
Windows Analysis Report
downloader.exe

Overview

General Information

Sample name: downloader.exe
Analysis ID: 1629736
MD5: 9ac29dbe885b401e47708481f442391c
SHA1: 65f5c19c07d57fbd529c4db888a856512e4f0fad
SHA256: a05131f470b86c1e7794c42ee64e53dec014d03d6d8b04c037a103f2dfa4207d

Detection

Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Drops PE files
Found dropped PE file which has not been started or loaded
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64_ra
  • downloader.exe (PID: 4176 cmdline: "C:\Users\user\Desktop\downloader.exe" MD5: 9AC29DBE885B401E47708481F442391C)
  • cleanup
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-05T05:11:17.961290+0100 | 2010348 | 1 | A Network Trojan was detected | 192.168.2.16 | 49700 | 140.82.121.4 | 443 | TCP
2025-03-05T05:11:18.921988+0100 | 2010348 | 1 | A Network Trojan was detected | 192.168.2.16 | 49702 | 185.199.110.133 | 443 | TCP
2025-03-05T05:11:17.961290+0100 | 2018052 | 1 | A Network Trojan was detected | 192.168.2.16 | 49700 | 140.82.121.4 | 443 | TCP
2025-03-05T05:11:18.921988+0100 | 2018052 | 1 | A Network Trojan was detected | 192.168.2.16 | 49702 | 185.199.110.133 | 443 | TCP


AV Detection

Source: downloader.exe | ReversingLabs: Detection: 65%
Source: downloader.exe | Virustotal: Detection: 68%
Source: downloader.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.16:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.16:49702 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.16:49702 -> 185.199.110.133:443
Source: Network traffic | Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.16:49700 -> 140.82.121.4:443
Source: Network traffic | Suricata IDS: 2010348 - Severity 1 - ET MALWARE - Possible Zeus/Perkesh (.bin) configuration download : 192.168.2.16:49702 -> 185.199.110.133:443
Source: Network traffic | Suricata IDS: 2010348 - Severity 1 - ET MALWARE - Possible Zeus/Perkesh (.bin) configuration download : 192.168.2.16:49700 -> 140.82.121.4:443
Source: global traffic | HTTP traffic detected:
    GET /AllsafeCyberSecurity/download_bin/raw/master/hello.bin HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: github.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /AllsafeCyberSecurity/download_bin/master/hello.bin HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: raw.githubusercontent.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /AllsafeCyberSecurity/download_bin/raw/master/hello.bin HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: github.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /AllsafeCyberSecurity/download_bin/master/hello.bin HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: allsafe.local
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.16:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.16:49702 version: TLS 1.2
Source: downloader.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal56.winEXE@2/1@3/26
Source: C:\Users\user\Desktop\downloader.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\hello[1].bin
Source: downloader.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\downloader.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: downloader.exe | ReversingLabs: Detection: 65%
Source: downloader.exe | Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\downloader.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\downloader.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: downloader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\downloader.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\hello[1].bin
Source: C:\Users\user\Desktop\downloader.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\hello[1].bin
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 13 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction

Source | Detection | Scanner | Label | Link
downloader.exe | 65% | ReversingLabs | Win32.Trojan.Ymacco |
downloader.exe | 68% | Virustotal | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://raw.githubusercontent.com/AllsafeCyberSecurity/download_bin/master/hello.bin | 0% | Avira URL Cloud | safe |
https://github.com/AllsafeCyberSecurity/download_bin/raw/master/hello.bin | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.4 | true | false | | high
raw.githubusercontent.com | 185.199.110.133 | true | false | | high
allsafe.local | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://github.com/AllsafeCyberSecurity/download_bin/raw/master/hello.bin | true | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/AllsafeCyberSecurity/download_bin/master/hello.bin | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
140.82.121.4 | github.com | United States | | 36459 | GITHUBUS | false
185.199.110.133 | raw.githubusercontent.com | Netherlands | | 54113 | FASTLYUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1629736
Start date and time: 2025-03-05 05:10:43 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: downloader.exe
Detection: MAL
Classification: mal56.winEXE@2/1@3/26
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.60.203.209
• Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: allsafe.local
Process: C:\Users\user\Desktop\downloader.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 375903
Entropy (8bit): 5.797800361799165
Encrypted: false
SSDEEP:
MD5: 8C624679D84C88CDCB91488EAF692C25
SHA1: FB08196955F4D962FEBB4F021AD5F836D508268E
SHA-256: E349E7E672AAA539C2B090E360FF0E28EF8E0D23772A1757572C017BE44FBC52
SHA-512: 56521056A622F7D724197FE8D3CBE129D16C38C6FAD26E47C4E5FF7DD36E07992E3DBA75D2CE74B8DB67895E0004FDD036BA7F6DD59226D7C38DDA4D68A982E4
Malicious: false
Reputation: unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a.....^...^...^.h._...^.h._=..^.h._...^cm._...^cm._...^cm._...^.h._...^...^...^,n._...^,n._...^Rich...^........PE..L...%..].................r..........J/............@............................................................................<...................................P'..8............................'..@............................................text...=q.......r.................. ..`.rdata...............v..............@..@.data....$...P.......(..............@....idata...............6..............@..@.00cfg...............B..............@..@........................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.370543723516723
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: downloader.exe
File size: 94'208 bytes
MD5: 9ac29dbe885b401e47708481f442391c
SHA1: 65f5c19c07d57fbd529c4db888a856512e4f0fad
SHA256: a05131f470b86c1e7794c42ee64e53dec014d03d6d8b04c037a103f2dfa4207d
SHA512: 209394d8ef11b6e10d74ebd42873b5c12dc6e58e87c5a4f9fc565d569170938e25e4763567281c61f2d67962b102b1c649820d8eaec5ab298e559ac7a68bae34
SSDEEP: 1536:paWVbiosTYxlJvI7fA7aq2Ik5tFFNhd71b6PQQ/tjSFC34L+mf8z4u6HjFPZ9ps0:XVeosTYz9I7fA7N2nzNhR1b6b/tjSFCW
TLSH: A4936C0175C1C472E9762D3114B0DAB19A3DFA711E909EAF2788163E4F706C29A36DBB
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...v..Av..Av..A-.|@|..A-.z@...A-.{@d..A..z@S..A..{@g..A..|@g..A-.~@...Av.~A#..A..{@w..A..}@w..ARichv..A........PE..L......^...
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x401437
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5EA4F019 [Sun Apr 26 02:21:13 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: a542a1fd390f2beb453e84695b07d40c
        Instruction
        call 00007FF9A4E350B8h
        jmp 00007FF9A4E34C8Fh
        push ebp
        mov ebp, esp
        mov eax, dword ptr [ebp+08h]
        push esi
        mov ecx, dword ptr [eax+3Ch]
        add ecx, eax
        movzx eax, word ptr [ecx+14h]
        lea edx, dword ptr [ecx+18h]
        add edx, eax
        movzx eax, word ptr [ecx+06h]
        imul esi, eax, 28h
        add esi, edx
        cmp edx, esi
        je 00007FF9A4E34E2Bh
        mov ecx, dword ptr [ebp+0Ch]
        cmp ecx, dword ptr [edx+0Ch]
        jc 00007FF9A4E34E1Ch
        mov eax, dword ptr [edx+08h]
        add eax, dword ptr [edx+0Ch]
        cmp ecx, eax
        jc 00007FF9A4E34E1Eh
        add edx, 28h
        cmp edx, esi
        jne 00007FF9A4E34DFCh
        xor eax, eax
        pop esi
        pop ebp
        ret
        mov eax, edx
        jmp 00007FF9A4E34E0Bh
        push esi
        call 00007FF9A4E355B5h
        test eax, eax
        je 00007FF9A4E34E32h
        mov eax, dword ptr fs:[00000018h]
        mov esi, 00418934h
        mov edx, dword ptr [eax+04h]
        jmp 00007FF9A4E34E16h
        cmp edx, eax
        je 00007FF9A4E34E22h
        xor eax, eax
        mov ecx, edx
        lock cmpxchg dword ptr [esi], ecx
        test eax, eax
        jne 00007FF9A4E34E02h
        xor al, al
        pop esi
        ret
        mov al, 01h
        pop esi
        ret
        push ebp
        mov ebp, esp
        cmp dword ptr [ebp+08h], 00000000h
        jne 00007FF9A4E34E19h
        mov byte ptr [00418938h], 00000001h
        call 00007FF9A4E353A4h
        call 00007FF9A4E35852h
        test al, al
        jne 00007FF9A4E34E16h
        xor al, al
        pop ebp
        ret
        call 00007FF9A4E38FD7h
        test al, al
        jne 00007FF9A4E34E1Ch
        push 00000000h
        call 00007FF9A4E35859h
        pop ecx
        jmp 00007FF9A4E34DFBh
        mov al, 01h
        pop ebp
        ret
        push ebp
        mov ebp, esp
        cmp byte ptr [00418939h], 00000000h
        je 00007FF9A4E34E16h
        mov al, 01h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e04 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x166f0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x16710 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xfac3 | 0xfc00 | 12d70f775ae1c26bba834f31e72ed68f | False | 0.5969122023809523 | data | 6.649330509930081 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x11000 | 0x64a8 | 0x6600 | 1614d83e3654c2bbaf309c13727cab7c | False | 0.47771139705882354 | data | 5.1659426596243065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x18000 | 0x1364 | 0xa00 | 758ca63a51c2a8b75ffe4f454ee059ff | False | 0.1890625 | data | 2.3068318080813563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
SHLWAPI.dll | PathFileExistsA
SHELL32.dll | SHGetSpecialFolderPathA
urlmon.dll | URLDownloadToFileA
KERNEL32.dll | GetModuleHandleExW, CreateFileW, CloseHandle, DecodePointer, CreateProcessA, GetStartupInfoA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, GetConsoleMode, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, WriteConsoleW, HeapFree, HeapAlloc, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, LCMapStringW, GetProcessHeap, SetFilePointerEx, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP