paladin316

Ursnif_7c3f801620ea1cebd29889400ec9af67_exe_2019-06-25_20_30.json

Jun 25th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Ursnif_7c3f801620ea1cebd29889400ec9af67.exe"
  7. [*] File Size: 284160
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "98ec340830dcbc3535c88612fa0c40caa7a4c0ad656bf8aa232b3b35d4a7a028"
  10. [*] MD5: "7c3f801620ea1cebd29889400ec9af67"
  11. [*] SHA1: "b0d226574d6d7fb4ec46fcf0afea08d6e8f91674"
  12. [*] SHA512: "b81e6dd0bf79ef853b2cbe09dddea946f87f901fbe3e66cad838684cdd4104bb454483fdfaf115a5c9203e7cd512547ec53a3c99fa2eb109c05403637352a6b6"
  13. [*] CRC32: "E81D16F6"
  14. [*] SSDEEP: "6144:5sOKPyyl3yr4yJ0hlNM0NZfxZRggbgH5o:5NvmfyJuM4Zpc5o"
  15.  
  16. [*] Process Execution: [
  17. "Ursnif_7c3f801620ea1cebd29889400ec9af67.exe",
  18. "svchost.exe",
  19. "WmiPrvSE.exe",
  20. "iexplore.exe",
  21. "iexplore.exe",
  22. "iexplore.exe",
  23. "iexplore.exe",
  24. "iexplore.exe",
  25. "WmiPrvSE.exe",
  26. "svchost.exe"
  27. ]
  28.  
  29. [*] Signatures Detected: [
  30. {
  31. "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
  32. "Details": [
  33. {
  34. "IP": "204.79.197.200:80"
  35. },
  36. {
  37. "IP": "31.214.157.89:80"
  38. }
  39. ]
  40. },
  41. {
  42. "Description": "Creates RWX memory",
  43. "Details": []
  44. },
  45. {
  46. "Description": "A process attempted to delay the analysis task.",
  47. "Details": [
  48. {
  49. "Process": "Ursnif_7c3f801620ea1cebd29889400ec9af67.exe tried to sleep 369 seconds, actually delayed analysis time by 0 seconds"
  50. }
  51. ]
  52. },
  53. {
  54. "Description": "Performs some HTTP requests",
  55. "Details": [
  56. {
  57. "url": "http://www.bing.com/favicon.ico"
  58. },
  59. {
  60. "url": "http://velooiisd.club/images/iWjLmuDOy7/XYiI3c6Yc19H1pj6z/yUcuhaYMcFBs/ejPJyvBSAs2/pW3zzAX33_2FoR/sxHF6Y7EnPJ8UYYYXNVEt/jMewly5dYMgnIL5V/npy03O8g7LI4tHw/Ousy_2FKTPs0diteQV/IAnCjVXqpXbzas7uY/4Wu.avi"
  61. },
  62. {
  63. "url": "http://velooiisd.club/favicon.ico"
  64. },
  65. {
  66. "url": "http://velooiisd.club/images/lG5rXDwsB/Aw3WlunARss02DIXzHLr/PnFtwdMnTEABSpElmjc/68sb4A9Xn2sV4YWSShBzje/bCTn4QyDShm1I/ZAsNBIsn/IcyO5MhDHc1myAdXvIRWYcP/JpCn_2B5I_/2F_2FXDnTkDhsW7rj/ocbe8wkKW7op/8sYVjeQng_2/BaMrr61wC6HC/c8n.avi"
  67. },
  68. {
  69. "url": "http://velooiisd.club/images/y2Ayo90JrxkGKuKrLyUL/Jf94GGgp90duCciJVtJ/SxpQcYpulyWorK9gasq8pC/eA1zLn2Gk25Xo/7SZ5lOda/l3o0nKemRPltQmZeOcxqkKB/I7KEDNIPfW/eIos19ENohv9Op9_2/FN9MLbvdOLs4YHwT/YhET.avi"
  70. }
  71. ]
  72. },
  73. {
  74. "Description": "Crashed cuckoomon during analysis. Report this error to the Github repo.",
  75. "Details": [
  76. {
  77. "pid": 2316
  78. },
  79. {
  80. "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x3ed0c4 from hook RtlDispatchException"
  81. },
  82. {
  83. "pid": 2316
  84. },
  85. {
  86. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  87. },
  88. {
  89. "pid": 2316
  90. },
  91. {
  92. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x3ed0c8 from hook RtlDispatchException"
  93. },
  94. {
  95. "pid": 2316
  96. },
  97. {
  98. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  99. },
  100. {
  101. "pid": 2316
  102. },
  103. {
  104. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x3ed0c0 from hook RtlDispatchException"
  105. },
  106. {
  107. "pid": 2316
  108. },
  109. {
  110. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  111. },
  112. {
  113. "pid": 2316
  114. },
  115. {
  116. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x3ed0bc from hook RtlDispatchException"
  117. },
  118. {
  119. "pid": 2316
  120. },
  121. {
  122. "message": "Exception reported at offset 0x19689 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  123. },
  124. {
  125. "pid": 2316
  126. },
  127. {
  128. "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x3ed0cc from hook RtlDispatchException"
  129. },
  130. {
  131. "pid": 2316
  132. },
  133. {
  134. "message": "Exception reported at offset 0x1969b in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  135. },
  136. {
  137. "pid": 2316
  138. },
  139. {
  140. "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x3ed0d0 from hook RtlDispatchException"
  141. },
  142. {
  143. "pid": 2316
  144. },
  145. {
  146. "message": "Exception reported at offset 0x196a2 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  147. },
  148. {
  149. "pid": 2316
  150. },
  151. {
  152. "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x3ed0d4 from hook RtlDispatchException"
  153. },
  154. {
  155. "pid": 2316
  156. },
  157. {
  158. "message": "Exception reported at offset 0x196ad in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  159. },
  160. {
  161. "pid": 2316
  162. },
  163. {
  164. "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x3ed0d8 from hook RtlDispatchException"
  165. },
  166. {
  167. "pid": 2316
  168. },
  169. {
  170. "message": "Exception reported at offset 0x196c0 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  171. },
  172. {
  173. "pid": 2316
  174. },
  175. {
  176. "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x3ed0bc from hook RtlDispatchException"
  177. },
  178. {
  179. "pid": 2316
  180. },
  181. {
  182. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  183. },
  184. {
  185. "pid": 2316
  186. },
  187. {
  188. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x3ed0c0 from hook RtlDispatchException"
  189. },
  190. {
  191. "pid": 2316
  192. },
  193. {
  194. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  195. },
  196. {
  197. "pid": 2316
  198. },
  199. {
  200. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x3ed0c4 from hook RtlDispatchException"
  201. },
  202. {
  203. "pid": 2316
  204. },
  205. {
  206. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  207. },
  208. {
  209. "pid": 2316
  210. },
  211. {
  212. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x3ed0c8 from hook RtlDispatchException"
  213. },
  214. {
  215. "pid": 2316
  216. },
  217. {
  218. "message": "Exception reported at offset 0x19c07 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  219. },
  220. {
  221. "pid": 2316
  222. },
  223. {
  224. "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x3ed030 from hook RtlDispatchException"
  225. },
  226. {
  227. "pid": 2316
  228. },
  229. {
  230. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x3ed034 from hook RtlDispatchException"
  231. },
  232. {
  233. "pid": 2316
  234. },
  235. {
  236. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x3ed02c from hook RtlDispatchException"
  237. },
  238. {
  239. "pid": 2316
  240. },
  241. {
  242. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x3ed028 from hook RtlDispatchException"
  243. },
  244. {
  245. "pid": 2316
  246. },
  247. {
  248. "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x3ed048 from hook RtlDispatchException"
  249. },
  250. {
  251. "pid": 2316
  252. },
  253. {
  254. "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x3ed04c from hook RtlDispatchException"
  255. },
  256. {
  257. "pid": 2316
  258. },
  259. {
  260. "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x3ed050 from hook RtlDispatchException"
  261. },
  262. {
  263. "pid": 2316
  264. },
  265. {
  266. "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x3ed054 from hook RtlDispatchException"
  267. },
  268. {
  269. "pid": 2316
  270. },
  271. {
  272. "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x3ed028 from hook RtlDispatchException"
  273. },
  274. {
  275. "pid": 2316
  276. },
  277. {
  278. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x3ed02c from hook RtlDispatchException"
  279. },
  280. {
  281. "pid": 2316
  282. },
  283. {
  284. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x3ed030 from hook RtlDispatchException"
  285. },
  286. {
  287. "pid": 2316
  288. },
  289. {
  290. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x3ed034 from hook RtlDispatchException"
  291. },
  292. {
  293. "pid": 2316
  294. },
  295. {
  296. "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x3ed0e4 from hook RtlDispatchException"
  297. },
  298. {
  299. "pid": 2316
  300. },
  301. {
  302. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x3ed0e8 from hook RtlDispatchException"
  303. },
  304. {
  305. "pid": 2316
  306. },
  307. {
  308. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x3ed0e0 from hook RtlDispatchException"
  309. },
  310. {
  311. "pid": 2316
  312. },
  313. {
  314. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x3ed0dc from hook RtlDispatchException"
  315. },
  316. {
  317. "pid": 2316
  318. },
  319. {
  320. "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x3ed0ec from hook RtlDispatchException"
  321. },
  322. {
  323. "pid": 2316
  324. },
  325. {
  326. "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x3ed0f0 from hook RtlDispatchException"
  327. },
  328. {
  329. "pid": 2316
  330. },
  331. {
  332. "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x3ed0f4 from hook RtlDispatchException"
  333. },
  334. {
  335. "pid": 2316
  336. },
  337. {
  338. "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x3ed0f8 from hook RtlDispatchException"
  339. },
  340. {
  341. "pid": 2316
  342. },
  343. {
  344. "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x3ed0dc from hook RtlDispatchException"
  345. },
  346. {
  347. "pid": 2316
  348. },
  349. {
  350. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x3ed0e0 from hook RtlDispatchException"
  351. },
  352. {
  353. "pid": 2316
  354. },
  355. {
  356. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x3ed0e4 from hook RtlDispatchException"
  357. },
  358. {
  359. "pid": 2316
  360. },
  361. {
  362. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x3ed0e8 from hook RtlDispatchException"
  363. },
  364. {
  365. "pid": 2316
  366. },
  367. {
  368. "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x3ed404 from hook RtlDispatchException"
  369. },
  370. {
  371. "pid": 2316
  372. },
  373. {
  374. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x3ed408 from hook RtlDispatchException"
  375. },
  376. {
  377. "pid": 2316
  378. },
  379. {
  380. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x3ed400 from hook RtlDispatchException"
  381. },
  382. {
  383. "pid": 2316
  384. },
  385. {
  386. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x3ed3fc from hook RtlDispatchException"
  387. },
  388. {
  389. "pid": 2316
  390. },
  391. {
  392. "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x3ed40c from hook RtlDispatchException"
  393. },
  394. {
  395. "pid": 2316
  396. },
  397. {
  398. "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x3ed410 from hook RtlDispatchException"
  399. },
  400. {
  401. "pid": 2316
  402. },
  403. {
  404. "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x3ed414 from hook RtlDispatchException"
  405. },
  406. {
  407. "pid": 2316
  408. },
  409. {
  410. "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x3ed418 from hook RtlDispatchException"
  411. },
  412. {
  413. "pid": 2316
  414. },
  415. {
  416. "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x3ed3fc from hook RtlDispatchException"
  417. },
  418. {
  419. "pid": 2316
  420. },
  421. {
  422. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x3ed400 from hook RtlDispatchException"
  423. },
  424. {
  425. "pid": 2316
  426. },
  427. {
  428. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x3ed404 from hook RtlDispatchException"
  429. },
  430. {
  431. "pid": 2316
  432. },
  433. {
  434. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x3ed408 from hook RtlDispatchException"
  435. }
  436. ]
  437. },
  438. {
  439. "Description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
  440. "Details": [
  441. {
  442. "regkeyval": "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client64"
  443. },
  444. {
  445. "regkeyval": "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client32"
  446. },
  447. {
  448. "regkeyval": "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\aeevpisp"
  449. }
  450. ]
  451. },
  452. {
  453. "Description": "Creates a hidden or system file",
  454. "Details": [
  455. {
  456. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low"
  457. },
  458. {
  459. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF6ceb49.TMP"
  460. },
  461. {
  462. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF70538f.TMP"
  463. },
  464. {
  465. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF71123f.TMP"
  466. },
  467. {
  468. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF69f3f6.TMP"
  469. }
  470. ]
  471. },
  472. {
  473. "Description": "File has been identified by 11 Antiviruses on VirusTotal as malicious",
  474. "Details": [
  475. {
  476. "Qihoo-360": "HEUR/QVM10.1.1B6D.Malware.Gen"
  477. },
  478. {
  479. "Rising": "Trojan.Kryptik!8.8/N3#81% (RDM+:cmRtazrMN+HcdgjA3UJWadTAgDki)"
  480. },
  481. {
  482. "Endgame": "malicious (high confidence)"
  483. },
  484. {
  485. "Invincea": "heuristic"
  486. },
  487. {
  488. "Trapmine": "malicious.high.ml.score"
  489. },
  490. {
  491. "FireEye": "Generic.mg.7c3f801620ea1ceb"
  492. },
  493. {
  494. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  495. },
  496. {
  497. "Acronis": "suspicious"
  498. },
  499. {
  500. "Cylance": "Unsafe"
  501. },
  502. {
  503. "SentinelOne": "DFI - Suspicious PE"
  504. },
  505. {
  506. "CrowdStrike": "win/malicious_confidence_60% (W)"
  507. }
  508. ]
  509. },
  510. {
  511. "Description": "Attempts to modify proxy settings",
  512. "Details": []
  513. }
  514. ]
  515.  
  516. [*] Started Service: []
  517.  
  518. [*] Executed Commands: [
  519. "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding",
  520. "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -Embedding",
  521. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  522. "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2932 CREDAT:79873",
  523. "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2932 CREDAT:145409",
  524. "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2992 CREDAT:79873"
  525. ]
  526.  
  527. [*] Mutexes: [
  528. "Local\\_!MSFTHISTORY!_",
  529. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  530. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  531. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  532. "Local\\WininetStartupMutex",
  533. "Local\\WininetConnectionMutex",
  534. "Local\\WininetProxyRegistryMutex",
  535. "Local\\!IETld!Mutex",
  536. "Local\\!BrowserEmulation!SharedMemory!Mutex",
  537. "Local\\ZoneAttributeCacheCounterMutex",
  538. "Local\\ZonesCacheCounterMutex",
  539. "Local\\ZonesLockedCacheCounterMutex",
  540. "ConnHashTable<2932>_HashTable_Mutex",
  541. "Local\\ZonesCounterMutex",
  542. "Local\\RSS Eventing Connection Database Mutex 00000b74",
  543. "Local\\Feed Eventing Shared Memory Mutex S-1-5-21-0000000000-0000000000-0000000000-1000",
  544. "Local\\c:!users!user!appdata!local!microsoft!feeds cache!",
  545. "_!SHMSFTHISTORY!_",
  546. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!mshist012019062520190626!",
  547. "ConnHashTable<2992>_HashTable_Mutex",
  548. "Local\\RSS Eventing Connection Database Mutex 00000bb0"
  549. ]
  550.  
  551. [*] Modified Files: [
  552. "\\??\\PIPE\\samr",
  553. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  554. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  555. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  556. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  557. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  558. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  559. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  560. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
  561. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  562. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  563. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  564. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{5F9138ED-9782-11E9-9533-18C086CD4731}.dat",
  565. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFCE2FB227258F575C.TMP",
  566. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{5F9138EE-9782-11E9-9533-18C086CD4731}.dat",
  567. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFA116D974D1210C25.TMP",
  568. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon[1].ico",
  569. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon[2].ico",
  570. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon[3].ico",
  571. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon[4].ico",
  572. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{5F9138F0-9782-11E9-9533-18C086CD4731}.dat",
  573. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF3CF0D875615E9E14.TMP",
  574. "\\??\\pipe\\MsFteWds",
  575. "\\??\\PIPE\\srvsvc",
  576. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\PGGAV721ZC0LZCCBOXWS.temp",
  577. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF6ceb49.TMP",
  578. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\favicon[1].ico",
  579. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{66162702-9782-11E9-9533-18C086CD4731}.dat",
  580. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFC66976D32514B763.TMP",
  581. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YE5W28TO57VOUNRI1MX1.temp",
  582. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF70538f.TMP",
  583. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\WCD9L9R2LIHPBMMLLFJV.temp",
  584. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF71123f.TMP",
  585. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat",
  586. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@velooiisd[1].txt",
  587. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019062520190626\\index.dat",
  588. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\favicon[1].ico",
  589. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\favicon[2].ico",
  590. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\favicon[3].ico",
  591. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\favicon[4].ico",
  592. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{7238BF1B-9782-11E9-9533-18C086CD4731}.dat",
  593. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFAFA824AEFB40D173.TMP",
  594. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{7238BF1C-9782-11E9-9533-18C086CD4731}.dat",
  595. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF2FB7F43C7AE842A6.TMP",
  596. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\favicon[1].ico",
  597. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\favicon[2].ico",
  598. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\9YO2UCN0Q7F8BR46OLX7.temp",
  599. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF69f3f6.TMP"
  600. ]
  601.  
  602. [*] Deleted Files: [
  603. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
  604. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF6ceb49.TMP",
  605. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF70538f.TMP",
  606. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF71123f.TMP",
  607. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{66162702-9782-11E9-9533-18C086CD4731}.dat",
  608. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{5F9138F0-9782-11E9-9533-18C086CD4731}.dat",
  609. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{5F9138EE-9782-11E9-9533-18C086CD4731}.dat",
  610. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{5F9138ED-9782-11E9-9533-18C086CD4731}.dat",
  611. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
  612. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\",
  613. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF69f3f6.TMP",
  614. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{7238BF1C-9782-11E9-9533-18C086CD4731}.dat",
  615. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{7238BF1B-9782-11E9-9533-18C086CD4731}.dat"
  616. ]
  617.  
  618. [*] Modified Registry Keys: [
  619. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  620. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  621. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  622. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  623. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  624. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  625. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  626. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
  627. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE10RunOnceLastShown",
  628. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE10RunOnceLastShown_TIMESTAMP",
  629. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE8RunOnceLastShown",
  630. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE8RunOnceLastShown_TIMESTAMP",
  631. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\Check_Associations",
  632. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\VerCache",
  633. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\VerCache",
  634. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\VerCache",
  635. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\CompatibilityFlags",
  636. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  637. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  638. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\SecuritySafe",
  639. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
  640. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
  641. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
  642. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\{5F9138ED-9782-11E9-9533-18C086CD4731}",
  643. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2670000A-7350-4F3C-8081-5663EE0C6C49}\\iexplore\\Type",
  644. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2670000A-7350-4F3C-8081-5663EE0C6C49}\\iexplore\\Count",
  645. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2670000A-7350-4F3C-8081-5663EE0C6C49}\\iexplore\\Time",
  646. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\iexplore\\Type",
  647. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\iexplore\\Count",
  648. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\iexplore\\Time",
  649. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\\iexplore\\Type",
  650. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\\iexplore\\Count",
  651. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\\iexplore\\Time",
  652. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FullScreen",
  653. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Favorites\\Links\\Order",
  654. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch\\UpgradeTime",
  655. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\Window_Placement",
  656. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\User Preferences\\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977",
  657. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\DefaultScope",
  658. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\User Preferences\\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81",
  659. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\iexplore\\LoadTime",
  660. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\Type",
  661. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\Count",
  662. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\Time",
  663. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\LoadTime",
  664. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\iexplore\\Type",
  665. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\iexplore\\Count",
  666. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\iexplore\\Time",
  667. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\iexplore\\LoadTime",
  668. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626",
  669. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CachePath",
  670. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CachePrefix",
  671. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CacheLimit",
  672. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CacheOptions",
  673. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CacheRepair",
  674. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\{7238BF1B-9782-11E9-9533-18C086CD4731}",
  675. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18",
  676. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client32",
  677. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client64",
  678. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\aeevpisp",
  679. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\ApiMM1M0",
  680. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\aecaM1M0"
  681. ]
  682.  
  683. [*] Deleted Registry Keys: [
  684. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  685. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  686. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  687. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  688. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
  689. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL",
  690. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\{5F9138ED-9782-11E9-9533-18C086CD4731}",
  691. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFavoritesInitialSelection",
  692. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFeedsInitialSelection",
  693. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\{7238BF1B-9782-11E9-9533-18C086CD4731}"
  694. ]
  695.  
  696. [*] DNS Communications: [
  697. {
  698. "type": "A",
  699. "request": "www.bing.com",
  700. "answers": [
  701. {
  702. "data": "dual-a-0001.a-msedge.net",
  703. "type": "CNAME"
  704. },
  705. {
  706. "data": "a-0001.a-afdentry.net.trafficmanager.net",
  707. "type": "CNAME"
  708. },
  709. {
  710. "data": "204.79.197.200",
  711. "type": "A"
  712. },
  713. {
  714. "data": "13.107.21.200",
  715. "type": "A"
  716. }
  717. ]
  718. },
  719. {
  720. "type": "A",
  721. "request": "velooiisd.club",
  722. "answers": [
  723. {
  724. "data": "31.214.157.89",
  725. "type": "A"
  726. }
  727. ]
  728. }
  729. ]
  730.  
  731. [*] Domains: [
  732. {
  733. "ip": "31.214.157.89",
  734. "domain": "velooiisd.club"
  735. },
  736. {
  737. "ip": "13.107.21.200",
  738. "domain": "www.bing.com"
  739. }
  740. ]
  741.  
  742. [*] Network Communication - ICMP: []
  743.  
  744. [*] Network Communication - HTTP: [
  745. {
  746. "count": 3,
  747. "body": "",
  748. "uri": "http://www.bing.com/favicon.ico",
  749. "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  750. "method": "GET",
  751. "host": "www.bing.com",
  752. "version": "1.1",
  753. "path": "/favicon.ico",
  754. "data": "GET /favicon.ico HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: www.bing.com\r\nConnection: Keep-Alive\r\nCookie: MUID=055643067C21678412144E247D39664A; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=5262DC06BBB54635AC9D8A0AD382875E&dmnchg=1; SRCHUSR=DOB=20190317\r\n\r\n",
  755. "port": 80
  756. },
  757. {
  758. "count": 1,
  759. "body": "",
  760. "uri": "http://velooiisd.club/images/iWjLmuDOy7/XYiI3c6Yc19H1pj6z/yUcuhaYMcFBs/ejPJyvBSAs2/pW3zzAX33_2FoR/sxHF6Y7EnPJ8UYYYXNVEt/jMewly5dYMgnIL5V/npy03O8g7LI4tHw/Ousy_2FKTPs0diteQV/IAnCjVXqpXbzas7uY/4Wu.avi",
  761. "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  762. "method": "GET",
  763. "host": "velooiisd.club",
  764. "version": "1.1",
  765. "path": "/images/iWjLmuDOy7/XYiI3c6Yc19H1pj6z/yUcuhaYMcFBs/ejPJyvBSAs2/pW3zzAX33_2FoR/sxHF6Y7EnPJ8UYYYXNVEt/jMewly5dYMgnIL5V/npy03O8g7LI4tHw/Ousy_2FKTPs0diteQV/IAnCjVXqpXbzas7uY/4Wu.avi",
  766. "data": "GET /images/iWjLmuDOy7/XYiI3c6Yc19H1pj6z/yUcuhaYMcFBs/ejPJyvBSAs2/pW3zzAX33_2FoR/sxHF6Y7EnPJ8UYYYXNVEt/jMewly5dYMgnIL5V/npy03O8g7LI4tHw/Ousy_2FKTPs0diteQV/IAnCjVXqpXbzas7uY/4Wu.avi HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nAccept-Encoding: gzip, deflate\r\nHost: velooiisd.club\r\nConnection: Keep-Alive\r\n\r\n",
  767. "port": 80
  768. },
  769. {
  770. "count": 1,
  771. "body": "",
  772. "uri": "http://velooiisd.club/favicon.ico",
  773. "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  774. "method": "GET",
  775. "host": "velooiisd.club",
  776. "version": "1.1",
  777. "path": "/favicon.ico",
  778. "data": "GET /favicon.ico HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: velooiisd.club\r\nConnection: Keep-Alive\r\nCookie: PHPSESSID=eqsu21lgh525ssr9cmaua9kkk5; lang=en\r\n\r\n",
  779. "port": 80
  780. },
  781. {
  782. "count": 1,
  783. "body": "",
  784. "uri": "http://velooiisd.club/images/lG5rXDwsB/Aw3WlunARss02DIXzHLr/PnFtwdMnTEABSpElmjc/68sb4A9Xn2sV4YWSShBzje/bCTn4QyDShm1I/ZAsNBIsn/IcyO5MhDHc1myAdXvIRWYcP/JpCn_2B5I_/2F_2FXDnTkDhsW7rj/ocbe8wkKW7op/8sYVjeQng_2/BaMrr61wC6HC/c8n.avi",
  785. "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  786. "method": "GET",
  787. "host": "velooiisd.club",
  788. "version": "1.1",
  789. "path": "/images/lG5rXDwsB/Aw3WlunARss02DIXzHLr/PnFtwdMnTEABSpElmjc/68sb4A9Xn2sV4YWSShBzje/bCTn4QyDShm1I/ZAsNBIsn/IcyO5MhDHc1myAdXvIRWYcP/JpCn_2B5I_/2F_2FXDnTkDhsW7rj/ocbe8wkKW7op/8sYVjeQng_2/BaMrr61wC6HC/c8n.avi",
  790. "data": "GET /images/lG5rXDwsB/Aw3WlunARss02DIXzHLr/PnFtwdMnTEABSpElmjc/68sb4A9Xn2sV4YWSShBzje/bCTn4QyDShm1I/ZAsNBIsn/IcyO5MhDHc1myAdXvIRWYcP/JpCn_2B5I_/2F_2FXDnTkDhsW7rj/ocbe8wkKW7op/8sYVjeQng_2/BaMrr61wC6HC/c8n.avi HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nAccept-Encoding: gzip, deflate\r\nHost: velooiisd.club\r\nConnection: Keep-Alive\r\nCookie: lang=en\r\n\r\n",
  791. "port": 80
  792. },
  793. {
  794. "count": 1,
  795. "body": "",
  796. "uri": "http://velooiisd.club/images/y2Ayo90JrxkGKuKrLyUL/Jf94GGgp90duCciJVtJ/SxpQcYpulyWorK9gasq8pC/eA1zLn2Gk25Xo/7SZ5lOda/l3o0nKemRPltQmZeOcxqkKB/I7KEDNIPfW/eIos19ENohv9Op9_2/FN9MLbvdOLs4YHwT/YhET.avi",
  797. "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  798. "method": "GET",
  799. "host": "velooiisd.club",
  800. "version": "1.1",
  801. "path": "/images/y2Ayo90JrxkGKuKrLyUL/Jf94GGgp90duCciJVtJ/SxpQcYpulyWorK9gasq8pC/eA1zLn2Gk25Xo/7SZ5lOda/l3o0nKemRPltQmZeOcxqkKB/I7KEDNIPfW/eIos19ENohv9Op9_2/FN9MLbvdOLs4YHwT/YhET.avi",
  802. "data": "GET /images/y2Ayo90JrxkGKuKrLyUL/Jf94GGgp90duCciJVtJ/SxpQcYpulyWorK9gasq8pC/eA1zLn2Gk25Xo/7SZ5lOda/l3o0nKemRPltQmZeOcxqkKB/I7KEDNIPfW/eIos19ENohv9Op9_2/FN9MLbvdOLs4YHwT/YhET.avi HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nAccept-Encoding: gzip, deflate\r\nHost: velooiisd.club\r\nConnection: Keep-Alive\r\nCookie: lang=en\r\n\r\n",
  803. "port": 80
  804. }
  805. ]
  806.  
  807. [*] Network Communication - SMTP: []
  808.  
  809. [*] Network Communication - Hosts: []
  810.  
  811. [*] Network Communication - IRC: []
  812.  
  813. [*] Static Analysis: {
  814. "pe": {
  815. "peid_signatures": null,
  816. "imports": [
  817. {
  818. "imports": [
  819. {
  820. "name": "CreateToolhelp32Snapshot",
  821. "address": "0x425028"
  822. },
  823. {
  824. "name": "VirtualProtect",
  825. "address": "0x42502c"
  826. },
  827. {
  828. "name": "LocalAlloc",
  829. "address": "0x425030"
  830. },
  831. {
  832. "name": "PeekConsoleInputW",
  833. "address": "0x425034"
  834. },
  835. {
  836. "name": "GetLastError",
  837. "address": "0x425038"
  838. },
  839. {
  840. "name": "GetHandleInformation",
  841. "address": "0x42503c"
  842. },
  843. {
  844. "name": "GetBinaryTypeW",
  845. "address": "0x425040"
  846. },
  847. {
  848. "name": "GetNumberFormatA",
  849. "address": "0x425044"
  850. },
  851. {
  852. "name": "GetFileAttributesExA",
  853. "address": "0x425048"
  854. },
  855. {
  856. "name": "DebugActiveProcessStop",
  857. "address": "0x42504c"
  858. },
  859. {
  860. "name": "DuplicateHandle",
  861. "address": "0x425050"
  862. },
  863. {
  864. "name": "lstrlenA",
  865. "address": "0x425054"
  866. },
  867. {
  868. "name": "EncodePointer",
  869. "address": "0x425058"
  870. },
  871. {
  872. "name": "DecodePointer",
  873. "address": "0x42505c"
  874. },
  875. {
  876. "name": "GetCommandLineW",
  877. "address": "0x425060"
  878. },
  879. {
  880. "name": "RaiseException",
  881. "address": "0x425064"
  882. },
  883. {
  884. "name": "RtlUnwind",
  885. "address": "0x425068"
  886. },
  887. {
  888. "name": "IsDebuggerPresent",
  889. "address": "0x42506c"
  890. },
  891. {
  892. "name": "IsProcessorFeaturePresent",
  893. "address": "0x425070"
  894. },
  895. {
  896. "name": "EnterCriticalSection",
  897. "address": "0x425074"
  898. },
  899. {
  900. "name": "LeaveCriticalSection",
  901. "address": "0x425078"
  902. },
  903. {
  904. "name": "FlushFileBuffers",
  905. "address": "0x42507c"
  906. },
  907. {
  908. "name": "WriteFile",
  909. "address": "0x425080"
  910. },
  911. {
  912. "name": "WideCharToMultiByte",
  913. "address": "0x425084"
  914. },
  915. {
  916. "name": "GetConsoleCP",
  917. "address": "0x425088"
  918. },
  919. {
  920. "name": "GetConsoleMode",
  921. "address": "0x42508c"
  922. },
  923. {
  924. "name": "DeleteCriticalSection",
  925. "address": "0x425090"
  926. },
  927. {
  928. "name": "FatalAppExitA",
  929. "address": "0x425094"
  930. },
  931. {
  932. "name": "ExitProcess",
  933. "address": "0x425098"
  934. },
  935. {
  936. "name": "GetModuleHandleExW",
  937. "address": "0x42509c"
  938. },
  939. {
  940. "name": "GetProcAddress",
  941. "address": "0x4250a0"
  942. },
  943. {
  944. "name": "AreFileApisANSI",
  945. "address": "0x4250a4"
  946. },
  947. {
  948. "name": "MultiByteToWideChar",
  949. "address": "0x4250a8"
  950. },
  951. {
  952. "name": "HeapSize",
  953. "address": "0x4250ac"
  954. },
  955. {
  956. "name": "ReadFile",
  957. "address": "0x4250b0"
  958. },
  959. {
  960. "name": "ReadConsoleW",
  961. "address": "0x4250b4"
  962. },
  963. {
  964. "name": "HeapFree",
  965. "address": "0x4250b8"
  966. },
  967. {
  968. "name": "HeapAlloc",
  969. "address": "0x4250bc"
  970. },
  971. {
  972. "name": "SetLastError",
  973. "address": "0x4250c0"
  974. },
  975. {
  976. "name": "GetCurrentThread",
  977. "address": "0x4250c4"
  978. },
  979. {
  980. "name": "GetCurrentThreadId",
  981. "address": "0x4250c8"
  982. },
  983. {
  984. "name": "GetProcessHeap",
  985. "address": "0x4250cc"
  986. },
  987. {
  988. "name": "GetStdHandle",
  989. "address": "0x4250d0"
  990. },
  991. {
  992. "name": "GetFileType",
  993. "address": "0x4250d4"
  994. },
  995. {
  996. "name": "GetStartupInfoW",
  997. "address": "0x4250d8"
  998. },
  999. {
  1000. "name": "GetModuleFileNameW",
  1001. "address": "0x4250dc"
  1002. },
  1003. {
  1004. "name": "QueryPerformanceCounter",
  1005. "address": "0x4250e0"
  1006. },
  1007. {
  1008. "name": "GetCurrentProcessId",
  1009. "address": "0x4250e4"
  1010. },
  1011. {
  1012. "name": "GetSystemTimeAsFileTime",
  1013. "address": "0x4250e8"
  1014. },
  1015. {
  1016. "name": "GetEnvironmentStringsW",
  1017. "address": "0x4250ec"
  1018. },
  1019. {
  1020. "name": "FreeEnvironmentStringsW",
  1021. "address": "0x4250f0"
  1022. },
  1023. {
  1024. "name": "UnhandledExceptionFilter",
  1025. "address": "0x4250f4"
  1026. },
  1027. {
  1028. "name": "SetUnhandledExceptionFilter",
  1029. "address": "0x4250f8"
  1030. },
  1031. {
  1032. "name": "InitializeCriticalSectionAndSpinCount",
  1033. "address": "0x4250fc"
  1034. },
  1035. {
  1036. "name": "CreateEventW",
  1037. "address": "0x425100"
  1038. },
  1039. {
  1040. "name": "Sleep",
  1041. "address": "0x425104"
  1042. },
  1043. {
  1044. "name": "GetCurrentProcess",
  1045. "address": "0x425108"
  1046. },
  1047. {
  1048. "name": "TerminateProcess",
  1049. "address": "0x42510c"
  1050. },
  1051. {
  1052. "name": "TlsAlloc",
  1053. "address": "0x425110"
  1054. },
  1055. {
  1056. "name": "TlsGetValue",
  1057. "address": "0x425114"
  1058. },
  1059. {
  1060. "name": "TlsSetValue",
  1061. "address": "0x425118"
  1062. },
  1063. {
  1064. "name": "TlsFree",
  1065. "address": "0x42511c"
  1066. },
  1067. {
  1068. "name": "GetTickCount",
  1069. "address": "0x425120"
  1070. },
  1071. {
  1072. "name": "GetModuleHandleW",
  1073. "address": "0x425124"
  1074. },
  1075. {
  1076. "name": "CreateSemaphoreW",
  1077. "address": "0x425128"
  1078. },
  1079. {
  1080. "name": "SetStdHandle",
  1081. "address": "0x42512c"
  1082. },
  1083. {
  1084. "name": "SetFilePointerEx",
  1085. "address": "0x425130"
  1086. },
  1087. {
  1088. "name": "WriteConsoleW",
  1089. "address": "0x425134"
  1090. },
  1091. {
  1092. "name": "SetConsoleCtrlHandler",
  1093. "address": "0x425138"
  1094. },
  1095. {
  1096. "name": "FreeLibrary",
  1097. "address": "0x42513c"
  1098. },
  1099. {
  1100. "name": "LoadLibraryExW",
  1101. "address": "0x425140"
  1102. },
  1103. {
  1104. "name": "IsValidCodePage",
  1105. "address": "0x425144"
  1106. },
  1107. {
  1108. "name": "GetACP",
  1109. "address": "0x425148"
  1110. },
  1111. {
  1112. "name": "GetOEMCP",
  1113. "address": "0x42514c"
  1114. },
  1115. {
  1116. "name": "GetCPInfo",
  1117. "address": "0x425150"
  1118. },
  1119. {
  1120. "name": "HeapReAlloc",
  1121. "address": "0x425154"
  1122. },
  1123. {
  1124. "name": "GetDateFormatW",
  1125. "address": "0x425158"
  1126. },
  1127. {
  1128. "name": "GetTimeFormatW",
  1129. "address": "0x42515c"
  1130. },
  1131. {
  1132. "name": "CompareStringW",
  1133. "address": "0x425160"
  1134. },
  1135. {
  1136. "name": "LCMapStringW",
  1137. "address": "0x425164"
  1138. },
  1139. {
  1140. "name": "GetLocaleInfoW",
  1141. "address": "0x425168"
  1142. },
  1143. {
  1144. "name": "IsValidLocale",
  1145. "address": "0x42516c"
  1146. },
  1147. {
  1148. "name": "GetUserDefaultLCID",
  1149. "address": "0x425170"
  1150. },
  1151. {
  1152. "name": "EnumSystemLocalesW",
  1153. "address": "0x425174"
  1154. },
  1155. {
  1156. "name": "OutputDebugStringW",
  1157. "address": "0x425178"
  1158. },
  1159. {
  1160. "name": "GetStringTypeW",
  1161. "address": "0x42517c"
  1162. },
  1163. {
  1164. "name": "CreateFileW",
  1165. "address": "0x425180"
  1166. },
  1167. {
  1168. "name": "CloseHandle",
  1169. "address": "0x425184"
  1170. }
  1171. ],
  1172. "dll": "KERNEL32.dll"
  1173. },
  1174. {
  1175. "imports": [
  1176. {
  1177. "name": "ReadEventLogW",
  1178. "address": "0x425000"
  1179. },
  1180. {
  1181. "name": "ImpersonateSelf",
  1182. "address": "0x425004"
  1183. },
  1184. {
  1185. "name": "RegSaveKeyW",
  1186. "address": "0x425008"
  1187. },
  1188. {
  1189. "name": "OpenBackupEventLogA",
  1190. "address": "0x42500c"
  1191. },
  1192. {
  1193. "name": "RegDeleteKeyA",
  1194. "address": "0x425010"
  1195. },
  1196. {
  1197. "name": "RegCreateKeyExW",
  1198. "address": "0x425014"
  1199. },
  1200. {
  1201. "name": "RegQueryMultipleValuesW",
  1202. "address": "0x425018"
  1203. },
  1204. {
  1205. "name": "SetThreadToken",
  1206. "address": "0x42501c"
  1207. },
  1208. {
  1209. "name": "AreAnyAccessesGranted",
  1210. "address": "0x425020"
  1211. }
  1212. ],
  1213. "dll": "ADVAPI32.dll"
  1214. }
  1215. ],
  1216. "digital_signers": null,
  1217. "exported_dll_name": null,
  1218. "actual_checksum": "0x0004efaa",
  1219. "overlay": null,
  1220. "imagebase": "0x00400000",
  1221. "reported_checksum": "0x0004efaa",
  1222. "icon_hash": null,
  1223. "entrypoint": "0x00403d4a",
  1224. "timestamp": "2018-06-30 14:33:43",
  1225. "osversion": "5.1",
  1226. "sections": [
  1227. {
  1228. "name": ".text",
  1229. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1230. "virtual_address": "0x00001000",
  1231. "size_of_data": "0x00023a00",
  1232. "entropy": "6.66",
  1233. "raw_address": "0x00000400",
  1234. "virtual_size": "0x0002388d",
  1235. "characteristics_raw": "0x60000020"
  1236. },
  1237. {
  1238. "name": ".rdata",
  1239. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1240. "virtual_address": "0x00025000",
  1241. "size_of_data": "0x0001b000",
  1242. "entropy": "6.44",
  1243. "raw_address": "0x00023e00",
  1244. "virtual_size": "0x0001afd6",
  1245. "characteristics_raw": "0x40000040"
  1246. },
  1247. {
  1248. "name": ".data",
  1249. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1250. "virtual_address": "0x00040000",
  1251. "size_of_data": "0x00001e00",
  1252. "entropy": "3.08",
  1253. "raw_address": "0x0003ee00",
  1254. "virtual_size": "0x04e5ebec",
  1255. "characteristics_raw": "0xc0000040"
  1256. },
  1257. {
  1258. "name": ".rsrc",
  1259. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1260. "virtual_address": "0x04e9f000",
  1261. "size_of_data": "0x00002800",
  1262. "entropy": "4.72",
  1263. "raw_address": "0x00040c00",
  1264. "virtual_size": "0x00002660",
  1265. "characteristics_raw": "0x40000040"
  1266. },
  1267. {
  1268. "name": ".reloc",
  1269. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1270. "virtual_address": "0x04ea2000",
  1271. "size_of_data": "0x00002200",
  1272. "entropy": "6.53",
  1273. "raw_address": "0x00043400",
  1274. "virtual_size": "0x00002074",
  1275. "characteristics_raw": "0x42000040"
  1276. }
  1277. ],
  1278. "resources": [],
  1279. "dirents": [
  1280. {
  1281. "virtual_address": "0x00000000",
  1282. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1283. "size": "0x00000000"
  1284. },
  1285. {
  1286. "virtual_address": "0x0003f6e8",
  1287. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1288. "size": "0x0000003c"
  1289. },
  1290. {
  1291. "virtual_address": "0x04e9f000",
  1292. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1293. "size": "0x00002660"
  1294. },
  1295. {
  1296. "virtual_address": "0x00000000",
  1297. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1298. "size": "0x00000000"
  1299. },
  1300. {
  1301. "virtual_address": "0x00000000",
  1302. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1303. "size": "0x00000000"
  1304. },
  1305. {
  1306. "virtual_address": "0x04ea2000",
  1307. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1308. "size": "0x00002074"
  1309. },
  1310. {
  1311. "virtual_address": "0x000251e0",
  1312. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1313. "size": "0x00000038"
  1314. },
  1315. {
  1316. "virtual_address": "0x00000000",
  1317. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1318. "size": "0x00000000"
  1319. },
  1320. {
  1321. "virtual_address": "0x00000000",
  1322. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1323. "size": "0x00000000"
  1324. },
  1325. {
  1326. "virtual_address": "0x00000000",
  1327. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1328. "size": "0x00000000"
  1329. },
  1330. {
  1331. "virtual_address": "0x00000000",
  1332. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1333. "size": "0x00000000"
  1334. },
  1335. {
  1336. "virtual_address": "0x00000000",
  1337. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1338. "size": "0x00000000"
  1339. },
  1340. {
  1341. "virtual_address": "0x00025000",
  1342. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1343. "size": "0x0000018c"
  1344. },
  1345. {
  1346. "virtual_address": "0x00000000",
  1347. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1348. "size": "0x00000000"
  1349. },
  1350. {
  1351. "virtual_address": "0x00000000",
  1352. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1353. "size": "0x00000000"
  1354. },
  1355. {
  1356. "virtual_address": "0x00000000",
  1357. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1358. "size": "0x00000000"
  1359. }
  1360. ],
  1361. "exports": [],
  1362. "guest_signers": {},
  1363. "imphash": "baea1ffde5e1170431fb06c7b2816acd",
  1364. "icon_fuzzy": null,
  1365. "icon": null,
  1366. "pdbpath": "C:\\sibonifanijuvi.pdb\\x00er\\runtime\\crypt\\tmp_2004838590\\bin\\dibuxigef.pdb\\x00\\x00\\x00\\x00\\x00\\xa1\\x00\\x00\\x00\\xa1\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x17D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xb8\\xe5C",
  1367. "imported_dll_count": 2,
  1368. "versioninfo": []
  1369. }
  1370. }
  1371.  
  1372. [*] Resolved APIs: [
  1373. "kernel32.dll.FlsAlloc",
  1374. "kernel32.dll.FlsFree",
  1375. "kernel32.dll.FlsGetValue",
  1376. "kernel32.dll.FlsSetValue",
  1377. "kernel32.dll.InitializeCriticalSectionEx",
  1378. "kernel32.dll.CreateEventExW",
  1379. "kernel32.dll.CreateSemaphoreExW",
  1380. "kernel32.dll.SetThreadStackGuarantee",
  1381. "kernel32.dll.CreateThreadpoolTimer",
  1382. "kernel32.dll.SetThreadpoolTimer",
  1383. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1384. "kernel32.dll.CloseThreadpoolTimer",
  1385. "kernel32.dll.CreateThreadpoolWait",
  1386. "kernel32.dll.SetThreadpoolWait",
  1387. "kernel32.dll.CloseThreadpoolWait",
  1388. "kernel32.dll.FlushProcessWriteBuffers",
  1389. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1390. "kernel32.dll.GetCurrentProcessorNumber",
  1391. "kernel32.dll.GetLogicalProcessorInformation",
  1392. "kernel32.dll.CreateSymbolicLinkW",
  1393. "kernel32.dll.EnumSystemLocalesEx",
  1394. "kernel32.dll.CompareStringEx",
  1395. "kernel32.dll.GetDateFormatEx",
  1396. "kernel32.dll.GetLocaleInfoEx",
  1397. "kernel32.dll.GetTimeFormatEx",
  1398. "kernel32.dll.GetUserDefaultLocaleName",
  1399. "kernel32.dll.IsValidLocaleName",
  1400. "kernel32.dll.LCMapStringEx",
  1401. "kernel32.dll.GetTickCount64",
  1402. "kernel32.dll.GlobalAlloc",
  1403. "kernel32.dll.GetLastError",
  1404. "kernel32.dll.Sleep",
  1405. "kernel32.dll.CreateToolhelp32Snapshot",
  1406. "kernel32.dll.Module32First",
  1407. "kernel32.dll.CloseHandle",
  1408. "kernel32.dll.LoadLibraryA",
  1409. "kernel32.dll.VirtualAlloc",
  1410. "kernel32.dll.VirtualProtect",
  1411. "kernel32.dll.VirtualFree",
  1412. "kernel32.dll.GetVersionExA",
  1413. "kernel32.dll.TerminateProcess",
  1414. "kernel32.dll.ExitProcess",
  1415. "kernel32.dll.SetErrorMode",
  1416. "kernel32.dll.GetModuleHandleA",
  1417. "kernel32.dll.GetCommandLineW",
  1418. "kernel32.dll.HeapDestroy",
  1419. "kernel32.dll.HeapCreate",
  1420. "kernel32.dll.AddVectoredExceptionHandler",
  1421. "kernel32.dll.RemoveVectoredExceptionHandler",
  1422. "kernel32.dll.lstrlenW",
  1423. "kernel32.dll.MapViewOfFile",
  1424. "kernel32.dll.UnmapViewOfFile",
  1425. "kernel32.dll.GetCurrentProcessId",
  1426. "kernel32.dll.lstrcpyW",
  1427. "kernel32.dll.HeapAlloc",
  1428. "kernel32.dll.HeapFree",
  1429. "kernel32.dll.CreateFileMappingW",
  1430. "kernel32.dll.TlsGetValue",
  1431. "kernel32.dll.GetModuleFileNameW",
  1432. "kernel32.dll.OpenProcess",
  1433. "kernel32.dll.GetVersion",
  1434. "kernel32.dll.CreateEventA",
  1435. "kernel32.dll.GetLongPathNameW",
  1436. "kernel32.dll.lstrlenA",
  1437. "kernel32.dll.GetProcAddress",
  1438. "kernel32.dll.DeleteCriticalSection",
  1439. "kernel32.dll.InitializeCriticalSection",
  1440. "kernel32.dll.TlsAlloc",
  1441. "kernel32.dll.TlsSetValue",
  1442. "kernel32.dll.TlsFree",
  1443. "kernel32.dll.LeaveCriticalSection",
  1444. "kernel32.dll.EnterCriticalSection",
  1445. "user32.dll.wsprintfW",
  1446. "ntdll.dll.memcpy",
  1447. "ntdll.dll.memset",
  1448. "msvcr100.dll.atexit",
  1449. "ntdll.dll.ZwQueryInformationToken",
  1450. "ntdll.dll.wcstombs",
  1451. "ntdll.dll.ZwOpenProcessToken",
  1452. "ntdll.dll.ZwOpenProcess",
  1453. "ntdll.dll.ZwClose",
  1454. "ntdll.dll.strcpy",
  1455. "ntdll.dll.mbstowcs",
  1456. "ntdll.dll._snprintf",
  1457. "ntdll.dll.sprintf",
  1458. "ntdll.dll._aulldiv",
  1459. "ntdll.dll._allmul",
  1460. "ntdll.dll.RtlUnwind",
  1461. "ntdll.dll.NtQueryVirtualMemory",
  1462. "kernel32.dll.InterlockedExchange",
  1463. "kernel32.dll.LocalAlloc",
  1464. "kernel32.dll.InterlockedIncrement",
  1465. "kernel32.dll.InterlockedDecrement",
  1466. "kernel32.dll.SetEvent",
  1467. "kernel32.dll.GetTickCount",
  1468. "kernel32.dll.WaitForSingleObject",
  1469. "kernel32.dll.SleepEx",
  1470. "kernel32.dll.CreateWaitableTimerA",
  1471. "kernel32.dll.lstrcpyA",
  1472. "kernel32.dll.GetSystemTimeAsFileTime",
  1473. "kernel32.dll.SetWaitableTimer",
  1474. "kernel32.dll.WaitForMultipleObjects",
  1475. "kernel32.dll.OpenFileMappingW",
  1476. "kernel32.dll.lstrcmpW",
  1477. "kernel32.dll.ResetEvent",
  1478. "kernel32.dll.GetComputerNameW",
  1479. "kernel32.dll.FreeLibrary",
  1480. "kernel32.dll.GetFileTime",
  1481. "kernel32.dll.FindNextFileA",
  1482. "kernel32.dll.CompareFileTime",
  1483. "kernel32.dll.FindClose",
  1484. "kernel32.dll.QueryPerformanceCounter",
  1485. "kernel32.dll.CreateFileA",
  1486. "kernel32.dll.lstrcatA",
  1487. "kernel32.dll.QueryPerformanceFrequency",
  1488. "kernel32.dll.lstrcmpA",
  1489. "kernel32.dll.ExpandEnvironmentStringsA",
  1490. "kernel32.dll.FindFirstFileA",
  1491. "kernel32.dll.RaiseException",
  1492. "oleaut32.dll.#2",
  1493. "oleaut32.dll.#16",
  1494. "oleaut32.dll.#15",
  1495. "oleaut32.dll.#6",
  1496. "kernel32.dll.IsWow64Process",
  1497. "ole32.dll.CoInitializeEx",
  1498. "cryptbase.dll.SystemFunction036",
  1499. "uxtheme.dll.ThemeInitApiHook",
  1500. "user32.dll.IsProcessDPIAware",
  1501. "user32.dll.wsprintfA",
  1502. "advapi32.dll.GetUserNameW",
  1503. "shlwapi.dll.StrToIntExA",
  1504. "shlwapi.dll.StrChrA",
  1505. "shlwapi.dll.StrTrimA",
  1506. "ole32.dll.CoCreateInstance",
  1507. "kernel32.dll.GetThreadPreferredUILanguages",
  1508. "kernel32.dll.SetThreadPreferredUILanguages",
  1509. "kernel32.dll.LocaleNameToLCID",
  1510. "kernel32.dll.LCIDToLocaleName",
  1511. "kernel32.dll.GetSystemDefaultLocaleName",
  1512. "ole32.dll.CoSetProxyBlanket",
  1513. "oleaut32.dll.#283",
  1514. "oleaut32.dll.#284",
  1515. "kernel32.dll.RegOpenKeyExW",
  1516. "oleaut32.dll.BSTR_UserSize",
  1517. "oleaut32.dll.BSTR_UserMarshal",
  1518. "oleaut32.dll.BSTR_UserUnmarshal",
  1519. "oleaut32.dll.BSTR_UserFree",
  1520. "oleaut32.dll.VARIANT_UserSize",
  1521. "oleaut32.dll.VARIANT_UserMarshal",
  1522. "oleaut32.dll.VARIANT_UserUnmarshal",
  1523. "oleaut32.dll.VARIANT_UserFree",
  1524. "oleaut32.dll.LPSAFEARRAY_UserSize",
  1525. "oleaut32.dll.LPSAFEARRAY_UserMarshal",
  1526. "oleaut32.dll.LPSAFEARRAY_UserUnmarshal",
  1527. "oleaut32.dll.LPSAFEARRAY_UserFree",
  1528. "shlwapi.dll.StrStrIW",
  1529. "kernel32.dll.Wow64EnableWow64FsRedirection",
  1530. "shlwapi.dll.StrRChrA",
  1531. "advapi32.dll.OpenProcessToken",
  1532. "advapi32.dll.GetTokenInformation",
  1533. "advapi32.dll.GetSidSubAuthorityCount",
  1534. "advapi32.dll.GetSidSubAuthority",
  1535. "shlwapi.dll.StrStrA",
  1536. "advapi32.dll.RegOpenKeyExA",
  1537. "advapi32.dll.RegEnumKeyExA",
  1538. "advapi32.dll.RegCloseKey",
  1539. "shlwapi.dll.StrChrW",
  1540. "shlwapi.dll.#176",
  1541. "ieproxy.dll.DllGetClassObject",
  1542. "ieproxy.dll.DllCanUnloadNow",
  1543. "actxprxy.dll.DllGetClassObject",
  1544. "actxprxy.dll.DllCanUnloadNow",
  1545. "ole32.dll.CoUninitialize",
  1546. "ntdll.dll.EtwUnregisterTraceGuids",
  1547. "oleaut32.dll.#500",
  1548. "ole32.dll.CoGetClassObject",
  1549. "ole32.dll.CoGetMarshalSizeMax",
  1550. "ole32.dll.CoMarshalInterface",
  1551. "ole32.dll.CoUnmarshalInterface",
  1552. "ole32.dll.StringFromIID",
  1553. "ole32.dll.CoGetPSClsid",
  1554. "ole32.dll.CoTaskMemAlloc",
  1555. "ole32.dll.CoTaskMemFree",
  1556. "ole32.dll.CoReleaseMarshalData",
  1557. "ole32.dll.DcomChannelSetHResult",
  1558. "vssapi.dll.CreateWriter",
  1559. "advapi32.dll.LookupAccountNameW",
  1560. "sechost.dll.LookupAccountNameLocalW",
  1561. "advapi32.dll.LookupAccountSidW",
  1562. "samcli.dll.NetLocalGroupGetMembers",
  1563. "samlib.dll.SamConnect",
  1564. "rpcrt4.dll.NdrClientCall3",
  1565. "rpcrt4.dll.RpcStringBindingComposeW",
  1566. "rpcrt4.dll.RpcBindingFromStringBindingW",
  1567. "rpcrt4.dll.RpcStringFreeW",
  1568. "rpcrt4.dll.RpcBindingFree",
  1569. "samlib.dll.SamOpenDomain",
  1570. "samlib.dll.SamLookupNamesInDomain",
  1571. "samlib.dll.SamOpenAlias",
  1572. "samlib.dll.SamFreeMemory",
  1573. "samlib.dll.SamCloseHandle",
  1574. "samlib.dll.SamGetMembersInAlias",
  1575. "netutils.dll.NetApiBufferFree",
  1576. "samlib.dll.SamEnumerateDomainsInSamServer",
  1577. "samlib.dll.SamLookupDomainInSamServer",
  1578. "ole32.dll.CoCreateGuid",
  1579. "ole32.dll.StringFromCLSID",
  1580. "oleaut32.dll.#4",
  1581. "oleaut32.dll.#7",
  1582. "propsys.dll.VariantToPropVariant",
  1583. "wbemcore.dll.Reinitialize",
  1584. "wbemsvc.dll.DllGetClassObject",
  1585. "wbemsvc.dll.DllCanUnloadNow",
  1586. "authz.dll.AuthzInitializeContextFromToken",
  1587. "authz.dll.AuthzInitializeObjectAccessAuditEvent2",
  1588. "authz.dll.AuthzAccessCheck",
  1589. "authz.dll.AuthzFreeAuditEvent",
  1590. "authz.dll.AuthzFreeContext",
  1591. "authz.dll.AuthzInitializeResourceManager",
  1592. "authz.dll.AuthzFreeResourceManager",
  1593. "rpcrt4.dll.RpcBindingCreateW",
  1594. "rpcrt4.dll.RpcBindingBind",
  1595. "rpcrt4.dll.I_RpcMapWin32Status",
  1596. "advapi32.dll.EventRegister",
  1597. "advapi32.dll.EventUnregister",
  1598. "advapi32.dll.EventWrite",
  1599. "kernel32.dll.RegCloseKey",
  1600. "kernel32.dll.RegSetValueExW",
  1601. "kernel32.dll.RegQueryValueExW",
  1602. "wmisvc.dll.IsImproperShutdownDetected",
  1603. "wevtapi.dll.EvtRender",
  1604. "wevtapi.dll.EvtNext",
  1605. "wevtapi.dll.EvtClose",
  1606. "wevtapi.dll.EvtQuery",
  1607. "wevtapi.dll.EvtCreateRenderContext",
  1608. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  1609. "rpcrt4.dll.RpcBindingSetOption",
  1610. "ole32.dll.CoCreateFreeThreadedMarshaler",
  1611. "ole32.dll.CreateStreamOnHGlobal",
  1612. "advapi32.dll.RegCreateKeyExW",
  1613. "advapi32.dll.RegSetValueExW",
  1614. "cryptsp.dll.CryptAcquireContextW",
  1615. "cryptsp.dll.CryptGenRandom",
  1616. "cryptsp.dll.CryptReleaseContext",
  1617. "kernelbase.dll.InitializeAcl",
  1618. "kernelbase.dll.AddAce",
  1619. "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  1620. "kernel32.dll.IsThreadAFiber",
  1621. "kernel32.dll.OpenProcessToken",
  1622. "kernelbase.dll.GetTokenInformation",
  1623. "kernelbase.dll.DuplicateTokenEx",
  1624. "kernelbase.dll.AdjustTokenPrivileges",
  1625. "sechost.dll.LookupAccountSidLocalW",
  1626. "kernelbase.dll.AllocateAndInitializeSid",
  1627. "kernelbase.dll.CheckTokenMembership",
  1628. "kernel32.dll.SetThreadToken",
  1629. "oleaut32.dll.#285",
  1630. "advapi32.dll.RegOpenKeyW",
  1631. "oleaut32.dll.#12",
  1632. "oleaut32.dll.#286",
  1633. "ole32.dll.CLSIDFromString",
  1634. "oleaut32.dll.#17",
  1635. "oleaut32.dll.#20",
  1636. "oleaut32.dll.#19",
  1637. "oleaut32.dll.#25",
  1638. "ole32.dll.CoRevertToSelf",
  1639. "advapi32.dll.LogonUserExExW",
  1640. "sspicli.dll.LogonUserExExW",
  1641. "authz.dll.AuthzInitializeContextFromSid",
  1642. "ole32.dll.CoGetCallContext",
  1643. "ole32.dll.CoImpersonateClient",
  1644. "advapi32.dll.OpenThreadToken",
  1645. "oleaut32.dll.#8",
  1646. "oleaut32.dll.#9",
  1647. "ole32.dll.CoSwitchCallContext",
  1648. "kernel32.dll.SortGetHandle",
  1649. "kernel32.dll.SortCloseHandle",
  1650. "ntmarta.dll.GetMartaExtensionInterface",
  1651. "sechost.dll.ConvertSidToStringSidW",
  1652. "kernel32.dll.InitializeSRWLock",
  1653. "kernel32.dll.AcquireSRWLockExclusive",
  1654. "kernel32.dll.AcquireSRWLockShared",
  1655. "kernel32.dll.ReleaseSRWLockExclusive",
  1656. "kernel32.dll.ReleaseSRWLockShared",
  1657. "kernel32.dll.SetProcessDEPPolicy",
  1658. "user32.dll.SetProcessDPIAware",
  1659. "shell32.dll.SetCurrentProcessExplicitAppUserModelID",
  1660. "user32.dll.GetShellWindow",
  1661. "user32.dll.GetWindowThreadProcessId",
  1662. "ieframe.dll.#250",
  1663. "wininet.dll.InternetQueryOptionW",
  1664. "advapi32.dll.EventActivityIdControl",
  1665. "advapi32.dll.EventWriteTransfer",
  1666. "kernel32.dll.SetFileInformationByHandle",
  1667. "shell32.dll.SHGetFolderPathW",
  1668. "kernel32.dll.GetModuleHandleW",
  1669. "advapi32.dll.AddMandatoryAce",
  1670. "ws2_32.dll.accept",
  1671. "ws2_32.dll.bind",
  1672. "ws2_32.dll.closesocket",
  1673. "ws2_32.dll.connect",
  1674. "ws2_32.dll.getpeername",
  1675. "ws2_32.dll.getsockname",
  1676. "ws2_32.dll.getsockopt",
  1677. "ws2_32.dll.ntohl",
  1678. "ws2_32.dll.htonl",
  1679. "ws2_32.dll.htons",
  1680. "ws2_32.dll.inet_addr",
  1681. "ws2_32.dll.inet_ntoa",
  1682. "ws2_32.dll.ioctlsocket",
  1683. "ws2_32.dll.listen",
  1684. "ws2_32.dll.ntohs",
  1685. "ws2_32.dll.recv",
  1686. "ws2_32.dll.recvfrom",
  1687. "ws2_32.dll.select",
  1688. "ws2_32.dll.send",
  1689. "ws2_32.dll.sendto",
  1690. "ws2_32.dll.setsockopt",
  1691. "ws2_32.dll.shutdown",
  1692. "ws2_32.dll.socket",
  1693. "ws2_32.dll.gethostbyname",
  1694. "ws2_32.dll.gethostname",
  1695. "ws2_32.dll.WSAIoctl",
  1696. "ws2_32.dll.WSAGetLastError",
  1697. "ws2_32.dll.WSASetLastError",
  1698. "ws2_32.dll.WSAStartup",
  1699. "ws2_32.dll.WSACleanup",
  1700. "ws2_32.dll.__WSAFDIsSet",
  1701. "ws2_32.dll.getaddrinfo",
  1702. "ws2_32.dll.freeaddrinfo",
  1703. "ws2_32.dll.getnameinfo",
  1704. "ws2_32.dll.WSALookupServiceBeginW",
  1705. "ws2_32.dll.WSALookupServiceNextW",
  1706. "ws2_32.dll.WSALookupServiceEnd",
  1707. "ws2_32.dll.WSANSPIoctl",
  1708. "ws2_32.dll.WSAStringToAddressA",
  1709. "ws2_32.dll.WSAStringToAddressW",
  1710. "ws2_32.dll.WSAAddressToStringA",
  1711. "dnsapi.dll.DnsGetProxyInformation",
  1712. "dnsapi.dll.DnsFreeProxyName",
  1713. "iphlpapi.dll.GetIpForwardTable2",
  1714. "iphlpapi.dll.FreeMibTable",
  1715. "iphlpapi.dll.GetIfEntry2",
  1716. "iphlpapi.dll.ConvertInterfaceGuidToLuid",
  1717. "iphlpapi.dll.ResolveIpNetEntry2",
  1718. "iphlpapi.dll.GetIpNetEntry2",
  1719. "shlwapi.dll.#260",
  1720. "ws2_32.dll.#115",
  1721. "urlmon.dll.CreateUri",
  1722. "version.dll.GetFileVersionInfoSizeW",
  1723. "version.dll.GetFileVersionInfoW",
  1724. "version.dll.VerQueryValueW",
  1725. "ws2_32.dll.GetAddrInfoW",
  1726. "comctl32.dll.PropertySheetW",
  1727. "comctl32.dll.PropertySheetA",
  1728. "comdlg32.dll.PageSetupDlgW",
  1729. "comdlg32.dll.PrintDlgW",
  1730. "urlmon.dll.#101",
  1731. "urlmon.dll.#400",
  1732. "advapi32.dll.TraceMessage",
  1733. "advapi32.dll.TraceMessageVa",
  1734. "sqmapi.dll.SqmGetSession",
  1735. "sqmapi.dll.SqmEndSession",
  1736. "sqmapi.dll.SqmStartSession",
  1737. "sqmapi.dll.SqmStartUpload",
  1738. "sqmapi.dll.SqmWaitForUploadComplete",
  1739. "sqmapi.dll.SqmSet",
  1740. "sqmapi.dll.SqmSetBool",
  1741. "sqmapi.dll.SqmSetBits",
  1742. "sqmapi.dll.SqmSetString",
  1743. "sqmapi.dll.SqmIncrement",
  1744. "sqmapi.dll.SqmSetIfMax",
  1745. "sqmapi.dll.SqmSetIfMin",
  1746. "sqmapi.dll.SqmAddToAverage",
  1747. "sqmapi.dll.SqmAddToStreamDWord",
  1748. "sqmapi.dll.SqmAddToStreamString",
  1749. "sqmapi.dll.SqmSetAppId",
  1750. "sqmapi.dll.SqmSetAppVersion",
  1751. "sqmapi.dll.SqmSetMachineId",
  1752. "sqmapi.dll.SqmSetUserId",
  1753. "sqmapi.dll.SqmCreateNewId",
  1754. "sqmapi.dll.SqmReadSharedMachineId",
  1755. "sqmapi.dll.SqmReadSharedUserId",
  1756. "sqmapi.dll.SqmWriteSharedMachineId",
  1757. "sqmapi.dll.SqmWriteSharedUserId",
  1758. "sqmapi.dll.SqmIsWindowsOptedIn",
  1759. "urlmon.dll.#442",
  1760. "kernel32.dll.WerRegisterMemoryBlock",
  1761. "kernel32.dll.WerUnregisterMemoryBlock",
  1762. "user32.dll.RegisterWindowMessageW",
  1763. "rpcrt4.dll.UuidCreateSequential",
  1764. "rpcrt4.dll.RpcServerUseProtseqW",
  1765. "rpcrt4.dll.RpcServerRegisterIfEx",
  1766. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  1767. "rpcrt4.dll.RpcServerInqBindings",
  1768. "rpcrt4.dll.RpcEpRegisterW",
  1769. "rpcrt4.dll.RpcServerListen",
  1770. "ntdll.dll.NtQuerySystemInformation",
  1771. "user32.dll.RegisterClassExW",
  1772. "user32.dll.CreateWindowExW",
  1773. "user32.dll.DefWindowProcW",
  1774. "user32.dll.SetWindowLongW",
  1775. "dwmapi.dll.DwmIsCompositionEnabled",
  1776. "urlmon.dll.#416",
  1777. "kernel32.dll.RegisterApplicationRestart",
  1778. "shell32.dll.#165",
  1779. "urlmon.dll.CoInternetCreateZoneManager",
  1780. "ws2_32.dll.FreeAddrInfoW",
  1781. "user32.dll.AllowSetForegroundWindow",
  1782. "wininet.dll.InternetInitializeAutoProxyDll",
  1783. "rasapi32.dll.RasEnumEntriesW",
  1784. "rasapi32.dll.RasConnectionNotificationW",
  1785. "rtutils.dll.TraceRegisterExA",
  1786. "rtutils.dll.TracePrintfExA",
  1787. "profapi.dll.#104",
  1788. "shlwapi.dll.PathCanonicalizeW",
  1789. "shlwapi.dll.PathRemoveFileSpecW",
  1790. "shlwapi.dll.PathFindFileNameW",
  1791. "sensapi.dll.IsNetworkAlive",
  1792. "rpcrt4.dll.NdrClientCall2",
  1793. "nlaapi.dll.NSPStartup",
  1794. "sechost.dll.NotifyServiceStatusChangeA",
  1795. "iphlpapi.dll.GetAdapterIndex",
  1796. "user32.dll.PostThreadMessageW",
  1797. "comctl32.dll.LoadIconWithScaleDown",
  1798. "ieui.dll.InitGadgets",
  1799. "user32.dll.MsgWaitForMultipleObjectsEx",
  1800. "gdi32.dll.GetLayout",
  1801. "gdi32.dll.GdiRealizationInfo",
  1802. "gdi32.dll.FontIsLinked",
  1803. "advapi32.dll.RegOpenKeyExW",
  1804. "advapi32.dll.RegQueryInfoKeyW",
  1805. "gdi32.dll.GetTextFaceAliasW",
  1806. "advapi32.dll.RegEnumValueW",
  1807. "advapi32.dll.RegQueryValueExW",
  1808. "gdi32.dll.GetFontAssocStatus",
  1809. "advapi32.dll.RegQueryValueExA",
  1810. "advapi32.dll.RegEnumKeyExW",
  1811. "gdi32.dll.GdiIsMetaPrintDC",
  1812. "uxtheme.dll.OpenThemeData",
  1813. "uxtheme.dll.GetThemeMargins",
  1814. "uxtheme.dll.GetThemePartSize",
  1815. "uxtheme.dll.GetThemeTextMetrics",
  1816. "uxtheme.dll.GetThemeBool",
  1817. "comctl32.dll.#410",
  1818. "comctl32.dll.#413",
  1819. "uxtheme.dll.IsAppThemed",
  1820. "uxtheme.dll.GetThemeBackgroundExtent",
  1821. "comctl32.dll.ImageList_LoadImageW",
  1822. "comctl32.dll.ImageList_GetIconSize",
  1823. "uxtheme.dll.GetThemeFont",
  1824. "uxtheme.dll.IsCompositionActive",
  1825. "uxtheme.dll.SetWindowTheme",
  1826. "comctl32.dll.ImageList_Create",
  1827. "comctl32.dll.ImageList_ReplaceIcon",
  1828. "oleaut32.dll.#10",
  1829. "comctl32.dll.ImageList_AddMasked",
  1830. "uxtheme.dll.IsThemePartDefined",
  1831. "uxtheme.dll.GetThemeColor",
  1832. "imm32.dll.ImmIsIME",
  1833. "urlmon.dll.CoInternetCreateSecurityManager",
  1834. "msctf.dll.SetInputScopes2",
  1835. "uxtheme.dll.CloseThemeData",
  1836. "uxtheme.dll.GetThemeBackgroundContentRect",
  1837. "uxtheme.dll.GetThemeTextExtent",
  1838. "uxtheme.dll.EnableThemeDialogTexture",
  1839. "urlmon.dll.#408",
  1840. "uxtheme.dll.IsThemeActive",
  1841. "ieui.dll.CreateGadget",
  1842. "ieui.dll.SetGadgetMessageFilter",
  1843. "ieui.dll.SetGadgetStyle",
  1844. "ole32.dll.CreateBindCtx",
  1845. "ieui.dll.SetGadgetRootInfo",
  1846. "ole32.dll.CoGetApartmentType",
  1847. "ole32.dll.CoRegisterInitializeSpy",
  1848. "uxtheme.dll.GetThemeAppProperties",
  1849. "comctl32.dll.#236",
  1850. "ole32.dll.CoGetMalloc",
  1851. "comctl32.dll.#320",
  1852. "comctl32.dll.#324",
  1853. "comctl32.dll.#323",
  1854. "comctl32.dll.#328",
  1855. "comctl32.dll.#334",
  1856. "advapi32.dll.RegEnumKeyW",
  1857. "advapi32.dll.InitializeSecurityDescriptor",
  1858. "advapi32.dll.SetEntriesInAclW",
  1859. "advapi32.dll.SetSecurityDescriptorDacl",
  1860. "advapi32.dll.IsTextUnicode",
  1861. "comctl32.dll.#332",
  1862. "comctl32.dll.#338",
  1863. "comctl32.dll.#339",
  1864. "shell32.dll.#102",
  1865. "propsys.dll.PSCreateMemoryPropertyStore",
  1866. "propsys.dll.PSPropertyBag_WriteStr",
  1867. "ole32.dll.PropVariantClear",
  1868. "propsys.dll.PSPropertyBag_WriteGUID",
  1869. "propsys.dll.PSPropertyBag_ReadGUID",
  1870. "xmllite.dll.CreateXmlReader",
  1871. "xmllite.dll.CreateXmlReaderInputWithEncodingName",
  1872. "comctl32.dll.ImageList_Read",
  1873. "comctl32.dll.ImageList_GetImageCount",
  1874. "ole32.dll.CoRevokeInitializeSpy",
  1875. "comctl32.dll.#388",
  1876. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  1877. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  1878. "ieui.dll.FindStdColor",
  1879. "ieui.dll.InvalidateGadget",
  1880. "ieui.dll.SetGadgetParent",
  1881. "ieui.dll.GetGadgetTicket",
  1882. "ieui.dll.SetGadgetRect",
  1883. "urlmon.dll.#103",
  1884. "urlmon.dll.#105",
  1885. "kernel32.dll.GetThreadUILanguage",
  1886. "comctl32.dll.#386",
  1887. "shell32.dll.SHGetInstanceExplorer",
  1888. "wininet.dll.InternetSetOptionW",
  1889. "rpcrt4.dll.RpcBindingToStringBindingW",
  1890. "rpcrt4.dll.RpcStringBindingParseW",
  1891. "rpcrt4.dll.I_RpcBindingInqLocalClientPID",
  1892. "rpcrt4.dll.RpcServerInqCallAttributesW",
  1893. "rpcrt4.dll.RpcImpersonateClient",
  1894. "rpcrt4.dll.RpcRevertToSelf",
  1895. "rpcrt4.dll.NdrServerCall2",
  1896. "rpcrt4.dll.RpcBindingInqObject",
  1897. "user32.dll.PostMessageW",
  1898. "oleaut32.dll.DllGetClassObject",
  1899. "oleaut32.dll.DllCanUnloadNow",
  1900. "sxs.dll.SxsOleAut32MapIIDToProxyStubCLSID",
  1901. "advapi32.dll.RegQueryValueW",
  1902. "sxs.dll.SxsOleAut32MapIIDToTLBPath",
  1903. "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid",
  1904. "sxs.dll.SxsOleAut32RedirectTypeLibrary",
  1905. "ieui.dll.PeekMessageExW",
  1906. "ole32.dll.CoInitialize",
  1907. "ole32.dll.RegisterDragDrop",
  1908. "msfeeds.dll.MsfeedsCreateInstance",
  1909. "shell32.dll.SHGetSpecialFolderPathW",
  1910. "shell32.dll.#66",
  1911. "shell32.dll.SHCreateDirectoryExW",
  1912. "wininet.dll.FindFirstUrlCacheContainerW",
  1913. "wininet.dll.FindNextUrlCacheContainerW",
  1914. "wininet.dll.FindCloseUrlCache",
  1915. "user32.dll.GetWindowLongW",
  1916. "user32.dll.IsWindow",
  1917. "user32.dll.SendMessageW",
  1918. "user32.dll.PeekMessageW",
  1919. "propsys.dll.PSStringFromPropertyKey",
  1920. "propsys.dll.PSGetPropertyDescription",
  1921. "propsys.dll.PropVariantToString",
  1922. "propsys.dll.InitPropVariantFromStringAsVector",
  1923. "propsys.dll.PSCoerceToCanonicalValue",
  1924. "shell32.dll.SHGetKnownFolderPath",
  1925. "urlmon.dll.#458",
  1926. "urlmon.dll.URLDownloadToFileW",
  1927. "urlmon.dll.CoInternetIsFeatureEnabledForUrl",
  1928. "ieui.dll.WaitMessageEx",
  1929. "user32.dll.TranslateMessage",
  1930. "user32.dll.DispatchMessageW",
  1931. "oleaut32.dll.#23",
  1932. "oleaut32.dll.#22",
  1933. "urlmon.dll.#441",
  1934. "urlmon.dll.#395",
  1935. "urlmon.dll.#351",
  1936. "mlang.dll.#112",
  1937. "wininet.dll.GetUrlCacheEntryInfoA",
  1938. "urlmon.dll.#325",
  1939. "wininet.dll.GetUrlCacheEntryInfoExW",
  1940. "wininet.dll.GetUrlCacheEntryInfoExA",
  1941. "wininet.dll.CommitUrlCacheEntryA",
  1942. "uxtheme.dll.BufferedPaintInit",
  1943. "uxtheme.dll.BeginBufferedPaint",
  1944. "uxtheme.dll.DrawThemeParentBackgroundEx",
  1945. "uxtheme.dll.DrawThemeParentBackground",
  1946. "uxtheme.dll.IsThemeBackgroundPartiallyTransparent",
  1947. "uxtheme.dll.DrawThemeBackground",
  1948. "uxtheme.dll.EndBufferedPaint",
  1949. "usp10.dll.ScriptIsComplex",
  1950. "urlmon.dll.#420",
  1951. "propsys.dll.PSGetPropertyKeyFromName",
  1952. "urlmon.dll.CoInternetQueryInfo",
  1953. "comctl32.dll.HIMAGELIST_QueryInterface",
  1954. "comctl32.dll.ImageList_Remove",
  1955. "ieui.dll.DUserPostEvent",
  1956. "ieui.dll.DeleteHandle",
  1957. "comctl32.dll.#412",
  1958. "uxtheme.dll.BufferedPaintUnInit",
  1959. "ieui.dll.DUserFlushMessages",
  1960. "ieui.dll.DUserFlushDeferredMessages",
  1961. "comctl32.dll.ImageList_Destroy",
  1962. "ole32.dll.RevokeDragDrop",
  1963. "ieui.dll.DisableContainerHwnd",
  1964. "ole32.dll.CoWaitForMultipleHandles",
  1965. "comctl32.dll.#326",
  1966. "urlmon.dll.#412",
  1967. "urlmon.dll.#414",
  1968. "ntdll.dll.RtlDllShutdownInProgress",
  1969. "comctl32.dll.#329",
  1970. "linkinfo.dll.IsValidLinkInfo",
  1971. "propsys.dll.#417",
  1972. "propsys.dll.PSGetNameFromPropertyKey",
  1973. "propsys.dll.InitVariantFromBuffer",
  1974. "propsys.dll.PropVariantToGUID",
  1975. "apphelp.dll.ApphelpCheckShellObject",
  1976. "propsys.dll.PSGetPropertyDescriptionByName",
  1977. "sechost.dll.ConvertStringSidToSidW",
  1978. "samcli.dll.NetUserGetLocalGroups",
  1979. "advapi32.dll.LsaOpenPolicy",
  1980. "advapi32.dll.LsaLookupNames2",
  1981. "advapi32.dll.LsaClose",
  1982. "advapi32.dll.LsaFreeMemory",
  1983. "samlib.dll.SamGetAliasMembership",
  1984. "samlib.dll.SamLookupIdsInDomain",
  1985. "linkinfo.dll.CreateLinkInfoW",
  1986. "user32.dll.IsCharAlphaW",
  1987. "user32.dll.CharPrevW",
  1988. "ntshrui.dll.GetNetResourceFromLocalPathW",
  1989. "srvcli.dll.NetShareEnum",
  1990. "cscapi.dll.CscNetApiGetInterface",
  1991. "slc.dll.SLGetWindowsInformationDWORD",
  1992. "linkinfo.dll.DestroyLinkInfo",
  1993. "propsys.dll.PropVariantToBoolean",
  1994. "urlmon.dll.#364",
  1995. "shell32.dll.SHCreateShellItemArrayFromIDLists",
  1996. "ole32.dll.CoTaskMemRealloc",
  1997. "shell32.dll.SHAssocEnumHandlersForProtocolByApplication",
  1998. "urlmon.dll.#397",
  1999. "urlmon.dll.#398",
  2000. "propsys.dll.PSPropertyBag_ReadBOOL",
  2001. "advapi32.dll.GetSecurityInfo",
  2002. "advapi32.dll.SetSecurityInfo",
  2003. "advapi32.dll.GetSecurityDescriptorControl",
  2004. "urlmon.dll.#327",
  2005. "user32.dll.CharLowerW",
  2006. "cryptsp.dll.CryptCreateHash",
  2007. "cryptsp.dll.CryptHashData",
  2008. "cryptsp.dll.CryptGetHashParam",
  2009. "cryptsp.dll.CryptDestroyHash",
  2010. "crypt32.dll.CryptUnprotectData",
  2011. "crypt32.dll.CryptProtectData",
  2012. "cryptbase.dll.SystemFunction040",
  2013. "cryptbase.dll.SystemFunction041",
  2014. "comctl32.dll.#321",
  2015. "user32.dll.DestroyWindow",
  2016. "user32.dll.PostQuitMessage",
  2017. "urlmon.dll.#456",
  2018. "urlmon.dll.#451",
  2019. "user32.dll.UnregisterClassW",
  2020. "rpcrt4.dll.RpcEpUnregister",
  2021. "rpcrt4.dll.RpcBindingVectorFree",
  2022. "rpcrt4.dll.RpcServerUnregisterIf",
  2023. "urlmon.dll.#401",
  2024. "ws2_32.dll.#116",
  2025. "advapi32.dll.UnregisterTraceGuids",
  2026. "ieframe.dll.#251",
  2027. "kernel32.dll.WerSetFlags",
  2028. "ieshims.dll.IEShims_Initialize",
  2029. "user32.dll.SetWindowsHookExW",
  2030. "user32.dll.FindWindowExA",
  2031. "kernel32.dll.CreateProcessW",
  2032. "kernel32.dll.CreateProcessA",
  2033. "advapi32.dll.RegQueryValueA",
  2034. "ntdll.dll.LdrRegisterDllNotification",
  2035. "ole32.dll.NdrOleInitializeExtension",
  2036. "shell32.dll.SHChangeNotifyRegisterThread",
  2037. "comctl32.dll.#4",
  2038. "comctl32.dll.ImageList_Add",
  2039. "wininet.dll.InternetQueryOptionA",
  2040. "gdi32.dll.GetTextExtentExPointWPri",
  2041. "urlmon.dll.#104",
  2042. "user32.dll.LoadCursorW",
  2043. "user32.dll.GetClassInfoExW",
  2044. "kernel32.dll.QueryActCtxW",
  2045. "kernel32.dll.ActivateActCtx",
  2046. "kernel32.dll.FindActCtxSectionStringW",
  2047. "kernel32.dll.DeactivateActCtx",
  2048. "user32.dll.CallWindowProcW",
  2049. "user32.dll.ChangeWindowMessageFilter",
  2050. "dwmapi.dll.DwmSetWindowAttribute",
  2051. "urlmon.dll.#111",
  2052. "wininet.dll.GetUrlCacheEntryInfoW",
  2053. "shlwapi.dll.AssocQueryStringW",
  2054. "propsys.dll.#430",
  2055. "advapi32.dll.RegGetValueW",
  2056. "propsys.dll.PropVariantToStringAlloc",
  2057. "oleaut32.dll.#11",
  2058. "ieshims.dll.IEShims_SetRedirectRegistryForThread",
  2059. "comctl32.dll.#8",
  2060. "uxtheme.dll.GetThemeInt",
  2061. "urlmon.dll.CreateURLMonikerEx",
  2062. "urlmon.dll.CreateAsyncBindCtxEx",
  2063. "urlmon.dll.RegisterBindStatusCallback",
  2064. "urlmon.dll.CreateFormatEnumerator",
  2065. "urlmon.dll.UrlMkGetSessionOption",
  2066. "rasadhlp.dll.WSAttemptAutodialAddr",
  2067. "rasadhlp.dll.WSAttemptAutodialName",
  2068. "rasadhlp.dll.WSNoteSuccessfulHostentLookup",
  2069. "mlang.dll.#121",
  2070. "urlmon.dll.#444",
  2071. "urlmon.dll.#445",
  2072. "dwmapi.dll.DwmInvalidateIconicBitmaps",
  2073. "ieframe.dll.#302",
  2074. "urlmon.dll.RegisterFormatEnumerator",
  2075. "urlmon.dll.RevokeBindStatusCallback",
  2076. "urlmon.dll.CreateIUriBuilder",
  2077. "urlmon.dll.IntlPercentEncodeNormalize",
  2078. "urlmon.dll.CoInternetIsFeatureEnabled",
  2079. "oleaut32.dll.VariantClear",
  2080. "shlwapi.dll.PathGetDriveNumberW",
  2081. "urlmon.dll.#335",
  2082. "urlmon.dll.#330",
  2083. "wininet.dll.FindFirstUrlCacheContainerA",
  2084. "wininet.dll.FindNextUrlCacheContainerA",
  2085. "wininet.dll.CreateUrlCacheContainerA",
  2086. "wininet.dll.DeleteUrlCacheContainerA",
  2087. "wininet.dll.FindFirstUrlCacheEntryA",
  2088. "wininet.dll.DeleteUrlCacheEntryW",
  2089. "wininet.dll.FindNextUrlCacheEntryA",
  2090. "wininet.dll.CommitUrlCacheEntryW",
  2091. "wininet.dll.InternetGetConnectedState",
  2092. "urlmon.dll.URLDownloadToCacheFileW",
  2093. "wininet.dll.SetUrlCacheEntryGroupW",
  2094. "oleaut32.dll.#201",
  2095. "ieshims.dll.IEShims_GetOriginatingThreadId",
  2096. "user32.dll.UnregisterClassA",
  2097. "wininet.dll.InternetSetCookieExW",
  2098. "ieshims.dll.IEShims_Uninitialize",
  2099. "ntdll.dll.LdrUnregisterDllNotification",
  2100. "fastprox.dll.DllGetClassObject",
  2101. "fastprox.dll.DllCanUnloadNow"
  2102. ]
  2103.  
  2104. [*] Static Analysis: {
  2105. "pe": {
  2106. "peid_signatures": null,
  2107. "imports": [
  2108. {
  2109. "imports": [
  2110. {
  2111. "name": "CreateToolhelp32Snapshot",
  2112. "address": "0x425028"
  2113. },
  2114. {
  2115. "name": "VirtualProtect",
  2116. "address": "0x42502c"
  2117. },
  2118. {
  2119. "name": "LocalAlloc",
  2120. "address": "0x425030"
  2121. },
  2122. {
  2123. "name": "PeekConsoleInputW",
  2124. "address": "0x425034"
  2125. },
  2126. {
  2127. "name": "GetLastError",
  2128. "address": "0x425038"
  2129. },
  2130. {
  2131. "name": "GetHandleInformation",
  2132. "address": "0x42503c"
  2133. },
  2134. {
  2135. "name": "GetBinaryTypeW",
  2136. "address": "0x425040"
  2137. },
  2138. {
  2139. "name": "GetNumberFormatA",
  2140. "address": "0x425044"
  2141. },
  2142. {
  2143. "name": "GetFileAttributesExA",
  2144. "address": "0x425048"
  2145. },
  2146. {
  2147. "name": "DebugActiveProcessStop",
  2148. "address": "0x42504c"
  2149. },
  2150. {
  2151. "name": "DuplicateHandle",
  2152. "address": "0x425050"
  2153. },
  2154. {
  2155. "name": "lstrlenA",
  2156. "address": "0x425054"
  2157. },
  2158. {
  2159. "name": "EncodePointer",
  2160. "address": "0x425058"
  2161. },
  2162. {
  2163. "name": "DecodePointer",
  2164. "address": "0x42505c"
  2165. },
  2166. {
  2167. "name": "GetCommandLineW",
  2168. "address": "0x425060"
  2169. },
  2170. {
  2171. "name": "RaiseException",
  2172. "address": "0x425064"
  2173. },
  2174. {
  2175. "name": "RtlUnwind",
  2176. "address": "0x425068"
  2177. },
  2178. {
  2179. "name": "IsDebuggerPresent",
  2180. "address": "0x42506c"
  2181. },
  2182. {
  2183. "name": "IsProcessorFeaturePresent",
  2184. "address": "0x425070"
  2185. },
  2186. {
  2187. "name": "EnterCriticalSection",
  2188. "address": "0x425074"
  2189. },
  2190. {
  2191. "name": "LeaveCriticalSection",
  2192. "address": "0x425078"
  2193. },
  2194. {
  2195. "name": "FlushFileBuffers",
  2196. "address": "0x42507c"
  2197. },
  2198. {
  2199. "name": "WriteFile",
  2200. "address": "0x425080"
  2201. },
  2202. {
  2203. "name": "WideCharToMultiByte",
  2204. "address": "0x425084"
  2205. },
  2206. {
  2207. "name": "GetConsoleCP",
  2208. "address": "0x425088"
  2209. },
  2210. {
  2211. "name": "GetConsoleMode",
  2212. "address": "0x42508c"
  2213. },
  2214. {
  2215. "name": "DeleteCriticalSection",
  2216. "address": "0x425090"
  2217. },
  2218. {
  2219. "name": "FatalAppExitA",
  2220. "address": "0x425094"
  2221. },
  2222. {
  2223. "name": "ExitProcess",
  2224. "address": "0x425098"
  2225. },
  2226. {
  2227. "name": "GetModuleHandleExW",
  2228. "address": "0x42509c"
  2229. },
  2230. {
  2231. "name": "GetProcAddress",
  2232. "address": "0x4250a0"
  2233. },
  2234. {
  2235. "name": "AreFileApisANSI",
  2236. "address": "0x4250a4"
  2237. },
  2238. {
  2239. "name": "MultiByteToWideChar",
  2240. "address": "0x4250a8"
  2241. },
  2242. {
  2243. "name": "HeapSize",
  2244. "address": "0x4250ac"
  2245. },
  2246. {
  2247. "name": "ReadFile",
  2248. "address": "0x4250b0"
  2249. },
  2250. {
  2251. "name": "ReadConsoleW",
  2252. "address": "0x4250b4"
  2253. },
  2254. {
  2255. "name": "HeapFree",
  2256. "address": "0x4250b8"
  2257. },
  2258. {
  2259. "name": "HeapAlloc",
  2260. "address": "0x4250bc"
  2261. },
  2262. {
  2263. "name": "SetLastError",
  2264. "address": "0x4250c0"
  2265. },
  2266. {
  2267. "name": "GetCurrentThread",
  2268. "address": "0x4250c4"
  2269. },
  2270. {
  2271. "name": "GetCurrentThreadId",
  2272. "address": "0x4250c8"
  2273. },
  2274. {
  2275. "name": "GetProcessHeap",
  2276. "address": "0x4250cc"
  2277. },
  2278. {
  2279. "name": "GetStdHandle",
  2280. "address": "0x4250d0"
  2281. },
  2282. {
  2283. "name": "GetFileType",
  2284. "address": "0x4250d4"
  2285. },
  2286. {
  2287. "name": "GetStartupInfoW",
  2288. "address": "0x4250d8"
  2289. },
  2290. {
  2291. "name": "GetModuleFileNameW",
  2292. "address": "0x4250dc"
  2293. },
  2294. {
  2295. "name": "QueryPerformanceCounter",
  2296. "address": "0x4250e0"
  2297. },
  2298. {
  2299. "name": "GetCurrentProcessId",
  2300. "address": "0x4250e4"
  2301. },
  2302. {
  2303. "name": "GetSystemTimeAsFileTime",
  2304. "address": "0x4250e8"
  2305. },
  2306. {
  2307. "name": "GetEnvironmentStringsW",
  2308. "address": "0x4250ec"
  2309. },
  2310. {
  2311. "name": "FreeEnvironmentStringsW",
  2312. "address": "0x4250f0"
  2313. },
  2314. {
  2315. "name": "UnhandledExceptionFilter",
  2316. "address": "0x4250f4"
  2317. },
  2318. {
  2319. "name": "SetUnhandledExceptionFilter",
  2320. "address": "0x4250f8"
  2321. },
  2322. {
  2323. "name": "InitializeCriticalSectionAndSpinCount",
  2324. "address": "0x4250fc"
  2325. },
  2326. {
  2327. "name": "CreateEventW",
  2328. "address": "0x425100"
  2329. },
  2330. {
  2331. "name": "Sleep",
  2332. "address": "0x425104"
  2333. },
  2334. {
  2335. "name": "GetCurrentProcess",
  2336. "address": "0x425108"
  2337. },
  2338. {
  2339. "name": "TerminateProcess",
  2340. "address": "0x42510c"
  2341. },
  2342. {
  2343. "name": "TlsAlloc",
  2344. "address": "0x425110"
  2345. },
  2346. {
  2347. "name": "TlsGetValue",
  2348. "address": "0x425114"
  2349. },
  2350. {
  2351. "name": "TlsSetValue",
  2352. "address": "0x425118"
  2353. },
  2354. {
  2355. "name": "TlsFree",
  2356. "address": "0x42511c"
  2357. },
  2358. {
  2359. "name": "GetTickCount",
  2360. "address": "0x425120"
  2361. },
  2362. {
  2363. "name": "GetModuleHandleW",
  2364. "address": "0x425124"
  2365. },
  2366. {
  2367. "name": "CreateSemaphoreW",
  2368. "address": "0x425128"
  2369. },
  2370. {
  2371. "name": "SetStdHandle",
  2372. "address": "0x42512c"
  2373. },
  2374. {
  2375. "name": "SetFilePointerEx",
  2376. "address": "0x425130"
  2377. },
  2378. {
  2379. "name": "WriteConsoleW",
  2380. "address": "0x425134"
  2381. },
  2382. {
  2383. "name": "SetConsoleCtrlHandler",
  2384. "address": "0x425138"
  2385. },
  2386. {
  2387. "name": "FreeLibrary",
  2388. "address": "0x42513c"
  2389. },
  2390. {
  2391. "name": "LoadLibraryExW",
  2392. "address": "0x425140"
  2393. },
  2394. {
  2395. "name": "IsValidCodePage",
  2396. "address": "0x425144"
  2397. },
  2398. {
  2399. "name": "GetACP",
  2400. "address": "0x425148"
  2401. },
  2402. {
  2403. "name": "GetOEMCP",
  2404. "address": "0x42514c"
  2405. },
  2406. {
  2407. "name": "GetCPInfo",
  2408. "address": "0x425150"
  2409. },
  2410. {
  2411. "name": "HeapReAlloc",
  2412. "address": "0x425154"
  2413. },
  2414. {
  2415. "name": "GetDateFormatW",
  2416. "address": "0x425158"
  2417. },
  2418. {
  2419. "name": "GetTimeFormatW",
  2420. "address": "0x42515c"
  2421. },
  2422. {
  2423. "name": "CompareStringW",
  2424. "address": "0x425160"
  2425. },
  2426. {
  2427. "name": "LCMapStringW",
  2428. "address": "0x425164"
  2429. },
  2430. {
  2431. "name": "GetLocaleInfoW",
  2432. "address": "0x425168"
  2433. },
  2434. {
  2435. "name": "IsValidLocale",
  2436. "address": "0x42516c"
  2437. },
  2438. {
  2439. "name": "GetUserDefaultLCID",
  2440. "address": "0x425170"
  2441. },
  2442. {
  2443. "name": "EnumSystemLocalesW",
  2444. "address": "0x425174"
  2445. },
  2446. {
  2447. "name": "OutputDebugStringW",
  2448. "address": "0x425178"
  2449. },
  2450. {
  2451. "name": "GetStringTypeW",
  2452. "address": "0x42517c"
  2453. },
  2454. {
  2455. "name": "CreateFileW",
  2456. "address": "0x425180"
  2457. },
  2458. {
  2459. "name": "CloseHandle",
  2460. "address": "0x425184"
  2461. }
  2462. ],
  2463. "dll": "KERNEL32.dll"
  2464. },
  2465. {
  2466. "imports": [
  2467. {
  2468. "name": "ReadEventLogW",
  2469. "address": "0x425000"
  2470. },
  2471. {
  2472. "name": "ImpersonateSelf",
  2473. "address": "0x425004"
  2474. },
  2475. {
  2476. "name": "RegSaveKeyW",
  2477. "address": "0x425008"
  2478. },
  2479. {
  2480. "name": "OpenBackupEventLogA",
  2481. "address": "0x42500c"
  2482. },
  2483. {
  2484. "name": "RegDeleteKeyA",
  2485. "address": "0x425010"
  2486. },
  2487. {
  2488. "name": "RegCreateKeyExW",
  2489. "address": "0x425014"
  2490. },
  2491. {
  2492. "name": "RegQueryMultipleValuesW",
  2493. "address": "0x425018"
  2494. },
  2495. {
  2496. "name": "SetThreadToken",
  2497. "address": "0x42501c"
  2498. },
  2499. {
  2500. "name": "AreAnyAccessesGranted",
  2501. "address": "0x425020"
  2502. }
  2503. ],
  2504. "dll": "ADVAPI32.dll"
  2505. }
  2506. ],
  2507. "digital_signers": null,
  2508. "exported_dll_name": null,
  2509. "actual_checksum": "0x0004efaa",
  2510. "overlay": null,
  2511. "imagebase": "0x00400000",
  2512. "reported_checksum": "0x0004efaa",
  2513. "icon_hash": null,
  2514. "entrypoint": "0x00403d4a",
  2515. "timestamp": "2018-06-30 14:33:43",
  2516. "osversion": "5.1",
  2517. "sections": [
  2518. {
  2519. "name": ".text",
  2520. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  2521. "virtual_address": "0x00001000",
  2522. "size_of_data": "0x00023a00",
  2523. "entropy": "6.66",
  2524. "raw_address": "0x00000400",
  2525. "virtual_size": "0x0002388d",
  2526. "characteristics_raw": "0x60000020"
  2527. },
  2528. {
  2529. "name": ".rdata",
  2530. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2531. "virtual_address": "0x00025000",
  2532. "size_of_data": "0x0001b000",
  2533. "entropy": "6.44",
  2534. "raw_address": "0x00023e00",
  2535. "virtual_size": "0x0001afd6",
  2536. "characteristics_raw": "0x40000040"
  2537. },
  2538. {
  2539. "name": ".data",
  2540. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2541. "virtual_address": "0x00040000",
  2542. "size_of_data": "0x00001e00",
  2543. "entropy": "3.08",
  2544. "raw_address": "0x0003ee00",
  2545. "virtual_size": "0x04e5ebec",
  2546. "characteristics_raw": "0xc0000040"
  2547. },
  2548. {
  2549. "name": ".rsrc",
  2550. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2551. "virtual_address": "0x04e9f000",
  2552. "size_of_data": "0x00002800",
  2553. "entropy": "4.72",
  2554. "raw_address": "0x00040c00",
  2555. "virtual_size": "0x00002660",
  2556. "characteristics_raw": "0x40000040"
  2557. },
  2558. {
  2559. "name": ".reloc",
  2560. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  2561. "virtual_address": "0x04ea2000",
  2562. "size_of_data": "0x00002200",
  2563. "entropy": "6.53",
  2564. "raw_address": "0x00043400",
  2565. "virtual_size": "0x00002074",
  2566. "characteristics_raw": "0x42000040"
  2567. }
  2568. ],
  2569. "resources": [],
  2570. "dirents": [
  2571. {
  2572. "virtual_address": "0x00000000",
  2573. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2574. "size": "0x00000000"
  2575. },
  2576. {
  2577. "virtual_address": "0x0003f6e8",
  2578. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2579. "size": "0x0000003c"
  2580. },
  2581. {
  2582. "virtual_address": "0x04e9f000",
  2583. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2584. "size": "0x00002660"
  2585. },
  2586. {
  2587. "virtual_address": "0x00000000",
  2588. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2589. "size": "0x00000000"
  2590. },
  2591. {
  2592. "virtual_address": "0x00000000",
  2593. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2594. "size": "0x00000000"
  2595. },
  2596. {
  2597. "virtual_address": "0x04ea2000",
  2598. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2599. "size": "0x00002074"
  2600. },
  2601. {
  2602. "virtual_address": "0x000251e0",
  2603. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2604. "size": "0x00000038"
  2605. },
  2606. {
  2607. "virtual_address": "0x00000000",
  2608. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2609. "size": "0x00000000"
  2610. },
  2611. {
  2612. "virtual_address": "0x00000000",
  2613. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2614. "size": "0x00000000"
  2615. },
  2616. {
  2617. "virtual_address": "0x00000000",
  2618. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2619. "size": "0x00000000"
  2620. },
  2621. {
  2622. "virtual_address": "0x00000000",
  2623. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2624. "size": "0x00000000"
  2625. },
  2626. {
  2627. "virtual_address": "0x00000000",
  2628. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2629. "size": "0x00000000"
  2630. },
  2631. {
  2632. "virtual_address": "0x00025000",
  2633. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2634. "size": "0x0000018c"
  2635. },
  2636. {
  2637. "virtual_address": "0x00000000",
  2638. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2639. "size": "0x00000000"
  2640. },
  2641. {
  2642. "virtual_address": "0x00000000",
  2643. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2644. "size": "0x00000000"
  2645. },
  2646. {
  2647. "virtual_address": "0x00000000",
  2648. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2649. "size": "0x00000000"
  2650. }
  2651. ],
  2652. "exports": [],
  2653. "guest_signers": {},
  2654. "imphash": "baea1ffde5e1170431fb06c7b2816acd",
  2655. "icon_fuzzy": null,
  2656. "icon": null,
  2657. "pdbpath": "C:\\sibonifanijuvi.pdb\\x00er\\runtime\\crypt\\tmp_2004838590\\bin\\dibuxigef.pdb\\x00\\x00\\x00\\x00\\x00\\xa1\\x00\\x00\\x00\\xa1\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x17D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xb8\\xe5C",
  2658. "imported_dll_count": 2,
  2659. "versioninfo": []
  2660. }
  2661. }