
Exes_6b191ac6e5b5a9c3982cbb7855355523_jpg_json.json

paladin316 Jun 17th, 2019 52 Never
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg"
  7. [*] File Size: 266240
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
  9. [*] SHA256: "e61baf5aaf6a75cfa8da252e8790e3a66b12a97885cbd455a0f1b7bd2b8f1e6a"
  10. [*] MD5: "6b191ac6e5b5a9c3982cbb7855355523"
  11. [*] SHA1: "3bfa45fbd03c1fb9339ed6c2b011f84d5a152573"
  12. [*] SHA512: "08858381e5c9db085fc8b1660291205d157b8e3499fed55d90a665a79f1f322e88d12c955c46fa5a36ddd138052d44e5661181ed4804876d32457d1ffd90ae1b"
  13. [*] CRC32: "522E8E8C"
  14. [*] SSDEEP: "6144:mCSBNNhsOBN7HvBTWkQufYAP0RqJaQ2lHjBSsIbYWl7bBPNTpy8W41rSIesqAkeK:5ONhsOBNrvApcaQik9J"
  15.  
  16. [*] Process Execution: [
  17.     "Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg",
  18.     "akbkdabad.exe",
  19.     "akbkdabad.exe",
  20.     "akbkdabad.exe",
  21.     "services.exe",
  22.     "lsass.exe",
  23.     "GoogleUpdate.exe"
  24. ]
  25.  
  26. [*] Signatures Detected: [
  27.     {
  28.         "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  29.         "Details": [
  30.             {
  31.                 "IP": "172.217.0.35:443"
  32.             }
  33.         ]
  34.     },
  35.     {
  36.         "Description": "Creates RWX memory",
  37.         "Details": []
  38.     },
  39.     {
  40.         "Description": "A process attempted to delay the analysis task.",
  41.         "Details": [
  42.             {
  43.                 "Process": "akbkdabad.exe tried to sleep 1414 seconds, actually delayed analysis time by 0 seconds"
  44.             }
  45.         ]
  46.     },
  47.     {
  48.         "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  49.         "Details": [
  50.             {
  51.                 "ioc": "http://crl.globalsign.net/root-r2.crl0"
  52.             }
  53.         ]
  54.     },
  55.     {
  56.         "Description": "Performs some HTTP requests",
  57.         "Details": [
  58.             {
  59.                 "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  60.             },
  61.             {
  62.                 "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  63.             },
  64.             {
  65.                 "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  66.             }
  67.         ]
  68.     },
  69.     {
  70.         "Description": "The binary likely contains encrypted or compressed data.",
  71.         "Details": [
  72.             {
  73.                 "section": "name: UPX1, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0003fa00, virtual_size: 0x00040000"
  74.             }
  75.         ]
  76.     },
  77.     {
  78.         "Description": "The executable is compressed using UPX",
  79.         "Details": [
  80.             {
  81.                 "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00059000"
  82.             }
  83.         ]
  84.     },
  85.     {
  86.         "Description": "Deletes its original binary from disk",
  87.         "Details": []
  88.     },
  89.     {
  90.         "Description": "Executed a process and injected code into it, probably while unpacking",
  91.         "Details": [
  92.             {
  93.                 "Injection": "akbkdabad.exe(312) -> akbkdabad.exe(2224)"
  94.             }
  95.         ]
  96.     },
  97.     {
  98.         "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  99.         "Details": [
  100.             {
  101.                 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11962623 times"
  102.             }
  103.         ]
  104.     },
  105.     {
  106.         "Description": "Steals private information from local Internet browsers",
  107.         "Details": [
  108.             {
  109.                 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  110.             }
  111.         ]
  112.     },
  113.     {
  114.         "Description": "Installs itself for autorun at Windows startup",
  115.         "Details": [
  116.             {
  117.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs"
  118.             },
  119.             {
  120.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs"
  121.             }
  122.         ]
  123.     },
  124.     {
  125.         "Description": "Creates a hidden or system file",
  126.         "Details": [
  127.             {
  128.                 "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
  129.             },
  130.             {
  131.                 "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
  132.             }
  133.         ]
  134.     },
  135.     {
  136.         "Description": "Creates a copy of itself",
  137.         "Details": [
  138.             {
  139.                 "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
  140.             }
  141.         ]
  142.     },
  143.     {
  144.         "Description": "Harvests credentials from local FTP client softwares",
  145.         "Details": [
  146.             {
  147.                 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
  148.             },
  149.             {
  150.                 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  151.             },
  152.             {
  153.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
  154.             },
  155.             {
  156.                 "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
  157.             },
  158.             {
  159.                 "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
  160.             },
  161.             {
  162.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
  163.             },
  164.             {
  165.                 "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
  166.             },
  167.             {
  168.                 "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
  169.             },
  170.             {
  171.                 "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
  172.             },
  173.             {
  174.                 "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
  175.             }
  176.         ]
  177.     },
  178.     {
  179.         "Description": "Harvests information related to installed instant messenger clients",
  180.         "Details": [
  181.             {
  182.                 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  183.             }
  184.         ]
  185.     },
  186.     {
  187.         "Description": "Harvests information related to installed mail clients",
  188.         "Details": [
  189.             {
  190.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
  191.             },
  192.             {
  193.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
  194.             },
  195.             {
  196.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
  197.             },
  198.             {
  199.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
  200.             },
  201.             {
  202.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
  203.             },
  204.             {
  205.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
  206.             },
  207.             {
  208.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  209.             },
  210.             {
  211.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  212.             },
  213.             {
  214.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  215.             },
  216.             {
  217.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
  218.             },
  219.             {
  220.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
  221.             },
  222.             {
  223.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
  224.             },
  225.             {
  226.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
  227.             },
  228.             {
  229.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
  230.             },
  231.             {
  232.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
  233.             },
  234.             {
  235.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
  236.             },
  237.             {
  238.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
  239.             },
  240.             {
  241.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
  242.             },
  243.             {
  244.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
  245.             },
  246.             {
  247.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
  248.             },
  249.             {
  250.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  251.             },
  252.             {
  253.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
  254.             },
  255.             {
  256.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
  257.             },
  258.             {
  259.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
  260.             },
  261.             {
  262.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
  263.             },
  264.             {
  265.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
  266.             },
  267.             {
  268.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
  269.             },
  270.             {
  271.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
  272.             },
  273.             {
  274.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
  275.             },
  276.             {
  277.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  278.             },
  279.             {
  280.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
  281.             },
  282.             {
  283.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
  284.             },
  285.             {
  286.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
  287.             },
  288.             {
  289.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
  290.             },
  291.             {
  292.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
  293.             }
  294.         ]
  295.     },
  296.     {
  297.         "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
  298.         "Details": [
  299.             {
  300.                 "file": "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe:ZoneIdentifier"
  301.             }
  302.         ]
  303.     },
  304.     {
  305.         "Description": "Collects information to fingerprint the system",
  306.         "Details": []
  307.     },
  308.     {
  309.         "Description": "Anomalous binary characteristics",
  310.         "Details": [
  311.             {
  312.                 "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
  313.             }
  314.         ]
  315.     }
  316. ]
  317.  
  318. [*] Started Service: [
  319.     "VaultSvc"
  320. ]
  321.  
  322. [*] Executed Commands: [
  323.     "\"C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe\" 1 \"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg\" 1F59C1C",
  324.     "\"C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe\"",
  325.     "C:\\Windows\\system32\\lsass.exe",
  326.     "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc"
  327. ]
  328.  
  329. [*] Mutexes: [
  330.     "1F59C1C",
  331.     "6EFA73A4746045B65DEE781E",
  332.     "Global\\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}",
  333.     "Global\\G{6885AE8E-C070-458d-9711-37B9BEAB65F6}",
  334.     "Global\\G{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
  335.     "Global\\G{0A175FBE-AEEC-4fea-855A-2AA549A88846}"
  336. ]
  337.  
  338. [*] Modified Files: [
  339.     "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe",
  340.     "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe:ZoneIdentifier",
  341.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs",
  342.     "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
  343.     "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe",
  344.     "\\??\\PIPE\\wkssvc",
  345.     "\\??\\pipe\\GoogleCrashServices\\S-1-5-18"
  346. ]
  347.  
  348. [*] Deleted Files: [
  349.     "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe",
  350.     "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg",
  351.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs",
  352.     "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
  353.     "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}\\74.0.3729.169_73.0.3683.86_chrome_updater.exe",
  354.     "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}"
  355. ]
  356.  
  357. [*] Modified Registry Keys: [
  358.     "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Start",
  359.     "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\PersistedPings\\{EDC4B9FC-9CBF-4757-A75A-7160D2D83929}",
  360.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{EDC4B9FC-9CBF-4757-A75A-7160D2D83929}\\PersistedPingString",
  361.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{EDC4B9FC-9CBF-4757-A75A-7160D2D83929}\\PersistedPingTime",
  362.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
  363.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\pv",
  364.     "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState",
  365.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState\\StateValue",
  366.     "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000_CLASSES\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  367.     "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\proxy\\source",
  368.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\RollCallDayStartSec",
  369.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
  370.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\ping_freshness",
  371.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\(Default)",
  372.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\hint",
  373.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\name",
  374.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\LastCheckSuccess",
  375.     "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
  376.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ActivePingDayStartSec",
  377.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\RollCallDayStartSec",
  378.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastActivity",
  379.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastRollCall",
  380.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ping_freshness",
  381.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\(Default)",
  382.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\hint",
  383.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\name",
  384.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\LastCheckSuccess",
  385.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\LastChecked",
  386.     "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState",
  387.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\StateValue"
  388. ]
  389.  
  390. [*] Deleted Registry Keys: [
  391.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\uid",
  392.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\old-uid",
  393.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\tttoken",
  394.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableCount",
  395.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableSince",
  396.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
  397.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\tttoken",
  398.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableCount",
  399.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableSince"
  400. ]
  401.  
  402. [*] DNS Communications: [
  403.     {
  404.         "type": "A",
  405.         "request": "www.effyqroup.com",
  406.         "answers": [
  407.             {
  408.                 "data": "",
  409.                 "type": "NXDOMAIN"
  410.             }
  411.         ]
  412.     }
  413. ]
  414.  
  415. [*] Domains: [
  416.     {
  417.         "ip": "",
  418.         "domain": "www.effyqroup.com"
  419.     }
  420. ]
  421.  
  422. [*] Network Communication - ICMP: []
  423.  
  424. [*] Network Communication - HTTP: [
  425.     {
  426.         "count": 1,
  427.         "body": "",
  428.         "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  429.         "user-agent": "Microsoft-CryptoAPI/6.1",
  430.         "method": "GET",
  431.         "host": "ocsp.digicert.com",
  432.         "version": "1.1",
  433.         "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  434.         "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  435.         "port": 80
  436.     },
  437.     {
  438.         "count": 1,
  439.         "body": "",
  440.         "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  441.         "user-agent": "Microsoft-CryptoAPI/6.1",
  442.         "method": "GET",
  443.         "host": "ocsp.digicert.com",
  444.         "version": "1.1",
  445.         "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  446.         "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  447.         "port": 80
  448.     },
  449.     {
  450.         "count": 1,
  451.         "body": "",
  452.         "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  453.         "user-agent": "Microsoft-CryptoAPI/6.1",
  454.         "method": "GET",
  455.         "host": "ocsp.digicert.com",
  456.         "version": "1.1",
  457.         "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  458.         "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  459.         "port": 80
  460.     }
  461. ]
  462.  
  463. [*] Network Communication - SMTP: []
  464.  
  465. [*] Network Communication - Hosts: []
  466.  
  467. [*] Network Communication - IRC: []
  468.  
  469. [*] Static Analysis: {
  470.     "pe": {
  471.         "peid_signatures": null,
  472.         "imports": [
  473.             {
  474.                 "imports": [
  475.                     {
  476.                         "name": "LoadLibraryA",
  477.                         "address": "0x49b050"
  478.                     },
  479.                     {
  480.                         "name": "GetProcAddress",
  481.                         "address": "0x49b054"
  482.                     },
  483.                     {
  484.                         "name": "VirtualProtect",
  485.                         "address": "0x49b058"
  486.                     },
  487.                     {
  488.                         "name": "VirtualAlloc",
  489.                         "address": "0x49b05c"
  490.                     },
  491.                     {
  492.                         "name": "VirtualFree",
  493.                         "address": "0x49b060"
  494.                     },
  495.                     {
  496.                         "name": "ExitProcess",
  497.                         "address": "0x49b064"
  498.                     }
  499.                 ],
  500.                 "dll": "KERNEL32.DLL"
  501.             },
  502.             {
  503.                 "imports": [
  504.                     {
  505.                         "name": "RegCloseKey",
  506.                         "address": "0x49b06c"
  507.                     }
  508.                 ],
  509.                 "dll": "advapi32.dll"
  510.             },
  511.             {
  512.                 "imports": [
  513.                     {
  514.                         "name": "ImageList_Add",
  515.                         "address": "0x49b074"
  516.                     }
  517.                 ],
  518.                 "dll": "comctl32.dll"
  519.             },
  520.             {
  521.                 "imports": [
  522.                     {
  523.                         "name": "GetOpenFileNameA",
  524.                         "address": "0x49b07c"
  525.                     }
  526.                 ],
  527.                 "dll": "comdlg32.dll"
  528.             },
  529.             {
  530.                 "imports": [
  531.                     {
  532.                         "name": "SaveDC",
  533.                         "address": "0x49b084"
  534.                     }
  535.                 ],
  536.                 "dll": "gdi32.dll"
  537.             },
  538.             {
  539.                 "imports": [
  540.                     {
  541.                         "name": "VariantCopy",
  542.                         "address": "0x49b08c"
  543.                     }
  544.                 ],
  545.                 "dll": "oleaut32.dll"
  546.             },
  547.             {
  548.                 "imports": [
  549.                     {
  550.                         "name": "GetDC",
  551.                         "address": "0x49b094"
  552.                     }
  553.                 ],
  554.                 "dll": "user32.dll"
  555.             },
  556.             {
  557.                 "imports": [
  558.                     {
  559.                         "name": "VerQueryValueA",
  560.                         "address": "0x49b09c"
  561.                     }
  562.                 ],
  563.                 "dll": "version.dll"
  564.             }
  565.         ],
  566.         "digital_signers": null,
  567.         "exported_dll_name": null,
  568.         "actual_checksum": "0x00050625",
  569.         "overlay": null,
  570.         "imagebase": "0x00400000",
  571.         "reported_checksum": "0x00000000",
  572.         "icon_hash": null,
  573.         "entrypoint": "0x00499640",
  574.         "timestamp": "1992-06-17 20:49:04",
  575.         "osversion": "4.0",
  576.         "sections": [
  577.             {
  578.                 "name": "UPX0",
  579.                 "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  580.                 "virtual_address": "0x00001000",
  581.                 "size_of_data": "0x00000000",
  582.                 "entropy": "0.00",
  583.                 "raw_address": "0x00000400",
  584.                 "virtual_size": "0x00059000",
  585.                 "characteristics_raw": "0xe0000080"
  586.             },
  587.             {
  588.                 "name": "UPX1",
  589.                 "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  590.                 "virtual_address": "0x0005a000",
  591.                 "size_of_data": "0x0003fa00",
  592.                 "entropy": "7.95",
  593.                 "raw_address": "0x00000400",
  594.                 "virtual_size": "0x00040000",
  595.                 "characteristics_raw": "0xe0000040"
  596.             },
  597.             {
  598.                 "name": ".rsrc",
  599.                 "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  600.                 "virtual_address": "0x0009a000",
  601.                 "size_of_data": "0x00001200",
  602.                 "entropy": "3.33",
  603.                 "raw_address": "0x0003fe00",
  604.                 "virtual_size": "0x00002000",
  605.                 "characteristics_raw": "0xc0000040"
  606.             }
  607.         ],
  608.         "resources": [],
  609.         "dirents": [
  610.             {
  611.                 "virtual_address": "0x00000000",
  612.                 "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  613.                 "size": "0x00000000"
  614.             },
  615.             {
  616.                 "virtual_address": "0x0009af9c",
  617.                 "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  618.                 "size": "0x00000224"
  619.             },
  620.             {
  621.                 "virtual_address": "0x0009a000",
  622.                 "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  623.                 "size": "0x00000f9c"
  624.             },
  625.             {
  626.                 "virtual_address": "0x00000000",
  627.                 "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  628.                 "size": "0x00000000"
  629.             },
  630.             {
  631.                 "virtual_address": "0x00000000",
  632.                 "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  633.                 "size": "0x00000000"
  634.             },
  635.             {
  636.                 "virtual_address": "0x00000000",
  637.                 "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  638.                 "size": "0x00000000"
  639.             },
  640.             {
  641.                 "virtual_address": "0x00000000",
  642.                 "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  643.                 "size": "0x00000000"
  644.             },
  645.             {
  646.                 "virtual_address": "0x00000000",
  647.                 "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  648.                 "size": "0x00000000"
  649.             },
  650.             {
  651.                 "virtual_address": "0x00000000",
  652.                 "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  653.                 "size": "0x00000000"
  654.             },
  655.             {
  656.                 "virtual_address": "0x000997f8",
  657.                 "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  658.                 "size": "0x00000018"
  659.             },
  660.             {
  661.                 "virtual_address": "0x00000000",
  662.                 "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  663.                 "size": "0x00000000"
  664.             },
  665.             {
  666.                 "virtual_address": "0x00000000",
  667.                 "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  668.                 "size": "0x00000000"
  669.             },
  670.             {
  671.                 "virtual_address": "0x00000000",
  672.                 "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  673.                 "size": "0x00000000"
  674.             },
  675.             {
  676.                 "virtual_address": "0x00000000",
  677.                 "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  678.                 "size": "0x00000000"
  679.             },
  680.             {
  681.                 "virtual_address": "0x00000000",
  682.                 "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  683.                 "size": "0x00000000"
  684.             },
  685.             {
  686.                 "virtual_address": "0x00000000",
  687.                 "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  688.                 "size": "0x00000000"
  689.             }
  690.         ],
  691.         "exports": [],
  692.         "guest_signers": {},
  693.         "imphash": "c458ff2d515beb8f44158cd3636a7400",
  694.         "icon_fuzzy": null,
  695.         "icon": null,
  696.         "pdbpath": null,
  697.         "imported_dll_count": 8,
  698.         "versioninfo": []
  699.     }
  700. }
  701.  
  702. [*] Resolved APIs: [
  703.     "kernel32.dll.lstrcpyA",
  704.     "kernel32.dll.WriteFile",
  705.     "kernel32.dll.WaitForSingleObject",
  706.     "kernel32.dll.VirtualQuery",
  707.     "kernel32.dll.VirtualAlloc",
  708.     "kernel32.dll.Sleep",
  709.     "kernel32.dll.SizeofResource",
  710.     "kernel32.dll.SetThreadLocale",
  711.     "kernel32.dll.SetFilePointer",
  712.     "kernel32.dll.SetEvent",
  713.     "kernel32.dll.SetErrorMode",
  714.     "kernel32.dll.SetEndOfFile",
  715.     "kernel32.dll.ResetEvent",
  716.     "kernel32.dll.ReadFile",
  717.     "kernel32.dll.MulDiv",
  718.     "kernel32.dll.LockResource",
  719.     "kernel32.dll.LoadResource",
  720.     "kernel32.dll.LoadLibraryA",
  721.     "kernel32.dll.LeaveCriticalSection",
  722.     "kernel32.dll.InitializeCriticalSection",
  723.     "kernel32.dll.GlobalUnlock",
  724.     "kernel32.dll.GlobalReAlloc",
  725.     "kernel32.dll.GlobalHandle",
  726.     "kernel32.dll.GlobalLock",
  727.     "kernel32.dll.GlobalFree",
  728.     "kernel32.dll.GlobalFindAtomA",
  729.     "kernel32.dll.GlobalDeleteAtom",
  730.     "kernel32.dll.GlobalAlloc",
  731.     "kernel32.dll.GlobalAddAtomA",
  732.     "kernel32.dll.GetVersionExA",
  733.     "kernel32.dll.GetVersion",
  734.     "kernel32.dll.GetTickCount",
  735.     "kernel32.dll.GetThreadLocale",
  736.     "kernel32.dll.GetSystemInfo",
  737.     "kernel32.dll.GetStringTypeExA",
  738.     "kernel32.dll.GetStdHandle",
  739.     "kernel32.dll.GetProcAddress",
  740.     "kernel32.dll.GetModuleHandleA",
  741.     "kernel32.dll.GetModuleFileNameA",
  742.     "kernel32.dll.GetLocaleInfoA",
  743.     "kernel32.dll.GetLocalTime",
  744.     "kernel32.dll.GetLastError",
  745.     "kernel32.dll.GetFullPathNameA",
  746.     "kernel32.dll.GetFileAttributesA",
  747.     "kernel32.dll.GetDiskFreeSpaceA",
  748.     "kernel32.dll.GetDateFormatA",
  749.     "kernel32.dll.GetCurrentThreadId",
  750.     "kernel32.dll.GetCurrentProcessId",
  751.     "kernel32.dll.GetCPInfo",
  752.     "kernel32.dll.GetACP",
  753.     "kernel32.dll.FreeResource",
  754.     "kernel32.dll.InterlockedExchange",
  755.     "kernel32.dll.FreeLibrary",
  756.     "kernel32.dll.FormatMessageA",
  757.     "kernel32.dll.FindResourceA",
  758.     "kernel32.dll.FindFirstFileA",
  759.     "kernel32.dll.FindClose",
  760.     "kernel32.dll.FileTimeToLocalFileTime",
  761.     "kernel32.dll.FileTimeToDosDateTime",
  762.     "kernel32.dll.EnumCalendarInfoA",
  763.     "kernel32.dll.EnterCriticalSection",
  764.     "kernel32.dll.DeleteCriticalSection",
  765.     "kernel32.dll.CreateThread",
  766.     "kernel32.dll.CreateFileA",
  767.     "kernel32.dll.CreateEventA",
  768.     "kernel32.dll.CompareStringA",
  769.     "kernel32.dll.CloseHandle",
  770.     "kernel32.dll.TlsSetValue",
  771.     "kernel32.dll.TlsGetValue",
  772.     "kernel32.dll.LocalAlloc",
  773.     "kernel32.dll.VirtualFree",
  774.     "kernel32.dll.LocalFree",
  775.     "kernel32.dll.InterlockedDecrement",
  776.     "kernel32.dll.InterlockedIncrement",
  777.     "kernel32.dll.WideCharToMultiByte",
  778.     "kernel32.dll.MultiByteToWideChar",
  779.     "kernel32.dll.lstrlenA",
  780.     "kernel32.dll.lstrcpynA",
  781.     "kernel32.dll.LoadLibraryExA",
  782.     "kernel32.dll.GetStartupInfoA",
  783.     "kernel32.dll.GetCommandLineA",
  784.     "kernel32.dll.ExitProcess",
  785.     "kernel32.dll.UnhandledExceptionFilter",
  786.     "kernel32.dll.RtlUnwind",
  787.     "kernel32.dll.RaiseException",
  788.     "advapi32.dll.RegQueryValueExA",
  789.     "advapi32.dll.RegOpenKeyExA",
  790.     "advapi32.dll.RegCloseKey",
  791.     "comctl32.dll.ImageList_SetIconSize",
  792.     "comctl32.dll.ImageList_GetIconSize",
  793.     "comctl32.dll.ImageList_Write",
  794.     "comctl32.dll.ImageList_Read",
  795.     "comctl32.dll.ImageList_GetDragImage",
  796.     "comctl32.dll.ImageList_DragShowNolock",
  797.     "comctl32.dll.ImageList_SetDragCursorImage",
  798.     "comctl32.dll.ImageList_DragMove",
  799.     "comctl32.dll.ImageList_DragLeave",
  800.     "comctl32.dll.ImageList_DragEnter",
  801.     "comctl32.dll.ImageList_EndDrag",
  802.     "comctl32.dll.ImageList_BeginDrag",
  803.     "comctl32.dll.ImageList_Remove",
  804.     "comctl32.dll.ImageList_DrawEx",
  805.     "comctl32.dll.ImageList_Replace",
  806.     "comctl32.dll.ImageList_Draw",
  807.     "comctl32.dll.ImageList_GetBkColor",
  808.     "comctl32.dll.ImageList_SetBkColor",
  809.     "comctl32.dll.ImageList_ReplaceIcon",
  810.     "comctl32.dll.ImageList_Add",
  811.     "comctl32.dll.ImageList_GetImageCount",
  812.     "comctl32.dll.ImageList_Destroy",
  813.     "comctl32.dll.ImageList_Create",
  814.     "comdlg32.dll.GetOpenFileNameA",
  815.     "gdi32.dll.UnrealizeObject",
  816.     "gdi32.dll.StretchBlt",
  817.     "gdi32.dll.SetWindowOrgEx",
  818.     "gdi32.dll.SetWinMetaFileBits",
  819.     "gdi32.dll.SetViewportOrgEx",
  820.     "gdi32.dll.SetTextColor",
  821.     "gdi32.dll.SetStretchBltMode",
  822.     "gdi32.dll.SetROP2",
  823.     "gdi32.dll.SetPixel",
  824.     "gdi32.dll.SetEnhMetaFileBits",
  825.     "gdi32.dll.SetDIBColorTable",
  826.     "gdi32.dll.SetBrushOrgEx",
  827.     "gdi32.dll.SetBkMode",
  828.     "gdi32.dll.SetBkColor",
  829.     "gdi32.dll.SelectPalette",
  830.     "gdi32.dll.SelectObject",
  831.     "gdi32.dll.SelectClipRgn",
  832.     "gdi32.dll.ScaleWindowExtEx",
  833.     "gdi32.dll.SaveDC",
  834.     "gdi32.dll.RestoreDC",
  835.     "gdi32.dll.Rectangle",
  836.     "gdi32.dll.RectVisible",
  837.     "gdi32.dll.RealizePalette",
  838.     "gdi32.dll.Polyline",
  839.     "gdi32.dll.PlayEnhMetaFile",
  840.     "gdi32.dll.PathToRegion",
  841.     "gdi32.dll.PatBlt",
  842.     "gdi32.dll.MoveToEx",
  843.     "gdi32.dll.MaskBlt",
  844.     "gdi32.dll.LineTo",
  845.     "gdi32.dll.IntersectClipRect",
  846.     "gdi32.dll.GetWindowOrgEx",
  847.     "gdi32.dll.GetWinMetaFileBits",
  848.     "gdi32.dll.GetTextMetricsA",
  849.     "gdi32.dll.GetTextExtentPoint32A",
  850.     "gdi32.dll.GetSystemPaletteEntries",
  851.     "gdi32.dll.GetStockObject",
  852.     "gdi32.dll.GetPixel",
  853.     "gdi32.dll.GetPaletteEntries",
  854.     "gdi32.dll.GetObjectA",
  855.     "gdi32.dll.GetEnhMetaFilePaletteEntries",
  856.     "gdi32.dll.GetEnhMetaFileHeader",
  857.     "gdi32.dll.GetEnhMetaFileBits",
  858.     "gdi32.dll.GetDeviceCaps",
  859.     "gdi32.dll.GetDIBits",
  860.     "gdi32.dll.GetDIBColorTable",
  861.     "gdi32.dll.GetDCOrgEx",
  862.     "gdi32.dll.GetCurrentPositionEx",
  863.     "gdi32.dll.GetClipRgn",
  864.     "gdi32.dll.GetClipBox",
  865.     "gdi32.dll.GetBrushOrgEx",
  866.     "gdi32.dll.GetBitmapBits",
  867.     "gdi32.dll.ExcludeClipRect",
  868.     "gdi32.dll.DeleteObject",
  869.     "gdi32.dll.DeleteEnhMetaFile",
  870.     "gdi32.dll.DeleteDC",
  871.     "gdi32.dll.CreateSolidBrush",
  872.     "gdi32.dll.CreateRectRgn",
  873.     "gdi32.dll.CreatePenIndirect",
  874.     "gdi32.dll.CreatePalette",
  875.     "gdi32.dll.CreateHalftonePalette",
  876.     "gdi32.dll.CreateFontIndirectA",
  877.     "gdi32.dll.CreateDIBitmap",
  878.     "gdi32.dll.CreateDIBSection",
  879.     "gdi32.dll.CreateCompatibleDC",
  880.     "gdi32.dll.CreateCompatibleBitmap",
  881.     "gdi32.dll.CreateBrushIndirect",
  882.     "gdi32.dll.CreateBitmap",
  883.     "gdi32.dll.CopyEnhMetaFileA",
  884.     "gdi32.dll.BitBlt",
  885.     "oleaut32.dll.SafeArrayPtrOfIndex",
  886.     "oleaut32.dll.SafeArrayGetUBound",
  887.     "oleaut32.dll.SafeArrayGetLBound",
  888.     "oleaut32.dll.SafeArrayCreate",
  889.     "oleaut32.dll.VariantChangeType",
  890.     "oleaut32.dll.VariantCopy",
  891.     "oleaut32.dll.VariantClear",
  892.     "oleaut32.dll.VariantInit",
  893.     "oleaut32.dll.SysFreeString",
  894.     "oleaut32.dll.SysReAllocStringLen",
  895.     "oleaut32.dll.SysAllocStringLen",
  896.     "user32.dll.CreateWindowExA",
  897.     "user32.dll.WindowFromPoint",
  898.     "user32.dll.WinHelpA",
  899.     "user32.dll.WaitMessage",
  900.     "user32.dll.UpdateWindow",
  901.     "user32.dll.UnregisterClassA",
  902.     "user32.dll.UnhookWindowsHookEx",
  903.     "user32.dll.TranslateMessage",
  904.     "user32.dll.TranslateMDISysAccel",
  905.     "user32.dll.TrackPopupMenu",
  906.     "user32.dll.SystemParametersInfoA",
  907.     "user32.dll.ShowWindow",
  908.     "user32.dll.ShowScrollBar",
  909.     "user32.dll.ShowOwnedPopups",
  910.     "user32.dll.ShowCursor",
  911.     "user32.dll.SetWindowsHookExA",
  912.     "user32.dll.SetWindowPos",
  913.     "user32.dll.SetWindowPlacement",
  914.     "user32.dll.SetWindowLongA",
  915.     "user32.dll.SetTimer",
  916.     "user32.dll.SetScrollRange",
  917.     "user32.dll.SetScrollPos",
  918.     "user32.dll.SetScrollInfo",
  919.     "user32.dll.SetRect",
  920.     "user32.dll.SetPropA",
  921.     "user32.dll.SetParent",
  922.     "user32.dll.SetMenuItemInfoA",
  923.     "user32.dll.SetMenu",
  924.     "user32.dll.SetForegroundWindow",
  925.     "user32.dll.SetFocus",
  926.     "user32.dll.SetCursor",
  927.     "user32.dll.SetClassLongA",
  928.     "user32.dll.SetCapture",
  929.     "user32.dll.SetActiveWindow",
  930.     "user32.dll.SendMessageA",
  931.     "user32.dll.ScrollWindow",
  932.     "user32.dll.ScreenToClient",
  933.     "user32.dll.RemovePropA",
  934.     "user32.dll.RemoveMenu",
  935.     "user32.dll.ReleaseDC",
  936.     "user32.dll.ReleaseCapture",
  937.     "user32.dll.RegisterWindowMessageA",
  938.     "user32.dll.RegisterClipboardFormatA",
  939.     "user32.dll.RegisterClassA",
  940.     "user32.dll.RedrawWindow",
  941.     "user32.dll.PtInRect",
  942.     "user32.dll.PostQuitMessage",
  943.     "user32.dll.PostMessageA",
  944.     "user32.dll.PeekMessageA",
  945.     "user32.dll.OffsetRect",
  946.     "user32.dll.OemToCharA",
  947.     "user32.dll.MessageBoxA",
  948.     "user32.dll.MapWindowPoints",
  949.     "user32.dll.MapVirtualKeyA",
  950.     "user32.dll.LoadStringA",
  951.     "user32.dll.LoadKeyboardLayoutA",
  952.     "user32.dll.LoadIconA",
  953.     "user32.dll.LoadCursorA",
  954.     "user32.dll.LoadBitmapA",
  955.     "user32.dll.KillTimer",
  956.     "user32.dll.IsZoomed",
  957.     "user32.dll.IsWindowVisible",
  958.     "user32.dll.IsWindowEnabled",
  959.     "user32.dll.IsWindow",
  960.     "user32.dll.IsRectEmpty",
  961.     "user32.dll.IsIconic",
  962.     "user32.dll.IsDialogMessageA",
  963.     "user32.dll.IsChild",
  964.     "user32.dll.InvalidateRect",
  965.     "user32.dll.IntersectRect",
  966.     "user32.dll.InsertMenuItemA",
  967.     "user32.dll.InsertMenuA",
  968.     "user32.dll.InflateRect",
  969.     "user32.dll.GetWindowThreadProcessId",
  970.     "user32.dll.GetWindowTextA",
  971.     "user32.dll.GetWindowRect",
  972.     "user32.dll.GetWindowPlacement",
  973.     "user32.dll.GetWindowLongA",
  974.     "user32.dll.GetWindowDC",
  975.     "user32.dll.GetTopWindow",
  976.     "user32.dll.GetSystemMetrics",
  977.     "user32.dll.GetSystemMenu",
  978.     "user32.dll.GetSysColorBrush",
  979.     "user32.dll.GetSysColor",
  980.     "user32.dll.GetSubMenu",
  981.     "user32.dll.GetScrollRange",
  982.     "user32.dll.GetScrollPos",
  983.     "user32.dll.GetScrollInfo",
  984.     "user32.dll.GetPropA",
  985.     "user32.dll.GetParent",
  986.     "user32.dll.GetWindow",
  987.     "user32.dll.GetMenuStringA",
  988.     "user32.dll.GetMenuState",
  989.     "user32.dll.GetMenuItemInfoA",
  990.     "user32.dll.GetMenuItemID",
  991.     "user32.dll.GetMenuItemCount",
  992.     "user32.dll.GetMenu",
  993.     "user32.dll.GetLastActivePopup",
  994.     "user32.dll.GetKeyboardState",
  995.     "user32.dll.GetKeyboardLayoutList",
  996.     "user32.dll.GetKeyboardLayout",
  997.     "user32.dll.GetKeyState",
  998.     "user32.dll.GetKeyNameTextA",
  999.     "user32.dll.GetIconInfo",
  1000.     "user32.dll.GetForegroundWindow",
  1001.     "user32.dll.GetFocus",
  1002.     "user32.dll.GetDlgItem",
  1003.     "user32.dll.GetDesktopWindow",
  1004.     "user32.dll.GetDCEx",
  1005.     "user32.dll.GetDC",
  1006.     "user32.dll.GetCursorPos",
  1007.     "user32.dll.GetCursor",
  1008.     "user32.dll.GetClipboardData",
  1009.     "user32.dll.GetClientRect",
  1010.     "user32.dll.GetClassNameA",
  1011.     "user32.dll.GetClassInfoA",
  1012.     "user32.dll.GetCapture",
  1013.     "user32.dll.GetActiveWindow",
  1014.     "user32.dll.FrameRect",
  1015.     "user32.dll.FindWindowA",
  1016.     "user32.dll.FillRect",
  1017.     "user32.dll.EqualRect",
  1018.     "user32.dll.EnumWindows",
  1019.     "user32.dll.EnumThreadWindows",
  1020.     "user32.dll.EndPaint",
  1021.     "user32.dll.EnableWindow",
  1022.     "user32.dll.EnableScrollBar",
  1023.     "user32.dll.EnableMenuItem",
  1024.     "user32.dll.DrawTextA",
  1025.     "user32.dll.DrawMenuBar",
  1026.     "user32.dll.DrawIconEx",
  1027.     "user32.dll.DrawIcon",
  1028.     "user32.dll.DrawFrameControl",
  1029.     "user32.dll.DrawFocusRect",
  1030.     "user32.dll.DrawEdge",
  1031.     "user32.dll.DispatchMessageA",
  1032.     "user32.dll.DestroyWindow",
  1033.     "user32.dll.DestroyMenu",
  1034.     "user32.dll.DestroyIcon",
  1035.     "user32.dll.DestroyCursor",
  1036.     "user32.dll.DeleteMenu",
  1037.     "user32.dll.DefWindowProcA",
  1038.     "user32.dll.DefMDIChildProcA",
  1039.     "user32.dll.DefFrameProcA",
  1040.     "user32.dll.CreatePopupMenu",
  1041.     "user32.dll.CreateMenu",
  1042.     "user32.dll.CreateIcon",
  1043.     "user32.dll.ClientToScreen",
  1044.     "user32.dll.CheckMenuItem",
  1045.     "user32.dll.CallWindowProcA",
  1046.     "user32.dll.CallNextHookEx",
  1047.     "user32.dll.BeginPaint",
  1048.     "user32.dll.CharNextA",
  1049.     "user32.dll.CharLowerBuffA",
  1050.     "user32.dll.CharLowerA",
  1051.     "user32.dll.CharToOemA",
  1052.     "user32.dll.AdjustWindowRectEx",
  1053.     "user32.dll.ActivateKeyboardLayout",
  1054.     "user32.dll.GetKeyboardType",
  1055.     "version.dll.VerQueryValueA",
  1056.     "version.dll.GetFileVersionInfoSizeA",
  1057.     "version.dll.GetFileVersionInfoA",
  1058.     "kernel32.dll.GetDiskFreeSpaceExA",
  1059.     "oleaut32.dll.VariantChangeTypeEx",
  1060.     "oleaut32.dll.VarNeg",
  1061.     "oleaut32.dll.VarNot",
  1062.     "oleaut32.dll.VarAdd",
  1063.     "oleaut32.dll.VarSub",
  1064.     "oleaut32.dll.VarMul",
  1065.     "oleaut32.dll.VarDiv",
  1066.     "oleaut32.dll.VarIdiv",
  1067.     "oleaut32.dll.VarMod",
  1068.     "oleaut32.dll.VarAnd",
  1069.     "oleaut32.dll.VarOr",
  1070.     "oleaut32.dll.VarXor",
  1071.     "oleaut32.dll.VarCmp",
  1072.     "oleaut32.dll.VarI4FromStr",
  1073.     "oleaut32.dll.VarR4FromStr",
  1074.     "oleaut32.dll.VarR8FromStr",
  1075.     "oleaut32.dll.VarDateFromStr",
  1076.     "oleaut32.dll.VarCyFromStr",
  1077.     "oleaut32.dll.VarBoolFromStr",
  1078.     "oleaut32.dll.VarBstrFromCy",
  1079.     "oleaut32.dll.VarBstrFromDate",
  1080.     "oleaut32.dll.VarBstrFromBool",
  1081.     "user32.dll.GetMonitorInfoA",
  1082.     "user32.dll.EnumDisplayMonitors",
  1083.     "dwmapi.dll.DwmIsCompositionEnabled",
  1084.     "gdi32.dll.GetLayout",
  1085.     "gdi32.dll.GdiRealizationInfo",
  1086.     "gdi32.dll.FontIsLinked",
  1087.     "advapi32.dll.RegOpenKeyExW",
  1088.     "advapi32.dll.RegQueryInfoKeyW",
  1089.     "gdi32.dll.GetTextFaceAliasW",
  1090.     "advapi32.dll.RegEnumValueW",
  1091.     "advapi32.dll.RegQueryValueExW",
  1092.     "gdi32.dll.GetFontAssocStatus",
  1093.     "advapi32.dll.RegEnumKeyExW",
  1094.     "gdi32.dll.GdiIsMetaPrintDC",
  1095.     "user32.dll.AnimateWindow",
  1096.     "comctl32.dll.InitializeFlatSB",
  1097.     "comctl32.dll.UninitializeFlatSB",
  1098.     "comctl32.dll.FlatSB_GetScrollProp",
  1099.     "comctl32.dll.FlatSB_SetScrollProp",
  1100.     "comctl32.dll.FlatSB_EnableScrollBar",
  1101.     "comctl32.dll.FlatSB_ShowScrollBar",
  1102.     "comctl32.dll.FlatSB_GetScrollRange",
  1103.     "comctl32.dll.FlatSB_GetScrollInfo",
  1104.     "comctl32.dll.FlatSB_GetScrollPos",
  1105.     "comctl32.dll.FlatSB_SetScrollPos",
  1106.     "comctl32.dll.FlatSB_SetScrollInfo",
  1107.     "comctl32.dll.FlatSB_SetScrollRange",
  1108.     "user32.dll.SetLayeredWindowAttributes",
  1109.     "cryptsp.dll.CryptAcquireContextW",
  1110.     "cryptsp.dll.CryptCreateHash",
  1111.     "cryptsp.dll.CryptHashData",
  1112.     "cryptsp.dll.CryptGetHashParam",
  1113.     "cryptsp.dll.CryptDestroyHash",
  1114.     "cryptsp.dll.CryptReleaseContext",
  1115.     "vaultcli.dll.VaultEnumerateItems",
  1116.     "vaultcli.dll.VaultEnumerateVaults",
  1117.     "vaultcli.dll.VaultFree",
  1118.     "vaultcli.dll.VaultGetItem",
  1119.     "vaultcli.dll.VaultOpenVault",
  1120.     "vaultcli.dll.VaultCloseVault",
  1121.     "sechost.dll.LookupAccountSidLocalW",
  1122.     "netapi32.dll.NetUserGetInfo",
  1123.     "cryptsp.dll.CryptImportKey",
  1124.     "cryptsp.dll.CryptSetKeyParam",
  1125.     "cryptsp.dll.CryptDecrypt",
  1126.     "cryptsp.dll.CryptDestroyKey",
  1127.     "kernel32.dll.FlsAlloc",
  1128.     "kernel32.dll.FlsSetValue",
  1129.     "kernel32.dll.FlsGetValue",
  1130.     "kernel32.dll.LCMapStringEx",
  1131.     "kernel32.dll.InitializeCriticalSectionEx",
  1132.     "kernel32.dll.FlsFree",
  1133.     "kernel32.dll.InitOnceExecuteOnce",
  1134.     "kernel32.dll.CreateEventExW",
  1135.     "kernel32.dll.CreateSemaphoreW",
  1136.     "kernel32.dll.CreateSemaphoreExW",
  1137.     "kernel32.dll.CreateThreadpoolTimer",
  1138.     "kernel32.dll.SetThreadpoolTimer",
  1139.     "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1140.     "kernel32.dll.CloseThreadpoolTimer",
  1141.     "kernel32.dll.CreateThreadpoolWait",
  1142.     "kernel32.dll.SetThreadpoolWait",
  1143.     "kernel32.dll.CloseThreadpoolWait",
  1144.     "kernel32.dll.FlushProcessWriteBuffers",
  1145.     "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1146.     "kernel32.dll.GetCurrentProcessorNumber",
  1147.     "kernel32.dll.CreateSymbolicLinkW",
  1148.     "kernel32.dll.GetTickCount64",
  1149.     "kernel32.dll.GetFileInformationByHandleEx",
  1150.     "kernel32.dll.SetFileInformationByHandle",
  1151.     "kernel32.dll.InitializeConditionVariable",
  1152.     "kernel32.dll.WakeConditionVariable",
  1153.     "kernel32.dll.WakeAllConditionVariable",
  1154.     "kernel32.dll.SleepConditionVariableCS",
  1155.     "kernel32.dll.InitializeSRWLock",
  1156.     "kernel32.dll.AcquireSRWLockExclusive",
  1157.     "kernel32.dll.TryAcquireSRWLockExclusive",
  1158.     "kernel32.dll.ReleaseSRWLockExclusive",
  1159.     "kernel32.dll.SleepConditionVariableSRW",
  1160.     "kernel32.dll.CreateThreadpoolWork",
  1161.     "kernel32.dll.SubmitThreadpoolWork",
  1162.     "kernel32.dll.CloseThreadpoolWork",
  1163.     "kernel32.dll.CompareStringEx",
  1164.     "kernel32.dll.GetLocaleInfoEx",
  1165.     "kernel32.dll.SortGetHandle",
  1166.     "kernel32.dll.SortCloseHandle",
  1167.     "goopdate.dll.DllEntry",
  1168.     "kernel32.dll.RtlCaptureStackBackTrace",
  1169.     "wkscli.dll.NetWkstaGetInfo",
  1170.     "cscapi.dll.CscNetApiGetInterface",
  1171.     "ntmarta.dll.GetMartaExtensionInterface",
  1172.     "kernel32.dll.CreateMutexExW",
  1173.     "dbghelp.dll.MiniDumpWriteDump",
  1174.     "rpcrt4.dll.UuidCreate",
  1175.     "cryptbase.dll.SystemFunction036",
  1176.     "sechost.dll.LookupAccountNameLocalW",
  1177.     "advapi32.dll.LookupAccountSidW",
  1178.     "cryptsp.dll.CryptGenRandom",
  1179.     "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  1180.     "ole32.dll.CoGetClassObject",
  1181.     "ole32.dll.CoGetMarshalSizeMax",
  1182.     "ole32.dll.CoMarshalInterface",
  1183.     "ole32.dll.CoUnmarshalInterface",
  1184.     "ole32.dll.StringFromIID",
  1185.     "ole32.dll.CoGetPSClsid",
  1186.     "ole32.dll.CoTaskMemAlloc",
  1187.     "ole32.dll.CoTaskMemFree",
  1188.     "ole32.dll.CoCreateInstance",
  1189.     "ole32.dll.CoReleaseMarshalData",
  1190.     "ole32.dll.DcomChannelSetHResult",
  1191.     "psmachine.dll.DllGetClassObject",
  1192.     "psmachine.dll.DllCanUnloadNow",
  1193.     "advapi32.dll.RegOpenKeyW",
  1194.     "ntdll.dll.RtlGetVersion",
  1195.     "kernel32.dll.GetNativeSystemInfo",
  1196.     "winhttp.dll.WinHttpAddRequestHeaders",
  1197.     "winhttp.dll.WinHttpCheckPlatform",
  1198.     "winhttp.dll.WinHttpCloseHandle",
  1199.     "winhttp.dll.WinHttpConnect",
  1200.     "winhttp.dll.WinHttpCrackUrl",
  1201.     "winhttp.dll.WinHttpCreateUrl",
  1202.     "winhttp.dll.WinHttpDetectAutoProxyConfigUrl",
  1203.     "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
  1204.     "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
  1205.     "winhttp.dll.WinHttpGetProxyForUrl",
  1206.     "winhttp.dll.WinHttpOpen",
  1207.     "winhttp.dll.WinHttpOpenRequest",
  1208.     "winhttp.dll.WinHttpQueryAuthSchemes",
  1209.     "winhttp.dll.WinHttpQueryDataAvailable",
  1210.     "winhttp.dll.WinHttpQueryHeaders",
  1211.     "winhttp.dll.WinHttpQueryOption",
  1212.     "winhttp.dll.WinHttpReadData",
  1213.     "winhttp.dll.WinHttpReceiveResponse",
  1214.     "winhttp.dll.WinHttpSendRequest",
  1215.     "winhttp.dll.WinHttpSetDefaultProxyConfiguration",
  1216.     "winhttp.dll.WinHttpSetCredentials",
  1217.     "winhttp.dll.WinHttpSetOption",
  1218.     "winhttp.dll.WinHttpSetStatusCallback",
  1219.     "winhttp.dll.WinHttpSetTimeouts",
  1220.     "winhttp.dll.WinHttpWriteData",
  1221.     "shlwapi.dll.StrCmpNW",
  1222.     "shlwapi.dll.#153",
  1223.     "ws2_32.dll.GetAddrInfoW",
  1224.     "ws2_32.dll.WSASocketW",
  1225.     "ws2_32.dll.#2",
  1226.     "ws2_32.dll.#21",
  1227.     "ws2_32.dll.#9",
  1228.     "ws2_32.dll.WSAIoctl",
  1229.     "ws2_32.dll.FreeAddrInfoW",
  1230.     "ws2_32.dll.#6",
  1231.     "ws2_32.dll.#5",
  1232.     "schannel.dll.SpUserModeInitialize",
  1233.     "advapi32.dll.RegCreateKeyExW",
  1234.     "ws2_32.dll.WSASend",
  1235.     "ws2_32.dll.WSARecv",
  1236.     "advapi32.dll.RevertToSelf",
  1237.     "secur32.dll.FreeContextBuffer",
  1238.     "ncrypt.dll.SslOpenProvider",
  1239.     "ncrypt.dll.GetSChannelInterface",
  1240.     "bcryptprimitives.dll.GetHashInterface",
  1241.     "ncrypt.dll.SslIncrementProviderReferenceCount",
  1242.     "ncrypt.dll.SslImportKey",
  1243.     "bcryptprimitives.dll.GetCipherInterface",
  1244.     "ncrypt.dll.SslLookupCipherSuiteInfo",
  1245.     "user32.dll.LoadStringW",
  1246.     "ncrypt.dll.BCryptOpenAlgorithmProvider",
  1247.     "ncrypt.dll.BCryptGetProperty",
  1248.     "ncrypt.dll.BCryptCreateHash",
  1249.     "ncrypt.dll.BCryptHashData",
  1250.     "ncrypt.dll.BCryptFinishHash",
  1251.     "ncrypt.dll.BCryptDestroyHash",
  1252.     "crypt32.dll.CertGetCertificateChain",
  1253.     "userenv.dll.GetUserProfileDirectoryW",
  1254.     "sechost.dll.ConvertSidToStringSidW",
  1255.     "sechost.dll.ConvertStringSidToSidW",
  1256.     "userenv.dll.RegisterGPNotification",
  1257.     "gpapi.dll.RegisterGPNotificationInternal",
  1258.     "sechost.dll.OpenSCManagerW",
  1259.     "sechost.dll.OpenServiceW",
  1260.     "sechost.dll.CloseServiceHandle",
  1261.     "sechost.dll.QueryServiceConfigW",
  1262.     "winsta.dll.WinStationRegisterNotificationEvent",
  1263.     "advapi32.dll.CreateWellKnownSid",
  1264.     "rpcrt4.dll.RpcStringBindingComposeW",
  1265.     "rpcrt4.dll.RpcBindingFromStringBindingW",
  1266.     "rpcrt4.dll.RpcStringFreeW",
  1267.     "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  1268.     "rpcrt4.dll.RpcAsyncInitializeHandle",
  1269.     "rpcrt4.dll.NdrClientCall2",
  1270.     "rpcrt4.dll.NdrAsyncClientCall",
  1271.     "cryptsp.dll.CryptAcquireContextA",
  1272.     "cryptsp.dll.CryptVerifySignatureA",
  1273.     "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
  1274.     "ncrypt.dll.BCryptImportKeyPair",
  1275.     "ncrypt.dll.BCryptVerifySignature",
  1276.     "ncrypt.dll.BCryptDestroyKey",
  1277.     "crypt32.dll.CertVerifyCertificateChainPolicy",
  1278.     "crypt32.dll.CertFreeCertificateChain",
  1279.     "crypt32.dll.CertDuplicateCertificateContext",
  1280.     "ncrypt.dll.SslEncryptPacket",
  1281.     "ncrypt.dll.SslDecryptPacket",
  1282.     "kernel32.dll.WTSGetActiveConsoleSessionId",
  1283.     "winsta.dll.WinStationQueryInformationW",
  1284.     "rpcrt4.dll.I_RpcExceptionFilter",
  1285.     "rpcrt4.dll.RpcBindingFree",
  1286.     "kernel32.dll.IsWow64Process",
  1287.     "psapi.dll.GetProcessImageFileNameW",
  1288.     "oleaut32.dll.#500",
  1289.     "crypt32.dll.CertFreeCertificateContext",
  1290.     "ncrypt.dll.SslFreeObject"
  1291. ]
  1292.  
  1293. [*] Static Analysis: {
  1294.     "pe": {
  1295.         "peid_signatures": null,
  1296.         "imports": [
  1297.             {
  1298.                 "imports": [
  1299.                     {
  1300.                         "name": "LoadLibraryA",
  1301.                         "address": "0x49b050"
  1302.                     },
  1303.                     {
  1304.                         "name": "GetProcAddress",
  1305.                         "address": "0x49b054"
  1306.                     },
  1307.                     {
  1308.                         "name": "VirtualProtect",
  1309.                         "address": "0x49b058"
  1310.                     },
  1311.                     {
  1312.                         "name": "VirtualAlloc",
  1313.                         "address": "0x49b05c"
  1314.                     },
  1315.                     {
  1316.                         "name": "VirtualFree",
  1317.                         "address": "0x49b060"
  1318.                     },
  1319.                     {
  1320.                         "name": "ExitProcess",
  1321.                         "address": "0x49b064"
  1322.                     }
  1323.                 ],
  1324.                 "dll": "KERNEL32.DLL"
  1325.             },
  1326.             {
  1327.                 "imports": [
  1328.                     {
  1329.                         "name": "RegCloseKey",
  1330.                         "address": "0x49b06c"
  1331.                     }
  1332.                 ],
  1333.                 "dll": "advapi32.dll"
  1334.             },
  1335.             {
  1336.                 "imports": [
  1337.                     {
  1338.                         "name": "ImageList_Add",
  1339.                         "address": "0x49b074"
  1340.                     }
  1341.                 ],
  1342.                 "dll": "comctl32.dll"
  1343.             },
  1344.             {
  1345.                 "imports": [
  1346.                     {
  1347.                         "name": "GetOpenFileNameA",
  1348.                         "address": "0x49b07c"
  1349.                     }
  1350.                 ],
  1351.                 "dll": "comdlg32.dll"
  1352.             },
  1353.             {
  1354.                 "imports": [
  1355.                     {
  1356.                         "name": "SaveDC",
  1357.                         "address": "0x49b084"
  1358.                     }
  1359.                 ],
  1360.                 "dll": "gdi32.dll"
  1361.             },
  1362.             {
  1363.                 "imports": [
  1364.                     {
  1365.                         "name": "VariantCopy",
  1366.                         "address": "0x49b08c"
  1367.                     }
  1368.                 ],
  1369.                 "dll": "oleaut32.dll"
  1370.             },
  1371.             {
  1372.                 "imports": [
  1373.                     {
  1374.                         "name": "GetDC",
  1375.                         "address": "0x49b094"
  1376.                     }
  1377.                 ],
  1378.                 "dll": "user32.dll"
  1379.             },
  1380.             {
  1381.                 "imports": [
  1382.                     {
  1383.                         "name": "VerQueryValueA",
  1384.                         "address": "0x49b09c"
  1385.                     }
  1386.                 ],
  1387.                 "dll": "version.dll"
  1388.             }
  1389.         ],
  1390.         "digital_signers": null,
  1391.         "exported_dll_name": null,
  1392.         "actual_checksum": "0x00050625",
  1393.         "overlay": null,
  1394.         "imagebase": "0x00400000",
  1395.         "reported_checksum": "0x00000000",
  1396.         "icon_hash": null,
  1397.         "entrypoint": "0x00499640",
  1398.         "timestamp": "1992-06-17 20:49:04",
  1399.         "osversion": "4.0",
  1400.         "sections": [
  1401.             {
  1402.                 "name": "UPX0",
  1403.                 "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1404.                 "virtual_address": "0x00001000",
  1405.                 "size_of_data": "0x00000000",
  1406.                 "entropy": "0.00",
  1407.                 "raw_address": "0x00000400",
  1408.                 "virtual_size": "0x00059000",
  1409.                 "characteristics_raw": "0xe0000080"
  1410.             },
  1411.             {
  1412.                 "name": "UPX1",
  1413.                 "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1414.                 "virtual_address": "0x0005a000",
  1415.                 "size_of_data": "0x0003fa00",
  1416.                 "entropy": "7.95",
  1417.                 "raw_address": "0x00000400",
  1418.                 "virtual_size": "0x00040000",
  1419.                 "characteristics_raw": "0xe0000040"
  1420.             },
  1421.             {
  1422.                 "name": ".rsrc",
  1423.                 "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1424.                 "virtual_address": "0x0009a000",
  1425.                 "size_of_data": "0x00001200",
  1426.                 "entropy": "3.33",
  1427.                 "raw_address": "0x0003fe00",
  1428.                 "virtual_size": "0x00002000",
  1429.                 "characteristics_raw": "0xc0000040"
  1430.             }
  1431.         ],
  1432.         "resources": [],
  1433.         "dirents": [
  1434.             {
  1435.                 "virtual_address": "0x00000000",
  1436.                 "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1437.                 "size": "0x00000000"
  1438.             },
  1439.             {
  1440.                 "virtual_address": "0x0009af9c",
  1441.                 "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1442.                 "size": "0x00000224"
  1443.             },
  1444.             {
  1445.                 "virtual_address": "0x0009a000",
  1446.                 "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1447.                 "size": "0x00000f9c"
  1448.             },
  1449.             {
  1450.                 "virtual_address": "0x00000000",
  1451.                 "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1452.                 "size": "0x00000000"
  1453.             },
  1454.             {
  1455.                 "virtual_address": "0x00000000",
  1456.                 "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1457.                 "size": "0x00000000"
  1458.             },
  1459.             {
  1460.                 "virtual_address": "0x00000000",
  1461.                 "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1462.                 "size": "0x00000000"
  1463.             },
  1464.             {
  1465.                 "virtual_address": "0x00000000",
  1466.                 "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1467.                 "size": "0x00000000"
  1468.             },
  1469.             {
  1470.                 "virtual_address": "0x00000000",
  1471.                 "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1472.                 "size": "0x00000000"
  1473.             },
  1474.             {
  1475.                 "virtual_address": "0x00000000",
  1476.                 "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1477.                 "size": "0x00000000"
  1478.             },
  1479.             {
  1480.                 "virtual_address": "0x000997f8",
  1481.                 "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1482.                 "size": "0x00000018"
  1483.             },
  1484.             {
  1485.                 "virtual_address": "0x00000000",
  1486.                 "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1487.                 "size": "0x00000000"
  1488.             },
  1489.             {
  1490.                 "virtual_address": "0x00000000",
  1491.                 "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1492.                 "size": "0x00000000"
  1493.             },
  1494.             {
  1495.                 "virtual_address": "0x00000000",
  1496.                 "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1497.                 "size": "0x00000000"
  1498.             },
  1499.             {
  1500.                 "virtual_address": "0x00000000",
  1501.                 "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1502.                 "size": "0x00000000"
  1503.             },
  1504.             {
  1505.                 "virtual_address": "0x00000000",
  1506.                 "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1507.                 "size": "0x00000000"
  1508.             },
  1509.             {
  1510.                 "virtual_address": "0x00000000",
  1511.                 "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1512.                 "size": "0x00000000"
  1513.             }
  1514.         ],
  1515.         "exports": [],
  1516.         "guest_signers": {},
  1517.         "imphash": "c458ff2d515beb8f44158cd3636a7400",
  1518.         "icon_fuzzy": null,
  1519.         "icon": null,
  1520.         "pdbpath": null,
  1521.         "imported_dll_count": 8,
  1522.         "versioninfo": []
  1523.     }
  1524. }