- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "Ursnif_7c3f801620ea1cebd29889400ec9af67.exe"
- [*] File Size: 284160
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "98ec340830dcbc3535c88612fa0c40caa7a4c0ad656bf8aa232b3b35d4a7a028"
- [*] MD5: "7c3f801620ea1cebd29889400ec9af67"
- [*] SHA1: "b0d226574d6d7fb4ec46fcf0afea08d6e8f91674"
- [*] SHA512: "b81e6dd0bf79ef853b2cbe09dddea946f87f901fbe3e66cad838684cdd4104bb454483fdfaf115a5c9203e7cd512547ec53a3c99fa2eb109c05403637352a6b6"
- [*] CRC32: "E81D16F6"
- [*] SSDEEP: "6144:5sOKPyyl3yr4yJ0hlNM0NZfxZRggbgH5o:5NvmfyJuM4Zpc5o"
- [*] Process Execution: [
- "Ursnif_7c3f801620ea1cebd29889400ec9af67.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "iexplore.exe",
- "iexplore.exe",
- "iexplore.exe",
- "iexplore.exe",
- "iexplore.exe",
- "WmiPrvSE.exe",
- "svchost.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
- "Details": [
- {
- "IP": "204.79.197.200:80"
- },
- {
- "IP": "31.214.157.89:80"
- }
- ]
- },
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "A process attempted to delay the analysis task.",
- "Details": [
- {
- "Process": "Ursnif_7c3f801620ea1cebd29889400ec9af67.exe tried to sleep 369 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://www.bing.com/favicon.ico"
- },
- {
- "url": "http://velooiisd.club/images/iWjLmuDOy7/XYiI3c6Yc19H1pj6z/yUcuhaYMcFBs/ejPJyvBSAs2/pW3zzAX33_2FoR/sxHF6Y7EnPJ8UYYYXNVEt/jMewly5dYMgnIL5V/npy03O8g7LI4tHw/Ousy_2FKTPs0diteQV/IAnCjVXqpXbzas7uY/4Wu.avi"
- },
- {
- "url": "http://velooiisd.club/favicon.ico"
- },
- {
- "url": "http://velooiisd.club/images/lG5rXDwsB/Aw3WlunARss02DIXzHLr/PnFtwdMnTEABSpElmjc/68sb4A9Xn2sV4YWSShBzje/bCTn4QyDShm1I/ZAsNBIsn/IcyO5MhDHc1myAdXvIRWYcP/JpCn_2B5I_/2F_2FXDnTkDhsW7rj/ocbe8wkKW7op/8sYVjeQng_2/BaMrr61wC6HC/c8n.avi"
- },
- {
- "url": "http://velooiisd.club/images/y2Ayo90JrxkGKuKrLyUL/Jf94GGgp90duCciJVtJ/SxpQcYpulyWorK9gasq8pC/eA1zLn2Gk25Xo/7SZ5lOda/l3o0nKemRPltQmZeOcxqkKB/I7KEDNIPfW/eIos19ENohv9Op9_2/FN9MLbvdOLs4YHwT/YhET.avi"
- }
- ]
- },
- {
- "Description": "Crashed cuckoomon during analysis. Report this error to the Github repo.",
- "Details": [
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x3ed0c4 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x3ed0c8 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x3ed0c0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x3ed0bc from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19689 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x3ed0cc from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x1969b in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x3ed0d0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196a2 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x3ed0d4 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196ad in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x3ed0d8 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196c0 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x3ed0bc from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x3ed0c0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x3ed0c4 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x3ed0c8 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c07 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x3ed030 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x3ed034 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x3ed02c from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x3ed028 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x3ed048 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x3ed04c from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x3ed050 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x3ed054 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x3ed028 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x3ed02c from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x3ed030 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x3ed034 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x3ed0e4 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x3ed0e8 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x3ed0e0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x3ed0dc from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x3ed0ec from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x3ed0f0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x3ed0f4 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x3ed0f8 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x3ed0dc from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x3ed0e0 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x3ed0e4 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x3ed0e8 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0x3ed404 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x3ed408 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x3ed400 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x3ed3fc from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0x3ed40c from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0x3ed410 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0x3ed414 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0x3ed418 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0x3ed3fc from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x3ed400 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x3ed404 from hook RtlDispatchException"
- },
- {
- "pid": 2316
- },
- {
- "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x3ed408 from hook RtlDispatchException"
- }
- ]
- },
- {
- "Description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
- "Details": [
- {
- "regkeyval": "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client64"
- },
- {
- "regkeyval": "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client32"
- },
- {
- "regkeyval": "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\aeevpisp"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF6ceb49.TMP"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF70538f.TMP"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF71123f.TMP"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF69f3f6.TMP"
- }
- ]
- },
- {
- "Description": "File has been identified by 11 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "Qihoo-360": "HEUR/QVM10.1.1B6D.Malware.Gen"
- },
- {
- "Rising": "Trojan.Kryptik!8.8/N3#81% (RDM+:cmRtazrMN+HcdgjA3UJWadTAgDki)"
- },
- {
- "Endgame": "malicious (high confidence)"
- },
- {
- "Invincea": "heuristic"
- },
- {
- "Trapmine": "malicious.high.ml.score"
- },
- {
- "FireEye": "Generic.mg.7c3f801620ea1ceb"
- },
- {
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- },
- {
- "Acronis": "suspicious"
- },
- {
- "Cylance": "Unsafe"
- },
- {
- "SentinelOne": "DFI - Suspicious PE"
- },
- {
- "CrowdStrike": "win/malicious_confidence_60% (W)"
- }
- ]
- },
- {
- "Description": "Attempts to modify proxy settings",
- "Details": []
- }
- ]
- [*] Started Service: []
- [*] Executed Commands: [
- "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding",
- "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -Embedding",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2932 CREDAT:79873",
- "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2932 CREDAT:145409",
- "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:2992 CREDAT:79873"
- ]
- [*] Mutexes: [
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
- "Local\\WininetStartupMutex",
- "Local\\WininetConnectionMutex",
- "Local\\WininetProxyRegistryMutex",
- "Local\\!IETld!Mutex",
- "Local\\!BrowserEmulation!SharedMemory!Mutex",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "ConnHashTable<2932>_HashTable_Mutex",
- "Local\\ZonesCounterMutex",
- "Local\\RSS Eventing Connection Database Mutex 00000b74",
- "Local\\Feed Eventing Shared Memory Mutex S-1-5-21-0000000000-0000000000-0000000000-1000",
- "Local\\c:!users!user!appdata!local!microsoft!feeds cache!",
- "_!SHMSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!mshist012019062520190626!",
- "ConnHashTable<2992>_HashTable_Mutex",
- "Local\\RSS Eventing Connection Database Mutex 00000bb0"
- ]
- [*] Modified Files: [
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{5F9138ED-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~DFCE2FB227258F575C.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{5F9138EE-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~DFA116D974D1210C25.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon[1].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon[2].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon[3].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\favicon[4].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{5F9138F0-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~DF3CF0D875615E9E14.TMP",
- "\\??\\pipe\\MsFteWds",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\PGGAV721ZC0LZCCBOXWS.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF6ceb49.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q8H2MS75\\favicon[1].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{66162702-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~DFC66976D32514B763.TMP",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\YE5W28TO57VOUNRI1MX1.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF70538f.TMP",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\WCD9L9R2LIHPBMMLLFJV.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF71123f.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@velooiisd[1].txt",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019062520190626\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\favicon[1].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\favicon[2].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\favicon[3].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\favicon[4].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{7238BF1B-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~DFAFA824AEFB40D173.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{7238BF1C-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~DF2FB7F43C7AE842A6.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\favicon[1].ico",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8BGZLQBV\\favicon[2].ico",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\9YO2UCN0Q7F8BR46OLX7.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF69f3f6.TMP"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF6ceb49.TMP",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF70538f.TMP",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF71123f.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{66162702-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{5F9138F0-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{5F9138EE-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{5F9138ED-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF69f3f6.TMP",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{7238BF1C-9782-11E9-9533-18C086CD4731}.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{7238BF1B-9782-11E9-9533-18C086CD4731}.dat"
- ]
- [*] Modified Registry Keys: [
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE10RunOnceLastShown",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE10RunOnceLastShown_TIMESTAMP",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE8RunOnceLastShown",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\IE8RunOnceLastShown_TIMESTAMP",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\Internet Explorer\\Main\\Check_Associations",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\VerCache",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\VerCache",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\VerCache",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\CompatibilityFlags",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\SecuritySafe",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\{5F9138ED-9782-11E9-9533-18C086CD4731}",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2670000A-7350-4F3C-8081-5663EE0C6C49}\\iexplore\\Type",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2670000A-7350-4F3C-8081-5663EE0C6C49}\\iexplore\\Count",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2670000A-7350-4F3C-8081-5663EE0C6C49}\\iexplore\\Time",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\iexplore\\Type",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\iexplore\\Count",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\iexplore\\Time",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\\iexplore\\Type",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\\iexplore\\Count",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\\iexplore\\Time",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FullScreen",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Favorites\\Links\\Order",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch\\UpgradeTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\Window_Placement",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\User Preferences\\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\DefaultScope",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\User Preferences\\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\iexplore\\LoadTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\Type",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\Count",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\Time",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\LoadTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\iexplore\\Type",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\iexplore\\Count",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\iexplore\\Time",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\\iexplore\\LoadTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CachePath",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CachePrefix",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CacheLimit",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CacheOptions",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019062520190626\\CacheRepair",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\{7238BF1B-9782-11E9-9533-18C086CD4731}",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client32",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\Client64",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\aeevpisp",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\ApiMM1M0",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\AppDataLow\\Software\\Microsoft\\0EEC6689-1584-7006-0F22-19A4B3765D18\\aecaM1M0"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\{5F9138ED-9782-11E9-9533-18C086CD4731}",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFavoritesInitialSelection",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFeedsInitialSelection",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery\\AdminActive\\{7238BF1B-9782-11E9-9533-18C086CD4731}"
- ]
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "www.bing.com",
- "answers": [
- {
- "data": "dual-a-0001.a-msedge.net",
- "type": "CNAME"
- },
- {
- "data": "a-0001.a-afdentry.net.trafficmanager.net",
- "type": "CNAME"
- },
- {
- "data": "204.79.197.200",
- "type": "A"
- },
- {
- "data": "13.107.21.200",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "velooiisd.club",
- "answers": [
- {
- "data": "31.214.157.89",
- "type": "A"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "31.214.157.89",
- "domain": "velooiisd.club"
- },
- {
- "ip": "13.107.21.200",
- "domain": "www.bing.com"
- }
- ]
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 3,
- "body": "",
- "uri": "http://www.bing.com/favicon.ico",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "GET",
- "host": "www.bing.com",
- "version": "1.1",
- "path": "/favicon.ico",
- "data": "GET /favicon.ico HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: www.bing.com\r\nConnection: Keep-Alive\r\nCookie: MUID=055643067C21678412144E247D39664A; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=5262DC06BBB54635AC9D8A0AD382875E&dmnchg=1; SRCHUSR=DOB=20190317\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://velooiisd.club/images/iWjLmuDOy7/XYiI3c6Yc19H1pj6z/yUcuhaYMcFBs/ejPJyvBSAs2/pW3zzAX33_2FoR/sxHF6Y7EnPJ8UYYYXNVEt/jMewly5dYMgnIL5V/npy03O8g7LI4tHw/Ousy_2FKTPs0diteQV/IAnCjVXqpXbzas7uY/4Wu.avi",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "GET",
- "host": "velooiisd.club",
- "version": "1.1",
- "path": "/images/iWjLmuDOy7/XYiI3c6Yc19H1pj6z/yUcuhaYMcFBs/ejPJyvBSAs2/pW3zzAX33_2FoR/sxHF6Y7EnPJ8UYYYXNVEt/jMewly5dYMgnIL5V/npy03O8g7LI4tHw/Ousy_2FKTPs0diteQV/IAnCjVXqpXbzas7uY/4Wu.avi",
- "data": "GET /images/iWjLmuDOy7/XYiI3c6Yc19H1pj6z/yUcuhaYMcFBs/ejPJyvBSAs2/pW3zzAX33_2FoR/sxHF6Y7EnPJ8UYYYXNVEt/jMewly5dYMgnIL5V/npy03O8g7LI4tHw/Ousy_2FKTPs0diteQV/IAnCjVXqpXbzas7uY/4Wu.avi HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nAccept-Encoding: gzip, deflate\r\nHost: velooiisd.club\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://velooiisd.club/favicon.ico",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "GET",
- "host": "velooiisd.club",
- "version": "1.1",
- "path": "/favicon.ico",
- "data": "GET /favicon.ico HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: velooiisd.club\r\nConnection: Keep-Alive\r\nCookie: PHPSESSID=eqsu21lgh525ssr9cmaua9kkk5; lang=en\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://velooiisd.club/images/lG5rXDwsB/Aw3WlunARss02DIXzHLr/PnFtwdMnTEABSpElmjc/68sb4A9Xn2sV4YWSShBzje/bCTn4QyDShm1I/ZAsNBIsn/IcyO5MhDHc1myAdXvIRWYcP/JpCn_2B5I_/2F_2FXDnTkDhsW7rj/ocbe8wkKW7op/8sYVjeQng_2/BaMrr61wC6HC/c8n.avi",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "GET",
- "host": "velooiisd.club",
- "version": "1.1",
- "path": "/images/lG5rXDwsB/Aw3WlunARss02DIXzHLr/PnFtwdMnTEABSpElmjc/68sb4A9Xn2sV4YWSShBzje/bCTn4QyDShm1I/ZAsNBIsn/IcyO5MhDHc1myAdXvIRWYcP/JpCn_2B5I_/2F_2FXDnTkDhsW7rj/ocbe8wkKW7op/8sYVjeQng_2/BaMrr61wC6HC/c8n.avi",
- "data": "GET /images/lG5rXDwsB/Aw3WlunARss02DIXzHLr/PnFtwdMnTEABSpElmjc/68sb4A9Xn2sV4YWSShBzje/bCTn4QyDShm1I/ZAsNBIsn/IcyO5MhDHc1myAdXvIRWYcP/JpCn_2B5I_/2F_2FXDnTkDhsW7rj/ocbe8wkKW7op/8sYVjeQng_2/BaMrr61wC6HC/c8n.avi HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nAccept-Encoding: gzip, deflate\r\nHost: velooiisd.club\r\nConnection: Keep-Alive\r\nCookie: lang=en\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://velooiisd.club/images/y2Ayo90JrxkGKuKrLyUL/Jf94GGgp90duCciJVtJ/SxpQcYpulyWorK9gasq8pC/eA1zLn2Gk25Xo/7SZ5lOda/l3o0nKemRPltQmZeOcxqkKB/I7KEDNIPfW/eIos19ENohv9Op9_2/FN9MLbvdOLs4YHwT/YhET.avi",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "GET",
- "host": "velooiisd.club",
- "version": "1.1",
- "path": "/images/y2Ayo90JrxkGKuKrLyUL/Jf94GGgp90duCciJVtJ/SxpQcYpulyWorK9gasq8pC/eA1zLn2Gk25Xo/7SZ5lOda/l3o0nKemRPltQmZeOcxqkKB/I7KEDNIPfW/eIos19ENohv9Op9_2/FN9MLbvdOLs4YHwT/YhET.avi",
- "data": "GET /images/y2Ayo90JrxkGKuKrLyUL/Jf94GGgp90duCciJVtJ/SxpQcYpulyWorK9gasq8pC/eA1zLn2Gk25Xo/7SZ5lOda/l3o0nKemRPltQmZeOcxqkKB/I7KEDNIPfW/eIos19ENohv9Op9_2/FN9MLbvdOLs4YHwT/YhET.avi HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nAccept-Encoding: gzip, deflate\r\nHost: velooiisd.club\r\nConnection: Keep-Alive\r\nCookie: lang=en\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "CreateToolhelp32Snapshot",
- "address": "0x425028"
- },
- {
- "name": "VirtualProtect",
- "address": "0x42502c"
- },
- {
- "name": "LocalAlloc",
- "address": "0x425030"
- },
- {
- "name": "PeekConsoleInputW",
- "address": "0x425034"
- },
- {
- "name": "GetLastError",
- "address": "0x425038"
- },
- {
- "name": "GetHandleInformation",
- "address": "0x42503c"
- },
- {
- "name": "GetBinaryTypeW",
- "address": "0x425040"
- },
- {
- "name": "GetNumberFormatA",
- "address": "0x425044"
- },
- {
- "name": "GetFileAttributesExA",
- "address": "0x425048"
- },
- {
- "name": "DebugActiveProcessStop",
- "address": "0x42504c"
- },
- {
- "name": "DuplicateHandle",
- "address": "0x425050"
- },
- {
- "name": "lstrlenA",
- "address": "0x425054"
- },
- {
- "name": "EncodePointer",
- "address": "0x425058"
- },
- {
- "name": "DecodePointer",
- "address": "0x42505c"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x425060"
- },
- {
- "name": "RaiseException",
- "address": "0x425064"
- },
- {
- "name": "RtlUnwind",
- "address": "0x425068"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x42506c"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x425070"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x425074"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x425078"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x42507c"
- },
- {
- "name": "WriteFile",
- "address": "0x425080"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x425084"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x425088"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x42508c"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x425090"
- },
- {
- "name": "FatalAppExitA",
- "address": "0x425094"
- },
- {
- "name": "ExitProcess",
- "address": "0x425098"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x42509c"
- },
- {
- "name": "GetProcAddress",
- "address": "0x4250a0"
- },
- {
- "name": "AreFileApisANSI",
- "address": "0x4250a4"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x4250a8"
- },
- {
- "name": "HeapSize",
- "address": "0x4250ac"
- },
- {
- "name": "ReadFile",
- "address": "0x4250b0"
- },
- {
- "name": "ReadConsoleW",
- "address": "0x4250b4"
- },
- {
- "name": "HeapFree",
- "address": "0x4250b8"
- },
- {
- "name": "HeapAlloc",
- "address": "0x4250bc"
- },
- {
- "name": "SetLastError",
- "address": "0x4250c0"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x4250c4"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x4250c8"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x4250cc"
- },
- {
- "name": "GetStdHandle",
- "address": "0x4250d0"
- },
- {
- "name": "GetFileType",
- "address": "0x4250d4"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x4250d8"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x4250dc"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x4250e0"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x4250e4"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x4250e8"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x4250ec"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x4250f0"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x4250f4"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x4250f8"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x4250fc"
- },
- {
- "name": "CreateEventW",
- "address": "0x425100"
- },
- {
- "name": "Sleep",
- "address": "0x425104"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x425108"
- },
- {
- "name": "TerminateProcess",
- "address": "0x42510c"
- },
- {
- "name": "TlsAlloc",
- "address": "0x425110"
- },
- {
- "name": "TlsGetValue",
- "address": "0x425114"
- },
- {
- "name": "TlsSetValue",
- "address": "0x425118"
- },
- {
- "name": "TlsFree",
- "address": "0x42511c"
- },
- {
- "name": "GetTickCount",
- "address": "0x425120"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x425124"
- },
- {
- "name": "CreateSemaphoreW",
- "address": "0x425128"
- },
- {
- "name": "SetStdHandle",
- "address": "0x42512c"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x425130"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x425134"
- },
- {
- "name": "SetConsoleCtrlHandler",
- "address": "0x425138"
- },
- {
- "name": "FreeLibrary",
- "address": "0x42513c"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x425140"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x425144"
- },
- {
- "name": "GetACP",
- "address": "0x425148"
- },
- {
- "name": "GetOEMCP",
- "address": "0x42514c"
- },
- {
- "name": "GetCPInfo",
- "address": "0x425150"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x425154"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x425158"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x42515c"
- },
- {
- "name": "CompareStringW",
- "address": "0x425160"
- },
- {
- "name": "LCMapStringW",
- "address": "0x425164"
- },
- {
- "name": "GetLocaleInfoW",
- "address": "0x425168"
- },
- {
- "name": "IsValidLocale",
- "address": "0x42516c"
- },
- {
- "name": "GetUserDefaultLCID",
- "address": "0x425170"
- },
- {
- "name": "EnumSystemLocalesW",
- "address": "0x425174"
- },
- {
- "name": "OutputDebugStringW",
- "address": "0x425178"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x42517c"
- },
- {
- "name": "CreateFileW",
- "address": "0x425180"
- },
- {
- "name": "CloseHandle",
- "address": "0x425184"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "ReadEventLogW",
- "address": "0x425000"
- },
- {
- "name": "ImpersonateSelf",
- "address": "0x425004"
- },
- {
- "name": "RegSaveKeyW",
- "address": "0x425008"
- },
- {
- "name": "OpenBackupEventLogA",
- "address": "0x42500c"
- },
- {
- "name": "RegDeleteKeyA",
- "address": "0x425010"
- },
- {
- "name": "RegCreateKeyExW",
- "address": "0x425014"
- },
- {
- "name": "RegQueryMultipleValuesW",
- "address": "0x425018"
- },
- {
- "name": "SetThreadToken",
- "address": "0x42501c"
- },
- {
- "name": "AreAnyAccessesGranted",
- "address": "0x425020"
- }
- ],
- "dll": "ADVAPI32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0004efaa",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x0004efaa",
- "icon_hash": null,
- "entrypoint": "0x00403d4a",
- "timestamp": "2018-06-30 14:33:43",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00023a00",
- "entropy": "6.66",
- "raw_address": "0x00000400",
- "virtual_size": "0x0002388d",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00025000",
- "size_of_data": "0x0001b000",
- "entropy": "6.44",
- "raw_address": "0x00023e00",
- "virtual_size": "0x0001afd6",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00040000",
- "size_of_data": "0x00001e00",
- "entropy": "3.08",
- "raw_address": "0x0003ee00",
- "virtual_size": "0x04e5ebec",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x04e9f000",
- "size_of_data": "0x00002800",
- "entropy": "4.72",
- "raw_address": "0x00040c00",
- "virtual_size": "0x00002660",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x04ea2000",
- "size_of_data": "0x00002200",
- "entropy": "6.53",
- "raw_address": "0x00043400",
- "virtual_size": "0x00002074",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0003f6e8",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000003c"
- },
- {
- "virtual_address": "0x04e9f000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00002660"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x04ea2000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00002074"
- },
- {
- "virtual_address": "0x000251e0",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00025000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x0000018c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "baea1ffde5e1170431fb06c7b2816acd",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "C:\\sibonifanijuvi.pdb\\x00er\\runtime\\crypt\\tmp_2004838590\\bin\\dibuxigef.pdb\\x00\\x00\\x00\\x00\\x00\\xa1\\x00\\x00\\x00\\xa1\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x17D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xb8\\xe5C",
- "imported_dll_count": 2,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsFree",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.GetLogicalProcessorInformation",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.EnumSystemLocalesEx",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetDateFormatEx",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.GetTimeFormatEx",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.IsValidLocaleName",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.GetTickCount64",
- "kernel32.dll.GlobalAlloc",
- "kernel32.dll.GetLastError",
- "kernel32.dll.Sleep",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.Module32First",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.VirtualAlloc",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.GetVersionExA",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.GetModuleHandleA",
- "kernel32.dll.GetCommandLineW",
- "kernel32.dll.HeapDestroy",
- "kernel32.dll.HeapCreate",
- "kernel32.dll.AddVectoredExceptionHandler",
- "kernel32.dll.RemoveVectoredExceptionHandler",
- "kernel32.dll.lstrlenW",
- "kernel32.dll.MapViewOfFile",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.GetCurrentProcessId",
- "kernel32.dll.lstrcpyW",
- "kernel32.dll.HeapAlloc",
- "kernel32.dll.HeapFree",
- "kernel32.dll.CreateFileMappingW",
- "kernel32.dll.TlsGetValue",
- "kernel32.dll.GetModuleFileNameW",
- "kernel32.dll.OpenProcess",
- "kernel32.dll.GetVersion",
- "kernel32.dll.CreateEventA",
- "kernel32.dll.GetLongPathNameW",
- "kernel32.dll.lstrlenA",
- "kernel32.dll.GetProcAddress",
- "kernel32.dll.DeleteCriticalSection",
- "kernel32.dll.InitializeCriticalSection",
- "kernel32.dll.TlsAlloc",
- "kernel32.dll.TlsSetValue",
- "kernel32.dll.TlsFree",
- "kernel32.dll.LeaveCriticalSection",
- "kernel32.dll.EnterCriticalSection",
- "user32.dll.wsprintfW",
- "ntdll.dll.memcpy",
- "ntdll.dll.memset",
- "msvcr100.dll.atexit",
- "ntdll.dll.ZwQueryInformationToken",
- "ntdll.dll.wcstombs",
- "ntdll.dll.ZwOpenProcessToken",
- "ntdll.dll.ZwOpenProcess",
- "ntdll.dll.ZwClose",
- "ntdll.dll.strcpy",
- "ntdll.dll.mbstowcs",
- "ntdll.dll._snprintf",
- "ntdll.dll.sprintf",
- "ntdll.dll._aulldiv",
- "ntdll.dll._allmul",
- "ntdll.dll.RtlUnwind",
- "ntdll.dll.NtQueryVirtualMemory",
- "kernel32.dll.InterlockedExchange",
- "kernel32.dll.LocalAlloc",
- "kernel32.dll.InterlockedIncrement",
- "kernel32.dll.InterlockedDecrement",
- "kernel32.dll.SetEvent",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.WaitForSingleObject",
- "kernel32.dll.SleepEx",
- "kernel32.dll.CreateWaitableTimerA",
- "kernel32.dll.lstrcpyA",
- "kernel32.dll.GetSystemTimeAsFileTime",
- "kernel32.dll.SetWaitableTimer",
- "kernel32.dll.WaitForMultipleObjects",
- "kernel32.dll.OpenFileMappingW",
- "kernel32.dll.lstrcmpW",
- "kernel32.dll.ResetEvent",
- "kernel32.dll.GetComputerNameW",
- "kernel32.dll.FreeLibrary",
- "kernel32.dll.GetFileTime",
- "kernel32.dll.FindNextFileA",
- "kernel32.dll.CompareFileTime",
- "kernel32.dll.FindClose",
- "kernel32.dll.QueryPerformanceCounter",
- "kernel32.dll.CreateFileA",
- "kernel32.dll.lstrcatA",
- "kernel32.dll.QueryPerformanceFrequency",
- "kernel32.dll.lstrcmpA",
- "kernel32.dll.ExpandEnvironmentStringsA",
- "kernel32.dll.FindFirstFileA",
- "kernel32.dll.RaiseException",
- "oleaut32.dll.#2",
- "oleaut32.dll.#16",
- "oleaut32.dll.#15",
- "oleaut32.dll.#6",
- "kernel32.dll.IsWow64Process",
- "ole32.dll.CoInitializeEx",
- "cryptbase.dll.SystemFunction036",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "user32.dll.wsprintfA",
- "advapi32.dll.GetUserNameW",
- "shlwapi.dll.StrToIntExA",
- "shlwapi.dll.StrChrA",
- "shlwapi.dll.StrTrimA",
- "ole32.dll.CoCreateInstance",
- "kernel32.dll.GetThreadPreferredUILanguages",
- "kernel32.dll.SetThreadPreferredUILanguages",
- "kernel32.dll.LocaleNameToLCID",
- "kernel32.dll.LCIDToLocaleName",
- "kernel32.dll.GetSystemDefaultLocaleName",
- "ole32.dll.CoSetProxyBlanket",
- "oleaut32.dll.#283",
- "oleaut32.dll.#284",
- "kernel32.dll.RegOpenKeyExW",
- "oleaut32.dll.BSTR_UserSize",
- "oleaut32.dll.BSTR_UserMarshal",
- "oleaut32.dll.BSTR_UserUnmarshal",
- "oleaut32.dll.BSTR_UserFree",
- "oleaut32.dll.VARIANT_UserSize",
- "oleaut32.dll.VARIANT_UserMarshal",
- "oleaut32.dll.VARIANT_UserUnmarshal",
- "oleaut32.dll.VARIANT_UserFree",
- "oleaut32.dll.LPSAFEARRAY_UserSize",
- "oleaut32.dll.LPSAFEARRAY_UserMarshal",
- "oleaut32.dll.LPSAFEARRAY_UserUnmarshal",
- "oleaut32.dll.LPSAFEARRAY_UserFree",
- "shlwapi.dll.StrStrIW",
- "kernel32.dll.Wow64EnableWow64FsRedirection",
- "shlwapi.dll.StrRChrA",
- "advapi32.dll.OpenProcessToken",
- "advapi32.dll.GetTokenInformation",
- "advapi32.dll.GetSidSubAuthorityCount",
- "advapi32.dll.GetSidSubAuthority",
- "shlwapi.dll.StrStrA",
- "advapi32.dll.RegOpenKeyExA",
- "advapi32.dll.RegEnumKeyExA",
- "advapi32.dll.RegCloseKey",
- "shlwapi.dll.StrChrW",
- "shlwapi.dll.#176",
- "ieproxy.dll.DllGetClassObject",
- "ieproxy.dll.DllCanUnloadNow",
- "actxprxy.dll.DllGetClassObject",
- "actxprxy.dll.DllCanUnloadNow",
- "ole32.dll.CoUninitialize",
- "ntdll.dll.EtwUnregisterTraceGuids",
- "oleaut32.dll.#500",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.StringFromIID",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoTaskMemAlloc",
- "ole32.dll.CoTaskMemFree",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "vssapi.dll.CreateWriter",
- "advapi32.dll.LookupAccountNameW",
- "sechost.dll.LookupAccountNameLocalW",
- "advapi32.dll.LookupAccountSidW",
- "samcli.dll.NetLocalGroupGetMembers",
- "samlib.dll.SamConnect",
- "rpcrt4.dll.NdrClientCall3",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcBindingFree",
- "samlib.dll.SamOpenDomain",
- "samlib.dll.SamLookupNamesInDomain",
- "samlib.dll.SamOpenAlias",
- "samlib.dll.SamFreeMemory",
- "samlib.dll.SamCloseHandle",
- "samlib.dll.SamGetMembersInAlias",
- "netutils.dll.NetApiBufferFree",
- "samlib.dll.SamEnumerateDomainsInSamServer",
- "samlib.dll.SamLookupDomainInSamServer",
- "ole32.dll.CoCreateGuid",
- "ole32.dll.StringFromCLSID",
- "oleaut32.dll.#4",
- "oleaut32.dll.#7",
- "propsys.dll.VariantToPropVariant",
- "wbemcore.dll.Reinitialize",
- "wbemsvc.dll.DllGetClassObject",
- "wbemsvc.dll.DllCanUnloadNow",
- "authz.dll.AuthzInitializeContextFromToken",
- "authz.dll.AuthzInitializeObjectAccessAuditEvent2",
- "authz.dll.AuthzAccessCheck",
- "authz.dll.AuthzFreeAuditEvent",
- "authz.dll.AuthzFreeContext",
- "authz.dll.AuthzInitializeResourceManager",
- "authz.dll.AuthzFreeResourceManager",
- "rpcrt4.dll.RpcBindingCreateW",
- "rpcrt4.dll.RpcBindingBind",
- "rpcrt4.dll.I_RpcMapWin32Status",
- "advapi32.dll.EventRegister",
- "advapi32.dll.EventUnregister",
- "advapi32.dll.EventWrite",
- "kernel32.dll.RegCloseKey",
- "kernel32.dll.RegSetValueExW",
- "kernel32.dll.RegQueryValueExW",
- "wmisvc.dll.IsImproperShutdownDetected",
- "wevtapi.dll.EvtRender",
- "wevtapi.dll.EvtNext",
- "wevtapi.dll.EvtClose",
- "wevtapi.dll.EvtQuery",
- "wevtapi.dll.EvtCreateRenderContext",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.RpcBindingSetOption",
- "ole32.dll.CoCreateFreeThreadedMarshaler",
- "ole32.dll.CreateStreamOnHGlobal",
- "advapi32.dll.RegCreateKeyExW",
- "advapi32.dll.RegSetValueExW",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptGenRandom",
- "cryptsp.dll.CryptReleaseContext",
- "kernelbase.dll.InitializeAcl",
- "kernelbase.dll.AddAce",
- "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
- "kernel32.dll.IsThreadAFiber",
- "kernel32.dll.OpenProcessToken",
- "kernelbase.dll.GetTokenInformation",
- "kernelbase.dll.DuplicateTokenEx",
- "kernelbase.dll.AdjustTokenPrivileges",
- "sechost.dll.LookupAccountSidLocalW",
- "kernelbase.dll.AllocateAndInitializeSid",
- "kernelbase.dll.CheckTokenMembership",
- "kernel32.dll.SetThreadToken",
- "oleaut32.dll.#285",
- "advapi32.dll.RegOpenKeyW",
- "oleaut32.dll.#12",
- "oleaut32.dll.#286",
- "ole32.dll.CLSIDFromString",
- "oleaut32.dll.#17",
- "oleaut32.dll.#20",
- "oleaut32.dll.#19",
- "oleaut32.dll.#25",
- "ole32.dll.CoRevertToSelf",
- "advapi32.dll.LogonUserExExW",
- "sspicli.dll.LogonUserExExW",
- "authz.dll.AuthzInitializeContextFromSid",
- "ole32.dll.CoGetCallContext",
- "ole32.dll.CoImpersonateClient",
- "advapi32.dll.OpenThreadToken",
- "oleaut32.dll.#8",
- "oleaut32.dll.#9",
- "ole32.dll.CoSwitchCallContext",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "ntmarta.dll.GetMartaExtensionInterface",
- "sechost.dll.ConvertSidToStringSidW",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockShared",
- "kernel32.dll.SetProcessDEPPolicy",
- "user32.dll.SetProcessDPIAware",
- "shell32.dll.SetCurrentProcessExplicitAppUserModelID",
- "user32.dll.GetShellWindow",
- "user32.dll.GetWindowThreadProcessId",
- "ieframe.dll.#250",
- "wininet.dll.InternetQueryOptionW",
- "advapi32.dll.EventActivityIdControl",
- "advapi32.dll.EventWriteTransfer",
- "kernel32.dll.SetFileInformationByHandle",
- "shell32.dll.SHGetFolderPathW",
- "kernel32.dll.GetModuleHandleW",
- "advapi32.dll.AddMandatoryAce",
- "ws2_32.dll.accept",
- "ws2_32.dll.bind",
- "ws2_32.dll.closesocket",
- "ws2_32.dll.connect",
- "ws2_32.dll.getpeername",
- "ws2_32.dll.getsockname",
- "ws2_32.dll.getsockopt",
- "ws2_32.dll.ntohl",
- "ws2_32.dll.htonl",
- "ws2_32.dll.htons",
- "ws2_32.dll.inet_addr",
- "ws2_32.dll.inet_ntoa",
- "ws2_32.dll.ioctlsocket",
- "ws2_32.dll.listen",
- "ws2_32.dll.ntohs",
- "ws2_32.dll.recv",
- "ws2_32.dll.recvfrom",
- "ws2_32.dll.select",
- "ws2_32.dll.send",
- "ws2_32.dll.sendto",
- "ws2_32.dll.setsockopt",
- "ws2_32.dll.shutdown",
- "ws2_32.dll.socket",
- "ws2_32.dll.gethostbyname",
- "ws2_32.dll.gethostname",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.WSAGetLastError",
- "ws2_32.dll.WSASetLastError",
- "ws2_32.dll.WSAStartup",
- "ws2_32.dll.WSACleanup",
- "ws2_32.dll.__WSAFDIsSet",
- "ws2_32.dll.getaddrinfo",
- "ws2_32.dll.freeaddrinfo",
- "ws2_32.dll.getnameinfo",
- "ws2_32.dll.WSALookupServiceBeginW",
- "ws2_32.dll.WSALookupServiceNextW",
- "ws2_32.dll.WSALookupServiceEnd",
- "ws2_32.dll.WSANSPIoctl",
- "ws2_32.dll.WSAStringToAddressA",
- "ws2_32.dll.WSAStringToAddressW",
- "ws2_32.dll.WSAAddressToStringA",
- "dnsapi.dll.DnsGetProxyInformation",
- "dnsapi.dll.DnsFreeProxyName",
- "iphlpapi.dll.GetIpForwardTable2",
- "iphlpapi.dll.FreeMibTable",
- "iphlpapi.dll.GetIfEntry2",
- "iphlpapi.dll.ConvertInterfaceGuidToLuid",
- "iphlpapi.dll.ResolveIpNetEntry2",
- "iphlpapi.dll.GetIpNetEntry2",
- "shlwapi.dll.#260",
- "ws2_32.dll.#115",
- "urlmon.dll.CreateUri",
- "version.dll.GetFileVersionInfoSizeW",
- "version.dll.GetFileVersionInfoW",
- "version.dll.VerQueryValueW",
- "ws2_32.dll.GetAddrInfoW",
- "comctl32.dll.PropertySheetW",
- "comctl32.dll.PropertySheetA",
- "comdlg32.dll.PageSetupDlgW",
- "comdlg32.dll.PrintDlgW",
- "urlmon.dll.#101",
- "urlmon.dll.#400",
- "advapi32.dll.TraceMessage",
- "advapi32.dll.TraceMessageVa",
- "sqmapi.dll.SqmGetSession",
- "sqmapi.dll.SqmEndSession",
- "sqmapi.dll.SqmStartSession",
- "sqmapi.dll.SqmStartUpload",
- "sqmapi.dll.SqmWaitForUploadComplete",
- "sqmapi.dll.SqmSet",
- "sqmapi.dll.SqmSetBool",
- "sqmapi.dll.SqmSetBits",
- "sqmapi.dll.SqmSetString",
- "sqmapi.dll.SqmIncrement",
- "sqmapi.dll.SqmSetIfMax",
- "sqmapi.dll.SqmSetIfMin",
- "sqmapi.dll.SqmAddToAverage",
- "sqmapi.dll.SqmAddToStreamDWord",
- "sqmapi.dll.SqmAddToStreamString",
- "sqmapi.dll.SqmSetAppId",
- "sqmapi.dll.SqmSetAppVersion",
- "sqmapi.dll.SqmSetMachineId",
- "sqmapi.dll.SqmSetUserId",
- "sqmapi.dll.SqmCreateNewId",
- "sqmapi.dll.SqmReadSharedMachineId",
- "sqmapi.dll.SqmReadSharedUserId",
- "sqmapi.dll.SqmWriteSharedMachineId",
- "sqmapi.dll.SqmWriteSharedUserId",
- "sqmapi.dll.SqmIsWindowsOptedIn",
- "urlmon.dll.#442",
- "kernel32.dll.WerRegisterMemoryBlock",
- "kernel32.dll.WerUnregisterMemoryBlock",
- "user32.dll.RegisterWindowMessageW",
- "rpcrt4.dll.UuidCreateSequential",
- "rpcrt4.dll.RpcServerUseProtseqW",
- "rpcrt4.dll.RpcServerRegisterIfEx",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "rpcrt4.dll.RpcServerInqBindings",
- "rpcrt4.dll.RpcEpRegisterW",
- "rpcrt4.dll.RpcServerListen",
- "ntdll.dll.NtQuerySystemInformation",
- "user32.dll.RegisterClassExW",
- "user32.dll.CreateWindowExW",
- "user32.dll.DefWindowProcW",
- "user32.dll.SetWindowLongW",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "urlmon.dll.#416",
- "kernel32.dll.RegisterApplicationRestart",
- "shell32.dll.#165",
- "urlmon.dll.CoInternetCreateZoneManager",
- "ws2_32.dll.FreeAddrInfoW",
- "user32.dll.AllowSetForegroundWindow",
- "wininet.dll.InternetInitializeAutoProxyDll",
- "rasapi32.dll.RasEnumEntriesW",
- "rasapi32.dll.RasConnectionNotificationW",
- "rtutils.dll.TraceRegisterExA",
- "rtutils.dll.TracePrintfExA",
- "profapi.dll.#104",
- "shlwapi.dll.PathCanonicalizeW",
- "shlwapi.dll.PathRemoveFileSpecW",
- "shlwapi.dll.PathFindFileNameW",
- "sensapi.dll.IsNetworkAlive",
- "rpcrt4.dll.NdrClientCall2",
- "nlaapi.dll.NSPStartup",
- "sechost.dll.NotifyServiceStatusChangeA",
- "iphlpapi.dll.GetAdapterIndex",
- "user32.dll.PostThreadMessageW",
- "comctl32.dll.LoadIconWithScaleDown",
- "ieui.dll.InitGadgets",
- "user32.dll.MsgWaitForMultipleObjectsEx",
- "gdi32.dll.GetLayout",
- "gdi32.dll.GdiRealizationInfo",
- "gdi32.dll.FontIsLinked",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegQueryInfoKeyW",
- "gdi32.dll.GetTextFaceAliasW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegQueryValueExW",
- "gdi32.dll.GetFontAssocStatus",
- "advapi32.dll.RegQueryValueExA",
- "advapi32.dll.RegEnumKeyExW",
- "gdi32.dll.GdiIsMetaPrintDC",
- "uxtheme.dll.OpenThemeData",
- "uxtheme.dll.GetThemeMargins",
- "uxtheme.dll.GetThemePartSize",
- "uxtheme.dll.GetThemeTextMetrics",
- "uxtheme.dll.GetThemeBool",
- "comctl32.dll.#410",
- "comctl32.dll.#413",
- "uxtheme.dll.IsAppThemed",
- "uxtheme.dll.GetThemeBackgroundExtent",
- "comctl32.dll.ImageList_LoadImageW",
- "comctl32.dll.ImageList_GetIconSize",
- "uxtheme.dll.GetThemeFont",
- "uxtheme.dll.IsCompositionActive",
- "uxtheme.dll.SetWindowTheme",
- "comctl32.dll.ImageList_Create",
- "comctl32.dll.ImageList_ReplaceIcon",
- "oleaut32.dll.#10",
- "comctl32.dll.ImageList_AddMasked",
- "uxtheme.dll.IsThemePartDefined",
- "uxtheme.dll.GetThemeColor",
- "imm32.dll.ImmIsIME",
- "urlmon.dll.CoInternetCreateSecurityManager",
- "msctf.dll.SetInputScopes2",
- "uxtheme.dll.CloseThemeData",
- "uxtheme.dll.GetThemeBackgroundContentRect",
- "uxtheme.dll.GetThemeTextExtent",
- "uxtheme.dll.EnableThemeDialogTexture",
- "urlmon.dll.#408",
- "uxtheme.dll.IsThemeActive",
- "ieui.dll.CreateGadget",
- "ieui.dll.SetGadgetMessageFilter",
- "ieui.dll.SetGadgetStyle",
- "ole32.dll.CreateBindCtx",
- "ieui.dll.SetGadgetRootInfo",
- "ole32.dll.CoGetApartmentType",
- "ole32.dll.CoRegisterInitializeSpy",
- "uxtheme.dll.GetThemeAppProperties",
- "comctl32.dll.#236",
- "ole32.dll.CoGetMalloc",
- "comctl32.dll.#320",
- "comctl32.dll.#324",
- "comctl32.dll.#323",
- "comctl32.dll.#328",
- "comctl32.dll.#334",
- "advapi32.dll.RegEnumKeyW",
- "advapi32.dll.InitializeSecurityDescriptor",
- "advapi32.dll.SetEntriesInAclW",
- "advapi32.dll.SetSecurityDescriptorDacl",
- "advapi32.dll.IsTextUnicode",
- "comctl32.dll.#332",
- "comctl32.dll.#338",
- "comctl32.dll.#339",
- "shell32.dll.#102",
- "propsys.dll.PSCreateMemoryPropertyStore",
- "propsys.dll.PSPropertyBag_WriteStr",
- "ole32.dll.PropVariantClear",
- "propsys.dll.PSPropertyBag_WriteGUID",
- "propsys.dll.PSPropertyBag_ReadGUID",
- "xmllite.dll.CreateXmlReader",
- "xmllite.dll.CreateXmlReaderInputWithEncodingName",
- "comctl32.dll.ImageList_Read",
- "comctl32.dll.ImageList_GetImageCount",
- "ole32.dll.CoRevokeInitializeSpy",
- "comctl32.dll.#388",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "ieui.dll.FindStdColor",
- "ieui.dll.InvalidateGadget",
- "ieui.dll.SetGadgetParent",
- "ieui.dll.GetGadgetTicket",
- "ieui.dll.SetGadgetRect",
- "urlmon.dll.#103",
- "urlmon.dll.#105",
- "kernel32.dll.GetThreadUILanguage",
- "comctl32.dll.#386",
- "shell32.dll.SHGetInstanceExplorer",
- "wininet.dll.InternetSetOptionW",
- "rpcrt4.dll.RpcBindingToStringBindingW",
- "rpcrt4.dll.RpcStringBindingParseW",
- "rpcrt4.dll.I_RpcBindingInqLocalClientPID",
- "rpcrt4.dll.RpcServerInqCallAttributesW",
- "rpcrt4.dll.RpcImpersonateClient",
- "rpcrt4.dll.RpcRevertToSelf",
- "rpcrt4.dll.NdrServerCall2",
- "rpcrt4.dll.RpcBindingInqObject",
- "user32.dll.PostMessageW",
- "oleaut32.dll.DllGetClassObject",
- "oleaut32.dll.DllCanUnloadNow",
- "sxs.dll.SxsOleAut32MapIIDToProxyStubCLSID",
- "advapi32.dll.RegQueryValueW",
- "sxs.dll.SxsOleAut32MapIIDToTLBPath",
- "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid",
- "sxs.dll.SxsOleAut32RedirectTypeLibrary",
- "ieui.dll.PeekMessageExW",
- "ole32.dll.CoInitialize",
- "ole32.dll.RegisterDragDrop",
- "msfeeds.dll.MsfeedsCreateInstance",
- "shell32.dll.SHGetSpecialFolderPathW",
- "shell32.dll.#66",
- "shell32.dll.SHCreateDirectoryExW",
- "wininet.dll.FindFirstUrlCacheContainerW",
- "wininet.dll.FindNextUrlCacheContainerW",
- "wininet.dll.FindCloseUrlCache",
- "user32.dll.GetWindowLongW",
- "user32.dll.IsWindow",
- "user32.dll.SendMessageW",
- "user32.dll.PeekMessageW",
- "propsys.dll.PSStringFromPropertyKey",
- "propsys.dll.PSGetPropertyDescription",
- "propsys.dll.PropVariantToString",
- "propsys.dll.InitPropVariantFromStringAsVector",
- "propsys.dll.PSCoerceToCanonicalValue",
- "shell32.dll.SHGetKnownFolderPath",
- "urlmon.dll.#458",
- "urlmon.dll.URLDownloadToFileW",
- "urlmon.dll.CoInternetIsFeatureEnabledForUrl",
- "ieui.dll.WaitMessageEx",
- "user32.dll.TranslateMessage",
- "user32.dll.DispatchMessageW",
- "oleaut32.dll.#23",
- "oleaut32.dll.#22",
- "urlmon.dll.#441",
- "urlmon.dll.#395",
- "urlmon.dll.#351",
- "mlang.dll.#112",
- "wininet.dll.GetUrlCacheEntryInfoA",
- "urlmon.dll.#325",
- "wininet.dll.GetUrlCacheEntryInfoExW",
- "wininet.dll.GetUrlCacheEntryInfoExA",
- "wininet.dll.CommitUrlCacheEntryA",
- "uxtheme.dll.BufferedPaintInit",
- "uxtheme.dll.BeginBufferedPaint",
- "uxtheme.dll.DrawThemeParentBackgroundEx",
- "uxtheme.dll.DrawThemeParentBackground",
- "uxtheme.dll.IsThemeBackgroundPartiallyTransparent",
- "uxtheme.dll.DrawThemeBackground",
- "uxtheme.dll.EndBufferedPaint",
- "usp10.dll.ScriptIsComplex",
- "urlmon.dll.#420",
- "propsys.dll.PSGetPropertyKeyFromName",
- "urlmon.dll.CoInternetQueryInfo",
- "comctl32.dll.HIMAGELIST_QueryInterface",
- "comctl32.dll.ImageList_Remove",
- "ieui.dll.DUserPostEvent",
- "ieui.dll.DeleteHandle",
- "comctl32.dll.#412",
- "uxtheme.dll.BufferedPaintUnInit",
- "ieui.dll.DUserFlushMessages",
- "ieui.dll.DUserFlushDeferredMessages",
- "comctl32.dll.ImageList_Destroy",
- "ole32.dll.RevokeDragDrop",
- "ieui.dll.DisableContainerHwnd",
- "ole32.dll.CoWaitForMultipleHandles",
- "comctl32.dll.#326",
- "urlmon.dll.#412",
- "urlmon.dll.#414",
- "ntdll.dll.RtlDllShutdownInProgress",
- "comctl32.dll.#329",
- "linkinfo.dll.IsValidLinkInfo",
- "propsys.dll.#417",
- "propsys.dll.PSGetNameFromPropertyKey",
- "propsys.dll.InitVariantFromBuffer",
- "propsys.dll.PropVariantToGUID",
- "apphelp.dll.ApphelpCheckShellObject",
- "propsys.dll.PSGetPropertyDescriptionByName",
- "sechost.dll.ConvertStringSidToSidW",
- "samcli.dll.NetUserGetLocalGroups",
- "advapi32.dll.LsaOpenPolicy",
- "advapi32.dll.LsaLookupNames2",
- "advapi32.dll.LsaClose",
- "advapi32.dll.LsaFreeMemory",
- "samlib.dll.SamGetAliasMembership",
- "samlib.dll.SamLookupIdsInDomain",
- "linkinfo.dll.CreateLinkInfoW",
- "user32.dll.IsCharAlphaW",
- "user32.dll.CharPrevW",
- "ntshrui.dll.GetNetResourceFromLocalPathW",
- "srvcli.dll.NetShareEnum",
- "cscapi.dll.CscNetApiGetInterface",
- "slc.dll.SLGetWindowsInformationDWORD",
- "linkinfo.dll.DestroyLinkInfo",
- "propsys.dll.PropVariantToBoolean",
- "urlmon.dll.#364",
- "shell32.dll.SHCreateShellItemArrayFromIDLists",
- "ole32.dll.CoTaskMemRealloc",
- "shell32.dll.SHAssocEnumHandlersForProtocolByApplication",
- "urlmon.dll.#397",
- "urlmon.dll.#398",
- "propsys.dll.PSPropertyBag_ReadBOOL",
- "advapi32.dll.GetSecurityInfo",
- "advapi32.dll.SetSecurityInfo",
- "advapi32.dll.GetSecurityDescriptorControl",
- "urlmon.dll.#327",
- "user32.dll.CharLowerW",
- "cryptsp.dll.CryptCreateHash",
- "cryptsp.dll.CryptHashData",
- "cryptsp.dll.CryptGetHashParam",
- "cryptsp.dll.CryptDestroyHash",
- "crypt32.dll.CryptUnprotectData",
- "crypt32.dll.CryptProtectData",
- "cryptbase.dll.SystemFunction040",
- "cryptbase.dll.SystemFunction041",
- "comctl32.dll.#321",
- "user32.dll.DestroyWindow",
- "user32.dll.PostQuitMessage",
- "urlmon.dll.#456",
- "urlmon.dll.#451",
- "user32.dll.UnregisterClassW",
- "rpcrt4.dll.RpcEpUnregister",
- "rpcrt4.dll.RpcBindingVectorFree",
- "rpcrt4.dll.RpcServerUnregisterIf",
- "urlmon.dll.#401",
- "ws2_32.dll.#116",
- "advapi32.dll.UnregisterTraceGuids",
- "ieframe.dll.#251",
- "kernel32.dll.WerSetFlags",
- "ieshims.dll.IEShims_Initialize",
- "user32.dll.SetWindowsHookExW",
- "user32.dll.FindWindowExA",
- "kernel32.dll.CreateProcessW",
- "kernel32.dll.CreateProcessA",
- "advapi32.dll.RegQueryValueA",
- "ntdll.dll.LdrRegisterDllNotification",
- "ole32.dll.NdrOleInitializeExtension",
- "shell32.dll.SHChangeNotifyRegisterThread",
- "comctl32.dll.#4",
- "comctl32.dll.ImageList_Add",
- "wininet.dll.InternetQueryOptionA",
- "gdi32.dll.GetTextExtentExPointWPri",
- "urlmon.dll.#104",
- "user32.dll.LoadCursorW",
- "user32.dll.GetClassInfoExW",
- "kernel32.dll.QueryActCtxW",
- "kernel32.dll.ActivateActCtx",
- "kernel32.dll.FindActCtxSectionStringW",
- "kernel32.dll.DeactivateActCtx",
- "user32.dll.CallWindowProcW",
- "user32.dll.ChangeWindowMessageFilter",
- "dwmapi.dll.DwmSetWindowAttribute",
- "urlmon.dll.#111",
- "wininet.dll.GetUrlCacheEntryInfoW",
- "shlwapi.dll.AssocQueryStringW",
- "propsys.dll.#430",
- "advapi32.dll.RegGetValueW",
- "propsys.dll.PropVariantToStringAlloc",
- "oleaut32.dll.#11",
- "ieshims.dll.IEShims_SetRedirectRegistryForThread",
- "comctl32.dll.#8",
- "uxtheme.dll.GetThemeInt",
- "urlmon.dll.CreateURLMonikerEx",
- "urlmon.dll.CreateAsyncBindCtxEx",
- "urlmon.dll.RegisterBindStatusCallback",
- "urlmon.dll.CreateFormatEnumerator",
- "urlmon.dll.UrlMkGetSessionOption",
- "rasadhlp.dll.WSAttemptAutodialAddr",
- "rasadhlp.dll.WSAttemptAutodialName",
- "rasadhlp.dll.WSNoteSuccessfulHostentLookup",
- "mlang.dll.#121",
- "urlmon.dll.#444",
- "urlmon.dll.#445",
- "dwmapi.dll.DwmInvalidateIconicBitmaps",
- "ieframe.dll.#302",
- "urlmon.dll.RegisterFormatEnumerator",
- "urlmon.dll.RevokeBindStatusCallback",
- "urlmon.dll.CreateIUriBuilder",
- "urlmon.dll.IntlPercentEncodeNormalize",
- "urlmon.dll.CoInternetIsFeatureEnabled",
- "oleaut32.dll.VariantClear",
- "shlwapi.dll.PathGetDriveNumberW",
- "urlmon.dll.#335",
- "urlmon.dll.#330",
- "wininet.dll.FindFirstUrlCacheContainerA",
- "wininet.dll.FindNextUrlCacheContainerA",
- "wininet.dll.CreateUrlCacheContainerA",
- "wininet.dll.DeleteUrlCacheContainerA",
- "wininet.dll.FindFirstUrlCacheEntryA",
- "wininet.dll.DeleteUrlCacheEntryW",
- "wininet.dll.FindNextUrlCacheEntryA",
- "wininet.dll.CommitUrlCacheEntryW",
- "wininet.dll.InternetGetConnectedState",
- "urlmon.dll.URLDownloadToCacheFileW",
- "wininet.dll.SetUrlCacheEntryGroupW",
- "oleaut32.dll.#201",
- "ieshims.dll.IEShims_GetOriginatingThreadId",
- "user32.dll.UnregisterClassA",
- "wininet.dll.InternetSetCookieExW",
- "ieshims.dll.IEShims_Uninitialize",
- "ntdll.dll.LdrUnregisterDllNotification",
- "fastprox.dll.DllGetClassObject",
- "fastprox.dll.DllCanUnloadNow"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "CreateToolhelp32Snapshot",
- "address": "0x425028"
- },
- {
- "name": "VirtualProtect",
- "address": "0x42502c"
- },
- {
- "name": "LocalAlloc",
- "address": "0x425030"
- },
- {
- "name": "PeekConsoleInputW",
- "address": "0x425034"
- },
- {
- "name": "GetLastError",
- "address": "0x425038"
- },
- {
- "name": "GetHandleInformation",
- "address": "0x42503c"
- },
- {
- "name": "GetBinaryTypeW",
- "address": "0x425040"
- },
- {
- "name": "GetNumberFormatA",
- "address": "0x425044"
- },
- {
- "name": "GetFileAttributesExA",
- "address": "0x425048"
- },
- {
- "name": "DebugActiveProcessStop",
- "address": "0x42504c"
- },
- {
- "name": "DuplicateHandle",
- "address": "0x425050"
- },
- {
- "name": "lstrlenA",
- "address": "0x425054"
- },
- {
- "name": "EncodePointer",
- "address": "0x425058"
- },
- {
- "name": "DecodePointer",
- "address": "0x42505c"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x425060"
- },
- {
- "name": "RaiseException",
- "address": "0x425064"
- },
- {
- "name": "RtlUnwind",
- "address": "0x425068"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x42506c"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x425070"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x425074"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x425078"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x42507c"
- },
- {
- "name": "WriteFile",
- "address": "0x425080"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x425084"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x425088"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x42508c"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x425090"
- },
- {
- "name": "FatalAppExitA",
- "address": "0x425094"
- },
- {
- "name": "ExitProcess",
- "address": "0x425098"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x42509c"
- },
- {
- "name": "GetProcAddress",
- "address": "0x4250a0"
- },
- {
- "name": "AreFileApisANSI",
- "address": "0x4250a4"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x4250a8"
- },
- {
- "name": "HeapSize",
- "address": "0x4250ac"
- },
- {
- "name": "ReadFile",
- "address": "0x4250b0"
- },
- {
- "name": "ReadConsoleW",
- "address": "0x4250b4"
- },
- {
- "name": "HeapFree",
- "address": "0x4250b8"
- },
- {
- "name": "HeapAlloc",
- "address": "0x4250bc"
- },
- {
- "name": "SetLastError",
- "address": "0x4250c0"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x4250c4"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x4250c8"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x4250cc"
- },
- {
- "name": "GetStdHandle",
- "address": "0x4250d0"
- },
- {
- "name": "GetFileType",
- "address": "0x4250d4"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x4250d8"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x4250dc"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x4250e0"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x4250e4"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x4250e8"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x4250ec"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x4250f0"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x4250f4"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x4250f8"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x4250fc"
- },
- {
- "name": "CreateEventW",
- "address": "0x425100"
- },
- {
- "name": "Sleep",
- "address": "0x425104"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x425108"
- },
- {
- "name": "TerminateProcess",
- "address": "0x42510c"
- },
- {
- "name": "TlsAlloc",
- "address": "0x425110"
- },
- {
- "name": "TlsGetValue",
- "address": "0x425114"
- },
- {
- "name": "TlsSetValue",
- "address": "0x425118"
- },
- {
- "name": "TlsFree",
- "address": "0x42511c"
- },
- {
- "name": "GetTickCount",
- "address": "0x425120"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x425124"
- },
- {
- "name": "CreateSemaphoreW",
- "address": "0x425128"
- },
- {
- "name": "SetStdHandle",
- "address": "0x42512c"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x425130"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x425134"
- },
- {
- "name": "SetConsoleCtrlHandler",
- "address": "0x425138"
- },
- {
- "name": "FreeLibrary",
- "address": "0x42513c"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x425140"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x425144"
- },
- {
- "name": "GetACP",
- "address": "0x425148"
- },
- {
- "name": "GetOEMCP",
- "address": "0x42514c"
- },
- {
- "name": "GetCPInfo",
- "address": "0x425150"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x425154"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x425158"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x42515c"
- },
- {
- "name": "CompareStringW",
- "address": "0x425160"
- },
- {
- "name": "LCMapStringW",
- "address": "0x425164"
- },
- {
- "name": "GetLocaleInfoW",
- "address": "0x425168"
- },
- {
- "name": "IsValidLocale",
- "address": "0x42516c"
- },
- {
- "name": "GetUserDefaultLCID",
- "address": "0x425170"
- },
- {
- "name": "EnumSystemLocalesW",
- "address": "0x425174"
- },
- {
- "name": "OutputDebugStringW",
- "address": "0x425178"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x42517c"
- },
- {
- "name": "CreateFileW",
- "address": "0x425180"
- },
- {
- "name": "CloseHandle",
- "address": "0x425184"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "ReadEventLogW",
- "address": "0x425000"
- },
- {
- "name": "ImpersonateSelf",
- "address": "0x425004"
- },
- {
- "name": "RegSaveKeyW",
- "address": "0x425008"
- },
- {
- "name": "OpenBackupEventLogA",
- "address": "0x42500c"
- },
- {
- "name": "RegDeleteKeyA",
- "address": "0x425010"
- },
- {
- "name": "RegCreateKeyExW",
- "address": "0x425014"
- },
- {
- "name": "RegQueryMultipleValuesW",
- "address": "0x425018"
- },
- {
- "name": "SetThreadToken",
- "address": "0x42501c"
- },
- {
- "name": "AreAnyAccessesGranted",
- "address": "0x425020"
- }
- ],
- "dll": "ADVAPI32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0004efaa",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x0004efaa",
- "icon_hash": null,
- "entrypoint": "0x00403d4a",
- "timestamp": "2018-06-30 14:33:43",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00023a00",
- "entropy": "6.66",
- "raw_address": "0x00000400",
- "virtual_size": "0x0002388d",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00025000",
- "size_of_data": "0x0001b000",
- "entropy": "6.44",
- "raw_address": "0x00023e00",
- "virtual_size": "0x0001afd6",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00040000",
- "size_of_data": "0x00001e00",
- "entropy": "3.08",
- "raw_address": "0x0003ee00",
- "virtual_size": "0x04e5ebec",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x04e9f000",
- "size_of_data": "0x00002800",
- "entropy": "4.72",
- "raw_address": "0x00040c00",
- "virtual_size": "0x00002660",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x04ea2000",
- "size_of_data": "0x00002200",
- "entropy": "6.53",
- "raw_address": "0x00043400",
- "virtual_size": "0x00002074",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0003f6e8",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000003c"
- },
- {
- "virtual_address": "0x04e9f000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00002660"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x04ea2000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00002074"
- },
- {
- "virtual_address": "0x000251e0",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00025000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x0000018c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "baea1ffde5e1170431fb06c7b2816acd",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "C:\\sibonifanijuvi.pdb\\x00er\\runtime\\crypt\\tmp_2004838590\\bin\\dibuxigef.pdb\\x00\\x00\\x00\\x00\\x00\\xa1\\x00\\x00\\x00\\xa1\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x17D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xb8\\xe5C",
- "imported_dll_count": 2,
- "versioninfo": []
- }
- }