0x100170cc 0x206dc 0x1f4dc
SetStdHandle 0x0 0x100170d0 0x206e0 0x1f4e0
FlushFileBuffers 0x0 0x100170d4 0x206e4 0x1f4e4
WriteFile 0x0 0x100170d8 0x206e8 0x1f4e8
GetConsoleCP 0x0 0x100170dc 0x206ec 0x1f4ec
GetConsoleMode 0x0 0x100170e0 0x206f0 0x1f4f0
HeapSize 0x0 0x100170e4 0x206f4 0x1f4f4
HeapReAlloc 0x0 0x100170e8 0x206f8 0x1f4f8
SetFilePointerEx 0x0 0x100170ec 0x206fc 0x1f4fc
CloseHandle 0x0 0x100170f0 0x20700 0x1f500
WriteConsoleW 0x0 0x100170f4 0x20704 0x1f504
DecodePointer 0x0 0x100170f8 0x20708 0x1f508
CreateFileW 0x0 0x100170fc 0x2070c 0x1f50c
RaiseException 0x0 0x10017100 0x20710 0x1f510
Exports (2)
Api name EAT Address Ordinal
HOK 0x10001584 0x1
SSSS 0x10001572 0x2
c:\windows\system32\sensr9.dat
File Properties
Names c:\windows\system32\sensr9.dat (Created File)
Size 4.00 KB (4096 bytes)
Hash Values MD5: 422a9797a40f1b1c3a72e9674adffedb
SHA1: 92e351c5e1cc5abc36fb003b435acbc018253f56
SHA256: e002a93f45a9c9577b3f5edd5a018b2d0ad68783db483b77b23cf56016824fac
c:\windows\system32\sensr3.dat
File Properties
Names c:\windows\system32\sensr3.dat (Created File)
Size 97.43 KB (99767 bytes)
Hash Values MD5: 6317421e5b20c3df65bf66b4ec472187
SHA1: c6ed48d2daf396178b1840a1877532c429d85cd0
SHA256: 2f64a87596e52aea3579fd696b472480e90c275d1cdef7e6ac44fea8ea8b4be1
c:\windows\system32\ikeext.dll
File Properties
Names c:\windows\system32\ikeext.dll (Created File)
Size 132.50 KB (135680 bytes)
Hash Values MD5: c3217cf9789f2b7a41f8ce54692d18fd
SHA1: f5bc9b2373201b214b3d0d248c95716023bc0c14
SHA256: f29d6f95c7ae0724bcd4aa64b41c4dc6c88479610dc14272af77376b4b5a26de
PE Information
File Properties
Image Base 0x10000000
Entry Point 0x10002963
Size Of Code 0x14c00
Size Of Initialized Data 0xce00
Size Of Uninitialized Data 0x0
Format x86
Type Dll
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-07-06 10:40:28
Compiler/Packer Unknown
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x10001000 0x14b3b 0x14c00 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.71
.rdata 0x10016000 0x9a64 0x9c00 0x15000 CNT_INITIALIZED_DATA, MEM_READ 6.12
.data 0x10020000 0x1368 0x800 0x1ec00 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 2.19
.gfids 0x10022000 0xa0 0x200 0x1f400 CNT_INITIALIZED_DATA, MEM_READ 1.43
.rsrc 0x10023000 0x710 0x800 0x1f600 CNT_INITIALIZED_DATA, MEM_READ 3.63
.reloc 0x10024000 0x122c 0x1400 0x1fe00 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 6.34
Imports (67)
KERNEL32.dll (66)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
Sleep 0x0 0x10016000 0x1f46c 0x1e46c
GetLastError 0x0 0x10016004 0x1f470 0x1e470
GetModuleHandleA 0x0 0x10016008 0x1f474 0x1e474
CreateFileW 0x0 0x1001600c 0x1f478 0x1e478
UnhandledExceptionFilter 0x0 0x10016010 0x1f47c 0x1e47c
SetUnhandledExceptionFilter 0x0 0x10016014 0x1f480 0x1e480
GetCurrentProcess 0x0 0x10016018 0x1f484 0x1e484
TerminateProcess 0x0 0x1001601c 0x1f488 0x1e488
IsProcessorFeaturePresent 0x0 0x10016020 0x1f48c 0x1e48c
QueryPerformanceCounter 0x0 0x10016024 0x1f490 0x1e490
GetCurrentProcessId 0x0 0x10016028 0x1f494 0x1e494
GetCurrentThreadId 0x0 0x1001602c 0x1f498 0x1e498
GetSystemTimeAsFileTime 0x0 0x10016030 0x1f49c 0x1e49c
InitializeSListHead 0x0 0x10016034 0x1f4a0 0x1e4a0
IsDebuggerPresent 0x0 0x10016038 0x1f4a4 0x1e4a4
GetStartupInfoW 0x0 0x1001603c 0x1f4a8 0x1e4a8
GetModuleHandleW 0x0 0x10016040 0x1f4ac 0x1e4ac
InterlockedFlushSList 0x0 0x10016044 0x1f4b0 0x1e4b0
RtlUnwind 0x0 0x10016048 0x1f4b4 0x1e4b4
SetLastError 0x0 0x1001604c 0x1f4b8 0x1e4b8
EnterCriticalSection 0x0 0x10016050 0x1f4bc 0x1e4bc
LeaveCriticalSection 0x0 0x10016054 0x1f4c0 0x1e4c0
DeleteCriticalSection 0x0 0x10016058 0x1f4c4 0x1e4c4
InitializeCriticalSectionAndSpinCount 0x0 0x1001605c 0x1f4c8 0x1e4c8
TlsAlloc 0x0 0x10016060 0x1f4cc 0x1e4cc
TlsGetValue 0x0 0x10016064 0x1f4d0 0x1e4d0
TlsSetValue 0x0 0x10016068 0x1f4d4 0x1e4d4
TlsFree 0x0 0x1001606c 0x1f4d8 0x1e4d8
FreeLibrary 0x0 0x10016070 0x1f4dc 0x1e4dc
GetProcAddress 0x0 0x10016074 0x1f4e0 0x1e4e0
LoadLibraryExW 0x0 0x10016078 0x1f4e4 0x1e4e4
ExitProcess 0x0 0x1001607c 0x1f4e8 0x1e4e8
GetModuleHandleExW 0x0 0x10016080 0x1f4ec 0x1e4ec
GetModuleFileNameA 0x0 0x10016084 0x1f4f0 0x1e4f0
MultiByteToWideChar 0x0 0x10016088 0x1f4f4 0x1e4f4
WideCharToMultiByte 0x0 0x1001608c 0x1f4f8 0x1e4f8
HeapFree 0x0 0x10016090 0x1f4fc 0x1e4fc
HeapAlloc 0x0 0x10016094 0x1f500 0x1e500
GetACP 0x0 0x10016098 0x1f504 0x1e504
GetStdHandle 0x0 0x1001609c 0x1f508 0x1e508
GetFileType 0x0 0x100160a0 0x1f50c 0x1e50c
LCMapStringW 0x0 0x100160a4 0x1f510 0x1e510
FindClose 0x0 0x100160a8 0x1f514 0x1e514
FindFirstFileExA 0x0 0x100160ac 0x1f518 0x1e518
FindNextFileA 0x0 0x100160b0 0x1f51c 0x1e51c
IsValidCodePage 0x0 0x100160b4 0x1f520 0x1e520
GetOEMCP 0x0 0x100160b8 0x1f524 0x1e524
GetCPInfo 0x0 0x100160bc 0x1f528 0x1e528
GetCommandLineA 0x0 0x100160c0 0x1f52c 0x1e52c
GetCommandLineW 0x0 0x100160c4 0x1f530 0x1e530
GetEnvironmentStringsW 0x0 0x100160c8 0x1f534 0x1e534
FreeEnvironmentStringsW 0x0 0x100160cc 0x1f538 0x1e538
GetProcessHeap 0x0 0x100160d0 0x1f53c 0x1e53c
GetStringTypeW 0x0 0x100160d4 0x1f540 0x1e540
SetStdHandle 0x0 0x100160d8 0x1f544 0x1e544
FlushFileBuffers 0x0 0x100160dc 0x1f548 0x1e548
WriteFile 0x0 0x100160e0 0x1f54c 0x1e54c
GetConsoleCP 0x0 0x100160e4 0x1f550 0x1e550
GetConsoleMode 0x0 0x100160e8 0x1f554 0x1e554
HeapSize 0x0 0x100160ec 0x1f558 0x1e558
HeapReAlloc 0x0 0x100160f0 0x1f55c 0x1e55c
SetFilePointerEx 0x0 0x100160f4 0x1f560 0x1e560
CloseHandle 0x0 0x100160f8 0x1f564 0x1e564
WriteConsoleW 0x0 0x100160fc 0x1f568 0x1e568
DecodePointer 0x0 0x10016100 0x1f56c 0x1e56c
RaiseException 0x0 0x10016104 0x1f570 0x1e570
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
IsRectEmpty 0x0 0x1001610c 0x1f578 0x1e578
Exports (4)
Api name EAT Address Ordinal
IkeServiceMain 0x1001f3da 0x1
SSSS 0x100016fc 0x3
StartWork 0x100013c6 0x4
SvchostPushServiceGlobals 0x1001f40c 0x2
c:\users\bgc6u8~1\appdata\local\temp\iun4816.tmp
File Properties
Names c:\users\bgc6u8~1\appdata\local\temp\iun4816.tmp (Created File)
Size 0.00 KB (0 bytes)
Hash Values MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
c:\users\bgc6u8~1\appdata\local\temp\iun4816.bat
File Properties
Names c:\users\bgc6u8~1\appdata\local\temp\iun4816.bat (Created File)
Size 0.24 KB (245 bytes)
Hash Values MD5: 9cc8f01a19e5c00ef42c554b2aef38fd
SHA1: ac464faa791113edc96cc061835dcf5b698d5b01
SHA256: f7a647b095d8948d42f34958dc73fc9ca569399d81251336a59a1a3dcb6fe908
c:\windows\system32\ikeext32.dll
File Properties
Names c:\windows\system32\ikeext32.dll (Created File)
Size 658.50 KB (674304 bytes)
Hash Values MD5: f95622f161474511b8d80d6b093aa610
SHA1: 691848e306566c63f5dfe1edcca7c7e8882c4caa
SHA256: f2320e25eb9b4aa9a8366bd3aa23eabebe111a5610d3a62eba47d90427d5bc26
PE Information
File Properties
Image Base 0x70060000
Entry Point 0x70084400
Size Of Code 0x8c400
Size Of Initialized Data 0x19400
Size Of Uninitialized Data 0x0
Format x86
Type Dll
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2010-11-20 12:59:52
Compiler/Packer Unknown
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x70061000 0x8c24b 0x8c400 0x600 CNT_CODE, MEM_EXECUTE, MEM_READ 6.43
.data 0x700ee000 0x13dc4 0x12a00 0x8ca00 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 0.46
.rsrc 0x70102000 0x500 0x600 0x9f400 CNT_INITIALIZED_DATA, MEM_READ 2.96
.reloc 0x70103000 0x4ebc 0x5000 0x9fa00 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 6.76
Imports (283)
msvcrt.dll (16)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
memcpy 0x0 0x70061000 0x8b520 0x8ab20
swprintf_s 0x0 0x70061004 0x8b524 0x8ab24
time 0x0 0x70061008 0x8b528 0x8ab28
memcpy_s 0x0 0x7006100c 0x8b52c 0x8ab2c
sprintf_s 0x0 0x70061010 0x8b530 0x8ab30
_ultow_s 0x0 0x70061014 0x8b534 0x8ab34
_vsnprintf 0x0 0x70061018 0x8b538 0x8ab38
_vsnwprintf 0x0 0x7006101c 0x8b53c 0x8ab3c
bsearch 0x0 0x70061020 0x8b540 0x8ab40
_XcptFilter 0x0 0x70061024 0x8b544 0x8ab44
malloc 0x0 0x70061028 0x8b548 0x8ab48
free 0x0 0x7006102c 0x8b54c 0x8ab4c
_initterm 0x0 0x70061030 0x8b550 0x8ab50
_amsg_exit 0x0 0x70061034 0x8b554 0x8ab54
_except_handler4_common 0x0 0x70061038 0x8b558 0x8ab58
memset 0x0 0x7006103c 0x8b55c 0x8ab5c
ntdll.dll (43)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
RtlTimeToTimeFields 0x0 0x70061044 0x8b564 0x8ab64
RtlConvertSidToUnicodeString 0x0 0x70061048 0x8b568 0x8ab68
RtlFreeUnicodeString 0x0 0x7006104c 0x8b56c 0x8ab6c
RtlIntegerToUnicodeString 0x0 0x70061050 0x8b570 0x8ab70
RtlIpv6AddressToStringW 0x0 0x70061054 0x8b574 0x8ab74
RtlIpv4AddressToStringW 0x0 0x70061058 0x8b578 0x8ab78
RtlExpandHashTable 0x0 0x7006105c 0x8b57c 0x8ab7c
RtlContractHashTable 0x0 0x70061060 0x8b580 0x8ab80
RtlDeleteHashTable 0x0 0x70061064 0x8b584 0x8ab84
RtlEndEnumerationHashTable 0x0 0x70061068 0x8b588 0x8ab88
RtlEnumerateEntryHashTable 0x0 0x7006106c 0x8b58c 0x8ab8c
RtlInitEnumerationHashTable 0x0 0x70061070 0x8b590 0x8ab90
RtlGetNextEntryHashTable 0x0 0x70061074 0x8b594 0x8ab94
RtlLookupEntryHashTable 0x0 0x70061078 0x8b598 0x8ab98
RtlRemoveEntryHashTable 0x0 0x7006107c 0x8b59c 0x8ab9c
RtlInsertEntryHashTable 0x0 0x70061080 0x8b5a0 0x8aba0
RtlCreateHashTable 0x0 0x70061084 0x8b5a4 0x8aba4
EtwEventActivityIdControl 0x0 0x70061088 0x8b5a8 0x8aba8
EtwEventUnregister 0x0 0x7006108c 0x8b5ac 0x8abac
EtwEventRegister 0x0 0x70061090 0x8b5b0 0x8abb0
RtlAllocateHeap 0x0 0x70061094 0x8b5b4 0x8abb4
RtlValidRelativeSecurityDescriptor 0x0 0x70061098 0x8b5b8 0x8abb8
EtwEventWrite 0x0 0x7006109c 0x8b5bc 0x8abbc
WinSqmEndSession 0x0 0x700610a0 0x8b5c0 0x8abc0
WinSqmStartSession 0x0 0x700610a4 0x8b5c4 0x8abc4
WinSqmSetDWORD 0x0 0x700610a8 0x8b5c8 0x8abc8
EtwEventEnabled 0x0 0x700610ac 0x8b5cc 0x8abcc
RtlCompareMemory 0x0 0x700610b0 0x8b5d0 0x8abd0
NtQueryInformationToken 0x0 0x700610b4 0x8b5d4 0x8abd4
RtlInitString 0x0 0x700610b8 0x8b5d8 0x8abd8
RtlNtStatusToDosError 0x0 0x700610bc 0x8b5dc 0x8abdc
RtlExtendedLargeIntegerDivide 0x0 0x700610c0 0x8b5e0 0x8abe0
RtlLengthSecurityDescriptor 0x0 0x700610c4 0x8b5e4 0x8abe4
EtwTraceMessage 0x0 0x700610c8 0x8b5e8 0x8abe8
EtwUnregisterTraceGuids 0x0 0x700610cc 0x8b5ec 0x8abec
EtwRegisterTraceGuidsW 0x0 0x700610d0 0x8b5f0 0x8abf0
EtwGetTraceLoggerHandle 0x0 0x700610d4 0x8b5f4 0x8abf4
EtwGetTraceEnableLevel 0x0 0x700610d8 0x8b5f8 0x8abf8
EtwGetTraceEnableFlags 0x0 0x700610dc 0x8b5fc 0x8abfc
RtlAdjustPrivilege 0x0 0x700610e0 0x8b600 0x8ac00
RtlInterlockedPopEntrySList 0x0 0x700610e4 0x8b604 0x8ac04
RtlInterlockedPushEntrySList 0x0 0x700610e8 0x8b608 0x8ac08
RtlInitializeSListHead 0x0 0x700610ec 0x8b60c 0x8ac0c
API-MS-Win-Security-Base-L1-1-0.dll (13)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
DuplicateToken 0x0 0x700610f4 0x8b614 0x8ac14
CreatePrivateObjectSecurityEx 0x0 0x700610f8 0x8b618 0x8ac18
MapGenericMask 0x0 0x700610fc 0x8b61c 0x8ac1c
EqualSid 0x0 0x70061100 0x8b620 0x8ac20
ImpersonateLoggedOnUser 0x0 0x70061104 0x8b624 0x8ac24
GetTokenInformation 0x0 0x70061108 0x8b628 0x8ac28
GetLengthSid 0x0 0x7006110c 0x8b62c 0x8ac2c
ImpersonateAnonymousToken 0x0 0x70061110 0x8b630 0x8ac30
CopySid 0x0 0x70061114 0x8b634 0x8ac34
DestroyPrivateObjectSecurity 0x0 0x70061118 0x8b638 0x8ac38
SetPrivateObjectSecurityEx 0x0 0x7006111c 0x8b63c 0x8ac3c
GetPrivateObjectSecurity 0x0 0x70061120 0x8b640 0x8ac40
RevertToSelf 0x0 0x70061124 0x8b644 0x8ac44
API-MS-WIN-Service-Core-L1-1-0.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
RegisterServiceCtrlHandlerExW 0x0 0x7006112c 0x8b64c 0x8ac4c
SetServiceStatus 0x0 0x70061130 0x8b650 0x8ac50
API-MS-WIN-Service-Management-L1-1-0.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
CloseServiceHandle 0x0 0x70061138 0x8b658 0x8ac58
OpenServiceW 0x0 0x7006113c 0x8b65c 0x8ac5c
OpenSCManagerW 0x0 0x70061140 0x8b660 0x8ac60
API-MS-WIN-Service-Management-L2-1-0.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
QueryServiceConfigW 0x0 0x70061148 0x8b668 0x8ac68
ChangeServiceConfigW 0x0 0x7006114c 0x8b66c 0x8ac6c
pcwum.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
PerfSetCounterSetInfo 0x0 0x70061154 0x8b674 0x8ac74
PerfSetCounterRefValue 0x0 0x70061158 0x8b678 0x8ac78
PerfSetULongCounterValue 0x0 0x7006115c 0x8b67c 0x8ac7c
PerfStartProvider 0x0 0x70061160 0x8b680 0x8ac80
PerfCreateInstance 0x0 0x70061164 0x8b684 0x8ac84
PerfStopProvider 0x0 0x70061168 0x8b688 0x8ac88
WS2_32.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
WSASocketA 0x0 0x70061170 0x8b690 0x8ac90
ntohs 0xf 0x70061174 0x8b694 0x8ac94
htonl 0x8 0x70061178 0x8b698 0x8ac98
ntohl 0xe 0x7006117c 0x8b69c 0x8ac9c
WSCEnumProtocols 0x0 0x70061180 0x8b6a0 0x8aca0
closesocket 0x3 0x70061184 0x8b6a4 0x8aca4
bind 0x2 0x70061188 0x8b6a8 0x8aca8
setsockopt 0x15 0x7006118c 0x8b6ac 0x8acac
WSASocketW 0x0 0x70061190 0x8b6b0 0x8acb0
WSAEventSelect 0x0 0x70061194 0x8b6b4 0x8acb4
WSAIoctl 0x0 0x70061198 0x8b6b8 0x8acb8
WSAStartup 0x73 0x7006119c 0x8b6bc 0x8acbc
WSACleanup 0x74 0x700611a0 0x8b6c0 0x8acc0
WSAGetLastError 0x6f 0x700611a4 0x8b6c4 0x8acc4
htons 0x9 0x700611a8 0x8b6c8 0x8acc8
RPCRT4.dll (26)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
RpcEpRegisterW 0x0 0x700611b0 0x8b6d0 0x8acd0
RpcServerInqBindings 0x0 0x700611b4 0x8b6d4 0x8acd4
RpcServerRegisterIfEx 0x0 0x700611b8 0x8b6d8 0x8acd8
RpcServerUseProtseqW 0x0 0x700611bc 0x8b6dc 0x8acdc
RpcGetAuthorizationContextForClient 0x0 0x700611c0 0x8b6e0 0x8ace0
RpcFreeAuthorizationContext 0x0 0x700611c4 0x8b6e4 0x8ace4
RpcRevertToSelf 0x0 0x700611c8 0x8b6e8 0x8ace8
RpcImpersonateClient 0x0 0x700611cc 0x8b6ec 0x8acec
UuidCreate 0x0 0x700611d0 0x8b6f0 0x8acf0
RpcRaiseException 0x0 0x700611d4 0x8b6f4 0x8acf4
I_RpcExceptionFilter 0x0 0x700611d8 0x8b6f8 0x8acf8
MesEncodeDynBufferHandleCreate 0x0 0x700611dc 0x8b6fc 0x8acfc
MesDecodeBufferHandleCreate 0x0 0x700611e0 0x8b700 0x8ad00
NdrMesTypeEncode2 0x0 0x700611e4 0x8b704 0x8ad04
RpcBindingVectorFree 0x0 0x700611e8 0x8b708 0x8ad08
NdrMesTypeFree2 0x0 0x700611ec 0x8b70c 0x8ad0c
RpcStringFreeW 0x0 0x700611f0 0x8b710 0x8ad10
UuidToStringW 0x0 0x700611f4 0x8b714 0x8ad14
RpcServerInqCallAttributesW 0x0 0x700611f8 0x8b718 0x8ad18
MesHandleFree 0x0 0x700611fc 0x8b71c 0x8ad1c
RpcEpUnregister 0x0 0x70061200 0x8b720 0x8ad20
NdrMesTypeDecode2 0x0 0x70061204 0x8b724 0x8ad24
NdrAsyncServerCall 0x0 0x70061208 0x8b728 0x8ad28
NdrServerCall2 0x0 0x7006120c 0x8b72c 0x8ad2c
RpcAsyncCompleteCall 0x0 0x70061210 0x8b730 0x8ad30
RpcServerUnregisterIfEx 0x0 0x70061214 0x8b734 0x8ad34
SspiCli.dll (20)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
QueryContextAttributesW 0x0 0x7006121c 0x8b73c 0x8ad3c
LsaFreeReturnBuffer 0x0 0x70061220 0x8b740 0x8ad40
LsaLogonUser 0x0 0x70061224 0x8b744 0x8ad44
FreeCredentialsHandle 0x0 0x70061228 0x8b748 0x8ad48
InitializeSecurityContextW 0x0 0x7006122c 0x8b74c 0x8ad4c
AcceptSecurityContext 0x0 0x70061230 0x8b750 0x8ad50
DeleteSecurityContext 0x0 0x70061234 0x8b754 0x8ad54
AcquireCredentialsHandleW 0x0 0x70061238 0x8b758 0x8ad58
EncryptMessage 0x0 0x7006123c 0x8b75c 0x8ad5c
DecryptMessage 0x0 0x70061240 0x8b760 0x8ad60
LsaUnregisterPolicyChangeNotification 0x0 0x70061244 0x8b764 0x8ad64
LsaRegisterPolicyChangeNotification 0x0 0x70061248 0x8b768 0x8ad68
QuerySecurityPackageInfoW 0x0 0x7006124c 0x8b76c 0x8ad6c
QueryCredentialsAttributesW 0x0 0x70061250 0x8b770 0x8ad70
FreeContextBuffer 0x0 0x70061254 0x8b774 0x8ad74
QuerySecurityContextToken 0x0 0x70061258 0x8b778 0x8ad78
LsaLookupAuthenticationPackage 0x0 0x7006125c 0x8b77c 0x8ad7c
LsaDeregisterLogonProcess 0x0 0x70061260 0x8b780 0x8ad80
LsaCallAuthenticationPackage 0x0 0x70061264 0x8b784 0x8ad84
LsaRegisterLogonProcess 0x0 0x70061268 0x8b788 0x8ad88
AUTHZ.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
AuthzInitializeResourceManager 0x0 0x70061270 0x8b790 0x8ad90
AuthzAccessCheck 0x0 0x70061274 0x8b794 0x8ad94
AuthzFreeResourceManager 0x0 0x70061278 0x8b798 0x8ad98
AuthziFreeAuditEventType 0x0 0x7006127c 0x8b79c 0x8ad9c
AuthzFreeAuditEvent 0x0 0x70061280 0x8b7a0 0x8ada0
AuthziLogAuditEvent 0x0 0x70061284 0x8b7a4 0x8ada4
AuthziInitializeAuditEvent 0x0 0x70061288 0x8b7a8 0x8ada8
AuthziInitializeAuditParamsFromArray 0x0 0x7006128c 0x8b7ac 0x8adac
AuthziInitializeAuditEventType 0x0 0x70061290 0x8b7b0 0x8adb0
fwpuclnt.dll (33)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
FwpsLayerReleaseInProcReplica0 0x0 0x70061298 0x8b7b8 0x8adb8
FwpsClassifyUser0 0x0 0x7006129c 0x8b7bc 0x8adbc
IPsecKeyModuleUpdateAcquire0 0x0 0x700612a0 0x8b7c0 0x8adc0
IPsecSaContextExpire0 0x0 0x700612a4 0x8b7c4 0x8adc4
FwpsQueryIPsecOffloadDone0 0x0 0x700612a8 0x8b7c8 0x8adc8
FwpsQueryIPsecDosFWUsed0 0x0 0x700612ac 0x8b7cc 0x8adcc
FwpmFilterDestroyEnumHandle0 0x0 0x700612b0 0x8b7d0 0x8add0
FwpmFilterEnum0 0x0 0x700612b4 0x8b7d4 0x8add4
FwpmFilterCreateEnumHandle0 0x0 0x700612b8 0x8b7d8 0x8add8
FwpsLayerCreateInProcReplica0 0x0 0x700612bc 0x8b7dc 0x8addc
FwpsOpenToken0 0x0 0x700612c0 0x8b7e0 0x8ade0
IPsecSaContextCreate1 0x0 0x700612c4 0x8b7e4 0x8ade4
FwpmProviderContextGetByKey1 0x0 0x700612c8 0x8b7e8 0x8ade8
FwpmEventProviderFireNetEvent0 0x0 0x700612cc 0x8b7ec 0x8adec
FwpmEventProviderIsNetEventTypeEnabled0 0x0 0x700612d0 0x8b7f0 0x8adf0
IPsecSaContextGetSpi1 0x0 0x700612d4 0x8b7f4 0x8adf4
IPsecSaContextAddInbound1 0x0 0x700612d8 0x8b7f8 0x8adf8
IPsecSaContextAddOutbound1 0x0 0x700612dc 0x8b7fc 0x8adfc
IPsecSaContextUpdate0 0x0 0x700612e0 0x8b800 0x8ae00
FwpmFreeMemory0 0x0 0x700612e4 0x8b804 0x8ae04
FwpsAleExplicitCredentialsQuery0 0x0 0x700612e8 0x8b808 0x8ae08
IkeextGetConfigParameters0 0x0 0x700612ec 0x8b80c 0x8ae0c
FwpmEventProviderDestroy0 0x0 0x700612f0 0x8b810 0x8ae10
FwpmEngineClose0 0x0 0x700612f4 0x8b814 0x8ae14
IPsecKeyModuleDelete0 0x0 0x700612f8 0x8b818 0x8ae18
FwpmFilterUnsubscribeChanges0 0x0 0x700612fc 0x8b81c 0x8ae1c
FwpmProviderContextUnsubscribeChanges0 0x0 0x70061300 0x8b820 0x8ae20
FwpmEngineOpen0 0x0 0x70061304 0x8b824 0x8ae24
FwpmEventProviderCreate0 0x0 0x70061308 0x8b828 0x8ae28
FwpmFilterSubscribeChanges0 0x0 0x7006130c 0x8b82c 0x8ae2c
FwpmProviderContextSubscribeChanges0 0x0 0x70061310 0x8b830 0x8ae30
IPsecKeyModuleAdd0 0x0 0x70061314 0x8b834 0x8ae34
FwpmFilterAdd0 0x0 0x70061318 0x8b838 0x8ae38
NSI.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
NsiGetParameter 0x0 0x70061320 0x8b840 0x8ae40
NsiSetParameter 0x0 0x70061324 0x8b844 0x8ae44
MSASN1.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
ASN1_Decode 0x0 0x7006132c 0x8b84c 0x8ae4c
ASN1_FreeDecoded 0x0 0x70061330 0x8b850 0x8ae50
ASN1_CloseDecoder 0x0 0x70061334 0x8b854 0x8ae54
ASN1_CloseModule 0x0 0x70061338 0x8b858 0x8ae58
ASN1_CreateModule 0x0 0x7006133c 0x8b85c 0x8ae5c
ASN1Free 0x0 0x70061340 0x8b860 0x8ae60
ASN1DecRealloc 0x0 0x70061344 0x8b864 0x8ae64
ASN1_CreateDecoder 0x0 0x70061348 0x8b868 0x8ae68
ASN1BERDecEndOfContents 0x0 0x7006134c 0x8b86c 0x8ae6c
ASN1BERDecPeekTag 0x0 0x70061350 0x8b870 0x8ae70
ASN1DecSetError 0x0 0x70061354 0x8b874 0x8ae74
ASN1BERDecExplicitTag 0x0 0x70061358 0x8b878 0x8ae78
ASN1BERDecOpenType2 0x0 0x7006135c 0x8b87c 0x8ae7c
ASN1BERDecNotEndOfContents 0x0 0x70061360 0x8b880 0x8ae80
KERNEL32.dll (79)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
SetEvent 0x0 0x70061368 0x8b888 0x8ae88
WaitForThreadpoolWaitCallbacks 0x0 0x7006136c 0x8b88c 0x8ae8c
SetThreadpoolWait 0x0 0x70061370 0x8b890 0x8ae90
TrySubmitThreadpoolCallback 0x0 0x70061374 0x8b894 0x8ae94
GetSystemTimeAsFileTime 0x0 0x70061378 0x8b898 0x8ae98
CompareFileTime 0x0 0x7006137c 0x8b89c 0x8ae9c
GetCurrentProcess 0x0 0x70061380 0x8b8a0 0x8aea0
DuplicateHandle 0x0 0x70061384 0x8b8a4 0x8aea4
LocalFree 0x0 0x70061388 0x8b8a8 0x8aea8
GetComputerNameExW 0x0 0x7006138c 0x8b8ac 0x8aeac
FormatMessageW 0x0 0x70061390 0x8b8b0 0x8aeb0
GetSystemTime 0x0 0x70061394 0x8b8b4 0x8aeb4
SystemTimeToFileTime 0x0 0x70061398 0x8b8b8 0x8aeb8
CreateEventW 0x0 0x7006139c 0x8b8bc 0x8aebc
RegisterWaitForSingleObject 0x0 0x700613a0 0x8b8c0 0x8aec0
UnregisterWaitEx 0x0 0x700613a4 0x8b8c4 0x8aec4
InterlockedCompareExchange64 0x0 0x700613a8 0x8b8c8 0x8aec8
InterlockedExchange 0x0 0x700613ac 0x8b8cc 0x8aecc
InterlockedIncrement 0x0 0x700613b0 0x8b8d0 0x8aed0
InterlockedDecrement 0x0 0x700613b4 0x8b8d4 0x8aed4
GetTickCount 0x0 0x700613b8 0x8b8d8 0x8aed8
OutputDebugStringA 0x0 0x700613bc 0x8b8dc 0x8aedc
TlsSetValue 0x0 0x700613c0 0x8b8e0 0x8aee0
TlsGetValue 0x0 0x700613c4 0x8b8e4 0x8aee4
EncodePointer 0x0 0x700613c8 0x8b8e8 0x8aee8
TlsAlloc 0x0 0x700613cc 0x8b8ec 0x8aeec
GetCurrentThread 0x0 0x700613d0 0x8b8f0 0x8aef0
CreateThreadpoolWait 0x0 0x700613d4 0x8b8f4 0x8aef4
CreateThreadpool 0x0 0x700613d8 0x8b8f8 0x8aef8
SetThreadpoolThreadMaximum 0x0 0x700613dc 0x8b8fc 0x8aefc
SetThreadpoolThreadMinimum 0x0 0x700613e0 0x8b900 0x8af00
GetSystemInfo 0x0 0x700613e4 0x8b904 0x8af04
LoadLibraryW 0x0 0x700613e8 0x8b908 0x8af08
CloseHandle 0x0 0x700613ec 0x8b90c 0x8af0c
TlsFree 0x0 0x700613f0 0x8b910 0x8af10
CloseThreadpool 0x0 0x700613f4 0x8b914 0x8af14
CloseThreadpoolWait 0x0 0x700613f8 0x8b918 0x8af18
Sleep 0x0 0x700613fc 0x8b91c 0x8af1c
LoadLibraryExA 0x0 0x70061400 0x8b920 0x8af20
InterlockedCompareExchange 0x0 0x70061404 0x8b924 0x8af24
FreeLibrary 0x0 0x70061408 0x8b928 0x8af28
GetLastError 0x0 0x7006140c 0x8b92c 0x8af2c
OpenEventW 0x0 0x70061410 0x8b930 0x8af30
SetThreadPriority 0x0 0x70061414 0x8b934 0x8af34
GetThreadPriority 0x0 0x70061418 0x8b938 0x8af38
DecodePointer 0x0 0x7006141c 0x8b93c 0x8af3c
UnregisterWait 0x0 0x70061420 0x8b940 0x8af40
HeapCreate 0x0 0x70061424 0x8b944 0x8af44
HeapDestroy 0x0 0x70061428 0x8b948 0x8af48
HeapReAlloc 0x0 0x7006142c 0x8b94c 0x8af4c
HeapAlloc 0x0 0x70061430 0x8b950 0x8af50
HeapFree 0x0 0x70061434 0x8b954 0x8af54
MultiByteToWideChar 0x0 0x70061438 0x8b958 0x8af58
WideCharToMultiByte 0x0 0x7006143c 0x8b95c 0x8af5c
InitializeCriticalSectionAndSpinCount 0x0 0x70061440 0x8b960 0x8af60
DeleteCriticalSection 0x0 0x70061444 0x8b964 0x8af64
EnterCriticalSection 0x0 0x70061448 0x8b968 0x8af68
TryEnterCriticalSection 0x0 0x7006144c 0x8b96c 0x8af6c
LeaveCriticalSection 0x0 0x70061450 0x8b970 0x8af70
InterlockedExchangeAdd 0x0 0x70061454 0x8b974 0x8af74
CreateEventA 0x0 0x70061458 0x8b978 0x8af78
WaitForSingleObject 0x0 0x7006145c 0x8b97c 0x8af7c
ReleaseSemaphore 0x0 0x70061460 0x8b980 0x8af80
CreateSemaphoreW 0x0 0x70061464 0x8b984 0x8af84
CreateTimerQueue 0x0 0x70061468 0x8b988 0x8af88
DeleteTimerQueueEx 0x0 0x7006146c 0x8b98c 0x8af8c
DeleteTimerQueueTimer 0x0 0x70061470 0x8b990 0x8af90
CreateTimerQueueTimer 0x0 0x70061474 0x8b994 0x8af94
GetProcAddress 0x0 0x70061478 0x8b998 0x8af98
DelayLoadFailureHook 0x0 0x7006147c 0x8b99c 0x8af9c
DisableThreadLibraryCalls 0x0 0x70061480 0x8b9a0 0x8afa0
SetUnhandledExceptionFilter 0x0 0x70061484 0x8b9a4 0x8afa4
UnhandledExceptionFilter 0x0 0x70061488 0x8b9a8 0x8afa8
TerminateProcess 0x0 0x7006148c 0x8b9ac 0x8afac
GetCurrentProcessId 0x0 0x70061490 0x8b9b0 0x8afb0
GetCurrentThreadId 0x0 0x70061494 0x8b9b4 0x8afb4
QueryPerformanceCounter 0x0 0x70061498 0x8b9b8 0x8afb8
CompareStringW 0x0 0x7006149c 0x8b9bc 0x8afbc
GetProcessHeap 0x0 0x700614a0 0x8b9c0 0x8afc0
Exports (2)
Api name EAT Address Ordinal
IkeServiceMain 0x70080c1d 0x1
SvchostPushServiceGlobals 0x700856c9 0x2