paladin316

VBS_2e6692158176a6dd3b22c5af592dee33_php_2019-06-26_21_30.json

  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "VBS_2e6692158176a6dd3b22c5af592dee33.php"
  7. [*] File Size: 355175
  8. [*] File Type: "Zip archive data, at least v2.0 to extract"
  9. [*] SHA256: "c85d3591a12cfd82a7983e976398cfabbde313cfabb68015777afd587f3053f3"
  10. [*] MD5: "2e6692158176a6dd3b22c5af592dee33"
  11. [*] SHA1: "b687f22bac958718c37c7f8962d83c18eb55c5ea"
  12. [*] SHA512: "ec0b77a02682116f7bb3a96f46ca3b11412b879213f578e0245cb519d52b15e5b331f5b301cfe79ab9e75b0d8bf37d49ed2ec97ff75cc60b944eadd9ba32c651"
  13. [*] CRC32: "9999C43D"
  14. [*] SSDEEP: "6144:boA/iiiSz6uFiffdEju7TQK101xtrOT179l5cSSqEfQLjqLtg6/0bctiHZi:MA/iq6ldiu7TJ101xM1L5cSp+UqLSDQx"
  15.  
  16. [*] Process Execution: [
  17. "wscript.exe",
  18. "tmp1.exe",
  19. "cmd.exe",
  20. "powershell.exe",
  21. "cmd.exe",
  22. "sc.exe",
  23. "cmd.exe",
  24. "sc.exe",
  25. "cmd.exe",
  26. "sc.exe",
  27. "cmd.exe",
  28. "sc.exe",
  29. "cmd.exe",
  30. "powershell.exe",
  31. "svchost.exe",
  32. "services.exe",
  33. "lsass.exe"
  34. ]
  35.  
  36. [*] Signatures Detected: [
  37. {
  38. "Description": "Creates RWX memory",
  39. "Details": []
  40. },
  41. {
  42. "Description": "Possible date expiration check, exits too soon after checking local time",
  43. "Details": [
  44. {
  45. "process": "cmd.exe, PID 2252"
  46. }
  47. ]
  48. },
  49. {
  50. "Description": "A process created a hidden window",
  51. "Details": [
  52. {
  53. "Process": "tmp1.exe -> cmd"
  54. },
  55. {
  56. "Process": "tmp1.exe -> cmd"
  57. },
  58. {
  59. "Process": "tmp1.exe -> cmd"
  60. }
  61. ]
  62. },
  63. {
  64. "Description": "Drops a binary and executes it",
  65. "Details": [
  66. {
  67. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe"
  68. }
  69. ]
  70. },
  71. {
  72. "Description": "Attempts to stop active services",
  73. "Details": [
  74. {
  75. "servicename": "WinDefend"
  76. }
  77. ]
  78. },
  79. {
  80. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  81. "Details": [
  82. {
  83. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 6301646 times"
  84. }
  85. ]
  86. },
  87. {
  88. "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process",
  89. "Details": [
  90. {
  91. "modified_name": "svchost.exe",
  92. "modified_path": "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe",
  93. "original_name": "svchost.exe",
  94. "original_path": "C:\\Windows\\system32\\svchost.exe"
  95. }
  96. ]
  97. },
  98. {
  99. "Description": "Creates a hidden or system file",
  100. "Details": [
  101. {
  102. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1c05cb3.TMP"
  103. }
  104. ]
  105. },
  106. {
  107. "Description": "Attempts to disable Windows Defender",
  108. "Details": []
  109. }
  110. ]
  111.  
  112. [*] Started Service: [
  113. "KeyIso"
  114. ]
  115.  
  116. [*] Executed Commands: [
  117. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe",
  118. "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  119. "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  120. "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend",
  121. "cmd /c sc stop WinDefend",
  122. "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend",
  123. "cmd /c sc delete WinDefend",
  124. "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend",
  125. "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend",
  126. "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  127. "C:\\Windows\\system32\\svchost.exe",
  128. "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  129. "sc stop WinDefend",
  130. "sc delete WinDefend",
  131. "C:\\Windows\\system32\\lsass.exe"
  132. ]
  133.  
  134. [*] Mutexes: [
  135. "Local\\ZoneAttributeCacheCounterMutex",
  136. "Local\\ZonesCacheCounterMutex",
  137. "Local\\ZonesLockedCacheCounterMutex",
  138. "Global\\CLR_CASOFF_MUTEX",
  139. "Global\\838B6C9EB27932960"
  140. ]
  141.  
  142. [*] Modified Files: [
  143. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe",
  144. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
  145. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  146. "\\??\\PIPE\\srvsvc",
  147. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\2SY56ZUVOKR9XU4K9J40.temp",
  148. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1c05cb3.TMP",
  149. "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  150. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\IB9NPG0WGFIMPFH2WBH4.temp",
  151. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms"
  152. ]
  153.  
  154. [*] Deleted Files: [
  155. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1c05cb3.TMP",
  156. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.2284.29384125",
  157. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2284.29384125",
  158. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.2284.29384140",
  159. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\IB9NPG0WGFIMPFH2WBH4.temp",
  160. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1728.29405593",
  161. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1728.29405593",
  162. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1728.29405593"
  163. ]
  164.  
  165. [*] Modified Registry Keys: [
  166. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  167. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  168. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
  169. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
  170. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
  171. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
  172. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
  173. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable",
  174. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection",
  175. "DisableNotifications",
  176. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList"
  177. ]
  178.  
  179. [*] Deleted Registry Keys: [
  180. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  181. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  182. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  183. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  184. ]
  185.  
  186. [*] DNS Communications: []
  187.  
  188. [*] Domains: []
  189.  
  190. [*] Network Communication - ICMP: []
  191.  
  192. [*] Network Communication - HTTP: []
  193.  
  194. [*] Network Communication - SMTP: []
  195.  
  196. [*] Network Communication - Hosts: []
  197.  
  198. [*] Network Communication - IRC: []
  199.  
  200. [*] Static Analysis: {
  201. "office": {
  202. "Metadata": {
  203. "HasMacros": "No"
  204. }
  205. }
  206. }
  207.  
  208. [*] Resolved APIs: [
  209. "advapi32.dll.SaferIdentifyLevel",
  210. "advapi32.dll.SaferComputeTokenFromLevel",
  211. "advapi32.dll.SaferCloseLevel",
  212. "ole32.dll.CLSIDFromProgIDEx",
  213. "ole32.dll.CoGetClassObject",
  214. "wscript.exe.#1",
  215. "urlmon.dll.#326",
  216. "urlmon.dll.#327",
  217. "shell32.dll.#685",
  218. "shell32.dll.#688",
  219. "urlmon.dll.#395",
  220. "cryptsp.dll.CryptAcquireContextW",
  221. "cryptsp.dll.CryptGenRandom",
  222. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  223. "oleaut32.dll.#500",
  224. "cryptsp.dll.CryptReleaseContext",
  225. "cryptsp.dll.CryptAcquireContextA",
  226. "kernel32.dll.VirtualAlloc",
  227. "ntdll.dll.memcpy",
  228. "kernel32.dll.GetCurrentProcess",
  229. "kernel32.dll.CloseHandle",
  230. "advapi32.dll.OpenProcessToken",
  231. "advapi32.dll.GetTokenInformation",
  232. "kernel32.dll.Wow64EnableWow64FsRedirection",
  233. "advapi32.dll.RegCloseKey",
  234. "advapi32.dll.RegCreateKeyW",
  235. "advapi32.dll.RegOpenKeyExW",
  236. "advapi32.dll.RegSetValueExW",
  237. "shell32.dll.ShellExecuteA",
  238. "ole32.dll.OleInitialize",
  239. "cryptbase.dll.SystemFunction036",
  240. "ole32.dll.CreateBindCtx",
  241. "ole32.dll.CoTaskMemAlloc",
  242. "propsys.dll.PSCreateMemoryPropertyStore",
  243. "propsys.dll.PSPropertyBag_WriteDWORD",
  244. "ole32.dll.CoGetApartmentType",
  245. "ole32.dll.CoRegisterInitializeSpy",
  246. "ole32.dll.CoTaskMemFree",
  247. "comctl32.dll.#236",
  248. "oleaut32.dll.#6",
  249. "ole32.dll.CoGetMalloc",
  250. "propsys.dll.PSPropertyBag_ReadDWORD",
  251. "propsys.dll.PSPropertyBag_ReadGUID",
  252. "comctl32.dll.#320",
  253. "comctl32.dll.#324",
  254. "comctl32.dll.#323",
  255. "advapi32.dll.RegEnumKeyW",
  256. "advapi32.dll.OpenThreadToken",
  257. "ole32.dll.StringFromGUID2",
  258. "apphelp.dll.ApphelpCheckShellObject",
  259. "ole32.dll.CoCreateInstance",
  260. "urlmon.dll.CreateUri",
  261. "kernel32.dll.InitializeSRWLock",
  262. "kernel32.dll.AcquireSRWLockExclusive",
  263. "kernel32.dll.AcquireSRWLockShared",
  264. "kernel32.dll.ReleaseSRWLockExclusive",
  265. "kernel32.dll.ReleaseSRWLockShared",
  266. "comctl32.dll.#328",
  267. "comctl32.dll.#334",
  268. "oleaut32.dll.#2",
  269. "shell32.dll.#102",
  270. "propsys.dll.PSPropertyBag_ReadStrAlloc",
  271. "ole32.dll.CoInitializeEx",
  272. "advapi32.dll.InitializeSecurityDescriptor",
  273. "advapi32.dll.SetEntriesInAclW",
  274. "ntmarta.dll.GetMartaExtensionInterface",
  275. "advapi32.dll.SetSecurityDescriptorDacl",
  276. "advapi32.dll.IsTextUnicode",
  277. "comctl32.dll.#332",
  278. "comctl32.dll.#338",
  279. "comctl32.dll.#339",
  280. "ole32.dll.CoUninitialize",
  281. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  282. "sechost.dll.ConvertSidToStringSidW",
  283. "profapi.dll.#104",
  284. "propsys.dll.#430",
  285. "advapi32.dll.RegGetValueW",
  286. "ole32.dll.CoTaskMemRealloc",
  287. "propsys.dll.InitPropVariantFromStringAsVector",
  288. "propsys.dll.PSCoerceToCanonicalValue",
  289. "propsys.dll.PropVariantToStringAlloc",
  290. "ole32.dll.PropVariantClear",
  291. "ole32.dll.CoAllowSetForegroundWindow",
  292. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  293. "comctl32.dll.#386",
  294. "shell32.dll.SHGetFolderPathW",
  295. "advapi32.dll.SaferGetPolicyInformation",
  296. "ntdll.dll.RtlDllShutdownInProgress",
  297. "comctl32.dll.#329",
  298. "ole32.dll.OleUninitialize",
  299. "ole32.dll.CoRevokeInitializeSpy",
  300. "comctl32.dll.#388",
  301. "advapi32.dll.CryptAcquireContextA",
  302. "advapi32.dll.CryptImportKey",
  303. "advapi32.dll.CryptEncrypt",
  304. "cryptsp.dll.CryptImportKey",
  305. "cryptbase.dll.SystemFunction040",
  306. "cryptbase.dll.SystemFunction041",
  307. "cryptsp.dll.CryptEncrypt",
  308. "advapi32.dll.UnregisterTraceGuids",
  309. "comctl32.dll.#321",
  310. "kernel32.dll.SetThreadUILanguage",
  311. "kernel32.dll.CopyFileExW",
  312. "kernel32.dll.IsDebuggerPresent",
  313. "kernel32.dll.SetConsoleInputExeNameW",
  314. "kernel32.dll.SortGetHandle",
  315. "kernel32.dll.SortCloseHandle",
  316. "uxtheme.dll.ThemeInitApiHook",
  317. "user32.dll.IsProcessDPIAware",
  318. "shell32.dll.#66",
  319. "comctl32.dll.#385",
  320. "comctl32.dll.#336",
  321. "comctl32.dll.#333",
  322. "linkinfo.dll.IsValidLinkInfo",
  323. "propsys.dll.#417",
  324. "propsys.dll.PSGetNameFromPropertyKey",
  325. "propsys.dll.PSStringFromPropertyKey",
  326. "propsys.dll.InitVariantFromBuffer",
  327. "oleaut32.dll.#9",
  328. "propsys.dll.PropVariantToGUID",
  329. "linkinfo.dll.CreateLinkInfoW",
  330. "user32.dll.IsCharAlphaW",
  331. "user32.dll.CharPrevW",
  332. "ntshrui.dll.GetNetResourceFromLocalPathW",
  333. "srvcli.dll.NetShareEnum",
  334. "cscapi.dll.CscNetApiGetInterface",
  335. "slc.dll.SLGetWindowsInformationDWORD",
  336. "shlwapi.dll.PathRemoveFileSpecW",
  337. "linkinfo.dll.DestroyLinkInfo",
  338. "propsys.dll.PropVariantToBoolean",
  339. "advapi32.dll.GetSecurityInfo",
  340. "advapi32.dll.SetSecurityInfo",
  341. "advapi32.dll.GetSecurityDescriptorControl",
  342. "advapi32.dll.RegQueryInfoKeyW",
  343. "advapi32.dll.RegEnumKeyExW",
  344. "advapi32.dll.RegEnumValueW",
  345. "advapi32.dll.RegQueryValueExW",
  346. "shlwapi.dll.UrlIsW",
  347. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  348. "msvcrt.dll._set_error_mode",
  349. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  350. "kernel32.dll.FindActCtxSectionStringW",
  351. "kernel32.dll.GetSystemWindowsDirectoryW",
  352. "mscoree.dll.GetProcessExecutableHeap",
  353. "mscorwks.dll.DllGetClassObjectInternal",
  354. "mscorwks.dll.GetCLRFunction",
  355. "advapi32.dll.RegisterTraceGuidsW",
  356. "advapi32.dll.GetTraceLoggerHandle",
  357. "advapi32.dll.GetTraceEnableLevel",
  358. "advapi32.dll.GetTraceEnableFlags",
  359. "advapi32.dll.TraceEvent",
  360. "mscoree.dll.IEE",
  361. "mscorwks.dll.IEE",
  362. "mscoree.dll.GetStartupFlags",
  363. "mscoree.dll.GetHostConfigurationFile",
  364. "mscoree.dll.GetCORSystemDirectory",
  365. "ntdll.dll.RtlVirtualUnwind",
  366. "kernel32.dll.IsWow64Process",
  367. "advapi32.dll.AllocateAndInitializeSid",
  368. "advapi32.dll.InitializeAcl",
  369. "advapi32.dll.AddAccessAllowedAce",
  370. "advapi32.dll.FreeSid",
  371. "kernel32.dll.SetThreadStackGuarantee",
  372. "kernel32.dll.FlsSetValue",
  373. "kernel32.dll.FlsGetValue",
  374. "kernel32.dll.FlsAlloc",
  375. "kernel32.dll.FlsFree",
  376. "kernel32.dll.AddVectoredContinueHandler",
  377. "kernel32.dll.RemoveVectoredContinueHandler",
  378. "advapi32.dll.ConvertSidToStringSidW",
  379. "kernel32.dll.FlushProcessWriteBuffers",
  380. "kernel32.dll.GetWriteWatch",
  381. "kernel32.dll.ResetWriteWatch",
  382. "kernel32.dll.CreateMemoryResourceNotification",
  383. "kernel32.dll.QueryMemoryResourceNotification",
  384. "kernel32.dll.GlobalMemoryStatusEx",
  385. "ole32.dll.CoGetContextToken",
  386. "oleaut32.dll.#149",
  387. "kernel32.dll.GetUserDefaultUILanguage",
  388. "kernel32.dll.GetVersionExW",
  389. "kernel32.dll.GetFullPathNameW",
  390. "kernel32.dll.SetErrorMode",
  391. "kernel32.dll.GetFileAttributesExW",
  392. "version.dll.GetFileVersionInfoSizeW",
  393. "version.dll.GetFileVersionInfoW",
  394. "version.dll.VerQueryValueW",
  395. "kernel32.dll.lstrlen",
  396. "kernel32.dll.lstrlenW",
  397. "mscoree.dll.ND_RI2",
  398. "kernel32.dll.lstrcpy",
  399. "kernel32.dll.lstrcpyW",
  400. "version.dll.VerLanguageNameW",
  401. "kernel32.dll.GetCurrentProcessId",
  402. "advapi32.dll.LookupPrivilegeValueW",
  403. "advapi32.dll.AdjustTokenPrivileges",
  404. "kernel32.dll.OpenProcess",
  405. "psapi.dll.EnumProcessModules",
  406. "psapi.dll.GetModuleInformation",
  407. "psapi.dll.GetModuleBaseNameW",
  408. "psapi.dll.GetModuleFileNameExW",
  409. "kernel32.dll.GetExitCodeProcess",
  410. "ntdll.dll.NtQuerySystemInformation",
  411. "user32.dll.EnumWindows",
  412. "user32.dll.GetWindowThreadProcessId",
  413. "kernel32.dll.WerSetFlags",
  414. "kernel32.dll.SetThreadPreferredUILanguages",
  415. "kernel32.dll.GetThreadPreferredUILanguages",
  416. "kernel32.dll.GetUserDefaultLocaleName",
  417. "kernel32.dll.GetEnvironmentVariableW",
  418. "advapi32.dll.CryptReleaseContext",
  419. "advapi32.dll.CryptCreateHash",
  420. "advapi32.dll.CryptDestroyHash",
  421. "advapi32.dll.CryptHashData",
  422. "advapi32.dll.CryptGetHashParam",
  423. "advapi32.dll.CryptExportKey",
  424. "advapi32.dll.CryptGenKey",
  425. "advapi32.dll.CryptGetKeyParam",
  426. "advapi32.dll.CryptDestroyKey",
  427. "advapi32.dll.CryptVerifySignatureA",
  428. "advapi32.dll.CryptSignHashA",
  429. "advapi32.dll.CryptGetProvParam",
  430. "advapi32.dll.CryptGetUserKey",
  431. "advapi32.dll.CryptEnumProvidersA",
  432. "cryptsp.dll.CryptHashData",
  433. "cryptsp.dll.CryptGetHashParam",
  434. "cryptsp.dll.CryptDestroyHash",
  435. "cryptsp.dll.CryptDestroyKey",
  436. "mscoree.dll.GetTokenForVTableEntry",
  437. "mscoree.dll.SetTargetForVTableEntry",
  438. "mscoree.dll.GetTargetForVTableEntry",
  439. "culture.dll.ConvertLangIdToCultureName",
  440. "ole32.dll.CoCreateGuid",
  441. "kernel32.dll.CreateFileW",
  442. "kernel32.dll.GetConsoleScreenBufferInfo",
  443. "kernel32.dll.LocalFree",
  444. "kernel32.dll.LocalAlloc",
  445. "mscoree.dll.ND_RI4",
  446. "advapi32.dll.DuplicateTokenEx",
  447. "advapi32.dll.CheckTokenMembership",
  448. "kernel32.dll.GetConsoleTitleW",
  449. "mscorjit.dll.getJit",
  450. "kernel32.dll.SetConsoleTitleW",
  451. "kernel32.dll.SetConsoleCtrlHandler",
  452. "kernel32.dll.CreateEventW",
  453. "ntdll.dll.WinSqmIsOptedIn",
  454. "kernel32.dll.ExpandEnvironmentStringsW",
  455. "shfolder.dll.SHGetFolderPathW",
  456. "kernel32.dll.SetEnvironmentVariableW",
  457. "kernel32.dll.GetACP",
  458. "kernel32.dll.UnmapViewOfFile",
  459. "kernel32.dll.GetFileType",
  460. "kernel32.dll.ReadFile",
  461. "kernel32.dll.GetSystemInfo",
  462. "kernel32.dll.VirtualQuery",
  463. "secur32.dll.GetUserNameExW",
  464. "advapi32.dll.GetUserNameW",
  465. "kernel32.dll.ReleaseMutex",
  466. "advapi32.dll.RegisterEventSourceW",
  467. "advapi32.dll.DeregisterEventSource",
  468. "advapi32.dll.ReportEventW",
  469. "kernel32.dll.GetLogicalDrives",
  470. "kernel32.dll.GetDriveTypeW",
  471. "kernel32.dll.GetVolumeInformationW",
  472. "kernel32.dll.GetCurrentDirectoryW",
  473. "kernel32.dll.GetLastError",
  474. "kernel32.dll.GetStdHandle",
  475. "kernel32.dll.GetConsoleMode",
  476. "kernel32.dll.SetEvent",
  477. "kernel32.dll.FindFirstFileW",
  478. "kernel32.dll.FindClose",
  479. "mscoree.dll.DllGetClassObject",
  480. "diasymreader.dll.DllGetClassObjectInternal",
  481. "kernel32.dll.GetConsoleOutputCP",
  482. "gdi32.dll.TranslateCharsetInfo",
  483. "kernel32.dll.SetConsoleTextAttribute",
  484. "kernel32.dll.WriteConsoleW",
  485. "mscoree.dll.CorExitProcess",
  486. "mscorwks.dll.CorExitProcess",
  487. "mscorwks.dll._CorDllMain",
  488. "kernel32.dll.CreateActCtxW",
  489. "kernel32.dll.AddRefActCtx",
  490. "kernel32.dll.ReleaseActCtx",
  491. "kernel32.dll.ActivateActCtx",
  492. "kernel32.dll.DeactivateActCtx",
  493. "kernel32.dll.GetCurrentActCtx",
  494. "kernel32.dll.QueryActCtxW",
  495. "netutils.dll.NetApiBufferFree",
  496. "kernel32.dll.IsProcessorFeaturePresent",
  497. "ntdll.dll.RtlUnwind",
  498. "mscoree.dll._CorExeMain",
  499. "mscoree.dll._CorImageUnloading",
  500. "mscoree.dll._CorValidateImage",
  501. "cryptsp.dll.CryptExportKey",
  502. "cryptsp.dll.CryptCreateHash",
  503. "kernel32.dll.SwitchToThread",
  504. "rpcrt4.dll.UuidFromStringW",
  505. "rpcrt4.dll.RpcBindingCreateW",
  506. "rpcrt4.dll.RpcBindingBind",
  507. "sechost.dll.OpenSCManagerW",
  508. "sechost.dll.OpenServiceW",
  509. "sechost.dll.StartServiceW",
  510. "sechost.dll.CloseServiceHandle"
  511. ]
  512.  
  513. [*] Static Analysis: {
  514. "office": {
  515. "Metadata": {
  516. "HasMacros": "No"
  517. }
  518. }
  519. }