cabalmain.exe

First submission 2024-10-15 19:23:15

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	38527.0 KB (39451648 bytes)
Compile time:	2012-09-05 07:39:48
MD5:	12ebc1ac491e6ba72fb2d57e22d9a916
SHA1:	aca86b37ded0c84655d799f69d5be8b016fae8bb
SHA256:	684d279c12834092808e212bbbdab69308da260917ac135e962cfc90afbf44f5
Import Hash :	57467bbebe360712f0cc6be70ccffc3b
Sections 23	.text .rdata .data .rsrc .idata .edata .NewIT .NewIT .NewIT .NewIT .NewIT .NewIT .NewIT .NewIT .NewIT .NewIT .NewIT .NewIT .NewIT .newimp .NewIT .enigma1 .enigma2
Directories 4	import export resource tls

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	22/76 VT report date: 2024-10-14 14:34:40
Malware Type 1	trojan

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://vps-5fc33f45.vps.ovh.ca/output/client/cabalmain.exe	vps-5fc33f45.vps.ovh.ca	2024-10-15 19:23:15

PE Sections 6 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x6c4000	7094272	6bab3a14c91dbe64eeca9f5337c083347104b6c8	c6953eff491bd70c6da05d18da1baa61
.rdata	0x6c5000	0x9c000	638976	b6d80d3cedcb217cd9a62b0759f123a8caded993	ebba6d81ff776c16cd882bdfdb173de8
.data	0x761000	0x589000	5804032	1dfd8399757df8458bf1cde5c6694e6a24581696	92022bf655a5f0dda0f1e4687588b3e7
.rsrc	0xcea000	0x4ad8	19456	33c41d5dc4ea66ce576d906cf2e613d832e9bda9	f1f0b03cfa880c0ca90f9d0e9bdfe023
.idata	0xcef000	0x3000	12288	53420575c59773785a403cd119c19abc9c54ee2c	0b60376bf65fb636400e8ba44132735a
.edata	0xcf2000	0x1200	4608	21e4bda26b1b39d6733655aca125c2f3dfd0392c	46822c0cd404725d71c7441a076f7572
.NewIT	0xcf4000	0x200	512	344ea10bc2261e9a23478d506681bc5b56ce6fb5	4911bf421c71c030304a54daa2e827d7
.NewIT	0xcf5000	0x200	512	f53580bcbef907e1c7641a50067f019b45ec372f	356c6579f30d25d8ed60b64135df0da7
.NewIT	0xcf6000	0x200	512	5778332504d4f63ad07809429d2f94f7efc6f1f7	308fcf4325cee8fc490409c79d264f4b
.NewIT	0xcf7000	0x1200	4608	afd3d39ea3b7b69b8700dd9e672f4cd838f23839	7dd447f0a0319f5454d6c24d1b1414a4
.NewIT	0xcf9000	0x200	512	1bee8bc0d7bf5ad081746e33469d5948acee3870	a839aa0f4bc94755e7eef292e24fe8df
.NewIT	0xcfa000	0x200	512	94b13afeeb6ffdc2651b0b902c64e5ca21157b14	6e7a3130518588bd987b3579a769e998
.NewIT	0xcfb000	0x200	512	3215cbd7e12f16d49c02caacf6b90d515ab970cc	e91b95e1b1b043a6d1204550a773e6f9
.NewIT	0xcfc000	0x200	512	568ede179b13c350eea608af5529a23254065b46	6af8bad11e54c8d9b5aea1c9ed9b3d3a
.NewIT	0xcfd000	0x200	512	539fbb18b745f98298c1aaf3f09092f40a488c39	e499108c3c22877e863b1f13e30a0968
.NewIT	0xcfe000	0x200	512	575a0395653df831072b7420098c6fb1d0b3c1f1	564bfcad8b9602e35f31d8cdcc411a1b
.NewIT	0xcff000	0x200	512	c3145e855adf4fec1f5a6efdbb7ee2b244be6d27	2c0dccca25e9f203742cd0cbae2812c7
.NewIT	0xd00000	0x200	512	3373a8ead13f5bafc3d7099a82239fdea184dbe8	720b1cd3035582895e702179669ecf09
.NewIT	0xd01000	0x400	1024	5826f84c4c049583b008915b5513f4c49486c997	8ebc312fac9deb66746876d16926c4a3
.newimp	0xd02000	0x1000	4096	e8efb3692ea8c88f21105e8410a745ddfd96d38f	cc17126e304a009a32d0ba06df761d46
.NewIT	0xd03000	0x21ff	8704	a005b327b7314377a38fe99fec0f32ddb4b979c7	96e341bc502b5d0d084a090fa59e98d9
.enigma1	0xd06000	0x1000	25563136	3365da712c94658a08071f084d00074aeab6778c	f2778b86555a71940fd24e3551fabb86
.enigma2	0xd07000	0x46000	286720	df2a638a460c386497b394fc96b3aade21f27749	34ed7166689af1fcc37e2bacb1ae015c

PE Resources 5

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xcec0a0	9640	PE Resource: RT_ICON - Data (0` %e^hahbicicicjctokgjchchcickfmhnhpjqlrmrlokokokokokokoknj;A3""""""# """""## # # # # # $ $ $$$$ $ 5#k($ $"tpLCNFc]\U\U\U\T\T\SZSYQZRZSYQYQYQYQYPWPWPXPXOWOWNWNZQNF" MC81$b' 7;-4#`\|w aW?.D5D6F7F8G8H:I;I;H9QETIPCTHUHVIVKVKZNZOZNZO`Y# {w!j^ '" bW!QGOdp A0#%&&!%"-("$4 210'#! 5$1#7&V5UN&phqiumxpxy+-) (pv{)!# ]V$}G<-) 2sM>ka UL0YR3-) 1\|qg! :+/9LGTJ: $* 1z0! %WN&0hN& 1z(J:tk YQvuWM/ylc @/,<-B6K?=wEGMN=x.! (PG'o Y0pKw0G7}w ]VPLV9bFvh^ F7}?18. p 7p&GFt,! J@)USBgMFFs7D4b[~_NBre[G9})B50{eeo~wFiF?qE:RD0E:nTc-p>uoto\^KNT-&hK2e0r#\|w$so&*oq1ZvQvH[&iaa~KIG$GH;oW#6?x"!ONq@H; $lk[44pbKKvu~}L`r4Jjj>s]Q^a= 2O1 LD NOMMMMMNL{jZ822u]L,3= x1z1zGYi>wdB18,S.k]12m]Kk}`hZ83561L&74-gSxvwABd'2CcvQ$`wg>xdB0831bGxeS.09l_A}edbRQk}\|L?c_@1hZ8348.; H!J' BK _7)G[=xdB086,T3wopcjYZDesca<_F2C`}Z734910qR=%O+;-sD_H3<tbA087-@6,/\?A2QU6n`I67/694,bFnc+.7fVHSe9.8gMWVJ5888/4D)/F!`~`U?r\=260T-\D586+J%0-2YBr$;-L5YtM(17/D= 53-t][J/<sh/\|I)0/?FdI418?:9+0M.ObQ5/8fWJ=13S2{s+.5_NV{D'y,H-ikL+N4/B\|mSGG(+\|3LK".V<=m\<$+{_IZ=(n)leb;{EHR;3 ApT` !mqpx
RT_ACCELERATOR	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xcee648	8
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xcee650	62
RT_VERSION	LANG_KOREAN	SUBLANG_KOREAN	0xcee690	652	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO4v(#?StringFileInfo041204B0DFileDescriptionCABAL Online4FileVersion1.0.0.374,InternalNameSnakeL&LegalCopyrightCopyright (C) 2004<OriginalFilenameSnake.exeD$ProductNameSnake Application@ProductVersion1. 0. 0. 9000DVarFileInfo$Translation
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xcee91c	444	PE Resource: RT_MANIFEST - Data <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"> <ms_asmv2:security> <ms_asmv2:requestedPrivileges> <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"></ms_asmv2:requestedExecutionLevel> </ms_asmv2:requestedPrivileges> </ms_asmv2:security> </ms_asmv2:trustInfo> </assembly>

Meta infos 8

LegalCopyright:	Copyright (C) 2004
InternalName:	Snake
FileVersion:	1.0.0.374
FileDescription:	CABAL Online
Translation:	0x0412 0x04b0
ProductName:	Snake Application
OriginalFilename:	Snake.exe
ProductVersion:	1. 0. 0. 9000

Anti debug functions 3

GetLastError
RaiseException
UnhandledExceptionFilter

Anti debug functions 4

Virtual Box
VMware trick
VMCheck.dll
Bochs & QEmu CPUID Trick

Strings analysis - File found

Log
TempFileLog_%d.log
\Agreement.log
.log
RandomWarp.log
CabalError.log
Memory.log
Temporary
evb*.tmp
Data
>\mainEX.dat
maplink_%d.dat
%s\UI\Map\HField%02d.dat
%s\UserData\dlog.dat
\ui.dat
keymap_%d.dat
\usersetting.dat
ui_%d.dat
\mainex.dat
\main.dat
macrosay_%d.dat
XML
http://twitter.com/saved_searches/create.xml
http://twitter.com/saved_searches.xml
http://twitter.com/statuses/friends.xml
http://twitter.com/statuses/featured.xml
http://twitter.com/favorites.xml
http://twitter.com/friends/ids.xml
http://api.twitpic.com/1/uploadAndPost.xml
http://twitter.com/account/rate_limit_status.xml
StaticsInfo.xml
http://twitter.com/statuses/friends_timeline.xml
http://twitter.com/friendships/create.xml
http://twitter.com/account/end_session.xml
http://twitter.com/friendships/show.xml
http://twitter.com/statuses/mentions.xml
http://twitter.com/users/show.xml
http://twitter.com/direct_messages/new.xml
http://twitter.com/direct_messages/sent.xml
http://twitter.com/statuses/followers.xml
http://twitter.com/statuses/update.xml
http://twitter.com/account/verify_credentials.xml
http://twitter.com/statuses/public_timeline.xml
http://twitter.com/direct_messages.xml
http://twitter.com/friendships/destroy.xml
http://twitter.com/followers/ids.xml
http://twitter.com/statuses/user_timeline.xml
Database
'P.dB
Text
\CheckFileLog.txt
zeeLog.txt
1Hardware_Banlist.txt
internal.txt
GameGuard/Log.txt
StaticsInfo.txt
Library
DevUno.dll
d3dx10_43.dll
GilasCabal.dll
1zDisplay1.dll
d3d9.dll
api-ms-win-core-synch-l1-2-0.dll
D3DX10.dll
auom.dll
dbghelp.dll
atl90.dll
Codex.dll
mscoree.dll
d3dx11_43.dll
raw4d.dll
d3dx9_30.dll
Se7eN.dll
raw5d.dll
6thSe7eN.dll
ntdll.dll
USER32.dll
KERNEL32.dll
D3DX11.dll
zDisplay1.dll
zDisplay.dll
raw3d.dll
d3dx9_43.dll
D3DX9D.dll
rawHd.dll
test.dll
speedhack.dll
WS2_32.dll
Dll1.dll
SenpaiNicky.dll
d3dx9_31.dll
Libfiles.dll
macro.dll
D3DCompiler_43.dll
WININET.dll
hack-speed.dll
GDI32.dll
GameGuard/Minimizer.dll
CabalDiscordRPC.dll
ole32.dll
hackspeed.dll
api-ms-win-crt-runtime-l1-1-0.dll
speed_hack.dll
usp10.dll
neo.dll
fmodex.dll
OLEAUT32.dll
CheatEngine.dll
CabalDev.dll
shfolder.dll
api-ms-win-crt-time-l1-1-0.dll
xpva06.dll
ADVAPI32.dll
game.dll
unknown.dll
SHLWAPI.dll
bike.dll
IMM32.dll
Azura.dll
msvcp140.dll
SHELL32.dll
speed-hack.dll
c.e.dll
GameGuard.dll
XTrapVa.dll
IPHLPAPI.DLL
XPva03.dll
wpepro.dll
Glow.dll
DDRAW.dll
Cr4ck3r.dll
DINPUT8.dll
Skill_Passive.dll
*.dll
hack_speed.dll
d3d10.dll
dream.dll
urlmon.dll
cConfig.dll
WINMM.dll
api-ms-win-crt-stdio-l1-1-0.dll
System.dll
ViMD3DLib.dll
\imm32.dll
sxs.dll
custom.dll
RDR.dll
blau.dll
zDisplay2.dll
Engine.dll
Rework.dll
loaderx86.dll
custom_protected.dll
vcruntime140.dll
wpeprospy.dll
d3d9d.dll
MSVCRT.dll
PSAPI.DLL
WindowsCodecs.dll
smoll.dll
hack.dll
api-ms-win-crt-heap-l1-1-0.dll
VERSION.dll
Cheat.dll
d3d10_1.dll
Fd3dcompiler_43.dll
Web Page
Codex/ServerSideBan/Renew.php
http://localhost:8090/Codex/HackSplash/Splash.php

Strings analysis - Possible IPs found 4

1.0.0.1
211.115.86.66
139.99.88.173
121.14.13.139

Strings analysis - Possible URLs found 98

http://s.symcb.com/universal-root.crl0
http://twitter.com/friendships/show.xml
http://pki-ocsp.symauth.com0
http://twitter.com/direct_messages/sent.xml
http://www.microsoft.com/PKI/docs/CPS/default.htm0@
http://www.w3.org/2001/XMLSchema-instance
http://localhost:8090/Codex/HackSplash/Splash.php
http://twitter.com/statuses/friends_timeline.xml
http://www.cabal.co.kr/Helper/InsertHackingUserLog
http://www.cabal.co.kr/Helper/InsertSAS
http://twitter.com/account/end_session.xml
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
http://www.w3.org/2005/08/addressing
http://twitter.com/saved_searches/create.xml
http://www.cabal.co.kr/Helper/SetGmsLicenseAlertLog
http://www.cabal.co.kr/Helper/InsertHackingUserLog2
http://twitter.com/friendships/destroy.xml
http://api.twitter.com/oauth/access_token
http://twitter.com/friends/ids.xml
http://twitter.com/statuses/mentions.xml
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
http://sns.cabal.co.kr/board/InsertBoard
https://devblogs.microsoft.com/directx/
http://cabalclose/
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType
https://gilas-cabal.online/#!download
http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
https://d.symcb.com/cps0%
http://
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
http://www.w3.org/2003/05/soap-envelope/role/next
http://www.cabal.co.kr/Helper/CabalClientHelper.asmx
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0
http://twitter.com/saved_searches.xml
http://api.twitter.com/oauth/authorize
http://twitter.com/favorites/destroy/
http://search.twitter.com/search.atom
http://twitter.com/saved_searches/destroy/
http://schemas.xmlsoap.org/soap/actor/next
http://twitter.com/favorites.xml
http://www.cabal.co.kr/Helper/InsertRPTLog
http://twitter.com/statuses/public_timeline.xml
http://www.w3.org/2001/XMLSchema
http://twitter.com/friendships/create.xml
http://twitter.com/statuses/featured.xml
http://twitter.com/statuses/followers.xml
http://twitter.com/favorites/create/
http://twitter.com/blocks/destroy/
http://twitter.com/statuses/update.xml
http://schemas.xmlsoap.org/ws/2005/02/sc
http://www.w3.org/2003/05/soap-encoding
http://schemas.xmlsoap.org/soap/encoding/
http://twitter.com/saved_searches/show/
http://schemas.microsoft.com/Passport/SoapServices/PPCRL
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
https://www.facebook.com/antii93
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
http://crl.verisign.com/ThawteTimestampingCA.crl0
http://s.symcd.com06
http://twitter.com/statuses/friends.xml
http://icanhazip.com/
https://d.symcb.com/rpa0@
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
http://twitter.com/account/rate_limit_status.xml
https://api.twitter.com/oauth/access_token
https://d.symcb.com/rpa0.
http://api.twitter.com/oauth/request_token
http://www.w3.org/2003/05/soap-envelope
http://www.w3.org/
http://www.microsoft.com/pkiops/docs/primarycps.htm0@
http://twitter.com/followers/ids.xml
https://dsc.gg/GilasCabal
http://ts-ocsp.ws.symantec.com0;
http://twitter.com/direct_messages/new.xml
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
http://ocsp.verisign.com0
http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
http://twitter.com/statuses/show/
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
http://schemas.microsoft.com/LiveID/SoapServices/v1
http://schemas.xmlsoap.org/soap/envelope/
http://api.twitpic.com/1/uploadAndPost.xml
http://twitter.com/account/verify_credentials.xml
http://twitter.com/statuses/user_timeline.xml
http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
http://twitter.com/direct_messages.xml
http://twitter.com/users/show.xml
http://twitter.com/direct_messages/destroy/
http://schemas.xmlsoap.org/ws/2005/02/trust
http://twitter.com/statuses/destroy/
http://schemas.xmlsoap.org/ws/2004/09/policy
http://www.w3.org/2003/05/soap-rpc
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
http://twitter.com/blocks/create/
http://www.cabal.co.kr/Helper/

Import functions

kernel32.dll 154 SHFolder.dll 2 oleaut32.dll 13 advapi32.dll 4 ntdll.dll 5 ole32.dll 3 shlwapi.dll 1 user32.dll 16

Function	Address	Souspicious	Anti Debug
DeleteCriticalSection	0x1144168
LeaveCriticalSection	0x114416c
EnterCriticalSection	0x1144170
InitializeCriticalSection	0x1144174
VirtualFree	0x1144178
VirtualAlloc	0x114417c
LocalFree	0x1144180
LocalAlloc	0x1144184
GetTickCount	0x1144188
QueryPerformanceCounter	0x114418c
GetVersion	0x1144190
GetCurrentThreadId	0x1144194
InterlockedDecrement	0x1144198
InterlockedIncrement	0x114419c
VirtualQuery	0x11441a0
WideCharToMultiByte	0x11441a4
MultiByteToWideChar	0x11441a8
lstrlenA	0x11441ac
lstrcpynA	0x11441b0
LoadLibraryExA	0x11441b4
GetThreadLocale	0x11441b8
GetStartupInfoA	0x11441bc
GetProcAddress	0x11441c0
GetModuleHandleA	0x11441c4
GetModuleFileNameA	0x11441c8
GetLocaleInfoA	0x11441cc
GetCommandLineA	0x11441d0
FreeLibrary	0x11441d4
FindFirstFileA	0x11441d8
FindClose	0x11441dc
ExitProcess	0x11441e0
ExitThread	0x11441e4
WriteFile	0x11441e8
UnhandledExceptionFilter	0x11441ec
RtlUnwind	0x11441f0
RaiseException	0x11441f4
GetStdHandle	0x11441f8
TlsSetValue	0x1144234
TlsGetValue	0x1144238
TlsFree	0x114423c
TlsAlloc	0x1144240
LocalFree	0x1144244
LocalAlloc	0x1144248
WriteProcessMemory	0x1144258
WriteFile	0x114425c
WideCharToMultiByte	0x1144260
WaitForSingleObject	0x1144264
VirtualQuery	0x1144268
VirtualProtectEx	0x114426c
VirtualProtect	0x1144270
VirtualFree	0x1144274
VirtualAllocEx	0x1144278
VirtualAlloc	0x114427c
SystemTimeToFileTime	0x1144280
SizeofResource	0x1144284
SetThreadContext	0x1144288
SetLastError	0x114428c
SetFilePointer	0x1144290
SetFileAttributesW	0x1144294
SetFileAttributesA	0x1144298
SetEvent	0x114429c
SetErrorMode	0x11442a0
SetEndOfFile	0x11442a4
SetCurrentDirectoryW	0x11442a8
SetCurrentDirectoryA	0x11442ac
ResetEvent	0x11442b0
RemoveDirectoryW	0x11442b4
RemoveDirectoryA	0x11442b8
ReadProcessMemory	0x11442bc
ReadFile	0x11442c0
RaiseException	0x11442c4
QueryDosDeviceW	0x11442c8
PostQueuedCompletionStatus	0x11442cc
MultiByteToWideChar	0x11442d0
LockResource	0x11442d4
LoadResource	0x11442d8
LoadLibraryW	0x11442dc
LoadLibraryA	0x11442e0
LeaveCriticalSection	0x11442e4
IsBadWritePtr	0x11442e8
IsBadStringPtrW	0x11442ec
IsBadReadPtr	0x11442f0
InitializeCriticalSection	0x11442f4
GetWindowsDirectoryW	0x11442f8
GetWindowsDirectoryA	0x11442fc
GetVersionExA	0x1144300
GetVersion	0x1144304
GetThreadLocale	0x1144308
GetThreadContext	0x114430c
GetTempPathW	0x1144310
GetTempPathA	0x1144314
GetTempFileNameW	0x1144318
GetTempFileNameA	0x114431c
GetSystemDirectoryW	0x1144320
GetSystemDirectoryA	0x1144324
GetStringTypeExW	0x1144328
GetStringTypeExA	0x114432c
GetStdHandle	0x1144330
GetProcAddress	0x1144334
GetModuleHandleA	0x1144338
GetModuleFileNameW	0x114433c
GetModuleFileNameA	0x1144340
GetLogicalDriveStringsW	0x1144344
GetLocaleInfoW	0x1144348
GetLocaleInfoA	0x114434c
GetLocalTime	0x1144350
GetLastError	0x1144354
GetFullPathNameW	0x1144358
GetFullPathNameA	0x114435c
GetFileSize	0x1144360
GetFileAttributesW	0x1144364
GetFileAttributesA	0x1144368
GetDiskFreeSpaceA	0x114436c
GetDateFormatA	0x1144370
GetCurrentThreadId	0x1144374
GetCurrentProcessId	0x1144378
GetCurrentProcess	0x114437c
GetCurrentDirectoryW	0x1144380
GetCurrentDirectoryA	0x1144384
GetCPInfo	0x1144388
GetACP	0x114438c
FreeResource	0x1144390
FreeLibrary	0x1144394
FormatMessageA	0x1144398
FlushInstructionCache	0x114439c
FlushFileBuffers	0x11443a0
FindResourceW	0x11443a4
FindNextFileW	0x11443a8
FindNextFileA	0x11443ac
FindFirstFileW	0x11443b0
FindFirstFileA	0x11443b4
FindClose	0x11443b8
FileTimeToLocalFileTime	0x11443bc
FileTimeToDosDateTime	0x11443c0
ExitProcess	0x11443c4
EnumCalendarInfoA	0x11443c8
EnterCriticalSection	0x11443cc
DeleteFileW	0x11443d0
DeleteFileA	0x11443d4
DeleteCriticalSection	0x11443d8
CreateRemoteThread	0x11443dc
CreateFileW	0x11443e0
CreateFileA	0x11443e4
CreateEventA	0x11443e8
CreateDirectoryW	0x11443ec
CreateDirectoryA	0x11443f0
CompareStringW	0x11443f4
CompareStringA	0x11443f8
CloseHandle	0x11443fc
Sleep	0x1144438
CreateActCtxW	0x1144440
QueryDosDeviceW	0x1144444
GetModuleHandleA	0x1144448
GetProcAddress	0x114444c

Function	Address	Souspicious	Anti Debug
SHGetFolderPathW	0x11444a8
SHGetFolderPathA	0x11444ac

Function	Address	Souspicious	Anti Debug
SysFreeString	0x1144224
SysReAllocStringLen	0x1144228
SysAllocStringLen	0x114422c
GetErrorInfo	0x1144464
SysFreeString	0x1144468
SafeArrayPtrOfIndex	0x1144470
SafeArrayGetUBound	0x1144474
SafeArrayGetLBound	0x1144478
SafeArrayCreate	0x114447c
VariantChangeType	0x1144480
VariantCopy	0x1144484
VariantClear	0x1144488
VariantInit	0x114448c

Function	Address	Souspicious	Anti Debug
RegQueryValueExA	0x1144214
RegOpenKeyExA	0x1144218
RegCloseKey	0x114421c
RegOpenKeyA	0x1144250

Function	Address	Souspicious	Anti Debug
RtlInitUnicodeString	0x1144494
RtlFreeUnicodeString	0x1144498
RtlFormatCurrentUserKeyPath	0x114449c
RtlDosPathNameToNtPathName_U	0x11444a0
ZwProtectVirtualMemory	0x11444b4

Function	Address	Souspicious	Anti Debug
CreateStreamOnHGlobal	0x1144454
CoUninitialize	0x1144458
CoInitialize	0x114445c

Function	Address	Souspicious	Anti Debug
PathMatchSpecW	0x11444bc

Function	Address	Souspicious	Anti Debug
GetKeyboardType	0x1144200
LoadStringA	0x1144204
MessageBoxA	0x1144208
CharNextA	0x114420c
MessageBoxW	0x1144404
MessageBoxA	0x1144408
LoadStringA	0x114440c
GetSystemMetrics	0x1144410
CharUpperBuffW	0x1144414
CharUpperW	0x1144418
CharLowerBuffW	0x114441c
CharLowerW	0x1144420
CharNextA	0x1144424
CharLowerA	0x1144428
CharUpperA	0x114442c
CharToOemA	0x1144430

PE Exports 1 suspicious

Function	Address
fcEXP	0xa0d850