Zips_b2c42bcef78d843acf24cbfd425dd554_php_2019-06-26_21_30.json

  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Zips_b2c42bcef78d843acf24cbfd425dd554.php"
  7. [*] File Size: 348303
  8. [*] File Type: "Zip archive data, at least v2.0 to extract"
  9. [*] SHA256: "749435ea7c7c978cb794a66881857364a4a906506d09e8c89d1abc271f064775"
  10. [*] MD5: "b2c42bcef78d843acf24cbfd425dd554"
  11. [*] SHA1: "34a817bd0569c5136e4b03d7f467d83d5da5e05d"
  12. [*] SHA512: "4395ec57830c33ba5187b3bf8fc4bf8c8d585ed24fc20646051ad60adbac8ceb7a30a987bef6303827a5edcd4ac22d2cdee185cfc31b9bf904ea9b20e6d53f68"
  13. [*] CRC32: "03EA02D9"
  14. [*] SSDEEP: "6144:koA/iiiSz6uFiffdEju7TQK101xtrOT179l5cSSUvWZsfwCiJbHbDM0wLA:ZA/iq6ldiu7TJ101xM1L5cSnJfvGbHsq"
  15.  
  16. [*] Process Execution: [
  17. "wscript.exe",
  18. "tmp1.exe",
  19. "cmd.exe",
  20. "powershell.exe",
  21. "cmd.exe",
  22. "sc.exe",
  23. "cmd.exe",
  24. "sc.exe",
  25. "cmd.exe",
  26. "sc.exe",
  27. "cmd.exe",
  28. "sc.exe",
  29. "cmd.exe",
  30. "powershell.exe",
  31. "svchost.exe",
  32. "services.exe",
  33. "lsass.exe",
  34. "taskhost.exe",
  35. "sc.exe",
  36. "svchost.exe",
  37. "svchost.exe",
  38. "WerFault.exe",
  39. "wermgr.exe"
  40. ]
  41.  
  42. [*] Signatures Detected: [
  43. {
  44. "Description": "At least one process apparently crashed during execution",
  45. "Details": []
  46. },
  47. {
  48. "Description": "Creates RWX memory",
  49. "Details": []
  50. },
  51. {
  52. "Description": "Possible date expiration check, exits too soon after checking local time",
  53. "Details": [
  54. {
  55. "process": "cmd.exe, PID 1820"
  56. }
  57. ]
  58. },
  59. {
  60. "Description": "A process created a hidden window",
  61. "Details": [
  62. {
  63. "Process": "tmp1.exe -> cmd"
  64. },
  65. {
  66. "Process": "tmp1.exe -> cmd"
  67. },
  68. {
  69. "Process": "tmp1.exe -> cmd"
  70. }
  71. ]
  72. },
  73. {
  74. "Description": "Drops a binary and executes it",
  75. "Details": [
  76. {
  77. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe"
  78. }
  79. ]
  80. },
  81. {
  82. "Description": "Attempts to stop active services",
  83. "Details": [
  84. {
  85. "servicename": "WinDefend"
  86. }
  87. ]
  88. },
  89. {
  90. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  91. "Details": [
  92. {
  93. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 13399770 times"
  94. }
  95. ]
  96. },
  97. {
  98. "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process",
  99. "Details": [
  100. {
  101. "modified_name": "svchost.exe",
  102. "modified_path": "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe",
  103. "original_name": "svchost.exe",
  104. "original_path": "C:\\Windows\\system32\\svchost.exe"
  105. }
  106. ]
  107. },
  108. {
  109. "Description": "Creates a hidden or system file",
  110. "Details": [
  111. {
  112. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF95b9c5.TMP"
  113. }
  114. ]
  115. },
  116. {
  117. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  118. "Details": []
  119. },
  120. {
  121. "Description": "Attempts to disable Windows Defender",
  122. "Details": []
  123. }
  124. ]
  125.  
  126. [*] Started Service: [
  127. "KeyIso",
  128. "WerSvc",
  129. "W32Time"
  130. ]
  131.  
  132. [*] Executed Commands: [
  133. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe",
  134. "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  135. "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  136. "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend",
  137. "cmd /c sc stop WinDefend",
  138. "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend",
  139. "cmd /c sc delete WinDefend",
  140. "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend",
  141. "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend",
  142. "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  143. "C:\\Windows\\system32\\svchost.exe",
  144. "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  145. "sc stop WinDefend",
  146. "sc delete WinDefend",
  147. "C:\\Windows\\system32\\lsass.exe",
  148. "taskhost.exe $(Arg0)",
  149. "C:\\Windows\\system32\\sc.exe start w32time task_started",
  150. "C:\\Windows\\system32\\svchost.exe -k LocalService",
  151. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  152. "C:\\Windows\\system32\\WerFault.exe -u -p 1852 -s 292",
  153. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_06a4cb1f\""
  154. ]
  155.  
  156. [*] Mutexes: [
  157. "Local\\ZoneAttributeCacheCounterMutex",
  158. "Local\\ZonesCacheCounterMutex",
  159. "Local\\ZonesLockedCacheCounterMutex",
  160. "Global\\CLR_CASOFF_MUTEX",
  161. "Global\\838B6C9EB27932960",
  162. "Local\\WERReportingForProcess1852",
  163. "Global\\\\xe5\\x88\\x90\\xc2\\x96",
  164. "Global\\\\xe1\\x9f\\xa0\\xc6\\xbb",
  165. "WERUI_BEX64-e0bfc78dc22baf57413d9e3a2494cb68424d695b"
  166. ]
  167.  
  168. [*] Modified Files: [
  169. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe",
  170. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
  171. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  172. "\\??\\PIPE\\srvsvc",
  173. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\DO5N1QATOOOFI7A0K4WO.temp",
  174. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF95b9c5.TMP",
  175. "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  176. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZPJ24E8WPWZVVRYY5PXE.temp",
  177. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
  178. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  179. "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
  180. "\\??\\PIPE\\lsarpc",
  181. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WER9FEC.tmp.appcompat.txt",
  182. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB058.tmp.WERInternalMetadata.xml",
  183. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB078.tmp.hdmp",
  184. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB8E5.tmp.mdmp",
  185. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_06a4cb1f\\WER9FEC.tmp.appcompat.txt",
  186. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_06a4cb1f\\WERB058.tmp.WERInternalMetadata.xml",
  187. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_06a4cb1f\\WERB078.tmp.hdmp",
  188. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_06a4cb1f\\WERB8E5.tmp.mdmp",
  189. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_06a4cb1f\\Report.wer",
  190. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_06a4cb1f\\Report.wer.tmp"
  191. ]
  192.  
  193. [*] Deleted Files: [
  194. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF95b9c5.TMP",
  195. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.2604.9812765",
  196. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2604.9812765",
  197. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.2604.9812765",
  198. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZPJ24E8WPWZVVRYY5PXE.temp",
  199. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2224.9814828",
  200. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2224.9814828",
  201. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2224.9814828",
  202. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WER9FEC.tmp",
  203. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WER9FEC.tmp.appcompat.txt",
  204. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB058.tmp",
  205. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB058.tmp.WERInternalMetadata.xml",
  206. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB078.tmp",
  207. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB078.tmp.hdmp",
  208. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB8E5.tmp",
  209. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB8E5.tmp.mdmp",
  210. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_06a4cb1f\\Report.wer.tmp"
  211. ]
  212.  
  213. [*] Modified Registry Keys: [
  214. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  215. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  216. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
  217. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
  218. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
  219. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
  220. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
  221. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable",
  222. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection",
  223. "DisableNotifications",
  224. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  225. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
  226. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  227. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
  228. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
  229. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
  230. ]
  231.  
  232. [*] Deleted Registry Keys: [
  233. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  234. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  235. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  236. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  237. ]
  238.  
  239. [*] DNS Communications: []
  240.  
  241. [*] Domains: []
  242.  
  243. [*] Network Communication - ICMP: []
  244.  
  245. [*] Network Communication - HTTP: []
  246.  
  247. [*] Network Communication - SMTP: []
  248.  
  249. [*] Network Communication - Hosts: []
  250.  
  251. [*] Network Communication - IRC: []
  252.  
  253. [*] Static Analysis: {
  254. "office": {
  255. "Metadata": {
  256. "HasMacros": "No"
  257. }
  258. }
  259. }
  260.  
  261. [*] Resolved APIs: [
  262. "advapi32.dll.SaferIdentifyLevel",
  263. "advapi32.dll.SaferComputeTokenFromLevel",
  264. "advapi32.dll.SaferCloseLevel",
  265. "ole32.dll.CLSIDFromProgIDEx",
  266. "ole32.dll.CoGetClassObject",
  267. "wscript.exe.#1",
  268. "urlmon.dll.#326",
  269. "urlmon.dll.#327",
  270. "shell32.dll.#685",
  271. "shell32.dll.#688",
  272. "urlmon.dll.#395",
  273. "cryptsp.dll.CryptAcquireContextW",
  274. "cryptsp.dll.CryptGenRandom",
  275. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  276. "oleaut32.dll.#500",
  277. "cryptsp.dll.CryptReleaseContext",
  278. "cryptsp.dll.CryptAcquireContextA",
  279. "kernel32.dll.VirtualAlloc",
  280. "ntdll.dll.memcpy",
  281. "kernel32.dll.GetCurrentProcess",
  282. "kernel32.dll.CloseHandle",
  283. "advapi32.dll.OpenProcessToken",
  284. "advapi32.dll.GetTokenInformation",
  285. "kernel32.dll.Wow64EnableWow64FsRedirection",
  286. "advapi32.dll.RegCloseKey",
  287. "advapi32.dll.RegCreateKeyW",
  288. "advapi32.dll.RegOpenKeyExW",
  289. "advapi32.dll.RegSetValueExW",
  290. "shell32.dll.ShellExecuteA",
  291. "ole32.dll.OleInitialize",
  292. "cryptbase.dll.SystemFunction036",
  293. "ole32.dll.CreateBindCtx",
  294. "ole32.dll.CoTaskMemAlloc",
  295. "propsys.dll.PSCreateMemoryPropertyStore",
  296. "propsys.dll.PSPropertyBag_WriteDWORD",
  297. "ole32.dll.CoGetApartmentType",
  298. "ole32.dll.CoRegisterInitializeSpy",
  299. "ole32.dll.CoTaskMemFree",
  300. "comctl32.dll.#236",
  301. "oleaut32.dll.#6",
  302. "ole32.dll.CoGetMalloc",
  303. "propsys.dll.PSPropertyBag_ReadDWORD",
  304. "propsys.dll.PSPropertyBag_ReadGUID",
  305. "comctl32.dll.#320",
  306. "comctl32.dll.#324",
  307. "comctl32.dll.#323",
  308. "advapi32.dll.RegEnumKeyW",
  309. "advapi32.dll.OpenThreadToken",
  310. "ole32.dll.StringFromGUID2",
  311. "apphelp.dll.ApphelpCheckShellObject",
  312. "ole32.dll.CoCreateInstance",
  313. "urlmon.dll.CreateUri",
  314. "kernel32.dll.InitializeSRWLock",
  315. "kernel32.dll.AcquireSRWLockExclusive",
  316. "kernel32.dll.AcquireSRWLockShared",
  317. "kernel32.dll.ReleaseSRWLockExclusive",
  318. "kernel32.dll.ReleaseSRWLockShared",
  319. "comctl32.dll.#328",
  320. "comctl32.dll.#334",
  321. "oleaut32.dll.#2",
  322. "shell32.dll.#102",
  323. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  324. "propsys.dll.PSPropertyBag_ReadStrAlloc",
  325. "ole32.dll.CoInitializeEx",
  326. "advapi32.dll.InitializeSecurityDescriptor",
  327. "advapi32.dll.SetEntriesInAclW",
  328. "ntmarta.dll.GetMartaExtensionInterface",
  329. "advapi32.dll.SetSecurityDescriptorDacl",
  330. "advapi32.dll.IsTextUnicode",
  331. "comctl32.dll.#332",
  332. "comctl32.dll.#338",
  333. "comctl32.dll.#339",
  334. "ole32.dll.CoUninitialize",
  335. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  336. "sechost.dll.ConvertSidToStringSidW",
  337. "profapi.dll.#104",
  338. "propsys.dll.#430",
  339. "advapi32.dll.RegGetValueW",
  340. "ole32.dll.CoTaskMemRealloc",
  341. "propsys.dll.InitPropVariantFromStringAsVector",
  342. "propsys.dll.PSCoerceToCanonicalValue",
  343. "propsys.dll.PropVariantToStringAlloc",
  344. "ole32.dll.PropVariantClear",
  345. "ole32.dll.CoAllowSetForegroundWindow",
  346. "comctl32.dll.#386",
  347. "shell32.dll.SHGetFolderPathW",
  348. "advapi32.dll.SaferGetPolicyInformation",
  349. "ntdll.dll.RtlDllShutdownInProgress",
  350. "comctl32.dll.#329",
  351. "ole32.dll.OleUninitialize",
  352. "ole32.dll.CoRevokeInitializeSpy",
  353. "comctl32.dll.#388",
  354. "advapi32.dll.CryptAcquireContextA",
  355. "advapi32.dll.CryptImportKey",
  356. "advapi32.dll.CryptEncrypt",
  357. "cryptsp.dll.CryptImportKey",
  358. "cryptbase.dll.SystemFunction040",
  359. "cryptbase.dll.SystemFunction041",
  360. "cryptsp.dll.CryptEncrypt",
  361. "advapi32.dll.UnregisterTraceGuids",
  362. "comctl32.dll.#321",
  363. "kernel32.dll.SetThreadUILanguage",
  364. "kernel32.dll.CopyFileExW",
  365. "kernel32.dll.IsDebuggerPresent",
  366. "kernel32.dll.SetConsoleInputExeNameW",
  367. "kernel32.dll.SortGetHandle",
  368. "kernel32.dll.SortCloseHandle",
  369. "uxtheme.dll.ThemeInitApiHook",
  370. "user32.dll.IsProcessDPIAware",
  371. "shell32.dll.#66",
  372. "comctl32.dll.#385",
  373. "comctl32.dll.#336",
  374. "comctl32.dll.#333",
  375. "linkinfo.dll.IsValidLinkInfo",
  376. "propsys.dll.#417",
  377. "propsys.dll.PSGetNameFromPropertyKey",
  378. "propsys.dll.PSStringFromPropertyKey",
  379. "propsys.dll.InitVariantFromBuffer",
  380. "oleaut32.dll.#9",
  381. "propsys.dll.PropVariantToGUID",
  382. "linkinfo.dll.CreateLinkInfoW",
  383. "user32.dll.IsCharAlphaW",
  384. "user32.dll.CharPrevW",
  385. "ntshrui.dll.GetNetResourceFromLocalPathW",
  386. "srvcli.dll.NetShareEnum",
  387. "cscapi.dll.CscNetApiGetInterface",
  388. "slc.dll.SLGetWindowsInformationDWORD",
  389. "shlwapi.dll.PathRemoveFileSpecW",
  390. "linkinfo.dll.DestroyLinkInfo",
  391. "propsys.dll.PropVariantToBoolean",
  392. "advapi32.dll.GetSecurityInfo",
  393. "advapi32.dll.SetSecurityInfo",
  394. "advapi32.dll.GetSecurityDescriptorControl",
  395. "advapi32.dll.RegQueryInfoKeyW",
  396. "advapi32.dll.RegEnumKeyExW",
  397. "advapi32.dll.RegEnumValueW",
  398. "advapi32.dll.RegQueryValueExW",
  399. "shlwapi.dll.UrlIsW",
  400. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  401. "msvcrt.dll._set_error_mode",
  402. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  403. "kernel32.dll.FindActCtxSectionStringW",
  404. "kernel32.dll.GetSystemWindowsDirectoryW",
  405. "mscoree.dll.GetProcessExecutableHeap",
  406. "mscorwks.dll.DllGetClassObjectInternal",
  407. "mscorwks.dll.GetCLRFunction",
  408. "advapi32.dll.RegisterTraceGuidsW",
  409. "advapi32.dll.GetTraceLoggerHandle",
  410. "advapi32.dll.GetTraceEnableLevel",
  411. "advapi32.dll.GetTraceEnableFlags",
  412. "advapi32.dll.TraceEvent",
  413. "mscoree.dll.IEE",
  414. "mscorwks.dll.IEE",
  415. "mscoree.dll.GetStartupFlags",
  416. "mscoree.dll.GetHostConfigurationFile",
  417. "mscoree.dll.GetCORSystemDirectory",
  418. "ntdll.dll.RtlVirtualUnwind",
  419. "kernel32.dll.IsWow64Process",
  420. "advapi32.dll.AllocateAndInitializeSid",
  421. "advapi32.dll.InitializeAcl",
  422. "advapi32.dll.AddAccessAllowedAce",
  423. "advapi32.dll.FreeSid",
  424. "kernel32.dll.SetThreadStackGuarantee",
  425. "kernel32.dll.FlsSetValue",
  426. "kernel32.dll.FlsGetValue",
  427. "kernel32.dll.FlsAlloc",
  428. "kernel32.dll.FlsFree",
  429. "kernel32.dll.AddVectoredContinueHandler",
  430. "kernel32.dll.RemoveVectoredContinueHandler",
  431. "advapi32.dll.ConvertSidToStringSidW",
  432. "kernel32.dll.FlushProcessWriteBuffers",
  433. "kernel32.dll.GetWriteWatch",
  434. "kernel32.dll.ResetWriteWatch",
  435. "kernel32.dll.CreateMemoryResourceNotification",
  436. "kernel32.dll.QueryMemoryResourceNotification",
  437. "kernel32.dll.GlobalMemoryStatusEx",
  438. "ole32.dll.CoGetContextToken",
  439. "oleaut32.dll.#149",
  440. "kernel32.dll.GetUserDefaultUILanguage",
  441. "kernel32.dll.GetVersionExW",
  442. "kernel32.dll.GetFullPathNameW",
  443. "kernel32.dll.SetErrorMode",
  444. "kernel32.dll.GetFileAttributesExW",
  445. "version.dll.GetFileVersionInfoSizeW",
  446. "version.dll.GetFileVersionInfoW",
  447. "version.dll.VerQueryValueW",
  448. "kernel32.dll.lstrlen",
  449. "kernel32.dll.lstrlenW",
  450. "mscoree.dll.ND_RI2",
  451. "kernel32.dll.lstrcpy",
  452. "kernel32.dll.lstrcpyW",
  453. "version.dll.VerLanguageNameW",
  454. "kernel32.dll.GetCurrentProcessId",
  455. "advapi32.dll.LookupPrivilegeValueW",
  456. "advapi32.dll.AdjustTokenPrivileges",
  457. "kernel32.dll.OpenProcess",
  458. "psapi.dll.EnumProcessModules",
  459. "psapi.dll.GetModuleInformation",
  460. "psapi.dll.GetModuleBaseNameW",
  461. "psapi.dll.GetModuleFileNameExW",
  462. "kernel32.dll.GetExitCodeProcess",
  463. "ntdll.dll.NtQuerySystemInformation",
  464. "user32.dll.EnumWindows",
  465. "user32.dll.GetWindowThreadProcessId",
  466. "kernel32.dll.WerSetFlags",
  467. "kernel32.dll.SetThreadPreferredUILanguages",
  468. "kernel32.dll.GetThreadPreferredUILanguages",
  469. "kernel32.dll.GetUserDefaultLocaleName",
  470. "kernel32.dll.GetEnvironmentVariableW",
  471. "advapi32.dll.CryptReleaseContext",
  472. "advapi32.dll.CryptCreateHash",
  473. "advapi32.dll.CryptDestroyHash",
  474. "advapi32.dll.CryptHashData",
  475. "advapi32.dll.CryptGetHashParam",
  476. "advapi32.dll.CryptExportKey",
  477. "advapi32.dll.CryptGenKey",
  478. "advapi32.dll.CryptGetKeyParam",
  479. "advapi32.dll.CryptDestroyKey",
  480. "advapi32.dll.CryptVerifySignatureA",
  481. "advapi32.dll.CryptSignHashA",
  482. "advapi32.dll.CryptGetProvParam",
  483. "advapi32.dll.CryptGetUserKey",
  484. "advapi32.dll.CryptEnumProvidersA",
  485. "cryptsp.dll.CryptHashData",
  486. "cryptsp.dll.CryptGetHashParam",
  487. "cryptsp.dll.CryptDestroyHash",
  488. "cryptsp.dll.CryptDestroyKey",
  489. "mscoree.dll.GetTokenForVTableEntry",
  490. "mscoree.dll.SetTargetForVTableEntry",
  491. "mscoree.dll.GetTargetForVTableEntry",
  492. "culture.dll.ConvertLangIdToCultureName",
  493. "ole32.dll.CoCreateGuid",
  494. "kernel32.dll.CreateFileW",
  495. "kernel32.dll.GetConsoleScreenBufferInfo",
  496. "kernel32.dll.LocalFree",
  497. "kernel32.dll.LocalAlloc",
  498. "mscoree.dll.ND_RI4",
  499. "advapi32.dll.DuplicateTokenEx",
  500. "advapi32.dll.CheckTokenMembership",
  501. "kernel32.dll.GetConsoleTitleW",
  502. "mscorjit.dll.getJit",
  503. "kernel32.dll.SetConsoleTitleW",
  504. "kernel32.dll.SetConsoleCtrlHandler",
  505. "kernel32.dll.CreateEventW",
  506. "ntdll.dll.WinSqmIsOptedIn",
  507. "kernel32.dll.ExpandEnvironmentStringsW",
  508. "shfolder.dll.SHGetFolderPathW",
  509. "kernel32.dll.SetEnvironmentVariableW",
  510. "kernel32.dll.GetACP",
  511. "kernel32.dll.UnmapViewOfFile",
  512. "kernel32.dll.GetFileType",
  513. "kernel32.dll.ReadFile",
  514. "kernel32.dll.GetSystemInfo",
  515. "kernel32.dll.VirtualQuery",
  516. "secur32.dll.GetUserNameExW",
  517. "advapi32.dll.GetUserNameW",
  518. "kernel32.dll.ReleaseMutex",
  519. "advapi32.dll.RegisterEventSourceW",
  520. "advapi32.dll.DeregisterEventSource",
  521. "advapi32.dll.ReportEventW",
  522. "kernel32.dll.GetLogicalDrives",
  523. "kernel32.dll.GetDriveTypeW",
  524. "kernel32.dll.GetVolumeInformationW",
  525. "kernel32.dll.GetCurrentDirectoryW",
  526. "kernel32.dll.GetLastError",
  527. "kernel32.dll.GetStdHandle",
  528. "kernel32.dll.GetConsoleMode",
  529. "kernel32.dll.SetEvent",
  530. "kernel32.dll.FindFirstFileW",
  531. "kernel32.dll.FindClose",
  532. "mscoree.dll.DllGetClassObject",
  533. "diasymreader.dll.DllGetClassObjectInternal",
  534. "kernel32.dll.GetConsoleOutputCP",
  535. "gdi32.dll.TranslateCharsetInfo",
  536. "kernel32.dll.SetConsoleTextAttribute",
  537. "kernel32.dll.WriteConsoleW",
  538. "mscoree.dll.CorExitProcess",
  539. "mscorwks.dll.CorExitProcess",
  540. "mscorwks.dll._CorDllMain",
  541. "kernel32.dll.CreateActCtxW",
  542. "kernel32.dll.AddRefActCtx",
  543. "kernel32.dll.ReleaseActCtx",
  544. "kernel32.dll.ActivateActCtx",
  545. "kernel32.dll.DeactivateActCtx",
  546. "kernel32.dll.GetCurrentActCtx",
  547. "kernel32.dll.QueryActCtxW",
  548. "netutils.dll.NetApiBufferFree",
  549. "kernel32.dll.IsProcessorFeaturePresent",
  550. "ntdll.dll.RtlUnwind",
  551. "mscoree.dll._CorExeMain",
  552. "mscoree.dll._CorImageUnloading",
  553. "mscoree.dll._CorValidateImage",
  554. "cryptsp.dll.CryptExportKey",
  555. "cryptsp.dll.CryptCreateHash",
  556. "kernel32.dll.SwitchToThread",
  557. "rpcrt4.dll.UuidFromStringW",
  558. "rpcrt4.dll.RpcBindingCreateW",
  559. "rpcrt4.dll.RpcBindingBind",
  560. "sechost.dll.OpenSCManagerW",
  561. "sechost.dll.OpenServiceW",
  562. "sechost.dll.StartServiceW",
  563. "sechost.dll.CloseServiceHandle",
  564. "sechost.dll.LookupAccountNameLocalW",
  565. "advapi32.dll.LookupAccountSidW",
  566. "sechost.dll.LookupAccountSidLocalW",
  567. "ole32.dll.CoInitializeSecurity",
  568. "w32time.dll.SvchostEntry_W32Time",
  569. "w32time.dll.SvchostPushServiceGlobals",
  570. "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  571. "ws2_32.dll.#115",
  572. "ws2_32.dll.WSASocketW",
  573. "ws2_32.dll.WSAIoctl",
  574. "ws2_32.dll.#111",
  575. "userenv.dll.RegisterGPNotification",
  576. "gpapi.dll.RegisterGPNotificationInternal",
  577. "sechost.dll.QueryServiceConfigW",
  578. "dsrole.dll.DsRoleGetPrimaryDomainInformation",
  579. "dsrole.dll.DsRoleFreeMemory",
  580. "sspicli.dll.LsaRegisterPolicyChangeNotification",
  581. "w32time.dll.TimeProvClose",
  582. "w32time.dll.TimeProvCommand",
  583. "w32time.dll.TimeProvOpen",
  584. "ws2_32.dll.getaddrinfo",
  585. "ws2_32.dll.freeaddrinfo",
  586. "ws2_32.dll.#23",
  587. "ws2_32.dll.#21",
  588. "ws2_32.dll.#2",
  589. "ws2_32.dll.WSAEventSelect",
  590. "ws2_32.dll.GetAddrInfoW",
  591. "vmictimeprovider.dll.TimeProvClose",
  592. "vmictimeprovider.dll.TimeProvCommand",
  593. "vmictimeprovider.dll.TimeProvOpen",
  594. "advapi32.dll.EventRegister",
  595. "advapi32.dll.EventEnabled",
  596. "advapi32.dll.EventWrite",
  597. "ws2_32.dll.FreeAddrInfoW",
  598. "ws2_32.dll.WSAAddressToStringW",
  599. "ws2_32.dll.#3",
  600. "ws2_32.dll.#116",
  601. "advapi32.dll.EventUnregister",
  602. "sspicli.dll.LsaUnregisterPolicyChangeNotification",
  603. "userenv.dll.UnregisterGPNotification",
  604. "gpapi.dll.UnregisterGPNotificationInternal",
  605. "wersvc.dll.ServiceMain",
  606. "wersvc.dll.SvchostPushServiceGlobals",
  607. "faultrep.dll.WerpInitiateCrashReporting",
  608. "wer.dll.WerpCreateMachineStore",
  609. "shell32.dll.SHGetFolderPathEx",
  610. "userenv.dll.CreateEnvironmentBlock",
  611. "sspicli.dll.GetUserNameExW",
  612. "userenv.dll.DestroyEnvironmentBlock",
  613. "wer.dll.WerpSvcReportFromMachineQueue",
  614. "advapi32.dll.DuplicateToken",
  615. "wtsapi32.dll.WTSQueryUserToken",
  616. "winsta.dll.WinStationQueryInformationW",
  617. "advapi32.dll.CreateWellKnownSid",
  618. "rpcrt4.dll.RpcStringBindingComposeW",
  619. "rpcrt4.dll.RpcBindingFromStringBindingW",
  620. "rpcrt4.dll.RpcStringFreeW",
  621. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  622. "rpcrt4.dll.NdrClientCall3",
  623. "rpcrt4.dll.RpcBindingFree",
  624. "advapi32.dll.ImpersonateLoggedOnUser",
  625. "advapi32.dll.CreateProcessAsUserW",
  626. "advapi32.dll.RevertToSelf",
  627. "imm32.dll.ImmDisableIME",
  628. "wer.dll.WerpCreateIntegratorReportId",
  629. "wer.dll.WerReportCreate",
  630. "wer.dll.WerpSetIntegratorReportId",
  631. "wer.dll.WerReportSetParameter",
  632. "dbgeng.dll.DebugCreate",
  633. "ntdll.dll.CsrGetProcessId",
  634. "ntdll.dll.DbgBreakPoint",
  635. "ntdll.dll.DbgPrint",
  636. "ntdll.dll.DbgPrompt",
  637. "ntdll.dll.DbgUiConvertStateChangeStructure",
  638. "ntdll.dll.DbgUiGetThreadDebugObject",
  639. "ntdll.dll.DbgUiIssueRemoteBreakin",
  640. "ntdll.dll.DbgUiSetThreadDebugObject",
  641. "ntdll.dll.NtAllocateVirtualMemory",
  642. "ntdll.dll.NtClose",
  643. "ntdll.dll.NtCreateDebugObject",
  644. "ntdll.dll.NtCreateFile",
  645. "ntdll.dll.NtDebugActiveProcess",
  646. "ntdll.dll.NtDebugContinue",
  647. "ntdll.dll.NtFreeVirtualMemory",
  648. "ntdll.dll.NtOpenProcess",
  649. "ntdll.dll.NtOpenThread",
  650. "ntdll.dll.NtQueryInformationProcess",
  651. "ntdll.dll.NtQueryInformationThread",
  652. "ntdll.dll.NtQueryMutant",
  653. "ntdll.dll.NtQueryObject",
  654. "ntdll.dll.NtRemoveProcessDebug",
  655. "ntdll.dll.NtResumeThread",
  656. "ntdll.dll.NtSetInformationDebugObject",
  657. "ntdll.dll.NtSetInformationProcess",
  658. "ntdll.dll.NtSystemDebugControl",
  659. "ntdll.dll.NtWaitForDebugEvent",
  660. "ntdll.dll.RtlAnsiStringToUnicodeString",
  661. "ntdll.dll.RtlCreateProcessParameters",
  662. "ntdll.dll.RtlCreateUserProcess",
  663. "ntdll.dll.RtlDestroyProcessParameters",
  664. "ntdll.dll.RtlDosPathNameToNtPathName_U",
  665. "ntdll.dll.RtlFindMessage",
  666. "ntdll.dll.RtlFreeHeap",
  667. "ntdll.dll.RtlFreeUnicodeString",
  668. "ntdll.dll.RtlGetFunctionTableListHead",
  669. "ntdll.dll.RtlGetUnloadEventTrace",
  670. "ntdll.dll.RtlGetUnloadEventTraceEx",
  671. "ntdll.dll.RtlInitAnsiString",
  672. "ntdll.dll.RtlInitUnicodeString",
  673. "ntdll.dll.RtlTryEnterCriticalSection",
  674. "ntdll.dll.RtlUnicodeStringToAnsiString",
  675. "ntdll.dll.NtOpenProcessToken",
  676. "ntdll.dll.NtOpenThreadToken",
  677. "ntdll.dll.NtQueryInformationToken",
  678. "kernel32.dll.CloseProfileUserMapping",
  679. "kernel32.dll.CreateToolhelp32Snapshot",
  680. "kernel32.dll.DebugActiveProcessStop",
  681. "kernel32.dll.DebugBreak",
  682. "kernel32.dll.DebugBreakProcess",
  683. "kernel32.dll.DebugSetProcessKillOnExit",
  684. "kernel32.dll.Module32First",
  685. "kernel32.dll.Module32FirstW",
  686. "kernel32.dll.Module32Next",
  687. "kernel32.dll.Module32NextW",
  688. "kernel32.dll.OpenThread",
  689. "kernel32.dll.Process32First",
  690. "kernel32.dll.Process32FirstW",
  691. "kernel32.dll.Process32Next",
  692. "kernel32.dll.Process32NextW",
  693. "kernel32.dll.ProcessIdToSessionId",
  694. "kernel32.dll.SetProcessShutdownParameters",
  695. "kernel32.dll.Thread32First",
  696. "kernel32.dll.Thread32Next",
  697. "kernel32.dll.GetTimeZoneInformation",
  698. "kernel32.dll.DuplicateHandle",
  699. "kernel32.dll.Wow64GetThreadSelectorEntry",
  700. "advapi32.dll.CloseServiceHandle",
  701. "advapi32.dll.ControlService",
  702. "advapi32.dll.CreateServiceA",
  703. "advapi32.dll.CreateServiceW",
  704. "advapi32.dll.DeleteService",
  705. "advapi32.dll.EnumServicesStatusExA",
  706. "advapi32.dll.EnumServicesStatusExW",
  707. "advapi32.dll.GetEventLogInformation",
  708. "advapi32.dll.OpenSCManagerA",
  709. "advapi32.dll.OpenSCManagerW",
  710. "advapi32.dll.OpenServiceA",
  711. "advapi32.dll.OpenServiceW",
  712. "advapi32.dll.StartServiceA",
  713. "advapi32.dll.StartServiceW",
  714. "advapi32.dll.GetSidSubAuthority",
  715. "advapi32.dll.GetSidSubAuthorityCount",
  716. "version.dll.GetFileVersionInfoSizeExW",
  717. "version.dll.GetFileVersionInfoExW",
  718. "dbghelp.dll.WinDbgExtensionDllInit",
  719. "dbghelp.dll.ExtensionApiVersion",
  720. "wer.dll.WerpSetDynamicParameter",
  721. "wer.dll.WerReportAddDump",
  722. "wer.dll.WerpSetCallBack",
  723. "wer.dll.WerReportSetUIOption",
  724. "wer.dll.WerpAddRegisteredDataToReport",
  725. "wer.dll.WerReportSubmit",
  726. "user32.dll.LoadStringW",
  727. "advapi32.dll.RegCreateKeyExW",
  728. "sensapi.dll.IsNetworkAlive",
  729. "user32.dll.CharUpperW",
  730. "wer.dll.WerpAddAppCompatData",
  731. "apphelp.dll.SdbGetFileAttributes",
  732. "apphelp.dll.SdbFormatAttribute",
  733. "apphelp.dll.SdbFreeFileAttributes",
  734. "dbghelp.dll.MiniDumpWriteDump",
  735. "kernel32.dll.GetLongPathNameA",
  736. "kernel32.dll.GetLongPathNameW",
  737. "kernel32.dll.GetProcessTimes",
  738. "advapi32.dll.RegOpenKeyExA",
  739. "advapi32.dll.RegQueryValueExA",
  740. "powrprof.dll.CallNtPowerInformation",
  741. "version.dll.GetFileVersionInfoSizeA",
  742. "version.dll.GetFileVersionInfoA",
  743. "version.dll.VerQueryValueA",
  744. "verifier.dll.VerifierEnumerateResource",
  745. "ntdll.dll.NtSuspendProcess",
  746. "ntdll.dll.NtResumeProcess",
  747. "advapi32.dll.QueryTraceW",
  748. "advapi32.dll.IsValidSid",
  749. "advapi32.dll.GetLengthSid",
  750. "advapi32.dll.CopySid",
  751. "advapi32.dll.AddAccessAllowedAceEx",
  752. "wer.dll.WerpGetStoreLocation",
  753. "wer.dll.WerpGetStoreType",
  754. "wer.dll.WerReportCloseHandle",
  755. "user32.dll.MsgWaitForMultipleObjects",
  756. "wer.dll.WerpFreeString",
  757. "user32.dll.GetProcessWindowStation",
  758. "user32.dll.GetThreadDesktop",
  759. "user32.dll.GetUserObjectInformationW",
  760. "werui.dll.WerUICreate",
  761. "werui.dll.WerUIStart",
  762. "werui.dll.WerUITerminate",
  763. "werui.dll.WerUIDelete"
  764. ]
  765.  
  766. [*] Static Analysis: {
  767. "office": {
  768. "Metadata": {
  769. "HasMacros": "No"
  770. }
  771. }
  772. }