Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-13 12:52:33 | 2025-06-13 13:23:17 | 1844 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,131 [root] INFO: Date set to: 20250613T09:55:22, timeout set to: 1800 2025-06-13 10:55:22,627 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8 2025-06-13 10:55:22,627 [root] DEBUG: Storing results at: C:\uyHCokWh 2025-06-13 10:55:22,627 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC 2025-06-13 10:55:22,627 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-13 10:55:22,627 [root] INFO: analysis running as an admin 2025-06-13 10:55:22,627 [root] INFO: analysis package specified: "exe" 2025-06-13 10:55:22,627 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-13 10:55:23,080 [root] DEBUG: imported analysis package "exe" 2025-06-13 10:55:23,080 [root] DEBUG: initializing analysis package "exe"... 2025-06-13 10:55:23,080 [lib.common.common] INFO: wrapping 2025-06-13 10:55:23,080 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-13 10:55:23,080 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\eudcedit.exe 2025-06-13 10:55:23,080 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-13 10:55:23,080 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-13 10:55:23,080 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-13 10:55:23,096 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-13 10:55:23,314 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-13 10:55:23,408 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-13 10:55:23,424 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-13 10:55:23,439 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-13 10:55:23,455 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-13 10:55:23,455 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-13 10:55:23,455 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-13 10:55:23,455 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-13 10:55:23,455 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-13 10:55:23,455 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-13 10:55:23,455 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-13 10:55:23,455 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-13 10:55:23,455 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-13 10:55:23,455 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-13 10:55:23,455 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-13 10:55:23,455 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-13 10:55:23,471 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-13 10:55:23,471 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-13 10:55:23,611 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-13 10:55:23,611 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-13 10:55:23,611 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-13 10:55:23,611 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-13 10:55:23,611 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-13 10:55:23,611 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-13 10:55:23,611 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-13 10:55:23,611 [modules.auxiliary.disguise] INFO: Disguising GUID to 9b7cdcea-e4d9-4c24-8a0c-bc615bd315ed 2025-06-13 10:55:23,611 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-13 10:55:23,611 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-13 10:55:23,611 [root] DEBUG: attempting to configure 'Human' from data 2025-06-13 10:55:23,611 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-13 10:55:23,611 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-13 10:55:23,611 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-13 10:55:23,611 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-13 10:55:23,627 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-13 10:55:23,627 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-13 10:55:23,627 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-13 10:55:23,627 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-13 10:55:23,627 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-13 10:55:23,627 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-13 10:55:23,627 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-13 10:55:23,627 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-13 10:55:23,627 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-13 10:55:23,627 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-13 10:55:23,658 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini 2025-06-13 10:55:23,658 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-13 10:55:23,658 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-13 10:55:23,658 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-13 10:55:23,658 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-13 10:55:23,658 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-13 10:55:23,658 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-13 10:55:23,658 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pQxbIz.dll, loader C:\tmp_gell1p8\bin\EPCPTrhb.exe 2025-06-13 10:55:23,705 [root] DEBUG: Loader: IAT patching disabled. 2025-06-13 10:55:23,721 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pQxbIz.dll. 2025-06-13 10:55:23,736 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-13 10:55:23,736 [root] INFO: Disabling sleep skipping. 2025-06-13 10:55:23,736 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-13 10:55:23,736 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-13 10:55:23,736 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-13 10:55:23,736 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-13 10:55:23,736 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-13 10:55:23,752 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-13 10:55:23,752 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-13 10:55:23,768 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-13 10:55:23,768 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 4024, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-13 10:55:23,768 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-13 10:55:23,768 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-13 10:55:23,768 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-13 10:55:23,783 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pQxbIz.dll. 2025-06-13 10:55:23,783 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-13 10:55:23,783 [root] DEB <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-13 12:52:33 | 2025-06-13 13:22:58 | none |
File Details
| File Name |
eudcedit.exe
|
|---|---|
| File Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| File Size | 303616 bytes |
| MD5 | d306b9780453df3fc0b8ff2538efc064 |
| SHA1 | 736dcc0a6bfa7df04131a909ad5b95705bbfeec5 |
| SHA256 | 4541091e0f28f0fe29a1c3ed9086922f0fca4910ac3bd4178064b3cb8097ad20 [VT] [MWDB] [Bazaar] |
| SHA3-384 | cf0121ebe0b67518f4a975f690755427d73c368d92a0c5c1a89c273e2a7209c733d641ea18ae59b2fe04bc3f5ec18f16 |
| CRC32 | 49860F9A |
| TLSH | T15A547B53BA408CBAC86E117558DE67B9502EAC319F0416F76360AB2E78713E37C3529F |
| Ssdeep | 6144:HCYgQlque35j+HeQ9kwFQ5TXHGLNIfqKoTJMGsWz3x1PZSqtYVmI:HqKxe3J+HvfKoTJMGj13tYEI |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
=*=A=
2W3d3y3
SelectObject
181D1d1p1
464D4U4u4
GetTextExtentExPointW
ImmEnumRegisterWordW
MSCTF.dll
5!5B5Y5k5q5
ReleaseMutex
GetStartupInfoW
50~W5&0a
6)666V6n6|6
=&=;=L=a=y=
8$8-8S8X8v8
UnionRect
CreateSemaphoreExW
6$696@6T6Z6j6q6
QQSVW
u%RRV
SetRectEmpty
8?8w8
?-?N?n?
Windows EUDC Editor Bitmap File (Uni-Code)
CreateWindowExW
>.>I>Z>}>
1=2E2
EndDialog
IVRHQP
SetCursor
RegSetValueExW
0#131?1M1X1a1v1
EudcEdit
t"h\U@
5!6*6K6`6r6
<<=Q=[=e=q=z=
:):::C:O:c:
</security>
$:v,Ro
1#1.1H1P1]1f1
2,2D2\2t2
PhpU@
727w7
CEditWnd
>av4x
9*9I9j9
`.data
> >$>(>,>0>4>8><>@>D>H>L>P>h>
.?AVCRefrWnd@@
2D=D<<$$J
4p@cOHt
Microsoft Corporation
CGuideBar
memcmp
2(282<2@2D2H2L2P2X2\2`2d2l2p2t2x2|2
type="win32"
?&?0???
_XcptFilter
2D<<=<<$$J,)HG
MinMaxFlag
_lock
2/2R2[2e2n2x2
UnmapViewOfFile
:,:D:\:t:
ClientToScreen
4j5)6;6G6
: ;Z;
Software\Microsoft\EUDCEdit
7(7-767=7C7I7O7U7[7a7w7
DrawIcon
sx@pc
>">~>
1U2o2
_initterm
.?AVCMenu@@
.idata$5
;";A;M;W;d;w;
CreateSolidBrush
F jnP
5,5E5_5
processorArchitecture="x86"
wwwwwwwwwxwww
8!8'8h8w8
)N*2h{
wcschr
Microsoft
wwwwww
8*8>8
VmrLo
wwwwwwwwwwwy
949<9D9P9p9|9
;[;s;
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwy
1'1A1G1U1`1i1q1x1
FillRect
9/kPl
2C3a3w3
6&6W6_6
.data$r$brc
CharacterCode
707=7T7`7j7y7
_exit
<$=O=c=p=
<4G`)
AhpQ@
959[9
8,8@8J8g8p8
RegisterClipboardFormatW
@h<X@
.?AVCEditWnd@@
ImmGetConversionStatus
MoveFileExW
wxwwwwwwwx
7(7B7M7W7b7
Microsoft Sans Serif
QQSVWj
^Rz)C
:':4:D:N:[:e:o:
%hs!%p:
:":&:,:0:6:::A:Q:W:\:q:w:|:
:(;4;F;
>+>6>@>T>a>y>
GetBitmapBits
jSALd(y0Q{sb
.?AVCGuideBar@@
:/:9:T:h:o:y:~:
;=;M;b;r;
HSVSh
6$6-6<6C6J6
CoCreateInstance
E000-F8FF
MS PGothic
8CMEXu
4!4l4
040:0
3,393G3S3l3w3
Unicode
t-h\U@
VCLWP
2&2l2{2
.?AVCRefInfoFrame@@
;%;1;=;E;N;X;f;s;
=,=p=
.CRT$XIA
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" >
959>9G9b9l9x9~9
FF$/%
DispatchMessageW
777F7U7_7x7
.?AVCMDIFrameWnd@@
:":6:<:R:i:
1014181<1@1T1d1h1l1p1t1x1|1
>)>;>H>a>m>t>
.?AVCFrameWnd@@
LoadMenuW
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
9$9<9T9l9
FileDescription
8!:9:H:Q:Z:c:
7,7:7F7L7t7
u3iyLc
0c0z0
A8 _6
*.TBL
c&tsB
7$$8888888888":
1!1'1+11171;1Q1W1a1g1q1w1
N$@Gr
</asmv3:application>
BeginPaint
L$$_^[3
ntdll.dll
pp1+Lg%
8glyftL
<+<0<I<
T^Ot@>
10.0.17763.1
0)1J1Z1k1
VWj7Y
;A;R;t;};
<O>z>
PhTX@
= ='=E=e=w=
REFERWINDOW
SetWindowLongW
processorArchitecture="x86"
.?AVCRgn@@
4$404P4\4|4
:#;Z;f;
.rdata$r$brc
version="6.0.0.0"
=(=1=G=P=
7$7*707K7Y7
;*;2;C;I;r;
q``y!9Y
.?AVCFont@@
3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
message
WINEUDC2Standard
originatingContextName
<$<<<T<l<
.?AVTraceLoggingProvider@wil@@
uM$&B
l0Id#
??0exception@@QAE@ABV0@@Z
odTg)
.rdata$zETW9
<)<A<N<U<d<
GetSysColor
CharacterSaved
.?AVCImportDlg@@
6-6D6P6\6h6q6
?$?g?~?
<1<@<O<e<w<
t%VVh
N"_^f
CmhmhmhmhmhmhhInb
.?AVCEudcApp@@
.PAVCException@@
TerminateProcess
)fYt}uJ
wwwxw
DrawEdge
StretchBlt
.?AVCGdiObject@@
w#?!#?
4%414=4j4z4
.?AVCListBox@@
5 5$5(5,5054585T5l5
CompareStringW
ymc__cmyy
4%4.4:4B4R4g4
;(;?;H;Q;\;e;n;
#SVSh
SVWj7Y
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
?*?0?C?T?e?
name="Microsoft.Windows.EUDCEdit"
>7?=?c?
.text$x
rJ+DM
I<p../
_wtoi
W3'Bu
=1=8=B=U=a=
SetDlgItemTextW
838]8m8s8}8
ZFRW\
.xdata$x
?1?T?p?
GetModuleHandleW
FailedToCreateTextServiceLink
7A8h8p8
.giats
kernelbase.dll
W_yU-
2S2d2j2v2
PQSVW
ImmRegisterWordW
7 7$7(7,7074787@7D7H7L7P7X7\7`7d7h7p7
8$808P8\8|8
OriginalFilename
1B1V1]1c1i1n1
<"<7<I<R<a<~<
E?:_I
3B3Z3
>D?O?f?z?
>]]}c
686>6S6X6o6
151\1r1~1
;#;0;>;I;X;f;l;
.?AVCRefrDlg@@
.?AVCBitmap@@
7K7l7s7
CreateCompatibleBitmap
5E5N5V5d5x5
'`->7s
<!<:<C<M<a<r<
wwwwp
kpP1^
Y__^[
EnableWindow
SystemDefaultEUDCFont
wwwwwwwwwxwwwww
&A@qmI
n}Fdi
GG$$JJJ)
7!7`7k7
0.0U0
CloseHandle
656?6H6[6i6t6|6
GXf;GTvm3
@.reloc
;$;1;B;O;a;n;
;X<a<
.?AVCGageDlg@@
:W;l;w;
D$(SVW
AAA1-AFFE,A140-A7A0,F8A1-FEFE
8*9;9^9
GetSystemTimeAsFileTime
failureCount
</<5<B<K<l<r<
.?AVCControlBar@@
__p__fmode
RegEnumValueW
IsIconic
GB2312
FH_+~l
.?AVCDialog@@
:(:I:e:n:w:}:
Ph,W@
WindowSize
u=m}-y
128 128 128
hname
dhIG<+IR
SetUnhandledExceptionFilter
CreateCaret
6*80858:8?8D8J8O8_8d8t8|8
pS{U'
L9\7kT
.text
4.434=4B4u637
.rdata$brc
originatingContextId
+fA@\?
GetDlgItemTextW
A%K&=]
586B6Q6\6j6
;!;/;9;[;b;h;n;s;
; ;$;(;,;0;4;8;<;@;\;t;
878y8
LocalAlloc
3'3A3I3Z3
<D=M=W=c=u=
.idata$4
565@5T5h5
255 0 0
GetACP
>%>,>9>F>c>t>
4&464;4@4E4T4g4w4|4
4IDATx^
__dllonexit
1k2p2
wwwxwwwww
CMEX_PTN
<<<H<h<p<x<
lstrcmpA
MFC42u.dll
x27dg
9(9.949>9J9h9
303H3`3x3
60J0V0b0n0w0
COMCTL32.dll
Regular
LE:'QI9
7Z7c7p7u7
$$$$$$$$$$$$$"
x#Vj Z
ShowCaret
pnXL$
CreateBitmap
;";2;B;R;b;r;
> >$>(>8>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
5S6\6
\r)\u
SVSh8W@
9#:.:B:P:f:t:z:
eR]E}Cp
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:x:
>">'>m>}>
DeleteObject
EmptyClipboard
SetLastError
wwwwwwxw
.rsrc$01
CallContext:[%hs]
%d %d %d %d
DebugBreak
7&737?7X7]7r7x7
InvertRect
5(5/5<5E5V5{5
RegDeleteValueW
<DDD$$J,
.idata
D$4WS
OffsetRect
MessageBeep
616:6C6O6Y6g6|6
>&>6>h>r>
.?AVCCustomInfoFrame@@
GetCapture
CoInitialize
GetWindowRect
=P=a=p=~=
;7<@<r<
2:2K2V2_2x2
1:1G1]1x1
_CxxThrowException
GetSystemWindowsDirectoryW
EndPaint
IsWindow
1G2t2{2
.?AVCButton@@
ia$-H
=">'>7>=>C>I>z>
_U(|G
V4iC,X
SetClipboardData
<(<1<E<e<l<
Microsoft Corporation. All rights reserved.
.?AVexception@@
callContext
L10@P
;);5;A;d;z;
?$?0?P?\?|?
8-8J8g8
_controlfp
1#1@1e1
SHGetSpecialFolderPathW
.text$yd
IsWindowVisible
fLx:0
2#2@2F2V2d2w2
wwwwwwwwwxwwwy
>head
:+:<:F:W:\:a:j:p:~:
CRefrList
~];5F
b4h]l
80G0b0r0
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
^$cqg#U
VWjmj
SetCapture
.?AVCViewEdit@@
@.rsrc
<1<<<C<I<
wwwpwwwww
FHQWQ
;(;2;>;L;c;l;u;~;
<autoElevate>true</autoElevate>
9!9*939V9_9s9
:$:,:4:<:H:h:t:
Uiym_cyy
LegalCopyright
SVWj
&JJ0>
CMainFrame
function
4$424;4A4S4e4z4
GetLayout
GetTextExtentPointW
`~P2pl
>!?.?E?\?
GetSaveFileNameW
TF_CreateInputProcessorProfiles
version="1.0.0.0"
<dependentAssembly>
SSSSS
L$4_^[3
2#3(3F3
V/RL *
<D<W<o<
wwwwwwwwwwwwwwww
Microsoft.Windows.Desktop.Shell.EUDCEditor
74898M8U8Z8u8
8jj4d
PQhTQ@
0h1o1
? ?|?
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8t8|8
EUDCEDIT.EXE
Private Character Editor
161I1P1b1t1
.rdata$zzzdbg
_vsnprintf_s
wwwwwwwwwwwwwwwwww
LoadStringW
3Gm6"
.rdata
=(>7>>>K>^>j>y>
9):9:W:e:u:
5:5F5\5l5x5
;A;Q;a;q;y;
: :E:
`8$PC
7m8"929D9c9z9
EnumFontFamiliesW
ShellAboutW
wcsstr
7'8_8
293P3c3w3
Windows95 EUDC
.?AVCStatusBar@@
<assemblyIdentity
0/0[0k0
,)31[
0"000G0P0Y0b0k0u0
WaitForSingleObject
lstrlenW
qsort
B.Lc!{
GetClassInfoExW
D$$Pj
GetModuleFileNameA
=.>7>@>I>V>h>
%d %d %d
8%8-898B8G8M8W8a8q8
MessageBoxW
<7<H<
3"3,3=3M3]3q3w3}3
LocalLock
DeleteMenu
ImmSetConversionStatus
.?AVCRefListFrame@@
1!1L1s1|1
2'292A2m2
memcpy
SetForegroundWindow
.idata$3
.?AVCWnd@@
\$(+|$,
5>5L5S5
151K1n1
JN~bu#
>K?s?
526B6r6y6
3$3a3p3}3
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
ImmAssociateContext
9'9-9<9D9J9^9c9r9~9
RtlDllShutdownInProgress
9"9*929:9B9_9i9u9|9
5 5'5-5D5P5V5]5z5
4?4y4
%;r7c]
Yj hL
TranslateCharsetInfo
0$020;0Q0_0h0~0
>(>7>A>S>
EnableEUDC
ExpandEnvironmentStringsW
2(2D2\2t2
=T3*}G
.?AVCCmdTarget@@
__setusermatherr
??0exception@@QAE@XZ
3!h#5
GetRgnBox
HeapFree
_except_handler4_common
currentContextId
u"WWh
GetTickCount
;`;n;
5#575A5L5\5d5r5
5#545\5e5j5{5
<#<0<C<i<o<u<
fpnnpfpppppfpppppppppnnnnnpffpf~
4Y4a4s4
0!1.1W1\1
.CRT$XIY
ImmSetCompositionStringW
1"121B1R1b1r1
PostMessageW
EUF.tmp
3)3/3`3q3
wwxwwwy
/>
; ;F;j;r;
515\5m5
Xd(d8dDdP
<OHB 'O
GetSystemDefaultLCID
3'373C3U3m3z3
.?AVCMainFrame@@
MultiByteToWideChar
<description>Private Character Editor</description>
1!2b2
r#]c}
EventSetInformation
9 91979;9@9F9J9U9f9
EudD3f/
7$8T8]8>9[9
5$5<5T5p5
979>9w9
OutputDebugStringW
2~2z"
7.8?8K8W8c8o8{8
%SystemRoot%
<4<E<^<l<x<
>F>R>
ReturnHr
>;>Q>
SHELL32.dll
!.,Q]@
4#424C4R4`4n4
VQPWV
GetKeyboardLayout
:!:9:V:
.rdata$sxdata
ImmConfigureIMEW
2#212;2D2l2
.?AVCWinApp@@
:#:::C:
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<p<
wwwwwwwwwwwwww
: :0:4:D:H:L:d:h:l:
LocalUnlock
= =$=(=,=0=4=8=<=@=D=H=L=P=T=l=
;4;L;d;|;
_TBLt
PM89m
:&:,:8:>:G:\:
;,;4;<;D;L;T;\;d;p;
GetTextExtentPoint32A
?1?8?H?l?
.CRT$XCAA
>3?<?k?
727>7J7Z7f7s7}7
=>=D=J=Q=m=v=
0!010D0Y0s0
ADVAPI32.dll
.?AVCWinThread@@
.00cfg
+D$ @PV
;bpy9
DialogBoxParamW
0%0.040:0D0P0k0
3 383L3T3\3h3
GetWindowTextW
9#9)909:9D9K9Q9X9^9e9k9r9x9
1*1E1`1
FailFast
A0o0v0
7(7W7]7
|XFRV
0P0]0
wwwwwwwwwwwwwy
3(3:3Z3~3
CompanyName
><>D>L>X>x>
GetCurrentThreadId
6!6J6O6Z6e6q6}6
tQj.XP
:C:Q:q:
>">2>B>R>b>r>
F040-F9FC
9 :c:
=-=6=?=I=b=j=
<=<Q<W<
6<6H6h6t6
SetBitmapBits
xyYlhL
GetProcessHeap
7$7<7T7l7
(0[0v0
Sleep
u>ShHW@
PQRVV
:!;1;D;J;T;
;U<k<
GetTextExtentPoint32W
Ph`V@
GlobalFree
0?4G4O4X4{4
;L<y<
0!1/1o1}1
ChooseFontW
s(F/q$
GetKeyboardLayoutList
4,4D4V4
A8o@m
KJf@f
RegOpenKeyExW
ReleaseSemaphore
=,=D=\=t=
SetBkColor
CopyRect
9G u@
GetObjectW
4$4<4P4h4
x^SFK
404@4D4H4L4P4T4X4`4d4h4l4p4x4
2/2k2
8!8'828:8r8~8
ShowScrollBar
edIY
0!0-02080?0N0
.?AVCStatic@@
9CWINu
t$pVQ
9+9:9@9F9Y9e9k9q9|9
ImmIsIME
RegisterClassExW
6%6+696c6h6n6t6{6
_ftol2_sse
wcsrchr
L$D_^[3
7'787E7M7e7
: ;(;r;z;
EnableScrollBar
2"222B2R2b2r2
<*</<=<
wwwwwwwww
4]9&k
= =8=<=T=X=p=t=
ErrorCode
uUyPw
uiAccess="false"
(caller: %p)
> >2>:>E>K>Q>`>
:$:):.:3:8:=:I:Q:W:]:c:i:o:}:
8-8?8E8Q8b8u8
_callnewh
__set_app_type
Assssssssssssss8
epKo5
8C9x9
=>=i=s=
Curve
Y+e$P
>">+>F>P>\>b>m>w>
0:0S0n0}0
$FN^=
0"020B0R0b0r0
5-555W5`5z5
LoadIconW
XPQSh
ImmGetCompositionStringW
wwwwwwwwwxw
9$91979I9U9g9s9
040904B0
MTUUUUUUUUUUTTTUUUUMLUL
u$WSQ
.rdata$zETW2
.?AVEUDCEditorTelemetry@@
wcstol
CreateFileMappingW
8)8I8a8y8
lstrcmpiW
ReleaseDC
5R6{6
?-?I?R?[?a?g?q?}?
wwwww
xwvvwx
PeekMessageW
3 3$3<3L3\3l3|3
3!4C4r4y4
ZwVS~O
="=2=B=R=b=r=
:!:*:H:U:m:s:}:g;
TranslateMessage
.?AVCRegistListBox@@
3A4W4n4w4
0!0d0
;3;O;\;m;
I SVh2
GetClientRect
6LaqBX
.~Rz/&
InitOnceComplete
PatBlt
;!;m;v;{;
3/3C3
>+?1?D?I?R?
=)=4=A=I=b=j=
u8f9{Lt2
u8f9^Xt2
ReadFile
nbs!"
4$4,444<4P4X4\4
mshelp://windows/?id=d602e711-2373-4823-81ea-834edd1a82f6
WideCharToMultiByte
RegQueryValueExW
VarFileInfo
"HbB;
=}xDd
<$<(<,<4<8<@<H<L<T<\<`<h<l<p<t<x<|<
AZx4b
1W1g1m1
3BDD<$$J
gvwvg
PPWSQ
7n*L[
3.3>3R3q3w3
9\7du]
888@8W8z8
_vsnwprintf
5 5$5,5054585@5X5\5t5x5
*@k%S
d(e[P1
CreateFileW
GlobalAlloc
.?AVCComboBox@@
4+4p4
Local\SM0:%d:%d:%hs
9)9F9R9
ActivateKeyboardLayout
7!7*7]7h7}7
8$9>9D9[9l9q9
SetRect
? ?$?(?,?0?4?8?<?@?D?H?L?d?|?
FormatMessageW
module
<security>
<!-- Copyright (c) Microsoft Corporation -->
CRefrWnd
<requestedExecutionLevel
;-;3;8;O;_;h;s;
10.0.17763.1 (WinBuild.160101.0800)
Simsun
2 2,282T2~2
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
262;2M2g2~2
=A=Y=o=
L$$WQ
GetWindowLongW
9.:6:G:`:m:z:
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
$$$$$$$$$$$$$$$$$GGDD27D<<<<<<<$$GGD'
AS~{1$
.?AVCBrush@@
.?AVCCustomListFrame@@
GetFileSize
GetCursorPos
9,9S9r9
5D6\6
*.TTE
GetWindow
:k"Kx.,
B|Ex5,^
.?AUIFailureCallback@details@wil@@
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|9
GetDialogBaseUnits
j Phk
DrawMenuBar
publicKeyToken="6595b64144ccf1df"
:&:2:S:q:z:
^KinV
8(8,8084888<8@8D8L8d8t8
ImmEscapeW
WriteFile
2G$$JGGGGGJGG";+
9$939C9O9]9h9q9
GetClipboardData
scrollbar
839<9S9\9e9m9v9
4&4,4
=5=R=k=x=
n7</
X+Flk
?*?j?
7/7:7M7j7s7|7
PQQSVW
.?AVEUDCEditorTelemetryProvider@@
2-2<2J2
wPxM{
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
0?0J0e0t0
4R4Y4
ExtTextOutW
IntersectRect
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
SetWindowTextW
2(3B3N3
?(?,?0?H?L?P?T?h?x?|?
DeleteDC
.?AVCColumnHeading@@
[%oSOW_
?%?/?>?H?[?a?q?
3B3O3\3e3l3
2E2S2m2
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
__wgetmainargs
<P=f=n=x=~=
3F3S3k3
uNPPV
LoadCursorW
SVWj@3
545:5\5d5
internal\sdk\inc\wil\resource.h
[%hs(%hs)]
PQRV3
QueryPerformanceCounter
BitBlt
2,282X2`2l2
threadId
ExtTextOutA
>/?B?i?
2F5vdW
_PTNu
msvcrt.dll
StringFileInfo
RQPVj
0%0G0M0U0b0h0p0
040@0`0h0t0
wwwwwwwwwwwwwwwwwwwwwwww
ole32.dll
617:7V7w7
:$:5:S:`:s:
747L7h7l7p7|7
?*?V?o?
GetOpenFileNameW
737F7T7i7z7
6=7q7
.text$mn
.?AVCBLinkDlg@@
failureId
GlobalUnlock
:%:9:O:a:u:
4a^\'p
ShhQ@
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
=$=3=<=E=Z=o=~=
3$3*3k3}3
CEudcList
h_<A|
EventWriteTransfer
InitCommonControlsEx
A,PRRj
Gulim
] Cs
TextServiceLinkCreated
6#6:6A6X6{6
trQQj
<&<8<B<O<]<g<t<
010U0m0
4:5}5
</asmv3:windowsSettings>
353U3c3
<8<v<
BitmapSize
UpdateWindow
L:9\
9I:N:t:
nDw6
t$<WP
wwwwwww
IsDebuggerPresent
wwwwy
0,151
.rdata$zETW1
3(4G4Y4
Z(C&p
ReleaseCapture
_wcmdln
Qjfh@
0 0$0(0,0004080<0@0D0H0L0P0l0
<$=3=F=T=`=l=
3$3,383X3`3l3
<2<=<C<]<c<
5$5,545<5D5L5T5t5
:':7:Y:i:s:
<0<><K<\<i<v<
:":]:m:
RaiseFailFastException
System
4"424B4R4h4t4z4
.CRT$XCA
|8oiH
Bf99u
2-292E2P2[2h2x2
lstrcmpW
eudcedit.pdb
KERNEL32.dll
7Z7f7
151O1`1
Sh,W@
= =)=?=r=
9Q9b9r9
7'737>7J7\7t7
:1:7:<:T:\:p:v:{:
ImeLinkDlg
??1type_info@@UAE@XZ
UnhandledExceptionFilter
5*565T5d5w5
DefWindowProcW
EventUnregister
6,6D6\6t6
currentContextName
001J1[1c1h1z1
5!_)Z
MapViewOfFile
3D<D<<<<$$JG%4!
SwSt[
6o6~6
y\Kv2
FA40-FEFE,8E40-A0FE,8140-8DFE,C6A1-C8FE,F9D6-F9FE
VS_VERSION_INFO
>2?E?z?
818D8j8p8v8
8#80868<8B8P8V8\8r8x8~8
6+6Z677D7M7l7
</dependency>
<#<2<T<b<o<w<
ImmCreateContext
IsUnicodeMode
5=5i5v5|5
.CRT$XCZ
4$4+4E4W4f4t4
PhHW@
434O4
currentContextMessage
Exception
-!8'i
2NVRw
0 0@0F0d0
SendMessageW
<>=\=
S{fGl
)ZD!V>"
.data
? ?)?T?j?
:z84&
IMM32.dll
OpenClipboard
656_6j6s6
COMDLG32.dll
MainWindowSize
memset
FillRgn
Color
[%hs]
GetActiveWindow
9#vJF
.?AVCAssocDlg@@
SetFocus
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
level="requireAdministrator"
1.1F1Y1d1
GetProcAddress
525;5P5Y5
wwwwwwwxwxw
</trustInfo>
IsWindowEnabled
ProductName
CreateCompatibleDC
8Y9i9
.idata$6
;";,;6;J;P;e;o;
242j2z2
3=3L3]3
GetParent
.?AVCRotateDlg@@
>2>\>e>
!n&P!W
1)1;1O1
type="win32"
5)535<5C5J5O5
wwwwwwwwwwwwwx
`*c+m
MoveFileW
FileVersion
272_2l2
6M6W6]6g6
wwwwpwwwwxw
;!;+;;;G;S;_;
CWINu
VVPQWRV
9!9Y9|9
x #MJ
wwwwwwwwwwwwwwwwwww
*Z,*}W
u)h$R@
ppppppppppppppppppppnebQPLGE>>EEGLOQbbenpp
343L3d3|3
Ellipse
wilResult
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
b Z9H
0"0,080D0M0
?5?X?e?
8*8d8~8
:,:=:T:X:\:`:d:h:l:p:
252;2N2i2o2
<-<B<R<
memcpy_s
</dependentAssembly>
SetFilePointer
<requestedPrivileges>
1 2(2Z2l2u2
;(;8;^;o;y;
nD<iqW
<dpiAware>true</dpiAware>
vx-)Q
5B6e6
="=2=7=}=
j.[f;
/>
8)8O8U8Z8
?"?2?B?R?b?r?
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
EnumClipboardFormats
wcstok
7#767F7R7g7t7~7
CreateMutexExW
SetActiveWindow
5'585\5d5
EventRegister
8*80878H8S8g8q8
9 9$9(9,90949<9T9d9t9x9
1$151S1`1s1
GlobalLock
8V9]9y9
DeleteFileW
~h_^]
wwxwwwww
9%919<9A9F9L9V9`9p9y9
5,6:6`6n6
GDI32.dll
7^8d8x8
2-2<2F2f2n2w2
InvalidateRect
%_&Y'
GetStockObject
HeapAlloc
.?AVCPen@@
8 8$8(8,808L8d8|8
TF_CreateThreadMgr
%4X (%s - %4X)
PtInRect
#;B7y
3(4r4
3+3A3w3
2M2[2d2v2
.data$brc
Ca/n/
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8
$3&),
InternalName
GetFontData
4#4P4g4x4
N!>y{J
CreatePen
malloc
wnwL=
~W5(|
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
.?AVCEudcList@@
DInt
0&0P0p0
.rsrc$02
9%91979R9X9|9
_unlock
9~(s2Wj
IsZoomed
GetDC
3"323B3R3b3r3
SetTextColor
;(;,;0;D;H;`;d;x;|;
Radical
\FONTS\
RegisterApplicationRestart
\Microsoft\Windows\EUDC\
en-US
< <%<+<:<p<
OLEAUT32.dll
.?AVCEdit@@
k}&`\8
:*:Y:i:q:
<'<O<U<j<
.text$di
:B:K:
originatingContextMessage
</requestedPrivileges>
GetTempPathW
X+Fpk
.?AVCRefrList@@
=3=A=Q=W=a=m=
040L0a0v0
84999M9U9Z9u9
GetCurrentProcessId
=#=,=5=\=y=
RegCreateKeyExW
DestroyCaret
.rdata$zETW0
<assemblyIdentity
0(00080@0H0`0x0
.?AVCObject@@
9%9-999>9J9R9f9p9}9
language="*"
6,6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
H$'hC
WaitForSingleObjectEx
wwpwwww
J0W0u0
2&2+20262<2C2M2p2
>N>`>f>l>
PMingLiU
828U8
9CMEXu
GetSystemMetrics
D$,VW
/hL^@
wwwwwwwwwwwwwwwwwwwww
:/:@:M:]:l:y:
EUDCEdit
UUUUUUUUUUTL?<84168:<=KLLTTUk
1(1.1G1]1c1k1~1
;(;C;];f;o;y;
6(6,6064686<6@6D6L6P6T6X6\6d6|6
7=7Q7a7q7
L$<_^3
CreatePolygonRgn
0 080<0@0T0d0h0l0p0t0x0|0
GetDlgItem
CloseClipboard
_CCCCCCCCCCCCCCC;k8(A_
DDD$$JJ
.CRT$XIZ
<"<2<B<R<b<r<
1#2)2U2
!This program cannot be run in DOS mode.
<%<4<A<N<r<
wwwwwwwwwwwwwwy
Msg:[%ws]
J^u+N
wwwwwwxwwwww
5#555F5o5x5
OffsetRgn
mRLNRcyy
1?1E1
^%NeP
wwwwwwww
mSVSh
>,>1>6>C>m>y>
hhheaW
1(2[2
D$$9D$
USER32.dll
.?AVCEditGage@@
-0)P4A
w}O2c
7,7K7m7
=[=t=
5-5O5Z5l5t5y5~5
eudc.tte
=+>C>S>_>m>x>
: :':
2%3P3[3
.?AVCBitmapButton@@
OpenSemaphoreW
.?AV?$CArray@VCPoint@@V1@@@
6o6v6
Fh,^@
CreateFontIndirectW
FallbackError
HeapSetInformation
.CRT$XCU
6a%q/
ev6"
?)?v?
<.?I2
SetScrollInfo
=1>D>`>
%hs(%d) tid(%x) %08X %ws
?)?u?
<asmv3:application>
GetCurrentProcess
P/v,q8
2 2(242T2\2d2p2
fileName
LocalFree
3.4f4
.?AVResultException@wil@@
</assembly>
Version 1.00
PPPhname
Translation
;!;3;N;T;^;f;n;
ScreenToClient
v?SPj
Y*98i
1!1G1
FindWindowW
eudcadm.tte
.?AVCMDIChildWnd@@
4$434<4B4P4Z4m4z4
84989<9@9D9L9P9T9X9\9d9h9l9p9
WilError_02
Rectangle
101H1`1
>?>F>c>n>
6>7T7e7
GetTempFileNameW
ProductVersion
__p__commode
8#8d8
d>+Dg@
__CxxFrameHandler3
_onexit
.CRT$XIAA
?!?&?
zgk=U
failureType
Windows
hresult
>$>4>D>T>d>t>x>
0X0u0
C9A1-C9FE,FEA1-FEFE
.idata$2
8E8P8W8
GetTextMetricsW
UNICODE
9=:N:j:
.CRT$XCL
=$=0=P=\=|=
EDITWINDOW
>8%xT]E
.gfids
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
%hs(%d)\%hs!%p:
Operating System
?(?D?M?r?x?
Fitting
5F5N5V5x5
GetModuleHandleExW
wwwwx
60686>6F6U6\6a6l6
_cexit
616S6l6
>=?C?I?O?e?{?
?>?s?
=Q'*vg
.?AVCEudcDlg@@
USERFONT.FON
2 2;2U2^2g2q2
>3><>A>O>
GetLastError
wwwwwwwwwy
8D8W8
l",3 K
3%323P3e3r3
,]y!H
LogHr
wwwwwwwwww
_amsg_exit
D$09D$ ~
EqualRect
4!4*494K4]4n4
HideCaret
?terminate@@YAXXZ
K wKV
5B5e5
o4eya
ImmDestroyContext
<dependency>
;@;[;a;
5$5H5X5j5r5
?4?L?d?|?
yQMP?O
>!>*>L>`>n>|>
+nnnnp
SetCaretPos
;%;0;;;e;r;
Bitmap
hheadQ
7a?VH
1m]=c
/,[`2
name="Microsoft.Windows.Common-Controls"
D$,9D$
>9qaT
??1exception@@UAE@XZ
InitOnceBeginInitialize
Richmz
=,><>G>m>3???P?j?
4L4d4
ZCCCCCCCCCBA/,)),-ABCN
RegCloseKey
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
SHCreateDirectoryExW
7(70787D7d7l7x7
lineNumber
QB:|":p
wwwxwwwy
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x00400000 | 0x00029770 | 0x00053776 | 0x00053776 | 10.0 | eudcedit.pdb | 2096-03-10 12:49:08 | eef3646dfc23e3a1e483ea3447f6d23f |  |
18754d3ed7604d9869024676b6872f35 | db2990a6b8487bb5a4c3da17385dfb88 | c0a692c9ada68e98 |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Private Character Editor |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | EUDCEdit |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | EUDCEDIT.EXE |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x0002b460 | 0x0002b600 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.28 |
| .data | 0x0002ba00 | 0x0002d000 | 0x00003904 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.65 |
| .idata | 0x0002c400 | 0x00031000 | 0x00002528 | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.76 |
| .rsrc | 0x0002ea00 | 0x00034000 | 0x00017638 | 0x00017800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.92 |
| .reloc | 0x00046200 | 0x0004c000 | 0x00003eec | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.71 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x0004b538 | 0x00000100 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.58 | None |
| RT_CURSOR | 0x0004ac58 | 0x00000134 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.24 | None |
| RT_CURSOR | 0x0004ada8 | 0x00000134 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.55 | None |
| RT_CURSOR | 0x0004aef8 | 0x00000134 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.92 | None |
| RT_CURSOR | 0x0004b048 | 0x00000134 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.22 | None |
| RT_BITMAP | 0x0004a590 | 0x00000518 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.85 | None |
| RT_BITMAP | 0x0004aaa8 | 0x000000d8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.64 | None |
| RT_BITMAP | 0x0004ab80 | 0x000000d8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.78 | None |
| RT_ICON | 0x00034ea0 | 0x00000668 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.05 | None |
| RT_ICON | 0x00035508 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.22 | None |
| RT_ICON | 0x000357f0 | 0x000001e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.19 | None |
| RT_ICON | 0x000359d8 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.86 | None |
| RT_ICON | 0x00035b00 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.20 | None |
| RT_ICON | 0x000369a8 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.29 | None |
| RT_ICON | 0x00037250 | 0x000006c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.54 | None |
| RT_ICON | 0x00037918 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.04 | None |
| RT_ICON | 0x00037e80 | 0x0000c79f | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.96 | None |
| RT_ICON | 0x00044620 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.83 | None |
| RT_ICON | 0x00046bc8 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.08 | None |
| RT_ICON | 0x00047c70 | 0x00000988 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.17 | None |
| RT_ICON | 0x000485f8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.71 | None |
| RT_ICON | 0x00048b20 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.08 | None |
| RT_ICON | 0x00048e20 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.29 | None |
| RT_ICON | 0x00049120 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.31 | None |
| RT_ICON | 0x00049420 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.13 | None |
| RT_ICON | 0x00049720 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.27 | None |
| RT_ICON | 0x00049a20 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.53 | None |
| RT_ICON | 0x00049d08 | 0x00000130 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.15 | None |
| RT_ICON | 0x00049e38 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.09 | None |
| RT_ICON | 0x00049f90 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.48 | None |
| RT_ICON | 0x0004a290 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.90 | None |
| RT_GROUP_CURSOR | 0x0004ad90 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.02 | None |
| RT_GROUP_CURSOR | 0x0004aee0 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.02 | None |
| RT_GROUP_CURSOR | 0x0004b030 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.02 | None |
| RT_GROUP_CURSOR | 0x0004b180 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.02 | None |
| RT_GROUP_ICON | 0x00048a60 | 0x000000bc | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.07 | None |
| RT_GROUP_ICON | 0x00048e08 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.32 | None |
| RT_GROUP_ICON | 0x00049108 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.32 | None |
| RT_GROUP_ICON | 0x00049408 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.22 | None |
| RT_GROUP_ICON | 0x00049708 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.32 | None |
| RT_GROUP_ICON | 0x00049a08 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.32 | None |
| RT_GROUP_ICON | 0x00049f60 | 0x00000030 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.71 | None |
| RT_GROUP_ICON | 0x0004a278 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.32 | None |
| RT_GROUP_ICON | 0x0004a578 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.32 | None |
| RT_VERSION | 0x0004b198 | 0x000003a0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.46 | None |
| RT_MANIFEST | 0x00034980 | 0x0000051e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.92 | None |
Imports
| Name | Address |
|---|---|
| GetOpenFileNameW | 0x431038 |
| ChooseFontW | 0x43103c |
| GetSaveFileNameW | 0x431040 |
| Name | Address |
|---|---|
| InitCommonControlsEx | 0x431030 |
| Name | Address |
|---|---|
| SHCreateDirectoryExW | 0x4316cc |
| SHGetSpecialFolderPathW | 0x4316d0 |
| ShellAboutW | 0x4316d4 |
| Name | Address |
|---|---|
| CreateSolidBrush | 0x431048 |
| GetObjectW | 0x43104c |
| GetTextExtentPoint32W | 0x431050 |
| DeleteDC | 0x431054 |
| CreateCompatibleDC | 0x431058 |
| CreateBitmap | 0x43105c |
| GetStockObject | 0x431060 |
| GetBitmapBits | 0x431064 |
| SetBitmapBits | 0x431068 |
| BitBlt | 0x43106c |
| StretchBlt | 0x431070 |
| Rectangle | 0x431074 |
| CreateCompatibleBitmap | 0x431078 |
| PatBlt | 0x43107c |
| CreatePolygonRgn | 0x431080 |
| CreatePen | 0x431084 |
| Ellipse | 0x431088 |
| GetRgnBox | 0x43108c |
| FillRgn | 0x431090 |
| GetTextExtentExPointW | 0x431094 |
| TranslateCharsetInfo | 0x431098 |
| GetTextExtentPoint32A | 0x43109c |
| ExtTextOutA | 0x4310a0 |
| ExtTextOutW | 0x4310a4 |
| OffsetRgn | 0x4310a8 |
| GetTextMetricsW | 0x4310ac |
| GetLayout | 0x4310b0 |
| DeleteObject | 0x4310b4 |
| SetBkColor | 0x4310b8 |
| SetTextColor | 0x4310bc |
| GetTextExtentPointW | 0x4310c0 |
| EnumFontFamiliesW | 0x4310c4 |
| EnableEUDC | 0x4310c8 |
| CreateFontIndirectW | 0x4310cc |
| SelectObject | 0x4310d0 |
| GetFontData | 0x4310d4 |
| Name | Address |
|---|---|
| ImmConfigureIMEW | 0x4310dc |
| ImmEscapeW | 0x4310e0 |
| ImmIsIME | 0x4310e4 |
| ImmSetConversionStatus | 0x4310e8 |
| ImmSetCompositionStringW | 0x4310ec |
| ImmDestroyContext | 0x4310f0 |
| ImmGetConversionStatus | 0x4310f4 |
| ImmCreateContext | 0x4310f8 |
| ImmEnumRegisterWordW | 0x4310fc |
| ImmGetCompositionStringW | 0x431100 |
| ImmAssociateContext | 0x431104 |
| ImmRegisterWordW | 0x431108 |
| Name | Address |
|---|---|
| CoInitialize | 0x4318e8 |
| CoCreateInstance | 0x4318ec |
| Name | Address |
|---|---|
| TF_CreateInputProcessorProfiles | 0x4316b4 |
| TF_CreateThreadMgr | 0x4316b8 |
| Name | Address |
|---|---|
| SysAllocString | 0x4316c0 |
| SysFreeString | 0x4316c4 |
| Name | Address |
|---|---|
| RegCloseKey | 0x431000 |
| EventRegister | 0x431004 |
| EventSetInformation | 0x431008 |
| EventWriteTransfer | 0x43100c |
| RegOpenKeyExW | 0x431010 |
| RegQueryValueExW | 0x431014 |
| RegEnumValueW | 0x431018 |
| RegCreateKeyExW | 0x43101c |
| RegDeleteValueW | 0x431020 |
| RegSetValueExW | 0x431024 |
| EventUnregister | 0x431028 |
| Name | Address |
|---|---|
| qsort | 0x43183c |
| _callnewh | 0x431840 |
| _XcptFilter | 0x431844 |
| __p__commode | 0x431848 |
| _amsg_exit | 0x43184c |
| __wgetmainargs | 0x431850 |
| __set_app_type | 0x431854 |
| exit | 0x431858 |
| _exit | 0x43185c |
| _cexit | 0x431860 |
| __p__fmode | 0x431864 |
| __setusermatherr | 0x431868 |
| _initterm | 0x43186c |
| _wcmdln | 0x431870 |
| ?terminate@@YAXXZ | 0x431874 |
| ??1type_info@@UAE@XZ | 0x431878 |
| _lock | 0x43187c |
| _unlock | 0x431880 |
| __dllonexit | 0x431884 |
| _onexit | 0x431888 |
| _controlfp | 0x43188c |
| _except_handler4_common | 0x431890 |
| memcpy | 0x431894 |
| wcsstr | 0x431898 |
| wcschr | 0x43189c |
| wcstol | 0x4318a0 |
| _wtoi | 0x4318a4 |
| wcstok | 0x4318a8 |
| _vsnprintf_s | 0x4318ac |
| memcpy_s | 0x4318b0 |
| ??0exception@@QAE@XZ | 0x4318b4 |
| ??0exception@@QAE@ABV0@@Z | 0x4318b8 |
| ??1exception@@UAE@XZ | 0x4318bc |
| malloc | 0x4318c0 |
| memcmp | 0x4318c4 |
| _ftol2_sse | 0x4318c8 |
| _CxxThrowException | 0x4318cc |
| free | 0x4318d0 |
| wcsrchr | 0x4318d4 |
| __CxxFrameHandler3 | 0x4318d8 |
| _vsnwprintf | 0x4318dc |
| memset | 0x4318e0 |
Usage
Processing ( 9.79 seconds )
- 9.134 ProcessMemory
- 0.644 CAPE
- 0.008 AnalysisInfo
- 0.008 BehaviorAnalysis
- 0.001 Debug
Signatures ( 0.05 seconds )
- 0.008 ransomware_files
- 0.005 antianalysis_detectfile
- 0.005 antiav_detectreg
- 0.005 ransomware_extensions
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_ftp
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.002 territorial_disputes_sigs
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 infostealer_bitcoin
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
Reporting ( 0.00 seconds )
- 0.003 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: eudcedit.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x0002ea00', 'virtual_address': '0x00034000', 'virtual_size': '0x00017638', 'size_of_data': '0x00017800', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '6.92'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4728 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
C:\Users\Packager\AppData\Local\Temp\eudcedit.exe
C:\Windows\SystemResources\MFC42u.dll.mun
C:\Windows\SystemResources\MFC42u.dll.mun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.