paladin316

Exes_005e942c_exe.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_005e942c.exe"
  7. [*] File Size: 638976
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "7ccd050f5e9f7e9c368e55a61a40531efdb5bc53511bf83527b2397df35815f4"
  10. [*] MD5: "8c47b65450bbcfbbbf0be86ae33a5218"
  11. [*] SHA1: "30b79b42cf09987d1e4d40dedcd6eb5d457302ba"
  12. [*] SHA512: "558add095c9d7503382d567f5188c26326df286ae8adb30ba0b8a91e7e2cbfe4b31a9a70b2242ed415215b6ac526312916efdc69daa0d4b6c43003645a832014"
  13. [*] CRC32: "005E942C"
  14. [*] SSDEEP: "6144:VQ8oufWtVjM1Er81OWW07SryaqE8VkZQSzHDQ7KsV79nN+2g+AS:V7+tVjsRfSrrFmkykHDQ7KEDr"
  15.  
  16. [*] Process Execution: [
  17. "Exes_005e942c.exe"
  18. ]
  19.  
  20. [*] Signatures Detected: [
  21. {
  22. "Description": "Creates RWX memory",
  23. "Details": []
  24. },
  25. {
  26. "Description": "The binary likely contains encrypted or compressed data.",
  27. "Details": [
  28. {
  29. "section": "name: .text, entropy: 7.85, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00099000, virtual_size: 0x00098f54"
  30. }
  31. ]
  32. },
  33. {
  34. "Description": "Installs itself for autorun at Windows startup",
  35. "Details": [
  36. {
  37. "file": "C:\\Windows\\win.ini"
  38. },
  39. {
  40. "file": "C:\\Windows\\win.ini"
  41. }
  42. ]
  43. },
  44. {
  45. "Description": "File has been identified by 38 Antiviruses on VirusTotal as malicious",
  46. "Details": [
  47. {
  48. "MicroWorld-eScan": "Trojan.GenericKD.41362517"
  49. },
  50. {
  51. "FireEye": "Generic.mg.8c47b65450bbcfbb"
  52. },
  53. {
  54. "ALYac": "Trojan.GenericKD.41362517"
  55. },
  56. {
  57. "Cylance": "Unsafe"
  58. },
  59. {
  60. "Alibaba": "TrojanSpy:Win32/Noon.cbb16507"
  61. },
  62. {
  63. "K7GW": "Trojan ( 0054fef91 )"
  64. },
  65. {
  66. "K7AntiVirus": "Trojan ( 0054fef91 )"
  67. },
  68. {
  69. "Arcabit": "Trojan.Generic.D2772455"
  70. },
  71. {
  72. "Invincea": "heuristic"
  73. },
  74. {
  75. "Symantec": "Trojan.Gen.MBT"
  76. },
  77. {
  78. "APEX": "Malicious"
  79. },
  80. {
  81. "Paloalto": "generic.ml"
  82. },
  83. {
  84. "Kaspersky": "Trojan-Spy.Win32.Noon.agnx"
  85. },
  86. {
  87. "BitDefender": "Trojan.GenericKD.41362517"
  88. },
  89. {
  90. "Avast": "Win32:Trojan-gen"
  91. },
  92. {
  93. "Tencent": "Win32.Trojan.Inject.Auto"
  94. },
  95. {
  96. "Ad-Aware": "Trojan.GenericKD.41362517"
  97. },
  98. {
  99. "Emsisoft": "Trojan.GenericKD.41362517 (B)"
  100. },
  101. {
  102. "TrendMicro": "TROJ_GEN.R03BC0WFC19"
  103. },
  104. {
  105. "McAfee-GW-Edition": "BehavesLike.Win32.Trojan.jc"
  106. },
  107. {
  108. "Trapmine": "suspicious.low.ml.score"
  109. },
  110. {
  111. "Sophos": "Mal/FareitVB-N"
  112. },
  113. {
  114. "Ikarus": "Trojan.VB.Crypt"
  115. },
  116. {
  117. "ESET-NOD32": "a variant of Win32/Injector.EFXT"
  118. },
  119. {
  120. "Microsoft": "Trojan:Win32/Dynamer!rfn"
  121. },
  122. {
  123. "ZoneAlarm": "Trojan-Spy.Win32.Noon.agnx"
  124. },
  125. {
  126. "GData": "Win32.Trojan-Stealer.FormBook.S6Q4G1"
  127. },
  128. {
  129. "AhnLab-V3": "Trojan/Win32.Injector.R275286"
  130. },
  131. {
  132. "McAfee": "Fareit-FOA!8C47B65450BB"
  133. },
  134. {
  135. "TrendMicro-HouseCall": "TROJ_GEN.R03BC0WFC19"
  136. },
  137. {
  138. "Rising": "Trojan.Injector!1.B459 (CLASSIC)"
  139. },
  140. {
  141. "SentinelOne": "DFI - Malicious PE"
  142. },
  143. {
  144. "Fortinet": "W32/Malicious_Behavior.VEX"
  145. },
  146. {
  147. "AVG": "Win32:Trojan-gen"
  148. },
  149. {
  150. "Cybereason": "malicious.450bbc"
  151. },
  152. {
  153. "Panda": "Trj/CI.A"
  154. },
  155. {
  156. "CrowdStrike": "win/malicious_confidence_100% (W)"
  157. },
  158. {
  159. "Qihoo-360": "HEUR/QVM03.0.C44B.Malware.Gen"
  160. }
  161. ]
  162. },
  163. {
  164. "Description": "Anomalous binary characteristics",
  165. "Details": [
  166. {
  167. "anomaly": "Actual checksum does not match that reported in PE header"
  168. }
  169. ]
  170. }
  171. ]
  172.  
  173. [*] Started Service: []
  174.  
  175. [*] Executed Commands: [
  176. "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_005e942c.exe\""
  177. ]
  178.  
  179. [*] Mutexes: [
  180. "CicLoadWinStaWinSta0",
  181. "Local\\MSCTF.CtfMonitorInstMutexDefault1"
  182. ]
  183.  
  184. [*] Modified Files: [
  185. "C:\\Windows\\win.ini"
  186. ]
  187.  
  188. [*] Deleted Files: []
  189.  
  190. [*] Modified Registry Keys: []
  191.  
  192. [*] Deleted Registry Keys: []
  193.  
  194. [*] DNS Communications: []
  195.  
  196. [*] Domains: []
  197.  
  198. [*] Network Communication - ICMP: []
  199.  
  200. [*] Network Communication - HTTP: []
  201.  
  202. [*] Network Communication - SMTP: []
  203.  
  204. [*] Network Communication - Hosts: []
  205.  
  206. [*] Network Communication - IRC: []
  207.  
  208. [*] Static Analysis: {
  209. "pe": {
  210. "peid_signatures": null,
  211. "imports": [
  212. {
  213. "imports": [
  214. {
  215. "name": "_CIcos",
  216. "address": "0x401000"
  217. },
  218. {
  219. "name": "_adj_fptan",
  220. "address": "0x401004"
  221. },
  222. {
  223. "name": "__vbaVarMove",
  224. "address": "0x401008"
  225. },
  226. {
  227. "name": null,
  228. "address": "0x40100c"
  229. },
  230. {
  231. "name": "__vbaFreeVar",
  232. "address": "0x401010"
  233. },
  234. {
  235. "name": "__vbaStrVarMove",
  236. "address": "0x401014"
  237. },
  238. {
  239. "name": null,
  240. "address": "0x401018"
  241. },
  242. {
  243. "name": "__vbaFreeVarList",
  244. "address": "0x40101c"
  245. },
  246. {
  247. "name": "__vbaVarIdiv",
  248. "address": "0x401020"
  249. },
  250. {
  251. "name": "_adj_fdiv_m64",
  252. "address": "0x401024"
  253. },
  254. {
  255. "name": null,
  256. "address": "0x401028"
  257. },
  258. {
  259. "name": "__vbaFreeObjList",
  260. "address": "0x40102c"
  261. },
  262. {
  263. "name": null,
  264. "address": "0x401030"
  265. },
  266. {
  267. "name": "_adj_fprem1",
  268. "address": "0x401034"
  269. },
  270. {
  271. "name": "__vbaInStrVarB",
  272. "address": "0x401038"
  273. },
  274. {
  275. "name": "__vbaRecDestruct",
  276. "address": "0x40103c"
  277. },
  278. {
  279. "name": "__vbaSetSystemError",
  280. "address": "0x401040"
  281. },
  282. {
  283. "name": "__vbaHresultCheckObj",
  284. "address": "0x401044"
  285. },
  286. {
  287. "name": null,
  288. "address": "0x401048"
  289. },
  290. {
  291. "name": null,
  292. "address": "0x40104c"
  293. },
  294. {
  295. "name": null,
  296. "address": "0x401050"
  297. },
  298. {
  299. "name": null,
  300. "address": "0x401054"
  301. },
  302. {
  303. "name": "_adj_fdiv_m32",
  304. "address": "0x401058"
  305. },
  306. {
  307. "name": "__vbaAryVar",
  308. "address": "0x40105c"
  309. },
  310. {
  311. "name": null,
  312. "address": "0x401060"
  313. },
  314. {
  315. "name": "__vbaAryDestruct",
  316. "address": "0x401064"
  317. },
  318. {
  319. "name": null,
  320. "address": "0x401068"
  321. },
  322. {
  323. "name": "__vbaBoolStr",
  324. "address": "0x40106c"
  325. },
  326. {
  327. "name": null,
  328. "address": "0x401070"
  329. },
  330. {
  331. "name": "__vbaObjSet",
  332. "address": "0x401074"
  333. },
  334. {
  335. "name": null,
  336. "address": "0x401078"
  337. },
  338. {
  339. "name": "_adj_fdiv_m16i",
  340. "address": "0x40107c"
  341. },
  342. {
  343. "name": "__vbaObjSetAddref",
  344. "address": "0x401080"
  345. },
  346. {
  347. "name": "_adj_fdivr_m16i",
  348. "address": "0x401084"
  349. },
  350. {
  351. "name": null,
  352. "address": "0x401088"
  353. },
  354. {
  355. "name": null,
  356. "address": "0x40108c"
  357. },
  358. {
  359. "name": "__vbaFPFix",
  360. "address": "0x401090"
  361. },
  362. {
  363. "name": "__vbaFpR8",
  364. "address": "0x401094"
  365. },
  366. {
  367. "name": "_CIsin",
  368. "address": "0x401098"
  369. },
  370. {
  371. "name": "__vbaErase",
  372. "address": "0x40109c"
  373. },
  374. {
  375. "name": "__vbaChkstk",
  376. "address": "0x4010a0"
  377. },
  378. {
  379. "name": null,
  380. "address": "0x4010a4"
  381. },
  382. {
  383. "name": "EVENT_SINK_AddRef",
  384. "address": "0x4010a8"
  385. },
  386. {
  387. "name": "__vbaGenerateBoundsError",
  388. "address": "0x4010ac"
  389. },
  390. {
  391. "name": "__vbaStrCmp",
  392. "address": "0x4010b0"
  393. },
  394. {
  395. "name": "__vbaAryConstruct2",
  396. "address": "0x4010b4"
  397. },
  398. {
  399. "name": "__vbaVarTstEq",
  400. "address": "0x4010b8"
  401. },
  402. {
  403. "name": null,
  404. "address": "0x4010bc"
  405. },
  406. {
  407. "name": "__vbaObjVar",
  408. "address": "0x4010c0"
  409. },
  410. {
  411. "name": "DllFunctionCall",
  412. "address": "0x4010c4"
  413. },
  414. {
  415. "name": null,
  416. "address": "0x4010c8"
  417. },
  418. {
  419. "name": null,
  420. "address": "0x4010cc"
  421. },
  422. {
  423. "name": "_adj_fpatan",
  424. "address": "0x4010d0"
  425. },
  426. {
  427. "name": null,
  428. "address": "0x4010d4"
  429. },
  430. {
  431. "name": "__vbaLateIdCallLd",
  432. "address": "0x4010d8"
  433. },
  434. {
  435. "name": "__vbaRedim",
  436. "address": "0x4010dc"
  437. },
  438. {
  439. "name": "EVENT_SINK_Release",
  440. "address": "0x4010e0"
  441. },
  442. {
  443. "name": null,
  444. "address": "0x4010e4"
  445. },
  446. {
  447. "name": "_CIsqrt",
  448. "address": "0x4010e8"
  449. },
  450. {
  451. "name": "EVENT_SINK_QueryInterface",
  452. "address": "0x4010ec"
  453. },
  454. {
  455. "name": null,
  456. "address": "0x4010f0"
  457. },
  458. {
  459. "name": "__vbaExceptHandler",
  460. "address": "0x4010f4"
  461. },
  462. {
  463. "name": null,
  464. "address": "0x4010f8"
  465. },
  466. {
  467. "name": "__vbaStrToUnicode",
  468. "address": "0x4010fc"
  469. },
  470. {
  471. "name": null,
  472. "address": "0x401100"
  473. },
  474. {
  475. "name": "_adj_fprem",
  476. "address": "0x401104"
  477. },
  478. {
  479. "name": "_adj_fdivr_m64",
  480. "address": "0x401108"
  481. },
  482. {
  483. "name": null,
  484. "address": "0x40110c"
  485. },
  486. {
  487. "name": null,
  488. "address": "0x401110"
  489. },
  490. {
  491. "name": null,
  492. "address": "0x401114"
  493. },
  494. {
  495. "name": null,
  496. "address": "0x401118"
  497. },
  498. {
  499. "name": null,
  500. "address": "0x40111c"
  501. },
  502. {
  503. "name": null,
  504. "address": "0x401120"
  505. },
  506. {
  507. "name": "__vbaFPException",
  508. "address": "0x401124"
  509. },
  510. {
  511. "name": null,
  512. "address": "0x401128"
  513. },
  514. {
  515. "name": "__vbaStrVarVal",
  516. "address": "0x40112c"
  517. },
  518. {
  519. "name": null,
  520. "address": "0x401130"
  521. },
  522. {
  523. "name": null,
  524. "address": "0x401134"
  525. },
  526. {
  527. "name": "_CIlog",
  528. "address": "0x401138"
  529. },
  530. {
  531. "name": "__vbaErrorOverflow",
  532. "address": "0x40113c"
  533. },
  534. {
  535. "name": null,
  536. "address": "0x401140"
  537. },
  538. {
  539. "name": "__vbaNew2",
  540. "address": "0x401144"
  541. },
  542. {
  543. "name": "__vbaR8Str",
  544. "address": "0x401148"
  545. },
  546. {
  547. "name": null,
  548. "address": "0x40114c"
  549. },
  550. {
  551. "name": null,
  552. "address": "0x401150"
  553. },
  554. {
  555. "name": "_adj_fdiv_m32i",
  556. "address": "0x401154"
  557. },
  558. {
  559. "name": "_adj_fdivr_m32i",
  560. "address": "0x401158"
  561. },
  562. {
  563. "name": "__vbaStrCopy",
  564. "address": "0x40115c"
  565. },
  566. {
  567. "name": "__vbaI4Str",
  568. "address": "0x401160"
  569. },
  570. {
  571. "name": null,
  572. "address": "0x401164"
  573. },
  574. {
  575. "name": "__vbaFreeStrList",
  576. "address": "0x401168"
  577. },
  578. {
  579. "name": null,
  580. "address": "0x40116c"
  581. },
  582. {
  583. "name": null,
  584. "address": "0x401170"
  585. },
  586. {
  587. "name": "__vbaDerefAry1",
  588. "address": "0x401174"
  589. },
  590. {
  591. "name": null,
  592. "address": "0x401178"
  593. },
  594. {
  595. "name": "_adj_fdivr_m32",
  596. "address": "0x40117c"
  597. },
  598. {
  599. "name": "_adj_fdiv_r",
  600. "address": "0x401180"
  601. },
  602. {
  603. "name": null,
  604. "address": "0x401184"
  605. },
  606. {
  607. "name": null,
  608. "address": "0x401188"
  609. },
  610. {
  611. "name": "__vbaVarTstNe",
  612. "address": "0x40118c"
  613. },
  614. {
  615. "name": "__vbaI4Var",
  616. "address": "0x401190"
  617. },
  618. {
  619. "name": null,
  620. "address": "0x401194"
  621. },
  622. {
  623. "name": "__vbaVarAdd",
  624. "address": "0x401198"
  625. },
  626. {
  627. "name": "__vbaStrToAnsi",
  628. "address": "0x40119c"
  629. },
  630. {
  631. "name": "__vbaVarDup",
  632. "address": "0x4011a0"
  633. },
  634. {
  635. "name": null,
  636. "address": "0x4011a4"
  637. },
  638. {
  639. "name": null,
  640. "address": "0x4011a8"
  641. },
  642. {
  643. "name": "__vbaVarCopy",
  644. "address": "0x4011ac"
  645. },
  646. {
  647. "name": "_CIatan",
  648. "address": "0x4011b0"
  649. },
  650. {
  651. "name": null,
  652. "address": "0x4011b4"
  653. },
  654. {
  655. "name": "__vbaStrMove",
  656. "address": "0x4011b8"
  657. },
  658. {
  659. "name": "__vbaAryCopy",
  660. "address": "0x4011bc"
  661. },
  662. {
  663. "name": null,
  664. "address": "0x4011c0"
  665. },
  666. {
  667. "name": "_allmul",
  668. "address": "0x4011c4"
  669. },
  670. {
  671. "name": null,
  672. "address": "0x4011c8"
  673. },
  674. {
  675. "name": "_CItan",
  676. "address": "0x4011cc"
  677. },
  678. {
  679. "name": "_CIexp",
  680. "address": "0x4011d0"
  681. },
  682. {
  683. "name": "__vbaFreeObj",
  684. "address": "0x4011d4"
  685. },
  686. {
  687. "name": "__vbaFreeStr",
  688. "address": "0x4011d8"
  689. },
  690. {
  691. "name": null,
  692. "address": "0x4011dc"
  693. },
  694. {
  695. "name": null,
  696. "address": "0x4011e0"
  697. }
  698. ],
  699. "dll": "MSVBVM60.DLL"
  700. }
  701. ],
  702. "digital_signers": null,
  703. "exported_dll_name": null,
  704. "actual_checksum": "0x0009d56b",
  705. "overlay": null,
  706. "imagebase": "0x00400000",
  707. "reported_checksum": "0x000a0178",
  708. "icon_hash": null,
  709. "entrypoint": "0x00401558",
  710. "timestamp": "2008-08-01 05:08:00",
  711. "osversion": "4.0",
  712. "sections": [
  713. {
  714. "name": ".text",
  715. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  716. "virtual_address": "0x00001000",
  717. "size_of_data": "0x00099000",
  718. "entropy": "7.85",
  719. "raw_address": "0x00001000",
  720. "virtual_size": "0x00098f54",
  721. "characteristics_raw": "0x60000020"
  722. },
  723. {
  724. "name": ".data",
  725. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  726. "virtual_address": "0x0009a000",
  727. "size_of_data": "0x00001000",
  728. "entropy": "0.00",
  729. "raw_address": "0x0009a000",
  730. "virtual_size": "0x00005530",
  731. "characteristics_raw": "0xc0000040"
  732. },
  733. {
  734. "name": ".rsrc",
  735. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  736. "virtual_address": "0x000a0000",
  737. "size_of_data": "0x00001000",
  738. "entropy": "3.46",
  739. "raw_address": "0x0009b000",
  740. "virtual_size": "0x00000e58",
  741. "characteristics_raw": "0x40000040"
  742. }
  743. ],
  744. "resources": [],
  745. "dirents": [
  746. {
  747. "virtual_address": "0x00000000",
  748. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  749. "size": "0x00000000"
  750. },
  751. {
  752. "virtual_address": "0x00099894",
  753. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  754. "size": "0x00000028"
  755. },
  756. {
  757. "virtual_address": "0x000a0000",
  758. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  759. "size": "0x00000e58"
  760. },
  761. {
  762. "virtual_address": "0x00000000",
  763. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  764. "size": "0x00000000"
  765. },
  766. {
  767. "virtual_address": "0x00000000",
  768. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  769. "size": "0x00000000"
  770. },
  771. {
  772. "virtual_address": "0x00000000",
  773. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  774. "size": "0x00000000"
  775. },
  776. {
  777. "virtual_address": "0x00000000",
  778. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  779. "size": "0x00000000"
  780. },
  781. {
  782. "virtual_address": "0x00000000",
  783. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  784. "size": "0x00000000"
  785. },
  786. {
  787. "virtual_address": "0x00000000",
  788. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  789. "size": "0x00000000"
  790. },
  791. {
  792. "virtual_address": "0x00000000",
  793. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  794. "size": "0x00000000"
  795. },
  796. {
  797. "virtual_address": "0x00000000",
  798. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  799. "size": "0x00000000"
  800. },
  801. {
  802. "virtual_address": "0x00000238",
  803. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  804. "size": "0x00000020"
  805. },
  806. {
  807. "virtual_address": "0x00001000",
  808. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  809. "size": "0x000001e8"
  810. },
  811. {
  812. "virtual_address": "0x00000000",
  813. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  814. "size": "0x00000000"
  815. },
  816. {
  817. "virtual_address": "0x00000000",
  818. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  819. "size": "0x00000000"
  820. },
  821. {
  822. "virtual_address": "0x00000000",
  823. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  824. "size": "0x00000000"
  825. }
  826. ],
  827. "exports": [],
  828. "guest_signers": {},
  829. "imphash": "9148078ae78bba505b83bb73096b0dc6",
  830. "icon_fuzzy": null,
  831. "icon": null,
  832. "pdbpath": null,
  833. "imported_dll_count": 1,
  834. "versioninfo": []
  835. }
  836. }
  837.  
  838. [*] Resolved APIs: [
  839. "cryptbase.dll.SystemFunction036",
  840. "uxtheme.dll.ThemeInitApiHook",
  841. "user32.dll.IsProcessDPIAware",
  842. "oleaut32.dll.OleLoadPictureEx",
  843. "oleaut32.dll.DispCallFunc",
  844. "oleaut32.dll.LoadTypeLibEx",
  845. "oleaut32.dll.UnRegisterTypeLib",
  846. "oleaut32.dll.CreateTypeLib2",
  847. "oleaut32.dll.VarDateFromUdate",
  848. "oleaut32.dll.VarUdateFromDate",
  849. "oleaut32.dll.GetAltMonthNames",
  850. "oleaut32.dll.VarNumFromParseNum",
  851. "oleaut32.dll.VarParseNumFromStr",
  852. "oleaut32.dll.VarDecFromR4",
  853. "oleaut32.dll.VarDecFromR8",
  854. "oleaut32.dll.VarDecFromDate",
  855. "oleaut32.dll.VarDecFromI4",
  856. "oleaut32.dll.VarDecFromCy",
  857. "oleaut32.dll.VarR4FromDec",
  858. "oleaut32.dll.GetRecordInfoFromTypeInfo",
  859. "oleaut32.dll.GetRecordInfoFromGuids",
  860. "oleaut32.dll.SafeArrayGetRecordInfo",
  861. "oleaut32.dll.SafeArraySetRecordInfo",
  862. "oleaut32.dll.SafeArrayGetIID",
  863. "oleaut32.dll.SafeArraySetIID",
  864. "oleaut32.dll.SafeArrayCopyData",
  865. "oleaut32.dll.SafeArrayAllocDescriptorEx",
  866. "oleaut32.dll.SafeArrayCreateEx",
  867. "oleaut32.dll.VarFormat",
  868. "oleaut32.dll.VarFormatDateTime",
  869. "oleaut32.dll.VarFormatNumber",
  870. "oleaut32.dll.VarFormatPercent",
  871. "oleaut32.dll.VarFormatCurrency",
  872. "oleaut32.dll.VarWeekdayName",
  873. "oleaut32.dll.VarMonthName",
  874. "oleaut32.dll.VarAdd",
  875. "oleaut32.dll.VarAnd",
  876. "oleaut32.dll.VarCat",
  877. "oleaut32.dll.VarDiv",
  878. "oleaut32.dll.VarEqv",
  879. "oleaut32.dll.VarIdiv",
  880. "oleaut32.dll.VarImp",
  881. "oleaut32.dll.VarMod",
  882. "oleaut32.dll.VarMul",
  883. "oleaut32.dll.VarOr",
  884. "oleaut32.dll.VarPow",
  885. "oleaut32.dll.VarSub",
  886. "oleaut32.dll.VarXor",
  887. "oleaut32.dll.VarAbs",
  888. "oleaut32.dll.VarFix",
  889. "oleaut32.dll.VarInt",
  890. "oleaut32.dll.VarNeg",
  891. "oleaut32.dll.VarNot",
  892. "oleaut32.dll.VarRound",
  893. "oleaut32.dll.VarCmp",
  894. "oleaut32.dll.VarDecAdd",
  895. "oleaut32.dll.VarDecCmp",
  896. "oleaut32.dll.VarBstrCat",
  897. "oleaut32.dll.VarCyMulI4",
  898. "oleaut32.dll.VarBstrCmp",
  899. "ole32.dll.CoCreateInstanceEx",
  900. "ole32.dll.CLSIDFromProgIDEx",
  901. "sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary",
  902. "user32.dll.GetSystemMetrics",
  903. "user32.dll.MonitorFromWindow",
  904. "user32.dll.MonitorFromRect",
  905. "user32.dll.MonitorFromPoint",
  906. "user32.dll.EnumDisplayMonitors",
  907. "user32.dll.GetMonitorInfoA",
  908. "kernel32.dll.NlsGetCacheUpdateCount",
  909. "kernel32.dll.GetCalendarInfoW",
  910. "dwmapi.dll.DwmIsCompositionEnabled",
  911. "lpk.dll.LpkEditControl",
  912. "comctl32.dll.HIMAGELIST_QueryInterface",
  913. "comctl32.dll.DrawShadowText",
  914. "comctl32.dll.DrawSizeBox",
  915. "comctl32.dll.DrawScrollBar",
  916. "comctl32.dll.SizeBoxHwnd",
  917. "comctl32.dll.ScrollBar_MouseMove",
  918. "comctl32.dll.ScrollBar_Menu",
  919. "comctl32.dll.HandleScrollCmd",
  920. "comctl32.dll.DetachScrollBars",
  921. "comctl32.dll.AttachScrollBars",
  922. "comctl32.dll.CCSetScrollInfo",
  923. "comctl32.dll.CCGetScrollInfo",
  924. "comctl32.dll.CCEnableScrollBar",
  925. "comctl32.dll.QuerySystemGestureStatus",
  926. "uxtheme.dll.#49",
  927. "uxtheme.dll.CloseThemeData",
  928. "uxtheme.dll.DrawThemeBackground",
  929. "uxtheme.dll.GetThemeBackgroundContentRect",
  930. "uxtheme.dll.GetThemePartSize",
  931. "gdi32.dll.GetLayout",
  932. "gdi32.dll.GdiRealizationInfo",
  933. "gdi32.dll.FontIsLinked",
  934. "advapi32.dll.RegOpenKeyExW",
  935. "advapi32.dll.RegQueryInfoKeyW",
  936. "gdi32.dll.GetTextFaceAliasW",
  937. "advapi32.dll.RegEnumValueW",
  938. "advapi32.dll.RegCloseKey",
  939. "advapi32.dll.RegQueryValueExW",
  940. "gdi32.dll.GetFontAssocStatus",
  941. "advapi32.dll.RegQueryValueExA",
  942. "advapi32.dll.RegEnumKeyExW",
  943. "gdi32.dll.GdiIsMetaPrintDC",
  944. "ole32.dll.CoInitializeEx",
  945. "ole32.dll.CoUninitialize",
  946. "ole32.dll.CoRegisterInitializeSpy",
  947. "ole32.dll.CoRevokeInitializeSpy",
  948. "user32.dll.EnumChildWindows",
  949. "shell32.dll.Shell_NotifyIconA",
  950. "ntdll.dll.ZwSetInformationProcess",
  951. "kernel32.dll.Sleep",
  952. "kernel32.dll.WriteProfileStringA",
  953. "ntdll.dll.NtProtectVirtualMemory",
  954. "kernel32.dll.CreateFileA",
  955. "kernel32.dll.WriteFile",
  956. "kernel32.dll.CloseHandle",
  957. "kernel32.dll.ReadFile",
  958. "kernel32.dll.GetFileSize",
  959. "kernel32.dll.UnmapViewOfFile",
  960. "kernel32.dll.VirtualProtectEx",
  961. "kernel32.dll.GetLongPathNameA",
  962. "kernel32.dll.TerminateProcess",
  963. "iphlpapi.dll.GetAdaptersInfo",
  964. "kernel32.dll.VirtualAllocEx",
  965. "kernel32.dll.CreateProcessW",
  966. "shell32.dll.ShellExecuteA",
  967. "advapi32.dll.RegCreateKeyExA",
  968. "advapi32.dll.RegSetValueExA",
  969. "kernel32.dll.WaitForDebugEvent",
  970. "kernel32.dll.ContinueDebugEvent",
  971. "kernel32.dll.DebugActiveProcessStop",
  972. "kernel32.dll.OutputDebugStringW"
  973. ]
  974.  
  975. [*] Static Analysis: {
  976. "pe": {
  977. "peid_signatures": null,
  978. "imports": [
  979. {
  980. "imports": [
  981. {
  982. "name": "_CIcos",
  983. "address": "0x401000"
  984. },
  985. {
  986. "name": "_adj_fptan",
  987. "address": "0x401004"
  988. },
  989. {
  990. "name": "__vbaVarMove",
  991. "address": "0x401008"
  992. },
  993. {
  994. "name": null,
  995. "address": "0x40100c"
  996. },
  997. {
  998. "name": "__vbaFreeVar",
  999. "address": "0x401010"
  1000. },
  1001. {
  1002. "name": "__vbaStrVarMove",
  1003. "address": "0x401014"
  1004. },
  1005. {
  1006. "name": null,
  1007. "address": "0x401018"
  1008. },
  1009. {
  1010. "name": "__vbaFreeVarList",
  1011. "address": "0x40101c"
  1012. },
  1013. {
  1014. "name": "__vbaVarIdiv",
  1015. "address": "0x401020"
  1016. },
  1017. {
  1018. "name": "_adj_fdiv_m64",
  1019. "address": "0x401024"
  1020. },
  1021. {
  1022. "name": null,
  1023. "address": "0x401028"
  1024. },
  1025. {
  1026. "name": "__vbaFreeObjList",
  1027. "address": "0x40102c"
  1028. },
  1029. {
  1030. "name": null,
  1031. "address": "0x401030"
  1032. },
  1033. {
  1034. "name": "_adj_fprem1",
  1035. "address": "0x401034"
  1036. },
  1037. {
  1038. "name": "__vbaInStrVarB",
  1039. "address": "0x401038"
  1040. },
  1041. {
  1042. "name": "__vbaRecDestruct",
  1043. "address": "0x40103c"
  1044. },
  1045. {
  1046. "name": "__vbaSetSystemError",
  1047. "address": "0x401040"
  1048. },
  1049. {
  1050. "name": "__vbaHresultCheckObj",
  1051. "address": "0x401044"
  1052. },
  1053. {
  1054. "name": null,
  1055. "address": "0x401048"
  1056. },
  1057. {
  1058. "name": null,
  1059. "address": "0x40104c"
  1060. },
  1061. {
  1062. "name": null,
  1063. "address": "0x401050"
  1064. },
  1065. {
  1066. "name": null,
  1067. "address": "0x401054"
  1068. },
  1069. {
  1070. "name": "_adj_fdiv_m32",
  1071. "address": "0x401058"
  1072. },
  1073. {
  1074. "name": "__vbaAryVar",
  1075. "address": "0x40105c"
  1076. },
  1077. {
  1078. "name": null,
  1079. "address": "0x401060"
  1080. },
  1081. {
  1082. "name": "__vbaAryDestruct",
  1083. "address": "0x401064"
  1084. },
  1085. {
  1086. "name": null,
  1087. "address": "0x401068"
  1088. },
  1089. {
  1090. "name": "__vbaBoolStr",
  1091. "address": "0x40106c"
  1092. },
  1093. {
  1094. "name": null,
  1095. "address": "0x401070"
  1096. },
  1097. {
  1098. "name": "__vbaObjSet",
  1099. "address": "0x401074"
  1100. },
  1101. {
  1102. "name": null,
  1103. "address": "0x401078"
  1104. },
  1105. {
  1106. "name": "_adj_fdiv_m16i",
  1107. "address": "0x40107c"
  1108. },
  1109. {
  1110. "name": "__vbaObjSetAddref",
  1111. "address": "0x401080"
  1112. },
  1113. {
  1114. "name": "_adj_fdivr_m16i",
  1115. "address": "0x401084"
  1116. },
  1117. {
  1118. "name": null,
  1119. "address": "0x401088"
  1120. },
  1121. {
  1122. "name": null,
  1123. "address": "0x40108c"
  1124. },
  1125. {
  1126. "name": "__vbaFPFix",
  1127. "address": "0x401090"
  1128. },
  1129. {
  1130. "name": "__vbaFpR8",
  1131. "address": "0x401094"
  1132. },
  1133. {
  1134. "name": "_CIsin",
  1135. "address": "0x401098"
  1136. },
  1137. {
  1138. "name": "__vbaErase",
  1139. "address": "0x40109c"
  1140. },
  1141. {
  1142. "name": "__vbaChkstk",
  1143. "address": "0x4010a0"
  1144. },
  1145. {
  1146. "name": null,
  1147. "address": "0x4010a4"
  1148. },
  1149. {
  1150. "name": "EVENT_SINK_AddRef",
  1151. "address": "0x4010a8"
  1152. },
  1153. {
  1154. "name": "__vbaGenerateBoundsError",
  1155. "address": "0x4010ac"
  1156. },
  1157. {
  1158. "name": "__vbaStrCmp",
  1159. "address": "0x4010b0"
  1160. },
  1161. {
  1162. "name": "__vbaAryConstruct2",
  1163. "address": "0x4010b4"
  1164. },
  1165. {
  1166. "name": "__vbaVarTstEq",
  1167. "address": "0x4010b8"
  1168. },
  1169. {
  1170. "name": null,
  1171. "address": "0x4010bc"
  1172. },
  1173. {
  1174. "name": "__vbaObjVar",
  1175. "address": "0x4010c0"
  1176. },
  1177. {
  1178. "name": "DllFunctionCall",
  1179. "address": "0x4010c4"
  1180. },
  1181. {
  1182. "name": null,
  1183. "address": "0x4010c8"
  1184. },
  1185. {
  1186. "name": null,
  1187. "address": "0x4010cc"
  1188. },
  1189. {
  1190. "name": "_adj_fpatan",
  1191. "address": "0x4010d0"
  1192. },
  1193. {
  1194. "name": null,
  1195. "address": "0x4010d4"
  1196. },
  1197. {
  1198. "name": "__vbaLateIdCallLd",
  1199. "address": "0x4010d8"
  1200. },
  1201. {
  1202. "name": "__vbaRedim",
  1203. "address": "0x4010dc"
  1204. },
  1205. {
  1206. "name": "EVENT_SINK_Release",
  1207. "address": "0x4010e0"
  1208. },
  1209. {
  1210. "name": null,
  1211. "address": "0x4010e4"
  1212. },
  1213. {
  1214. "name": "_CIsqrt",
  1215. "address": "0x4010e8"
  1216. },
  1217. {
  1218. "name": "EVENT_SINK_QueryInterface",
  1219. "address": "0x4010ec"
  1220. },
  1221. {
  1222. "name": null,
  1223. "address": "0x4010f0"
  1224. },
  1225. {
  1226. "name": "__vbaExceptHandler",
  1227. "address": "0x4010f4"
  1228. },
  1229. {
  1230. "name": null,
  1231. "address": "0x4010f8"
  1232. },
  1233. {
  1234. "name": "__vbaStrToUnicode",
  1235. "address": "0x4010fc"
  1236. },
  1237. {
  1238. "name": null,
  1239. "address": "0x401100"
  1240. },
  1241. {
  1242. "name": "_adj_fprem",
  1243. "address": "0x401104"
  1244. },
  1245. {
  1246. "name": "_adj_fdivr_m64",
  1247. "address": "0x401108"
  1248. },
  1249. {
  1250. "name": null,
  1251. "address": "0x40110c"
  1252. },
  1253. {
  1254. "name": null,
  1255. "address": "0x401110"
  1256. },
  1257. {
  1258. "name": null,
  1259. "address": "0x401114"
  1260. },
  1261. {
  1262. "name": null,
  1263. "address": "0x401118"
  1264. },
  1265. {
  1266. "name": null,
  1267. "address": "0x40111c"
  1268. },
  1269. {
  1270. "name": null,
  1271. "address": "0x401120"
  1272. },
  1273. {
  1274. "name": "__vbaFPException",
  1275. "address": "0x401124"
  1276. },
  1277. {
  1278. "name": null,
  1279. "address": "0x401128"
  1280. },
  1281. {
  1282. "name": "__vbaStrVarVal",
  1283. "address": "0x40112c"
  1284. },
  1285. {
  1286. "name": null,
  1287. "address": "0x401130"
  1288. },
  1289. {
  1290. "name": null,
  1291. "address": "0x401134"
  1292. },
  1293. {
  1294. "name": "_CIlog",
  1295. "address": "0x401138"
  1296. },
  1297. {
  1298. "name": "__vbaErrorOverflow",
  1299. "address": "0x40113c"
  1300. },
  1301. {
  1302. "name": null,
  1303. "address": "0x401140"
  1304. },
  1305. {
  1306. "name": "__vbaNew2",
  1307. "address": "0x401144"
  1308. },
  1309. {
  1310. "name": "__vbaR8Str",
  1311. "address": "0x401148"
  1312. },
  1313. {
  1314. "name": null,
  1315. "address": "0x40114c"
  1316. },
  1317. {
  1318. "name": null,
  1319. "address": "0x401150"
  1320. },
  1321. {
  1322. "name": "_adj_fdiv_m32i",
  1323. "address": "0x401154"
  1324. },
  1325. {
  1326. "name": "_adj_fdivr_m32i",
  1327. "address": "0x401158"
  1328. },
  1329. {
  1330. "name": "__vbaStrCopy",
  1331. "address": "0x40115c"
  1332. },
  1333. {
  1334. "name": "__vbaI4Str",
  1335. "address": "0x401160"
  1336. },
  1337. {
  1338. "name": null,
  1339. "address": "0x401164"
  1340. },
  1341. {
  1342. "name": "__vbaFreeStrList",
  1343. "address": "0x401168"
  1344. },
  1345. {
  1346. "name": null,
  1347. "address": "0x40116c"
  1348. },
  1349. {
  1350. "name": null,
  1351. "address": "0x401170"
  1352. },
  1353. {
  1354. "name": "__vbaDerefAry1",
  1355. "address": "0x401174"
  1356. },
  1357. {
  1358. "name": null,
  1359. "address": "0x401178"
  1360. },
  1361. {
  1362. "name": "_adj_fdivr_m32",
  1363. "address": "0x40117c"
  1364. },
  1365. {
  1366. "name": "_adj_fdiv_r",
  1367. "address": "0x401180"
  1368. },
  1369. {
  1370. "name": null,
  1371. "address": "0x401184"
  1372. },
  1373. {
  1374. "name": null,
  1375. "address": "0x401188"
  1376. },
  1377. {
  1378. "name": "__vbaVarTstNe",
  1379. "address": "0x40118c"
  1380. },
  1381. {
  1382. "name": "__vbaI4Var",
  1383. "address": "0x401190"
  1384. },
  1385. {
  1386. "name": null,
  1387. "address": "0x401194"
  1388. },
  1389. {
  1390. "name": "__vbaVarAdd",
  1391. "address": "0x401198"
  1392. },
  1393. {
  1394. "name": "__vbaStrToAnsi",
  1395. "address": "0x40119c"
  1396. },
  1397. {
  1398. "name": "__vbaVarDup",
  1399. "address": "0x4011a0"
  1400. },
  1401. {
  1402. "name": null,
  1403. "address": "0x4011a4"
  1404. },
  1405. {
  1406. "name": null,
  1407. "address": "0x4011a8"
  1408. },
  1409. {
  1410. "name": "__vbaVarCopy",
  1411. "address": "0x4011ac"
  1412. },
  1413. {
  1414. "name": "_CIatan",
  1415. "address": "0x4011b0"
  1416. },
  1417. {
  1418. "name": null,
  1419. "address": "0x4011b4"
  1420. },
  1421. {
  1422. "name": "__vbaStrMove",
  1423. "address": "0x4011b8"
  1424. },
  1425. {
  1426. "name": "__vbaAryCopy",
  1427. "address": "0x4011bc"
  1428. },
  1429. {
  1430. "name": null,
  1431. "address": "0x4011c0"
  1432. },
  1433. {
  1434. "name": "_allmul",
  1435. "address": "0x4011c4"
  1436. },
  1437. {
  1438. "name": null,
  1439. "address": "0x4011c8"
  1440. },
  1441. {
  1442. "name": "_CItan",
  1443. "address": "0x4011cc"
  1444. },
  1445. {
  1446. "name": "_CIexp",
  1447. "address": "0x4011d0"
  1448. },
  1449. {
  1450. "name": "__vbaFreeObj",
  1451. "address": "0x4011d4"
  1452. },
  1453. {
  1454. "name": "__vbaFreeStr",
  1455. "address": "0x4011d8"
  1456. },
  1457. {
  1458. "name": null,
  1459. "address": "0x4011dc"
  1460. },
  1461. {
  1462. "name": null,
  1463. "address": "0x4011e0"
  1464. }
  1465. ],
  1466. "dll": "MSVBVM60.DLL"
  1467. }
  1468. ],
  1469. "digital_signers": null,
  1470. "exported_dll_name": null,
  1471. "actual_checksum": "0x0009d56b",
  1472. "overlay": null,
  1473. "imagebase": "0x00400000",
  1474. "reported_checksum": "0x000a0178",
  1475. "icon_hash": null,
  1476. "entrypoint": "0x00401558",
  1477. "timestamp": "2008-08-01 05:08:00",
  1478. "osversion": "4.0",
  1479. "sections": [
  1480. {
  1481. "name": ".text",
  1482. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1483. "virtual_address": "0x00001000",
  1484. "size_of_data": "0x00099000",
  1485. "entropy": "7.85",
  1486. "raw_address": "0x00001000",
  1487. "virtual_size": "0x00098f54",
  1488. "characteristics_raw": "0x60000020"
  1489. },
  1490. {
  1491. "name": ".data",
  1492. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1493. "virtual_address": "0x0009a000",
  1494. "size_of_data": "0x00001000",
  1495. "entropy": "0.00",
  1496. "raw_address": "0x0009a000",
  1497. "virtual_size": "0x00005530",
  1498. "characteristics_raw": "0xc0000040"
  1499. },
  1500. {
  1501. "name": ".rsrc",
  1502. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1503. "virtual_address": "0x000a0000",
  1504. "size_of_data": "0x00001000",
  1505. "entropy": "3.46",
  1506. "raw_address": "0x0009b000",
  1507. "virtual_size": "0x00000e58",
  1508. "characteristics_raw": "0x40000040"
  1509. }
  1510. ],
  1511. "resources": [],
  1512. "dirents": [
  1513. {
  1514. "virtual_address": "0x00000000",
  1515. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1516. "size": "0x00000000"
  1517. },
  1518. {
  1519. "virtual_address": "0x00099894",
  1520. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1521. "size": "0x00000028"
  1522. },
  1523. {
  1524. "virtual_address": "0x000a0000",
  1525. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1526. "size": "0x00000e58"
  1527. },
  1528. {
  1529. "virtual_address": "0x00000000",
  1530. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1531. "size": "0x00000000"
  1532. },
  1533. {
  1534. "virtual_address": "0x00000000",
  1535. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1536. "size": "0x00000000"
  1537. },
  1538. {
  1539. "virtual_address": "0x00000000",
  1540. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1541. "size": "0x00000000"
  1542. },
  1543. {
  1544. "virtual_address": "0x00000000",
  1545. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1546. "size": "0x00000000"
  1547. },
  1548. {
  1549. "virtual_address": "0x00000000",
  1550. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1551. "size": "0x00000000"
  1552. },
  1553. {
  1554. "virtual_address": "0x00000000",
  1555. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1556. "size": "0x00000000"
  1557. },
  1558. {
  1559. "virtual_address": "0x00000000",
  1560. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1561. "size": "0x00000000"
  1562. },
  1563. {
  1564. "virtual_address": "0x00000000",
  1565. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1566. "size": "0x00000000"
  1567. },
  1568. {
  1569. "virtual_address": "0x00000238",
  1570. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1571. "size": "0x00000020"
  1572. },
  1573. {
  1574. "virtual_address": "0x00001000",
  1575. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1576. "size": "0x000001e8"
  1577. },
  1578. {
  1579. "virtual_address": "0x00000000",
  1580. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1581. "size": "0x00000000"
  1582. },
  1583. {
  1584. "virtual_address": "0x00000000",
  1585. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1586. "size": "0x00000000"
  1587. },
  1588. {
  1589. "virtual_address": "0x00000000",
  1590. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1591. "size": "0x00000000"
  1592. }
  1593. ],
  1594. "exports": [],
  1595. "guest_signers": {},
  1596. "imphash": "9148078ae78bba505b83bb73096b0dc6",
  1597. "icon_fuzzy": null,
  1598. "icon": null,
  1599. "pdbpath": null,
  1600. "imported_dll_count": 1,
  1601. "versioninfo": []
  1602. }
  1603. }