- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "Exes_c2025b7bb472b92617bd8f09a20bcca7.exe"
- [*] File Size: 2469496
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive"
- [*] SHA256: "24e37a0321bb7a598ddd6a5dc30affb4755e34ecf3e237b0b9845694b34c448a"
- [*] MD5: "c2025b7bb472b92617bd8f09a20bcca7"
- [*] SHA1: "e9ace2450ab08c40e4033ba516881c03999b5859"
- [*] SHA512: "c72b45b8a16bf6dbb549891ad221e2d329db681184f39faae3fe92482c779869ed2bdbd64bfcf0ca3bfebe07273fe93a8b9f330b0cd135e33411062a7d435422"
- [*] CRC32: "79C18F96"
- [*] SSDEEP: "24576:J1wazgr1xh6lbkFTKkkVg+aeedQMkhMq7bACMgVy/iyq8vqdR4Q/A+aFPRBiEV41:Ug2xUWR+k+MVCMhiyUaFbRQDgczX4VWl"
- [*] Process Execution: [
- "Exes_c2025b7bb472b92617bd8f09a20bcca7.exe",
- "cmd.exe",
- "wscript.exe",
- "cmd.exe",
- "timeout.exe",
- "powershell.exe",
- "takeown.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "reg.exe",
- "reg.exe",
- "net.exe",
- "net1.exe",
- "cmd.exe",
- "cmd.exe",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "AdobeARM.exe",
- "msoia.exe",
- "FlashUtil32_29_0_0_171_Plugin.exe",
- "taskeng.exe",
- "taskeng.exe",
- "WMIADAP.exe",
- "taskeng.exe",
- "svchost.exe",
- "svchost.exe",
- "WerFault.exe",
- "WerFault.exe",
- "wermgr.exe",
- "svchost.exe",
- "cmd.exe",
- "rundll32.exe",
- "svchost.exe",
- "svchost.exe",
- "rundll32.exe",
- "cmd.exe",
- "rundll32.exe",
- "rundll32.exe",
- "UI0Detect.exe",
- "UI0Detect.exe",
- "svchost.exe",
- "lsm.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "At least one process apparently crashed during execution",
- "Details": []
- },
- {
- "Description": "Attempts to connect to a dead IP:Port (3 unique times)",
- "Details": [
- {
- "IP": "72.21.81.240:80"
- },
- {
- "IP": "185.225.17.150:443"
- },
- {
- "IP": "192.35.177.64:80"
- }
- ]
- },
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details": [
- {
- "process": "net.exe, PID 2640"
- }
- ]
- },
- {
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details": [
- {
- "Window": "WSH-Timer"
- }
- ]
- },
- {
- "Description": "Loads a driver",
- "Details": [
- {
- "driver service name": "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\RDPDR"
- }
- ]
- },
- {
- "Description": "Expresses interest in specific running processes",
- "Details": [
- {
- "process": "winlogon.exe"
- },
- {
- "process": "explorer.exe"
- }
- ]
- },
- {
- "Description": "Reads data out of its own binary image",
- "Details": [
- {
- "self_read": "process: Exes_c2025b7bb472b92617bd8f09a20bcca7.exe, pid: 620, offset: 0x00000000, length: 0x00259aa2"
- },
- {
- "self_read": "process: Exes_c2025b7bb472b92617bd8f09a20bcca7.exe, pid: 620, offset: 0x0003a21c, length: 0x000c2420"
- },
- {
- "self_read": "process: Exes_c2025b7bb472b92617bd8f09a20bcca7.exe, pid: 620, offset: 0x00259aa2, length: 0x00000004"
- },
- {
- "self_read": "process: wscript.exe, pid: 572, offset: 0x00000000, length: 0x00000040"
- },
- {
- "self_read": "process: wscript.exe, pid: 572, offset: 0x000000f8, length: 0x00000018"
- },
- {
- "self_read": "process: wscript.exe, pid: 572, offset: 0x00000200, length: 0x7fe00000028"
- },
- {
- "self_read": "process: wscript.exe, pid: 572, offset: 0x0001f200, length: 0x00000020"
- },
- {
- "self_read": "process: wscript.exe, pid: 572, offset: 0x0001f258, length: 0x00000018"
- },
- {
- "self_read": "process: wscript.exe, pid: 572, offset: 0x0001f3a8, length: 0x7fe00000018"
- },
- {
- "self_read": "process: wscript.exe, pid: 572, offset: 0x0001f670, length: 0x00000010"
- },
- {
- "self_read": "process: wscript.exe, pid: 572, offset: 0x0001f840, length: 0x00000012"
- },
- {
- "self_read": "process: wscript.exe, pid: 572, offset: 0x7fe00000228, length: 0x7fe00000078"
- }
- ]
- },
- {
- "Description": "A process created a hidden window",
- "Details": [
- {
- "Process": "wscript.exe -> cmd"
- },
- {
- "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://apps.identrust.com/roots/dstrootcax3.p7c"
- },
- {
- "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
- }
- ]
- },
- {
- "Description": "Deletes its original binary from disk",
- "Details": []
- },
- {
- "Description": "Attempts to restart the guest VM",
- "Details": []
- },
- {
- "Description": "Tries to suspend Cuckoo threads to prevent logging of malicious activity",
- "Details": [
- {
- "Process": "svchost.exe (2824)"
- }
- ]
- },
- {
- "Description": "Attempts to stop active services",
- "Details": [
- {
- "servicename": "UmRdpService"
- }
- ]
- },
- {
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details": [
- {
- "Process": "lsm.exe tried to sleep 380 seconds, actually delayed analysis time by 0 seconds"
- },
- {
- "Process": "taskeng.exe tried to sleep 600 seconds, actually delayed analysis time by 0 seconds"
- },
- {
- "Process": "WmiPrvSE.exe tried to sleep 480 seconds, actually delayed analysis time by 0 seconds"
- },
- {
- "Process": "svchost.exe tried to sleep 4893 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 10646484 times"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "service name": "RunAsSystem1224"
- },
- {
- "service path": "C:\\Windows\\system32\\rundll32.exe C:\\windows\\help\\help32.bin, wrk 0"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ImagePath"
- },
- {
- "data": "C:\\Windows\\system32\\rundll32.exe C:\\windows\\help\\help32.bin, wrk 0"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL"
- },
- {
- "data": "%SystemRoot%\\help\\mshelp.dll"
- }
- ]
- },
- {
- "Description": "Attempts to execute a powershell command with suspicious parameter/s",
- "Details": [
- {
- "execution_policy": "Attempts to bypass execution policy"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF3eeca4.TMP"
- },
- {
- "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft"
- },
- {
- "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache"
- },
- {
- "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData"
- },
- {
- "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content"
- }
- ]
- },
- {
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details": []
- },
- {
- "Description": "Attempts to create or modify system certificates",
- "Details": []
- }
- ]
- [*] Started Service: [
- "TermService",
- "WerSvc",
- "UmRdpService",
- "RunAsSystem1224"
- ]
- [*] Executed Commands: [
- "\"cmd\" /c copy %temp%\\log_settup0.txt + %temp%\\log_settup1.txt+%temp%\\log_settup2.txt+%temp%\\log_settup3.txt+%temp%\\log_settup4.txt+%temp%\\log_settup5.txt+%temp%\\log_settup6.txt %temp%\\12444.txt",
- "\"wscript\" C:\\Users\\user\\AppData\\Local\\Temp\\klot.vbs",
- "\"C:\\Windows\\System32\\cmd.exe\" /c rename C:\\Users\\user\\AppData\\Local\\Temp\\klot.txt klot.ps1&timeout -t 5& powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\klot.ps1",
- "cmd /c rename C:\\Users\\user\\AppData\\Local\\Temp\\klot.txt klot.ps1&timeout -t 5& powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\klot.ps1",
- "timeout -t 5",
- "powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\klot.ps1",
- "\"C:\\Windows\\system32\\takeown.exe\" /A /F rfxvmt.dll",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /inheritance:d",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /setowner \"NT SERVICE\\TrustedInstaller\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT SERVICE\\TrustedInstaller:F\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove \"NT AUTHORITY\\SYSTEM\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT AUTHORITY\\SYSTEM:RX\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove BUILTIN\\Administrators",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant BUILTIN\\Administrators:RX",
- "\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d 0x1C21 /f",
- "\"C:\\Windows\\system32\\reg.exe\" add HKLM\\system\\currentcontrolset\\services\\TermService\\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\\help\\mshelp.dll /f",
- "\"C:\\Windows\\system32\\net.exe\" localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
- "\"C:\\Windows\\system32\\cmd.exe\" /c del %temp%\\*.ps1 /f",
- "\"C:\\Windows\\system32\\cmd.exe\" /c del %temp%\\*.txt /f",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
- "taskeng.exe {DFBA8228-0A44-4434-9E8F-1E37458351DC} S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe {C122849E-6427-49A8-84A6-1F77C8B1775A} S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:[1]",
- "taskeng.exe {59EA5948-9BB6-4EA3-8C3D-2D8AF76DFC23} S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe {F5036579-3C14-4158-B73C-64124BDF21C1} S-1-5-18:NT AUTHORITY\\System:Service:",
- "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
- "taskeng.exe {EEB04517-C957-4A51-AF3A-AF23D31C95AA} S-1-5-18:NT AUTHORITY\\System:Service:",
- "C:\\Windows\\system32\\net1 localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
- "C:\\Windows\\System32\\svchost.exe -k NetworkService",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted",
- "C:\\Windows\\system32\\rundll32.exe C:\\windows\\help\\help32.bin, wrk 0",
- "C:\\Windows\\system32\\UI0Detect.exe",
- "C:\\Windows\\System32\\svchost.exe -k netsvcs",
- "C:\\Windows\\system32\\WerFault.exe -u -p 2824 -s 788",
- "C:\\Windows\\system32\\WerFault.exe -u -p 2824 -s 784",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_Term_545562a19b34aea52149da55e86e24e1cafec981_cab_04c3f52b\"",
- "cmd.exe /c rundll32.exe C:\\windows\\help\\help32.bin, wrk 0",
- "rundll32.exe C:\\windows\\help\\help32.bin, wrk 0",
- "cmd.exe /c C:\\Windows\\system32\\rundll32.exe C:\\windows\\help\\help32.bin, wrk launch",
- "C:\\Windows\\system32\\rundll32.exe C:\\windows\\help\\help32.bin, wrk launch",
- "UI0Detect.exe 304",
- "C:\\Windows\\sysnative\\rundll32.exe C:\\windows\\help\\help32.bin, wrk chrome",
- "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /ua /installsource scheduler",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /c",
- "\"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload",
- "C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_29_0_0_171_Plugin.exe -check plugin"
- ]
- [*] Mutexes: [
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Local\\WERReportingForProcess2824",
- "DBWinMutex",
- "Global\\\\xe5\\x88\\x90\\xc2\\x9a",
- "Global\\\\xe4\\x82\\x80\\xc7\\xb3",
- "WERUI_APPCRASH-545562a19b34aea52149da55e86e24e1cafec981",
- "TSLicensingLock",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- ]
- [*] Modified Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsuE51F.tmp\\System.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\722666222.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_986225.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\65336777.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup0.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup1.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup2.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup3.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup4.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup5.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup6.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\46771222.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9887742.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\klot.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\klot.vbs",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsuE51F.tmp\\nsExec.dll",
- "\\Device\\NamedPipe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\12444.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\klot.ps1",
- "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\QB1UG595D4CXCL25FA80.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF3eeca4.TMP",
- "C:\\Windows\\Help\\mshelp.dll",
- "C:\\Windows\\Help\\help32.bin",
- "C:\\Windows\\Help\\portable.dat",
- "C:\\Windows\\sysnative\\rfxvmt.dll",
- "C:\\Windows\\Temp\\desk.txt",
- "C:\\Windows\\inf\\setupapi.dev.log",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "\\Device\\LanmanDatagramReceiver",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\PIPE\\samr",
- "\\??\\PIPE\\lsarpc",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\daasdfasfaf3.dat",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERB678.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERB7B1.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERB82F.tmp.WERDataCollectionFailure.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_Term_545562a19b34aea52149da55e86e24e1cafec981_cab_04c3f52b\\WERB678.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_Term_545562a19b34aea52149da55e86e24e1cafec981_cab_04c3f52b\\WERB7B1.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_Term_545562a19b34aea52149da55e86e24e1cafec981_cab_04c3f52b\\WERB82F.tmp.WERDataCollectionFailure.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_Term_545562a19b34aea52149da55e86e24e1cafec981_cab_04c3f52b\\Report.wer",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_Term_545562a19b34aea52149da55e86e24e1cafec981_cab_04c3f52b\\Report.wer.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\aa.txt",
- "\\Device\\Termdd",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\CabF843.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\TarF844.tmp",
- "C:\\Windows\\Help\\44075.ps1",
- "\\Device\\RdpDr",
- "\\??\\root#umbus#0000#{65a9a6cf-64cd-480b-843e-32c86e1ba19f}",
- "C:\\Users\\user\\AppData\\Local\\Temp\\AdobeARM.log",
- "\\??\\pipe\\32B6B37A-4A7D-4e00-95F2-6F0BF3DE3E001599590523thsnYaVieBoda",
- "C:\\Users\\user\\AppData\\Local\\Temp\\ArmUI.ini",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashInstall32.log",
- "C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat",
- "C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat",
- "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h",
- "\\??\\WMIDataDevice"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsuE482.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsuE51F.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsuE51F.tmp\\nsExec.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsuE51F.tmp\\System.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsuE51F.tmp\\",
- "C:\\Users\\user\\AppData\\Local\\Temp\\klot.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF3eeca4.TMP",
- "C:\\Users\\user\\AppData\\Local\\Temp\\12444.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\46771222.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\65336777.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9887742.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup0.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup1.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup2.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup3.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup4.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup5.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_settup6.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\klot.ps1",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_c2025b7bb472b92617bd8f09a20bcca7.exe",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1136.4135968",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1136.4135968",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1136.4135968",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERB678.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERB678.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERB7B1.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERB7B1.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERB82F.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERB82F.tmp.WERDataCollectionFailure.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_Term_545562a19b34aea52149da55e86e24e1cafec981_cab_04c3f52b\\Report.wer.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\CabF843.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\TarF844.tmp",
- "C:\\Windows\\SysWOW64\\Macromed\\Temp",
- "C:\\Windows\\System32\\Macromed\\Temp\\{BEAA664F-D208-474B-8F5A-20BAB1BF1193}"
- ]
- [*] Modified Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\CurrentStatus",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\CurrentStatus\\StartTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\CurrentStatus\\Progress",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\00000009",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\00000009\\00000000",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\00000009\\00000000\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\00000009\\00000000\\Data",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SetupapiLogStatus\\setupapi.dev.log",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{26CEE9A6-18F5-4F69-8C4D-2467328655EB}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{DFBA8228-0A44-4434-9E8F-1E37458351DC}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{BA11F2B3-0190-41C3-95F6-1F6B8FEBB2E1}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{C122849E-6427-49A8-84A6-1F77C8B1775A}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B17E070E-57E3-43F6-96F5-A9A9C921DEBF}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{DF000DCA-3FA2-48A6-9E59-C0606F9F8D73}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{F3F786D2-6E05-49FA-8A99-53C51C984120}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{74B32FB8-1950-4398-8528-773F64305286}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{59EA5948-9BB6-4EA3-8C3D-2D8AF76DFC23}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{F5036579-3C14-4158-B73C-64124BDF21C1}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{EEB04517-C957-4A51-AF3A-AF23D31C95AA}",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\UmRdpService\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\Start",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ErrorControl",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ImagePath",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\DisplayName",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ObjectName",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\DeleteFlag",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Start",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\FSingleSessionPerUser",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\LimitBlankPasswordUse",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\WgaUtilAcc",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\fAllowToGetHelp",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
- "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server\\RCM\\Secrets",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Certificate",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_52d1ad03-4565-44f3-8bfd-bbb0591f4b9d",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\CertificateOld",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\\Blob",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{DFBA8228-0A44-4434-9E8F-1E37458351DC}\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{C122849E-6427-49A8-84A6-1F77C8B1775A}\\data",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Performance\\PerfMMFileName",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_LOG",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_BAK",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{59EA5948-9BB6-4EA3-8C3D-2D8AF76DFC23}\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{F5036579-3C14-4158-B73C-64124BDF21C1}\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dll[MofResourceName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.mui[MofResourceName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sys[ACPIMOFResource]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.mui[ACPIMOFResource]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sys[MofResourceName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.mui[MofResourceName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sys[MofResource]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.mui[MofResource]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sys[HDAudioMofName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.mui[HDAudioMofName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sys[PROCESSORWMI]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.mui[PROCESSORWMI]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYS[PortclsMof]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.mui[PortclsMof]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{EEB04517-C957-4A51-AF3A-AF23D31C95AA}\\data"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Performance\\PerfMMFileName",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\OverrideProtocol_Object",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe ARM\\1.0\\ARM\\iNotify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]"
- ]
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "gidjshrvz.xyz",
- "answers": [
- {
- "data": "185.225.17.150",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "apps.identrust.com",
- "answers": [
- {
- "data": "192.35.177.64",
- "type": "A"
- },
- {
- "data": "apps.digsigtrust.com",
- "type": "CNAME"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "185.225.17.150",
- "domain": "gidjshrvz.xyz"
- },
- {
- "ip": "192.35.177.64",
- "domain": "apps.identrust.com"
- }
- ]
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://apps.identrust.com/roots/dstrootcax3.p7c",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "apps.identrust.com",
- "version": "1.1",
- "path": "/roots/dstrootcax3.p7c",
- "data": "GET /roots/dstrootcax3.p7c HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: apps.identrust.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "www.download.windowsupdate.com",
- "version": "1.1",
- "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 89991\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "GetTempPathA",
- "address": "0x407070"
- },
- {
- "name": "GetFileSize",
- "address": "0x407074"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x407078"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x40707c"
- },
- {
- "name": "CopyFileA",
- "address": "0x407080"
- },
- {
- "name": "ExitProcess",
- "address": "0x407084"
- },
- {
- "name": "SetEnvironmentVariableA",
- "address": "0x407088"
- },
- {
- "name": "Sleep",
- "address": "0x40708c"
- },
- {
- "name": "GetTickCount",
- "address": "0x407090"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x407094"
- },
- {
- "name": "lstrlenA",
- "address": "0x407098"
- },
- {
- "name": "GetVersion",
- "address": "0x40709c"
- },
- {
- "name": "SetErrorMode",
- "address": "0x4070a0"
- },
- {
- "name": "lstrcpynA",
- "address": "0x4070a4"
- },
- {
- "name": "GetDiskFreeSpaceA",
- "address": "0x4070a8"
- },
- {
- "name": "GlobalUnlock",
- "address": "0x4070ac"
- },
- {
- "name": "GetWindowsDirectoryA",
- "address": "0x4070b0"
- },
- {
- "name": "SetCurrentDirectoryA",
- "address": "0x4070b4"
- },
- {
- "name": "GetLastError",
- "address": "0x4070b8"
- },
- {
- "name": "CreateDirectoryA",
- "address": "0x4070bc"
- },
- {
- "name": "CreateProcessA",
- "address": "0x4070c0"
- },
- {
- "name": "RemoveDirectoryA",
- "address": "0x4070c4"
- },
- {
- "name": "CreateFileA",
- "address": "0x4070c8"
- },
- {
- "name": "GetTempFileNameA",
- "address": "0x4070cc"
- },
- {
- "name": "ReadFile",
- "address": "0x4070d0"
- },
- {
- "name": "WriteFile",
- "address": "0x4070d4"
- },
- {
- "name": "lstrcpyA",
- "address": "0x4070d8"
- },
- {
- "name": "MoveFileExA",
- "address": "0x4070dc"
- },
- {
- "name": "lstrcatA",
- "address": "0x4070e0"
- },
- {
- "name": "GetSystemDirectoryA",
- "address": "0x4070e4"
- },
- {
- "name": "GetProcAddress",
- "address": "0x4070e8"
- },
- {
- "name": "GetExitCodeProcess",
- "address": "0x4070ec"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x4070f0"
- },
- {
- "name": "CompareFileTime",
- "address": "0x4070f4"
- },
- {
- "name": "SetFileAttributesA",
- "address": "0x4070f8"
- },
- {
- "name": "GetFileAttributesA",
- "address": "0x4070fc"
- },
- {
- "name": "GetShortPathNameA",
- "address": "0x407100"
- },
- {
- "name": "MoveFileA",
- "address": "0x407104"
- },
- {
- "name": "GetFullPathNameA",
- "address": "0x407108"
- },
- {
- "name": "SetFileTime",
- "address": "0x40710c"
- },
- {
- "name": "SearchPathA",
- "address": "0x407110"
- },
- {
- "name": "CloseHandle",
- "address": "0x407114"
- },
- {
- "name": "lstrcmpiA",
- "address": "0x407118"
- },
- {
- "name": "CreateThread",
- "address": "0x40711c"
- },
- {
- "name": "GlobalLock",
- "address": "0x407120"
- },
- {
- "name": "lstrcmpA",
- "address": "0x407124"
- },
- {
- "name": "FindFirstFileA",
- "address": "0x407128"
- },
- {
- "name": "FindNextFileA",
- "address": "0x40712c"
- },
- {
- "name": "DeleteFileA",
- "address": "0x407130"
- },
- {
- "name": "SetFilePointer",
- "address": "0x407134"
- },
- {
- "name": "GetPrivateProfileStringA",
- "address": "0x407138"
- },
- {
- "name": "FindClose",
- "address": "0x40713c"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x407140"
- },
- {
- "name": "FreeLibrary",
- "address": "0x407144"
- },
- {
- "name": "MulDiv",
- "address": "0x407148"
- },
- {
- "name": "WritePrivateProfileStringA",
- "address": "0x40714c"
- },
- {
- "name": "LoadLibraryExA",
- "address": "0x407150"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x407154"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x407158"
- },
- {
- "name": "GlobalFree",
- "address": "0x40715c"
- },
- {
- "name": "ExpandEnvironmentStringsA",
- "address": "0x407160"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "ScreenToClient",
- "address": "0x407184"
- },
- {
- "name": "GetSystemMenu",
- "address": "0x407188"
- },
- {
- "name": "SetClassLongA",
- "address": "0x40718c"
- },
- {
- "name": "IsWindowEnabled",
- "address": "0x407190"
- },
- {
- "name": "SetWindowPos",
- "address": "0x407194"
- },
- {
- "name": "GetSysColor",
- "address": "0x407198"
- },
- {
- "name": "GetWindowLongA",
- "address": "0x40719c"
- },
- {
- "name": "SetCursor",
- "address": "0x4071a0"
- },
- {
- "name": "LoadCursorA",
- "address": "0x4071a4"
- },
- {
- "name": "CheckDlgButton",
- "address": "0x4071a8"
- },
- {
- "name": "GetMessagePos",
- "address": "0x4071ac"
- },
- {
- "name": "LoadBitmapA",
- "address": "0x4071b0"
- },
- {
- "name": "CallWindowProcA",
- "address": "0x4071b4"
- },
- {
- "name": "IsWindowVisible",
- "address": "0x4071b8"
- },
- {
- "name": "CloseClipboard",
- "address": "0x4071bc"
- },
- {
- "name": "SetClipboardData",
- "address": "0x4071c0"
- },
- {
- "name": "EmptyClipboard",
- "address": "0x4071c4"
- },
- {
- "name": "PostQuitMessage",
- "address": "0x4071c8"
- },
- {
- "name": "GetWindowRect",
- "address": "0x4071cc"
- },
- {
- "name": "EnableMenuItem",
- "address": "0x4071d0"
- },
- {
- "name": "CreatePopupMenu",
- "address": "0x4071d4"
- },
- {
- "name": "GetSystemMetrics",
- "address": "0x4071d8"
- },
- {
- "name": "SetDlgItemTextA",
- "address": "0x4071dc"
- },
- {
- "name": "GetDlgItemTextA",
- "address": "0x4071e0"
- },
- {
- "name": "MessageBoxIndirectA",
- "address": "0x4071e4"
- },
- {
- "name": "CharPrevA",
- "address": "0x4071e8"
- },
- {
- "name": "DispatchMessageA",
- "address": "0x4071ec"
- },
- {
- "name": "PeekMessageA",
- "address": "0x4071f0"
- },
- {
- "name": "ReleaseDC",
- "address": "0x4071f4"
- },
- {
- "name": "EnableWindow",
- "address": "0x4071f8"
- },
- {
- "name": "InvalidateRect",
- "address": "0x4071fc"
- },
- {
- "name": "SendMessageA",
- "address": "0x407200"
- },
- {
- "name": "DefWindowProcA",
- "address": "0x407204"
- },
- {
- "name": "BeginPaint",
- "address": "0x407208"
- },
- {
- "name": "GetClientRect",
- "address": "0x40720c"
- },
- {
- "name": "FillRect",
- "address": "0x407210"
- },
- {
- "name": "DrawTextA",
- "address": "0x407214"
- },
- {
- "name": "EndDialog",
- "address": "0x407218"
- },
- {
- "name": "RegisterClassA",
- "address": "0x40721c"
- },
- {
- "name": "SystemParametersInfoA",
- "address": "0x407220"
- },
- {
- "name": "CreateWindowExA",
- "address": "0x407224"
- },
- {
- "name": "GetClassInfoA",
- "address": "0x407228"
- },
- {
- "name": "DialogBoxParamA",
- "address": "0x40722c"
- },
- {
- "name": "CharNextA",
- "address": "0x407230"
- },
- {
- "name": "ExitWindowsEx",
- "address": "0x407234"
- },
- {
- "name": "GetDC",
- "address": "0x407238"
- },
- {
- "name": "CreateDialogParamA",
- "address": "0x40723c"
- },
- {
- "name": "SetTimer",
- "address": "0x407240"
- },
- {
- "name": "GetDlgItem",
- "address": "0x407244"
- },
- {
- "name": "SetWindowLongA",
- "address": "0x407248"
- },
- {
- "name": "SetForegroundWindow",
- "address": "0x40724c"
- },
- {
- "name": "LoadImageA",
- "address": "0x407250"
- },
- {
- "name": "IsWindow",
- "address": "0x407254"
- },
- {
- "name": "SendMessageTimeoutA",
- "address": "0x407258"
- },
- {
- "name": "FindWindowExA",
- "address": "0x40725c"
- },
- {
- "name": "OpenClipboard",
- "address": "0x407260"
- },
- {
- "name": "TrackPopupMenu",
- "address": "0x407264"
- },
- {
- "name": "AppendMenuA",
- "address": "0x407268"
- },
- {
- "name": "EndPaint",
- "address": "0x40726c"
- },
- {
- "name": "DestroyWindow",
- "address": "0x407270"
- },
- {
- "name": "wsprintfA",
- "address": "0x407274"
- },
- {
- "name": "ShowWindow",
- "address": "0x407278"
- },
- {
- "name": "SetWindowTextA",
- "address": "0x40727c"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "SelectObject",
- "address": "0x40704c"
- },
- {
- "name": "SetBkMode",
- "address": "0x407050"
- },
- {
- "name": "CreateFontIndirectA",
- "address": "0x407054"
- },
- {
- "name": "SetTextColor",
- "address": "0x407058"
- },
- {
- "name": "DeleteObject",
- "address": "0x40705c"
- },
- {
- "name": "GetDeviceCaps",
- "address": "0x407060"
- },
- {
- "name": "CreateBrushIndirect",
- "address": "0x407064"
- },
- {
- "name": "SetBkColor",
- "address": "0x407068"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "SHGetSpecialFolderLocation",
- "address": "0x407168"
- },
- {
- "name": "ShellExecuteExA",
- "address": "0x40716c"
- },
- {
- "name": "SHGetPathFromIDListA",
- "address": "0x407170"
- },
- {
- "name": "SHBrowseForFolderA",
- "address": "0x407174"
- },
- {
- "name": "SHGetFileInfoA",
- "address": "0x407178"
- },
- {
- "name": "SHFileOperationA",
- "address": "0x40717c"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "AdjustTokenPrivileges",
- "address": "0x407000"
- },
- {
- "name": "RegCreateKeyExA",
- "address": "0x407004"
- },
- {
- "name": "RegOpenKeyExA",
- "address": "0x407008"
- },
- {
- "name": "SetFileSecurityA",
- "address": "0x40700c"
- },
- {
- "name": "OpenProcessToken",
- "address": "0x407010"
- },
- {
- "name": "LookupPrivilegeValueA",
- "address": "0x407014"
- },
- {
- "name": "RegEnumValueA",
- "address": "0x407018"
- },
- {
- "name": "RegDeleteKeyA",
- "address": "0x40701c"
- },
- {
- "name": "RegDeleteValueA",
- "address": "0x407020"
- },
- {
- "name": "RegCloseKey",
- "address": "0x407024"
- },
- {
- "name": "RegSetValueExA",
- "address": "0x407028"
- },
- {
- "name": "RegQueryValueExA",
- "address": "0x40702c"
- },
- {
- "name": "RegEnumKeyA",
- "address": "0x407030"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_Create",
- "address": "0x407038"
- },
- {
- "name": "ImageList_AddMasked",
- "address": "0x40703c"
- },
- {
- "name": "ImageList_Destroy",
- "address": "0x407040"
- },
- {
- "name": null,
- "address": "0x407044"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "OleUninitialize",
- "address": "0x407284"
- },
- {
- "name": "OleInitialize",
- "address": "0x407288"
- },
- {
- "name": "CoTaskMemFree",
- "address": "0x40728c"
- },
- {
- "name": "CoCreateInstance",
- "address": "0x407290"
- }
- ],
- "dll": "ole32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00268849",
- "overlay": {
- "size": "0x00220c78",
- "offset": "0x0003a200"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x00268849",
- "icon_hash": null,
- "entrypoint": "0x004031d6",
- "timestamp": "2018-12-15 22:24:22",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00006000",
- "entropy": "6.45",
- "raw_address": "0x00000400",
- "virtual_size": "0x00005f0d",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00007000",
- "size_of_data": "0x00001400",
- "entropy": "5.00",
- "raw_address": "0x00006400",
- "virtual_size": "0x00001250",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00009000",
- "size_of_data": "0x00000400",
- "entropy": "5.13",
- "raw_address": "0x00007800",
- "virtual_size": "0x0001a818",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".ndata",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00024000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000000",
- "virtual_size": "0x00009000",
- "characteristics_raw": "0xc0000080"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0002d000",
- "size_of_data": "0x00032600",
- "entropy": "5.65",
- "raw_address": "0x00007c00",
- "virtual_size": "0x000324a8",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00007430",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x000000a0"
- },
- {
- "virtual_address": "0x0002d000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000324a8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00259aa8",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x000013d0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00007000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000298"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "3abe302b6d9a1256e6a915429af4ffd2",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 7,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "version.dll.GetFileVersionInfoA",
- "shfolder.dll.SHGetFolderPathA",
- "shlwapi.dll.#437",
- "cryptbase.dll.SystemFunction036",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "kernel32.dll.GetUserDefaultUILanguage",
- "shell32.dll.#680",
- "system.dll.Call",
- "kernel32.dll.GetCurrentProcess",
- "kernel32.dll.IsWow64Process",
- "system.dll.Int64Op",
- "kernel32.dll.SetEnvironmentVariableA",
- "kernel32.dll.Wow64EnableWow64FsRedirection",
- "nsexec.dll.Exec",
- "ole32.dll.CoRevokeInitializeSpy",
- "comctl32.dll.#388",
- "ole32.dll.NdrOleInitializeExtension",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.StringFromIID",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoTaskMemAlloc",
- "ole32.dll.CoTaskMemFree",
- "ole32.dll.CoCreateInstance",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "oleaut32.dll.#500",
- "advapi32.dll.UnregisterTraceGuids",
- "comctl32.dll.#321",
- "kernel32.dll.SetThreadUILanguage",
- "kernel32.dll.CopyFileExW",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.SetConsoleInputExeNameW",
- "sechost.dll.LookupAccountNameLocalW",
- "advapi32.dll.LookupAccountSidW",
- "sechost.dll.LookupAccountSidLocalW",
- "kernel32.dll.HeapSetInformation",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "advapi32.dll.SaferIdentifyLevel",
- "advapi32.dll.SaferComputeTokenFromLevel",
- "advapi32.dll.SaferCloseLevel",
- "ole32.dll.CLSIDFromProgIDEx",
- "wscript.exe.#1",
- "sxs.dll.SxsOleAut32RedirectTypeLibrary",
- "advapi32.dll.RegOpenKeyW",
- "advapi32.dll.RegQueryValueW",
- "shell32.dll.ShellExecuteExW",
- "ole32.dll.OleInitialize",
- "ole32.dll.CreateBindCtx",
- "propsys.dll.PSCreateMemoryPropertyStore",
- "propsys.dll.PSPropertyBag_WriteDWORD",
- "ole32.dll.CoGetApartmentType",
- "ole32.dll.CoRegisterInitializeSpy",
- "comctl32.dll.#236",
- "oleaut32.dll.#6",
- "ole32.dll.CoGetMalloc",
- "propsys.dll.PSPropertyBag_ReadDWORD",
- "propsys.dll.PSPropertyBag_ReadGUID",
- "comctl32.dll.#320",
- "comctl32.dll.#324",
- "comctl32.dll.#323",
- "advapi32.dll.RegEnumKeyW",
- "advapi32.dll.OpenThreadToken",
- "ole32.dll.StringFromGUID2",
- "apphelp.dll.ApphelpCheckShellObject",
- "urlmon.dll.CreateUri",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockShared",
- "comctl32.dll.#328",
- "comctl32.dll.#334",
- "oleaut32.dll.#2",
- "shell32.dll.#102",
- "propsys.dll.PSPropertyBag_ReadStrAlloc",
- "ole32.dll.CoInitializeEx",
- "advapi32.dll.InitializeSecurityDescriptor",
- "advapi32.dll.SetEntriesInAclW",
- "ntmarta.dll.GetMartaExtensionInterface",
- "advapi32.dll.SetSecurityDescriptorDacl",
- "advapi32.dll.IsTextUnicode",
- "comctl32.dll.#332",
- "comctl32.dll.#338",
- "ole32.dll.CoUninitialize",
- "sechost.dll.ConvertSidToStringSidW",
- "profapi.dll.#104",
- "comctl32.dll.#386",
- "propsys.dll.#430",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegGetValueW",
- "advapi32.dll.RegCloseKey",
- "ole32.dll.CoTaskMemRealloc",
- "propsys.dll.InitPropVariantFromStringAsVector",
- "propsys.dll.PSCoerceToCanonicalValue",
- "propsys.dll.PropVariantToStringAlloc",
- "ole32.dll.PropVariantClear",
- "ole32.dll.CoAllowSetForegroundWindow",
- "shell32.dll.SHGetFolderPathW",
- "advapi32.dll.SaferGetPolicyInformation",
- "ntdll.dll.RtlDllShutdownInProgress",
- "comctl32.dll.#329",
- "ole32.dll.OleUninitialize",
- "shell32.dll.#66",
- "comctl32.dll.#339",
- "comctl32.dll.#385",
- "comctl32.dll.#336",
- "comctl32.dll.#333",
- "linkinfo.dll.IsValidLinkInfo",
- "propsys.dll.#417",
- "propsys.dll.PSGetNameFromPropertyKey",
- "propsys.dll.PSStringFromPropertyKey",
- "propsys.dll.InitVariantFromBuffer",
- "oleaut32.dll.#9",
- "propsys.dll.PropVariantToGUID",
- "linkinfo.dll.CreateLinkInfoW",
- "user32.dll.IsCharAlphaW",
- "user32.dll.CharPrevW",
- "ntshrui.dll.GetNetResourceFromLocalPathW",
- "srvcli.dll.NetShareEnum",
- "cscapi.dll.CscNetApiGetInterface",
- "slc.dll.SLGetWindowsInformationDWORD",
- "shlwapi.dll.PathRemoveFileSpecW",
- "linkinfo.dll.DestroyLinkInfo",
- "propsys.dll.PropVariantToBoolean",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptGenRandom",
- "cryptsp.dll.CryptReleaseContext",
- "advapi32.dll.GetSecurityInfo",
- "advapi32.dll.SetSecurityInfo",
- "advapi32.dll.GetSecurityDescriptorControl",
- "advapi32.dll.RegQueryInfoKeyW",
- "advapi32.dll.RegEnumKeyExW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegQueryValueExW",
- "shlwapi.dll.UrlIsW",
- "kernel32.dll.InitializeCriticalSectionAndSpinCount",
- "msvcrt.dll._set_error_mode",
- "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
- "kernel32.dll.FindActCtxSectionStringW",
- "kernel32.dll.GetSystemWindowsDirectoryW",
- "mscoree.dll.GetProcessExecutableHeap",
- "mscorwks.dll.DllGetClassObjectInternal",
- "mscorwks.dll.GetCLRFunction",
- "advapi32.dll.RegisterTraceGuidsW",
- "advapi32.dll.GetTraceLoggerHandle",
- "advapi32.dll.GetTraceEnableLevel",
- "advapi32.dll.GetTraceEnableFlags",
- "advapi32.dll.TraceEvent",
- "mscoree.dll.IEE",
- "mscorwks.dll.IEE",
- "mscoree.dll.GetStartupFlags",
- "mscoree.dll.GetHostConfigurationFile",
- "mscoree.dll.GetCORSystemDirectory",
- "ntdll.dll.RtlVirtualUnwind",
- "advapi32.dll.AllocateAndInitializeSid",
- "advapi32.dll.OpenProcessToken",
- "advapi32.dll.GetTokenInformation",
- "advapi32.dll.InitializeAcl",
- "advapi32.dll.AddAccessAllowedAce",
- "advapi32.dll.FreeSid",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsFree",
- "kernel32.dll.AddVectoredContinueHandler",
- "kernel32.dll.RemoveVectoredContinueHandler",
- "advapi32.dll.ConvertSidToStringSidW",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.GetWriteWatch",
- "kernel32.dll.ResetWriteWatch",
- "kernel32.dll.CreateMemoryResourceNotification",
- "kernel32.dll.QueryMemoryResourceNotification",
- "kernel32.dll.GlobalMemoryStatusEx",
- "ole32.dll.CoGetContextToken",
- "oleaut32.dll.#149",
- "kernel32.dll.GetVersionExW",
- "kernel32.dll.GetFullPathNameW",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.GetFileAttributesExW",
- "version.dll.GetFileVersionInfoSizeW",
- "version.dll.GetFileVersionInfoW",
- "version.dll.VerQueryValueW",
- "kernel32.dll.lstrlen",
- "kernel32.dll.lstrlenW",
- "mscoree.dll.ND_RI2",
- "kernel32.dll.lstrcpy",
- "kernel32.dll.lstrcpyW",
- "version.dll.VerLanguageNameW",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.GetCurrentProcessId",
- "advapi32.dll.LookupPrivilegeValueW",
- "advapi32.dll.AdjustTokenPrivileges",
- "kernel32.dll.OpenProcess",
- "psapi.dll.EnumProcessModules",
- "psapi.dll.GetModuleInformation",
- "psapi.dll.GetModuleBaseNameW",
- "psapi.dll.GetModuleFileNameExW",
- "kernel32.dll.GetExitCodeProcess",
- "ntdll.dll.NtQuerySystemInformation",
- "user32.dll.EnumWindows",
- "user32.dll.GetWindowThreadProcessId",
- "kernel32.dll.WerSetFlags",
- "kernel32.dll.SetThreadPreferredUILanguages",
- "kernel32.dll.GetThreadPreferredUILanguages",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.GetEnvironmentVariableW",
- "advapi32.dll.CryptAcquireContextA",
- "advapi32.dll.CryptReleaseContext",
- "advapi32.dll.CryptCreateHash",
- "advapi32.dll.CryptDestroyHash",
- "advapi32.dll.CryptHashData",
- "advapi32.dll.CryptGetHashParam",
- "advapi32.dll.CryptImportKey",
- "advapi32.dll.CryptExportKey",
- "advapi32.dll.CryptGenKey",
- "advapi32.dll.CryptGetKeyParam",
- "advapi32.dll.CryptDestroyKey",
- "advapi32.dll.CryptVerifySignatureA",
- "advapi32.dll.CryptSignHashA",
- "advapi32.dll.CryptGetProvParam",
- "advapi32.dll.CryptGetUserKey",
- "advapi32.dll.CryptEnumProvidersA",
- "cryptsp.dll.CryptImportKey",
- "cryptsp.dll.CryptHashData",
- "cryptsp.dll.CryptGetHashParam",
- "cryptsp.dll.CryptDestroyHash",
- "cryptsp.dll.CryptDestroyKey",
- "mscoree.dll.GetTokenForVTableEntry",
- "mscoree.dll.SetTargetForVTableEntry",
- "mscoree.dll.GetTargetForVTableEntry",
- "culture.dll.ConvertLangIdToCultureName",
- "ole32.dll.CoCreateGuid",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.GetConsoleScreenBufferInfo",
- "kernel32.dll.LocalFree",
- "kernel32.dll.LocalAlloc",
- "mscoree.dll.ND_RI4",
- "advapi32.dll.DuplicateTokenEx",
- "advapi32.dll.CheckTokenMembership",
- "kernel32.dll.GetConsoleTitleW",
- "mscorjit.dll.getJit",
- "kernel32.dll.SetConsoleTitleW",
- "kernel32.dll.SetConsoleCtrlHandler",
- "kernel32.dll.SetEnvironmentVariableW",
- "kernel32.dll.CreateEventW",
- "ntdll.dll.WinSqmIsOptedIn",
- "kernel32.dll.ExpandEnvironmentStringsW",
- "shfolder.dll.SHGetFolderPathW",
- "kernel32.dll.GetACP",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.GetFileType",
- "kernel32.dll.ReadFile",
- "kernel32.dll.GetSystemInfo",
- "kernel32.dll.VirtualQuery",
- "secur32.dll.GetUserNameExW",
- "advapi32.dll.GetUserNameW",
- "kernel32.dll.ReleaseMutex",
- "advapi32.dll.RegisterEventSourceW",
- "advapi32.dll.DeregisterEventSource",
- "advapi32.dll.ReportEventW",
- "kernel32.dll.GetLogicalDrives",
- "kernel32.dll.GetDriveTypeW",
- "kernel32.dll.GetVolumeInformationW",
- "kernel32.dll.GetCurrentDirectoryW",
- "kernel32.dll.GetLastError",
- "kernel32.dll.GetStdHandle",
- "kernel32.dll.GetConsoleMode",
- "kernel32.dll.SetEvent",
- "ole32.dll.CoGetObjectContext",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.GetProcAddress",
- "wminet_utils.dll.ResetSecurity",
- "wminet_utils.dll.SetSecurity",
- "wminet_utils.dll.BlessIWbemServices",
- "wminet_utils.dll.BlessIWbemServicesObject",
- "wminet_utils.dll.GetPropertyHandle",
- "wminet_utils.dll.WritePropertyValue",
- "wminet_utils.dll.Clone",
- "wminet_utils.dll.VerifyClientKey",
- "wminet_utils.dll.GetQualifierSet",
- "wminet_utils.dll.Get",
- "wminet_utils.dll.Put",
- "wminet_utils.dll.Delete",
- "wminet_utils.dll.GetNames",
- "wminet_utils.dll.BeginEnumeration",
- "wminet_utils.dll.Next",
- "wminet_utils.dll.EndEnumeration",
- "wminet_utils.dll.GetPropertyQualifierSet",
- "wminet_utils.dll.GetObjectText",
- "wminet_utils.dll.SpawnDerivedClass",
- "wminet_utils.dll.SpawnInstance",
- "wminet_utils.dll.CompareTo",
- "wminet_utils.dll.GetPropertyOrigin",
- "wminet_utils.dll.InheritsFrom",
- "wminet_utils.dll.GetMethod",
- "wminet_utils.dll.PutMethod",
- "wminet_utils.dll.DeleteMethod",
- "wminet_utils.dll.BeginMethodEnumeration",
- "wminet_utils.dll.NextMethod",
- "wminet_utils.dll.EndMethodEnumeration",
- "wminet_utils.dll.GetMethodQualifierSet",
- "wminet_utils.dll.GetMethodOrigin",
- "wminet_utils.dll.QualifierSet_Get",
- "wminet_utils.dll.QualifierSet_Put",
- "wminet_utils.dll.QualifierSet_Delete",
- "wminet_utils.dll.QualifierSet_GetNames",
- "wminet_utils.dll.QualifierSet_BeginEnumeration",
- "wminet_utils.dll.QualifierSet_Next",
- "wminet_utils.dll.QualifierSet_EndEnumeration",
- "wminet_utils.dll.GetCurrentApartmentType",
- "wminet_utils.dll.GetDemultiplexedStub",
- "wminet_utils.dll.CreateInstanceEnumWmi",
- "wminet_utils.dll.CreateClassEnumWmi",
- "wminet_utils.dll.ExecQueryWmi",
- "wminet_utils.dll.ExecNotificationQueryWmi",
- "wminet_utils.dll.PutInstanceWmi",
- "wminet_utils.dll.PutClassWmi",
- "wminet_utils.dll.CloneEnumWbemClassObject",
- "wminet_utils.dll.ConnectServerWmi",
- "ole32.dll.IIDFromString",
- "ole32.dll.CoCreateFreeThreadedMarshaler",
- "oleaut32.dll.SysAllocStringLen",
- "kernel32.dll.LocaleNameToLCID",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.LCIDToLocaleName",
- "kernel32.dll.GetSystemDefaultLocaleName",
- "fastprox.dll.DllGetClassObject",
- "fastprox.dll.DllCanUnloadNow",
- "dnsapi.dll.DnsApiFree",
- "oleaut32.dll.SysFreeString",
- "oleaut32.dll.#283",
- "oleaut32.dll.#284",
- "oleaut32.dll.#7",
- "oleaut32.dll.#17",
- "oleaut32.dll.#16",
- "psapi.dll.EnumProcesses",
- "kernel32.dll.FormatMessageW",
- "kernel32.dll.GetConsoleOutputCP",
- "gdi32.dll.TranslateCharsetInfo",
- "kernel32.dll.SetConsoleTextAttribute",
- "kernel32.dll.WriteConsoleW",
- "kernel32.dll.WriteFile",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.FindClose",
- "kernel32.dll.FindNextFileW",
- "shell32.dll.SHGetFileInfo",
- "kernel32.dll.GetConsoleWindow",
- "shell32.dll.CommandLineToArgvW",
- "mscoree.dll.ND_RI8",
- "kernel32.dll.RtlMoveMemory",
- "kernel32.dll.CreateProcessW",
- "kernel32.dll.DuplicateHandle",
- "advapi32.dll.OpenSCManagerW",
- "advapi32.dll.GetServiceKeyNameW",
- "rpcrt4.dll.I_RpcSNCHOption",
- "advapi32.dll.GetServiceDisplayNameW",
- "advapi32.dll.OpenServiceW",
- "advapi32.dll.ChangeServiceConfigW",
- "advapi32.dll.ChangeServiceConfig2W",
- "advapi32.dll.CloseServiceHandle",
- "oleaut32.dll.GetErrorInfo",
- "oleaut32.dll.SysStringLen",
- "kernel32.dll.RegOpenKeyExW",
- "advapi32.dll.ConvertStringSidToSidW",
- "mscoree.dll.ND_RU1",
- "advapi32.dll.LsaClose",
- "advapi32.dll.LsaFreeMemory",
- "advapi32.dll.LsaOpenPolicy",
- "advapi32.dll.LsaLookupSids",
- "advapi32.dll.QueryServiceStatus",
- "advapi32.dll.StartServiceW",
- "kernel32.dll.DeleteFileW",
- "mscoree.dll.CorExitProcess",
- "mscorwks.dll.CorExitProcess",
- "ntdll.dll.EtwUnregisterTraceGuids",
- "mscorwks.dll._CorDllMain",
- "kernel32.dll.CreateActCtxW",
- "kernel32.dll.AddRefActCtx",
- "kernel32.dll.ReleaseActCtx",
- "kernel32.dll.ActivateActCtx",
- "kernel32.dll.DeactivateActCtx",
- "kernel32.dll.GetCurrentActCtx",
- "kernel32.dll.QueryActCtxW",
- "netutils.dll.NetApiBufferFree",
- "kernel32.dll.RegCreateKeyExW",
- "kernel32.dll.RegSetValueExW",
- "winsta.dll.WinStationQueryInformationW",
- "wbemcore.dll.Reinitialize",
- "tschannel.dll.DllGetClassObject",
- "tschannel.dll.DllCanUnloadNow",
- "propsys.dll.PropVariantToVariant",
- "ole32.dll.CoRevokeClassObject",
- "ole32.dll.CoDisconnectContext",
- "ws2_32.dll.#3",
- "bitsigd.dll.UninitializeEx",
- "ws2_32.dll.#116",
- "advapi32.dll.WmiMofEnumerateResourcesW",
- "advapi32.dll.WmiFreeBuffer",
- "kernel32.dll.RegQueryValueExW",
- "kernel32.dll.RegCloseKey",
- "oleaut32.dll.#289",
- "oleaut32.dll.#287",
- "oleaut32.dll.#288",
- "oleaut32.dll.#290",
- "oleaut32.dll.#285",
- "advapi32.dll.EnumServicesStatusExW",
- "advapi32.dll.LsaEnumerateTrustedDomains",
- "advapi32.dll.LsaQueryInformationPolicy",
- "advapi32.dll.LsaNtStatusToWinError",
- "advapi32.dll.QueryServiceStatusEx",
- "advapi32.dll.SetSecurityDescriptorControl",
- "advapi32.dll.ConvertToAutoInheritPrivateObjectSecurity",
- "advapi32.dll.DestroyPrivateObjectSecurity",
- "advapi32.dll.AddAccessAllowedObjectAce",
- "advapi32.dll.AddAccessDeniedObjectAce",
- "advapi32.dll.AddAuditAccessObjectAce",
- "advapi32.dll.SetNamedSecurityInfoW",
- "advapi32.dll.GetNamedSecurityInfoW",
- "advapi32.dll.SetNamedSecurityInfoExW",
- "advapi32.dll.GetExplicitEntriesFromAclW",
- "advapi32.dll.GetEffectiveRightsFromAclW",
- "oleaut32.dll.#286",
- "ws2_32.dll.#115",
- "iphlpapi.dll.GetAdaptersAddresses",
- "ws2_32.dll.getaddrinfo",
- "ws2_32.dll.freeaddrinfo",
- "advapi32.dll.CreateWellKnownSid",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.NdrClientCall3",
- "rpcrt4.dll.RpcBindingFree",
- "netapi32.dll.NetGroupEnum",
- "netapi32.dll.NetGroupGetInfo",
- "netapi32.dll.NetGroupSetInfo",
- "netapi32.dll.NetLocalGroupGetInfo",
- "netapi32.dll.NetLocalGroupSetInfo",
- "netapi32.dll.NetGroupGetUsers",
- "netapi32.dll.NetLocalGroupGetMembers",
- "netapi32.dll.NetLocalGroupEnum",
- "netapi32.dll.NetShareEnum",
- "netapi32.dll.NetShareGetInfo",
- "netapi32.dll.NetShareAdd",
- "netapi32.dll.NetShareEnumSticky",
- "netapi32.dll.NetShareSetInfo",
- "netapi32.dll.NetShareDel",
- "netapi32.dll.NetShareDelSticky",
- "netapi32.dll.NetShareCheck",
- "netapi32.dll.NetUserEnum",
- "netapi32.dll.NetUserGetInfo",
- "netapi32.dll.NetUserSetInfo",
- "netapi32.dll.NetApiBufferFree",
- "netapi32.dll.NetQueryDisplayInformation",
- "netapi32.dll.NetServerSetInfo",
- "netapi32.dll.NetServerGetInfo",
- "netapi32.dll.NetGetDCName",
- "netapi32.dll.NetWkstaGetInfo",
- "netapi32.dll.NetGetAnyDCName",
- "netapi32.dll.NetServerEnum",
- "netapi32.dll.NetUserModalsGet",
- "netapi32.dll.NetScheduleJobAdd",
- "netapi32.dll.NetScheduleJobDel",
- "netapi32.dll.NetScheduleJobEnum",
- "netapi32.dll.NetScheduleJobGetInfo",
- "netapi32.dll.NetUseGetInfo",
- "netapi32.dll.NetEnumerateTrustedDomains",
- "netapi32.dll.DsGetDcNameW",
- "netapi32.dll.DsRoleGetPrimaryDomainInformation",
- "netapi32.dll.DsRoleFreeMemory",
- "netapi32.dll.NetRenameMachineInDomain",
- "netapi32.dll.NetJoinDomain",
- "netapi32.dll.NetUnjoinDomain",
- "oleaut32.dll.#150",
- "samlib.dll.SamConnect",
- "samlib.dll.SamOpenDomain",
- "samlib.dll.SamEnumerateDomainsInSamServer",
- "samlib.dll.SamLookupDomainInSamServer",
- "samlib.dll.SamFreeMemory",
- "samlib.dll.SamQueryInformationDomain",
- "samlib.dll.SamEnumerateAliasesInDomain",
- "samlib.dll.SamOpenAlias",
- "samlib.dll.SamQueryInformationAlias",
- "samlib.dll.SamCloseHandle",
- "advapi32.dll.LookupAccountNameW",
- "ole32.dll.StringFromCLSID",
- "advapi32.dll.InitiateSystemShutdownExW",
- "ole32.dll.CoInitializeSecurity",
- "kernel32.dll.GetFileSize",
- "kernel32.dll.SetLastError",
- "kernel32.dll.GetModuleHandleExW",
- "kernel32.dll.GetCurrentThreadId",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.Thread32First",
- "kernel32.dll.OpenThread",
- "kernel32.dll.ResumeThread",
- "kernel32.dll.SuspendThread",
- "kernel32.dll.Thread32Next",
- "kernel32.dll.GetModuleHandleW",
- "kernel32.dll.FindResourceW",
- "kernel32.dll.LoadResource",
- "kernel32.dll.LoadLibraryExW",
- "kernel32.dll.WriteProcessMemory",
- "kernel32.dll.GetModuleFileNameW",
- "kernel32.dll.LoadLibraryW",
- "kernel32.dll.ReadProcessMemory",
- "kernel32.dll.SetFilePointerEx",
- "kernel32.dll.SetStdHandle",
- "kernel32.dll.WideCharToMultiByte",
- "kernel32.dll.GetCommandLineA",
- "kernel32.dll.IsProcessorFeaturePresent",
- "kernel32.dll.HeapAlloc",
- "kernel32.dll.RtlPcToFileHeader",
- "kernel32.dll.RaiseException",
- "kernel32.dll.HeapFree",
- "kernel32.dll.IsValidCodePage",
- "kernel32.dll.GetOEMCP",
- "kernel32.dll.GetCPInfo",
- "kernel32.dll.MultiByteToWideChar",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.HeapSize",
- "kernel32.dll.RtlUnwindEx",
- "kernel32.dll.GetProcessHeap",
- "kernel32.dll.DeleteCriticalSection",
- "kernel32.dll.GetStartupInfoW",
- "kernel32.dll.GetModuleFileNameA",
- "kernel32.dll.QueryPerformanceCounter",
- "kernel32.dll.GetSystemTimeAsFileTime",
- "kernel32.dll.GetEnvironmentStringsW",
- "kernel32.dll.FreeEnvironmentStringsW",
- "kernel32.dll.RtlCaptureContext",
- "kernel32.dll.RtlLookupFunctionEntry",
- "kernel32.dll.RtlVirtualUnwind",
- "kernel32.dll.UnhandledExceptionFilter",
- "kernel32.dll.SetUnhandledExceptionFilter",
- "kernel32.dll.Sleep",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.TlsAlloc",
- "kernel32.dll.TlsGetValue",
- "kernel32.dll.TlsSetValue",
- "kernel32.dll.TlsFree",
- "kernel32.dll.EnterCriticalSection",
- "kernel32.dll.LeaveCriticalSection",
- "kernel32.dll.GetStringTypeW",
- "kernel32.dll.LCMapStringW",
- "kernel32.dll.HeapReAlloc",
- "kernel32.dll.OutputDebugStringW",
- "kernel32.dll.FlushFileBuffers",
- "kernel32.dll.GetConsoleCP",
- "user32.dll.wsprintfA",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.GetLogicalProcessorInformation",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.EnumSystemLocalesEx",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetDateFormatEx",
- "kernel32.dll.GetTimeFormatEx",
- "kernel32.dll.IsValidLocaleName",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.GetTickCount64",
- "mshelp.dll.ServiceMain",
- "mshelp.dll.SvchostPushServiceGlobals",
- "termsrv.dll.ServiceMain",
- "termsrv.dll.SvchostPushServiceGlobals",
- "kernel32.dll.SetFileAttributesW",
- "kernel32.dll.SetFileTime",
- "kernel32.dll.QueryDosDeviceW",
- "kernel32.dll.SizeofResource",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.TerminateThread",
- "kernel32.dll.QueryPerformanceFrequency",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.GetCPInfoExW",
- "kernel32.dll.RtlUnwind",
- "kernel32.dll.GetTimeZoneInformation",
- "kernel32.dll.FileTimeToLocalFileTime",
- "kernel32.dll.FreeLibrary",
- "kernel32.dll.HeapDestroy",
- "kernel32.dll.FileTimeToDosDateTime",
- "kernel32.dll.GlobalAlloc",
- "kernel32.dll.GlobalUnlock",
- "kernel32.dll.CreateThread",
- "kernel32.dll.CompareStringW",
- "kernel32.dll.CopyFileW",
- "kernel32.dll.MapViewOfFile",
- "kernel32.dll.ResetEvent",
- "kernel32.dll.MulDiv",
- "kernel32.dll.FreeResource",
- "kernel32.dll.GetVersion",
- "kernel32.dll.MoveFileW",
- "kernel32.dll.GlobalAddAtomW",
- "kernel32.dll.SwitchToThread",
- "kernel32.dll.GetExitCodeThread",
- "kernel32.dll.GetCurrentThread",
- "kernel32.dll.LockResource",
- "kernel32.dll.FileTimeToSystemTime",
- "kernel32.dll.GlobalFindAtomW",
- "kernel32.dll.GlobalFree",
- "kernel32.dll.VirtualQueryEx",
- "kernel32.dll.SetFilePointer",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.GlobalDeleteAtom",
- "kernel32.dll.GetFileAttributesW",
- "kernel32.dll.InitializeCriticalSection",
- "kernel32.dll.GetThreadPriority",
- "kernel32.dll.GlobalLock",
- "kernel32.dll.SetThreadPriority",
- "kernel32.dll.VirtualAlloc",
- "kernel32.dll.GetCommandLineW",
- "kernel32.dll.GetLogicalDriveStringsW",
- "kernel32.dll.VerifyVersionInfoW",
- "kernel32.dll.HeapCreate",
- "kernel32.dll.GetDiskFreeSpaceW",
- "kernel32.dll.VerSetConditionMask",
- "kernel32.dll.SetEndOfFile",
- "kernel32.dll.ProcessIdToSessionId",
- "kernel32.dll.GetLocaleInfoW",
- "kernel32.dll.SystemTimeToFileTime",
- "kernel32.dll.IsDBCSLeadByteEx",
- "kernel32.dll.ConnectNamedPipe",
- "kernel32.dll.GetLocalTime",
- "kernel32.dll.WaitForSingleObject",
- "kernel32.dll.CreateFileMappingW",
- "kernel32.dll.CreateNamedPipeW",
- "kernel32.dll.ExitThread",
- "kernel32.dll.CreatePipe",
- "kernel32.dll.GetDateFormatW",
- "kernel32.dll.TzSpecificLocalTimeToSystemTime",
- "kernel32.dll.IsValidLocale",
- "kernel32.dll.CreateDirectoryW",
- "kernel32.dll.GetSystemDefaultUILanguage",
- "kernel32.dll.EnumCalendarInfoW",
- "kernel32.dll.GlobalMemoryStatus",
- "kernel32.dll.WaitForMultipleObjectsEx",
- "kernel32.dll.GetThreadLocale",
- "kernel32.dll.SetThreadLocale",
- "advapi32.dll.RegSetValueExW",
- "advapi32.dll.GetAce",
- "advapi32.dll.CreateServiceW",
- "advapi32.dll.StartServiceCtrlDispatcherW",
- "advapi32.dll.AddAce",
- "advapi32.dll.SetServiceStatus",
- "advapi32.dll.DeleteService",
- "advapi32.dll.GetLengthSid",
- "advapi32.dll.SetTokenInformation",
- "advapi32.dll.RegCreateKeyExW",
- "advapi32.dll.CreateProcessAsUserW",
- "advapi32.dll.GetSecurityDescriptorDacl",
- "advapi32.dll.RegisterServiceCtrlHandlerW",
- "advapi32.dll.CopySid",
- "advapi32.dll.GetAclInformation",
- "advapi32.dll.RegFlushKey",
- "comctl32.dll.FlatSB_SetScrollInfo",
- "comctl32.dll.InitCommonControls",
- "comctl32.dll.ImageList_DragMove",
- "comctl32.dll.ImageList_Destroy",
- "comctl32.dll._TrackMouseEvent",
- "comctl32.dll.ImageList_DragShowNolock",
- "comctl32.dll.ImageList_Add",
- "comctl32.dll.ImageList_GetDragImage",
- "comctl32.dll.FlatSB_SetScrollProp",
- "comctl32.dll.ImageList_Create",
- "comctl32.dll.ImageList_EndDrag",
- "comctl32.dll.ImageList_DrawEx",
- "comctl32.dll.ImageList_SetImageCount",
- "comctl32.dll.FlatSB_GetScrollPos",
- "comctl32.dll.FlatSB_SetScrollPos",
- "comctl32.dll.InitializeFlatSB",
- "comctl32.dll.FlatSB_GetScrollInfo",
- "comctl32.dll.ImageList_Write",
- "comctl32.dll.ImageList_GetBkColor",
- "comctl32.dll.ImageList_SetBkColor",
- "comctl32.dll.ImageList_BeginDrag",
- "comctl32.dll.ImageList_GetIcon",
- "comctl32.dll.ImageList_GetImageCount",
- "comctl32.dll.ImageList_DragEnter",
- "comctl32.dll.ImageList_GetIconSize",
- "comctl32.dll.ImageList_SetIconSize",
- "comctl32.dll.ImageList_Read",
- "comctl32.dll.ImageList_DragLeave",
- "comctl32.dll.ImageList_Draw",
- "comctl32.dll.ImageList_Remove",
- "comdlg32.dll.GetOpenFileNameW",
- "gdi32.dll.Arc",
- "gdi32.dll.Pie",
- "gdi32.dll.SetBkMode",
- "gdi32.dll.SelectPalette",
- "gdi32.dll.CreateCompatibleBitmap",
- "gdi32.dll.GetEnhMetaFileHeader",
- "gdi32.dll.ExcludeClipRect",
- "gdi32.dll.RectVisible",
- "gdi32.dll.SetWindowOrgEx",
- "gdi32.dll.MaskBlt",
- "gdi32.dll.AngleArc",
- "gdi32.dll.DeleteEnhMetaFile",
- "gdi32.dll.Chord",
- "gdi32.dll.SetTextColor",
- "gdi32.dll.StretchBlt",
- "gdi32.dll.SetDIBits",
- "gdi32.dll.SetViewportOrgEx",
- "gdi32.dll.CreateRectRgn",
- "gdi32.dll.RealizePalette",
- "gdi32.dll.GetDIBColorTable",
- "gdi32.dll.SetDIBColorTable",
- "gdi32.dll.RoundRect",
- "gdi32.dll.RestoreDC",
- "gdi32.dll.SetRectRgn",
- "gdi32.dll.GetTextMetricsW",
- "gdi32.dll.GetWindowOrgEx",
- "gdi32.dll.CreatePalette",
- "gdi32.dll.CreateBrushIndirect",
- "gdi32.dll.PatBlt",
- "gdi32.dll.SetEnhMetaFileBits",
- "gdi32.dll.PolyBezierTo",
- "gdi32.dll.GetStockObject",
- "gdi32.dll.CreateSolidBrush",
- "gdi32.dll.Polygon",
- "gdi32.dll.Rectangle",
- "gdi32.dll.MoveToEx",
- "gdi32.dll.DeleteDC",
- "gdi32.dll.SaveDC",
- "gdi32.dll.PlayEnhMetaFile",
- "gdi32.dll.BitBlt",
- "gdi32.dll.Ellipse",
- "gdi32.dll.FrameRgn",
- "gdi32.dll.GetDeviceCaps",
- "gdi32.dll.GetBitmapBits",
- "gdi32.dll.GetTextExtentPoint32W",
- "gdi32.dll.GetClipBox",
- "gdi32.dll.Polyline",
- "gdi32.dll.IntersectClipRect",
- "gdi32.dll.GetEnhMetaFileBits",
- "gdi32.dll.GetSystemPaletteEntries",
- "gdi32.dll.CreateBitmap",
- "gdi32.dll.SetWinMetaFileBits",
- "gdi32.dll.CreateDIBitmap",
- "gdi32.dll.GetStretchBltMode",
- "gdi32.dll.CreateDIBSection",
- "gdi32.dll.CreatePenIndirect",
- "gdi32.dll.GetDIBits",
- "gdi32.dll.SetStretchBltMode",
- "gdi32.dll.GetEnhMetaFilePaletteEntries",
- "gdi32.dll.CreateFontIndirectW",
- "gdi32.dll.PolyBezier",
- "gdi32.dll.LineTo",
- "gdi32.dll.GetRgnBox",
- "gdi32.dll.CreateHalftonePalette",
- "gdi32.dll.DeleteObject",
- "gdi32.dll.SelectObject",
- "gdi32.dll.ExtFloodFill",
- "gdi32.dll.UnrealizeObject",
- "gdi32.dll.CopyEnhMetaFileW",
- "gdi32.dll.SetBkColor",
- "gdi32.dll.CreateCompatibleDC",
- "gdi32.dll.GetObjectW",
- "gdi32.dll.GetBrushOrgEx",
- "gdi32.dll.GetCurrentPositionEx",
- "gdi32.dll.GetWinMetaFileBits",
- "gdi32.dll.SetROP2",
- "gdi32.dll.GetTextExtentPointW",
- "gdi32.dll.ExtTextOutW",
- "gdi32.dll.SetBrushOrgEx",
- "gdi32.dll.GetEnhMetaFileDescriptionW",
- "gdi32.dll.GetPixel",
- "gdi32.dll.ArcTo",
- "gdi32.dll.GdiFlush",
- "gdi32.dll.SetPixel",
- "gdi32.dll.EnumFontFamiliesExW",
- "gdi32.dll.GetPaletteEntries",
- "msvcrt.dll.memcpy",
- "msvcrt.dll.memset",
- "ole32.dll.IsEqualGUID",
- "ole32.dll.CLSIDFromProgID",
- "ole32.dll.CoInitialize",
- "oleaut32.dll.VariantClear",
- "oleaut32.dll.VariantInit",
- "oleaut32.dll.SysReAllocStringLen",
- "oleaut32.dll.SafeArrayCreate",
- "oleaut32.dll.SafeArrayPtrOfIndex",
- "oleaut32.dll.SafeArrayGetUBound",
- "oleaut32.dll.SafeArrayGetLBound",
- "oleaut32.dll.VariantCopy",
- "oleaut32.dll.VariantChangeType",
- "shell32.dll.IsUserAnAdmin",
- "shell32.dll.Shell_NotifyIconW",
- "shell32.dll.ShellExecuteW",
- "user32.dll.CopyImage",
- "user32.dll.CreateWindowExW",
- "user32.dll.GetMenuItemInfoW",
- "user32.dll.SetMenuItemInfoW",
- "user32.dll.DefFrameProcW",
- "user32.dll.GetDCEx",
- "user32.dll.GetMessageW",
- "user32.dll.OpenDesktopW",
- "user32.dll.SetProcessWindowStation",
- "user32.dll.PeekMessageW",
- "user32.dll.MonitorFromWindow",
- "user32.dll.GetDlgCtrlID",
- "user32.dll.SetTimer",
- "user32.dll.WindowFromPoint",
- "user32.dll.BeginPaint",
- "user32.dll.RegisterClipboardFormatW",
- "user32.dll.FrameRect",
- "user32.dll.MapVirtualKeyW",
- "user32.dll.IsWindowUnicode",
- "user32.dll.RegisterWindowMessageW",
- "user32.dll.FillRect",
- "user32.dll.GetMenuStringW",
- "user32.dll.DispatchMessageW",
- "user32.dll.SendMessageA",
- "user32.dll.DefMDIChildProcW",
- "user32.dll.GetClassInfoW",
- "user32.dll.GetSystemMenu",
- "user32.dll.ShowOwnedPopups",
- "user32.dll.GetScrollRange",
- "user32.dll.GetScrollPos",
- "user32.dll.SetScrollPos",
- "user32.dll.GetActiveWindow",
- "user32.dll.SetActiveWindow",
- "user32.dll.OpenWindowStationW",
- "user32.dll.DrawEdge",
- "user32.dll.GetKeyboardLayoutList",
- "user32.dll.LoadBitmapW",
- "user32.dll.DrawFocusRect",
- "user32.dll.EnumChildWindows",
- "user32.dll.GetScrollBarInfo",
- "user32.dll.ReleaseCapture",
- "user32.dll.UnhookWindowsHookEx",
- "user32.dll.LoadCursorW",
- "user32.dll.GetCapture",
- "user32.dll.SetCapture",
- "user32.dll.CreatePopupMenu",
- "user32.dll.ScrollWindow",
- "user32.dll.ShowCaret",
- "user32.dll.GetMenuItemID",
- "user32.dll.GetLastActivePopup",
- "user32.dll.CharLowerBuffW",
- "user32.dll.GetSystemMetrics",
- "user32.dll.PostMessageW",
- "user32.dll.DrawMenuBar",
- "user32.dll.SetParent",
- "user32.dll.IsZoomed",
- "user32.dll.CharUpperBuffW",
- "user32.dll.GetClientRect",
- "user32.dll.IsChild",
- "user32.dll.GetClassLongPtrW",
- "user32.dll.SetClassLongPtrW",
- "user32.dll.ClientToScreen",
- "user32.dll.GetClipboardData",
- "user32.dll.SetClipboardData",
- "user32.dll.SetWindowPlacement",
- "user32.dll.IsIconic",
- "user32.dll.CallNextHookEx",
- "user32.dll.GetMonitorInfoW",
- "user32.dll.ShowWindow",
- "user32.dll.CheckMenuItem",
- "user32.dll.CharUpperW",
- "user32.dll.DefWindowProcW",
- "user32.dll.GetForegroundWindow",
- "user32.dll.SetForegroundWindow",
- "user32.dll.GetWindowTextW",
- "user32.dll.EnableWindow",
- "user32.dll.DestroyWindow",
- "user32.dll.IsDialogMessageW",
- "user32.dll.EndMenu",
- "user32.dll.RegisterClassW",
- "user32.dll.CharNextW",
- "user32.dll.RedrawWindow",
- "user32.dll.GetDC",
- "user32.dll.GetFocus",
- "user32.dll.SetFocus",
- "user32.dll.EndPaint",
- "user32.dll.ReleaseDC",
- "user32.dll.MsgWaitForMultipleObjectsEx",
- "user32.dll.LoadKeyboardLayoutW",
- "user32.dll.ActivateKeyboardLayout",
- "user32.dll.GetParent",
- "user32.dll.DrawTextW",
- "user32.dll.SetScrollRange",
- "user32.dll.InsertMenuItemW",
- "user32.dll.PeekMessageA",
- "user32.dll.GetPropW",
- "user32.dll.MessageBoxW",
- "user32.dll.MessageBeep",
- "user32.dll.SetPropW",
- "user32.dll.RemovePropW",
- "user32.dll.UpdateWindow",
- "user32.dll.GetSubMenu",
- "user32.dll.MsgWaitForMultipleObjects",
- "user32.dll.DestroyMenu",
- "user32.dll.OemToCharA",
- "user32.dll.DestroyIcon",
- "user32.dll.SetWindowsHookExW",
- "user32.dll.EmptyClipboard",
- "user32.dll.IsWindowVisible",
- "user32.dll.GetDlgItem",
- "user32.dll.DispatchMessageA",
- "user32.dll.UnregisterClassW",
- "user32.dll.GetTopWindow",
- "user32.dll.SendMessageW",
- "user32.dll.AdjustWindowRectEx",
- "user32.dll.DrawIcon",
- "user32.dll.IsWindow",
- "user32.dll.EnumThreadWindows",
- "user32.dll.InvalidateRect",
- "user32.dll.GetKeyboardState",
- "user32.dll.DrawFrameControl",
- "user32.dll.ScreenToClient",
- "user32.dll.GetWindowLongPtrW",
- "user32.dll.SetWindowLongPtrW",
- "user32.dll.SetCursor",
- "user32.dll.CreateIcon",
- "user32.dll.CreateMenu",
- "user32.dll.LoadStringW",
- "user32.dll.CharLowerW",
- "user32.dll.SetWindowRgn",
- "user32.dll.SetWindowPos",
- "user32.dll.GetMenuItemCount",
- "user32.dll.RemoveMenu",
- "user32.dll.GetSysColorBrush",
- "user32.dll.GetKeyboardLayoutNameW",
- "user32.dll.GetWindowDC",
- "user32.dll.TranslateMessage",
- "user32.dll.OpenClipboard",
- "user32.dll.DrawTextExW",
- "user32.dll.MapWindowPoints",
- "user32.dll.EnumDisplayMonitors",
- "user32.dll.CallWindowProcW",
- "user32.dll.CloseClipboard",
- "user32.dll.DestroyCursor",
- "user32.dll.GetScrollInfo",
- "user32.dll.SetWindowTextW",
- "user32.dll.GetMessageExtraInfo",
- "user32.dll.EnableScrollBar",
- "user32.dll.GetSysColor",
- "user32.dll.TrackPopupMenu",
- "user32.dll.DrawIconEx",
- "user32.dll.PostQuitMessage",
- "user32.dll.GetClassNameW",
- "user32.dll.GetProcessWindowStation",
- "user32.dll.SetUserObjectSecurity",
- "user32.dll.GetUserObjectSecurity",
- "user32.dll.ShowScrollBar",
- "user32.dll.EnableMenuItem",
- "user32.dll.GetIconInfo",
- "user32.dll.GetMessagePos",
- "user32.dll.SetScrollInfo",
- "user32.dll.GetKeyNameTextW",
- "user32.dll.GetDesktopWindow",
- "user32.dll.GetCursorPos",
- "user32.dll.SetCursorPos",
- "user32.dll.HideCaret",
- "user32.dll.GetMenu",
- "user32.dll.GetMenuState",
- "user32.dll.SetMenu",
- "user32.dll.SetRect",
- "user32.dll.GetKeyState",
- "user32.dll.FindWindowExW",
- "user32.dll.MonitorFromPoint",
- "user32.dll.SystemParametersInfoW",
- "user32.dll.LoadIconW",
- "user32.dll.GetCursor",
- "user32.dll.GetWindow",
- "user32.dll.GetWindowRect",
- "user32.dll.InsertMenuW",
- "user32.dll.KillTimer",
- "user32.dll.PostThreadMessageW",
- "user32.dll.WaitMessage",
- "user32.dll.IsWindowEnabled",
- "user32.dll.IsDialogMessageA",
- "user32.dll.TranslateMDISysAccel",
- "user32.dll.GetWindowPlacement",
- "user32.dll.FindWindowW",
- "user32.dll.DeleteMenu",
- "user32.dll.GetKeyboardLayout",
- "userenv.dll.CreateEnvironmentBlock",
- "userenv.dll.DestroyEnvironmentBlock",
- "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
- "winhttp.dll.WinHttpSetTimeouts",
- "winhttp.dll.WinHttpSetStatusCallback",
- "winhttp.dll.WinHttpConnect",
- "winhttp.dll.WinHttpReceiveResponse",
- "winhttp.dll.WinHttpQueryAuthSchemes",
- "winhttp.dll.WinHttpGetProxyForUrl",
- "winhttp.dll.WinHttpReadData",
- "winhttp.dll.WinHttpCloseHandle",
- "winhttp.dll.WinHttpQueryHeaders",
- "winhttp.dll.WinHttpOpenRequest",
- "winhttp.dll.WinHttpAddRequestHeaders",
- "winhttp.dll.WinHttpOpen",
- "winhttp.dll.WinHttpWriteData",
- "winhttp.dll.WinHttpSetCredentials",
- "winhttp.dll.WinHttpQueryDataAvailable",
- "winhttp.dll.WinHttpSetOption",
- "winhttp.dll.WinHttpSendRequest",
- "winhttp.dll.WinHttpQueryOption",
- "wtsapi32.dll.WTSQuerySessionInformationW",
- "wtsapi32.dll.WTSFreeMemory",
- "wtsapi32.dll.WTSEnumerateSessionsW",
- "kernel32.dll.GetThreadUILanguage",
- "kernel32.dll.GetNativeSystemInfo",
- "oleaut32.dll.VariantChangeTypeEx",
- "oleaut32.dll.VarNeg",
- "oleaut32.dll.VarNot",
- "oleaut32.dll.VarAdd",
- "oleaut32.dll.VarSub",
- "oleaut32.dll.VarMul",
- "oleaut32.dll.VarDiv",
- "oleaut32.dll.VarIdiv",
- "oleaut32.dll.VarMod",
- "oleaut32.dll.VarAnd",
- "oleaut32.dll.VarOr",
- "oleaut32.dll.VarXor",
- "oleaut32.dll.VarCmp",
- "oleaut32.dll.VarI4FromStr",
- "oleaut32.dll.VarR4FromStr",
- "oleaut32.dll.VarR8FromStr",
- "oleaut32.dll.VarDateFromStr",
- "oleaut32.dll.VarCyFromStr",
- "oleaut32.dll.VarBoolFromStr",
- "oleaut32.dll.VarBstrFromCy",
- "oleaut32.dll.VarBstrFromDate",
- "oleaut32.dll.VarBstrFromBool",
- "ole32.dll.CoCreateInstanceEx",
- "ole32.dll.CoAddRefServerProcess",
- "ole32.dll.CoReleaseServerProcess",
- "ole32.dll.CoResumeClassObjects",
- "ole32.dll.CoSuspendClassObjects",
- "kernel32.dll.InitializeConditionVariable",
- "kernel32.dll.WakeConditionVariable",
- "kernel32.dll.WakeAllConditionVariable",
- "kernel32.dll.SleepConditionVariableCS",
- "user32.dll.AnimateWindow",
- "comctl32.dll.UninitializeFlatSB",
- "comctl32.dll.FlatSB_GetScrollProp",
- "comctl32.dll.FlatSB_EnableScrollBar",
- "comctl32.dll.FlatSB_ShowScrollBar",
- "comctl32.dll.FlatSB_GetScrollRange",
- "comctl32.dll.FlatSB_SetScrollRange",
- "user32.dll.SetLayeredWindowAttributes",
- "ole32.dll.CoFreeUnusedLibrariesEx",
- "ole32.dll.CoRegisterClassObject",
- "wersvc.dll.ServiceMain",
- "wersvc.dll.SvchostPushServiceGlobals",
- "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
- "faultrep.dll.WerpInitiateCrashReporting",
- "wer.dll.WerpCreateMachineStore",
- "shell32.dll.SHGetFolderPathEx",
- "sspicli.dll.GetUserNameExW",
- "wer.dll.WerpSvcReportFromMachineQueue",
- "advapi32.dll.DuplicateToken",
- "wtsapi32.dll.WTSQueryUserToken",
- "advapi32.dll.ImpersonateLoggedOnUser",
- "advapi32.dll.RevertToSelf",
- "imm32.dll.ImmDisableIME",
- "advapi32.dll.I_QueryTagInformation",
- "wer.dll.WerpCreateIntegratorReportId",
- "wer.dll.WerReportCreate",
- "wer.dll.WerpSetIntegratorReportId",
- "wer.dll.WerReportSetParameter",
- "dbgeng.dll.DebugCreate",
- "ntdll.dll.CsrGetProcessId",
- "ntdll.dll.DbgBreakPoint",
- "ntdll.dll.DbgPrint",
- "ntdll.dll.DbgPrompt",
- "ntdll.dll.DbgUiConvertStateChangeStructure",
- "ntdll.dll.DbgUiGetThreadDebugObject",
- "ntdll.dll.DbgUiIssueRemoteBreakin",
- "ntdll.dll.DbgUiSetThreadDebugObject",
- "ntdll.dll.NtAllocateVirtualMemory",
- "ntdll.dll.NtClose",
- "ntdll.dll.NtCreateDebugObject",
- "ntdll.dll.NtCreateFile",
- "ntdll.dll.NtDebugActiveProcess",
- "ntdll.dll.NtDebugContinue",
- "ntdll.dll.NtFreeVirtualMemory",
- "ntdll.dll.NtOpenProcess",
- "ntdll.dll.NtOpenThread",
- "ntdll.dll.NtQueryInformationProcess",
- "ntdll.dll.NtQueryInformationThread",
- "ntdll.dll.NtQueryMutant",
- "ntdll.dll.NtQueryObject",
- "ntdll.dll.NtRemoveProcessDebug",
- "ntdll.dll.NtResumeThread",
- "ntdll.dll.NtSetInformationDebugObject",
- "ntdll.dll.NtSetInformationProcess",
- "ntdll.dll.NtSystemDebugControl",
- "ntdll.dll.NtWaitForDebugEvent",
- "ntdll.dll.RtlAnsiStringToUnicodeString",
- "ntdll.dll.RtlCreateProcessParameters",
- "ntdll.dll.RtlCreateUserProcess",
- "ntdll.dll.RtlDestroyProcessParameters",
- "ntdll.dll.RtlDosPathNameToNtPathName_U",
- "ntdll.dll.RtlFindMessage",
- "ntdll.dll.RtlFreeHeap",
- "ntdll.dll.RtlFreeUnicodeString",
- "ntdll.dll.RtlGetFunctionTableListHead",
- "ntdll.dll.RtlGetUnloadEventTrace",
- "ntdll.dll.RtlGetUnloadEventTraceEx",
- "ntdll.dll.RtlInitAnsiString",
- "ntdll.dll.RtlInitUnicodeString",
- "ntdll.dll.RtlTryEnterCriticalSection",
- "ntdll.dll.RtlUnicodeStringToAnsiString",
- "ntdll.dll.NtOpenProcessToken",
- "ntdll.dll.NtOpenThreadToken",
- "ntdll.dll.NtQueryInformationToken",
- "kernel32.dll.CloseProfileUserMapping",
- "kernel32.dll.DebugActiveProcessStop",
- "kernel32.dll.DebugBreak",
- "kernel32.dll.DebugBreakProcess",
- "kernel32.dll.DebugSetProcessKillOnExit",
- "kernel32.dll.Module32First",
- "kernel32.dll.Module32FirstW",
- "kernel32.dll.Module32Next",
- "kernel32.dll.Module32NextW",
- "kernel32.dll.Process32First",
- "kernel32.dll.Process32FirstW",
- "kernel32.dll.Process32Next",
- "kernel32.dll.Process32NextW",
- "kernel32.dll.SetProcessShutdownParameters",
- "kernel32.dll.Wow64GetThreadSelectorEntry",
- "advapi32.dll.ControlService",
- "advapi32.dll.CreateServiceA",
- "advapi32.dll.EnumServicesStatusExA",
- "advapi32.dll.GetEventLogInformation",
- "advapi32.dll.OpenSCManagerA",
- "advapi32.dll.OpenServiceA",
- "advapi32.dll.StartServiceA",
- "advapi32.dll.GetSidSubAuthority",
- "advapi32.dll.GetSidSubAuthorityCount",
- "version.dll.GetFileVersionInfoSizeExW",
- "version.dll.GetFileVersionInfoExW",
- "wer.dll.WerReportAddDump",
- "wer.dll.WerpSetCallBack",
- "wer.dll.WerReportSetUIOption",
- "wer.dll.WerpAddRegisteredDataToReport",
- "wer.dll.WerReportSubmit",
- "sensapi.dll.IsNetworkAlive",
- "wer.dll.WerpAddAppCompatData",
- "apphelp.dll.SdbGetFileAttributes",
- "apphelp.dll.SdbFormatAttribute",
- "apphelp.dll.SdbFreeFileAttributes",
- "cryptsp.dll.CryptCreateHash",
- "advapi32.dll.QueryTraceW",
- "advapi32.dll.IsValidSid",
- "advapi32.dll.AddAccessAllowedAceEx",
- "shlwapi.dll.PathIsDirectoryW",
- "wer.dll.WerpGetStoreLocation",
- "wer.dll.WerpGetStoreType",
- "wer.dll.WerReportCloseHandle",
- "wer.dll.WerpFreeString",
- "user32.dll.GetThreadDesktop",
- "user32.dll.GetUserObjectInformationW",
- "werui.dll.WerUICreate",
- "werui.dll.WerUIStart",
- "werui.dll.WerUITerminate",
- "werui.dll.WerUIDelete",
- "winsta.dll.WinStationEnumerateW",
- "rpcrt4.dll.I_RpcExceptionFilter",
- "ole32.dll.CoImpersonateClient",
- "ole32.dll.CoRevertToSelf",
- "winsta.dll.WinStationFreeMemory",
- "advapi32.dll.RegDeleteValueW",
- "lsmproxy.dll.DllGetClassObject",
- "lsmproxy.dll.DllCanUnloadNow",
- "advapi32.dll.RegDeleteTreeA",
- "advapi32.dll.RegDeleteTreeW",
- "nsi.dll.NsiAllocateAndGetTable",
- "cfgmgr32.dll.CM_Open_Class_Key_ExW",
- "iphlpapi.dll.ConvertInterfaceGuidToLuid",
- "iphlpapi.dll.GetIfEntry2",
- "iphlpapi.dll.GetIpForwardTable2",
- "iphlpapi.dll.GetIpNetEntry2",
- "iphlpapi.dll.FreeMibTable",
- "nsi.dll.NsiFreeTable",
- "ws2_32.dll.GetAddrInfoW",
- "regapi.dll.RegGetMachinePolicyEx",
- "secur32.dll.InitSecurityInterfaceW",
- "ole32.dll.CLSIDFromString",
- "regapi.dll.RegQueryListenerStart",
- "rdpwsx.dll.WsxInitialize",
- "rdpwsx.dll.WsxDestroy",
- "rdpwsx.dll.WsxConnect",
- "rdpwsx.dll.WsxDisconnect",
- "rdpwsx.dll.WsxInitializeClientData",
- "rdpwsx.dll.WsxConvertPublishedApp",
- "rdpwsx.dll.WsxWinStationInitialize",
- "rdpwsx.dll.WsxWinStationRundown",
- "rdpwsx.dll.WsxVirtualChannelSecurity",
- "rdpwsx.dll.WsxIcaStackIoControl",
- "rdpwsx.dll.WsxBrokenConnection",
- "rdpwsx.dll.WsxLogonNotify",
- "rdpwsx.dll.WsxSetErrorInfo",
- "rdpwsx.dll.WsxSendAutoReconnectStatus",
- "rdpwsx.dll.WsxEscape",
- "rdpwsx.dll.WsxOpenVirtualChannel",
- "rdpwsx.dll.WsxCanLogonProceed",
- "rdpwsx.dll.WsxGetConnectionProperty",
- "rdpwsx.dll.WsxAutomationVerification",
- "rdpwsx.dll.WsxVerify",
- "rdpwsx.dll.WsxExchangeStackConfig",
- "rdpwsx.dll.WsxQueryGatewayPolicies",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.StartServiceW",
- "ws2_32.dll.WSASocketW",
- "ws2_32.dll.#2",
- "ws2_32.dll.#21",
- "ws2_32.dll.#9",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.FreeAddrInfoW",
- "ws2_32.dll.#6",
- "ws2_32.dll.#5",
- "schannel.dll.SpUserModeInitialize",
- "ws2_32.dll.WSASend",
- "ws2_32.dll.WSARecv",
- "secur32.dll.FreeContextBuffer",
- "ncrypt.dll.SslOpenProvider",
- "ncrypt.dll.GetSChannelInterface",
- "bcryptprimitives.dll.GetHashInterface",
- "ncrypt.dll.SslIncrementProviderReferenceCount",
- "ncrypt.dll.SslImportKey",
- "bcryptprimitives.dll.GetCipherInterface",
- "ncrypt.dll.SslLookupCipherSuiteInfo",
- "ncrypt.dll.BCryptOpenAlgorithmProvider",
- "ncrypt.dll.BCryptGetProperty",
- "ncrypt.dll.BCryptCreateHash",
- "ncrypt.dll.BCryptHashData",
- "ncrypt.dll.BCryptFinishHash",
- "ncrypt.dll.BCryptDestroyHash",
- "crypt32.dll.CertGetCertificateChain",
- "userenv.dll.GetUserProfileDirectoryW",
- "sechost.dll.ConvertStringSidToSidW",
- "userenv.dll.RegisterGPNotification",
- "gpapi.dll.RegisterGPNotificationInternal",
- "sechost.dll.CloseServiceHandle",
- "sechost.dll.QueryServiceConfigW",
- "cryptnet.dll.CryptGetObjectUrl",
- "cryptnet.dll.CryptRetrieveObjectByUrlW",
- "cryptnet.dll.I_CryptNetGetConnectivity",
- "winhttp.dll.WinHttpCrackUrl",
- "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
- "crypt32.dll.CryptProtectData",
- "cryptbase.dll.SystemFunction040",
- "sechost.dll.ControlService",
- "shlwapi.dll.StrStrIW",
- "cryptsp.dll.CryptAcquireContextA",
- "cryptsp.dll.CryptVerifySignatureA",
- "crypt32.dll.CryptUnprotectData",
- "cryptbase.dll.SystemFunction041",
- "cryptnet.dll.I_CryptNetSetUrlCacheFlushInfo",
- "setupapi.dll.SetupIterateCabinetW",
- "cabinet.dll.#20",
- "cabinet.dll.#22",
- "devrtl.dll.DevRtlGetThreadLogToken",
- "sechost.dll.QueryServiceConfigA",
- "sechost.dll.QueryServiceStatus",
- "rpcrt4.dll.RpcStringBindingComposeA",
- "rpcrt4.dll.RpcBindingFromStringBindingA",
- "rpcrt4.dll.RpcEpResolveBinding",
- "rpcrt4.dll.RpcStringFreeA",
- "cryptsp.dll.CryptSetHashParam",
- "cryptnet.dll.I_CryptNetSetUrlCachePreFetchInfo",
- "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
- "ncrypt.dll.BCryptImportKeyPair",
- "ncrypt.dll.BCryptVerifySignature",
- "ncrypt.dll.BCryptDestroyKey",
- "crypt32.dll.CertVerifyCertificateChainPolicy",
- "crypt32.dll.CertFreeCertificateChain",
- "crypt32.dll.CertDuplicateCertificateContext",
- "ncrypt.dll.SslEncryptPacket",
- "ncrypt.dll.SslDecryptPacket",
- "crypt32.dll.CertFreeCertificateContext",
- "umrdp.dll.ServiceMain",
- "umrdp.dll.SvchostPushServiceGlobals",
- "sechost.dll.RegisterServiceCtrlHandlerExW",
- "sechost.dll.SetServiceStatus",
- "setupapi.dll.SetupDiGetClassDevsW",
- "setupapi.dll.SetupDiEnumDeviceInterfaces",
- "setupapi.dll.SetupDiEnumDeviceInfo",
- "setupapi.dll.SetupDiGetDeviceRegistryPropertyW",
- "setupapi.dll.SetupDiGetDeviceInterfaceDetailW",
- "setupapi.dll.SetupDiDestroyDeviceInfoList",
- "wintrust.dll.WinVerifyTrust",
- "rpcrt4.dll.RpcServerUseProtseqEpW",
- "rpcrt4.dll.RpcServerRegisterIfEx",
- "rpcrt4.dll.RpcServerListen",
- "rpcrt4.dll.RpcServerUnregisterIfEx",
- "setupapi.dll.SetupDiOpenDevRegKey",
- "rpcrt4.dll.RpcServerUnregisterIf",
- "help32.bin.wrk",
- "kernel32.dll.WTSGetActiveConsoleSessionId",
- "kernel32.dll.Heap32ListFirst",
- "kernel32.dll.Heap32ListNext",
- "kernel32.dll.Heap32First",
- "kernel32.dll.Heap32Next",
- "kernel32.dll.Toolhelp32ReadProcessMemory",
- "winsta.dll.WinStationRegisterConsoleNotification",
- "rpcrt4.dll.RpcAsyncInitializeHandle",
- "rpcrt4.dll.Ndr64AsyncClientCall",
- "comctl32.dll.#345",
- "comctl32.dll.LoadIconWithScaleDown",
- "ntdll.dll.RtlRunEncodeUnicodeString",
- "ntdll.dll.RtlRunDecodeUnicodeString",
- "duser.dll.InitGadgets",
- "user32.dll.RegisterMessagePumpHook",
- "uxtheme.dll.IsThemeActive",
- "duser.dll.CreateGadget",
- "duser.dll.SetGadgetMessageFilter",
- "duser.dll.SetGadgetStyle",
- "duser.dll.SetGadgetRootInfo",
- "uxtheme.dll.IsAppThemed",
- "ole32.dll.CreateStreamOnHGlobal",
- "xmllite.dll.CreateXmlReader",
- "xmllite.dll.CreateXmlReaderInputWithEncodingName",
- "duser.dll.FindStdColor",
- "duser.dll.SetGadgetParent",
- "duser.dll.GetDUserModule",
- "duser.dll.AttachWndProcW",
- "comctl32.dll.RegisterClassNameW",
- "uxtheme.dll.OpenThemeData",
- "duser.dll.GetGadgetRect",
- "duser.dll.GetGadgetRgn",
- "duser.dll.GetGadgetTicket",
- "uxtheme.dll.EnableThemeDialogTexture",
- "duser.dll.InvalidateGadget",
- "duser.dll.DUserPostEvent",
- "duser.dll.GetGadgetFocus",
- "gdi32.dll.GetLayout",
- "gdi32.dll.GdiRealizationInfo",
- "gdi32.dll.FontIsLinked",
- "gdi32.dll.GetTextFaceAliasW",
- "gdi32.dll.GetFontAssocStatus",
- "advapi32.dll.RegQueryValueExA",
- "duser.dll.SetGadgetFocus",
- "duser.dll.DUserSendEvent",
- "duser.dll.SetGadgetRect",
- "duser.dll.DeleteHandle",
- "uxtheme.dll.BufferedPaintInit",
- "uxtheme.dll.BeginBufferedPaint",
- "gdi32.dll.GdiIsMetaPrintDC",
- "uxtheme.dll.GetBufferedPaintDC",
- "uxtheme.dll.GetBufferedPaintTargetDC",
- "uxtheme.dll.EndBufferedPaint",
- "duser.dll.ForwardGadgetMessage",
- "rpcrt4.dll.RpcAsyncCompleteCall",
- "uxtheme.dll.CloseThemeData",
- "uxtheme.dll.DrawThemeBackground",
- "uxtheme.dll.DrawThemeText",
- "uxtheme.dll.GetThemeBackgroundContentRect",
- "uxtheme.dll.GetThemeBackgroundExtent",
- "uxtheme.dll.GetThemePartSize",
- "uxtheme.dll.GetThemeTextExtent",
- "uxtheme.dll.GetThemeTextMetrics",
- "uxtheme.dll.GetThemeBackgroundRegion",
- "uxtheme.dll.HitTestThemeBackground",
- "uxtheme.dll.DrawThemeEdge",
- "uxtheme.dll.DrawThemeIcon",
- "uxtheme.dll.IsThemePartDefined",
- "uxtheme.dll.IsThemeBackgroundPartiallyTransparent",
- "uxtheme.dll.GetThemeColor",
- "uxtheme.dll.GetThemeMetric",
- "uxtheme.dll.GetThemeString",
- "uxtheme.dll.GetThemeBool",
- "uxtheme.dll.GetThemeInt",
- "uxtheme.dll.GetThemeEnumValue",
- "uxtheme.dll.GetThemePosition",
- "uxtheme.dll.GetThemeFont",
- "uxtheme.dll.GetThemeRect",
- "uxtheme.dll.GetThemeMargins",
- "uxtheme.dll.GetThemeIntList",
- "uxtheme.dll.GetThemePropertyOrigin",
- "uxtheme.dll.SetWindowTheme",
- "uxtheme.dll.GetThemeFilename",
- "uxtheme.dll.GetThemeSysColor",
- "uxtheme.dll.GetThemeSysColorBrush",
- "uxtheme.dll.GetThemeSysBool",
- "uxtheme.dll.GetThemeSysSize",
- "uxtheme.dll.GetThemeSysFont",
- "uxtheme.dll.GetThemeSysString",
- "uxtheme.dll.GetThemeSysInt",
- "uxtheme.dll.GetWindowTheme",
- "uxtheme.dll.IsThemeDialogTextureEnabled",
- "uxtheme.dll.GetThemeAppProperties",
- "uxtheme.dll.SetThemeAppProperties",
- "uxtheme.dll.GetCurrentThemeName",
- "uxtheme.dll.GetThemeDocumentationProperty",
- "uxtheme.dll.DrawThemeParentBackground",
- "uxtheme.dll.EnableTheming",
- "comctl32.dll.InitCommonControlsEx",
- "user32.dll.NotifyWinEvent",
- "imm32.dll.ImmAssociateContextEx",
- "propsys.dll.#420",
- "kernel32.dll.GetTimeZoneInformationForYear",
- "uxtheme.dll.#47",
- "duser.dll.DisableContainerHwnd",
- "duser.dll.DUserFlushMessages",
- "duser.dll.DUserFlushDeferredMessages",
- "user32.dll.UnregisterMessagePumpHook",
- "advapi32.dll.CryptAcquireContextW",
- "advapi32.dll.RegNotifyChangeKeyValue",
- "ole32.dll.CLSIDFromOle1Class",
- "clbcatq.dll.GetCatalogObject",
- "clbcatq.dll.GetCatalogObject2",
- "shlwapi.dll.PathIsPrefixW",
- "kernel32.dll.WerRegisterMemoryBlock",
- "advapi32.dll.EventWrite",
- "advapi32.dll.EventRegister",
- "advapi32.dll.EventUnregister",
- "rpcrt4.dll.NdrClientCall2",
- "kernel32.dll.SetFileInformationByHandle",
- "kernel32.dll.GetSystemWow64DirectoryW",
- "kernel32.dll.QueryFullProcessImageNameW",
- "flashutil32_29_0_0_171_plugin.dll.#1",
- "kernel32.dll.MoveFileExA",
- "kernel32.dll.MoveFileExW",
- "kernel32.dll.RemoveDirectoryW",
- "kernel32.dll.GetSystemDirectoryW",
- "kernel32.dll.SetCurrentDirectoryW",
- "kernel32.dll.GetTempPathW",
- "kernel32.dll.GetTempFileNameW",
- "qmgr.dll.ServiceMain",
- "ws2_32.dll.#111",
- "bitsigd.dll.InitializeEx",
- "upnp.dll.DllGetClassObject",
- "upnp.dll.DllCanUnloadNow",
- "oleaut32.dll.DllGetClassObject",
- "oleaut32.dll.DllCanUnloadNow",
- "sxs.dll.SxsOleAut32MapIIDToProxyStubCLSID",
- "oleaut32.dll.BSTR_UserSize",
- "oleaut32.dll.BSTR_UserMarshal",
- "oleaut32.dll.BSTR_UserUnmarshal",
- "oleaut32.dll.BSTR_UserFree",
- "oleaut32.dll.VARIANT_UserSize",
- "oleaut32.dll.VARIANT_UserMarshal",
- "oleaut32.dll.VARIANT_UserUnmarshal",
- "oleaut32.dll.VARIANT_UserFree",
- "oleaut32.dll.LPSAFEARRAY_UserSize",
- "oleaut32.dll.LPSAFEARRAY_UserMarshal",
- "oleaut32.dll.LPSAFEARRAY_UserUnmarshal",
- "oleaut32.dll.LPSAFEARRAY_UserFree",
- "advapi32.dll.LogonUserW",
- "sspicli.dll.LogonUserExExW",
- "advapi32.dll.QueryAllTracesW",
- "vssapi.dll.CreateWriter",
- "samcli.dll.NetLocalGroupGetMembers",
- "samlib.dll.SamLookupNamesInDomain",
- "samlib.dll.SamGetMembersInAlias",
- "oleaut32.dll.#4",
- "propsys.dll.VariantToPropVariant",
- "oleaut32.dll.#8",
- "ole32.dll.CoGetCallContext"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "GetTempPathA",
- "address": "0x407070"
- },
- {
- "name": "GetFileSize",
- "address": "0x407074"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x407078"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x40707c"
- },
- {
- "name": "CopyFileA",
- "address": "0x407080"
- },
- {
- "name": "ExitProcess",
- "address": "0x407084"
- },
- {
- "name": "SetEnvironmentVariableA",
- "address": "0x407088"
- },
- {
- "name": "Sleep",
- "address": "0x40708c"
- },
- {
- "name": "GetTickCount",
- "address": "0x407090"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x407094"
- },
- {
- "name": "lstrlenA",
- "address": "0x407098"
- },
- {
- "name": "GetVersion",
- "address": "0x40709c"
- },
- {
- "name": "SetErrorMode",
- "address": "0x4070a0"
- },
- {
- "name": "lstrcpynA",
- "address": "0x4070a4"
- },
- {
- "name": "GetDiskFreeSpaceA",
- "address": "0x4070a8"
- },
- {
- "name": "GlobalUnlock",
- "address": "0x4070ac"
- },
- {
- "name": "GetWindowsDirectoryA",
- "address": "0x4070b0"
- },
- {
- "name": "SetCurrentDirectoryA",
- "address": "0x4070b4"
- },
- {
- "name": "GetLastError",
- "address": "0x4070b8"
- },
- {
- "name": "CreateDirectoryA",
- "address": "0x4070bc"
- },
- {
- "name": "CreateProcessA",
- "address": "0x4070c0"
- },
- {
- "name": "RemoveDirectoryA",
- "address": "0x4070c4"
- },
- {
- "name": "CreateFileA",
- "address": "0x4070c8"
- },
- {
- "name": "GetTempFileNameA",
- "address": "0x4070cc"
- },
- {
- "name": "ReadFile",
- "address": "0x4070d0"
- },
- {
- "name": "WriteFile",
- "address": "0x4070d4"
- },
- {
- "name": "lstrcpyA",
- "address": "0x4070d8"
- },
- {
- "name": "MoveFileExA",
- "address": "0x4070dc"
- },
- {
- "name": "lstrcatA",
- "address": "0x4070e0"
- },
- {
- "name": "GetSystemDirectoryA",
- "address": "0x4070e4"
- },
- {
- "name": "GetProcAddress",
- "address": "0x4070e8"
- },
- {
- "name": "GetExitCodeProcess",
- "address": "0x4070ec"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x4070f0"
- },
- {
- "name": "CompareFileTime",
- "address": "0x4070f4"
- },
- {
- "name": "SetFileAttributesA",
- "address": "0x4070f8"
- },
- {
- "name": "GetFileAttributesA",
- "address": "0x4070fc"
- },
- {
- "name": "GetShortPathNameA",
- "address": "0x407100"
- },
- {
- "name": "MoveFileA",
- "address": "0x407104"
- },
- {
- "name": "GetFullPathNameA",
- "address": "0x407108"
- },
- {
- "name": "SetFileTime",
- "address": "0x40710c"
- },
- {
- "name": "SearchPathA",
- "address": "0x407110"
- },
- {
- "name": "CloseHandle",
- "address": "0x407114"
- },
- {
- "name": "lstrcmpiA",
- "address": "0x407118"
- },
- {
- "name": "CreateThread",
- "address": "0x40711c"
- },
- {
- "name": "GlobalLock",
- "address": "0x407120"
- },
- {
- "name": "lstrcmpA",
- "address": "0x407124"
- },
- {
- "name": "FindFirstFileA",
- "address": "0x407128"
- },
- {
- "name": "FindNextFileA",
- "address": "0x40712c"
- },
- {
- "name": "DeleteFileA",
- "address": "0x407130"
- },
- {
- "name": "SetFilePointer",
- "address": "0x407134"
- },
- {
- "name": "GetPrivateProfileStringA",
- "address": "0x407138"
- },
- {
- "name": "FindClose",
- "address": "0x40713c"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x407140"
- },
- {
- "name": "FreeLibrary",
- "address": "0x407144"
- },
- {
- "name": "MulDiv",
- "address": "0x407148"
- },
- {
- "name": "WritePrivateProfileStringA",
- "address": "0x40714c"
- },
- {
- "name": "LoadLibraryExA",
- "address": "0x407150"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x407154"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x407158"
- },
- {
- "name": "GlobalFree",
- "address": "0x40715c"
- },
- {
- "name": "ExpandEnvironmentStringsA",
- "address": "0x407160"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "ScreenToClient",
- "address": "0x407184"
- },
- {
- "name": "GetSystemMenu",
- "address": "0x407188"
- },
- {
- "name": "SetClassLongA",
- "address": "0x40718c"
- },
- {
- "name": "IsWindowEnabled",
- "address": "0x407190"
- },
- {
- "name": "SetWindowPos",
- "address": "0x407194"
- },
- {
- "name": "GetSysColor",
- "address": "0x407198"
- },
- {
- "name": "GetWindowLongA",
- "address": "0x40719c"
- },
- {
- "name": "SetCursor",
- "address": "0x4071a0"
- },
- {
- "name": "LoadCursorA",
- "address": "0x4071a4"
- },
- {
- "name": "CheckDlgButton",
- "address": "0x4071a8"
- },
- {
- "name": "GetMessagePos",
- "address": "0x4071ac"
- },
- {
- "name": "LoadBitmapA",
- "address": "0x4071b0"
- },
- {
- "name": "CallWindowProcA",
- "address": "0x4071b4"
- },
- {
- "name": "IsWindowVisible",
- "address": "0x4071b8"
- },
- {
- "name": "CloseClipboard",
- "address": "0x4071bc"
- },
- {
- "name": "SetClipboardData",
- "address": "0x4071c0"
- },
- {
- "name": "EmptyClipboard",
- "address": "0x4071c4"
- },
- {
- "name": "PostQuitMessage",
- "address": "0x4071c8"
- },
- {
- "name": "GetWindowRect",
- "address": "0x4071cc"
- },
- {
- "name": "EnableMenuItem",
- "address": "0x4071d0"
- },
- {
- "name": "CreatePopupMenu",
- "address": "0x4071d4"
- },
- {
- "name": "GetSystemMetrics",
- "address": "0x4071d8"
- },
- {
- "name": "SetDlgItemTextA",
- "address": "0x4071dc"
- },
- {
- "name": "GetDlgItemTextA",
- "address": "0x4071e0"
- },
- {
- "name": "MessageBoxIndirectA",
- "address": "0x4071e4"
- },
- {
- "name": "CharPrevA",
- "address": "0x4071e8"
- },
- {
- "name": "DispatchMessageA",
- "address": "0x4071ec"
- },
- {
- "name": "PeekMessageA",
- "address": "0x4071f0"
- },
- {
- "name": "ReleaseDC",
- "address": "0x4071f4"
- },
- {
- "name": "EnableWindow",
- "address": "0x4071f8"
- },
- {
- "name": "InvalidateRect",
- "address": "0x4071fc"
- },
- {
- "name": "SendMessageA",
- "address": "0x407200"
- },
- {
- "name": "DefWindowProcA",
- "address": "0x407204"
- },
- {
- "name": "BeginPaint",
- "address": "0x407208"
- },
- {
- "name": "GetClientRect",
- "address": "0x40720c"
- },
- {
- "name": "FillRect",
- "address": "0x407210"
- },
- {
- "name": "DrawTextA",
- "address": "0x407214"
- },
- {
- "name": "EndDialog",
- "address": "0x407218"
- },
- {
- "name": "RegisterClassA",
- "address": "0x40721c"
- },
- {
- "name": "SystemParametersInfoA",
- "address": "0x407220"
- },
- {
- "name": "CreateWindowExA",
- "address": "0x407224"
- },
- {
- "name": "GetClassInfoA",
- "address": "0x407228"
- },
- {
- "name": "DialogBoxParamA",
- "address": "0x40722c"
- },
- {
- "name": "CharNextA",
- "address": "0x407230"
- },
- {
- "name": "ExitWindowsEx",
- "address": "0x407234"
- },
- {
- "name": "GetDC",
- "address": "0x407238"
- },
- {
- "name": "CreateDialogParamA",
- "address": "0x40723c"
- },
- {
- "name": "SetTimer",
- "address": "0x407240"
- },
- {
- "name": "GetDlgItem",
- "address": "0x407244"
- },
- {
- "name": "SetWindowLongA",
- "address": "0x407248"
- },
- {
- "name": "SetForegroundWindow",
- "address": "0x40724c"
- },
- {
- "name": "LoadImageA",
- "address": "0x407250"
- },
- {
- "name": "IsWindow",
- "address": "0x407254"
- },
- {
- "name": "SendMessageTimeoutA",
- "address": "0x407258"
- },
- {
- "name": "FindWindowExA",
- "address": "0x40725c"
- },
- {
- "name": "OpenClipboard",
- "address": "0x407260"
- },
- {
- "name": "TrackPopupMenu",
- "address": "0x407264"
- },
- {
- "name": "AppendMenuA",
- "address": "0x407268"
- },
- {
- "name": "EndPaint",
- "address": "0x40726c"
- },
- {
- "name": "DestroyWindow",
- "address": "0x407270"
- },
- {
- "name": "wsprintfA",
- "address": "0x407274"
- },
- {
- "name": "ShowWindow",
- "address": "0x407278"
- },
- {
- "name": "SetWindowTextA",
- "address": "0x40727c"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "SelectObject",
- "address": "0x40704c"
- },
- {
- "name": "SetBkMode",
- "address": "0x407050"
- },
- {
- "name": "CreateFontIndirectA",
- "address": "0x407054"
- },
- {
- "name": "SetTextColor",
- "address": "0x407058"
- },
- {
- "name": "DeleteObject",
- "address": "0x40705c"
- },
- {
- "name": "GetDeviceCaps",
- "address": "0x407060"
- },
- {
- "name": "CreateBrushIndirect",
- "address": "0x407064"
- },
- {
- "name": "SetBkColor",
- "address": "0x407068"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "SHGetSpecialFolderLocation",
- "address": "0x407168"
- },
- {
- "name": "ShellExecuteExA",
- "address": "0x40716c"
- },
- {
- "name": "SHGetPathFromIDListA",
- "address": "0x407170"
- },
- {
- "name": "SHBrowseForFolderA",
- "address": "0x407174"
- },
- {
- "name": "SHGetFileInfoA",
- "address": "0x407178"
- },
- {
- "name": "SHFileOperationA",
- "address": "0x40717c"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "AdjustTokenPrivileges",
- "address": "0x407000"
- },
- {
- "name": "RegCreateKeyExA",
- "address": "0x407004"
- },
- {
- "name": "RegOpenKeyExA",
- "address": "0x407008"
- },
- {
- "name": "SetFileSecurityA",
- "address": "0x40700c"
- },
- {
- "name": "OpenProcessToken",
- "address": "0x407010"
- },
- {
- "name": "LookupPrivilegeValueA",
- "address": "0x407014"
- },
- {
- "name": "RegEnumValueA",
- "address": "0x407018"
- },
- {
- "name": "RegDeleteKeyA",
- "address": "0x40701c"
- },
- {
- "name": "RegDeleteValueA",
- "address": "0x407020"
- },
- {
- "name": "RegCloseKey",
- "address": "0x407024"
- },
- {
- "name": "RegSetValueExA",
- "address": "0x407028"
- },
- {
- "name": "RegQueryValueExA",
- "address": "0x40702c"
- },
- {
- "name": "RegEnumKeyA",
- "address": "0x407030"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_Create",
- "address": "0x407038"
- },
- {
- "name": "ImageList_AddMasked",
- "address": "0x40703c"
- },
- {
- "name": "ImageList_Destroy",
- "address": "0x407040"
- },
- {
- "name": null,
- "address": "0x407044"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "OleUninitialize",
- "address": "0x407284"
- },
- {
- "name": "OleInitialize",
- "address": "0x407288"
- },
- {
- "name": "CoTaskMemFree",
- "address": "0x40728c"
- },
- {
- "name": "CoCreateInstance",
- "address": "0x407290"
- }
- ],
- "dll": "ole32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00268849",
- "overlay": {
- "size": "0x00220c78",
- "offset": "0x0003a200"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x00268849",
- "icon_hash": null,
- "entrypoint": "0x004031d6",
- "timestamp": "2018-12-15 22:24:22",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00006000",
- "entropy": "6.45",
- "raw_address": "0x00000400",
- "virtual_size": "0x00005f0d",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00007000",
- "size_of_data": "0x00001400",
- "entropy": "5.00",
- "raw_address": "0x00006400",
- "virtual_size": "0x00001250",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00009000",
- "size_of_data": "0x00000400",
- "entropy": "5.13",
- "raw_address": "0x00007800",
- "virtual_size": "0x0001a818",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".ndata",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00024000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000000",
- "virtual_size": "0x00009000",
- "characteristics_raw": "0xc0000080"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0002d000",
- "size_of_data": "0x00032600",
- "entropy": "5.65",
- "raw_address": "0x00007c00",
- "virtual_size": "0x000324a8",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00007430",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x000000a0"
- },
- {
- "virtual_address": "0x0002d000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000324a8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00259aa8",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x000013d0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00007000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000298"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "3abe302b6d9a1256e6a915429af4ffd2",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 7,
- "versioninfo": []
- }
- }