魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2020-11-30 10:34:20 | 2020-11-30 10:36:26 | 126 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2020-11-30 10:34:20 | 2020-11-30 10:36:27 |
| 魔盾分数 |
|---|
10.0Trik |
文件详细信息
| 文件名 | 123.exe |
|---|---|
| 文件大小 | 198656 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 3F01637A |
| MD5 | 6286813e23f3d047d8fb7038c9191990 |
| SHA1 | a2f0c6c05225e4b10afc2c92ca24ab86df81d776 |
| SHA256 | c16b53acd39eec526698c8e4e90956880b1cdd30554d08086fe94b833ee3a5b3 |
| SHA512 | 7c3e17211c2cd1c46f76deea2fffc05a6356a2ce37c987a78e1308970d1d000acfc9e556005e387aab1eb24d27e2be23ec72236b0e1d7058e7af2bdc57cdf7f6 |
| Ssdeep | 3072:JARzrYec4BUlCKpwwza0u4BNSAx1n5ez+x6k:25ce7SCKpRwgrOCkk |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2020-09-23 18:52:20 扫描结果: 64/71 |
特征
创建RWX内存
魔盾安全Yara检测结果 - 普通
二进制文件可能包含加密或压缩数据
section: name: .text, entropy: 6.98, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0001a200, virtual_size: 0x0001a0a2
对一个无法找到的进程进行重复搜索,可能希望以startbrowser=1选项运行
创建一个隐藏文件或系统文件
file: C:\Windows\1681859112631159
file: C:\Windows\1681859112631159\winrvbb.exe
file: C:\Users\test\AppData\Roaming\winsvcs.txt
通过库文件检测是否存在Sandboxie系统
通过库文件检测是否存在SunBelt沙盒系统
将自己装载到Windows开机自动启动项目
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\1681859112631159\winrvbb.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\1681859112631159\winrvbb.exe
通过进程尝试长时间延迟分析任务
Process: winrvbb.exe tried to sleep 208 seconds, actually delayed analysis time by 0 seconds
尝试与一个交换数据流Alternate Data Stream (ADS)交互
file: C:\Users\test\AppData\Local\Temp\123.exe:Zone.Iduentifier
file: C:\Windows\1681859112631159\winrvbb.exe:Zone.Iduentifier
对本地防火墙的策略和设置进行操作
尝试禁止系统恢复
尝试更改或禁止安全中心报警
文件已被至少一个VirusTotal上的反病毒引擎检测为病毒
Bkav: W32.AIDetectVM.malware1
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.GenericKD.31994196
FireEye: Generic.mg.6286813e23f3d047
CAT-QuickHeal: Trojan.Mauvaise.SL1
ALYac: Trojan.GenericKD.31994196
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
AegisLab: Trojan.Win32.Trik.a!c
Sangfor: Malware
K7AntiVirus: Trojan ( 0054e5481 )
BitDefender: Trojan.GenericKD.31994196
K7GW: Trojan ( 0054e5481 )
Cybereason: malicious.e23f3d
TrendMicro: TROJ_GEN.R022C0DF220
BitDefenderTheta: Gen:NN.ZexaF.34254.mu0@aWM0iTc
Cyren: W32/Kryptik.ZE.gen!Eldorado
Symantec: Packed.Generic.525
APEX: Malicious
Avast: Other:Malware-gen [Trj]
ClamAV: Win.Packed.Os40444-7361867-0
Kaspersky: Trojan-Downloader.Win32.Trik.ed
Alibaba: TrojanDownloader:Win32/Skeeyah.b8842e98
NANO-Antivirus: Trojan.Win32.Trik.fqjewx
Rising: Worm.Phorpiex!8.48D (KTSE)
Ad-Aware: Trojan.GenericKD.31994196
Emsisoft: Trojan.GenericKD.31994196 (B)
Comodo: Malware@#2lni1nnzq9j9v
F-Secure: Trojan.TR/AD.Phorpiex.btjzy
DrWeb: Win32.HLLW.Autoruner2.49693
Zillya: Downloader.Trik.Win32.2
Invincea: Mal/Generic-R + Troj/AutoG-BO
McAfee-GW-Edition: BehavesLike.Win32.Sodinokibi.cm
Sophos: Troj/AutoG-BO
Ikarus: Trojan.Win32.Crypt
GData: Win32.Worm.Phorpiex.IPQWRG
Jiangmin: TrojanDownloader.Trik.t
Webroot: W32.Malware.gen
Avira: TR/AD.Phorpiex.btjzy
MAX: malware (ai score=100)
Antiy-AVL: Trojan/Win32.Fuerboos
Arcabit: Trojan.Generic.D1E83154
ZoneAlarm: Trojan-Downloader.Win32.Trik.ed
Microsoft: Trojan:Win32/CryptInject.YJ!MTB
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.Ransomcrypt.R272328
Acronis: suspicious
McAfee: Generic.bto
VBA32: TrojanDownloader.Trik
Malwarebytes: Trojan.MalPack.GS.Generic
Panda: Trj/WLT.E
Zoner: Trojan.Win32.80447
ESET-NOD32: Win32/Phorpiex.J
TrendMicro-HouseCall: TROJ_GEN.R022C0DF220
Tencent: Malware.Win32.Gencirc.116b3a34
Yandex: Trojan.DL.Trik!
SentinelOne: DFI - Suspicious PE
eGambit: Unsafe.AI_Score_94%
Fortinet: W32/Trik.ED!tr
MaxSecure: Trojan.Malware.74316719.susgen
AVG: Other:Malware-gen [Trj]
Paloalto: generic.ml
CrowdStrike: win/malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Downloader.e47
魔盾wping.org 域名信誉系统
Badlist: bafaejidjaiehfgsf.su
Badlist: agnediuaeuidhegsf.su
Badlist: nfbaeiudhaiedhhgf.su
Badlist: bafaejidjaiehfgso.su
Badlist: gaeuhaiuhfihehfsx.su
运行截图
网络分析
域名解析
| 域名 | 响应 |
|---|---|
| acroipm.adobe.com |
CNAME acroipm.adobe.com.edgesuite.net
A 104.123.71.146 CNAME a1983.dscd.akamai.net A 104.123.71.144 |
| ofhhusrugsrhgurhf.su | NXDOMAIN |
| usifusurfbbuguruf.su | |
| ohsufsiuesiuhuhgf.su | |
| bafaejidjaiehfgsf.su | |
| gaeuhaiuhfihehfsf.su | |
| gaeifiuheiuhauhdf.su | |
| gnnaneieaojoagisf.su | |
| iaefiazefgizagdgf.su | |
| agnediuaeuidhegsf.su | |
| aehfiaheifuedhgsf.su | |
| nfbaeiudhaiedhhgf.su | |
| ofhhusrugsrhgurhg.su | |
| usifusurfbbugurug.su | |
| ohsufsiuesiuhuhgg.su | |
| bafaejidjaiehfgsg.su | |
| gaeuhaiuhfihehfsg.su | |
| gaeifiuheiuhauhdg.su | |
| gnnaneieaojoagisg.su | |
| iaefiazefgizagdgg.su | |
| agnediuaeuidhegsg.su | |
| aehfiaheifuedhgsg.su | |
| ofhhusrugsrhgurho.su | |
| usifusurfbbuguruo.su | |
| ohsufsiuesiuhuhgo.su | |
| bafaejidjaiehfgso.su | |
| gaeuhaiuhfihehfso.su | |
| gaeifiuheiuhauhdo.su | |
| gnnaneieaojoagiso.su | |
| iaefiazefgizagdgo.su | |
| agnediuaeuidhegso.su | |
| aehfiaheifuedhgso.su | |
| ofhhusrugsrhgurhx.su | |
| usifusurfbbugurux.su | |
| ohsufsiuesiuhuhgx.su | |
| bafaejidjaiehfgsx.su | |
| gaeuhaiuhfihehfsx.su | |
| gaeifiuheiuhauhdx.su | |
| gnnaneieaojoagisx.su | |
| iaefiazefgizagdgx.su | |
| agnediuaeuidhegsx.su |
TCP连接
| IP地址 | 端口 |
|---|---|
| 104.123.71.144 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
ICMP请求
| 源地址 | 目标地址 | ICMP类型 | ICMP数据 |
|---|---|---|---|
| 95.81.1.43 | 192.168.122.201 | 3 |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00404d3d |
| 声明校验值 | 0x00031b52 |
| 实际校验值 | 0x00031b52 |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2018-03-23 17:38:04 |
| 载入哈希 | 5b00d590482218bc14b27f2e39c85e2c |
| 图标 |  |
| 图标精确哈希值 | f31cb7ab73a020bb48c60bc27a08415a |
| 图标相似性哈希值 | 9726c6f81782494b62c96defde1f1d66 |
版本信息
| LegalCopyright: | Copyright (C) 2019, zfgdhg |
| InternalName: | twugga6o.uxe |
| ProductVersion: | 1.0.2.13 |
| Translation: | 0x00c9 0x00a6 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0001a0a2 | 0x0001a200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.98 |
| .rdata | 0x0001c000 | 0x00005cec | 0x00005e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.03 |
| .data | 0x00022000 | 0x02bff7e0 | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.74 |
| .rsrc | 0x02c22000 | 0x00002e30 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.37 |
| .reloc | 0x02c25000 | 0x0000ac50 | 0x0000ae00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 1.20 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x02c24c78 | 0x00000002 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 1.00 | data |
| FASANOMOVEGISOVUCI | 0x02c24398 | 0x000008d0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.58 | ASCII text, with very long lines, with no line terminators |
| RT_ICON | 0x02c239e0 | 0x00000988 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.84 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x02c239e0 | 0x00000988 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.84 | dBase III DBT, version number 0, next free block index 40 |
| RT_ICON | 0x02c239e0 | 0x00000988 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.84 | dBase III DBT, version number 0, next free block index 40 |
| RT_GROUP_ICON | 0x02c24368 | 0x00000030 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.55 | MS Windows icon resource - 3 icons, 24x24 |
| RT_VERSION | 0x02c24c80 | 0x000001b0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.33 | data |
| None | 0x02c24c68 | 0x0000000a | LANG_NEUTRAL | SUBLANG_NEUTRAL | 2.32 | data |
导入
库 KERNEL32.dll:
• 0x41c000 - CreateFileA
• 0x41c004 - WriteConsoleOutputW
• 0x41c008 - GetCurrentProcess
• 0x41c00c - GetLocaleInfoW
• 0x41c010 - IsBadStringPtrA
• 0x41c014 - GetStringTypeExA
• 0x41c018 - GetProcAddress
• 0x41c01c - LoadLibraryA
• 0x41c020 - LocalAlloc
• 0x41c024 - GetModuleFileNameA
• 0x41c028 - GetModuleHandleA
• 0x41c02c - IsDebuggerPresent
• 0x41c030 - WriteConsoleOutputAttribute
• 0x41c034 - QueryDepthSList
• 0x41c038 - InterlockedIncrement
• 0x41c03c - InterlockedDecrement
• 0x41c040 - Sleep
• 0x41c044 - InitializeCriticalSection
• 0x41c048 - DeleteCriticalSection
• 0x41c04c - EnterCriticalSection
• 0x41c050 - LeaveCriticalSection
• 0x41c054 - GetLastError
• 0x41c058 - HeapFree
• 0x41c05c - HeapAlloc
• 0x41c060 - TerminateProcess
• 0x41c064 - UnhandledExceptionFilter
• 0x41c068 - SetUnhandledExceptionFilter
• 0x41c06c - GetCommandLineA
• 0x41c070 - GetStartupInfoA
• 0x41c074 - RtlUnwind
• 0x41c078 - RaiseException
• 0x41c07c - LCMapStringA
• 0x41c080 - WideCharToMultiByte
• 0x41c084 - MultiByteToWideChar
• 0x41c088 - LCMapStringW
• 0x41c08c - GetCPInfo
• 0x41c090 - HeapCreate
• 0x41c094 - VirtualFree
• 0x41c098 - VirtualAlloc
• 0x41c09c - HeapReAlloc
• 0x41c0a0 - GetModuleHandleW
• 0x41c0a4 - ExitProcess
• 0x41c0a8 - WriteFile
• 0x41c0ac - GetStdHandle
• 0x41c0b0 - TlsGetValue
• 0x41c0b4 - TlsAlloc
• 0x41c0b8 - TlsSetValue
• 0x41c0bc - TlsFree
• 0x41c0c0 - SetLastError
• 0x41c0c4 - GetCurrentThreadId
• 0x41c0c8 - HeapSize
• 0x41c0cc - FreeEnvironmentStringsA
• 0x41c0d0 - GetEnvironmentStrings
• 0x41c0d4 - FreeEnvironmentStringsW
• 0x41c0d8 - GetEnvironmentStringsW
• 0x41c0dc - SetHandleCount
• 0x41c0e0 - GetFileType
• 0x41c0e4 - QueryPerformanceCounter
• 0x41c0e8 - GetTickCount
• 0x41c0ec - GetCurrentProcessId
• 0x41c0f0 - GetSystemTimeAsFileTime
• 0x41c0f4 - GetACP
• 0x41c0f8 - GetOEMCP
• 0x41c0fc - IsValidCodePage
• 0x41c100 - GetUserDefaultLCID
• 0x41c104 - GetLocaleInfoA
• 0x41c108 - EnumSystemLocalesA
• 0x41c10c - IsValidLocale
• 0x41c110 - GetStringTypeA
• 0x41c114 - GetStringTypeW
• 0x41c118 - InitializeCriticalSectionAndSpinCount
库 MSIMG32.dll:
• 0x41c120 - AlphaBlend
• 0x41c124 - GradientFill
投放文件
行为分析
互斥量(Mutexes)
- 959505030340
执行的命令
- C:\Windows\1681859112631159\winrvbb.exe
创建的服务
无信息
启动的服务
无信息
进程
123.exe PID: 2316, 上一级进程 PID: 2160
winrvbb.exe PID: 2472, 上一级进程 PID: 2316
访问的文件
- C:\Users\test\AppData\Local\Temp\123.exe:Zone.Iduentifier
- C:\Windows\1681859112631159
- C:\Users\test\AppData\Local\Temp\123.exe
- C:\Windows\1681859112631159\winrvbb.exe
- C:\Windows\1681859112631159\winrvbb.exe:Zone.Iduentifier
- C:\Users\test\AppData\Roaming\winsvcs.txt
- \Device\KsecDD
读取的文件
- C:\Users\test\AppData\Local\Temp\123.exe
- C:\Windows\1681859112631159\winrvbb.exe
- \Device\KsecDD
修改的文件
- C:\Windows\1681859112631159\winrvbb.exe
- C:\Users\test\AppData\Roaming\winsvcs.txt
删除的文件
- C:\Users\test\AppData\Local\Temp\123.exe:Zone.Iduentifier
- C:\Windows\1681859112631159\winrvbb.exe:Zone.Iduentifier
注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
读取的注册表键
无信息
修改的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
删除的注册表键
无信息
API解析
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.IsProcessorFeaturePresent
- kernel32.dll.GlobalAlloc
- kernel32.dll.VirtualProtect
- kernel32.dll.LoadLibraryA
- kernel32.dll.VirtualAlloc
- kernel32.dll.VirtualFree
- kernel32.dll.GetVersionExA
- kernel32.dll.TerminateProcess
- kernel32.dll.ExitProcess
- kernel32.dll.SetErrorMode
- msvcrt.dll._controlfp
- msvcrt.dll._except_handler3
- msvcrt.dll.__set_app_type
- msvcrt.dll.__p__fmode
- msvcrt.dll.isalpha
- msvcrt.dll.__p__commode
- msvcrt.dll._adjust_fdiv
- msvcrt.dll.__setusermatherr
- msvcrt.dll._initterm
- msvcrt.dll.__getmainargs
- msvcrt.dll._acmdln
- msvcrt.dll.exit
- msvcrt.dll._XcptFilter
- msvcrt.dll._exit
- msvcrt.dll._snprintf
- msvcrt.dll.fclose
- msvcrt.dll.fseek
- msvcrt.dll.ftell
- msvcrt.dll.wcsstr
- msvcrt.dll._wfopen
- msvcrt.dll.srand
- msvcrt.dll.rand
- msvcrt.dll._snwprintf
- msvcrt.dll.isdigit
- msvcrt.dll.memset
- msvcrt.dll.memcpy
- wininet.dll.InternetOpenUrlA
- wininet.dll.HttpQueryInfoA
- wininet.dll.InternetCloseHandle
- wininet.dll.InternetReadFile
- wininet.dll.InternetOpenUrlW
- wininet.dll.InternetOpenW
- wininet.dll.InternetOpenA
- urlmon.dll.URLDownloadToFileW
- shlwapi.dll.PathFileExistsW
- shlwapi.dll.PathFindFileNameA
- shlwapi.dll.PathFindFileNameW
- kernel32.dll.GetModuleFileNameW
- kernel32.dll.GetFileAttributesW
- kernel32.dll.CopyFileW
- kernel32.dll.CreateDirectoryW
- kernel32.dll.GetLogicalDriveStringsW
- kernel32.dll.GetDriveTypeW
- kernel32.dll.FindFirstFileW
- kernel32.dll.ExpandEnvironmentStringsW
- kernel32.dll.DeleteFileW
- kernel32.dll.CloseHandle
- kernel32.dll.FindClose
- kernel32.dll.WriteFile
- kernel32.dll.GetTickCount
- kernel32.dll.GlobalUnlock
- kernel32.dll.Sleep
- kernel32.dll.GlobalLock
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.GetModuleHandleA
- kernel32.dll.Process32First
- kernel32.dll.Process32Next
- kernel32.dll.FindNextFileW
- kernel32.dll.SetFileAttributesW
- kernel32.dll.GetVolumeInformationW
- kernel32.dll.CreateFileW
- kernel32.dll.ExitThread
- kernel32.dll.GetStartupInfoA
- kernel32.dll.CreateThread
- kernel32.dll.CreateMutexA
- kernel32.dll.GetLastError
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.CreateProcessW
- user32.dll.SetClipboardData
- user32.dll.OpenClipboard
- user32.dll.EmptyClipboard
- user32.dll.GetClipboardData
- user32.dll.CloseClipboard
- user32.dll.CharUpperA
- advapi32.dll.RegCreateKeyExA
- advapi32.dll.RegCloseKey
- advapi32.dll.RegSetValueExW
- advapi32.dll.RegOpenKeyExW
- shell32.dll.ShellExecuteW
- ole32.dll.CoInitialize
- ole32.dll.CoCreateInstance
- msvcr100.dll.atexit
- rasapi32.dll.RasConnectionNotificationW
- sechost.dll.NotifyServiceStatusChangeA
- cryptbase.dll.SystemFunction036