Report - Amadey.exe

Amadey RedLine stealer Browser Login Data Stealer RedlineStealer RedLine Infostealer Gen1 Emotet Generic Malware Hide_EXE Malicious Library UPX Malicious Packer .NET framework(MSIL) ScreenShot PWS Anti_VM Javascript_B
Created 2023.11.03 18:29 Machine s1_win7_x6401
Filename Amadey.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 25.8
ZERO API file : clean
VT API (file)
md5 5d0310efbb0ea7ead8624b0335b21b7b
sha256 a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a
ssdeep 6144:Rb6w2ysktItqrvJ8oGJJWfZRXIjqGlG4u67+lAOHziULb:RNtmqjJ8xJmRGltu67sfL
imphash f722e751a647e22fa4d7e966bdaa4f04
impfuzzy 48:9eRHXc3ncGOKZTc+JyNtSS1jGoZcc6g3GAF57fwwRLP2HN+5TPg:IZXlGjTc+JEtSS1jGoZc9c7RLCSzg

Signature (54cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Disables Windows Security features
danger Executed a process and injected code into it
watch A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic/preparations.
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to disable Windows Auto Updates
watch Attempts to identify installed AV products by installation directory
watch Attempts to stop active services
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Creates an Alternate Data Stream (ADS)
watch Detects Avast Antivirus through the presence of a library
watch Harvests credentials from local FTP client software
watch Harvests information related to installed instant messenger clients
watch Installs itself for autorun at Windows startup
watch Network activity contains more than one unique useragent
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses suspicious command line tools or Windows utilities
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process utsysc.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (43cnts)

Level Name Description Collection
danger detect_Redline_Stealer_V2 (no description) binaries (download)
danger infoStealer_browser_b_Zero browser info stealer binaries (download)
danger MALWARE_Win_VT_RedLine Detects RedLine infostealer binaries (download)
danger RedLine_Stealer_b_Zero RedLine stealer binaries (download)
danger RedLine_Stealer_m_Zero RedLine stealer memory
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
danger Win_Amadey_Zero Amadey bot binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning hide_executable_file Hide executable file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Javascript_Blob uses blob (Binary Large Object) javascript binaries (download)
notice ScreenShot Take ScreenShot memory
info anti_dbg Checks if being debugged memory
info CAB_file_format CAB archive file binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (113cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x439044 Sleep
 0x439048 GetTempPathA
 0x43904c Wow64RevertWow64FsRedirection
 0x439050 GetLastError
 0x439054 GetFileAttributesA
 0x439058 CreateFileA
 0x43905c CloseHandle
 0x439060 GetSystemInfo
 0x439064 CreateThread
 0x439068 GetThreadContext
 0x43906c SetCurrentDirectoryA
 0x439070 VirtualAllocEx
 0x439074 RemoveDirectoryA
 0x439078 ReadProcessMemory
 0x43907c CreateProcessA
 0x439080 CreateDirectoryA
 0x439084 SetThreadContext
 0x439088 ReadConsoleW
 0x43908c SetEndOfFile
 0x439090 HeapSize
 0x439094 SetFilePointerEx
 0x439098 GetModuleHandleA
 0x43909c ResumeThread
 0x4390a0 GetComputerNameExW
 0x4390a4 GetVersionExW
 0x4390a8 CreateMutexA
 0x4390ac WaitForSingleObject
 0x4390b0 PeekNamedPipe
 0x4390b4 CreatePipe
 0x4390b8 VirtualAlloc
 0x4390bc Wow64DisableWow64FsRedirection
 0x4390c0 WriteFile
 0x4390c4 VirtualFree
 0x4390c8 SetHandleInformation
 0x4390cc WriteProcessMemory
 0x4390d0 GetModuleFileNameA
 0x4390d4 GetProcAddress
 0x4390d8 ReadFile
 0x4390dc GetConsoleMode
 0x4390e0 GetConsoleCP
 0x4390e4 FlushFileBuffers
 0x4390e8 GetProcessHeap
 0x4390ec SetEnvironmentVariableW
 0x4390f0 FreeEnvironmentStringsW
 0x4390f4 GetEnvironmentStringsW
 0x4390f8 GetOEMCP
 0x4390fc GetACP
 0x439100 IsValidCodePage
 0x439104 FindNextFileW
 0x439108 FindFirstFileExW
 0x43910c FindClose
 0x439110 GetTimeZoneInformation
 0x439114 HeapReAlloc
 0x439118 SetStdHandle
 0x43911c GetFullPathNameW
 0x439120 GetCurrentDirectoryW
 0x439124 DeleteFileW
 0x439128 EnumSystemLocalesW
 0x43912c GetUserDefaultLCID
 0x439130 IsValidLocale
 0x439134 HeapAlloc
 0x439138 HeapFree
 0x43913c WideCharToMultiByte
 0x439140 EnterCriticalSection
 0x439144 LeaveCriticalSection
 0x439148 DeleteCriticalSection
 0x43914c SetLastError
 0x439150 InitializeCriticalSectionAndSpinCount
 0x439154 CreateEventW
 0x439158 SwitchToThread
 0x43915c TlsAlloc
 0x439160 TlsGetValue
 0x439164 TlsSetValue
 0x439168 TlsFree
 0x43916c GetSystemTimeAsFileTime
 0x439170 GetModuleHandleW
 0x439174 EncodePointer
 0x439178 DecodePointer
 0x43917c MultiByteToWideChar
 0x439180 CompareStringW
 0x439184 LCMapStringW
 0x439188 GetLocaleInfoW
 0x43918c GetStringTypeW
 0x439190 GetCPInfo
 0x439194 SetEvent
 0x439198 ResetEvent
 0x43919c WaitForSingleObjectEx
 0x4391a0 IsDebuggerPresent
 0x4391a4 UnhandledExceptionFilter
 0x4391a8 SetUnhandledExceptionFilter
 0x4391ac GetStartupInfoW
 0x4391b0 IsProcessorFeaturePresent
 0x4391b4 QueryPerformanceCounter
 0x4391b8 GetCurrentProcessId
 0x4391bc GetCurrentThreadId
 0x4391c0 InitializeSListHead
 0x4391c4 GetCurrentProcess
 0x4391c8 TerminateProcess
 0x4391cc RaiseException
 0x4391d0 RtlUnwind
 0x4391d4 FreeLibrary
 0x4391d8 LoadLibraryExW
 0x4391dc ExitProcess
 0x4391e0 GetModuleHandleExW
 0x4391e4 CreateFileW
 0x4391e8 GetDriveTypeW
 0x4391ec GetFileInformationByHandle
 0x4391f0 GetFileType
 0x4391f4 SystemTimeToTzSpecificLocalTime
 0x4391f8 FileTimeToSystemTime
 0x4391fc GetModuleFileNameW
 0x439200 GetStdHandle
 0x439204 GetCommandLineA
 0x439208 GetCommandLineW
 0x43920c WriteConsoleW
USER32.dll
 0x439228 GetSystemMetrics
 0x43922c ReleaseDC
 0x439230 GetDC
GDI32.dll
 0x43902c CreateCompatibleBitmap
 0x439030 SelectObject
 0x439034 CreateCompatibleDC
 0x439038 DeleteObject
 0x43903c BitBlt
ADVAPI32.dll
 0x439000 RegCloseKey
 0x439004 RegGetValueA
 0x439008 RegQueryValueExA
 0x43900c GetSidSubAuthorityCount
 0x439010 GetSidSubAuthority
 0x439014 GetUserNameA
 0x439018 LookupAccountNameA
 0x43901c RegSetValueExA
 0x439020 RegOpenKeyExA
 0x439024 GetSidIdentifierAuthority
SHELL32.dll
 0x439214 SHGetFolderPathA
 0x439218 ShellExecuteA
 0x43921c None
 0x439220 SHFileOperationA
WININET.dll
 0x439238 HttpOpenRequestA
 0x43923c InternetReadFile
 0x439240 InternetConnectA
 0x439244 HttpSendRequestA
 0x439248 InternetCloseHandle
 0x43924c InternetOpenA
 0x439250 HttpSendRequestExA
 0x439254 HttpAddRequestHeadersA
 0x439258 HttpEndRequestA
 0x43925c InternetOpenW
 0x439260 InternetOpenUrlA
 0x439264 InternetWriteFile
gdiplus.dll
 0x43926c GdipSaveImageToFile
 0x439270 GdipGetImageEncodersSize
 0x439274 GdipDisposeImage
 0x439278 GdipCreateBitmapFromHBITMAP
 0x43927c GdipGetImageEncoders
 0x439280 GdiplusShutdown
 0x439284 GdiplusStartup

EAT (Export Address Table) is none
