Exes_d9c6a67478f115a18d4a1091ed69bec4_exe.json

Jun 21st, 2019
  1.  
  2. [*] MalFamily: "Psdownload"
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_d9c6a67478f115a18d4a1091ed69bec4.exe"
  7. [*] File Size: 2572376
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive"
  9. [*] SHA256: "f54c918db990d89caac14f8aecf465d56267300adce0abca8a5514f6e255c12d"
  10. [*] MD5: "d9c6a67478f115a18d4a1091ed69bec4"
  11. [*] SHA1: "72f325b29009cd6701202c26d7e6f71e5cf49770"
  12. [*] SHA512: "2cb244a8e1e97bba933b6c1993ecfa7a15a920d96f16a3a1549833536646287c8f2b7c5e03fe66ca4522161e63425ccd815ee7958fd54218c50574105a11dab0"
  13. [*] CRC32: "18CAE714"
  14. [*] SSDEEP: "49152:s02xUWRNg4aIWzh74MUArNbY/jCBBdsPgFYogBQFV+5Cn8INchQkxQKry:cxFRKTjzdUkUSsVGcIWhhry"
  15.  
  16. [*] Process Execution: [
  17. "Exes_d9c6a67478f115a18d4a1091ed69bec4.exe",
  18. "cmd.exe",
  19. "wscript.exe",
  20. "cmd.exe",
  21. "powershell.exe",
  22. "takeown.exe",
  23. "icacls.exe",
  24. "icacls.exe",
  25. "icacls.exe",
  26. "icacls.exe",
  27. "icacls.exe",
  28. "icacls.exe",
  29. "icacls.exe",
  30. "reg.exe",
  31. "net.exe",
  32. "net1.exe",
  33. "cmd.exe",
  34. "services.exe",
  35. "svchost.exe",
  36. "WmiPrvSE.exe",
  37. "svchost.exe",
  38. "svchost.exe",
  39. "taskhost.exe",
  40. "lsm.exe"
  41. ]
  42.  
  43. [*] Signatures Detected: [
  44. {
  45. "Description": "Creates RWX memory",
  46. "Details": []
  47. },
  48. {
  49. "Description": "Possible date expiration check, exits too soon after checking local time",
  50. "Details": [
  51. {
  52. "process": "cmd.exe, PID 2476"
  53. }
  54. ]
  55. },
  56. {
  57. "Description": "Detected script timer window indicative of sleep style evasion",
  58. "Details": [
  59. {
  60. "Window": "WSH-Timer"
  61. }
  62. ]
  63. },
  64. {
  65. "Description": "A process attempted to delay the analysis task.",
  66. "Details": [
  67. {
  68. "Process": "WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
  69. },
  70. {
  71. "Process": "powershell.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
  72. }
  73. ]
  74. },
  75. {
  76. "Description": "Reads data out of its own binary image",
  77. "Details": [
  78. {
  79. "self_read": "process: Exes_d9c6a67478f115a18d4a1091ed69bec4.exe, pid: 3244, offset: 0x00000000, length: 0x00272c7f"
  80. },
  81. {
  82. "self_read": "process: Exes_d9c6a67478f115a18d4a1091ed69bec4.exe, pid: 3244, offset: 0x0001901c, length: 0x0014bab3"
  83. },
  84. {
  85. "self_read": "process: Exes_d9c6a67478f115a18d4a1091ed69bec4.exe, pid: 3244, offset: 0x00272c7f, length: 0x00000004"
  86. },
  87. {
  88. "self_read": "process: wscript.exe, pid: 3908, offset: 0x00000000, length: 0x00000040"
  89. },
  90. {
  91. "self_read": "process: wscript.exe, pid: 3908, offset: 0x000000f8, length: 0x00000018"
  92. },
  93. {
  94. "self_read": "process: wscript.exe, pid: 3908, offset: 0x00000200, length: 0x7fe00000028"
  95. },
  96. {
  97. "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f200, length: 0x00000020"
  98. },
  99. {
  100. "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f258, length: 0x00000018"
  101. },
  102. {
  103. "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f3a8, length: 0x7fe00000018"
  104. },
  105. {
  106. "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f670, length: 0x00000010"
  107. },
  108. {
  109. "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f840, length: 0x00000012"
  110. },
  111. {
  112. "self_read": "process: wscript.exe, pid: 3908, offset: 0x7fe00000228, length: 0x7fe00000078"
  113. }
  114. ]
  115. },
  116. {
  117. "Description": "A process created a hidden window",
  118. "Details": [
  119. {
  120. "Process": "wscript.exe -> cmd"
  121. }
  122. ]
  123. },
  124. {
  125. "Description": "Performs some HTTP requests",
  126. "Details": [
  127. {
  128. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  129. },
  130. {
  131. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  132. },
  133. {
  134. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  135. }
  136. ]
  137. },
  138. {
  139. "Description": "Deletes its original binary from disk",
  140. "Details": []
  141. },
  142. {
  143. "Description": "Attempts to restart the guest VM",
  144. "Details": []
  145. },
  146. {
  147. "Description": "Tries to suspend Cuckoo threads to prevent logging of malicious activity",
  148. "Details": [
  149. {
  150. "Process": "svchost.exe (104)"
  151. }
  152. ]
  153. },
  154. {
  155. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  156. "Details": [
  157. {
  158. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 7117002 times"
  159. }
  160. ]
  161. },
  162. {
  163. "Description": "Installs itself for autorun at Windows startup",
  164. "Details": [
  165. {
  166. "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL"
  167. },
  168. {
  169. "data": "%SystemRoot%\\help\\servicedll.dll"
  170. }
  171. ]
  172. },
  173. {
  174. "Description": "Attempts to execute a powershell command with suspicious parameter/s",
  175. "Details": [
  176. {
  177. "execution_policy": "Attempts to bypass execution policy"
  178. }
  179. ]
  180. },
  181. {
  182. "Description": "Creates a hidden or system file",
  183. "Details": [
  184. {
  185. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFf91b1e.TMP"
  186. }
  187. ]
  188. },
  189. {
  190. "Description": "File has been identified by 29 Antiviruses on VirusTotal as malicious",
  191. "Details": [
  192. {
  193. "Bkav": "HW32.Packed."
  194. },
  195. {
  196. "CAT-QuickHeal": "Trojandownloader.Psdownload"
  197. },
  198. {
  199. "McAfee": "Artemis!D9C6A67478F1"
  200. },
  201. {
  202. "Alibaba": "TrojanDownloader:Win32/PsDownload.98174c72"
  203. },
  204. {
  205. "Arcabit": "Trojan.Barys.DF047"
  206. },
  207. {
  208. "Symantec": "W97M.Downloader"
  209. },
  210. {
  211. "Paloalto": "generic.ml"
  212. },
  213. {
  214. "Kaspersky": "HEUR:Trojan-Downloader.Win32.PsDownload.gen"
  215. },
  216. {
  217. "BitDefender": "Gen:Variant.Ursu.481402"
  218. },
  219. {
  220. "NANO-Antivirus": "Trojan.Win32.PsDownload.frcxyy"
  221. },
  222. {
  223. "AegisLab": "Trojan.Win32.PsDownload.4!c"
  224. },
  225. {
  226. "Avast": "Win32:Malware-gen"
  227. },
  228. {
  229. "Sophos": "Mal/Generic-S"
  230. },
  231. {
  232. "F-Secure": "Trojan.TR/Dldr.PsDownload.twazw"
  233. },
  234. {
  235. "DrWeb": "BackDoor.HRDP.12"
  236. },
  237. {
  238. "Emsisoft": "Gen:Variant.Ursu.481402 (B)"
  239. },
  240. {
  241. "Cyren": "W32/Trojan.KODO-0437"
  242. },
  243. {
  244. "Avira": "TR/Dldr.PsDownload.twazw"
  245. },
  246. {
  247. "Microsoft": "Trojan:Win32/Tiggre!rfn"
  248. },
  249. {
  250. "ViRobot": "Trojan.Win32.Z.Psdownload.2572376"
  251. },
  252. {
  253. "ZoneAlarm": "HEUR:Trojan-Downloader.Win32.PsDownload.gen"
  254. },
  255. {
  256. "GData": "Gen:Variant.Barys.61511"
  257. },
  258. {
  259. "VBA32": "TrojanDownloader.PsDownload"
  260. },
  261. {
  262. "Cylance": "Unsafe"
  263. },
  264. {
  265. "ESET-NOD32": "a variant of Generik.HHGEYXI"
  266. },
  267. {
  268. "TrendMicro-HouseCall": "TROJ_GEN.R002H0CF919"
  269. },
  270. {
  271. "AVG": "Win32:Malware-gen"
  272. },
  273. {
  274. "Cybereason": "malicious.478f11"
  275. },
  276. {
  277. "Qihoo-360": "Win32/Trojan.ddb"
  278. }
  279. ]
  280. }
  281. ]
  282.  
  283. [*] Started Service: [
  284. "TermService"
  285. ]
  286.  
  287. [*] Executed Commands: [
  288. "\"cmd.exe\" /c wscript C:\\Users\\user\\AppData\\Local\\Temp\\runnable.vbs",
  289. "wscript C:\\Users\\user\\AppData\\Local\\Temp\\runnable.vbs",
  290. "\"C:\\Windows\\System32\\cmd.exe\" /c rename C:\\Users\\user\\AppData\\Local\\Temp\\runnable.txt runnable.ps1& powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
  291. "cmd /c rename C:\\Users\\user\\AppData\\Local\\Temp\\runnable.txt runnable.ps1& powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
  292. "powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
  293. "\"C:\\Windows\\system32\\takeown.exe\" /A /F rfxvmt.dll",
  294. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /inheritance:d",
  295. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /setowner \"NT SERVICE\\TrustedInstaller\"",
  296. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT SERVICE\\TrustedInstaller:F\"",
  297. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove \"NT AUTHORITY\\SYSTEM\"",
  298. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT AUTHORITY\\SYSTEM:RX\"",
  299. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove BUILTIN\\Administrators",
  300. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant BUILTIN\\Administrators:RX",
  301. "\"C:\\Windows\\system32\\reg.exe\" add HKLM\\system\\currentcontrolset\\services\\TermService\\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\\help\\servicedll.dll /f",
  302. "\"C:\\Windows\\system32\\net.exe\" localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
  303. "\"C:\\Windows\\system32\\cmd.exe\" /c del %temp%\\*.ps1 /f",
  304. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  305. "C:\\Windows\\system32\\net1 localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
  306. "C:\\Windows\\System32\\svchost.exe -k NetworkService"
  307. ]
  308.  
  309. [*] Mutexes: [
  310. "Local\\ZoneAttributeCacheCounterMutex",
  311. "Local\\ZonesCacheCounterMutex",
  312. "Local\\ZonesLockedCacheCounterMutex",
  313. "Global\\CLR_PerfMon_WrapMutex",
  314. "Global\\CLR_CASOFF_MUTEX"
  315. ]
  316.  
  317. [*] Modified Files: [
  318. "C:\\Users\\user\\AppData\\Local\\Temp\\log_4043.txt",
  319. "C:\\Users\\user\\AppData\\Local\\Temp\\install_776644.log",
  320. "C:\\Users\\user\\AppData\\Local\\Temp\\log_986225.log",
  321. "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.txt",
  322. "C:\\Users\\user\\AppData\\Local\\Temp\\nsyBB3.tmp\\System.dll",
  323. "C:\\Users\\user\\AppData\\Local\\Temp\\readme_88755.txt",
  324. "C:\\Users\\user\\AppData\\Local\\Temp\\changelog_66663.txt",
  325. "C:\\Users\\user\\AppData\\Local\\Temp\\terminal.txt",
  326. "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
  327. "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.vbs",
  328. "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
  329. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  330. "\\??\\PIPE\\srvsvc",
  331. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\P76M9IKTLS2SWNQ7412A.temp",
  332. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFf91b1e.TMP",
  333. "C:\\Windows\\Help\\servicedll.dll",
  334. "C:\\Windows\\Help\\lababa.bin",
  335. "C:\\Windows\\Help\\portable.dat",
  336. "C:\\Windows\\sysnative\\rfxvmt.dll",
  337. "C:\\Windows\\Temp\\desk.txt",
  338. "\\??\\PIPE\\samr",
  339. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  340. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  341. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  342. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  343. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  344. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  345. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  346. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
  347. "\\??\\PIPE\\lsarpc",
  348. "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
  349. ]
  350.  
  351. [*] Deleted Files: [
  352. "C:\\Users\\user\\AppData\\Local\\Temp\\nsdAE7.tmp",
  353. "C:\\Users\\user\\AppData\\Local\\Temp\\nsyBB3.tmp",
  354. "C:\\Users\\user\\AppData\\Local\\Temp\\nsyBB3.tmp\\System.dll",
  355. "C:\\Users\\user\\AppData\\Local\\Temp\\nsyBB3.tmp\\",
  356. "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.txt",
  357. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFf91b1e.TMP",
  358. "C:\\Users\\user\\AppData\\Local\\Temp\\changelog_66663.txt",
  359. "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
  360. "C:\\Users\\user\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt",
  361. "C:\\Users\\user\\AppData\\Local\\Temp\\log_4043.txt",
  362. "C:\\Users\\user\\AppData\\Local\\Temp\\readme_88755.txt",
  363. "C:\\Users\\user\\AppData\\Local\\Temp\\terminal.txt",
  364. "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
  365. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_d9c6a67478f115a18d4a1091ed69bec4.exe",
  366. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.988.16337562",
  367. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.988.16337562",
  368. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.988.16337562"
  369. ]
  370.  
  371. [*] Modified Registry Keys: [
  372. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  373. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  374. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  375. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  376. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  377. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  378. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  379. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  380. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  381. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  382. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
  383. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL"
  384. ]
  385.  
  386. [*] Deleted Registry Keys: [
  387. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  388. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  389. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  390. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  391. ]
  392.  
  393. [*] DNS Communications: []
  394.  
  395. [*] Domains: []
  396.  
  397. [*] Network Communication - ICMP: []
  398.  
  399. [*] Network Communication - HTTP: [
  400. {
  401. "count": 1,
  402. "body": "",
  403. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  404. "user-agent": "Microsoft-CryptoAPI/6.1",
  405. "method": "GET",
  406. "host": "ocsp.digicert.com",
  407. "version": "1.1",
  408. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  409. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 128165\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:02:13 GMT\r\nIf-None-Match: \"5c961235-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  410. "port": 80
  411. },
  412. {
  413. "count": 1,
  414. "body": "",
  415. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  416. "user-agent": "Microsoft-CryptoAPI/6.1",
  417. "method": "GET",
  418. "host": "ocsp.digicert.com",
  419. "version": "1.1",
  420. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  421. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  422. "port": 80
  423. },
  424. {
  425. "count": 1,
  426. "body": "",
  427. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  428. "user-agent": "Microsoft-CryptoAPI/6.1",
  429. "method": "GET",
  430. "host": "ocsp.digicert.com",
  431. "version": "1.1",
  432. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  433. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 143038\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 15:00:07 GMT\r\nIf-None-Match: \"5c9649f7-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  434. "port": 80
  435. }
  436. ]
  437.  
  438. [*] Network Communication - SMTP: []
  439.  
  440. [*] Network Communication - Hosts: []
  441.  
  442. [*] Network Communication - IRC: []
  443.  
  444. [*] Static Analysis: {
  445. "pe": {
  446. "peid_signatures": null,
  447. "imports": [
  448. {
  449. "imports": [
  450. {
  451. "name": "GetTempPathA",
  452. "address": "0x407070"
  453. },
  454. {
  455. "name": "GetFileSize",
  456. "address": "0x407074"
  457. },
  458. {
  459. "name": "GetModuleFileNameA",
  460. "address": "0x407078"
  461. },
  462. {
  463. "name": "GetCurrentProcess",
  464. "address": "0x40707c"
  465. },
  466. {
  467. "name": "CopyFileA",
  468. "address": "0x407080"
  469. },
  470. {
  471. "name": "ExitProcess",
  472. "address": "0x407084"
  473. },
  474. {
  475. "name": "SetEnvironmentVariableA",
  476. "address": "0x407088"
  477. },
  478. {
  479. "name": "Sleep",
  480. "address": "0x40708c"
  481. },
  482. {
  483. "name": "GetTickCount",
  484. "address": "0x407090"
  485. },
  486. {
  487. "name": "GetCommandLineA",
  488. "address": "0x407094"
  489. },
  490. {
  491. "name": "lstrlenA",
  492. "address": "0x407098"
  493. },
  494. {
  495. "name": "GetVersion",
  496. "address": "0x40709c"
  497. },
  498. {
  499. "name": "SetErrorMode",
  500. "address": "0x4070a0"
  501. },
  502. {
  503. "name": "lstrcpynA",
  504. "address": "0x4070a4"
  505. },
  506. {
  507. "name": "GetDiskFreeSpaceA",
  508. "address": "0x4070a8"
  509. },
  510. {
  511. "name": "GlobalUnlock",
  512. "address": "0x4070ac"
  513. },
  514. {
  515. "name": "GetWindowsDirectoryA",
  516. "address": "0x4070b0"
  517. },
  518. {
  519. "name": "SetCurrentDirectoryA",
  520. "address": "0x4070b4"
  521. },
  522. {
  523. "name": "GetLastError",
  524. "address": "0x4070b8"
  525. },
  526. {
  527. "name": "CreateDirectoryA",
  528. "address": "0x4070bc"
  529. },
  530. {
  531. "name": "CreateProcessA",
  532. "address": "0x4070c0"
  533. },
  534. {
  535. "name": "RemoveDirectoryA",
  536. "address": "0x4070c4"
  537. },
  538. {
  539. "name": "CreateFileA",
  540. "address": "0x4070c8"
  541. },
  542. {
  543. "name": "GetTempFileNameA",
  544. "address": "0x4070cc"
  545. },
  546. {
  547. "name": "ReadFile",
  548. "address": "0x4070d0"
  549. },
  550. {
  551. "name": "WriteFile",
  552. "address": "0x4070d4"
  553. },
  554. {
  555. "name": "lstrcpyA",
  556. "address": "0x4070d8"
  557. },
  558. {
  559. "name": "MoveFileExA",
  560. "address": "0x4070dc"
  561. },
  562. {
  563. "name": "lstrcatA",
  564. "address": "0x4070e0"
  565. },
  566. {
  567. "name": "GetSystemDirectoryA",
  568. "address": "0x4070e4"
  569. },
  570. {
  571. "name": "GetProcAddress",
  572. "address": "0x4070e8"
  573. },
  574. {
  575. "name": "GetExitCodeProcess",
  576. "address": "0x4070ec"
  577. },
  578. {
  579. "name": "WaitForSingleObject",
  580. "address": "0x4070f0"
  581. },
  582. {
  583. "name": "CompareFileTime",
  584. "address": "0x4070f4"
  585. },
  586. {
  587. "name": "SetFileAttributesA",
  588. "address": "0x4070f8"
  589. },
  590. {
  591. "name": "GetFileAttributesA",
  592. "address": "0x4070fc"
  593. },
  594. {
  595. "name": "GetShortPathNameA",
  596. "address": "0x407100"
  597. },
  598. {
  599. "name": "MoveFileA",
  600. "address": "0x407104"
  601. },
  602. {
  603. "name": "GetFullPathNameA",
  604. "address": "0x407108"
  605. },
  606. {
  607. "name": "SetFileTime",
  608. "address": "0x40710c"
  609. },
  610. {
  611. "name": "SearchPathA",
  612. "address": "0x407110"
  613. },
  614. {
  615. "name": "CloseHandle",
  616. "address": "0x407114"
  617. },
  618. {
  619. "name": "lstrcmpiA",
  620. "address": "0x407118"
  621. },
  622. {
  623. "name": "CreateThread",
  624. "address": "0x40711c"
  625. },
  626. {
  627. "name": "GlobalLock",
  628. "address": "0x407120"
  629. },
  630. {
  631. "name": "lstrcmpA",
  632. "address": "0x407124"
  633. },
  634. {
  635. "name": "FindFirstFileA",
  636. "address": "0x407128"
  637. },
  638. {
  639. "name": "FindNextFileA",
  640. "address": "0x40712c"
  641. },
  642. {
  643. "name": "DeleteFileA",
  644. "address": "0x407130"
  645. },
  646. {
  647. "name": "SetFilePointer",
  648. "address": "0x407134"
  649. },
  650. {
  651. "name": "GetPrivateProfileStringA",
  652. "address": "0x407138"
  653. },
  654. {
  655. "name": "FindClose",
  656. "address": "0x40713c"
  657. },
  658. {
  659. "name": "MultiByteToWideChar",
  660. "address": "0x407140"
  661. },
  662. {
  663. "name": "FreeLibrary",
  664. "address": "0x407144"
  665. },
  666. {
  667. "name": "MulDiv",
  668. "address": "0x407148"
  669. },
  670. {
  671. "name": "WritePrivateProfileStringA",
  672. "address": "0x40714c"
  673. },
  674. {
  675. "name": "LoadLibraryExA",
  676. "address": "0x407150"
  677. },
  678. {
  679. "name": "GetModuleHandleA",
  680. "address": "0x407154"
  681. },
  682. {
  683. "name": "GlobalAlloc",
  684. "address": "0x407158"
  685. },
  686. {
  687. "name": "GlobalFree",
  688. "address": "0x40715c"
  689. },
  690. {
  691. "name": "ExpandEnvironmentStringsA",
  692. "address": "0x407160"
  693. }
  694. ],
  695. "dll": "KERNEL32.dll"
  696. },
  697. {
  698. "imports": [
  699. {
  700. "name": "ScreenToClient",
  701. "address": "0x407184"
  702. },
  703. {
  704. "name": "GetSystemMenu",
  705. "address": "0x407188"
  706. },
  707. {
  708. "name": "SetClassLongA",
  709. "address": "0x40718c"
  710. },
  711. {
  712. "name": "IsWindowEnabled",
  713. "address": "0x407190"
  714. },
  715. {
  716. "name": "SetWindowPos",
  717. "address": "0x407194"
  718. },
  719. {
  720. "name": "GetSysColor",
  721. "address": "0x407198"
  722. },
  723. {
  724. "name": "GetWindowLongA",
  725. "address": "0x40719c"
  726. },
  727. {
  728. "name": "SetCursor",
  729. "address": "0x4071a0"
  730. },
  731. {
  732. "name": "LoadCursorA",
  733. "address": "0x4071a4"
  734. },
  735. {
  736. "name": "CheckDlgButton",
  737. "address": "0x4071a8"
  738. },
  739. {
  740. "name": "GetMessagePos",
  741. "address": "0x4071ac"
  742. },
  743. {
  744. "name": "LoadBitmapA",
  745. "address": "0x4071b0"
  746. },
  747. {
  748. "name": "CallWindowProcA",
  749. "address": "0x4071b4"
  750. },
  751. {
  752. "name": "IsWindowVisible",
  753. "address": "0x4071b8"
  754. },
  755. {
  756. "name": "CloseClipboard",
  757. "address": "0x4071bc"
  758. },
  759. {
  760. "name": "SetClipboardData",
  761. "address": "0x4071c0"
  762. },
  763. {
  764. "name": "EmptyClipboard",
  765. "address": "0x4071c4"
  766. },
  767. {
  768. "name": "PostQuitMessage",
  769. "address": "0x4071c8"
  770. },
  771. {
  772. "name": "GetWindowRect",
  773. "address": "0x4071cc"
  774. },
  775. {
  776. "name": "EnableMenuItem",
  777. "address": "0x4071d0"
  778. },
  779. {
  780. "name": "CreatePopupMenu",
  781. "address": "0x4071d4"
  782. },
  783. {
  784. "name": "GetSystemMetrics",
  785. "address": "0x4071d8"
  786. },
  787. {
  788. "name": "SetDlgItemTextA",
  789. "address": "0x4071dc"
  790. },
  791. {
  792. "name": "GetDlgItemTextA",
  793. "address": "0x4071e0"
  794. },
  795. {
  796. "name": "MessageBoxIndirectA",
  797. "address": "0x4071e4"
  798. },
  799. {
  800. "name": "CharPrevA",
  801. "address": "0x4071e8"
  802. },
  803. {
  804. "name": "DispatchMessageA",
  805. "address": "0x4071ec"
  806. },
  807. {
  808. "name": "PeekMessageA",
  809. "address": "0x4071f0"
  810. },
  811. {
  812. "name": "ReleaseDC",
  813. "address": "0x4071f4"
  814. },
  815. {
  816. "name": "EnableWindow",
  817. "address": "0x4071f8"
  818. },
  819. {
  820. "name": "InvalidateRect",
  821. "address": "0x4071fc"
  822. },
  823. {
  824. "name": "SendMessageA",
  825. "address": "0x407200"
  826. },
  827. {
  828. "name": "DefWindowProcA",
  829. "address": "0x407204"
  830. },
  831. {
  832. "name": "BeginPaint",
  833. "address": "0x407208"
  834. },
  835. {
  836. "name": "GetClientRect",
  837. "address": "0x40720c"
  838. },
  839. {
  840. "name": "FillRect",
  841. "address": "0x407210"
  842. },
  843. {
  844. "name": "DrawTextA",
  845. "address": "0x407214"
  846. },
  847. {
  848. "name": "EndDialog",
  849. "address": "0x407218"
  850. },
  851. {
  852. "name": "RegisterClassA",
  853. "address": "0x40721c"
  854. },
  855. {
  856. "name": "SystemParametersInfoA",
  857. "address": "0x407220"
  858. },
  859. {
  860. "name": "CreateWindowExA",
  861. "address": "0x407224"
  862. },
  863. {
  864. "name": "GetClassInfoA",
  865. "address": "0x407228"
  866. },
  867. {
  868. "name": "DialogBoxParamA",
  869. "address": "0x40722c"
  870. },
  871. {
  872. "name": "CharNextA",
  873. "address": "0x407230"
  874. },
  875. {
  876. "name": "ExitWindowsEx",
  877. "address": "0x407234"
  878. },
  879. {
  880. "name": "GetDC",
  881. "address": "0x407238"
  882. },
  883. {
  884. "name": "CreateDialogParamA",
  885. "address": "0x40723c"
  886. },
  887. {
  888. "name": "SetTimer",
  889. "address": "0x407240"
  890. },
  891. {
  892. "name": "GetDlgItem",
  893. "address": "0x407244"
  894. },
  895. {
  896. "name": "SetWindowLongA",
  897. "address": "0x407248"
  898. },
  899. {
  900. "name": "SetForegroundWindow",
  901. "address": "0x40724c"
  902. },
  903. {
  904. "name": "LoadImageA",
  905. "address": "0x407250"
  906. },
  907. {
  908. "name": "IsWindow",
  909. "address": "0x407254"
  910. },
  911. {
  912. "name": "SendMessageTimeoutA",
  913. "address": "0x407258"
  914. },
  915. {
  916. "name": "FindWindowExA",
  917. "address": "0x40725c"
  918. },
  919. {
  920. "name": "OpenClipboard",
  921. "address": "0x407260"
  922. },
  923. {
  924. "name": "TrackPopupMenu",
  925. "address": "0x407264"
  926. },
  927. {
  928. "name": "AppendMenuA",
  929. "address": "0x407268"
  930. },
  931. {
  932. "name": "EndPaint",
  933. "address": "0x40726c"
  934. },
  935. {
  936. "name": "DestroyWindow",
  937. "address": "0x407270"
  938. },
  939. {
  940. "name": "wsprintfA",
  941. "address": "0x407274"
  942. },
  943. {
  944. "name": "ShowWindow",
  945. "address": "0x407278"
  946. },
  947. {
  948. "name": "SetWindowTextA",
  949. "address": "0x40727c"
  950. }
  951. ],
  952. "dll": "USER32.dll"
  953. },
  954. {
  955. "imports": [
  956. {
  957. "name": "SelectObject",
  958. "address": "0x40704c"
  959. },
  960. {
  961. "name": "SetBkMode",
  962. "address": "0x407050"
  963. },
  964. {
  965. "name": "CreateFontIndirectA",
  966. "address": "0x407054"
  967. },
  968. {
  969. "name": "SetTextColor",
  970. "address": "0x407058"
  971. },
  972. {
  973. "name": "DeleteObject",
  974. "address": "0x40705c"
  975. },
  976. {
  977. "name": "GetDeviceCaps",
  978. "address": "0x407060"
  979. },
  980. {
  981. "name": "CreateBrushIndirect",
  982. "address": "0x407064"
  983. },
  984. {
  985. "name": "SetBkColor",
  986. "address": "0x407068"
  987. }
  988. ],
  989. "dll": "GDI32.dll"
  990. },
  991. {
  992. "imports": [
  993. {
  994. "name": "SHGetSpecialFolderLocation",
  995. "address": "0x407168"
  996. },
  997. {
  998. "name": "ShellExecuteExA",
  999. "address": "0x40716c"
  1000. },
  1001. {
  1002. "name": "SHGetPathFromIDListA",
  1003. "address": "0x407170"
  1004. },
  1005. {
  1006. "name": "SHBrowseForFolderA",
  1007. "address": "0x407174"
  1008. },
  1009. {
  1010. "name": "SHGetFileInfoA",
  1011. "address": "0x407178"
  1012. },
  1013. {
  1014. "name": "SHFileOperationA",
  1015. "address": "0x40717c"
  1016. }
  1017. ],
  1018. "dll": "SHELL32.dll"
  1019. },
  1020. {
  1021. "imports": [
  1022. {
  1023. "name": "AdjustTokenPrivileges",
  1024. "address": "0x407000"
  1025. },
  1026. {
  1027. "name": "RegCreateKeyExA",
  1028. "address": "0x407004"
  1029. },
  1030. {
  1031. "name": "RegOpenKeyExA",
  1032. "address": "0x407008"
  1033. },
  1034. {
  1035. "name": "SetFileSecurityA",
  1036. "address": "0x40700c"
  1037. },
  1038. {
  1039. "name": "OpenProcessToken",
  1040. "address": "0x407010"
  1041. },
  1042. {
  1043. "name": "LookupPrivilegeValueA",
  1044. "address": "0x407014"
  1045. },
  1046. {
  1047. "name": "RegEnumValueA",
  1048. "address": "0x407018"
  1049. },
  1050. {
  1051. "name": "RegDeleteKeyA",
  1052. "address": "0x40701c"
  1053. },
  1054. {
  1055. "name": "RegDeleteValueA",
  1056. "address": "0x407020"
  1057. },
  1058. {
  1059. "name": "RegCloseKey",
  1060. "address": "0x407024"
  1061. },
  1062. {
  1063. "name": "RegSetValueExA",
  1064. "address": "0x407028"
  1065. },
  1066. {
  1067. "name": "RegQueryValueExA",
  1068. "address": "0x40702c"
  1069. },
  1070. {
  1071. "name": "RegEnumKeyA",
  1072. "address": "0x407030"
  1073. }
  1074. ],
  1075. "dll": "ADVAPI32.dll"
  1076. },
  1077. {
  1078. "imports": [
  1079. {
  1080. "name": "ImageList_Create",
  1081. "address": "0x407038"
  1082. },
  1083. {
  1084. "name": "ImageList_AddMasked",
  1085. "address": "0x40703c"
  1086. },
  1087. {
  1088. "name": "ImageList_Destroy",
  1089. "address": "0x407040"
  1090. },
  1091. {
  1092. "name": null,
  1093. "address": "0x407044"
  1094. }
  1095. ],
  1096. "dll": "COMCTL32.dll"
  1097. },
  1098. {
  1099. "imports": [
  1100. {
  1101. "name": "OleUninitialize",
  1102. "address": "0x407284"
  1103. },
  1104. {
  1105. "name": "OleInitialize",
  1106. "address": "0x407288"
  1107. },
  1108. {
  1109. "name": "CoTaskMemFree",
  1110. "address": "0x40728c"
  1111. },
  1112. {
  1113. "name": "CoCreateInstance",
  1114. "address": "0x407290"
  1115. }
  1116. ],
  1117. "dll": "ole32.dll"
  1118. }
  1119. ],
  1120. "digital_signers": null,
  1121. "exported_dll_name": null,
  1122. "actual_checksum": "0x0027b04c",
  1123. "overlay": {
  1124. "size": "0x0025b058",
  1125. "offset": "0x00019000"
  1126. },
  1127. "imagebase": "0x00400000",
  1128. "reported_checksum": "0x0027b04c",
  1129. "icon_hash": null,
  1130. "entrypoint": "0x004031d6",
  1131. "timestamp": "2018-12-15 22:24:22",
  1132. "osversion": "4.0",
  1133. "sections": [
  1134. {
  1135. "name": ".text",
  1136. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1137. "virtual_address": "0x00001000",
  1138. "size_of_data": "0x00006000",
  1139. "entropy": "6.45",
  1140. "raw_address": "0x00000400",
  1141. "virtual_size": "0x00005f0d",
  1142. "characteristics_raw": "0x60000020"
  1143. },
  1144. {
  1145. "name": ".rdata",
  1146. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1147. "virtual_address": "0x00007000",
  1148. "size_of_data": "0x00001400",
  1149. "entropy": "5.00",
  1150. "raw_address": "0x00006400",
  1151. "virtual_size": "0x00001250",
  1152. "characteristics_raw": "0x40000040"
  1153. },
  1154. {
  1155. "name": ".data",
  1156. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1157. "virtual_address": "0x00009000",
  1158. "size_of_data": "0x00000400",
  1159. "entropy": "5.13",
  1160. "raw_address": "0x00007800",
  1161. "virtual_size": "0x0001a818",
  1162. "characteristics_raw": "0xc0000040"
  1163. },
  1164. {
  1165. "name": ".ndata",
  1166. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1167. "virtual_address": "0x00024000",
  1168. "size_of_data": "0x00000000",
  1169. "entropy": "0.00",
  1170. "raw_address": "0x00000000",
  1171. "virtual_size": "0x00009000",
  1172. "characteristics_raw": "0xc0000080"
  1173. },
  1174. {
  1175. "name": ".rsrc",
  1176. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1177. "virtual_address": "0x0002d000",
  1178. "size_of_data": "0x00011400",
  1179. "entropy": "1.13",
  1180. "raw_address": "0x00007c00",
  1181. "virtual_size": "0x000112b8",
  1182. "characteristics_raw": "0x40000040"
  1183. }
  1184. ],
  1185. "resources": [],
  1186. "dirents": [
  1187. {
  1188. "virtual_address": "0x00000000",
  1189. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1190. "size": "0x00000000"
  1191. },
  1192. {
  1193. "virtual_address": "0x00007430",
  1194. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1195. "size": "0x000000a0"
  1196. },
  1197. {
  1198. "virtual_address": "0x0002d000",
  1199. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1200. "size": "0x000112b8"
  1201. },
  1202. {
  1203. "virtual_address": "0x00000000",
  1204. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1205. "size": "0x00000000"
  1206. },
  1207. {
  1208. "virtual_address": "0x00272c88",
  1209. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1210. "size": "0x000013d0"
  1211. },
  1212. {
  1213. "virtual_address": "0x00000000",
  1214. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1215. "size": "0x00000000"
  1216. },
  1217. {
  1218. "virtual_address": "0x00000000",
  1219. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1220. "size": "0x00000000"
  1221. },
  1222. {
  1223. "virtual_address": "0x00000000",
  1224. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1225. "size": "0x00000000"
  1226. },
  1227. {
  1228. "virtual_address": "0x00000000",
  1229. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1230. "size": "0x00000000"
  1231. },
  1232. {
  1233. "virtual_address": "0x00000000",
  1234. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1235. "size": "0x00000000"
  1236. },
  1237. {
  1238. "virtual_address": "0x00000000",
  1239. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1240. "size": "0x00000000"
  1241. },
  1242. {
  1243. "virtual_address": "0x00000000",
  1244. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1245. "size": "0x00000000"
  1246. },
  1247. {
  1248. "virtual_address": "0x00007000",
  1249. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1250. "size": "0x00000298"
  1251. },
  1252. {
  1253. "virtual_address": "0x00000000",
  1254. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1255. "size": "0x00000000"
  1256. },
  1257. {
  1258. "virtual_address": "0x00000000",
  1259. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1260. "size": "0x00000000"
  1261. },
  1262. {
  1263. "virtual_address": "0x00000000",
  1264. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1265. "size": "0x00000000"
  1266. }
  1267. ],
  1268. "exports": [],
  1269. "guest_signers": {},
  1270. "imphash": "3abe302b6d9a1256e6a915429af4ffd2",
  1271. "icon_fuzzy": null,
  1272. "icon": null,
  1273. "pdbpath": null,
  1274. "imported_dll_count": 7,
  1275. "versioninfo": []
  1276. }
  1277. }
  1278.  
  1279. [*] Resolved APIs: [
  1280. "version.dll.GetFileVersionInfoA",
  1281. "shfolder.dll.SHGetFolderPathA",
  1282. "shlwapi.dll.#437",
  1283. "cryptbase.dll.SystemFunction036",
  1284. "uxtheme.dll.ThemeInitApiHook",
  1285. "user32.dll.IsProcessDPIAware",
  1286. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  1287. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  1288. "comctl32.dll.#386",
  1289. "kernel32.dll.GetUserDefaultUILanguage",
  1290. "shell32.dll.#680",
  1291. "system.dll.Call",
  1292. "kernel32.dll.GetCurrentProcess",
  1293. "kernel32.dll.IsWow64Process",
  1294. "system.dll.Int64Op",
  1295. "kernel32.dll.SetEnvironmentVariableA",
  1296. "kernel32.dll.Wow64EnableWow64FsRedirection",
  1297. "ole32.dll.CoRevokeInitializeSpy",
  1298. "comctl32.dll.#388",
  1299. "ole32.dll.NdrOleInitializeExtension",
  1300. "ole32.dll.CoGetClassObject",
  1301. "ole32.dll.CoGetMarshalSizeMax",
  1302. "ole32.dll.CoMarshalInterface",
  1303. "ole32.dll.CoUnmarshalInterface",
  1304. "ole32.dll.StringFromIID",
  1305. "ole32.dll.CoGetPSClsid",
  1306. "ole32.dll.CoTaskMemAlloc",
  1307. "ole32.dll.CoTaskMemFree",
  1308. "ole32.dll.CoCreateInstance",
  1309. "ole32.dll.CoReleaseMarshalData",
  1310. "ole32.dll.DcomChannelSetHResult",
  1311. "oleaut32.dll.#500",
  1312. "advapi32.dll.UnregisterTraceGuids",
  1313. "comctl32.dll.#321",
  1314. "kernel32.dll.SetThreadUILanguage",
  1315. "kernel32.dll.CopyFileExW",
  1316. "kernel32.dll.IsDebuggerPresent",
  1317. "kernel32.dll.SetConsoleInputExeNameW",
  1318. "kernel32.dll.SortGetHandle",
  1319. "kernel32.dll.SortCloseHandle",
  1320. "sechost.dll.LookupAccountNameLocalW",
  1321. "advapi32.dll.LookupAccountSidW",
  1322. "sechost.dll.LookupAccountSidLocalW",
  1323. "kernel32.dll.HeapSetInformation",
  1324. "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid",
  1325. "dwmapi.dll.DwmIsCompositionEnabled",
  1326. "advapi32.dll.SaferIdentifyLevel",
  1327. "advapi32.dll.SaferComputeTokenFromLevel",
  1328. "advapi32.dll.SaferCloseLevel",
  1329. "ole32.dll.CLSIDFromProgIDEx",
  1330. "wscript.exe.#1",
  1331. "sxs.dll.SxsOleAut32RedirectTypeLibrary",
  1332. "advapi32.dll.RegOpenKeyW",
  1333. "advapi32.dll.RegQueryValueW",
  1334. "shell32.dll.ShellExecuteExW",
  1335. "ole32.dll.OleInitialize",
  1336. "ole32.dll.CreateBindCtx",
  1337. "propsys.dll.PSCreateMemoryPropertyStore",
  1338. "propsys.dll.PSPropertyBag_WriteDWORD",
  1339. "ole32.dll.CoGetApartmentType",
  1340. "ole32.dll.CoRegisterInitializeSpy",
  1341. "comctl32.dll.#236",
  1342. "oleaut32.dll.#6",
  1343. "ole32.dll.CoGetMalloc",
  1344. "propsys.dll.PSPropertyBag_ReadDWORD",
  1345. "propsys.dll.PSPropertyBag_ReadGUID",
  1346. "comctl32.dll.#320",
  1347. "comctl32.dll.#324",
  1348. "comctl32.dll.#323",
  1349. "advapi32.dll.RegEnumKeyW",
  1350. "advapi32.dll.OpenThreadToken",
  1351. "ole32.dll.StringFromGUID2",
  1352. "apphelp.dll.ApphelpCheckShellObject",
  1353. "urlmon.dll.CreateUri",
  1354. "kernel32.dll.InitializeSRWLock",
  1355. "kernel32.dll.AcquireSRWLockExclusive",
  1356. "kernel32.dll.AcquireSRWLockShared",
  1357. "kernel32.dll.ReleaseSRWLockExclusive",
  1358. "kernel32.dll.ReleaseSRWLockShared",
  1359. "comctl32.dll.#328",
  1360. "comctl32.dll.#334",
  1361. "oleaut32.dll.#2",
  1362. "shell32.dll.#102",
  1363. "propsys.dll.PSPropertyBag_ReadStrAlloc",
  1364. "ole32.dll.CoInitializeEx",
  1365. "advapi32.dll.InitializeSecurityDescriptor",
  1366. "advapi32.dll.SetEntriesInAclW",
  1367. "ntmarta.dll.GetMartaExtensionInterface",
  1368. "advapi32.dll.SetSecurityDescriptorDacl",
  1369. "advapi32.dll.IsTextUnicode",
  1370. "comctl32.dll.#332",
  1371. "comctl32.dll.#338",
  1372. "ole32.dll.CoUninitialize",
  1373. "sechost.dll.ConvertSidToStringSidW",
  1374. "profapi.dll.#104",
  1375. "propsys.dll.#430",
  1376. "advapi32.dll.RegOpenKeyExW",
  1377. "advapi32.dll.RegGetValueW",
  1378. "advapi32.dll.RegCloseKey",
  1379. "ole32.dll.CoTaskMemRealloc",
  1380. "propsys.dll.InitPropVariantFromStringAsVector",
  1381. "propsys.dll.PSCoerceToCanonicalValue",
  1382. "propsys.dll.PropVariantToStringAlloc",
  1383. "ole32.dll.PropVariantClear",
  1384. "ole32.dll.CoAllowSetForegroundWindow",
  1385. "shell32.dll.SHGetFolderPathW",
  1386. "advapi32.dll.SaferGetPolicyInformation",
  1387. "ntdll.dll.RtlDllShutdownInProgress",
  1388. "comctl32.dll.#329",
  1389. "ole32.dll.OleUninitialize",
  1390. "shell32.dll.#66",
  1391. "comctl32.dll.#339",
  1392. "comctl32.dll.#385",
  1393. "comctl32.dll.#336",
  1394. "comctl32.dll.#333",
  1395. "linkinfo.dll.IsValidLinkInfo",
  1396. "propsys.dll.#417",
  1397. "propsys.dll.PSGetNameFromPropertyKey",
  1398. "propsys.dll.PSStringFromPropertyKey",
  1399. "propsys.dll.InitVariantFromBuffer",
  1400. "oleaut32.dll.#9",
  1401. "propsys.dll.PropVariantToGUID",
  1402. "linkinfo.dll.CreateLinkInfoW",
  1403. "user32.dll.IsCharAlphaW",
  1404. "user32.dll.CharPrevW",
  1405. "ntshrui.dll.GetNetResourceFromLocalPathW",
  1406. "srvcli.dll.NetShareEnum",
  1407. "cscapi.dll.CscNetApiGetInterface",
  1408. "slc.dll.SLGetWindowsInformationDWORD",
  1409. "shlwapi.dll.PathRemoveFileSpecW",
  1410. "linkinfo.dll.DestroyLinkInfo",
  1411. "propsys.dll.PropVariantToBoolean",
  1412. "cryptsp.dll.CryptAcquireContextW",
  1413. "cryptsp.dll.CryptGenRandom",
  1414. "cryptsp.dll.CryptReleaseContext",
  1415. "advapi32.dll.GetSecurityInfo",
  1416. "advapi32.dll.SetSecurityInfo",
  1417. "advapi32.dll.GetSecurityDescriptorControl",
  1418. "advapi32.dll.RegQueryInfoKeyW",
  1419. "advapi32.dll.RegEnumKeyExW",
  1420. "advapi32.dll.RegEnumValueW",
  1421. "advapi32.dll.RegQueryValueExW",
  1422. "shlwapi.dll.UrlIsW",
  1423. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  1424. "msvcrt.dll._set_error_mode",
  1425. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  1426. "kernel32.dll.FindActCtxSectionStringW",
  1427. "kernel32.dll.GetSystemWindowsDirectoryW",
  1428. "mscoree.dll.GetProcessExecutableHeap",
  1429. "mscorwks.dll.DllGetClassObjectInternal",
  1430. "mscorwks.dll.GetCLRFunction",
  1431. "advapi32.dll.RegisterTraceGuidsW",
  1432. "advapi32.dll.GetTraceLoggerHandle",
  1433. "advapi32.dll.GetTraceEnableLevel",
  1434. "advapi32.dll.GetTraceEnableFlags",
  1435. "advapi32.dll.TraceEvent",
  1436. "mscoree.dll.IEE",
  1437. "mscorwks.dll.IEE",
  1438. "mscoree.dll.GetStartupFlags",
  1439. "mscoree.dll.GetHostConfigurationFile",
  1440. "mscoree.dll.GetCORSystemDirectory",
  1441. "ntdll.dll.RtlVirtualUnwind",
  1442. "advapi32.dll.AllocateAndInitializeSid",
  1443. "advapi32.dll.OpenProcessToken",
  1444. "advapi32.dll.GetTokenInformation",
  1445. "advapi32.dll.InitializeAcl",
  1446. "advapi32.dll.AddAccessAllowedAce",
  1447. "advapi32.dll.FreeSid",
  1448. "kernel32.dll.SetThreadStackGuarantee",
  1449. "kernel32.dll.FlsSetValue",
  1450. "kernel32.dll.FlsGetValue",
  1451. "kernel32.dll.FlsAlloc",
  1452. "kernel32.dll.FlsFree",
  1453. "kernel32.dll.AddVectoredContinueHandler",
  1454. "kernel32.dll.RemoveVectoredContinueHandler",
  1455. "advapi32.dll.ConvertSidToStringSidW",
  1456. "kernel32.dll.FlushProcessWriteBuffers",
  1457. "kernel32.dll.GetWriteWatch",
  1458. "kernel32.dll.ResetWriteWatch",
  1459. "kernel32.dll.CreateMemoryResourceNotification",
  1460. "kernel32.dll.QueryMemoryResourceNotification",
  1461. "kernel32.dll.GlobalMemoryStatusEx",
  1462. "ole32.dll.CoGetContextToken",
  1463. "oleaut32.dll.#149",
  1464. "kernel32.dll.GetVersionExW",
  1465. "kernel32.dll.GetFullPathNameW",
  1466. "kernel32.dll.SetErrorMode",
  1467. "kernel32.dll.GetFileAttributesExW",
  1468. "version.dll.GetFileVersionInfoSizeW",
  1469. "version.dll.GetFileVersionInfoW",
  1470. "version.dll.VerQueryValueW",
  1471. "kernel32.dll.lstrlen",
  1472. "kernel32.dll.lstrlenW",
  1473. "mscoree.dll.ND_RI2",
  1474. "kernel32.dll.lstrcpy",
  1475. "kernel32.dll.lstrcpyW",
  1476. "version.dll.VerLanguageNameW",
  1477. "kernel32.dll.CloseHandle",
  1478. "kernel32.dll.GetCurrentProcessId",
  1479. "advapi32.dll.LookupPrivilegeValueW",
  1480. "advapi32.dll.AdjustTokenPrivileges",
  1481. "kernel32.dll.OpenProcess",
  1482. "psapi.dll.EnumProcessModules",
  1483. "psapi.dll.GetModuleInformation",
  1484. "psapi.dll.GetModuleBaseNameW",
  1485. "psapi.dll.GetModuleFileNameExW",
  1486. "kernel32.dll.GetExitCodeProcess",
  1487. "ntdll.dll.NtQuerySystemInformation",
  1488. "user32.dll.EnumWindows",
  1489. "user32.dll.GetWindowThreadProcessId",
  1490. "kernel32.dll.WerSetFlags",
  1491. "kernel32.dll.SetThreadPreferredUILanguages",
  1492. "kernel32.dll.GetThreadPreferredUILanguages",
  1493. "kernel32.dll.GetUserDefaultLocaleName",
  1494. "kernel32.dll.GetEnvironmentVariableW",
  1495. "advapi32.dll.CryptAcquireContextA",
  1496. "advapi32.dll.CryptReleaseContext",
  1497. "advapi32.dll.CryptCreateHash",
  1498. "advapi32.dll.CryptDestroyHash",
  1499. "advapi32.dll.CryptHashData",
  1500. "advapi32.dll.CryptGetHashParam",
  1501. "advapi32.dll.CryptImportKey",
  1502. "advapi32.dll.CryptExportKey",
  1503. "advapi32.dll.CryptGenKey",
  1504. "advapi32.dll.CryptGetKeyParam",
  1505. "advapi32.dll.CryptDestroyKey",
  1506. "advapi32.dll.CryptVerifySignatureA",
  1507. "advapi32.dll.CryptSignHashA",
  1508. "advapi32.dll.CryptGetProvParam",
  1509. "advapi32.dll.CryptGetUserKey",
  1510. "advapi32.dll.CryptEnumProvidersA",
  1511. "cryptsp.dll.CryptImportKey",
  1512. "cryptsp.dll.CryptHashData",
  1513. "cryptsp.dll.CryptGetHashParam",
  1514. "cryptsp.dll.CryptDestroyHash",
  1515. "cryptsp.dll.CryptDestroyKey",
  1516. "mscoree.dll.GetTokenForVTableEntry",
  1517. "mscoree.dll.SetTargetForVTableEntry",
  1518. "mscoree.dll.GetTargetForVTableEntry",
  1519. "culture.dll.ConvertLangIdToCultureName",
  1520. "ole32.dll.CoCreateGuid",
  1521. "kernel32.dll.CreateFileW",
  1522. "kernel32.dll.GetConsoleScreenBufferInfo",
  1523. "kernel32.dll.LocalFree",
  1524. "kernel32.dll.LocalAlloc",
  1525. "mscoree.dll.ND_RI4",
  1526. "advapi32.dll.DuplicateTokenEx",
  1527. "advapi32.dll.CheckTokenMembership",
  1528. "kernel32.dll.GetConsoleTitleW",
  1529. "mscorjit.dll.getJit",
  1530. "kernel32.dll.SetConsoleTitleW",
  1531. "kernel32.dll.SetConsoleCtrlHandler",
  1532. "kernel32.dll.SetEnvironmentVariableW",
  1533. "kernel32.dll.CreateEventW",
  1534. "ntdll.dll.WinSqmIsOptedIn",
  1535. "kernel32.dll.ExpandEnvironmentStringsW",
  1536. "shfolder.dll.SHGetFolderPathW",
  1537. "kernel32.dll.GetACP",
  1538. "kernel32.dll.UnmapViewOfFile",
  1539. "kernel32.dll.GetFileType",
  1540. "kernel32.dll.ReadFile",
  1541. "kernel32.dll.GetSystemInfo",
  1542. "kernel32.dll.VirtualQuery",
  1543. "secur32.dll.GetUserNameExW",
  1544. "advapi32.dll.GetUserNameW",
  1545. "kernel32.dll.ReleaseMutex",
  1546. "advapi32.dll.RegisterEventSourceW",
  1547. "advapi32.dll.DeregisterEventSource",
  1548. "advapi32.dll.ReportEventW",
  1549. "kernel32.dll.GetLogicalDrives",
  1550. "kernel32.dll.GetDriveTypeW",
  1551. "kernel32.dll.GetVolumeInformationW",
  1552. "kernel32.dll.GetCurrentDirectoryW",
  1553. "kernel32.dll.GetLastError",
  1554. "kernel32.dll.GetStdHandle",
  1555. "kernel32.dll.GetConsoleMode",
  1556. "kernel32.dll.SetEvent",
  1557. "ole32.dll.CoGetObjectContext",
  1558. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  1559. "kernel32.dll.LoadLibraryA",
  1560. "kernel32.dll.GetProcAddress",
  1561. "wminet_utils.dll.ResetSecurity",
  1562. "wminet_utils.dll.SetSecurity",
  1563. "wminet_utils.dll.BlessIWbemServices",
  1564. "wminet_utils.dll.BlessIWbemServicesObject",
  1565. "wminet_utils.dll.GetPropertyHandle",
  1566. "wminet_utils.dll.WritePropertyValue",
  1567. "wminet_utils.dll.Clone",
  1568. "wminet_utils.dll.VerifyClientKey",
  1569. "wminet_utils.dll.GetQualifierSet",
  1570. "wminet_utils.dll.Get",
  1571. "wminet_utils.dll.Put",
  1572. "wminet_utils.dll.Delete",
  1573. "wminet_utils.dll.GetNames",
  1574. "wminet_utils.dll.BeginEnumeration",
  1575. "wminet_utils.dll.Next",
  1576. "wminet_utils.dll.EndEnumeration",
  1577. "wminet_utils.dll.GetPropertyQualifierSet",
  1578. "wminet_utils.dll.GetObjectText",
  1579. "wminet_utils.dll.SpawnDerivedClass",
  1580. "wminet_utils.dll.SpawnInstance",
  1581. "wminet_utils.dll.CompareTo",
  1582. "wminet_utils.dll.GetPropertyOrigin",
  1583. "wminet_utils.dll.InheritsFrom",
  1584. "wminet_utils.dll.GetMethod",
  1585. "wminet_utils.dll.PutMethod",
  1586. "wminet_utils.dll.DeleteMethod",
  1587. "wminet_utils.dll.BeginMethodEnumeration",
  1588. "wminet_utils.dll.NextMethod",
  1589. "wminet_utils.dll.EndMethodEnumeration",
  1590. "wminet_utils.dll.GetMethodQualifierSet",
  1591. "wminet_utils.dll.GetMethodOrigin",
  1592. "wminet_utils.dll.QualifierSet_Get",
  1593. "wminet_utils.dll.QualifierSet_Put",
  1594. "wminet_utils.dll.QualifierSet_Delete",
  1595. "wminet_utils.dll.QualifierSet_GetNames",
  1596. "wminet_utils.dll.QualifierSet_BeginEnumeration",
  1597. "wminet_utils.dll.QualifierSet_Next",
  1598. "wminet_utils.dll.QualifierSet_EndEnumeration",
  1599. "wminet_utils.dll.GetCurrentApartmentType",
  1600. "wminet_utils.dll.GetDemultiplexedStub",
  1601. "wminet_utils.dll.CreateInstanceEnumWmi",
  1602. "wminet_utils.dll.CreateClassEnumWmi",
  1603. "wminet_utils.dll.ExecQueryWmi",
  1604. "wminet_utils.dll.ExecNotificationQueryWmi",
  1605. "wminet_utils.dll.PutInstanceWmi",
  1606. "wminet_utils.dll.PutClassWmi",
  1607. "wminet_utils.dll.CloneEnumWbemClassObject",
  1608. "wminet_utils.dll.ConnectServerWmi",
  1609. "ole32.dll.IIDFromString",
  1610. "ole32.dll.CoCreateFreeThreadedMarshaler",
  1611. "oleaut32.dll.SysAllocStringLen",
  1612. "kernel32.dll.LocaleNameToLCID",
  1613. "kernel32.dll.GetLocaleInfoEx",
  1614. "kernel32.dll.LCIDToLocaleName",
  1615. "kernel32.dll.GetSystemDefaultLocaleName",
  1616. "fastprox.dll.DllGetClassObject",
  1617. "fastprox.dll.DllCanUnloadNow",
  1618. "dnsapi.dll.DnsApiFree",
  1619. "oleaut32.dll.SysFreeString",
  1620. "oleaut32.dll.#283",
  1621. "oleaut32.dll.#284",
  1622. "oleaut32.dll.#7",
  1623. "oleaut32.dll.#17",
  1624. "oleaut32.dll.#16",
  1625. "psapi.dll.EnumProcesses",
  1626. "kernel32.dll.FormatMessageW",
  1627. "kernel32.dll.GetConsoleOutputCP",
  1628. "gdi32.dll.TranslateCharsetInfo",
  1629. "kernel32.dll.SetConsoleTextAttribute",
  1630. "kernel32.dll.WriteConsoleW",
  1631. "kernel32.dll.WriteFile",
  1632. "kernel32.dll.FindFirstFileW",
  1633. "kernel32.dll.FindClose",
  1634. "kernel32.dll.FindNextFileW",
  1635. "shell32.dll.SHGetFileInfo",
  1636. "kernel32.dll.GetConsoleWindow",
  1637. "shell32.dll.CommandLineToArgvW",
  1638. "mscoree.dll.ND_RI8",
  1639. "kernel32.dll.RtlMoveMemory",
  1640. "kernel32.dll.CreateProcessW",
  1641. "kernel32.dll.DuplicateHandle",
  1642. "advapi32.dll.OpenSCManagerW",
  1643. "advapi32.dll.GetServiceKeyNameW",
  1644. "rpcrt4.dll.I_RpcSNCHOption",
  1645. "advapi32.dll.GetServiceDisplayNameW",
  1646. "advapi32.dll.OpenServiceW",
  1647. "advapi32.dll.ChangeServiceConfigW",
  1648. "advapi32.dll.ChangeServiceConfig2W",
  1649. "advapi32.dll.CloseServiceHandle",
  1650. "oleaut32.dll.GetErrorInfo",
  1651. "oleaut32.dll.SysStringLen",
  1652. "kernel32.dll.RegOpenKeyExW",
  1653. "advapi32.dll.ConvertStringSidToSidW",
  1654. "mscoree.dll.ND_RU1",
  1655. "advapi32.dll.LsaClose",
  1656. "advapi32.dll.LsaFreeMemory",
  1657. "advapi32.dll.LsaOpenPolicy",
  1658. "advapi32.dll.LsaLookupSids",
  1659. "advapi32.dll.QueryServiceStatus",
  1660. "advapi32.dll.StartServiceW",
  1661. "kernel32.dll.DeleteFileW",
  1662. "mscoree.dll.CorExitProcess",
  1663. "mscorwks.dll.CorExitProcess",
  1664. "ntdll.dll.EtwUnregisterTraceGuids",
  1665. "mscorwks.dll._CorDllMain",
  1666. "kernel32.dll.CreateActCtxW",
  1667. "kernel32.dll.AddRefActCtx",
  1668. "kernel32.dll.ReleaseActCtx",
  1669. "kernel32.dll.ActivateActCtx",
  1670. "kernel32.dll.DeactivateActCtx",
  1671. "kernel32.dll.GetCurrentActCtx",
  1672. "kernel32.dll.QueryActCtxW",
  1673. "netutils.dll.NetApiBufferFree",
  1674. "vssapi.dll.CreateWriter",
  1675. "advapi32.dll.LookupAccountNameW",
  1676. "samcli.dll.NetLocalGroupGetMembers",
  1677. "samlib.dll.SamConnect",
  1678. "rpcrt4.dll.NdrClientCall3",
  1679. "rpcrt4.dll.RpcStringBindingComposeW",
  1680. "rpcrt4.dll.RpcBindingFromStringBindingW",
  1681. "rpcrt4.dll.RpcStringFreeW",
  1682. "rpcrt4.dll.RpcBindingFree",
  1683. "samlib.dll.SamOpenDomain",
  1684. "samlib.dll.SamLookupNamesInDomain",
  1685. "samlib.dll.SamOpenAlias",
  1686. "samlib.dll.SamFreeMemory",
  1687. "samlib.dll.SamCloseHandle",
  1688. "samlib.dll.SamGetMembersInAlias",
  1689. "samlib.dll.SamEnumerateDomainsInSamServer",
  1690. "samlib.dll.SamLookupDomainInSamServer",
  1691. "ole32.dll.StringFromCLSID",
  1692. "oleaut32.dll.#4",
  1693. "propsys.dll.VariantToPropVariant",
  1694. "wbemcore.dll.Reinitialize",
  1695. "wbemsvc.dll.DllGetClassObject",
  1696. "wbemsvc.dll.DllCanUnloadNow",
  1697. "authz.dll.AuthzInitializeContextFromToken",
  1698. "authz.dll.AuthzInitializeObjectAccessAuditEvent2",
  1699. "authz.dll.AuthzAccessCheck",
  1700. "authz.dll.AuthzFreeAuditEvent",
  1701. "authz.dll.AuthzFreeContext",
  1702. "authz.dll.AuthzInitializeResourceManager",
  1703. "authz.dll.AuthzFreeResourceManager",
  1704. "rpcrt4.dll.RpcBindingCreateW",
  1705. "rpcrt4.dll.RpcBindingBind",
  1706. "rpcrt4.dll.I_RpcMapWin32Status",
  1707. "advapi32.dll.EventRegister",
  1708. "advapi32.dll.EventUnregister",
  1709. "advapi32.dll.EventWrite",
  1710. "kernel32.dll.RegCloseKey",
  1711. "kernel32.dll.RegSetValueExW",
  1712. "kernel32.dll.RegQueryValueExW",
  1713. "wmisvc.dll.IsImproperShutdownDetected",
  1714. "wevtapi.dll.EvtRender",
  1715. "wevtapi.dll.EvtNext",
  1716. "wevtapi.dll.EvtClose",
  1717. "wevtapi.dll.EvtQuery",
  1718. "wevtapi.dll.EvtCreateRenderContext",
  1719. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  1720. "rpcrt4.dll.RpcBindingSetOption",
  1721. "ole32.dll.CreateStreamOnHGlobal",
  1722. "advapi32.dll.RegCreateKeyExW",
  1723. "advapi32.dll.RegSetValueExW",
  1724. "kernelbase.dll.InitializeAcl",
  1725. "kernelbase.dll.AddAce",
  1726. "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  1727. "kernel32.dll.IsThreadAFiber",
  1728. "kernel32.dll.OpenProcessToken",
  1729. "kernelbase.dll.GetTokenInformation",
  1730. "kernelbase.dll.DuplicateTokenEx",
  1731. "kernelbase.dll.AdjustTokenPrivileges",
  1732. "kernelbase.dll.AllocateAndInitializeSid",
  1733. "kernelbase.dll.CheckTokenMembership",
  1734. "kernel32.dll.SetThreadToken",
  1735. "oleaut32.dll.#285",
  1736. "oleaut32.dll.#286",
  1737. "ole32.dll.CLSIDFromString",
  1738. "oleaut32.dll.#20",
  1739. "oleaut32.dll.#19",
  1740. "oleaut32.dll.#25",
  1741. "authz.dll.AuthzInitializeContextFromSid",
  1742. "ole32.dll.CoRevertToSelf",
  1743. "advapi32.dll.LogonUserExExW",
  1744. "sspicli.dll.LogonUserExExW",
  1745. "ole32.dll.CoGetCallContext",
  1746. "ole32.dll.CoImpersonateClient",
  1747. "ole32.dll.CoSwitchCallContext",
  1748. "oleaut32.dll.#8",
  1749. "oleaut32.dll.#287",
  1750. "oleaut32.dll.#288",
  1751. "oleaut32.dll.#289",
  1752. "oleaut32.dll.#290",
  1753. "advapi32.dll.EnumServicesStatusExW",
  1754. "advapi32.dll.LsaEnumerateTrustedDomains",
  1755. "advapi32.dll.LsaQueryInformationPolicy",
  1756. "advapi32.dll.LsaNtStatusToWinError",
  1757. "advapi32.dll.QueryServiceStatusEx",
  1758. "advapi32.dll.SetSecurityDescriptorControl",
  1759. "advapi32.dll.ConvertToAutoInheritPrivateObjectSecurity",
  1760. "advapi32.dll.DestroyPrivateObjectSecurity",
  1761. "advapi32.dll.AddAccessAllowedObjectAce",
  1762. "advapi32.dll.AddAccessDeniedObjectAce",
  1763. "advapi32.dll.AddAuditAccessObjectAce",
  1764. "advapi32.dll.SetNamedSecurityInfoW",
  1765. "advapi32.dll.GetNamedSecurityInfoW",
  1766. "advapi32.dll.SetNamedSecurityInfoExW",
  1767. "advapi32.dll.GetExplicitEntriesFromAclW",
  1768. "advapi32.dll.GetEffectiveRightsFromAclW",
  1769. "ws2_32.dll.#115",
  1770. "iphlpapi.dll.GetAdaptersAddresses",
  1771. "ws2_32.dll.getaddrinfo",
  1772. "ws2_32.dll.freeaddrinfo",
  1773. "ws2_32.dll.#116",
  1774. "advapi32.dll.CreateWellKnownSid",
  1775. "netapi32.dll.NetGroupEnum",
  1776. "netapi32.dll.NetGroupGetInfo",
  1777. "netapi32.dll.NetGroupSetInfo",
  1778. "netapi32.dll.NetLocalGroupGetInfo",
  1779. "netapi32.dll.NetLocalGroupSetInfo",
  1780. "netapi32.dll.NetGroupGetUsers",
  1781. "netapi32.dll.NetLocalGroupGetMembers",
  1782. "netapi32.dll.NetLocalGroupEnum",
  1783. "netapi32.dll.NetShareEnum",
  1784. "netapi32.dll.NetShareGetInfo",
  1785. "netapi32.dll.NetShareAdd",
  1786. "netapi32.dll.NetShareEnumSticky",
  1787. "netapi32.dll.NetShareSetInfo",
  1788. "netapi32.dll.NetShareDel",
  1789. "netapi32.dll.NetShareDelSticky",
  1790. "netapi32.dll.NetShareCheck",
  1791. "netapi32.dll.NetUserEnum",
  1792. "netapi32.dll.NetUserGetInfo",
  1793. "netapi32.dll.NetUserSetInfo",
  1794. "netapi32.dll.NetApiBufferFree",
  1795. "netapi32.dll.NetQueryDisplayInformation",
  1796. "netapi32.dll.NetServerSetInfo",
  1797. "netapi32.dll.NetServerGetInfo",
  1798. "netapi32.dll.NetGetDCName",
  1799. "netapi32.dll.NetWkstaGetInfo",
  1800. "netapi32.dll.NetGetAnyDCName",
  1801. "netapi32.dll.NetServerEnum",
  1802. "netapi32.dll.NetUserModalsGet",
  1803. "netapi32.dll.NetScheduleJobAdd",
  1804. "netapi32.dll.NetScheduleJobDel",
  1805. "netapi32.dll.NetScheduleJobEnum",
  1806. "netapi32.dll.NetScheduleJobGetInfo",
  1807. "netapi32.dll.NetUseGetInfo",
  1808. "netapi32.dll.NetEnumerateTrustedDomains",
  1809. "netapi32.dll.DsGetDcNameW",
  1810. "netapi32.dll.DsRoleGetPrimaryDomainInformation",
  1811. "netapi32.dll.DsRoleFreeMemory",
  1812. "netapi32.dll.NetRenameMachineInDomain",
  1813. "netapi32.dll.NetJoinDomain",
  1814. "netapi32.dll.NetUnjoinDomain",
  1815. "oleaut32.dll.#150",
  1816. "samlib.dll.SamQueryInformationDomain",
  1817. "samlib.dll.SamEnumerateAliasesInDomain",
  1818. "samlib.dll.SamQueryInformationAlias",
  1819. "advapi32.dll.InitiateSystemShutdownExW",
  1820. "ole32.dll.CoInitializeSecurity",
  1821. "kernel32.dll.GetFileSize",
  1822. "kernel32.dll.SetLastError",
  1823. "kernel32.dll.GetModuleHandleExW",
  1824. "kernel32.dll.GetCurrentThreadId",
  1825. "kernel32.dll.CreateToolhelp32Snapshot",
  1826. "kernel32.dll.Thread32First",
  1827. "kernel32.dll.OpenThread",
  1828. "kernel32.dll.ResumeThread",
  1829. "kernel32.dll.SuspendThread",
  1830. "kernel32.dll.Thread32Next",
  1831. "kernel32.dll.GetModuleHandleW",
  1832. "kernel32.dll.FindResourceW",
  1833. "kernel32.dll.LoadResource",
  1834. "kernel32.dll.LoadLibraryExW",
  1835. "kernel32.dll.WriteProcessMemory",
  1836. "kernel32.dll.GetModuleFileNameW",
  1837. "kernel32.dll.LoadLibraryW",
  1838. "kernel32.dll.ReadProcessMemory",
  1839. "kernel32.dll.SetFilePointerEx",
  1840. "kernel32.dll.SetStdHandle",
  1841. "kernel32.dll.WideCharToMultiByte",
  1842. "kernel32.dll.GetCommandLineA",
  1843. "kernel32.dll.IsProcessorFeaturePresent",
  1844. "kernel32.dll.HeapAlloc",
  1845. "kernel32.dll.RtlPcToFileHeader",
  1846. "kernel32.dll.RaiseException",
  1847. "kernel32.dll.HeapFree",
  1848. "kernel32.dll.IsValidCodePage",
  1849. "kernel32.dll.GetOEMCP",
  1850. "kernel32.dll.GetCPInfo",
  1851. "kernel32.dll.MultiByteToWideChar",
  1852. "kernel32.dll.ExitProcess",
  1853. "kernel32.dll.HeapSize",
  1854. "kernel32.dll.RtlUnwindEx",
  1855. "kernel32.dll.GetProcessHeap",
  1856. "kernel32.dll.DeleteCriticalSection",
  1857. "kernel32.dll.GetStartupInfoW",
  1858. "kernel32.dll.GetModuleFileNameA",
  1859. "kernel32.dll.QueryPerformanceCounter",
  1860. "kernel32.dll.GetSystemTimeAsFileTime",
  1861. "kernel32.dll.GetEnvironmentStringsW",
  1862. "kernel32.dll.FreeEnvironmentStringsW",
  1863. "kernel32.dll.RtlCaptureContext",
  1864. "kernel32.dll.RtlLookupFunctionEntry",
  1865. "kernel32.dll.RtlVirtualUnwind",
  1866. "kernel32.dll.UnhandledExceptionFilter",
  1867. "kernel32.dll.SetUnhandledExceptionFilter",
  1868. "kernel32.dll.Sleep",
  1869. "kernel32.dll.TerminateProcess",
  1870. "kernel32.dll.TlsAlloc",
  1871. "kernel32.dll.TlsGetValue",
  1872. "kernel32.dll.TlsSetValue",
  1873. "kernel32.dll.TlsFree",
  1874. "kernel32.dll.EnterCriticalSection",
  1875. "kernel32.dll.LeaveCriticalSection",
  1876. "kernel32.dll.GetStringTypeW",
  1877. "kernel32.dll.LCMapStringW",
  1878. "kernel32.dll.HeapReAlloc",
  1879. "kernel32.dll.OutputDebugStringW",
  1880. "kernel32.dll.FlushFileBuffers",
  1881. "kernel32.dll.GetConsoleCP",
  1882. "user32.dll.wsprintfA",
  1883. "kernel32.dll.InitializeCriticalSectionEx",
  1884. "kernel32.dll.CreateEventExW",
  1885. "kernel32.dll.CreateSemaphoreExW",
  1886. "kernel32.dll.CreateThreadpoolTimer",
  1887. "kernel32.dll.SetThreadpoolTimer",
  1888. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1889. "kernel32.dll.CloseThreadpoolTimer",
  1890. "kernel32.dll.CreateThreadpoolWait",
  1891. "kernel32.dll.SetThreadpoolWait",
  1892. "kernel32.dll.CloseThreadpoolWait",
  1893. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1894. "kernel32.dll.GetCurrentProcessorNumber",
  1895. "kernel32.dll.GetLogicalProcessorInformation",
  1896. "kernel32.dll.CreateSymbolicLinkW",
  1897. "kernel32.dll.EnumSystemLocalesEx",
  1898. "kernel32.dll.CompareStringEx",
  1899. "kernel32.dll.GetDateFormatEx",
  1900. "kernel32.dll.GetTimeFormatEx",
  1901. "kernel32.dll.IsValidLocaleName",
  1902. "kernel32.dll.LCMapStringEx",
  1903. "kernel32.dll.GetTickCount64",
  1904. "servicedll.dll.ServiceMain",
  1905. "servicedll.dll.SvchostPushServiceGlobals",
  1906. "termsrv.dll.ServiceMain",
  1907. "termsrv.dll.SvchostPushServiceGlobals",
  1908. "ole32.dll.CoFreeUnusedLibrariesEx",
  1909. "ole32.dll.CoRegisterClassObject",
  1910. "rpcrt4.dll.UuidFromStringW",
  1911. "radarrs.dll.WdiDiagnosticModuleMain",
  1912. "radarrs.dll.WdiHandleInstance",
  1913. "radarrs.dll.WdiGetDiagnosticModuleInterfaceVersion",
  1914. "advapi32.dll.DuplicateToken"
  1915. ]
  1916.  
  1917. [*] Static Analysis: {
  1918. "pe": {
  1919. "peid_signatures": null,
  1920. "imports": [
  1921. {
  1922. "imports": [
  1923. {
  1924. "name": "GetTempPathA",
  1925. "address": "0x407070"
  1926. },
  1927. {
  1928. "name": "GetFileSize",
  1929. "address": "0x407074"
  1930. },
  1931. {
  1932. "name": "GetModuleFileNameA",
  1933. "address": "0x407078"
  1934. },
  1935. {
  1936. "name": "GetCurrentProcess",
  1937. "address": "0x40707c"
  1938. },
  1939. {
  1940. "name": "CopyFileA",
  1941. "address": "0x407080"
  1942. },
  1943. {
  1944. "name": "ExitProcess",
  1945. "address": "0x407084"
  1946. },
  1947. {
  1948. "name": "SetEnvironmentVariableA",
  1949. "address": "0x407088"
  1950. },
  1951. {
  1952. "name": "Sleep",
  1953. "address": "0x40708c"
  1954. },
  1955. {
  1956. "name": "GetTickCount",
  1957. "address": "0x407090"
  1958. },
  1959. {
  1960. "name": "GetCommandLineA",
  1961. "address": "0x407094"
  1962. },
  1963. {
  1964. "name": "lstrlenA",
  1965. "address": "0x407098"
  1966. },
  1967. {
  1968. "name": "GetVersion",
  1969. "address": "0x40709c"
  1970. },
  1971. {
  1972. "name": "SetErrorMode",
  1973. "address": "0x4070a0"
  1974. },
  1975. {
  1976. "name": "lstrcpynA",
  1977. "address": "0x4070a4"
  1978. },
  1979. {
  1980. "name": "GetDiskFreeSpaceA",
  1981. "address": "0x4070a8"
  1982. },
  1983. {
  1984. "name": "GlobalUnlock",
  1985. "address": "0x4070ac"
  1986. },
  1987. {
  1988. "name": "GetWindowsDirectoryA",
  1989. "address": "0x4070b0"
  1990. },
  1991. {
  1992. "name": "SetCurrentDirectoryA",
  1993. "address": "0x4070b4"
  1994. },
  1995. {
  1996. "name": "GetLastError",
  1997. "address": "0x4070b8"
  1998. },
  1999. {
  2000. "name": "CreateDirectoryA",
  2001. "address": "0x4070bc"
  2002. },
  2003. {
  2004. "name": "CreateProcessA",
  2005. "address": "0x4070c0"
  2006. },
  2007. {
  2008. "name": "RemoveDirectoryA",
  2009. "address": "0x4070c4"
  2010. },
  2011. {
  2012. "name": "CreateFileA",
  2013. "address": "0x4070c8"
  2014. },
  2015. {
  2016. "name": "GetTempFileNameA",
  2017. "address": "0x4070cc"
  2018. },
  2019. {
  2020. "name": "ReadFile",
  2021. "address": "0x4070d0"
  2022. },
  2023. {
  2024. "name": "WriteFile",
  2025. "address": "0x4070d4"
  2026. },
  2027. {
  2028. "name": "lstrcpyA",
  2029. "address": "0x4070d8"
  2030. },
  2031. {
  2032. "name": "MoveFileExA",
  2033. "address": "0x4070dc"
  2034. },
  2035. {
  2036. "name": "lstrcatA",
  2037. "address": "0x4070e0"
  2038. },
  2039. {
  2040. "name": "GetSystemDirectoryA",
  2041. "address": "0x4070e4"
  2042. },
  2043. {
  2044. "name": "GetProcAddress",
  2045. "address": "0x4070e8"
  2046. },
  2047. {
  2048. "name": "GetExitCodeProcess",
  2049. "address": "0x4070ec"
  2050. },
  2051. {
  2052. "name": "WaitForSingleObject",
  2053. "address": "0x4070f0"
  2054. },
  2055. {
  2056. "name": "CompareFileTime",
  2057. "address": "0x4070f4"
  2058. },
  2059. {
  2060. "name": "SetFileAttributesA",
  2061. "address": "0x4070f8"
  2062. },
  2063. {
  2064. "name": "GetFileAttributesA",
  2065. "address": "0x4070fc"
  2066. },
  2067. {
  2068. "name": "GetShortPathNameA",
  2069. "address": "0x407100"
  2070. },
  2071. {
  2072. "name": "MoveFileA",
  2073. "address": "0x407104"
  2074. },
  2075. {
  2076. "name": "GetFullPathNameA",
  2077. "address": "0x407108"
  2078. },
  2079. {
  2080. "name": "SetFileTime",
  2081. "address": "0x40710c"
  2082. },
  2083. {
  2084. "name": "SearchPathA",
  2085. "address": "0x407110"
  2086. },
  2087. {
  2088. "name": "CloseHandle",
  2089. "address": "0x407114"
  2090. },
  2091. {
  2092. "name": "lstrcmpiA",
  2093. "address": "0x407118"
  2094. },
  2095. {
  2096. "name": "CreateThread",
  2097. "address": "0x40711c"
  2098. },
  2099. {
  2100. "name": "GlobalLock",
  2101. "address": "0x407120"
  2102. },
  2103. {
  2104. "name": "lstrcmpA",
  2105. "address": "0x407124"
  2106. },
  2107. {
  2108. "name": "FindFirstFileA",
  2109. "address": "0x407128"
  2110. },
  2111. {
  2112. "name": "FindNextFileA",
  2113. "address": "0x40712c"
  2114. },
  2115. {
  2116. "name": "DeleteFileA",
  2117. "address": "0x407130"
  2118. },
  2119. {
  2120. "name": "SetFilePointer",
  2121. "address": "0x407134"
  2122. },
  2123. {
  2124. "name": "GetPrivateProfileStringA",
  2125. "address": "0x407138"
  2126. },
  2127. {
  2128. "name": "FindClose",
  2129. "address": "0x40713c"
  2130. },
  2131. {
  2132. "name": "MultiByteToWideChar",
  2133. "address": "0x407140"
  2134. },
  2135. {
  2136. "name": "FreeLibrary",
  2137. "address": "0x407144"
  2138. },
  2139. {
  2140. "name": "MulDiv",
  2141. "address": "0x407148"
  2142. },
  2143. {
  2144. "name": "WritePrivateProfileStringA",
  2145. "address": "0x40714c"
  2146. },
  2147. {
  2148. "name": "LoadLibraryExA",
  2149. "address": "0x407150"
  2150. },
  2151. {
  2152. "name": "GetModuleHandleA",
  2153. "address": "0x407154"
  2154. },
  2155. {
  2156. "name": "GlobalAlloc",
  2157. "address": "0x407158"
  2158. },
  2159. {
  2160. "name": "GlobalFree",
  2161. "address": "0x40715c"
  2162. },
  2163. {
  2164. "name": "ExpandEnvironmentStringsA",
  2165. "address": "0x407160"
  2166. }
  2167. ],
  2168. "dll": "KERNEL32.dll"
  2169. },
  2170. {
  2171. "imports": [
  2172. {
  2173. "name": "ScreenToClient",
  2174. "address": "0x407184"
  2175. },
  2176. {
  2177. "name": "GetSystemMenu",
  2178. "address": "0x407188"
  2179. },
  2180. {
  2181. "name": "SetClassLongA",
  2182. "address": "0x40718c"
  2183. },
  2184. {
  2185. "name": "IsWindowEnabled",
  2186. "address": "0x407190"
  2187. },
  2188. {
  2189. "name": "SetWindowPos",
  2190. "address": "0x407194"
  2191. },
  2192. {
  2193. "name": "GetSysColor",
  2194. "address": "0x407198"
  2195. },
  2196. {
  2197. "name": "GetWindowLongA",
  2198. "address": "0x40719c"
  2199. },
  2200. {
  2201. "name": "SetCursor",
  2202. "address": "0x4071a0"
  2203. },
  2204. {
  2205. "name": "LoadCursorA",
  2206. "address": "0x4071a4"
  2207. },
  2208. {
  2209. "name": "CheckDlgButton",
  2210. "address": "0x4071a8"
  2211. },
  2212. {
  2213. "name": "GetMessagePos",
  2214. "address": "0x4071ac"
  2215. },
  2216. {
  2217. "name": "LoadBitmapA",
  2218. "address": "0x4071b0"
  2219. },
  2220. {
  2221. "name": "CallWindowProcA",
  2222. "address": "0x4071b4"
  2223. },
  2224. {
  2225. "name": "IsWindowVisible",
  2226. "address": "0x4071b8"
  2227. },
  2228. {
  2229. "name": "CloseClipboard",
  2230. "address": "0x4071bc"
  2231. },
  2232. {
  2233. "name": "SetClipboardData",
  2234. "address": "0x4071c0"
  2235. },
  2236. {
  2237. "name": "EmptyClipboard",
  2238. "address": "0x4071c4"
  2239. },
  2240. {
  2241. "name": "PostQuitMessage",
  2242. "address": "0x4071c8"
  2243. },
  2244. {
  2245. "name": "GetWindowRect",
  2246. "address": "0x4071cc"
  2247. },
  2248. {
  2249. "name": "EnableMenuItem",
  2250. "address": "0x4071d0"
  2251. },
  2252. {
  2253. "name": "CreatePopupMenu",
  2254. "address": "0x4071d4"
  2255. },
  2256. {
  2257. "name": "GetSystemMetrics",
  2258. "address": "0x4071d8"
  2259. },
  2260. {
  2261. "name": "SetDlgItemTextA",
  2262. "address": "0x4071dc"
  2263. },
  2264. {
  2265. "name": "GetDlgItemTextA",
  2266. "address": "0x4071e0"
  2267. },
  2268. {
  2269. "name": "MessageBoxIndirectA",
  2270. "address": "0x4071e4"
  2271. },
  2272. {
  2273. "name": "CharPrevA",
  2274. "address": "0x4071e8"
  2275. },
  2276. {
  2277. "name": "DispatchMessageA",
  2278. "address": "0x4071ec"
  2279. },
  2280. {
  2281. "name": "PeekMessageA",
  2282. "address": "0x4071f0"
  2283. },
  2284. {
  2285. "name": "ReleaseDC",
  2286. "address": "0x4071f4"
  2287. },
  2288. {
  2289. "name": "EnableWindow",
  2290. "address": "0x4071f8"
  2291. },
  2292. {
  2293. "name": "InvalidateRect",
  2294. "address": "0x4071fc"
  2295. },
  2296. {
  2297. "name": "SendMessageA",
  2298. "address": "0x407200"
  2299. },
  2300. {
  2301. "name": "DefWindowProcA",
  2302. "address": "0x407204"
  2303. },
  2304. {
  2305. "name": "BeginPaint",
  2306. "address": "0x407208"
  2307. },
  2308. {
  2309. "name": "GetClientRect",
  2310. "address": "0x40720c"
  2311. },
  2312. {
  2313. "name": "FillRect",
  2314. "address": "0x407210"
  2315. },
  2316. {
  2317. "name": "DrawTextA",
  2318. "address": "0x407214"
  2319. },
  2320. {
  2321. "name": "EndDialog",
  2322. "address": "0x407218"
  2323. },
  2324. {
  2325. "name": "RegisterClassA",
  2326. "address": "0x40721c"
  2327. },
  2328. {
  2329. "name": "SystemParametersInfoA",
  2330. "address": "0x407220"
  2331. },
  2332. {
  2333. "name": "CreateWindowExA",
  2334. "address": "0x407224"
  2335. },
  2336. {
  2337. "name": "GetClassInfoA",
  2338. "address": "0x407228"
  2339. },
  2340. {
  2341. "name": "DialogBoxParamA",
  2342. "address": "0x40722c"
  2343. },
  2344. {
  2345. "name": "CharNextA",
  2346. "address": "0x407230"
  2347. },
  2348. {
  2349. "name": "ExitWindowsEx",
  2350. "address": "0x407234"
  2351. },
  2352. {
  2353. "name": "GetDC",
  2354. "address": "0x407238"
  2355. },
  2356. {
  2357. "name": "CreateDialogParamA",
  2358. "address": "0x40723c"
  2359. },
  2360. {
  2361. "name": "SetTimer",
  2362. "address": "0x407240"
  2363. },
  2364. {
  2365. "name": "GetDlgItem",
  2366. "address": "0x407244"
  2367. },
  2368. {
  2369. "name": "SetWindowLongA",
  2370. "address": "0x407248"
  2371. },
  2372. {
  2373. "name": "SetForegroundWindow",
  2374. "address": "0x40724c"
  2375. },
  2376. {
  2377. "name": "LoadImageA",
  2378. "address": "0x407250"
  2379. },
  2380. {
  2381. "name": "IsWindow",
  2382. "address": "0x407254"
  2383. },
  2384. {
  2385. "name": "SendMessageTimeoutA",
  2386. "address": "0x407258"
  2387. },
  2388. {
  2389. "name": "FindWindowExA",
  2390. "address": "0x40725c"
  2391. },
  2392. {
  2393. "name": "OpenClipboard",
  2394. "address": "0x407260"
  2395. },
  2396. {
  2397. "name": "TrackPopupMenu",
  2398. "address": "0x407264"
  2399. },
  2400. {
  2401. "name": "AppendMenuA",
  2402. "address": "0x407268"
  2403. },
  2404. {
  2405. "name": "EndPaint",
  2406. "address": "0x40726c"
  2407. },
  2408. {
  2409. "name": "DestroyWindow",
  2410. "address": "0x407270"
  2411. },
  2412. {
  2413. "name": "wsprintfA",
  2414. "address": "0x407274"
  2415. },
  2416. {
  2417. "name": "ShowWindow",
  2418. "address": "0x407278"
  2419. },
  2420. {
  2421. "name": "SetWindowTextA",
  2422. "address": "0x40727c"
  2423. }
  2424. ],
  2425. "dll": "USER32.dll"
  2426. },
  2427. {
  2428. "imports": [
  2429. {
  2430. "name": "SelectObject",
  2431. "address": "0x40704c"
  2432. },
  2433. {
  2434. "name": "SetBkMode",
  2435. "address": "0x407050"
  2436. },
  2437. {
  2438. "name": "CreateFontIndirectA",
  2439. "address": "0x407054"
  2440. },
  2441. {
  2442. "name": "SetTextColor",
  2443. "address": "0x407058"
  2444. },
  2445. {
  2446. "name": "DeleteObject",
  2447. "address": "0x40705c"
  2448. },
  2449. {
  2450. "name": "GetDeviceCaps",
  2451. "address": "0x407060"
  2452. },
  2453. {
  2454. "name": "CreateBrushIndirect",
  2455. "address": "0x407064"
  2456. },
  2457. {
  2458. "name": "SetBkColor",
  2459. "address": "0x407068"
  2460. }
  2461. ],
  2462. "dll": "GDI32.dll"
  2463. },
  2464. {
  2465. "imports": [
  2466. {
  2467. "name": "SHGetSpecialFolderLocation",
  2468. "address": "0x407168"
  2469. },
  2470. {
  2471. "name": "ShellExecuteExA",
  2472. "address": "0x40716c"
  2473. },
  2474. {
  2475. "name": "SHGetPathFromIDListA",
  2476. "address": "0x407170"
  2477. },
  2478. {
  2479. "name": "SHBrowseForFolderA",
  2480. "address": "0x407174"
  2481. },
  2482. {
  2483. "name": "SHGetFileInfoA",
  2484. "address": "0x407178"
  2485. },
  2486. {
  2487. "name": "SHFileOperationA",
  2488. "address": "0x40717c"
  2489. }
  2490. ],
  2491. "dll": "SHELL32.dll"
  2492. },
  2493. {
  2494. "imports": [
  2495. {
  2496. "name": "AdjustTokenPrivileges",
  2497. "address": "0x407000"
  2498. },
  2499. {
  2500. "name": "RegCreateKeyExA",
  2501. "address": "0x407004"
  2502. },
  2503. {
  2504. "name": "RegOpenKeyExA",
  2505. "address": "0x407008"
  2506. },
  2507. {
  2508. "name": "SetFileSecurityA",
  2509. "address": "0x40700c"
  2510. },
  2511. {
  2512. "name": "OpenProcessToken",
  2513. "address": "0x407010"
  2514. },
  2515. {
  2516. "name": "LookupPrivilegeValueA",
  2517. "address": "0x407014"
  2518. },
  2519. {
  2520. "name": "RegEnumValueA",
  2521. "address": "0x407018"
  2522. },
  2523. {
  2524. "name": "RegDeleteKeyA",
  2525. "address": "0x40701c"
  2526. },
  2527. {
  2528. "name": "RegDeleteValueA",
  2529. "address": "0x407020"
  2530. },
  2531. {
  2532. "name": "RegCloseKey",
  2533. "address": "0x407024"
  2534. },
  2535. {
  2536. "name": "RegSetValueExA",
  2537. "address": "0x407028"
  2538. },
  2539. {
  2540. "name": "RegQueryValueExA",
  2541. "address": "0x40702c"
  2542. },
  2543. {
  2544. "name": "RegEnumKeyA",
  2545. "address": "0x407030"
  2546. }
  2547. ],
  2548. "dll": "ADVAPI32.dll"
  2549. },
  2550. {
  2551. "imports": [
  2552. {
  2553. "name": "ImageList_Create",
  2554. "address": "0x407038"
  2555. },
  2556. {
  2557. "name": "ImageList_AddMasked",
  2558. "address": "0x40703c"
  2559. },
  2560. {
  2561. "name": "ImageList_Destroy",
  2562. "address": "0x407040"
  2563. },
  2564. {
  2565. "name": null,
  2566. "address": "0x407044"
  2567. }
  2568. ],
  2569. "dll": "COMCTL32.dll"
  2570. },
  2571. {
  2572. "imports": [
  2573. {
  2574. "name": "OleUninitialize",
  2575. "address": "0x407284"
  2576. },
  2577. {
  2578. "name": "OleInitialize",
  2579. "address": "0x407288"
  2580. },
  2581. {
  2582. "name": "CoTaskMemFree",
  2583. "address": "0x40728c"
  2584. },
  2585. {
  2586. "name": "CoCreateInstance",
  2587. "address": "0x407290"
  2588. }
  2589. ],
  2590. "dll": "ole32.dll"
  2591. }
  2592. ],
  2593. "digital_signers": null,
  2594. "exported_dll_name": null,
  2595. "actual_checksum": "0x0027b04c",
  2596. "overlay": {
  2597. "size": "0x0025b058",
  2598. "offset": "0x00019000"
  2599. },
  2600. "imagebase": "0x00400000",
  2601. "reported_checksum": "0x0027b04c",
  2602. "icon_hash": null,
  2603. "entrypoint": "0x004031d6",
  2604. "timestamp": "2018-12-15 22:24:22",
  2605. "osversion": "4.0",
  2606. "sections": [
  2607. {
  2608. "name": ".text",
  2609. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  2610. "virtual_address": "0x00001000",
  2611. "size_of_data": "0x00006000",
  2612. "entropy": "6.45",
  2613. "raw_address": "0x00000400",
  2614. "virtual_size": "0x00005f0d",
  2615. "characteristics_raw": "0x60000020"
  2616. },
  2617. {
  2618. "name": ".rdata",
  2619. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2620. "virtual_address": "0x00007000",
  2621. "size_of_data": "0x00001400",
  2622. "entropy": "5.00",
  2623. "raw_address": "0x00006400",
  2624. "virtual_size": "0x00001250",
  2625. "characteristics_raw": "0x40000040"
  2626. },
  2627. {
  2628. "name": ".data",
  2629. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2630. "virtual_address": "0x00009000",
  2631. "size_of_data": "0x00000400",
  2632. "entropy": "5.13",
  2633. "raw_address": "0x00007800",
  2634. "virtual_size": "0x0001a818",
  2635. "characteristics_raw": "0xc0000040"
  2636. },
  2637. {
  2638. "name": ".ndata",
  2639. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2640. "virtual_address": "0x00024000",
  2641. "size_of_data": "0x00000000",
  2642. "entropy": "0.00",
  2643. "raw_address": "0x00000000",
  2644. "virtual_size": "0x00009000",
  2645. "characteristics_raw": "0xc0000080"
  2646. },
  2647. {
  2648. "name": ".rsrc",
  2649. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2650. "virtual_address": "0x0002d000",
  2651. "size_of_data": "0x00011400",
  2652. "entropy": "1.13",
  2653. "raw_address": "0x00007c00",
  2654. "virtual_size": "0x000112b8",
  2655. "characteristics_raw": "0x40000040"
  2656. }
  2657. ],
  2658. "resources": [],
  2659. "dirents": [
  2660. {
  2661. "virtual_address": "0x00000000",
  2662. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2663. "size": "0x00000000"
  2664. },
  2665. {
  2666. "virtual_address": "0x00007430",
  2667. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2668. "size": "0x000000a0"
  2669. },
  2670. {
  2671. "virtual_address": "0x0002d000",
  2672. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2673. "size": "0x000112b8"
  2674. },
  2675. {
  2676. "virtual_address": "0x00000000",
  2677. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2678. "size": "0x00000000"
  2679. },
  2680. {
  2681. "virtual_address": "0x00272c88",
  2682. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2683. "size": "0x000013d0"
  2684. },
  2685. {
  2686. "virtual_address": "0x00000000",
  2687. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2688. "size": "0x00000000"
  2689. },
  2690. {
  2691. "virtual_address": "0x00000000",
  2692. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2693. "size": "0x00000000"
  2694. },
  2695. {
  2696. "virtual_address": "0x00000000",
  2697. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2698. "size": "0x00000000"
  2699. },
  2700. {
  2701. "virtual_address": "0x00000000",
  2702. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2703. "size": "0x00000000"
  2704. },
  2705. {
  2706. "virtual_address": "0x00000000",
  2707. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2708. "size": "0x00000000"
  2709. },
  2710. {
  2711. "virtual_address": "0x00000000",
  2712. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2713. "size": "0x00000000"
  2714. },
  2715. {
  2716. "virtual_address": "0x00000000",
  2717. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2718. "size": "0x00000000"
  2719. },
  2720. {
  2721. "virtual_address": "0x00007000",
  2722. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2723. "size": "0x00000298"
  2724. },
  2725. {
  2726. "virtual_address": "0x00000000",
  2727. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2728. "size": "0x00000000"
  2729. },
  2730. {
  2731. "virtual_address": "0x00000000",
  2732. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2733. "size": "0x00000000"
  2734. },
  2735. {
  2736. "virtual_address": "0x00000000",
  2737. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2738. "size": "0x00000000"
  2739. }
  2740. ],
  2741. "exports": [],
  2742. "guest_signers": {},
  2743. "imphash": "3abe302b6d9a1256e6a915429af4ffd2",
  2744. "icon_fuzzy": null,
  2745. "icon": null,
  2746. "pdbpath": null,
  2747. "imported_dll_count": 7,
  2748. "versioninfo": []
  2749. }
  2750. }