Description
Idetification
|
packed
|
unpacked
|
MD5
|
d281c0a66c24d46b2412f5c80c77711a
|
a5a5ed26f73d974ade21f9a215a124d5
|
SHA1
|
805794a0260a2d9d64ed26e86e4cc4263da7a048
|
5a12fd9c34c6ee239aeafd2141d71cec84bac8cf
|
SHA256
|
018bb573ce4414e3db8078dc3b942c08d60ad9be5731adbdd2d43d548f187026
|
859082e7f389991bfabb050b37f3c398a67f6d92b950026fa7e65e6d7d05c9d6
|
ssdeep
|
768:CyYATzZ1dN7Vy/DHLCe5uehwKyA0eF5PmWLrgPtQrzC6dCj+cR0+JruK+RhT6u:CXixmTjuv9m1mWLcPtQ5K+cR0auK+b
|
1536:CyMDtXdmkiZyIidcORB4VJazcRf7Q7S+0vhCCUeDk3urI:1MD5dmkQyIVOHm7h7tGF8I
|
imphash
|
e9589c23987a4ed41385f34bc7051ea1
|
bc3e8ebed1995e5267a5199146b9eddb
|
File size
|
47.4 KB ( 48540 bytes )
|
80.9 KB ( 82844 bytes )
|
File type
|
Win32 EXE
|
Win32 EXE
|
Magic literal
|
PE32 executable for MS Windows (GUI) Intel 80386 32-bit
|
PE32 executable for MS Windows (GUI) Intel 80386 32-bit
|
Antivirus detection
Antivirus
|
Result (packed)
|
Result (unpacked)
|
Update
|
Ad-Aware
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
20140221
|
Agnitum
|
Trojan.PWS.OnLineGames!x3W9GkIuZjc
|
Trojan.PWS.OnLineGames!x3W9GkIuZjc
|
20140221
|
AhnLab-V3
|
Trojan/Win32.Genome
|
Trojan/Win32.WOW
|
20140221
|
AntiVir
|
TR/Kazy.39008.8
|
TR/Kazy.39008.8
|
20140221
|
Antiy-AVL
|
Trojan[GameThief]/Win32.WOW
|
Trojan[GameThief]/Win32.WOW
|
20140219
|
Avast
|
Win32:Spyware-gen [Spy]
|
Win32:Spyware-gen [Spy]
|
20140221
|
AVG
|
Win32/Cryptor.dropper
|
PSW.OnlineGames
|
20140221
|
Baidu-International
|
Trojan.Win32.OnLineGames.Asia
|
|
20140221
|
BitDefender
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
20140221
|
Bkav
|
W32.Clod2d2.Trojan.ba92
|
|
20140221
|
ByteHero
|
|
|
20140221
|
CAT-QuickHeal
|
TrojanPWS.OnLineGame.LP5
|
TrojanPWS.OnLineGame.LP5
|
20140221
|
ClamAV
|
|
W32.Trojan.Onlinegames-19
|
20140221
|
CMC
|
Trojan.Win32.GenK!O
|
Trojan.Win32.GenK!O
|
20140220
|
Commtouch
|
W32/Zuten.B.gen!Eldorado
|
W32/Zuten.B.gen!Eldorado
|
20140221
|
Comodo
|
|
TrojWare.Win32.Downloader.Agent.KAC
|
20140221
|
DrWeb
|
Trojan.MulDrop4.17429
|
Trojan.MulDrop4.17429
|
20140221
|
Emsisoft
|
Dropped:Trojan.PWS.OnlineGames.KEDO (B)
|
Dropped:Trojan.PWS.OnlineGames.KEDO (B)
|
20140221
|
ESET-NOD32
|
a variant of Win32/PSW.OnLineGames.QNW
|
a variant of Win32/PSW.OnLineGames.PXO
|
20140221
|
Fortinet
|
W32/Onlinegames.QNW!tr
|
W32/Onlinegames.QNW!tr
|
20140221
|
F-Prot
|
W32/Zuten.B.gen!Eldorado
|
W32/Zuten.B.gen!Eldorado
|
20140221
|
F-Secure
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
20140221
|
GData
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
20140221
|
Ikarus
|
Virus.Win32.Cryptor
|
Trojan-PWS.Win32.Kykymber
|
20140221
|
Jiangmin
|
TrojanDropper.Agent.ccaz
|
TrojanDropper.Agent.ccaz
|
20140221
|
K7AntiVirus
|
Password-Stealer ( 0040f0db1 )
|
Password-Stealer ( 0040f0db1 )
|
20140221
|
K7GW
|
Riskware ( 0040f0f51 )
|
Password-Stealer ( 0040f0db1 )
|
20140220
|
Kaspersky
|
Trojan-GameThief.Win32.WOW.sukt
|
Trojan-GameThief.Win32.WOW.sukt
|
20140221
|
Kingsoft
|
Win32.PSWTroj.WOW.su.(kcloud)
|
|
20140221
|
Malwarebytes
|
Trojan.Agent
|
|
20140221
|
McAfee
|
Artemis!D281C0A66C24
|
PWS-OnlineGames.lx
|
20140221
|
McAfee-GW-Edition
|
Artemis!D281C0A66C24
|
PWS-OnlineGames.lw
|
20140221
|
Microsoft
|
PWS:Win32/OnLineGames.LP
|
PWS:Win32/OnLineGames.LP
|
20140221
|
MicroWorld-eScan
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
20140221
|
NANO-Antivirus
|
Trojan.Win32.Siggen.bobzsj
|
Trojan.Win32.Siggen.bobzsj
|
20140221
|
Norman
|
Troj_Generic.ERTZM
|
Troj_Generic.ERTZM
|
20140221
|
nProtect
|
Trojan-PWS/W32.WebGame.48540.D
|
Dropped:Trojan.PWS.OnlineGames.KEDO
|
20140221
|
Panda
|
Adware/SecurityProtection
|
Trj/Genetic.gen
|
20140221
|
Qihoo-360
|
|
|
20140220
|
Rising
|
PE:Trojan.Win32.Generic.14505F82!340811650
|
PE:Stealer.Zuten!1.64CA
|
20140221
|
Sophos
|
Mal/PWS-AL
|
Mal/GamerPWS-G
|
20140221
|
SUPERAntiSpyware
|
Trojan.Agent/Gen-FakeAV[LZI]
|
|
20140221
|
Symantec
|
Infostealer
|
|
20140221
|
TheHacker
|
Posible_Worm32
|
|
20140220
|
TotalDefense
|
Win32/Gamepass.QEP!generic
|
Win32/Gamepass.QEP!generic
|
20140221
|
TrendMicro-HouseCall
|
TSPY_ONLINEG.NUR
|
TSPY_ONLINEG.NUR
|
20140221
|
TrendMicro
|
TROJ_GEN.R3OCCEM
|
TROJ_GEN.R3OCCEM
|
20140221
|
VBA32
|
TrojanPSW.OnLineGames2
|
Heur.Trojan.Hlux
|
20140221
|
VIPRE
|
Trojan-PWS.Win32.OnLineGames.lpk (v)
|
Trojan-PWS.Win32.OnLineGames.lpk (v)
|
20140221
|
ViRobot
|
Trojan.Win32.A.PSW-Wow.48540.B
|
|
20140221
|
Defensive capabilities
Packer
The malware is packed with UPX.
$ ./upx -d /data/tmp/1.exe -o /data/tmp/1-unpacked.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.09 Markus Oberhumer, Laszlo Molnar & John Reiser Feb 18th 2013
File size Ratio Format Name
-------------------- ------ ----------- -----------
82844 <- 48540 58.59% win32/pe 1-unpacked.exe
Unpacked 1 file.
Dynamic Analysis
Network indicators
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Files
Embedded PE
ResourceHacker and pescanner confirm the presence of 3 executable resources in the executable:
$ ./pescanner.py /data/tmp/1-unpacked.exe
[SNIP]
Signature scans
================================================================================
YARA: embedded_exe
0x4e => This program cannot be run in DOS mode
0x175e => This program cannot be run in DOS mode
0x4f5e => This program cannot be run in DOS mode
0x775e => This program cannot be run in DOS mode
Resource entries
================================================================================
Name RVA Size Lang Sublang Type
--------------------------------------------------------------------------------
TLS 0x20b110 0xc800 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
TLS 0x205110 0x3800 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
TLS 0x208910 0x2800 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
RT_MANIFEST 0x217910 0x292 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED XML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
[SNIP]
whhfd028.ocx
The following file is created:
File name
|
whhfd028.ocx
|
Path
|
C:\WINDOWS\system32\whhfd028.ocx
|
MD5
|
90eb3aa19541b367388fd5f79ae5d36c
|
SHA1
|
7b80f7ea7a2dfe4baf43d1940e6f5f29af544427
|
SHA256
|
9a3ad8dbda43a10f7856a0c22a8bdeab6d20cc5f81f72b08a182ae794c2b21da
|
ssdeep
|
192:VvRzbkHGhz07lOgHs71Dbkkm6EsjJ5ihHbr:FRz8Ghz09Y1D3rhm
|
File size
|
14.0 KB ( 14336 bytes )
|
File type
|
Win32 DLL
|
Magic literal
|
PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
|
00178B47ce.dll
MD5
|
f1f49fb85ab029ad86c02ebecb892b12
|
SHA1
|
664a602f8e843218c1158571714cd0adee1da939
|
SHA256
|
f8f3abcf8d43377b49d1edce23a667c9efd9cde86e9afee228e8c3b093013f13
|
ssdeep
|
192:cjbjEyfon/ZtXNfKpF+vXXxbI/86uyvdo:H+on/ZLIsfhbIl
|
imphash
|
2ae87a1a4975ba37b3c2dc836fea332d
|
File size
|
10.0 KB ( 10240 bytes )
|
File type
|
Win32 DLL
|
Magic literal
|
PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
|
Registry keys
Following keys are created:
HKLM\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804
|
Ime File
|
WHHFD028.OCX
|
Layout Text
|
US
|
Layout File
|
kbdus.dll
|
HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804
|
Ime File
|
WHHFD028.OCX
|
Layout Text
|
US
|
Layout File
|
kbdus.dll
|
Static Analysis
Sections (unpacked version)
Name VirtAddr VirtSize RawSize Entropy
--------------------------------------------------------------------------------
.text 0x1000 0x9e0 0xa00 5.971897
.bss 0x2000 0x2005f0 0x0 0.000000
.data 0x203000 0x514 0x600 4.316239
.CRT 0x204000 0x4 0x200 0.061163
.rsrc 0x205000 0x12ba8 0x12c00 6.332730
Strings (unpacked version)
[email protected]
5h0`
5p0`
>SSj
_^[]
h<1`
FGKJ
_^[]
FGKJ
_^[]
QQS3
WSSj
5$0`
=l0`
PWVS
VhX$`
5`0`
X_^[
PRRh
[email protected]
5x0`
jfPS
jgPS
jiPS
hx1`
hl1`
hP1`
X_^[
.ocx
whh27018
SeDebugPrivilege
kernel32
IsWow64Process
ConsentPromptBehaviorAdmin
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
\system32\
CSOL
%s "%s" pfjaoidjglkajd %s
%s "%s" m3
%s "%s" pfjieaoidjglkajd
%08Xce.dll
whh98%s.ocx
whhfd%s.ocx
CloseHandle
ReadFile
CreateFileA
GetTickCount
WriteFile
FindClose
FindFirstFileA
GetWindowsDirectoryA
SetFilePointer
SetFileTime
GetFileTime
GetFileSize
GetModuleFileNameA
GetModuleHandleA
FreeResource
LoadResource
SizeofResource
FindResourceA
GetProcAddress
GetCurrentProcess
CreateProcessA
ExitProcess
KERNEL32.DLL
wsprintfA
USER32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
sprintf
strchr
strlen
memcpy
MSVCRT.dll
WSOCK32.dll
!This program cannot be run in DOS mode.
Rich=
.text
`.bss
.data
.rsrc
@.reloc
[email protected]
SVWj
X_^[
YYWS
[email protected]~>
t<~:
[email protected]
h4A
[email protected]
[email protected]
h<A
[email protected]
[email protected]
[email protected]
SVW3
hHA
VWj>Y3
[email protected]
[email protected]
hXA
H_^t
hXA
PhpA
[email protected]
%|@
%[email protected]
% @
.ocx
IME File
%s%s
System\CurrentControlSet\Control\Keyboard Layouts\
Keyboard Layout\Preload
whhfd*
%02x*
win39%08x.dll
MSGO
Chinese( PRC )
SeDebugPrivilege
\system32\
CloseHandle
CopyFileA
GetTickCount
FindClose
FindNextFileA
FindFirstFileA
GetWindowsDirectoryA
GetProcAddress
LoadLibraryA
LocalAlloc
lstrcpyA
lstrcatA
TerminateProcess
GetCurrentProcess
GetModuleFileNameA
MultiByteToWideChar
GetTempPathA
KERNEL32.dll
ActivateKeyboardLayout
SystemParametersInfoA
GetKeyboardLayoutList
GetKeyboardLayout
RegisterClassExA
LoadCursorA
UnregisterClassA
MessageBoxA
USER32.dll
RegSetValueExA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
SHELL32.dll
sprintf
memset
strcpy
strlen
strrchr
strcat
strchr
MSVCRT.dll
ImmIsIME
IMM32.dll
IMEHost.dll
CandWndProc
CompWndProc
IMEClearPubString
IMESetPubString
ImeConversionList
ImeEnumRegisterWord
ImeInquire
ImeRegisterWord
ImeUnregisterWord
StatusWndProc
UIWndProc
pfjieaoidjglkajd
ImeConfigure
ImeDestroy
ImeEscape
ImeGetRegisterWordStyle
ImeProcessKey
ImeSelect
ImeSetActiveContext
ImeSetCompositionString
ImeToAsciiEx
NotifyIME
1)101C1u1
1#2T2r2
2h3o3
4&4T4a4
8%838
8e:q:x:
0^0i0
0v2|2
!This program cannot be run in DOS mode.
Rich
.bss
.data
.reloc
.ocx
SeDebugPrivilege
WSPStartup
%02x*
win%08x.dll
[email protected]
5$
SVWj/3
[email protected]!
[email protected]
SVWj
h !
[email protected]
h,!
SVW3
=\
h4!
Hu8V
=D
%t
%x
%|
%l
%d
%`
CloseHandle
CopyFileA
GetTickCount
FindClose
FindNextFileA
FindFirstFileA
GetWindowsDirectoryA
GetModuleFileNameA
LoadLibraryA
MultiByteToWideChar
GetProcAddress
GetLastError
GlobalAlloc
GlobalFree
LoadLibraryW
ExpandEnvironmentStringsW
GetModuleFileNameW
KERNEL32.dll
wsprintfW
USER32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
SHELL32.dll
sprintf
memset
strcpy
_except_handler3
strchr
swprintf
memcmp
wcscpy
memcpy
strcat
strstr
MSVCRT.dll
WSCWriteProviderOrder
WSCInstallProvider
WSCEnumProtocols
WSCGetProviderPath
WS2_32.dll
UuidCreate
RPCRT4.dll
LSP.dll
WSPStartup
D1H1Z1
2=2M2\2
6P7v7
7<8M8V8]8
9&9A9~9 :
;D<i<o<y<
<,=2=B=H=N=T=
!This program cannot be run in DOS mode.
Rich
.bss
.data
.CRT
.vmp0
`.reloc
SeDebugPrivilege
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
%02X
CSOL
%s_%d.jpg
WinInet
POST
HttpSendRequestEx
other
Type
Option
action=getRate
%02X%02X%02X%02X%02X%02X
CSOL_%s.tmp
%s%s
\\.\
ServiceName
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
cstrike-online.exe
hw.dll
nmconew.dll
jahCSOL27018_rel_regamle_%08d_
Counter-Strike Online
Value001
QQVh
t?Ht*Ht
:MZu
WVVV
=40
t$$VV
}"j(V
t$ j
t$$VV
580
SVWh
5<0
H_H^
u8!E
QQSVW3
Xf9E
HH_^][
FGKJ
_^[]
QQS3
WSSj
5t0
=p0
PWVS
<1&u
1|A;
t[BS
QZ^&
jxY+
WQhD:
FYYj
[email protected]
=4
[email protected]
VPPPhSU
WSSj
SQVPW
SVWj
D$ hKk
[email protected]/f!
SVWj?3
Phd
h<:
@_^[
VVVVh
t$Vh
QSV3
VVVVV
tOWVh
t.9u
SVWj?3
5<0
SSSSh
jPXSSj
tgSh
=4
=4
_u.9]
=
=
Yv;V
=T1
Y~!V
[email protected]
5T1
=4
Y_^[
[email protected]
j PSh
h ;
Yu&;
t'Ht
Hu7h
5d0
Yt>8
=X
PPPh
SVW3
u+WP
SVWj
h(
[email protected]
Ph$;
[email protected]
5T1
SVW3
QQSVW3
Vh4;
95P
F;5P
=\
5<0
=\
=\
=<
D$$P
%D
=<
D$$P
%L
[email protected]
h\;
[email protected]
hh;
[email protected]
hh;
[email protected]
5t1
ht;
hl;
[email protected];
[email protected];
hd
Shd
VWj?
hd
h,!
Vh|!
%|#
5D"
VVVhv}
PPPhc}
5D"
5d0
VWhH<
=,<
[email protected]<
h <
=L<
_^t-Ht"Ht
8MZu
FF9]
X_^[
s<[email protected]
vTSP
QQS3
tXVWSP
SPVW
SVW
=(0
etAS
X_^[
YYt
[u&3
5x1
5d0
SWj>3
=(0
Yt&S
Yt&S
[email protected]
[email protected]
tAj\
%`0
% 1
%$1
%(1
%,1
%X1
AddVectoredExceptionHandler
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
Thread32Next
CloseHandle
SetThreadContext
GetThreadContext
OpenThread
GetCurrentProcessId
Thread32First
CreateToolhelp32Snapshot
VirtualProtect
GetProcessHeap
HeapAlloc
Process32Next
Process32First
GetFileSize
CreateFileA
GetModuleFileNameA
LoadLibraryA
GetModuleHandleA
WideCharToMultiByte
MultiByteToWideChar
GetProcAddress
FindClose
FindFirstFileA
OpenProcess
GetTempPathA
GetCurrentProcess
ReleaseMutex
GetLastError
CreateMutexA
Sleep
DeleteFileA
GetLocalTime
ReadFile
SetFilePointer
IsBadReadPtr
VirtualFree
VirtualAlloc
SetThreadPriority
CreateThread
GetTickCount
GetPrivateProfileStringA
ExitProcess
TerminateProcess
WritePrivateProfileStringA
DeviceIoControl
lstrcmpiA
SetUnhandledExceptionFilter
KERNEL32.dll
wsprintfA
GetWindow
PostMessageA
GetClassNameA
GetWindowTextA
GetDesktopWindow
FindWindowA
USER32.dll
GDI32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegEnumKeyExA
ADVAPI32.dll
SHELL32.dll
memset
memcpy
_except_handler3
strcat
strlen
_itoa
_stricmp
free
malloc
strchr
sprintf
strncpy
isspace
isalnum
atoi
strcpy
[email protected]@Z
[email protected]@Z
strstr
sscanf
_vsnprintf
rand
srand
strrchr
_strlwr
MSVCRT.dll
WSOCK32.dll
gdiplus.dll
_strupr
_strcmpi
Stolor.dll
pfjaoidjgfdjkj
pfjaoidjglkajd
t)at
$}ve]
GPh/
l$(Qf
${+`f
h;q:
l$ Yf
D$0R
|$Lf
D$$`
l$$C
WhfhW
T$(P
5Y6q
hz50b
59;
SThZ
ha=g
L$(f
#$A8
l]tV
@\l[
x4[I
/\l1
L!,
c-7X
StQYI
ihA'
i1X&
Xq+
$&~D
\-\.
-}@TW`h>
D$(Jh
#"'!S
DCge
h0A (d
A-L)
0s=wvS
FT! *6
@<;/+
h[;v
}\@jbEL
L]S#
[email protected]
hp*~ d
wSl$
!l[_3>
P8K~DE
6]:O
[email protected])
f!gH:
kFED
D$<J
J->/J
}ZO2
<JRw
qH0z
_,N60H"/
UV&{.W
$\l1
],3|
gDc>+
65(Z
NG$M,
HRMm
{XQZLd
#.;(
-83T
NQc+
E#6w2
D*"\l
B|U!
ny/k
"\l0
WV4L
s'N;&
zj?)Q`
D$$J(g
Rn|X
~F$!X=ZS
/835
g x.,p
u~0l
1&CS
uu{K
4u82
) Ai
\l|w
o7sY
wrYP
I8V`{C
UG~-
D$<J
D$<5
AuU \
C8Kwr
A?8nRx
XrG6
a50V$W
2]Dw
\l}C'
Qyal
I|-V
>xYP
wvT"n
H%eLK?
D$ Jh
eamXS
x.l
(GG>
582|Y1M
5q9p
|<v<-
[email protected]
]lcd
Ta9ox
hJ(5
H}-l}
0}|.
54vy,
Cw``
`ZZ8rc
+c9P
7TY!
\Z4C
$j(8
u3|6
NI>Y6
[email protected]@
`k%2
D$ J
D$$7A
[email protected]
e%P9
|,["
Q8)O\$
:-l>9
x&$
>|*@
.' Z
Ut]M
axa$
4?fA
^maXX
"IBE
61v.
$J(5
M}uT}
D$ J
@ueK
[email protected]
k=COyz
D$$}
a]vq
*N<9P
-X<B
x1R<
l>lbh
yp[s
Ls$0
)a14#
L9K?z
[email protected]^D
#xZ0
AIIj32
9QY0Y
Cdb/K
[email protected]
yKbe
XNKW$
qXNOs$
&F&_!0X
8NGw$
yPzA
qhNFS$2
,odF
(NKf$
P{fd
S?YO
!J{vA
[email protected]
Upfl
J^v+
;hugH
]/dQ
NC_$
[{fY
GE]Y,
s| ]6.n
OM!l
%?Lm}~
[email protected]
Dw>h
R}fC
=%=9=H=^=k=v=
>.>3>9>
>g?p?
0d0k0
102=2D2s2
2&353;3E3J3W3d3v3
334?4c4
6M6m7
7\8t8
535y5
9~9-:4:;:z:
?!?(?I?b?
L0b0v0
0$1[1o1
[email protected]
4%4,4[4t4{4
5E5k5w5
616]6
8,92:E:P:W:\:r:
>V>^>g>m>s>y>
? ?*?[?
2&3:3a3p3x3
5$5E5O5\5
5f6q6}6
747?7F7
8/848:8a8
:[:`:f:|:
;1;:;I;
<$<><L<R<]<p<z<
='=9=A=H=V=^=d=y=
>;>B>Q>^>e>y>
?0?E?Z?
0"1k1k2
3)3/3A3R3h3
3#4(4D4W4
4B5H5N5T5c5o5v5
6?6E6S6o6
6c7t7
8?8T8a8
:!:':2:::B:L:V:^:s:z:
;,;4;;;O;T;
<*<J<`<~<
="=(=.=4=:[email protected]=F=L=
6+:7:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0"
processorArchitecture="X86"
name="IsUserAdmin"
type="win32"/>
<description>Description of your application</description>
<!-- Identify the application security requirements. -->
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="highestAvailable"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
IAT (unpacked version)
ADVAPI32
- OpenProcessToken
- AdjustTokenPrivileges
- RegCloseKey
- RegSetValueExA
- RegOpenKeyExA
- LookupPrivilegeValueA
|
KERNEL32
- FindFirstFileA
- GetWindowsDirectoryA
- SetFilePointer
- SetFileTime
- GetFileTime
- GetFileSize
- GetModuleFileNameA
- GetModuleHandleA
- FreeResource
- LoadResource
- SizeofResource
- FindResourceA
- GetProcAddress
- FindClose
- GetCurrentProcess
- CreateProcessA
- ExitProcess
- WriteFile
- GetTickCount
- CreateFileA
- ReadFile
- CloseHandle
|
MSVCRT
- sprintf
- strchr
- strlen
- memcpy
- wsprintfA
|