[*] MalFamily: "" [*] MalScore: 10.0 [*] File Name: "Exes_1ec766a0a3f569762dc51756f5f5173c.exe" [*] File Size: 1427304 [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows" [*] SHA256: "88d3e15753883a60dabb2f9af45cea64a3db68a0d63dd2e2de8766462a5eee3d" [*] MD5: "1ec766a0a3f569762dc51756f5f5173c" [*] SHA1: "1324be7efe18eee643e015f20b3349acf01909fd" [*] SHA512: "b0d4e2f34731e6a00d13082efbc4134f90bae80737f524ab3bb86d74a2ece5e4102e77c255a76edd2be754b5012108e757f9d4c857d157a697221b47aa2231dd" [*] CRC32: "5DF9A3B0" [*] SSDEEP: "24576:TZuD1ZY4d6WYAVeRzMjt3zVpA6bmyb5hsciQimK/plcl1ZiIo3xa4Mon1FirqEA4:kfkMZ3zPZbmiK6imYKliacnOACbYMDh" [*] Process Execution: [ "Exes_1ec766a0a3f569762dc51756f5f5173c.exe", "svchost.exe", "WmiPrvSE.exe", "svchost.exe", "WMIADAP.exe", "svchost.exe", "taskeng.exe", "KBDGEO.exe", "wshbth.exe", "msoia.exe", "msoia.exe", "taskeng.exe", "taskeng.exe", "taskeng.exe", "taskeng.exe" ] [*] Signatures Detected: [ { "Description": "Attempts to connect to a dead IP:Port (4 unique times)", "Details": [ { "IP": "23.111.11.204:80" }, { "IP": "149.56.132.75:3333" }, { "IP": "5.45.205.244:80" }, { "IP": "151.139.236.246:80" } ] }, { "Description": "Creates RWX memory", "Details": [] }, { "Description": "A process attempted to delay the analysis task.", "Details": [ { "Process": "KBDGEO.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds" }, { "Process": "svchost.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds" }, { "Process": "taskeng.exe tried to sleep 600 seconds, actually delayed analysis time by 0 seconds" }, { "Process": "WmiPrvSE.exe tried to sleep 540 seconds, actually delayed analysis time by 0 seconds" } ] }, { "Description": "Expresses interest in specific running processes", "Details": [ { "process": "wshbth.exe" } ] }, { "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option", "Details": [] }, { "Description": "A process created a hidden window", "Details": [ { "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE" } ] }, { "Description": "Drops a binary and executes it", "Details": [ { "binary": "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\wshbth.exe" } ] }, { "Description": "Performs some HTTP requests", "Details": [ { "url": "http://repository.certum.pl/ca.cer" }, { "url": "http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w%2FsCEQCTkoVAAWVxX5R%2FKI%2FvyZso" }, { "url": "http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEQDkBUeDDgxkUpdvejVJwN1I" }, { "url": "http://yandex.ocsp-responder.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEGywpuGhg2V0FAGqc%2Bnaovg%3D" }, { "url": "http://yandex.ocsp-responder.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEG1yBbGff04fmWwFZVZ4Xck%3D" } ] }, { "Description": "Deletes its original binary from disk", "Details": [] }, { "Description": "Network activity contains more than one unique useragent.", "Details": [ { "Process": "Exes_1ec766a0a3f569762dc51756f5f5173c.exe" }, { "User-Agent": "AutoIt" }, { "Process": "KBDGEO.exe" }, { "User-Agent": "FTP Client" } ] }, { "Description": "Creates a hidden or system file", "Details": [ { "file": "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b" }, { "file": "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\KBDGEO.exe" }, { "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low" }, { "file": "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\config.json" }, { "file": "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\wshbth.exe" } ] }, { "Description": "Attempts to modify proxy settings", "Details": [] } ] [*] Started Service: [] [*] Executed Commands: [ "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1", "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\dll.exe", "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R", "taskeng.exe {0309E333-1287-4614-8479-F7446930E269} S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:[1]", "taskeng.exe {4AA63A23-6F71-48C0-A898-7C099BAC87D3} S-1-5-18:NT AUTHORITY\\System:Service:", "taskeng.exe {1074DFAD-7436-4AF3-812C-5403FF44FCA5} S-1-5-18:NT AUTHORITY\\System:Service:", "taskeng.exe {13445AE1-E5FB-4708-A5B9-38C8F7F89213} S-1-5-18:NT AUTHORITY\\System:Service:", "taskeng.exe {3C3C7ACD-CF94-477A-A5A5-ABDC8554BBDA} S-1-5-18:NT AUTHORITY\\System:Service:", "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\KBDGEO.exe", "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880", "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload", "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\wshbth.exe", "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"" ] [*] Mutexes: [ "bazar.servicenewbazar.service:3333NVIDIAMDCPRERROREROPERCHERTFUCKRET123", "Global\\ADAP_WMI_ENTRY", "Global\\RefreshRA_Mutex", "Global\\RefreshRA_Mutex_Lib", "Global\\RefreshRA_Mutex_Flag" ] [*] Modified Files: [ "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\KBDGEO.exe", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\000F7F8FAB2D96E6F8CBD5C9A3B4EC90", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\000F7F8FAB2D96E6F8CBD5C9A3B4EC90", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\68FAF71AF355126BCA00CE2E73CC7374_77B682CF3AAC7B00161DFFF7DEA4CC8C", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\68FAF71AF355126BCA00CE2E73CC7374_77B682CF3AAC7B00161DFFF7DEA4CC8C", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E887E036775F4159E2816B7B9E527E5F_068092D2204C54B317186E43E5CEB1C7", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E887E036775F4159E2816B7B9E527E5F_068092D2204C54B317186E43E5CEB1C7", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E887E036775F4159E2816B7B9E527E5F_6E4ECE6144113D064D2F39137403C66D", "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E887E036775F4159E2816B7B9E527E5F_6E4ECE6144113D064D2F39137403C66D", "\\??\\PIPE\\samr", "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST", "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP", "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP", "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP", "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA", "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR", "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER", "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM", "C:\\Windows\\sysnative\\Tasks\\Z-5-3-97-1370568890-1029216412-1210760845-2598\\{MLZFBP6-AGUR-LGI-R7BM-O7ZHXPIIHLWE}", "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf", "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\config.json", "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\X64R[1].CRP", "C:\\ProgramData\\amd64_microsoft-windows-c..ache.mobile.cortana_31bf3856ad364e35_10.0.14393.0_none_59653c2c9f496d9b\\wshbth.exe" ] [*] Deleted Files: [ "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_1ec766a0a3f569762dc51756f5f5173c.exe" ] [*] Modified Registry Keys: [ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{FBB02B2F-11A1-471A-8A5E-DE21B745E508}\\Path", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{FBB02B2F-11A1-471A-8A5E-DE21B745E508}\\Hash", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Z-5-3-97-1370568890-1029216412-1210760845-2598\\{MLZFBP6-AGUR-LGI-R7BM-O7ZHXPIIHLWE}\\Id", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Z-5-3-97-1370568890-1029216412-1210760845-2598\\{MLZFBP6-AGUR-LGI-R7BM-O7ZHXPIIHLWE}\\Index", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{FBB02B2F-11A1-471A-8A5E-DE21B745E508}\\Triggers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{FBB02B2F-11A1-471A-8A5E-DE21B745E508}\\DynamicInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{0309E333-1287-4614-8479-F7446930E269}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05}\\DynamicInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{4AA63A23-6F71-48C0-A898-7C099BAC87D3}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B17E070E-57E3-43F6-96F5-A9A9C921DEBF}\\DynamicInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{DF000DCA-3FA2-48A6-9E59-C0606F9F8D73}\\DynamicInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{1074DFAD-7436-4AF3-812C-5403FF44FCA5}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{13445AE1-E5FB-4708-A5B9-38C8F7F89213}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{3C3C7ACD-CF94-477A-A5A5-ABDC8554BBDA}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{0309E333-1287-4614-8479-F7446930E269}\\data", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{4AA63A23-6F71-48C0-A898-7C099BAC87D3}\\data", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{1074DFAD-7436-4AF3-812C-5403FF44FCA5}\\data", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{13445AE1-E5FB-4708-A5B9-38C8F7F89213}\\data", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{3C3C7ACD-CF94-477A-A5A5-ABDC8554BBDA}\\data" ] [*] Deleted Registry Keys: [ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL" ] [*] DNS Communications: [ { "type": "A", "request": "clck.ru", "answers": [ { "data": "213.180.204.221", "type": "A" } ] }, { "type": "A", "request": "repository.certum.pl", "answers": [ { "data": "23.111.11.204", "type": "A" }, { "data": "repository.uzto.netdna-cdn.com", "type": "CNAME" } ] }, { "type": "A", "request": "subca.ocsp-certum.com", "answers": [ { "data": "ocsp.certum.pl", "type": "CNAME" }, { "data": "ocsp-services.uzto.netdna-cdn.com", "type": "CNAME" }, { "data": "151.139.236.246", "type": "A" } ] }, { "type": "A", "request": "yandex.ocsp-responder.com", "answers": [ { "data": "5.45.205.241", "type": "A" }, { "data": "cdn.yandex.net", "type": "CNAME" }, { "data": "5.45.205.244", "type": "A" }, { "data": "5.45.205.245", "type": "A" }, { "data": "5.45.205.242", "type": "A" }, { "data": "5.45.205.243", "type": "A" } ] }, { "type": "A", "request": "sba.yandex.net", "answers": [ { "data": "87.250.251.232", "type": "A" }, { "data": "77.88.21.232", "type": "A" }, { "data": "87.250.250.232", "type": "A" }, { "data": "93.158.134.232", "type": "A" }, { "data": "213.180.193.232", "type": "A" }, { "data": "213.180.204.232", "type": "A" } ] }, { "type": "A", "request": "bitbucket.org", "answers": [ { "data": "18.205.93.0", "type": "A" }, { "data": "18.205.93.2", "type": "A" }, { "data": "18.205.93.1", "type": "A" } ] }, { "type": "A", "request": "bestbestftp.club", "answers": [ { "data": "91.227.17.61", "type": "A" } ] }, { "type": "A", "request": "bazar.service", "answers": [ { "data": "", "type": "NXDOMAIN" } ] }, { "type": "A", "request": "bazarweb.club", "answers": [ { "data": "149.56.132.75", "type": "A" } ] } ] [*] Domains: [ { "ip": "213.180.193.232", "domain": "sba.yandex.net" }, { "ip": "149.56.132.75", "domain": "bazarweb.club" }, { "ip": "18.205.93.0", "domain": "bitbucket.org" }, { "ip": "", "domain": "bazar.service" }, { "ip": "151.139.236.246", "domain": "subca.ocsp-certum.com" }, { "ip": "5.45.205.241", "domain": "yandex.ocsp-responder.com" }, { "ip": "213.180.204.221", "domain": "clck.ru" }, { "ip": "91.227.17.61", "domain": "bestbestftp.club" }, { "ip": "23.111.11.204", "domain": "repository.certum.pl" } ] [*] Network Communication - ICMP: [] [*] Network Communication - HTTP: [ { "count": 1, "body": "", "uri": "http://repository.certum.pl/ca.cer", "user-agent": "Microsoft-CryptoAPI/6.1", "method": "GET", "host": "repository.certum.pl", "version": "1.1", "path": "/ca.cer", "data": "GET /ca.cer HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: repository.certum.pl\r\n\r\n", "port": 80 }, { "count": 1, "body": "", "uri": "http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w%2FsCEQCTkoVAAWVxX5R%2FKI%2FvyZso", "user-agent": "Microsoft-CryptoAPI/6.1", "method": "GET", "host": "subca.ocsp-certum.com", "version": "1.1", "path": "/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w%2FsCEQCTkoVAAWVxX5R%2FKI%2FvyZso", "data": "GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w%2FsCEQCTkoVAAWVxX5R%2FKI%2FvyZso HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: subca.ocsp-certum.com\r\n\r\n", "port": 80 }, { "count": 1, "body": "", "uri": "http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEQDkBUeDDgxkUpdvejVJwN1I", "user-agent": "Microsoft-CryptoAPI/6.1", "method": "GET", "host": "subca.ocsp-certum.com", "version": "1.1", "path": "/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEQDkBUeDDgxkUpdvejVJwN1I", "data": "GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEQDkBUeDDgxkUpdvejVJwN1I HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: subca.ocsp-certum.com\r\n\r\n", "port": 80 }, { "count": 1, "body": "", "uri": "http://yandex.ocsp-responder.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEGywpuGhg2V0FAGqc%2Bnaovg%3D", "user-agent": "Microsoft-CryptoAPI/6.1", "method": "GET", "host": "yandex.ocsp-responder.com", "version": "1.1", "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEGywpuGhg2V0FAGqc%2Bnaovg%3D", "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEGywpuGhg2V0FAGqc%2Bnaovg%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: yandex.ocsp-responder.com\r\n\r\n", "port": 80 }, { "count": 1, "body": "", "uri": "http://yandex.ocsp-responder.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEG1yBbGff04fmWwFZVZ4Xck%3D", "user-agent": "Microsoft-CryptoAPI/6.1", "method": "GET", "host": "yandex.ocsp-responder.com", "version": "1.1", "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEG1yBbGff04fmWwFZVZ4Xck%3D", "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBStniMGfahyWUWDEeSLUFbNR9JLAgQUN1zjGeCyjqGoTtLPq9Dc4wtcNU0CEG1yBbGff04fmWwFZVZ4Xck%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: yandex.ocsp-responder.com\r\n\r\n", "port": 80 } ] [*] Network Communication - SMTP: [] [*] Network Communication - Hosts: [] [*] Network Communication - IRC: [] [*] Static Analysis: { "pe": { "peid_signatures": null, "imports": [ { "imports": [ { "name": "HeapReAlloc", "address": "0x431000" }, { "name": "GetNativeSystemInfo", "address": "0x431004" }, { "name": "GetDriveTypeW", "address": "0x431008" }, { "name": "GetProfileIntW", "address": "0x43100c" }, { "name": "WaitForSingleObject", "address": "0x431010" }, { "name": "SetTapeParameters", "address": "0x431014" }, { "name": "GetModuleHandleW", "address": "0x431018" }, { "name": "ExpandEnvironmentStringsA", "address": "0x43101c" }, { "name": "WaitNamedPipeW", "address": "0x431020" }, { "name": "EnumTimeFormatsA", "address": "0x431024" }, { "name": "GetConsoleCP", "address": "0x431028" }, { "name": "GetSystemDirectoryW", "address": "0x43102c" }, { "name": "LoadLibraryW", "address": "0x431030" }, { "name": "FormatMessageW", "address": "0x431034" }, { "name": "GetStringTypeExW", "address": "0x431038" }, { "name": "FindNextVolumeW", "address": "0x43103c" }, { "name": "CreateMailslotW", "address": "0x431040" }, { "name": "WritePrivateProfileStringW", "address": "0x431044" }, { "name": "ReplaceFileA", "address": "0x431048" }, { "name": "EnumSystemLocalesA", "address": "0x43104c" }, { "name": "GetLastError", "address": "0x431050" }, { "name": "GetLongPathNameW", "address": "0x431054" }, { "name": "GetProcAddress", "address": "0x431058" }, { "name": "HeapUnlock", "address": "0x43105c" }, { "name": "MoveFileW", "address": "0x431060" }, { "name": "IsValidCodePage", "address": "0x431064" }, { "name": "GetFirmwareEnvironmentVariableW", "address": "0x431068" }, { "name": "DefineDosDeviceA", "address": "0x43106c" }, { "name": "LocalAlloc", "address": "0x431070" }, { "name": "FindFirstVolumeMountPointW", "address": "0x431074" }, { "name": "GetProfileStringA", "address": "0x431078" }, { "name": "HeapLock", "address": "0x43107c" }, { "name": "WaitForMultipleObjects", "address": "0x431080" }, { "name": "GetVolumePathNamesForVolumeNameA", "address": "0x431084" }, { "name": "GetDefaultCommConfigA", "address": "0x431088" }, { "name": "DeleteCriticalSection", "address": "0x43108c" }, { "name": "GetDiskFreeSpaceExW", "address": "0x431090" }, { "name": "MoveFileWithProgressW", "address": "0x431094" }, { "name": "WriteConsoleW", "address": "0x431098" }, { "name": "GetStringTypeW", "address": "0x43109c" }, { "name": "ReadConsoleW", "address": "0x4310a0" }, { "name": "ReadFile", "address": "0x4310a4" }, { "name": "HeapFree", "address": "0x4310a8" }, { "name": "EncodePointer", "address": "0x4310ac" }, { "name": "DecodePointer", "address": "0x4310b0" }, { "name": "GetCommandLineA", "address": "0x4310b4" }, { "name": "RaiseException", "address": "0x4310b8" }, { "name": "RtlUnwind", "address": "0x4310bc" }, { "name": "IsDebuggerPresent", "address": "0x4310c0" }, { "name": "IsProcessorFeaturePresent", "address": "0x4310c4" }, { "name": "EnterCriticalSection", "address": "0x4310c8" }, { "name": "LeaveCriticalSection", "address": "0x4310cc" }, { "name": "GetStdHandle", "address": "0x4310d0" }, { "name": "GetFileType", "address": "0x4310d4" }, { "name": "GetStartupInfoW", "address": "0x4310d8" }, { "name": "GetProcessHeap", "address": "0x4310dc" }, { "name": "HeapAlloc", "address": "0x4310e0" }, { "name": "ExitProcess", "address": "0x4310e4" }, { "name": "GetModuleHandleExW", "address": "0x4310e8" }, { "name": "AreFileApisANSI", "address": "0x4310ec" }, { "name": "MultiByteToWideChar", "address": "0x4310f0" }, { "name": "WideCharToMultiByte", "address": "0x4310f4" }, { "name": "HeapSize", "address": "0x4310f8" }, { "name": "CloseHandle", "address": "0x4310fc" }, { "name": "SetLastError", "address": "0x431100" }, { "name": "GetCurrentThread", "address": "0x431104" }, { "name": "GetCurrentThreadId", "address": "0x431108" }, { "name": "GetModuleFileNameA", "address": "0x43110c" }, { "name": "WriteFile", "address": "0x431110" }, { "name": "GetModuleFileNameW", "address": "0x431114" }, { "name": "QueryPerformanceCounter", "address": "0x431118" }, { "name": "GetCurrentProcessId", "address": "0x43111c" }, { "name": "GetSystemTimeAsFileTime", "address": "0x431120" }, { "name": "GetEnvironmentStringsW", "address": "0x431124" }, { "name": "FreeEnvironmentStringsW", "address": "0x431128" }, { "name": "UnhandledExceptionFilter", "address": "0x43112c" }, { "name": "SetUnhandledExceptionFilter", "address": "0x431130" }, { "name": "InitializeCriticalSectionAndSpinCount", "address": "0x431134" }, { "name": "CreateEventW", "address": "0x431138" }, { "name": "Sleep", "address": "0x43113c" }, { "name": "GetCurrentProcess", "address": "0x431140" }, { "name": "TerminateProcess", "address": "0x431144" }, { "name": "TlsAlloc", "address": "0x431148" }, { "name": "TlsGetValue", "address": "0x43114c" }, { "name": "TlsSetValue", "address": "0x431150" }, { "name": "TlsFree", "address": "0x431154" }, { "name": "GetTickCount", "address": "0x431158" }, { "name": "CreateSemaphoreW", "address": "0x43115c" }, { "name": "FatalAppExitA", "address": "0x431160" }, { "name": "GetACP", "address": "0x431164" }, { "name": "GetOEMCP", "address": "0x431168" }, { "name": "GetCPInfo", "address": "0x43116c" }, { "name": "GetConsoleMode", "address": "0x431170" }, { "name": "SetFilePointerEx", "address": "0x431174" }, { "name": "SetConsoleCtrlHandler", "address": "0x431178" }, { "name": "FreeLibrary", "address": "0x43117c" }, { "name": "LoadLibraryExW", "address": "0x431180" }, { "name": "GetDateFormatW", "address": "0x431184" }, { "name": "GetTimeFormatW", "address": "0x431188" }, { "name": "CompareStringW", "address": "0x43118c" }, { "name": "LCMapStringW", "address": "0x431190" }, { "name": "GetLocaleInfoW", "address": "0x431194" }, { "name": "IsValidLocale", "address": "0x431198" }, { "name": "GetUserDefaultLCID", "address": "0x43119c" }, { "name": "EnumSystemLocalesW", "address": "0x4311a0" }, { "name": "SetStdHandle", "address": "0x4311a4" }, { "name": "FlushFileBuffers", "address": "0x4311a8" }, { "name": "OutputDebugStringW", "address": "0x4311ac" }, { "name": "CreateFileW", "address": "0x4311b0" } ], "dll": "KERNEL32.dll" }, { "imports": [ { "name": "GetScrollBarInfo", "address": "0x4311b8" }, { "name": "GetMessageTime", "address": "0x4311bc" }, { "name": "FindWindowW", "address": "0x4311c0" } ], "dll": "USER32.dll" } ], "digital_signers": null, "exported_dll_name": null, "actual_checksum": "0x0015ce8e", "overlay": { "size": "0x00001b68", "offset": "0x0015ac00" }, "imagebase": "0x00400000", "reported_checksum": "0x0015ce8e", "icon_hash": null, "entrypoint": "0x00408e07", "timestamp": "2018-06-02 14:42:13", "osversion": "5.1", "sections": [ { "name": ".text", "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", "virtual_address": "0x00001000", "size_of_data": "0x0002fc00", "entropy": "6.72", "raw_address": "0x00000400", "virtual_size": "0x0002faad", "characteristics_raw": "0x60000020" }, { "name": ".rdata", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00031000", "size_of_data": "0x00121800", "entropy": "6.17", "raw_address": "0x00030000", "virtual_size": "0x00121660", "characteristics_raw": "0x40000040" }, { "name": ".data", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "virtual_address": "0x00153000", "size_of_data": "0x00002400", "entropy": "2.65", "raw_address": "0x00151800", "virtual_size": "0x00014dec", "characteristics_raw": "0xc0000040" }, { "name": ".rsrc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00168000", "size_of_data": "0x00004a00", "entropy": "5.44", "raw_address": "0x00153c00", "virtual_size": "0x00004891", "characteristics_raw": "0x40000040" }, { "name": ".reloc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "virtual_address": "0x0016d000", "size_of_data": "0x00002600", "entropy": "6.53", "raw_address": "0x00158600", "virtual_size": "0x00002448", "characteristics_raw": "0x42000040" } ], "resources": [], "dirents": [ { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXPORT", "size": "0x00000000" }, { "virtual_address": "0x00151bec", "name": "IMAGE_DIRECTORY_ENTRY_IMPORT", "size": "0x0000003c" }, { "virtual_address": "0x00168000", "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE", "size": "0x00004891" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_SECURITY", "size": "0x00000000" }, { "virtual_address": "0x0016d000", "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC", "size": "0x00002448" }, { "virtual_address": "0x00031220", "name": "IMAGE_DIRECTORY_ENTRY_DEBUG", "size": "0x00000038" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_TLS", "size": "0x00000000" }, { "virtual_address": "0x001509d0", "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG", "size": "0x00000040" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00031000", "name": "IMAGE_DIRECTORY_ENTRY_IAT", "size": "0x000001c8" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_RESERVED", "size": "0x00000000" } ], "exports": [], "guest_signers": {}, "imphash": "9932801f5c0800c84869dbab4ea550aa", "icon_fuzzy": null, "icon": null, "pdbpath": "C:\\jakogotozurum\\womawuwilisasewiceja-cebic3_cawafahohud\\g.pdb\\x00ipe.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\xb9", "imported_dll_count": 2, "versioninfo": [] } } [*] Resolved APIs: [ "kernel32.dll.FlsAlloc", "kernel32.dll.FlsFree", "kernel32.dll.FlsGetValue", "kernel32.dll.FlsSetValue", "kernel32.dll.InitializeCriticalSectionEx", "kernel32.dll.CreateEventExW", "kernel32.dll.CreateSemaphoreExW", "kernel32.dll.SetThreadStackGuarantee", "kernel32.dll.CreateThreadpoolTimer", "kernel32.dll.SetThreadpoolTimer", "kernel32.dll.WaitForThreadpoolTimerCallbacks", "kernel32.dll.CloseThreadpoolTimer", "kernel32.dll.CreateThreadpoolWait", "kernel32.dll.SetThreadpoolWait", "kernel32.dll.CloseThreadpoolWait", "kernel32.dll.FlushProcessWriteBuffers", "kernel32.dll.FreeLibraryWhenCallbackReturns", "kernel32.dll.GetCurrentProcessorNumber", "kernel32.dll.GetLogicalProcessorInformation", "kernel32.dll.CreateSymbolicLinkW", "kernel32.dll.EnumSystemLocalesEx", "kernel32.dll.CompareStringEx", "kernel32.dll.GetDateFormatEx", "kernel32.dll.GetLocaleInfoEx", "kernel32.dll.GetTimeFormatEx", "kernel32.dll.GetUserDefaultLocaleName", "kernel32.dll.IsValidLocaleName", "kernel32.dll.LCMapStringEx", "kernel32.dll.GetTickCount64", "kernel32.dll.VirtualProtect", "kernel32.dll.LoadLibraryA", "kernel32.dll.VirtualAlloc", "kernel32.dll.VirtualFree", "kernel32.dll.GetVersionExA", "kernel32.dll.TerminateProcess", "kernel32.dll.ExitProcess", "kernel32.dll.SetErrorMode", "wsock32.dll.#116", "wsock32.dll.#23", "wsock32.dll.#12", "wsock32.dll.#21", "wsock32.dll.#15", "wsock32.dll.#17", "wsock32.dll.#10", "wsock32.dll.#9", "wsock32.dll.#115", "wsock32.dll.#151", "wsock32.dll.#18", "wsock32.dll.#1", "wsock32.dll.#13", "wsock32.dll.#2", "wsock32.dll.#3", "wsock32.dll.#111", "wsock32.dll.#16", "wsock32.dll.#20", "wsock32.dll.#19", "wsock32.dll.#11", "wsock32.dll.#52", "wsock32.dll.#57", "wsock32.dll.#4", "version.dll.GetFileVersionInfoW", "version.dll.GetFileVersionInfoSizeW", "version.dll.VerQueryValueW", "winmm.dll.timeGetTime", "winmm.dll.waveOutSetVolume", "winmm.dll.mciSendStringW", "comctl32.dll.ImageList_ReplaceIcon", "comctl32.dll.ImageList_Destroy", "comctl32.dll.ImageList_Remove", "comctl32.dll.ImageList_SetDragCursorImage", "comctl32.dll.ImageList_BeginDrag", "comctl32.dll.ImageList_DragEnter", "comctl32.dll.ImageList_DragLeave", "comctl32.dll.ImageList_EndDrag", "comctl32.dll.ImageList_DragMove", "comctl32.dll.InitCommonControlsEx", "comctl32.dll.ImageList_Create", "mpr.dll.WNetUseConnectionW", "mpr.dll.WNetCancelConnection2W", "mpr.dll.WNetGetConnectionW", "mpr.dll.WNetAddConnection2W", "wininet.dll.InternetQueryDataAvailable", "wininet.dll.InternetCloseHandle", "wininet.dll.InternetOpenW", "wininet.dll.InternetSetOptionW", "wininet.dll.InternetCrackUrlW", "wininet.dll.HttpQueryInfoW", "wininet.dll.InternetQueryOptionW", "wininet.dll.HttpOpenRequestW", "wininet.dll.HttpSendRequestW", "wininet.dll.FtpOpenFileW", "wininet.dll.FtpGetFileSize", "wininet.dll.InternetOpenUrlW", "wininet.dll.InternetReadFile", "wininet.dll.InternetConnectW", "psapi.dll.GetProcessMemoryInfo", "iphlpapi.dll.IcmpCreateFile", "iphlpapi.dll.IcmpCloseHandle", "iphlpapi.dll.IcmpSendEcho", "userenv.dll.DestroyEnvironmentBlock", "userenv.dll.UnloadUserProfile", "userenv.dll.CreateEnvironmentBlock", "userenv.dll.LoadUserProfileW", "uxtheme.dll.IsThemeActive", "kernel32.dll.DuplicateHandle", "kernel32.dll.CreateThread", "kernel32.dll.WaitForSingleObject", "kernel32.dll.HeapAlloc", "kernel32.dll.GetProcessHeap", "kernel32.dll.HeapFree", "kernel32.dll.Sleep", "kernel32.dll.GetCurrentThreadId", "kernel32.dll.MultiByteToWideChar", "kernel32.dll.MulDiv", "kernel32.dll.GetVersionExW", "kernel32.dll.IsWow64Process", "kernel32.dll.GetSystemInfo", "kernel32.dll.FreeLibrary", "kernel32.dll.GetProcAddress", "kernel32.dll.GetModuleFileNameW", "kernel32.dll.WideCharToMultiByte", "kernel32.dll.lstrcpyW", "kernel32.dll.lstrlenW", "kernel32.dll.GetModuleHandleW", "kernel32.dll.QueryPerformanceCounter", "kernel32.dll.VirtualFreeEx", "kernel32.dll.OpenProcess", "kernel32.dll.VirtualAllocEx", "kernel32.dll.WriteProcessMemory", "kernel32.dll.ReadProcessMemory", "kernel32.dll.CreateFileW", "kernel32.dll.SetFilePointerEx", "kernel32.dll.SetEndOfFile", "kernel32.dll.ReadFile", "kernel32.dll.WriteFile", "kernel32.dll.FlushFileBuffers", "kernel32.dll.CreateToolhelp32Snapshot", "kernel32.dll.Process32FirstW", "kernel32.dll.Process32NextW", "kernel32.dll.SetFileTime", "kernel32.dll.GetFileAttributesW", "kernel32.dll.FindFirstFileW", "kernel32.dll.SetCurrentDirectoryW", "kernel32.dll.GetLongPathNameW", "kernel32.dll.GetShortPathNameW", "kernel32.dll.DeleteFileW", "kernel32.dll.FindNextFileW", "kernel32.dll.CopyFileExW", "kernel32.dll.MoveFileW", "kernel32.dll.CreateDirectoryW", "kernel32.dll.RemoveDirectoryW", "kernel32.dll.SetSystemPowerState", "kernel32.dll.QueryPerformanceFrequency", "kernel32.dll.FindResourceW", "kernel32.dll.LoadResource", "kernel32.dll.LockResource", "kernel32.dll.SizeofResource", "kernel32.dll.EnumResourceNamesW", "kernel32.dll.OutputDebugStringW", "kernel32.dll.GetTempPathW", "kernel32.dll.GetTempFileNameW", "kernel32.dll.DeviceIoControl", "kernel32.dll.GetLocalTime", "kernel32.dll.CompareStringW", "kernel32.dll.GetCurrentProcess", "kernel32.dll.EnterCriticalSection", "kernel32.dll.LeaveCriticalSection", "kernel32.dll.GetStdHandle", "kernel32.dll.CreatePipe", "kernel32.dll.InterlockedExchange", "kernel32.dll.TerminateThread", "kernel32.dll.LoadLibraryExW", "kernel32.dll.FindResourceExW", "kernel32.dll.CopyFileW", "kernel32.dll.FormatMessageW", "kernel32.dll.GetExitCodeProcess", "kernel32.dll.GetPrivateProfileStringW", "kernel32.dll.WritePrivateProfileStringW", "kernel32.dll.GetPrivateProfileSectionW", "kernel32.dll.WritePrivateProfileSectionW", "kernel32.dll.GetPrivateProfileSectionNamesW", "kernel32.dll.FileTimeToLocalFileTime", "kernel32.dll.FileTimeToSystemTime", "kernel32.dll.SystemTimeToFileTime", "kernel32.dll.LocalFileTimeToFileTime", "kernel32.dll.GetDriveTypeW", "kernel32.dll.GetDiskFreeSpaceExW", "kernel32.dll.GetDiskFreeSpaceW", "kernel32.dll.GetVolumeInformationW", "kernel32.dll.SetVolumeLabelW", "kernel32.dll.CreateHardLinkW", "kernel32.dll.SetFileAttributesW", "kernel32.dll.CreateEventW", "kernel32.dll.SetEvent", "kernel32.dll.GetEnvironmentVariableW", "kernel32.dll.SetEnvironmentVariableW", "kernel32.dll.GlobalLock", "kernel32.dll.GlobalUnlock", "kernel32.dll.GlobalAlloc", "kernel32.dll.GetFileSize", "kernel32.dll.GlobalFree", "kernel32.dll.GlobalMemoryStatusEx", "kernel32.dll.Beep", "kernel32.dll.GetSystemDirectoryW", "kernel32.dll.HeapReAlloc", "kernel32.dll.HeapSize", "kernel32.dll.GetComputerNameW", "kernel32.dll.GetWindowsDirectoryW", "kernel32.dll.GetCurrentProcessId", "kernel32.dll.GetProcessIoCounters", "kernel32.dll.CreateProcessW", "kernel32.dll.GetProcessId", "kernel32.dll.SetPriorityClass", "kernel32.dll.LoadLibraryW", "kernel32.dll.IsDebuggerPresent", "kernel32.dll.GetCurrentDirectoryW", "kernel32.dll.lstrcmpiW", "kernel32.dll.GetLastError", "kernel32.dll.RaiseException", "kernel32.dll.InitializeCriticalSectionAndSpinCount", "kernel32.dll.DeleteCriticalSection", "kernel32.dll.InterlockedDecrement", "kernel32.dll.InterlockedIncrement", "kernel32.dll.GetCurrentThread", "kernel32.dll.CloseHandle", "kernel32.dll.GetFullPathNameW", "kernel32.dll.GetModuleHandleExW", "kernel32.dll.ExitThread", "kernel32.dll.GetSystemTimeAsFileTime", "kernel32.dll.ResumeThread", "kernel32.dll.GetCommandLineW", "kernel32.dll.IsProcessorFeaturePresent", "kernel32.dll.IsValidCodePage", "kernel32.dll.GetACP", "kernel32.dll.GetOEMCP", "kernel32.dll.GetCPInfo", "kernel32.dll.SetLastError", "kernel32.dll.UnhandledExceptionFilter", "kernel32.dll.SetUnhandledExceptionFilter", "kernel32.dll.TlsAlloc", "kernel32.dll.TlsGetValue", "kernel32.dll.TlsSetValue", "kernel32.dll.TlsFree", "kernel32.dll.GetStartupInfoW", "kernel32.dll.GetStringTypeW", "kernel32.dll.SetStdHandle", "kernel32.dll.GetFileType", "kernel32.dll.GetConsoleCP", "kernel32.dll.GetConsoleMode", "kernel32.dll.RtlUnwind", "kernel32.dll.ReadConsoleW", "kernel32.dll.GetTimeZoneInformation", "kernel32.dll.GetDateFormatW", "kernel32.dll.GetTimeFormatW", "kernel32.dll.LCMapStringW", "kernel32.dll.GetEnvironmentStringsW", "kernel32.dll.FreeEnvironmentStringsW", "kernel32.dll.WriteConsoleW", "kernel32.dll.FindClose", "kernel32.dll.SetEnvironmentVariableA", "user32.dll.AdjustWindowRectEx", "user32.dll.CopyImage", "user32.dll.SetWindowPos", "user32.dll.GetCursorInfo", "user32.dll.RegisterHotKey", "user32.dll.ClientToScreen", "user32.dll.GetKeyboardLayoutNameW", "user32.dll.IsCharAlphaW", "user32.dll.IsCharAlphaNumericW", "user32.dll.IsCharLowerW", "user32.dll.IsCharUpperW", "user32.dll.GetMenuStringW", "user32.dll.GetSubMenu", "user32.dll.GetCaretPos", "user32.dll.IsZoomed", "user32.dll.MonitorFromPoint", "user32.dll.GetMonitorInfoW", "user32.dll.SetWindowLongW", "user32.dll.SetLayeredWindowAttributes", "user32.dll.FlashWindow", "user32.dll.GetClassLongW", "user32.dll.TranslateAcceleratorW", "user32.dll.IsDialogMessageW", "user32.dll.GetSysColor", "user32.dll.InflateRect", "user32.dll.DrawFocusRect", "user32.dll.DrawTextW", "user32.dll.FrameRect", "user32.dll.DrawFrameControl", "user32.dll.FillRect", "user32.dll.PtInRect", "user32.dll.DestroyAcceleratorTable", "user32.dll.CreateAcceleratorTableW", "user32.dll.SetCursor", "user32.dll.GetWindowDC", "user32.dll.GetSystemMetrics", "user32.dll.GetActiveWindow", "user32.dll.CharNextW", "user32.dll.wsprintfW", "user32.dll.RedrawWindow", "user32.dll.DrawMenuBar", "user32.dll.DestroyMenu", "user32.dll.SetMenu", "user32.dll.GetWindowTextLengthW", "user32.dll.CreateMenu", "user32.dll.IsDlgButtonChecked", "user32.dll.DefDlgProcW", "user32.dll.CallWindowProcW", "user32.dll.ReleaseCapture", "user32.dll.SetCapture", "user32.dll.CreateIconFromResourceEx", "user32.dll.mouse_event", "user32.dll.ExitWindowsEx", "user32.dll.SetActiveWindow", "user32.dll.FindWindowExW", "user32.dll.EnumThreadWindows", "user32.dll.SetMenuDefaultItem", "user32.dll.InsertMenuItemW", "user32.dll.IsMenu", "user32.dll.TrackPopupMenuEx", "user32.dll.GetCursorPos", "user32.dll.DeleteMenu", "user32.dll.SetRect", "user32.dll.GetMenuItemID", "user32.dll.GetMenuItemCount", "user32.dll.SetMenuItemInfoW", "user32.dll.GetMenuItemInfoW", "user32.dll.SetForegroundWindow", "user32.dll.IsIconic", "user32.dll.FindWindowW", "user32.dll.MonitorFromRect", "user32.dll.keybd_event", "user32.dll.SendInput", "user32.dll.GetAsyncKeyState", "user32.dll.SetKeyboardState", "user32.dll.GetKeyboardState", "user32.dll.GetKeyState", "user32.dll.VkKeyScanW", "user32.dll.LoadStringW", "user32.dll.DialogBoxParamW", "user32.dll.MessageBeep", "user32.dll.EndDialog", "user32.dll.SendDlgItemMessageW", "user32.dll.GetDlgItem", "user32.dll.SetWindowTextW", "user32.dll.CopyRect", "user32.dll.ReleaseDC", "user32.dll.GetDC", "user32.dll.EndPaint", "user32.dll.BeginPaint", "user32.dll.GetClientRect", "user32.dll.GetMenu", "user32.dll.DestroyWindow", "user32.dll.EnumWindows", "user32.dll.GetDesktopWindow", "user32.dll.IsWindow", "user32.dll.IsWindowEnabled", "user32.dll.IsWindowVisible", "user32.dll.EnableWindow", "user32.dll.InvalidateRect", "user32.dll.GetWindowLongW", "user32.dll.GetWindowThreadProcessId", "user32.dll.AttachThreadInput", "user32.dll.GetFocus", "user32.dll.GetWindowTextW", "user32.dll.ScreenToClient", "user32.dll.SendMessageTimeoutW", "user32.dll.EnumChildWindows", "user32.dll.CharUpperBuffW", "user32.dll.GetParent", "user32.dll.GetDlgCtrlID", "user32.dll.SendMessageW", "user32.dll.MapVirtualKeyW", "user32.dll.PostMessageW", "user32.dll.GetWindowRect", "user32.dll.SetUserObjectSecurity", "user32.dll.CloseDesktop", "user32.dll.CloseWindowStation", "user32.dll.OpenDesktopW", "user32.dll.SetProcessWindowStation", "user32.dll.GetProcessWindowStation", "user32.dll.OpenWindowStationW", "user32.dll.GetUserObjectSecurity", "user32.dll.MessageBoxW", "user32.dll.DefWindowProcW", "user32.dll.SetClipboardData", "user32.dll.EmptyClipboard", "user32.dll.CountClipboardFormats", "user32.dll.CloseClipboard", "user32.dll.GetClipboardData", "user32.dll.IsClipboardFormatAvailable", "user32.dll.OpenClipboard", "user32.dll.BlockInput", "user32.dll.GetMessageW", "user32.dll.LockWindowUpdate", "user32.dll.DispatchMessageW", "user32.dll.TranslateMessage", "user32.dll.PeekMessageW", "user32.dll.UnregisterHotKey", "user32.dll.CheckMenuRadioItem", "user32.dll.CharLowerBuffW", "user32.dll.MoveWindow", "user32.dll.SetFocus", "user32.dll.PostQuitMessage", "user32.dll.KillTimer", "user32.dll.CreatePopupMenu", "user32.dll.RegisterWindowMessageW", "user32.dll.SetTimer", "user32.dll.ShowWindow", "user32.dll.CreateWindowExW", "user32.dll.RegisterClassExW", "user32.dll.LoadIconW", "user32.dll.LoadCursorW", "user32.dll.GetSysColorBrush", "user32.dll.GetForegroundWindow", "user32.dll.MessageBoxA", "user32.dll.DestroyIcon", "user32.dll.SystemParametersInfoW", "user32.dll.LoadImageW", "user32.dll.GetClassNameW", "gdi32.dll.StrokePath", "gdi32.dll.DeleteObject", "gdi32.dll.GetTextExtentPoint32W", "gdi32.dll.ExtCreatePen", "gdi32.dll.GetDeviceCaps", "gdi32.dll.EndPath", "gdi32.dll.SetPixel", "gdi32.dll.CloseFigure", "gdi32.dll.CreateCompatibleBitmap", "gdi32.dll.CreateCompatibleDC", "gdi32.dll.SelectObject", "gdi32.dll.StretchBlt", "gdi32.dll.GetDIBits", "gdi32.dll.LineTo", "gdi32.dll.AngleArc", "gdi32.dll.MoveToEx", "gdi32.dll.Ellipse", "gdi32.dll.DeleteDC", "gdi32.dll.GetPixel", "gdi32.dll.CreateDCW", "gdi32.dll.GetStockObject", "gdi32.dll.GetTextFaceW", "gdi32.dll.CreateFontW", "gdi32.dll.SetTextColor", "gdi32.dll.PolyDraw", "gdi32.dll.BeginPath", "gdi32.dll.Rectangle", "gdi32.dll.SetViewportOrgEx", "gdi32.dll.GetObjectW", "gdi32.dll.SetBkMode", "gdi32.dll.RoundRect", "gdi32.dll.SetBkColor", "gdi32.dll.CreatePen", "gdi32.dll.CreateSolidBrush", "gdi32.dll.StrokeAndFillPath", "comdlg32.dll.GetOpenFileNameW", "comdlg32.dll.GetSaveFileNameW", "advapi32.dll.GetAce", "advapi32.dll.RegEnumValueW", "advapi32.dll.RegDeleteValueW", "advapi32.dll.RegDeleteKeyW", "advapi32.dll.RegEnumKeyExW", "advapi32.dll.RegSetValueExW", "advapi32.dll.RegOpenKeyExW", "advapi32.dll.RegCloseKey", "advapi32.dll.RegQueryValueExW", "advapi32.dll.RegConnectRegistryW", "advapi32.dll.InitializeSecurityDescriptor", "advapi32.dll.InitializeAcl", "advapi32.dll.AdjustTokenPrivileges", "advapi32.dll.OpenThreadToken", "advapi32.dll.OpenProcessToken", "advapi32.dll.LookupPrivilegeValueW", "advapi32.dll.DuplicateTokenEx", "advapi32.dll.CreateProcessAsUserW", "advapi32.dll.CreateProcessWithLogonW", "advapi32.dll.GetLengthSid", "advapi32.dll.CopySid", "advapi32.dll.LogonUserW", "advapi32.dll.AllocateAndInitializeSid", "advapi32.dll.CheckTokenMembership", "advapi32.dll.RegCreateKeyExW", "advapi32.dll.FreeSid", "advapi32.dll.GetTokenInformation", "advapi32.dll.GetSecurityDescriptorDacl", "advapi32.dll.GetAclInformation", "advapi32.dll.AddAce", "advapi32.dll.SetSecurityDescriptorDacl", "advapi32.dll.GetUserNameW", "advapi32.dll.InitiateSystemShutdownExW", "shell32.dll.DragQueryPoint", "shell32.dll.ShellExecuteExW", "shell32.dll.DragQueryFileW", "shell32.dll.SHEmptyRecycleBinW", "shell32.dll.SHGetPathFromIDListW", "shell32.dll.SHBrowseForFolderW", "shell32.dll.SHCreateShellItem", "shell32.dll.SHGetDesktopFolder", "shell32.dll.SHGetSpecialFolderLocation", "shell32.dll.SHGetFolderPathW", "shell32.dll.SHFileOperationW", "shell32.dll.ExtractIconExW", "shell32.dll.Shell_NotifyIconW", "shell32.dll.ShellExecuteW", "shell32.dll.DragFinish", "ole32.dll.CoTaskMemAlloc", "ole32.dll.CoTaskMemFree", "ole32.dll.CLSIDFromString", "ole32.dll.ProgIDFromCLSID", "ole32.dll.CLSIDFromProgID", "ole32.dll.OleSetMenuDescriptor", "ole32.dll.MkParseDisplayName", "ole32.dll.OleSetContainedObject", "ole32.dll.CoCreateInstance", "ole32.dll.IIDFromString", "ole32.dll.StringFromGUID2", "ole32.dll.CreateStreamOnHGlobal", "ole32.dll.OleInitialize", "ole32.dll.OleUninitialize", "ole32.dll.CoInitialize", "ole32.dll.CoUninitialize", "ole32.dll.GetRunningObjectTable", "ole32.dll.CoGetInstanceFromFile", "ole32.dll.CoGetObject", "ole32.dll.CoSetProxyBlanket", "ole32.dll.CoCreateInstanceEx", "ole32.dll.CoInitializeSecurity", "oleaut32.dll.#183", "oleaut32.dll.#11", "oleaut32.dll.#3", "oleaut32.dll.#6", "oleaut32.dll.#38", "oleaut32.dll.#39", "oleaut32.dll.#24", "oleaut32.dll.#23", "oleaut32.dll.#37", "oleaut32.dll.#41", "oleaut32.dll.#411", "oleaut32.dll.#163", "oleaut32.dll.#32", "oleaut32.dll.#146", "oleaut32.dll.#12", "oleaut32.dll.#7", "oleaut32.dll.#185", "oleaut32.dll.#220", "oleaut32.dll.#77", "oleaut32.dll.#10", "oleaut32.dll.#9", "oleaut32.dll.#418", "oleaut32.dll.#164", "oleaut32.dll.#442", "oleaut32.dll.#443", "oleaut32.dll.#186", "oleaut32.dll.#31", "oleaut32.dll.#2", "oleaut32.dll.#8", "msvcr100.dll.atexit", "kernel32.dll.GetNativeSystemInfo", "cryptbase.dll.SystemFunction036", "uxtheme.dll.ThemeInitApiHook", "user32.dll.IsProcessDPIAware", "kernel32.dll.Wow64DisableWow64FsRedirection", "kernel32.dll.Wow64RevertWow64FsRedirection", "dwmapi.dll.DwmIsCompositionEnabled", "comctl32.dll.RegisterClassNameW", "kernel32.dll.SortGetHandle", "kernel32.dll.SortCloseHandle", "uxtheme.dll.OpenThemeData", "uxtheme.dll.GetThemeBool", "imm32.dll.ImmGetContext", "imm32.dll.ImmReleaseContext", "imm32.dll.ImmAssociateContext", "imm32.dll.ImmIsIME", "comctl32.dll.HIMAGELIST_QueryInterface", "comctl32.dll.DrawShadowText", "comctl32.dll.DrawSizeBox", "comctl32.dll.DrawScrollBar", "comctl32.dll.SizeBoxHwnd", "comctl32.dll.ScrollBar_MouseMove", "comctl32.dll.ScrollBar_Menu", "comctl32.dll.HandleScrollCmd", "comctl32.dll.DetachScrollBars", "comctl32.dll.AttachScrollBars", "comctl32.dll.CCSetScrollInfo", "comctl32.dll.CCGetScrollInfo", "comctl32.dll.CCEnableScrollBar", "comctl32.dll.QuerySystemGestureStatus", "uxtheme.dll.#49", "kernel32.dll.GetThreadPreferredUILanguages", "kernel32.dll.SetThreadPreferredUILanguages", "kernel32.dll.LocaleNameToLCID", "kernel32.dll.LCIDToLocaleName", "kernel32.dll.GetSystemDefaultLocaleName", "kernel32.dll.CreateMutexW", "sxs.dll.SxsOleAut32RedirectTypeLibrary", "advapi32.dll.RegOpenKeyW", "advapi32.dll.RegQueryValueW", "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid", "sspicli.dll.GetUserNameExW", "xmllite.dll.CreateXmlWriter", "xmllite.dll.CreateXmlWriterOutputWithEncodingName", "rasapi32.dll.RasConnectionNotificationW", "rasapi32.dll.RasEnumEntriesW", "rtutils.dll.TraceRegisterExA", "rtutils.dll.TracePrintfExA", "sechost.dll.ConvertSidToStringSidW", "profapi.dll.#104", "shlwapi.dll.PathCanonicalizeW", "shlwapi.dll.PathRemoveFileSpecW", "shlwapi.dll.PathFindFileNameW", "sechost.dll.NotifyServiceStatusChangeA", "sensapi.dll.IsNetworkAlive", "rpcrt4.dll.RpcBindingFromStringBindingW", "rpcrt4.dll.RpcBindingSetAuthInfoExW", "rpcrt4.dll.NdrClientCall2", "shell32.dll.#165", "winhttp.dll.WinHttpOpen", "winhttp.dll.WinHttpSetTimeouts", "winhttp.dll.WinHttpSetOption", "winhttp.dll.WinHttpCrackUrl", "shlwapi.dll.StrCmpNW", "winhttp.dll.WinHttpConnect", "winhttp.dll.WinHttpOpenRequest", "winhttp.dll.WinHttpSetStatusCallback", "winhttp.dll.WinHttpGetDefaultProxyConfiguration", "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser", "winhttp.dll.WinHttpSendRequest", "ws2_32.dll.GetAddrInfoW", "ws2_32.dll.WSASocketW", "ws2_32.dll.#2", "ws2_32.dll.#21", "ws2_32.dll.#9", "ws2_32.dll.WSAIoctl", "ws2_32.dll.FreeAddrInfoW", "ws2_32.dll.#6", "ws2_32.dll.#5", "ws2_32.dll.WSARecv", "ws2_32.dll.WSASend", "winhttp.dll.WinHttpReceiveResponse", "winhttp.dll.WinHttpQueryHeaders", "shlwapi.dll.StrStrIW", "winhttp.dll.WinHttpQueryDataAvailable", "winhttp.dll.WinHttpReadData", "winhttp.dll.WinHttpCloseHandle", "rpcrt4.dll.RpcBindingFree", "ws2_32.dll.#22", "ws2_32.dll.#3", "uxtheme.dll.CloseThemeData", "ntdll.dll.EtwUnregisterTraceGuids", "oleaut32.dll.#500", "ncrypt.dll.SslFreeObject", "ole32.dll.CoGetClassObject", "ole32.dll.CoGetMarshalSizeMax", "ole32.dll.CoMarshalInterface", "ole32.dll.CoUnmarshalInterface", "ole32.dll.StringFromIID", "ole32.dll.CoGetPSClsid", "ole32.dll.CoReleaseMarshalData", "ole32.dll.DcomChannelSetHResult", "vssapi.dll.CreateWriter", "advapi32.dll.LookupAccountNameW", "sechost.dll.LookupAccountNameLocalW", "advapi32.dll.LookupAccountSidW", "samcli.dll.NetLocalGroupGetMembers", "samlib.dll.SamConnect", "rpcrt4.dll.NdrClientCall3", "rpcrt4.dll.RpcStringBindingComposeW", "rpcrt4.dll.RpcStringFreeW", "samlib.dll.SamOpenDomain", "samlib.dll.SamLookupNamesInDomain", "samlib.dll.SamOpenAlias", "samlib.dll.SamFreeMemory", "samlib.dll.SamCloseHandle", "samlib.dll.SamGetMembersInAlias", "netutils.dll.NetApiBufferFree", "samlib.dll.SamEnumerateDomainsInSamServer", "samlib.dll.SamLookupDomainInSamServer", "ole32.dll.CoCreateGuid", "ole32.dll.StringFromCLSID", "oleaut32.dll.#4", "propsys.dll.VariantToPropVariant", "wbemcore.dll.Reinitialize", "wbemsvc.dll.DllGetClassObject", "wbemsvc.dll.DllCanUnloadNow", "authz.dll.AuthzInitializeContextFromToken", "authz.dll.AuthzInitializeObjectAccessAuditEvent2", "authz.dll.AuthzAccessCheck", "authz.dll.AuthzFreeAuditEvent", "authz.dll.AuthzFreeContext", "authz.dll.AuthzInitializeResourceManager", "authz.dll.AuthzFreeResourceManager", "rpcrt4.dll.RpcBindingCreateW", "rpcrt4.dll.RpcBindingBind", "rpcrt4.dll.I_RpcMapWin32Status", "advapi32.dll.EventRegister", "advapi32.dll.EventUnregister", "advapi32.dll.EventWrite", "kernel32.dll.RegCloseKey", "kernel32.dll.RegSetValueExW", "kernel32.dll.RegOpenKeyExW", "kernel32.dll.RegQueryValueExW", "wmisvc.dll.IsImproperShutdownDetected", "wevtapi.dll.EvtRender", "wevtapi.dll.EvtNext", "wevtapi.dll.EvtClose", "wevtapi.dll.EvtQuery", "wevtapi.dll.EvtCreateRenderContext", "rpcrt4.dll.RpcBindingSetOption", "ole32.dll.CoCreateFreeThreadedMarshaler", "cryptsp.dll.CryptAcquireContextW", "cryptsp.dll.CryptGenRandom", "cryptsp.dll.CryptReleaseContext", "kernelbase.dll.InitializeAcl", "kernelbase.dll.AddAce", "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW", "kernel32.dll.IsThreadAFiber", "kernel32.dll.OpenProcessToken", "kernelbase.dll.GetTokenInformation", "sechost.dll.LookupAccountSidLocalW", "kernelbase.dll.DuplicateTokenEx", "kernelbase.dll.AdjustTokenPrivileges", "kernelbase.dll.AllocateAndInitializeSid", "kernelbase.dll.CheckTokenMembership", "kernel32.dll.SetThreadToken", "oleaut32.dll.#17", "oleaut32.dll.#20", "oleaut32.dll.#19", "oleaut32.dll.#25", "authz.dll.AuthzInitializeContextFromSid", "ole32.dll.CoGetCallContext", "oleaut32.dll.#285", "oleaut32.dll.#286", "ole32.dll.CoImpersonateClient", "ole32.dll.CoRevertToSelf", "ole32.dll.CoSwitchCallContext", "ole32.dll.CoInitializeEx", "advapi32.dll.LogonUserExExW", "sspicli.dll.LogonUserExExW", "oleaut32.dll.#287", "oleaut32.dll.#288", "oleaut32.dll.#289", "oleaut32.dll.#283", "oleaut32.dll.#284", "advapi32.dll.WmiMofEnumerateResourcesW", "advapi32.dll.WmiFreeBuffer", "sechost.dll.OpenSCManagerW", "sechost.dll.OpenServiceW", "sechost.dll.QueryServiceStatus", "rasapi32.dll.RasEnumConnectionsW", "tschannel.dll.DllGetClassObject", "tschannel.dll.DllCanUnloadNow", "advapi32.dll.CryptAcquireContextW", "shlwapi.dll.PathIsDirectoryW", "advapi32.dll.RegNotifyChangeKeyValue", "ole32.dll.NdrOleInitializeExtension", "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint", "ole32.dll.CLSIDFromOle1Class", "clbcatq.dll.GetCatalogObject", "clbcatq.dll.GetCatalogObject2", "shlwapi.dll.PathIsPrefixW", "advapi32.dll.CryptCreateHash", "advapi32.dll.CryptGetHashParam", "cryptsp.dll.CryptGetHashParam", "advapi32.dll.CryptHashData", "cryptsp.dll.CryptHashData", "advapi32.dll.CryptDestroyHash", "cryptsp.dll.CryptDestroyHash", "xmllite.dll.CreateXmlReader", "advapi32.dll.RegEnumKeyW", "psapi.dll.EmptyWorkingSet", "user32.dll.GetLastInputInfo", "kernel32.dll.GetTickCount", "advapi32.dll.CryptAcquireContextA", "cryptsp.dll.CryptAcquireContextA", "cryptsp.dll.CryptCreateHash", "advapi32.dll.CryptDeriveKey", "cryptsp.dll.CryptDeriveKey", "advapi32.dll.CryptDecrypt", "cryptsp.dll.CryptDecrypt", "advapi32.dll.CryptDestroyKey", "cryptsp.dll.CryptDestroyKey", "advapi32.dll.CryptReleaseContext", "kernel32.dll.WerRegisterMemoryBlock", "ntmarta.dll.GetMartaExtensionInterface", "fastprox.dll.DllGetClassObject", "fastprox.dll.DllCanUnloadNow", "oleaut32.dll.#290", "devobj.dll.DevObjCreateDeviceInfoList", "devobj.dll.DevObjGetClassDevs", "devobj.dll.DevObjEnumDeviceInfo", "devobj.dll.DevObjDestroyDeviceInfoList", "setupapi.dll.CM_Open_DevNode_Key_Ex", "devobj.dll.DevObjGetDeviceProperty", "cfgmgr32.dll.CM_Connect_MachineA", "cfgmgr32.dll.CM_Disconnect_Machine", "cfgmgr32.dll.CM_Locate_DevNodeW", "cfgmgr32.dll.CM_Get_DevNode_Registry_PropertyW", "cfgmgr32.dll.CM_Get_Child", "cfgmgr32.dll.CM_Get_Sibling", "cfgmgr32.dll.CM_Get_DevNode_Status", "cfgmgr32.dll.CM_Get_First_Log_Conf", "cfgmgr32.dll.CM_Get_Next_Res_Des", "cfgmgr32.dll.CM_Get_Res_Des_Data", "cfgmgr32.dll.CM_Get_Res_Des_Data_Size", "cfgmgr32.dll.CM_Free_Log_Conf_Handle", "cfgmgr32.dll.CM_Free_Res_Des_Handle", "cfgmgr32.dll.CM_Get_Device_IDA", "cfgmgr32.dll.CM_Get_Device_ID_Size", "cfgmgr32.dll.CM_Get_Parent", "user32.dll.MonitorFromWindow", "user32.dll.EnumDisplayMonitors", "user32.dll.EnumDisplayDevicesW", "dxgi.dll.DXGIReportAdapterConfiguration", "setupapi.dll.SetupDiGetClassDevsW", "setupapi.dll.SetupDiEnumDeviceInterfaces", "setupapi.dll.SetupDiGetDeviceInterfaceDetailW", "setupapi.dll.SetupDiDestroyDeviceInfoList", "gdi32.dll.D3DKMTOpenAdapterFromDeviceName", "gdi32.dll.D3DKMTQueryAdapterInfo", "gdi32.dll.D3DKMTGetDisplayModeList", "gdi32.dll.D3DKMTCloseAdapter", "wintrust.dll.WinVerifyTrust", "ntdll.dll.RtlGetVersion", "ntdll.dll.RtlNtStatusToDosError", "ntdll.dll.NtDeviceIoControlFile", "ntdll.dll.NtQueryInformationFile", "ntdll.dll.NtSetInformationFile", "ntdll.dll.NtQueryVolumeInformationFile", "ntdll.dll.NtQueryDirectoryFile", "ntdll.dll.NtQuerySystemInformation", "kernel32.dll.GetQueuedCompletionStatusEx", "user32.dll.SetWinEventHook", "msvcrt.dll._localtime64_s", "psapi.dll.EnumProcesses", "psapi.dll.EnumProcessModules", "psapi.dll.GetModuleBaseNameW" ] [*] Static Analysis: { "pe": { "peid_signatures": null, "imports": [ { "imports": [ { "name": "HeapReAlloc", "address": "0x431000" }, { "name": "GetNativeSystemInfo", "address": "0x431004" }, { "name": "GetDriveTypeW", "address": "0x431008" }, { "name": "GetProfileIntW", "address": "0x43100c" }, { "name": "WaitForSingleObject", "address": "0x431010" }, { "name": "SetTapeParameters", "address": "0x431014" }, { "name": "GetModuleHandleW", "address": "0x431018" }, { "name": "ExpandEnvironmentStringsA", "address": "0x43101c" }, { "name": "WaitNamedPipeW", "address": "0x431020" }, { "name": "EnumTimeFormatsA", "address": "0x431024" }, { "name": "GetConsoleCP", "address": "0x431028" }, { "name": "GetSystemDirectoryW", "address": "0x43102c" }, { "name": "LoadLibraryW", "address": "0x431030" }, { "name": "FormatMessageW", "address": "0x431034" }, { "name": "GetStringTypeExW", "address": "0x431038" }, { "name": "FindNextVolumeW", "address": "0x43103c" }, { "name": "CreateMailslotW", "address": "0x431040" }, { "name": "WritePrivateProfileStringW", "address": "0x431044" }, { "name": "ReplaceFileA", "address": "0x431048" }, { "name": "EnumSystemLocalesA", "address": "0x43104c" }, { "name": "GetLastError", "address": "0x431050" }, { "name": "GetLongPathNameW", "address": "0x431054" }, { "name": "GetProcAddress", "address": "0x431058" }, { "name": "HeapUnlock", "address": "0x43105c" }, { "name": "MoveFileW", "address": "0x431060" }, { "name": "IsValidCodePage", "address": "0x431064" }, { "name": "GetFirmwareEnvironmentVariableW", "address": "0x431068" }, { "name": "DefineDosDeviceA", "address": "0x43106c" }, { "name": "LocalAlloc", "address": "0x431070" }, { "name": "FindFirstVolumeMountPointW", "address": "0x431074" }, { "name": "GetProfileStringA", "address": "0x431078" }, { "name": "HeapLock", "address": "0x43107c" }, { "name": "WaitForMultipleObjects", "address": "0x431080" }, { "name": "GetVolumePathNamesForVolumeNameA", "address": "0x431084" }, { "name": "GetDefaultCommConfigA", "address": "0x431088" }, { "name": "DeleteCriticalSection", "address": "0x43108c" }, { "name": "GetDiskFreeSpaceExW", "address": "0x431090" }, { "name": "MoveFileWithProgressW", "address": "0x431094" }, { "name": "WriteConsoleW", "address": "0x431098" }, { "name": "GetStringTypeW", "address": "0x43109c" }, { "name": "ReadConsoleW", "address": "0x4310a0" }, { "name": "ReadFile", "address": "0x4310a4" }, { "name": "HeapFree", "address": "0x4310a8" }, { "name": "EncodePointer", "address": "0x4310ac" }, { "name": "DecodePointer", "address": "0x4310b0" }, { "name": "GetCommandLineA", "address": "0x4310b4" }, { "name": "RaiseException", "address": "0x4310b8" }, { "name": "RtlUnwind", "address": "0x4310bc" }, { "name": "IsDebuggerPresent", "address": "0x4310c0" }, { "name": "IsProcessorFeaturePresent", "address": "0x4310c4" }, { "name": "EnterCriticalSection", "address": "0x4310c8" }, { "name": "LeaveCriticalSection", "address": "0x4310cc" }, { "name": "GetStdHandle", "address": "0x4310d0" }, { "name": "GetFileType", "address": "0x4310d4" }, { "name": "GetStartupInfoW", "address": "0x4310d8" }, { "name": "GetProcessHeap", "address": "0x4310dc" }, { "name": "HeapAlloc", "address": "0x4310e0" }, { "name": "ExitProcess", "address": "0x4310e4" }, { "name": "GetModuleHandleExW", "address": "0x4310e8" }, { "name": "AreFileApisANSI", "address": "0x4310ec" }, { "name": "MultiByteToWideChar", "address": "0x4310f0" }, { "name": "WideCharToMultiByte", "address": "0x4310f4" }, { "name": "HeapSize", "address": "0x4310f8" }, { "name": "CloseHandle", "address": "0x4310fc" }, { "name": "SetLastError", "address": "0x431100" }, { "name": "GetCurrentThread", "address": "0x431104" }, { "name": "GetCurrentThreadId", "address": "0x431108" }, { "name": "GetModuleFileNameA", "address": "0x43110c" }, { "name": "WriteFile", "address": "0x431110" }, { "name": "GetModuleFileNameW", "address": "0x431114" }, { "name": "QueryPerformanceCounter", "address": "0x431118" }, { "name": "GetCurrentProcessId", "address": "0x43111c" }, { "name": "GetSystemTimeAsFileTime", "address": "0x431120" }, { "name": "GetEnvironmentStringsW", "address": "0x431124" }, { "name": "FreeEnvironmentStringsW", "address": "0x431128" }, { "name": "UnhandledExceptionFilter", "address": "0x43112c" }, { "name": "SetUnhandledExceptionFilter", "address": "0x431130" }, { "name": "InitializeCriticalSectionAndSpinCount", "address": "0x431134" }, { "name": "CreateEventW", "address": "0x431138" }, { "name": "Sleep", "address": "0x43113c" }, { "name": "GetCurrentProcess", "address": "0x431140" }, { "name": "TerminateProcess", "address": "0x431144" }, { "name": "TlsAlloc", "address": "0x431148" }, { "name": "TlsGetValue", "address": "0x43114c" }, { "name": "TlsSetValue", "address": "0x431150" }, { "name": "TlsFree", "address": "0x431154" }, { "name": "GetTickCount", "address": "0x431158" }, { "name": "CreateSemaphoreW", "address": "0x43115c" }, { "name": "FatalAppExitA", "address": "0x431160" }, { "name": "GetACP", "address": "0x431164" }, { "name": "GetOEMCP", "address": "0x431168" }, { "name": "GetCPInfo", "address": "0x43116c" }, { "name": "GetConsoleMode", "address": "0x431170" }, { "name": "SetFilePointerEx", "address": "0x431174" }, { "name": "SetConsoleCtrlHandler", "address": "0x431178" }, { "name": "FreeLibrary", "address": "0x43117c" }, { "name": "LoadLibraryExW", "address": "0x431180" }, { "name": "GetDateFormatW", "address": "0x431184" }, { "name": "GetTimeFormatW", "address": "0x431188" }, { "name": "CompareStringW", "address": "0x43118c" }, { "name": "LCMapStringW", "address": "0x431190" }, { "name": "GetLocaleInfoW", "address": "0x431194" }, { "name": "IsValidLocale", "address": "0x431198" }, { "name": "GetUserDefaultLCID", "address": "0x43119c" }, { "name": "EnumSystemLocalesW", "address": "0x4311a0" }, { "name": "SetStdHandle", "address": "0x4311a4" }, { "name": "FlushFileBuffers", "address": "0x4311a8" }, { "name": "OutputDebugStringW", "address": "0x4311ac" }, { "name": "CreateFileW", "address": "0x4311b0" } ], "dll": "KERNEL32.dll" }, { "imports": [ { "name": "GetScrollBarInfo", "address": "0x4311b8" }, { "name": "GetMessageTime", "address": "0x4311bc" }, { "name": "FindWindowW", "address": "0x4311c0" } ], "dll": "USER32.dll" } ], "digital_signers": null, "exported_dll_name": null, "actual_checksum": "0x0015ce8e", "overlay": { "size": "0x00001b68", "offset": "0x0015ac00" }, "imagebase": "0x00400000", "reported_checksum": "0x0015ce8e", "icon_hash": null, "entrypoint": "0x00408e07", "timestamp": "2018-06-02 14:42:13", "osversion": "5.1", "sections": [ { "name": ".text", "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", "virtual_address": "0x00001000", "size_of_data": "0x0002fc00", "entropy": "6.72", "raw_address": "0x00000400", "virtual_size": "0x0002faad", "characteristics_raw": "0x60000020" }, { "name": ".rdata", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00031000", "size_of_data": "0x00121800", "entropy": "6.17", "raw_address": "0x00030000", "virtual_size": "0x00121660", "characteristics_raw": "0x40000040" }, { "name": ".data", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "virtual_address": "0x00153000", "size_of_data": "0x00002400", "entropy": "2.65", "raw_address": "0x00151800", "virtual_size": "0x00014dec", "characteristics_raw": "0xc0000040" }, { "name": ".rsrc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00168000", "size_of_data": "0x00004a00", "entropy": "5.44", "raw_address": "0x00153c00", "virtual_size": "0x00004891", "characteristics_raw": "0x40000040" }, { "name": ".reloc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "virtual_address": "0x0016d000", "size_of_data": "0x00002600", "entropy": "6.53", "raw_address": "0x00158600", "virtual_size": "0x00002448", "characteristics_raw": "0x42000040" } ], "resources": [], "dirents": [ { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXPORT", "size": "0x00000000" }, { "virtual_address": "0x00151bec", "name": "IMAGE_DIRECTORY_ENTRY_IMPORT", "size": "0x0000003c" }, { "virtual_address": "0x00168000", "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE", "size": "0x00004891" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_SECURITY", "size": "0x00000000" }, { "virtual_address": "0x0016d000", "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC", "size": "0x00002448" }, { "virtual_address": "0x00031220", "name": "IMAGE_DIRECTORY_ENTRY_DEBUG", "size": "0x00000038" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_TLS", "size": "0x00000000" }, { "virtual_address": "0x001509d0", "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG", "size": "0x00000040" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00031000", "name": "IMAGE_DIRECTORY_ENTRY_IAT", "size": "0x000001c8" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_RESERVED", "size": "0x00000000" } ], "exports": [], "guest_signers": {}, "imphash": "9932801f5c0800c84869dbab4ea550aa", "icon_fuzzy": null, "icon": null, "pdbpath": "C:\\jakogotozurum\\womawuwilisasewiceja-cebic3_cawafahohud\\g.pdb\\x00ipe.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\xb9", "imported_dll_count": 2, "versioninfo": [] } }