Summary
File Name: None
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
SHA1: 6861de29ec5dbf90d70e4a5775dd49db4bda27b5
MD5: 5826adee56d18c0a8338551f4d40cf0f
Valkyrie Final Verdict: MALWARE
DETECTION SECTION CLASSIFICATION
Verdict: Malware
Severity: High
Classification scores: Virus (78.26%), Pua (5.31%), Generic (5.07%), Password Stealer (4.14%), Trojan Downloader (2.62%), Dropper (1.83%), Bot (0.86%), Worm (0.80%), Backdoor (0.77%), Rogue (0.34%), Ransomware (0.00%), Exploit (0.00%), Rootkit (0.00%), Spyware (0.00%), Remote Access Trojan (0.00%)
HIGH LEVEL BEHAVIOR DISTRIBUTION (API call counts per category)
File System (176892)
Synchronization (106125)
Process (103490)
Registry (97719)
System (80119)
Misc (1066)
Threading (465)
Device (402)
Com (300)
Network (156)
Crypto (136)
Services (136)
__notification__ (21)
Windows (11)
Hooking (7)
ACTIVITY OVERVIEW
Malware Analysis System Evasion: 7 (38.89%)
Hooking and other Techniques for Hiding Protection: 3 (16.67%)
Networking: 2 (11.11%)
HIPS/ PFW/ Operating System Protection Evasion: 2 (11.11%)
Information Discovery: 1 (5.56%)
Static Anomaly: 1 (5.56%)
Persistence and Installation Behavior: 1 (5.56%)
Lowering of HIPS/ PFW/ Operating System Security Settings: 1 (5.56%)
Activity Details
INFORMATION DISCOVERY
Expresses interest in specific running processes
NETWORKING
Attempts to connect to a dead IP:Port (4 unique times)
Starts servers listening on 0.0.0.0:21
HIPS/ PFW/ OPERATING SYSTEM PROTECTION EVASION
Attempts to identify installed AV products by installation directory
Attempts to stop active services
STATIC ANOMALY
Anomalous binary characteristics
HOOKING AND OTHER TECHNIQUES FOR HIDING PROTECTION
Creates RWX memory
Code injection with CreateRemoteThread in a remote process
Likely virus infection of existing system binary
PERSISTENCE AND INSTALLATION BEHAVIOR
Installs itself for autorun at Windows startup
MALWARE ANALYSIS SYSTEM EVASION
A process attempted to delay the analysis task.
Tries to suspend Cuckoo threads to prevent logging of malicious activity
Attempts to modify or disable Security Center warnings
Tries to unhook or modify Windows functions monitored by Cuckoo
Detects VirtualBox through the presence of a file
Attempts to repeatedly call a single API many times in order to delay analysis time
Creates a hidden or system file
LOWERING OF HIPS/ PFW/ OPERATING SYSTEM SECURITY SETTINGS
Attempts to block SafeBoot use by removing registry keys
Behavior Graph
PID 3060 01:16:59 Create Process The malicious file created a child process as rundll32.exe (PPID 3008)
01:16:59 NtProtectVirtualMemory
01:16:59 Create Process
PID 2112 01:16:59 Create Process The malicious file created a child process as rundll32mgr.exe (PPID 3060)
01:16:59 NtSuspendThread
01:16:59 Create Process
01:16:59 Create Process
01:17:01 __anomaly__ 01:17:01 [ 3 times ]
PID 1636 01:16:59 Create Process The malicious file created a child process as firefox.exe (PPID 2112)
01:16:59 NtSetInformationFile
01:16:59 NtDelayExecution
01:16:59 connect 01:16:59 [ 2 times ]
01:17:02 NtWriteFile 01:17:02 [ 4 times ]
01:17:10 connect 01:18:50 [ 6 times ]
01:19:16 NtCreateFile
01:19:16 NtQueryAttributesFile
01:19:16 NtOpenFile
01:19:16 NtCreateFile
01:19:16 NtOpenFile
01:19:16 NtCreateFile
01:19:16 NtQueryAttributesFile
01:19:16 NtOpenFile
01:19:16 NtCreateFile
01:19:17 NtOpenFile
01:19:17 NtCreateFile
01:19:17 NtQueryAttributesFile
01:19:17 NtOpenFile
01:19:17 NtCreateFile
01:19:17 NtOpenFile
01:19:17 NtCreateFile
01:19:17 NtQueryAttributesFile
01:19:17 NtOpenFile
01:19:17 NtCreateFile
01:19:17 NtOpenFile
01:19:17 NtCreateFile
01:19:17 NtQueryAttributesFile
01:19:17 NtOpenFile
01:19:17 NtCreateFile
01:19:18 NtOpenFile
01:19:18 NtCreateFile
01:19:18 NtQueryAttributesFile
01:19:18 NtOpenFile
01:19:18 NtCreateFile
01:19:18 NtOpenFile
01:19:18 NtCreateFile
01:19:18 NtQueryAttributesFile
01:19:18 NtOpenFile
01:19:18 NtCreateFile
01:19:19 NtOpenFile
01:19:19 NtCreateFile
01:19:19 NtQueryAttributesFile
01:19:19 NtOpenFile
01:19:19 NtCreateFile
01:19:19 NtOpenFile
01:19:19 NtCreateFile
01:19:19 NtQueryAttributesFile
01:19:19 NtOpenFile
01:19:19 NtCreateFile
01:19:19 NtOpenFile
01:19:19 NtCreateFile
01:19:19 NtQueryAttributesFile
01:19:19 NtOpenFile
01:19:19 NtCreateFile
01:19:20 NtOpenFile
01:19:20 NtCreateFile
01:19:20 NtQueryAttributesFile
01:19:20 NtOpenFile
01:19:20 NtCreateFile
01:19:20 NtOpenFile
01:19:20 NtCreateFile
01:19:20 NtQueryAttributesFile
01:19:20 NtOpenFile
01:19:20 NtCreateFile
01:19:20 NtOpenFile
01:19:20 NtCreateFile
01:19:20 NtQueryAttributesFile
01:19:20 NtOpenFile
01:19:20 NtCreateFile
01:19:21 NtOpenFile
01:19:21 NtCreateFile
01:19:21 NtQueryAttributesFile
01:19:21 NtOpenFile
01:19:21 NtCreateFile
01:19:21 NtOpenFile
01:19:21 NtCreateFile
01:19:21 NtQueryAttributesFile
01:19:21 NtOpenFile
01:19:21 NtCreateFile
01:19:21 NtOpenFile
01:19:21 NtCreateFile
01:19:21 NtQueryAttributesFile
01:19:21 NtOpenFile
01:19:21 NtCreateFile
01:19:22 NtOpenFile
01:19:22 NtCreateFile
01:19:22 NtQueryAttributesFile
01:19:22 NtOpenFile
01:19:22 NtCreateFile
01:19:22 NtOpenFile
01:19:22 NtCreateFile
01:19:22 NtQueryAttributesFile
01:19:22 NtOpenFile
01:19:22 NtCreateFile
01:19:22 NtOpenFile
01:19:22 NtCreateFile
01:19:22 NtQueryAttributesFile
01:19:22 NtOpenFile
01:19:22 NtCreateFile
01:19:23 NtOpenFile
01:19:23 NtCreateFile
01:19:23 NtQueryAttributesFile
01:19:23 NtOpenFile
01:19:23 NtCreateFile
01:19:23 NtOpenFile
01:19:23 NtCreateFile
01:19:23 NtQueryAttributesFile
01:19:23 NtOpenFile
01:19:23 NtCreateFile
01:19:24 NtOpenFile
01:19:24 NtCreateFile
01:19:24 NtQueryAttributesFile
01:19:24 NtOpenFile
01:19:24 NtCreateFile
01:19:24 NtOpenFile
01:19:24 NtCreateFile
01:19:24 NtQueryAttributesFile
01:19:24 NtOpenFile
01:19:24 NtCreateFile
01:19:24 NtOpenFile
01:19:24 NtCreateFile
01:19:24 NtQueryAttributesFile
01:19:24 NtOpenFile
01:19:24 NtCreateFile
01:19:25 NtOpenFile
01:19:25 NtCreateFile
01:19:25 NtQueryAttributesFile
01:19:25 NtOpenFile
01:19:25 NtCreateFile
01:19:25 NtOpenFile
01:19:25 NtCreateFile
01:19:25 NtQueryAttributesFile
01:19:25 NtOpenFile
01:19:25 NtCreateFile
01:19:25 NtOpenFile
01:19:25 NtCreateFile
01:19:25 NtQueryAttributesFile
01:19:25 NtOpenFile
01:19:25 NtCreateFile
01:19:26 NtOpenFile
01:19:32 FindFirstFileExW 01:19:32 [ 2 times ]
01:19:32 NtCreateFile
01:19:32 NtQueryAttributesFile
01:19:32 NtOpenFile
01:19:32 NtCreateFile
01:19:32 NtOpenFile
01:19:32 NtCreateFile
01:19:32 NtQueryAttributesFile
01:19:32 NtOpenFile
01:19:32 NtCreateFile
01:19:32 NtOpenFile
01:19:32 NtCreateFile
01:19:32 NtQueryAttributesFile
01:19:32 NtOpenFile
01:19:32 NtCreateFile
01:19:33 NtOpenFile
01:19:33 NtCreateFile
01:19:33 NtQueryAttributesFile
01:19:33 NtOpenFile
01:19:33 NtCreateFile
01:19:33 NtOpenFile
01:19:33 NtCreateFile
01:19:33 NtQueryAttributesFile
01:19:33 NtOpenFile
01:19:33 NtCreateFile
01:19:33 NtOpenFile
01:19:33 NtCreateFile
01:19:33 NtQueryAttributesFile
01:19:33 NtOpenFile
01:19:33 NtCreateFile
01:19:34 NtOpenFile
01:19:34 NtCreateFile
01:19:34 NtQueryAttributesFile
01:19:34 NtOpenFile
01:19:34 NtCreateFile
01:19:34 NtOpenFile
01:19:34 NtCreateFile
01:19:34 NtQueryAttributesFile
01:19:34 NtOpenFile
01:19:34 NtCreateFile
01:19:34 NtOpenFile
01:19:34 NtCreateFile
01:19:34 NtQueryAttributesFile
01:19:34 NtOpenFile
01:19:34 NtCreateFile
01:19:40 NtOpenFile
01:19:40 NtCreateFile
01:19:40 NtQueryAttributesFile
01:19:40 NtOpenFile
01:19:40 NtCreateFile
01:19:40 connect
01:19:40 NtCreateFile
01:19:40 NtQueryAttributesFile
01:19:40 NtOpenFile
01:19:40 NtCreateFile
01:19:40 NtOpenFile
01:19:40 NtCreateFile
01:19:40 NtQueryAttributesFile
01:19:40 NtOpenFile
01:19:40 NtCreateFile
01:19:41 NtOpenFile
01:19:41 NtCreateFile
01:19:41 NtQueryAttributesFile
01:19:41 NtOpenFile
01:19:41 NtCreateFile 01:19:41 [ 2 times ]
01:19:41 NtQueryAttributesFile
01:19:41 NtOpenFile
01:19:41 NtCreateFile
01:19:41 NtOpenFile
01:19:41 NtCreateFile
01:19:41 NtQueryAttributesFile
01:19:41 NtOpenFile
01:19:41 NtCreateFile
01:19:41 NtOpenFile
01:21:10 connect 01:23:09 [ 5 times ]
PID 1704 01:16:59 Create Process The malicious file created a child process as firefox.exe (PPID 2112)
01:16:59 CreateRemoteThread
01:17:00 __anomaly__ 01:17:00 [ 3 times ]
PID 352 01:17:00 Create Process The malicious file created a child process as wininit.exe (PPID 304)
PID 460 01:17:00 Create Process The malicious file created a child process as services.exe (PPID 352)
01:17:37 Create Process
01:17:46 Create Process
01:18:04 Create Process
01:18:35 Create Process
01:18:47 Create Process
01:18:49 Create Process
PID 2184 01:17:47 Create Process The malicious file created a child process as mscorsvw.exe (PPID 460)
PID 1588 01:17:56 Create Process The malicious file created a child process as mscorsvw.exe (PPID 460)
PID 1660 01:18:14 Create Process The malicious file created a child process as sppsvc.exe (PPID 460)
01:19:46 RegOpenKeyExW
PID 892 01:18:50 Create Process The malicious file created a child process as sc.exe (PPID 460)
PID 2628 01:18:57 Create Process The malicious file created a child process as taskhost.exe (PPID 460)
PID 960 01:18:59 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 576 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 2152 01:17:01 Create Process The malicious file created a child process as WmiPrvSE.exe (PPID 576)
PID 692 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 760 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
01:18:18 RegCreateKeyExW
01:18:18 NtDelayExecution
01:18:34 GetLocalTime
01:18:38 GetSystemTimeAsFileTime
01:18:39 GetLocalTime 01:18:40 [ 2 times ]
01:18:41 GetSystemTimeAsFileTime
01:18:42 GetLocalTime 01:18:51 [ 4 times ]
01:18:51 GetSystemTimeAsFileTime 01:18:56 [ 3 times ]
01:19:00 GetLocalTime
01:19:02 GetSystemTimeAsFileTime 01:19:05 [ 3 times ]
01:19:07 NtQuerySystemTime 01:19:09 [ 2 times ]
01:19:10 GetLocalTime 01:19:12 [ 2 times ]
01:19:12 GetSystemTimeAsFileTime
01:19:15 GetLocalTime
01:19:16 GetSystemTimeAsFileTime 01:19:17 [ 2 times ]
01:19:19 GetLocalTime 01:19:26 [ 4 times ]
01:19:27 NtQuerySystemTime
01:19:29 GetLocalTime 01:19:33 [ 4 times ]
PID 844 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 1192 01:17:00 Create Process The malicious file created a child process as dwm.exe (PPID 844)
PID 872 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
01:19:46 Create Process
PID 1892 01:19:56 Create Process The malicious file created a child process as WMIADAP.exe (PPID 872)
01:20:00 NtDelayExecution
PID 1016 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 288 01:17:00 Create Process The malicious file created a child process as SbieSvc.exe (PPID 460)
PID 1056 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 1248 01:17:00 Create Process The malicious file created a child process as spoolsv.exe (PPID 460)
PID 1280 01:17:00 Create Process The malicious file created a child process as taskhost.exe (PPID 460)
PID 1296 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 1456 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 1628 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 2040 01:17:00 Create Process The malicious file created a child process as svchost.exe (PPID 460)
PID 636 01:17:04 Create Process The malicious file created a child process as VBoxService.exe (PPID 460)
PID 468 01:17:00 Create Process The malicious file created a child process as lsass.exe (PPID 352)
01:17:38 NtClose 01:19:20 [ 6 times ]
PID 476 01:17:00 Create Process The malicious file created a child process as lsm.exe (PPID 352)
PID 400 01:17:00 Create Process The malicious file created a child process as winlogon.exe (PPID 344)
PID 2196 01:17:01 Create Process The malicious file created a child process as explorer.exe (PPID 1600)
PID 2748 01:17:24 Create Process The malicious file created a child process as net.exe (PPID 3008)
01:17:25 __anomaly__ 01:17:25 [ 3 times ]
PID 980 01:17:26 Create Process The malicious file created a child process as net1.exe (PPID 2748)
01:17:26 __anomaly__ 01:17:26 [ 12 times ]
01:17:32 ControlService
PID 2744 01:17:25 Create Process The malicious file created a child process as conhost.exe (PPID 364)
Behavior Summary
ACCESSED FILES
C:\Users\user\AppData\Local\Temp\6861de29ec5dbf90d70e4a5775dd49db4bda27b5.dll
C:\Users\user\AppData\Local\Temp\6861de29ec5dbf90d70e4a5775dd49db4bda27b5.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\6861de29ec5dbf90d70e4a5775dd49db4bda27b5.dll.124.Manifest
C:\Users\user\AppData\Local\Temp\MSIMG32.dll
C:\Windows\System32\msimg32.dll
C:\Windows\SysWOW64\rundll32.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
C:\Windows\WindowsShell.Manifest
C:\
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yjhojifs.exe
C:\Program Files (x86)\Mozilla Firefox\complete.dat
D:\
C:\Program Files (x86)\Mozilla Firefox\dmlconf.dat
E:\
C:\*.*
C:\$Recycle.Bin\*.*
C:\$Recycle.Bin\S-1-5-21-2298303332-66077612-2598613238-1000\*.*
C:\Documents and Settings\*.*
C:\Program Files\*.*
C:\Program Files\7-Zip\*.*
C:\Program Files\7-Zip\7-zip.dll
C:\Program Files\7-Zip\7-zip32.dll
C:\Program Files\7-Zip\7z.dll
C:\Program Files\7-Zip\7z.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\7-Zip\Lang\*.*
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Application Verifier\*.*
C:\Program Files\Application Verifier\vrfauto.dll
C:\Program Files\Common Files\*.*
C:\Program Files\Common Files\Microsoft Shared\*.*
C:\Program Files\Common Files\Microsoft Shared\Filters\*.*
C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll
C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll
C:\Program Files\Common Files\Microsoft Shared\ink\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll
C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe
C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll
C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll
C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\*.*
C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
READ REGISTRY KEYS
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\6861de29ec5dbf90d70e4a5775dd49db4bda27b5.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName
HKEY_CURRENT_USER\Software\Classes\http\shell\open\command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
MODIFIED FILES
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yjhojifs.exe
C:\Program Files (x86)\Mozilla Firefox\dmlconf.dat
C:\Program Files\7-Zip\7-zip.dll
C:\Program Files\7-Zip\7-zip32.dll
C:\Program Files\7-Zip\7z.dll
C:\Program Files\7-Zip\7z.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Application Verifier\vrfauto.dll
C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll
C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll
C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll
C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe
C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll
C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll
C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll
C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll
C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll
C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll
C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll
C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll
C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll
C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll
C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\msxml5r.dll
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\msoshext.dll
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLED.EXE
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll
C:\Program Files\Common Files\System\ado\msader15.dll
C:\Program Files\Common Files\System\ado\msado15.dll
C:\Program Files\Common Files\System\ado\msadomd.dll
C:\Program Files\Common Files\System\ado\msador15.dll
C:\Program Files\Common Files\System\ado\msadox.dll
C:\Program Files\Common Files\System\ado\msadrh15.dll
C:\Program Files\Common Files\System\DirectDB.dll
C:\Program Files\Common Files\System\msadc\msadce.dll
C:\Program Files\Common Files\System\msadc\msadcer.dll
C:\Program Files\Common Files\System\msadc\msadcf.dll
C:\Program Files\Common Files\System\msadc\msadcfr.dll
C:\Program Files\Common Files\System\msadc\msadco.dll
C:\Program Files\Common Files\System\msadc\msadcor.dll
C:\Program Files\Common Files\System\msadc\msadcs.dll
RESOLVED APIS
lpk.dll.LpkEditControl
kernel32.dll.GetModuleHandleA
kernel32.dll.FreeLibrary
kernel32.dll.OpenMutexA
kernel32.dll.CloseHandle
kernel32.dll.CreateFileA
kernel32.dll.WriteFile
kernel32.dll.GetModuleFileNameA
kernel32.dll.CreateProcessA
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.GetVolumeInformationA
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.VirtualFreeEx
kernel32.dll.lstrlenA
kernel32.dll.GetProcAddress
kernel32.dll.GetCommandLineA
kernel32.dll.MultiByteToWideChar
user32.dll.EndDeferWindowPos
user32.dll.ClientThreadSetup
user32.dll.SetParent
kernel32.dll.VirtualAlloc
ntdll.dll.ZwQuerySystemInformation
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
kernel32.dll.ExitProcess
advapi32.dll.RegOpenKeyA
user32.dll.wsprintfA
kernel32.dll.FindFirstFileA
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetCurrentThreadId
kernel32.dll.GlobalAlloc
kernel32.dll.MapViewOfFile
kernel32.dll.OpenFileMappingA
kernel32.dll.OpenThread
kernel32.dll.FindClose
kernel32.dll.ResumeThread
kernel32.dll.Sleep
kernel32.dll.SuspendThread
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.UnmapViewOfFile
kernel32.dll.VirtualAllocEx
kernel32.dll.VirtualProtectEx
kernel32.dll.WriteProcessMemory
kernel32.dll.lstrcpyA
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.CreateFileMappingA
kernel32.dll.ReadProcessMemory
advapi32.dll.OpenProcessToken
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.RegQueryValueExA
advapi32.dll.RegCloseKey
ntdll.dll.LdrLoadDll
ntdll.dll.LdrGetDllHandle
ntdll.dll.LdrGetProcedureAddress
ntdll.dll.RtlInitUnicodeString
ntdll.dll.RtlUnicodeStringToAnsiString
ntdll.dll.RtlFreeAnsiString
ntdll.dll.RtlInitString
ntdll.dll.RtlAnsiStringToUnicodeString
ntdll.dll.RtlFreeUnicodeString
ntdll.dll.ZwProtectVirtualMemory
ntdll.dll.RtlCreateUserThread
ntdll.dll.ZwFreeVirtualMemory
ntdll.dll.ZwDelayExecution
ntdll.dll.ZwQueryInformationProcess
ntdll.dll.ZwWriteVirtualMemory
kernel32.dll.EnterCriticalSection
DELETED FILES
C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log
C:\Windows\SoftwareDistribution\DataStore\Logs\res1.log
C:\Windows\SoftwareDistribution\DataStore\Logs\res2.log
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Windows\Microsoft.NET\ngenserviceclientlock.dat
C:\Windows\Microsoft.NET\ngenservice_pri0_lock.dat
C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat
C:\Windows\Microsoft.NET\ngenservice_pri2_lock.dat
REGISTRY KEYS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\6861de29ec5dbf90d70e4a5775dd49db4bda27b5.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName
HKEY_CLASSES_ROOT\http\shell\open\command
HKEY_CURRENT_USER\Software\Classes\http\shell\open\command\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
HKEY_LOCAL_MACHINE\Software\WASAntidot
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
EXECUTED COMMANDS
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sc.exe start w32time task_started
C:\Windows\system32\svchost.exe -k LocalService
\\?\C:\Windows\system32\wbem\WMIADAP.EXE wmiadap.exe /F /T /R
READ FILES
C:\Users\user\AppData\Local\Temp\6861de29ec5dbf90d70e4a5775dd49db4bda27b5.dll
C:\Users\user\AppData\Local\Temp\6861de29ec5dbf90d70e4a5775dd49db4bda27b5.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\6861de29ec5dbf90d70e4a5775dd49db4bda27b5.dll.124.Manifest
C:\Windows\System32\msimg32.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
C:\Windows\WindowsShell.Manifest
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Program Files (x86)\Mozilla Firefox\complete.dat
C:\Program Files (x86)\Mozilla Firefox\dmlconf.dat
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yjhojifs.exe
C:\Program Files\7-Zip\7-zip.dll
C:\Program Files\7-Zip\7-zip32.dll
C:\Program Files\7-Zip\7z.dll
C:\Program Files\7-Zip\7z.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Application Verifier\vrfauto.dll
C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll
C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll
C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll
C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe
C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll
C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll
C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll
C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll
C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll
C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll
C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll
C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll
C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll
C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll
C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll
C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\msxml5r.dll
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\msoshext.dll
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLED.EXE
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll
C:\Program Files\Common Files\System\ado\msader15.dll
C:\Program Files\Common Files\System\ado\msado15.dll
C:\Program Files\Common Files\System\ado\msadomd.dll
C:\Program Files\Common Files\System\ado\msador15.dll
C:\Program Files\Common Files\System\ado\msadox.dll
C:\Program Files\Common Files\System\ado\msadrh15.dll
C:\Program Files\Common Files\System\DirectDB.dll
MUTEXES
{7323EF67-E5EA-AF88-4B99-3490899FBDE9}
{7323F55E-E5EA-AF88-4B99-3490899FBDE9}
{7323FB75-E5EA-AF88-4B99-349091DFBDE9}
{7323F244-E5EA-AF88-4B99-3490899FBDE9}
{7323FB75-E5EA-AF88-4B99-34909003BDE9}
{7323FB75-E5EA-AF88-4B99-34909047BDE9}
{732400A8-E5EA-AF88-4B99-3490899FBDE9}
{7323FB75-E5EA-AF88-4B99-3490899FBDE9}
{732400A8-E5EA-AF88-4B99-349089A3BDE9}
{7323FB75-E5EA-AF88-4B99-349089A3BDE9}
{732400A8-E5EA-AF88-4B99-34908A77BDE9}
{7323FB75-E5EA-AF88-4B99-34908A77BDE9}
{732400A8-E5EA-AF88-4B99-34908AD7BDE9}
{7323FB75-E5EA-AF88-4B99-34908AD7BDE9}
{732400A8-E5EA-AF88-4B99-34908AFFBDE9}
{7323FB75-E5EA-AF88-4B99-34908AFFBDE9}
{732400A8-E5EA-AF88-4B99-34908B0BBDE9}
{7323FB75-E5EA-AF88-4B99-34908B0BBDE9}
{732400A8-E5EA-AF88-4B99-34908B2FBDE9}
{7323FB75-E5EA-AF88-4B99-34908B2FBDE9}
{732400A8-E5EA-AF88-4B99-34908B6BBDE9}
{7323FB75-E5EA-AF88-4B99-34908B6BBDE9}
{732400A8-E5EA-AF88-4B99-34908B73BDE9}
{7323FB75-E5EA-AF88-4B99-34908B73BDE9}
{732400A8-E5EA-AF88-4B99-34908B7BBDE9}
{7323FB75-E5EA-AF88-4B99-34908B7BBDE9}
{732400A8-E5EA-AF88-4B99-34908BDFBDE9}
{7323FB75-E5EA-AF88-4B99-34908BDFBDE9}
{732400A8-E5EA-AF88-4B99-34908C53BDE9}
{7323FB75-E5EA-AF88-4B99-34908C53BDE9}
{732400A8-E5EA-AF88-4B99-34908C97BDE9}
{7323FB75-E5EA-AF88-4B99-34908C97BDE9}
{732400A8-E5EA-AF88-4B99-34908CEBBDE9}
{7323FB75-E5EA-AF88-4B99-34908CEBBDE9}
{732400A8-E5EA-AF88-4B99-34908D07BDE9}
{7323FB75-E5EA-AF88-4B99-34908D07BDE9}
{732400A8-E5EA-AF88-4B99-34908D57BDE9}
{7323FB75-E5EA-AF88-4B99-34908D57BDE9}
{732400A8-E5EA-AF88-4B99-34908D97BDE9}
{7323FB75-E5EA-AF88-4B99-34908D97BDE9}
{732400A8-E5EA-AF88-4B99-34908ABFBDE9}
{7323FB75-E5EA-AF88-4B99-34908ABFBDE9}
{732400A8-E5EA-AF88-4B99-34908DBFBDE9}
{7323FB75-E5EA-AF88-4B99-34908DBFBDE9}
{732400A8-E5EA-AF88-4B99-34908E47BDE9}
{7323FB75-E5EA-AF88-4B99-34908E47BDE9}
{732400A8-E5EA-AF88-4B99-34908E7FBDE9}
{7323FB75-E5EA-AF88-4B99-34908E7FBDE9}
{732400A8-E5EA-AF88-4B99-34908E9FBDE9}
{7323FB75-E5EA-AF88-4B99-34908E9FBDE9}
{732400A8-E5EA-AF88-4B99-34908EAFBDE9}
{7323FB75-E5EA-AF88-4B99-34908EAFBDE9}
{732400A8-E5EA-AF88-4B99-34908F4FBDE9}
{7323FB75-E5EA-AF88-4B99-34908F4FBDE9}
{732400A8-E5EA-AF88-4B99-34908FFBBDE9}
{7323FB75-E5EA-AF88-4B99-34908FFBBDE9}
{732400A8-E5EA-AF88-4B99-34909197BDE9}
{7323FB75-E5EA-AF88-4B99-34909197BDE9}
{732400A8-E5EA-AF88-4B99-34909207BDE9}
{7323FB75-E5EA-AF88-4B99-34909207BDE9}
{732400A8-E5EA-AF88-4B99-34909233BDE9}
{7323FB75-E5EA-AF88-4B99-34909233BDE9}
{732400A8-E5EA-AF88-4B99-34909593BDE9}
{7323FB75-E5EA-AF88-4B99-34909593BDE9}
{732400A8-E5EA-AF88-4B99-349091DFBDE9}
{732400A8-E5EA-AF88-4B99-34909003BDE9}
{732400A8-E5EA-AF88-4B99-3490945BBDE9}
{7323FB75-E5EA-AF88-4B99-3490945BBDE9}
{732400A8-E5EA-AF88-4B99-34909457BDE9}
{7323FB75-E5EA-AF88-4B99-34909457BDE9}
{732400A8-E5EA-AF88-4B99-34908D73BDE9}
{7323FB75-E5EA-AF88-4B99-34908D73BDE9}
{732400A8-E5EA-AF88-4B99-34909227BDE9}
{7323FB75-E5EA-AF88-4B99-34909227BDE9}
{732400A8-E5EA-AF88-4B99-34908FD3BDE9}
{7323FB75-E5EA-AF88-4B99-34908FD3BDE9}
MODIFIED REGISTRY KEYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\Type
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\cval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiSpywareOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{88A68406-5E7C-4414-964E-1D6D4748182C}\Connection\PnpInstanceID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\SelfUpdateStatus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\SelfupdateUnmanaged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\RebootWatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\NextSqmReportTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\{88A68406-5E7C-4414-964E-1D6D4748182C}
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\6D\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ServiceSessionId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemaining
Network Behavior
NETWORK PORT DISTRIBUTION (by destination port): 53 (UDP) 72.22%, 5355 (UDP) 16.67%, 137 (UDP) 5.56%, 3702 (UDP) 5.56%
CONTACTED IPS
Name | IP | Country | ASN | ASN Name | Trigger Process Type
- | 8.8.4.4 | United States | 15169 | Level 3 Parent, LLC | Malware Process
- | 8.8.8.8 | United States | 15169 | Level 3 Parent, LLC | Malware Process
- | 172.217.7.206 | United States | 15169 | Google LLC | Malware Process
rtvwerjyuver.com | 45.55.36.236 | United States | 14061 | DigitalOcean, LLC | Malware Process
supnewdmn.com | 82.112.184.197 | Russian Federation | 43267 | "Vysokie tehnologii" LLC, our… | Malware Process
tvrstrynyvwstrtve.com | 130.211.22.95 | United States | 15169 | Google LLC | Malware Process
google.com | 172.217.10.78 | United States | 15169 | Google LLC | Malware Process
DNS QUERIES
Request | Type | Answers
google.com | A | 172.217.7.206 (A)
supnewdmn.com | A | 82.112.184.197 (A)
tvrstrynyvwstrtve.com | A | 130.211.22.95 (A)
rtvwerjyuver.com | A | 45.55.36.236 (A)
wqerveybrstyhcerveantbe.com | A |
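Four of the five names queried above are lexically unlike anything a person registers, and the fifth got no answer at all; that two of them resolved into Google and DigitalOcean address space says nothing on its own, since both host arbitrary tenants. The following Python is an added example, not part of the sandbox report: it runs two cheap pronounceability heuristics over the queried names (longest consonant run, vowel ratio) plus a no-answer check, as a first-pass triage of a sandbox DNS log. The thresholds and the single-label public suffix assumption in `registrable_label` are choices made for this example and are marked as such in the code; the query list is constructed from the table above, not read from a capture.

```python
# Constructed from the DNS QUERIES table above, not from a capture file:
# (queried name, record type, answer, or "" when the sandbox logged no answer).
SAMPLE_QUERIES = [
    ("google.com", "A", "172.217.7.206"),
    ("supnewdmn.com", "A", "82.112.184.197"),
    ("tvrstrynyvwstrtve.com", "A", "130.211.22.95"),
    ("rtvwerjyuver.com", "A", "45.55.36.236"),
    ("wqerveybrstyhcerveantbe.com", "A", ""),
]

VOWELS = frozenset("aeiou")


def registrable_label(name: str) -> str:
    """Second-level label of a name. Assumes a single-label public suffix such as .com;
    a real deployment would consult the Public Suffix List instead."""
    parts = name.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label: str) -> int:
    """Length of the longest run of consonant letters ('y' counts as a consonant)."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(label: str) -> float:
    """Fraction of the label's letters that are vowels (0.0 for a label with no letters)."""
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def lexical_flags(name: str, max_run: int = 4, min_vowel_ratio: float = 0.2) -> list:
    """Pronounceability heuristics. The thresholds are tuning assumptions chosen so that
    ordinary English-like labels pass; this is not a trained DGA classifier."""
    label = registrable_label(name)
    flags = []
    if longest_consonant_run(label) >= max_run:
        flags.append("consonant_run")
    if vowel_ratio(label) < min_vowel_ratio:
        flags.append("low_vowel_ratio")
    return flags


def triage(queries) -> list:
    """Return (name, lexical flags, unresolved) for each query that is lexically odd or
    got no answer; everything else is dropped from the review list."""
    out = []
    for name, _qtype, answer in queries:
        flags, unresolved = lexical_flags(name), answer == ""
        if flags or unresolved:
            out.append((name, flags, unresolved))
    return out


if __name__ == "__main__":
    for name, flags, unresolved in triage(SAMPLE_QUERIES):
        print(f"{name:<30} {','.join(flags) or '-':<28} {'NO ANSWER' if unresolved else ''}")
```

Run as a script it lists the four names worth a closer look and leaves google.com out; feed it the DNS section of any sandbox run (name, type, answer) and review the flagged names against passive DNS before treating them as C2.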
UDP PACKETS
Call Time During Execution (sec) | Source IP | Dest IP | Dest Port
3.25094199181 | Sandbox | 192.168.56.255 | 137
3.29575896263 | Sandbox | 224.0.0.252 | 5355
3.29668283463 | Sandbox | 224.0.0.252 | 5355
3.74676179886 | Sandbox | 239.255.255.250 | 3702
5.85957193375 | Sandbox | 224.0.0.252 | 5355
7.01392388344 | Sandbox | 8.8.4.4 | 53
7.03043484688 | Sandbox | 8.8.4.4 | 53
17.5350430012 | Sandbox | 8.8.4.4 | 53
39.5401949883 | Sandbox | 8.8.4.4 | 53
86.2801599503 | Sandbox | 8.8.4.4 | 53
107.607426882 | Sandbox | 8.8.4.4 | 53
140.601098776 | Sandbox | 8.8.4.4 | 53
140.698531866 | Sandbox | 8.8.8.8 | 53
143.873055935 | Sandbox | 8.8.4.4 | 53
144.87298584 | Sandbox | 8.8.8.8 | 53
167.421141863 | Sandbox | 8.8.4.4 | 53
327.545978785 | Sandbox | 8.8.4.4 | 53
376.56030488 | Sandbox | 8.8.4.4 | 53
DETAILED FILE INFO
CREATED / DROPPED FILES
FILE PATH TYPE AND HASHES
MATCH YARA RULES
MATCH RULES
anti_dbg
screenshot
keylogger
win_registry
win_files_operation
win_hook
STATIC FILE INFO
File Name: None
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
SHA1: 6861de29ec5dbf90d70e4a5775dd49db4bda27b5
MD5: 5826adee56d18c0a8338551f4d40cf0f
First Seen Date: 2018-11-30 15:09:47.472816 ( 3 months ago )
Number Of Clients Seen: 1
Last Analysis Date: 2018-11-30 15:09:47.472816 ( 3 months ago )
Human Expert Analysis Result: No human expert analysis verdict given to this sample yet.
ADDITIONAL FILE INFORMATION
PE Headers
PROPERTY: VALUE
Magic Literal Enum: 22
File Type Enum: 6
Debug Artifacts: Path C:\projects\newblue\ReworkedSKU\NBCustomUI\Release\NBCustomUI.pdb; GUID {db93b8c3-cdcd-455c-b57e-64ed0e8ed169}; timestamp 2016-06-02 11:49:25
Number Of Sections: 6
Trid: 46.3% Win32 Executable MS Visual C++ (generic); 41.0% Win64 Executable (generic); 6.6% Win32 Executable (generic); 2.9% Generic Win/DOS Executable; 2.9% DOS Executable Generic
Compilation Time Stamp: 0x57501D45 [Thu Jun 2 11:49:25 2016 UTC]
LegalCopyright: TODO: (c)
InternalName: NBCustomUI.dll
FileVersion: 1.0.0.1
CompanyName: TODO:
ProductName: TODO:
ProductVersion: 1.0.0.1
FileDescription: TODO:
OriginalFilename: NBCustomUI.dll
Translation: 0x0409 0x04e4
Entry Point: 0x10bc3000 (.text)
Machine Type: Intel 386 or later - 32Bit
File Size: 12415863
Ssdeep: 196608:biDM9EXnYJz0nrvCccc/Y7y9+asp2qYiLCqdE+H1EyHbISIIhfleq+ltajNSzbXg:bM8EXnYJz0nrvK47qdE+H1EyHbISIIhR
Sha256: 378249e4dde5046f4cb71d5b2c22a169d38fa0c01220982a6ff06396db6d47f4
Exifinfo: EXE:FileSubtype 0; File:FilePermissions rw-r--r--; SourceFile /nfs/fvs/valkyrie_shared/core/valkyrie_files/6/8/6/1/6861de29ec5dbf90d70e4a5775dd49db4bda27b5; EXE:OriginalFileName NBCustomUI.dll; EXE:ProductName TODO:
Mime Type: application/x-dosexec
Imphash: dd2dccb0394b43efde55a45c1c6a6c67
PE Sections
NAME VIRTUAL ADDRESS VIRTUAL SIZE RAW SIZE ENTROPY MD5
.text 0x1000 0xa1af10 0xa1b000 6.58314349046 b73711462e8c07e228cfbffee68f8c4a
.rdata 0xa1c000 0x20100 0x20200 5.7112727938 03e7e4ba8c1cb726af36edd693fce710
.data 0xa3d000 0x1100c 0xf400 5.86806099391 723223ff2965f1336751fe5e16b60b26
.rsrc 0xa4f000 0x15ada8 0x15ae00 5.43105959589 c5799d7ab0e43a9ed5198f6c28ca7336
.reloc 0xbaa000 0x180c4 0x18200 5.45918541223 ecaaed0c4d97edc96ea63350873e28f3
.text 0xbc3000 0x1a000 0x19800 7.91657979549 b1867882ef0e97bf3bdc78c69761a94e
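The section table above carries the static footprint of a file infector: two sections named .text, the second one placed after .reloc at RVA 0xbc3000 with entropy 7.92 against 5.4 to 6.6 for the original sections, and the entry point 0x10bc3000 falling inside that appended section rather than the host's own code. The static import table below is consistent with that reading: it holds only GUI and CRT APIs, while the injection primitives (VirtualAllocEx, WriteProcessMemory, RtlCreateUserThread, ZwWriteVirtualMemory, AdjustTokenPrivileges) appear only in the runtime-resolved call list at the top of this section, resolved through LdrGetProcedureAddress. The following Python is an added example, not the sandbox's own code: it builds a small constructed PE32 DLL with exactly this section layout (section contents are synthetic fillers rather than the 12 MB sample, and the image base 0x10000000 is an assumption chosen so that ImageBase plus the entry RVA equals the listed 0x10bc3000), parses the headers with struct, and applies the entry-point checks an analyst would run on the real file. It generalizes beyond this sample: any PE32 image can be passed to `parse_pe32` and `infection_indicators`.

```python
import math
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a flat byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe32(buf: bytes) -> dict:
    """Minimal PE32 header walk: COFF header, entry point, image base and the section table."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (optional header magic 0x10b) is handled")
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]  # ImageBase is 32-bit in PE32
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, rawptr, flags = f[0], f[1], f[2], f[3], f[4], f[9]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "flags": flags,
                         "entropy": shannon_entropy(buf[rawptr:rawptr + rawsize])})
    return {"machine": machine, "timestamp": timestamp, "image_base": image_base,
            "entry_rva": entry_rva, "sections": sections}


def section_index_for_rva(sections: list, rva: int):
    """Index of the section whose virtual range contains rva, or None."""
    for i, s in enumerate(sections):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return i
    return None


def infection_indicators(pe: dict, entropy_threshold: float = 7.0) -> list:
    """Entry-point checks that fire on code a file infector appended to a host binary."""
    secs, ep = pe["sections"], pe["entry_rva"]
    idx = section_index_for_rva(secs, ep)
    if idx is None:
        return ["entry_point_outside_sections"]
    s, findings = secs[idx], []
    if idx == len(secs) - 1 and idx > 0:
        findings.append("entry_point_in_last_section")
    if any(o["name"] == s["name"] for o in secs[:idx]):
        findings.append("duplicate_section_name")
    if s["entropy"] >= entropy_threshold:
        findings.append("high_entropy_entry_section")
    if not s["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry_section_not_executable")
    if s["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry_section_writable")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 DLL with the section names, RVAs and virtual sizes of the table
    above; raw contents are synthetic 4 KiB fillers, so only layout and entropy matter."""
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    data = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    flat = bytes(range(256)) * 16   # entropy 8.0: the packed look of the appended .text
    plain = bytes(range(16)) * 256  # entropy 4.0: stands in for ordinary compiler output
    zeros = b"\0" * 0x1000          # entropy 0.0
    layout = [  # (name, VirtualAddress, VirtualSize, Characteristics, content)
        (b".text", 0x1000, 0xA1AF10, code, plain),
        (b".rdata", 0xA1C000, 0x20100, data, zeros),
        (b".data", 0xA3D000, 0x1100C, data | IMAGE_SCN_MEM_WRITE, zeros),
        (b".rsrc", 0xA4F000, 0x15ADA8, data, zeros),
        (b".reloc", 0xBAA000, 0x180C4, data, zeros),
        (b".text", 0xBC3000, 0x1A000, code, flat),  # second .text, appended after .reloc
    ]
    hdr_size = 0x400
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x57501D45, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0xBC3000)                   # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x10000000)                 # ImageBase: assumed, yields 0x10bc3000
    table, body = b"", b""
    for i, (name, va, vsize, flags, content) in enumerate(layout):
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(content),
                             hdr_size + i * 0x1000, 0, 0, 0, 0, flags)
        body += content
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header.ljust(hdr_size, b"\0") + body


if __name__ == "__main__":
    pe = parse_pe32(build_sample_pe())
    print([(s["name"], round(s["entropy"], 2)) for s in pe["sections"]])
    print(hex(pe["image_base"] + pe["entry_rva"]), infection_indicators(pe))
```

On the constructed image the three indicators that matter here all fire: entry point in the last section, a section name duplicated from earlier in the table, and entropy above the threshold at the entry section. On a real file, replace `build_sample_pe()` with the bytes read from disk; the entropy threshold of 7.0 is a common rule of thumb, not a hard boundary, so treat a single indicator as a prompt to look, and all three together as a strong sign the host binary was modified after linking.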
PE Imports
GDI32.dll: GetTextExtentPointW SetBkColor CreateFontIndirectW SetDIBits CreateCompatibleBitmap LineTo MoveToEx TextOutW CreatePen CreateFontIndirectA GetDeviceCaps GetTextExtentPoint32A CreateFontW CreateBitmapIndirect GetDIBits BitBlt GetPixel Rectangle RoundRect SetTextColor SetBkMode GetTextExtentExPointW GetTextExtentPoint32W DeleteDC DeleteObject SelectObject CreateCompatibleDC GetObjectW GetStockObject TextOutA CreateSolidBrush
USER32.dll: MessageBeep MessageBoxA UpdateWindow CloseClipboard DialogBoxParamW IsClipboardFormatAvailable CallNextHookEx IsWindowEnabled TranslateMessage LoadIconW GetAsyncKeyState GetScrollInfo GetClipboardData SystemParametersInfoW GetClassNameW EmptyClipboard ScrollWindow EndDialog LoadBitmapW SetWindowsHookExW OpenClipboard UnhookWindowsHookEx GetSystemMetrics IsWindowVisible SetClipboardData UnregisterHotKey DestroyIcon RegisterHotKey GetWindow SendMessageA SetScrollRange GetCapture SetScrollPos FrameRect SetScrollInfo GetScrollPos GetDesktopWindow GetClassInfoExW RegisterClassExW ShowWindow ScreenToClient LoadImageW TrackPopupMenuEx GetSysColor GetCursorPos CreatePopupMenu SetDlgItemTextW DestroyMenu GetDlgCtrlID CallWindowProcW ClientToScreen SetCursor SetTimer KillTimer GetDoubleClickTime GetDlgItemTextW MoveWindow DrawTextW GetParent GetWindowTextW IsWindow SetWindowTextW EndPaint DestroyWindow GetWindowRect FillRect SetCapture PostMessageW GetFocus LoadCursorW GetClientRect SetFocus BeginPaint PtInRect GetDC InvalidateRect GetWindowLongW ReleaseDC GetDlgItem SetWindowLongW SetWindowPos CreateWindowExW ReleaseCapture RegisterClassW SendMessageW EnableWindow DefWindowProcW AppendMenuW
MSIMG32.dll: AlphaBlend
COMCTL32.dll: _TrackMouseEvent InitCommonControlsEx
KERNEL32.dll: SetStdHandle WriteConsoleW GetConsoleOutputCP WriteConsoleA CreateFileA InitializeCriticalSectionAndSpinCount GetLocaleInfoA LoadLibraryA SetFilePointer GetSystemTimeAsFileTime GetCurrentProcessId GetEnvironmentStringsW FlushFileBuffers GetEnvironmentStrings FreeEnvironmentStringsA GetStartupInfoA GetFileType SetHandleCount HeapReAlloc VirtualAlloc VirtualFree HeapDestroy HeapCreate LCMapStringW LCMapStringA IsValidCodePage GetOEMCP GetACP GetCPInfo GetConsoleMode GetConsoleCP RtlUnwind ExitProcess HeapSize RaiseException GetModuleFileNameA GetStdHandle WriteFile SetLastError TlsFree TlsSetValue TlsAlloc TlsGetValue GetProcAddress GetModuleHandleW GetCommandLineA HeapAlloc HeapFree CreateThread ResumeThread GetLastError CloseHandle ExitThread IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter TerminateProcess GetStringTypeA GetStringTypeW ReadFile GetModuleHandleA FreeEnvironmentStringsW InterlockedIncrement InterlockedDecrement GetTickCount InitializeCriticalSection Sleep LeaveCriticalSection EnterCriticalSection DeleteCriticalSection MulDiv GlobalLock GlobalAlloc GlobalUnlock GlobalFree LocalAlloc GetCurrentThreadId GetCurrentProcess QueryPerformanceCounter lstrcpyA MultiByteToWideChar WideCharToMultiByte
COMDLG32.dll: ChooseColorW
ADVAPI32.dll: RegCloseKey RegOpenKeyExA RegCreateKeyExA RegQueryValueExA RegSetValueExA
PE Exports
CanUnloadDLLNow GetCustomUIInterface
PE Resources
{u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10814376, u'sha256': u'e097bb5d2b1f701942f9d8362e7555eb8a88cf0aa1a4d37f22cf84b5b6b77605', u'type': u'AmigaOS bitmap font', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10814684, u'sha256': u'fbeb3be87e80cb8e1d2af3d8140796c1bb80c6c7056f60897088ff9e355c3867', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10814992, u'sha256': u'f64ccc0582bc7c66af8b40049e485e8e241335261ec95ace909293ba50b2e4a3', u'type': u'data', u'size': 180} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10815172, u'sha256': u'652988945185cf5d604d9b48de66288d82d8ed0acdd134398e90d002d2d9fc72', u'type': u'AmigaOS bitmap font', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10815480, u'sha256': u'0b0e16c38a3d5a85566e67b1d9a7e720e4dee27e163b06099d3d7dfa5dbed9ee', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10815788, u'sha256': u'368f9cb089d206a8b61251f0c85eeda97ee08a56b33be8579246e964d3af6169', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10816096, u'sha256': u'6440c3a38dcfb81d45bc6be31b776fdae116dd7a2933b407b67132f6cfa0e6eb', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10816404, u'sha256': u'9882a8462ce9de3cc9a5d0ca48c8c4f7ca97f1f846f0c10e6655e33c9734b152', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10816712, u'sha256': u'322e92d75b3fec9e16b81466f4cf111d298b80812d5b238f4ee032c025a02050', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10817020, u'sha256': u'8db6df648274a0fc3d28430367216e1c17c364ca613066cbb0e133637e92ba62', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10817328, u'sha256': 
u'f9c81ce9b4176b305c554a15f0ca2b98b11be76c1f13ef22169999aa07e9612f', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10817636, u'sha256': u'601635482a9b1864ea0c61ce0282c5c9fe1d014aa95dbb4f60770f1c2b6df3da', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10817944, u'sha256': u'2bf742d2beb4c56dd6eb68347dd8ee28da85bed9e6d165b36c6edb91da01d5d6', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10818252, u'sha256': u'cfc4ff9e46fbb61f61b68f36adc6593b137233d1cbaa50fe37e5653f0cb20396', u'type': u'AmigaOS bitmap font', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10818560, u'sha256': u'c4a6e3a7a346baecb09a0c49268eb44f388382a7866a4e912b53d48fa3b34c26', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10818868, u'sha256': u'f273e554605a89aa0994c9d42bc2569be3db5b19b2900dacb30f3218ed1174a0', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_CURSOR', u'offset': 10819176, u'sha256': u'ebaf4bcc0f0d7ca9a3458ea52520d2dd10811069241940b9b2e79ac1a4c3ca5c', u'type': u'data', u'size': 308} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 10819484, u'sha256': u'994820eb032a4713ad4c85c1a646cfee17f409c97fca687840725c9e3222c5ba', u'type': u'data', u'size': 16168} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 10835652, u'sha256': u'ada7a35b8424e3249555e01d8325c1a8ae946b432c07b01efe04b95a66d36f18', u'type': u'data', u'size': 9448} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 10845100, u'sha256': u'1ce78d02f9570b39daded830e793d47b9d12f3b9531d5c73a1187b3a37287059', u'type': u'data', u'size': 9448} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 10854548, u'sha256': u'f0e47948e8a5ffb6a8a2ff2a700b2c7b72131000e18ce7f42a4f3608d5543799', u'type': u'data', u'size': 89142} {u'lang': u'LANG_ENGLISH', u'name': 
u'RT_BITMAP', u'offset': 10943692, u'sha256': u'2f7f8fc0b84ca914c1b633de352d0ec40b7f4b9083bfebb6c60161dd9e11588f', u'type': u'data', u'size': 78322} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11022016, u'sha256': u'f9c0943f13bd060aa86dfa970b17da69b10bb5dd9834bdcdc2df619fb04432e5', u'type': u'data', u'size': 24232} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11046248, u'sha256': u'4825ceef4d3af7c3dcd9fdfdecdbc49006441bd338082479dcf0bf61fedf2fba', u'type': u'data', u'size': 75690} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11121940, u'sha256': u'1394e62313f7766f6b6dae81d0adccaefb2938aa4513d111b3a90f89839e8c79', u'type': u'data', u'size': 414762} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11536704, u'sha256': u'e696da1f7f10075ffcab9c6a93cf1f45b281a193d72dbdd24920e55fa905668d', u'type': u'data', u'size': 30952}
{u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11567656, u'sha256': u'92332c429ca677b7390b107333a9655e66020060564c9e8b108b9c71f770ad67', u'type': u'data', u'size': 3928} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11571584, u'sha256': u'333e710a9cc08ca69b27027c5c3e7d15fb06e3a7cd0f227fc23e8c58d34db216', u'type': u'data', u'size': 41224} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11612808, u'sha256': u'a29fde99eec21b9976c987b8d9e639864f071c021c367b7d20dd31827d3ce7a7', u'type': u'data', u'size': 9450} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11622260, u'sha256': u'2548f0c54010a8793af3db71fa561651e55d6140a150e65bbc38208b4e0feba8', u'type': u'data', u'size': 9450} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11631712, u'sha256': u'0011546890d970f211bca962d3bc3ca50251ba9837c090bbf5381c1ae6ceb52d', u'type': u'data', u'size': 7096} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11638808, u'sha256': u'9d65f5e318647259af278afa4065deee19ceee19343b86edcdb80b75dde4a57b', u'type': u'data', u'size': 90040} {u'lang': u'LANG_ENGLISH', u'name': u'RT_BITMAP', u'offset': 11728848, u'sha256': u'a55e2ad8ce03285bf0a9a47bd49e8fbc8d0ea7541b1874d149e02c3dc0b9f37c', u'type': u'data', u'size': 90040} {u'lang': u'LANG_RUSSIAN', u'name': u'RT_BITMAP', u'offset': 11818888, u'sha256': u'5e488554f91af172a647eee15f5a90851e475626b1ce6dd7d6a30a9dfef618b7', u'type': u'data', u'size': 65322} {u'lang': u'LANG_RUSSIAN', u'name': u'RT_BITMAP', u'offset': 11884212, u'sha256': u'ccb4e5f15df677840348705b5fa3488a84d83c6542913ea122d4190cbf6f5b95', u'type': u'data', u'size': 28456} {u'lang': u'LANG_RUSSIAN', u'name': u'RT_BITMAP', u'offset': 11912668, u'sha256': u'bea766d080c425062768a7fae87956baf588f95ee78d799b91c8c9fcbdd7061d', u'type': u'data', u'size': 28456} {u'lang': u'LANG_RUSSIAN', u'name': u'RT_BITMAP', u'offset': 11941124, u'sha256': u'b06c4f1b4c94d691bc610015dac2d98bb852a3b7b95bed9b03b9cb271b021395', 
CERTIFICATE VALIDATION
- Certificate Validation is not Applicable
SCREENSHOTS