- [*] MalFamily: "Icedid"
- [*] MalScore: 10.0
- [*] File Name: "Exes_a36b52c9b4a33691b5caa7809525858c.jpg"
- [*] File Size: 65536
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "18f32d000404292cfdb95fade8e5138af87377240fdd37b0d21bf460d5ea0f63"
- [*] MD5: "a36b52c9b4a33691b5caa7809525858c"
- [*] SHA1: "f308a4293eafd2f97435476559e4967ce76bb154"
- [*] SHA512: "7ba550118563147f12165ab32e361ede93e8b5bb9aa0a9f44a11c46b25c8aedcff80aaf916f66fc440a4da48cc412813d721c1f0838ab984726d7e2963b26f8a"
- [*] CRC32: "F383820B"
- [*] SSDEEP: "1536:2wZCkwcab1ULG6I1OGYKsTDecmIeP3Xlm85ppm21Owk:2db1FN1DYKsPUIOXlmglOwk"
- [*] Process Execution: [
- "Exes_a36b52c9b4a33691b5caa7809525858c.jpg",
- "Exes_a36b52c9b4a33691b5caa7809525858c.jpg",
- "Exes_a36b52c9b4a33691b5caa7809525858c.jpg",
- "Exes_a36b52c9b4a33691b5caa7809525858c.jpg",
- "svchost.exe",
- "meaykdxuvtfy.exe",
- "cmd.exe",
- "powershell.exe",
- "svchost.exe",
- "svchost.exe",
- "reayx.exe",
- "cmd.exe",
- "powershell.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "powershell.exe",
- "teayx.exe",
- "cmd.exe",
- "powershell.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "sc.exe",
- "svchost.exe",
- "fykqg.exe",
- "fykqg.exe",
- "cmd.exe",
- "timeout.exe",
- "svchost.exe",
- "svchost.exe",
- "services.exe",
- "svchost.exe",
- "WMIADAP.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "msoia.exe",
- "lsass.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details": [
- {
- "process": "cmd.exe, PID 2252"
- }
- ]
- },
- {
- "Description": "A process attempted to delay the analysis task.",
- "Details": [
- {
- "Process": "svchost.exe tried to sleep 1353 seconds, actually delayed analysis time by 0 seconds"
- },
- {
- "Process": "WmiPrvSE.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "Attempts to connect to a dead IP:Port (259 unique times)",
- "Details": [
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "93.189.149.176:443"
- },
- {
- "IP": "141.255.166.157:443"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "185.143.145.90:443"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "205.185.216.10:80"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- },
- {
- "IP": "169.254.255.254:445"
- }
- ]
- },
- {
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details": [
- {
- "ioc": "mechangerous.space"
- },
- {
- "ioc": "bandstreat.pro"
- },
- {
- "ioc": "rolescene.xyz"
- },
- {
- "ioc": "therlanding.xyz"
- },
- {
- "ioc": "saudienter.pw"
- },
- {
- "ioc": "forsynanchyv.com"
- },
- {
- "ioc": "hipponexunam.org"
- },
- {
- "ioc": "charactic.pro"
- },
- {
- "ioc": "egainvisit.pw"
- },
- {
- "ioc": "thussailled.pw"
- },
- {
- "ioc": "tradication.pw"
- },
- {
- "ioc": "minoriticipal.pw"
- },
- {
- "ioc": "seconominist.com"
- },
- {
- "ioc": "importional.com"
- }
- ]
- },
- {
- "Description": "Starts servers listening on 127.0.0.1:63953",
- "Details": []
- },
- {
- "Description": "Expresses interest in specific running processes",
- "Details": [
- {
- "process": "lsass.exe"
- }
- ]
- },
- {
- "Description": "A process created a hidden window",
- "Details": [
- {
- "Process": "Exes_a36b52c9b4a33691b5caa7809525858c.jpg -> C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a36b52c9b4a33691b5caa7809525858c.jpg"
- },
- {
- "Process": "Exes_a36b52c9b4a33691b5caa7809525858c.jpg -> C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a36b52c9b4a33691b5caa7809525858c.jpg"
- },
- {
- "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
- },
- {
- "Process": "reayx.exe -> cmd"
- },
- {
- "Process": "reayx.exe -> cmd"
- },
- {
- "Process": "reayx.exe -> cmd"
- },
- {
- "Process": "fykqg.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe"
- },
- {
- "Process": "fykqg.exe -> cmd.exe cmd.exe /c timeout 1 && del C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe\""
- },
- {
- "Process": "teayx.exe -> cmd"
- },
- {
- "Process": "teayx.exe -> cmd"
- },
- {
- "Process": "teayx.exe -> cmd"
- }
- ]
- },
- {
- "Description": "Drops a binary and executes it",
- "Details": [
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe"
- },
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\reayx.exe"
- },
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe"
- },
- {
- "binary": "C:\\Users\\user\\AppData\\Roaming\\diskram\\teayx.exe"
- }
- ]
- },
- {
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details": [
- {
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- },
- {
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- },
- {
- "suspicious_request": "http://91.235.129.55/Tini86_cr.exe"
- },
- {
- "suspicious_request": "http://91.235.129.55/SWKLPFVBDX.exe"
- },
- {
- "suspicious_request": "http://91.235.129.55/tin.exe"
- },
- {
- "suspicious_request": "http://91.235.129.55/sin.png"
- },
- {
- "suspicious_request": "http://thussailled.pw/data2.php?AC4DF4415831AF68"
- },
- {
- "suspicious_request": "http://91.235.129.55/tin.png"
- },
- {
- "suspicious_request": "http://91.235.129.55/win.png"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
- },
- {
- "url": "http://91.235.129.55/Tini86_cr.exe"
- },
- {
- "url": "http://91.235.129.55/SWKLPFVBDX.exe"
- },
- {
- "url": "http://91.235.129.55/tin.exe"
- },
- {
- "url": "http://91.235.129.55/sin.png"
- },
- {
- "url": "http://thussailled.pw/data2.php?AC4DF4415831AF68"
- },
- {
- "url": "http://91.235.129.55/tin.png"
- },
- {
- "url": "http://91.235.129.55/win.png"
- }
- ]
- },
- {
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details": [
- {
- "Injection": "Exes_a36b52c9b4a33691b5caa7809525858c.jpg(1464) -> Exes_a36b52c9b4a33691b5caa7809525858c.jpg(2208)"
- }
- ]
- },
- {
- "Description": "Attempts to stop active services",
- "Details": [
- {
- "servicename": "WinDefend"
- }
- ]
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 4574800 times"
- }
- ]
- },
- {
- "Description": "Steals private information from local Internet browsers",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick[1].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising[1].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google[4].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google[1].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Web Data"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media[2].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch[2].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn[2].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn[1].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing[2].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift[1].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Chromium\\User Data\\Default\\Web Data"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google[3].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn[2].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Chromium\\User Data\\Default\\Login Data"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola[2].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing[2].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google[1].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google[5].txt"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Login Data"
- }
- ]
- },
- {
- "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process",
- "Details": [
- {
- "modified_name": "svchost.exe",
- "modified_path": "C:\\Users\\user\\AppData\\Roaming\\diskram\\teayx.exe",
- "original_name": "svchost.exe",
- "original_path": "C:\\Windows\\system32\\svchost.exe"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12ade02.TMP"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b38b5.TMP"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF12b7a32.TMP"
- }
- ]
- },
- {
- "Description": "File has been identified by 36 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "FireEye": "Generic.mg.a36b52c9b4a33691"
- },
- {
- "McAfee": "RDN/Generic.cf"
- },
- {
- "Malwarebytes": "Trojan.Banker"
- },
- {
- "CrowdStrike": "win/malicious_confidence_60% (D)"
- },
- {
- "Alibaba": "TrojanBanker:Win32/IcedID.ae58612b"
- },
- {
- "NANO-Antivirus": "Trojan.Win32.IcedID.frqgbq"
- },
- {
- "Symantec": "Trojan.Gen.MBT"
- },
- {
- "ESET-NOD32": "a variant of Win32/GenKryptik.DLAC"
- },
- {
- "APEX": "Malicious"
- },
- {
- "Avast": "Win32:Malware-gen"
- },
- {
- "Kaspersky": "Trojan-Banker.Win32.IcedID.tsxr"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "Tencent": "Win32.Trojan.Inject.Auto"
- },
- {
- "Endgame": "malicious (high confidence)"
- },
- {
- "Emsisoft": "Trojan-Banker.Trickster (A)"
- },
- {
- "Comodo": "TrojWare.Win32.IcedID.VP@896nhl"
- },
- {
- "F-Secure": "Trojan.TR/AD.IcedId.guhcl"
- },
- {
- "DrWeb": "Trojan.Inject3.17374"
- },
- {
- "Zillya": "Trojan.GenKryptik.Win32.31136"
- },
- {
- "McAfee-GW-Edition": "RDN/Generic.cf"
- },
- {
- "Sophos": "Mal/Generic-S"
- },
- {
- "Webroot": "W32.Adware.Gen"
- },
- {
- "Avira": "TR/AD.IcedId.guhcl"
- },
- {
- "Antiy-AVL": "Trojan[Banker]/Win32.IcedID"
- },
- {
- "Microsoft": "Trojan:Win32/Tiggre!plock"
- },
- {
- "ZoneAlarm": "Trojan-Banker.Win32.IcedID.tsxr"
- },
- {
- "GData": "Win32.Trojan.Agent.O3FHA9"
- },
- {
- "AhnLab-V3": "Malware/Win32.Generic.C3294845"
- },
- {
- "Acronis": "suspicious"
- },
- {
- "VBA32": "BScope.Trojan.Iceid"
- },
- {
- "TrendMicro-HouseCall": "TROJ_GEN.R03BC0PFL19"
- },
- {
- "Rising": "Trojan.GenKryptik!8.AA55 (CLOUD)"
- },
- {
- "Ikarus": "Trojan.Win32.Trickbot"
- },
- {
- "Fortinet": "W32/Kryptik.GUBD!tr"
- },
- {
- "AVG": "Win32:Malware-gen"
- },
- {
- "Panda": "Trj/GdSda.A"
- }
- ]
- },
- {
- "Description": "Attempts to disable Windows Defender",
- "Details": []
- },
- {
- "Description": "Harvests information related to installed mail clients",
- "Details": [
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\11.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\13.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- }
- ]
- },
- {
- "Description": "Creates a slightly modified copy of itself",
- "Details": [
- {
- "file": "C:\\ProgramData\\{D62673F0-37F0-46DA-BFC0-5B9596B01F09}\\{562673F1-37F1-46DA-BFC1-5B959AB01F09}\\jaykd.exe"
- },
- {
- "percent_match": 97
- }
- ]
- },
- {
- "Description": "Created network traffic indicative of malicious activity",
- "Details": [
- {
- "signature": "ET DNS Query to a *.pw domain - Likely Hostile"
- },
- {
- "signature": "ET TROJAN Observed Malicious SSL Cert (IcedID CnC)"
- },
- {
- "signature": "ET TROJAN IcedID WebSocket Request"
- },
- {
- "signature": "ET USER_AGENTS Suspicious User-Agent (contains loader)"
- },
- {
- "signature": "ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"
- }
- ]
- }
- ]
- [*] Started Service: [
- "VaultSvc"
- ]
- [*] Executed Commands: [
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a36b52c9b4a33691b5caa7809525858c.jpg\"",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a36b52c9b4a33691b5caa7809525858c.jpg\" -q=3495182083",
- "C:\\Windows\\system32\\svchost.exe",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe\"",
- "svchost.exe",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\reayx.exe\"",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe\"",
- "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
- "taskeng.exe {ECF6766C-2A67-4495-AB29-07508A8B88E1} S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe {EF0E2588-90B9-412E-A552-5B4B15D00033} S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:[1]",
- "C:\\Windows\\system32\\cmd.exe /C PowerShell \"Start-Sleep 10; Remove-Item C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe\"",
- "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
- "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
- "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend",
- "cmd /c sc stop WinDefend",
- "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend",
- "cmd /c sc delete WinDefend",
- "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend",
- "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend",
- "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
- "C:\\Users\\user\\AppData\\Roaming\\diskram\\teayx.exe",
- "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
- "sc stop WinDefend",
- "sc delete WinDefend",
- "cmd.exe cmd.exe /c timeout 1 && del C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe\"",
- "timeout 1",
- "C:\\Windows\\system32\\lsass.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe PowerShell \"Start-Sleep 10; Remove-Item C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe\"",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
- ]
- [*] Mutexes: [
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\838B6C9EB27932960",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- ]
- [*] Modified Files: [
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
- "C:\\ProgramData\\{D62673F0-37F0-46DA-BFC0-5B9596B01F09}\\{562673F1-37F1-46DA-BFC1-5B959AB01F09}\\jaykd.exe",
- "\\??\\PIPE\\wkssvc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CabCB27.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\TarCB28.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CabCBF4.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\TarCBF5.tmp",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CabCEC5.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\TarCEC6.tmp",
- "C:\\ProgramData\\xuicz\\bwwwjneb.dat",
- "C:\\ProgramData\\xuicz\\reayxhec.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe",
- "C:\\ProgramData\\xuicz\\vgoshzcb.dat",
- "C:\\ProgramData\\xuicz\\losuvtcc.dat",
- "C:\\ProgramData\\xuicz\\zicmrrbc.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\reayx.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe",
- "C:\\ProgramData\\xuicz\\pqgoflgc.dat",
- "C:\\ProgramData\\xuicz\\hmealbdb.dat",
- "C:\\Windows\\sysnative\\Tasks\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}",
- "\\Device\\LanmanDatagramReceiver",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "C:\\Windows\\sysnative\\Tasks\\BrowserDatStorage",
- "\\??\\PIPE\\srvsvc",
- "C:\\Windows\\sysnative\\Tasks\\MNU Net libraries",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "\\??\\PIPE\\browser",
- "C:\\Users\\user\\AppData\\Local\\Temp\\AC4DF441.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\diskram\\teayx.exe",
- "C:\\Windows\\sysnative\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\13KJKCMY2LWCHOD40HJV.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12ade02.TMP",
- "C:\\Windows\\SysWOW64\\log_install.tmp",
- "\\??\\PIPE\\DAV RPC SERVICE",
- "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\A6YPJ2CZOO169M663GHM.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
- "C:\\Users\\user\\AppData\\Roaming\\diskram\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\QMFTAW2QICMY2DNPY213.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b38b5.TMP",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CabFFD3.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\TarFFD4.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\sqlite3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\reayx.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\reayxh.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\reaykd.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\ipqgbwj.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\qtsuicz.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\wjayxhzv.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\czicmrrr.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\vtsuvgosh.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\vtsuicmea.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\npqgbjayxu.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\dxuiczicme.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\wwjalofyxhm.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\kqtsuipqgbj.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\menczvtshzic.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\qgbwwjncmren.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\fyxuv.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\bwjay.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\jalofl.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\hmreal.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\gbjalof.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\yxhmeal.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\czvgbjnp.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\albwwjnp.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\vtfyxuicm.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\hzvgosuip.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\rrrenpqgos.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\pdxuipqgbj.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\cmenpqtsuvg.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\osuvgofyxui.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\uiczvtfykdxu.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\wwwjalbwjayx.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tsuvt.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\ziczi.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\hmenpd.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\ncmren.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\kdkdxuv.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\mrencmr.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\ipqtflbj.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\mrenczvt.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\npqtfykqt.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\vtshmeayk.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\zvgbjncmrr.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\pdkdkdkqgb.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\iczvtshmren.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\ealbwwjaykq.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\wwjnpdxuvgbw.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\qgbjalbwwwja.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\bwjnp.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\zipdk.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\xuvtfl.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\pqtfyx.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\shzvtsh.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\ipdxuip.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\gbjnpdxh.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\kdxhmrrr.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\vtflbwwww.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\jnpdkqgof.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\QW90F9X06C112UFDY56Y.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF12b7a32.TMP",
- "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h",
- "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h",
- "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.ini",
- "\\??\\WMIDataDevice",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\CabCB27.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\TarCB28.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CabCBF4.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\TarCBF5.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CabCEC5.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\TarCEC6.tmp",
- "C:\\Windows\\Tasks\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}.job",
- "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
- "C:\\Windows\\Tasks\\BrowserDatStorage.job",
- "C:\\Windows\\Tasks\\MNU Net libraries.job",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12ade02.TMP",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1936.19586921",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1936.19586921",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1936.19586921",
- "C:\\Windows\\System32\\log_install.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\A6YPJ2CZOO169M663GHM.temp",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2644.19608968",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2644.19608968",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2644.19608968",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF12b38b5.TMP",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.852.19609859",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.852.19609859",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.852.19609859",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CabFFD3.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\TarFFD4.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\reayx.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\osuvgofyxui.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\fykqg.exe",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF12b7a32.TMP",
- "C:\\Users\\user\\AppData\\Local\\Temp\\meaykdxuvtfy.exe",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2068.19626656",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2068.19626656",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2068.19626656",
- "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h",
- "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h"
- ]
- [*] Modified Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94DE636A-CEDF-4E97-888F-46B0B9CAAB47}\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94DE636A-CEDF-4E97-888F-46B0B9CAAB47}\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94DE636A-CEDF-4E97-888F-46B0B9CAAB47}\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94DE636A-CEDF-4E97-888F-46B0B9CAAB47}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{844E0DFC-7472-4CA9-96DC-9859ED19B312}\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{844E0DFC-7472-4CA9-96DC-9859ED19B312}\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\BrowserDatStorage\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\BrowserDatStorage\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{844E0DFC-7472-4CA9-96DC-9859ED19B312}\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{844E0DFC-7472-4CA9-96DC-9859ED19B312}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{C6CC84E0-74E0-4E01-AEB1-2B270F857772}\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{C6CC84E0-74E0-4E01-AEB1-2B270F857772}\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MNU Net libraries\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MNU Net libraries\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{C6CC84E0-74E0-4E01-AEB1-2B270F857772}\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{C6CC84E0-74E0-4E01-AEB1-2B270F857772}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{ECF6766C-2A67-4495-AB29-07508A8B88E1}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B17E070E-57E3-43F6-96F5-A9A9C921DEBF}\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{EF0E2588-90B9-412E-A552-5B4B15D00033}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{DF000DCA-3FA2-48A6-9E59-C0606F9F8D73}\\DynamicInfo",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection",
- "DisableNotifications",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-{00000000-0000-0000-0000-000000000000}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dll[MofResourceName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.mui[MofResourceName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sys[ACPIMOFResource]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.mui[ACPIMOFResource]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sys[MofResourceName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.mui[MofResourceName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sys[MofResource]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.mui[MofResource]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sys[HDAudioMofName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.mui[HDAudioMofName]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sys[PROCESSORWMI]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.mui[PROCESSORWMI]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYS[PortclsMof]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.mui[PortclsMof]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{ECF6766C-2A67-4495-AB29-07508A8B88E1}\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{EF0E2588-90B9-412E-A552-5B4B15D00033}\\data"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\{D6266B5F-EE5F-44B6-BEAC-5B0C0EB01EC5}.job.fp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\BrowserDatStorage.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\BrowserDatStorage.job.fp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\MNU Net libraries.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\MNU Net libraries.job.fp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]"
- ]
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "mozambiquest.pw",
- "answers": []
- },
- {
- "type": "A",
- "request": "ransmittend.club",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "summerch.xyz",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "ignorepairs.pro",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- },
- {
- "type": "A",
- "request": "consequencycle.pw",
- "answers": [
- {
- "data": "141.255.166.157",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "harbournal.club",
- "answers": [
- {
- "data": "141.255.166.157",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "thussailled.pw",
- "answers": [
- {
- "data": "141.255.166.157",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "tradication.pw",
- "answers": [
- {
- "data": "141.255.166.157",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "minoriticipal.pw",
- "answers": [
- {
- "data": "141.255.166.157",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "seconominist.com",
- "answers": [
- {
- "data": "93.189.149.176",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "importional.com",
- "answers": [
- {
- "data": "93.189.149.176",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "mechangerous.space",
- "answers": [
- {
- "data": "185.143.145.90",
- "type": "A"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "",
- "domain": "ransmittend.club"
- },
- {
- "ip": "",
- "domain": "ignorepairs.pro"
- },
- {
- "ip": "93.189.149.176",
- "domain": "mechangerous.space"
- },
- {
- "ip": "141.255.166.157",
- "domain": "thussailled.pw"
- },
- {
- "ip": "",
- "domain": "mozambiquest.pw"
- },
- {
- "ip": "141.255.166.157",
- "domain": "minoriticipal.pw"
- },
- {
- "ip": "141.255.166.157",
- "domain": "tradication.pw"
- },
- {
- "ip": "93.189.149.176",
- "domain": "seconominist.com"
- },
- {
- "ip": "",
- "domain": "summerch.xyz"
- },
- {
- "ip": "141.255.166.157",
- "domain": "consequencycle.pw"
- },
- {
- "ip": "141.255.166.157",
- "domain": "harbournal.club"
- },
- {
- "ip": "93.189.149.176",
- "domain": "importional.com"
- }
- ]
- [*] Network Communication - ICMP: [
- {
- "src": "91.197.184.246",
- "dst": "169.254.255.254",
- "type": 3,
- "data": ""
- },
- {
- "src": "91.197.184.246",
- "dst": "169.254.255.254",
- "type": 3,
- "data": ""
- },
- {
- "src": "91.197.184.246",
- "dst": "169.254.255.254",
- "type": 3,
- "data": ""
- }
- ]
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "www.download.windowsupdate.com",
- "version": "1.1",
- "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86403\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Feb 2019 16:53:13 GMT\r\nIf-None-Match: \"80e22c19cfcad41:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://91.235.129.55/Tini86_cr.exe",
- "user-agent": "",
- "method": "GET",
- "host": "91.235.129.55",
- "version": "1.1",
- "path": "/Tini86_cr.exe",
- "data": "GET /Tini86_cr.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://91.235.129.55/SWKLPFVBDX.exe",
- "user-agent": "",
- "method": "GET",
- "host": "91.235.129.55",
- "version": "1.1",
- "path": "/SWKLPFVBDX.exe",
- "data": "GET /SWKLPFVBDX.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://91.235.129.55/tin.exe",
- "user-agent": "",
- "method": "GET",
- "host": "91.235.129.55",
- "version": "1.1",
- "path": "/tin.exe",
- "data": "GET /tin.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://91.235.129.55/sin.png",
- "user-agent": "",
- "method": "GET",
- "host": "91.235.129.55",
- "version": "1.1",
- "path": "/sin.png",
- "data": "GET /sin.png HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://thussailled.pw/data2.php?AC4DF4415831AF68",
- "user-agent": "",
- "method": "GET",
- "host": "thussailled.pw",
- "version": "1.1",
- "path": "/data2.php?AC4DF4415831AF68",
- "data": "GET /data2.php?AC4DF4415831AF68 HTTP/1.1\r\nHost: thussailled.pw\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://91.235.129.55/tin.png",
- "user-agent": "WinHTTP loader/1.0",
- "method": "GET",
- "host": "91.235.129.55",
- "version": "1.1",
- "path": "/tin.png",
- "data": "GET /tin.png HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nUser-Agent: WinHTTP loader/1.0\r\nHost: 91.235.129.55\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://91.235.129.55/sin.png",
- "user-agent": "WinHTTP loader/1.0",
- "method": "GET",
- "host": "91.235.129.55",
- "version": "1.1",
- "path": "/sin.png",
- "data": "GET /sin.png HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nUser-Agent: WinHTTP loader/1.0\r\nHost: 91.235.129.55\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://91.235.129.55/win.png",
- "user-agent": "",
- "method": "GET",
- "host": "91.235.129.55",
- "version": "1.1",
- "path": "/win.png",
- "data": "GET /win.png HTTP/1.1\r\nConnection: Keep-Alive\r\nHost: 91.235.129.55\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "VirtualAlloc",
- "address": "0x40505c"
- },
- {
- "name": "InterlockedCompareExchange",
- "address": "0x405060"
- },
- {
- "name": "GetStartupInfoA",
- "address": "0x405064"
- },
- {
- "name": "TerminateProcess",
- "address": "0x405068"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x40506c"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x405070"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x405074"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x405078"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x40507c"
- },
- {
- "name": "GetTickCount",
- "address": "0x405080"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x405084"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x405088"
- },
- {
- "name": "GetCurrentDirectoryA",
- "address": "0x40508c"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x405090"
- },
- {
- "name": "Sleep",
- "address": "0x405094"
- },
- {
- "name": "LoadLibraryW",
- "address": "0x405098"
- },
- {
- "name": "GetProcAddress",
- "address": "0x40509c"
- },
- {
- "name": "CreateFileMappingW",
- "address": "0x4050a0"
- },
- {
- "name": "MapViewOfFile",
- "address": "0x4050a4"
- },
- {
- "name": "InterlockedExchange",
- "address": "0x4050a8"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x4050ac"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "LoadImageA",
- "address": "0x405174"
- },
- {
- "name": "GetDC",
- "address": "0x405178"
- },
- {
- "name": "UpdateWindow",
- "address": "0x40517c"
- },
- {
- "name": "SetWindowRgn",
- "address": "0x405180"
- },
- {
- "name": "MoveWindow",
- "address": "0x405184"
- },
- {
- "name": "GetWindowRgn",
- "address": "0x405188"
- },
- {
- "name": "DrawIconEx",
- "address": "0x40518c"
- },
- {
- "name": "GetClientRect",
- "address": "0x405190"
- },
- {
- "name": "GetWindowTextA",
- "address": "0x405194"
- },
- {
- "name": "DestroyIcon",
- "address": "0x405198"
- },
- {
- "name": "EndPaint",
- "address": "0x40519c"
- },
- {
- "name": "BeginPaint",
- "address": "0x4051a0"
- },
- {
- "name": "SetCapture",
- "address": "0x4051a4"
- },
- {
- "name": "SendMessageA",
- "address": "0x4051a8"
- },
- {
- "name": "GetParent",
- "address": "0x4051ac"
- },
- {
- "name": "GetWindowLongA",
- "address": "0x4051b0"
- },
- {
- "name": "ReleaseCapture",
- "address": "0x4051b4"
- },
- {
- "name": "GetWindowRect",
- "address": "0x4051b8"
- },
- {
- "name": "SetWindowLongA",
- "address": "0x4051bc"
- },
- {
- "name": "CreateDialogParamA",
- "address": "0x4051c0"
- },
- {
- "name": "GetDlgItem",
- "address": "0x4051c4"
- },
- {
- "name": "ReleaseDC",
- "address": "0x4051c8"
- },
- {
- "name": "PostQuitMessage",
- "address": "0x4051cc"
- },
- {
- "name": "MessageBoxA",
- "address": "0x4051d0"
- },
- {
- "name": "DefWindowProcA",
- "address": "0x4051d4"
- },
- {
- "name": "LoadCursorA",
- "address": "0x4051d8"
- },
- {
- "name": "LoadIconA",
- "address": "0x4051dc"
- },
- {
- "name": "RegisterClassA",
- "address": "0x4051e0"
- },
- {
- "name": "CreateWindowExA",
- "address": "0x4051e4"
- },
- {
- "name": "ShowWindow",
- "address": "0x4051e8"
- },
- {
- "name": "GetMessageA",
- "address": "0x4051ec"
- },
- {
- "name": "TranslateMessage",
- "address": "0x4051f0"
- },
- {
- "name": "DispatchMessageA",
- "address": "0x4051f4"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "CreateCompatibleBitmap",
- "address": "0x405000"
- },
- {
- "name": "GetRegionData",
- "address": "0x405004"
- },
- {
- "name": "DeleteDC",
- "address": "0x405008"
- },
- {
- "name": "DeleteObject",
- "address": "0x40500c"
- },
- {
- "name": "CombineRgn",
- "address": "0x405010"
- },
- {
- "name": "CreateRectRgn",
- "address": "0x405014"
- },
- {
- "name": "GetPixel",
- "address": "0x405018"
- },
- {
- "name": "SelectObject",
- "address": "0x40501c"
- },
- {
- "name": "SaveDC",
- "address": "0x405020"
- },
- {
- "name": "GetObjectA",
- "address": "0x405024"
- },
- {
- "name": "CreateCompatibleDC",
- "address": "0x405028"
- },
- {
- "name": "GetRgnBox",
- "address": "0x40502c"
- },
- {
- "name": "CreateRectRgnIndirect",
- "address": "0x405030"
- },
- {
- "name": "BitBlt",
- "address": "0x405034"
- },
- {
- "name": "FrameRgn",
- "address": "0x405038"
- },
- {
- "name": "TextOutA",
- "address": "0x40503c"
- },
- {
- "name": "SetTextColor",
- "address": "0x405040"
- },
- {
- "name": "GetTextExtentPoint32A",
- "address": "0x405044"
- },
- {
- "name": "SetBkMode",
- "address": "0x405048"
- },
- {
- "name": "CreateFontA",
- "address": "0x40504c"
- },
- {
- "name": "PtInRegion",
- "address": "0x405050"
- },
- {
- "name": "GetStockObject",
- "address": "0x405054"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
- "address": "0x4050b4"
- },
- {
- "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z",
- "address": "0x4050b8"
- },
- {
- "name": "??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z",
- "address": "0x4050bc"
- },
- {
- "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z",
- "address": "0x4050c0"
- },
- {
- "name": "??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
- "address": "0x4050c4"
- },
- {
- "name": "?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ",
- "address": "0x4050c8"
- },
- {
- "name": "?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ",
- "address": "0x4050cc"
- }
- ],
- "dll": "MSVCP90.dll"
- },
- {
- "imports": [
- {
- "name": "__p__fmode",
- "address": "0x4050d4"
- },
- {
- "name": "__p__commode",
- "address": "0x4050d8"
- },
- {
- "name": "_adjust_fdiv",
- "address": "0x4050dc"
- },
- {
- "name": "__setusermatherr",
- "address": "0x4050e0"
- },
- {
- "name": "_configthreadlocale",
- "address": "0x4050e4"
- },
- {
- "name": "_initterm_e",
- "address": "0x4050e8"
- },
- {
- "name": "__set_app_type",
- "address": "0x4050ec"
- },
- {
- "name": "_acmdln",
- "address": "0x4050f0"
- },
- {
- "name": "exit",
- "address": "0x4050f4"
- },
- {
- "name": "_ismbblead",
- "address": "0x4050f8"
- },
- {
- "name": "_XcptFilter",
- "address": "0x4050fc"
- },
- {
- "name": "_exit",
- "address": "0x405100"
- },
- {
- "name": "_cexit",
- "address": "0x405104"
- },
- {
- "name": "_crt_debugger_hook",
- "address": "0x405108"
- },
- {
- "name": "_except_handler4_common",
- "address": "0x40510c"
- },
- {
- "name": "?terminate@@YAXXZ",
- "address": "0x405110"
- },
- {
- "name": "?_type_info_dtor_internal_method@type_info@@QAEXXZ",
- "address": "0x405114"
- },
- {
- "name": "_invoke_watson",
- "address": "0x405118"
- },
- {
- "name": "_controlfp_s",
- "address": "0x40511c"
- },
- {
- "name": "_initterm",
- "address": "0x405120"
- },
- {
- "name": "malloc",
- "address": "0x405124"
- },
- {
- "name": "strlen",
- "address": "0x405128"
- },
- {
- "name": "fclose",
- "address": "0x40512c"
- },
- {
- "name": "fwrite",
- "address": "0x405130"
- },
- {
- "name": "fopen",
- "address": "0x405134"
- },
- {
- "name": "free",
- "address": "0x405138"
- },
- {
- "name": "??3@YAXPAX@Z",
- "address": "0x40513c"
- },
- {
- "name": "strcat",
- "address": "0x405140"
- },
- {
- "name": "fread",
- "address": "0x405144"
- },
- {
- "name": "feof",
- "address": "0x405148"
- },
- {
- "name": "strcmp",
- "address": "0x40514c"
- },
- {
- "name": "_unlock",
- "address": "0x405150"
- },
- {
- "name": "__dllonexit",
- "address": "0x405154"
- },
- {
- "name": "_encode_pointer",
- "address": "0x405158"
- },
- {
- "name": "_lock",
- "address": "0x40515c"
- },
- {
- "name": "_onexit",
- "address": "0x405160"
- },
- {
- "name": "_decode_pointer",
- "address": "0x405164"
- },
- {
- "name": "_amsg_exit",
- "address": "0x405168"
- },
- {
- "name": "__getmainargs",
- "address": "0x40516c"
- }
- ],
- "dll": "MSVCR90.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x000159b5",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x000159b5",
- "icon_hash": null,
- "entrypoint": "0x00403ceb",
- "timestamp": "2019-06-18 14:23:08",
- "osversion": "5.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00003400",
- "entropy": "5.92",
- "raw_address": "0x00000400",
- "virtual_size": "0x000033af",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00005000",
- "size_of_data": "0x0000c200",
- "entropy": "6.18",
- "raw_address": "0x00003800",
- "virtual_size": "0x0000c1c8",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00012000",
- "size_of_data": "0x00000200",
- "entropy": "1.51",
- "raw_address": "0x0000fa00",
- "virtual_size": "0x000004b4",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00013000",
- "size_of_data": "0x00000400",
- "entropy": "5.19",
- "raw_address": "0x0000fc00",
- "virtual_size": "0x000002b0",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0001057c",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000078"
- },
- {
- "virtual_address": "0x00013000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000002b0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00005230",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x0000001c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00010330",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000040"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00005000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000001fc"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "a5e07b9d885d7be2b11371ae68839d0c",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "c:\\Users\\User\\Desktop\\DReY_Shape1667871152003\\Release\\ShapeGradientButton.pdb",
- "imported_dll_count": 5,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "advapi32.dll.CryptAcquireContextA",
- "cryptsp.dll.CryptAcquireContextA",
- "advapi32.dll.CryptImportKey",
- "advapi32.dll.CryptEncrypt",
- "cryptsp.dll.CryptImportKey",
- "cryptbase.dll.SystemFunction040",
- "cryptbase.dll.SystemFunction041",
- "cryptsp.dll.CryptEncrypt",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "crypt32.dll.CryptProtectData",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.GetProcAddress",
- "secur32.dll.GetUserNameExW",
- "userenv.dll.CreateEnvironmentBlock",
- "user32.dll.wsprintfA",
- "user32.dll.wsprintfW",
- "wtsapi32.dll.WTSQueryUserToken",
- "shlwapi.dll.StrStrA",
- "shlwapi.dll.StrStrIW",
- "shlwapi.dll.StrChrA",
- "shlwapi.dll.StrStrIA",
- "netapi32.dll.NetApiBufferFree",
- "netapi32.dll.NetWkstaGetInfo",
- "netapi32.dll.NetGetDCName",
- "dnsapi.dll.DnsFree",
- "dnsapi.dll.DnsQuery_A",
- "msvcrt.dll.memcpy",
- "msvcrt.dll.memset",
- "msvcrt.dll._vsnprintf",
- "kernel32.dll.lstrcpyA",
- "kernel32.dll.Sleep",
- "kernel32.dll.CreateThread",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.SetEvent",
- "kernel32.dll.WaitForSingleObject",
- "kernel32.dll.CreateEventW",
- "kernel32.dll.GetComputerNameExW",
- "kernel32.dll.lstrlenW",
- "kernel32.dll.CreateProcessA",
- "kernel32.dll.OpenEventW",
- "kernel32.dll.lstrcpyW",
- "kernel32.dll.SetUnhandledExceptionFilter",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.CreateProcessW",
- "kernel32.dll.GetSystemTimeAsFileTime",
- "kernel32.dll.lstrcatW",
- "kernel32.dll.CopyFileW",
- "kernel32.dll.ExpandEnvironmentStringsA",
- "kernel32.dll.CreateFileA",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.GetFileSize",
- "kernel32.dll.ReadFile",
- "kernel32.dll.WriteFile",
- "kernel32.dll.HeapReAlloc",
- "kernel32.dll.QueryPerformanceCounter",
- "kernel32.dll.QueryPerformanceFrequency",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.GetNativeSystemInfo",
- "kernel32.dll.GetCurrentProcessId",
- "kernel32.dll.GetLocalTime",
- "kernel32.dll.GetCurrentProcess",
- "kernel32.dll.WTSGetActiveConsoleSessionId",
- "kernel32.dll.WideCharToMultiByte",
- "kernel32.dll.CreateFileMappingW",
- "kernel32.dll.MapViewOfFile",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.MultiByteToWideChar",
- "kernel32.dll.GetExitCodeProcess",
- "kernel32.dll.ResumeThread",
- "kernel32.dll.DeleteFileW",
- "kernel32.dll.CreateDirectoryW",
- "kernel32.dll.GetTempPathA",
- "kernel32.dll.HeapAlloc",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.lstrlenA",
- "kernel32.dll.GetProcessHeap",
- "kernel32.dll.HeapFree",
- "kernel32.dll.lstrcatA",
- "kernel32.dll.GetLastError",
- "ws2_32.dll.#12",
- "ntdll.dll.RtlGetVersion",
- "ntdll.dll.ZwQuerySystemInformation",
- "ntdll.dll.RtlLargeIntegerDivide",
- "shell32.dll.SHGetFolderPathW",
- "iphlpapi.dll.GetAdaptersInfo",
- "ole32.dll.CoCreateInstance",
- "ole32.dll.CoInitializeEx",
- "winhttp.dll.WinHttpOpen",
- "winhttp.dll.WinHttpCrackUrl",
- "winhttp.dll.WinHttpReceiveResponse",
- "winhttp.dll.WinHttpCloseHandle",
- "winhttp.dll.WinHttpSendRequest",
- "winhttp.dll.WinHttpConnect",
- "winhttp.dll.WinHttpOpenRequest",
- "winhttp.dll.WinHttpSetOption",
- "winhttp.dll.WinHttpQueryDataAvailable",
- "winhttp.dll.WinHttpReadData",
- "winhttp.dll.WinHttpQueryHeaders",
- "advapi32.dll.GetSidSubAuthority",
- "advapi32.dll.RegSetValueExA",
- "advapi32.dll.RegQueryValueExA",
- "advapi32.dll.RegOpenKeyA",
- "advapi32.dll.RegDeleteKeyA",
- "advapi32.dll.RegCreateKeyA",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.CryptVerifySignatureA",
- "advapi32.dll.CryptDestroyKey",
- "advapi32.dll.LookupPrivilegeValueA",
- "advapi32.dll.AdjustTokenPrivileges",
- "advapi32.dll.CreateProcessAsUserW",
- "advapi32.dll.GetTokenInformation",
- "advapi32.dll.GetSidSubAuthorityCount",
- "advapi32.dll.CryptReleaseContext",
- "advapi32.dll.GetSidIdentifierAuthority",
- "advapi32.dll.OpenProcessToken",
- "advapi32.dll.CryptAcquireContextW",
- "advapi32.dll.LookupAccountNameW",
- "advapi32.dll.GetUserNameW",
- "advapi32.dll.CryptDestroyHash",
- "advapi32.dll.CryptHashData",
- "advapi32.dll.CryptCreateHash",
- "advapi32.dll.CryptGetHashParam",
- "advapi32.dll.InitiateSystemShutdownExA",
- "sechost.dll.LookupAccountNameLocalW",
- "advapi32.dll.LsaOpenPolicy",
- "advapi32.dll.LsaQueryInformationPolicy",
- "netutils.dll.NetApiBufferAllocate",
- "advapi32.dll.LsaFreeMemory",
- "advapi32.dll.LsaClose",
- "netutils.dll.NetApiBufferFree",
- "cryptbase.dll.SystemFunction036",
- "sspicli.dll.GetUserNameExW",
- "xmllite.dll.CreateXmlWriter",
- "xmllite.dll.CreateXmlWriterOutputWithEncodingName",
- "oleaut32.dll.#500",
- "wkscli.dll.NetWkstaGetInfo",
- "cscapi.dll.CscNetApiGetInterface",
- "ws2_32.dll.GetAddrInfoW",
- "rpcrt4.dll.RpcBindingFree",
- "ws2_32.dll.WSASocketW",
- "ws2_32.dll.#2",
- "ws2_32.dll.#21",
- "ws2_32.dll.#9",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.FreeAddrInfoW",
- "ws2_32.dll.WSAGetOverlappedResult",
- "ws2_32.dll.#6",
- "ws2_32.dll.#5",
- "schannel.dll.SpUserModeInitialize",
- "advapi32.dll.RegCreateKeyExW",
- "advapi32.dll.RegQueryValueExW",
- "ws2_32.dll.WSASend",
- "ws2_32.dll.WSARecv",
- "secur32.dll.FreeContextBuffer",
- "ncrypt.dll.SslOpenProvider",
- "ncrypt.dll.GetSChannelInterface",
- "bcryptprimitives.dll.GetHashInterface",
- "ncrypt.dll.SslIncrementProviderReferenceCount",
- "ncrypt.dll.SslImportKey",
- "bcryptprimitives.dll.GetCipherInterface",
- "ncrypt.dll.SslLookupCipherSuiteInfo",
- "user32.dll.LoadStringW",
- "ncrypt.dll.BCryptOpenAlgorithmProvider",
- "ncrypt.dll.BCryptGetProperty",
- "ncrypt.dll.BCryptCreateHash",
- "ncrypt.dll.BCryptHashData",
- "ncrypt.dll.BCryptFinishHash",
- "ncrypt.dll.BCryptDestroyHash",
- "crypt32.dll.CertGetCertificateChain",
- "userenv.dll.GetUserProfileDirectoryW",
- "sechost.dll.ConvertSidToStringSidW",
- "sechost.dll.ConvertStringSidToSidW",
- "userenv.dll.RegisterGPNotification",
- "gpapi.dll.RegisterGPNotificationInternal",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.CloseServiceHandle",
- "sechost.dll.QueryServiceConfigW",
- "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
- "ncrypt.dll.BCryptImportKeyPair",
- "ncrypt.dll.BCryptVerifySignature",
- "ncrypt.dll.BCryptDestroyKey",
- "cryptnet.dll.CryptRetrieveObjectByUrlW",
- "setupapi.dll.SetupIterateCabinetW",
- "kernel32.dll.RegOpenKeyExW",
- "kernel32.dll.RegCloseKey",
- "cabinet.dll.#20",
- "cabinet.dll.#22",
- "devrtl.dll.DevRtlGetThreadLogToken",
- "cabinet.dll.#23",
- "cryptsp.dll.CryptCreateHash",
- "cryptsp.dll.CryptSetHashParam",
- "cryptsp.dll.CryptVerifySignatureA",
- "cryptsp.dll.CryptDestroyKey",
- "cryptsp.dll.CryptDestroyHash",
- "cryptsp.dll.CryptHashData",
- "sechost.dll.QueryServiceConfigA",
- "sechost.dll.QueryServiceStatus",
- "rpcrt4.dll.RpcStringBindingComposeA",
- "rpcrt4.dll.RpcBindingFromStringBindingA",
- "rpcrt4.dll.RpcEpResolveBinding",
- "sechost.dll.LookupAccountSidLocalW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.RpcStringFreeA",
- "rpcrt4.dll.NdrClientCall2",
- "cryptnet.dll.I_CryptNetGetConnectivity",
- "sensapi.dll.IsNetworkAlive",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "winhttp.dll.WinHttpSetTimeouts",
- "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
- "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
- "winhttp.dll.WinHttpTimeFromSystemTime",
- "cryptnet.dll.I_CryptNetSetUrlCacheFlushInfo",
- "cryptnet.dll.I_CryptNetSetUrlCachePreFetchInfo",
- "crypt32.dll.CertVerifyCertificateChainPolicy",
- "crypt32.dll.CertFreeCertificateChain",
- "crypt32.dll.CertDuplicateCertificateContext",
- "ncrypt.dll.SslEncryptPacket",
- "ncrypt.dll.SslDecryptPacket",
- "crypt32.dll.CertFreeCertificateContext",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptReleaseContext",
- "ws2_32.dll.#116",
- "ole32.dll.CoUninitialize",
- "rasapi32.dll.RasEnumConnectionsW",
- "rasapi32.dll.RasConnectionNotificationW",
- "advapi32.dll.WmiMofEnumerateResourcesW",
- "advapi32.dll.WmiFreeBuffer",
- "advapi32.dll.WmiCloseBlock",
- "propsys.dll.PropVariantToVariant",
- "wbemcore.dll.Shutdown",
- "advapi32.dll.UnregisterTraceGuids",
- "tschannel.dll.DllGetClassObject",
- "tschannel.dll.DllCanUnloadNow",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsFree",
- "kernel32.dll.IsProcessorFeaturePresent",
- "kernel32.dll.VirtualAlloc",
- "ntdll.dll.memcpy",
- "ole32.dll.CLSIDFromProgID",
- "oleaut32.dll.#9",
- "oleaut32.dll.#6",
- "oleaut32.dll.#15",
- "oleaut32.dll.#26",
- "oleaut32.dll.#19",
- "oleaut32.dll.#20",
- "netapi32.dll.DsGetDcNameW",
- "oleaut32.dll.#16",
- "ws2_32.dll.#52",
- "ws2_32.dll.#23",
- "ws2_32.dll.#11",
- "ws2_32.dll.#4",
- "ws2_32.dll.#115",
- "ws2_32.dll.#22",
- "ws2_32.dll.#16",
- "ws2_32.dll.#10",
- "ws2_32.dll.#111",
- "ws2_32.dll.#19",
- "ws2_32.dll.#18",
- "ws2_32.dll.#3",
- "ws2_32.dll.#112",
- "advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorA",
- "kernel32.dll.OpenFileMappingW",
- "kernel32.dll.WaitForMultipleObjects",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.SetEnvironmentVariableA",
- "kernel32.dll.GetTickCount64",
- "kernel32.dll.TerminateThread",
- "kernel32.dll.CreatePipe",
- "advapi32.dll.CryptGenKey",
- "shlwapi.dll.StrCmpNIA",
- "shlwapi.dll.StrToIntA",
- "shlwapi.dll.PathFindFileNameA",
- "shlwapi.dll.StrToIntExA",
- "oleaut32.dll.#4",
- "oleaut32.dll.#7",
- "gdi32.dll.SelectObject",
- "gdi32.dll.GetStockObject",
- "gdi32.dll.Ellipse",
- "gdi32.dll.DeleteObject",
- "gdi32.dll.DeleteDC",
- "gdi32.dll.CreatePen",
- "gdi32.dll.CreateCompatibleDC",
- "gdi32.dll.BitBlt",
- "gdi32.dll.CreateCompatibleBitmap",
- "crypt32.dll.CryptSignAndEncodeCertificate",
- "crypt32.dll.CertGetCertificateContextProperty",
- "crypt32.dll.CertSetCertificateContextProperty",
- "crypt32.dll.CertCreateCertificateContext",
- "crypt32.dll.CertStrToNameA",
- "crypt32.dll.CryptExportPublicKeyInfoEx",
- "crypt32.dll.CryptEncodeObject",
- "crypt32.dll.CertCreateSelfSignCertificate",
- "crypt32.dll.CertGetNameStringA",
- "crypt32.dll.CertGetIntendedKeyUsage",
- "crypt32.dll.CertControlStore",
- "crypt32.dll.CertAddCertificateContextToStore",
- "crypt32.dll.CertEnumCertificatesInStore",
- "crypt32.dll.CertCloseStore",
- "crypt32.dll.CertOpenStore",
- "ws2_32.dll.WSACreateEvent",
- "ws2_32.dll.#13",
- "ws2_32.dll.#1",
- "ws2_32.dll.WSAEnumNetworkEvents",
- "ws2_32.dll.WSAEventSelect",
- "ntdll.dll.RtlTimeToSecondsSince1970",
- "ntdll.dll.NtQueryInformationProcess",
- "user32.dll.GetWindowRect",
- "user32.dll.GetDesktopWindow",
- "user32.dll.GetForegroundWindow",
- "user32.dll.GetCursorPos",
- "user32.dll.ReleaseDC",
- "user32.dll.GetWindowDC",
- "user32.dll.CharLowerA",
- "kernel32.dll.OpenProcess",
- "kernel32.dll.lstrcmpiA",
- "kernel32.dll.OpenEventA",
- "kernel32.dll.SystemTimeToFileTime",
- "kernel32.dll.SleepEx",
- "kernel32.dll.QueueUserAPC",
- "kernel32.dll.RegisterWaitForSingleObject",
- "kernel32.dll.UnregisterWait",
- "kernel32.dll.GetSystemTime",
- "kernel32.dll.GetTempPathW",
- "kernel32.dll.GetModuleHandleA",
- "kernel32.dll.CreateEventA",
- "kernel32.dll.DeleteCriticalSection",
- "kernel32.dll.LeaveCriticalSection",
- "kernel32.dll.EnterCriticalSection",
- "kernel32.dll.InitializeCriticalSection",
- "kernel32.dll.IsWow64Process",
- "kernel32.dll.ReadProcessMemory",
- "gdiplus.dll.GdipDisposeImage",
- "gdiplus.dll.GdipSaveImageToFile",
- "gdiplus.dll.GdipCreateBitmapFromHBITMAP",
- "gdiplus.dll.GdiplusStartup",
- "secur32.dll.InitSecurityInterfaceA",
- "cryptsp.dll.CryptGetHashParam",
- "cryptsp.dll.CryptGenKey",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.StringFromIID",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoTaskMemAlloc",
- "ole32.dll.CoTaskMemFree",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "vbscript.dll.DllGetClassObject",
- "vbscript.dll.DllCanUnloadNow",
- "sxs.dll.SxsOleAut32RedirectTypeLibrary",
- "advapi32.dll.RegOpenKeyW",
- "advapi32.dll.RegQueryValueW",
- "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid",
- "oleaut32.dll.DllGetClassObject",
- "oleaut32.dll.DllCanUnloadNow",
- "sxs.dll.SxsOleAut32MapIIDToProxyStubCLSID",
- "oleaut32.dll.BSTR_UserSize",
- "oleaut32.dll.BSTR_UserMarshal",
- "oleaut32.dll.BSTR_UserUnmarshal",
- "oleaut32.dll.BSTR_UserFree",
- "oleaut32.dll.VARIANT_UserSize",
- "oleaut32.dll.VARIANT_UserMarshal",
- "oleaut32.dll.VARIANT_UserUnmarshal",
- "oleaut32.dll.VARIANT_UserFree",
- "oleaut32.dll.LPSAFEARRAY_UserSize",
- "oleaut32.dll.LPSAFEARRAY_UserMarshal",
- "oleaut32.dll.LPSAFEARRAY_UserUnmarshal",
- "oleaut32.dll.LPSAFEARRAY_UserFree",
- "cryptsp.dll.CryptGetUserKey",
- "ncrypt.dll.NCryptIsKeyHandle",
- "cryptsp.dll.CryptExportKey",
- "rpcrt4.dll.UuidCreate",
- "cryptsp.dll.CryptSignHashA",
- "kernel32.dll.InitializeCriticalSectionAndSpinCount",
- "user32.dll.NotifyWinEvent",
- "kernel32.dll.CreateFileMappingA",
- "kernel32.dll.Wow64EnableWow64FsRedirection",
- "advapi32.dll.RegCreateKeyW",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegSetValueExW",
- "shell32.dll.ShellExecuteA",
- "ole32.dll.OleInitialize",
- "ole32.dll.CreateBindCtx",
- "propsys.dll.PSCreateMemoryPropertyStore",
- "propsys.dll.PSPropertyBag_WriteDWORD",
- "ole32.dll.CoGetApartmentType",
- "ole32.dll.CoRegisterInitializeSpy",
- "comctl32.dll.#236",
- "ole32.dll.CoGetMalloc",
- "propsys.dll.PSPropertyBag_ReadDWORD",
- "propsys.dll.PSPropertyBag_ReadGUID",
- "comctl32.dll.#320",
- "comctl32.dll.#324",
- "comctl32.dll.#323",
- "advapi32.dll.RegEnumKeyW",
- "advapi32.dll.OpenThreadToken",
- "ole32.dll.StringFromGUID2",
- "apphelp.dll.ApphelpCheckShellObject",
- "urlmon.dll.CreateUri",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockShared",
- "comctl32.dll.#328",
- "comctl32.dll.#334",
- "oleaut32.dll.#2",
- "shell32.dll.#102",
- "propsys.dll.PSPropertyBag_ReadStrAlloc",
- "advapi32.dll.InitializeSecurityDescriptor",
- "advapi32.dll.SetEntriesInAclW",
- "ntmarta.dll.GetMartaExtensionInterface",
- "advapi32.dll.SetSecurityDescriptorDacl",
- "advapi32.dll.IsTextUnicode",
- "comctl32.dll.#332",
- "comctl32.dll.#338",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "comctl32.dll.#339",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "comctl32.dll.#386",
- "profapi.dll.#104",
- "propsys.dll.#430",
- "advapi32.dll.RegGetValueW",
- "ole32.dll.CoTaskMemRealloc",
- "propsys.dll.InitPropVariantFromStringAsVector",
- "propsys.dll.PSCoerceToCanonicalValue",
- "propsys.dll.PropVariantToStringAlloc",
- "ole32.dll.PropVariantClear",
- "ole32.dll.CoAllowSetForegroundWindow",
- "advapi32.dll.SaferGetPolicyInformation",
- "ntdll.dll.RtlDllShutdownInProgress",
- "comctl32.dll.#329",
- "ole32.dll.OleUninitialize",
- "ole32.dll.CoRevokeInitializeSpy",
- "comctl32.dll.#388",
- "comctl32.dll.#321",
- "kernel32.dll.SetThreadUILanguage",
- "kernel32.dll.CopyFileExW",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.SetConsoleInputExeNameW",
- "shell32.dll.#66",
- "comctl32.dll.#385",
- "comctl32.dll.#336",
- "comctl32.dll.#333",
- "linkinfo.dll.IsValidLinkInfo",
- "propsys.dll.#417",
- "propsys.dll.PSGetNameFromPropertyKey",
- "propsys.dll.PSStringFromPropertyKey",
- "propsys.dll.InitVariantFromBuffer",
- "propsys.dll.PropVariantToGUID",
- "linkinfo.dll.CreateLinkInfoW",
- "user32.dll.IsCharAlphaW",
- "user32.dll.CharPrevW",
- "ntshrui.dll.GetNetResourceFromLocalPathW",
- "srvcli.dll.NetShareEnum",
- "slc.dll.SLGetWindowsInformationDWORD",
- "shlwapi.dll.PathRemoveFileSpecW",
- "linkinfo.dll.DestroyLinkInfo",
- "propsys.dll.PropVariantToBoolean",
- "cryptsp.dll.CryptGenRandom",
- "advapi32.dll.GetSecurityInfo",
- "advapi32.dll.SetSecurityInfo",
- "advapi32.dll.GetSecurityDescriptorControl",
- "advapi32.dll.RegQueryInfoKeyW",
- "advapi32.dll.RegEnumKeyExW",
- "advapi32.dll.RegEnumValueW",
- "shlwapi.dll.UrlIsW",
- "msvcrt.dll._set_error_mode",
- "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
- "kernel32.dll.FindActCtxSectionStringW",
- "kernel32.dll.GetSystemWindowsDirectoryW",
- "mscoree.dll.GetProcessExecutableHeap",
- "mscorwks.dll.DllGetClassObjectInternal",
- "mscorwks.dll.GetCLRFunction",
- "advapi32.dll.RegisterTraceGuidsW",
- "advapi32.dll.GetTraceLoggerHandle",
- "advapi32.dll.GetTraceEnableLevel",
- "advapi32.dll.GetTraceEnableFlags",
- "advapi32.dll.TraceEvent",
- "mscoree.dll.IEE",
- "mscorwks.dll.IEE",
- "mscoree.dll.GetStartupFlags",
- "mscoree.dll.GetHostConfigurationFile",
- "mscoree.dll.GetCORSystemDirectory",
- "ntdll.dll.RtlVirtualUnwind",
- "advapi32.dll.AllocateAndInitializeSid",
- "advapi32.dll.InitializeAcl",
- "advapi32.dll.AddAccessAllowedAce",
- "advapi32.dll.FreeSid",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.AddVectoredContinueHandler",
- "kernel32.dll.RemoveVectoredContinueHandler",
- "advapi32.dll.ConvertSidToStringSidW",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.GetWriteWatch",
- "kernel32.dll.ResetWriteWatch",
- "kernel32.dll.CreateMemoryResourceNotification",
- "kernel32.dll.QueryMemoryResourceNotification",
- "kernel32.dll.GlobalMemoryStatusEx",
- "ole32.dll.CoGetContextToken",
- "oleaut32.dll.#149",
- "kernel32.dll.GetUserDefaultUILanguage",
- "kernel32.dll.GetVersionExW",
- "kernel32.dll.GetFullPathNameW",
- "kernel32.dll.GetFileAttributesExW",
- "version.dll.GetFileVersionInfoSizeW",
- "version.dll.GetFileVersionInfoW",
- "version.dll.VerQueryValueW",
- "kernel32.dll.lstrlen",
- "mscoree.dll.ND_RI2",
- "kernel32.dll.lstrcpy",
- "version.dll.VerLanguageNameW",
- "advapi32.dll.LookupPrivilegeValueW",
- "psapi.dll.EnumProcessModules",
- "psapi.dll.GetModuleInformation",
- "psapi.dll.GetModuleBaseNameW",
- "psapi.dll.GetModuleFileNameExW",
- "ntdll.dll.NtQuerySystemInformation",
- "user32.dll.EnumWindows",
- "user32.dll.GetWindowThreadProcessId",
- "kernel32.dll.WerSetFlags",
- "kernel32.dll.SetThreadPreferredUILanguages",
- "kernel32.dll.GetThreadPreferredUILanguages",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.GetEnvironmentVariableW",
- "advapi32.dll.CryptExportKey",
- "advapi32.dll.CryptGetKeyParam",
- "advapi32.dll.CryptSignHashA",
- "advapi32.dll.CryptGetProvParam",
- "advapi32.dll.CryptGetUserKey",
- "advapi32.dll.CryptEnumProvidersA",
- "mscoree.dll.GetTokenForVTableEntry",
- "mscoree.dll.SetTargetForVTableEntry",
- "mscoree.dll.GetTargetForVTableEntry",
- "culture.dll.ConvertLangIdToCultureName",
- "ole32.dll.CoCreateGuid",
- "kernel32.dll.GetConsoleScreenBufferInfo",
- "kernel32.dll.LocalFree",
- "kernel32.dll.LocalAlloc",
- "mscoree.dll.ND_RI4",
- "advapi32.dll.DuplicateTokenEx",
- "advapi32.dll.CheckTokenMembership",
- "kernel32.dll.GetConsoleTitleW",
- "mscorjit.dll.getJit",
- "kernel32.dll.SetConsoleTitleW",
- "kernel32.dll.SetConsoleCtrlHandler",
- "ntdll.dll.WinSqmIsOptedIn",
- "kernel32.dll.ExpandEnvironmentStringsW",
- "shfolder.dll.SHGetFolderPathW",
- "kernel32.dll.SetEnvironmentVariableW",
- "kernel32.dll.GetACP",
- "kernel32.dll.GetFileType",
- "kernel32.dll.GetSystemInfo",
- "kernel32.dll.VirtualQuery",
- "kernel32.dll.ReleaseMutex",
- "advapi32.dll.RegisterEventSourceW",
- "advapi32.dll.DeregisterEventSource",
- "advapi32.dll.ReportEventW",
- "kernel32.dll.GetLogicalDrives",
- "kernel32.dll.GetDriveTypeW",
- "kernel32.dll.GetVolumeInformationW",
- "kernel32.dll.GetCurrentDirectoryW",
- "kernel32.dll.GetStdHandle",
- "kernel32.dll.GetConsoleMode",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.FindClose",
- "mscoree.dll.DllGetClassObject",
- "diasymreader.dll.DllGetClassObjectInternal",
- "kernel32.dll.GetConsoleOutputCP",
- "gdi32.dll.TranslateCharsetInfo",
- "kernel32.dll.SetConsoleTextAttribute",
- "kernel32.dll.WriteConsoleW",
- "mscoree.dll.CorExitProcess",
- "mscorwks.dll.CorExitProcess",
- "mscorwks.dll._CorDllMain",
- "kernel32.dll.CreateActCtxW",
- "kernel32.dll.AddRefActCtx",
- "kernel32.dll.ReleaseActCtx",
- "kernel32.dll.ActivateActCtx",
- "kernel32.dll.DeactivateActCtx",
- "kernel32.dll.GetCurrentActCtx",
- "kernel32.dll.QueryActCtxW",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.InitializeConditionVariable",
- "kernel32.dll.SleepConditionVariableCS",
- "kernel32.dll.WakeAllConditionVariable",
- "kernelbase.dll.CompareStringEx",
- "kernel32.dll.GetLocaleInfoEx",
- "ntdll.dll.RtlGetNtVersionNumbers",
- "drprov.dll.NPGetCaps",
- "drprov.dll.NPAddConnection",
- "drprov.dll.NPAddConnection3",
- "drprov.dll.NPCancelConnection",
- "drprov.dll.NPGetConnection",
- "drprov.dll.NPGetUniversalName",
- "drprov.dll.NPOpenEnum",
- "drprov.dll.NPEnumResource",
- "drprov.dll.NPCloseEnum",
- "drprov.dll.NPGetResourceParent",
- "drprov.dll.NPGetResourceInformation",
- "ntlanman.dll.NPGetCaps",
- "ntlanman.dll.NPGetUser",
- "ntlanman.dll.NPAddConnection",
- "ntlanman.dll.NPAddConnection3",
- "ntlanman.dll.NPGetReconnectFlags",
- "ntlanman.dll.NPCancelConnection",
- "ntlanman.dll.NPGetConnection",
- "ntlanman.dll.NPGetConnection3",
- "ntlanman.dll.NPGetUniversalName",
- "ntlanman.dll.NPGetConnectionPerformance",
- "ntlanman.dll.NPOpenEnum",
- "ntlanman.dll.NPEnumResource",
- "ntlanman.dll.NPCloseEnum",
- "ntlanman.dll.NPFormatNetworkName",
- "ntlanman.dll.NPGetResourceParent",
- "ntlanman.dll.NPGetResourceInformation",
- "davclnt.dll.NPGetCaps",
- "davclnt.dll.NPGetUser",
- "davclnt.dll.NPAddConnection",
- "davclnt.dll.NPAddConnection3",
- "davclnt.dll.NPCancelConnection",
- "davclnt.dll.NPGetConnection",
- "davclnt.dll.NPGetUniversalName",
- "davclnt.dll.NPOpenEnum",
- "davclnt.dll.NPEnumResource",
- "davclnt.dll.NPCloseEnum",
- "davclnt.dll.NPFormatNetworkName",
- "davclnt.dll.NPGetResourceParent",
- "davclnt.dll.NPGetResourceInformation",
- "advapi32.dll.LookupAccountSidW",
- "advapi32.dll.CreateWellKnownSid",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcStringFreeW",
- "browcli.dll.NetServerEnum",
- "wkscli.dll.NetWkstaUserGetInfo",
- "netutils.dll.NetpwNameCompare",
- "netutils.dll.NetpwNameCanonicalize",
- "netutils.dll.NetpwNameValidate",
- "rpcrt4.dll.I_RpcExceptionFilter",
- "ntdll.dll.RtlUnwind",
- "mscoree.dll._CorExeMain",
- "mscoree.dll._CorImageUnloading",
- "mscoree.dll._CorValidateImage",
- "kernel32.dll.SwitchToThread",
- "shlwapi.dll.PathFindFileNameW",
- "ole32.dll.CoInitialize",
- "shell32.dll.SHGetFolderPathA",
- "kernel32.dll.DeleteFileA",
- "kernel32.dll.CopyFileA",
- "kernel32.dll.FindNextFileA",
- "kernel32.dll.SetFilePointer",
- "kernel32.dll.FreeLibrary",
- "kernel32.dll.FindFirstFileA",
- "advapi32.dll.RegOpenKeyExA",
- "advapi32.dll.CredFree",
- "advapi32.dll.CredEnumerateW",
- "advapi32.dll.RegEnumKeyExA",
- "crypt32.dll.CryptUnprotectData",
- "propsys.dll.#407",
- "sqlite3.dll.sqlite3_open",
- "sqlite3.dll.sqlite3_exec",
- "sqlite3.dll.sqlite3_close",
- "sqlite3.dll.sqlite3_free",
- "vaultcli.dll.VaultEnumerateVaults",
- "vaultcli.dll.VaultOpenVault",
- "vaultcli.dll.VaultCloseVault",
- "vaultcli.dll.VaultEnumerateItems",
- "vaultcli.dll.VaultGetItem",
- "vaultcli.dll.VaultFree",
- "ncrypt.dll.SslDecrementProviderReferenceCount",
- "ncrypt.dll.SslFreeObject",
- "kernel32.dll.FormatMessageW",
- "kernel32.dll.LocaleNameToLCID",
- "kernel32.dll.LCIDToLocaleName",
- "kernel32.dll.GetSystemDefaultLocaleName",
- "fastprox.dll.DllGetClassObject",
- "fastprox.dll.DllCanUnloadNow",
- "oleaut32.dll.#283",
- "oleaut32.dll.#284",
- "psapi.dll.EnumProcesses",
- "ole32.dll.CoInitializeSecurity",
- "wmisvc.dll.ServiceMain",
- "sechost.dll.RegisterServiceCtrlHandlerExW",
- "sechost.dll.SetServiceStatus",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "advapi32.dll.WmiOpenBlock",
- "vssapi.dll.CreateWriter",
- "samcli.dll.NetLocalGroupGetMembers",
- "samlib.dll.SamConnect",
- "rpcrt4.dll.NdrClientCall3",
- "samlib.dll.SamOpenDomain",
- "samlib.dll.SamLookupNamesInDomain",
- "samlib.dll.SamOpenAlias",
- "samlib.dll.SamFreeMemory",
- "samlib.dll.SamCloseHandle",
- "samlib.dll.SamGetMembersInAlias",
- "samlib.dll.SamEnumerateDomainsInSamServer",
- "samlib.dll.SamLookupDomainInSamServer",
- "ole32.dll.StringFromCLSID",
- "propsys.dll.VariantToPropVariant",
- "wbemcore.dll.Reinitialize",
- "wbemsvc.dll.DllGetClassObject",
- "wbemsvc.dll.DllCanUnloadNow",
- "authz.dll.AuthzInitializeContextFromToken",
- "authz.dll.AuthzInitializeObjectAccessAuditEvent2",
- "authz.dll.AuthzAccessCheck",
- "authz.dll.AuthzFreeAuditEvent",
- "authz.dll.AuthzFreeContext",
- "authz.dll.AuthzInitializeResourceManager",
- "authz.dll.AuthzFreeResourceManager",
- "rpcrt4.dll.RpcBindingCreateW",
- "rpcrt4.dll.RpcBindingBind",
- "rpcrt4.dll.I_RpcMapWin32Status",
- "advapi32.dll.EventRegister",
- "advapi32.dll.EventUnregister",
- "advapi32.dll.EventWrite",
- "kernel32.dll.RegSetValueExW",
- "kernel32.dll.RegQueryValueExW",
- "wmisvc.dll.IsImproperShutdownDetected",
- "wevtapi.dll.EvtRender",
- "wevtapi.dll.EvtNext",
- "wevtapi.dll.EvtClose",
- "wevtapi.dll.EvtQuery",
- "wevtapi.dll.EvtCreateRenderContext",
- "rpcrt4.dll.RpcBindingSetOption",
- "ole32.dll.CoCreateFreeThreadedMarshaler",
- "ole32.dll.CreateStreamOnHGlobal",
- "kernelbase.dll.InitializeAcl",
- "kernelbase.dll.AddAce",
- "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
- "kernel32.dll.IsThreadAFiber",
- "kernel32.dll.OpenProcessToken",
- "kernelbase.dll.GetTokenInformation",
- "kernelbase.dll.DuplicateTokenEx",
- "kernelbase.dll.AdjustTokenPrivileges",
- "kernelbase.dll.AllocateAndInitializeSid",
- "kernelbase.dll.CheckTokenMembership",
- "oleaut32.dll.#285",
- "kernel32.dll.SetThreadToken",
- "ole32.dll.CLSIDFromString",
- "oleaut32.dll.#17",
- "oleaut32.dll.#25",
- "oleaut32.dll.#286",
- "authz.dll.AuthzInitializeContextFromSid",
- "ole32.dll.CoGetCallContext",
- "ole32.dll.CoImpersonateClient",
- "ole32.dll.CoRevertToSelf",
- "oleaut32.dll.#8",
- "ole32.dll.CoSwitchCallContext",
- "ntdll.dll.EtwUnregisterTraceGuids",
- "shlwapi.dll.PathIsDirectoryW",
- "advapi32.dll.RegNotifyChangeKeyValue",
- "ole32.dll.NdrOleInitializeExtension",
- "ole32.dll.CLSIDFromOle1Class",
- "clbcatq.dll.GetCatalogObject",
- "clbcatq.dll.GetCatalogObject2",
- "shlwapi.dll.PathIsPrefixW",
- "xmllite.dll.CreateXmlReader",
- "kernel32.dll.WerRegisterMemoryBlock"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "VirtualAlloc",
- "address": "0x40505c"
- },
- {
- "name": "InterlockedCompareExchange",
- "address": "0x405060"
- },
- {
- "name": "GetStartupInfoA",
- "address": "0x405064"
- },
- {
- "name": "TerminateProcess",
- "address": "0x405068"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x40506c"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x405070"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x405074"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x405078"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x40507c"
- },
- {
- "name": "GetTickCount",
- "address": "0x405080"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x405084"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x405088"
- },
- {
- "name": "GetCurrentDirectoryA",
- "address": "0x40508c"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x405090"
- },
- {
- "name": "Sleep",
- "address": "0x405094"
- },
- {
- "name": "LoadLibraryW",
- "address": "0x405098"
- },
- {
- "name": "GetProcAddress",
- "address": "0x40509c"
- },
- {
- "name": "CreateFileMappingW",
- "address": "0x4050a0"
- },
- {
- "name": "MapViewOfFile",
- "address": "0x4050a4"
- },
- {
- "name": "InterlockedExchange",
- "address": "0x4050a8"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x4050ac"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "LoadImageA",
- "address": "0x405174"
- },
- {
- "name": "GetDC",
- "address": "0x405178"
- },
- {
- "name": "UpdateWindow",
- "address": "0x40517c"
- },
- {
- "name": "SetWindowRgn",
- "address": "0x405180"
- },
- {
- "name": "MoveWindow",
- "address": "0x405184"
- },
- {
- "name": "GetWindowRgn",
- "address": "0x405188"
- },
- {
- "name": "DrawIconEx",
- "address": "0x40518c"
- },
- {
- "name": "GetClientRect",
- "address": "0x405190"
- },
- {
- "name": "GetWindowTextA",
- "address": "0x405194"
- },
- {
- "name": "DestroyIcon",
- "address": "0x405198"
- },
- {
- "name": "EndPaint",
- "address": "0x40519c"
- },
- {
- "name": "BeginPaint",
- "address": "0x4051a0"
- },
- {
- "name": "SetCapture",
- "address": "0x4051a4"
- },
- {
- "name": "SendMessageA",
- "address": "0x4051a8"
- },
- {
- "name": "GetParent",
- "address": "0x4051ac"
- },
- {
- "name": "GetWindowLongA",
- "address": "0x4051b0"
- },
- {
- "name": "ReleaseCapture",
- "address": "0x4051b4"
- },
- {
- "name": "GetWindowRect",
- "address": "0x4051b8"
- },
- {
- "name": "SetWindowLongA",
- "address": "0x4051bc"
- },
- {
- "name": "CreateDialogParamA",
- "address": "0x4051c0"
- },
- {
- "name": "GetDlgItem",
- "address": "0x4051c4"
- },
- {
- "name": "ReleaseDC",
- "address": "0x4051c8"
- },
- {
- "name": "PostQuitMessage",
- "address": "0x4051cc"
- },
- {
- "name": "MessageBoxA",
- "address": "0x4051d0"
- },
- {
- "name": "DefWindowProcA",
- "address": "0x4051d4"
- },
- {
- "name": "LoadCursorA",
- "address": "0x4051d8"
- },
- {
- "name": "LoadIconA",
- "address": "0x4051dc"
- },
- {
- "name": "RegisterClassA",
- "address": "0x4051e0"
- },
- {
- "name": "CreateWindowExA",
- "address": "0x4051e4"
- },
- {
- "name": "ShowWindow",
- "address": "0x4051e8"
- },
- {
- "name": "GetMessageA",
- "address": "0x4051ec"
- },
- {
- "name": "TranslateMessage",
- "address": "0x4051f0"
- },
- {
- "name": "DispatchMessageA",
- "address": "0x4051f4"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "CreateCompatibleBitmap",
- "address": "0x405000"
- },
- {
- "name": "GetRegionData",
- "address": "0x405004"
- },
- {
- "name": "DeleteDC",
- "address": "0x405008"
- },
- {
- "name": "DeleteObject",
- "address": "0x40500c"
- },
- {
- "name": "CombineRgn",
- "address": "0x405010"
- },
- {
- "name": "CreateRectRgn",
- "address": "0x405014"
- },
- {
- "name": "GetPixel",
- "address": "0x405018"
- },
- {
- "name": "SelectObject",
- "address": "0x40501c"
- },
- {
- "name": "SaveDC",
- "address": "0x405020"
- },
- {
- "name": "GetObjectA",
- "address": "0x405024"
- },
- {
- "name": "CreateCompatibleDC",
- "address": "0x405028"
- },
- {
- "name": "GetRgnBox",
- "address": "0x40502c"
- },
- {
- "name": "CreateRectRgnIndirect",
- "address": "0x405030"
- },
- {
- "name": "BitBlt",
- "address": "0x405034"
- },
- {
- "name": "FrameRgn",
- "address": "0x405038"
- },
- {
- "name": "TextOutA",
- "address": "0x40503c"
- },
- {
- "name": "SetTextColor",
- "address": "0x405040"
- },
- {
- "name": "GetTextExtentPoint32A",
- "address": "0x405044"
- },
- {
- "name": "SetBkMode",
- "address": "0x405048"
- },
- {
- "name": "CreateFontA",
- "address": "0x40504c"
- },
- {
- "name": "PtInRegion",
- "address": "0x405050"
- },
- {
- "name": "GetStockObject",
- "address": "0x405054"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
- "address": "0x4050b4"
- },
- {
- "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z",
- "address": "0x4050b8"
- },
- {
- "name": "??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z",
- "address": "0x4050bc"
- },
- {
- "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z",
- "address": "0x4050c0"
- },
- {
- "name": "??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
- "address": "0x4050c4"
- },
- {
- "name": "?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ",
- "address": "0x4050c8"
- },
- {
- "name": "?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ",
- "address": "0x4050cc"
- }
- ],
- "dll": "MSVCP90.dll"
- },
- {
- "imports": [
- {
- "name": "__p__fmode",
- "address": "0x4050d4"
- },
- {
- "name": "__p__commode",
- "address": "0x4050d8"
- },
- {
- "name": "_adjust_fdiv",
- "address": "0x4050dc"
- },
- {
- "name": "__setusermatherr",
- "address": "0x4050e0"
- },
- {
- "name": "_configthreadlocale",
- "address": "0x4050e4"
- },
- {
- "name": "_initterm_e",
- "address": "0x4050e8"
- },
- {
- "name": "__set_app_type",
- "address": "0x4050ec"
- },
- {
- "name": "_acmdln",
- "address": "0x4050f0"
- },
- {
- "name": "exit",
- "address": "0x4050f4"
- },
- {
- "name": "_ismbblead",
- "address": "0x4050f8"
- },
- {
- "name": "_XcptFilter",
- "address": "0x4050fc"
- },
- {
- "name": "_exit",
- "address": "0x405100"
- },
- {
- "name": "_cexit",
- "address": "0x405104"
- },
- {
- "name": "_crt_debugger_hook",
- "address": "0x405108"
- },
- {
- "name": "_except_handler4_common",
- "address": "0x40510c"
- },
- {
- "name": "?terminate@@YAXXZ",
- "address": "0x405110"
- },
- {
- "name": "?_type_info_dtor_internal_method@type_info@@QAEXXZ",
- "address": "0x405114"
- },
- {
- "name": "_invoke_watson",
- "address": "0x405118"
- },
- {
- "name": "_controlfp_s",
- "address": "0x40511c"
- },
- {
- "name": "_initterm",
- "address": "0x405120"
- },
- {
- "name": "malloc",
- "address": "0x405124"
- },
- {
- "name": "strlen",
- "address": "0x405128"
- },
- {
- "name": "fclose",
- "address": "0x40512c"
- },
- {
- "name": "fwrite",
- "address": "0x405130"
- },
- {
- "name": "fopen",
- "address": "0x405134"
- },
- {
- "name": "free",
- "address": "0x405138"
- },
- {
- "name": "??3@YAXPAX@Z",
- "address": "0x40513c"
- },
- {
- "name": "strcat",
- "address": "0x405140"
- },
- {
- "name": "fread",
- "address": "0x405144"
- },
- {
- "name": "feof",
- "address": "0x405148"
- },
- {
- "name": "strcmp",
- "address": "0x40514c"
- },
- {
- "name": "_unlock",
- "address": "0x405150"
- },
- {
- "name": "__dllonexit",
- "address": "0x405154"
- },
- {
- "name": "_encode_pointer",
- "address": "0x405158"
- },
- {
- "name": "_lock",
- "address": "0x40515c"
- },
- {
- "name": "_onexit",
- "address": "0x405160"
- },
- {
- "name": "_decode_pointer",
- "address": "0x405164"
- },
- {
- "name": "_amsg_exit",
- "address": "0x405168"
- },
- {
- "name": "__getmainargs",
- "address": "0x40516c"
- }
- ],
- "dll": "MSVCR90.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x000159b5",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x000159b5",
- "icon_hash": null,
- "entrypoint": "0x00403ceb",
- "timestamp": "2019-06-18 14:23:08",
- "osversion": "5.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00003400",
- "entropy": "5.92",
- "raw_address": "0x00000400",
- "virtual_size": "0x000033af",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00005000",
- "size_of_data": "0x0000c200",
- "entropy": "6.18",
- "raw_address": "0x00003800",
- "virtual_size": "0x0000c1c8",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00012000",
- "size_of_data": "0x00000200",
- "entropy": "1.51",
- "raw_address": "0x0000fa00",
- "virtual_size": "0x000004b4",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00013000",
- "size_of_data": "0x00000400",
- "entropy": "5.19",
- "raw_address": "0x0000fc00",
- "virtual_size": "0x000002b0",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0001057c",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000078"
- },
- {
- "virtual_address": "0x00013000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000002b0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00005230",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x0000001c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00010330",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000040"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00005000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000001fc"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "a5e07b9d885d7be2b11371ae68839d0c",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "c:\\Users\\User\\Desktop\\DReY_Shape1667871152003\\Release\\ShapeGradientButton.pdb",
- "imported_dll_count": 5,
- "versioninfo": []
- }
- }