AA_v3.exe

First submission 2024-10-16 17:54:03 Last sumbission 2024-10-18 04:57:03

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	782.12 KB (800888 bytes)
Compile time:	2020-03-15 13:46:43
MD5:	390ddaff20160396e7490b239b4cad9b
SHA1:	44c10c691fc2639b3436abe8dc25542ff5a73067
SHA256:	357230056c30b4d7a7d697114d3d90ddc9a13dcb174a9a6d1f74c950e5bcd570
Import Hash :	6659a18bc9d4bed93b5b952214262347
Sections 4	.text .rdata .data .rsrc
Directories 3	import resource security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	54/76 VT report date: 2024-10-14 05:19:15
Malware Type 3	hacktool trojan pua
Threat Type 3	ammyy ammyyadmin deamv

URLs, FQDN and IP indicators 2

URL	Host (FQDN/IP)	Date Added
hXXp://artemka.spb.ru/AA_v3.exe	artemka.spb.ru	2024-10-18 04:57:09
hXXp://178.130.39.138/AA_v3.exe	178.130.39.138	2024-10-16 17:54:03

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x8718a	557056	b266113d457022382c4e0aa4f47bd9ad4772505e	93ad55f505e0a74dcd68b7d5dbf86218
.rdata	0x89000	0x1979e	106496	f288571a7b4e6e327e79f57eabad9c25099e3ccd	11cb44a391a5a990c4c881cfa5a3cb2a
.data	0xa3000	0x1ad90	81920	a50e1a6ba29c6f58179b01485be61f599a370142	0d66141168e17f4a47a82f764805b966
.rsrc	0xbe000	0xa648	45056	cb89a66921a23f46f609a150fd37a592e25087c1	2ff37c4dfb41e162965966c2dd39eeb5

PE Resources 11

Name	Language	Sublanguage	Offset	Size	Data
BINARY	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xc48c0	1
RT_CURSOR	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xc6068	308
RT_BITMAP	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xc5638	1194	PE Resource: RT_BITMAP - Data (VJVJVJVJVJVJVJ!=B;g;g;g;g;g99=B=;g;g;g;g;g/%9F=/%;g;g;g;g;g5F9F/%/%;g;g;g;g;g;g;guNgsBF/%/%w6wF/%/%/%/%V{"u_F/%VVV"""CF/%\|o\|o\|o"""""""""&F/%VVV{+&&&&&&&&&&""F/%\|o\|o\|o"/+++++++++'C3F/%VVV733`/ +@+@/@/@/@+OF/%\|o\|o\|owb;`/7gF/%VVVVVVVVV{GK{F/%VVVVVVVVV[kowUJ!TJ!
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xc37e8	4264	PE Resource: RT_ICON - Data ( @ 1?LRdrxVMaekqvuI4y{npdhZ]IL[_aPSPRKNGJBE9=~\|F /{}!eca.1YWZ#!h97xXVg%!'!'"'"(#(#("'&,1RP%$rxFJ%(%($($(!{yc)'l&$kb20v#""(!'!'"'"'!&%),1XV/-yb_b%(%($($("uxd(n(o%#n/-u!39!(!'!'"(#().05XV/-{A%($($(#'$bee)'o(q'$o(&rrw!"&+'-(-.449XV/-}&%($($("' #X\bhige 'DJ"+1.4398=XV/-~$'$($("'"%CGq#FL(/$<A>CWW.-&)$'$($("'&&+5:KPQWW]]`af\`\bSY"+2%${~]b).38XW.-79 #$($(#("'!&$""""###'+3074;29$6<04ZX--{EG $($($)%)$)&+'-0+1-3/507193;4;6=8?;A>D18$^bPO.-e_a'+(,)-.487;495;4:5:5;6=7=7?9@;B=D?F?DCITYCH%KK.-=-0-1.304CF8==C9>280639;ACIGMELAGAGAGSXeiVZBGfjJI.-1526387;:?gj~_dFL/6AFU[glRW;AvzSR-, !$598;9=;@AEqtB?^\geusTXRWW\AGqvPS"'ZY-,/27:=@>B@DHLW[j rssnU^a(.DH-2UW^aYX-,EG7:BFDGEHNRMQ$!q)'x+)z+)\|vT>C.4OTdhru`cYX-,vWX79ILILILW[NS,v'%v(z({ux:@49VYimimhjtwcgYX-,Stu25OROQMQ`cRV:8~#!u(z({"!x76#\`koloknlompy}fjYX-,-UWTWSVadORVTp+)z({)}vlk=AqulpoqpsrurujlYX,+ORAD^`[]^aSUjmo%#v+)\|*)}xRP;?uxrusvuxxzx{moVU==-0UVdgachj<?86russvNR{}wzy\|{~}}rtON<E(+^`lnjlgi26tvxv:?xz}}tv[57WYuwwytvGJDFilpr_b>CqubdATV@Bfhxz~fh_bhjQTKvwSTSUUWrtJMlM~STQSX[npsvGHe%H~{}giVXWYYZde6/\M?
RT_MENU	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xbea00	250
RT_DIALOG	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xc0860	156
RT_GROUP_CURSOR	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xc61a0	20
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xc4890	48
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xc5ae8	736	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO ?@StringFileInfo040904b0Comments4 CompanyNameAmmyy LLC@FileDescriptionAmmyy Admin(FileVersion3.98InternalNameAmmyy Admin$LegalCopyright(LegalTrademarks(OriginalFilename PrivateBuild8ProductNameAmmyy Admin,ProductVersion3.9 SpecialBuildDVarFileInfo$Translation
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xc0910	1474	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity name="Ammyy" processorArchitecture="x86" version="1.0.0.1" type="win32"/> <description>Ammyy Admin</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"> <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>True/PM</dpiAware> </asmv3:windowsSettings> </asmv3:application> <compat:compatibility xmlns:compat="urn:schemas-microsoft-com:compatibility.v1"> <compat:application> <compat:supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></compat:supportedOS> <compat:supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></compat:supportedOS> <compat:supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></compat:supportedOS> <compat:supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></compat:supportedOS> <compat:supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></compat:supportedOS> </compat:application> </compat:compatibility> </assembly>
None	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xc0900	11

Meta infos 13

LegalCopyright:
InternalName:	Ammyy Admin
FileVersion:	3.9
FileDescription:	Ammyy Admin
SpecialBuild:
CompanyName:	Ammyy LLC
LegalTrademarks:
Comments:
ProductName:	Ammyy Admin
ProductVersion:	3.9
PrivateBuild:
Translation:	0x0409 0x04b0
OriginalFilename:

Packers detected 3

Microsoft Visual C++ v6.0
Microsoft Visual C++ 5.0
Microsoft Visual C++

Anti debug functions 7

FindWindowA
FindWindowW
GetLastError
GetWindowThreadProcessId
Process32First
Process32Next
TerminateProcess

Anti debug functions 1

VMCheck.dll

File signature

MD5	SHA1	Block size	Virtual Address
a0b57baec9c3ff3000cfd714e456c32a	cabe482153b0ebb735b9e3c8692ea3bee67f6b18	6264	794624

Strings analysis - File found

Binary
Ammyy_Contact_Book.bin
*.bin
contacts3.bin
_tmp\AMMYY_Admin.bin
settings3.bin
settings.bin
contacts.bin
sessions.bin
Log
eAMMYY_service.log
ammyy.log
ammyy_id.log
Temporary
%sAmmyy_%X.tmp
Object
hhctrl.ocx
Data
%u-%u-%u-%u.dat
Library
W\winsta.dll
Shcore.dll
ewmsgapi.dll
ADVAPI32.dll
SHLWAPI.dll
dwmapi.dll
WTSAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
COMCTL32.dll
secur32.dll
WININET.dll
USER32.dll
USERENV.dll
SETUPAPI.dll
GDI32.dll
KERNEL32.dll
DSOUND.dll
COMDLG32.dll
IPHLPAPI.DLL

Strings analysis - Possible IPs found 2

1.0.0.1
127.0.0.1

Strings analysis - Possible URLs found 17

http://www.ammyy.com/?lang=
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://ts-ocsp.ws.symantec.com07
http://ocsp.sectigo.com0
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
https://sectigo.com/CPS0C
http://ocsp.thawte.com0
http://www.ammyy.com/
http://ocsp.usertrust.com0
http://www.ammyy.com
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://rl.ammyy.com
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

Import functions

SETUPAPI.dll 5 COMCTL32.dll 12 comdlg32.dll 2 iphlpapi.dll 1 WININET.dll 8 GDI32.dll 44 ADVAPI32.dll 39 KERNEL32.dll 123 MSVCRT.dll 101 Secur32.dll 6 SHELL32.dll 12 DSOUND.dll 4 SHLWAPI.dll 1 WS2_32.dll 27 USER32.dll 165 USERENV.dll 2

Function	Address	Souspicious	Anti Debug
SetupDiDestroyDeviceInfoList	0x489524
SetupDiEnumDeviceInfo	0x489528
SetupDiGetClassDevsA	0x48952c
SetupDiClassGuidsFromNameA	0x489530
SetupDiGetDeviceRegistryPropertyA	0x489534

Function	Address	Souspicious	Anti Debug
CreateToolbarEx	0x4890a0
ImageList_Create	0x4890a4
ImageList_Draw	0x4890a8
ImageList_Destroy	0x4890ac
None	0x4890b0
ImageList_GetIconSize	0x4890b4
ImageList_ReplaceIcon	0x4890b8
ImageList_Add	0x4890bc
ImageList_Duplicate	0x4890c0
_TrackMouseEvent	0x4890c4
CreatePropertySheetPageW	0x4890c8
PropertySheetW	0x4890cc

Function	Address	Souspicious	Anti Debug
GetOpenFileNameW	0x4898cc
GetSaveFileNameW	0x4898d0

Function	Address	Souspicious	Anti Debug
GetAdaptersInfo	0x4898d8

Function	Address	Souspicious	Anti Debug
HttpSendRequestA	0x489838
HttpQueryInfoA	0x48983c
InternetConnectA	0x489840
InternetSetOptionA	0x489844
InternetCloseHandle	0x489848
InternetReadFile	0x48984c
InternetOpenA	0x489850
HttpOpenRequestA	0x489854

Function	Address	Souspicious	Anti Debug
SetStretchBltMode	0x4890e8
LineTo	0x4890ec
MoveToEx	0x4890f0
Ellipse	0x4890f4
GetDIBits	0x4890f8
CreateCompatibleBitmap	0x4890fc
RealizePalette	0x489100
SelectPalette	0x489104
CreatePalette	0x489108
GetSystemPaletteEntries	0x48910c
GdiFlush	0x489110
CombineRgn	0x489114
StretchBlt	0x489118
CreateDIBitmap	0x48911c
DeleteDC	0x489120
SetBkMode	0x489124
SelectObject	0x489128
CreateCompatibleDC	0x48912c
CreatePatternBrush	0x489130
GetBitmapBits	0x489134
GetObjectA	0x489138
BitBlt	0x48913c
CreateFontIndirectA	0x489140
DPtoLP	0x489144
CreateRectRgn	0x489148
ExtTextOutA	0x48914c
CreateDIBSection	0x489150
SetBitmapBits	0x489154
CreateRectRgnIndirect	0x489158
SelectClipRgn	0x48915c
TextOutW	0x489160
SetTextAlign	0x489164
SetBrushOrgEx	0x489168
ExtTextOutW	0x48916c
SetTextColor	0x489170
SetBkColor	0x489174
GetTextExtentPoint32W	0x489178
CreateFontA	0x48917c
CreateFontIndirectW	0x489180
GetStockObject	0x489184
GetRegionData	0x489188
CreateSolidBrush	0x48918c
DeleteObject	0x489190
GetDeviceCaps	0x489194

Function	Address	Souspicious	Anti Debug
ConvertSidToStringSidA	0x489000
GetTokenInformation	0x489004
OpenProcessToken	0x489008
RegCloseKey	0x48900c
RegQueryValueExA	0x489010
RegOpenKeyExA	0x489014
FreeSid	0x489018
SetFileSecurityW	0x48901c
SetSecurityDescriptorDacl	0x489020
InitializeSecurityDescriptor	0x489024
AllocateAndInitializeSid	0x489028
ImpersonateLoggedOnUser	0x48902c
RevertToSelf	0x489030
GetUserNameA	0x489034
StartServiceCtrlDispatcherW	0x489038
RegisterServiceCtrlHandlerExA	0x48903c
SetServiceStatus	0x489040
SetTokenInformation	0x489044
DuplicateTokenEx	0x489048
CreateProcessAsUserW	0x48904c
QueryServiceStatus	0x489050
CloseServiceHandle	0x489054
OpenServiceA	0x489058
OpenSCManagerA	0x48905c
CreateServiceW	0x489060
DeleteService	0x489064
ControlService	0x489068
StartServiceA	0x48906c
StartServiceW	0x489070
RegCreateKeyExA	0x489074
RegQueryValueExW	0x489078
RegSetValueExW	0x48907c
RegSetValueExA	0x489080
RegDeleteKeyA	0x489084
RegDeleteValueW	0x489088
RegCreateKeyExW	0x48908c
RegEnumKeyExW	0x489090
RegOpenKeyExW	0x489094
SetEntriesInAclA	0x489098

Function	Address	Souspicious	Anti Debug
SizeofResource	0x48919c
LoadResource	0x4891a0
LockResource	0x4891a4
GetLocalTime	0x4891a8
TryEnterCriticalSection	0x4891ac
LeaveCriticalSection	0x4891b0
EnterCriticalSection	0x4891b4
DeleteCriticalSection	0x4891b8
InitializeCriticalSection	0x4891bc
SetFileTime	0x4891c0
GetFileTime	0x4891c4
OpenMutexA	0x4891c8
CreateMutexA	0x4891cc
FindResourceExA	0x4891d0
SetEvent	0x4891d4
OpenEventA	0x4891d8
CreateEventA	0x4891dc
ExitProcess	0x4891e0
SetUnhandledExceptionFilter	0x4891e4
GetSystemDirectoryA	0x4891e8
CompareFileTime	0x4891ec
GetSystemTimeAsFileTime	0x4891f0
GetSystemDirectoryW	0x4891f4
lstrcatW	0x4891f8
FileTimeToSystemTime	0x4891fc
WaitNamedPipeW	0x489200
ReadFile	0x489204
SetLastError	0x489208
GetExitCodeProcess	0x48920c
WaitForSingleObject	0x489210
BeginUpdateResourceW	0x489214
EndUpdateResourceW	0x489218
UpdateResourceA	0x48921c
CreateThread	0x489220
OpenProcess	0x489224
CreateToolhelp32Snapshot	0x489228
Process32First	0x48922c
Process32Next	0x489230
LoadLibraryA	0x489234
FreeLibrary	0x489238
GetFileSize	0x48923c
SetFilePointer	0x489240
WriteFile	0x489244
GetFileAttributesW	0x489248
lstrcmpiW	0x48924c
lstrcmpW	0x489250
MulDiv	0x489254
FormatMessageW	0x489258
MultiByteToWideChar	0x48925c
WideCharToMultiByte	0x489260
GetModuleFileNameW	0x489264
GetComputerNameA	0x489268
LocalAlloc	0x48926c
GetExitCodeThread	0x489270
SystemTimeToFileTime	0x489274
MoveFileW	0x489278
DeleteFileW	0x48927c
GetTempPathW	0x489280
CreateFileW	0x489284
FindFirstFileW	0x489288
FindClose	0x48928c
GetUserDefaultUILanguage	0x489290
GetLocaleInfoA	0x489294
CreateDirectoryW	0x489298
SetCurrentDirectoryW	0x48929c
GetStartupInfoW	0x4892a0
CreateProcessW	0x4892a4
GetModuleHandleA	0x4892a8
GetProcAddress	0x4892ac
SetProcessShutdownParameters	0x4892b0
GetVersionExA	0x4892b4
GetCurrentProcess	0x4892b8
LocalFree	0x4892bc
GetCurrentThreadId	0x4892c0
CloseHandle	0x4892c4
DeviceIoControl	0x4892c8
CreateFileA	0x4892cc
GetLastError	0x4892d0
GetCurrentProcessId	0x4892d4
Sleep	0x4892d8
GetTickCount	0x4892dc
QueryPerformanceFrequency	0x4892e0
QueryPerformanceCounter	0x4892e4
InterlockedIncrement	0x4892e8
InterlockedDecrement	0x4892ec
lstrlenA	0x4892f0
lstrlenW	0x4892f4
TerminateProcess	0x4892f8
SystemTimeToTzSpecificLocalTime	0x4892fc
GetFileSizeEx	0x489300
SetEndOfFile	0x489304
SetFilePointerEx	0x489308
GlobalUnlock	0x48930c
GlobalLock	0x489310
GlobalAlloc	0x489314
GetDriveTypeW	0x489318
RemoveDirectoryW	0x48931c
FindNextFileW	0x489320
SetFileAttributesW	0x489324
GetLogicalDrives	0x489328
ProcessIdToSessionId	0x48932c
SleepEx	0x489330
CreateDirectoryA	0x489334
DeleteFileA	0x489338
GlobalFree	0x48933c
IsBadReadPtr	0x489340
lstrcmpA	0x489344
LocalFileTimeToFileTime	0x489348
LoadLibraryW	0x48934c
lstrcpyA	0x489350
GetCurrentDirectoryA	0x489354
FindResourceA	0x489358
DuplicateHandle	0x48935c
CreateSemaphoreA	0x489360
SetThreadPriority	0x489364
TlsSetValue	0x489368
GetCurrentThread	0x48936c
TlsAlloc	0x489370
ResumeThread	0x489374
TlsGetValue	0x489378
InterlockedExchange	0x48937c
GetStartupInfoA	0x489380
ResetEvent	0x489384

Function	Address	Souspicious	Anti Debug
_strnicmp	0x48938c
_strupr	0x489390
_strlwr	0x489394
_wcsicmp	0x489398
strchr	0x48939c
_controlfp	0x4893a0
_iob	0x4893a4
__set_app_type	0x4893a8
__p__fmode	0x4893ac
__p__commode	0x4893b0
_adjust_fdiv	0x4893b4
__setusermatherr	0x4893b8
_initterm	0x4893bc
__getmainargs	0x4893c0
_acmdln	0x4893c4
_XcptFilter	0x4893c8
__CxxFrameHandler	0x4893cc
strlen	0x4893d0
isspace	0x4893d4
memchr	0x4893d8
_errno	0x4893dc
strtol	0x4893e0
isdigit	0x4893e4
strstr	0x4893e8
memcpy	0x4893ec
??2@YAPAXI@Z	0x4893f0
_purecall	0x4893f4
free	0x4893f8
memset	0x4893fc
malloc	0x489400
sprintf	0x489404
printf	0x489408
fwrite	0x48940c
srand	0x489410
time	0x489414
_CxxThrowException	0x489418
rand	0x48941c
atol	0x489420
memcmp	0x489424
isprint	0x489428
tolower	0x48942c
strncpy	0x489430
_stricmp	0x489434
wcslen	0x489438
atoi	0x48943c
abs	0x489440
wcscpy	0x489444
strcmp	0x489448
strcpy	0x48944c
iswspace	0x489450
wcsncmp	0x489454
_wtoi	0x489458
_ultow	0x48945c
wcschr	0x489460
_stat	0x489464
swprintf	0x489468
_ftol	0x48946c
strcat	0x489470
strtoul	0x489474
calloc	0x489478
_rotl	0x48947c
_rotr	0x489480
fopen	0x489484
fread	0x489488
fclose	0x48948c
fseek	0x489490
ftell	0x489494
fflush	0x489498
wcsncpy	0x48949c
wcsrchr	0x4894a0
vsprintf	0x4894a4
memmove	0x4894a8
strrchr	0x4894ac
strncmp	0x4894b0
mbstowcs	0x4894b4
wcscmp	0x4894b8
wcsstr	0x4894bc
vswprintf	0x4894c0
iswdigit	0x4894c4
_beginthreadex	0x4894c8
_endthreadex	0x4894cc
cos	0x4894d0
floor	0x4894d4
sin	0x4894d8
atof	0x4894dc
_i64tow	0x4894e0
wcscat	0x4894e4
realloc	0x4894e8
exit	0x4894ec
fprintf	0x4894f0
sscanf	0x4894f4
getenv	0x4894f8
fputc	0x4894fc
_CIpow	0x489500
_CIacos	0x489504
??1type_info@@UAE@XZ	0x489508
__dllonexit	0x48950c
_onexit	0x489510
_except_handler3	0x489514
?terminate@@YAXXZ	0x489518
_exit	0x48951c

Function	Address	Souspicious	Anti Debug
FreeCredentialsHandle	0x489578
InitializeSecurityContextA	0x48957c
QuerySecurityPackageInfoA	0x489580
AcquireCredentialsHandleA	0x489584
FreeContextBuffer	0x489588
CompleteAuthToken	0x48958c

Function	Address	Souspicious	Anti Debug
SHBrowseForFolderW	0x48953c
SHGetPathFromIDListW	0x489540
ShellExecuteA	0x489544
SHGetMalloc	0x489548
SHGetFolderPathW	0x48954c
SHGetFolderPathA	0x489550
ShellExecuteExW	0x489554
SHGetFileInfoW	0x489558
ShellExecuteW	0x48955c
None	0x489560
SHGetSpecialFolderPathW	0x489564
Shell_NotifyIconA	0x489568

Function	Address	Souspicious	Anti Debug
None	0x4890d4
None	0x4890d8
None	0x4890dc
None	0x4890e0

Function	Address	Souspicious	Anti Debug
PathGetDriveNumberA	0x489570

Function	Address	Souspicious	Anti Debug
WSAGetLastError	0x48985c
send	0x489860
recv	0x489864
select	0x489868
WSAStartup	0x48986c
getpeername	0x489870
getservbyport	0x489874
ntohs	0x489878
gethostbyaddr	0x48987c
gethostbyname	0x489880
inet_addr	0x489884
getservbyname	0x489888
htonl	0x48988c
inet_ntoa	0x489890
WSAIoctl	0x489894
connect	0x489898
accept	0x48989c
htons	0x4898a0
bind	0x4898a4
listen	0x4898a8
socket	0x4898ac
__WSAFDIsSet	0x4898b0
shutdown	0x4898b4
setsockopt	0x4898b8
ioctlsocket	0x4898bc
WSACleanup	0x4898c0
closesocket	0x4898c4

Function	Address	Souspicious	Anti Debug
LoadIconA	0x489594
FindWindowA	0x489598
OpenDesktopA	0x48959c
SendMessageTimeoutA	0x4895a0
IntersectRect	0x4895a4
IsWindowVisible	0x4895a8
EqualRect	0x4895ac
EnumDisplaySettingsExW	0x4895b0
EnumDisplayDevicesW	0x4895b4
GetCursorInfo	0x4895b8
OpenInputDesktop	0x4895bc
CloseDesktop	0x4895c0
GetUserObjectInformationA	0x4895c4
GetThreadDesktop	0x4895c8
GetClipboardData	0x4895cc
OpenClipboard	0x4895d0
EmptyClipboard	0x4895d4
CloseClipboard	0x4895d8
SetClipboardData	0x4895dc
RegisterClassExA	0x4895e0
PeekMessageA	0x4895e4
MsgWaitForMultipleObjects	0x4895e8
MapVirtualKeyW	0x4895ec
SendInput	0x4895f0
LockWorkStation	0x4895f4
SetThreadDesktop	0x4895f8
SetDlgItemTextA	0x4895fc
SetDlgItemInt	0x489600
CallNextHookEx	0x489604
SetWindowsHookExA	0x489608
UnhookWindowsHookEx	0x48960c
DestroyAcceleratorTable	0x489610
TranslateAcceleratorA	0x489614
CreateAcceleratorTableA	0x489618
SetWindowTextA	0x48961c
ReleaseCapture	0x489620
SetCapture	0x489624
GetAsyncKeyState	0x489628
SwitchToThisWindow	0x48962c
SendMessageA	0x489630
FindWindowW	0x489634
MessageBoxA	0x489638
ShowWindow	0x48963c
wsprintfA	0x489640
RegisterClassExW	0x489644
DestroyCursor	0x489648
MessageBeep	0x48964c
wsprintfW	0x489650
SetCursorPos	0x489654
ShowWindowAsync	0x489658
GetClipboardOwner	0x48965c
GetWindowDC	0x489660
SetScrollInfo	0x489664
GetWindow	0x489668
WindowFromPoint	0x48966c
SetClassLongW	0x489670
ChangeClipboardChain	0x489674
ReleaseDC	0x489678
GetDC	0x48967c
DestroyIcon	0x489680
LoadImageA	0x489684
GetIconInfo	0x489688
EnableWindow	0x48968c
SetDlgItemTextW	0x489690
DestroyWindow	0x489694
SetWindowPos	0x489698
MapWindowPoints	0x48969c
InsertMenuItemW	0x4896a0
InsertMenuItemA	0x4896a4
EnumWindows	0x4896a8
GetClassNameA	0x4896ac
GetWindowTextA	0x4896b0
KillTimer	0x4896b4
GetWindowLongW	0x4896b8
PostMessageA	0x4896bc
DrawTextW	0x4896c0
SetRect	0x4896c4
ShowScrollBar	0x4896c8
IsIconic	0x4896cc
ScrollWindowEx	0x4896d0
AdjustWindowRectEx	0x4896d4
GetMenuState	0x4896d8
GetWindowPlacement	0x4896dc
SetWindowPlacement	0x4896e0
GetSysColorBrush	0x4896e4
AppendMenuW	0x4896e8
SetClipboardViewer	0x4896ec
DrawTextA	0x4896f0
EndDialog	0x4896f4
CreateDialogParamW	0x4896f8
DialogBoxParamA	0x4896fc
CallWindowProcW	0x489700
CallWindowProcA	0x489704
DefWindowProcA	0x489708
IsWindowUnicode	0x48970c
GetSystemMenu	0x489710
RedrawWindow	0x489714
ScreenToClient	0x489718
DrawStateA	0x48971c
DrawEdge	0x489720
GetClientRect	0x489724
CreateWindowExA	0x489728
IsWindow	0x48972c
GetParent	0x489730
GetWindowLongA	0x489734
MonitorFromWindow	0x489738
GetMonitorInfoW	0x48973c
EnumDisplaySettingsW	0x489740
GetForegroundWindow	0x489744
GetWindowThreadProcessId	0x489748
AttachThreadInput	0x48974c
SetActiveWindow	0x489750
SetCursor	0x489754
SetTimer	0x489758
PostThreadMessageA	0x48975c
MoveWindow	0x489760
BeginPaint	0x489764
EndPaint	0x489768
GetDlgItemInt	0x48976c
SendDlgItemMessageA	0x489770
MapDialogRect	0x489774
SetWindowLongA	0x489778
ClientToScreen	0x48977c
LoadCursorA	0x489780
RegisterClassW	0x489784
CreateWindowExW	0x489788
SetWindowLongW	0x48978c
GetMessageA	0x489790
IsDialogMessageA	0x489794
TranslateMessage	0x489798
DispatchMessageA	0x48979c
SetWindowTextW	0x4897a0
SetMenu	0x4897a4
LoadMenuA	0x4897a8
GetMenuItemInfoA	0x4897ac
SetMenuItemInfoA	0x4897b0
GetSubMenu	0x4897b4
SetMenuItemInfoW	0x4897b8
GetMenuItemID	0x4897bc
EnableMenuItem	0x4897c0
GetMenuItemCount	0x4897c4
CheckMenuItem	0x4897c8
GetKeyState	0x4897cc
InvalidateRect	0x4897d0
UpdateWindow	0x4897d4
SetForegroundWindow	0x4897d8
SetFocus	0x4897dc
GetFocus	0x4897e0
PostQuitMessage	0x4897e4
DefWindowProcW	0x4897e8
CreatePopupMenu	0x4897ec
GetCursorPos	0x4897f0
TrackPopupMenu	0x4897f4
GetSysColor	0x4897f8
GetSystemMetrics	0x4897fc
GetMenuItemInfoW	0x489800
DrawMenuBar	0x489804
AppendMenuA	0x489808
SystemParametersInfoW	0x48980c
DestroyMenu	0x489810
GetDlgItem	0x489814
MessageBoxW	0x489818
SendMessageW	0x48981c
GetWindowRect	0x489820
SystemParametersInfoA	0x489824

Function	Address	Souspicious	Anti Debug
LoadUserProfileA	0x48982c
UnloadUserProfile	0x489830