- [*] MalFamily: "Dyzu"
- [*] MalScore: 10.0
- [*] File Name: "Exes_e20264435aec9a9c68a91dd6b3a9fd80.exe"
- [*] File Size: 614400
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "2f6131a0a3ffe5a26c75eccadeedafd20fd2b252cc21ba9ef7445c21b4d47efd"
- [*] MD5: "e20264435aec9a9c68a91dd6b3a9fd80"
- [*] SHA1: "96ba4fa0a8c136975b67875fe3c1fa1012a41513"
- [*] SHA512: "291978910b3ca2c91040bf76a3718fceb5647a2e678b323672c725f7d6a9028325204cc42d2c2788f0919821bfd924f508a2b90531b9932d6969ddb84c3ea4af"
- [*] CRC32: "31DB4324"
- [*] SSDEEP: "12288:gF5t9X90+gUebLGtrzPVELs8c0uAVGB7SLCY1J1kGl8V3eZsemDhkJn7:G79XKL+CLs8lVG96r1/kGlVZshDhw7"
- [*] Process Execution: [
- "Exes_e20264435aec9a9c68a91dd6b3a9fd80.exe",
- "cmd.exe",
- "mfgmjjch.exe",
- "svchost.exe",
- "mobsync.exe",
- "WmiPrvSE.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "A process attempted to delay the analysis task.",
- "Details": [
- {
- "Process": "WmiPrvSE.exe tried to sleep 480 seconds, actually delayed analysis time by 0 seconds"
- },
- {
- "Process": "mfgmjjch.exe tried to sleep 270 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "Reads data out of its own binary image",
- "Details": [
- {
- "self_read": "process: Exes_e20264435aec9a9c68a91dd6b3a9fd80.exe, pid: 3064, offset: 0x00000000, length: 0x00096000"
- }
- ]
- },
- {
- "Description": "Drops a binary and executes it",
- "Details": [
- {
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe"
- }
- ]
- },
- {
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details": [
- {
- "section": "name: .rsrc, entropy: 7.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00045000, virtual_size: 0x00044ee4"
- }
- ]
- },
- {
- "Description": "Sniffs keystrokes",
- "Details": [
- {
- "GetAsyncKeyState": "Process: Exes_e20264435aec9a9c68a91dd6b3a9fd80.exe(3064)"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe"
- }
- ]
- },
- {
- "Description": "Retrieves Windows ProductID, probably to fingerprint the sandbox",
- "Details": []
- },
- {
- "Description": "File has been identified by 33 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "MicroWorld-eScan": "Trojan.Agent.DYZU"
- },
- {
- "FireEye": "Generic.mg.e20264435aec9a9c"
- },
- {
- "Cylance": "Unsafe"
- },
- {
- "BitDefender": "Trojan.Agent.DYZU"
- },
- {
- "Cybereason": "malicious.0a8c13"
- },
- {
- "Arcabit": "Trojan.Agent.DYZU"
- },
- {
- "Invincea": "heuristic"
- },
- {
- "APEX": "Malicious"
- },
- {
- "ClamAV": "Win.Malware.Dyzu-7001129-0"
- },
- {
- "Kaspersky": "Trojan.Win32.Agent.xaamjo"
- },
- {
- "Rising": "Spyware.KeyLogger!8.12F (TFE:dGZlOgQRfMoFLoqvng)"
- },
- {
- "Ad-Aware": "Trojan.Agent.DYZU"
- },
- {
- "F-Secure": "Trojan.TR/Dropper.Gen"
- },
- {
- "TrendMicro": "TSPY_VBKEYLOG.SM"
- },
- {
- "Fortinet": "W32/KeyLogger.NJK!tr"
- },
- {
- "Trapmine": "suspicious.low.ml.score"
- },
- {
- "Emsisoft": "Trojan.Agent.DYZU (B)"
- },
- {
- "Ikarus": "Trojan-Spy.Agent"
- },
- {
- "Jiangmin": "Trojan.Agent.bznr"
- },
- {
- "Avira": "TR/Dropper.Gen"
- },
- {
- "MAX": "malware (ai score=86)"
- },
- {
- "Antiy-AVL": "Trojan/Win32.Agent"
- },
- {
- "ZoneAlarm": "Trojan.Win32.Agent.xaamjo"
- },
- {
- "AhnLab-V3": "Malware/Win32.RL_Generic.R267888"
- },
- {
- "VBA32": "Trojan.Sonbokli"
- },
- {
- "ALYac": "Trojan.Agent.DYZU"
- },
- {
- "Malwarebytes": "Trojan.KeyLogger"
- },
- {
- "ESET-NOD32": "a variant of Win32/Spy.KeyLogger.ODN"
- },
- {
- "TrendMicro-HouseCall": "TSPY_VBKEYLOG.SM"
- },
- {
- "SentinelOne": "DFI - Malicious PE"
- },
- {
- "eGambit": "Unsafe.AI_Score_65%"
- },
- {
- "GData": "Trojan.Agent.DYZU"
- },
- {
- "CrowdStrike": "win/malicious_confidence_100% (D)"
- }
- ]
- },
- {
- "Description": "Checks the version of BIOS, possibly for anti-virtualization",
- "Details": []
- },
- {
- "Description": "Checks the presence of disk drives in the registry, possibly for anti-virtualization",
- "Details": []
- },
- {
- "Description": "Attempts to modify proxy settings",
- "Details": []
- },
- {
- "Description": "Creates a copy of itself",
- "Details": [
- {
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe"
- }
- ]
- },
- {
- "Description": "Collects information to fingerprint the system",
- "Details": []
- },
- {
- "Description": "Anomalous binary characteristics",
- "Details": [
- {
- "anomaly": "Actual checksum does not match that reported in PE header"
- }
- ]
- }
- ]
- [*] Started Service: []
- [*] Executed Commands: [
- "cmd.exe /c C:\\Users\\user\\AppData\\Local\\Temp\\",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe",
- "C:\\Windows\\System32\\mobsync.exe -Embedding",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
- ]
- [*] Mutexes: [
- "Local\\WininetStartupMutex",
- "Local\\ZonesCounterMutex",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
- "Local\\WininetConnectionMutex",
- "Local\\WininetProxyRegistryMutex",
- "Local\\!IETld!Mutex",
- "Local\\SyncServiceThread",
- "CB35EF5D-4591-41d9-BBA2-0363342F3783"
- ]
- [*] Modified Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\~DF9C234FEC3C7ED892.TMP",
- "C:\\Users\\user\\AppData\\Local\\Temp\\",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\dnserrordiagoff_webOC[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\dnserrordiagoff_webOC[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\ErrorPageTemplate[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\ErrorPageTemplate[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\errorPageStrings[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\ErrorPageTemplate[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\errorPageStrings[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\errorPageStrings[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\httpErrorPagesScripts[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\httpErrorPagesScripts[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\background_gradient[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\httpErrorPagesScripts[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\background_gradient[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\info_48[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\info_48[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\bullet[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\background_gradient[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\info_48[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\bullet[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\down[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\down[2]",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mfgmjjch.exe",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\PIPE\\wkssvc",
- "\\??\\PIPE\\srvsvc",
- "\\??\\PHYSICALDRIVE0",
- "\\??\\CDROM0",
- "\\??\\WMIDataDevice",
- "\\??\\PIPE\\lsarpc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~DF568DA6D9FC11E368.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\dnserrordiagoff_webOC[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\httpErrorPagesScripts[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\bullet[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\down[1]"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\dnserrordiagoff_webOC[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\dnserrordiagoff_webOC[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\ErrorPageTemplate[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\errorPageStrings[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\ErrorPageTemplate[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\errorPageStrings[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\ErrorPageTemplate[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\errorPageStrings[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\errorPageStrings[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\httpErrorPagesScripts[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\httpErrorPagesScripts[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\background_gradient[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\background_gradient[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\info_48[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\background_gradient[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\info_48[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\bullet[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\down[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\bullet[2]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\down[2]",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~DF9C234FEC3C7ED892.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\dnserrordiagoff_webOC[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\httpErrorPagesScripts[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\info_48[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\httpErrorPagesScripts[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\bullet[1]",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\down[1]"
- ]
- [*] Modified Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Local\\Temp\\namebro",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Local\\Temp\\namebro\\namebro",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\EnableFileTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\EnableConsoleTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\FileTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\ConsoleTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\MaxFileSize",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\Exes_e20264435aec9a9c68a91dd6b3a9fd80_RASAPI32\\FileDirectory",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Local\\Temp\\Text1",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Local\\Temp\\Text1\\Text1",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\SyncMgr\\HandlerInstances\\{750FDF10-2A26-11D1-A3EA-080036587F03}\\SyncTime",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\SyncMgr\\HandlerInstances\\{750FDF10-2A26-11D1-A3EA-080036587F03}\\Enabled",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\SyncMgr\\HandlerInstances\\{750FDF10-2A26-11D1-A3EA-080036587F03}\\Connected",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\SyncMgr\\StartAtLogin",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\namebro",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\namebro\\namebro",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\mfgmjjch_RASAPI32",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\EnableFileTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\EnableConsoleTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\FileTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\ConsoleTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\MaxFileSize",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\mfgmjjch_RASAPI32\\FileDirectory",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\asdsww",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\asdsww\\asdsww",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\bweqwqe",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\bweqwqe\\bweqwqe",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cqweqwe",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cqweqwe\\cqweqwe",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dqweqweqwe",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dqweqweqwe\\dqweqweqwe"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\SW\\{eeab7790-c514-11d1-b42b-00805fc1270e}\\asyncmac\\CustomPropertyHwIdKey",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\SW\\{EEAB7790-C514-11D1-B42B-00805FC1270E}\\ASYNCMAC\\CustomPropertyHwIdKey"
- ]
- [*] DNS Communications: []
- [*] Domains: []
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: []
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "__vbaVarSub",
- "address": "0x401000"
- },
- {
- "name": "__vbaVarTstGt",
- "address": "0x401004"
- },
- {
- "name": null,
- "address": "0x401008"
- },
- {
- "name": "__vbaStrI2",
- "address": "0x40100c"
- },
- {
- "name": "_CIcos",
- "address": "0x401010"
- },
- {
- "name": "_adj_fptan",
- "address": "0x401014"
- },
- {
- "name": "__vbaStrI4",
- "address": "0x401018"
- },
- {
- "name": "__vbaHresultCheck",
- "address": "0x40101c"
- },
- {
- "name": "__vbaVarMove",
- "address": "0x401020"
- },
- {
- "name": "__vbaVarVargNofree",
- "address": "0x401024"
- },
- {
- "name": "__vbaAryMove",
- "address": "0x401028"
- },
- {
- "name": "__vbaFreeVar",
- "address": "0x40102c"
- },
- {
- "name": "__vbaLateIdCall",
- "address": "0x401030"
- },
- {
- "name": null,
- "address": "0x401034"
- },
- {
- "name": "__vbaLenBstr",
- "address": "0x401038"
- },
- {
- "name": "__vbaStrVarMove",
- "address": "0x40103c"
- },
- {
- "name": null,
- "address": "0x401040"
- },
- {
- "name": "__vbaPut3",
- "address": "0x401044"
- },
- {
- "name": "__vbaFreeVarList",
- "address": "0x401048"
- },
- {
- "name": "__vbaEnd",
- "address": "0x40104c"
- },
- {
- "name": "_adj_fdiv_m64",
- "address": "0x401050"
- },
- {
- "name": null,
- "address": "0x401054"
- },
- {
- "name": "__vbaNextEachVar",
- "address": "0x401058"
- },
- {
- "name": "__vbaRaiseEvent",
- "address": "0x40105c"
- },
- {
- "name": "__vbaFreeObjList",
- "address": "0x401060"
- },
- {
- "name": null,
- "address": "0x401064"
- },
- {
- "name": "__vbaVarIndexLoadRef",
- "address": "0x401068"
- },
- {
- "name": "__vbaStrErrVarCopy",
- "address": "0x40106c"
- },
- {
- "name": null,
- "address": "0x401070"
- },
- {
- "name": "_adj_fprem1",
- "address": "0x401074"
- },
- {
- "name": "__vbaRecAnsiToUni",
- "address": "0x401078"
- },
- {
- "name": null,
- "address": "0x40107c"
- },
- {
- "name": null,
- "address": "0x401080"
- },
- {
- "name": null,
- "address": "0x401084"
- },
- {
- "name": "__vbaForEachCollAd",
- "address": "0x401088"
- },
- {
- "name": "__vbaVarCmpNe",
- "address": "0x40108c"
- },
- {
- "name": "__vbaStrCat",
- "address": "0x401090"
- },
- {
- "name": "__vbaLsetFixstr",
- "address": "0x401094"
- },
- {
- "name": "__vbaSetSystemError",
- "address": "0x401098"
- },
- {
- "name": "__vbaLenBstrB",
- "address": "0x40109c"
- },
- {
- "name": "__vbaHresultCheckObj",
- "address": "0x4010a0"
- },
- {
- "name": "__vbaLenVar",
- "address": "0x4010a4"
- },
- {
- "name": "_adj_fdiv_m32",
- "address": "0x4010a8"
- },
- {
- "name": null,
- "address": "0x4010ac"
- },
- {
- "name": "__vbaAryVar",
- "address": "0x4010b0"
- },
- {
- "name": null,
- "address": "0x4010b4"
- },
- {
- "name": "__vbaAryDestruct",
- "address": "0x4010b8"
- },
- {
- "name": null,
- "address": "0x4010bc"
- },
- {
- "name": "__vbaVarIndexLoadRefLock",
- "address": "0x4010c0"
- },
- {
- "name": null,
- "address": "0x4010c4"
- },
- {
- "name": "__vbaVarForInit",
- "address": "0x4010c8"
- },
- {
- "name": null,
- "address": "0x4010cc"
- },
- {
- "name": "__vbaStrLike",
- "address": "0x4010d0"
- },
- {
- "name": "__vbaOnError",
- "address": "0x4010d4"
- },
- {
- "name": "__vbaObjSet",
- "address": "0x4010d8"
- },
- {
- "name": null,
- "address": "0x4010dc"
- },
- {
- "name": null,
- "address": "0x4010e0"
- },
- {
- "name": "_adj_fdiv_m16i",
- "address": "0x4010e4"
- },
- {
- "name": "__vbaObjSetAddref",
- "address": "0x4010e8"
- },
- {
- "name": "_adj_fdivr_m16i",
- "address": "0x4010ec"
- },
- {
- "name": "__vbaVarIndexLoad",
- "address": "0x4010f0"
- },
- {
- "name": null,
- "address": "0x4010f4"
- },
- {
- "name": null,
- "address": "0x4010f8"
- },
- {
- "name": "__vbaForEachCollVar",
- "address": "0x4010fc"
- },
- {
- "name": "__vbaStrFixstr",
- "address": "0x401100"
- },
- {
- "name": null,
- "address": "0x401104"
- },
- {
- "name": "__vbaBoolVar",
- "address": "0x401108"
- },
- {
- "name": "__vbaBoolVarNull",
- "address": "0x40110c"
- },
- {
- "name": "__vbaRefVarAry",
- "address": "0x401110"
- },
- {
- "name": "__vbaFpR8",
- "address": "0x401114"
- },
- {
- "name": "_CIsin",
- "address": "0x401118"
- },
- {
- "name": "__vbaErase",
- "address": "0x40111c"
- },
- {
- "name": null,
- "address": "0x401120"
- },
- {
- "name": "__vbaVarCmpGt",
- "address": "0x401124"
- },
- {
- "name": "__vbaVargVarMove",
- "address": "0x401128"
- },
- {
- "name": null,
- "address": "0x40112c"
- },
- {
- "name": null,
- "address": "0x401130"
- },
- {
- "name": "__vbaChkstk",
- "address": "0x401134"
- },
- {
- "name": null,
- "address": "0x401138"
- },
- {
- "name": "__vbaFileClose",
- "address": "0x40113c"
- },
- {
- "name": "EVENT_SINK_AddRef",
- "address": "0x401140"
- },
- {
- "name": null,
- "address": "0x401144"
- },
- {
- "name": "__vbaGenerateBoundsError",
- "address": "0x401148"
- },
- {
- "name": null,
- "address": "0x40114c"
- },
- {
- "name": "__vbaGet3",
- "address": "0x401150"
- },
- {
- "name": "__vbaStrCmp",
- "address": "0x401154"
- },
- {
- "name": "__vbaAryConstruct2",
- "address": "0x401158"
- },
- {
- "name": "__vbaVarTstEq",
- "address": "0x40115c"
- },
- {
- "name": "__vbaPutOwner4",
- "address": "0x401160"
- },
- {
- "name": "__vbaNextEachCollVar",
- "address": "0x401164"
- },
- {
- "name": null,
- "address": "0x401168"
- },
- {
- "name": "__vbaObjVar",
- "address": "0x40116c"
- },
- {
- "name": "DllFunctionCall",
- "address": "0x401170"
- },
- {
- "name": null,
- "address": "0x401174"
- },
- {
- "name": "__vbaVarOr",
- "address": "0x401178"
- },
- {
- "name": null,
- "address": "0x40117c"
- },
- {
- "name": null,
- "address": "0x401180"
- },
- {
- "name": "__vbaCastObjVar",
- "address": "0x401184"
- },
- {
- "name": "__vbaLbound",
- "address": "0x401188"
- },
- {
- "name": "_adj_fpatan",
- "address": "0x40118c"
- },
- {
- "name": "__vbaFixstrConstruct",
- "address": "0x401190"
- },
- {
- "name": "__vbaLateIdCallLd",
- "address": "0x401194"
- },
- {
- "name": "__vbaR8Cy",
- "address": "0x401198"
- },
- {
- "name": "__vbaRedim",
- "address": "0x40119c"
- },
- {
- "name": "__vbaStrR8",
- "address": "0x4011a0"
- },
- {
- "name": "__vbaRecUniToAnsi",
- "address": "0x4011a4"
- },
- {
- "name": "EVENT_SINK_Release",
- "address": "0x4011a8"
- },
- {
- "name": "__vbaNew",
- "address": "0x4011ac"
- },
- {
- "name": null,
- "address": "0x4011b0"
- },
- {
- "name": null,
- "address": "0x4011b4"
- },
- {
- "name": "_CIsqrt",
- "address": "0x4011b8"
- },
- {
- "name": "__vbaObjIs",
- "address": "0x4011bc"
- },
- {
- "name": "__vbaVarAnd",
- "address": "0x4011c0"
- },
- {
- "name": "EVENT_SINK_QueryInterface",
- "address": "0x4011c4"
- },
- {
- "name": "__vbaStr2Vec",
- "address": "0x4011c8"
- },
- {
- "name": "__vbaVarMul",
- "address": "0x4011cc"
- },
- {
- "name": "__vbaExceptHandler",
- "address": "0x4011d0"
- },
- {
- "name": null,
- "address": "0x4011d4"
- },
- {
- "name": null,
- "address": "0x4011d8"
- },
- {
- "name": "__vbaPrintFile",
- "address": "0x4011dc"
- },
- {
- "name": "__vbaStrToUnicode",
- "address": "0x4011e0"
- },
- {
- "name": null,
- "address": "0x4011e4"
- },
- {
- "name": "_adj_fprem",
- "address": "0x4011e8"
- },
- {
- "name": "_adj_fdivr_m64",
- "address": "0x4011ec"
- },
- {
- "name": null,
- "address": "0x4011f0"
- },
- {
- "name": null,
- "address": "0x4011f4"
- },
- {
- "name": null,
- "address": "0x4011f8"
- },
- {
- "name": null,
- "address": "0x4011fc"
- },
- {
- "name": "__vbaFPException",
- "address": "0x401200"
- },
- {
- "name": "__vbaInStrVar",
- "address": "0x401204"
- },
- {
- "name": null,
- "address": "0x401208"
- },
- {
- "name": "__vbaUbound",
- "address": "0x40120c"
- },
- {
- "name": "__vbaStrVarVal",
- "address": "0x401210"
- },
- {
- "name": "__vbaVarCat",
- "address": "0x401214"
- },
- {
- "name": "__vbaI2Var",
- "address": "0x401218"
- },
- {
- "name": null,
- "address": "0x40121c"
- },
- {
- "name": null,
- "address": "0x401220"
- },
- {
- "name": null,
- "address": "0x401224"
- },
- {
- "name": "_CIlog",
- "address": "0x401228"
- },
- {
- "name": "__vbaFileOpen",
- "address": "0x40122c"
- },
- {
- "name": "__vbaVarLateMemCallLdRf",
- "address": "0x401230"
- },
- {
- "name": "__vbaVar2Vec",
- "address": "0x401234"
- },
- {
- "name": null,
- "address": "0x401238"
- },
- {
- "name": null,
- "address": "0x40123c"
- },
- {
- "name": "__vbaNew2",
- "address": "0x401240"
- },
- {
- "name": "__vbaR8Str",
- "address": "0x401244"
- },
- {
- "name": "__vbaInStr",
- "address": "0x401248"
- },
- {
- "name": "_adj_fdiv_m32i",
- "address": "0x40124c"
- },
- {
- "name": "_adj_fdivr_m32i",
- "address": "0x401250"
- },
- {
- "name": "__vbaVarSetObj",
- "address": "0x401254"
- },
- {
- "name": null,
- "address": "0x401258"
- },
- {
- "name": "__vbaStrCopy",
- "address": "0x40125c"
- },
- {
- "name": "__vbaI4Str",
- "address": "0x401260"
- },
- {
- "name": null,
- "address": "0x401264"
- },
- {
- "name": "__vbaVarCmpLt",
- "address": "0x401268"
- },
- {
- "name": "__vbaFreeStrList",
- "address": "0x40126c"
- },
- {
- "name": null,
- "address": "0x401270"
- },
- {
- "name": "_adj_fdivr_m32",
- "address": "0x401274"
- },
- {
- "name": "__vbaPowerR8",
- "address": "0x401278"
- },
- {
- "name": "__vbaR8Var",
- "address": "0x40127c"
- },
- {
- "name": "_adj_fdiv_r",
- "address": "0x401280"
- },
- {
- "name": null,
- "address": "0x401284"
- },
- {
- "name": null,
- "address": "0x401288"
- },
- {
- "name": "__vbaVarTstNe",
- "address": "0x40128c"
- },
- {
- "name": "__vbaVarSetVar",
- "address": "0x401290"
- },
- {
- "name": "__vbaI4Var",
- "address": "0x401294"
- },
- {
- "name": "__vbaVarCmpEq",
- "address": "0x401298"
- },
- {
- "name": null,
- "address": "0x40129c"
- },
- {
- "name": "__vbaFpCy",
- "address": "0x4012a0"
- },
- {
- "name": null,
- "address": "0x4012a4"
- },
- {
- "name": "__vbaAryLock",
- "address": "0x4012a8"
- },
- {
- "name": "__vbaVarAdd",
- "address": "0x4012ac"
- },
- {
- "name": "__vbaStrComp",
- "address": "0x4012b0"
- },
- {
- "name": "__vbaStrToAnsi",
- "address": "0x4012b4"
- },
- {
- "name": null,
- "address": "0x4012b8"
- },
- {
- "name": "__vbaVarDup",
- "address": "0x4012bc"
- },
- {
- "name": "__vbaFpI2",
- "address": "0x4012c0"
- },
- {
- "name": "__vbaVarMod",
- "address": "0x4012c4"
- },
- {
- "name": "__vbaVarLateMemCallLd",
- "address": "0x4012c8"
- },
- {
- "name": null,
- "address": "0x4012cc"
- },
- {
- "name": "__vbaFpI4",
- "address": "0x4012d0"
- },
- {
- "name": "__vbaLateMemCallLd",
- "address": "0x4012d4"
- },
- {
- "name": null,
- "address": "0x4012d8"
- },
- {
- "name": "_CIatan",
- "address": "0x4012dc"
- },
- {
- "name": "__vbaCastObj",
- "address": "0x4012e0"
- },
- {
- "name": null,
- "address": "0x4012e4"
- },
- {
- "name": "__vbaAryCopy",
- "address": "0x4012e8"
- },
- {
- "name": "__vbaStrMove",
- "address": "0x4012ec"
- },
- {
- "name": "__vbaForEachVar",
- "address": "0x4012f0"
- },
- {
- "name": null,
- "address": "0x4012f4"
- },
- {
- "name": "__vbaStrVarCopy",
- "address": "0x4012f8"
- },
- {
- "name": "__vbaR8IntI4",
- "address": "0x4012fc"
- },
- {
- "name": "_allmul",
- "address": "0x401300"
- },
- {
- "name": "__vbaLateIdSt",
- "address": "0x401304"
- },
- {
- "name": "_CItan",
- "address": "0x401308"
- },
- {
- "name": "__vbaNextEachCollAd",
- "address": "0x40130c"
- },
- {
- "name": "__vbaAryUnlock",
- "address": "0x401310"
- },
- {
- "name": "__vbaUI1Var",
- "address": "0x401314"
- },
- {
- "name": "__vbaFPInt",
- "address": "0x401318"
- },
- {
- "name": "__vbaVarForNext",
- "address": "0x40131c"
- },
- {
- "name": "_CIexp",
- "address": "0x401320"
- },
- {
- "name": "__vbaFreeStr",
- "address": "0x401324"
- },
- {
- "name": "__vbaFreeObj",
- "address": "0x401328"
- },
- {
- "name": null,
- "address": "0x40132c"
- }
- ],
- "dll": "MSVBVM60.DLL"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00097835",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00060842",
- "icon_hash": null,
- "entrypoint": "0x00403668",
- "timestamp": "2019-06-23 14:57:07",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x0004f000",
- "entropy": "6.15",
- "raw_address": "0x00001000",
- "virtual_size": "0x0004e634",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00050000",
- "size_of_data": "0x00001000",
- "entropy": "0.00",
- "raw_address": "0x00050000",
- "virtual_size": "0x0000424c",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00055000",
- "size_of_data": "0x00045000",
- "entropy": "7.94",
- "raw_address": "0x00051000",
- "virtual_size": "0x00044ee4",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0004e934",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000028"
- },
- {
- "virtual_address": "0x00055000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00044ee4"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000228",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000020"
- },
- {
- "virtual_address": "0x00001000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000334"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "8b4b00a271719e03c25e04affc535ce8",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 1,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "cryptbase.dll.SystemFunction036",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "oleaut32.dll.OleLoadPictureEx",
- "oleaut32.dll.DispCallFunc",
- "oleaut32.dll.LoadTypeLibEx",
- "oleaut32.dll.UnRegisterTypeLib",
- "oleaut32.dll.CreateTypeLib2",
- "oleaut32.dll.VarDateFromUdate",
- "oleaut32.dll.VarUdateFromDate",
- "oleaut32.dll.GetAltMonthNames",
- "oleaut32.dll.VarNumFromParseNum",
- "oleaut32.dll.VarParseNumFromStr",
- "oleaut32.dll.VarDecFromR4",
- "oleaut32.dll.VarDecFromR8",
- "oleaut32.dll.VarDecFromDate",
- "oleaut32.dll.VarDecFromI4",
- "oleaut32.dll.VarDecFromCy",
- "oleaut32.dll.VarR4FromDec",
- "oleaut32.dll.GetRecordInfoFromTypeInfo",
- "oleaut32.dll.GetRecordInfoFromGuids",
- "oleaut32.dll.SafeArrayGetRecordInfo",
- "oleaut32.dll.SafeArraySetRecordInfo",
- "oleaut32.dll.SafeArrayGetIID",
- "oleaut32.dll.SafeArraySetIID",
- "oleaut32.dll.SafeArrayCopyData",
- "oleaut32.dll.SafeArrayAllocDescriptorEx",
- "oleaut32.dll.SafeArrayCreateEx",
- "oleaut32.dll.VarFormat",
- "oleaut32.dll.VarFormatDateTime",
- "oleaut32.dll.VarFormatNumber",
- "oleaut32.dll.VarFormatPercent",
- "oleaut32.dll.VarFormatCurrency",
- "oleaut32.dll.VarWeekdayName",
- "oleaut32.dll.VarMonthName",
- "oleaut32.dll.VarAdd",
- "oleaut32.dll.VarAnd",
- "oleaut32.dll.VarCat",
- "oleaut32.dll.VarDiv",
- "oleaut32.dll.VarEqv",
- "oleaut32.dll.VarIdiv",
- "oleaut32.dll.VarImp",
- "oleaut32.dll.VarMod",
- "oleaut32.dll.VarMul",
- "oleaut32.dll.VarOr",
- "oleaut32.dll.VarPow",
- "oleaut32.dll.VarSub",
- "oleaut32.dll.VarXor",
- "oleaut32.dll.VarAbs",
- "oleaut32.dll.VarFix",
- "oleaut32.dll.VarInt",
- "oleaut32.dll.VarNeg",
- "oleaut32.dll.VarNot",
- "oleaut32.dll.VarRound",
- "oleaut32.dll.VarCmp",
- "oleaut32.dll.VarDecAdd",
- "oleaut32.dll.VarDecCmp",
- "oleaut32.dll.VarBstrCat",
- "oleaut32.dll.VarCyMulI4",
- "oleaut32.dll.VarBstrCmp",
- "ole32.dll.CoCreateInstanceEx",
- "ole32.dll.CLSIDFromProgIDEx",
- "sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary",
- "user32.dll.GetSystemMetrics",
- "user32.dll.MonitorFromWindow",
- "user32.dll.MonitorFromRect",
- "user32.dll.MonitorFromPoint",
- "user32.dll.EnumDisplayMonitors",
- "user32.dll.GetMonitorInfoA",
- "ole32.dll.CLSIDFromOle1Class",
- "clbcatq.dll.GetCatalogObject",
- "clbcatq.dll.GetCatalogObject2",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptGenRandom",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "gdi32.dll.GetLayout",
- "gdi32.dll.GdiRealizationInfo",
- "gdi32.dll.FontIsLinked",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegQueryInfoKeyW",
- "gdi32.dll.GetTextFaceAliasW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.RegQueryValueExW",
- "gdi32.dll.GetFontAssocStatus",
- "advapi32.dll.RegQueryValueExA",
- "advapi32.dll.RegEnumKeyExW",
- "gdi32.dll.GdiIsMetaPrintDC",
- "lpk.dll.LpkEditControl",
- "comctl32.dll.HIMAGELIST_QueryInterface",
- "comctl32.dll.DrawShadowText",
- "comctl32.dll.DrawSizeBox",
- "comctl32.dll.DrawScrollBar",
- "comctl32.dll.SizeBoxHwnd",
- "comctl32.dll.ScrollBar_MouseMove",
- "comctl32.dll.ScrollBar_Menu",
- "comctl32.dll.HandleScrollCmd",
- "comctl32.dll.DetachScrollBars",
- "comctl32.dll.AttachScrollBars",
- "comctl32.dll.CCSetScrollInfo",
- "comctl32.dll.CCGetScrollInfo",
- "comctl32.dll.CCEnableScrollBar",
- "comctl32.dll.QuerySystemGestureStatus",
- "uxtheme.dll.#49",
- "uxtheme.dll.CloseThemeData",
- "ole32.dll.CoTaskMemAlloc",
- "ole32.dll.CreateBindCtx",
- "comctl32.dll.#328",
- "comctl32.dll.#334",
- "ole32.dll.CoGetMalloc",
- "ole32.dll.CoGetApartmentType",
- "ole32.dll.CoRegisterInitializeSpy",
- "comctl32.dll.#236",
- "oleaut32.dll.#6",
- "comctl32.dll.#332",
- "comctl32.dll.#320",
- "ole32.dll.StringFromGUID2",
- "comctl32.dll.#324",
- "comctl32.dll.#323",
- "apphelp.dll.ApphelpCheckShellObject",
- "ole32.dll.CoCreateInstance",
- "ntdll.dll.RtlDllShutdownInProgress",
- "comctl32.dll.#386",
- "comctl32.dll.#329",
- "propsys.dll.#417",
- "propsys.dll.PSGetNameFromPropertyKey",
- "propsys.dll.PSStringFromPropertyKey",
- "propsys.dll.InitVariantFromBuffer",
- "oleaut32.dll.#9",
- "propsys.dll.PropVariantToGUID",
- "ole32.dll.PropVariantClear",
- "ole32.dll.CoInitializeEx",
- "ole32.dll.CoTaskMemFree",
- "ole32.dll.CoUninitialize",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockShared",
- "uxtheme.dll.DrawThemeBackground",
- "oleaut32.dll.#2",
- "kernel32.dll.GetThreadPreferredUILanguages",
- "kernel32.dll.SetThreadPreferredUILanguages",
- "kernel32.dll.LocaleNameToLCID",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.LCIDToLocaleName",
- "kernel32.dll.GetSystemDefaultLocaleName",
- "advapi32.dll.RegEnumKeyW",
- "oleaut32.dll.#283",
- "oleaut32.dll.#284",
- "kernel32.dll.GetComputerNameA",
- "kernel32.dll.NlsGetCacheUpdateCount",
- "kernel32.dll.GlobalMemoryStatusEx",
- "kernel32.dll.Sleep",
- "advapi32.dll.OpenThreadToken",
- "advapi32.dll.InitializeSecurityDescriptor",
- "advapi32.dll.SetEntriesInAclW",
- "ntmarta.dll.GetMartaExtensionInterface",
- "advapi32.dll.SetSecurityDescriptorDacl",
- "advapi32.dll.IsTextUnicode",
- "comctl32.dll.#338",
- "comctl32.dll.#339",
- "shell32.dll.#102",
- "shell32.dll.SHGetPathFromIDListW",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "sechost.dll.ConvertSidToStringSidW",
- "profapi.dll.#104",
- "propsys.dll.PSCreateMemoryPropertyStore",
- "propsys.dll.PSPropertyBag_WriteStr",
- "propsys.dll.PSPropertyBag_WriteGUID",
- "propsys.dll.PSPropertyBag_ReadGUID",
- "urlmon.dll.CreateUri",
- "urlmon.dll.CreateURLMonikerEx",
- "urlmon.dll.CreateAsyncBindCtxEx",
- "urlmon.dll.RegisterBindStatusCallback",
- "urlmon.dll.CreateFormatEnumerator",
- "urlmon.dll.UrlMkGetSessionOption",
- "urlmon.dll.CoInternetCreateSecurityManager",
- "advapi32.dll.EventActivityIdControl",
- "advapi32.dll.EventWriteTransfer",
- "kernel32.dll.SetFileInformationByHandle",
- "shell32.dll.SHGetFolderPathW",
- "kernel32.dll.GetModuleHandleW",
- "advapi32.dll.AddMandatoryAce",
- "ws2_32.dll.accept",
- "ws2_32.dll.bind",
- "ws2_32.dll.closesocket",
- "ws2_32.dll.connect",
- "ws2_32.dll.getpeername",
- "ws2_32.dll.getsockname",
- "ws2_32.dll.getsockopt",
- "ws2_32.dll.ntohl",
- "ws2_32.dll.htonl",
- "ws2_32.dll.htons",
- "ws2_32.dll.inet_addr",
- "ws2_32.dll.inet_ntoa",
- "ws2_32.dll.ioctlsocket",
- "ws2_32.dll.listen",
- "ws2_32.dll.ntohs",
- "ws2_32.dll.recv",
- "ws2_32.dll.recvfrom",
- "ws2_32.dll.select",
- "ws2_32.dll.send",
- "ws2_32.dll.sendto",
- "ws2_32.dll.setsockopt",
- "ws2_32.dll.shutdown",
- "ws2_32.dll.socket",
- "ws2_32.dll.gethostbyname",
- "ws2_32.dll.gethostname",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.WSAGetLastError",
- "ws2_32.dll.WSASetLastError",
- "ws2_32.dll.WSAStartup",
- "ws2_32.dll.WSACleanup",
- "ws2_32.dll.__WSAFDIsSet",
- "ws2_32.dll.getaddrinfo",
- "ws2_32.dll.freeaddrinfo",
- "ws2_32.dll.getnameinfo",
- "ws2_32.dll.WSALookupServiceBeginW",
- "ws2_32.dll.WSALookupServiceNextW",
- "ws2_32.dll.WSALookupServiceEnd",
- "ws2_32.dll.WSANSPIoctl",
- "ws2_32.dll.WSAStringToAddressA",
- "ws2_32.dll.WSAStringToAddressW",
- "ws2_32.dll.WSAAddressToStringA",
- "dnsapi.dll.DnsGetProxyInformation",
- "dnsapi.dll.DnsFreeProxyName",
- "iphlpapi.dll.GetIpForwardTable2",
- "iphlpapi.dll.FreeMibTable",
- "iphlpapi.dll.GetIfEntry2",
- "iphlpapi.dll.ConvertInterfaceGuidToLuid",
- "iphlpapi.dll.ResolveIpNetEntry2",
- "iphlpapi.dll.GetIpNetEntry2",
- "shlwapi.dll.#260",
- "rasapi32.dll.RasEnumEntriesW",
- "rtutils.dll.TraceRegisterExA",
- "rtutils.dll.TracePrintfExA",
- "shlwapi.dll.PathCanonicalizeW",
- "shlwapi.dll.PathRemoveFileSpecW",
- "shlwapi.dll.PathFindFileNameW",
- "sensapi.dll.IsNetworkAlive",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.NdrClientCall2",
- "rasapi32.dll.RasConnectionNotificationW",
- "sechost.dll.NotifyServiceStatusChangeA",
- "nlaapi.dll.NSPStartup",
- "iphlpapi.dll.GetAdapterIndex",
- "rasadhlp.dll.WSAttemptAutodialAddr",
- "rasadhlp.dll.WSAttemptAutodialName",
- "rasadhlp.dll.WSNoteSuccessfulHostentLookup",
- "kernel32.dll.IsWow64Process",
- "urlmon.dll.RevokeBindStatusCallback",
- "wininet.dll.InternetQueryOptionA",
- "urlmon.dll.CreateIUriBuilder",
- "version.dll.GetFileVersionInfoSizeW",
- "version.dll.GetFileVersionInfoW",
- "version.dll.VerQueryValueW",
- "urlmon.dll.#330",
- "urlmon.dll.#414",
- "urlmon.dll.RegisterFormatEnumerator",
- "oleaut32.dll.#3",
- "urlmon.dll.CoInternetIsFeatureEnabled",
- "oleaut32.dll.#201",
- "wininet.dll.CreateUrlCacheEntryA",
- "wininet.dll.CommitUrlCacheEntryA",
- "oleaut32.dll.#7",
- "oleaut32.dll.#8",
- "ieframe.dll.#302",
- "urlmon.dll.#101",
- "oleaut32.dll.VariantClear",
- "mlang.dll.#112",
- "wininet.dll.GetUrlCacheEntryInfoA",
- "ole32.dll.CoGetObjectContext",
- "imgutil.dll.DecodeImage",
- "oleaut32.dll.#147",
- "oleaut32.dll.#4",
- "comctl32.dll.ImageList_Create",
- "comctl32.dll.ImageList_ReplaceIcon",
- "wininet.dll.GetUrlCacheEntryInfoExW",
- "user32.dll.GetAsyncKeyState",
- "comctl32.dll.ImageList_Destroy",
- "oleaut32.dll.#500",
- "ole32.dll.CoRevokeInitializeSpy",
- "comctl32.dll.#388",
- "advapi32.dll.UnregisterTraceGuids",
- "ntdll.dll.EtwUnregisterTraceGuids",
- "rpcrt4.dll.RpcBindingFree",
- "comctl32.dll.#321",
- "cryptsp.dll.CryptReleaseContext",
- "comctl32.dll.#322",
- "user32.dll.IsWindow",
- "user32.dll.GetWindowThreadProcessId",
- "winsta.dll.WinStationRegisterConsoleNotification",
- "advapi32.dll.LookupAccountSidW",
- "advapi32.dll.CreateWellKnownSid",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcAsyncInitializeHandle",
- "rpcrt4.dll.NdrClientCall3",
- "rpcrt4.dll.Ndr64AsyncClientCall",
- "ole32.dll.CoCreateGuid",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "sechost.dll.LookupAccountNameLocalW",
- "sechost.dll.LookupAccountSidLocalW",
- "fastprox.dll.DllGetClassObject",
- "fastprox.dll.DllCanUnloadNow",
- "kernel32.dll.RegOpenKeyExW",
- "kernel32.dll.RegQueryValueExW",
- "kernel32.dll.RegCloseKey",
- "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
- "oleaut32.dll.#289",
- "advapi32.dll.RegOpenKeyW",
- "oleaut32.dll.#287",
- "oleaut32.dll.#288",
- "oleaut32.dll.#290",
- "oleaut32.dll.#285",
- "iphlpapi.dll.GetAdaptersAddresses",
- "iphlpapi.dll.ConvertLengthToIpv4Mask",
- "oleaut32.dll.#15",
- "oleaut32.dll.#26",
- "oleaut32.dll.#16",
- "dnsapi.dll.DnsQueryConfigAllocEx",
- "iphlpapi.dll.GetCurrentThreadCompartmentId",
- "dnsapi.dll.DnsFreeConfigStructure",
- "dnsapi.dll.DnsQueryConfigDword",
- "oleaut32.dll.#286",
- "winbrand.dll.BrandingLoadString",
- "security.dll.InitSecurityInterfaceW",
- "cryptsp.dll.SystemFunction035",
- "schannel.dll.SpUserModeInitialize",
- "advapi32.dll.RegCreateKeyExW",
- "ntdll.dll.RtlInitUnicodeString",
- "ntdll.dll.RtlFreeUnicodeString",
- "ntdll.dll.NtSetSystemEnvironmentValue",
- "ntdll.dll.NtQuerySystemEnvironmentValue",
- "ntdll.dll.NtCreateFile",
- "ntdll.dll.NtQuerySystemInformation",
- "ntdll.dll.NtQueryDirectoryObject",
- "ntdll.dll.NtQueryObject",
- "ntdll.dll.NtOpenDirectoryObject",
- "ntdll.dll.NtQueryInformationProcess",
- "ntdll.dll.NtQueryInformationToken",
- "ntdll.dll.NtOpenFile",
- "ntdll.dll.NtClose",
- "ntdll.dll.NtFsControlFile",
- "ntdll.dll.NtQueryVolumeInformationFile",
- "advapi32.dll.LookupPrivilegeValueW",
- "netapi32.dll.NetGroupEnum",
- "netapi32.dll.NetGroupGetInfo",
- "netapi32.dll.NetGroupSetInfo",
- "netapi32.dll.NetLocalGroupGetInfo",
- "netapi32.dll.NetLocalGroupSetInfo",
- "netapi32.dll.NetGroupGetUsers",
- "netapi32.dll.NetLocalGroupGetMembers",
- "netapi32.dll.NetLocalGroupEnum",
- "netapi32.dll.NetShareEnum",
- "netapi32.dll.NetShareGetInfo",
- "netapi32.dll.NetShareAdd",
- "netapi32.dll.NetShareEnumSticky",
- "netapi32.dll.NetShareSetInfo",
- "netapi32.dll.NetShareDel",
- "netapi32.dll.NetShareDelSticky",
- "netapi32.dll.NetShareCheck",
- "netapi32.dll.NetUserEnum",
- "netapi32.dll.NetUserGetInfo",
- "netapi32.dll.NetUserSetInfo",
- "netapi32.dll.NetApiBufferFree",
- "netapi32.dll.NetQueryDisplayInformation",
- "netapi32.dll.NetServerSetInfo",
- "netapi32.dll.NetServerGetInfo",
- "netapi32.dll.NetGetDCName",
- "netapi32.dll.NetWkstaGetInfo",
- "netapi32.dll.NetGetAnyDCName",
- "netapi32.dll.NetServerEnum",
- "netapi32.dll.NetUserModalsGet",
- "netapi32.dll.NetScheduleJobAdd",
- "netapi32.dll.NetScheduleJobDel",
- "netapi32.dll.NetScheduleJobEnum",
- "netapi32.dll.NetScheduleJobGetInfo",
- "netapi32.dll.NetUseGetInfo",
- "netapi32.dll.NetEnumerateTrustedDomains",
- "netapi32.dll.DsGetDcNameW",
- "netapi32.dll.DsRoleGetPrimaryDomainInformation",
- "netapi32.dll.DsRoleFreeMemory",
- "netapi32.dll.NetRenameMachineInDomain",
- "netapi32.dll.NetJoinDomain",
- "netapi32.dll.NetUnjoinDomain",
- "wkscli.dll.NetWkstaGetInfo",
- "cscapi.dll.CscNetApiGetInterface",
- "kernel32.dll.GetDiskFreeSpaceExW",
- "kernel32.dll.GetVolumePathNameW",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.Thread32First",
- "kernel32.dll.Thread32Next",
- "kernel32.dll.Process32First",
- "kernel32.dll.Process32Next",
- "kernel32.dll.Module32First",
- "kernel32.dll.Module32Next",
- "kernel32.dll.Heap32ListFirst",
- "kernel32.dll.GetSystemDefaultUILanguage",
- "wmi.dll.WmiQueryAllDataW",
- "wmi.dll.WmiQuerySingleInstanceW",
- "wmi.dll.WmiSetSingleItemW",
- "wmi.dll.WmiSetSingleInstanceW",
- "wmi.dll.WmiExecuteMethodW",
- "wmi.dll.WmiNotificationRegistrationW",
- "wmi.dll.WmiMofEnumerateResourcesW",
- "wmi.dll.WmiFileHandleToInstanceNameW",
- "wmi.dll.WmiDevInstToInstanceNameW",
- "wmi.dll.WmiQueryGuidInformation",
- "wmi.dll.WmiOpenBlock",
- "wmi.dll.WmiCloseBlock",
- "wmi.dll.WmiFreeBuffer",
- "wmi.dll.WmiEnumerateGuids",
- "oleaut32.dll.#150",
- "wtsapi32.dll.WTSEnumerateSessionsW",
- "winsta.dll.WinStationEnumerateW",
- "rpcrt4.dll.I_RpcExceptionFilter",
- "winsta.dll.WinStationFreeMemory",
- "wtsapi32.dll.WTSQuerySessionInformationW",
- "winsta.dll.WinStationQueryInformationW",
- "advapi32.dll.LookupAccountNameW",
- "wtsapi32.dll.WTSFreeMemory",
- "devobj.dll.DevObjCreateDeviceInfoList",
- "devobj.dll.DevObjGetClassDevs",
- "devobj.dll.DevObjEnumDeviceInfo",
- "devobj.dll.DevObjDestroyDeviceInfoList",
- "powrprof.dll.PowerDeterminePlatformRole",
- "oleaut32.dll.#40",
- "oleaut32.dll.#23",
- "oleaut32.dll.#24",
- "ole32.dll.StringFromCLSID",
- "kernel32.dll.SetThreadUILanguage",
- "kernel32.dll.CopyFileExW",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.SetConsoleInputExeNameW",
- "advapi32.dll.RegOpenKeyExA",
- "kernel32.dll.GetCurrentProcessId",
- "kernel32.dll.CloseHandle"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "__vbaVarSub",
- "address": "0x401000"
- },
- {
- "name": "__vbaVarTstGt",
- "address": "0x401004"
- },
- {
- "name": null,
- "address": "0x401008"
- },
- {
- "name": "__vbaStrI2",
- "address": "0x40100c"
- },
- {
- "name": "_CIcos",
- "address": "0x401010"
- },
- {
- "name": "_adj_fptan",
- "address": "0x401014"
- },
- {
- "name": "__vbaStrI4",
- "address": "0x401018"
- },
- {
- "name": "__vbaHresultCheck",
- "address": "0x40101c"
- },
- {
- "name": "__vbaVarMove",
- "address": "0x401020"
- },
- {
- "name": "__vbaVarVargNofree",
- "address": "0x401024"
- },
- {
- "name": "__vbaAryMove",
- "address": "0x401028"
- },
- {
- "name": "__vbaFreeVar",
- "address": "0x40102c"
- },
- {
- "name": "__vbaLateIdCall",
- "address": "0x401030"
- },
- {
- "name": null,
- "address": "0x401034"
- },
- {
- "name": "__vbaLenBstr",
- "address": "0x401038"
- },
- {
- "name": "__vbaStrVarMove",
- "address": "0x40103c"
- },
- {
- "name": null,
- "address": "0x401040"
- },
- {
- "name": "__vbaPut3",
- "address": "0x401044"
- },
- {
- "name": "__vbaFreeVarList",
- "address": "0x401048"
- },
- {
- "name": "__vbaEnd",
- "address": "0x40104c"
- },
- {
- "name": "_adj_fdiv_m64",
- "address": "0x401050"
- },
- {
- "name": null,
- "address": "0x401054"
- },
- {
- "name": "__vbaNextEachVar",
- "address": "0x401058"
- },
- {
- "name": "__vbaRaiseEvent",
- "address": "0x40105c"
- },
- {
- "name": "__vbaFreeObjList",
- "address": "0x401060"
- },
- {
- "name": null,
- "address": "0x401064"
- },
- {
- "name": "__vbaVarIndexLoadRef",
- "address": "0x401068"
- },
- {
- "name": "__vbaStrErrVarCopy",
- "address": "0x40106c"
- },
- {
- "name": null,
- "address": "0x401070"
- },
- {
- "name": "_adj_fprem1",
- "address": "0x401074"
- },
- {
- "name": "__vbaRecAnsiToUni",
- "address": "0x401078"
- },
- {
- "name": null,
- "address": "0x40107c"
- },
- {
- "name": null,
- "address": "0x401080"
- },
- {
- "name": null,
- "address": "0x401084"
- },
- {
- "name": "__vbaForEachCollAd",
- "address": "0x401088"
- },
- {
- "name": "__vbaVarCmpNe",
- "address": "0x40108c"
- },
- {
- "name": "__vbaStrCat",
- "address": "0x401090"
- },
- {
- "name": "__vbaLsetFixstr",
- "address": "0x401094"
- },
- {
- "name": "__vbaSetSystemError",
- "address": "0x401098"
- },
- {
- "name": "__vbaLenBstrB",
- "address": "0x40109c"
- },
- {
- "name": "__vbaHresultCheckObj",
- "address": "0x4010a0"
- },
- {
- "name": "__vbaLenVar",
- "address": "0x4010a4"
- },
- {
- "name": "_adj_fdiv_m32",
- "address": "0x4010a8"
- },
- {
- "name": null,
- "address": "0x4010ac"
- },
- {
- "name": "__vbaAryVar",
- "address": "0x4010b0"
- },
- {
- "name": null,
- "address": "0x4010b4"
- },
- {
- "name": "__vbaAryDestruct",
- "address": "0x4010b8"
- },
- {
- "name": null,
- "address": "0x4010bc"
- },
- {
- "name": "__vbaVarIndexLoadRefLock",
- "address": "0x4010c0"
- },
- {
- "name": null,
- "address": "0x4010c4"
- },
- {
- "name": "__vbaVarForInit",
- "address": "0x4010c8"
- },
- {
- "name": null,
- "address": "0x4010cc"
- },
- {
- "name": "__vbaStrLike",
- "address": "0x4010d0"
- },
- {
- "name": "__vbaOnError",
- "address": "0x4010d4"
- },
- {
- "name": "__vbaObjSet",
- "address": "0x4010d8"
- },
- {
- "name": null,
- "address": "0x4010dc"
- },
- {
- "name": null,
- "address": "0x4010e0"
- },
- {
- "name": "_adj_fdiv_m16i",
- "address": "0x4010e4"
- },
- {
- "name": "__vbaObjSetAddref",
- "address": "0x4010e8"
- },
- {
- "name": "_adj_fdivr_m16i",
- "address": "0x4010ec"
- },
- {
- "name": "__vbaVarIndexLoad",
- "address": "0x4010f0"
- },
- {
- "name": null,
- "address": "0x4010f4"
- },
- {
- "name": null,
- "address": "0x4010f8"
- },
- {
- "name": "__vbaForEachCollVar",
- "address": "0x4010fc"
- },
- {
- "name": "__vbaStrFixstr",
- "address": "0x401100"
- },
- {
- "name": null,
- "address": "0x401104"
- },
- {
- "name": "__vbaBoolVar",
- "address": "0x401108"
- },
- {
- "name": "__vbaBoolVarNull",
- "address": "0x40110c"
- },
- {
- "name": "__vbaRefVarAry",
- "address": "0x401110"
- },
- {
- "name": "__vbaFpR8",
- "address": "0x401114"
- },
- {
- "name": "_CIsin",
- "address": "0x401118"
- },
- {
- "name": "__vbaErase",
- "address": "0x40111c"
- },
- {
- "name": null,
- "address": "0x401120"
- },
- {
- "name": "__vbaVarCmpGt",
- "address": "0x401124"
- },
- {
- "name": "__vbaVargVarMove",
- "address": "0x401128"
- },
- {
- "name": null,
- "address": "0x40112c"
- },
- {
- "name": null,
- "address": "0x401130"
- },
- {
- "name": "__vbaChkstk",
- "address": "0x401134"
- },
- {
- "name": null,
- "address": "0x401138"
- },
- {
- "name": "__vbaFileClose",
- "address": "0x40113c"
- },
- {
- "name": "EVENT_SINK_AddRef",
- "address": "0x401140"
- },
- {
- "name": null,
- "address": "0x401144"
- },
- {
- "name": "__vbaGenerateBoundsError",
- "address": "0x401148"
- },
- {
- "name": null,
- "address": "0x40114c"
- },
- {
- "name": "__vbaGet3",
- "address": "0x401150"
- },
- {
- "name": "__vbaStrCmp",
- "address": "0x401154"
- },
- {
- "name": "__vbaAryConstruct2",
- "address": "0x401158"
- },
- {
- "name": "__vbaVarTstEq",
- "address": "0x40115c"
- },
- {
- "name": "__vbaPutOwner4",
- "address": "0x401160"
- },
- {
- "name": "__vbaNextEachCollVar",
- "address": "0x401164"
- },
- {
- "name": null,
- "address": "0x401168"
- },
- {
- "name": "__vbaObjVar",
- "address": "0x40116c"
- },
- {
- "name": "DllFunctionCall",
- "address": "0x401170"
- },
- {
- "name": null,
- "address": "0x401174"
- },
- {
- "name": "__vbaVarOr",
- "address": "0x401178"
- },
- {
- "name": null,
- "address": "0x40117c"
- },
- {
- "name": null,
- "address": "0x401180"
- },
- {
- "name": "__vbaCastObjVar",
- "address": "0x401184"
- },
- {
- "name": "__vbaLbound",
- "address": "0x401188"
- },
- {
- "name": "_adj_fpatan",
- "address": "0x40118c"
- },
- {
- "name": "__vbaFixstrConstruct",
- "address": "0x401190"
- },
- {
- "name": "__vbaLateIdCallLd",
- "address": "0x401194"
- },
- {
- "name": "__vbaR8Cy",
- "address": "0x401198"
- },
- {
- "name": "__vbaRedim",
- "address": "0x40119c"
- },
- {
- "name": "__vbaStrR8",
- "address": "0x4011a0"
- },
- {
- "name": "__vbaRecUniToAnsi",
- "address": "0x4011a4"
- },
- {
- "name": "EVENT_SINK_Release",
- "address": "0x4011a8"
- },
- {
- "name": "__vbaNew",
- "address": "0x4011ac"
- },
- {
- "name": null,
- "address": "0x4011b0"
- },
- {
- "name": null,
- "address": "0x4011b4"
- },
- {
- "name": "_CIsqrt",
- "address": "0x4011b8"
- },
- {
- "name": "__vbaObjIs",
- "address": "0x4011bc"
- },
- {
- "name": "__vbaVarAnd",
- "address": "0x4011c0"
- },
- {
- "name": "EVENT_SINK_QueryInterface",
- "address": "0x4011c4"
- },
- {
- "name": "__vbaStr2Vec",
- "address": "0x4011c8"
- },
- {
- "name": "__vbaVarMul",
- "address": "0x4011cc"
- },
- {
- "name": "__vbaExceptHandler",
- "address": "0x4011d0"
- },
- {
- "name": null,
- "address": "0x4011d4"
- },
- {
- "name": null,
- "address": "0x4011d8"
- },
- {
- "name": "__vbaPrintFile",
- "address": "0x4011dc"
- },
- {
- "name": "__vbaStrToUnicode",
- "address": "0x4011e0"
- },
- {
- "name": null,
- "address": "0x4011e4"
- },
- {
- "name": "_adj_fprem",
- "address": "0x4011e8"
- },
- {
- "name": "_adj_fdivr_m64",
- "address": "0x4011ec"
- },
- {
- "name": null,
- "address": "0x4011f0"
- },
- {
- "name": null,
- "address": "0x4011f4"
- },
- {
- "name": null,
- "address": "0x4011f8"
- },
- {
- "name": null,
- "address": "0x4011fc"
- },
- {
- "name": "__vbaFPException",
- "address": "0x401200"
- },
- {
- "name": "__vbaInStrVar",
- "address": "0x401204"
- },
- {
- "name": null,
- "address": "0x401208"
- },
- {
- "name": "__vbaUbound",
- "address": "0x40120c"
- },
- {
- "name": "__vbaStrVarVal",
- "address": "0x401210"
- },
- {
- "name": "__vbaVarCat",
- "address": "0x401214"
- },
- {
- "name": "__vbaI2Var",
- "address": "0x401218"
- },
- {
- "name": null,
- "address": "0x40121c"
- },
- {
- "name": null,
- "address": "0x401220"
- },
- {
- "name": null,
- "address": "0x401224"
- },
- {
- "name": "_CIlog",
- "address": "0x401228"
- },
- {
- "name": "__vbaFileOpen",
- "address": "0x40122c"
- },
- {
- "name": "__vbaVarLateMemCallLdRf",
- "address": "0x401230"
- },
- {
- "name": "__vbaVar2Vec",
- "address": "0x401234"
- },
- {
- "name": null,
- "address": "0x401238"
- },
- {
- "name": null,
- "address": "0x40123c"
- },
- {
- "name": "__vbaNew2",
- "address": "0x401240"
- },
- {
- "name": "__vbaR8Str",
- "address": "0x401244"
- },
- {
- "name": "__vbaInStr",
- "address": "0x401248"
- },
- {
- "name": "_adj_fdiv_m32i",
- "address": "0x40124c"
- },
- {
- "name": "_adj_fdivr_m32i",
- "address": "0x401250"
- },
- {
- "name": "__vbaVarSetObj",
- "address": "0x401254"
- },
- {
- "name": null,
- "address": "0x401258"
- },
- {
- "name": "__vbaStrCopy",
- "address": "0x40125c"
- },
- {
- "name": "__vbaI4Str",
- "address": "0x401260"
- },
- {
- "name": null,
- "address": "0x401264"
- },
- {
- "name": "__vbaVarCmpLt",
- "address": "0x401268"
- },
- {
- "name": "__vbaFreeStrList",
- "address": "0x40126c"
- },
- {
- "name": null,
- "address": "0x401270"
- },
- {
- "name": "_adj_fdivr_m32",
- "address": "0x401274"
- },
- {
- "name": "__vbaPowerR8",
- "address": "0x401278"
- },
- {
- "name": "__vbaR8Var",
- "address": "0x40127c"
- },
- {
- "name": "_adj_fdiv_r",
- "address": "0x401280"
- },
- {
- "name": null,
- "address": "0x401284"
- },
- {
- "name": null,
- "address": "0x401288"
- },
- {
- "name": "__vbaVarTstNe",
- "address": "0x40128c"
- },
- {
- "name": "__vbaVarSetVar",
- "address": "0x401290"
- },
- {
- "name": "__vbaI4Var",
- "address": "0x401294"
- },
- {
- "name": "__vbaVarCmpEq",
- "address": "0x401298"
- },
- {
- "name": null,
- "address": "0x40129c"
- },
- {
- "name": "__vbaFpCy",
- "address": "0x4012a0"
- },
- {
- "name": null,
- "address": "0x4012a4"
- },
- {
- "name": "__vbaAryLock",
- "address": "0x4012a8"
- },
- {
- "name": "__vbaVarAdd",
- "address": "0x4012ac"
- },
- {
- "name": "__vbaStrComp",
- "address": "0x4012b0"
- },
- {
- "name": "__vbaStrToAnsi",
- "address": "0x4012b4"
- },
- {
- "name": null,
- "address": "0x4012b8"
- },
- {
- "name": "__vbaVarDup",
- "address": "0x4012bc"
- },
- {
- "name": "__vbaFpI2",
- "address": "0x4012c0"
- },
- {
- "name": "__vbaVarMod",
- "address": "0x4012c4"
- },
- {
- "name": "__vbaVarLateMemCallLd",
- "address": "0x4012c8"
- },
- {
- "name": null,
- "address": "0x4012cc"
- },
- {
- "name": "__vbaFpI4",
- "address": "0x4012d0"
- },
- {
- "name": "__vbaLateMemCallLd",
- "address": "0x4012d4"
- },
- {
- "name": null,
- "address": "0x4012d8"
- },
- {
- "name": "_CIatan",
- "address": "0x4012dc"
- },
- {
- "name": "__vbaCastObj",
- "address": "0x4012e0"
- },
- {
- "name": null,
- "address": "0x4012e4"
- },
- {
- "name": "__vbaAryCopy",
- "address": "0x4012e8"
- },
- {
- "name": "__vbaStrMove",
- "address": "0x4012ec"
- },
- {
- "name": "__vbaForEachVar",
- "address": "0x4012f0"
- },
- {
- "name": null,
- "address": "0x4012f4"
- },
- {
- "name": "__vbaStrVarCopy",
- "address": "0x4012f8"
- },
- {
- "name": "__vbaR8IntI4",
- "address": "0x4012fc"
- },
- {
- "name": "_allmul",
- "address": "0x401300"
- },
- {
- "name": "__vbaLateIdSt",
- "address": "0x401304"
- },
- {
- "name": "_CItan",
- "address": "0x401308"
- },
- {
- "name": "__vbaNextEachCollAd",
- "address": "0x40130c"
- },
- {
- "name": "__vbaAryUnlock",
- "address": "0x401310"
- },
- {
- "name": "__vbaUI1Var",
- "address": "0x401314"
- },
- {
- "name": "__vbaFPInt",
- "address": "0x401318"
- },
- {
- "name": "__vbaVarForNext",
- "address": "0x40131c"
- },
- {
- "name": "_CIexp",
- "address": "0x401320"
- },
- {
- "name": "__vbaFreeStr",
- "address": "0x401324"
- },
- {
- "name": "__vbaFreeObj",
- "address": "0x401328"
- },
- {
- "name": null,
- "address": "0x40132c"
- }
- ],
- "dll": "MSVBVM60.DLL"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00097835",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00060842",
- "icon_hash": null,
- "entrypoint": "0x00403668",
- "timestamp": "2019-06-23 14:57:07",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x0004f000",
- "entropy": "6.15",
- "raw_address": "0x00001000",
- "virtual_size": "0x0004e634",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00050000",
- "size_of_data": "0x00001000",
- "entropy": "0.00",
- "raw_address": "0x00050000",
- "virtual_size": "0x0000424c",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00055000",
- "size_of_data": "0x00045000",
- "entropy": "7.94",
- "raw_address": "0x00051000",
- "virtual_size": "0x00044ee4",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0004e934",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000028"
- },
- {
- "virtual_address": "0x00055000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00044ee4"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000228",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000020"
- },
- {
- "virtual_address": "0x00001000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000334"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "8b4b00a271719e03c25e04affc535ce8",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 1,
- "versioninfo": []
- }
- }