paladin316

Exes_4827c80107aec68951afebab76916c54_exe_2019-06-26_07_30.json

Jun 26th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 2.5
  5.  
  6. [*] File Name: "Exes_4827c80107aec68951afebab76916c54.exe"
  7. [*] File Size: 843776
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "2589cf3d0029fcda8b3e7965281443300dd933dfed1a297160457ef9285f966a"
  10. [*] MD5: "4827c80107aec68951afebab76916c54"
  11. [*] SHA1: "9e3d5f77339024e6f26113bfec83192d85859f82"
  12. [*] SHA512: "314f818250e616bb2b593a377c69b155fa43dda0abd4b2c472eeb934e0ebbcb1538079a36584ccfdfc609e998194b257f9e1174ab84b3b9dba39e94caa515731"
  13. [*] CRC32: "BBC65CBD"
  14. [*] SSDEEP: "3072:Y5F/kGR6Qm51VW5jfaBmNYCev3qqqqqqqqsS+IOHdDL4IZ:Y/hRGZwaBm1evqqqqqqqqs"
  15.  
  16. [*] Process Execution: [
  17. "Exes_4827c80107aec68951afebab76916c54.exe"
  18. ]
  19.  
  20. [*] Signatures Detected: [
  21. {
  22. "Description": "Creates RWX memory",
  23. "Details": []
  24. },
  25. {
  26. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  27. "Details": [
  28. {
  29. "Spam": "Exes_4827c80107aec68951afebab76916c54.exe (2372) called API CreateProcessInternalW 47620 times"
  30. }
  31. ]
  32. }
  33. ]
  34.  
  35. [*] Started Service: []
  36.  
  37. [*] Executed Commands: [
  38. "\\x01C:\\Users\\user\\AppData\\Local\\Temp\\Exes_4827c80107aec68951afebab76916c54.exe\""
  39. ]
  40.  
  41. [*] Mutexes: []
  42.  
  43. [*] Modified Files: [
  44. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF37D822A21A45143A.TMP"
  45. ]
  46.  
  47. [*] Deleted Files: []
  48.  
  49. [*] Modified Registry Keys: []
  50.  
  51. [*] Deleted Registry Keys: []
  52.  
  53. [*] DNS Communications: []
  54.  
  55. [*] Domains: []
  56.  
  57. [*] Network Communication - ICMP: []
  58.  
  59. [*] Network Communication - HTTP: []
  60.  
  61. [*] Network Communication - SMTP: []
  62.  
  63. [*] Network Communication - Hosts: []
  64.  
  65. [*] Network Communication - IRC: []
  66.  
  67. [*] Static Analysis: {
  68. "pe": {
  69. "peid_signatures": null,
  70. "imports": [
  71. {
  72. "imports": [
  73. {
  74. "name": "__vbaVarTstGt",
  75. "address": "0x401000"
  76. },
  77. {
  78. "name": "__vbaVarSub",
  79. "address": "0x401004"
  80. },
  81. {
  82. "name": null,
  83. "address": "0x401008"
  84. },
  85. {
  86. "name": "_CIcos",
  87. "address": "0x40100c"
  88. },
  89. {
  90. "name": "_adj_fptan",
  91. "address": "0x401010"
  92. },
  93. {
  94. "name": "__vbaVarMove",
  95. "address": "0x401014"
  96. },
  97. {
  98. "name": "__vbaStrI4",
  99. "address": "0x401018"
  100. },
  101. {
  102. "name": null,
  103. "address": "0x40101c"
  104. },
  105. {
  106. "name": null,
  107. "address": "0x401020"
  108. },
  109. {
  110. "name": null,
  111. "address": "0x401024"
  112. },
  113. {
  114. "name": "__vbaFreeVar",
  115. "address": "0x401028"
  116. },
  117. {
  118. "name": "__vbaStrVarMove",
  119. "address": "0x40102c"
  120. },
  121. {
  122. "name": "__vbaFreeVarList",
  123. "address": "0x401030"
  124. },
  125. {
  126. "name": "__vbaEnd",
  127. "address": "0x401034"
  128. },
  129. {
  130. "name": "_adj_fdiv_m64",
  131. "address": "0x401038"
  132. },
  133. {
  134. "name": null,
  135. "address": "0x40103c"
  136. },
  137. {
  138. "name": null,
  139. "address": "0x401040"
  140. },
  141. {
  142. "name": null,
  143. "address": "0x401044"
  144. },
  145. {
  146. "name": "_adj_fprem1",
  147. "address": "0x401048"
  148. },
  149. {
  150. "name": "__vbaStrCat",
  151. "address": "0x40104c"
  152. },
  153. {
  154. "name": null,
  155. "address": "0x401050"
  156. },
  157. {
  158. "name": null,
  159. "address": "0x401054"
  160. },
  161. {
  162. "name": "__vbaSetSystemError",
  163. "address": "0x401058"
  164. },
  165. {
  166. "name": null,
  167. "address": "0x40105c"
  168. },
  169. {
  170. "name": "__vbaHresultCheckObj",
  171. "address": "0x401060"
  172. },
  173. {
  174. "name": "_adj_fdiv_m32",
  175. "address": "0x401064"
  176. },
  177. {
  178. "name": "__vbaAryVar",
  179. "address": "0x401068"
  180. },
  181. {
  182. "name": null,
  183. "address": "0x40106c"
  184. },
  185. {
  186. "name": "__vbaAryDestruct",
  187. "address": "0x401070"
  188. },
  189. {
  190. "name": null,
  191. "address": "0x401074"
  192. },
  193. {
  194. "name": null,
  195. "address": "0x401078"
  196. },
  197. {
  198. "name": "__vbaFileCloseAll",
  199. "address": "0x40107c"
  200. },
  201. {
  202. "name": "__vbaObjSet",
  203. "address": "0x401080"
  204. },
  205. {
  206. "name": null,
  207. "address": "0x401084"
  208. },
  209. {
  210. "name": null,
  211. "address": "0x401088"
  212. },
  213. {
  214. "name": "_adj_fdiv_m16i",
  215. "address": "0x40108c"
  216. },
  217. {
  218. "name": null,
  219. "address": "0x401090"
  220. },
  221. {
  222. "name": "__vbaObjSetAddref",
  223. "address": "0x401094"
  224. },
  225. {
  226. "name": "_adj_fdivr_m16i",
  227. "address": "0x401098"
  228. },
  229. {
  230. "name": null,
  231. "address": "0x40109c"
  232. },
  233. {
  234. "name": null,
  235. "address": "0x4010a0"
  236. },
  237. {
  238. "name": "__vbaFpR8",
  239. "address": "0x4010a4"
  240. },
  241. {
  242. "name": null,
  243. "address": "0x4010a8"
  244. },
  245. {
  246. "name": "_CIsin",
  247. "address": "0x4010ac"
  248. },
  249. {
  250. "name": null,
  251. "address": "0x4010b0"
  252. },
  253. {
  254. "name": "__vbaChkstk",
  255. "address": "0x4010b4"
  256. },
  257. {
  258. "name": null,
  259. "address": "0x4010b8"
  260. },
  261. {
  262. "name": "__vbaFileClose",
  263. "address": "0x4010bc"
  264. },
  265. {
  266. "name": "EVENT_SINK_AddRef",
  267. "address": "0x4010c0"
  268. },
  269. {
  270. "name": "__vbaStrCmp",
  271. "address": "0x4010c4"
  272. },
  273. {
  274. "name": "__vbaVarTstEq",
  275. "address": "0x4010c8"
  276. },
  277. {
  278. "name": "__vbaCyI4",
  279. "address": "0x4010cc"
  280. },
  281. {
  282. "name": "__vbaI2I4",
  283. "address": "0x4010d0"
  284. },
  285. {
  286. "name": null,
  287. "address": "0x4010d4"
  288. },
  289. {
  290. "name": "__vbaObjVar",
  291. "address": "0x4010d8"
  292. },
  293. {
  294. "name": "DllFunctionCall",
  295. "address": "0x4010dc"
  296. },
  297. {
  298. "name": null,
  299. "address": "0x4010e0"
  300. },
  301. {
  302. "name": null,
  303. "address": "0x4010e4"
  304. },
  305. {
  306. "name": "_adj_fpatan",
  307. "address": "0x4010e8"
  308. },
  309. {
  310. "name": null,
  311. "address": "0x4010ec"
  312. },
  313. {
  314. "name": "__vbaLateIdCallLd",
  315. "address": "0x4010f0"
  316. },
  317. {
  318. "name": "EVENT_SINK_Release",
  319. "address": "0x4010f4"
  320. },
  321. {
  322. "name": null,
  323. "address": "0x4010f8"
  324. },
  325. {
  326. "name": "_CIsqrt",
  327. "address": "0x4010fc"
  328. },
  329. {
  330. "name": "EVENT_SINK_QueryInterface",
  331. "address": "0x401100"
  332. },
  333. {
  334. "name": "__vbaVarMul",
  335. "address": "0x401104"
  336. },
  337. {
  338. "name": "__vbaExceptHandler",
  339. "address": "0x401108"
  340. },
  341. {
  342. "name": null,
  343. "address": "0x40110c"
  344. },
  345. {
  346. "name": "__vbaStrToUnicode",
  347. "address": "0x401110"
  348. },
  349. {
  350. "name": "_adj_fprem",
  351. "address": "0x401114"
  352. },
  353. {
  354. "name": "_adj_fdivr_m64",
  355. "address": "0x401118"
  356. },
  357. {
  358. "name": null,
  359. "address": "0x40111c"
  360. },
  361. {
  362. "name": null,
  363. "address": "0x401120"
  364. },
  365. {
  366. "name": "__vbaFPException",
  367. "address": "0x401124"
  368. },
  369. {
  370. "name": null,
  371. "address": "0x401128"
  372. },
  373. {
  374. "name": "__vbaStrVarVal",
  375. "address": "0x40112c"
  376. },
  377. {
  378. "name": "__vbaVarCat",
  379. "address": "0x401130"
  380. },
  381. {
  382. "name": "_CIlog",
  383. "address": "0x401134"
  384. },
  385. {
  386. "name": "__vbaFileOpen",
  387. "address": "0x401138"
  388. },
  389. {
  390. "name": "__vbaNew2",
  391. "address": "0x40113c"
  392. },
  393. {
  394. "name": "_adj_fdiv_m32i",
  395. "address": "0x401140"
  396. },
  397. {
  398. "name": "_adj_fdivr_m32i",
  399. "address": "0x401144"
  400. },
  401. {
  402. "name": "__vbaStrCopy",
  403. "address": "0x401148"
  404. },
  405. {
  406. "name": null,
  407. "address": "0x40114c"
  408. },
  409. {
  410. "name": null,
  411. "address": "0x401150"
  412. },
  413. {
  414. "name": "__vbaFreeStrList",
  415. "address": "0x401154"
  416. },
  417. {
  418. "name": "__vbaDerefAry1",
  419. "address": "0x401158"
  420. },
  421. {
  422. "name": "_adj_fdivr_m32",
  423. "address": "0x40115c"
  424. },
  425. {
  426. "name": "_adj_fdiv_r",
  427. "address": "0x401160"
  428. },
  429. {
  430. "name": null,
  431. "address": "0x401164"
  432. },
  433. {
  434. "name": null,
  435. "address": "0x401168"
  436. },
  437. {
  438. "name": "__vbaVarTstNe",
  439. "address": "0x40116c"
  440. },
  441. {
  442. "name": "__vbaI4Var",
  443. "address": "0x401170"
  444. },
  445. {
  446. "name": null,
  447. "address": "0x401174"
  448. },
  449. {
  450. "name": "__vbaVarAdd",
  451. "address": "0x401178"
  452. },
  453. {
  454. "name": "__vbaLateMemCall",
  455. "address": "0x40117c"
  456. },
  457. {
  458. "name": "__vbaInStrB",
  459. "address": "0x401180"
  460. },
  461. {
  462. "name": "__vbaStrComp",
  463. "address": "0x401184"
  464. },
  465. {
  466. "name": "__vbaVarDup",
  467. "address": "0x401188"
  468. },
  469. {
  470. "name": "__vbaStrToAnsi",
  471. "address": "0x40118c"
  472. },
  473. {
  474. "name": "__vbaVarLateMemCallLd",
  475. "address": "0x401190"
  476. },
  477. {
  478. "name": null,
  479. "address": "0x401194"
  480. },
  481. {
  482. "name": "_CIatan",
  483. "address": "0x401198"
  484. },
  485. {
  486. "name": "__vbaStrMove",
  487. "address": "0x40119c"
  488. },
  489. {
  490. "name": "__vbaAryCopy",
  491. "address": "0x4011a0"
  492. },
  493. {
  494. "name": "__vbaR8IntI4",
  495. "address": "0x4011a4"
  496. },
  497. {
  498. "name": "__vbaI4Cy",
  499. "address": "0x4011a8"
  500. },
  501. {
  502. "name": null,
  503. "address": "0x4011ac"
  504. },
  505. {
  506. "name": "_allmul",
  507. "address": "0x4011b0"
  508. },
  509. {
  510. "name": null,
  511. "address": "0x4011b4"
  512. },
  513. {
  514. "name": null,
  515. "address": "0x4011b8"
  516. },
  517. {
  518. "name": null,
  519. "address": "0x4011bc"
  520. },
  521. {
  522. "name": "_CItan",
  523. "address": "0x4011c0"
  524. },
  525. {
  526. "name": null,
  527. "address": "0x4011c4"
  528. },
  529. {
  530. "name": "_CIexp",
  531. "address": "0x4011c8"
  532. },
  533. {
  534. "name": "__vbaFreeStr",
  535. "address": "0x4011cc"
  536. },
  537. {
  538. "name": "__vbaFreeObj",
  539. "address": "0x4011d0"
  540. },
  541. {
  542. "name": null,
  543. "address": "0x4011d4"
  544. },
  545. {
  546. "name": null,
  547. "address": "0x4011d8"
  548. }
  549. ],
  550. "dll": "MSVBVM60.DLL"
  551. }
  552. ],
  553. "digital_signers": null,
  554. "exported_dll_name": null,
  555. "actual_checksum": "0x000dc196",
  556. "overlay": null,
  557. "imagebase": "0x00400000",
  558. "reported_checksum": "0x000dc196",
  559. "icon_hash": null,
  560. "entrypoint": "0x0040154c",
  561. "timestamp": "2009-04-21 17:44:45",
  562. "osversion": "4.0",
  563. "sections": [
  564. {
  565. "name": ".text",
  566. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  567. "virtual_address": "0x00001000",
  568. "size_of_data": "0x000c8000",
  569. "entropy": "2.46",
  570. "raw_address": "0x00001000",
  571. "virtual_size": "0x000c7e9c",
  572. "characteristics_raw": "0x60000020"
  573. },
  574. {
  575. "name": ".data",
  576. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  577. "virtual_address": "0x000c9000",
  578. "size_of_data": "0x00001000",
  579. "entropy": "0.00",
  580. "raw_address": "0x000c9000",
  581. "virtual_size": "0x00000b54",
  582. "characteristics_raw": "0xc0000040"
  583. },
  584. {
  585. "name": ".rsrc",
  586. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  587. "virtual_address": "0x000ca000",
  588. "size_of_data": "0x00004000",
  589. "entropy": "3.94",
  590. "raw_address": "0x000ca000",
  591. "virtual_size": "0x00003f94",
  592. "characteristics_raw": "0x40000040"
  593. }
  594. ],
  595. "resources": [],
  596. "dirents": [
  597. {
  598. "virtual_address": "0x00000000",
  599. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  600. "size": "0x00000000"
  601. },
  602. {
  603. "virtual_address": "0x000c87c4",
  604. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  605. "size": "0x00000028"
  606. },
  607. {
  608. "virtual_address": "0x000ca000",
  609. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  610. "size": "0x00003f94"
  611. },
  612. {
  613. "virtual_address": "0x00000000",
  614. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  615. "size": "0x00000000"
  616. },
  617. {
  618. "virtual_address": "0x00000000",
  619. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  620. "size": "0x00000000"
  621. },
  622. {
  623. "virtual_address": "0x00000000",
  624. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  625. "size": "0x00000000"
  626. },
  627. {
  628. "virtual_address": "0x00000000",
  629. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  630. "size": "0x00000000"
  631. },
  632. {
  633. "virtual_address": "0x00000000",
  634. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  635. "size": "0x00000000"
  636. },
  637. {
  638. "virtual_address": "0x00000000",
  639. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  640. "size": "0x00000000"
  641. },
  642. {
  643. "virtual_address": "0x00000000",
  644. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  645. "size": "0x00000000"
  646. },
  647. {
  648. "virtual_address": "0x00000000",
  649. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  650. "size": "0x00000000"
  651. },
  652. {
  653. "virtual_address": "0x00000228",
  654. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  655. "size": "0x00000020"
  656. },
  657. {
  658. "virtual_address": "0x00001000",
  659. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  660. "size": "0x000001e0"
  661. },
  662. {
  663. "virtual_address": "0x00000000",
  664. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  665. "size": "0x00000000"
  666. },
  667. {
  668. "virtual_address": "0x00000000",
  669. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  670. "size": "0x00000000"
  671. },
  672. {
  673. "virtual_address": "0x00000000",
  674. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  675. "size": "0x00000000"
  676. }
  677. ],
  678. "exports": [],
  679. "guest_signers": {},
  680. "imphash": "7052924d0f4fd20c0f5f147093d0c85a",
  681. "icon_fuzzy": null,
  682. "icon": null,
  683. "pdbpath": null,
  684. "imported_dll_count": 1,
  685. "versioninfo": []
  686. }
  687. }
  688.  
  689. [*] Resolved APIs: [
  690. "cryptbase.dll.SystemFunction036",
  691. "uxtheme.dll.ThemeInitApiHook",
  692. "user32.dll.IsProcessDPIAware",
  693. "oleaut32.dll.OleLoadPictureEx",
  694. "oleaut32.dll.DispCallFunc",
  695. "oleaut32.dll.LoadTypeLibEx",
  696. "oleaut32.dll.UnRegisterTypeLib",
  697. "oleaut32.dll.CreateTypeLib2",
  698. "oleaut32.dll.VarDateFromUdate",
  699. "oleaut32.dll.VarUdateFromDate",
  700. "oleaut32.dll.GetAltMonthNames",
  701. "oleaut32.dll.VarNumFromParseNum",
  702. "oleaut32.dll.VarParseNumFromStr",
  703. "oleaut32.dll.VarDecFromR4",
  704. "oleaut32.dll.VarDecFromR8",
  705. "oleaut32.dll.VarDecFromDate",
  706. "oleaut32.dll.VarDecFromI4",
  707. "oleaut32.dll.VarDecFromCy",
  708. "oleaut32.dll.VarR4FromDec",
  709. "oleaut32.dll.GetRecordInfoFromTypeInfo",
  710. "oleaut32.dll.GetRecordInfoFromGuids",
  711. "oleaut32.dll.SafeArrayGetRecordInfo",
  712. "oleaut32.dll.SafeArraySetRecordInfo",
  713. "oleaut32.dll.SafeArrayGetIID",
  714. "oleaut32.dll.SafeArraySetIID",
  715. "oleaut32.dll.SafeArrayCopyData",
  716. "oleaut32.dll.SafeArrayAllocDescriptorEx",
  717. "oleaut32.dll.SafeArrayCreateEx",
  718. "oleaut32.dll.VarFormat",
  719. "oleaut32.dll.VarFormatDateTime",
  720. "oleaut32.dll.VarFormatNumber",
  721. "oleaut32.dll.VarFormatPercent",
  722. "oleaut32.dll.VarFormatCurrency",
  723. "oleaut32.dll.VarWeekdayName",
  724. "oleaut32.dll.VarMonthName",
  725. "oleaut32.dll.VarAdd",
  726. "oleaut32.dll.VarAnd",
  727. "oleaut32.dll.VarCat",
  728. "oleaut32.dll.VarDiv",
  729. "oleaut32.dll.VarEqv",
  730. "oleaut32.dll.VarIdiv",
  731. "oleaut32.dll.VarImp",
  732. "oleaut32.dll.VarMod",
  733. "oleaut32.dll.VarMul",
  734. "oleaut32.dll.VarOr",
  735. "oleaut32.dll.VarPow",
  736. "oleaut32.dll.VarSub",
  737. "oleaut32.dll.VarXor",
  738. "oleaut32.dll.VarAbs",
  739. "oleaut32.dll.VarFix",
  740. "oleaut32.dll.VarInt",
  741. "oleaut32.dll.VarNeg",
  742. "oleaut32.dll.VarNot",
  743. "oleaut32.dll.VarRound",
  744. "oleaut32.dll.VarCmp",
  745. "oleaut32.dll.VarDecAdd",
  746. "oleaut32.dll.VarDecCmp",
  747. "oleaut32.dll.VarBstrCat",
  748. "oleaut32.dll.VarCyMulI4",
  749. "oleaut32.dll.VarBstrCmp",
  750. "ole32.dll.CoCreateInstanceEx",
  751. "ole32.dll.CLSIDFromProgIDEx",
  752. "sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary",
  753. "user32.dll.GetSystemMetrics",
  754. "user32.dll.MonitorFromWindow",
  755. "user32.dll.MonitorFromRect",
  756. "user32.dll.MonitorFromPoint",
  757. "user32.dll.EnumDisplayMonitors",
  758. "user32.dll.GetMonitorInfoA",
  759. "kernel32.dll.NlsGetCacheUpdateCount",
  760. "kernel32.dll.GetCalendarInfoW",
  761. "cryptsp.dll.CryptAcquireContextW",
  762. "cryptsp.dll.CryptGenRandom",
  763. "dwmapi.dll.DwmIsCompositionEnabled",
  764. "gdi32.dll.GetLayout",
  765. "gdi32.dll.GdiRealizationInfo",
  766. "gdi32.dll.FontIsLinked",
  767. "advapi32.dll.RegOpenKeyExW",
  768. "advapi32.dll.RegQueryInfoKeyW",
  769. "gdi32.dll.GetTextFaceAliasW",
  770. "advapi32.dll.RegEnumValueW",
  771. "advapi32.dll.RegCloseKey",
  772. "advapi32.dll.RegQueryValueExW",
  773. "gdi32.dll.GetFontAssocStatus",
  774. "advapi32.dll.RegQueryValueExA",
  775. "advapi32.dll.RegEnumKeyExW",
  776. "gdi32.dll.GdiIsMetaPrintDC",
  777. "kernel32.dll.ReadProcessMemory",
  778. "psapi.dll.EnumPageFilesA",
  779. "kernel32.dll.GetTickCount",
  780. "kernel32.dll.Sleep",
  781. "user32.dll.GetCursorPos",
  782. "user32.dll.EnumWindows",
  783. "kernel32.dll.SetErrorMode",
  784. "kernel32.dll.SetLastError",
  785. "kernel32.dll.VirtualAllocEx",
  786. "kernel32.dll.CloseHandle",
  787. "shell32.dll.ShellExecuteW",
  788. "kernel32.dll.WriteFile",
  789. "kernel32.dll.UnmapViewOfFile",
  790. "kernel32.dll.CreateFileW",
  791. "kernel32.dll.TerminateProcess",
  792. "kernel32.dll.VirtualProtectEx",
  793. "kernel32.dll.CreateProcessInternalW",
  794. "kernel32.dll.GetTempPathW",
  795. "kernel32.dll.GetLongPathNameW",
  796. "kernel32.dll.GetFileSize",
  797. "kernel32.dll.ReadFile",
  798. "ntdll.dll.NtProtectVirtualMemory",
  799. "kernel32.dll.GetCommandLineW"
  800. ]
  801.  
  802. [*] Static Analysis: {
  803. "pe": {
  804. "peid_signatures": null,
  805. "imports": [
  806. {
  807. "imports": [
  808. {
  809. "name": "__vbaVarTstGt",
  810. "address": "0x401000"
  811. },
  812. {
  813. "name": "__vbaVarSub",
  814. "address": "0x401004"
  815. },
  816. {
  817. "name": null,
  818. "address": "0x401008"
  819. },
  820. {
  821. "name": "_CIcos",
  822. "address": "0x40100c"
  823. },
  824. {
  825. "name": "_adj_fptan",
  826. "address": "0x401010"
  827. },
  828. {
  829. "name": "__vbaVarMove",
  830. "address": "0x401014"
  831. },
  832. {
  833. "name": "__vbaStrI4",
  834. "address": "0x401018"
  835. },
  836. {
  837. "name": null,
  838. "address": "0x40101c"
  839. },
  840. {
  841. "name": null,
  842. "address": "0x401020"
  843. },
  844. {
  845. "name": null,
  846. "address": "0x401024"
  847. },
  848. {
  849. "name": "__vbaFreeVar",
  850. "address": "0x401028"
  851. },
  852. {
  853. "name": "__vbaStrVarMove",
  854. "address": "0x40102c"
  855. },
  856. {
  857. "name": "__vbaFreeVarList",
  858. "address": "0x401030"
  859. },
  860. {
  861. "name": "__vbaEnd",
  862. "address": "0x401034"
  863. },
  864. {
  865. "name": "_adj_fdiv_m64",
  866. "address": "0x401038"
  867. },
  868. {
  869. "name": null,
  870. "address": "0x40103c"
  871. },
  872. {
  873. "name": null,
  874. "address": "0x401040"
  875. },
  876. {
  877. "name": null,
  878. "address": "0x401044"
  879. },
  880. {
  881. "name": "_adj_fprem1",
  882. "address": "0x401048"
  883. },
  884. {
  885. "name": "__vbaStrCat",
  886. "address": "0x40104c"
  887. },
  888. {
  889. "name": null,
  890. "address": "0x401050"
  891. },
  892. {
  893. "name": null,
  894. "address": "0x401054"
  895. },
  896. {
  897. "name": "__vbaSetSystemError",
  898. "address": "0x401058"
  899. },
  900. {
  901. "name": null,
  902. "address": "0x40105c"
  903. },
  904. {
  905. "name": "__vbaHresultCheckObj",
  906. "address": "0x401060"
  907. },
  908. {
  909. "name": "_adj_fdiv_m32",
  910. "address": "0x401064"
  911. },
  912. {
  913. "name": "__vbaAryVar",
  914. "address": "0x401068"
  915. },
  916. {
  917. "name": null,
  918. "address": "0x40106c"
  919. },
  920. {
  921. "name": "__vbaAryDestruct",
  922. "address": "0x401070"
  923. },
  924. {
  925. "name": null,
  926. "address": "0x401074"
  927. },
  928. {
  929. "name": null,
  930. "address": "0x401078"
  931. },
  932. {
  933. "name": "__vbaFileCloseAll",
  934. "address": "0x40107c"
  935. },
  936. {
  937. "name": "__vbaObjSet",
  938. "address": "0x401080"
  939. },
  940. {
  941. "name": null,
  942. "address": "0x401084"
  943. },
  944. {
  945. "name": null,
  946. "address": "0x401088"
  947. },
  948. {
  949. "name": "_adj_fdiv_m16i",
  950. "address": "0x40108c"
  951. },
  952. {
  953. "name": null,
  954. "address": "0x401090"
  955. },
  956. {
  957. "name": "__vbaObjSetAddref",
  958. "address": "0x401094"
  959. },
  960. {
  961. "name": "_adj_fdivr_m16i",
  962. "address": "0x401098"
  963. },
  964. {
  965. "name": null,
  966. "address": "0x40109c"
  967. },
  968. {
  969. "name": null,
  970. "address": "0x4010a0"
  971. },
  972. {
  973. "name": "__vbaFpR8",
  974. "address": "0x4010a4"
  975. },
  976. {
  977. "name": null,
  978. "address": "0x4010a8"
  979. },
  980. {
  981. "name": "_CIsin",
  982. "address": "0x4010ac"
  983. },
  984. {
  985. "name": null,
  986. "address": "0x4010b0"
  987. },
  988. {
  989. "name": "__vbaChkstk",
  990. "address": "0x4010b4"
  991. },
  992. {
  993. "name": null,
  994. "address": "0x4010b8"
  995. },
  996. {
  997. "name": "__vbaFileClose",
  998. "address": "0x4010bc"
  999. },
  1000. {
  1001. "name": "EVENT_SINK_AddRef",
  1002. "address": "0x4010c0"
  1003. },
  1004. {
  1005. "name": "__vbaStrCmp",
  1006. "address": "0x4010c4"
  1007. },
  1008. {
  1009. "name": "__vbaVarTstEq",
  1010. "address": "0x4010c8"
  1011. },
  1012. {
  1013. "name": "__vbaCyI4",
  1014. "address": "0x4010cc"
  1015. },
  1016. {
  1017. "name": "__vbaI2I4",
  1018. "address": "0x4010d0"
  1019. },
  1020. {
  1021. "name": null,
  1022. "address": "0x4010d4"
  1023. },
  1024. {
  1025. "name": "__vbaObjVar",
  1026. "address": "0x4010d8"
  1027. },
  1028. {
  1029. "name": "DllFunctionCall",
  1030. "address": "0x4010dc"
  1031. },
  1032. {
  1033. "name": null,
  1034. "address": "0x4010e0"
  1035. },
  1036. {
  1037. "name": null,
  1038. "address": "0x4010e4"
  1039. },
  1040. {
  1041. "name": "_adj_fpatan",
  1042. "address": "0x4010e8"
  1043. },
  1044. {
  1045. "name": null,
  1046. "address": "0x4010ec"
  1047. },
  1048. {
  1049. "name": "__vbaLateIdCallLd",
  1050. "address": "0x4010f0"
  1051. },
  1052. {
  1053. "name": "EVENT_SINK_Release",
  1054. "address": "0x4010f4"
  1055. },
  1056. {
  1057. "name": null,
  1058. "address": "0x4010f8"
  1059. },
  1060. {
  1061. "name": "_CIsqrt",
  1062. "address": "0x4010fc"
  1063. },
  1064. {
  1065. "name": "EVENT_SINK_QueryInterface",
  1066. "address": "0x401100"
  1067. },
  1068. {
  1069. "name": "__vbaVarMul",
  1070. "address": "0x401104"
  1071. },
  1072. {
  1073. "name": "__vbaExceptHandler",
  1074. "address": "0x401108"
  1075. },
  1076. {
  1077. "name": null,
  1078. "address": "0x40110c"
  1079. },
  1080. {
  1081. "name": "__vbaStrToUnicode",
  1082. "address": "0x401110"
  1083. },
  1084. {
  1085. "name": "_adj_fprem",
  1086. "address": "0x401114"
  1087. },
  1088. {
  1089. "name": "_adj_fdivr_m64",
  1090. "address": "0x401118"
  1091. },
  1092. {
  1093. "name": null,
  1094. "address": "0x40111c"
  1095. },
  1096. {
  1097. "name": null,
  1098. "address": "0x401120"
  1099. },
  1100. {
  1101. "name": "__vbaFPException",
  1102. "address": "0x401124"
  1103. },
  1104. {
  1105. "name": null,
  1106. "address": "0x401128"
  1107. },
  1108. {
  1109. "name": "__vbaStrVarVal",
  1110. "address": "0x40112c"
  1111. },
  1112. {
  1113. "name": "__vbaVarCat",
  1114. "address": "0x401130"
  1115. },
  1116. {
  1117. "name": "_CIlog",
  1118. "address": "0x401134"
  1119. },
  1120. {
  1121. "name": "__vbaFileOpen",
  1122. "address": "0x401138"
  1123. },
  1124. {
  1125. "name": "__vbaNew2",
  1126. "address": "0x40113c"
  1127. },
  1128. {
  1129. "name": "_adj_fdiv_m32i",
  1130. "address": "0x401140"
  1131. },
  1132. {
  1133. "name": "_adj_fdivr_m32i",
  1134. "address": "0x401144"
  1135. },
  1136. {
  1137. "name": "__vbaStrCopy",
  1138. "address": "0x401148"
  1139. },
  1140. {
  1141. "name": null,
  1142. "address": "0x40114c"
  1143. },
  1144. {
  1145. "name": null,
  1146. "address": "0x401150"
  1147. },
  1148. {
  1149. "name": "__vbaFreeStrList",
  1150. "address": "0x401154"
  1151. },
  1152. {
  1153. "name": "__vbaDerefAry1",
  1154. "address": "0x401158"
  1155. },
  1156. {
  1157. "name": "_adj_fdivr_m32",
  1158. "address": "0x40115c"
  1159. },
  1160. {
  1161. "name": "_adj_fdiv_r",
  1162. "address": "0x401160"
  1163. },
  1164. {
  1165. "name": null,
  1166. "address": "0x401164"
  1167. },
  1168. {
  1169. "name": null,
  1170. "address": "0x401168"
  1171. },
  1172. {
  1173. "name": "__vbaVarTstNe",
  1174. "address": "0x40116c"
  1175. },
  1176. {
  1177. "name": "__vbaI4Var",
  1178. "address": "0x401170"
  1179. },
  1180. {
  1181. "name": null,
  1182. "address": "0x401174"
  1183. },
  1184. {
  1185. "name": "__vbaVarAdd",
  1186. "address": "0x401178"
  1187. },
  1188. {
  1189. "name": "__vbaLateMemCall",
  1190. "address": "0x40117c"
  1191. },
  1192. {
  1193. "name": "__vbaInStrB",
  1194. "address": "0x401180"
  1195. },
  1196. {
  1197. "name": "__vbaStrComp",
  1198. "address": "0x401184"
  1199. },
  1200. {
  1201. "name": "__vbaVarDup",
  1202. "address": "0x401188"
  1203. },
  1204. {
  1205. "name": "__vbaStrToAnsi",
  1206. "address": "0x40118c"
  1207. },
  1208. {
  1209. "name": "__vbaVarLateMemCallLd",
  1210. "address": "0x401190"
  1211. },
  1212. {
  1213. "name": null,
  1214. "address": "0x401194"
  1215. },
  1216. {
  1217. "name": "_CIatan",
  1218. "address": "0x401198"
  1219. },
  1220. {
  1221. "name": "__vbaStrMove",
  1222. "address": "0x40119c"
  1223. },
  1224. {
  1225. "name": "__vbaAryCopy",
  1226. "address": "0x4011a0"
  1227. },
  1228. {
  1229. "name": "__vbaR8IntI4",
  1230. "address": "0x4011a4"
  1231. },
  1232. {
  1233. "name": "__vbaI4Cy",
  1234. "address": "0x4011a8"
  1235. },
  1236. {
  1237. "name": null,
  1238. "address": "0x4011ac"
  1239. },
  1240. {
  1241. "name": "_allmul",
  1242. "address": "0x4011b0"
  1243. },
  1244. {
  1245. "name": null,
  1246. "address": "0x4011b4"
  1247. },
  1248. {
  1249. "name": null,
  1250. "address": "0x4011b8"
  1251. },
  1252. {
  1253. "name": null,
  1254. "address": "0x4011bc"
  1255. },
  1256. {
  1257. "name": "_CItan",
  1258. "address": "0x4011c0"
  1259. },
  1260. {
  1261. "name": null,
  1262. "address": "0x4011c4"
  1263. },
  1264. {
  1265. "name": "_CIexp",
  1266. "address": "0x4011c8"
  1267. },
  1268. {
  1269. "name": "__vbaFreeStr",
  1270. "address": "0x4011cc"
  1271. },
  1272. {
  1273. "name": "__vbaFreeObj",
  1274. "address": "0x4011d0"
  1275. },
  1276. {
  1277. "name": null,
  1278. "address": "0x4011d4"
  1279. },
  1280. {
  1281. "name": null,
  1282. "address": "0x4011d8"
  1283. }
  1284. ],
  1285. "dll": "MSVBVM60.DLL"
  1286. }
  1287. ],
  1288. "digital_signers": null,
  1289. "exported_dll_name": null,
  1290. "actual_checksum": "0x000dc196",
  1291. "overlay": null,
  1292. "imagebase": "0x00400000",
  1293. "reported_checksum": "0x000dc196",
  1294. "icon_hash": null,
  1295. "entrypoint": "0x0040154c",
  1296. "timestamp": "2009-04-21 17:44:45",
  1297. "osversion": "4.0",
  1298. "sections": [
  1299. {
  1300. "name": ".text",
  1301. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1302. "virtual_address": "0x00001000",
  1303. "size_of_data": "0x000c8000",
  1304. "entropy": "2.46",
  1305. "raw_address": "0x00001000",
  1306. "virtual_size": "0x000c7e9c",
  1307. "characteristics_raw": "0x60000020"
  1308. },
  1309. {
  1310. "name": ".data",
  1311. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1312. "virtual_address": "0x000c9000",
  1313. "size_of_data": "0x00001000",
  1314. "entropy": "0.00",
  1315. "raw_address": "0x000c9000",
  1316. "virtual_size": "0x00000b54",
  1317. "characteristics_raw": "0xc0000040"
  1318. },
  1319. {
  1320. "name": ".rsrc",
  1321. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1322. "virtual_address": "0x000ca000",
  1323. "size_of_data": "0x00004000",
  1324. "entropy": "3.94",
  1325. "raw_address": "0x000ca000",
  1326. "virtual_size": "0x00003f94",
  1327. "characteristics_raw": "0x40000040"
  1328. }
  1329. ],
  1330. "resources": [],
  1331. "dirents": [
  1332. {
  1333. "virtual_address": "0x00000000",
  1334. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1335. "size": "0x00000000"
  1336. },
  1337. {
  1338. "virtual_address": "0x000c87c4",
  1339. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1340. "size": "0x00000028"
  1341. },
  1342. {
  1343. "virtual_address": "0x000ca000",
  1344. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1345. "size": "0x00003f94"
  1346. },
  1347. {
  1348. "virtual_address": "0x00000000",
  1349. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1350. "size": "0x00000000"
  1351. },
  1352. {
  1353. "virtual_address": "0x00000000",
  1354. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1355. "size": "0x00000000"
  1356. },
  1357. {
  1358. "virtual_address": "0x00000000",
  1359. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1360. "size": "0x00000000"
  1361. },
  1362. {
  1363. "virtual_address": "0x00000000",
  1364. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1365. "size": "0x00000000"
  1366. },
  1367. {
  1368. "virtual_address": "0x00000000",
  1369. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1370. "size": "0x00000000"
  1371. },
  1372. {
  1373. "virtual_address": "0x00000000",
  1374. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1375. "size": "0x00000000"
  1376. },
  1377. {
  1378. "virtual_address": "0x00000000",
  1379. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1380. "size": "0x00000000"
  1381. },
  1382. {
  1383. "virtual_address": "0x00000000",
  1384. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1385. "size": "0x00000000"
  1386. },
  1387. {
  1388. "virtual_address": "0x00000228",
  1389. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1390. "size": "0x00000020"
  1391. },
  1392. {
  1393. "virtual_address": "0x00001000",
  1394. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1395. "size": "0x000001e0"
  1396. },
  1397. {
  1398. "virtual_address": "0x00000000",
  1399. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1400. "size": "0x00000000"
  1401. },
  1402. {
  1403. "virtual_address": "0x00000000",
  1404. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1405. "size": "0x00000000"
  1406. },
  1407. {
  1408. "virtual_address": "0x00000000",
  1409. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1410. "size": "0x00000000"
  1411. }
  1412. ],
  1413. "exports": [],
  1414. "guest_signers": {},
  1415. "imphash": "7052924d0f4fd20c0f5f147093d0c85a",
  1416. "icon_fuzzy": null,
  1417. "icon": null,
  1418. "pdbpath": null,
  1419. "imported_dll_count": 1,
  1420. "versioninfo": []
  1421. }
  1422. }