Analysis - Type IV Example

File identification

Static PE information

Analysis

Layers & regions

VirusTotal scans

Summary

Visibility	Public
Main file's SHA256	ecae6a2f3690f1b7ce565c2b2ac19ad37ade638cc75f04b275595d86d5d9e679
Complexity	Type IV
Packer identification (signature based)	Upack_v0_39_final_Dwing, Upack_V0_37_Dwing
Number of processes	1
Number of layers	3

Click to open on new tab

How do I read the graph?

File identification

General information

SHA256	ecae6a2f3690f1b7ce565c2b2ac19ad37ade638cc75f04b275595d86d5d9e679
SHA1	b1b784356e5681ebda9b4379f5b30520c35a4447
MD5	a5ac6e69ce2e16841e8ca044fbf7ca5a
ssdeep	3072:J0tum+/BgjLA8Hc8OyAFGO4hwZUFcqJY2ZL4jy12+j9/ouG/o4YXOauj:SLFPAOc8Tc7Uu4Cs2+u/Fzj
sdhash	sdbf:03:0::185776:sha1:256:5:7ff:160:19:116:gJCgj1GRSAAGUuFgogAAAGYsKQlBIiQAcGXPPgASAGwj7aSauSKQkQAAcdIbitkzSShoBMGJiaRbCCMDESxQIIgsXgsEmcABSAGmACCCgykCBAjKAZdwQAeAOaSwhh0Q4ICgEJ1BOALpwmDoFQAnEsjhDYBMoCpYseQQkEgUowxBAofAsJMEJCRSIAISYhGQhQBhhDDGJCCJhCNZQNkUESAixaBKGgaKAqG0YcwkKERELg61aAGQIBRCCDBcKCFOqULUBAsMAaABZHsF4DxM0JTYAhNJWFkvWzIii3IACGEbJQCO8DE6q8AIrAZcsBUjJCAn0HfDEA4CHEICYMfD6AyRQxQGt0IAAhIO+cCPBTeg5/oA6xAY+I0CwI1AwWhgUBACAbIFMBAlCgAAnqACyIIAIQpoEy6KLQITiEYLzgoIAAiAAXQQAUZAEA00EkVicFHAEMiwmsdC0MiAEcoilJLaSpU4YBIyqSAGEMCQlKAhoA2MiCASIyUKktIAk1AICsgGqxpAFAI4wgxynikGaJjDEAwIqQTAxiCCWuAAOEAeBCkB1iiASJChUgRMhxRaAWaDAUbymIgzOAEBZIUgTcoY1AI0BTKcZGEbaUIhiWUdaimMwsJA4AkhQAWNqISGKEahNghsHsYWWgTkkSIwShGSQECGBCgkpyWhRykhAhAtSSCQukCHJAiSHhvcTwqWFhKIkS4kgEQgCj6qpIADLCWR5CqlvRAExiChOdosQhtiJMkwQ5lVQBEUQQOCyAMJhKqSaIJAAgQ5YQI49ZgkemjQcRrhTAADNGAUVFUgKgCRwMvEYQyAzGRAQaEGKAgQY4FJxUjyAMyAOkQWhhvEmEq1BBTAAAABKmEeWCAnFLAZUgiMEgKmQFMgAQdngAACGHigL4DmjQIYDgAhFImCAkGhAZmGGIKJKVVEIyA2s8QAFGLZIgWUrEmSe5HHAYEKSmjAEoKBYhNE6QRDJCmQIQohzoETEFQNEEwC0SSWIKo0MEQgqViAlVBYsNQUIZIAClEEAY6KgFITmGopGUpEgYCqkhAYRBDBgibOoQy4GCjOEAjmBUiOAIyMCZgYoUwIDBlGEIK0g2Uh4sgBII09oA1MJMQAgAHBhAwAwHZwqhBECgRIPKIYiCsABCAANJIgyJgBpAQCIz0Q8BieoEARpoQsQ6EKEVFFB0IYJoGFWsnkR7TQDQONCZMPwEvrEPQNAygSIkiVlFCB1RpgInSfkCCijYaAQCKxEEMkEYCgiNhQJUhSE1FSRA2MHMDhhIcgEIOEjBCCBAQQjA7QAii8WCFEEYAPR2M9EBkZLJjAKUEXIFFFpAFEDBYBGTRSADMUAaAZGRVlNrQAIhNEYgMEhI7QRAVRAICvoHwyDQnAwyDkOwBiFTJahQClaFGgKhWBgAMAWkr14FgwIFXs0IAJGNIMWgEAGAFERbAA2QVViGkm6BAElAOBmMRSUwqZFIsgAUOYECgSIJzAKAlJCAgUVCYCsAIMEARTGc9QhEEH0SPrIEEqr1MTSuSn0KP0uigAGW8ICGATlIECoREBIIyRYQkQBJDANU0JGUMIGfAIEyhfVkCIGQYNQKAjpIQHEBZPGGFAFMNAAYFIc6IMFCNBESL5GQQgAxKAGrGRUqFgRiwAupCHhuGGAjgANYAUAMSQkRKEgvMgNhFTBQ2DJbII0gYkMbBGRGnQwASE2Agku8A3ZApwFAv4AcsADI61EcAMTNSyEKANx6yYtQiBJyqAQyD6CsYMBhsAAaHAAIDCoZAMAAQMCBCvPglwE5yGMlHLEmEjthwI2Q4EBSgAUOViD4whkAHMABNR0KBKAJUCCI4uIICKAxoIkyIBDGUi0BoAcjkoA3EAUikSRGO0HZAsDhSwDwFICD5GEABhmBwWIAGM8tGCZcCzhOQAACAEEJIYQSKrSCmOkocwgFRkUCEACZ4EoRCRIeJQ3jgJQAoE9NBupoIyWBTMAo6uBgiMAYYISBGGw0maAJB8XAOEkTGSMLgu4EbEAWIJoGQCcDgUAAEOIJbCQbAgCgpcg9KRDcAAAYCSAVAwECBARw1ACuxmqf8AAG2FOYQmAIVAkikQjDVgIGcoiwAAJRArCHRWGAyMpyxBYi5woIiUUBp8aeQB8tyJAIxXUMJgSERkAIKQ4CTAQgAAlWluQQBgWJEOBRxkiAeCAdJZYgDTEp0gCMBoNIYBATFODkQPOBQQQHskQlhATBoBXmJcxlFAioC9GAAdQjATBCBjkQEjFRP2VFTAHaVDAOGC0AC6dk7c2mCAkICYPQiBA0BAAh0QJQlE4FrrBBXFIgCBGglAJGE2FCBNXICyMoDgWRCTAcTLirUGIoNLAz6SgS4SB6DSApHYBnxCEmIREpAFAiQpmC2QzkURYFMDjgCSujPCARcAI+VAwThuO1lqZsNBEGMScTAF8AICuIYpJJhhgAX5ZmBsaIAhkIgBY1QgQSlAlMAKOZAg4lhhCACSBAZAAEV4a8EQYUQAFSRBVAKgdGdKQtcAFwAACq6bCDA4BIwI5AJodW2EaBRGARCSyQGKwkxIiFSJEUCR6JaA2XGDVKEM6cAMAAIJxcIywYCAowqoRAwAUnADtOsZEMBWAgAACsPI0CBQQAX1m8BuAEIABGgE1CQxuAmBUDQAZKQQZqhAQIB8HQnGIMChQKAhAOCeFEVcJYpUTRlAlKu1t4gAaQDSaFnPIAwesSGCVlhFwA5AATrAZY1KsXgJCTGdyFBJAEACDEQST0ZcgSFIJLBJCh2cpCqAKPDDquLVRgLKowESEYmCqVUEIQkpSAz7QSYkFq0MKGWkgWQZEMgIABkGQUOTsA21RAUACkV8KRCA1wQlrYINoismcIDsKAjaCmxsHC9XZBAkKJcIGiaEPyImkoBlGEEADpWEKT3hwSIphgkKiAOYAjIJECAAREDGckSCSWC4YhPHOHJxORUIAIkUeCgJIBZ9AYEDgABhBIIkRQBkGkANDgBUsGARJolGAok0ABjC80mNHBAfuKkAwIIaUmzBQKyCdooDDLJYcFxIyiZIDBMBwyoYAEYVOIUwIEjRgAgBiUAQAiAF0Gqc7ApvjIwEgwZIJgaVAzKg3YQVAUEwCKWAjBHRIgI36A9CiHEHLERQIDaUEA0whRpAQEhsCALLKCBI1DLNTmQEjwTQg8LSkAchhIEytSGAdFYAMGAFCovABEaoMIQydILFggAEQlBAyJiFAQyAGKEC4lUQAxvsbKBCzB0gCAAEIVXQAdEIQQpy4YJJaQw+BUKjAIXTSHSpKHBTwUBCEgUAQw+g4lABE4AMgFZgYSgwh6QBbFLDeDHSoAiaIgRSFAAImUIdIIGaQmF5KBilBKAYaABgApJZOKAxElJugQsD0BTRBEQHDmIRAIhoqcBgSDgUJZQAQIQM+JToc1GAQcRmx4MIwANNlgCQAIAkAIpOCiTE2AICOWYoSiobFiGHGUkKOEQUBQIAYUQFKGXp0nD9AQIMVGsBSFiSkABAYAQMWAAAU1gKncAC7YVAQMxY5TDeFBASqCEEqkgyBBiwP1YAjujDgQZgAJIQ5EijqERwPxYACKaiS8gghCMBECbESyMjBvjFD0AHRCSMBiKhSEBMlUlBIIhIIpCO2CgoCJAwijLNBkAnmICgjA2ATIhgRIAz2GgAdpBMBCFSHKBAYDFAlPaGIA6wiIgLNgAMhZDpIVDwkYMEZ8yPgKUlApgBBJSihHNSGgjdMxC8CEAzVcgAEgoIzcClFEJi9JYtapAAFSwpAruSlBAIQkMsAjgM+URwIcA1oiFRkoSAVCuHah2plcQDEtOJoECAqmCiKIiqDQ5AB+08ACFUooIKAVUksIGFWEAvALgLCEi1RRAET4uEBDAOQBO/zB5wJGQjzMiQBQHwRCBAA0sUGEx4RuJHPUKCPWMDDBPIUCDABbBSAaMsLQAlRAzcwkQNqoBIl8AZiaFACs0IABjIgAKoXjFAIJRCwlsAEdRpwgIgAHgEEWRT8UaCgCQJYpURJRTYDwADSCdABAoI3M50EDlAlNBgQBGseQgAYyGA0KAgEBsGioACQAQnAwCgRNDUQ8EoYoPVa0YYDQZaPj6RBKDNtREqUHMgBlFAVr5sQhAwkWhQBMZDCSAYAS2BqKFhJhkjIgogDIJqIoRAoSJKIvRbIAqElEgnI5QUiAq8DCAFlobAC1AEBQgwK2SixyYEgIZiuLogQTAYWAYa1DPIUp3wgKaAJKO8rhwwAGEAwIgh0CGM0LgCSAAIjNTFgRbgJggizSlCgxAljIFsCWYXKy0QkpArC0EAAGSFE5VUA2wlgzIcAIMQQcgBIhINxALlYQ4QRwBkuEoEUFgSRhMjiCLjQxkiiqAILlEUVEIEpCxIOJeAwiQEo4R0ilQALaRCITAwR4BHIJIDtBtGp4BG8IB5RAMEedLIpzipgFkwQABghHROGFkal4MIQByBUZViYYAwhJAE0AAAJJAQEcABwQSpYj8sJQgQgTorCkGDtsyhtEA41lVhDJSnIJDKrYEcVxIq2ARcFDozBiOQACuBC+gkiYyFVQsIOCwIAw4QHeAehAoBoRBlAIACwEIQhj8YeYkBiAwBzhRgSnPYADoAzOFuY0BBWoUAGLDiEsHWQCDCQWDCSJ6AFzSMIeYCYIQdL1hMCXWqtjG4gF0AQW6IKgyAY0KgDkAAwwCKlU4RA4CQAUCCNiA6mkUBZEQZhrAQScgUhBgAQJcYYAUIMIKVlAQDgCgISmAmIF5IF2FSAQCIZBKhoSgigSBkEAAtiiAAGiG+gIG1QEGICIMhuA2AjCNVRyAOwaYC0hCyGCFBAkNJKSiBRSOeAARicASVCySlbAhMgCG+yagQoADAKkCADi3dWCo0gYoggkCAAMN/RACJBJVBYUyBCmREWwpiP+gM4MuACBj5HJA8MBCQYJVEHukitgyoAbmIRlLCiRiSULBEYcgBBmsRoREIKNK4qCCCAIWEAgE0gGGQZKBEM1woIQRUhiALOIxoF4uEIC4HKIUQDJBRSWEYAAROUpSSjGmMgBcAMkR6kAo6IoSS+BgM6BASFwRIYQcTpgZgKlSwAlKQEsASFGZMiCAVZFEPBBCkLQIBQaego6qBYQ8UDBWCQRBg0lIAABDgJQAQiUBABMQCiVeGcAKCAIEtAZAqInZMcBLT4CrEBoAQmAYhLAAgBQwo4gAKQMQXEGkJCDyCCWgeMymAqKhG8ABDJBgDYD6GTfYAAJpBGgqxCzgBgeDVg2MoBBCmoMYA3CEC2EBGaUkSEmUWjQcSFQQGKRGQSCe6MoCGqYuXwGwMzIfE9O0HkpIFHwgxEANXspwOBQABRIJUGUgG5EMwEjDI2HDAUZJDsZIRQAFzgx5aDIAEqLEzTyMFgMAARzH6xsUIEESKC5EEEVSE4O5S0gEfJwEbhIpwiiITUIwDBRQYGG4hQhATwGsepErEFgDA5CRCAhMQMSYBEnWAAGYBECAqKE0paUJVAhARjRNkQMABQmByApgjJBCECQQuGNRgBsOylQqBBYDrEsGXcaDrgC5HhgJQVDGiFiCGGBiIEEhpAgAIgBIUYYhhBVEEZin8iEqRCIQskJEJooIRiCCxC0AaBBUhAD2MvQAT0cmMsGEAA9SNIF+BQQBIC1CJigDgKBANP8gWjpIHKg2BDQO2EQDIQeIq0RgfyHgRBMkAChSrFINVu6IlmmoDhZDGPgKSsjEEkONHAwSIzhiBwhZsYoQVMiYBEE2LCDwIYKEXMpOEAUIRAABA4AIQIGZKjAAtBQIOYEqEFUCABEbYFKoiMANApnC4qCwFbEbqSNhAu4Q5EouWPRRMLILBOF0QE1gkSVBqloP1AmAtETyaCCIClgZwCioa6rKxySEAsgAkUJwIGwgKTCjqIQ61MBMwwQAAhNlApLIZMTVAKIBIUBjmALDCgASaAm8MSZmGZaCgR2dJVXusUCQASAAJCgkQYSIABIOBQ0cawQAEAADSkCAAAEFRSBBJAJWbpAzRVlRxECRQEKMAQBAiASeOKBjttrLSEEk2whUoAhIIA+JCAwQYoB4EMuTNMgQgbiIRdUhAIAsK4mGlSIjQwJkVhAIEZATBbEppYfAmgQFKClBhtCOOgoo0NBYCCgAIkoJWAU7FIk6IE4EBAEgirAeHBCSHKhAAGYAACEggUMEgEAggkLMhYAWAAALIxgkVIEE4wgYgkhIJMAKAJgACgIHwQElJEMUQAFzAAgwAI0IEAwh7KNiDAAGAgAARYEScAgACxAhKECBCAItUhIjKcQE4OKNgIgAwWCAJYkQgwAORJkAZAAQARA8AwkQiJEggBAHCYAUSxxAxB5DAAAwEGgFgCBpEFKAFwaCeKphApUASBACBAgABJREIBSOBARIFLkWABCAwYgABQRKqGABABRMKDAABTSRUwECIAR4zQRBCTSAJGZUAFAcQQhYYCBiAQIAMRgQUkAgFUkFFjIDAjiKC0DCEgsEqmlCADXQAKRoQUAAoGA==
imphash	-
authentihash	-
File type	MS-DOS executable, MZ for MS-DOS
MIME type	application/x-dosexec
First seen	2016-06-27 09:18:35
Size	185776
Known names	a5ac6e69ce2e16841e8ca044fbf7ca5a

TrID - File Identifier

Percentage	Type
100.0%	(.EXE) DOS Executable Generic

Auxiliary files

None. This submission has not auxiliary files.

Behavioural packer analysis report

Packer analysis

Complexity type	Type IV
Granularity	Not applicable
Execution time	302s
Number of processes	1
Number of layers	3
Number of regions	22
Number of upward transitions	462116
Number of downward transitions	462114
Number of multiframe layers	2
Number of processes with interprocess communication	0
Number of regions that call special APIs	7

Graph

Click to open on new tab

How do I read the graph?

Last executed region

Process	0
Layer number	2
Region number	3
Address	0x40d73e
Size	7478
Memory type	Module
Number of API functions called	7709
Number of different APIs called	268
*Calls APIs of GetVersion family?**	No
*Calls APIs of GetCommandLine family?**	No
*Calls APIs of GetModuleHandle family?**	Yes
Modified by external process?	No
Writes an executed region?	Yes

Potential regions with original code

Process

Layer number

Region number

Address

Size

Memory type

Number of API functions called

Different APIs called

Calls APIs of GetVersion* family?

Calls APIs of GetCommandLine* family?

Calls APIs of GetModuleHandle* family?

Modified by external process?

Writes an executed region?

0x46b000

1318

Module

363

Remote memory writes

Memory unmap|deallocate

Type	Source address	Dest. address	Size
Memory unmap\|deallocate	-	0xfd0000	4096
Memory unmap\|deallocate	-	0xfe0000	4096
Memory unmap\|deallocate	-	0x1070000	4096
Memory unmap\|deallocate	-	0x1080000	4096

Loaded modules

By PID	Start address	Size	Name
724	0x400000	671744	`a5ac6e69ce2e16841e8ca044fbf7ca5a`
724	0x77da0000	704512	`advapi32.dll`
724	0x58c30000	630784	`comctl32.dll`
724	0x76360000	303104	`comdlg32.dll`
724	0x77ef0000	299008	`gdi32.dll`
724	0x7c800000	1060864	`kernel32.dll`
724	0x746b0000	311296	`msctf.dll`
724	0x77be0000	360448	`msvcrt.dll`
724	0x7c910000	741376	`ntdll.dll`
724	0x774b0000	1298432	`ole32.dll`
724	0x770f0000	569344	`oleaut32.dll`
724	0x7e1e0000	139264	`oledlg.dll`
724	0x74dc0000	446464	`riched20.dll`
724	0x73260000	20480	`riched32.dll`
724	0x77e50000	598016	`rpcrt4.dll`
724	0x77fc0000	69632	`secur32.dll`
724	0x7e6a0000	8523776	`shell32.dll`
724	0x77f40000	483328	`shlwapi.dll`
724	0x7e390000	593920	`user32.dll`
724	0x5b150000	229376	`uxtheme.dll`
724	0x76b00000	188416	`winmm.dll`
724	0x72f80000	155648	`winspool.drv`

Layers and regions

Summary

Layer	Size	Number of regions	Number of frames	Lowest address	Highest address
0	609 KB	2	0	0x401018	0x49b220
1	143 KB	1	1	0x49b3a9	0x49b3a9
2	94340 KB	19	19	0x402516	0x46b000

API calls

Layer

Number of API calls

Region number

Address space

Number of API calls

0x401018-0x4010f0

DLL	Function/s
	We couldn't retrieve the functions.	-

0x49b220-0x49b3a9

DLL	Function/s
	We couldn't retrieve the functions.	-

21224

Region number

Address space

Number of API calls

0x49b3a9-0x49b438

21224

DLL	Function/s
KERNEL32.DLL	`ActivateActCtx` `CloseHandle` `CompareStringW` `CreateActCtxW` `CreateEventW` `CreateFileMappingW` `CreateFileW` `CreateSemaphoreA` `CreateSemaphoreW` `DeactivateActCtx` `DeviceIoControl` `DisableThreadLibraryCalls` `FindResourceExW` `FreeEnvironmentStringsW` `GetACP` `GetCommandLineA` `GetCommandLineW` `GetCPInfo` `GetCurrentDirectoryW` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThreadId` `GetEnvironmentStringsW` `GetEnvironmentVariableA` `GetFileType` `GetModuleFileNameA` `GetModuleFileNameW` `GetModuleHandleA` `GetModuleHandleW` `GetProcAddress` `GetProcessHeap` `GetProcessVersion` `GetStartupInfoA` `GetStdHandle` `GetStringTypeW` `GetSystemDirectoryA` `GetSystemDirectoryW` `GetSystemInfo` `GetSystemTimeAsFileTime` `GetSystemWindowsDirectoryW` `GetThreadLocale` `GetTickCount` `GetUserDefaultUILanguage` `GetVersion` `GetVersionExA` `GetVersionExW` `GlobalAddAtomW` `HeapCreate` `InitializeCriticalSection` `InitializeCriticalSectionAndSpinCount` `InterlockedCompareExchange` `InterlockedDecrement` `InterlockedIncrement` `IsBadWritePtr` `IsDBCSLeadByte` `IsProcessorFeaturePresent` `LCMapStringW` `LoadLibraryA` `LoadLibraryExA` `LoadLibraryExW` `LoadLibraryW` `LoadResource` `LocalAlloc` `LocalFree` `lstrcmpiW` `lstrcpynW` `lstrcpyW` `lstrlenW` `MapViewOfFileEx` `MultiByteToWideChar` `OpenEventA` `OpenEventW` `ProcessIdToSessionId` `RegisterWaitForInputIdle` `SearchPathW` `SetHandleCount` `SetUnhandledExceptionFilter` `TlsAlloc` `TlsGetValue` `TlsSetValue` `UnmapViewOfFile` `VerifyConsoleIoHandle` `VirtualQuery` `VirtualQueryEx` `WideCharToMultiByte`
ADVAPI32.dll	`AddAccessAllowedAce` `AllocateAndInitializeSid` `CheckTokenMembership` `CreateWellKnownSid` `FreeSid` `GetLengthSid` `GetSidLengthRequired` `InitializeAcl` `InitializeSecurityDescriptor` `MD4Final` `MD4Init` `MD4Update` `OpenProcessToken` `RegCloseKey` `RegEnumValueW` `RegNotifyChangeKeyValue` `RegOpenCurrentUser` `RegOpenKeyExA` `RegOpenKeyExW` `RegOpenKeyW` `RegQueryValueExA` `RegQueryValueExW` `SetSecurityDescriptorDacl` `SystemFunction036`
ntdll.dll	`_aulldvrm` `_snwprintf` `_stricmp` `_strnicmp` `_wcsicmp` `bsearch` `CsrAllocateCaptureBuffer` `CsrAllocateMessagePointer` `CsrCaptureMessageMultiUnicodeStringsInPlace` `CsrCaptureMessageString` `CsrClientCallServer` `CsrClientConnectToServer` `CsrFreeCaptureBuffer` `DbgPrintEx` `KiFastSystemCall` `KiFastSystemCallRet` `KiUserCallbackDispatcher` `LdrAccessOutOfProcessResource` `LdrAccessResource` `LdrAlternateResourcesEnabled` `LdrCreateOutOfProcessImage` `LdrDestroyOutOfProcessImage` `LdrDisableThreadCalloutsForDll` `LdrEnumerateLoadedModules` `LdrFindCreateProcessManifest` `LdrFindResource_U` `LdrFindResourceDirectory_U` `LdrGetDllHandle` `LdrGetDllHandleEx` `LdrGetProcedureAddress` `LdrLoadAlternateResourceModule` `LdrLoadDll` `LdrLockLoaderLock` `LdrQueryImageFileExecutionOptions` `LdrUnlockLoaderLock` `memmove` `RtlAcquirePebLock` `RtlAcquireResourceExclusive` `RtlActivateActivationContext` `RtlActivateActivationContextEx` `RtlActivateActivationContextUnsafeFast` `RtlAddAccessAllowedAce` `RtlAddRefActivationContext` `RtlAddressInSectionTable` `RtlAllocateAndInitializeSid` `RtlAllocateHeap` `RtlAnsiCharToUnicodeChar` `RtlAnsiStringToUnicodeString` `RtlAppendUnicodeStringToString` `RtlAppendUnicodeToString` `RtlCompareUnicodeString` `RtlConvertSidToUnicodeString` `RtlCopySid` `RtlCopyUnicodeString` `RtlCreateAcl` `RtlCreateActivationContext` `RtlCreateHeap` `RtlCreateSecurityDescriptor` `RtlCreateUnicodeStringFromAsciiz` `RtlDeactivateActivationContext` `RtlDeactivateActivationContextUnsafeFast` `RtlDecodePointer` `RtlDetermineDosPathNameType_U` `RtlDoesFileExists_U` `RtlDosApplyFileIsolationRedirection_Ustr` `RtlDosPathNameToNtPathName_U` `RtlDosSearchPath_U` `RtlDosSearchPath_Ustr` `RtlEncodePointer` `RtlEnterCriticalSection` `RtlEqualSid` `RtlEqualUnicodeString` `RtlExpandEnvironmentStrings_U` `RtlFindActivationContextSectionString` `RtlFindCharInUnicodeString` `RtlFindClearBits` `RtlFindClearBitsAndSet` `RtlFirstFreeAce` `RtlFormatCurrentUserKeyPath` `RtlFreeHeap` `RtlFreeSid` `RtlFreeUnicodeString` `RtlGetActiveActivationContext` `RtlGetCurrentDirectory_U` `RtlGetFullPathName_U` `RtlGetLastWin32Error` `RtlGetLengthWithoutLastFullDosOrNtPathElement` `RtlGetNtGlobalFlags` `RtlGetNtProductType` `RtlGetNtVersionNumbers` `RtlGetVersion` `RtlHashUnicodeString` `RtlImageDirectoryEntryToData` `RtlImageNtHeader` `RtlImageRvaToSection` `RtlInitAnsiString` `RtlInitializeCriticalSection` `RtlInitializeCriticalSectionAndSpinCount` `RtlInitializeGenericTable` `RtlInitializeHandleTable` `RtlInitializeResource` `RtlInitializeSid` `RtlInitString` `RtlInitUnicodeString` `RtlInitUnicodeStringEx` `RtlIsDosDeviceName_U` `RtlLeaveCriticalSection` `RtlLengthRequiredSid` `RtlLengthSid` `RtlLogStackBackTrace` `RtlMultiAppendUnicodeStringBuffer` `RtlMultiByteToUnicodeN` `RtlNtStatusToDosError` `RtlNtStatusToDosErrorNoTeb` `RtlOpenCurrentUser` `RtlpApplyLengthFunction` `RtlPrefixUnicodeString` `RtlQueryEnvironmentVariable_U` `RtlReAllocateHeap` `RtlReleaseActivationContext` `RtlReleasePebLock` `RtlReleaseResource` `RtlSetBits` `RtlSetDaclSecurityDescriptor` `RtlSetGroupSecurityDescriptor` `RtlSetLastWin32Error` `RtlSetOwnerSecurityDescriptor` `RtlSizeHeap` `RtlSubAuthoritySid` `RtlUnicodeStringToAnsiString` `RtlUnicodeToMultiByteN` `RtlUnicodeToMultiByteSize` `RtlUpcaseUnicodeChar` `RtlValidAcl` `RtlValidateUnicodeString` `RtlValidSid` `strchr` `strncmp` `vDbgPrintExWithPrefix` `wcschr` `wcscpy` `wcslen` `wcsncat` `wcsncmp` `wcsncpy` `wcsrchr` `ZwAccessCheck` `ZwAddAtom` `ZwAllocateVirtualMemory` `ZwCallbackReturn` `ZwClose` `ZwCreateEvent` `ZwCreateFile` `ZwCreateSection` `ZwCreateSemaphore` `ZwDeviceIoControlFile` `ZwEnumerateValueKey` `ZwFlushInstructionCache` `ZwMapViewOfSection` `ZwNotifyChangeMultipleKeys` `ZwOpenDirectoryObject` `ZwOpenEvent` `ZwOpenFile` `ZwOpenKey` `ZwOpenProcess` `ZwOpenProcessToken` `ZwOpenProcessTokenEx` `ZwOpenSection` `ZwOpenThreadTokenEx` `ZwProtectVirtualMemory` `ZwQueryAttributesFile` `ZwQueryDebugFilterState` `ZwQueryDefaultLocale` `ZwQueryDefaultUILanguage` `ZwQueryInformationFile` `ZwQueryInformationProcess` `ZwQueryInformationToken` `ZwQueryInstallUILanguage` `ZwQueryKey` `ZwQuerySection` `ZwQuerySystemInformation` `ZwQueryTimerResolution` `ZwQueryValueKey` `ZwQueryVirtualMemory` `ZwRequestWaitReplyPort` `ZwSetInformationObject` `ZwUnmapViewOfSection`
USER32.DLL	`ClientThreadSetup` `GetAppCompatFlags2` `GetDC` `GetSysColor` `GetSysColorBrush` `GetSystemMetrics` `LoadBitmapW` `LoadCursorW` `RegisterClassExW` `RegisterClassW` `RegisterWindowMessageA` `RegisterWindowMessageW` `ReleaseDC` `SystemParametersInfoW` `UserClientDllInitialize` `wsprintfA` `wvsprintfA`

19374

Region number

Address space

Number of API calls

0x402516-0x4029af

DLL	Function/s
	We couldn't retrieve the functions.	-

0x40575c-0x4089e8

150

DLL	Function/s
ntdll.dll	`KiFastSystemCall` `KiFastSystemCallRet` `LdrAccessResource` `LdrAlternateResourcesEnabled` `LdrFindResource_U` `LdrLoadAlternateResourceModule` `LdrLockLoaderLock` `LdrUnlockLoaderLock` `memmove` `RtlAllocateHeap` `RtlEnterCriticalSection` `RtlFreeHeap` `RtlGetNtGlobalFlags` `RtlImageDirectoryEntryToData` `RtlImageNtHeader` `RtlInitUnicodeString` `RtlLeaveCriticalSection` `ZwQueryDefaultLocale`
KERNEL32.DLL	`FindResourceExW` `GetModuleFileNameW` `GetModuleHandleA` `LoadResource`
USER32.DLL	`GetDC` `LoadCursorA` `LoadCursorW` `LoadIconA` `LoadIconW` `LookupIconIdFromDirectoryEx` `ReleaseDC`

0x40af48-0x40b1e6

DLL	Function/s
	We couldn't retrieve the functions.	-

0x40d73e-0x40f474

7709

DLL	Function/s
KERNEL32.DLL	`CloseHandle` `CompareStringA` `CompareStringW` `CreateFileMappingA` `CreateFileMappingW` `CreateMutexA` `CreateMutexW` `FindResourceA` `FindResourceExW` `FlushViewOfFile` `GetCurrentThreadId` `GetLocaleInfoW` `GetModuleFileNameW` `GetModuleHandleA` `GetModuleHandleW` `GetProcAddress` `GetStringTypeW` `GetSystemDefaultUILanguage` `GetSystemDirectoryA` `GetThreadLocale` `GetTickCount` `GetUserDefaultLCID` `GetUserDefaultUILanguage` `InterlockedCompareExchange` `InterlockedDecrement` `InterlockedExchange` `InterlockedIncrement` `IsBadReadPtr` `IsBadStringPtrW` `IsBadWritePtr` `LoadResource` `LocalAlloc` `LocalFree` `LocalReAlloc` `lstrcmpA` `lstrcmpiW` `lstrcpynA` `lstrlenA` `lstrlenW` `MapViewOfFile` `MapViewOfFileEx` `MulDiv` `OpenEventA` `OpenEventW` `OpenFileMappingA` `OpenFileMappingW` `ReleaseMutex` `SetEvent` `SetHandleCount` `TlsGetValue` `UnmapViewOfFile` `WaitForSingleObject` `WaitForSingleObjectEx` `WideCharToMultiByte`
ADVAPI32.dll	`AllocateAndInitializeSid` `CheckTokenMembership` `DuplicateToken` `DuplicateTokenEx` `FreeSid` `RegCloseKey` `RegOpenKeyExA` `RegQueryValueExA`
ntdll.dll	`bsearch` `CsrClientCallServer` `KiFastSystemCall` `KiFastSystemCallRet` `KiUserCallbackDispatcher` `LdrAccessResource` `LdrAlternateResourcesEnabled` `LdrFindResource_U` `LdrGetDllHandle` `LdrGetDllHandleEx` `LdrGetProcedureAddress` `LdrLoadAlternateResourceModule` `LdrLockLoaderLock` `LdrUnlockLoaderLock` `memmove` `RtlAcquirePebLock` `RtlActivateActivationContextUnsafeFast` `RtlAddAccessAllowedAce` `RtlAddRefActivationContext` `RtlAllocateAndInitializeSid` `RtlAllocateHeap` `RtlAnsiStringToUnicodeString` `RtlCopySid` `RtlCreateAcl` `RtlCreateSecurityDescriptor` `RtlCreateUnicodeStringFromAsciiz` `RtlDeactivateActivationContextUnsafeFast` `RtlDetermineDosPathNameType_U` `RtlDllShutdownInProgress` `RtlDosApplyFileIsolationRedirection_Ustr` `RtlDosSearchPath_U` `RtlEnterCriticalSection` `RtlEqualUnicodeString` `RtlFindActivationContextSectionString` `RtlFindCharInUnicodeString` `RtlFirstFreeAce` `RtlFreeHeap` `RtlFreeSid` `RtlFreeUnicodeString` `RtlGetFullPathName_U` `RtlGetNtGlobalFlags` `RtlHashUnicodeString` `RtlImageDirectoryEntryToData` `RtlImageNtHeader` `RtlInitAnsiString` `RtlInitializeCriticalSection` `RtlInitializeCriticalSectionAndSpinCount` `RtlInitString` `RtlInitUnicodeString` `RtlInitUnicodeStringEx` `RtlLeaveCriticalSection` `RtlLengthSid` `RtlLockHeap` `RtlLogStackBackTrace` `RtlMultiByteToUnicodeN` `RtlNtStatusToDosError` `RtlNtStatusToDosErrorNoTeb` `RtlQueryEnvironmentVariable_U` `RtlQueryInformationActivationContext` `RtlQueryInformationActiveActivationContext` `RtlReAllocateHeap` `RtlReleasePebLock` `RtlSetDaclSecurityDescriptor` `RtlSetGroupSecurityDescriptor` `RtlSetLastWin32Error` `RtlSetOwnerSecurityDescriptor` `RtlUnicodeStringToAnsiString` `RtlUnicodeToMultiByteN` `RtlUnicodeToMultiByteSize` `RtlUnlockHeap` `RtlUpcaseUnicodeChar` `RtlValidAcl` `RtlValidateUnicodeString` `RtlValidSid` `wcschr` `wcslen` `wcsncmp` `wcsncpy` `wcsrchr` `ZwAccessCheck` `ZwAllocateVirtualMemory` `ZwClose` `ZwCreateMutant` `ZwCreateSection` `ZwDuplicateToken` `ZwFlushVirtualMemory` `ZwMapViewOfSection` `ZwOpenEvent` `ZwOpenKey` `ZwOpenProcessToken` `ZwOpenSection` `ZwOpenThreadToken` `ZwQueryAttributesFile` `ZwQueryDefaultLocale` `ZwQueryDefaultUILanguage` `ZwQueryInstallUILanguage` `ZwQueryValueKey` `ZwReleaseMutant` `ZwRequestWaitReplyPort` `ZwSetEvent` `ZwUnmapViewOfSection` `ZwWaitForSingleObject`
USER32.DLL	`BeginPaint` `CalcMenuBar` `CallMsgFilterW` `CallNextHookEx` `CharNextW` `CopyIcon` `CreateIconIndirect` `CreateWindowExA` `DefDlgProcW` `DefWindowProcA` `DefWindowProcW` `DestroyIcon` `DispatchMessageW` `DrawEdge` `DrawFocusRect` `DrawFrame` `DrawIconEx` `DrawStateW` `DrawTextA` `DrawTextExA` `DrawTextExW` `EndPaint` `EnumChildWindows` `FillRect` `FindWindowA` `GetActiveWindow` `GetAncestor` `GetAppCompatFlags2` `GetCapture` `GetClassLongA` `GetClassLongW` `GetClassNameA` `GetClassNameW` `GetCursorFrameInfo` `GetDC` `GetDCEx` `GetDesktopWindow` `GetDlgItem` `GetFocus` `GetForegroundWindow` `GetIconInfo` `GetKeyboardLayout` `GetKeyboardLayoutList` `GetParent` `GetPropW` `GetSysColor` `GetSystemMetrics` `GetThreadDesktop` `GetTitleBarInfo` `GetUserObjectInformationW` `GetWindow` `GetWindowDC` `GetWindowInfo` `GetWindowLongW` `GetWindowRect` `GetWindowRgnBox` `GetWindowThreadProcessId` `InflateRect` `InternalGetWindowText` `IsDialogMessageW` `IsIconic` `IsRectEmpty` `IsServerSideWindow` `IsWindow` `IsWindowInDestroy` `IsWindowVisible` `IsZoomed` `LoadCursorW` `LoadIconW` `LoadImageA` `LoadImageW` `LookupIconIdFromDirectoryEx` `MapWindowPoints` `MBToWCSEx` `MessageBoxA` `MessageBoxExA` `MessageBoxTimeoutA` `MessageBoxTimeoutW` `NotifyWinEvent` `OffsetRect` `PeekMessageW` `PostThreadMessageA` `PtInRect` `ReleaseDC` `RemovePropW` `SendMessageTimeoutW` `SendMessageW` `SetCursor` `SetFocus` `SetPropW` `SetRect` `SetRectEmpty` `SetWindowLongW` `SetWindowPos` `SetWindowRgn` `ShowWindow` `SoftModalMessageBox` `SystemParametersInfoA` `TranslateMessage` `TranslateMessageEx` `UpdateWindow` `UserLpkPSMTextOut` `WaitMessage` `WCSToMBEx`

0x410bf1-0x411e3f

DLL	Function/s
KERNEL32.DLL	`lstrcpynA`

0x41bb18-0x41d016

4287

DLL	Function/s
KERNEL32.DLL	`CloseHandle` `CompareStringA` `CompareStringW` `CreateFileMappingA` `CreateFileMappingW` `CreateMutexA` `CreateMutexW` `DeviceIoControl` `DisableThreadLibraryCalls` `FindResourceA` `GetACP` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThreadId` `GetFullPathNameA` `GetLocaleInfoA` `GetLocaleInfoW` `GetModuleFileNameA` `GetModuleFileNameW` `GetModuleHandleA` `GetModuleHandleExW` `GetModuleHandleW` `GetProcAddress` `GetSystemDefaultLCID` `GetSystemDirectoryA` `GetSystemTimeAsFileTime` `GetSystemWindowsDirectoryW` `GetThreadLocale` `GetTickCount` `GetUserDefaultUILanguage` `GetVersionExA` `GetVersionExW` `GlobalAddAtomW` `InitializeCriticalSection` `InitializeCriticalSectionAndSpinCount` `InterlockedCompareExchange` `InterlockedDecrement` `InterlockedIncrement` `IsValidCodePage` `LoadLibraryA` `LoadLibraryExA` `LoadLibraryExW` `LoadResource` `LocalAlloc` `LocalFree` `lstrcatW` `lstrcmpA` `lstrcmpiW` `lstrcpynA` `lstrlenA` `MapViewOfFile` `MapViewOfFileEx` `OpenFileMappingA` `OpenFileMappingW` `QueryPerformanceCounter` `ReleaseMutex` `SetHandleCount` `SizeofResource` `TlsAlloc` `TlsGetValue` `TlsSetValue` `WaitForSingleObject` `WaitForSingleObjectEx` `WideCharToMultiByte`
ADVAPI32.dll	`ConvertSidToStringSidA` `ConvertSidToStringSidW` `GetTokenInformation` `MD4Final` `MD4Init` `MD4Update` `OpenProcessToken` `RegCloseKey` `RegOpenKeyExA` `RegQueryValueExA` `SystemFunction036`
ntdll.dll	`_stricmp` `_strnicmp` `bsearch` `CsrClientCallServer` `KiFastSystemCall` `KiFastSystemCallRet` `KiUserCallbackDispatcher` `LdrAccessResource` `LdrAlternateResourcesEnabled` `LdrDisableThreadCalloutsForDll` `LdrFindResource_U` `LdrFindResourceDirectory_U` `LdrGetDllHandle` `LdrGetDllHandleEx` `LdrGetProcedureAddress` `LdrLoadAlternateResourceModule` `LdrLoadDll` `LdrLockLoaderLock` `LdrQueryImageFileExecutionOptions` `LdrUnlockLoaderLock` `memmove` `RtlAcquirePebLock` `RtlActivateActivationContextUnsafeFast` `RtlAddRefActivationContext` `RtlAllocateHeap` `RtlAnsiStringToUnicodeString` `RtlAppendUnicodeStringToString` `RtlAppendUnicodeToString` `RtlConvertSidToUnicodeString` `RtlCopyUnicodeString` `RtlCreateUnicodeString` `RtlCreateUnicodeStringFromAsciiz` `RtlDeactivateActivationContextUnsafeFast` `RtlDetermineDosPathNameType_U` `RtlDosApplyFileIsolationRedirection_Ustr` `RtlDosPathNameToNtPathName_U` `RtlDosSearchPath_U` `RtlEnterCriticalSection` `RtlEqualUnicodeString` `RtlFindActivationContextSectionString` `RtlFindCharInUnicodeString` `RtlFindClearBits` `RtlFindClearBitsAndSet` `RtlFormatCurrentUserKeyPath` `RtlFreeHeap` `RtlFreeUnicodeString` `RtlGetActiveActivationContext` `RtlGetFullPathName_U` `RtlGetLastWin32Error` `RtlGetNtGlobalFlags` `RtlGetNtProductType` `RtlGetVersion` `RtlHashUnicodeString` `RtlImageDirectoryEntryToData` `RtlImageNtHeader` `RtlInitAnsiString` `RtlInitializeCriticalSection` `RtlInitializeCriticalSectionAndSpinCount` `RtlInitString` `RtlInitUnicodeString` `RtlInitUnicodeStringEx` `RtlLeaveCriticalSection` `RtlLogStackBackTrace` `RtlMultiAppendUnicodeStringBuffer` `RtlMultiByteToUnicodeN` `RtlNtStatusToDosError` `RtlNtStatusToDosErrorNoTeb` `RtlOpenCurrentUser` `RtlpEnsureBufferSize` `RtlQueryEnvironmentVariable_U` `RtlQueryInformationActivationContext` `RtlQueryInformationActiveActivationContext` `RtlReleasePebLock` `RtlSetBits` `RtlSetLastWin32Error` `RtlTryEnterCriticalSection` `RtlUnicodeStringToAnsiString` `RtlUnicodeToMultiByteN` `RtlUnicodeToMultiByteSize` `RtlUpcaseUnicodeChar` `RtlValidateUnicodeString` `RtlValidSid` `strchr` `strncmp` `wcscat` `wcschr` `wcscpy` `wcslen` `wcsncmp` `wcsncpy` `wcsrchr` `ZwAddAtom` `ZwAllocateVirtualMemory` `ZwClose` `ZwCreateMutant` `ZwCreateSection` `ZwDeviceIoControlFile` `ZwFlushInstructionCache` `ZwMapViewOfSection` `ZwOpenFile` `ZwOpenKey` `ZwOpenProcessToken` `ZwOpenProcessTokenEx` `ZwOpenSection` `ZwOpenThreadTokenEx` `ZwProtectVirtualMemory` `ZwQueryAttributesFile` `ZwQueryDefaultLocale` `ZwQueryDefaultUILanguage` `ZwQueryInformationProcess` `ZwQueryInformationToken` `ZwQueryPerformanceCounter` `ZwQuerySection` `ZwQuerySystemInformation` `ZwQueryValueKey` `ZwReleaseMutant` `ZwRequestWaitReplyPort` `ZwSetInformationObject` `ZwUnmapViewOfSection` `ZwWaitForSingleObject`
USER32.DLL	`CallNextHookEx` `CreateWindowExW` `DefWindowProcW` `GetClassLongW` `GetKeyboardLayout` `GetPropW` `GetSystemMetrics` `GetThreadDesktop` `GetUserObjectInformationA` `GetUserObjectInformationW` `GetWindowLongW` `GetWindowThreadProcessId` `IsWindow` `LoadCursorA` `LoadCursorW` `RegisterClassA` `RegisterClassExA` `RegisterClassW` `RegisterWindowMessageA` `RegisterWindowMessageW` `SetPropW` `SetWindowsHookExA` `WCSToMBEx`

0x4223a0-0x42541c

DLL	Function/s
ntdll.dll	`KiFastSystemCall` `KiFastSystemCallRet` `memmove` `RtlAllocateHeap` `RtlEnterCriticalSection` `RtlExtendedMagicDivide` `RtlFreeHeap` `RtlGetNtGlobalFlags` `RtlLeaveCriticalSection` `RtlTimeToTimeFields` `ZwAllocateVirtualMemory` `ZwQuerySystemInformation`
KERNEL32.DLL	`GetLocalTime` `GetSystemTime` `GetTimeZoneInformation`

0x426ff0-0x42a2ea

456

DLL

Function/s

ntdll.dll

bsearch
KiFastSystemCall
KiFastSystemCallRet
LdrGetDllHandle
LdrGetDllHandleEx
LdrGetProcedureAddress
LdrLockLoaderLock
LdrUnlockLoaderLock
memmove
RtlAcquirePebLock
RtlAllocateHeap
RtlAnsiStringToUnicodeString
RtlCreateHeap
RtlDosApplyFileIsolationRedirection_Ustr
RtlEnterCriticalSection
RtlEqualUnicodeString
RtlFindActivationContextSectionString
RtlFindCharInUnicodeString
RtlFindClearBits
RtlFindClearBitsAndSet
RtlFreeUnicodeString
RtlGetLastWin32Error
RtlGetNtGlobalFlags
RtlHashUnicodeString
RtlImageDirectoryEntryToData
RtlInitAnsiString
RtlInitializeCriticalSection
RtlInitializeCriticalSectionAndSpinCount
RtlInitString
RtlInitUnicodeString
RtlLeaveCriticalSection
RtlLogStackBackTrace
RtlMultiAppendUnicodeStringBuffer
RtlMultiByteToUnicodeN
RtlNtStatusToDosError
RtlNtStatusToDosErrorNoTeb
RtlReleasePebLock
RtlSetBits
RtlSetLastWin32Error
RtlUpcaseUnicodeChar
RtlValidateUnicodeString
ZwAllocateVirtualMemory
ZwQuerySystemInformation

KERNEL32.DLL

GetACP
GetCommandLineA
GetCPInfo
GetCurrentThreadId
GetFileType
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetStartupInfoA
GetStdHandle
GetVersion
HeapCreate
InitializeCriticalSection
IsProcessorFeaturePresent
SetHandleCount
TlsAlloc
TlsGetValue
TlsSetValue
VerifyConsoleIoHandle
VirtualAlloc
VirtualAllocEx

0x42bd20-0x42bd39

DLL	Function/s
	We couldn't retrieve the functions.	-

0x42dbf0-0x42de3b

DLL	Function/s
ntdll.dll	`KiFastSystemCall` `KiFastSystemCallRet` `memmove` `ZwQuerySystemInformation`
KERNEL32.DLL	`GetTimeZoneInformation`

0x4302e0-0x431611

DLL	Function/s
ntdll.dll	`KiFastSystemCall` `KiFastSystemCallRet` `LdrLockLoaderLock` `LdrUnlockLoaderLock` `memmove` `RtlAllocateHeap` `RtlDecodePointer` `RtlEncodePointer` `RtlEnterCriticalSection` `RtlFreeHeap` `RtlFreeUnicodeString` `RtlGetNtGlobalFlags` `RtlLeaveCriticalSection` `RtlUnicodeStringToAnsiString` `RtlUnicodeToMultiByteN` `ZwQueryInformationProcess` `ZwQueryVirtualMemory`
KERNEL32.DLL	`FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetModuleFileNameA` `GetModuleFileNameW` `SetUnhandledExceptionFilter` `VirtualQuery` `VirtualQueryEx` `WideCharToMultiByte`

0x4341d0-0x4344fc

DLL	Function/s
KERNEL32.DLL	`InterlockedDecrement` `InterlockedIncrement`

0x435590-0x438be6

174

DLL	Function/s
ntdll.dll	`bsearch` `KiFastSystemCall` `KiFastSystemCallRet` `RtlAllocateHeap` `RtlEnterCriticalSection` `RtlFindActivationContextSectionString` `RtlFreeHeap` `RtlGetNtGlobalFlags` `RtlImageNtHeader` `RtlInitUnicodeString` `RtlLeaveCriticalSection` `RtlMultiByteToUnicodeN` `ZwClose` `ZwOpenProcessToken` `ZwQueryInformationToken`
KERNEL32.DLL	`CompareStringA` `CompareStringW` `GetUserDefaultLCID` `lstrcatA`
USER32.DLL	`GetClassInfoA` `RegisterClassA` `RegisterWindowMessageA` `wsprintfA` `wvsprintfA`

0x43a66a-0x43c1f8

DLL	Function/s
KERNEL32.DLL	`InterlockedDecrement` `InterlockedIncrement` `lstrlenA`

0x43d880-0x43d91c

5770

DLL	Function/s
KERNEL32.DLL	`FreeLibrary` `GetCurrentProcessId` `GetCurrentThreadId` `GetModuleFileNameW` `GetStringTypeW` `InitializeCriticalSectionAndSpinCount` `InterlockedDecrement` `InterlockedExchange` `InterlockedIncrement` `IsBadReadPtr` `IsBadStringPtrW` `IsBadWritePtr` `IsDebuggerPresent` `LoadLibraryExW` `LoadLibraryW` `lstrlenW` `MapViewOfFile` `MapViewOfFileEx` `MulDiv` `TlsAlloc`
ADVAPI32.dll	`RegCloseKey` `RegOpenCurrentUser` `RegOpenKeyExW` `RegQueryValueExW`
ntdll.dll	`_stricmp` `_strnicmp` `bsearch` `KiFastSystemCall` `KiFastSystemCallRet` `KiUserCallbackDispatcher` `LdrFindResourceDirectory_U` `LdrLoadDll` `LdrLockLoaderLock` `LdrQueryImageFileExecutionOptions` `LdrUnloadDll` `LdrUnlockLoaderLock` `memmove` `RtlAcquirePebLock` `RtlActivateActivationContextUnsafeFast` `RtlAllocateHeap` `RtlAnsiStringToUnicodeString` `RtlAppendUnicodeStringToString` `RtlAppendUnicodeToString` `RtlConvertSidToUnicodeString` `RtlCopyUnicodeString` `RtlDeactivateActivationContextUnsafeFast` `RtlDetermineDosPathNameType_U` `RtlDosApplyFileIsolationRedirection_Ustr` `RtlDosPathNameToNtPathName_U` `RtlDosSearchPath_U` `RtlEnterCriticalSection` `RtlEqualUnicodeString` `RtlFindActivationContextSectionString` `RtlFindCharInUnicodeString` `RtlFindClearBits` `RtlFindClearBitsAndSet` `RtlFormatCurrentUserKeyPath` `RtlFreeHeap` `RtlFreeUnicodeString` `RtlGetActiveActivationContext` `RtlGetFullPathName_U` `RtlGetNtGlobalFlags` `RtlHashUnicodeString` `RtlImageDirectoryEntryToData` `RtlImageNtHeader` `RtlInitAnsiString` `RtlInitializeCriticalSectionAndSpinCount` `RtlInitUnicodeString` `RtlInitUnicodeStringEx` `RtlLeaveCriticalSection` `RtlLogStackBackTrace` `RtlMultiByteToUnicodeN` `RtlNtStatusToDosError` `RtlNtStatusToDosErrorNoTeb` `RtlOpenCurrentUser` `RtlQueryEnvironmentVariable_U` `RtlReAllocateHeap` `RtlReleasePebLock` `RtlSetBits` `RtlSetLastWin32Error` `RtlUpcaseUnicodeChar` `RtlValidateUnicodeString` `RtlValidSid` `strchr` `strncmp` `wcschr` `wcscpy` `wcslen` `wcsncmp` `wcsrchr` `ZwAllocateVirtualMemory` `ZwClose` `ZwConnectPort` `ZwCreateSection` `ZwFlushInstructionCache` `ZwMapViewOfSection` `ZwOpenFile` `ZwOpenKey` `ZwOpenProcessTokenEx` `ZwOpenThreadTokenEx` `ZwProtectVirtualMemory` `ZwQueryAttributesFile` `ZwQueryInformationToken` `ZwQuerySection` `ZwQueryValueKey` `ZwRequestWaitReplyPort` `ZwUnmapViewOfSection`
USER32.DLL	`CharNextW` `GetAppCompatFlags2` `GetDC` `GetGUIThreadInfo` `GetProcessWindowStation` `GetSysColor` `GetSysColorBrush` `GetSystemMetrics` `GetUserObjectInformationW` `GetWindowDC` `ReleaseDC`

0x44141c-0x441665

DLL	Function/s
ntdll.dll	`KiFastSystemCall` `KiFastSystemCallRet` `RtlAllocateHeap` `RtlFreeHeap` `RtlGetNtGlobalFlags` `RtlMultiByteToUnicodeN`
USER32.DLL	`RegisterWindowMessageA`

0x442bc1-0x442c3e

DLL	Function/s
KERNEL32.DLL	`GetVersion`

0x444e59-0x4469f5

298

DLL	Function/s
ntdll.dll	`KiFastSystemCall` `KiFastSystemCallRet` `RtlAcquirePebLock` `RtlAllocateHandle` `RtlAllocateHeap` `RtlEnterCriticalSection` `RtlFindClearBits` `RtlFindClearBitsAndSet` `RtlFreeHeap` `RtlGetNtGlobalFlags` `RtlImageNtHeader` `RtlInitializeCriticalSection` `RtlInitializeCriticalSectionAndSpinCount` `RtlInitUnicodeString` `RtlIsValidHandle` `RtlLeaveCriticalSection` `RtlLockHeap` `RtlLogStackBackTrace` `RtlMultiByteToUnicodeN` `RtlReAllocateHeap` `RtlReleasePebLock` `RtlSetBits` `RtlSetUserValueHeap` `RtlUnlockHeap` `ZwAllocateVirtualMemory` `ZwQueryInformationProcess` `ZwSetInformationProcess`
KERNEL32.DLL	`GetCPInfo` `GetCurrentThread` `GetCurrentThreadId` `GetOEMCP` `GetProcessVersion` `GetVersion` `GlobalAlloc` `GlobalLock` `InitializeCriticalSection` `InterlockedDecrement` `InterlockedIncrement` `LocalAlloc` `LocalReAlloc` `SetErrorMode` `TlsAlloc` `TlsGetValue` `TlsSetValue`
USER32.DLL	`GetCursorPos` `GetSystemMetrics` `LoadCursorA` `LoadCursorW` `RegisterWindowMessageA`

0x46b000-0x46b526

363

DLL	Function/s
ntdll.dll	`_stricmp` `bsearch` `KiFastSystemCall` `KiFastSystemCallRet` `LdrLoadDll` `LdrLockLoaderLock` `LdrUnlockLoaderLock` `memmove` `RtlAcquirePebLock` `RtlActivateActivationContextUnsafeFast` `RtlAllocateHeap` `RtlAnsiStringToUnicodeString` `RtlDeactivateActivationContextUnsafeFast` `RtlDetermineDosPathNameType_U` `RtlDosApplyFileIsolationRedirection_Ustr` `RtlDosPathNameToNtPathName_U` `RtlEnterCriticalSection` `RtlEqualUnicodeString` `RtlFindActivationContextSectionString` `RtlFindCharInUnicodeString` `RtlFreeHeap` `RtlFreeUnicodeString` `RtlGetNtGlobalFlags` `RtlHashUnicodeString` `RtlImageDirectoryEntryToData` `RtlInitAnsiString` `RtlInitUnicodeString` `RtlInitUnicodeStringEx` `RtlIsDosDeviceName_U` `RtlLeaveCriticalSection` `RtlMultiAppendUnicodeStringBuffer` `RtlMultiByteToUnicodeN` `RtlNtStatusToDosError` `RtlNtStatusToDosErrorNoTeb` `RtlQueryEnvironmentVariable_U` `RtlReleasePebLock` `RtlUpcaseUnicodeChar` `RtlValidateUnicodeString` `wcschr` `wcslen` `wcsncmp` `wcsrchr` `ZwCreateFile`
KERNEL32.DLL	`CreateFileA` `CreateFileW` `IsDebuggerPresent` `LoadLibraryA` `LoadLibraryExA` `LoadLibraryExW`
USER32.DLL	`FindWindowA`

Static PE information

General information

Overlay size	No overlay
Target machine	Intel 386 or later processors and compatible processors
Compilation timestamp	2004-01-24 00:39:42
Entry point	0x401018

Imports

None. Without imports.

Exports

None. Without exports.

PE resources

Resource #1

Type	Size	Name
empty	184	RT_RCDATA

SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
MD5	d41d8cd98f00b204e9800998ecf8427e
ssdeep	3::
sdhash	Not applicable

Resource #2

Type	Size	Name
GLS_BINARY_LSB_FIRST	1128	RT_ICON

SHA256	a601f901dda1ec5422264b7c08fe8fd0f5654ba358802c2b1da331c8507ac77a
SHA1	dd1b3f4b879b07df52d94646ae5d11a3f6a5ad4c
MD5	b23f741c4627640d11a5477ba464c265
ssdeep	24:tYSm6Zq6KWRx19X0uyCd3UvTmw3hyLbe64tsUHn:OW5KWRx1JBz3VbeGUH
sdhash	sdbf:03:0::1128:sha1:256:5:7ff:160:1:17:BAAAACgAAAQAAIgABAAAAAAAAAACBAAAIAgEAAAAAAAAAAQCAAAAAAAAAAAIAAAYYAAAAgAAAUAAAAAAAIgAAAAAAGCAAAAAAEAAAACIACAAAAAIgUAAAgAAAAAEAAAAAAADAAAAIAAAAACAAAAAAAAAAAAAQAAAAAgAAAAgAAAIAAAAAAAAAAAAAgAgAAAAAAAABBACIAAAAAABAAAAAAAQACAAAAgAAAAAAAAAEAAAAACIAAAAAAAAAAAAAAAEAAAASAAEBCABAAAAAAAACgBAAAAAgAAAAAAAAgAAAAAAAIAAEAAABQBEAAAAEAAIABAEACAAgAAAAABABAAAAA==

Resource #3

Type	Size	Name
MS Windows icon resource - 12 icons, 48x48, 16-colors	174	RT_GROUP_ICON

SHA256	d2d8ccd68849e94ea6b84f6835d0fe98ffa5c11e74a1138529e3c0b8d8edfe60
SHA1	92235b3d49fd27218a58fbfad27ad6a619b54ffb
MD5	9f09cf7bb38a28604b82294714b5aff8
ssdeep	3:wVwgSX/l99wPFszNIPPlk0/klX6mvG3wX5sffaf/vHlXluO1:gFszWPm0/klX6mujCfxH
sdhash	Not applicable

PE sections

Section #1: PS???

Name	Type	Entropy	Raw address	Raw size	Virtual address	Virtual size	Flags
PS???	Data	5.51753	0x6d000	496	0x1000	446464	0x20000000, 0x40, 0x7fffffff, 0x20, 0x40000000

SHA256	2bdd23dc97b6a5cfcc0a99639ec874fd35450f24358a343ab05d2462548c697c
SHA1	d9e2de62ad038ca23540afa885ee0cdf8ee6ea99
MD5	c65987bafc892e9dcb87950e79dee885
ssdeep	6:yc1HkpKSlsgYptpUcVrkoZ3QBlcVa2kjI/Vg0lUlSG2l3ETHlHX2XvslIB:yskk2ct7FJUSwZ3c8SG2l3ETuElIB
sdhash	Not applicable

Section #2:

Name	Type	Entropy	Raw address	Raw size	Virtual address	Virtual size	Flags
	Data	7.83474	0x35000	185264	0x6e000	217088	0x20000000, 0x40, 0x7fffffff, 0x20, 0x40000000

SHA256	e8449b4714351ad3d3c009dc4063c1bcf3084c0ee6382f2e9e4047ee6ec1ba09
SHA1	bc8f5d2323e4c6eb637168157af1d8534b799216
MD5	782a70071ad8041c309f9e1d0d3922c7
ssdeep	3072:Ntum+/BgjLA8Hc8OyAFGO4hwZUFcqJY2ZL4jy12+j9/ouG/o4YXOauj:NLFPAOc8Tc7Uu4Cs2+u/Fzj
sdhash	sdbf:03:0::185264:sha1:256:5:7ff:160:19:111:gJCiD1G1SAAGUmNgogAAAmYsKQlBIiQAcGXPvgASAGwj7aSSuSKQkQAAcdILitkzSShoBIGIiaRbCCMDEQxAIIgsXgsEmcABSAGmACCCgykCBAjKAYdwQAeAOaSwhh0Q4ICgFJ1BOgLpwmDoFQAnEsjhBYBMoCpYseQQkEgUowxBAofAsIMEJCRSIBKSYBGQhQBhhDDGJCCJhCNZANkUESAiwaBKGgaKAqHwYcwkKEZELg61aAGQIBRCCDBcqCFOKULUBAsMAahBZHsF4D1M0JTYApNJWlkvWzIii3IACGEbJQCO8DE6q8AIrAZcsBUjJCAn0HeBEA4CHEICQMfD6AyRQRQGl0IAAhIM+cCPBTWg5/oA6xCY+I0CQA1AwWhgUBACAbIFMBQlCgABnqACyIIAIQpoEy6KLQITiEYLzgoMIAiAAXQQAUZAEA10EkVicFHAEMiwmsdC0MiAEcoilJLaSpE4YBCyqSAGEMCQlKAhoA2MiDISIyUKksIAk1AICsgGqxpAFAI4wgxiHikGaJjDEAwIqQTAxiCCWuAAOEAeBCkB1iiASJChUgRMh5RYAWaDAUbymIgzOAEhZAUgTcoY1AI0BTKUJGE7aUIgiWUdaikMwsBA4AkhQAWNqISGKEahNghsHsYWWgTkkaIwShGSQECGBCgkpyGhRykhAhAvSSCQukCHJAiSHhvcTwqWFhKIkS4kAEQgCj6qpIADLCWR5CqlvRgAwiChOdosQhtiJMkwQ5lVQBEWQQOCyAMJgKqSbIJAAgQ5YQI4tZgkemzQcRrhTAALNGAUVFUgKgCRgMvEYQyATERASaEGKAgQY4FJxUjgAMyAOkQWhhvMmEq3BBTAAAABCmEeWCInELAZUgiMEgKmQFNkAQdngAACGHigL4DmjQIYDgAhFAkCAkGhAZmGGJKJKVVMAyA2s8QAFGLZIgWUrEmSe5HHAYEKSmjAEgKBYhNE6QRDJCmQIQshzoETEFQNEEwC0SQWIKo0MAQgqViAlVBYsNQUIZIACNEEAY6KgFITmGooGUpEgYCqkhAYRBDBgibOoQy4GCjOEAjkBUiGEIyMCZgYoUwYDBlGEIC0g2Uh4sgBIJ09oA1EJMAAggHBhAwAwHZwqhBACgRIPKIYgCsABCAINJIgyJgBpAQCIz0Q8BieoEARpqQsQ6EKEVFFh0IYJ4GFUsmkZ7TQDQONCZMPwEvpEPQNAygSIkiVFFCBkRpgInyfkCCijYaAQCKxEEMkEYCgiNhQJUhCE1FCRA2MFMDhhIcgEIOEjBCCBAQQjI7QAii8WCFEEYAPR2M9GBkZLJjAKUEWIFFFpAFEDRcBGTRSADMUAaAZGRVlNrQAIhNEagMEhI5QQAVRAMCt4HQyDQnAwyDkOwBiFTJbhQClaFGgKhWBgAMAWkr14FgwIFXs0IAJCNoMWgEAGAFERTAA2QdFiOsm6BAElAOBmMRSUwqZFIsggUOYECgSIJzQqAlJAAgUVCYCsAoMEARTGc9QhGEH0SPLIEkqr1MTSmSn0KL0uigAGUsICGATlIECoREBIIyRYQkQFJDANU0JGUMIOfAAEihfVkCIGQYNRKAjpIQHEBZPGGFAFMNAAYFIc6IMFCNhESL5GQQgA1KAGrWRUqFgRiwAupCHhuGGAjAANYQUAMSQmRKEgvMgNhBTBQ2DJbII0gYkMbBGRGnQwASE2gAlu8A3ZApwFAu4AcsADI61EcAMTNSyEKANx6yYtQiBJyqAQyD6CsYMBhsAAaHAAIDCoZAFAAQMCDCvPglwE7ykMlFLEmEjthwY2Q4EBSgAUOViDwwhkAHMABdRwOBKAJUCDI4uIICKAxoIkyIBDGUi0BoA8jkoA3EAUikSRGO0HZAsDhS0DwFICj7GUADhmBwWIAGM4sGCZcCzhOQAABAEEJIYQSKrSCmOkoMwgFRkUCEACZ4EoRCRIeJQnjgJQAoE1tBupoIyWBTMAo6qBgiMAYYISBGGw0maAJB8XAOGkTGSMLAu4EbEAWIJoGQCcDgUAAEOIJbCQbAgCgpcg9CRTMAAAYCSAVAwECBARw1Ajuxmof8AAG2FOsQmAIVAkikQjDVgIG8oiwAAJRArCHRWGAyMpyxBYi5woIiUUBp8ScQB8tyJAIxXQMJgSERkAIKQ4CTAQgEAlWluQQBgWJEOBRxkiAeCAdJZYgDTEp0gCMBoNAYBATFODkQPOBQQQHskQlhASBoBXmBcRhFAioC9GABdQjATBCBjkAEjFRPmVFTAHaVDAOGC0AC6dk7c2mCAkICYPQiBA0BAAh0QJQlE4VrrBBXFIgCBGglAJGE2FCBNXICyMqDgWRSTAcTLiLUGIoNLAz6SgS4SB+DSQpHYBnxCEmIREpAFCiQpiC2QzgURYFMDjgCSujPCARMAI2FEwXhuO1lqZskBEeMScTAF8AICuJYgJJBhgAX5ZmBsaIAhkIgBY1QgQSlAlMwKPZAg4lhhCACSBAZAAEV4a8EQYUQAFSRAVAKgcGdLQtcAFwAACq6bCDA4BIwIpAJodW2EYBRGARCSyQGKwkxIiFSJEUCR6JaA2XGHVKEM6UAMAAIJhcIywYCAoQqoRAwAUnALtOsZEMBWAgAACsPIkCBQQAX1G8BuAEIABGgE1CQxuAmRUDQAZKQQZqhAQIBcHQnGIMihQKBhAOiaFMVcJYpUTRlAlKu1t8gIaQDSaBnPIAwesSGCVlhFwAZAATrAZY1KsXgJCTG9yFBJAEACDEQSS0ccgSFIJLBBCjycpCqAKHDDquLFRgLKowESEYmCrVUEISkpSAz7QSYkFqkAKGWkgWQZEMgIABkGQUOTsA21RAUACkV8KRCg1wQlrYINoismcIDsKAjaCmxsHC9XZBElKJcIGiaEPyImkoBlGEEAD7WEKT3hwSIpggkKiAOYAjIJECAAREDGckSCSWC4YhPHOHJzORUIAIkUeCgZIBZ9A4EDgABhBIIkRwBkGkANDgBUoGARJolGAok0ABjC80mNHBAXuKkAgIISUmxBQKyCdooDDLJYcFxIwiZIDBMBwyoYAEYVOIUwIEjRgAgBiUAQAiAF0GqezApvjIwEgwZIpgaVAzKg/YQVAUEQCKGAjBHRIgI36A9CiHEHLkRQIDKUEE1whZpAQEhsCALKKKBI1DLNTmQEjwTQg8KSkAchhIEytSGAdFYAEGAFCo/IBEaoMIQydILFggAEAlBAyJiFAAyAHKEC4lUQAxvsbKBCzB0ACAAEIVXQAdEIQQp24YJJaQw+BUKjAIXTSHSpKHBTwUBCEAUAQw+g4lABAoAMgFRgYSgwh6QBbFDDeDHSoAieIgRSFEAImUYdIIGaQmB5KBilBKAYaEBgApJZOKAxElJugAsD0BTRBkQHDmMRAIhoocBgSDgUJZQAQIQM+JToc1GAQcRmxYMIwANNlgCQAAAkAIhOCgTE2AICOWY4SiobFiGHGUkKOEQUBQAAYUQFKGXpknD9AQIMVGsBSFiSkABAYAQMWAAAU1gKjcgC7YVAQMxY5TDeFBASqCkAqkgyBBiwP1YAj+jDgQZgAJIQ5EijqkBQPxYACKaiS8gghCMBECbESycnBvjFD0AHQCSuBiKhSEBMlUlBpIhIIpCO2CgoCJAwijLNBkAnmICgjA2ATIhgRIBz2GgAdpBMBSFSGOBAYDEAlPaCIA6wyIgLNgAMhdDpIVDwkYMEZ8yPgKUlApgBBJSihHFSGgjcMxC8CEAzVcgAEgoIzcClFEJitJY9apAAFSwpAruSlBAIQmMsAjgM+URwIcA1ogFRgoSCVCuHah2pleQDEtOJoECAqmCiKIiqDQ5AB+08ACFUooIKAVUksIGFWEAvBLCLCEi1RRAET4uEBDAOQBO37B5wJGQjzMiQBQBwRCBAA0sUGEx4RuBHPULCPWMDTBPIVCDABbBSAaMsKQAlRCzcwkQNjoBIl+AZiaFACkkIABjIwAKoXjFAIJRCwlsAEdRtwgIgAHgEEWTTsUaCgCRJYpQRJRTYDwADSCdABQoI3I50EDlAlNAgQBGsOQgAYyGA0KAgEBkGioACwAQnAwCgRNT0Q8EoYoPVa0YYDQZaPj6RBKDNpREqUHMgBlFAVr5sQhAwkWhQBMZDCSAYAS2BqKFhJBkjOg4gDIJKIoRAoSJKIvRbIAqElGgnI5UUiAq8DCAFlobAC1AEBQgwK2SixyYEgIZiuLogQTAYWAYa1hPIUp3wiKaAJKO8rhwwAGEA0Igh0CGM0LgCCAAIjNTFgRLgJggizSlCgxAljIFMCWYXKykQkpALC0EAAGSFE5VEAywlgzIcQIMUQcgBIhINxILlYQ4QRwBkOEoEUFgSDhMjiCLjQxkiiqAILlAUVEIEpCxIOJeAwiQEo4x0ilQALaRCITIwR4hHIJIDtBtGp4BC0IB5RAMEedLIp3ipgFkwQABghHROGFkal4MIQhyBUZViYYAwhJAE0AAAJJAQEcADwQSpYC8sJQgQgTorCkGDtsyhtEA41lFBDJSmIJDKrYEcVxIq2ARcFDozRiGQACuBC+gkiYzFVQsIOCwIAQwSHeAexAoBoRBlAIACwEIQhj8YeakBiAwBzhRgSnPYADoAzOFuY0BBWoUAGLDqEsHWQCDCQWBCSJ6AFzSMIeYCYIQdL1hMCXWqsjG4gF0AQWoIKgyAc0KgDkgAwwCKlU4RA4CQAUCCNiA6mkcBYEQZhrAQScgUhBgAQJcYYAUIMIKVlAQBgCgQSmAmIF5IF2FSAYCMZBKhoSgioyAlEAAtiyAAGiG+gIG1QEGICIEhuA2AjCNVRyAOw6YC0hCyGCFBBEdZKSiBRSOeAARCcASVCySlbAhMgCG+yagQoAHAKkCADi3dWCo0gY4ggkCAAMN/RACJBJVBYUyBCmREWwpiP+gM4IuACBj5HJA8MBCQYJVEXukCthyoAbmIRlLCiZiSUbBEYcgBBmsRoREIINK4qCSCAIWEAgE0gGGQZKREM1xoIQQUhiILOIx4F4uEIC4HKIUQDJBRSWEYAAROUpSSjGmMghcAMkR+kAp4IoSS8BgM6BASFwRIYQcTpgZkKlSwAlKQEsASBGZMiCAVZFEPBBCkKQIBSaegg4iBYA8UDBWCQQBA0lIAABDgJQAQiUBABMQCiVeGcACCAIEtAZAqInZIcBLb4CrEBsAQmAYhLAAgBYwo4gAKQMQXIGkJCDyCCWgeMyuAqKhG8ABDJBgDYD6GTfYAAJpBGg6xCzgBgeDVg2MoBBCmoMYI3CEC2EBGbQkSEmUHjQcSFQQHKRGQSCa6MoCGqYuXwGwMzIfE9O0DkpYFHwgxEANXspwKBQABRIJUGUgE7EMwEjDM2HDIUZJDsZIRQAFzgx5aDIAAqLEzTyEFkMAAQzH6hsUIFESKC5EEEVSE4e5S0AEdIwEbhIpwiiITUIwHBRQYGC4hQhATwGsepkLEFgDA5CRCQhMQMSYBEnWAAGYBECAqKE0paUJVAhARjRNkQMABQmByApgjJBCEAQQuGNRgBsOylQqBBYDrEsGXcaDrgA5HhgJQVDGiFiCEGBiIEEhpAgAIgBIUYYhhBVEEZin4iEqRDIQskJEJq4IRiCCxA0AaBBUxADmMvQAT0cmMsGEAAtSNIF+BQQBIC1CJigDgKBANP8gWjpIDKgWBDQO2FQDIQeIq0TgfyHgRBOkAChSrFINVs6IlmmoDhZDGPgKSsjEEkONHAwSKzgiBwhZsYoQRMiIBEE2LCTwIYKEXMpOEAUIRAABA4AIYIGZKqAAtBQIOYEqEFUCCBETYFKoiMANApjC4qCwFbEbqSNhAu4Q5EouWPRRMLILBKFwAE1gkSVBqloP1AGAtETyaCCIClgZwCioa6rKxySEAsgAkUJwIGQgKTCjrAQ6VOBswwQAAhNlApLIZMTVAKIBIUBjmALDCgACaAm8MSZCGZaCgR2YJVXusQCQASAAJCggQZSIABIOBQ0c6wSAEAIDSkCAAAEFRSBBJAJWbpAzRVlRxECBREKMCQBAiASeOKBjNtrLSEEk2whUoEhIIA+JCIwQYoB4EMuTNMgQgbCIZdUhAIAsK4mGlSIjQwJkVhAIEZATBbEppcfAmiQFKClBltCeOioo0MBYCCgAIkoJWAc7FIk6IE4EBAEgirAeHBCQHKhAAGYAACEggUMEgEAggkLMhYAWAAALIxgkVIEEwwgYgkhIJMAKAJgACgIHwQElJEMUQAFzAAggAIkIEAwBzKNiDAAGAgAARYEScAgACxAhKECBCAItUhIjKcQE4OKNgIgAwWCAJYkQgwAORJkAZAAQARA8AwkQiBEgABAFCYAUSxxAxB5DAAAwEGgFgCBpEFKAFwKCeKJhApUASBACBAgABJREIBSOBARIFLkWABAAwYgABQRKqGABABRMKBAABTQRUwECIAR4zQRBCTSAJGZEAFAMQQgYYCBCAQIAMQgAQkAAFUkFFjIDAjiKC0DAEgsEqmlCADXQAKRoQUAAoGA==

Section #3:

Name	Type	Entropy	Raw address	Raw size	Virtual address	Virtual size	Flags
	Data	5.51753	0x1000	496	0xa3000	4096	0x20000000, 0x40, 0x7fffffff, 0x20, 0x40000000

SHA256	2bdd23dc97b6a5cfcc0a99639ec874fd35450f24358a343ab05d2462548c697c
SHA1	d9e2de62ad038ca23540afa885ee0cdf8ee6ea99
MD5	c65987bafc892e9dcb87950e79dee885
ssdeep	6:yc1HkpKSlsgYptpUcVrkoZ3QBlcVa2kjI/Vg0lUlSG2l3ETHlHX2XvslIB:yskk2ct7FJUSwZ3c8SG2l3ETuElIB
sdhash	Not applicable

Virus Total scans

File: ecae6a2f3690f1b7ce565c2b2ac19ad37ade638cc75f04b275595d86d5d9e679

Scan date: 2016-04-05 09:08:21

Antivirus	Result	Update
Ad-Aware	Gen:Packer.Generic.lmGeaiJk7xhG	20160405
AegisLab	Backdoor.W32.Rbot	20160405
AhnLab-V3	Packed/Upack	20160404
Alibaba	Goodware	20160405
ALYac	Gen:Packer.Generic.lmGeaiJk7xhG	20160405
Antiy-AVL	Trojan/Win32.TSGeneric	20160405
Arcabit	Gen:Packer.Generic.lmGeaiJk7xhG	20160405
Avast	Win32:Crypt-AIS [Trj]	20160405
AVG	Win32/Ngvck.AO	20160405
Avira	TR/Bumat.A.1519	20160405
AVware	Trojan.Win32.Packer.Upack0.3.9 (ep)	20160405
Baidu	Goodware	20160405
Baidu-International	Goodware	20160405
BitDefender	Gen:Packer.Generic.lmGeaiJk7xhG	20160405
Bkav	W32.OnGamesLT180912HKGHAAI.Trojan	20160405
CAT-QuickHeal	W32.Seppuku.2764	20160405
ClamAV	Goodware	20160404
CMC	Trojan-GameThief.Win32.OnLineGames!O	20160404
Comodo	Packed.Win32.MUPACK.~KW	20160404
Cyren	W32/SuspPack.CY.gen!Eldorado	20160405
DrWeb	Goodware	20160405
Emsisoft	Gen:Packer.Generic.lmGeaiJk7xhG (B)	20160405
ESET-NOD32	Goodware	20160405
F-Prot	W32/SuspPack.CY.gen!Eldorado	20160405
F-Secure	Gen:Packer.Generic.lmGeaiJk7xhG	20160405
Fortinet	Goodware	20160404
GData	Gen:Packer.Generic.lmGeaiJk7xhG	20160405
Ikarus	Backdoor.Win32.Rbot	20160405
Jiangmin	Trojan/DiskAutorun.bgq	20160405
K7AntiVirus	Goodware	20160405
K7GW	Goodware	20160404
Kaspersky	UDS:DangerousObject.Multi.Generic	20160405
Kingsoft	Goodware	20160405
Malwarebytes	Goodware	20160405
McAfee	Artemis!A5AC6E69CE2E	20160405
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.cc	20160405
Microsoft	Goodware	20160405
MicroWorld-eScan	Gen:Packer.Generic.lmGeaiJk7xhG	20160405
NANO-Antivirus	Trojan.Win32.AutoRun.omay	20160405
nProtect	Trojan/W32.Agent.185776	20160404
Panda	Trj/Pupack.A	20160404
Qihoo-360	Win32/Trojan.b4e	20160405
Rising	Goodware	20160405
Sophos	Mal/Generic-S	20160405
SUPERAntiSpyware	Goodware	20160405
Symantec	W32.Small.gen	20160331
Tencent	Goodware	20160405
TheHacker	W32/Behav-Heuristic-060	20160405
TotalDefense	Goodware	20160404
TrendMicro	Cryp_Xed-12	20160405
TrendMicro-HouseCall	Goodware	20160405
VBA32	Goodware	20160404
VIPRE	Trojan.Win32.Packer.Upack0.3.9 (ep)	20160405
ViRobot	Goodware	20160405
Yandex	Packed/Upack	20160316
Zillya	Trojan.Genome.Win32.85357	20160404
Zoner	Goodware	20160405

Comments

We haven't comments for this file.