paladin316

Exes_e20264435aec9a9c68a91dd6b3a9fd80_exe_2019-06-26_14_30.json

Jun 26th, 2019
  1.  
  2. [*] MalFamily: "Dyzu"
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_e20264435aec9a9c68a91dd6b3a9fd80.exe"
  7. [*] File Size: 614400
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd"
  10. [*] MD5: "e20264435aec9a9c68a91dd6b3a9fd80"
  11. [*] SHA1: "96ba4fa0a8c136975b67875fe3c1fa1012a41513"
  12. [*] SHA512: "291978910b3ca2c91040bf76a3718fceb5647a2e678b323672c725f7d6a9028325204cc42d2c2788f0919821bfd924f508a2b90531b9932d6969ddb84c3ea4af"
  13. [*] CRC32: "31DB4324"
  14. [*] SSDEEP: "12288:gF5t9X90+gUebLGtrzPVELs8c0uAVGB7SLCY1J1kGl8V3eZsemDhkJn7:G79XKL+CLs8lVG96r1/kGlVZshDhw7"
  15.  
  16. [*] Process Execution: [
  17. "Exes_e20264435aec9a9c68a91dd6b3a9fd80.exe",
  18. "cmd.exe",
  19. "mfgmjjch.exe",
  20. "svchost.exe",
  21. "mobsync.exe",
  22. "WmiPrvSE.exe"
  23. ]
  24.  
  25. [*] Signatures Detected: [
  26. {
  27. "Description": "A process attempted to delay the analysis task.",
  28. "Details": [
  29. {
  30. "Process": "WmiPrvSE.exe tried to sleep 480 seconds, actually delayed analysis time by 0 seconds"
  31. },
  32. {
  33. "Process": "mfgmjjch.exe tried to sleep 270 seconds, actually delayed analysis time by 0 seconds"
  34. }
  35. ]
  36. },
  37. {
  38. "Description": "Reads data out of its own binary image",
  39. "Details": [
  40. {
  41. "self_read": "process: Exes_e20264435aec9a9c68a91dd6b3a9fd80.exe, pid: 3064, offset: 0x00000000, length: 0x00096000"
  42. }
  43. ]
  44. },
  45. {
  46. "Description": "Drops a binary and executes it",
  47. "Details": [
  48. {
  49. "binary": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe"
  50. }
  51. ]
  52. },
  53. {
  54. "Description": "The binary likely contains encrypted or compressed data.",
  55. "Details": [
  56. {
  57. "section": "name: .rsrc, entropy: 7.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00045000, virtual_size: 0x00044ee4"
  58. }
  59. ]
  60. },
  61. {
  62. "Description": "Sniffs keystrokes",
  63. "Details": [
  64. {
  65. "GetAsyncKeyState": "Process: Exes_e20264435aec9a9c68a91dd6b3a9fd80.exe(3064)"
  66. }
  67. ]
  68. },
  69. {
  70. "Description": "Installs itself for autorun at Windows startup",
  71. "Details": [
  72. {
  73. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe"
  74. },
  75. {
  76. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe"
  77. }
  78. ]
  79. },
  80. {
  81. "Description": "Retrieves Windows ProductID, probably to fingerprint the sandbox",
  82. "Details": []
  83. },
  84. {
  85. "Description": "File has been identified by 33 Antiviruses on VirusTotal as malicious",
  86. "Details": [
  87. {
  88. "MicroWorld-eScan": "Trojan.Agent.DYZU"
  89. },
  90. {
  91. "FireEye": "Generic.mg.e20264435aec9a9c"
  92. },
  93. {
  94. "Cylance": "Unsafe"
  95. },
  96. {
  97. "BitDefender": "Trojan.Agent.DYZU"
  98. },
  99. {
  100. "Cybereason": "malicious.0a8c13"
  101. },
  102. {
  103. "Arcabit": "Trojan.Agent.DYZU"
  104. },
  105. {
  106. "Invincea": "heuristic"
  107. },
  108. {
  109. "APEX": "Malicious"
  110. },
  111. {
  112. "ClamAV": "Win.Malware.Dyzu-7001129-0"
  113. },
  114. {
  115. "Kaspersky": "Trojan.Win32.Agent.xaamjo"
  116. },
  117. {
  118. "Rising": "Spyware.KeyLogger!8.12F (TFE:dGZlOgQRfMoFLoqvng)"
  119. },
  120. {
  121. "Ad-Aware": "Trojan.Agent.DYZU"
  122. },
  123. {
  124. "F-Secure": "Trojan.TR/Dropper.Gen"
  125. },
  126. {
  127. "TrendMicro": "TSPY_VBKEYLOG.SM"
  128. },
  129. {
  130. "Fortinet": "W32/KeyLogger.NJK!tr"
  131. },
  132. {
  133. "Trapmine": "suspicious.low.ml.score"
  134. },
  135. {
  136. "Emsisoft": "Trojan.Agent.DYZU (B)"
  137. },
  138. {
  139. "Ikarus": "Trojan-Spy.Agent"
  140. },
  141. {
  142. "Jiangmin": "Trojan.Agent.bznr"
  143. },
  144. {
  145. "Avira": "TR/Dropper.Gen"
  146. },
  147. {
  148. "MAX": "malware (ai score=86)"
  149. },
  150. {
  151. "Antiy-AVL": "Trojan/Win32.Agent"
  152. },
  153. {
  154. "ZoneAlarm": "Trojan.Win32.Agent.xaamjo"
  155. },
  156. {
  157. "AhnLab-V3": "Malware/Win32.RL_Generic.R267888"
  158. },
  159. {
  160. "VBA32": "Trojan.Sonbokli"
  161. },
  162. {
  163. "ALYac": "Trojan.Agent.DYZU"
  164. },
  165. {
  166. "Malwarebytes": "Trojan.KeyLogger"
  167. },
  168. {
  169. "ESET-NOD32": "a variant of Win32/Spy.KeyLogger.ODN"
  170. },
  171. {
  172. "TrendMicro-HouseCall": "TSPY_VBKEYLOG.SM"
  173. },
  174. {
  175. "SentinelOne": "DFI - Malicious PE"
  176. },
  177. {
  178. "eGambit": "Unsafe.AI_Score_65%"
  179. },
  180. {
  181. "GData": "Trojan.Agent.DYZU"
  182. },
  183. {
  184. "CrowdStrike": "win/malicious_confidence_100% (D)"
  185. }
  186. ]
  187. },
  188. {
  189. "Description": "Checks the version of Bios, possibly for anti-virtualization",
  190. "Details": []
  191. },
  192. {
  193. "Description": "Checks the presence of disk drives in the registry, possibly for anti-virtualization",
  194. "Details": []
  195. },
  196. {
  197. "Description": "Attempts to modify proxy settings",
  198. "Details": []
  199. },
  200. {
  201. "Description": "Creates a copy of itself",
  202. "Details": [
  203. {
  204. "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe"
  205. }
  206. ]
  207. },
  208. {
  209. "Description": "Collects information to fingerprint the system",
  210. "Details": []
  211. },
  212. {
  213. "Description": "Anomalous binary characteristics",
  214. "Details": [
  215. {
  216. "anomaly": "Actual checksum does not match that reported in PE header"
  217. }
  218. ]
  219. }
  220. ]
  221.  
  222. [*] Started Service: []
  223.  
  224. [*] Executed Commands: [
  225. "cmd.exe /c C:\\Users\\user\\AppData\\Local\\Temp\\",
  226. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe",
  227. "C:\\Windows\\System32\\mobsync.exe -Embedding",
  228. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
  229. ]
  230.  
  231. [*] Mutexes: [
  232. "Local\\WininetStartupMutex",
  233. "Local\\ZonesCounterMutex",
  234. "Local\\ZoneAttributeCacheCounterMutex",
  235. "Local\\ZonesCacheCounterMutex",
  236. "Local\\ZonesLockedCacheCounterMutex",
  237. "Local\\_!MSFTHISTORY!_",
  238. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  239. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  240. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  241. "Local\\WininetConnectionMutex",
  242. "Local\\WininetProxyRegistryMutex",
  243. "Local\\!IETld!Mutex",
  244. "Local\\SyncServiceThread",
  245. "CB35EF5D-4591-41d9-BBA2-0363342F3783"
  246. ]
  247.  
  248. [*] Modified Files: [
  249. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF9C234FEC3C7ED892.TMP",
  250. "C:\\Users\\user\\AppData\\Local\\Temp\\",
  251. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  252. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  253. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  254. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\dnserrordiagoff_webOC[1]",
  255. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\dnserrordiagoff_webOC[1]",
  256. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\ErrorPageTemplate[1]",
  257. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\ErrorPageTemplate[2]",
  258. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\errorPageStrings[1]",
  259. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\ErrorPageTemplate[1]",
  260. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\errorPageStrings[2]",
  261. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\errorPageStrings[1]",
  262. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\httpErrorPagesScripts[1]",
  263. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\httpErrorPagesScripts[2]",
  264. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\background_gradient[1]",
  265. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\httpErrorPagesScripts[1]",
  266. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\background_gradient[2]",
  267. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\info_48[1]",
  268. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\info_48[2]",
  269. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\bullet[1]",
  270. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\background_gradient[1]",
  271. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\info_48[1]",
  272. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\bullet[2]",
  273. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\down[1]",
  274. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\down[2]",
  275. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe",
  276. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  277. "\\??\\PIPE\\wkssvc",
  278. "\\??\\PIPE\\srvsvc",
  279. "\\??\\PHYSICALDRIVE0",
  280. "\\??\\CDROM0",
  281. "\\??\\WMIDataDevice",
  282. "\\??\\PIPE\\lsarpc",
  283. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF568DA6D9FC11E368.TMP",
  284. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\dnserrordiagoff_webOC[1]",
  285. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\httpErrorPagesScripts[1]",
  286. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\bullet[1]",
  287. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\down[1]"
  288. ]
  289.  
  290. [*] Deleted Files: [
  291. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\dnserrordiagoff_webOC[1]",
  292. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\dnserrordiagoff_webOC[1]",
  293. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\ErrorPageTemplate[1]",
  294. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\errorPageStrings[2]",
  295. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\ErrorPageTemplate[2]",
  296. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\errorPageStrings[1]",
  297. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\ErrorPageTemplate[1]",
  298. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\errorPageStrings[2]",
  299. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\errorPageStrings[1]",
  300. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\httpErrorPagesScripts[1]",
  301. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\httpErrorPagesScripts[2]",
  302. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\background_gradient[1]",
  303. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\background_gradient[1]",
  304. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\info_48[1]",
  305. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\background_gradient[2]",
  306. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\info_48[2]",
  307. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\bullet[1]",
  308. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\down[1]",
  309. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\bullet[2]",
  310. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\down[2]",
  311. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF9C234FEC3C7ED892.TMP",
  312. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\dnserrordiagoff_webOC[1]",
  313. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\httpErrorPagesScripts[1]",
  314. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\info_48[1]",
  315. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\httpErrorPagesScripts[1]",
  316. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\bullet[1]",
  317. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\down[1]"
  318. ]
  319.  
  320. [*] Modified Registry Keys: [
  321. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Local\\Temp\\namebro",
  322. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Local\\Temp\\namebro\\namebro",
  323. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  324. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  325. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32",
  326. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\EnableFileTracing",
  327. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\EnableConsoleTracing",
  328. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\FileTracingMask",
  329. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\ConsoleTracingMask",
  330. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\MaxFileSize",
  331. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\FileDirectory",
  332. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
  333. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
  334. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
  335. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Local\\Temp\\Text1",
  336. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Local\\Temp\\Text1\\Text1",
  337. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\SyncMgr\\HandlerInstances\\{750FDF10-2A26-11D1-A3EA-080036587F03}\\SyncTime",
  338. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\SyncMgr\\HandlerInstances\\{750FDF10-2A26-11D1-A3EA-080036587F03}\\Enabled",
  339. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\SyncMgr\\HandlerInstances\\{750FDF10-2A26-11D1-A3EA-080036587F03}\\Connected",
  340. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\SyncMgr\\StartAtLogin",
  341. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\namebro",
  342. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\namebro\\namebro",
  343. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\mfgmjjch_RASAPI32",
  344. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\EnableFileTracing",
  345. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\EnableConsoleTracing",
  346. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\FileTracingMask",
  347. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\ConsoleTracingMask",
  348. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\MaxFileSize",
  349. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\FileDirectory",
  350. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\asdsww",
  351. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\asdsww\\asdsww",
  352. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\bweqwqe",
  353. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\bweqwqe\\bweqwqe",
  354. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cqweqwe",
  355. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cqweqwe\\cqweqwe",
  356. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dqweqweqwe",
  357. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dqweqweqwe\\dqweqweqwe"
  358. ]
  359.  
  360. [*] Deleted Registry Keys: [
  361. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  362. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  363. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  364. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  365. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
  366. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL",
  367. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\SW\\{eeab7790-c514-11d1-b42b-00805fc1270e}\\asyncmac\\CustomPropertyHwIdKey",
  368. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\SW\\{EEAB7790-C514-11D1-B42B-00805FC1270E}\\ASYNCMAC\\CustomPropertyHwIdKey"
  369. ]
  370.  
  371. [*] DNS Communications: []
  372.  
  373. [*] Domains: []
  374.  
  375. [*] Network Communication - ICMP: []
  376.  
  377. [*] Network Communication - HTTP: []
  378.  
  379. [*] Network Communication - SMTP: []
  380.  
  381. [*] Network Communication - Hosts: []
  382.  
  383. [*] Network Communication - IRC: []
  384.  
  385. [*] Static Analysis: {
  386. "pe": {
  387. "peid_signatures": null,
  388. "imports": [
  389. {
  390. "imports": [
  391. {
  392. "name": "__vbaVarSub",
  393. "address": "0x401000"
  394. },
  395. {
  396. "name": "__vbaVarTstGt",
  397. "address": "0x401004"
  398. },
  399. {
  400. "name": null,
  401. "address": "0x401008"
  402. },
  403. {
  404. "name": "__vbaStrI2",
  405. "address": "0x40100c"
  406. },
  407. {
  408. "name": "_CIcos",
  409. "address": "0x401010"
  410. },
  411. {
  412. "name": "_adj_fptan",
  413. "address": "0x401014"
  414. },
  415. {
  416. "name": "__vbaStrI4",
  417. "address": "0x401018"
  418. },
  419. {
  420. "name": "__vbaHresultCheck",
  421. "address": "0x40101c"
  422. },
  423. {
  424. "name": "__vbaVarMove",
  425. "address": "0x401020"
  426. },
  427. {
  428. "name": "__vbaVarVargNofree",
  429. "address": "0x401024"
  430. },
  431. {
  432. "name": "__vbaAryMove",
  433. "address": "0x401028"
  434. },
  435. {
  436. "name": "__vbaFreeVar",
  437. "address": "0x40102c"
  438. },
  439. {
  440. "name": "__vbaLateIdCall",
  441. "address": "0x401030"
  442. },
  443. {
  444. "name": null,
  445. "address": "0x401034"
  446. },
  447. {
  448. "name": "__vbaLenBstr",
  449. "address": "0x401038"
  450. },
  451. {
  452. "name": "__vbaStrVarMove",
  453. "address": "0x40103c"
  454. },
  455. {
  456. "name": null,
  457. "address": "0x401040"
  458. },
  459. {
  460. "name": "__vbaPut3",
  461. "address": "0x401044"
  462. },
  463. {
  464. "name": "__vbaFreeVarList",
  465. "address": "0x401048"
  466. },
  467. {
  468. "name": "__vbaEnd",
  469. "address": "0x40104c"
  470. },
  471. {
  472. "name": "_adj_fdiv_m64",
  473. "address": "0x401050"
  474. },
  475. {
  476. "name": null,
  477. "address": "0x401054"
  478. },
  479. {
  480. "name": "__vbaNextEachVar",
  481. "address": "0x401058"
  482. },
  483. {
  484. "name": "__vbaRaiseEvent",
  485. "address": "0x40105c"
  486. },
  487. {
  488. "name": "__vbaFreeObjList",
  489. "address": "0x401060"
  490. },
  491. {
  492. "name": null,
  493. "address": "0x401064"
  494. },
  495. {
  496. "name": "__vbaVarIndexLoadRef",
  497. "address": "0x401068"
  498. },
  499. {
  500. "name": "__vbaStrErrVarCopy",
  501. "address": "0x40106c"
  502. },
  503. {
  504. "name": null,
  505. "address": "0x401070"
  506. },
  507. {
  508. "name": "_adj_fprem1",
  509. "address": "0x401074"
  510. },
  511. {
  512. "name": "__vbaRecAnsiToUni",
  513. "address": "0x401078"
  514. },
  515. {
  516. "name": null,
  517. "address": "0x40107c"
  518. },
  519. {
  520. "name": null,
  521. "address": "0x401080"
  522. },
  523. {
  524. "name": null,
  525. "address": "0x401084"
  526. },
  527. {
  528. "name": "__vbaForEachCollAd",
  529. "address": "0x401088"
  530. },
  531. {
  532. "name": "__vbaVarCmpNe",
  533. "address": "0x40108c"
  534. },
  535. {
  536. "name": "__vbaStrCat",
  537. "address": "0x401090"
  538. },
  539. {
  540. "name": "__vbaLsetFixstr",
  541. "address": "0x401094"
  542. },
  543. {
  544. "name": "__vbaSetSystemError",
  545. "address": "0x401098"
  546. },
  547. {
  548. "name": "__vbaLenBstrB",
  549. "address": "0x40109c"
  550. },
  551. {
  552. "name": "__vbaHresultCheckObj",
  553. "address": "0x4010a0"
  554. },
  555. {
  556. "name": "__vbaLenVar",
  557. "address": "0x4010a4"
  558. },
  559. {
  560. "name": "_adj_fdiv_m32",
  561. "address": "0x4010a8"
  562. },
  563. {
  564. "name": null,
  565. "address": "0x4010ac"
  566. },
  567. {
  568. "name": "__vbaAryVar",
  569. "address": "0x4010b0"
  570. },
  571. {
  572. "name": null,
  573. "address": "0x4010b4"
  574. },
  575. {
  576. "name": "__vbaAryDestruct",
  577. "address": "0x4010b8"
  578. },
  579. {
  580. "name": null,
  581. "address": "0x4010bc"
  582. },
  583. {
  584. "name": "__vbaVarIndexLoadRefLock",
  585. "address": "0x4010c0"
  586. },
  587. {
  588. "name": null,
  589. "address": "0x4010c4"
  590. },
  591. {
  592. "name": "__vbaVarForInit",
  593. "address": "0x4010c8"
  594. },
  595. {
  596. "name": null,
  597. "address": "0x4010cc"
  598. },
  599. {
  600. "name": "__vbaStrLike",
  601. "address": "0x4010d0"
  602. },
  603. {
  604. "name": "__vbaOnError",
  605. "address": "0x4010d4"
  606. },
  607. {
  608. "name": "__vbaObjSet",
  609. "address": "0x4010d8"
  610. },
  611. {
  612. "name": null,
  613. "address": "0x4010dc"
  614. },
  615. {
  616. "name": null,
  617. "address": "0x4010e0"
  618. },
  619. {
  620. "name": "_adj_fdiv_m16i",
  621. "address": "0x4010e4"
  622. },
  623. {
  624. "name": "__vbaObjSetAddref",
  625. "address": "0x4010e8"
  626. },
  627. {
  628. "name": "_adj_fdivr_m16i",
  629. "address": "0x4010ec"
  630. },
  631. {
  632. "name": "__vbaVarIndexLoad",
  633. "address": "0x4010f0"
  634. },
  635. {
  636. "name": null,
  637. "address": "0x4010f4"
  638. },
  639. {
  640. "name": null,
  641. "address": "0x4010f8"
  642. },
  643. {
  644. "name": "__vbaForEachCollVar",
  645. "address": "0x4010fc"
  646. },
  647. {
  648. "name": "__vbaStrFixstr",
  649. "address": "0x401100"
  650. },
  651. {
  652. "name": null,
  653. "address": "0x401104"
  654. },
  655. {
  656. "name": "__vbaBoolVar",
  657. "address": "0x401108"
  658. },
  659. {
  660. "name": "__vbaBoolVarNull",
  661. "address": "0x40110c"
  662. },
  663. {
  664. "name": "__vbaRefVarAry",
  665. "address": "0x401110"
  666. },
  667. {
  668. "name": "__vbaFpR8",
  669. "address": "0x401114"
  670. },
  671. {
  672. "name": "_CIsin",
  673. "address": "0x401118"
  674. },
  675. {
  676. "name": "__vbaErase",
  677. "address": "0x40111c"
  678. },
  679. {
  680. "name": null,
  681. "address": "0x401120"
  682. },
  683. {
  684. "name": "__vbaVarCmpGt",
  685. "address": "0x401124"
  686. },
  687. {
  688. "name": "__vbaVargVarMove",
  689. "address": "0x401128"
  690. },
  691. {
  692. "name": null,
  693. "address": "0x40112c"
  694. },
  695. {
  696. "name": null,
  697. "address": "0x401130"
  698. },
  699. {
  700. "name": "__vbaChkstk",
  701. "address": "0x401134"
  702. },
  703. {
  704. "name": null,
  705. "address": "0x401138"
  706. },
  707. {
  708. "name": "__vbaFileClose",
  709. "address": "0x40113c"
  710. },
  711. {
  712. "name": "EVENT_SINK_AddRef",
  713. "address": "0x401140"
  714. },
  715. {
  716. "name": null,
  717. "address": "0x401144"
  718. },
  719. {
  720. "name": "__vbaGenerateBoundsError",
  721. "address": "0x401148"
  722. },
  723. {
  724. "name": null,
  725. "address": "0x40114c"
  726. },
  727. {
  728. "name": "__vbaGet3",
  729. "address": "0x401150"
  730. },
  731. {
  732. "name": "__vbaStrCmp",
  733. "address": "0x401154"
  734. },
  735. {
  736. "name": "__vbaAryConstruct2",
  737. "address": "0x401158"
  738. },
  739. {
  740. "name": "__vbaVarTstEq",
  741. "address": "0x40115c"
  742. },
  743. {
  744. "name": "__vbaPutOwner4",
  745. "address": "0x401160"
  746. },
  747. {
  748. "name": "__vbaNextEachCollVar",
  749. "address": "0x401164"
  750. },
  751. {
  752. "name": null,
  753. "address": "0x401168"
  754. },
  755. {
  756. "name": "__vbaObjVar",
  757. "address": "0x40116c"
  758. },
  759. {
  760. "name": "DllFunctionCall",
  761. "address": "0x401170"
  762. },
  763. {
  764. "name": null,
  765. "address": "0x401174"
  766. },
  767. {
  768. "name": "__vbaVarOr",
  769. "address": "0x401178"
  770. },
  771. {
  772. "name": null,
  773. "address": "0x40117c"
  774. },
  775. {
  776. "name": null,
  777. "address": "0x401180"
  778. },
  779. {
  780. "name": "__vbaCastObjVar",
  781. "address": "0x401184"
  782. },
  783. {
  784. "name": "__vbaLbound",
  785. "address": "0x401188"
  786. },
  787. {
  788. "name": "_adj_fpatan",
  789. "address": "0x40118c"
  790. },
  791. {
  792. "name": "__vbaFixstrConstruct",
  793. "address": "0x401190"
  794. },
  795. {
  796. "name": "__vbaLateIdCallLd",
  797. "address": "0x401194"
  798. },
  799. {
  800. "name": "__vbaR8Cy",
  801. "address": "0x401198"
  802. },
  803. {
  804. "name": "__vbaRedim",
  805. "address": "0x40119c"
  806. },
  807. {
  808. "name": "__vbaStrR8",
  809. "address": "0x4011a0"
  810. },
  811. {
  812. "name": "__vbaRecUniToAnsi",
  813. "address": "0x4011a4"
  814. },
  815. {
  816. "name": "EVENT_SINK_Release",
  817. "address": "0x4011a8"
  818. },
  819. {
  820. "name": "__vbaNew",
  821. "address": "0x4011ac"
  822. },
  823. {
  824. "name": null,
  825. "address": "0x4011b0"
  826. },
  827. {
  828. "name": null,
  829. "address": "0x4011b4"
  830. },
  831. {
  832. "name": "_CIsqrt",
  833. "address": "0x4011b8"
  834. },
  835. {
  836. "name": "__vbaObjIs",
  837. "address": "0x4011bc"
  838. },
  839. {
  840. "name": "__vbaVarAnd",
  841. "address": "0x4011c0"
  842. },
  843. {
  844. "name": "EVENT_SINK_QueryInterface",
  845. "address": "0x4011c4"
  846. },
  847. {
  848. "name": "__vbaStr2Vec",
  849. "address": "0x4011c8"
  850. },
  851. {
  852. "name": "__vbaVarMul",
  853. "address": "0x4011cc"
  854. },
  855. {
  856. "name": "__vbaExceptHandler",
  857. "address": "0x4011d0"
  858. },
  859. {
  860. "name": null,
  861. "address": "0x4011d4"
  862. },
  863. {
  864. "name": null,
  865. "address": "0x4011d8"
  866. },
  867. {
  868. "name": "__vbaPrintFile",
  869. "address": "0x4011dc"
  870. },
  871. {
  872. "name": "__vbaStrToUnicode",
  873. "address": "0x4011e0"
  874. },
  875. {
  876. "name": null,
  877. "address": "0x4011e4"
  878. },
  879. {
  880. "name": "_adj_fprem",
  881. "address": "0x4011e8"
  882. },
  883. {
  884. "name": "_adj_fdivr_m64",
  885. "address": "0x4011ec"
  886. },
  887. {
  888. "name": null,
  889. "address": "0x4011f0"
  890. },
  891. {
  892. "name": null,
  893. "address": "0x4011f4"
  894. },
  895. {
  896. "name": null,
  897. "address": "0x4011f8"
  898. },
  899. {
  900. "name": null,
  901. "address": "0x4011fc"
  902. },
  903. {
  904. "name": "__vbaFPException",
  905. "address": "0x401200"
  906. },
  907. {
  908. "name": "__vbaInStrVar",
  909. "address": "0x401204"
  910. },
  911. {
  912. "name": null,
  913. "address": "0x401208"
  914. },
  915. {
  916. "name": "__vbaUbound",
  917. "address": "0x40120c"
  918. },
  919. {
  920. "name": "__vbaStrVarVal",
  921. "address": "0x401210"
  922. },
  923. {
  924. "name": "__vbaVarCat",
  925. "address": "0x401214"
  926. },
  927. {
  928. "name": "__vbaI2Var",
  929. "address": "0x401218"
  930. },
  931. {
  932. "name": null,
  933. "address": "0x40121c"
  934. },
  935. {
  936. "name": null,
  937. "address": "0x401220"
  938. },
  939. {
  940. "name": null,
  941. "address": "0x401224"
  942. },
  943. {
  944. "name": "_CIlog",
  945. "address": "0x401228"
  946. },
  947. {
  948. "name": "__vbaFileOpen",
  949. "address": "0x40122c"
  950. },
  951. {
  952. "name": "__vbaVarLateMemCallLdRf",
  953. "address": "0x401230"
  954. },
  955. {
  956. "name": "__vbaVar2Vec",
  957. "address": "0x401234"
  958. },
  959. {
  960. "name": null,
  961. "address": "0x401238"
  962. },
  963. {
  964. "name": null,
  965. "address": "0x40123c"
  966. },
  967. {
  968. "name": "__vbaNew2",
  969. "address": "0x401240"
  970. },
  971. {
  972. "name": "__vbaR8Str",
  973. "address": "0x401244"
  974. },
  975. {
  976. "name": "__vbaInStr",
  977. "address": "0x401248"
  978. },
  979. {
  980. "name": "_adj_fdiv_m32i",
  981. "address": "0x40124c"
  982. },
  983. {
  984. "name": "_adj_fdivr_m32i",
  985. "address": "0x401250"
  986. },
  987. {
  988. "name": "__vbaVarSetObj",
  989. "address": "0x401254"
  990. },
  991. {
  992. "name": null,
  993. "address": "0x401258"
  994. },
  995. {
  996. "name": "__vbaStrCopy",
  997. "address": "0x40125c"
  998. },
  999. {
  1000. "name": "__vbaI4Str",
  1001. "address": "0x401260"
  1002. },
  1003. {
  1004. "name": null,
  1005. "address": "0x401264"
  1006. },
  1007. {
  1008. "name": "__vbaVarCmpLt",
  1009. "address": "0x401268"
  1010. },
  1011. {
  1012. "name": "__vbaFreeStrList",
  1013. "address": "0x40126c"
  1014. },
  1015. {
  1016. "name": null,
  1017. "address": "0x401270"
  1018. },
  1019. {
  1020. "name": "_adj_fdivr_m32",
  1021. "address": "0x401274"
  1022. },
  1023. {
  1024. "name": "__vbaPowerR8",
  1025. "address": "0x401278"
  1026. },
  1027. {
  1028. "name": "__vbaR8Var",
  1029. "address": "0x40127c"
  1030. },
  1031. {
  1032. "name": "_adj_fdiv_r",
  1033. "address": "0x401280"
  1034. },
  1035. {
  1036. "name": null,
  1037. "address": "0x401284"
  1038. },
  1039. {
  1040. "name": null,
  1041. "address": "0x401288"
  1042. },
  1043. {
  1044. "name": "__vbaVarTstNe",
  1045. "address": "0x40128c"
  1046. },
  1047. {
  1048. "name": "__vbaVarSetVar",
  1049. "address": "0x401290"
  1050. },
  1051. {
  1052. "name": "__vbaI4Var",
  1053. "address": "0x401294"
  1054. },
  1055. {
  1056. "name": "__vbaVarCmpEq",
  1057. "address": "0x401298"
  1058. },
  1059. {
  1060. "name": null,
  1061. "address": "0x40129c"
  1062. },
  1063. {
  1064. "name": "__vbaFpCy",
  1065. "address": "0x4012a0"
  1066. },
  1067. {
  1068. "name": null,
  1069. "address": "0x4012a4"
  1070. },
  1071. {
  1072. "name": "__vbaAryLock",
  1073. "address": "0x4012a8"
  1074. },
  1075. {
  1076. "name": "__vbaVarAdd",
  1077. "address": "0x4012ac"
  1078. },
  1079. {
  1080. "name": "__vbaStrComp",
  1081. "address": "0x4012b0"
  1082. },
  1083. {
  1084. "name": "__vbaStrToAnsi",
  1085. "address": "0x4012b4"
  1086. },
  1087. {
  1088. "name": null,
  1089. "address": "0x4012b8"
  1090. },
  1091. {
  1092. "name": "__vbaVarDup",
  1093. "address": "0x4012bc"
  1094. },
  1095. {
  1096. "name": "__vbaFpI2",
  1097. "address": "0x4012c0"
  1098. },
  1099. {
  1100. "name": "__vbaVarMod",
  1101. "address": "0x4012c4"
  1102. },
  1103. {
  1104. "name": "__vbaVarLateMemCallLd",
  1105. "address": "0x4012c8"
  1106. },
  1107. {
  1108. "name": null,
  1109. "address": "0x4012cc"
  1110. },
  1111. {
  1112. "name": "__vbaFpI4",
  1113. "address": "0x4012d0"
  1114. },
  1115. {
  1116. "name": "__vbaLateMemCallLd",
  1117. "address": "0x4012d4"
  1118. },
  1119. {
  1120. "name": null,
  1121. "address": "0x4012d8"
  1122. },
  1123. {
  1124. "name": "_CIatan",
  1125. "address": "0x4012dc"
  1126. },
  1127. {
  1128. "name": "__vbaCastObj",
  1129. "address": "0x4012e0"
  1130. },
  1131. {
  1132. "name": null,
  1133. "address": "0x4012e4"
  1134. },
  1135. {
  1136. "name": "__vbaAryCopy",
  1137. "address": "0x4012e8"
  1138. },
  1139. {
  1140. "name": "__vbaStrMove",
  1141. "address": "0x4012ec"
  1142. },
  1143. {
  1144. "name": "__vbaForEachVar",
  1145. "address": "0x4012f0"
  1146. },
  1147. {
  1148. "name": null,
  1149. "address": "0x4012f4"
  1150. },
  1151. {
  1152. "name": "__vbaStrVarCopy",
  1153. "address": "0x4012f8"
  1154. },
  1155. {
  1156. "name": "__vbaR8IntI4",
  1157. "address": "0x4012fc"
  1158. },
  1159. {
  1160. "name": "_allmul",
  1161. "address": "0x401300"
  1162. },
  1163. {
  1164. "name": "__vbaLateIdSt",
  1165. "address": "0x401304"
  1166. },
  1167. {
  1168. "name": "_CItan",
  1169. "address": "0x401308"
  1170. },
  1171. {
  1172. "name": "__vbaNextEachCollAd",
  1173. "address": "0x40130c"
  1174. },
  1175. {
  1176. "name": "__vbaAryUnlock",
  1177. "address": "0x401310"
  1178. },
  1179. {
  1180. "name": "__vbaUI1Var",
  1181. "address": "0x401314"
  1182. },
  1183. {
  1184. "name": "__vbaFPInt",
  1185. "address": "0x401318"
  1186. },
  1187. {
  1188. "name": "__vbaVarForNext",
  1189. "address": "0x40131c"
  1190. },
  1191. {
  1192. "name": "_CIexp",
  1193. "address": "0x401320"
  1194. },
  1195. {
  1196. "name": "__vbaFreeStr",
  1197. "address": "0x401324"
  1198. },
  1199. {
  1200. "name": "__vbaFreeObj",
  1201. "address": "0x401328"
  1202. },
  1203. {
  1204. "name": null,
  1205. "address": "0x40132c"
  1206. }
  1207. ],
  1208. "dll": "MSVBVM60.DLL"
  1209. }
  1210. ],
  1211. "digital_signers": null,
  1212. "exported_dll_name": null,
  1213. "actual_checksum": "0x00097835",
  1214. "overlay": null,
  1215. "imagebase": "0x00400000",
  1216. "reported_checksum": "0x00060842",
  1217. "icon_hash": null,
  1218. "entrypoint": "0x00403668",
  1219. "timestamp": "2019-06-23 14:57:07",
  1220. "osversion": "4.0",
  1221. "sections": [
  1222. {
  1223. "name": ".text",
  1224. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1225. "virtual_address": "0x00001000",
  1226. "size_of_data": "0x0004f000",
  1227. "entropy": "6.15",
  1228. "raw_address": "0x00001000",
  1229. "virtual_size": "0x0004e634",
  1230. "characteristics_raw": "0x60000020"
  1231. },
  1232. {
  1233. "name": ".data",
  1234. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1235. "virtual_address": "0x00050000",
  1236. "size_of_data": "0x00001000",
  1237. "entropy": "0.00",
  1238. "raw_address": "0x00050000",
  1239. "virtual_size": "0x0000424c",
  1240. "characteristics_raw": "0xc0000040"
  1241. },
  1242. {
  1243. "name": ".rsrc",
  1244. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1245. "virtual_address": "0x00055000",
  1246. "size_of_data": "0x00045000",
  1247. "entropy": "7.94",
  1248. "raw_address": "0x00051000",
  1249. "virtual_size": "0x00044ee4",
  1250. "characteristics_raw": "0x40000040"
  1251. }
  1252. ],
  1253. "resources": [],
  1254. "dirents": [
  1255. {
  1256. "virtual_address": "0x00000000",
  1257. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1258. "size": "0x00000000"
  1259. },
  1260. {
  1261. "virtual_address": "0x0004e934",
  1262. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1263. "size": "0x00000028"
  1264. },
  1265. {
  1266. "virtual_address": "0x00055000",
  1267. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1268. "size": "0x00044ee4"
  1269. },
  1270. {
  1271. "virtual_address": "0x00000000",
  1272. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1273. "size": "0x00000000"
  1274. },
  1275. {
  1276. "virtual_address": "0x00000000",
  1277. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1278. "size": "0x00000000"
  1279. },
  1280. {
  1281. "virtual_address": "0x00000000",
  1282. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1283. "size": "0x00000000"
  1284. },
  1285. {
  1286. "virtual_address": "0x00000000",
  1287. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1288. "size": "0x00000000"
  1289. },
  1290. {
  1291. "virtual_address": "0x00000000",
  1292. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1293. "size": "0x00000000"
  1294. },
  1295. {
  1296. "virtual_address": "0x00000000",
  1297. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1298. "size": "0x00000000"
  1299. },
  1300. {
  1301. "virtual_address": "0x00000000",
  1302. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1303. "size": "0x00000000"
  1304. },
  1305. {
  1306. "virtual_address": "0x00000000",
  1307. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1308. "size": "0x00000000"
  1309. },
  1310. {
  1311. "virtual_address": "0x00000228",
  1312. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1313. "size": "0x00000020"
  1314. },
  1315. {
  1316. "virtual_address": "0x00001000",
  1317. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1318. "size": "0x00000334"
  1319. },
  1320. {
  1321. "virtual_address": "0x00000000",
  1322. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1323. "size": "0x00000000"
  1324. },
  1325. {
  1326. "virtual_address": "0x00000000",
  1327. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1328. "size": "0x00000000"
  1329. },
  1330. {
  1331. "virtual_address": "0x00000000",
  1332. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1333. "size": "0x00000000"
  1334. }
  1335. ],
  1336. "exports": [],
  1337. "guest_signers": {},
  1338. "imphash": "8b4b00a271719e03c25e04affc535ce8",
  1339. "icon_fuzzy": null,
  1340. "icon": null,
  1341. "pdbpath": null,
  1342. "imported_dll_count": 1,
  1343. "versioninfo": []
  1344. }
  1345. }
  1346.  
  1347. [*] Resolved APIs: [
  1348. "cryptbase.dll.SystemFunction036",
  1349. "uxtheme.dll.ThemeInitApiHook",
  1350. "user32.dll.IsProcessDPIAware",
  1351. "oleaut32.dll.OleLoadPictureEx",
  1352. "oleaut32.dll.DispCallFunc",
  1353. "oleaut32.dll.LoadTypeLibEx",
  1354. "oleaut32.dll.UnRegisterTypeLib",
  1355. "oleaut32.dll.CreateTypeLib2",
  1356. "oleaut32.dll.VarDateFromUdate",
  1357. "oleaut32.dll.VarUdateFromDate",
  1358. "oleaut32.dll.GetAltMonthNames",
  1359. "oleaut32.dll.VarNumFromParseNum",
  1360. "oleaut32.dll.VarParseNumFromStr",
  1361. "oleaut32.dll.VarDecFromR4",
  1362. "oleaut32.dll.VarDecFromR8",
  1363. "oleaut32.dll.VarDecFromDate",
  1364. "oleaut32.dll.VarDecFromI4",
  1365. "oleaut32.dll.VarDecFromCy",
  1366. "oleaut32.dll.VarR4FromDec",
  1367. "oleaut32.dll.GetRecordInfoFromTypeInfo",
  1368. "oleaut32.dll.GetRecordInfoFromGuids",
  1369. "oleaut32.dll.SafeArrayGetRecordInfo",
  1370. "oleaut32.dll.SafeArraySetRecordInfo",
  1371. "oleaut32.dll.SafeArrayGetIID",
  1372. "oleaut32.dll.SafeArraySetIID",
  1373. "oleaut32.dll.SafeArrayCopyData",
  1374. "oleaut32.dll.SafeArrayAllocDescriptorEx",
  1375. "oleaut32.dll.SafeArrayCreateEx",
  1376. "oleaut32.dll.VarFormat",
  1377. "oleaut32.dll.VarFormatDateTime",
  1378. "oleaut32.dll.VarFormatNumber",
  1379. "oleaut32.dll.VarFormatPercent",
  1380. "oleaut32.dll.VarFormatCurrency",
  1381. "oleaut32.dll.VarWeekdayName",
  1382. "oleaut32.dll.VarMonthName",
  1383. "oleaut32.dll.VarAdd",
  1384. "oleaut32.dll.VarAnd",
  1385. "oleaut32.dll.VarCat",
  1386. "oleaut32.dll.VarDiv",
  1387. "oleaut32.dll.VarEqv",
  1388. "oleaut32.dll.VarIdiv",
  1389. "oleaut32.dll.VarImp",
  1390. "oleaut32.dll.VarMod",
  1391. "oleaut32.dll.VarMul",
  1392. "oleaut32.dll.VarOr",
  1393. "oleaut32.dll.VarPow",
  1394. "oleaut32.dll.VarSub",
  1395. "oleaut32.dll.VarXor",
  1396. "oleaut32.dll.VarAbs",
  1397. "oleaut32.dll.VarFix",
  1398. "oleaut32.dll.VarInt",
  1399. "oleaut32.dll.VarNeg",
  1400. "oleaut32.dll.VarNot",
  1401. "oleaut32.dll.VarRound",
  1402. "oleaut32.dll.VarCmp",
  1403. "oleaut32.dll.VarDecAdd",
  1404. "oleaut32.dll.VarDecCmp",
  1405. "oleaut32.dll.VarBstrCat",
  1406. "oleaut32.dll.VarCyMulI4",
  1407. "oleaut32.dll.VarBstrCmp",
  1408. "ole32.dll.CoCreateInstanceEx",
  1409. "ole32.dll.CLSIDFromProgIDEx",
  1410. "sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary",
  1411. "user32.dll.GetSystemMetrics",
  1412. "user32.dll.MonitorFromWindow",
  1413. "user32.dll.MonitorFromRect",
  1414. "user32.dll.MonitorFromPoint",
  1415. "user32.dll.EnumDisplayMonitors",
  1416. "user32.dll.GetMonitorInfoA",
  1417. "ole32.dll.CLSIDFromOle1Class",
  1418. "clbcatq.dll.GetCatalogObject",
  1419. "clbcatq.dll.GetCatalogObject2",
  1420. "cryptsp.dll.CryptAcquireContextW",
  1421. "cryptsp.dll.CryptGenRandom",
  1422. "dwmapi.dll.DwmIsCompositionEnabled",
  1423. "gdi32.dll.GetLayout",
  1424. "gdi32.dll.GdiRealizationInfo",
  1425. "gdi32.dll.FontIsLinked",
  1426. "advapi32.dll.RegOpenKeyExW",
  1427. "advapi32.dll.RegQueryInfoKeyW",
  1428. "gdi32.dll.GetTextFaceAliasW",
  1429. "advapi32.dll.RegEnumValueW",
  1430. "advapi32.dll.RegCloseKey",
  1431. "advapi32.dll.RegQueryValueExW",
  1432. "gdi32.dll.GetFontAssocStatus",
  1433. "advapi32.dll.RegQueryValueExA",
  1434. "advapi32.dll.RegEnumKeyExW",
  1435. "gdi32.dll.GdiIsMetaPrintDC",
  1436. "lpk.dll.LpkEditControl",
  1437. "comctl32.dll.HIMAGELIST_QueryInterface",
  1438. "comctl32.dll.DrawShadowText",
  1439. "comctl32.dll.DrawSizeBox",
  1440. "comctl32.dll.DrawScrollBar",
  1441. "comctl32.dll.SizeBoxHwnd",
  1442. "comctl32.dll.ScrollBar_MouseMove",
  1443. "comctl32.dll.ScrollBar_Menu",
  1444. "comctl32.dll.HandleScrollCmd",
  1445. "comctl32.dll.DetachScrollBars",
  1446. "comctl32.dll.AttachScrollBars",
  1447. "comctl32.dll.CCSetScrollInfo",
  1448. "comctl32.dll.CCGetScrollInfo",
  1449. "comctl32.dll.CCEnableScrollBar",
  1450. "comctl32.dll.QuerySystemGestureStatus",
  1451. "uxtheme.dll.#49",
  1452. "uxtheme.dll.CloseThemeData",
  1453. "ole32.dll.CoTaskMemAlloc",
  1454. "ole32.dll.CreateBindCtx",
  1455. "comctl32.dll.#328",
  1456. "comctl32.dll.#334",
  1457. "ole32.dll.CoGetMalloc",
  1458. "ole32.dll.CoGetApartmentType",
  1459. "ole32.dll.CoRegisterInitializeSpy",
  1460. "comctl32.dll.#236",
  1461. "oleaut32.dll.#6",
  1462. "comctl32.dll.#332",
  1463. "comctl32.dll.#320",
  1464. "ole32.dll.StringFromGUID2",
  1465. "comctl32.dll.#324",
  1466. "comctl32.dll.#323",
  1467. "apphelp.dll.ApphelpCheckShellObject",
  1468. "ole32.dll.CoCreateInstance",
  1469. "ntdll.dll.RtlDllShutdownInProgress",
  1470. "comctl32.dll.#386",
  1471. "comctl32.dll.#329",
  1472. "propsys.dll.#417",
  1473. "propsys.dll.PSGetNameFromPropertyKey",
  1474. "propsys.dll.PSStringFromPropertyKey",
  1475. "propsys.dll.InitVariantFromBuffer",
  1476. "oleaut32.dll.#9",
  1477. "propsys.dll.PropVariantToGUID",
  1478. "ole32.dll.PropVariantClear",
  1479. "ole32.dll.CoInitializeEx",
  1480. "ole32.dll.CoTaskMemFree",
  1481. "ole32.dll.CoUninitialize",
  1482. "kernel32.dll.InitializeSRWLock",
  1483. "kernel32.dll.AcquireSRWLockExclusive",
  1484. "kernel32.dll.AcquireSRWLockShared",
  1485. "kernel32.dll.ReleaseSRWLockExclusive",
  1486. "kernel32.dll.ReleaseSRWLockShared",
  1487. "uxtheme.dll.DrawThemeBackground",
  1488. "oleaut32.dll.#2",
  1489. "kernel32.dll.GetThreadPreferredUILanguages",
  1490. "kernel32.dll.SetThreadPreferredUILanguages",
  1491. "kernel32.dll.LocaleNameToLCID",
  1492. "kernel32.dll.GetLocaleInfoEx",
  1493. "kernel32.dll.LCIDToLocaleName",
  1494. "kernel32.dll.GetSystemDefaultLocaleName",
  1495. "advapi32.dll.RegEnumKeyW",
  1496. "oleaut32.dll.#283",
  1497. "oleaut32.dll.#284",
  1498. "kernel32.dll.GetComputerNameA",
  1499. "kernel32.dll.NlsGetCacheUpdateCount",
  1500. "kernel32.dll.GlobalMemoryStatusEx",
  1501. "kernel32.dll.Sleep",
  1502. "advapi32.dll.OpenThreadToken",
  1503. "advapi32.dll.InitializeSecurityDescriptor",
  1504. "advapi32.dll.SetEntriesInAclW",
  1505. "ntmarta.dll.GetMartaExtensionInterface",
  1506. "advapi32.dll.SetSecurityDescriptorDacl",
  1507. "advapi32.dll.IsTextUnicode",
  1508. "comctl32.dll.#338",
  1509. "comctl32.dll.#339",
  1510. "shell32.dll.#102",
  1511. "shell32.dll.SHGetPathFromIDListW",
  1512. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  1513. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  1514. "sechost.dll.ConvertSidToStringSidW",
  1515. "profapi.dll.#104",
  1516. "propsys.dll.PSCreateMemoryPropertyStore",
  1517. "propsys.dll.PSPropertyBag_WriteStr",
  1518. "propsys.dll.PSPropertyBag_WriteGUID",
  1519. "propsys.dll.PSPropertyBag_ReadGUID",
  1520. "urlmon.dll.CreateUri",
  1521. "urlmon.dll.CreateURLMonikerEx",
  1522. "urlmon.dll.CreateAsyncBindCtxEx",
  1523. "urlmon.dll.RegisterBindStatusCallback",
  1524. "urlmon.dll.CreateFormatEnumerator",
  1525. "urlmon.dll.UrlMkGetSessionOption",
  1526. "urlmon.dll.CoInternetCreateSecurityManager",
  1527. "advapi32.dll.EventActivityIdControl",
  1528. "advapi32.dll.EventWriteTransfer",
  1529. "kernel32.dll.SetFileInformationByHandle",
  1530. "shell32.dll.SHGetFolderPathW",
  1531. "kernel32.dll.GetModuleHandleW",
  1532. "advapi32.dll.AddMandatoryAce",
  1533. "ws2_32.dll.accept",
  1534. "ws2_32.dll.bind",
  1535. "ws2_32.dll.closesocket",
  1536. "ws2_32.dll.connect",
  1537. "ws2_32.dll.getpeername",
  1538. "ws2_32.dll.getsockname",
  1539. "ws2_32.dll.getsockopt",
  1540. "ws2_32.dll.ntohl",
  1541. "ws2_32.dll.htonl",
  1542. "ws2_32.dll.htons",
  1543. "ws2_32.dll.inet_addr",
  1544. "ws2_32.dll.inet_ntoa",
  1545. "ws2_32.dll.ioctlsocket",
  1546. "ws2_32.dll.listen",
  1547. "ws2_32.dll.ntohs",
  1548. "ws2_32.dll.recv",
  1549. "ws2_32.dll.recvfrom",
  1550. "ws2_32.dll.select",
  1551. "ws2_32.dll.send",
  1552. "ws2_32.dll.sendto",
  1553. "ws2_32.dll.setsockopt",
  1554. "ws2_32.dll.shutdown",
  1555. "ws2_32.dll.socket",
  1556. "ws2_32.dll.gethostbyname",
  1557. "ws2_32.dll.gethostname",
  1558. "ws2_32.dll.WSAIoctl",
  1559. "ws2_32.dll.WSAGetLastError",
  1560. "ws2_32.dll.WSASetLastError",
  1561. "ws2_32.dll.WSAStartup",
  1562. "ws2_32.dll.WSACleanup",
  1563. "ws2_32.dll.__WSAFDIsSet",
  1564. "ws2_32.dll.getaddrinfo",
  1565. "ws2_32.dll.freeaddrinfo",
  1566. "ws2_32.dll.getnameinfo",
  1567. "ws2_32.dll.WSALookupServiceBeginW",
  1568. "ws2_32.dll.WSALookupServiceNextW",
  1569. "ws2_32.dll.WSALookupServiceEnd",
  1570. "ws2_32.dll.WSANSPIoctl",
  1571. "ws2_32.dll.WSAStringToAddressA",
  1572. "ws2_32.dll.WSAStringToAddressW",
  1573. "ws2_32.dll.WSAAddressToStringA",
  1574. "dnsapi.dll.DnsGetProxyInformation",
  1575. "dnsapi.dll.DnsFreeProxyName",
  1576. "iphlpapi.dll.GetIpForwardTable2",
  1577. "iphlpapi.dll.FreeMibTable",
  1578. "iphlpapi.dll.GetIfEntry2",
  1579. "iphlpapi.dll.ConvertInterfaceGuidToLuid",
  1580. "iphlpapi.dll.ResolveIpNetEntry2",
  1581. "iphlpapi.dll.GetIpNetEntry2",
  1582. "shlwapi.dll.#260",
  1583. "rasapi32.dll.RasEnumEntriesW",
  1584. "rtutils.dll.TraceRegisterExA",
  1585. "rtutils.dll.TracePrintfExA",
  1586. "shlwapi.dll.PathCanonicalizeW",
  1587. "shlwapi.dll.PathRemoveFileSpecW",
  1588. "shlwapi.dll.PathFindFileNameW",
  1589. "sensapi.dll.IsNetworkAlive",
  1590. "rpcrt4.dll.RpcBindingFromStringBindingW",
  1591. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  1592. "rpcrt4.dll.NdrClientCall2",
  1593. "rasapi32.dll.RasConnectionNotificationW",
  1594. "sechost.dll.NotifyServiceStatusChangeA",
  1595. "nlaapi.dll.NSPStartup",
  1596. "iphlpapi.dll.GetAdapterIndex",
  1597. "rasadhlp.dll.WSAttemptAutodialAddr",
  1598. "rasadhlp.dll.WSAttemptAutodialName",
  1599. "rasadhlp.dll.WSNoteSuccessfulHostentLookup",
  1600. "kernel32.dll.IsWow64Process",
  1601. "urlmon.dll.RevokeBindStatusCallback",
  1602. "wininet.dll.InternetQueryOptionA",
  1603. "urlmon.dll.CreateIUriBuilder",
  1604. "version.dll.GetFileVersionInfoSizeW",
  1605. "version.dll.GetFileVersionInfoW",
  1606. "version.dll.VerQueryValueW",
  1607. "urlmon.dll.#330",
  1608. "urlmon.dll.#414",
  1609. "urlmon.dll.RegisterFormatEnumerator",
  1610. "oleaut32.dll.#3",
  1611. "urlmon.dll.CoInternetIsFeatureEnabled",
  1612. "oleaut32.dll.#201",
  1613. "wininet.dll.CreateUrlCacheEntryA",
  1614. "wininet.dll.CommitUrlCacheEntryA",
  1615. "oleaut32.dll.#7",
  1616. "oleaut32.dll.#8",
  1617. "ieframe.dll.#302",
  1618. "urlmon.dll.#101",
  1619. "oleaut32.dll.VariantClear",
  1620. "mlang.dll.#112",
  1621. "wininet.dll.GetUrlCacheEntryInfoA",
  1622. "ole32.dll.CoGetObjectContext",
  1623. "imgutil.dll.DecodeImage",
  1624. "oleaut32.dll.#147",
  1625. "oleaut32.dll.#4",
  1626. "comctl32.dll.ImageList_Create",
  1627. "comctl32.dll.ImageList_ReplaceIcon",
  1628. "wininet.dll.GetUrlCacheEntryInfoExW",
  1629. "user32.dll.GetAsyncKeyState",
  1630. "comctl32.dll.ImageList_Destroy",
  1631. "oleaut32.dll.#500",
  1632. "ole32.dll.CoRevokeInitializeSpy",
  1633. "comctl32.dll.#388",
  1634. "advapi32.dll.UnregisterTraceGuids",
  1635. "ntdll.dll.EtwUnregisterTraceGuids",
  1636. "rpcrt4.dll.RpcBindingFree",
  1637. "comctl32.dll.#321",
  1638. "cryptsp.dll.CryptReleaseContext",
  1639. "comctl32.dll.#322",
  1640. "user32.dll.IsWindow",
  1641. "user32.dll.GetWindowThreadProcessId",
  1642. "winsta.dll.WinStationRegisterConsoleNotification",
  1643. "advapi32.dll.LookupAccountSidW",
  1644. "advapi32.dll.CreateWellKnownSid",
  1645. "rpcrt4.dll.RpcStringBindingComposeW",
  1646. "rpcrt4.dll.RpcStringFreeW",
  1647. "rpcrt4.dll.RpcAsyncInitializeHandle",
  1648. "rpcrt4.dll.NdrClientCall3",
  1649. "rpcrt4.dll.Ndr64AsyncClientCall",
  1650. "ole32.dll.CoCreateGuid",
  1651. "kernel32.dll.SortGetHandle",
  1652. "kernel32.dll.SortCloseHandle",
  1653. "sechost.dll.LookupAccountNameLocalW",
  1654. "sechost.dll.LookupAccountSidLocalW",
  1655. "fastprox.dll.DllGetClassObject",
  1656. "fastprox.dll.DllCanUnloadNow",
  1657. "kernel32.dll.RegOpenKeyExW",
  1658. "kernel32.dll.RegQueryValueExW",
  1659. "kernel32.dll.RegCloseKey",
  1660. "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  1661. "oleaut32.dll.#289",
  1662. "advapi32.dll.RegOpenKeyW",
  1663. "oleaut32.dll.#287",
  1664. "oleaut32.dll.#288",
  1665. "oleaut32.dll.#290",
  1666. "oleaut32.dll.#285",
  1667. "iphlpapi.dll.GetAdaptersAddresses",
  1668. "iphlpapi.dll.ConvertLengthToIpv4Mask",
  1669. "oleaut32.dll.#15",
  1670. "oleaut32.dll.#26",
  1671. "oleaut32.dll.#16",
  1672. "dnsapi.dll.DnsQueryConfigAllocEx",
  1673. "iphlpapi.dll.GetCurrentThreadCompartmentId",
  1674. "dnsapi.dll.DnsFreeConfigStructure",
  1675. "dnsapi.dll.DnsQueryConfigDword",
  1676. "oleaut32.dll.#286",
  1677. "winbrand.dll.BrandingLoadString",
  1678. "security.dll.InitSecurityInterfaceW",
  1679. "cryptsp.dll.SystemFunction035",
  1680. "schannel.dll.SpUserModeInitialize",
  1681. "advapi32.dll.RegCreateKeyExW",
  1682. "ntdll.dll.RtlInitUnicodeString",
  1683. "ntdll.dll.RtlFreeUnicodeString",
  1684. "ntdll.dll.NtSetSystemEnvironmentValue",
  1685. "ntdll.dll.NtQuerySystemEnvironmentValue",
  1686. "ntdll.dll.NtCreateFile",
  1687. "ntdll.dll.NtQuerySystemInformation",
  1688. "ntdll.dll.NtQueryDirectoryObject",
  1689. "ntdll.dll.NtQueryObject",
  1690. "ntdll.dll.NtOpenDirectoryObject",
  1691. "ntdll.dll.NtQueryInformationProcess",
  1692. "ntdll.dll.NtQueryInformationToken",
  1693. "ntdll.dll.NtOpenFile",
  1694. "ntdll.dll.NtClose",
  1695. "ntdll.dll.NtFsControlFile",
  1696. "ntdll.dll.NtQueryVolumeInformationFile",
  1697. "advapi32.dll.LookupPrivilegeValueW",
  1698. "netapi32.dll.NetGroupEnum",
  1699. "netapi32.dll.NetGroupGetInfo",
  1700. "netapi32.dll.NetGroupSetInfo",
  1701. "netapi32.dll.NetLocalGroupGetInfo",
  1702. "netapi32.dll.NetLocalGroupSetInfo",
  1703. "netapi32.dll.NetGroupGetUsers",
  1704. "netapi32.dll.NetLocalGroupGetMembers",
  1705. "netapi32.dll.NetLocalGroupEnum",
  1706. "netapi32.dll.NetShareEnum",
  1707. "netapi32.dll.NetShareGetInfo",
  1708. "netapi32.dll.NetShareAdd",
  1709. "netapi32.dll.NetShareEnumSticky",
  1710. "netapi32.dll.NetShareSetInfo",
  1711. "netapi32.dll.NetShareDel",
  1712. "netapi32.dll.NetShareDelSticky",
  1713. "netapi32.dll.NetShareCheck",
  1714. "netapi32.dll.NetUserEnum",
  1715. "netapi32.dll.NetUserGetInfo",
  1716. "netapi32.dll.NetUserSetInfo",
  1717. "netapi32.dll.NetApiBufferFree",
  1718. "netapi32.dll.NetQueryDisplayInformation",
  1719. "netapi32.dll.NetServerSetInfo",
  1720. "netapi32.dll.NetServerGetInfo",
  1721. "netapi32.dll.NetGetDCName",
  1722. "netapi32.dll.NetWkstaGetInfo",
  1723. "netapi32.dll.NetGetAnyDCName",
  1724. "netapi32.dll.NetServerEnum",
  1725. "netapi32.dll.NetUserModalsGet",
  1726. "netapi32.dll.NetScheduleJobAdd",
  1727. "netapi32.dll.NetScheduleJobDel",
  1728. "netapi32.dll.NetScheduleJobEnum",
  1729. "netapi32.dll.NetScheduleJobGetInfo",
  1730. "netapi32.dll.NetUseGetInfo",
  1731. "netapi32.dll.NetEnumerateTrustedDomains",
  1732. "netapi32.dll.DsGetDcNameW",
  1733. "netapi32.dll.DsRoleGetPrimaryDomainInformation",
  1734. "netapi32.dll.DsRoleFreeMemory",
  1735. "netapi32.dll.NetRenameMachineInDomain",
  1736. "netapi32.dll.NetJoinDomain",
  1737. "netapi32.dll.NetUnjoinDomain",
  1738. "wkscli.dll.NetWkstaGetInfo",
  1739. "cscapi.dll.CscNetApiGetInterface",
  1740. "kernel32.dll.GetDiskFreeSpaceExW",
  1741. "kernel32.dll.GetVolumePathNameW",
  1742. "kernel32.dll.CreateToolhelp32Snapshot",
  1743. "kernel32.dll.Thread32First",
  1744. "kernel32.dll.Thread32Next",
  1745. "kernel32.dll.Process32First",
  1746. "kernel32.dll.Process32Next",
  1747. "kernel32.dll.Module32First",
  1748. "kernel32.dll.Module32Next",
  1749. "kernel32.dll.Heap32ListFirst",
  1750. "kernel32.dll.GetSystemDefaultUILanguage",
  1751. "wmi.dll.WmiQueryAllDataW",
  1752. "wmi.dll.WmiQuerySingleInstanceW",
  1753. "wmi.dll.WmiSetSingleItemW",
  1754. "wmi.dll.WmiSetSingleInstanceW",
  1755. "wmi.dll.WmiExecuteMethodW",
  1756. "wmi.dll.WmiNotificationRegistrationW",
  1757. "wmi.dll.WmiMofEnumerateResourcesW",
  1758. "wmi.dll.WmiFileHandleToInstanceNameW",
  1759. "wmi.dll.WmiDevInstToInstanceNameW",
  1760. "wmi.dll.WmiQueryGuidInformation",
  1761. "wmi.dll.WmiOpenBlock",
  1762. "wmi.dll.WmiCloseBlock",
  1763. "wmi.dll.WmiFreeBuffer",
  1764. "wmi.dll.WmiEnumerateGuids",
  1765. "oleaut32.dll.#150",
  1766. "wtsapi32.dll.WTSEnumerateSessionsW",
  1767. "winsta.dll.WinStationEnumerateW",
  1768. "rpcrt4.dll.I_RpcExceptionFilter",
  1769. "winsta.dll.WinStationFreeMemory",
  1770. "wtsapi32.dll.WTSQuerySessionInformationW",
  1771. "winsta.dll.WinStationQueryInformationW",
  1772. "advapi32.dll.LookupAccountNameW",
  1773. "wtsapi32.dll.WTSFreeMemory",
  1774. "devobj.dll.DevObjCreateDeviceInfoList",
  1775. "devobj.dll.DevObjGetClassDevs",
  1776. "devobj.dll.DevObjEnumDeviceInfo",
  1777. "devobj.dll.DevObjDestroyDeviceInfoList",
  1778. "powrprof.dll.PowerDeterminePlatformRole",
  1779. "oleaut32.dll.#40",
  1780. "oleaut32.dll.#23",
  1781. "oleaut32.dll.#24",
  1782. "ole32.dll.StringFromCLSID",
  1783. "kernel32.dll.SetThreadUILanguage",
  1784. "kernel32.dll.CopyFileExW",
  1785. "kernel32.dll.IsDebuggerPresent",
  1786. "kernel32.dll.SetConsoleInputExeNameW",
  1787. "advapi32.dll.RegOpenKeyExA",
  1788. "kernel32.dll.GetCurrentProcessId",
  1789. "kernel32.dll.CloseHandle"
  1790. ]
  1791.  
  1792. [*] Static Analysis: {
  1793. "pe": {
  1794. "peid_signatures": null,
  1795. "imports": [
  1796. {
  1797. "imports": [
  1798. {
  1799. "name": "__vbaVarSub",
  1800. "address": "0x401000"
  1801. },
  1802. {
  1803. "name": "__vbaVarTstGt",
  1804. "address": "0x401004"
  1805. },
  1806. {
  1807. "name": null,
  1808. "address": "0x401008"
  1809. },
  1810. {
  1811. "name": "__vbaStrI2",
  1812. "address": "0x40100c"
  1813. },
  1814. {
  1815. "name": "_CIcos",
  1816. "address": "0x401010"
  1817. },
  1818. {
  1819. "name": "_adj_fptan",
  1820. "address": "0x401014"
  1821. },
  1822. {
  1823. "name": "__vbaStrI4",
  1824. "address": "0x401018"
  1825. },
  1826. {
  1827. "name": "__vbaHresultCheck",
  1828. "address": "0x40101c"
  1829. },
  1830. {
  1831. "name": "__vbaVarMove",
  1832. "address": "0x401020"
  1833. },
  1834. {
  1835. "name": "__vbaVarVargNofree",
  1836. "address": "0x401024"
  1837. },
  1838. {
  1839. "name": "__vbaAryMove",
  1840. "address": "0x401028"
  1841. },
  1842. {
  1843. "name": "__vbaFreeVar",
  1844. "address": "0x40102c"
  1845. },
  1846. {
  1847. "name": "__vbaLateIdCall",
  1848. "address": "0x401030"
  1849. },
  1850. {
  1851. "name": null,
  1852. "address": "0x401034"
  1853. },
  1854. {
  1855. "name": "__vbaLenBstr",
  1856. "address": "0x401038"
  1857. },
  1858. {
  1859. "name": "__vbaStrVarMove",
  1860. "address": "0x40103c"
  1861. },
  1862. {
  1863. "name": null,
  1864. "address": "0x401040"
  1865. },
  1866. {
  1867. "name": "__vbaPut3",
  1868. "address": "0x401044"
  1869. },
  1870. {
  1871. "name": "__vbaFreeVarList",
  1872. "address": "0x401048"
  1873. },
  1874. {
  1875. "name": "__vbaEnd",
  1876. "address": "0x40104c"
  1877. },
  1878. {
  1879. "name": "_adj_fdiv_m64",
  1880. "address": "0x401050"
  1881. },
  1882. {
  1883. "name": null,
  1884. "address": "0x401054"
  1885. },
  1886. {
  1887. "name": "__vbaNextEachVar",
  1888. "address": "0x401058"
  1889. },
  1890. {
  1891. "name": "__vbaRaiseEvent",
  1892. "address": "0x40105c"
  1893. },
  1894. {
  1895. "name": "__vbaFreeObjList",
  1896. "address": "0x401060"
  1897. },
  1898. {
  1899. "name": null,
  1900. "address": "0x401064"
  1901. },
  1902. {
  1903. "name": "__vbaVarIndexLoadRef",
  1904. "address": "0x401068"
  1905. },
  1906. {
  1907. "name": "__vbaStrErrVarCopy",
  1908. "address": "0x40106c"
  1909. },
  1910. {
  1911. "name": null,
  1912. "address": "0x401070"
  1913. },
  1914. {
  1915. "name": "_adj_fprem1",
  1916. "address": "0x401074"
  1917. },
  1918. {
  1919. "name": "__vbaRecAnsiToUni",
  1920. "address": "0x401078"
  1921. },
  1922. {
  1923. "name": null,
  1924. "address": "0x40107c"
  1925. },
  1926. {
  1927. "name": null,
  1928. "address": "0x401080"
  1929. },
  1930. {
  1931. "name": null,
  1932. "address": "0x401084"
  1933. },
  1934. {
  1935. "name": "__vbaForEachCollAd",
  1936. "address": "0x401088"
  1937. },
  1938. {
  1939. "name": "__vbaVarCmpNe",
  1940. "address": "0x40108c"
  1941. },
  1942. {
  1943. "name": "__vbaStrCat",
  1944. "address": "0x401090"
  1945. },
  1946. {
  1947. "name": "__vbaLsetFixstr",
  1948. "address": "0x401094"
  1949. },
  1950. {
  1951. "name": "__vbaSetSystemError",
  1952. "address": "0x401098"
  1953. },
  1954. {
  1955. "name": "__vbaLenBstrB",
  1956. "address": "0x40109c"
  1957. },
  1958. {
  1959. "name": "__vbaHresultCheckObj",
  1960. "address": "0x4010a0"
  1961. },
  1962. {
  1963. "name": "__vbaLenVar",
  1964. "address": "0x4010a4"
  1965. },
  1966. {
  1967. "name": "_adj_fdiv_m32",
  1968. "address": "0x4010a8"
  1969. },
  1970. {
  1971. "name": null,
  1972. "address": "0x4010ac"
  1973. },
  1974. {
  1975. "name": "__vbaAryVar",
  1976. "address": "0x4010b0"
  1977. },
  1978. {
  1979. "name": null,
  1980. "address": "0x4010b4"
  1981. },
  1982. {
  1983. "name": "__vbaAryDestruct",
  1984. "address": "0x4010b8"
  1985. },
  1986. {
  1987. "name": null,
  1988. "address": "0x4010bc"
  1989. },
  1990. {
  1991. "name": "__vbaVarIndexLoadRefLock",
  1992. "address": "0x4010c0"
  1993. },
  1994. {
  1995. "name": null,
  1996. "address": "0x4010c4"
  1997. },
  1998. {
  1999. "name": "__vbaVarForInit",
  2000. "address": "0x4010c8"
  2001. },
  2002. {
  2003. "name": null,
  2004. "address": "0x4010cc"
  2005. },
  2006. {
  2007. "name": "__vbaStrLike",
  2008. "address": "0x4010d0"
  2009. },
  2010. {
  2011. "name": "__vbaOnError",
  2012. "address": "0x4010d4"
  2013. },
  2014. {
  2015. "name": "__vbaObjSet",
  2016. "address": "0x4010d8"
  2017. },
  2018. {
  2019. "name": null,
  2020. "address": "0x4010dc"
  2021. },
  2022. {
  2023. "name": null,
  2024. "address": "0x4010e0"
  2025. },
  2026. {
  2027. "name": "_adj_fdiv_m16i",
  2028. "address": "0x4010e4"
  2029. },
  2030. {
  2031. "name": "__vbaObjSetAddref",
  2032. "address": "0x4010e8"
  2033. },
  2034. {
  2035. "name": "_adj_fdivr_m16i",
  2036. "address": "0x4010ec"
  2037. },
  2038. {
  2039. "name": "__vbaVarIndexLoad",
  2040. "address": "0x4010f0"
  2041. },
  2042. {
  2043. "name": null,
  2044. "address": "0x4010f4"
  2045. },
  2046. {
  2047. "name": null,
  2048. "address": "0x4010f8"
  2049. },
  2050. {
  2051. "name": "__vbaForEachCollVar",
  2052. "address": "0x4010fc"
  2053. },
  2054. {
  2055. "name": "__vbaStrFixstr",
  2056. "address": "0x401100"
  2057. },
  2058. {
  2059. "name": null,
  2060. "address": "0x401104"
  2061. },
  2062. {
  2063. "name": "__vbaBoolVar",
  2064. "address": "0x401108"
  2065. },
  2066. {
  2067. "name": "__vbaBoolVarNull",
  2068. "address": "0x40110c"
  2069. },
  2070. {
  2071. "name": "__vbaRefVarAry",
  2072. "address": "0x401110"
  2073. },
  2074. {
  2075. "name": "__vbaFpR8",
  2076. "address": "0x401114"
  2077. },
  2078. {
  2079. "name": "_CIsin",
  2080. "address": "0x401118"
  2081. },
  2082. {
  2083. "name": "__vbaErase",
  2084. "address": "0x40111c"
  2085. },
  2086. {
  2087. "name": null,
  2088. "address": "0x401120"
  2089. },
  2090. {
  2091. "name": "__vbaVarCmpGt",
  2092. "address": "0x401124"
  2093. },
  2094. {
  2095. "name": "__vbaVargVarMove",
  2096. "address": "0x401128"
  2097. },
  2098. {
  2099. "name": null,
  2100. "address": "0x40112c"
  2101. },
  2102. {
  2103. "name": null,
  2104. "address": "0x401130"
  2105. },
  2106. {
  2107. "name": "__vbaChkstk",
  2108. "address": "0x401134"
  2109. },
  2110. {
  2111. "name": null,
  2112. "address": "0x401138"
  2113. },
  2114. {
  2115. "name": "__vbaFileClose",
  2116. "address": "0x40113c"
  2117. },
  2118. {
  2119. "name": "EVENT_SINK_AddRef",
  2120. "address": "0x401140"
  2121. },
  2122. {
  2123. "name": null,
  2124. "address": "0x401144"
  2125. },
  2126. {
  2127. "name": "__vbaGenerateBoundsError",
  2128. "address": "0x401148"
  2129. },
  2130. {
  2131. "name": null,
  2132. "address": "0x40114c"
  2133. },
  2134. {
  2135. "name": "__vbaGet3",
  2136. "address": "0x401150"
  2137. },
  2138. {
  2139. "name": "__vbaStrCmp",
  2140. "address": "0x401154"
  2141. },
  2142. {
  2143. "name": "__vbaAryConstruct2",
  2144. "address": "0x401158"
  2145. },
  2146. {
  2147. "name": "__vbaVarTstEq",
  2148. "address": "0x40115c"
  2149. },
  2150. {
  2151. "name": "__vbaPutOwner4",
  2152. "address": "0x401160"
  2153. },
  2154. {
  2155. "name": "__vbaNextEachCollVar",
  2156. "address": "0x401164"
  2157. },
  2158. {
  2159. "name": null,
  2160. "address": "0x401168"
  2161. },
  2162. {
  2163. "name": "__vbaObjVar",
  2164. "address": "0x40116c"
  2165. },
  2166. {
  2167. "name": "DllFunctionCall",
  2168. "address": "0x401170"
  2169. },
  2170. {
  2171. "name": null,
  2172. "address": "0x401174"
  2173. },
  2174. {
  2175. "name": "__vbaVarOr",
  2176. "address": "0x401178"
  2177. },
  2178. {
  2179. "name": null,
  2180. "address": "0x40117c"
  2181. },
  2182. {
  2183. "name": null,
  2184. "address": "0x401180"
  2185. },
  2186. {
  2187. "name": "__vbaCastObjVar",
  2188. "address": "0x401184"
  2189. },
  2190. {
  2191. "name": "__vbaLbound",
  2192. "address": "0x401188"
  2193. },
  2194. {
  2195. "name": "_adj_fpatan",
  2196. "address": "0x40118c"
  2197. },
  2198. {
  2199. "name": "__vbaFixstrConstruct",
  2200. "address": "0x401190"
  2201. },
  2202. {
  2203. "name": "__vbaLateIdCallLd",
  2204. "address": "0x401194"
  2205. },
  2206. {
  2207. "name": "__vbaR8Cy",
  2208. "address": "0x401198"
  2209. },
  2210. {
  2211. "name": "__vbaRedim",
  2212. "address": "0x40119c"
  2213. },
  2214. {
  2215. "name": "__vbaStrR8",
  2216. "address": "0x4011a0"
  2217. },
  2218. {
  2219. "name": "__vbaRecUniToAnsi",
  2220. "address": "0x4011a4"
  2221. },
  2222. {
  2223. "name": "EVENT_SINK_Release",
  2224. "address": "0x4011a8"
  2225. },
  2226. {
  2227. "name": "__vbaNew",
  2228. "address": "0x4011ac"
  2229. },
  2230. {
  2231. "name": null,
  2232. "address": "0x4011b0"
  2233. },
  2234. {
  2235. "name": null,
  2236. "address": "0x4011b4"
  2237. },
  2238. {
  2239. "name": "_CIsqrt",
  2240. "address": "0x4011b8"
  2241. },
  2242. {
  2243. "name": "__vbaObjIs",
  2244. "address": "0x4011bc"
  2245. },
  2246. {
  2247. "name": "__vbaVarAnd",
  2248. "address": "0x4011c0"
  2249. },
  2250. {
  2251. "name": "EVENT_SINK_QueryInterface",
  2252. "address": "0x4011c4"
  2253. },
  2254. {
  2255. "name": "__vbaStr2Vec",
  2256. "address": "0x4011c8"
  2257. },
  2258. {
  2259. "name": "__vbaVarMul",
  2260. "address": "0x4011cc"
  2261. },
  2262. {
  2263. "name": "__vbaExceptHandler",
  2264. "address": "0x4011d0"
  2265. },
  2266. {
  2267. "name": null,
  2268. "address": "0x4011d4"
  2269. },
  2270. {
  2271. "name": null,
  2272. "address": "0x4011d8"
  2273. },
  2274. {
  2275. "name": "__vbaPrintFile",
  2276. "address": "0x4011dc"
  2277. },
  2278. {
  2279. "name": "__vbaStrToUnicode",
  2280. "address": "0x4011e0"
  2281. },
  2282. {
  2283. "name": null,
  2284. "address": "0x4011e4"
  2285. },
  2286. {
  2287. "name": "_adj_fprem",
  2288. "address": "0x4011e8"
  2289. },
  2290. {
  2291. "name": "_adj_fdivr_m64",
  2292. "address": "0x4011ec"
  2293. },
  2294. {
  2295. "name": null,
  2296. "address": "0x4011f0"
  2297. },
  2298. {
  2299. "name": null,
  2300. "address": "0x4011f4"
  2301. },
  2302. {
  2303. "name": null,
  2304. "address": "0x4011f8"
  2305. },
  2306. {
  2307. "name": null,
  2308. "address": "0x4011fc"
  2309. },
  2310. {
  2311. "name": "__vbaFPException",
  2312. "address": "0x401200"
  2313. },
  2314. {
  2315. "name": "__vbaInStrVar",
  2316. "address": "0x401204"
  2317. },
  2318. {
  2319. "name": null,
  2320. "address": "0x401208"
  2321. },
  2322. {
  2323. "name": "__vbaUbound",
  2324. "address": "0x40120c"
  2325. },
  2326. {
  2327. "name": "__vbaStrVarVal",
  2328. "address": "0x401210"
  2329. },
  2330. {
  2331. "name": "__vbaVarCat",
  2332. "address": "0x401214"
  2333. },
  2334. {
  2335. "name": "__vbaI2Var",
  2336. "address": "0x401218"
  2337. },
  2338. {
  2339. "name": null,
  2340. "address": "0x40121c"
  2341. },
  2342. {
  2343. "name": null,
  2344. "address": "0x401220"
  2345. },
  2346. {
  2347. "name": null,
  2348. "address": "0x401224"
  2349. },
  2350. {
  2351. "name": "_CIlog",
  2352. "address": "0x401228"
  2353. },
  2354. {
  2355. "name": "__vbaFileOpen",
  2356. "address": "0x40122c"
  2357. },
  2358. {
  2359. "name": "__vbaVarLateMemCallLdRf",
  2360. "address": "0x401230"
  2361. },
  2362. {
  2363. "name": "__vbaVar2Vec",
  2364. "address": "0x401234"
  2365. },
  2366. {
  2367. "name": null,
  2368. "address": "0x401238"
  2369. },
  2370. {
  2371. "name": null,
  2372. "address": "0x40123c"
  2373. },
  2374. {
  2375. "name": "__vbaNew2",
  2376. "address": "0x401240"
  2377. },
  2378. {
  2379. "name": "__vbaR8Str",
  2380. "address": "0x401244"
  2381. },
  2382. {
  2383. "name": "__vbaInStr",
  2384. "address": "0x401248"
  2385. },
  2386. {
  2387. "name": "_adj_fdiv_m32i",
  2388. "address": "0x40124c"
  2389. },
  2390. {
  2391. "name": "_adj_fdivr_m32i",
  2392. "address": "0x401250"
  2393. },
  2394. {
  2395. "name": "__vbaVarSetObj",
  2396. "address": "0x401254"
  2397. },
  2398. {
  2399. "name": null,
  2400. "address": "0x401258"
  2401. },
  2402. {
  2403. "name": "__vbaStrCopy",
  2404. "address": "0x40125c"
  2405. },
  2406. {
  2407. "name": "__vbaI4Str",
  2408. "address": "0x401260"
  2409. },
  2410. {
  2411. "name": null,
  2412. "address": "0x401264"
  2413. },
  2414. {
  2415. "name": "__vbaVarCmpLt",
  2416. "address": "0x401268"
  2417. },
  2418. {
  2419. "name": "__vbaFreeStrList",
  2420. "address": "0x40126c"
  2421. },
  2422. {
  2423. "name": null,
  2424. "address": "0x401270"
  2425. },
  2426. {
  2427. "name": "_adj_fdivr_m32",
  2428. "address": "0x401274"
  2429. },
  2430. {
  2431. "name": "__vbaPowerR8",
  2432. "address": "0x401278"
  2433. },
  2434. {
  2435. "name": "__vbaR8Var",
  2436. "address": "0x40127c"
  2437. },
  2438. {
  2439. "name": "_adj_fdiv_r",
  2440. "address": "0x401280"
  2441. },
  2442. {
  2443. "name": null,
  2444. "address": "0x401284"
  2445. },
  2446. {
  2447. "name": null,
  2448. "address": "0x401288"
  2449. },
  2450. {
  2451. "name": "__vbaVarTstNe",
  2452. "address": "0x40128c"
  2453. },
  2454. {
  2455. "name": "__vbaVarSetVar",
  2456. "address": "0x401290"
  2457. },
  2458. {
  2459. "name": "__vbaI4Var",
  2460. "address": "0x401294"
  2461. },
  2462. {
  2463. "name": "__vbaVarCmpEq",
  2464. "address": "0x401298"
  2465. },
  2466. {
  2467. "name": null,
  2468. "address": "0x40129c"
  2469. },
  2470. {
  2471. "name": "__vbaFpCy",
  2472. "address": "0x4012a0"
  2473. },
  2474. {
  2475. "name": null,
  2476. "address": "0x4012a4"
  2477. },
  2478. {
  2479. "name": "__vbaAryLock",
  2480. "address": "0x4012a8"
  2481. },
  2482. {
  2483. "name": "__vbaVarAdd",
  2484. "address": "0x4012ac"
  2485. },
  2486. {
  2487. "name": "__vbaStrComp",
  2488. "address": "0x4012b0"
  2489. },
  2490. {
  2491. "name": "__vbaStrToAnsi",
  2492. "address": "0x4012b4"
  2493. },
  2494. {
  2495. "name": null,
  2496. "address": "0x4012b8"
  2497. },
  2498. {
  2499. "name": "__vbaVarDup",
  2500. "address": "0x4012bc"
  2501. },
  2502. {
  2503. "name": "__vbaFpI2",
  2504. "address": "0x4012c0"
  2505. },
  2506. {
  2507. "name": "__vbaVarMod",
  2508. "address": "0x4012c4"
  2509. },
  2510. {
  2511. "name": "__vbaVarLateMemCallLd",
  2512. "address": "0x4012c8"
  2513. },
  2514. {
  2515. "name": null,
  2516. "address": "0x4012cc"
  2517. },
  2518. {
  2519. "name": "__vbaFpI4",
  2520. "address": "0x4012d0"
  2521. },
  2522. {
  2523. "name": "__vbaLateMemCallLd",
  2524. "address": "0x4012d4"
  2525. },
  2526. {
  2527. "name": null,
  2528. "address": "0x4012d8"
  2529. },
  2530. {
  2531. "name": "_CIatan",
  2532. "address": "0x4012dc"
  2533. },
  2534. {
  2535. "name": "__vbaCastObj",
  2536. "address": "0x4012e0"
  2537. },
  2538. {
  2539. "name": null,
  2540. "address": "0x4012e4"
  2541. },
  2542. {
  2543. "name": "__vbaAryCopy",
  2544. "address": "0x4012e8"
  2545. },
  2546. {
  2547. "name": "__vbaStrMove",
  2548. "address": "0x4012ec"
  2549. },
  2550. {
  2551. "name": "__vbaForEachVar",
  2552. "address": "0x4012f0"
  2553. },
  2554. {
  2555. "name": null,
  2556. "address": "0x4012f4"
  2557. },
  2558. {
  2559. "name": "__vbaStrVarCopy",
  2560. "address": "0x4012f8"
  2561. },
  2562. {
  2563. "name": "__vbaR8IntI4",
  2564. "address": "0x4012fc"
  2565. },
  2566. {
  2567. "name": "_allmul",
  2568. "address": "0x401300"
  2569. },
  2570. {
  2571. "name": "__vbaLateIdSt",
  2572. "address": "0x401304"
  2573. },
  2574. {
  2575. "name": "_CItan",
  2576. "address": "0x401308"
  2577. },
  2578. {
  2579. "name": "__vbaNextEachCollAd",
  2580. "address": "0x40130c"
  2581. },
  2582. {
  2583. "name": "__vbaAryUnlock",
  2584. "address": "0x401310"
  2585. },
  2586. {
  2587. "name": "__vbaUI1Var",
  2588. "address": "0x401314"
  2589. },
  2590. {
  2591. "name": "__vbaFPInt",
  2592. "address": "0x401318"
  2593. },
  2594. {
  2595. "name": "__vbaVarForNext",
  2596. "address": "0x40131c"
  2597. },
  2598. {
  2599. "name": "_CIexp",
  2600. "address": "0x401320"
  2601. },
  2602. {
  2603. "name": "__vbaFreeStr",
  2604. "address": "0x401324"
  2605. },
  2606. {
  2607. "name": "__vbaFreeObj",
  2608. "address": "0x401328"
  2609. },
  2610. {
  2611. "name": null,
  2612. "address": "0x40132c"
  2613. }
  2614. ],
  2615. "dll": "MSVBVM60.DLL"
  2616. }
  2617. ],
  2618. "digital_signers": null,
  2619. "exported_dll_name": null,
  2620. "actual_checksum": "0x00097835",
  2621. "overlay": null,
  2622. "imagebase": "0x00400000",
  2623. "reported_checksum": "0x00060842",
  2624. "icon_hash": null,
  2625. "entrypoint": "0x00403668",
  2626. "timestamp": "2019-06-23 14:57:07",
  2627. "osversion": "4.0",
  2628. "sections": [
  2629. {
  2630. "name": ".text",
  2631. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  2632. "virtual_address": "0x00001000",
  2633. "size_of_data": "0x0004f000",
  2634. "entropy": "6.15",
  2635. "raw_address": "0x00001000",
  2636. "virtual_size": "0x0004e634",
  2637. "characteristics_raw": "0x60000020"
  2638. },
  2639. {
  2640. "name": ".data",
  2641. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2642. "virtual_address": "0x00050000",
  2643. "size_of_data": "0x00001000",
  2644. "entropy": "0.00",
  2645. "raw_address": "0x00050000",
  2646. "virtual_size": "0x0000424c",
  2647. "characteristics_raw": "0xc0000040"
  2648. },
  2649. {
  2650. "name": ".rsrc",
  2651. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2652. "virtual_address": "0x00055000",
  2653. "size_of_data": "0x00045000",
  2654. "entropy": "7.94",
  2655. "raw_address": "0x00051000",
  2656. "virtual_size": "0x00044ee4",
  2657. "characteristics_raw": "0x40000040"
  2658. }
  2659. ],
  2660. "resources": [],
  2661. "dirents": [
  2662. {
  2663. "virtual_address": "0x00000000",
  2664. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2665. "size": "0x00000000"
  2666. },
  2667. {
  2668. "virtual_address": "0x0004e934",
  2669. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2670. "size": "0x00000028"
  2671. },
  2672. {
  2673. "virtual_address": "0x00055000",
  2674. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2675. "size": "0x00044ee4"
  2676. },
  2677. {
  2678. "virtual_address": "0x00000000",
  2679. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2680. "size": "0x00000000"
  2681. },
  2682. {
  2683. "virtual_address": "0x00000000",
  2684. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2685. "size": "0x00000000"
  2686. },
  2687. {
  2688. "virtual_address": "0x00000000",
  2689. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2690. "size": "0x00000000"
  2691. },
  2692. {
  2693. "virtual_address": "0x00000000",
  2694. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2695. "size": "0x00000000"
  2696. },
  2697. {
  2698. "virtual_address": "0x00000000",
  2699. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2700. "size": "0x00000000"
  2701. },
  2702. {
  2703. "virtual_address": "0x00000000",
  2704. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2705. "size": "0x00000000"
  2706. },
  2707. {
  2708. "virtual_address": "0x00000000",
  2709. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2710. "size": "0x00000000"
  2711. },
  2712. {
  2713. "virtual_address": "0x00000000",
  2714. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2715. "size": "0x00000000"
  2716. },
  2717. {
  2718. "virtual_address": "0x00000228",
  2719. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2720. "size": "0x00000020"
  2721. },
  2722. {
  2723. "virtual_address": "0x00001000",
  2724. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2725. "size": "0x00000334"
  2726. },
  2727. {
  2728. "virtual_address": "0x00000000",
  2729. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2730. "size": "0x00000000"
  2731. },
  2732. {
  2733. "virtual_address": "0x00000000",
  2734. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2735. "size": "0x00000000"
  2736. },
  2737. {
  2738. "virtual_address": "0x00000000",
  2739. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2740. "size": "0x00000000"
  2741. }
  2742. ],
  2743. "exports": [],
  2744. "guest_signers": {},
  2745. "imphash": "8b4b00a271719e03c25e04affc535ce8",
  2746. "icon_fuzzy": null,
  2747. "icon": null,
  2748. "pdbpath": null,
  2749. "imported_dll_count": 1,
  2750. "versioninfo": []
  2751. }
  2752. }