
Zips_72d563bec2e31aed66140f673dc12bba_php_2019-06-26_10_30.json

  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 7.5
  5.  
  6. [*] File Name: "Zips_72d563bec2e31aed66140f673dc12bba.php"
  7. [*] File Size: 362953
  8. [*] File Type: "Zip archive data, at least v2.0 to extract"
  9. [*] SHA256: "3f8ce9cbd11734f4fe63da8d2b0a3460f678ab047fc03b8b0bc9bc9f0a2dcdc4"
  10. [*] MD5: "72d563bec2e31aed66140f673dc12bba"
  11. [*] SHA1: "4e7707301f4801283e67ab0bdb0d68757acaf3a5"
  12. [*] SHA512: "d29cce5bcecb288c31514f6b4ec2418029264b8c5be165ca77c5f9545c0ef35ac2c770ee7a1d3fc45c346f7f90351dde7f52c98d4562d2d119ae4ac6430380b3"
  13. [*] CRC32: "2A23DEDD"
  14. [*] SSDEEP: "6144:woA/iiiSz6uFiffdEju7TQK101xtrOT179l5cSSig8t9+ovdLwdwWILhh7Hv:VA/iq6ldiu7TJ101xM1L5cSjFvdxb"
  15.  
  16. [*] Process Execution: [
  17. "wscript.exe",
  18. "tmp1.exe",
  19. "cmd.exe",
  20. "powershell.exe",
  21. "cmd.exe",
  22. "sc.exe",
  23. "cmd.exe",
  24. "sc.exe",
  25. "cmd.exe",
  26. "sc.exe",
  27. "cmd.exe",
  28. "sc.exe",
  29. "cmd.exe",
  30. "powershell.exe"
  31. ]
  32.  
  33. [*] Signatures Detected: [
  34. {
  35. "Description": "Creates RWX memory",
  36. "Details": []
  37. },
  38. {
  39. "Description": "Possible date expiration check, exits too soon after checking local time",
  40. "Details": [
  41. {
  42. "process": "cmd.exe, PID 2740"
  43. }
  44. ]
  45. },
  46. {
  47. "Description": "A process created a hidden window",
  48. "Details": [
  49. {
  50. "Process": "tmp1.exe -> cmd"
  51. },
  52. {
  53. "Process": "tmp1.exe -> cmd"
  54. },
  55. {
  56. "Process": "tmp1.exe -> cmd"
  57. }
  58. ]
  59. },
  60. {
  61. "Description": "Drops a binary and executes it",
  62. "Details": [
  63. {
  64. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe"
  65. }
  66. ]
  67. },
  68. {
  69. "Description": "Attempts to stop active services",
  70. "Details": [
  71. {
  72. "servicename": "WinDefend"
  73. }
  74. ]
  75. },
  76. {
  77. "Description": "Creates a hidden or system file",
  78. "Details": [
  79. {
  80. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1a32b40.TMP"
  81. }
  82. ]
  83. },
  84. {
  85. "Description": "Attempts to disable Windows Defender",
  86. "Details": []
  87. }
  88. ]
  89.  
  90. [*] Started Service: []
  91.  
  92. [*] Executed Commands: [
  93. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe",
  94. "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  95. "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  96. "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend",
  97. "cmd /c sc stop WinDefend",
  98. "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend",
  99. "cmd /c sc delete WinDefend",
  100. "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend",
  101. "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend",
  102. "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  103. "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  104. "sc stop WinDefend",
  105. "sc delete WinDefend"
  106. ]
  107.  
  108. [*] Mutexes: [
  109. "Local\\ZoneAttributeCacheCounterMutex",
  110. "Local\\ZonesCacheCounterMutex",
  111. "Local\\ZonesLockedCacheCounterMutex",
  112. "Global\\CLR_CASOFF_MUTEX"
  113. ]
  114.  
  115. [*] Modified Files: [
  116. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.exe",
  117. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
  118. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  119. "\\??\\PIPE\\srvsvc",
  120. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\7NIKZPM3OUQBF4VP07EQ.temp",
  121. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1a32b40.TMP",
  122. "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  123. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C3B3HKPWHGT8OQ2RZUT9.temp",
  124. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms"
  125. ]
  126.  
  127. [*] Deleted Files: [
  128. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1a32b40.TMP",
  129. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.2924.27520265",
  130. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2924.27520265",
  131. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.2924.27520265",
  132. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\C3B3HKPWHGT8OQ2RZUT9.temp",
  133. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2868.26670265",
  134. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2868.26670265",
  135. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2868.26670265"
  136. ]
  137.  
  138. [*] Modified Registry Keys: [
  139. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  140. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  141. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
  142. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
  143. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
  144. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
  145. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
  146. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable",
  147. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection",
  148. "DisableNotifications",
  149. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList"
  150. ]
  151.  
  152. [*] Deleted Registry Keys: [
  153. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  154. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  155. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  156. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  157. ]
  158.  
  159. [*] DNS Communications: []
  160.  
  161. [*] Domains: []
  162.  
  163. [*] Network Communication - ICMP: []
  164.  
  165. [*] Network Communication - HTTP: []
  166.  
  167. [*] Network Communication - SMTP: []
  168.  
  169. [*] Network Communication - Hosts: []
  170.  
  171. [*] Network Communication - IRC: []
  172.  
  173. [*] Static Analysis: {
  174. "office": {
  175. "Metadata": {
  176. "HasMacros": "No"
  177. }
  178. }
  179. }
  180.  
  181. [*] Resolved APIs: [
  182. "advapi32.dll.SaferIdentifyLevel",
  183. "advapi32.dll.SaferComputeTokenFromLevel",
  184. "advapi32.dll.SaferCloseLevel",
  185. "ole32.dll.CLSIDFromProgIDEx",
  186. "ole32.dll.CoGetClassObject",
  187. "wscript.exe.#1",
  188. "urlmon.dll.#326",
  189. "urlmon.dll.#327",
  190. "shell32.dll.#685",
  191. "shell32.dll.#688",
  192. "urlmon.dll.#395",
  193. "cryptsp.dll.CryptAcquireContextW",
  194. "cryptsp.dll.CryptGenRandom",
  195. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  196. "oleaut32.dll.#500",
  197. "cryptsp.dll.CryptReleaseContext",
  198. "cryptsp.dll.CryptAcquireContextA",
  199. "kernel32.dll.VirtualAlloc",
  200. "ntdll.dll.memcpy",
  201. "kernel32.dll.GetCurrentProcess",
  202. "kernel32.dll.CloseHandle",
  203. "advapi32.dll.OpenProcessToken",
  204. "advapi32.dll.GetTokenInformation",
  205. "kernel32.dll.Wow64EnableWow64FsRedirection",
  206. "advapi32.dll.RegCloseKey",
  207. "advapi32.dll.RegCreateKeyW",
  208. "advapi32.dll.RegOpenKeyExW",
  209. "advapi32.dll.RegSetValueExW",
  210. "shell32.dll.ShellExecuteA",
  211. "ole32.dll.OleInitialize",
  212. "cryptbase.dll.SystemFunction036",
  213. "ole32.dll.CreateBindCtx",
  214. "ole32.dll.CoTaskMemAlloc",
  215. "propsys.dll.PSCreateMemoryPropertyStore",
  216. "propsys.dll.PSPropertyBag_WriteDWORD",
  217. "ole32.dll.CoGetApartmentType",
  218. "ole32.dll.CoRegisterInitializeSpy",
  219. "ole32.dll.CoTaskMemFree",
  220. "comctl32.dll.#236",
  221. "oleaut32.dll.#6",
  222. "ole32.dll.CoGetMalloc",
  223. "propsys.dll.PSPropertyBag_ReadDWORD",
  224. "propsys.dll.PSPropertyBag_ReadGUID",
  225. "comctl32.dll.#320",
  226. "comctl32.dll.#324",
  227. "comctl32.dll.#323",
  228. "advapi32.dll.RegEnumKeyW",
  229. "advapi32.dll.OpenThreadToken",
  230. "ole32.dll.StringFromGUID2",
  231. "apphelp.dll.ApphelpCheckShellObject",
  232. "ole32.dll.CoCreateInstance",
  233. "urlmon.dll.CreateUri",
  234. "kernel32.dll.InitializeSRWLock",
  235. "kernel32.dll.AcquireSRWLockExclusive",
  236. "kernel32.dll.AcquireSRWLockShared",
  237. "kernel32.dll.ReleaseSRWLockExclusive",
  238. "kernel32.dll.ReleaseSRWLockShared",
  239. "comctl32.dll.#328",
  240. "comctl32.dll.#334",
  241. "oleaut32.dll.#2",
  242. "shell32.dll.#102",
  243. "propsys.dll.PSPropertyBag_ReadStrAlloc",
  244. "ole32.dll.CoInitializeEx",
  245. "advapi32.dll.InitializeSecurityDescriptor",
  246. "advapi32.dll.SetEntriesInAclW",
  247. "ntmarta.dll.GetMartaExtensionInterface",
  248. "advapi32.dll.SetSecurityDescriptorDacl",
  249. "advapi32.dll.IsTextUnicode",
  250. "comctl32.dll.#332",
  251. "comctl32.dll.#338",
  252. "comctl32.dll.#339",
  253. "ole32.dll.CoUninitialize",
  254. "sechost.dll.ConvertSidToStringSidW",
  255. "profapi.dll.#104",
  256. "propsys.dll.#430",
  257. "advapi32.dll.RegGetValueW",
  258. "ole32.dll.CoTaskMemRealloc",
  259. "propsys.dll.InitPropVariantFromStringAsVector",
  260. "propsys.dll.PSCoerceToCanonicalValue",
  261. "propsys.dll.PropVariantToStringAlloc",
  262. "ole32.dll.PropVariantClear",
  263. "ole32.dll.CoAllowSetForegroundWindow",
  264. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  265. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  266. "shell32.dll.SHGetFolderPathW",
  267. "advapi32.dll.SaferGetPolicyInformation",
  268. "comctl32.dll.#386",
  269. "ntdll.dll.RtlDllShutdownInProgress",
  270. "comctl32.dll.#329",
  271. "ole32.dll.OleUninitialize",
  272. "ole32.dll.CoRevokeInitializeSpy",
  273. "comctl32.dll.#388",
  274. "advapi32.dll.CryptAcquireContextA",
  275. "advapi32.dll.CryptImportKey",
  276. "advapi32.dll.CryptEncrypt",
  277. "cryptsp.dll.CryptImportKey",
  278. "cryptbase.dll.SystemFunction040",
  279. "cryptbase.dll.SystemFunction041",
  280. "cryptsp.dll.CryptEncrypt",
  281. "kernel32.dll.SetThreadUILanguage",
  282. "kernel32.dll.CopyFileExW",
  283. "kernel32.dll.IsDebuggerPresent",
  284. "kernel32.dll.SetConsoleInputExeNameW",
  285. "kernel32.dll.SortGetHandle",
  286. "kernel32.dll.SortCloseHandle",
  287. "uxtheme.dll.ThemeInitApiHook",
  288. "user32.dll.IsProcessDPIAware",
  289. "shell32.dll.#66",
  290. "comctl32.dll.#385",
  291. "comctl32.dll.#336",
  292. "comctl32.dll.#321",
  293. "comctl32.dll.#333",
  294. "linkinfo.dll.IsValidLinkInfo",
  295. "propsys.dll.#417",
  296. "propsys.dll.PSGetNameFromPropertyKey",
  297. "propsys.dll.PSStringFromPropertyKey",
  298. "propsys.dll.InitVariantFromBuffer",
  299. "oleaut32.dll.#9",
  300. "propsys.dll.PropVariantToGUID",
  301. "linkinfo.dll.CreateLinkInfoW",
  302. "user32.dll.IsCharAlphaW",
  303. "user32.dll.CharPrevW",
  304. "ntshrui.dll.GetNetResourceFromLocalPathW",
  305. "srvcli.dll.NetShareEnum",
  306. "cscapi.dll.CscNetApiGetInterface",
  307. "slc.dll.SLGetWindowsInformationDWORD",
  308. "shlwapi.dll.PathRemoveFileSpecW",
  309. "linkinfo.dll.DestroyLinkInfo",
  310. "propsys.dll.PropVariantToBoolean",
  311. "advapi32.dll.GetSecurityInfo",
  312. "advapi32.dll.SetSecurityInfo",
  313. "advapi32.dll.GetSecurityDescriptorControl",
  314. "advapi32.dll.RegQueryInfoKeyW",
  315. "advapi32.dll.RegEnumKeyExW",
  316. "advapi32.dll.RegEnumValueW",
  317. "advapi32.dll.RegQueryValueExW",
  318. "shlwapi.dll.UrlIsW",
  319. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  320. "msvcrt.dll._set_error_mode",
  321. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  322. "kernel32.dll.FindActCtxSectionStringW",
  323. "kernel32.dll.GetSystemWindowsDirectoryW",
  324. "mscoree.dll.GetProcessExecutableHeap",
  325. "mscorwks.dll.DllGetClassObjectInternal",
  326. "mscorwks.dll.GetCLRFunction",
  327. "advapi32.dll.RegisterTraceGuidsW",
  328. "advapi32.dll.UnregisterTraceGuids",
  329. "advapi32.dll.GetTraceLoggerHandle",
  330. "advapi32.dll.GetTraceEnableLevel",
  331. "advapi32.dll.GetTraceEnableFlags",
  332. "advapi32.dll.TraceEvent",
  333. "mscoree.dll.IEE",
  334. "mscorwks.dll.IEE",
  335. "mscoree.dll.GetStartupFlags",
  336. "mscoree.dll.GetHostConfigurationFile",
  337. "mscoree.dll.GetCORSystemDirectory",
  338. "ntdll.dll.RtlVirtualUnwind",
  339. "kernel32.dll.IsWow64Process",
  340. "advapi32.dll.AllocateAndInitializeSid",
  341. "advapi32.dll.InitializeAcl",
  342. "advapi32.dll.AddAccessAllowedAce",
  343. "advapi32.dll.FreeSid",
  344. "kernel32.dll.SetThreadStackGuarantee",
  345. "kernel32.dll.FlsSetValue",
  346. "kernel32.dll.FlsGetValue",
  347. "kernel32.dll.FlsAlloc",
  348. "kernel32.dll.FlsFree",
  349. "kernel32.dll.AddVectoredContinueHandler",
  350. "kernel32.dll.RemoveVectoredContinueHandler",
  351. "advapi32.dll.ConvertSidToStringSidW",
  352. "kernel32.dll.FlushProcessWriteBuffers",
  353. "kernel32.dll.GetWriteWatch",
  354. "kernel32.dll.ResetWriteWatch",
  355. "kernel32.dll.CreateMemoryResourceNotification",
  356. "kernel32.dll.QueryMemoryResourceNotification",
  357. "kernel32.dll.GlobalMemoryStatusEx",
  358. "oleaut32.dll.#149",
  359. "kernel32.dll.GetUserDefaultUILanguage",
  360. "kernel32.dll.GetVersionExW",
  361. "kernel32.dll.GetFullPathNameW",
  362. "kernel32.dll.SetErrorMode",
  363. "kernel32.dll.GetFileAttributesExW",
  364. "version.dll.GetFileVersionInfoSizeW",
  365. "version.dll.GetFileVersionInfoW",
  366. "version.dll.VerQueryValueW",
  367. "kernel32.dll.lstrlen",
  368. "kernel32.dll.lstrlenW",
  369. "mscoree.dll.ND_RI2",
  370. "kernel32.dll.lstrcpy",
  371. "kernel32.dll.lstrcpyW",
  372. "version.dll.VerLanguageNameW",
  373. "kernel32.dll.GetCurrentProcessId",
  374. "advapi32.dll.LookupPrivilegeValueW",
  375. "advapi32.dll.AdjustTokenPrivileges",
  376. "kernel32.dll.OpenProcess",
  377. "psapi.dll.EnumProcessModules",
  378. "psapi.dll.GetModuleInformation",
  379. "psapi.dll.GetModuleBaseNameW",
  380. "psapi.dll.GetModuleFileNameExW",
  381. "kernel32.dll.GetExitCodeProcess",
  382. "ntdll.dll.NtQuerySystemInformation",
  383. "user32.dll.EnumWindows",
  384. "user32.dll.GetWindowThreadProcessId",
  385. "kernel32.dll.WerSetFlags",
  386. "kernel32.dll.SetThreadPreferredUILanguages",
  387. "kernel32.dll.GetThreadPreferredUILanguages",
  388. "kernel32.dll.GetUserDefaultLocaleName",
  389. "kernel32.dll.GetEnvironmentVariableW",
  390. "advapi32.dll.CryptReleaseContext",
  391. "advapi32.dll.CryptCreateHash",
  392. "advapi32.dll.CryptDestroyHash",
  393. "advapi32.dll.CryptHashData",
  394. "advapi32.dll.CryptGetHashParam",
  395. "advapi32.dll.CryptExportKey",
  396. "advapi32.dll.CryptGenKey",
  397. "advapi32.dll.CryptGetKeyParam",
  398. "advapi32.dll.CryptDestroyKey",
  399. "advapi32.dll.CryptVerifySignatureA",
  400. "advapi32.dll.CryptSignHashA",
  401. "advapi32.dll.CryptGetProvParam",
  402. "advapi32.dll.CryptGetUserKey",
  403. "advapi32.dll.CryptEnumProvidersA",
  404. "cryptsp.dll.CryptHashData",
  405. "cryptsp.dll.CryptGetHashParam",
  406. "cryptsp.dll.CryptDestroyHash",
  407. "cryptsp.dll.CryptDestroyKey",
  408. "mscoree.dll.GetTokenForVTableEntry",
  409. "mscoree.dll.SetTargetForVTableEntry",
  410. "mscoree.dll.GetTargetForVTableEntry",
  411. "culture.dll.ConvertLangIdToCultureName",
  412. "ole32.dll.CoCreateGuid",
  413. "kernel32.dll.CreateFileW",
  414. "kernel32.dll.GetConsoleScreenBufferInfo",
  415. "kernel32.dll.LocalFree",
  416. "kernel32.dll.LocalAlloc",
  417. "mscoree.dll.ND_RI4",
  418. "advapi32.dll.DuplicateTokenEx",
  419. "advapi32.dll.CheckTokenMembership",
  420. "kernel32.dll.GetConsoleTitleW",
  421. "mscorjit.dll.getJit",
  422. "kernel32.dll.SetConsoleTitleW",
  423. "kernel32.dll.SetConsoleCtrlHandler",
  424. "kernel32.dll.CreateEventW",
  425. "ntdll.dll.WinSqmIsOptedIn",
  426. "kernel32.dll.ExpandEnvironmentStringsW",
  427. "shfolder.dll.SHGetFolderPathW",
  428. "kernel32.dll.SetEnvironmentVariableW",
  429. "kernel32.dll.GetACP",
  430. "kernel32.dll.UnmapViewOfFile",
  431. "kernel32.dll.GetFileType",
  432. "kernel32.dll.ReadFile",
  433. "kernel32.dll.GetSystemInfo",
  434. "kernel32.dll.VirtualQuery",
  435. "secur32.dll.GetUserNameExW",
  436. "advapi32.dll.GetUserNameW",
  437. "kernel32.dll.ReleaseMutex",
  438. "advapi32.dll.RegisterEventSourceW",
  439. "advapi32.dll.DeregisterEventSource",
  440. "advapi32.dll.ReportEventW",
  441. "kernel32.dll.GetLogicalDrives",
  442. "kernel32.dll.GetDriveTypeW",
  443. "kernel32.dll.GetVolumeInformationW",
  444. "kernel32.dll.GetCurrentDirectoryW",
  445. "kernel32.dll.GetLastError",
  446. "kernel32.dll.GetStdHandle",
  447. "kernel32.dll.GetConsoleMode",
  448. "kernel32.dll.SetEvent",
  449. "kernel32.dll.FindFirstFileW",
  450. "kernel32.dll.FindClose",
  451. "mscoree.dll.DllGetClassObject",
  452. "diasymreader.dll.DllGetClassObjectInternal",
  453. "kernel32.dll.GetConsoleOutputCP",
  454. "gdi32.dll.TranslateCharsetInfo",
  455. "kernel32.dll.SetConsoleTextAttribute",
  456. "kernel32.dll.WriteConsoleW",
  457. "mscoree.dll.CorExitProcess",
  458. "mscorwks.dll.CorExitProcess",
  459. "ole32.dll.CoGetContextToken",
  460. "mscorwks.dll._CorDllMain",
  461. "kernel32.dll.CreateActCtxW",
  462. "kernel32.dll.AddRefActCtx",
  463. "kernel32.dll.ReleaseActCtx",
  464. "kernel32.dll.ActivateActCtx",
  465. "kernel32.dll.DeactivateActCtx",
  466. "kernel32.dll.GetCurrentActCtx",
  467. "kernel32.dll.QueryActCtxW",
  468. "netutils.dll.NetApiBufferFree",
  469. "kernel32.dll.IsProcessorFeaturePresent",
  470. "ntdll.dll.RtlUnwind",
  471. "kernel32.dll.SwitchToThread",
  472. "mscoree.dll._CorExeMain",
  473. "mscoree.dll._CorImageUnloading",
  474. "mscoree.dll._CorValidateImage",
  475. "cryptsp.dll.CryptExportKey",
  476. "cryptsp.dll.CryptCreateHash"
  477. ]
  478.  
  479. [*] Static Analysis: {
  480. "office": {
  481. "Metadata": {
  482. "HasMacros": "No"
  483. }
  484. }
  485. }