[*] MalFamily: "" [*] MalScore: 10.0 [*] File Name: "Exes_78782970c80b0512cda1a4b0e000e831.exe" [*] File Size: 5319680 [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows" [*] SHA256: "8705eb0ed7c1bd84a67b1788acfdb166a4f1d6a26c1da6e4b6349cc4f451085b" [*] MD5: "78782970c80b0512cda1a4b0e000e831" [*] SHA1: "04c28c7a7d81ab98ccf35ccc0466d9236615c175" [*] SHA512: "9cf0a9bb0a0b211e8d3f2331131b48c6856534b618e9d8c77b1976d4f4c85dd9d792790ae885238463c0f64921fffa2399b15fdb67ceb081827240d5f1f1b7df" [*] CRC32: "7F4356C9" [*] SSDEEP: "98304:vWOld+o/QqR5UIW4oPMprEYhlNORbHsiCkTus/xr0r37evs0XM1uTLYU:v5dftUX9JHsiCkTu0xrM37eE0KuTL7" [*] Process Execution: [ "Exes_78782970c80b0512cda1a4b0e000e831.exe", "services.exe", "svchost.exe", "WmiPrvSE.exe", "svchost.exe", "TrustedInstaller.exe", "taskhost.exe" ] [*] Signatures Detected: [ { "Description": "Attempts to connect to a dead IP:Port (1 unique times)", "Details": [ { "IP": "104.26.15.130:443" } ] }, { "Description": "Creates RWX memory", "Details": [] }, { "Description": "Possible date expiration check, exits too soon after checking local time", "Details": [ { "process": "Exes_78782970c80b0512cda1a4b0e000e831.exe, PID 2360" } ] }, { "Description": "A process attempted to delay the analysis task.", "Details": [ { "Process": "Exes_78782970c80b0512cda1a4b0e000e831.exe tried to sleep 305 seconds, actually delayed analysis time by 0 seconds" }, { "Process": "WmiPrvSE.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds" } ] }, { "Description": "Expresses interest in specific running processes", "Details": [ { "process": "Exes_78782970c80b0512cda1a4b0e000e831.exe" }, { "process": "winlogon.exe" } ] }, { "Description": "Attempts to restart the guest VM", "Details": [] }, { "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time", "Details": [ { "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 5874780 times" } ] }, { "Description": "Retrieves Windows ProductID, probably to fingerprint the sandbox", "Details": [] }, { "Description": "File has been identified by 16 Antiviruses on VirusTotal as malicious", "Details": [ { "FireEye": "Generic.mg.78782970c80b0512" }, { "Symantec": "ML.Attribute.HighConfidence" }, { "APEX": "Malicious" }, { "Paloalto": "generic.ml" }, { "Rising": "Malware.Obscure/Heur!1.9E03 (CLASSIC)" }, { "Comodo": "TrojWare.Win32.Fakecsrss.AV@88nqyj" }, { "F-Secure": "Trojan.TR/Crypt.ZPACK.Gen2" }, { "Invincea": "heuristic" }, { "Avira": "TR/Crypt.ZPACK.Gen2" }, { "Microsoft": "Trojan:Win32/Wacatac.B!ml" }, { "Endgame": "malicious (high confidence)" }, { "Acronis": "suspicious" }, { "Cylance": "Unsafe" }, { "eGambit": "Unsafe.AI_Score_66%" }, { "CrowdStrike": "win/malicious_confidence_100% (D)" }, { "Qihoo-360": "HEUR/QVM10.1.25B9.Malware.Gen" } ] }, { "Description": "Checks the CPU name from registry, possibly for anti-virtualization", "Details": [] }, { "Description": "Collects information to fingerprint the system", "Details": [] } ] [*] Started Service: [ "TrustedInstaller", "Winmgmt" ] [*] Executed Commands: [ "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_78782970c80b0512cda1a4b0e000e831.exe\"", "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", "C:\\Windows\\system32\\svchost.exe -k netsvcs", "C:\\Windows\\servicing\\TrustedInstaller.exe", "C:\\Windows\\System32\\sdclt.exe /CONFIGNOTIFICATION" ] [*] Mutexes: [ "Global\\WdsSetupLogInit", "Global\\SetupLog", "CicLoadWinStaWinSta0", "Local\\MSCTF.CtfMonitorInstMutexDefault1" ] [*] Modified Files: [ "\\??\\PIPE\\samr", "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST", "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP", "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP", "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP", "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA", "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR", "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8", "C:\\Windows\\sysnative\\LogFiles\\Scm\\2ce1541b-c7b1-4ba0-8974-722d18a3c54d", "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM", "\\??\\PIPE\\wkssvc", "\\??\\PIPE\\srvsvc", "\\??\\WMIDataDevice", "C:\\Windows\\Logs\\CBS\\CBS.log", "C:\\BVTBin\\Tests\\installpackage\\csilogfile.log", "C:\\Windows\\winsxs\\ManifestCache\\ee9f676b8aa4122b_blobs.bin" ] [*] Deleted Files: [] [*] Modified Registry Keys: [ "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Microsoft\\TestApp", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\Name", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\Firewall", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\Defender", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\Servers", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\UUID", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\Command", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\FirstInstallDate", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\CloudnetFileURL", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\ServiceVersion", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\SC", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\PGDSE", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\VC", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\ServersVersion", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\CDN", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\PP", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\OSCaption", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\OSArchitecture", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\IsAdmin", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\AV", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\PatchTime", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\CPU", "HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp\\GPU", "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TrustedInstaller\\Type", "HKEY_LOCAL_MACHINE\\COMPONENTS\\ServicingStackVersions\\6.1.7601.17514 (win7sp1_rtm.101119-1850)" ] [*] Deleted Registry Keys: [ "HKEY_LOCAL_MACHINE\\COMPONENTS\\PendingXmlIdentifier", "HKEY_LOCAL_MACHINE\\COMPONENTS\\PoqexecFailure", "HKEY_LOCAL_MACHINE\\COMPONENTS\\ExecutionState", "HKEY_LOCAL_MACHINE\\COMPONENTS\\RepairTransactionPended" ] [*] DNS Communications: [ { "type": "A", "request": "venoxcontrol.com", "answers": [ { "data": "104.26.15.130", "type": "A" }, { "data": "104.26.14.130", "type": "A" } ] } ] [*] Domains: [ { "ip": "104.26.15.130", "domain": "venoxcontrol.com" } ] [*] Network Communication - ICMP: [] [*] Network Communication - HTTP: [] [*] Network Communication - SMTP: [] [*] Network Communication - Hosts: [] [*] Network Communication - IRC: [] [*] Static Analysis: { "pe": { "peid_signatures": null, "imports": [ { "imports": [ { "name": "HeapReAlloc", "address": "0x431000" }, { "name": "GetNativeSystemInfo", "address": "0x431004" }, { "name": "GetDriveTypeW", "address": "0x431008" }, { "name": "GetProfileIntW", "address": "0x43100c" }, { "name": "GetProfileStringW", "address": "0x431010" }, { "name": "WaitForSingleObject", "address": "0x431014" }, { "name": "SetTapeParameters", "address": "0x431018" }, { "name": "GetModuleHandleW", "address": "0x43101c" }, { "name": "ExpandEnvironmentStringsA", "address": "0x431020" }, { "name": "WaitNamedPipeW", "address": "0x431024" }, { "name": "EnumTimeFormatsA", "address": "0x431028" }, { "name": "GetSystemDirectoryW", "address": "0x43102c" }, { "name": "LoadLibraryW", "address": "0x431030" }, { "name": "FormatMessageW", "address": "0x431034" }, { "name": "GetStringTypeExW", "address": "0x431038" }, { "name": "IsBadWritePtr", "address": "0x43103c" }, { "name": "GetModuleFileNameW", "address": "0x431040" }, { "name": "CreateMailslotW", "address": "0x431044" }, { "name": "WritePrivateProfileStringW", "address": "0x431048" }, { "name": "ReplaceFileA", "address": "0x43104c" }, { "name": "EnumSystemLocalesA", "address": "0x431050" }, { "name": "GetLastError", "address": "0x431054" }, { "name": "GetLongPathNameW", "address": "0x431058" }, { "name": "GetProcAddress", "address": "0x43105c" }, { "name": "MoveFileW", "address": "0x431060" }, { "name": "GetFirmwareEnvironmentVariableW", "address": "0x431064" }, { "name": "DefineDosDeviceA", "address": "0x431068" }, { "name": "LocalAlloc", "address": "0x43106c" }, { "name": "FindFirstVolumeMountPointW", "address": "0x431070" }, { "name": "HeapLock", "address": "0x431074" }, { "name": "WaitForMultipleObjects", "address": "0x431078" }, { "name": "GetVolumePathNamesForVolumeNameA", "address": "0x43107c" }, { "name": "GetDefaultCommConfigA", "address": "0x431080" }, { "name": "SetLocaleInfoW", "address": "0x431084" }, { "name": "DeleteCriticalSection", "address": "0x431088" }, { "name": "MoveFileWithProgressW", "address": "0x43108c" }, { "name": "GetStringTypeW", "address": "0x431090" }, { "name": "ReadConsoleW", "address": "0x431094" }, { "name": "ReadFile", "address": "0x431098" }, { "name": "OutputDebugStringW", "address": "0x43109c" }, { "name": "EnumSystemLocalesW", "address": "0x4310a0" }, { "name": "GetUserDefaultLCID", "address": "0x4310a4" }, { "name": "IsValidLocale", "address": "0x4310a8" }, { "name": "GetLocaleInfoW", "address": "0x4310ac" }, { "name": "HeapFree", "address": "0x4310b0" }, { "name": "EncodePointer", "address": "0x4310b4" }, { "name": "DecodePointer", "address": "0x4310b8" }, { "name": "GetCommandLineA", "address": "0x4310bc" }, { "name": "RaiseException", "address": "0x4310c0" }, { "name": "RtlUnwind", "address": "0x4310c4" }, { "name": "IsDebuggerPresent", "address": "0x4310c8" }, { "name": "IsProcessorFeaturePresent", "address": "0x4310cc" }, { "name": "EnterCriticalSection", "address": "0x4310d0" }, { "name": "LeaveCriticalSection", "address": "0x4310d4" }, { "name": "GetStdHandle", "address": "0x4310d8" }, { "name": "GetFileType", "address": "0x4310dc" }, { "name": "GetStartupInfoW", "address": "0x4310e0" }, { "name": "GetProcessHeap", "address": "0x4310e4" }, { "name": "HeapAlloc", "address": "0x4310e8" }, { "name": "FlushFileBuffers", "address": "0x4310ec" }, { "name": "WriteFile", "address": "0x4310f0" }, { "name": "WideCharToMultiByte", "address": "0x4310f4" }, { "name": "GetConsoleCP", "address": "0x4310f8" }, { "name": "GetConsoleMode", "address": "0x4310fc" }, { "name": "FatalAppExitA", "address": "0x431100" }, { "name": "ExitProcess", "address": "0x431104" }, { "name": "GetModuleHandleExW", "address": "0x431108" }, { "name": "AreFileApisANSI", "address": "0x43110c" }, { "name": "MultiByteToWideChar", "address": "0x431110" }, { "name": "HeapSize", "address": "0x431114" }, { "name": "CloseHandle", "address": "0x431118" }, { "name": "SetLastError", "address": "0x43111c" }, { "name": "GetCurrentThread", "address": "0x431120" }, { "name": "GetCurrentThreadId", "address": "0x431124" }, { "name": "GetModuleFileNameA", "address": "0x431128" }, { "name": "QueryPerformanceCounter", "address": "0x43112c" }, { "name": "GetCurrentProcessId", "address": "0x431130" }, { "name": "GetSystemTimeAsFileTime", "address": "0x431134" }, { "name": "GetEnvironmentStringsW", "address": "0x431138" }, { "name": "FreeEnvironmentStringsW", "address": "0x43113c" }, { "name": "UnhandledExceptionFilter", "address": "0x431140" }, { "name": "SetUnhandledExceptionFilter", "address": "0x431144" }, { "name": "InitializeCriticalSectionAndSpinCount", "address": "0x431148" }, { "name": "CreateEventW", "address": "0x43114c" }, { "name": "Sleep", "address": "0x431150" }, { "name": "GetCurrentProcess", "address": "0x431154" }, { "name": "TerminateProcess", "address": "0x431158" }, { "name": "TlsAlloc", "address": "0x43115c" }, { "name": "TlsGetValue", "address": "0x431160" }, { "name": "TlsSetValue", "address": "0x431164" }, { "name": "TlsFree", "address": "0x431168" }, { "name": "GetTickCount", "address": "0x43116c" }, { "name": "CreateSemaphoreW", "address": "0x431170" }, { "name": "IsValidCodePage", "address": "0x431174" }, { "name": "GetACP", "address": "0x431178" }, { "name": "GetOEMCP", "address": "0x43117c" }, { "name": "GetCPInfo", "address": "0x431180" }, { "name": "SetFilePointerEx", "address": "0x431184" }, { "name": "SetStdHandle", "address": "0x431188" }, { "name": "WriteConsoleW", "address": "0x43118c" }, { "name": "SetConsoleCtrlHandler", "address": "0x431190" }, { "name": "FreeLibrary", "address": "0x431194" }, { "name": "LoadLibraryExW", "address": "0x431198" }, { "name": "GetDateFormatW", "address": "0x43119c" }, { "name": "GetTimeFormatW", "address": "0x4311a0" }, { "name": "CompareStringW", "address": "0x4311a4" }, { "name": "LCMapStringW", "address": "0x4311a8" }, { "name": "CreateFileW", "address": "0x4311ac" } ], "dll": "KERNEL32.dll" }, { "imports": [ { "name": "DrawIcon", "address": "0x4311b4" }, { "name": "CharPrevA", "address": "0x4311b8" }, { "name": "GetScrollBarInfo", "address": "0x4311bc" }, { "name": "SetWindowLongA", "address": "0x4311c0" }, { "name": "EnableMenuItem", "address": "0x4311c4" }, { "name": "DeferWindowPos", "address": "0x4311c8" }, { "name": "GetMessageTime", "address": "0x4311cc" } ], "dll": "USER32.dll" } ], "digital_signers": null, "exported_dll_name": null, "actual_checksum": "0x0051d5b6", "overlay": null, "imagebase": "0x00400000", "reported_checksum": "0x0051d5b6", "icon_hash": null, "entrypoint": "0x00409387", "timestamp": "2018-02-02 12:28:41", "osversion": "5.1", "sections": [ { "name": ".text", "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", "virtual_address": "0x00001000", "size_of_data": "0x0002fe00", "entropy": "6.74", "raw_address": "0x00000400", "virtual_size": "0x0002fcfd", "characteristics_raw": "0x60000020" }, { "name": ".rdata", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00031000", "size_of_data": "0x004d9c00", "entropy": "6.06", "raw_address": "0x00030200", "virtual_size": "0x004d9ac8", "characteristics_raw": "0x40000040" }, { "name": ".data", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "virtual_address": "0x0050b000", "size_of_data": "0x00002400", "entropy": "2.66", "raw_address": "0x00509e00", "virtual_size": "0x00014dec", "characteristics_raw": "0xc0000040" }, { "name": ".rsrc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00520000", "size_of_data": "0x00004400", "entropy": "5.29", "raw_address": "0x0050c200", "virtual_size": "0x001c53c0", "characteristics_raw": "0x40000040" }, { "name": ".reloc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "virtual_address": "0x006e6000", "size_of_data": "0x00002600", "entropy": "6.55", "raw_address": "0x00510600", "virtual_size": "0x0000246c", "characteristics_raw": "0x42000040" } ], "resources": [], "dirents": [ { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXPORT", "size": "0x00000000" }, { "virtual_address": "0x0050a01c", "name": "IMAGE_DIRECTORY_ENTRY_IMPORT", "size": "0x0000003c" }, { "virtual_address": "0x00520000", "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE", "size": "0x000043c0" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_SECURITY", "size": "0x00000000" }, { "virtual_address": "0x006e6000", "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC", "size": "0x0000246c" }, { "virtual_address": "0x00031230", "name": "IMAGE_DIRECTORY_ENTRY_DEBUG", "size": "0x00000038" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_TLS", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00031000", "name": "IMAGE_DIRECTORY_ENTRY_IAT", "size": "0x000001d4" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_RESERVED", "size": "0x00000000" } ], "exports": [], "guest_signers": {}, "imphash": "84b23d7a94e31adec3dd4f21570b43d3", "icon_fuzzy": null, "icon": null, "pdbpath": "C:\\wizol.pdb\\x00rypt_server\\runtime\\crypt\\tmp_139563554\\bin\\tifaduta.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xba\\x00\\x00\\x00\\xb9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xcd\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xd0\\x8e\\x90", "imported_dll_count": 2, "versioninfo": [] } } [*] Resolved APIs: [ "kernel32.dll.FlsAlloc", "kernel32.dll.FlsFree", "kernel32.dll.FlsGetValue", "kernel32.dll.FlsSetValue", "kernel32.dll.InitializeCriticalSectionEx", "kernel32.dll.CreateEventExW", "kernel32.dll.CreateSemaphoreExW", "kernel32.dll.SetThreadStackGuarantee", "kernel32.dll.CreateThreadpoolTimer", "kernel32.dll.SetThreadpoolTimer", "kernel32.dll.WaitForThreadpoolTimerCallbacks", "kernel32.dll.CloseThreadpoolTimer", "kernel32.dll.CreateThreadpoolWait", "kernel32.dll.SetThreadpoolWait", "kernel32.dll.CloseThreadpoolWait", "kernel32.dll.FlushProcessWriteBuffers", "kernel32.dll.FreeLibraryWhenCallbackReturns", "kernel32.dll.GetCurrentProcessorNumber", "kernel32.dll.GetLogicalProcessorInformation", "kernel32.dll.CreateSymbolicLinkW", "kernel32.dll.EnumSystemLocalesEx", "kernel32.dll.CompareStringEx", "kernel32.dll.GetDateFormatEx", "kernel32.dll.GetLocaleInfoEx", "kernel32.dll.GetTimeFormatEx", "kernel32.dll.GetUserDefaultLocaleName", "kernel32.dll.IsValidLocaleName", "kernel32.dll.LCMapStringEx", "kernel32.dll.GetTickCount64", "kernel32.dll.VirtualProtect", "kernel32.dll.LoadLibraryA", "kernel32.dll.VirtualAlloc", "kernel32.dll.VirtualFree", "kernel32.dll.GetVersionExA", "kernel32.dll.TerminateProcess", "kernel32.dll.ExitProcess", "kernel32.dll.SetErrorMode", "kernel32.dll.WriteFile", "kernel32.dll.WriteConsoleW", "kernel32.dll.WaitForSingleObject", "kernel32.dll.VirtualQuery", "kernel32.dll.SwitchToThread", "kernel32.dll.SetWaitableTimer", "kernel32.dll.SetUnhandledExceptionFilter", "kernel32.dll.SetProcessPriorityBoost", "kernel32.dll.SetEvent", "kernel32.dll.SetConsoleCtrlHandler", "kernel32.dll.LoadLibraryW", "kernel32.dll.GetSystemInfo", "kernel32.dll.GetSystemDirectoryA", "kernel32.dll.GetStdHandle", "kernel32.dll.GetQueuedCompletionStatus", "kernel32.dll.GetProcessAffinityMask", "kernel32.dll.GetProcAddress", "kernel32.dll.GetEnvironmentStringsW", "kernel32.dll.GetConsoleMode", "kernel32.dll.FreeEnvironmentStringsW", "kernel32.dll.DuplicateHandle", "kernel32.dll.CreateThread", "kernel32.dll.CreateIoCompletionPort", "kernel32.dll.CreateEventA", "kernel32.dll.CloseHandle", "kernel32.dll.AddVectoredExceptionHandler", "msvcr100.dll.atexit", "kernel32.dll.AddVectoredContinueHandler", "kernel32.dll.GetQueuedCompletionStatusEx", "kernel32.dll.LoadLibraryExA", "kernel32.dll.LoadLibraryExW", "advapi32.dll.SystemFunction036", "ntdll.dll.NtWaitForSingleObject", "winmm.dll.timeBeginPeriod", "winmm.dll.timeEndPeriod", "ws2_32.dll.WSAGetOverlappedResult", "cryptbase.dll.SystemFunction001", "cryptbase.dll.SystemFunction002", "cryptbase.dll.SystemFunction003", "cryptbase.dll.SystemFunction004", "cryptbase.dll.SystemFunction005", "cryptbase.dll.SystemFunction028", "cryptbase.dll.SystemFunction029", "cryptbase.dll.SystemFunction034", "cryptbase.dll.SystemFunction036", "cryptbase.dll.SystemFunction040", "cryptbase.dll.SystemFunction041", "kernel32.dll.SetHandleInformation", "kernel32.dll.GetSystemDirectoryW", "ws2_32.dll.WSAStartup", "kernel32.dll.CancelIoEx", "kernel32.dll.SetFileCompletionNotificationModes", "ws2_32.dll.WSAEnumProtocolsW", "kernel32.dll.GetCommandLineW", "kernel32.dll.GetEnvironmentVariableW", "ole32.dll.CoInitialize", "ole32.dll.CoInitializeEx", "ole32.dll.CoUninitialize", "ole32.dll.CoCreateInstance", "ole32.dll.CoTaskMemFree", "ole32.dll.CLSIDFromProgID", "ole32.dll.CLSIDFromString", "ole32.dll.StringFromCLSID", "ole32.dll.StringFromIID", "ole32.dll.IIDFromString", "ole32.dll.CoGetObject", "kernel32.dll.GetUserDefaultLCID", "kernel32.dll.RtlMoveMemory", "oleaut32.dll.VariantInit", "oleaut32.dll.VariantClear", "oleaut32.dll.VariantTimeToSystemTime", "oleaut32.dll.SysAllocString", "oleaut32.dll.SysAllocStringLen", "oleaut32.dll.SysFreeString", "oleaut32.dll.SysStringLen", "oleaut32.dll.CreateDispTypeInfo", "oleaut32.dll.CreateStdDispatch", "oleaut32.dll.GetActiveObject", "user32.dll.GetMessageW", "user32.dll.DispatchMessageW", "oleaut32.dll.SafeArrayAccessData", "oleaut32.dll.SafeArrayAllocData", "oleaut32.dll.SafeArrayAllocDescriptor", "oleaut32.dll.SafeArrayAllocDescriptorEx", "oleaut32.dll.SafeArrayCopy", "oleaut32.dll.SafeArrayCopyData", "oleaut32.dll.SafeArrayCreate", "oleaut32.dll.SafeArrayCreateEx", "oleaut32.dll.SafeArrayCreateVector", "oleaut32.dll.SafeArrayCreateVectorEx", "oleaut32.dll.SafeArrayDestroy", "oleaut32.dll.SafeArrayDestroyData", "oleaut32.dll.SafeArrayDestroyDescriptor", "oleaut32.dll.SafeArrayGetDim", "oleaut32.dll.SafeArrayGetElement", "oleaut32.dll.SafeArrayGetElemsize", "oleaut32.dll.SafeArrayGetIID", "oleaut32.dll.SafeArrayGetLBound", "oleaut32.dll.SafeArrayGetUBound", "oleaut32.dll.SafeArrayGetVartype", "oleaut32.dll.SafeArrayLock", "oleaut32.dll.SafeArrayPtrOfIndex", "oleaut32.dll.SafeArrayUnaccessData", "oleaut32.dll.SafeArrayUnlock", "oleaut32.dll.SafeArrayPutElement", "oleaut32.dll.SafeArrayGetRecordInfo", "oleaut32.dll.SafeArraySetRecordInfo", "kernel32.dll.WTSGetActiveConsoleSessionId", "kernel32.dll.FormatMessageW", "wtsapi32.dll.WTSQuerySessionInformationW", "winsta.dll.WinStationQueryInformationW", "advapi32.dll.LookupAccountSidW", "sechost.dll.LookupAccountSidLocalW", "advapi32.dll.CreateWellKnownSid", "rpcrt4.dll.RpcStringBindingComposeW", "rpcrt4.dll.RpcBindingFromStringBindingW", "rpcrt4.dll.RpcStringFreeW", "rpcrt4.dll.RpcBindingSetAuthInfoExW", "sechost.dll.LookupAccountNameLocalW", "rpcrt4.dll.NdrClientCall2", "rpcrt4.dll.I_RpcExceptionFilter", "rpcrt4.dll.RpcBindingFree", "advapi32.dll.LookupAccountNameW", "advapi32.dll.ConvertSidToStringSidW", "kernel32.dll.LocalFree", "kernel32.dll.GetModuleFileNameW", "kernel32.dll.SetCurrentDirectoryW", "advapi32.dll.RegCreateKeyExW", "advapi32.dll.RegCloseKey", "advapi32.dll.RegOpenKeyExW", "advapi32.dll.RegQueryValueExW", "advapi32.dll.RegSetValueExW", "uxtheme.dll.ThemeInitApiHook", "user32.dll.IsProcessDPIAware", "ole32.dll.CoGetClassObject", "ole32.dll.CoGetMarshalSizeMax", "ole32.dll.CoMarshalInterface", "ole32.dll.CoUnmarshalInterface", "ole32.dll.CoGetPSClsid", "ole32.dll.CoTaskMemAlloc", "ole32.dll.CoReleaseMarshalData", "ole32.dll.DcomChannelSetHResult", "wbemdisp.dll.DllGetClassObject", "wbemdisp.dll.DllCanUnloadNow", "advapi32.dll.DuplicateTokenEx", "oleaut32.dll.DllGetClassObject", "oleaut32.dll.DllCanUnloadNow", "sxs.dll.SxsOleAut32RedirectTypeLibrary", "advapi32.dll.RegOpenKeyW", "advapi32.dll.RegEnumKeyW", "advapi32.dll.RegQueryValueW", "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid", "oleaut32.dll.#2", "oleaut32.dll.#6", "kernel32.dll.GetThreadPreferredUILanguages", "kernel32.dll.SetThreadPreferredUILanguages", "kernel32.dll.LocaleNameToLCID", "kernel32.dll.LCIDToLocaleName", "kernel32.dll.GetSystemDefaultLocaleName", "oleaut32.dll.#283", "oleaut32.dll.#284", "oleaut32.dll.#500", "ntdll.dll.EtwUnregisterTraceGuids", "netapi32.dll.NetUserGetInfo", "netapi32.dll.NetApiBufferFree", "kernel32.dll.GetCurrentProcessId", "kernel32.dll.OpenProcess", "kernel32.dll.QueryFullProcessImageNameW", "kernel32.dll.CreateToolhelp32Snapshot", "kernel32.dll.Process32FirstW", "kernel32.dll.Process32NextW", "advapi32.dll.CryptAcquireContextW", "cryptsp.dll.CryptAcquireContextW", "advapi32.dll.CryptGenRandom", "cryptsp.dll.CryptGenRandom", "ws2_32.dll.GetAddrInfoW", "ws2_32.dll.FreeAddrInfoW", "ws2_32.dll.WSASocketW", "ws2_32.dll.setsockopt", "ws2_32.dll.bind", "ws2_32.dll.socket", "ws2_32.dll.WSAIoctl", "ws2_32.dll.getsockname", "ws2_32.dll.getpeername", "ws2_32.dll.WSASend", "ws2_32.dll.WSARecv", "crypt32.dll.CertCreateCertificateContext", "crypt32.dll.CertOpenStore", "crypt32.dll.CertAddCertificateContextToStore", "crypt32.dll.CertFreeCertificateContext", "crypt32.dll.CertCloseStore", "crypt32.dll.CertGetCertificateChain", "userenv.dll.GetUserProfileDirectoryW", "sechost.dll.ConvertSidToStringSidW", "sechost.dll.ConvertStringSidToSidW", "userenv.dll.RegisterGPNotification", "gpapi.dll.RegisterGPNotificationInternal", "sechost.dll.OpenSCManagerW", "sechost.dll.OpenServiceW", "sechost.dll.CloseServiceHandle", "sechost.dll.QueryServiceConfigW", "user32.dll.LoadStringW", "ncrypt.dll.BCryptOpenAlgorithmProvider", "bcryptprimitives.dll.GetHashInterface", "ncrypt.dll.BCryptGetProperty", "ncrypt.dll.BCryptCreateHash", "ncrypt.dll.BCryptHashData", "ncrypt.dll.BCryptFinishHash", "ncrypt.dll.BCryptDestroyHash", "cryptsp.dll.CryptAcquireContextA", "cryptsp.dll.CryptCreateHash", "cryptsp.dll.CryptHashData", "cryptsp.dll.CryptVerifySignatureA", "cryptsp.dll.CryptDestroyKey", "cryptsp.dll.CryptDestroyHash", "bcryptprimitives.dll.GetAsymmetricEncryptionInterface", "ncrypt.dll.BCryptImportKeyPair", "ncrypt.dll.BCryptVerifySignature", "ncrypt.dll.BCryptDestroyKey", "bcryptprimitives.dll.GetSignatureInterface", "crypt32.dll.CertVerifyCertificateChainPolicy", "crypt32.dll.CertFreeCertificateChain", "kernel32.dll.GetCurrentProcess", "advapi32.dll.OpenProcessToken", "advapi32.dll.GetTokenInformation", "advapi32.dll.OpenSCManagerW", "advapi32.dll.OpenServiceW", "advapi32.dll.QueryServiceConfigW", "advapi32.dll.QueryServiceStatusEx", "advapi32.dll.StartServiceW", "advapi32.dll.CloseServiceHandle", "kernel32.dll.GetTimeZoneInformation", "advapi32.dll.LookupPrivilegeValueW", "advapi32.dll.AdjustTokenPrivileges", "advapi32.dll.ImpersonateLoggedOnUser", "advapi32.dll.CreateProcessWithTokenW", "vssapi.dll.CreateWriter", "samcli.dll.NetLocalGroupGetMembers", "samlib.dll.SamConnect", "rpcrt4.dll.NdrClientCall3", "samlib.dll.SamOpenDomain", "samlib.dll.SamLookupNamesInDomain", "samlib.dll.SamOpenAlias", "samlib.dll.SamFreeMemory", "samlib.dll.SamCloseHandle", "samlib.dll.SamGetMembersInAlias", "netutils.dll.NetApiBufferFree", "ole32.dll.CoCreateGuid", "oleaut32.dll.#4", "oleaut32.dll.#7", "propsys.dll.VariantToPropVariant", "wbemcore.dll.Reinitialize", "wbemsvc.dll.DllGetClassObject", "wbemsvc.dll.DllCanUnloadNow", "authz.dll.AuthzInitializeContextFromToken", "authz.dll.AuthzInitializeObjectAccessAuditEvent2", "authz.dll.AuthzAccessCheck", "authz.dll.AuthzFreeAuditEvent", "authz.dll.AuthzFreeContext", "authz.dll.AuthzInitializeResourceManager", "authz.dll.AuthzFreeResourceManager", "rpcrt4.dll.RpcBindingCreateW", "rpcrt4.dll.RpcBindingBind", "rpcrt4.dll.I_RpcMapWin32Status", "advapi32.dll.EventRegister", "advapi32.dll.EventUnregister", "advapi32.dll.EventWrite", "kernel32.dll.RegCloseKey", "kernel32.dll.RegSetValueExW", "kernel32.dll.RegOpenKeyExW", "kernel32.dll.RegQueryValueExW", "wmisvc.dll.IsImproperShutdownDetected", "wevtapi.dll.EvtRender", "wevtapi.dll.EvtNext", "wevtapi.dll.EvtClose", "wevtapi.dll.EvtQuery", "wevtapi.dll.EvtCreateRenderContext", "rpcrt4.dll.RpcBindingSetOption", "ole32.dll.CoCreateFreeThreadedMarshaler", "ole32.dll.CreateStreamOnHGlobal", "cryptsp.dll.CryptReleaseContext", "kernelbase.dll.InitializeAcl", "kernelbase.dll.AddAce", "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW", "kernel32.dll.IsThreadAFiber", "advapi32.dll.InitiateSystemShutdownExW", "kernel32.dll.SortGetHandle", "kernel32.dll.SortCloseHandle", "ntmarta.dll.GetMartaExtensionInterface", "fastprox.dll.DllGetClassObject", "fastprox.dll.DllCanUnloadNow", "oleaut32.dll.#289", "oleaut32.dll.#287", "oleaut32.dll.#288", "oleaut32.dll.#290", "oleaut32.dll.#285", "winbrand.dll.BrandingLoadString", "security.dll.InitSecurityInterfaceW", "cryptsp.dll.SystemFunction035", "schannel.dll.SpUserModeInitialize", "user32.dll.GetSystemMetrics", "ntdll.dll.RtlInitUnicodeString", "ntdll.dll.RtlFreeUnicodeString", "ntdll.dll.NtSetSystemEnvironmentValue", "ntdll.dll.NtQuerySystemEnvironmentValue", "ntdll.dll.NtCreateFile", "ntdll.dll.NtQuerySystemInformation", "ntdll.dll.NtQueryDirectoryObject", "ntdll.dll.NtQueryObject", "ntdll.dll.NtOpenDirectoryObject", "ntdll.dll.NtQueryInformationProcess", "ntdll.dll.NtQueryInformationToken", "ntdll.dll.NtOpenFile", "ntdll.dll.NtClose", "ntdll.dll.NtFsControlFile", "ntdll.dll.NtQueryVolumeInformationFile", "netapi32.dll.NetGroupEnum", "netapi32.dll.NetGroupGetInfo", "netapi32.dll.NetGroupSetInfo", "netapi32.dll.NetLocalGroupGetInfo", "netapi32.dll.NetLocalGroupSetInfo", "netapi32.dll.NetGroupGetUsers", "netapi32.dll.NetLocalGroupGetMembers", "netapi32.dll.NetLocalGroupEnum", "netapi32.dll.NetShareEnum", "netapi32.dll.NetShareGetInfo", "netapi32.dll.NetShareAdd", "netapi32.dll.NetShareEnumSticky", "netapi32.dll.NetShareSetInfo", "netapi32.dll.NetShareDel", "netapi32.dll.NetShareDelSticky", "netapi32.dll.NetShareCheck", "netapi32.dll.NetUserEnum", "netapi32.dll.NetUserSetInfo", "netapi32.dll.NetQueryDisplayInformation", "netapi32.dll.NetServerSetInfo", "netapi32.dll.NetServerGetInfo", "netapi32.dll.NetGetDCName", "netapi32.dll.NetWkstaGetInfo", "netapi32.dll.NetGetAnyDCName", "netapi32.dll.NetServerEnum", "netapi32.dll.NetUserModalsGet", "netapi32.dll.NetScheduleJobAdd", "netapi32.dll.NetScheduleJobDel", "netapi32.dll.NetScheduleJobEnum", "netapi32.dll.NetScheduleJobGetInfo", "netapi32.dll.NetUseGetInfo", "netapi32.dll.NetEnumerateTrustedDomains", "netapi32.dll.DsGetDcNameW", "netapi32.dll.DsRoleGetPrimaryDomainInformation", "netapi32.dll.DsRoleFreeMemory", "netapi32.dll.NetRenameMachineInDomain", "netapi32.dll.NetJoinDomain", "netapi32.dll.NetUnjoinDomain", "wkscli.dll.NetWkstaGetInfo", "cscapi.dll.CscNetApiGetInterface", "kernel32.dll.GetDiskFreeSpaceExW", "kernel32.dll.GetVolumePathNameW", "kernel32.dll.Thread32First", "kernel32.dll.Thread32Next", "kernel32.dll.Process32First", "kernel32.dll.Process32Next", "kernel32.dll.Module32First", "kernel32.dll.Module32Next", "kernel32.dll.Heap32ListFirst", "kernel32.dll.GlobalMemoryStatusEx", "kernel32.dll.GetSystemDefaultUILanguage", "oleaut32.dll.#8", "oleaut32.dll.#15", "oleaut32.dll.#26", "oleaut32.dll.#9", "oleaut32.dll.#286", "wmi.dll.WmiQueryAllDataW", "wmi.dll.WmiQuerySingleInstanceW", "wmi.dll.WmiSetSingleItemW", "wmi.dll.WmiSetSingleInstanceW", "wmi.dll.WmiExecuteMethodW", "wmi.dll.WmiNotificationRegistrationW", "wmi.dll.WmiMofEnumerateResourcesW", "wmi.dll.WmiFileHandleToInstanceNameW", "wmi.dll.WmiDevInstToInstanceNameW", "wmi.dll.WmiQueryGuidInformation", "wmi.dll.WmiOpenBlock", "wmi.dll.WmiCloseBlock", "wmi.dll.WmiFreeBuffer", "wmi.dll.WmiEnumerateGuids", "devobj.dll.DevObjCreateDeviceInfoList", "devobj.dll.DevObjGetClassDevs", "devobj.dll.DevObjEnumDeviceInfo", "devobj.dll.DevObjDestroyDeviceInfoList", "setupapi.dll.CM_Open_DevNode_Key_Ex", "devobj.dll.DevObjGetDeviceProperty", "cfgmgr32.dll.CM_Connect_MachineA", "cfgmgr32.dll.CM_Disconnect_Machine", "cfgmgr32.dll.CM_Locate_DevNodeW", "cfgmgr32.dll.CM_Get_DevNode_Registry_PropertyW", "cfgmgr32.dll.CM_Get_Child", "cfgmgr32.dll.CM_Get_Sibling", "cfgmgr32.dll.CM_Get_DevNode_Status", "cfgmgr32.dll.CM_Get_First_Log_Conf", "cfgmgr32.dll.CM_Get_Next_Res_Des", "cfgmgr32.dll.CM_Get_Res_Des_Data", "cfgmgr32.dll.CM_Get_Res_Des_Data_Size", "cfgmgr32.dll.CM_Free_Log_Conf_Handle", "cfgmgr32.dll.CM_Free_Res_Des_Handle", "cfgmgr32.dll.CM_Get_Device_IDA", "cfgmgr32.dll.CM_Get_Device_ID_Size", "cfgmgr32.dll.CM_Get_Parent", "user32.dll.MonitorFromWindow", "user32.dll.MonitorFromRect", "user32.dll.MonitorFromPoint", "user32.dll.EnumDisplayMonitors", "user32.dll.EnumDisplayDevicesW", "user32.dll.GetMonitorInfoW", "dxgi.dll.DXGIReportAdapterConfiguration", "setupapi.dll.SetupDiGetClassDevsW", "setupapi.dll.SetupDiEnumDeviceInterfaces", "setupapi.dll.SetupDiGetDeviceInterfaceDetailW", "setupapi.dll.SetupDiDestroyDeviceInfoList", "gdi32.dll.D3DKMTOpenAdapterFromDeviceName", "gdi32.dll.D3DKMTQueryAdapterInfo", "gdi32.dll.D3DKMTGetDisplayModeList", "gdi32.dll.D3DKMTCloseAdapter", "wintrust.dll.WinVerifyTrust", "wdscore.dll.WdsSetupLogInit", "wdscore.dll.WdsGenericSetupLogInit", "wdscore.dll.WdsSetupLogDestroy", "wdscore.dll.WdsSetupLogMessageA", "wdscore.dll.ConstructPartialMsgVA", "wdscore.dll.CurrentIP", "cbscore.dll.CbsCoreInitialize", "cbscore.dll.CbsCoreInitializeDelayedPortion", "cbscore.dll.CbsCoreStartupProcessing", "cbscore.dll.CbsCoreEnsureNoStartupProcessing", "cbscore.dll.CbsCoreShutdownProcessing", "cbscore.dll.CbsCoreFinalize", "cbscore.dll.CbsCoreServiceIdleProcessing", "cbscore.dll.CbsCoreSetState", "cbscore.dll.CbsCoreUnregisterWinlogonNotification", "cbscore.dll.CbsCoreIsExecutionEngineIdle", "cbscore.dll.CbsCorePrepareShutdownProcessing", "cbscore.dll.CbsCoreFinalizeShutdownProcessing", "ktmw32.dll.CreateTransaction", "ktmw32.dll.CommitTransaction", "ktmw32.dll.RollbackTransaction", "dpx.dll.DpxNewJob", "wcp.dll.SetIsolationIMalloc", "wcp.dll.GetIdentityAuthority", "wcp.dll.GetSystemStore", "wcp.dll.OpenExistingOfflineStore", "wcp.dll.WcpInitialize", "wcp.dll.WcpShutdown", "wcp.dll.WcpSetErrorReportCallback", "ntdll.dll.EtwRegisterTraceGuidsW", "ntdll.dll.EtwGetTraceLoggerHandle", "ntdll.dll.EtwLogTraceEvent", "drupdate.dll.DriverUpdateOpenContext", "drupdate.dll.DriverUpdateCloseContext", "drupdate.dll.DriverUpdateStageUpdates", "drupdate.dll.DriverUpdateUnstageUpdates", "drupdate.dll.DriverUpdateInstallUpdates", "drupdate.dll.DriverUpdateUninstallUpdates", "drupdate.dll.DriverUpdateEnableDeviceInstall", "cfgmgr32.dll.CMP_WaitNoPendingInstallEvents", "cfgmgr32.dll.CMP_GetServerSideDeviceInstallFlags", "srclient.dll.SRSetRestorePointW", "wcp.dll.RtlReportErrorOrigination", "wcp.dll.RtlReportErrorPropagation", "wcp.dll.ConvertHResultToNtStatus", "wcp.dll.ConvertNtStatusToHResult", "wcp.dll.RtlRegisterErrorOriginationCallback", "wcp.dll.CreateNewOfflineStore", "wcp.dll.CreateNewPseudoWindows", "wcp.dll.GetAppIdAuthority", "wcp.dll.ParseManifest", "wcp.dll.ParseManifestFromXML", "wcp.dll.RtlGetCharacterSetEncoder", "wcp.dll.RtlGetCharacterSetDecoder", "wcp.dll.RtlCreateCdfBuilder", "wcp.dll.RtlAllocateLBlob", "wcp.dll.RtlAllocateLUnicodeString", "wcp.dll.RtlAllocateLUtf8String", "wcp.dll.RtlAllocateUnicodeString", "wcp.dll.RtlAppendLBlobToLBlob", "wcp.dll.RtlAppendLUnicodeStringToLUnicodeString", "wcp.dll.RtlAppendLUtf8StringToLUtf8String", "wcp.dll.RtlAppendUcsCharacterToLUnicodeString", "wcp.dll.RtlAppendUcsCharactersToLUnicodeString", "wcp.dll.RtlAppendUcsCharacterToLUtf8String", "wcp.dll.RtlLengthOfUcsCharacterEncodedAsUtf8", "wcp.dll.RtlBase64EncodeLBlobToLUnicodeString", "wcp.dll.RtlBase64EncodeLBlobToLUtf8String", "wcp.dll.RtlCalculateUtf16StringLengthFromLUtf8String", "wcp.dll.RtlCommitSmartLBlobUcsWritingContext", "wcp.dll.RtlCommitSmartLBlobWritingContext", "wcp.dll.RtlCompareEncodedLBlobs", "wcp.dll.RtlCompareLUnicodeStrings", "wcp.dll.RtlCompareLUtf8Strings", "wcp.dll.RtlCompareLUtf8StringToLUnicodeString", "wcp.dll.RtlConcatenateLUnicodeStrings", "wcp.dll.RtlConcatenateLUtf8Strings", "wcp.dll.RtlConvertNtFilePathToWin32FilePath", "wcp.dll.RtlSplitWin32RegistryPathIntoRootAndLeaves", "wcp.dll.RtlConvertNtRegistryPathToWin32RegistryPath", "wcp.dll.RtlConvertWin32FilePathToNtFilePath", "wcp.dll.RtlConvertWin32RegistryPathToNtRegistryPath", "wcp.dll.RtlCopyLBlob", "wcp.dll.RtlCopyLUnicodeString", "wcp.dll.RtlCopyLUtf8StringToLUnicodeString", "wcp.dll.RtlCreateCdfEx", "wcp.dll.RtlCreateComponentStore", "wcp.dll.RtlCreateMicrodom", "wcp.dll.RtlShutdownMicrodomSystem", "wcp.dll.RtlCreateDefaultMicrodomXmlWriter", "wcp.dll.RtlCreateDefaultXmlWriter", "wcp.dll.RtlCreateFilteringMicrodomWriter", "wcp.dll.RtlCreateUtf8UCSStringBuilder", "wcp.dll.RtlCreateUtf16LEUCSStringBuilder", "wcp.dll.RtlDecodeBase64LUnicodeStringToLBlob", "wcp.dll.RtlDecodeBase64LUtf8StringToLBlob", "wcp.dll.RtlDecodeUtf16LE", "wcp.dll.RtlDecodeUtf8", "wcp.dll.RtlDetermineTranscodedLBlobSize", "wcp.dll.RtlDoesLUnicodeStringMatchExpression", "wcp.dll.RtlDowncaseUCSCharacter", "wcp.dll.RtlDuplicateCountedStringToLUnicodeString", "wcp.dll.RtlDuplicateLBlob", "wcp.dll.RtlDuplicateLUnicodeString", "wcp.dll.RtlDuplicateLUtf8String", "wcp.dll.RtlDuplicateLUtf8StringToLUnicodeString", "wcp.dll.RtlDuplicateLUnicodeStringToLUtf8String", "wcp.dll.RtlDuplicateNullTerminatedStringToLUnicodeString", "wcp.dll.RtlEncodeUtf16LE", "wcp.dll.RtlEncodeUtf8", "wcp.dll.RtlEqualLUnicodeStrings", "wcp.dll.RtlEqualLUtf8Strings", "wcp.dll.RtlEqualLUnicodeStringPrefix", "wcp.dll.RtlEqualLUnicodeStringSuffix", "wcp.dll.RtlFinalizeSmartLBlobUcsWritingContext", "wcp.dll.RtlFinalizeSmartLBlobWritingContext", "wcp.dll.RtlInitializeSmartLUnicodeStringWritingContext", "wcp.dll.RtlFreeLBlob", "wcp.dll.RtlFreeLUnicodeString", "wcp.dll.RtlFreeLUtf8String", "wcp.dll.RtlDeallocateUnicodeString", "wcp.dll.RtlGetAppIdAuthority", "wcp.dll.RtlGetEncodingSizeUtf8", "wcp.dll.RtlGetEncodingSizeUtf16", "wcp.dll.RtlGetEncodingSizeUtf32", "wcp.dll.RtlGetEncodingSizeUcs2", "wcp.dll.RtlGetEncodingSizeUcs4", "wcp.dll.RtlGetHashAlgorithmHashLength", "wcp.dll.RtlGetIdentityAuthority", "wcp.dll.RtlGetSystem", "wcp.dll.RtlHashEncodedLBlob", "wcp.dll.RtlHashLBlob", "wcp.dll.RtlHashLUnicodeString", "wcp.dll.RtlHashLUtf8String", "wcp.dll.RtlInitializeSmartLBlobWritingContext", "wcp.dll.RtlInitLUnicodeStringFromNullTerminatedString", "wcp.dll.RtlInitLUnicodeStringFromUnicodeString", "wcp.dll.RtlInitUnicodeStringFromLUnicodeString", "wcp.dll.RtlIsLBlobValid", "wcp.dll.RtlIsLUnicodeStringValid", "wcp.dll.RtlIsLUtf8StringValid", "wcp.dll.RtlIsUnicodeStringValid", "wcp.dll.RtlMatchLUnicodeStringAgainstList", "wcp.dll.RtlMatchLUnicodeStringAgainstLUtf8StringList", "wcp.dll.RtlMatchLUnicodeStringAgainstLUtf8StringPointerList", "wcp.dll.RtlMatchLUnicodeStringAgainstPointerList", "wcp.dll.RtlMatchLUtf8StringAgainstList", "wcp.dll.RtlMatchLUtf8StringAgainstLUnicodeStringList", "wcp.dll.RtlMatchLUtf8StringAgainstLUnicodeStringPointerList", "wcp.dll.RtlMatchLUtf8StringAgainstPointerList", "wcp.dll.RtlParseManifestMicrodomIntoCdf", "wcp.dll.RtlPreInitializeSmartLBlobUcsWritingContext", "wcp.dll.RtlPreInitializeSmartLBlobWritingContext", "wcp.dll.RtlReallocateLBlob", "wcp.dll.RtlReallocateLUnicodeString", "wcp.dll.RtlReallocateUnicodeString", "wcp.dll.RtlRunPrimitiveOperationsInXmlAgainstSil", "wcp.dll.RtlRunPrimitiveOperationsInXml", "wcp.dll.RtlSplitEncodedLBlob", "wcp.dll.RtlSplitLUnicodeString", "wcp.dll.RtlSplitLUtf8String", "wcp.dll.RtlTranscodeLBlobs", "wcp.dll.RtlUpcaseUCSCharacter", "wcp.dll.RtlWcpDllDebugEntrypoint", "wcp.dll.RtlWriteDataIntoSmartLBlobWritingContext", "wcp.dll.RtlWriteDecodedUcsDataIntoSmartLBlobUcsWritingContext", "wcp.dll.CreateCdfFromBinary", "wcp.dll.RtlDetermineFilteredLUnicodeStringLength", "wcp.dll.RtlFilterLUnicodeString", "wcp.dll.RtlSmartMultiUcsEncoder_Utf16LE", "wcp.dll.RtlSmartUcsEncoder_Utf16LE", "wcp.dll.RtlSmartMultiUcsEncoder_Utf8", "wcp.dll.RtlSmartUcsEncoder_Utf8", "wcp.dll.RtlWriteUcsDataIntoSmartLBlobUcsWritingContext", "wcp.dll.RtlCreateCdf", "wcp.dll.RtlDuplicateAnsiStringToLUnicodeString", "wcp.dll.RtlDuplicateCountedAnsiStringToLUnicodeString", "wcp.dll.RtlDuplicateNullTerminatedAnsiStringToLUnicodeString", "wcp.dll.InitializeCSI_BROKEN_COMPONENT", "wcp.dll.FreeAndZeroCSI_BROKEN_COMPONENT", "wcp.dll.InitializeCSI_REPAIRED_COMPONENT", "wcp.dll.FreeAndZeroCSI_REPAIRED_COMPONENT", "wcp.dll.RtlDecodeLUtf8StringToCharacter", "wcp.dll.RtlDuplicateUnicodeStringToLUnicodeString", "wcp.dll.RtlWriteMicrodomXml", "wrpint.dll.SfpInitialize", "sxsstore.dll.SxsStoreInitialize", "sxsstore.dll.SxsStoreFinalize", "sqmapi.dll.SqmIsWindowsOptedIn", "sqmapi.dll.SqmStartUpload", "sensapi.dll.IsNetworkAlive", "ntdll.dll.NtCreateKeyTransacted", "ntdll.dll.NtOpenKeyTransacted", "ntdll.dll.NtOpenKeyEx", "ntdll.dll.NtOpenKeyTransactedEx", "ntdll.dll.NtCreateTransaction", "ntdll.dll.NtCommitTransaction", "ntdll.dll.NtRollbackTransaction", "ntdll.dll.RtlSetCurrentTransaction", "ntdll.dll.RtlGetCurrentTransaction", "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint", "dwmapi.dll.DwmIsCompositionEnabled", "rpcrt4.dll.UuidFromStringW", "radarrs.dll.WdiDiagnosticModuleMain", "radarrs.dll.WdiHandleInstance", "radarrs.dll.WdiGetDiagnosticModuleInterfaceVersion", "comctl32.dll.LoadIconWithScaleDown", "ntdll.dll.RtlRunEncodeUnicodeString", "ntdll.dll.RtlRunDecodeUnicodeString", "duser.dll.InitGadgets", "user32.dll.RegisterMessagePumpHook", "uxtheme.dll.IsThemeActive", "duser.dll.CreateGadget", "duser.dll.SetGadgetMessageFilter", "duser.dll.SetGadgetStyle", "duser.dll.SetGadgetRootInfo", "uxtheme.dll.IsAppThemed", "uxtheme.dll.GetThemeAppProperties", "xmllite.dll.CreateXmlReader", "xmllite.dll.CreateXmlReaderInputWithEncodingName", "uxtheme.dll.OpenThemeData", "uxtheme.dll.GetThemeMargins", "uxtheme.dll.GetThemeFont", "uxtheme.dll.GetThemeColor", "uxtheme.dll.GetThemeMetric", "duser.dll.SetGadgetParent", "duser.dll.GetDUserModule", "duser.dll.FindStdColor", "duser.dll.AttachWndProcW", "comctl32.dll.RegisterClassNameW", "duser.dll.GetGadgetRect", "duser.dll.GetGadgetRgn", "duser.dll.GetGadgetTicket", "gdi32.dll.GetLayout", "gdi32.dll.GdiRealizationInfo", "gdi32.dll.FontIsLinked", "advapi32.dll.RegQueryInfoKeyW", "gdi32.dll.GetTextFaceAliasW", "advapi32.dll.RegEnumValueW", "gdi32.dll.GetFontAssocStatus", "advapi32.dll.RegQueryValueExA", "advapi32.dll.RegEnumKeyExW", "gdi32.dll.GdiIsMetaPrintDC", "uxtheme.dll.EnableThemeDialogTexture", "uxtheme.dll.GetThemeBool", "duser.dll.InvalidateGadget", "duser.dll.GetGadgetFocus", "uxtheme.dll.GetThemeBackgroundContentRect", "uxtheme.dll.GetThemeTextExtent", "uxtheme.dll.GetThemeBackgroundExtent", "uxtheme.dll.CloseThemeData", "ole32.dll.CoRegisterInitializeSpy", "ole32.dll.CoRevokeInitializeSpy", "duser.dll.SetGadgetFocus", "duser.dll.DUserSendEvent", "duser.dll.SetGadgetRect", "uxtheme.dll.#47", "uxtheme.dll.BufferedPaintInit", "uxtheme.dll.BeginBufferedPaint", "uxtheme.dll.BufferedPaintRenderAnimation", "uxtheme.dll.GetThemeTransitionDuration", "uxtheme.dll.BeginBufferedAnimation", "uxtheme.dll.IsThemeBackgroundPartiallyTransparent", "uxtheme.dll.DrawThemeParentBackground", "uxtheme.dll.DrawThemeBackground", "uxtheme.dll.DrawThemeText", "uxtheme.dll.EndBufferedAnimation", "uxtheme.dll.GetBufferedPaintDC", "uxtheme.dll.GetBufferedPaintTargetDC", "uxtheme.dll.EndBufferedPaint", "duser.dll.ForwardGadgetMessage", "duser.dll.SetGadgetFocusEx", "uxtheme.dll.BufferedPaintStopAllAnimations", "uxtheme.dll.BufferedPaintUnInit", "duser.dll.DisableContainerHwnd", "duser.dll.DUserFlushMessages", "duser.dll.DUserFlushDeferredMessages", "duser.dll.DeleteHandle", "user32.dll.UnregisterMessagePumpHook" ] [*] Static Analysis: { "pe": { "peid_signatures": null, "imports": [ { "imports": [ { "name": "HeapReAlloc", "address": "0x431000" }, { "name": "GetNativeSystemInfo", "address": "0x431004" }, { "name": "GetDriveTypeW", "address": "0x431008" }, { "name": "GetProfileIntW", "address": "0x43100c" }, { "name": "GetProfileStringW", "address": "0x431010" }, { "name": "WaitForSingleObject", "address": "0x431014" }, { "name": "SetTapeParameters", "address": "0x431018" }, { "name": "GetModuleHandleW", "address": "0x43101c" }, { "name": "ExpandEnvironmentStringsA", "address": "0x431020" }, { "name": "WaitNamedPipeW", "address": "0x431024" }, { "name": "EnumTimeFormatsA", "address": "0x431028" }, { "name": "GetSystemDirectoryW", "address": "0x43102c" }, { "name": "LoadLibraryW", "address": "0x431030" }, { "name": "FormatMessageW", "address": "0x431034" }, { "name": "GetStringTypeExW", "address": "0x431038" }, { "name": "IsBadWritePtr", "address": "0x43103c" }, { "name": "GetModuleFileNameW", "address": "0x431040" }, { "name": "CreateMailslotW", "address": "0x431044" }, { "name": "WritePrivateProfileStringW", "address": "0x431048" }, { "name": "ReplaceFileA", "address": "0x43104c" }, { "name": "EnumSystemLocalesA", "address": "0x431050" }, { "name": "GetLastError", "address": "0x431054" }, { "name": "GetLongPathNameW", "address": "0x431058" }, { "name": "GetProcAddress", "address": "0x43105c" }, { "name": "MoveFileW", "address": "0x431060" }, { "name": "GetFirmwareEnvironmentVariableW", "address": "0x431064" }, { "name": "DefineDosDeviceA", "address": "0x431068" }, { "name": "LocalAlloc", "address": "0x43106c" }, { "name": "FindFirstVolumeMountPointW", "address": "0x431070" }, { "name": "HeapLock", "address": "0x431074" }, { "name": "WaitForMultipleObjects", "address": "0x431078" }, { "name": "GetVolumePathNamesForVolumeNameA", "address": "0x43107c" }, { "name": "GetDefaultCommConfigA", "address": "0x431080" }, { "name": "SetLocaleInfoW", "address": "0x431084" }, { "name": "DeleteCriticalSection", "address": "0x431088" }, { "name": "MoveFileWithProgressW", "address": "0x43108c" }, { "name": "GetStringTypeW", "address": "0x431090" }, { "name": "ReadConsoleW", "address": "0x431094" }, { "name": "ReadFile", "address": "0x431098" }, { "name": "OutputDebugStringW", "address": "0x43109c" }, { "name": "EnumSystemLocalesW", "address": "0x4310a0" }, { "name": "GetUserDefaultLCID", "address": "0x4310a4" }, { "name": "IsValidLocale", "address": "0x4310a8" }, { "name": "GetLocaleInfoW", "address": "0x4310ac" }, { "name": "HeapFree", "address": "0x4310b0" }, { "name": "EncodePointer", "address": "0x4310b4" }, { "name": "DecodePointer", "address": "0x4310b8" }, { "name": "GetCommandLineA", "address": "0x4310bc" }, { "name": "RaiseException", "address": "0x4310c0" }, { "name": "RtlUnwind", "address": "0x4310c4" }, { "name": "IsDebuggerPresent", "address": "0x4310c8" }, { "name": "IsProcessorFeaturePresent", "address": "0x4310cc" }, { "name": "EnterCriticalSection", "address": "0x4310d0" }, { "name": "LeaveCriticalSection", "address": "0x4310d4" }, { "name": "GetStdHandle", "address": "0x4310d8" }, { "name": "GetFileType", "address": "0x4310dc" }, { "name": "GetStartupInfoW", "address": "0x4310e0" }, { "name": "GetProcessHeap", "address": "0x4310e4" }, { "name": "HeapAlloc", "address": "0x4310e8" }, { "name": "FlushFileBuffers", "address": "0x4310ec" }, { "name": "WriteFile", "address": "0x4310f0" }, { "name": "WideCharToMultiByte", "address": "0x4310f4" }, { "name": "GetConsoleCP", "address": "0x4310f8" }, { "name": "GetConsoleMode", "address": "0x4310fc" }, { "name": "FatalAppExitA", "address": "0x431100" }, { "name": "ExitProcess", "address": "0x431104" }, { "name": "GetModuleHandleExW", "address": "0x431108" }, { "name": "AreFileApisANSI", "address": "0x43110c" }, { "name": "MultiByteToWideChar", "address": "0x431110" }, { "name": "HeapSize", "address": "0x431114" }, { "name": "CloseHandle", "address": "0x431118" }, { "name": "SetLastError", "address": "0x43111c" }, { "name": "GetCurrentThread", "address": "0x431120" }, { "name": "GetCurrentThreadId", "address": "0x431124" }, { "name": "GetModuleFileNameA", "address": "0x431128" }, { "name": "QueryPerformanceCounter", "address": "0x43112c" }, { "name": "GetCurrentProcessId", "address": "0x431130" }, { "name": "GetSystemTimeAsFileTime", "address": "0x431134" }, { "name": "GetEnvironmentStringsW", "address": "0x431138" }, { "name": "FreeEnvironmentStringsW", "address": "0x43113c" }, { "name": "UnhandledExceptionFilter", "address": "0x431140" }, { "name": "SetUnhandledExceptionFilter", "address": "0x431144" }, { "name": "InitializeCriticalSectionAndSpinCount", "address": "0x431148" }, { "name": "CreateEventW", "address": "0x43114c" }, { "name": "Sleep", "address": "0x431150" }, { "name": "GetCurrentProcess", "address": "0x431154" }, { "name": "TerminateProcess", "address": "0x431158" }, { "name": "TlsAlloc", "address": "0x43115c" }, { "name": "TlsGetValue", "address": "0x431160" }, { "name": "TlsSetValue", "address": "0x431164" }, { "name": "TlsFree", "address": "0x431168" }, { "name": "GetTickCount", "address": "0x43116c" }, { "name": "CreateSemaphoreW", "address": "0x431170" }, { "name": "IsValidCodePage", "address": "0x431174" }, { "name": "GetACP", "address": "0x431178" }, { "name": "GetOEMCP", "address": "0x43117c" }, { "name": "GetCPInfo", "address": "0x431180" }, { "name": "SetFilePointerEx", "address": "0x431184" }, { "name": "SetStdHandle", "address": "0x431188" }, { "name": "WriteConsoleW", "address": "0x43118c" }, { "name": "SetConsoleCtrlHandler", "address": "0x431190" }, { "name": "FreeLibrary", "address": "0x431194" }, { "name": "LoadLibraryExW", "address": "0x431198" }, { "name": "GetDateFormatW", "address": "0x43119c" }, { "name": "GetTimeFormatW", "address": "0x4311a0" }, { "name": "CompareStringW", "address": "0x4311a4" }, { "name": "LCMapStringW", "address": "0x4311a8" }, { "name": "CreateFileW", "address": "0x4311ac" } ], "dll": "KERNEL32.dll" }, { "imports": [ { "name": "DrawIcon", "address": "0x4311b4" }, { "name": "CharPrevA", "address": "0x4311b8" }, { "name": "GetScrollBarInfo", "address": "0x4311bc" }, { "name": "SetWindowLongA", "address": "0x4311c0" }, { "name": "EnableMenuItem", "address": "0x4311c4" }, { "name": "DeferWindowPos", "address": "0x4311c8" }, { "name": "GetMessageTime", "address": "0x4311cc" } ], "dll": "USER32.dll" } ], "digital_signers": null, "exported_dll_name": null, "actual_checksum": "0x0051d5b6", "overlay": null, "imagebase": "0x00400000", "reported_checksum": "0x0051d5b6", "icon_hash": null, "entrypoint": "0x00409387", "timestamp": "2018-02-02 12:28:41", "osversion": "5.1", "sections": [ { "name": ".text", "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", "virtual_address": "0x00001000", "size_of_data": "0x0002fe00", "entropy": "6.74", "raw_address": "0x00000400", "virtual_size": "0x0002fcfd", "characteristics_raw": "0x60000020" }, { "name": ".rdata", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00031000", "size_of_data": "0x004d9c00", "entropy": "6.06", "raw_address": "0x00030200", "virtual_size": "0x004d9ac8", "characteristics_raw": "0x40000040" }, { "name": ".data", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "virtual_address": "0x0050b000", "size_of_data": "0x00002400", "entropy": "2.66", "raw_address": "0x00509e00", "virtual_size": "0x00014dec", "characteristics_raw": "0xc0000040" }, { "name": ".rsrc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00520000", "size_of_data": "0x00004400", "entropy": "5.29", "raw_address": "0x0050c200", "virtual_size": "0x001c53c0", "characteristics_raw": "0x40000040" }, { "name": ".reloc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "virtual_address": "0x006e6000", "size_of_data": "0x00002600", "entropy": "6.55", "raw_address": "0x00510600", "virtual_size": "0x0000246c", "characteristics_raw": "0x42000040" } ], "resources": [], "dirents": [ { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXPORT", "size": "0x00000000" }, { "virtual_address": "0x0050a01c", "name": "IMAGE_DIRECTORY_ENTRY_IMPORT", "size": "0x0000003c" }, { "virtual_address": "0x00520000", "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE", "size": "0x000043c0" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_SECURITY", "size": "0x00000000" }, { "virtual_address": "0x006e6000", "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC", "size": "0x0000246c" }, { "virtual_address": "0x00031230", "name": "IMAGE_DIRECTORY_ENTRY_DEBUG", "size": "0x00000038" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_TLS", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00031000", "name": "IMAGE_DIRECTORY_ENTRY_IAT", "size": "0x000001d4" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_RESERVED", "size": "0x00000000" } ], "exports": [], "guest_signers": {}, "imphash": "84b23d7a94e31adec3dd4f21570b43d3", "icon_fuzzy": null, "icon": null, "pdbpath": "C:\\wizol.pdb\\x00rypt_server\\runtime\\crypt\\tmp_139563554\\bin\\tifaduta.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xba\\x00\\x00\\x00\\xb9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xcd\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xd0\\x8e\\x90", "imported_dll_count": 2, "versioninfo": [] } }