General

Malware Config

Signatures

Files

• 77b4650847cb0c0389bcbe8feda2807d42d3f59cdd3f2b0b07f8dcc04e904fa4

  .zip
• APT-Hunter-master/APTHunter.pdf

  .pdf

  • https://github.com/apthunting/APT-Hunter

    Analyze

  • https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdfhttps://github.com/mandiant/ShimCacheParserhttp://binaryforay.blogspot.com/2015/05/introducing-appcompatcacheparser.htmlwww.woanware.co.uk/forensics/shimcacheparser.htmlHunting

    Analyze

  • http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.htmlhttps://github.com/williballenthin/python-registry/blob/master/samples/amcache.pyhttp://binaryforay.blogspot.com/2015/07/amcacheparser-reducing-noise-finding.html13AmCache

    Analyze

  • http://journeyintoir.blogspot.in/2013/12/revealing-recentfilecachebcf-file.htmlhttps://github.com/sysforensics/RecentFileCacheParser15RecentFileCache

    Analyze

  • http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.htmlhttp://zachgrace.com/2015/03/23/hunting-sticky-keys-backdoors.htmlhttp://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/17Sticky

    Analyze

  • http://la.trendmicro.com/media/misc/understanding-wmi-malware-research-paper-en.pdfhttps://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdfhttps://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_There%27s_Something_About_WMI.pdfhttps://github.com/PowerShellEmpire/Empire

    Analyze

  • https://github.com/PowerShellMafia/PowerSploit

    Analyze

  • https://www.secureworks.com/blog/wmi-persistence23WMI

    Analyze

  • https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1https://adsecurity.org/?p=55926WDigest

    Analyze

  • https://www.blackhat.com/docs/webcast/09172015-leveraging-proactive-defense-rsa.pdfhttps://github.com/sans-dfir/sift-files/blob/master/scripts/jobparse.pl29Scheduled

    Analyze

  • https://digital-forensics.sans.org/media/poster_2014_find_evil.pdfIntrusion

    Analyze

  • https://github.com/apthunting/APT-HunterHaoWang:

    Analyze
  • Show all
• APT-Hunter-master/APT_Hunter.vbs

  .vbs
• APT-Hunter-master/MD5.txt
• APT-Hunter-master/README.md
• APT-Hunter-master/Tools/AmCacheParser/AmcacheParser.exe

  .exe windows x86

  f34d5f2d4577ed6d9ceec516c1f5a744

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  mscoree

  _CorExeMain

  Sections

  .text

  Size: 451KB - Virtual size: 450KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 174KB - Virtual size: 173KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/AppCompatCacheParser/AppCompatCacheParser.exe

  .exe windows x86

  f34d5f2d4577ed6d9ceec516c1f5a744

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  mscoree

  _CorExeMain

  Sections

  .text

  Size: 498KB - Virtual size: 498KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 99KB - Virtual size: 99KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/HCTOOLS/jobparse.exe

  .exe windows x86

  d500a089a47a57866dfaffcefa42dfc5

  
  

  Headers

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  Imports

  kernel32

  GetModuleFileNameA

  FreeLibrary

  GetProcAddress

  LoadLibraryA

  GetVersionExA

  GetLastError

  GetConsoleTitleA

  SetLastError

  user32

  MessageBoxA

  msvcrt

  _controlfp

  strcat

  strcpy

  strlen

  strstr

  remove

  printf

  malloc

  sscanf

  free

  _errno

  calloc

  strncpy

  exit

  getenv

  memset

  _getpid

  sprintf

  fflush

  _iob

  vsprintf

  memcmp

  atol

  _mkdir

  _rmdir

  _close

  _read

  _lseek

  _open

  _write

  _stat

  _exit

  _XcptFilter

  __p___initenv

  __getmainargs

  _initterm

  __setusermatherr

  _adjust_fdiv

  __p__commode

  __p__fmode

  __set_app_type

  _except_handler3

  Sections

  .text

  Size: 8KB - Virtual size: 4KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 4KB - Virtual size: 2KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 4KB - Virtual size: 656B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 8KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/HCTOOLS/p2x5124.dll

  .dll windows x86

  
  

  Headers

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  Exports

  Exports

  PL_bincompat_options

  PL_check

  PL_fold

  PL_fold_locale

  PL_freq

  PL_keyword_plugin

  PL_memory_wrap

  PL_no_aelem

  PL_no_dir_func

  PL_no_func

  PL_no_helem_sv

  PL_no_localize_ref

  PL_no_mem

  PL_no_modify

  PL_no_myglob

  PL_no_security

  PL_no_sock_func

  PL_no_symref

  PL_no_usym

  PL_no_wrongref

  PL_op_desc

  PL_op_name

  PL_opargs

  PL_perlio_mutex

  PL_ppaddr

  PL_reg_extflags_name

  PL_reg_name

  PL_regkind

  PL_sig_name

  PL_sig_num

  PL_simple

  PL_utf8skip

  PL_uuemap

  PL_varies

  PL_vtbl_amagic

  PL_vtbl_amagicelem

  PL_vtbl_arylen

  PL_vtbl_backref

  PL_vtbl_bm

  PL_vtbl_collxfrm

  PL_vtbl_dbline

  PL_vtbl_defelem

  PL_vtbl_env

  PL_vtbl_envelem

  PL_vtbl_fm

  PL_vtbl_isa

  PL_vtbl_isaelem

  PL_vtbl_mglob

  PL_vtbl_nkeys

  PL_vtbl_pack

  PL_vtbl_packelem

  PL_vtbl_pos

  PL_vtbl_regdata

  PL_vtbl_regdatum

  PL_vtbl_regexp

  PL_vtbl_sig

  PL_vtbl_sigelem

  PL_vtbl_substr

  PL_vtbl_sv

  PL_vtbl_taint

  PL_vtbl_utf8

  PL_vtbl_uvar

  PL_vtbl_vec

  PL_warn_nl

  PL_warn_nosemi

  PL_warn_reserved

  PL_warn_uninit

  PerlIOBase_binmode

  PerlIOBase_clearerr

  PerlIOBase_close

  PerlIOBase_dup

  PerlIOBase_eof

  PerlIOBase_error

  PerlIOBase_fileno

  PerlIOBase_noop_fail

  PerlIOBase_noop_ok

  PerlIOBase_popped

  PerlIOBase_pushed

  PerlIOBase_read

  PerlIOBase_setlinebuf

  PerlIOBase_unread

  PerlIOBuf_bufsiz

  PerlIOBuf_close

  PerlIOBuf_dup

  PerlIOBuf_fill

  PerlIOBuf_flush

  PerlIOBuf_get_base

  PerlIOBuf_get_cnt

  PerlIOBuf_get_ptr

  PerlIOBuf_open

  PerlIOBuf_popped

  PerlIOBuf_pushed

  PerlIOBuf_read

  PerlIOBuf_seek

  PerlIOBuf_set_ptrcnt

  PerlIOBuf_tell

  PerlIOBuf_unread

  PerlIOBuf_write

  PerlIO_allocate

  PerlIO_apply_layera

  PerlIO_apply_layers

  PerlIO_arg_fetch

  PerlIO_binmode

  PerlIO_byte

  PerlIO_canset_cnt

  PerlIO_crlf

  PerlIO_debug

  PerlIO_define_layer

  PerlIO_exportFILE

  PerlIO_fast_gets

  PerlIO_fdopen

  PerlIO_findFILE

  PerlIO_find_layer

  PerlIO_getc

  PerlIO_getname

  PerlIO_getpos

  PerlIO_has_base

  PerlIO_has_cntptr

  PerlIO_importFILE

  PerlIO_init

  PerlIO_isutf8

  PerlIO_layer_fetch

  PerlIO_list_alloc

  PerlIO_list_free

  PerlIO_modestr

  PerlIO_open

  PerlIO_parse_layers

  PerlIO_pending

  PerlIO_perlio

  PerlIO_pop

  PerlIO_printf

  PerlIO_push

  PerlIO_putc

  PerlIO_puts

  PerlIO_raw

  PerlIO_releaseFILE

  PerlIO_reopen

  PerlIO_rewind

  PerlIO_setpos

  PerlIO_sprintf

  PerlIO_stdio

  PerlIO_stdoutf

  PerlIO_sv_dup

  PerlIO_teardown

  PerlIO_tmpfile

  PerlIO_ungetc

  PerlIO_unix

  PerlIO_utf8

  PerlIO_vprintf

  PerlIO_vsprintf

  PerlIO_win32

  Perl_GNo_ptr

  Perl_GYes_ptr

  Perl_Gcheck_ptr

  Perl_Gcsighandlerp_ptr

  Perl_Gcurinterp_ptr

  Perl_Gdo_undump_ptr

  Perl_Gdollarzero_mutex_ptr

  Perl_Gfold_locale_ptr

  Perl_Ghexdigit_ptr

  Perl_Ghints_mutex_ptr

  Perl_Ginterp_size_5_10_0_ptr

  Perl_Ginterp_size_ptr

  Perl_Gkeyword_plugin_ptr

  Perl_Gmy_ctx_mutex_ptr

  Perl_Gmy_cxt_index_ptr

  Perl_Gop_mutex_ptr

  Perl_Gop_seq_ptr

  Perl_Gop_sequence_ptr

  Perl_Gpatleave_ptr

  Perl_Gperlio_debug_fd_ptr

  Perl_Gperlio_fd_refcnt_ptr

  Perl_Gperlio_fd_refcnt_size_ptr

  Perl_Gperlio_mutex_ptr

  Perl_Gppaddr_ptr

  Perl_Grevision_ptr

  Perl_Grunops_dbg_ptr

  Perl_Grunops_std_ptr

  Perl_Gsh_path_ptr

  Perl_Gsig_trapped_ptr

  Perl_Gsigfpe_saved_ptr

  Perl_Gsubversion_ptr

  Perl_Gsv_placeholder_ptr

  Perl_Gthr_key_ptr

  Perl_Guse_safe_putenv_ptr

  Perl_Gv_AMupdate

  Perl_Gversion_ptr

  Perl_Gveto_cleanup_ptr

  Perl_IArgv_ptr

  Perl_ICmd_ptr

  Perl_IDBgv_ptr

  Perl_IDBline_ptr

  Perl_IDBsignal_ptr

  Perl_IDBsingle_ptr

  Perl_IDBsub_ptr

  Perl_IDBtrace_ptr

  Perl_IDir_ptr

  Perl_IEnv_ptr

  Perl_ILIO_ptr

  Perl_IMemParse_ptr

  Perl_IMemShared_ptr

  Perl_IMem_ptr

  Perl_IOpPtr_ptr

  Perl_IOpSlab_ptr

  Perl_IOpSpace_ptr

  Perl_IProc_ptr

  Perl_ISock_ptr

  Perl_IStdIO_ptr

  Perl_ISv_ptr

  Perl_IXpv_ptr

  Perl_Iamagic_generation_ptr

  Perl_Ian_ptr

  Perl_Iargvgv_ptr

  Perl_Iargvout_stack_ptr

  Perl_Iargvoutgv_ptr

  Perl_Ibasetime_ptr

  Perl_Ibeginav_ptr

  Perl_Ibeginav_save_ptr

  Perl_Ibody_arenas_ptr

  Perl_Ibody_roots_ptr

  Perl_Ibodytarget_ptr

  Perl_Ibreakable_sub_gen_ptr

  Perl_Icheckav_ptr

  Perl_Icheckav_save_ptr

  Perl_Ichopset_ptr

  Perl_Iclocktick_ptr

  Perl_Icollation_ix_ptr

  Perl_Icollation_name_ptr

  Perl_Icollation_standard_ptr

  Perl_Icollxfrm_base_ptr

  Perl_Icollxfrm_mult_ptr

  Perl_Icolors_ptr

  Perl_Icolorset_ptr

  Perl_Icompcv_ptr

  Perl_Icompiling_ptr

  Perl_Icomppad_name_fill_ptr

  Perl_Icomppad_name_floor_ptr

  Perl_Icomppad_name_ptr

  Perl_Icomppad_ptr

  Perl_Icop_seqmax_ptr

  Perl_Icurcop_ptr

  Perl_Icurcopdb_ptr

  Perl_Icurpad_ptr

  Perl_Icurpm_ptr

  Perl_Icurstack_ptr

  Perl_Icurstackinfo_ptr

  Perl_Icurstash_ptr

  Perl_Icurstname_ptr

  Perl_Icustom_op_descs_ptr

  Perl_Icustom_op_names_ptr

  Perl_Icv_has_eval_ptr

  Perl_Idbargs_ptr

  Perl_Idebstash_ptr

  Perl_Idebug_pad_ptr

  Perl_Idebug_ptr

  Perl_Idef_layerlist_ptr

  Perl_Idefgv_ptr

  Perl_Idefoutgv_ptr

  Perl_Idefstash_ptr

  Perl_Idelaymagic_ptr

  Perl_Idestroyhook_ptr

  Perl_Idiehook_ptr

  Perl_Idirty_ptr

  Perl_Idoextract_ptr

  Perl_Idoswitches_ptr

  Perl_Idowarn_ptr

  Perl_Idumpindent_ptr

  Perl_Ie_script_ptr

  Perl_Iefloatbuf_ptr

  Perl_Iefloatsize_ptr

  Perl_Iegid_ptr

  Perl_Iencoding_ptr

  Perl_Iendav_ptr

  Perl_Ienvgv_ptr

  Perl_Ierrgv_ptr

  Perl_Ierrors_ptr

  Perl_Ieuid_ptr

  Perl_Ieval_root_ptr

  Perl_Ieval_start_ptr

  Perl_Ievalseq_ptr

  Perl_Iexit_flags_ptr

  Perl_Iexitlist_ptr

  Perl_Iexitlistlen_ptr

  Perl_Ifdpid_ptr

  Perl_Ifilemode_ptr

  Perl_Ifirstgv_ptr

  Perl_Iforkprocess_ptr

  Perl_Iformfeed_ptr

  Perl_Iformtarget_ptr

  Perl_Igensym_ptr

  Perl_Igid_ptr

  Perl_Iglob_index_ptr

  Perl_Iglobalstash_ptr

  Perl_Ihash_seed_ptr

  Perl_Ihintgv_ptr

  Perl_Ihints_ptr

  Perl_Ihv_fetch_ent_mh_ptr

  Perl_Iin_clean_all_ptr

  Perl_Iin_clean_objs_ptr

  Perl_Iin_eval_ptr

  Perl_Iin_load_module_ptr

  Perl_Iincgv_ptr

  Perl_Iinitav_ptr

  Perl_Iinplace_ptr

  Perl_Iisarev_ptr

  Perl_Iknown_layers_ptr

  Perl_Ilast_in_gv_ptr

  Perl_Ilast_swash_hv_ptr

  Perl_Ilast_swash_key_ptr

  Perl_Ilast_swash_klen_ptr

  Perl_Ilast_swash_slen_ptr

  Perl_Ilast_swash_tmps_ptr

  Perl_Ilastfd_ptr

  Perl_Ilastscream_ptr

  Perl_Ilaststatval_ptr

  Perl_Ilaststype_ptr

  Perl_Ilocalizing_ptr

  Perl_Ilocalpatches_ptr

  Perl_Ilockhook_ptr

  Perl_Imain_cv_ptr

  Perl_Imain_root_ptr

  Perl_Imain_start_ptr

  Perl_Imainstack_ptr

  Perl_Imarkstack_max_ptr

  Perl_Imarkstack_ptr

  Perl_Imarkstack_ptr_ptr

  Perl_Imax_intro_pending_ptr

  Perl_Imaxo_ptr

  Perl_Imaxscream_ptr

  Perl_Imaxsysfd_ptr

  Perl_Imess_sv_ptr

  Perl_Imin_intro_pending_ptr

  Perl_Iminus_E_ptr

  Perl_Iminus_F_ptr

  Perl_Iminus_a_ptr

  Perl_Iminus_c_ptr

  Perl_Iminus_l_ptr

  Perl_Iminus_n_ptr

  Perl_Iminus_p_ptr

  Perl_Imodglobal_ptr

  Perl_Imy_cxt_list_ptr

  Perl_Imy_cxt_size_ptr

  Perl_Ina_ptr

  Perl_Inice_chunk_ptr

  Perl_Inice_chunk_size_ptr

  Perl_Inomemok_ptr

  Perl_Inumeric_local_ptr

  Perl_Inumeric_name_ptr

  Perl_Inumeric_radix_sv_ptr

  Perl_Inumeric_standard_ptr

  Perl_Iofsgv_ptr

  Perl_Ioldname_ptr

  Perl_Iop_mask_ptr

  Perl_Iop_ptr

  Perl_Iopfreehook_ptr

  Perl_Iorigalen_ptr

  Perl_Iorigargc_ptr

  Perl_Iorigargv_ptr

  Perl_Iorigenviron_ptr

  Perl_Iorigfilename_ptr

  Perl_Iors_sv_ptr

  Perl_Iosname_ptr

  Perl_Ipad_reset_pending_ptr

  Perl_Ipadix_floor_ptr

  Perl_Ipadix_ptr

  Perl_Iparser_ptr

  Perl_Ipatchlevel_ptr

  Perl_Ipeepp_ptr

  Perl_Iperl_destruct_level_ptr

  Perl_Iperldb_ptr

  Perl_Iperlio_ptr

  Perl_Ipreambleav_ptr

  Perl_Iprofiledata_ptr

  Perl_Ipsig_name_ptr

  Perl_Ipsig_pend_ptr

  Perl_Ipsig_ptr_ptr

  Perl_Iptr_table_ptr

  Perl_Ireentrant_retint_ptr

  Perl_Ireg_state_ptr

  Perl_Iregdummy_ptr

  Perl_Iregex_pad_ptr

  Perl_Iregex_padav_ptr

  Perl_Ireginterp_cnt_ptr

  Perl_Iregistered_mros_ptr

  Perl_Iregmatch_slab_ptr

  Perl_Iregmatch_state_ptr

  Perl_Irehash_seed_ptr

  Perl_Irehash_seed_set_ptr

  Perl_Ireplgv_ptr

  Perl_Irestartop_ptr

  Perl_Irs_ptr

  Perl_Irunops_ptr

  Perl_Isavebegin_ptr

  Perl_Isavestack_ix_ptr

  Perl_Isavestack_max_ptr

  Perl_Isavestack_ptr

  Perl_Isawampersand_ptr

  Perl_Iscopestack_ix_ptr

  Perl_Iscopestack_max_ptr

  Perl_Iscopestack_name_ptr

  Perl_Iscopestack_ptr

  Perl_Iscreamfirst_ptr

  Perl_Iscreamnext_ptr

  Perl_Isecondgv_ptr

  Perl_Isharehook_ptr

  Perl_Isig_pending_ptr

  Perl_Isighandlerp_ptr

  Perl_Isignals_ptr

  Perl_Isort_RealCmp_ptr

  Perl_Isortcop_ptr

  Perl_Isortstash_ptr

  Perl_Isplitstr_ptr

  Perl_Isrand_called_ptr

  Perl_Istack_base_ptr

  Perl_Istack_max_ptr

  Perl_Istack_sp_ptr

  Perl_Istart_env_ptr

  Perl_Istashcache_ptr

  Perl_Istatbuf_ptr

  Perl_Istatcache_ptr

  Perl_Istatgv_ptr

  Perl_Istatname_ptr

  Perl_Istatusvalue_posix_ptr

  Perl_Istatusvalue_ptr

  Perl_Istderrgv_ptr

  Perl_Istdingv_ptr

  Perl_Istrtab_ptr

  Perl_Isub_generation_ptr

  Perl_Isubline_ptr

  Perl_Isubname_ptr

  Perl_Isv_arenaroot_ptr

  Perl_Isv_count_ptr

  Perl_Isv_no_ptr

  Perl_Isv_objcount_ptr

  Perl_Isv_root_ptr

  Perl_Isv_undef_ptr

  Perl_Isv_yes_ptr

  Perl_Isys_intern_ptr

  Perl_Itaint_warn_ptr

  Perl_Itainted_ptr

  Perl_Itainting_ptr

  Perl_Ithreadhook_ptr

  Perl_Itmps_floor_ptr

  Perl_Itmps_ix_ptr

  Perl_Itmps_max_ptr

  Perl_Itmps_stack_ptr

  Perl_Itop_env_ptr

  Perl_Itoptarget_ptr

  Perl_Iuid_ptr

  Perl_Iunicode_ptr

  Perl_Iunitcheckav_ptr

  Perl_Iunitcheckav_save_ptr

  Perl_Iunlockhook_ptr

  Perl_Iunsafe_ptr

  Perl_Iutf8_X_LVT_ptr

  Perl_Iutf8_X_LV_LVT_V_ptr

  Perl_Iutf8_X_LV_ptr

  Perl_Iutf8_X_L_ptr

  Perl_Iutf8_X_T_ptr

  Perl_Iutf8_X_V_ptr

  Perl_Iutf8_X_begin_ptr

  Perl_Iutf8_X_extend_ptr

  Perl_Iutf8_X_non_hangul_ptr

  Perl_Iutf8_X_prepend_ptr

  Perl_Iutf8_alnum_ptr

  Perl_Iutf8_alpha_ptr

  Perl_Iutf8_ascii_ptr

  Perl_Iutf8_cntrl_ptr

  Perl_Iutf8_digit_ptr

  Perl_Iutf8_graph_ptr

  Perl_Iutf8_idcont_ptr

  Perl_Iutf8_idstart_ptr

  Perl_Iutf8_lower_ptr

  Perl_Iutf8_mark_ptr

  Perl_Iutf8_perl_space_ptr

  Perl_Iutf8_perl_word_ptr

  Perl_Iutf8_posix_digit_ptr

  Perl_Iutf8_print_ptr

  Perl_Iutf8_punct_ptr

  Perl_Iutf8_space_ptr

  Perl_Iutf8_tofold_ptr

  Perl_Iutf8_tolower_ptr

  Perl_Iutf8_totitle_ptr

  Perl_Iutf8_toupper_ptr

  Perl_Iutf8_upper_ptr

  Perl_Iutf8_xdigit_ptr

  Perl_Iutf8cache_ptr

  Perl_Iutf8locale_ptr

  Perl_Iwarnhook_ptr

  Perl_PerlIO_clearerr

  Perl_PerlIO_close

  Perl_PerlIO_context_layers

  Perl_PerlIO_eof

  Perl_PerlIO_error

  Perl_PerlIO_fileno

  Perl_PerlIO_fill

  Perl_PerlIO_flush

  Perl_PerlIO_get_base

  Perl_PerlIO_get_bufsiz

  Perl_PerlIO_get_cnt

  Sections

  UPX0

  Size: - Virtual size: 528KB

  IMAGE_SCN_CNT_UNINITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  UPX1

  Size: 375KB - Virtual size: 376KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 41KB - Virtual size: 44KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

• APT-Hunter-master/Tools/HCTOOLS/rfc.exe

  .exe windows x86

  d500a089a47a57866dfaffcefa42dfc5

  
  

  Headers

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  Imports

  kernel32

  GetModuleFileNameA

  FreeLibrary

  GetProcAddress

  LoadLibraryA

  GetVersionExA

  GetLastError

  GetConsoleTitleA

  SetLastError

  user32

  MessageBoxA

  msvcrt

  _controlfp

  strcat

  strcpy

  strlen

  strstr

  remove

  printf

  malloc

  sscanf

  free

  _errno

  calloc

  strncpy

  exit

  getenv

  memset

  _getpid

  sprintf

  fflush

  _iob

  vsprintf

  memcmp

  atol

  _mkdir

  _rmdir

  _close

  _read

  _lseek

  _open

  _write

  _stat

  _exit

  _XcptFilter

  __p___initenv

  __getmainargs

  _initterm

  __setusermatherr

  _adjust_fdiv

  __p__commode

  __p__fmode

  __set_app_type

  _except_handler3

  Sections

  .text

  Size: 8KB - Virtual size: 4KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 4KB - Virtual size: 2KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 4KB - Virtual size: 656B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 8KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/HCTOOLS/source/JumpList.pm
• APT-Hunter-master/Tools/HCTOOLS/source/LNK.pm
• APT-Hunter-master/Tools/HCTOOLS/source/bodyfile.pl
• APT-Hunter-master/Tools/HCTOOLS/source/evtparse.pl
• APT-Hunter-master/Tools/HCTOOLS/source/evtrpt.pl
• APT-Hunter-master/Tools/HCTOOLS/source/evtxparse.pl
• APT-Hunter-master/Tools/HCTOOLS/source/ftkparse.pl
• APT-Hunter-master/Tools/HCTOOLS/source/idx.pl
• APT-Hunter-master/Tools/HCTOOLS/source/jl.pl
• APT-Hunter-master/Tools/HCTOOLS/source/jobparse.pl
• APT-Hunter-master/Tools/HCTOOLS/source/lnk.pl
• APT-Hunter-master/Tools/HCTOOLS/source/mft.pl
• APT-Hunter-master/Tools/HCTOOLS/source/parse.pl
• APT-Hunter-master/Tools/HCTOOLS/source/parseie.pl
• APT-Hunter-master/Tools/HCTOOLS/source/pie.pl
• APT-Hunter-master/Tools/HCTOOLS/source/pref.pl
• APT-Hunter-master/Tools/HCTOOLS/source/pref.pm
• APT-Hunter-master/Tools/HCTOOLS/source/rawie.pl
• APT-Hunter-master/Tools/HCTOOLS/source/recbin.pl
• APT-Hunter-master/Tools/HCTOOLS/source/regtime.pl
• APT-Hunter-master/Tools/HCTOOLS/source/rfc.pl
• APT-Hunter-master/Tools/HCTOOLS/source/tln.pl
• APT-Hunter-master/Tools/HCTOOLS/source/usnj.pl
• APT-Hunter-master/Tools/Rawcopy/RawCopy.exe

  .exe windows x86

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  IMAGE_FILE_32BIT_MACHINE

  Sections

  UPX0

  Size: - Virtual size: 876KB

  IMAGE_SCN_CNT_UNINITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  UPX1

  Size: 343KB - Virtual size: 344KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 359KB - Virtual size: 360KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

• APT-Hunter-master/Tools/Rawcopy/RawCopy64.exe

  .exe windows x64

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  Sections

  UPX0

  Size: - Virtual size: 952KB

  IMAGE_SCN_CNT_UNINITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  UPX1

  Size: 378KB - Virtual size: 380KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 359KB - Virtual size: 360KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

• APT-Hunter-master/Tools/ShimCacheParser/CommandLine.dll

  .dll windows x86

  dae02f32a21e03ce65412f6e56942daa

  
  

  Headers

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  Imports

  mscoree

  _CorDllMain

  Sections

  .text

  Size: 37KB - Virtual size: 37KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1024B - Virtual size: 980B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/ShimCacheParser/CsvHelper.dll

  .dll windows x86

  dae02f32a21e03ce65412f6e56942daa

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  mscoree

  _CorDllMain

  Sections

  .text

  Size: 20KB - Virtual size: 19KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1024B - Virtual size: 968B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/ShimCacheParser/Network.dll

  .dll windows x86

  dae02f32a21e03ce65412f6e56942daa

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  mscoree

  _CorDllMain

  Sections

  .text

  Size: 5KB - Virtual size: 5KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1024B - Virtual size: 928B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/ShimCacheParser/Registry.dll

  .dll windows x86

  dae02f32a21e03ce65412f6e56942daa

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  mscoree

  _CorDllMain

  Sections

  .text

  Size: 23KB - Virtual size: 23KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1024B - Virtual size: 928B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/ShimCacheParser/Utility.dll

  .dll windows x86

  dae02f32a21e03ce65412f6e56942daa

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  mscoree

  _CorDllMain

  Sections

  .text

  Size: 76KB - Virtual size: 76KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1024B - Virtual size: 936B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/ShimCacheParser/shimcacheparser.exe

  .exe windows x86

  f34d5f2d4577ed6d9ceec516c1f5a744

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  mscoree

  _CorExeMain

  Sections

  .text

  Size: 19KB - Virtual size: 18KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1KB - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• APT-Hunter-master/Tools/ShimCacheParser/shimcacheparser.exe.config

  .xml
• APT-Hunter-master/Tools/Tcpvcon.exe

  .exe windows x86

  c510dea76f6096f5cfe2c672a3e799c1

  
  

  Code Sign

  2e:ab:11:dc:50:ff:5c:9d:cb:c0

  Certificate

  Issuer

  CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

  Not Before

  22-08-2007 22:31

  Not After

  25-08-2012 07:00

  Subject

  CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  61:01:cf:3e:00:00:00:00:00:0f

  Certificate

  Issuer

  CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Not Before

  07-12-2009 22:40

  Not After

  07-03-2011 22:40

  Subject

  CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2

  Certificate

  Issuer

  CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

  Not Before

  16-09-2006 01:04

  Not After

  15-09-2019 07:00

  Subject

  CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  61:06:94:2d:00:00:00:00:00:09

  Certificate

  Issuer

  CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Not Before

  25-07-2008 19:02

  Not After

  25-07-2013 19:12

  Subject

  CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:7A82-688A-9F92,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageContentCommitment

  77:31:21:69:14:9d:38:20:cf:41:d8:27:44:1c:7d:97:d4:58:32:b4

  Signer

  Actual PE Digest

  77:31:21:69:14:9d:38:20:cf:41:d8:27:44:1c:7d:97:d4:58:32:b4

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Signature Validations

  Trusted

  false

  Verification

  Signing Certificate

  CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  28-07-2010 22:48

  Valid: false

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  version

  VerQueryValueA

  GetFileVersionInfoA

  GetFileVersionInfoSizeA

  ws2_32

  socket

  closesocket

  gethostbyname

  send

  gethostname

  recv

  ntohl

  htonl

  htons

  ntohs

  getservbyport

  gethostbyaddr

  WSAGetLastError

  connect

  WSAStartup

  iphlpapi

  GetTcpTable

  GetUdpTable

  SetTcpEntry

  comctl32

  CreateToolbarEx

  ord17

  ImageList_ReplaceIcon

  ImageList_Create

  ord6

  psapi

  GetModuleFileNameExA

  kernel32

  CreateEventA

  GetSystemDirectoryA

  DeviceIoControl

  GetModuleFileNameA

  DuplicateHandle

  GetVersion

  GetCurrentProcessId

  DeleteFileA

  GetLocaleInfoA

  InterlockedIncrement

  InterlockedDecrement

  HeapFree

  GlobalLock

  WaitForSingleObject

  SetEvent

  GetTickCount

  GetProcessHeap

  GetNumberFormatA

  FormatMessageA

  GetUserDefaultLangID

  InitializeCriticalSection

  GlobalAlloc

  LeaveCriticalSection

  TerminateProcess

  GlobalUnlock

  EnterCriticalSection

  GlobalReAlloc

  ExpandEnvironmentStringsA

  GetStringTypeW

  GetStringTypeA

  SetStdHandle

  WriteConsoleW

  WriteConsoleA

  InitializeCriticalSectionAndSpinCount

  SetFilePointer

  GetSystemTimeAsFileTime

  QueryPerformanceCounter

  GetEnvironmentStringsW

  FreeEnvironmentStringsW

  GetEnvironmentStrings

  FreeEnvironmentStringsA

  RaiseException

  ReadProcessMemory

  FlushFileBuffers

  GetStartupInfoA

  GetFileType

  SetHandleCount

  GetStdHandle

  ExitProcess

  Sleep

  VirtualAlloc

  DeleteCriticalSection

  VirtualFree

  HeapCreate

  LCMapStringW

  MultiByteToWideChar

  LCMapStringA

  GetCurrentThreadId

  TlsFree

  TlsSetValue

  TlsAlloc

  TlsGetValue

  GetModuleHandleW

  IsValidCodePage

  GetOEMCP

  GetACP

  GetCPInfo

  GetConsoleMode

  GetConsoleCP

  WideCharToMultiByte

  WriteFile

  RtlUnwind

  GetCommandLineA

  HeapReAlloc

  IsDebuggerPresent

  SetUnhandledExceptionFilter

  UnhandledExceptionFilter

  CreateThread

  ResumeThread

  ExitThread

  HeapAlloc

  SetEndOfFile

  ReadFile

  OpenProcess

  LocalFree

  LocalAlloc

  LoadLibraryA

  GetCommandLineW

  CloseHandle

  GetModuleHandleA

  LockResource

  GetProcAddress

  SetLastError

  GetLastError

  SizeofResource

  GetCurrentProcess

  LoadResource

  FindResourceA

  CreateFileA

  HeapSize

  lstrlenA

  GetConsoleOutputCP

  user32

  ScreenToClient

  SetTimer

  CloseClipboard

  DestroyWindow

  GetWindowRect

  PostQuitMessage

  TrackPopupMenu

  IsIconic

  FillRect

  SetCapture

  KillTimer

  IsZoomed

  DrawTextA

  GetSubMenu

  DrawIconEx

  LoadStringA

  GetFocus

  LoadMenuA

  LoadIconA

  InvalidateRgn

  GetClientRect

  CreateMenu

  SetFocus

  GetDC

  ChildWindowFromPoint

  GetMenu

  SetWindowLongA

  InvalidateRect

  GetWindowLongA

  ClientToScreen

  ReleaseDC

  EnableMenuItem

  EmptyClipboard

  DefWindowProcA

  GetSysColor

  SetWindowPos

  GetCursorPos

  ShowWindow

  DrawMenuBar

  PostMessageA

  OpenClipboard

  ReleaseCapture

  GetSystemMetrics

  InsertMenuA

  SetClipboardData

  CallWindowProcA

  SetMenuItemInfoA

  DialogBoxParamA

  DestroyIcon

  SetDlgItemTextA

  CheckMenuItem

  MoveWindow

  MessageBoxA

  SetCursor

  SendMessageA

  InflateRect

  GetDlgItem

  EndDialog

  GetSysColorBrush

  SetWindowTextA

  DialogBoxIndirectParamA

  LoadCursorA

  CreateWindowExA

  GetParent

  gdi32

  StartDocA

  SetMapMode

  GetDeviceCaps

  SetTextColor

  CreateFontIndirectA

  SetBkColor

  SetBkMode

  DeleteObject

  SelectObject

  CreateCompatibleDC

  GetBkColor

  GetTextMetricsA

  GetObjectA

  GetStockObject

  CreateSolidBrush

  EndPage

  StartPage

  EndDoc

  comdlg32

  ChooseFontA

  PrintDlgA

  GetSaveFileNameA

  advapi32

  GetTokenInformation

  RegQueryValueExA

  RegCloseKey

  AdjustTokenPrivileges

  LookupPrivilegeValueA

  RegCreateKeyA

  RegDeleteKeyA

  RegSetValueExA

  OpenProcessToken

  EqualSid

  AllocateAndInitializeSid

  FreeSid

  RegOpenKeyA

  RegOpenKeyExA

  shell32

  ShellExecuteExA

  SHGetFileInfoA

  ShellExecuteA

  oleaut32

  VariantClear

  SysAllocString

  SysFreeString

  Sections

  .text

  Size: 130KB - Virtual size: 129KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 20KB - Virtual size: 19KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 15KB - Virtual size: 26KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 22KB - Virtual size: 22KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ