Analysis - Type V Example

File identification

Static PE information

Analysis

Layers & regions

VirusTotal scans

Summary

Visibility	Public
Main file's SHA256	400598f3cec6d03d4b8e5bd23003c0eea18c258d1c03eade9eced77bdaf0f14d
Complexity	Type V
Packer identification (signature based)	beria_v0_07_public_WIP_symbiont
Number of processes	2
Number of layers	2

Click to open on new tab

How do I read the graph?

File identification

General information

SHA256	400598f3cec6d03d4b8e5bd23003c0eea18c258d1c03eade9eced77bdaf0f14d
SHA1	91aa5fb21b0555e7377a8fa2d19bc3b538026976
MD5	1e7d7c48399d56a3de3397e02eee65fb
ssdeep	768:4PQNkhE2uVBQnSf4BMNRy0kdh747k3vwqwKlRxVobY6AxCdy6F6:44eyQnSGvuYey6F6
sdhash	sdbf:03:0::110080:sha1:256:5:7ff:160:7:34:hA9D50oaGXwEJBBBo1APiAAgBo2a6IIRiCSVeYOBMkqgyEOIWByKhAASBRUjfAEbIHJQRyAdg2BgMQRQEMDcpOwDmsBrJQjAEOs/CMsWhNqBFCMKmhGx0iAUgFi8qWhiC0OmZYDbgIAjgAJnABIKFEFITwQJwZ1AghIgY0RgyiUArGyQATYEJUSMElOCHKUEHM6EB4vNjFkA2WxoikAEJCMMARgCosB4S0SpaBLQEBYAgRg0ReiCcKqQJkhRAKQ+NGjkMApykxHAwKhCKAECD4FPNhZQEDIoVI0gAIzgMINFHDKciIRAw8QmARToCAKggBkAMkAE2UbAVDkETAUC+wO0KkagAi4tCmBQhCSKAESJKBAqSCQreCAhIlUDJBAgh6wATWCjhibAtGkiDJgQpEihdgFsizXIgPGg5IBvXYfi44FAoAskAhUwRBhBCGYaQRil6eBlDTAEjwlJIkCJEQVoGFcWGwZUo56xsJJCPcMZYqYGLEIgEqAEZg22Th03CpqBFQURltIQfAKKBAKcmhiAQkMIJJEA6JQUgQaCGAA0TGFIUGVgACkAAmcFQDE2EBQiImgIBQZASCAB1iRgpGgASFKIiCQzIxEYDkDpjgCNocmUycQFUQFiSSZQBIAUCgcSQGIhC4CIgUUoAQiECBMSoNQGBv2CFVkIQhsB4IqkAKAAJTOAjBADAYFiBCAGAFoFGFSABAKplqqACB14CGoKkABg0giBCAFJMCkpRyATMEIa1JDD8QACIbggUEAxggMsQJ0CTqhtJIoAoCFFngQBhaoUTcF040kMdcKjFxgOEoFosghkKbhFs4AJDwhkQDXRq8Aisa+8s8CBJwXEQwjaiIFAZxBK5rFUIQCOiAGggCEeQVClACmSDpCylEBQgSRohQHMcwCaBAJgCOpIk8ExQAlKzxgZJAAgHA6LAsoG6AQUlZAQ5TKUOFjELJBQxRANlIR4JMERE7dJOKCog74ryoHisFYEWDmALEANhoQgpBIIJIF0CHHAwaEAQokAIz+wsBEhiiAydNcgJsCgxSJ3xAzSUbWKREJRgLQo6CIA3QLAPNcmipURxEQGwyEBBCARLHxTKlwoUgIQQCCVI6wcCpIQB8AZAAoqCaCgRRiPA0VoBAEXbgBIBhQBBNEVAiYk+JQBlQmGBFwEJJCaTA9mATPlwjjBIuSCQRQAgJFQjIVBB2giTEIYFUEBGQQAWcGZAAACIiEAAsoQa4oOABE0EzNwhQSSHAIACwQgROzTJtBBWLC7kSAVWCoIIAmMIhBtkA9AAIsYThD1aAyEGDAQEwQwmiYAp0w3DJkBgBCaFmiGGBBmwDNsUwQYEkCwAJUTiMAyLqKBiijsRFEnAoFAA1oH4agIcGAOSSAADigCUgNkOCUBFQR1wBiS0ChLYsEAGGhQyDPVlBB0BCGKbGEgGDsYULJP8LYGIgDA8nLOUGEiIggEVOGAQFEgcPgQCi4SR4UWglAJgCUAEQKyDkBmmIFAoAHAqA64LMyBNAUwJSukwmEsEFBJIB4WQgQUFsFFENpwMiBiSCShMDAZKSljC8AjBfVwBMLJTTjGNIi2bDa0GIaHECCU4kAISIFAQcQDRAK3w9PgoQn8QwgJ1MQEC4bACaoZKIXjTQCgUIpwpUsIQChCChpjjTIkTWgKKvEUnGB2OqCwNc0MTDBmkYSnUAHZBBKYACALVKwGohKDBBSMQWJAiZIQAVCgnUwVBLFbCQBCAZCdO1EESSe4AJ4csyKArLgAAEAioYDAT43ANkwBAHKbooBM8gkCLZohNeiQ8gCrqbgxxxvFAUAYLbAQiTUGDCYNiakCALqiYQ9owGZJFAASpJEscFgIwwoNigLIYCijEjBESIBKEKSMmBQV5CgyRAwpkABCQAOAIgIqplAiJ5ZDpAJiwYEhbKBCKzwTBAfM4URkBedmUEPGMIEmAgCGcSWkSYwiCDATIUGrAAghQ3AM4PENqIiQCVAMYAJijJgCgEpKNhLZqCLaA27BpAAAc4XYvngHFYBAslhZkFACGAAI0AumhLACCVLAAAAAAAAQCAAAAACAAAAAAQAAAABMAgmAhEAAAAFQAA0BAAAAIAAAEgBAAAQCAAAARAAAAQAAAAIIGIECAACAAAQAIgAAQQLAQAECIAAAQAABAAIAgACAAAAAIwABAZAAAAAAAAACIZAAAAQACAQAABAAAASCAAAAAAkgAAAAAAAAgAAgAAAAAABAAAAAAAAASAQIgIADEQAACIAAAAAEAIIABIEACAAQAAFAAAABAIAQAABAABIEEAAAAAgAIAAACAAIBAADIAAQAghAABCBBAQAEgAAAAYAIABAAAwAQhwBYBCBIgAYAAgAgAAIAAAAAIAgAQAAAAAAEAIAACBgAA==
imphash	690605e32c06fee77e385106844c46ca
authentihash	-
File type	PE32 executable (GUI) Intel 80386, for MS Windows
MIME type	application/x-dosexec
First seen	2016-05-10 13:46:10
Size	110080
Known names	1e7d7c48399d56a3de3397e02eee65fb

TrID - File Identifier

Percentage	Type
14.2%	(.DLL) Win32 Dynamic Link Library (generic)
9.7%	(.EXE) Win32 Executable (generic)
4.3%	(.EXE) Generic Win/DOS Executable
4.3%	(.EXE) DOS Executable Generic
67.3%	(.EXE) Win32 Executable MS Visual C++ (generic)

Auxiliary files

None. This submission has not auxiliary files.

Behavioural packer analysis report

Packer analysis

Complexity type	Type V
Granularity	Page
Execution time	1049s
Number of processes	2
Number of layers	2
Number of regions	5
Number of upward transitions	78
Number of downward transitions	78
Number of multiframe layers	1
Number of processes with interprocess communication	2
Number of regions that call special APIs	3

Graph

Click to open on new tab

How do I read the graph?

Last executed region

Process	0
Layer number	0
Region number	0
Address	0x401000
Size	7978
Memory type	Module
Number of API functions called	6415217
Number of different APIs called	260
*Calls APIs of GetVersion family?**	No
*Calls APIs of GetCommandLine family?**	Yes
*Calls APIs of GetModuleHandle family?**	Yes
Modified by external process?	No
Writes an executed region?	Yes

Potential regions with original code

Process

Layer number

Region number

Address

Size

Memory type

Number of API functions called

Number of different APIs called

Calls APIs of GetVersion* family?

Calls APIs of GetCommandLine* family?

Calls APIs of GetModuleHandle* family?

Modified by external process?

Writes an executed region?

0x401000

4097

Module

191756

177

Yes

0x4040d1

1663

Module

31541

Yes

Remote memory writes

NtWriteVirtualMemory
Memory unmap|deallocate
NtReadVirtualMemory
ReadFile

Type	Source address	Dest. address	Source process	Dest. process	Size
NtWriteVirtualMemory	-	0x3b0044	0	1	1
NtWriteVirtualMemory	-	0x12fc50	0	1	4
NtWriteVirtualMemory	-	0x4050f0	0	1	4
NtWriteVirtualMemory	-	0x3b003c	0	1	1
NtWriteVirtualMemory	-	0x405068	0	1	4
NtWriteVirtualMemory	-	0x3b0031	0	1	1
NtWriteVirtualMemory	-	0x3b001a	0	1	1
NtWriteVirtualMemory	-	0x3b0033	0	1	1
NtWriteVirtualMemory	-	0x10000	0	1	1956
NtWriteVirtualMemory	-	0x405054	0	1	4
NtWriteVirtualMemory	-	0x3c0000	0	1	1
NtWriteVirtualMemory	-	0x4050cc	0	1	4
NtWriteVirtualMemory	-	0x12fc64	0	1	4
NtWriteVirtualMemory	-	0x3b003b	0	1	1
NtWriteVirtualMemory	-	0x3b001c	0	1	1
NtWriteVirtualMemory	-	0x405048	0	1	4
NtWriteVirtualMemory	-	0x3b0011	0	1	1
NtWriteVirtualMemory	-	0x4050c0	0	1	4
NtWriteVirtualMemory	-	0x12ffb4	0	1	4
NtWriteVirtualMemory	-	0x3b0045	0	1	1
NtWriteVirtualMemory	-	0x4050b8	0	1	4
NtWriteVirtualMemory	-	0x40502c	0	1	4
NtWriteVirtualMemory	-	0x3b003d	0	1	1
NtWriteVirtualMemory	-	0x3b0026	0	1	1
NtWriteVirtualMemory	-	0x3b001b	0	1	1
NtWriteVirtualMemory	-	0x7ffd4010	0	1	4
NtWriteVirtualMemory	-	0x12ffa8	0	1	4
NtWriteVirtualMemory	-	0x40511c	0	1	4
NtWriteVirtualMemory	-	0x405020	0	1	4
NtWriteVirtualMemory	-	0x12ff94	0	1	4
NtWriteVirtualMemory	-	0x401000	0	1	4096
NtWriteVirtualMemory	-	0x405098	0	1	4
NtWriteVirtualMemory	-	0x3b0028	0	1	1
NtWriteVirtualMemory	-	0x40500c	0	1	4
NtWriteVirtualMemory	-	0x3b001d	0	1	1
NtWriteVirtualMemory	-	0x405110	0	1	4
NtWriteVirtualMemory	-	0x3b0006	0	1	1
NtWriteVirtualMemory	-	0x4050e0	0	1	4
NtWriteVirtualMemory	-	0x405084	0	1	4
NtWriteVirtualMemory	-	0x3b000f	0	1	1
NtWriteVirtualMemory	-	0x12fc5c	0	1	4
NtWriteVirtualMemory	-	0x4050ac	0	1	4
NtWriteVirtualMemory	-	0x405000	0	1	4
NtWriteVirtualMemory	-	0x3b0032	0	1	1
NtWriteVirtualMemory	-	0x3b0027	0	1	1
NtWriteVirtualMemory	-	0x3b0008	0	1	1
NtWriteVirtualMemory	-	0x40506c	0	1	4
NtWriteVirtualMemory	-	0x12fc54	0	1	4
NtWriteVirtualMemory	-	0x4050e4	0	1	4
NtWriteVirtualMemory	-	0x7ffd41e8	0	1	4
NtWriteVirtualMemory	-	0x3b0034	0	1	1
NtWriteVirtualMemory	-	0x405060	0	1	4
NtWriteVirtualMemory	-	0x3b0029	0	1	1
NtWriteVirtualMemory	-	0x3b0012	0	1	1
NtWriteVirtualMemory	-	0x12fc58	0	1	4
NtWriteVirtualMemory	-	0x3b0007	0	1	1
NtWriteVirtualMemory	-	0x40504c	0	1	4
NtWriteVirtualMemory	-	0x12fc24	0	1	4
NtWriteVirtualMemory	-	0x3b003e	0	1	1
NtWriteVirtualMemory	-	0x4050bc	0	1	4
NtWriteVirtualMemory	-	0x3b0043	0	1	1
NtWriteVirtualMemory	-	0x3b0014	0	1	1
NtWriteVirtualMemory	-	0x405040	0	1	4
NtWriteVirtualMemory	-	0x3b0009	0	1	1
NtWriteVirtualMemory	-	0x160000	0	1	26
NtWriteVirtualMemory	-	0x12fc38	0	1	4
NtWriteVirtualMemory	-	0x12ffac	0	1	4
NtWriteVirtualMemory	-	0x4050b0	0	1	4
NtWriteVirtualMemory	-	0x405024	0	1	4
NtWriteVirtualMemory	-	0x3b0035	0	1	1
NtWriteVirtualMemory	-	0x405128	0	1	4
NtWriteVirtualMemory	-	0x3b001e	0	1	1
NtWriteVirtualMemory	-	0x40509c	0	1	4
NtWriteVirtualMemory	-	0x3b0013	0	1	1
NtWriteVirtualMemory	-	0x12ffa0	0	1	4
NtWriteVirtualMemory	-	0x405114	0	1	4
NtWriteVirtualMemory	-	0x404000	0	1	4096
NtWriteVirtualMemory	-	0x4050f8	0	1	4
NtWriteVirtualMemory	-	0x405018	0	1	4
NtWriteVirtualMemory	-	0x12fc44	0	1	4
NtWriteVirtualMemory	-	0x405090	0	1	4
NtWriteVirtualMemory	-	0x3b0020	0	1	1
NtWriteVirtualMemory	-	0x405004	0	1	4
NtWriteVirtualMemory	-	0x3b0015	0	1	1
NtWriteVirtualMemory	-	0x405108	0	1	4
NtWriteVirtualMemory	-	0x4050fc	0	1	4
NtWriteVirtualMemory	-	0x12fc48	0	1	4
NtWriteVirtualMemory	-	0x405078	0	1	4
NtWriteVirtualMemory	-	0x3b002a	0	1	1
NtWriteVirtualMemory	-	0x3b001f	0	1	1
NtWriteVirtualMemory	-	0x3b0000	0	1	1
NtWriteVirtualMemory	-	0x405064	0	1	4
NtWriteVirtualMemory	-	0x4050dc	0	1	4
NtWriteVirtualMemory	-	0x405120	0	1	4
NtWriteVirtualMemory	-	0x402000	0	1	4096
NtWriteVirtualMemory	-	0x12fc2c	0	1	4
NtWriteVirtualMemory	-	0x3b002c	0	1	1
NtWriteVirtualMemory	-	0x405058	0	1	4
NtWriteVirtualMemory	-	0x3b0021	0	1	1
NtWriteVirtualMemory	-	0x40d000	0	1	4096
NtWriteVirtualMemory	-	0x3b000a	0	1	1
NtWriteVirtualMemory	-	0x4050d0	0	1	4
NtWriteVirtualMemory	-	0x401660	0	1	1
NtWriteVirtualMemory	-	0x405044	0	1	4
NtWriteVirtualMemory	-	0x40503c	0	1	4
NtWriteVirtualMemory	-	0x3b0003	0	1	1
NtWriteVirtualMemory	-	0x12ffc0	0	1	4
NtWriteVirtualMemory	-	0x3b0036	0	1	1
NtWriteVirtualMemory	-	0x3b002b	0	1	1
NtWriteVirtualMemory	-	0x4050e8	0	1	4
NtWriteVirtualMemory	-	0x3b000c	0	1	1
NtWriteVirtualMemory	-	0x12ffb8	0	1	4
NtWriteVirtualMemory	-	0x3b0001	0	1	1
NtWriteVirtualMemory	-	0x4050b4	0	1	4
NtWriteVirtualMemory	-	0x405030	0	1	4
NtWriteVirtualMemory	-	0x3b0040	0	1	1
NtWriteVirtualMemory	-	0x12ffa4	0	1	4
NtWriteVirtualMemory	-	0x3b003f	0	1	1
NtWriteVirtualMemory	-	0x4050a8	0	1	4
NtWriteVirtualMemory	-	0x3b0038	0	1	1
NtWriteVirtualMemory	-	0x40501c	0	1	4
NtWriteVirtualMemory	-	0x3b002d	0	1	1
NtWriteVirtualMemory	-	0x150000	0	1	100
NtWriteVirtualMemory	-	0x3b0016	0	1	1
NtWriteVirtualMemory	-	0x3b000b	0	1	1
NtWriteVirtualMemory	-	0x12ff98	0	1	4
NtWriteVirtualMemory	-	0x40510c	0	1	4
NtWriteVirtualMemory	-	0x405010	0	1	4
NtWriteVirtualMemory	-	0x12fc28	0	1	4
NtWriteVirtualMemory	-	0x12fc60	0	1	4
NtWriteVirtualMemory	-	0x3b0037	0	1	1
NtWriteVirtualMemory	-	0x3b0018	0	1	1
NtWriteVirtualMemory	-	0x40507c	0	1	4
NtWriteVirtualMemory	-	0x3b000d	0	1	1
NtWriteVirtualMemory	-	0x405100	0	1	4
NtWriteVirtualMemory	-	0x4050f4	0	1	4
NtWriteVirtualMemory	-	0x12fc34	0	1	4
NtWriteVirtualMemory	-	0x3b0041	0	1	1
NtWriteVirtualMemory	-	0x405070	0	1	4
NtWriteVirtualMemory	-	0x3b0039	0	1	1
NtWriteVirtualMemory	-	0x12fc68	0	1	4
NtWriteVirtualMemory	-	0x3b0022	0	1	1
NtWriteVirtualMemory	-	0x12fc30	0	1	4
NtWriteVirtualMemory	-	0x3b0017	0	1	1
NtWriteVirtualMemory	-	0x40505c	0	1	4
NtWriteVirtualMemory	-	0x4050d4	0	1	4
NtWriteVirtualMemory	-	0x4050d8	0	1	4
NtWriteVirtualMemory	-	0x4050a4	0	1	4
NtWriteVirtualMemory	-	0x3b0024	0	1	1
NtWriteVirtualMemory	-	0x405050	0	1	4
NtWriteVirtualMemory	-	0x3b0019	0	1	1
NtWriteVirtualMemory	-	0x3b0002	0	1	1
NtWriteVirtualMemory	-	0x3b002f	0	1	1
NtWriteVirtualMemory	-	0x4050c8	0	1	4
NtWriteVirtualMemory	-	0x12ffbc	0	1	4
NtWriteVirtualMemory	-	0x12fc4c	0	1	4
NtWriteVirtualMemory	-	0x405034	0	1	4
NtWriteVirtualMemory	-	0x3b002e	0	1	1
NtWriteVirtualMemory	-	0x160000	0	1	66
NtWriteVirtualMemory	-	0x3b0023	0	1	1
NtWriteVirtualMemory	-	0x3b0004	0	1	1
NtWriteVirtualMemory	-	0x12ffb0	0	1	4
NtWriteVirtualMemory	-	0x20000	0	1	1716
NtWriteVirtualMemory	-	0x405028	0	1	4
NtWriteVirtualMemory	-	0x12ff9c	0	1	4
NtWriteVirtualMemory	-	0x405000	0	1	4096
NtWriteVirtualMemory	-	0x4050a0	0	1	4
NtWriteVirtualMemory	-	0x3b0030	0	1	1
NtWriteVirtualMemory	-	0x405014	0	1	4
NtWriteVirtualMemory	-	0x406000	0	1	4096
NtWriteVirtualMemory	-	0x3b0025	0	1	1
NtWriteVirtualMemory	-	0x405118	0	1	4
NtWriteVirtualMemory	-	0x3b000e	0	1	1
NtWriteVirtualMemory	-	0x40508c	0	1	4
NtWriteVirtualMemory	-	0x3b0042	0	1	1
NtWriteVirtualMemory	-	0x140000	0	1	100
NtWriteVirtualMemory	-	0x405008	0	1	4
NtWriteVirtualMemory	-	0x3b003a	0	1	1
NtWriteVirtualMemory	-	0x405080	0	1	4
NtWriteVirtualMemory	-	0x3b0010	0	1	1
NtWriteVirtualMemory	-	0x405074	0	1	4
NtWriteVirtualMemory	-	0x3b0005	0	1	1
NtWriteVirtualMemory	-	0x4050ec	0	1	4
NtWriteVirtualMemory	-	0x405094	0	1	4
Type	Source address	Dest. address	Source process	Dest. process	Size
Memory unmap\|deallocate	-	0x3a0000	0	0	4096
Type	Source address	Dest. address	Source process	Dest. process	Size
NtReadVirtualMemory	-	0x12f6f0	1	0	4
NtReadVirtualMemory	-	0x14da88	1	0	4096
NtReadVirtualMemory	-	0x12ff60	1	0	4
NtReadVirtualMemory	-	0x14dad8	1	0	4096
NtReadVirtualMemory	-	0x12ff38	1	0	4
NtReadVirtualMemory	-	0x12f1b0	1	0	256
Type	Source address	Dest. address	Source process	Dest. process	Size
ReadFile	-	0x3f4448	1	1	4096
ReadFile	-	0x3f4448	1	1	512
ReadFile	-	0x3f4448	1	1	165
ReadFile	-	0x3f4448	1	1	105
ReadFile	-	0x3f4448	1	1	33
ReadFile	-	0x3f4448	1	1	138
ReadFile	-	0x3fdc38	1	1	512
ReadFile	-	0x3fea38	1	1	1536
ReadFile	-	0x3f4448	1	1	66
ReadFile	-	0x3f4448	1	1	171
ReadFile	-	0x3f4448	1	1	204
ReadFile	-	0x3f4448	1	1	198
ReadFile	-	0x3f4448	1	1	350
ReadFile	-	0x3f4448	1	1	39
ReadFile	-	0x3f4448	1	1	72
ReadFile	-	0x3f4448	1	1	6
ReadFile	-	0xa70048	1	1	1024
ReadFile	-	0x3f4448	1	1	99
ReadFile	-	0x3f4448	1	1	132
ReadFile	-	0x3f4448	1	1	310

Loaded modules

By PID	Start address	Size	Name
1144	0x400000	225280	`1e7d7c48399d56a3de3397e02eee65fb`
1140	0x400000	225280	`1e7d7c48399d56a3de3397e02eee65fb`
1144	0x77da0000	704512	`advapi32.dll`
1140	0x77da0000	704512	`advapi32.dll`
1144	0x77ef0000	299008	`gdi32.dll`
1144	0x7c800000	1060864	`kernel32.dll`
1140	0x7c800000	1060864	`kernel32.dll`
1144	0x746b0000	311296	`msctf.dll`
1144	0x77be0000	360448	`msvcrt.dll`
1144	0x7c910000	741376	`ntdll.dll`
1140	0x7c910000	741376	`ntdll.dll`
1144	0x77e50000	598016	`rpcrt4.dll`
1140	0x77e50000	598016	`rpcrt4.dll`
1144	0x77fc0000	69632	`secur32.dll`
1140	0x77fc0000	69632	`secur32.dll`
1144	0x7e390000	593920	`user32.dll`
1144	0x5b150000	229376	`uxtheme.dll`
1144	0x76b00000	188416	`winmm.dll`

Layers and regions

Summary

Layer	Size	Number of regions	Number of frames	Lowest address	Highest address
0	7978 KB	1	0	0x401000	0x401000
1	5797 KB	4	5	0x140000	0x4040d1

API calls

Layer

Number of API calls

6415217

Region number

Address space

Number of API calls

0x401000-0x402f2a

6415217

DLL	Function/s
ADVAPI32.dll	`CheckTokenMembership` `CreateWellKnownSid` `DuplicateToken` `DuplicateTokenEx` `GetSidLengthRequired` `GetTokenInformation` `RegCloseKey` `RegOpenCurrentUser` `RegOpenKeyExW` `RegQueryValueExW` `SaferCloseLevel` `SaferComputeTokenFromLevel` `SaferIdentifyLevel`
ntdll.dll	`_allshl` `_stricmp` `_strnicmp` `_wcsicmp` `bsearch` `CsrClientCallServer` `DbgPrintEx` `DbgUiConnectToDbg` `DbgUiContinue` `DbgUiConvertStateChangeStructure` `DbgUiGetThreadDebugObject` `DbgUiWaitStateChange` `KiFastSystemCall` `KiFastSystemCallRet` `LdrAccessResource` `LdrAlternateResourcesEnabled` `LdrCreateOutOfProcessImage` `LdrDestroyOutOfProcessImage` `LdrDisableThreadCalloutsForDll` `LdrEnumerateLoadedModules` `LdrFindCreateProcessManifest` `LdrFindResource_U` `LdrFindResourceDirectory_U` `LdrGetDllHandle` `LdrGetDllHandleEx` `LdrGetProcedureAddress` `LdrLoadAlternateResourceModule` `LdrLoadDll` `LdrLockLoaderLock` `LdrQueryImageFileExecutionOptions` `LdrUnloadDll` `LdrUnlockLoaderLock` `memmove` `RtlAcquirePebLock` `RtlAcquireResourceExclusive` `RtlActivateActivationContextUnsafeFast` `RtlAddAccessAllowedAce` `RtlAllocateAndInitializeSid` `RtlAllocateHandle` `RtlAllocateHeap` `RtlAnsiStringToUnicodeString` `RtlAppendUnicodeStringToString` `RtlAppendUnicodeToString` `RtlConvertSidToUnicodeString` `RtlCopySid` `RtlCopyUnicodeString` `RtlCreateAcl` `RtlCreateProcessParameters` `RtlCreateSecurityDescriptor` `RtlCreateUnicodeString` `RtlDeactivateActivationContextUnsafeFast` `RtlDeNormalizeProcessParams` `RtlDestroyProcessParameters` `RtlDetermineDosPathNameType_U` `RtlDosApplyFileIsolationRedirection_Ustr` `RtlDosPathNameToNtPathName_U` `RtlDosSearchPath_Ustr` `RtlDuplicateUnicodeString` `RtlEnterCriticalSection` `RtlEnumerateGenericTableWithoutSplaying` `RtlEqualSid` `RtlEqualUnicodeString` `RtlExpandEnvironmentStrings_U` `RtlFindActivationContextSectionString` `RtlFindCharInUnicodeString` `RtlFindClearBits` `RtlFindClearBitsAndSet` `RtlFirstFreeAce` `RtlFormatCurrentUserKeyPath` `RtlFreeHandle` `RtlFreeHeap` `RtlFreeUnicodeString` `RtlGetActiveActivationContext` `RtlGetFullPathName_U` `RtlGetNtGlobalFlags` `RtlGUIDFromString` `RtlHashUnicodeString` `RtlImageDirectoryEntryToData` `RtlImageNtHeader` `RtlInitAnsiString` `RtlInitializeCriticalSection` `RtlInitializeCriticalSectionAndSpinCount` `RtlInitializeGenericTable` `RtlInitializeHandleTable` `RtlInitializeResource` `RtlInitializeSid` `RtlInitString` `RtlInitUnicodeString` `RtlInitUnicodeStringEx` `RtlInsertElementGenericTable` `RtlIntegerToChar` `RtlIntegerToUnicodeString` `RtlIsGenericTableEmpty` `RtlIsValidHandle` `RtlIsValidIndexHandle` `RtlLeaveCriticalSection` `RtlLengthRequiredSid` `RtlLengthSid` `RtlLockHeap` `RtlLogStackBackTrace` `RtlLookupElementGenericTable` `RtlMultiAppendUnicodeStringBuffer` `RtlMultiByteToUnicodeN` `RtlNtStatusToDosError` `RtlNtStatusToDosErrorNoTeb` `RtlOpenCurrentUser` `RtlpEnsureBufferSize` `RtlPrefixUnicodeString` `RtlQueryEnvironmentVariable_U` `RtlReAllocateHeap` `RtlRealSuccessor` `RtlReleasePebLock` `RtlReleaseResource` `RtlSetBits` `RtlSetDaclSecurityDescriptor` `RtlSetGroupSecurityDescriptor` `RtlSetOwnerSecurityDescriptor` `RtlSplay` `RtlSubAuthoritySid` `RtlUnlockHeap` `RtlUpcaseUnicodeChar` `RtlValidAcl` `RtlValidateUnicodeString` `RtlValidSid` `strchr` `strncmp` `vDbgPrintExWithPrefix` `wcscat` `wcschr` `wcscpy` `wcslen` `wcsncmp` `wcsncpy` `wcsrchr` `wcsstr` `ZwAccessCheck` `ZwAllocateVirtualMemory` `ZwClose` `ZwCreateDebugObject` `ZwCreateProcessEx` `ZwCreateSection` `ZwCreateSemaphore` `ZwCreateThread` `ZwDebugContinue` `ZwDuplicateToken` `ZwEnumerateKey` `ZwFlushInstructionCache` `ZwFreeVirtualMemory` `ZwGetContextThread` `ZwMapViewOfSection` `ZwOpenDirectoryObject` `ZwOpenFile` `ZwOpenKey` `ZwOpenMutant` `ZwOpenProcessToken` `ZwOpenProcessTokenEx` `ZwOpenSection` `ZwOpenSymbolicLinkObject` `ZwOpenThread` `ZwOpenThreadToken` `ZwOpenThreadTokenEx` `ZwProtectVirtualMemory` `ZwQueryAttributesFile` `ZwQueryDebugFilterState` `ZwQueryDefaultLocale` `ZwQueryDefaultUILanguage` `ZwQueryInformationFile` `ZwQueryInformationJobObject` `ZwQueryInformationProcess` `ZwQueryInformationThread` `ZwQueryInformationToken` `ZwQueryInstallUILanguage` `ZwQuerySection` `ZwQuerySymbolicLinkObject` `ZwQuerySystemInformation` `ZwQueryValueKey` `ZwQueryVolumeInformationFile` `ZwReadVirtualMemory` `ZwReleaseMutant` `ZwRequestWaitReplyPort` `ZwResumeThread` `ZwSetContextThread` `ZwSetInformationObject` `ZwSetInformationProcess` `ZwUnmapViewOfSection` `ZwWaitForDebugEvent` `ZwWaitForSingleObject` `ZwWriteVirtualMemory`
KERNEL32.DLL	`BaseCheckAppcompatCache` `BaseInitAppcompatCache` `BasepCheckWinSaferRestrictions` `CloseHandle` `ContinueDebugEvent` `CreateFileMappingW` `CreateProcessA` `CreateProcessInternalA` `CreateProcessInternalW` `DisableThreadLibraryCalls` `FindResourceExW` `FlushInstructionCache` `FreeLibrary` `GetCommandLineA` `GetFileAttributesW` `GetFileSizeEx` `GetFullPathNameW` `GetLongPathNameW` `GetModuleHandleA` `GetModuleHandleW` `GetProcAddress` `GetProcessHeap` `GetProcessVersion` `GetSystemInfo` `GetSystemTimeAsFileTime` `GetSystemWindowsDirectoryW` `GetThreadContext` `GetWindowsDirectoryW` `GlobalAlloc` `GlobalFree` `GlobalReAlloc` `InitializeCriticalSection` `InterlockedCompareExchange` `IsBadWritePtr` `LoadLibraryA` `LoadLibraryExA` `LoadLibraryExW` `LoadResource` `LocalAlloc` `LocalFree` `lstrlenW` `MapViewOfFile` `MapViewOfFileEx` `OpenFileMappingW` `OpenMutexW` `OpenThread` `ReadProcessMemory` `ReleaseMutex` `SearchPathW` `SetErrorMode` `SetThreadContext` `TlsAlloc` `UnmapViewOfFile` `VirtualAllocEx` `VirtualProtectEx` `WaitForDebugEvent` `WaitForSingleObject` `WaitForSingleObjectEx` `WriteProcessMemory`

239150

Region number

Address space

Number of API calls

0x140000-0x140011

5296

DLL	Function/s
KERNEL32.DLL	`CompareStringW` `CreateEventW` `DisableThreadLibraryCalls` `FreeEnvironmentStringsW` `GetACP` `GetCommandLineA` `GetCommandLineW` `GetCPInfo` `GetCurrentThreadId` `GetEnvironmentStringsW` `GetEnvironmentVariableA` `GetFileType` `GetModuleFileNameW` `GetModuleHandleA` `GetModuleHandleW` `GetProcAddress` `GetProcessHeap` `GetStartupInfoA` `GetStdHandle` `GetStringTypeW` `GetSystemTimeAsFileTime` `GetThreadLocale` `GetTickCount` `GetVersionExA` `GetVersionExW` `HeapCreate` `InitializeCriticalSection` `InitializeCriticalSectionAndSpinCount` `InterlockedCompareExchange` `IsBadWritePtr` `LCMapStringW` `LoadLibraryA` `LoadLibraryExA` `LoadLibraryExW` `LocalAlloc` `lstrcmpiW` `lstrcpyW` `MultiByteToWideChar` `RegisterWaitForInputIdle` `SetHandleCount` `SetUnhandledExceptionFilter` `TlsAlloc` `TlsSetValue` `VerifyConsoleIoHandle` `VirtualQuery` `VirtualQueryEx` `WideCharToMultiByte`
ADVAPI32.dll	`CreateWellKnownSid` `GetSidLengthRequired` `RegCloseKey` `RegOpenKeyExW` `RegQueryValueExW`
ntdll.dll	`_stricmp` `_strnicmp` `bsearch` `CsrAllocateCaptureBuffer` `CsrAllocateMessagePointer` `CsrClientCallServer` `CsrClientConnectToServer` `CsrFreeCaptureBuffer` `KiFastSystemCall` `KiFastSystemCallRet` `KiUserCallbackDispatcher` `LdrDisableThreadCalloutsForDll` `LdrEnumerateLoadedModules` `LdrFindResourceDirectory_U` `LdrGetDllHandle` `LdrGetDllHandleEx` `LdrGetProcedureAddress` `LdrLoadDll` `LdrLockLoaderLock` `LdrQueryImageFileExecutionOptions` `LdrUnlockLoaderLock` `memmove` `RtlAcquirePebLock` `RtlAcquireResourceExclusive` `RtlActivateActivationContextUnsafeFast` `RtlAllocateHeap` `RtlAnsiStringToUnicodeString` `RtlAppendUnicodeStringToString` `RtlAppendUnicodeToString` `RtlCompareMemory` `RtlCompareMemoryUlong` `RtlConvertSidToUnicodeString` `RtlCopyUnicodeString` `RtlCreateHeap` `RtlDeactivateActivationContextUnsafeFast` `RtlDecodePointer` `RtlDetermineDosPathNameType_U` `RtlDosApplyFileIsolationRedirection_Ustr` `RtlDosPathNameToNtPathName_U` `RtlDosSearchPath_U` `RtlEncodePointer` `RtlEnterCriticalSection` `RtlEqualSid` `RtlEqualUnicodeString` `RtlFillMemoryUlong` `RtlFindActivationContextSectionString` `RtlFindCharInUnicodeString` `RtlFindClearBits` `RtlFindClearBitsAndSet` `RtlFormatCurrentUserKeyPath` `RtlFreeHeap` `RtlFreeUnicodeString` `RtlGetActiveActivationContext` `RtlGetFullPathName_U` `RtlGetNtGlobalFlags` `RtlGetNtProductType` `RtlGetNtVersionNumbers` `RtlGetVersion` `RtlHashUnicodeString` `RtlImageDirectoryEntryToData` `RtlImageNtHeader` `RtlInitAnsiString` `RtlInitializeCriticalSection` `RtlInitializeCriticalSectionAndSpinCount` `RtlInitializeGenericTable` `RtlInitializeHandleTable` `RtlInitializeResource` `RtlInitializeSid` `RtlInitString` `RtlInitUnicodeString` `RtlInitUnicodeStringEx` `RtlLeaveCriticalSection` `RtlLengthRequiredSid` `RtlLogStackBackTrace` `RtlMultiByteToUnicodeN` `RtlNtStatusToDosError` `RtlNtStatusToDosErrorNoTeb` `RtlQueryEnvironmentVariable_U` `RtlReleasePebLock` `RtlReleaseResource` `RtlSetBits` `RtlSubAuthoritySid` `RtlUnicodeStringToAnsiString` `RtlUnicodeToMultiByteN` `RtlUpcaseUnicodeChar` `RtlValidateUnicodeString` `RtlValidSid` `strchr` `strncmp` `wcschr` `wcscpy` `wcslen` `wcsncat` `wcsncmp` `wcsncpy` `wcsrchr` `ZwAllocateVirtualMemory` `ZwCallbackReturn` `ZwClose` `ZwCreateEvent` `ZwCreateSection` `ZwCreateSemaphore` `ZwFsControlFile` `ZwMapViewOfSection` `ZwOpenDirectoryObject` `ZwOpenFile` `ZwOpenKey` `ZwOpenProcessToken` `ZwOpenProcessTokenEx` `ZwOpenSection` `ZwOpenThreadTokenEx` `ZwQueryAttributesFile` `ZwQueryInformationProcess` `ZwQueryInformationToken` `ZwQuerySection` `ZwQuerySystemInformation` `ZwQueryTimerResolution` `ZwQueryValueKey` `ZwQueryVirtualMemory` `ZwRequestWaitReplyPort` `ZwSetInformationObject`
USER32.DLL	`ClientThreadSetup` `GetAppCompatFlags2` `GetSysColor` `LoadCursorW` `RegisterWindowMessageW` `UserClientDllInitialize`

0x150000-0x150014

10557

DLL	Function/s
KERNEL32.DLL	`CloseHandle` `CompareStringA` `CompareStringW` `CreateFileA` `CreateFileMappingA` `CreateFileMappingW` `CreateFileW` `CreateMutexA` `CreateMutexW` `DeleteFileA` `DeleteFileW` `FindResourceA` `FindResourceExA` `FindResourceExW` `FreeLibrary` `GetACP` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThreadId` `GetFullPathNameA` `GetLocaleInfoA` `GetLocaleInfoW` `GetModuleFileNameA` `GetModuleFileNameW` `GetModuleHandleA` `GetModuleHandleW` `GetProcAddress` `GetStringTypeW` `GetSystemDirectoryA` `GetThreadLocale` `GetTickCount` `GetUserDefaultUILanguage` `GetVersionExA` `GetVersionExW` `InitializeCriticalSectionAndSpinCount` `InterlockedDecrement` `InterlockedExchange` `InterlockedIncrement` `IsBadReadPtr` `IsBadStringPtrW` `IsBadWritePtr` `IsDebuggerPresent` `IsValidCodePage` `LoadLibraryExW` `LoadLibraryW` `LoadResource` `LocalAlloc` `LocalFree` `lstrcmpA` `lstrcpynA` `lstrlenA` `lstrlenW` `MapViewOfFile` `MapViewOfFileEx` `MulDiv` `OpenFileMappingA` `OpenFileMappingW` `ReleaseMutex` `TlsAlloc` `TlsGetValue` `TlsSetValue` `WaitForSingleObject` `WaitForSingleObjectEx` `WideCharToMultiByte` `WriteFile`
ADVAPI32.dll	`ConvertSidToStringSidA` `ConvertSidToStringSidW` `GetTokenInformation` `OpenProcessToken` `RegCloseKey` `RegOpenCurrentUser` `RegOpenKeyExA` `RegOpenKeyExW` `RegQueryValueExA` `RegQueryValueExW`
ntdll.dll	`_stricmp` `_strnicmp` `_wcsicmp` `bsearch` `CsrClientCallServer` `KiFastSystemCall` `KiFastSystemCallRet` `KiUserCallbackDispatcher` `LdrAccessResource` `LdrAlternateResourcesEnabled` `LdrFindResource_U` `LdrFindResourceDirectory_U` `LdrGetDllHandle` `LdrGetDllHandleEx` `LdrGetProcedureAddress` `LdrLoadAlternateResourceModule` `LdrLoadDll` `LdrLockLoaderLock` `LdrQueryImageFileExecutionOptions` `LdrUnloadDll` `LdrUnlockLoaderLock` `memmove` `RtlAcquirePebLock` `RtlActivateActivationContextUnsafeFast` `RtlAddRefActivationContext` `RtlAllocateHeap` `RtlAnsiStringToUnicodeString` `RtlAppendUnicodeStringToString` `RtlAppendUnicodeToString` `RtlCompareMemory` `RtlCompareMemoryUlong` `RtlConvertSidToUnicodeString` `RtlCopyUnicodeString` `RtlCreateUnicodeString` `RtlCreateUnicodeStringFromAsciiz` `RtlDeactivateActivationContextUnsafeFast` `RtlDetermineDosPathNameType_U` `RtlDosApplyFileIsolationRedirection_Ustr` `RtlDosPathNameToNtPathName_U` `RtlDosSearchPath_U` `RtlEnterCriticalSection` `RtlEqualUnicodeString` `RtlFillMemoryUlong` `RtlFindActivationContextSectionString` `RtlFindCharInUnicodeString` `RtlFindClearBits` `RtlFindClearBitsAndSet` `RtlFormatCurrentUserKeyPath` `RtlFreeHeap` `RtlFreeUnicodeString` `RtlGetActiveActivationContext` `RtlGetFullPathName_U` `RtlGetLastWin32Error` `RtlGetNtGlobalFlags` `RtlGetNtProductType` `RtlGetVersion` `RtlHashUnicodeString` `RtlImageDirectoryEntryToData` `RtlImageNtHeader` `RtlInitAnsiString` `RtlInitializeCriticalSection` `RtlInitializeCriticalSectionAndSpinCount` `RtlInitString` `RtlInitUnicodeString` `RtlInitUnicodeStringEx` `RtlLeaveCriticalSection` `RtlLogStackBackTrace` `RtlMultiAppendUnicodeStringBuffer` `RtlMultiByteToUnicodeN` `RtlNtStatusToDosError` `RtlNtStatusToDosErrorNoTeb` `RtlOpenCurrentUser` `RtlpEnsureBufferSize` `RtlQueryEnvironmentVariable_U` `RtlQueryInformationActivationContext` `RtlQueryInformationActiveActivationContext` `RtlReAllocateHeap` `RtlReleasePebLock` `RtlSetBits` `RtlSetLastWin32Error` `RtlTryEnterCriticalSection` `RtlUnicodeStringToAnsiString` `RtlUnicodeToMultiByteN` `RtlUnicodeToMultiByteSize` `RtlUpcaseUnicodeChar` `RtlValidateUnicodeString` `RtlValidSid` `strchr` `strncmp` `wcschr` `wcscpy` `wcslen` `wcsncmp` `wcsncpy` `wcsrchr` `ZwAllocateVirtualMemory` `ZwClose` `ZwConnectPort` `ZwCreateFile` `ZwCreateMutant` `ZwCreateSection` `ZwFlushInstructionCache` `ZwMapViewOfSection` `ZwOpenFile` `ZwOpenKey` `ZwOpenProcessToken` `ZwOpenProcessTokenEx` `ZwOpenSection` `ZwOpenThreadTokenEx` `ZwProtectVirtualMemory` `ZwQueryAttributesFile` `ZwQueryDefaultLocale` `ZwQueryDefaultUILanguage` `ZwQueryInformationFile` `ZwQueryInformationProcess` `ZwQueryInformationToken` `ZwQueryInstallUILanguage` `ZwQuerySection` `ZwQueryValueKey` `ZwReleaseMutant` `ZwRequestWaitReplyPort` `ZwSetInformationFile` `ZwSetInformationObject` `ZwUnmapViewOfSection` `ZwWaitForSingleObject` `ZwWriteFile`
USER32.DLL	`CallNextHookEx` `CharNextW` `DefDlgProcA` `DefWindowProcA` `DialogBoxIndirectParamAorW` `DialogBoxParamA` `GetAppCompatFlags2` `GetClassLongW` `GetClassNameW` `GetClientRect` `GetDC` `GetDlgItem` `GetForegroundWindow` `GetGUIThreadInfo` `GetKeyboardLayout` `GetProcessWindowStation` `GetPropW` `GetSystemMetrics` `GetThreadDesktop` `GetUserObjectInformationA` `GetUserObjectInformationW` `GetWindowDC` `GetWindowLongW` `GetWindowThreadProcessId` `IsWindow` `LoadBitmapA` `LoadCursorA` `LoadCursorW` `OffsetRect` `RegisterClassExA` `RegisterWindowMessageA` `ReleaseDC` `RemovePropW` `SetCursor` `SetPropW` `SetWindowRgn` `SetWindowsHookExA` `WCSToMBEx`

0x401000-0x402001

191756

DLL	Function/s
KERNEL32.DLL	`CloseHandle` `CompareStringW` `CreateEventW` `DeviceIoControl` `DuplicateHandle` `FindResourceExW` `GetACP` `GetCurrentProcess` `GetCurrentThread` `GetCurrentThreadId` `GetModuleFileNameW` `GetProcessHeap` `GetThreadLocale` `GetTickCount` `GetVersionExA` `GetVersionExW` `GlobalMemoryStatusEx` `InitializeCriticalSection` `InterlockedCompareExchange` `InterlockedDecrement` `InterlockedExchange` `InterlockedIncrement` `IsBadReadPtr` `LoadLibraryExW` `LoadLibraryW` `LoadResource` `lstrcmpiW` `lstrcpyW` `lstrlenW` `MapViewOfFile` `MapViewOfFileEx` `OpenEventW` `OpenFileMappingW` `SetEvent` `TlsGetValue` `WaitForSingleObject` `WaitForSingleObjectEx`
ADVAPI32.dll	`AddAccessAllowedAce` `CloseServiceHandle` `InitializeAcl` `InitializeSecurityDescriptor` `MD4Final` `MD4Init` `MD4Update` `OpenSCManagerW` `OpenServiceW` `QueryServiceStatus` `RegCloseKey` `RegOpenKeyExA` `RegOpenKeyExW` `RegQueryValueExA` `SetSecurityDescriptorDacl` `SystemFunction036`
ntdll.dll	`_allmul` `_chkstk` `_wcsicmp` `bsearch` `KiFastSystemCall` `KiFastSystemCallRet` `KiUserCallbackDispatcher` `LdrAccessResource` `LdrAlternateResourcesEnabled` `LdrFindResource_U` `LdrLoadAlternateResourceModule` `LdrLoadDll` `LdrLockLoaderLock` `LdrUnlockLoaderLock` `memmove` `RtlAcquirePebLock` `RtlAcquireResourceShared` `RtlActivateActivationContextUnsafeFast` `RtlAddAccessAllowedAce` `RtlAddRefActivationContext` `RtlAllocateHeap` `RtlAnsiStringToUnicodeString` `RtlAppendUnicodeToString` `RtlCompareMemory` `RtlCompareMemoryUlong` `RtlConvertSidToUnicodeString` `RtlCopySid` `RtlCopyUnicodeString` `RtlCreateAcl` `RtlCreateSecurityDescriptor` `RtlCreateUnicodeStringFromAsciiz` `RtlDeactivateActivationContextUnsafeFast` `RtlDeleteCriticalSection` `RtlDllShutdownInProgress` `RtlDosApplyFileIsolationRedirection_Ustr` `RtlEnterCriticalSection` `RtlEqualUnicodeString` `RtlExtendedMagicDivide` `RtlFillMemoryUlong` `RtlFindActivationContextSectionString` `RtlFindCharInUnicodeString` `RtlFirstFreeAce` `RtlFormatCurrentUserKeyPath` `RtlFreeHeap` `RtlFreeUnicodeString` `RtlGetNtGlobalFlags` `RtlGetNtProductType` `RtlGetVersion` `RtlHashUnicodeString` `RtlImageDirectoryEntryToData` `RtlImageNtHeader` `RtlInitAnsiString` `RtlInitializeCriticalSection` `RtlInitializeCriticalSectionAndSpinCount` `RtlInitUnicodeString` `RtlInitUnicodeStringEx` `RtlLeaveCriticalSection` `RtlLogStackBackTrace` `RtlMultiByteToUnicodeN` `RtlNtStatusToDosError` `RtlNtStatusToDosErrorNoTeb` `RtlOpenCurrentUser` `RtlQueryEnvironmentVariable_U` `RtlQueryInformationActivationContext` `RtlQueryInformationActiveActivationContext` `RtlReleasePebLock` `RtlReleaseResource` `RtlSetCriticalSectionSpinCount` `RtlSetDaclSecurityDescriptor` `RtlTimeToSecondsSince1980` `RtlUnicodeStringToAnsiString` `RtlUnicodeToMultiByteN` `RtlUpcaseUnicodeChar` `RtlValidAcl` `RtlValidateUnicodeString` `RtlValidSid` `wcschr` `wcscpy` `wcslen` `wcsncat` `wcsncmp` `wcsncpy` `wcsrchr` `ZwAllocateVirtualMemory` `ZwClose` `ZwConnectPort` `ZwCreateEvent` `ZwDeviceIoControlFile` `ZwDuplicateObject` `ZwMapViewOfSection` `ZwOpenEvent` `ZwOpenFile` `ZwOpenKey` `ZwOpenProcessTokenEx` `ZwOpenSection` `ZwOpenThreadTokenEx` `ZwQueryDefaultLocale` `ZwQueryInformationProcess` `ZwQueryInformationToken` `ZwQuerySystemInformation` `ZwQuerySystemTime` `ZwQueryValueKey` `ZwRequestWaitReplyPort` `ZwSetEvent` `ZwWaitForSingleObject`
USER32.DLL	`CallNextHookEx` `DefDlgProcA` `DefWindowProcA` `GetClassLongW` `GetDC` `GetDlgItem` `GetPropW` `GetWindow` `GetWindowLongW` `GetWindowThreadProcessId` `IsServerSideWindow` `IsWindow` `IsWindowInDestroy` `LoadBitmapW` `OffsetRect` `ReleaseDC` `SendMessageW` `SetPropW` `SetWindowPos`

0x4040d1-0x404750

31541

DLL

Function/s

ntdll.dll

KiFastSystemCall
KiFastSystemCallRet
memmove
RtlAcquirePebLock
RtlAllocateHeap
RtlAnsiStringToUnicodeString
RtlCompareMemory
RtlCompareMemoryUlong
RtlDetermineDosPathNameType_U
RtlDosPathNameToNtPathName_U
RtlEnterCriticalSection
RtlEqualUnicodeString
RtlFillMemoryUlong
RtlFreeHeap
RtlGetNtGlobalFlags
RtlInitAnsiString
RtlInitializeCriticalSectionAndSpinCount
RtlInitUnicodeString
RtlInitUnicodeStringEx
RtlLeaveCriticalSection
RtlLogStackBackTrace
RtlMultiByteToUnicodeN
RtlReleasePebLock
wcslen
ZwAllocateVirtualMemory
ZwClose
ZwCreateFile
ZwQueryInformationFile
ZwQueryVolumeInformationFile
ZwReadFile
ZwSetInformationFile

KERNEL32.DLL

CloseHandle
CreateFileA
CreateFileW
GetFileType
InitializeCriticalSectionAndSpinCount
ReadFile
SetFilePointer

Static PE information

General information

Overlay size	No overlay
Target machine	Intel 386 or later processors and compatible processors
Compilation timestamp	2005-08-02 02:24:12
Entry point	0x1660

Imports

KERNEL32.DLL

DLL	Function/s
KERNEL32.DLL	`CloseHandle` `ContinueDebugEvent` `CreateProcessA` `FlushInstructionCache` `GetCommandLineA` `GetProcAddress` `GetSystemInfo` `GetThreadContext` `GlobalAlloc` `GlobalFree` `GlobalReAlloc` `LoadLibraryA` `OpenThread` `ReadProcessMemory` `SetThreadContext` `VirtualAllocEx` `VirtualProtectEx` `WaitForDebugEvent` `WriteProcessMemory`

Exports

None. Without exports.

PE resources

Resource #1

Type	Size	Name
data	744	RT_ICON

SHA256	d31b412c311316d09c182d07e938a09befeb2679583a55d557943e68c26757dc
SHA1	7d527c83faa8abd5297668f7972c9ea675ffa217
MD5	6cc0fde45af1c9ccb49561847fac8622
ssdeep	6:clk8bIz/llt/ixe8//8xd/is/Gl/vfzn/K8uQFMJdVOzr:Uki2jt/Ee8sxWSfJXc
sdhash	sdbf:03:0::744:sha1:256:5:7ff:160:1:8:AAAAAAAAAAAAAAAAAAAAAAAAAAAEAAiAAAAAAAFAAAQAAAAAAAAAAgAAAAQAAAAABAAAAAAAAAAAAAAAAAAAAAAAIgAAAALAQAEAAAAAAAAAAAAAAAAAAAAAAgABARAAAAAAAAAAIBAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAIAAAAAAAACAAAAAAAAAAAAAAAAAAAAAFAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAACAAAQAAAAABABAAQAAgAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAA==

Resource #2

Type	Size	Name
MS Windows icon resource - 1 icon	20	RT_GROUP_ICON

SHA256	a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf
SHA1	a022d5c1cfdd8aace0089f3e72f2eedd41bda464
MD5	42cf62b780813706e75fb9f2b2e8c258
ssdeep	3:wX/sn:9n
sdhash	Not applicable

Resource #3

Type	Size	Name
data	1140	RT_BITMAP

SHA256	87bb1ef8b874b6beff9b72a885cd900ab2d3ed097c7bda0c9a673179199ccf23
SHA1	13af8ada9efca2473ac826acaebd5041e6a91069
MD5	15b385e41ecad9f24a8271cc126dc900
ssdeep	12:KsuNXdaY0xX8Dc9Bu54894T9Ru6Wo1Rtl7uxhnw11X/aCpvTwflwtC9n:puNaYc944894T9I6bv74y9p8qt0n
sdhash	sdbf:03:0::1140:sha1:256:5:7ff:160:1:17:AAAAAAAQCAAAAACAAAAAAQAAAABIAAEABEAAAABQAAkBAAAAAAAAEAAAAAAAAAAAQAAAAAAAAAIIEIACAACAAAQAIAAAAQAAQAACAAAAQAAAAAIAgACAAAAAIQAAAIAAAAAAAAACAAAAAAAACAAAAAAAAASCAAAAAAgAAAAAAAAAgAAgAAAAAABAAAAAAAAACAAAgIAAAQAAAIAAAAAAAIIABIEAAAAQAAAAAAAAAIAQAABAABIAEAAAAAgAIAAAAAAABAABAAAAAAAAAACAAAAAAAAAAAYAIABAAAQAQAwBIAAAIgAYAAAAgAAAAAAAAIAAAQAAAAAAAAIAACAAAA==

Resource #4

Type	Size	Name
data	264	RT_DIALOG

SHA256	1c04daad9c4274c47dc3e8420d1977c9c174760ad076266a30df117fb82a6797
SHA1	3c5e3f06f82ed13f8803ff8168683ff48c88dc1f
MD5	3dfbad02f20537dfb06833a7c2341590
ssdeep	3:axHQXtlzlegWflD8Z/XPlU0rSlizAqknrll/lU0jdlC0L6n2ZllZ/aXlG141JlAI:aUkTND840GLqSxk0zCH2ZD4dAOMkdh
sdhash	Not applicable

Resource #5

Type	Size	Name
data	308	RT_CURSOR

SHA256	6e6953e04665db73b4b9cd7bde438efb1cce408829ccb21d6303b37a611b9458
SHA1	453df630842b2da5d27d9e372c7235f24aeeddeb
MD5	3d75e6cf6962b7f79b89bea9a4257e59
ssdeep	3:Nl/t+lklel/e/illvtEMlt/l2vllUl7N9/Nt/tllRRejqYaeWaWuxaADRaACaARG:sls623yPoqudncW8KF
sdhash	Not applicable

Resource #6

Type	Size	Name
Fasttracker II module sound data Title: "dorak \032FastTracker v2.00 \004\001\024\001"	22115	MUSIC

SHA256	4e58e41f94980d37370dcbcaf939e680db7371b9c30ec6f32591cf7f9fa65a93
SHA1	2816717b9478bad44e86d00476d1628e60cf64b5
MD5	a3248fc1ba6ee74c3e4f1474dd0631a4
ssdeep	384:VQdh747k3vwqwKlRxVo2egi0qZC6A/5sxOouDwNEvp:Odh747k3vwqwKlRxVobY6AxCG
sdhash	sdbf:03:0::22115:sha1:256:5:7ff:160:2:122:Iy+wMBEhiiASdNcgJsCgxSJ3xAzSUbWKREZRgLQg6AAA2wJAONcmipERyEQGwyEABSARBHxTKlwoUgIQQCCVI6wcKtKQB8CZAAoqCaCgRRiPA0VoBAEXagBIBjQBBJEVAiYk+BQAlQmOAFwEJJCaTA9mAbPkwjjBIuSCQRQAgBFQzIVBB2giTMIYFUEBGQQAWcGZAAACIyEAAsoQ64oOAJE0EzNwhRSSHAAAIwSgQO7TJtBBWKS7ESAVWCoIIAmMIphtkA9AAIsYThD9aAyEGDAQEwQwmiaAp0w2DJkBgBGaFmiGGBBmwDNsUwQQEsCwAJQTiMAyLqKRiijsRFEvAgBQE9IF4YAIMGAOCAAACmgCQoEgoCEAFARgwRCSqChiYkQAiExQwCPVlARUBoGBbSEgGChYQKBNgEIAIADAkHIKEGEgIAgEWOEAQFEgMLgQCCYQBwESAhQAAAMQAQByDEAmiInAoQAAqA6oLESBNA0gJSuwY2AsAEBBAAoEQgSUFMAFERpwMABiCDChMSAZCSFhi4ADATRABMLATCiANIg2fDawWIYHEDCWAkgIAAXEAQQDRQC1g9PgsRggSwgAlOQEIIKJCaIJCAWjZGAgFJoQMBoMQCgAChpjhTAMRAAAIpEQhEAyQqCQJNkIXDBkkQQlUAHZJBKIAKAJ1IgDoxI=

Resource #7

Type	Size	Name
Lotus 1-2-3	20	RT_GROUP_CURSOR

SHA256	c53efa8085835ba129c1909beaff8a67b45f50837707f22dfff0f24d8cd26710
SHA1	e8217df98038141ab4e449cb979b1c3bbea12da3
MD5	a2baa01ccdea3190e4998a54dbc202a4
ssdeep	3:GlFlslw3:GlfslO
sdhash	Not applicable

PE sections

Section #1: .text

Name	Type	Entropy	Raw address	Raw size	Virtual address	Virtual size	Flags
.text	Code	6.17616	0x1f3e	8192	0x1000	7998	0x20000000, 0x40, 0x7fffffff, 0x80, 0x20, 0x40000000

SHA256	af7eb3a30599c31941d7fd90e3aae1305aeb026b5c751e59f6f2a012ce383e93
SHA1	c838cbbfbd2354991c32bda77e6fb291086d76f2
MD5	7eb97577b36f3b0fc66380182c6cb541
ssdeep	192:SklPPRpuUv06QJ1Hp/APRJEkhvch75CK:hPRDvKHtkhECK
sdhash	sdbf:03:0::8192:sha1:256:5:7ff:160:1:123:gA8DZ0oaGXwEJABBo1AKiAAgBo2SKIIBiCSFSYIBMkqAyEOIWBgKgAASBBUjfAEbIBIQRQAdA2BgMQBQAMCcpKwDkoBLIQjAAOs8CMkGhMCBFCMIGAChUiAQgAiYqAhgCUOkZYBbgIAjgAAmABICBAFISAQJwZ1AghAAY0RgyiUArGSQATYEJUSMElOCHKUEHM4EBotNDBkA2GwIikAEJCIMAQgCooBYSwSJYABQEBYAgRg0BeiCcAiQIghQAKA+ICjkEApykxHAQChAKAEADYBLEhZQEDIAQAUgAITgMIBBEDKYiIRAQwAkABToCACgAAkAMkAE2EbAUDgERAQC2Q==

Section #2: .rdata

Name	Type	Entropy	Raw address	Raw size	Virtual address	Virtual size	Flags
.rdata	Data	3.20759	0x23e	1024	0x3000	574	0x20000000, 0x40, 0x7fffffff, 0x80, 0x20, 0x40000000

SHA256	d0e9966e67751d5527e997618877c3fb54ac6075a7ab70f1668e0d942d14bd0b
SHA1	feb997d189e0a3c29a39edff5972e5cfe10da6f2
MD5	0793676f7e7fa1358f0e989bb6414db0
ssdeep	12:1r+IUDUr+IUDw39bZ9jeuNERC8SwnFHapqLKGpMujN5:IluNZ9euERvS2HapqWvO5
sdhash	sdbf:03:0::1024:sha1:256:5:7ff:160:1:7:AAAAAAAAAAAAABAAAAABAAAAAAAAQAAQAAAAIAAAAAAAAAAAAACAAAAAAAAAAAAAAABAAiAAAAAAAAQAAABAAAAAAAAABAAAAAAAAAAQAAAAAAAAAAEAAAAEAAAAACAAAAACAACAAAAAAAAAAAAAAAAAAwAAAAAAAAIgAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAABAAAIAAAAAAAAAACAAAAAgAAIAAAAAAAAAAAAAgAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAARAAAAAAAAA==

Section #3: .data

Name	Type	Entropy	Raw address	Raw size	Virtual address	Virtual size	Flags
.data	Data	0.348411	0x41c	512	0x4000	1052	0x20000000, 0x40, 0x7fffffff, 0x80, 0x20, 0x40000000

SHA256	754f28cd5e1333b56597e28202410b742637741bfbfa707accc7029561911a11
SHA1	6a3301333437846fafb59967aa131cc1a5bd42fe
MD5	67207b3ee5126f77b5220e4ade15c3f4
ssdeep	3:PXlll/GJsvtPut:/lPv8t
sdhash	sdbf:03:0::512:sha1:256:5:7ff:160:1:1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

Section #4: .reloc

Name	Type	Entropy	Raw address	Raw size	Virtual address	Virtual size	Flags
.reloc	Data	0.0	0x3e2	1024	0x5000	994	0x20000000, 0x40, 0x7fffffff, 0x80, 0x20, 0x2000000, 0x40000000

SHA256	5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
SHA1	60cacbf3d72e1e7834203da608037b1bf83b40e8
MD5	0f343b0931126a20f133d67c2b018a3b
ssdeep	3::
sdhash	sdbf:03:0::1024:sha1:256:5:7ff:160:1:0:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

Section #5: t_sec

Name	Type	Entropy	Raw address	Raw size	Virtual address	Virtual size	Flags
t_sec	Data	5.4583	0x1f000	25600	0x6000	126976	0x20000000, 0x40, 0x7fffffff, 0x80, 0x20, 0x40000000

SHA256	f8f3875b7b5e47fef27cab7bd0e9f2935e3a7c9d477d0e3ae10b3fe6604b0462
SHA1	9e307afa887fd9bba0846d29b8483bf588c24c5e
MD5	52f0b6f6fa53125c5ce30cf511c84e68
ssdeep	384:R0RUTjsYXBQNlEtfsemoKBMTJg4NkmrDs6U:jVBQnSf4BMNRy0
sdhash	sdbf:03:0::25600:sha1:256:5:7ff:160:2:145:A7BqRiACLi0KYFCAJIoARAkoECpIhCt4IAEyVQOkACCjrABNYKWGJsA0aQIMGBCkSKF0QWyLNciA8aBEkGddh2LDgUCgCyQCFTAFGEMIRhpBCCVr4nUNMASPCUkmQYkRBWgYVxYTBlSjnrGxkEItw1hipAYoQqASoARmDTZOHTcKmoEFBRGW0hB8AooEAryaGABCAwgkkUDolBShBoIYADVMYUhQJWAAKUACbxfAITIQFCIiSAgBAqJIJEFXJGSkaABIQoiIJDMjkRgOQOmOAI2gyZTJxAVxAepIJlAEgBMKBxJAYCEJgMgDRSgBCIYIkxKg1AYG/YIRWQlCGwHgqqQEgAClM4CMAAMBhUIEIAaAWAUYVKAAAqmwqpAJHVgIbgiQCGDCCIEIoEEwKahHIBswQhvQgMPgAAAguCBYABHAIwQADQJOKG0gwgDAAWWeBBCFohBMxVTnCQxVwqMWGQ4QgSCyCGYpsEWzgItOGGRBNdMrxCCQi7gzwICnBURDCNiIkUAnEErGtVChAI6IATCAA19BUKQAKZAOkDaUQFABIGiNAUhDAJoEAkAIaliVwRFAKCDPHBxEACAcjIsCygbgABaVkBDgM5QoUMAskFDFEQ2UjGgkQRETL0E4oKCFPiPCAeKwVgRYsYAsQA0GhCCkEgAEgXAIRcDBoQBCiQA=

Section #6: e_sec

Name	Type	Entropy	Raw address	Raw size	Virtual address	Virtual size	Flags
e_sec	Data	4.11236	0x12000	72704	0x25000	73728	0x20000000, 0x40, 0x7fffffff, 0x80, 0x20, 0x40000000

SHA256	91c2f2d807cd7e3aae48b70370cea238ccd71de17eeed9bc5d7c7331e8d486f9
SHA1	cfa149ba0f3c03adbe0f7804db1663cda9c4225b
MD5	60d1de167a69f8a276363931dfe99f0a
ssdeep	384:mQdh747k3vwqwKlRxVo2egi0qZC6A/5sxOouDwNEvOy6F60Jw:1dh747k3vwqwKlRxVobY6AxCdy6F6
sdhash	sdbf:03:0::72704:sha1:256:5:7ff:160:4:61:Iy+wMBEhiiAQVFMgJsCghSJnxAzQUbWKREbQgLQg6AAA2wBAONcmgpERyEQGQyEABSARBDxTKl0oUgMQQCBVI64cKtKQB8KZAA4qCaCgQRiPA8VoBAEXagBIBjQBBJEVAiYk+BQAlQmOAFwEIJGaRAoGAbPkwjnlJuSCQRQEgBFQzoVBB2giTOIYBEEBHQQA2cG5AAACIyEAAsoQ64oOAJE0EzNwhTSSHAAAIwSgAOrTJtBBWqS7ESAVWDoKIAmMIphtkA9AAI8YThDdbAyACDAQAwQwmiaAp0y2DJEAiBOaHmiGGBBmwDNsUwQQAsCwAJATCOAyLqKximjsRFEvAgBQE9IH4YoIcmCOSQCACmgCUoMgqiUBFQRgwRiS+ChrYkQCmGxQyDvVlBR0BqGBbWEgGCtcQKBP4PIEIgDA0HKOUGEgMggEWOGAYFEgMPwQCC4SR4ESglQIACcQAQDyDEAmmInAoRHAqA64LEyBNA01ZSu042AsEFBJIAoEQgSUFMFFEdpwMiBiSDGhMSAZKSlji4ADBbVwBMLITDjENIi2fDayWIYHEDCWQkgICEXEQQQDRQK3g9PgsRnoSwgBlOQEI4aJCaIZKIejbGAgFJoQsFoMQCgCChpjhTAsRWAIKvEQnGA2WqCwJN0IXDBkkQQnUIHZJBKYAKAL1IwHoxKDBBSMAGJgiTIwAVCgmUwVBLFTTBBGAYCdP0EESSe4Ah6NoyKArKgABUACoQTAT4TANkwRAHKbIpDM8gkALbohdejQ8gCrqbwxxxvEAEAYLbIQiRcGDCYNiYkAAJiCYQ8o4GZJFAABpJEMcFyMQwIIiALAYCihGjBESIBeEqSMmBYU5CiyRAwhkABGQAKQIgIrJkhiJ5ZDJAJCwYEhboBAKxwTBAbMoURghedmWEHGMAHmAwCGc2WkQYwiHBASKUGLAAghQ3AM8OEF6ImQgVAMYAdjhJgCwEpKNArbqCvaA27BNAgAd6TYLnkHBYhA8hjZkFACGAAI0AumhLAiC1LAAAAAAEFQCICAAADAAAQAAQAACAFMAgmQlEIQAEFXAA2BEBEAIAAQEgBAIISCAAAJRAAAAQACAIIIHIECAiCAACQAIhAAQQLAUIECIQEAUAABAAIggACAAAAgIwCjIZAAQEAAARACM5AAIAQACIQIBRIACASKAgAAAAkgAAAAAAAAgQAoAkAACBBAAEABACAASqRYgKMDE4AAKIAAAAAkAoIgBIEBCEEQBAHCAAADhICQIABAAhIEEAkAAAggIQABqAAIBAADIAAQCghAABjBBAQAEggAAAYAIBJQAAwAQhwBYJCBIgAdAJwQgBAIAIBAAIAgAwAAAIABFAYAACFgAA==

Virus Total scans

File: 400598f3cec6d03d4b8e5bd23003c0eea18c258d1c03eade9eced77bdaf0f14d

Scan date: 2016-03-04 07:56:32

Antivirus	Result	Update
Ad-Aware	Gen:Variant.Barys.8703	20160304
AegisLab	Goodware	20160304
Agnitum	Backdoor.Ciadoor!QS3zBxgI1k4	20160303
AhnLab-V3	Win-Trojan/Ciadoor.192000	20160303
Alibaba	Goodware	20160304
ALYac	Gen:Variant.Barys.8703	20160304
Antiy-AVL	Trojan[Backdoor]/Win32.Ciadoor	20160304
Arcabit	Trojan.Barys.D21FF	20160304
Avast	Win32:Trojan-gen	20160304
AVG	BackDoor.Generic15.CNAM	20160304
Avira	TR/Dropper.Gen	20160304
AVware	Backdoor.Ciadoor	20160304
Baidu-International	Backdoor.Win32.Ciadoor.cga	20160303
BitDefender	Gen:Variant.Barys.8703	20160304
Bkav	Goodware	20160303
ByteHero	Goodware	20160304
CAT-QuickHeal	Goodware	20160304
ClamAV	Goodware	20160304
CMC	Backdoor.Win32.Ciadoor!O	20160303
Comodo	UnclassifiedMalware	20160304
Cyren	W32/Backdoor.CELZ-2548	20160304
DrWeb	BackDoor.Bifrost.49	20160304
Emsisoft	Gen:Variant.Barys.8703 (B)	20160229
ESET-NOD32	Goodware	20160304
F-Prot	W32/Backdoor2.CSQI	20160304
F-Secure	Gen:Variant.Barys.8703	20160304
Fortinet	W32/Ciadoor.CGA!tr.bdr	20160304
GData	Gen:Variant.Barys.8703	20160304
Ikarus	Backdoor.Win32.Ciadoor	20160304
Jiangmin	Goodware	20160304
K7AntiVirus	Riskware ( 0040eff71 )	20160303
K7GW	Riskware ( 0040eff71 )	20160304
Kaspersky	Backdoor.Win32.Ciadoor.cga	20160304
Malwarebytes	Goodware	20160304
McAfee	Artemis!1E7D7C48399D	20160304
McAfee-GW-Edition	BehavesLike.Win32.Worm.cm	20160304
Microsoft	Trojan:Win32/Malagent!gmb	20160304
MicroWorld-eScan	Gen:Variant.Barys.8703	20160304
NANO-Antivirus	Trojan.Win32.Bifrost.wesor	20160304
nProtect	Backdoor/W32.Ciadoor.110080.B	20160303
Panda	Trj/CI.A	20160303
Qihoo-360	HEUR/Malware.QVM19.Gen	20160304
Rising	PE:Backdoor.Win32.CiaDoor.a!100038176 [F]	20160302
Sophos	Troj/Ciadoor-DP	20160304
SUPERAntiSpyware	Goodware	20160304
Symantec	W32.Rontokbro@mm	20160303
Tencent	Win32.Backdoor.Ciadoor.Eaxx	20160304
TheHacker	Goodware	20160302
TotalDefense	Goodware	20160303
TrendMicro	PAK_Generic.001	20160304
TrendMicro-HouseCall	PAK_Generic.001	20160304
VBA32	Backdoor.Ciadoor.13	20160303
VIPRE	Backdoor.Ciadoor	20160304
ViRobot	Backdoor.Win32.Ciadoor.205312[h]	20160304
Zillya	Goodware	20160303
Zoner	Goodware	20160304

Comments

We haven't comments for this file.