Analysis

Category Package Started Completed Duration Options Log
FILE Extraction 2019-02-11 18:50:54 2019-02-11 18:54:37 223 seconds
route = internet
procdump = 0
2019-02-11 18:50:55,015 [root] INFO: Date set to: 02-11-19, time set to: 18:50:55, timeout set to: 200
2019-02-11 18:50:55,062 [root] DEBUG: Starting analyzer from: C:\aaqhws
2019-02-11 18:50:55,062 [root] DEBUG: Storing results at: C:\nbzrHZAwu
2019-02-11 18:50:55,062 [root] DEBUG: Pipe server name: \\.\PIPE\VnzIIKqN
2019-02-11 18:50:55,062 [root] INFO: Analysis package "Extraction" has been specified.
2019-02-11 18:50:56,216 [root] DEBUG: Started auxiliary module Browser
2019-02-11 18:50:56,216 [root] DEBUG: Started auxiliary module Curtain
2019-02-11 18:50:56,216 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-02-11 18:50:56,216 [root] DEBUG: Started auxiliary module DigiSig
2019-02-11 18:50:56,216 [root] DEBUG: Started auxiliary module Disguise
2019-02-11 18:50:56,216 [root] DEBUG: Started auxiliary module Human
2019-02-11 18:50:56,216 [root] DEBUG: Started auxiliary module Screenshots
2019-02-11 18:50:56,232 [root] DEBUG: Started auxiliary module Sysmon
2019-02-11 18:50:56,232 [root] DEBUG: Started auxiliary module Usage
2019-02-11 18:50:56,232 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-02-11 18:50:56,232 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2019-02-11 18:50:56,434 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\wknNsu5ogbM.exe" with arguments "" with pid 1544
2019-02-11 18:50:56,434 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 18:50:56,450 [lib.api.process] INFO: 32-bit DLL to inject is C:\aaqhws\dll\khPFswO.dll, loader C:\aaqhws\bin\nGLCPdi.exe
2019-02-11 18:50:56,466 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1544
2019-02-11 18:50:58,477 [lib.api.process] INFO: Successfully resumed process with pid 1544
2019-02-11 18:50:58,477 [root] INFO: Added new process to list with pid: 1544
2019-02-11 18:50:58,572 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-02-11 18:50:58,572 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x300000
2019-02-11 18:50:58,572 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 18:50:58,618 [root] INFO: Monitor successfully loaded in process with pid 1544.
2019-02-11 18:50:58,634 [root] DEBUG: ProtectionHandler: Address: 0x401000, RegionSize: 0x1b8000
2019-02-11 18:50:58,634 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x5b9000.
2019-02-11 18:50:58,634 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-02-11 18:50:58,650 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:50:58,650 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-02-11 18:50:58,650 [root] DEBUG: DumpProcess: Module entry point VA is 0x61a001
2019-02-11 18:50:58,680 [root] INFO: Added new CAPE file to list with path: C:\aaqhws\CAPE\1544_65058302211122019
2019-02-11 18:50:58,680 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:50:58,680 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-02-11 18:50:58,680 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x5b9000.
2019-02-11 18:50:58,680 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 18:50:58,680 [root] DEBUG: ProtectionHandler: Address: 0x5b9000, RegionSize: 0x4000
2019-02-11 18:50:58,697 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x5bd000.
2019-02-11 18:50:58,697 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-02-11 18:50:58,697 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 18:50:58,697 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-02-11 18:50:58,697 [root] DEBUG: DumpProcess: Module entry point VA is 0x61a001
2019-02-11 18:50:58,711 [root] INFO: Added new CAPE file to list with path: C:\aaqhws\CAPE\1544_69758302211122019
2019-02-11 18:50:58,711 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 18:50:58,711 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-02-11 18:50:58,711 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x5bd000.
2019-02-11 18:50:58,711 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 18:50:58,930 [root] INFO: Disabling sleep skipping.
2019-02-11 18:54:20,265 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-02-11 18:54:20,265 [root] INFO: Created shutdown mutex.
2019-02-11 18:54:21,279 [root] INFO: Setting terminate event for process 1544.
2019-02-11 18:54:21,792 [root] INFO: Shutting down package.
2019-02-11 18:54:21,792 [root] INFO: Stopping auxiliary modules.
2019-02-11 18:54:21,792 [root] INFO: Finishing auxiliary modules.
2019-02-11 18:54:21,792 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-02-11 18:54:21,792 [root] INFO: Analysis completed.

MalScore

2.5

Suspicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-02-11 18:50:54 2019-02-11 18:54:37

File Details

File Name 299c58650d0fcd7f281e316d5585faab.exe
File Size 710656 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 299c58650d0fcd7f281e316d5585faab
SHA1 79b485580bbb72f6bcbb2248458381b4a4809ecc
SHA256 2257c495901da6125d0435514be4a52d3a551c0fc0ba3e08346a147ed8b880e8
SHA512 bcafe53c54782b23d08aa0f124e411d982c666fdaf44c0103dfe149978a6fd6d039b974ca231d72aa914d5700a09db87300a6fdd0fd779cc643db0c2227c5f6c
CRC32 CC00ABEF
Ssdeep 12288:vGzxX4a3+rAnPC8BLptsxl2HKhxg+3pJPUvpO/2zYJeRaUzzY:kp4kiASCMpJ0pO/Rgng
TrID
  • 35.7% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 16.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  • 16.0% (.EXE) OS/2 Executable (generic) (2029/13)
  • 15.8% (.EXE) Generic Win/DOS Executable (2002/3)
  • 15.8% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: comctl32.dll/InitializeFlatSB
DynamicLoader: comctl32.dll/UninitializeFlatSB
DynamicLoader: comctl32.dll/FlatSB_GetScrollProp
DynamicLoader: comctl32.dll/FlatSB_SetScrollProp
DynamicLoader: comctl32.dll/FlatSB_EnableScrollBar
DynamicLoader: comctl32.dll/FlatSB_ShowScrollBar
DynamicLoader: comctl32.dll/FlatSB_GetScrollRange
DynamicLoader: comctl32.dll/FlatSB_GetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_GetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_SetScrollRange
DynamicLoader: USER32.dll/SetLayeredWindowAttributes
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoAddRefServerProcess
DynamicLoader: ole32.dll/CoReleaseServerProcess
DynamicLoader: ole32.dll/CoResumeClassObjects
DynamicLoader: ole32.dll/CoSuspendClassObjects
DynamicLoader: Wship6.dll/getaddrinfo
DynamicLoader: ADVAPI32.dll/OpenSCManagerA
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/OpenServiceA
DynamicLoader: ADVAPI32.dll/EnumServicesStatusA
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/StartServiceA
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: netapi32.dll/NetServerEnum
DynamicLoader: netapi32.dll/NetApiBufferFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: uxtheme.dll/OpenThemeData
DynamicLoader: uxtheme.dll/CloseThemeData
DynamicLoader: uxtheme.dll/DrawThemeBackground
DynamicLoader: uxtheme.dll/DrawThemeText
DynamicLoader: uxtheme.dll/GetThemeBackgroundContentRect
DynamicLoader: uxtheme.dll/GetThemePartSize
DynamicLoader: uxtheme.dll/GetThemeTextExtent
DynamicLoader: uxtheme.dll/GetThemeTextMetrics
DynamicLoader: uxtheme.dll/GetThemeBackgroundRegion
DynamicLoader: uxtheme.dll/HitTestThemeBackground
DynamicLoader: uxtheme.dll/DrawThemeEdge
DynamicLoader: uxtheme.dll/DrawThemeIcon
DynamicLoader: uxtheme.dll/IsThemePartDefined
DynamicLoader: uxtheme.dll/IsThemeBackgroundPartiallyTransparent
DynamicLoader: uxtheme.dll/GetThemeColor
DynamicLoader: uxtheme.dll/GetThemeMetric
DynamicLoader: uxtheme.dll/GetThemeString
DynamicLoader: uxtheme.dll/GetThemeBool
DynamicLoader: uxtheme.dll/GetThemeInt
DynamicLoader: uxtheme.dll/GetThemeEnumValue
DynamicLoader: uxtheme.dll/GetThemePosition
DynamicLoader: uxtheme.dll/GetThemeFont
DynamicLoader: uxtheme.dll/GetThemeRect
DynamicLoader: uxtheme.dll/GetThemeMargins
DynamicLoader: uxtheme.dll/GetThemeIntList
DynamicLoader: uxtheme.dll/GetThemePropertyOrigin
DynamicLoader: uxtheme.dll/SetWindowTheme
DynamicLoader: uxtheme.dll/GetThemeFilename
DynamicLoader: uxtheme.dll/GetThemeSysColor
DynamicLoader: uxtheme.dll/GetThemeSysColorBrush
DynamicLoader: uxtheme.dll/GetThemeSysBool
DynamicLoader: uxtheme.dll/GetThemeSysSize
DynamicLoader: uxtheme.dll/GetThemeSysFont
DynamicLoader: uxtheme.dll/GetThemeSysString
DynamicLoader: uxtheme.dll/GetThemeSysInt
DynamicLoader: uxtheme.dll/IsThemeActive
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/GetWindowTheme
DynamicLoader: uxtheme.dll/EnableThemeDialogTexture
DynamicLoader: uxtheme.dll/IsThemeDialogTextureEnabled
DynamicLoader: uxtheme.dll/GetThemeAppProperties
DynamicLoader: uxtheme.dll/SetThemeAppProperties
DynamicLoader: uxtheme.dll/GetCurrentThemeName
DynamicLoader: uxtheme.dll/GetThemeDocumentationProperty
DynamicLoader: uxtheme.dll/DrawThemeParentBackground
DynamicLoader: uxtheme.dll/EnableTheming
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: comctl32.dll/InitCommonControlsEx
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: uxtheme.dll/OpenThemeData
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: comctl32.dll/RegisterClassNameW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: IMM32.DLL/ImmLockIMC
DynamicLoader: IMM32.DLL/ImmUnlockIMC
DynamicLoader: IMM32.DLL/ImmSetCompositionFontW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: IMM32.DLL/ImmGetCompositionWindow
DynamicLoader: IMM32.DLL/ImmSetCompositionWindow
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryInfoKeyA
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
DynamicLoader: uxtheme.dll/BufferedPaintInit
DynamicLoader: uxtheme.dll/BeginBufferedPaint
DynamicLoader: uxtheme.dll/EndBufferedPaint
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00096000, virtual_size: 0x001b8000
section: name: .itext, entropy: 7.79, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00001800, virtual_size: 0x00004000
section: name: .data, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00006e00, virtual_size: 0x0000c000
section: name: .idata, entropy: 7.88, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00001200, virtual_size: 0x00004000
section: name: .rsrc, entropy: 7.41, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00007a00, virtual_size: 0x00025000


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\wknNsu5ogbM.ENG
C:\Users\user\AppData\Local\Temp\wknNsu5ogbM.ENG.DLL
C:\Users\user\AppData\Local\Temp\wknNsu5ogbM.EN
C:\Users\user\AppData\Local\Temp\wknNsu5ogbM.EN.DLL
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\wknNsu5ogbM.exe
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.VirtualProtect
oleaut32.dll.SysFreeString
oleaut32.dll.SysReAllocStringLen
oleaut32.dll.SysAllocStringLen
advapi32.dll.RegQueryValueExA
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegCloseKey
user32.dll.GetKeyboardType
user32.dll.DestroyWindow
user32.dll.LoadStringA
user32.dll.MessageBoxA
user32.dll.CharNextA
kernel32.dll.GetACP
kernel32.dll.Sleep
kernel32.dll.GetTickCount
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetCurrentThreadId
kernel32.dll.InterlockedDecrement
kernel32.dll.InterlockedIncrement
kernel32.dll.VirtualQuery
kernel32.dll.WideCharToMultiByte
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrlenA
kernel32.dll.lstrcpynA
kernel32.dll.LoadLibraryExA
kernel32.dll.GetThreadLocale
kernel32.dll.GetStartupInfoA
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleHandleA
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetLocaleInfoA
kernel32.dll.GetCommandLineA
kernel32.dll.FreeLibrary
kernel32.dll.FindFirstFileA
kernel32.dll.FindClose
kernel32.dll.ExitProcess
kernel32.dll.ExitThread
kernel32.dll.CreateThread
kernel32.dll.CompareStringA
kernel32.dll.WriteFile
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.RtlUnwind
kernel32.dll.RaiseException
kernel32.dll.GetStdHandle
kernel32.dll.TlsSetValue
kernel32.dll.TlsGetValue
kernel32.dll.LocalAlloc
user32.dll.CreateWindowExA
user32.dll.WindowFromPoint
user32.dll.WaitMessage
user32.dll.UpdateWindow
user32.dll.UnregisterClassA
user32.dll.UnhookWindowsHookEx
user32.dll.TranslateMessage
user32.dll.TranslateMDISysAccel
user32.dll.TrackPopupMenu
user32.dll.SystemParametersInfoA
user32.dll.ShowWindow
user32.dll.ShowScrollBar
user32.dll.ShowOwnedPopups
user32.dll.SetWindowsHookExA
user32.dll.SetWindowTextA
user32.dll.SetWindowPos
user32.dll.SetWindowPlacement
user32.dll.SetWindowLongW
user32.dll.SetWindowLongA
user32.dll.SetTimer
user32.dll.SetScrollRange
user32.dll.SetScrollPos
user32.dll.SetScrollInfo
user32.dll.SetRect
user32.dll.SetPropA
user32.dll.SetParent
user32.dll.SetMenuItemInfoA
user32.dll.SetMenu
user32.dll.SetForegroundWindow
user32.dll.SetFocus
user32.dll.SetCursor
user32.dll.SetClassLongA
user32.dll.SetCapture
user32.dll.SetActiveWindow
user32.dll.SendMessageW
user32.dll.SendMessageA
user32.dll.ScrollWindow
user32.dll.ScreenToClient
user32.dll.RemovePropA
user32.dll.RemoveMenu
user32.dll.ReleaseDC
user32.dll.ReleaseCapture
user32.dll.RegisterWindowMessageA
user32.dll.RegisterClipboardFormatA
user32.dll.RegisterClassA
user32.dll.RedrawWindow
user32.dll.PtInRect
user32.dll.PostQuitMessage
user32.dll.PostMessageA
user32.dll.PeekMessageW
user32.dll.PeekMessageA
user32.dll.OffsetRect
user32.dll.OemToCharA
user32.dll.MsgWaitForMultipleObjectsEx
user32.dll.MsgWaitForMultipleObjects
user32.dll.MapWindowPoints
user32.dll.MapVirtualKeyA
user32.dll.LoadKeyboardLayoutA
user32.dll.LoadIconA
user32.dll.LoadCursorA
user32.dll.LoadBitmapA
user32.dll.KillTimer
user32.dll.IsZoomed
user32.dll.IsWindowVisible
user32.dll.IsWindowUnicode
user32.dll.IsWindowEnabled
user32.dll.IsWindow
user32.dll.IsRectEmpty
user32.dll.IsIconic
user32.dll.IsDialogMessageW
user32.dll.IsDialogMessageA
user32.dll.IsChild
user32.dll.InvalidateRect
user32.dll.IntersectRect
user32.dll.InsertMenuItemA
user32.dll.InsertMenuA
user32.dll.InflateRect
user32.dll.GetWindowThreadProcessId
user32.dll.GetWindowTextA
user32.dll.GetWindowRect
user32.dll.GetWindowPlacement
user32.dll.GetWindowLongW
user32.dll.GetWindowLongA
user32.dll.GetWindowDC
user32.dll.GetTopWindow
user32.dll.GetSystemMetrics
user32.dll.GetSystemMenu
user32.dll.GetSysColorBrush
user32.dll.GetSysColor
user32.dll.GetSubMenu
user32.dll.GetScrollRange
user32.dll.GetScrollPos
user32.dll.GetScrollInfo
user32.dll.GetPropA
user32.dll.GetParent
user32.dll.GetWindow
user32.dll.GetMessagePos
user32.dll.GetMenuStringA
user32.dll.GetMenuState
user32.dll.GetMenuItemInfoA
user32.dll.GetMenuItemID
user32.dll.GetMenuItemCount
user32.dll.GetMenu
user32.dll.GetLastActivePopup
user32.dll.GetKeyboardState
user32.dll.GetKeyboardLayoutNameA
user32.dll.GetKeyboardLayoutList
user32.dll.GetKeyboardLayout
user32.dll.GetKeyState
user32.dll.GetKeyNameTextA
user32.dll.GetIconInfo
user32.dll.GetForegroundWindow
user32.dll.GetFocus
user32.dll.GetDlgItem
user32.dll.GetDesktopWindow
user32.dll.GetDCEx
user32.dll.GetDC
user32.dll.GetCursorPos
user32.dll.GetCursor
user32.dll.GetClipboardData
user32.dll.GetClientRect
user32.dll.GetClassNameA
user32.dll.GetClassLongA
user32.dll.GetClassInfoA
user32.dll.GetCapture
user32.dll.GetAsyncKeyState
user32.dll.GetActiveWindow
user32.dll.FrameRect
user32.dll.FlashWindow
user32.dll.FindWindowExA
user32.dll.FindWindowA
user32.dll.FillRect
user32.dll.EqualRect
user32.dll.EnumWindows
user32.dll.EnumThreadWindows
user32.dll.EnumChildWindows
user32.dll.EndPaint
user32.dll.EnableWindow
user32.dll.EnableScrollBar
user32.dll.EnableMenuItem
user32.dll.DrawTextW
user32.dll.DrawTextA
user32.dll.DrawMenuBar
user32.dll.DrawIconEx
user32.dll.DrawIcon
user32.dll.DrawFrameControl
user32.dll.DrawEdge
user32.dll.DispatchMessageW
user32.dll.DispatchMessageA
user32.dll.DestroyMenu
user32.dll.DestroyIcon
user32.dll.DestroyCursor
user32.dll.DeleteMenu
user32.dll.DefWindowProcA
user32.dll.DefMDIChildProcA
user32.dll.DefFrameProcA
user32.dll.CreatePopupMenu
user32.dll.CreateMenu
user32.dll.CreateIcon
user32.dll.ClientToScreen
user32.dll.ChildWindowFromPoint
user32.dll.CheckMenuItem
user32.dll.CharUpperBuffW
user32.dll.CharNextW
user32.dll.CallWindowProcA
user32.dll.CallNextHookEx
user32.dll.BeginPaint
user32.dll.CharLowerBuffA
user32.dll.CharLowerA
user32.dll.CharUpperBuffA
user32.dll.CharToOemA
user32.dll.AdjustWindowRectEx
user32.dll.ActivateKeyboardLayout
gdi32.dll.UnrealizeObject
gdi32.dll.StretchBlt
gdi32.dll.SetWindowOrgEx
gdi32.dll.SetWinMetaFileBits
gdi32.dll.SetViewportOrgEx
gdi32.dll.SetTextColor
gdi32.dll.SetStretchBltMode
gdi32.dll.SetROP2
gdi32.dll.SetPixel
gdi32.dll.SetEnhMetaFileBits
gdi32.dll.SetDIBColorTable
gdi32.dll.SetBrushOrgEx
gdi32.dll.SetBkMode
gdi32.dll.SetBkColor
gdi32.dll.SelectPalette
gdi32.dll.SelectObject
gdi32.dll.SelectClipRgn
gdi32.dll.SaveDC
gdi32.dll.RestoreDC
gdi32.dll.Rectangle
gdi32.dll.RectVisible
gdi32.dll.RealizePalette
gdi32.dll.Polyline
gdi32.dll.PlayEnhMetaFile
gdi32.dll.PatBlt
gdi32.dll.MoveToEx
gdi32.dll.MaskBlt
gdi32.dll.LineTo
gdi32.dll.IntersectClipRect
gdi32.dll.GetWindowOrgEx
gdi32.dll.GetWinMetaFileBits
gdi32.dll.GetTextMetricsA
gdi32.dll.GetTextExtentPointA
gdi32.dll.GetTextExtentPoint32A
gdi32.dll.GetSystemPaletteEntries
gdi32.dll.GetStockObject
gdi32.dll.GetRgnBox
gdi32.dll.GetPixel
gdi32.dll.GetPaletteEntries
gdi32.dll.GetObjectA
gdi32.dll.GetEnhMetaFilePaletteEntries
gdi32.dll.GetEnhMetaFileHeader
gdi32.dll.GetEnhMetaFileBits
gdi32.dll.GetDeviceCaps
gdi32.dll.GetDIBits
gdi32.dll.GetDIBColorTable
gdi32.dll.GetDCOrgEx
gdi32.dll.GetCurrentPositionEx
gdi32.dll.GetClipBox
gdi32.dll.GetBrushOrgEx
gdi32.dll.GetBitmapBits
gdi32.dll.ExtTextOutA
gdi32.dll.ExcludeClipRect
gdi32.dll.EnumFontFamiliesExA
gdi32.dll.DeleteObject
gdi32.dll.DeleteEnhMetaFile
gdi32.dll.DeleteDC
gdi32.dll.CreateSolidBrush
gdi32.dll.CreateRectRgn
gdi32.dll.CreatePenIndirect
gdi32.dll.CreatePalette
gdi32.dll.CreateHalftonePalette
gdi32.dll.CreateFontIndirectA
gdi32.dll.CreateDIBitmap
gdi32.dll.CreateDIBSection
gdi32.dll.CreateCompatibleDC
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.CreateBrushIndirect
gdi32.dll.CreateBitmap
gdi32.dll.CopyEnhMetaFileA
gdi32.dll.CombineRgn
gdi32.dll.BitBlt
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
kernel32.dll.lstrcpyA
kernel32.dll.lstrcmpiA
kernel32.dll.lstrcmpA
kernel32.dll.WriteProcessMemory
kernel32.dll.WaitNamedPipeA
kernel32.dll.WaitForSingleObject
kernel32.dll.WaitForMultipleObjectsEx
kernel32.dll.VirtualProtectEx
kernel32.dll.TerminateThread
kernel32.dll.SizeofResource
kernel32.dll.SetThreadPriority
kernel32.dll.SetThreadLocale
kernel32.dll.SetNamedPipeHandleState
kernel32.dll.SetLastError
kernel32.dll.SetFilePointer
kernel32.dll.SetEvent
kernel32.dll.SetErrorMode
kernel32.dll.SetEndOfFile
kernel32.dll.ResumeThread
kernel32.dll.ResetEvent
kernel32.dll.ReleaseMutex
kernel32.dll.ReadFile
kernel32.dll.QueryPerformanceFrequency
kernel32.dll.MulDiv
kernel32.dll.LockResource
kernel32.dll.LoadResource
kernel32.dll.LoadLibraryA
kernel32.dll.LeaveCriticalSection
kernel32.dll.InitializeCriticalSection
kernel32.dll.GlobalFree
kernel32.dll.GlobalFindAtomA
kernel32.dll.GlobalDeleteAtom
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalAddAtomA
kernel32.dll.GetVersionExA
kernel32.dll.GetVersion
kernel32.dll.GetTimeZoneInformation
kernel32.dll.GetTempPathA
kernel32.dll.GetLocalTime
kernel32.dll.GetLastError
kernel32.dll.GetFullPathNameA
kernel32.dll.GetFileSize
kernel32.dll.GetFileAttributesA
kernel32.dll.GetExitCodeThread
kernel32.dll.GetDiskFreeSpaceA
kernel32.dll.GetDateFormatA
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCPInfo
kernel32.dll.FreeResource
kernel32.dll.InterlockedExchange
kernel32.dll.FormatMessageA
kernel32.dll.FindResourceA
kernel32.dll.EnumCalendarInfoA
kernel32.dll.EnterCriticalSection
kernel32.dll.DeleteCriticalSection
kernel32.dll.CreateMutexA
kernel32.dll.CreateFileA
kernel32.dll.CreateEventA
kernel32.dll.CompareStringW
kernel32.dll.CloseHandle
advapi32.dll.RegSetValueExA
advapi32.dll.RegFlushKey
advapi32.dll.RegCreateKeyExA
oleaut32.dll.GetErrorInfo
ole32.dll.CreateStreamOnHGlobal
ole32.dll.CoTaskMemFree
ole32.dll.CoTaskMemAlloc
ole32.dll.CoCreateInstance
ole32.dll.CoUninitialize
ole32.dll.CoInitialize
imagehlp.dll.ImageDirectoryEntryToData
ole32.dll.IsEqualGUID
ole32.dll.CLSIDFromString
oleaut32.dll.SafeArrayPtrOfIndex
oleaut32.dll.SafeArrayPutElement
oleaut32.dll.SafeArrayGetElement
oleaut32.dll.SafeArrayUnaccessData
oleaut32.dll.SafeArrayAccessData
oleaut32.dll.SafeArrayGetUBound
oleaut32.dll.SafeArrayGetLBound
oleaut32.dll.SafeArrayCreate
oleaut32.dll.VariantChangeType
oleaut32.dll.VariantCopyInd
oleaut32.dll.VariantCopy
oleaut32.dll.VariantClear
oleaut32.dll.VariantInit
comctl32.dll._TrackMouseEvent
comctl32.dll.ImageList_SetIconSize
comctl32.dll.ImageList_GetIconSize
comctl32.dll.ImageList_Write
comctl32.dll.ImageList_Read
comctl32.dll.ImageList_GetDragImage
comctl32.dll.ImageList_DragShowNolock
comctl32.dll.ImageList_DragMove
comctl32.dll.ImageList_DragLeave
comctl32.dll.ImageList_DragEnter
comctl32.dll.ImageList_EndDrag
comctl32.dll.ImageList_BeginDrag
comctl32.dll.ImageList_Remove
comctl32.dll.ImageList_DrawEx
comctl32.dll.ImageList_Draw
comctl32.dll.ImageList_GetBkColor
comctl32.dll.ImageList_SetBkColor
comctl32.dll.ImageList_Add
comctl32.dll.ImageList_GetImageCount
comctl32.dll.ImageList_Destroy
comctl32.dll.ImageList_Create
comctl32.dll.InitCommonControls
comdlg32.dll.GetSaveFileNameA
comdlg32.dll.GetOpenFileNameA
gdiplus.dll.GdipSetImageAttributesColorKeys
gdiplus.dll.GdipDisposeImageAttributes
gdiplus.dll.GdipCreateImageAttributes
gdiplus.dll.GdipBitmapGetPixel
gdiplus.dll.GdipCreateBitmapFromStream
gdiplus.dll.GdipCreateBitmapFromStreamICM
gdiplus.dll.GdipSetStringFormatHotkeyPrefix
gdiplus.dll.GdipSetPenDashStyle
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipDisposeImage
gdiplus.dll.GdipLoadImageFromStreamICM
gdiplus.dll.GdipLoadImageFromStream
gdiplus.dll.GdipDrawRectangle
gdiplus.dll.GdipDrawImageRectRect
gdiplus.dll.GdipDrawImageRect
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipSetStringFormatTrimming
gdiplus.dll.GdipSetStringFormatLineAlign
gdiplus.dll.GdipSetStringFormatAlign
gdiplus.dll.GdipDeleteStringFormat
gdiplus.dll.GdipCreateStringFormat
gdiplus.dll.GdipMeasureString
gdiplus.dll.GdipDrawString
gdiplus.dll.GdipDeleteFont
gdiplus.dll.GdipCreateFont
gdiplus.dll.GdipDeleteFontFamily
gdiplus.dll.GdipCreateFontFamilyFromName
gdiplus.dll.GdipFillRectangle
gdiplus.dll.GdipDrawPath
gdiplus.dll.GdipSetTextRenderingHint
gdiplus.dll.GdipSetSmoothingMode
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipDeletePen
gdiplus.dll.GdipCreatePen1
gdiplus.dll.GdipGetPathGradientPointCount
gdiplus.dll.GdipSetPathGradientCenterPointI
gdiplus.dll.GdipSetPathGradientSurroundColorsWithCount
gdiplus.dll.GdipSetPathGradientCenterColor
gdiplus.dll.GdipCreatePathGradientFromPath
gdiplus.dll.GdipCreateLineBrushFromRect
gdiplus.dll.GdipCreateSolidFill
gdiplus.dll.GdipDeleteBrush
gdiplus.dll.GdipAddPathEllipse
gdiplus.dll.GdipAddPathArc
gdiplus.dll.GdipAddPathLine
gdiplus.dll.GdipClosePathFigure
gdiplus.dll.GdipDeletePath
gdiplus.dll.GdipCreatePath
gdiplus.dll.GdiplusShutdown
gdiplus.dll.GdiplusStartup
gdiplus.dll.GdipFree
gdiplus.dll.GdipAlloc
wsock32.dll.__WSAFDIsSet
wsock32.dll.WSACleanup
wsock32.dll.WSAStartup
wsock32.dll.WSAGetLastError
wsock32.dll.WSACancelAsyncRequest
wsock32.dll.WSAAsyncGetServByName
wsock32.dll.WSAAsyncGetHostByName
wsock32.dll.WSAAsyncSelect
wsock32.dll.getservbyname
wsock32.dll.gethostbyname
wsock32.dll.socket
wsock32.dll.shutdown
wsock32.dll.setsockopt
wsock32.dll.send
wsock32.dll.select
wsock32.dll.recv
wsock32.dll.ntohs
wsock32.dll.listen
wsock32.dll.ioctlsocket
wsock32.dll.inet_ntoa
wsock32.dll.inet_addr
wsock32.dll.htons
wsock32.dll.getsockopt
wsock32.dll.getpeername
wsock32.dll.connect
wsock32.dll.closesocket
wsock32.dll.bind
wsock32.dll.accept
winmm.dll.sndPlaySoundA
kernel32.dll.GetDiskFreeSpaceExA
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.AnimateWindow
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
comctl32.dll.InitializeFlatSB
comctl32.dll.UninitializeFlatSB
comctl32.dll.FlatSB_GetScrollProp
comctl32.dll.FlatSB_SetScrollProp
comctl32.dll.FlatSB_EnableScrollBar
comctl32.dll.FlatSB_ShowScrollBar
comctl32.dll.FlatSB_GetScrollRange
comctl32.dll.FlatSB_GetScrollInfo
comctl32.dll.FlatSB_GetScrollPos
comctl32.dll.FlatSB_SetScrollPos
comctl32.dll.FlatSB_SetScrollInfo
comctl32.dll.FlatSB_SetScrollRange
user32.dll.SetLayeredWindowAttributes
ole32.dll.CoCreateInstanceEx
ole32.dll.CoInitializeEx
ole32.dll.CoAddRefServerProcess
ole32.dll.CoReleaseServerProcess
ole32.dll.CoResumeClassObjects
ole32.dll.CoSuspendClassObjects
advapi32.dll.OpenSCManagerA
advapi32.dll.CloseServiceHandle
advapi32.dll.OpenServiceA
advapi32.dll.EnumServicesStatusA
advapi32.dll.QueryServiceStatus
advapi32.dll.StartServiceA
advapi32.dll.ControlService
netapi32.dll.NetServerEnum
netapi32.dll.NetApiBufferFree
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
cryptbase.dll.SystemFunction036
uxtheme.dll.OpenThemeData
uxtheme.dll.CloseThemeData
uxtheme.dll.DrawThemeBackground
uxtheme.dll.DrawThemeText
uxtheme.dll.GetThemeBackgroundContentRect
uxtheme.dll.GetThemePartSize
uxtheme.dll.GetThemeTextExtent
uxtheme.dll.GetThemeTextMetrics
uxtheme.dll.GetThemeBackgroundRegion
uxtheme.dll.HitTestThemeBackground
uxtheme.dll.DrawThemeEdge
uxtheme.dll.DrawThemeIcon
uxtheme.dll.IsThemePartDefined
uxtheme.dll.IsThemeBackgroundPartiallyTransparent
uxtheme.dll.GetThemeColor
uxtheme.dll.GetThemeMetric
uxtheme.dll.GetThemeString
uxtheme.dll.GetThemeBool
uxtheme.dll.GetThemeInt
uxtheme.dll.GetThemeEnumValue
uxtheme.dll.GetThemePosition
uxtheme.dll.GetThemeFont
uxtheme.dll.GetThemeRect
uxtheme.dll.GetThemeMargins
uxtheme.dll.GetThemeIntList
uxtheme.dll.GetThemePropertyOrigin
uxtheme.dll.SetWindowTheme
uxtheme.dll.GetThemeFilename
uxtheme.dll.GetThemeSysColor
uxtheme.dll.GetThemeSysColorBrush
uxtheme.dll.GetThemeSysBool
uxtheme.dll.GetThemeSysSize
uxtheme.dll.GetThemeSysFont
uxtheme.dll.GetThemeSysString
uxtheme.dll.GetThemeSysInt
uxtheme.dll.IsThemeActive
uxtheme.dll.IsAppThemed
uxtheme.dll.GetWindowTheme
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.IsThemeDialogTextureEnabled
uxtheme.dll.GetThemeAppProperties
uxtheme.dll.SetThemeAppProperties
uxtheme.dll.GetCurrentThemeName
uxtheme.dll.GetThemeDocumentationProperty
uxtheme.dll.DrawThemeParentBackground
uxtheme.dll.EnableTheming
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegEnumKeyExW
kernel32.dll.GetLocaleInfoEx
comctl32.dll.InitCommonControlsEx
gdi32.dll.GetTextExtentExPointWPri
user32.dll.MonitorFromWindow
comctl32.dll.RegisterClassNameW
imm32.dll.ImmIsIME
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmAssociateContext
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
imm32.dll.ImmLockIMC
imm32.dll.ImmUnlockIMC
imm32.dll.ImmSetCompositionFontW
imm32.dll.ImmGetCompositionWindow
imm32.dll.ImmSetCompositionWindow
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryInfoKeyA
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint
Local\MSCTF.Asm.MutexDefault1

PE Information

Image Base 0x00400000
Entry Point 0x0061a001
Reported Checksum 0x00000000
Actual Checksum 0x000b8b90
Minimum OS Version 4.0
Compile Time 2018-05-31 13:19:44
Import Hash c5c2b726ee544b773de63ef7ebde94fb

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x001b8000 0x00096000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 8.00
.itext 0x001b9000 0x00004000 0x00001800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.79
.data 0x001bd000 0x0000c000 0x00006e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.98
.bss 0x001c9000 0x00008000 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x001d1000 0x00004000 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.88
.tls 0x001d5000 0x00001000 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x001d6000 0x00001000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.21
.reloc 0x001d7000 0x0001e000 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x001f5000 0x00025000 0x00007a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.41
.aspack 0x0021a000 0x00006000 0x00006000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.14
.adata 0x00220000 0x00001000 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00

Resources

Name Offset Size Language Sub-language Entropy File type
RT_DIALOG 0x002000f0 0x00000052 LANG_NEUTRAL SUBLANG_NEUTRAL 0.00 None
RT_STRING 0x00207f54 0x00000348 LANG_NEUTRAL SUBLANG_NEUTRAL 0.00 None
RT_RCDATA 0x0020d64c 0x0000bc96 LANG_NEUTRAL SUBLANG_NEUTRAL 0.00 None
RT_GROUP_CURSOR 0x0021935c 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None

Imports

Library kernel32.dll:
0x61afb8 GetProcAddress
0x61afbc GetModuleHandleA
0x61afc0 LoadLibraryA
Library oleaut32.dll:
0x61b26e SysFreeString
Library advapi32.dll:
0x61b276 RegQueryValueExA
Library user32.dll:
0x61b27e GetKeyboardType
Library user32.dll:
0x61b286 CreateWindowExA
Library gdi32.dll:
0x61b28e UnrealizeObject
Library version.dll:
0x61b296 VerQueryValueA
Library advapi32.dll:
0x61b29e RegSetValueExA
Library oleaut32.dll:
0x61b2a6 GetErrorInfo
Library ole32.dll:
Library imagehlp.dll:
Library ole32.dll:
0x61b2be IsEqualGUID
Library oleaut32.dll:
0x61b2c6 SafeArrayPtrOfIndex
Library comctl32.dll:
0x61b2ce _TrackMouseEvent
Library comdlg32.dll:
0x61b2d6 GetSaveFileNameA
Library gdiplus.dll:
Library wsock32.dll:
0x61b2e6 __WSAFDIsSet
Library wsock32.dll:
0x61b2ee WSACleanup
Library winmm.dll:
0x61b2f6 sndPlaySoundA

.text
.itext
.data
.idata
.rdata
.reloc
.rsrc
.aspack
.adata
VirtualAlloc
VirtualFree
VirtualProtect
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
oleaut32.dll
advapi32.dll
user32.dll
user32.dll
gdi32.dll
version.dll
advapi32.dll
oleaut32.dll
ole32.dll
imagehlp.dll
ole32.dll
oleaut32.dll
comctl32.dll
comdlg32.dll
gdiplus.dll
wsock32.dll
wsock32.dll
winmm.dll
SysFreeString
RegQueryValueExA
GetKeyboardType
CreateWindowExA
UnrealizeObject
VerQueryValueA
RegSetValueExA
GetErrorInfo
CreateStreamOnHGlobal
ImageDirectoryEntryToData
IsEqualGUID
SafeArrayPtrOfIndex
_TrackMouseEvent
GetSaveFileNameA
GdipSetImageAttributesColorKeys
__WSAFDIsSet
WSACleanup
sndPlaySoundA
</assembly>
MAINICON
VS_VERSION_INFO
StringFileInfo
041604E4
CompanyName
Deploy Team
FileDescription
Acesso Remoto
FileVersion
1.1.4.49
InternalName
Access PC
LegalCopyright
Deploy Team
LegalTrademarks
Deploy Team
OriginalFilename
Access PC
ProductName
Access PC
ProductVersion
1.0.0.0
Comments
Acesso Remoto
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree
wknNsu5ogbM.exe, PID: 1544, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\wknNsu5ogbM.exe
Command Line: "C:\Users\user\AppData\Local\Temp\wknNsu5ogbM.exe"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name GDIPFONTCACHEV1.DAT
Associated Filenames
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
File Size 86096 bytes
File Type data
MD5 1bba2e8a1b56ec52dd7805093b4839d3
SHA1 8d507ec6e5c4af348304f38c85227cbdca17a1f3
SHA256 2df0e9bc46893be214dc9da3ce78ba97b4176ee761ec3f38f0139297490f5341
CRC32 AEF024B5
Ssdeep 768:3v4h0tHgTlF1AphohIqrT43MTxK8PU/NBxZysNAp:Qh0tHgTlF1AphADhTxK8PU/NBD6p
ClamAV None
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 32-bit executable
Size 2050560 bytes
Virtual Address 0x400000
Process wknNsu5ogbM.exe
PID 1544
Path C:\Users\user\AppData\Local\Temp\wknNsu5ogbM.exe
MD5 de4e5fd273300d2148e71c86e461627a
SHA1 b92c69fd738071416ea473f5be98a319926ad4b3
SHA256 fe656a89006b12b1df8030c5c1787cea1439d7e7d196fed012357a4d340859dd
CRC32 89B90CE2
Ssdeep 24576:pbAwLaWzRWLMNZoP8MUPNm2+FMseG0zsiaOvJV3+IkhDjKrzsfluaHudK8TrPn72:iWVMpO7X3ZkhDjKrcutdK837iRiuws5
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Comments
No comments posted

Processing ( 3.858 seconds )

  • 2.174 CAPE
  • 0.523 Static
  • 0.425 BehaviorAnalysis
  • 0.403 TargetInfo
  • 0.153 TrID
  • 0.065 Deduplicate
  • 0.054 Dropped
  • 0.045 Strings
  • 0.007 NetworkAnalysis
  • 0.004 AnalysisInfo
  • 0.003 config_decoder
  • 0.002 Debug

Signatures ( 0.144 seconds )

  • 0.02 stealth_timeout
  • 0.019 PlugX
  • 0.014 decoy_document
  • 0.013 api_spamming
  • 0.013 antiav_detectreg
  • 0.005 infostealer_ftp
  • 0.004 antiemu_wine_func
  • 0.004 antidbg_windows
  • 0.004 persistence_autorun
  • 0.004 kovter_behavior
  • 0.004 ransomware_files
  • 0.003 infostealer_browser_password
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 exploit_getbasekerneladdress
  • 0.002 dynamic_function_loading
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 Doppelganging
  • 0.001 betabot_behavior
  • 0.001 exploit_gethaldispatchtable
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn

Reporting ( 0.19 seconds )

  • 0.19 CompressResults
Task ID 36416
Mongo ID 5c61c8c7f284884f68b2c714
Cuckoo release 1.3-CAPE