
Windows Analysis Report
SunloginClient.exe

Overview

General Information

Sample name: SunloginClient.exe
Analysis ID: 1476028
MD5: 499cd2d1127b41e3169c9c4e57f0dc42
SHA1: c1b11001725acbc886c52fa41a42f5719cbb2f49
SHA256: 9df2767ba3bb32dcd0abf293a97d2054c64840b38ef8dd4472092079e3799f0a

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

  • System is w10x64_ra
  • SunloginClient.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\SunloginClient.exe" MD5: 499CD2D1127B41E3169C9C4E57F0DC42)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: SunloginClient.exe | Static PE information: certificate valid
Source: SunloginClient.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SunloginClient.exe | Static PE information: Number of sections : 11 > 10
Source: classification engine | Classification label: clean1.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SunloginClient.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SunloginClient.exe | File created: c:\windows\temp\crash.log
Source: SunloginClient.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SunloginClient.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SunloginClient.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SunloginClient.exe | Section loaded: hid.dll
Source: C:\Users\user\Desktop\SunloginClient.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SunloginClient.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SunloginClient.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SunloginClient.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SunloginClient.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\SunloginClient.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SunloginClient.exe | Section loaded: kernel.appcore.dll
Source: SunloginClient.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SunloginClient.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: SunloginClient.exe | Static file information: File size 20115824 > 1048576
Source: SunloginClient.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xcf0200
Source: SunloginClient.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x4c0a00
Source: SunloginClient.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: SunloginClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SunloginClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SunloginClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SunloginClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SunloginClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SunloginClient.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SunloginClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SunloginClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SunloginClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SunloginClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SunloginClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: SunloginClient.exe | Static PE information: section name: .rodata
Source: SunloginClient.exe | Static PE information: section name: _RDATA
Source: SunloginClient.exe | Static PE information: section name: .custom
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Tactic | Technique | Matched signatures
Reconnaissance | Gather Victim Identity Information |
Resource Development | Acquire Infrastructure |
Initial Access | Valid Accounts |
Execution | Windows Management Instrumentation |
Persistence | DLL Side-Loading | 1
Privilege Escalation | DLL Side-Loading | 1
Defense Evasion | DLL Side-Loading | 1
Credential Access | OS Credential Dumping |
Discovery | System Information Discovery | 1
Lateral Movement | Remote Services |
Collection | Data from Local System |
Command and Control | Data Obfuscation |
Exfiltration | Exfiltration Over Other Network Medium |
Impact | Abuse Accessibility Features |

Source | Detection | Scanner | Label | Link
SunloginClient.exe | 4% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP info
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1476028
Start date and time: 2024-07-18 16:14:51 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: SunloginClient.exe
Detection: CLEAN
Classification: clean1.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: SunloginClient.exe
No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.79190756771004
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SunloginClient.exe
File size: 20'115'824 bytes
MD5: 499cd2d1127b41e3169c9c4e57f0dc42
SHA1: c1b11001725acbc886c52fa41a42f5719cbb2f49
SHA256: 9df2767ba3bb32dcd0abf293a97d2054c64840b38ef8dd4472092079e3799f0a
SHA512: e553a4e5e65577f781f0be338cab28f2567694c393bd594c1272e878c715340c2af22dcb563dbf3a2d42cfa0f5ea7f84ded0887100934920cdd2755503a26e20
SSDEEP: 196608:7NTBGKbeIJ4/qymfzqEsdxcNq93pPFHQAqiTrHRncxx:htTN5Ps/93p9wfifHJc
TLSH: A517AE0AB26104E9D5ABC038C966D617E770382D43F15BFB6691A6E52F33BD07E3A701
File Content Preview: MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$...........]...]...].....$.}.....&.......'.....zRT.\.......^....4..V...f...C...f.......f...w...T.].\...T.V.[...8..._...........]......
Icon Hash: 51cc5c7864c34c21
Entrypoint: 0x1405deaf0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x64E87CC8 [Fri Aug 25 10:04:56 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: f9f00adb1c807d7b4833189f5762e3e2
Signature Valid: true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 03/04/2023 20:00:00
Not After: 04/04/2026 19:59:59
Subject Chain
  • CN=, O=, S=, C=CN, SERIALNUMBER=91310110787862412B, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=, OID.1.3.6.1.4.1.311.60.2.1.3=CN
Version: 3
Thumbprint MD5: 4B9D41932E6196B184C8FD17165354C7
Thumbprint SHA-1: CD22D7228E666132008B90BB8D2D143BFD36D4EF
Thumbprint SHA-256: 658F857CE4799274304A975548F10D98F6D693AE108F4ED738317CAE7FDF7583
Serial: 04A5A133E7FEDB53C8F16687CFBC4EDB
Instruction
dec eax
sub esp, 28h
call 00007FF38D711720h
dec eax
add esp, 28h
jmp 00007FF38D710F77h
int3
int3
jmp 00007FF38D710CECh
int3
int3
int3
jmp 00007FF38D710E60h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007FF38D71110Ah
inc cx
and edx, 8D4DF000h
wait
add al, dh
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [ C ] VS2015 UPD3.1 build 24215
  • [IMP] VS2008 SP1 build 30729
  • [RES] VS2015 UPD3 build 24213
  • [LNK] VS2015 UPD3.1 build 24215
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11ae8c0 | 0x1b8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1acc000 | 0xaff70 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1a52000 | 0x621e4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x132a600 | 0x4b70 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1b7c000 | 0x13a60 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1102770 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1102848 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11027b0 | 0x94 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xcf2000 | 0x1310 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xcf01ee | 0xcf0200 | 603d292a4842b98493dbbe2e52dfc28e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xcf2000 | 0x4c0886 | 0x4c0a00 | e32db781a038b0128ddf827de6a05d82 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x11b3000 | 0x89ef08 | 0x3f400 | cd25198a671520d1fd3f9d1103d80e6f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1a52000 | 0x621e4 | 0x62200 | 5ecc5c6cbc9f36c06b01ec3b9f089382 | False | 0.49471785429936305 | data | 6.783199069621397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rodata | 0x1ab5000 | 0x8580 | 0x8600 | 568077383c969fb0256735e2349555d3 | False | 0.13803055037313433 | data | 5.401526848490211 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids | 0x1abe000 | 0x8b0 | 0xa00 | be2326f7c6b568f7c40c676b4eecff68 | False | 0.344921875 | data | 3.719074619841043 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x1abf000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x1ac0000 | 0xaf30 | 0xb000 | 899591eece7e353f0c786a6a6268abe2 | False | 0.6888760653409091 | data | 7.080757285303249 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.custom | 0x1acb000 | 0x198 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1acc000 | 0xaff70 | 0xb0000 | 6832e6b4674a7c09c114b3fa198821be | False | 0.8743924227627841 | data | 7.855334555768831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1b7c000 | 0x13a60 | 0x13c00 | aa33e45b355ede2fdabae78ff7db1bab | False | 0.23358386075949367 | data | 5.482800662643748 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AGENTDWM | 0x1b00738 | 0x22415 | zlib compressed data | Chinese | China | 0.9999144744813233
DDAPRIVSP | 0x1b22b50 | 0x2faf4 | zlib compressed data | Chinese | China | 0.9980339552315223
DDAPRIVSP | 0x1b52648 | 0x29467 | zlib compressed data | Chinese | China | 0.999757486854013
RT_ICON | 0x1acc840 | 0x462d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0008906206512664
RT_ICON | 0x1ad0e70 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | Chinese | China | 0.4121951219512195
RT_ICON | 0x1ad14d8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Chinese | China | 0.5
RT_ICON | 0x1ad17c0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | Chinese | China | 0.5348360655737705
RT_ICON | 0x1ad19a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Chinese | China | 0.5574324324324325
RT_ICON | 0x1ad1ad0 | 0x7a3d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9963570127504554
RT_ICON | 0x1ad9510 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Chinese | China | 0.427771855010661
RT_ICON | 0x1ada3b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Chinese | China | 0.4305054151624549
RT_ICON | 0x1adac60 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Chinese | China | 0.42914746543778803
RT_ICON | 0x1adb328 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Chinese | China | 0.36127167630057805
RT_ICON | 0x1adb890 | 0xbf1e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0004292196378204
RT_ICON | 0x1ae77b0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | Chinese | China | 0.19138175795575535
RT_ICON | 0x1af7fd8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Chinese | China | 0.18865139348134152
RT_ICON | 0x1afc200 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.21732365145228216
RT_ICON | 0x1afe7a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.26360225140712945
RT_ICON | 0x1aff850 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Chinese | China | 0.33852459016393444
RT_ICON | 0x1b001d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.46808510638297873
RT_GROUP_ICON | 0x1b00640 | 0xf4 | data | Chinese | China | 0.5983606557377049
RT_VERSION | 0x1acc520 | 0x320 | data | Chinese | China | 0.47625
RT_MANIFEST | 0x1b7bab0 | 0x4ba | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1150), with CRLF line terminators | English | United States | 0.46859504132231405
DLL | Import
CRYPT32.dll | CertOpenStore, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CertGetNameStringW, CertFindCertificateInStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertFreeCertificateContext, CryptMsgClose, CertGetCertificateContextProperty
WINMM.dll | timeGetTime
WINSPOOL.DRV | EnumPrintProcessorsW, ClosePrinter, AddPrinterA, DeletePrinter, EnumPrinterDriversW, OpenPrinterA, GetPrintProcessorDirectoryA
SETUPAPI.dll | SetupDiGetDeviceInterfaceDetailA, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW, SetupDiGetDeviceInterfaceDetailW, CM_Get_Device_Interface_ListW, SetupDiEnumDeviceInfo, SetupDiEnumDeviceInterfaces, SetupDiDestroyDeviceInfoList, SetupDiSetClassInstallParamsW, SetupDiChangeState, CM_Get_Device_Interface_List_SizeW
HID.DLL | HidD_FreePreparsedData, HidD_GetAttributes, HidP_GetCaps, HidD_GetPreparsedData, HidD_GetHidGuid
KERNEL32.dll | VirtualFree, VirtualAlloc, VirtualAllocEx, FlushInstructionCache, CreateRemoteThread, lstrcpyA, GetSystemTime, GetTempFileNameA, ProcessIdToSessionId, GetLocalTime, DeviceIoControl, CreateFileA, GetSystemDirectoryW, TerminateThread, GlobalSize, GetSystemTimes, CompareFileTime, GetDiskFreeSpaceExW, FreeResource, VirtualQuery, GlobalAddAtomW, WaitForSingleObjectEx, GetConsoleMode, WriteConsoleW, GetProcessAffinityMask, GetThreadPriority, ReadConsoleA, GetEnvironmentVariableW, GlobalMemoryStatus, ConvertThreadToFiber, ConvertFiberToThread, CreateFiber, DeleteFiber, SwitchToFiber, SwitchToThread, CreateWaitableTimerW, SetWaitableTimer, HeapQueryInformation, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, IsValidCodePage, FindNextFileA, FindFirstFileExA, SetEndOfFile, SetStdHandle, GetCurrentDirectoryW, ReadConsoleW, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, VirtualProtect, ExitProcess, SetConsoleCtrlHandler, GetTimeZoneInformation, SetFilePointerEx, GetConsoleCP, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, SetConsoleMode, CreateDirectoryW, GetFileAttributesExW, GetFileType, GetDriveTypeW, LoadLibraryExW, RtlUnwindEx, RtlPcToFileHeader, SetConsoleTextAttribute, GetConsoleScreenBufferInfo, CreateSemaphoreA, CreateEventA, LoadLibraryExA, InterlockedPushEntrySList, InterlockedPopEntrySList, OutputDebugStringW, InitializeSListHead, GetStartupInfoW, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCPInfo, EncodePointer, GetStringTypeW, DisconnectNamedPipe, PeekNamedPipe, CreateNamedPipeA, SetUnhandledExceptionFilter, RtlCaptureContext, GetLogicalDriveStringsW, GetVolumeInformationW, OpenMutexW, CreateMutexW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetUserDefaultLangID, FileTimeToDosDateTime, GetFileTime, GetSystemDirectoryA, QueryPerformanceCounter, QueryPerformanceFrequency, WriteProcessMemory, GetProcessId, VerSetConditionMask, VerifyVersionInfoW, MoveFileExW, GetExitCodeThread, OpenEventW, GetNativeSystemInfo, SetProcessShutdownParameters, GetCommandLineW, SetPriorityClass, GetModuleHandleA, GetProcAddress, GetTickCount, HeapFree, EnterCriticalSection, ReleaseSemaphore, WaitForMultipleObjects, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, HeapSize, CreateEventW, GetLastError, SetEvent, HeapReAlloc, CloseHandle, RaiseException, ResetEvent, HeapAlloc, DecodePointer, HeapDestroy, DeleteCriticalSection, GetProcessHeap, CreateSemaphoreW, CreateDirectoryA, GetTempPathW, SetLastError, GetExitCodeProcess, LocalAlloc, WritePrivateProfileStringA, WritePrivateProfileStringW, TryEnterCriticalSection, ConnectNamedPipe, GlobalUnlock, MapViewOfFile, CreateFileMappingW, IsBadReadPtr, WideCharToMultiByte, CopyFileW, GetModuleHandleW, CreateProcessW, GetCurrentProcessId, LocalFree, GlobalLock, FindResourceW, LoadResource, FindResourceExW, GetSystemInfo, GlobalFree, Process32FirstW, DeleteFileW, GlobalAlloc, LockResource, GetCurrentThread, Process32NextW, GetTempPathA, CreateToolhelp32Snapshot, GetCommandLineA, GetVersion, UnmapViewOfFile, OpenFileMappingW, GetFileAttributesW, CreateFileW, FindNextFileW, FindClose, GetModuleFileNameW, TerminateProcess, GetFileSizeEx, FindFirstFileW, SizeofResource, GetModuleFileNameA, ReadFile, ReleaseMutex, CreateMutexA, LoadLibraryA, SystemTimeToFileTime, GetVersionExW, GetCurrentProcess, GetFullPathNameW, GetSystemTimeAsFileTime, TlsFree, TlsGetValue, CreateThread, TlsAlloc, Sleep, ResumeThread, SetThreadPriority, TlsSetValue, MultiByteToWideChar, IsDebuggerPresent, FreeLibrary, LoadLibraryW, GetCurrentThreadId, OutputDebugStringA, WriteFile, GetStdHandle
USER32.dll | DrawTextW, GetSysColor, GetIconInfo, GetProcessWindowStation, EnumDisplayDevicesA, GetMonitorInfoA, EnumDisplaySettingsA, UnregisterClassW, GetMonitorInfoW, EnumDisplayMonitors, GetDesktopWindow, SetRectEmpty, EnumDisplayDevicesW, InvalidateRect, SetRect, IntersectRect, IsRectEmpty, WindowFromPoint, GetGUIThreadInfo, SwapMouseButton, GetParent, OpenDesktopW, EnumWindows, BlockInput, GetDoubleClickTime, ClientToScreen, RegisterClassW, VkKeyScanW, SetActiveWindow, OffsetRect, ReleaseDC, SetForegroundWindow, SystemParametersInfoW, SetClipboardData, GetWindowDC, GetClipboardData, GetForegroundWindow, AttachThreadInput, EmptyClipboard, CloseClipboard, OpenClipboard, RegisterDeviceNotificationW, IsWindow, ShowWindow, GetKeyboardState, IsWindowVisible, PostMessageW, GetWindowThreadProcessId, GetWindowLongW, GetDC, MessageBoxW, SetWindowLongW, SetLayeredWindowAttributes, PeekMessageW, SetTimer, DispatchMessageW, GetWindowLongPtrW, MsgWaitForMultipleObjects, SendMessageW, SetWindowLongPtrW, SetWindowPos, DestroyWindow, GetWindowRect, FindWindowExW, DefWindowProcW, GetCursorPos, SendInput, LockWorkStation, GetSystemMetrics, MapVirtualKeyW, DrawIcon, GetClientRect, SetPropW, RemovePropW, GetPropW, DrawIconEx, SendMessageTimeoutW, SetClipboardViewer, GetClipboardOwner, GetKeyState, OpenInputDesktop, CloseDesktop, GetThreadDesktop, SetThreadDesktop, GetUserObjectInformationA, SetCursorPos, PtInRect, KillTimer, GetDialogBaseUnits, DialogBoxIndirectParamW, EndDialog, RegisterClipboardFormatA, GetPriorityClipboardFormat, EnumDisplaySettingsW, ChangeDisplaySettingsExA, EnumDisplaySettingsExA, ExitWindowsEx, EnumDisplaySettingsExW, ChangeDisplaySettingsExW, GetUserObjectInformationW, LoadCursorW, GetClipCursor, GetCursorInfo, UnregisterDeviceNotification, GetClassInfoExW, GetClassInfoW, CloseWindow, GetUpdateRgn, PostThreadMessageW, TranslateMessage, RegisterClassExW, CreateWindowExW, CallWindowProcW, GetMessageW, RegisterWindowMessageW, PostQuitMessage, GetRawInputDeviceInfoA, SetWindowsHookExW, RegisterRawInputDevices, UnhookWindowsHookEx, GetRawInputData, CallNextHookEx, GetOpenClipboardWindow, ChangeClipboardChain, RegisterClipboardFormatW
GDI32.dll | MoveToEx, GetDIBits, CreateFontW, LineTo, CreatePen, Rectangle, Ellipse, CreateRectRgn, GetRegionData, BitBlt, StretchBlt, CreateRectRgnIndirect, SelectClipRgn, CombineRgn, GetRgnBox, SetDIBColorTable, GdiFlush, SetDIBitsToDevice, GetBitmapBits, ExtEscape, GetDIBColorTable, CreateDCW, GetPixel, CreateDIBSection, GetStockObject, SetTextColor, SetBkMode, GetObjectW, CreateFontIndirectW, DeleteObject, CreateSolidBrush, GetDeviceCaps, SelectObject, CreateCompatibleDC, DeleteDC
ADVAPI32.dll | OpenProcessToken, MakeAbsoluteSD, MakeSelfRelativeSD, GetSecurityDescriptorLength, GetLengthSid, InitializeAcl, InitializeSecurityDescriptor, FreeSid, CryptEnumProvidersW, CryptSignHashW, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, ReportEventW, RegisterEventSourceW, DeregisterEventSource, RegEnumKeyExW, CryptAcquireContextA, RegQueryInfoKeyW, CryptGenRandom, RegCreateKeyW, EnumServicesStatusW, SetSecurityInfo, BuildTrusteeWithSidW, GetSecurityInfo, QueryServiceStatus, UnlockServiceDatabase, CloseServiceHandle, OpenSCManagerW, LockServiceDatabase, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, QueryServiceStatusEx, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, CryptAcquireContextW, SetTokenInformation, SetEntriesInAclW, CreateWellKnownSid, RegCreateKeyExW, CryptCreateHash, RegSetValueExW, CryptDestroyHash, CheckTokenMembership, RegOpenKeyExW, CreateProcessAsUserW, RegDeleteValueW, GetUserNameW, DuplicateTokenEx, RegQueryValueExW, CryptReleaseContext, GetSecurityDescriptorSacl, SetSecurityDescriptorDacl, GetSecurityDescriptorDacl, GetAclInformation, AllocateAndInitializeSid, GetSecurityDescriptorGroup, GetSecurityDescriptorControl, CopySid, GetSecurityDescriptorOwner, IsValidSid, AddAce
SHELL32.dll | SHGetSpecialFolderPathW, SHGetFileInfoW, DragQueryPoint, DragQueryFileW, SHCreateDirectoryExA, SHGetFolderPathW, ShellExecuteExW, CommandLineToArgvW
ole32.dll | OleSetClipboard, OleUninitialize, DoDragDrop, ReleaseStgMedium, RegisterDragDrop, OleInitialize, CoInitializeSecurity, StringFromGUID2, CoSetProxyBlanket, CoCreateInstance, CoInitializeEx, CoUninitialize, CoInitialize, CoTaskMemFree, CoTaskMemRealloc, CreateStreamOnHGlobal, CoTaskMemAlloc
OLEAUT32.dll | VariantClear, SysAllocString, SysAllocStringLen, SysFreeString, VariantInit
SHLWAPI.dll | PathFileExistsA, PathFileExistsW, PathRemoveFileSpecW, PathRemoveFileSpecA, StrStrIA, PathStripPathW, PathFindExtensionW, SHCreateStreamOnFileW
USERENV.dll | CreateEnvironmentBlock
WS2_32.dll | gethostbyname, WSAGetLastError, setsockopt, ioctlsocket, sendto, getsockopt, recv, recvfrom, connect, socket, send, getsockname, shutdown, WSASetLastError, inet_addr, gethostbyaddr, getservbyport, ntohs, inet_ntoa, getservbyname, htonl, htons, __WSAFDIsSet, select, gethostname, WSACleanup, WSAStartup, accept, bind, closesocket, listen, getpeername
WTSAPI32.dll | WTSFreeMemory, WTSQuerySessionInformationW
IPHLPAPI.DLL | GetAdaptersInfo, GetIpForwardTable
gdiplus.dll | GdipFree, GdipAlloc, GdipCloneImage, GdipGetImageHeight, GdiplusStartup, GdiplusShutdown, GdipDrawImageI, GdipDeleteGraphics, GdipGetImageWidth, GdipDisposeImage, GdipCreateBitmapFromScan0, GdipGetImagePalette, GdipGetImageGraphicsContext, GdipBitmapLockBits, GdipGetImagePixelFormat, GdipCreateBitmapFromStream, GdipBitmapUnlockBits, GdipGetImagePaletteSize
MSIMG32.dll | TransparentBlt, AlphaBlend
dbghelp.dll | SymCleanup, SymGetModuleBase64, SymGetModuleInfo64, SymGetLineFromAddr64, SymFunctionTableAccess64, SymInitialize, StackWalk64, SymGetSymFromAddr64
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
Language of compilation system | Country where language is spoken | Map
Chinese | China |
English | United States |