popup

Report - kak.exe

RAT Gen1 Gen2 Lazarus Family Emotet Trojan_PWS_Stealer Generic Malware Themida Packer UltraVNC Credential User Data Malicious Library UPX Malicious Packer ASPack Admin Tool (Sysinternals etc ...) Anti_VM Antivirus SQLite Cookie AntiDebug Ant
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.11.05 09:23 Machine s1_win7_x6403
Filename kak.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
2
 Behavior Score
25.2
ZERO API file : clean
VT API (file) 45 detected (Chebka, malicious, high confidence, DealAlpha, Unsafe, InstallCore, multiple detections, FileRepMalware, Ljub, Generic PUA KN, Siggen15, TRICKBOT, YXBKDZ, AdwareFileTour, Static AI, Suspicious PE, bkpy, AGEN, ai score=87, kcloud, Phonzy, R446742, Csdimonetize, multiple, detections, susgen)
md5 3b25bb47c77da6404c1b75133ccf2b1f
sha256 e9a3c66d5e14cf9e6a50183cbd85e3b2ea157094f7f65c7666a0ff20cf1c73e3
ssdeep 6144:d/QiQXC3tQQ5m+ksmpk3U9j0Im4soxvjFEOTb9WmZX/8shzdsY4CpHPhnTxnV1:VQi3mQc6m6UR0Ilp1hf39Wkv8xwJBn
imphash 884310b1928934402ea6fec1dbd3cf5e
impfuzzy 48:8cfp1rcQX0gebPCDr+ZbldH9AOZGwt+Eu55T/lGB:8cfpdcqNebqDrmrHW2
  Network IP location

Signature (53cnts)

Level Description
danger File has been identified by 45 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Disables Windows Security features
danger Executed a process and injected code into it
warning Generates some ICMP traffic
watch Allocates execute permission to another process indicative of possible code injection
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the version of Bios
watch Code injection by writing an executable or DLL to the memory of another process
watch Communicates with host for which no DNS query was performed
watch Detects Virtual Machines through their custom firmware
watch Detects VMWare through the in instruction feature
watch Installs itself for autorun at Windows startup
watch Looks for the Windows Idle Time to determine the uptime
watch Network activity contains more than one unique useragent
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the processes kak.tmp
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Repeatedly searches for a not-found process
notice Resolves a suspicious Top Level Domain (TLD)
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (39cnts)

Level Name Description Collection
danger Lazarus_Zero Lazarus Generic Malware binaries (download)
danger Trojan_PWS_Stealer_1_Zero Trojan.PWS.Stealer Zero binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Credential_User_Data_Check_Zero Credential User Data Check binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning themida_packer themida packer binaries (download)
warning UltraVNC_Zero UltraVNC binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch ASPack_Zero ASPack packed file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch SQLite_cookies_Check_Zero SQLite Cookie Check... select binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (download)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (145cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://htagzdownload.pw/SaveData/SaveData.php?ezzabour=%7B%22NameOffer%22:%22BumperWw%22,%22ip%22:%22%22,%22country%22:%22KR%22,%22DateTime%22:%222021-11-05%2012:47%22,%22Device%22:%22TEST22-PC%22,%22PCName%22:%22test22%22,%22postcheck%22:%22False%22,%22t
whois
No GOOGLE 35.205.61.67 clean
http://www.hzradiant.com/askinstall42.exe
whois
DE PlusServer GmbH 194.163.158.120 7569 clean
http://eguntong.com/pub33.exe
whois
RU Domain names registrar REG.RU, Ltd 194.87.185.127 7568 clean
http://dataonestorage.com/search_hyperfs_204.exe
whois
DE XSServer GmbH 45.142.182.152 clean
http://fouratlinks.com/Widgets/FolderShare.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://45.9.20.156/pub.php?pub=five
whois
Unknown 45.9.20.156 clean
http://fouratlinks.com/installpartners/ShareFolder.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://file.ekkggr3.com/lqosko/p18j/cust51.exe
whois
US CLOUDFLARENET 104.21.66.169 clean
http://staticimg.youtuuee.com/api/fbtime
whois
LV ENZUINC 45.136.151.102 6464 mailcious
http://212.192.241.15/service/communication.php
whois
Unknown 212.192.241.15 clean
http://45.133.1.182/proxies.txt
whois
US DEDIPATH-LLC 45.133.1.182 6139 mailcious
http://fouratlinks.com/stockmerchandise/serious_punch_upd/HttpTwcyK3R6gQj7t7EY.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://186.2.171.3/seemorebty/il.php?e=jg1_1faf
whois
Unknown 186.2.171.3 4715 mailcious
http://www.hzradiant.com/askhelp42/askinstall42.exe
whois
DE PlusServer GmbH 194.163.158.120 clean
http://staticimg.youtuuee.com/api/?sid=578995&key=b4a44f7ae92b9b3dfe2bcb545627cb4d
whois
LV ENZUINC 45.136.151.102 5258 mailcious
http://cloutingservicedb.su/campaign2/autosubplayer.exe
whois
US CLOUDFLARENET 172.67.145.75 clean
http://212.192.241.15/base/api/statistics.php
whois
Unknown 212.192.241.15 clean
http://45.133.1.107/server.txt
whois
US DEDIPATH-LLC 45.133.1.107 7522 clean
http://www.mrwenshen.com/askhelp59/askinstall59.exe
whois
Unknown 103.155.92.29 clean
http://fouratlinks.com/stockmerchandise/zillaCPM/r4XZt5MYHpEdcdmzqr2D.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://45.133.1.107/download/NiceProcessX64.bmp
whois
US DEDIPATH-LLC 45.133.1.107 malware
http://requestimedout.com/xenocrates/zoroaster
whois
US NAMECHEAP-NET 162.255.117.78 clean
http://www.mrwenshen.com/askinstall59.exe
whois
Unknown 103.155.92.29 clean
http://ip-api.com/json/
whois
US TUT-AS 208.95.112.1 clean
http://193.56.146.36/udptest.exe
whois
Unknown 193.56.146.36 malware
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
KR Korea Telecom 119.207.66.26 clean
http://privacytoolzfor-you6000.top/downloads/toolspab2.exe
whois
RU OOO Network of data-centers Selectel 5.8.76.207 clean
http://fouratlinks.com/stockmerchandise/total_out_hand/v8hBqWuKscbjZRqNatPw.exe
whois
US NAMECHEAP-NET 199.192.17.247 clean
http://212.192.241.15/base/api/getData.php
whois
Unknown 212.192.241.15 clean
http://www.google.com/
whois
US GOOGLE 172.217.25.68 clean
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_installrox2_BumperWw
whois
CA ACP 162.0.210.44 clean
https://cdn.discordapp.com/attachments/891006172130345095/905726762028240896/4chee.bmp
whois
Unknown 162.159.135.233 clean
https://connectini.net/Series/publisher/1/KR.json
whois
CA ACP 162.0.210.44 mailcious
https://cdn.discordapp.com/attachments/891006172130345095/905797756076048394/IZI.bmp
whois
Unknown 162.159.135.233 clean
https://connectini.net/ip/check.php?duplicate=kenpachi2_non-search_goodchannel_lyloutta_Traffic
whois
CA ACP 162.0.210.44 clean
https://dumancue.com/dd7c8e90c804f83b712eb175eb0daaef.exe
whois
US CLOUDFLARENET 172.67.134.37 clean
https://cdn.discordapp.com/attachments/891006172130345095/905726625025511474/sloader0401.bmp
whois
Unknown 162.159.135.233 clean
https://d.gogamed.com/userhome/25/any.exe
whois
US CLOUDFLARENET 104.21.59.236 clean
https://source3.boys4dayz.com/installer.exe
whois
US CLOUDFLARENET 172.67.148.61 clean
https://ipinfo.io/widget
whois
US GOOGLE 34.117.59.81 clean
https://iplogger.org/1Xxky7
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://www.listincode.com/
whois
US AS-CHOOPA 149.28.253.196 2327 mailcious
https://cdn.discordapp.com/attachments/893177342426509335/905791554113912932/uglinesses.jpg
whois
Unknown 162.159.135.233 clean
https://cdn.discordapp.com/attachments/891006172130345095/905757933961359380/wetsetup0401.bmp
whois
Unknown 162.159.135.233 clean
https://cdn.discordapp.com/attachments/891006172130345095/905917017234735184/Topov0402.bmp
whois
Unknown 162.159.135.233 clean
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
whois
CA ACP 162.0.210.44 1972 mailcious
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_piyyyyWW
whois
CA ACP 162.0.210.44 clean
https://cdn.discordapp.com/attachments/905701898806493199/905826613411864596/BumperWW.exe
whois
Unknown 162.159.135.233 clean
https://cdn.discordapp.com/attachments/891006172130345095/905857242451046431/CKBReFn.bmp
whois
Unknown 162.159.135.233 clean
https://iplogger.org/13LYu7
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://iplogger.org/1GWfv7
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://cdn.discordapp.com/attachments/891021838312931420/902505896159113296/PL_Client.bmp
whois
Unknown 162.159.135.233 7575 clean
https://connectini.net/Series/SuperNitouDisc.php
whois
CA ACP 162.0.210.44 clean
https://cdn.discordapp.com/attachments/896617596772839426/897483264074350653/Service.bmp
whois
Unknown 162.159.135.233 clean
https://cdn.discordapp.com/attachments/891006172130345095/905799227140083712/real0402.bmp
whois
Unknown 162.159.135.233 clean
https://connectini.net/S2S/Disc/Disc.php?ezok=folderlyla1&tesla=7
whois
CA ACP 162.0.210.44 clean
https://connectini.net/Series/configPoduct/2/goodchannel.json
whois
CA ACP 162.0.210.44 1973 mailcious
https://cdn.discordapp.com/attachments/905701898806493199/905894437480181790/Setup12.exe
whois
Unknown 162.159.135.233 clean
https://iplogger.org/12AVi7
whois
DE Hetzner Online GmbH 88.99.66.31 clean
https://litidack.com/af016c52b60489b5da52d037a2d6dd6b/dd7c8e90c804f83b712eb175eb0daaef.exe
whois
US CLOUDFLARENET 172.67.128.223 clean
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_adxpertmedia_advancedmanager
whois
CA ACP 162.0.210.44 clean
https://connectini.net/Series/Conumer4Publisher.php
whois
CA ACP 162.0.210.44 1976 mailcious
https://cdn.discordapp.com/attachments/891006172130345095/905750415910514738/5780_0401.bmp
whois
Unknown 162.159.135.233 clean
https://f.gogamef.com/userhome/25/1bec5879a5da641fb388046719b3c83e.exe
whois
US CLOUDFLARENET 104.21.72.228 clean
https://cdn.discordapp.com/attachments/891006172130345095/905919347988508692/Passat0402.bmp
whois
Unknown 162.159.135.233 clean
https://connectini.net/Series/Conumer2kenpachi.php
whois
CA ACP 162.0.210.44 1974 mailcious
https://cdn.discordapp.com/attachments/891006172130345095/905393686618193921/help0301.bmp
whois
Unknown 162.159.135.233 7572 clean
fouratlinks.com
whois
US NAMECHEAP-NET 199.192.17.247 clean
source3.boys4dayz.com
whois
US CLOUDFLARENET 104.21.33.188 clean
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
tambisup.com
whois
RU OOO Network of data-centers Selectel 91.206.15.183 mailcious
ip-api.com
whois
US TUT-AS 208.95.112.1 clean
apps.identrust.com
whois
US CCCH-3 23.216.159.81 clean
requestimedout.com
whois
US NAMECHEAP-NET 162.255.117.78 clean
eguntong.com
whois
RU Domain names registrar REG.RU, Ltd 194.87.185.127 clean
www.hzradiant.com
whois
DE PlusServer GmbH 194.163.158.120 clean
t.gogamec.com
whois
US CLOUDFLARENET 104.21.85.99 clean
file.ekkggr3.com
whois
US CLOUDFLARENET 172.67.162.110 malware
iplogger.org
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
twitter.com
whois
US TWITTER 104.244.42.65 clean
privacytoolzfor-you6000.top
whois
RU OOO Network of data-centers Selectel 5.8.76.207 clean
cdn.discordapp.com
whois
Unknown 162.159.134.233 malware
telegram.org
whois
GB Telegram Messenger Inc 149.154.167.99 clean
www.mrwenshen.com
whois
Unknown 103.155.92.29 clean
dumancue.com
whois
US CLOUDFLARENET 172.67.134.37 clean
el5en1977834657.s3.ap-south-1.amazonaws.com
whois
Unknown 52.219.158.22 clean
www.listincode.com
whois
US AS-CHOOPA 149.28.253.196 mailcious
d.gogamed.com
whois
US CLOUDFLARENET 104.21.59.236 clean
yandex.ru
whois
RU YANDEX LLC 77.88.55.50 clean
www.google.com
whois
US GOOGLE 172.217.175.228 clean
google.com
whois
US GOOGLE 172.217.161.78 clean
f.gogamef.com
whois
US CLOUDFLARENET 172.67.136.94 clean
htagzdownload.pw
whois
No GOOGLE 35.205.61.67 clean
connectini.net
whois
CA ACP 162.0.210.44 mailcious
www.profitabletrustednetwork.com
whois
US DataWeb Global Group B.V. 192.243.59.12 mailcious
dataonestorage.com
whois
DE XSServer GmbH 45.142.182.152 malware
litidack.com
whois
US CLOUDFLARENET 104.21.2.71 clean
cloutingservicedb.su
whois
US CLOUDFLARENET 104.21.39.127 clean
staticimg.youtuuee.com
whois
LV ENZUINC 45.136.151.102 mailcious
5.8.76.207
whois
RU OOO Network of data-centers Selectel 5.8.76.207 clean
172.67.145.75
whois
US CLOUDFLARENET 172.67.145.75 clean
208.95.112.1
whois
US TUT-AS 208.95.112.1 clean
186.2.171.3
whois
Unknown 186.2.171.3 mailcious
2.56.59.42
whois
US GBTCLOUD 2.56.59.42 mailcious
103.155.92.29
whois
Unknown 103.155.92.29 malware
96.16.99.73
whois
US Akamai International B.V. 96.16.99.73 clean
91.206.15.183
whois
RU OOO Network of data-centers Selectel 91.206.15.183 mailcious
162.159.135.233
whois
Unknown 162.159.135.233 malware
45.9.20.156
whois
Unknown 45.9.20.156 clean
77.88.55.66
whois
RU YANDEX LLC 77.88.55.66 clean
162.255.117.78
whois
US NAMECHEAP-NET 162.255.117.78 clean
52.219.156.18
whois
Unknown 52.219.156.18 clean
142.250.207.78
whois
US GOOGLE 142.250.207.78 clean
172.67.128.223
whois
US CLOUDFLARENET 172.67.128.223 clean
45.142.182.152
whois
DE XSServer GmbH 45.142.182.152 clean
88.99.66.31
whois
DE Hetzner Online GmbH 88.99.66.31 mailcious
212.192.241.15
whois
Unknown 212.192.241.15 clean
162.0.210.44
whois
CA ACP 162.0.210.44 mailcious
45.133.1.107
whois
US DEDIPATH-LLC 45.133.1.107 malware
142.250.204.68
whois
US GOOGLE 142.250.204.68 clean
104.21.72.228
whois
US CLOUDFLARENET 104.21.72.228 clean
194.87.185.127
whois
RU Domain names registrar REG.RU, Ltd 194.87.185.127 clean
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
104.244.42.65
whois
US TWITTER 104.244.42.65 suspicious
45.133.1.182
whois
US DEDIPATH-LLC 45.133.1.182 malware
95.217.123.66
whois
FI Hetzner Online GmbH 95.217.123.66 clean
172.67.134.37
whois
US CLOUDFLARENET 172.67.134.37 clean
35.205.61.67
whois
No GOOGLE 35.205.61.67 mailcious
23.216.159.81
whois
US CCCH-3 23.216.159.81 clean
52.219.66.30
whois
IN AMAZON-02 52.219.66.30 malware
193.56.146.36
whois
Unknown 193.56.146.36 malware
172.67.148.61
whois
US CLOUDFLARENET 172.67.148.61 clean
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 clean
212.193.30.113
whois
RU Anton Mamaev 212.193.30.113 clean
104.21.66.169
whois
US CLOUDFLARENET 104.21.66.169 malware
45.136.151.102
whois
LV ENZUINC 45.136.151.102 mailcious
94.26.249.132
whois
Unknown 94.26.249.132 clean
192.243.59.12
whois
US DataWeb Global Group B.V. 192.243.59.12 clean
194.163.158.120
whois
DE PlusServer GmbH 194.163.158.120 malware
149.28.253.196
whois
US AS-CHOOPA 149.28.253.196 clean
104.244.42.193
whois
US TWITTER 104.244.42.193 suspicious
199.192.17.247
whois
US NAMECHEAP-NET 199.192.17.247 clean
172.67.204.112
whois
US CLOUDFLARENET 172.67.204.112 clean
77.88.55.50
whois
RU YANDEX LLC 77.88.55.50 clean
104.21.59.236
whois
US CLOUDFLARENET 104.21.59.236 clean

Suricata ids

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
ET INFO EXE - Served Attached HTTP
ET INFO Packed Executable Download
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
ET INFO Executable Download from dotted-quad Host
ET POLICY External IP Lookup ip-api.com
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO TLS Handshake Failure
ET INFO HTTP Request to a *.pw domain
ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x40d0b4 DeleteCriticalSection
 0x40d0b8 LeaveCriticalSection
 0x40d0bc EnterCriticalSection
 0x40d0c0 InitializeCriticalSection
 0x40d0c4 VirtualFree
 0x40d0c8 VirtualAlloc
 0x40d0cc LocalFree
 0x40d0d0 LocalAlloc
 0x40d0d4 WideCharToMultiByte
 0x40d0d8 TlsSetValue
 0x40d0dc TlsGetValue
 0x40d0e0 MultiByteToWideChar
 0x40d0e4 GetModuleHandleA
 0x40d0e8 GetLastError
 0x40d0ec GetCommandLineA
 0x40d0f0 WriteFile
 0x40d0f4 SetFilePointer
 0x40d0f8 SetEndOfFile
 0x40d0fc RtlUnwind
 0x40d100 ReadFile
 0x40d104 RaiseException
 0x40d108 GetStdHandle
 0x40d10c GetFileSize
 0x40d110 GetSystemTime
 0x40d114 GetFileType
 0x40d118 ExitProcess
 0x40d11c CreateFileA
 0x40d120 CloseHandle
user32.dll
 0x40d128 MessageBoxA
oleaut32.dll
 0x40d130 VariantChangeTypeEx
 0x40d134 VariantCopyInd
 0x40d138 VariantClear
 0x40d13c SysStringLen
 0x40d140 SysAllocStringLen
advapi32.dll
 0x40d148 RegQueryValueExA
 0x40d14c RegOpenKeyExA
 0x40d150 RegCloseKey
 0x40d154 OpenProcessToken
 0x40d158 LookupPrivilegeValueA
kernel32.dll
 0x40d160 WriteFile
 0x40d164 VirtualQuery
 0x40d168 VirtualProtect
 0x40d16c VirtualFree
 0x40d170 VirtualAlloc
 0x40d174 Sleep
 0x40d178 SizeofResource
 0x40d17c SetLastError
 0x40d180 SetFilePointer
 0x40d184 SetErrorMode
 0x40d188 SetEndOfFile
 0x40d18c RemoveDirectoryA
 0x40d190 ReadFile
 0x40d194 LockResource
 0x40d198 LoadResource
 0x40d19c LoadLibraryA
 0x40d1a0 IsDBCSLeadByte
 0x40d1a4 GetWindowsDirectoryA
 0x40d1a8 GetVersionExA
 0x40d1ac GetUserDefaultLangID
 0x40d1b0 GetSystemInfo
 0x40d1b4 GetSystemDefaultLCID
 0x40d1b8 GetProcAddress
 0x40d1bc GetModuleHandleA
 0x40d1c0 GetModuleFileNameA
 0x40d1c4 GetLocaleInfoA
 0x40d1c8 GetLastError
 0x40d1cc GetFullPathNameA
 0x40d1d0 GetFileSize
 0x40d1d4 GetFileAttributesA
 0x40d1d8 GetExitCodeProcess
 0x40d1dc GetEnvironmentVariableA
 0x40d1e0 GetCurrentProcess
 0x40d1e4 GetCommandLineA
 0x40d1e8 GetACP
 0x40d1ec InterlockedExchange
 0x40d1f0 FormatMessageA
 0x40d1f4 FindResourceA
 0x40d1f8 DeleteFileA
 0x40d1fc CreateProcessA
 0x40d200 CreateFileA
 0x40d204 CreateDirectoryA
 0x40d208 CloseHandle
user32.dll
 0x40d210 TranslateMessage
 0x40d214 SetWindowLongA
 0x40d218 PeekMessageA
 0x40d21c MsgWaitForMultipleObjects
 0x40d220 MessageBoxA
 0x40d224 LoadStringA
 0x40d228 ExitWindowsEx
 0x40d22c DispatchMessageA
 0x40d230 DestroyWindow
 0x40d234 CreateWindowExA
 0x40d238 CallWindowProcA
 0x40d23c CharPrevA
comctl32.dll
 0x40d244 InitCommonControls
advapi32.dll
 0x40d24c AdjustTokenPrivileges

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure