paladin316

Exes_7d50f7081b905e6c4fdbfad3a0dc2605_exe_2019-06-24_06_30.json

Jun 24th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 2.8
  5.  
  6. [*] File Name: "Exes_7d50f7081b905e6c4fdbfad3a0dc2605.exe"
  7. [*] File Size: 277808
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive"
  9. [*] SHA256: "cf8c607146506b9711269912856909a03f019817bd7ca4dadf73046e6ebcd1c8"
  10. [*] MD5: "7d50f7081b905e6c4fdbfad3a0dc2605"
  11. [*] SHA1: "7f40788f57760fd65aa07b6904cb9bd307de7f8b"
  12. [*] SHA512: "08dfdf434c5660b257d4b9dabcd80c6ac7f96bc3bb07e7b8a81421bf0985f7b893808ef8e6470aba8ab61df369956c26d590216273ec92cac16ac82e3234b8c3"
  13. [*] CRC32: "E5F5EE37"
  14. [*] SSDEEP: "6144:L5FK1ZNXq0y7sC2QHr9nWgdf9O9No0aYIKoe1gsm3:jKzNTyH5ntdEvoNY1gn3"
  15.  
  16. [*] Process Execution: [
  17. "Exes_7d50f7081b905e6c4fdbfad3a0dc2605.exe"
  18. ]
  19.  
  20. [*] Signatures Detected: [
  21. {
  22. "Description": "Creates RWX memory",
  23. "Details": []
  24. },
  25. {
  26. "Description": "Reads data out of its own binary image",
  27. "Details": [
  28. {
  29. "self_read": "process: Exes_7d50f7081b905e6c4fdbfad3a0dc2605.exe, pid: 3060, offset: 0x00000000, length: 0x00043d2c"
  30. },
  31. {
  32. "self_read": "process: Exes_7d50f7081b905e6c4fdbfad3a0dc2605.exe, pid: 3060, offset: 0x00008c1c, length: 0x0003b114"
  33. }
  34. ]
  35. },
  36. {
  37. "Description": "Installs itself for autorun at Windows startup",
  38. "Details": [
  39. {
  40. "file": "C:\\Windows\\win.ini"
  41. },
  42. {
  43. "file": "C:\\Windows\\win.ini"
  44. }
  45. ]
  46. }
  47. ]
  48.  
  49. [*] Started Service: []
  50.  
  51. [*] Executed Commands: []
  52.  
  53. [*] Mutexes: [
  54. "OpenMetaverseInstaller"
  55. ]
  56.  
  57. [*] Modified Files: [
  58. "C:\\Users\\user\\AppData\\Local\\Temp\\nsiDBE5.tmp",
  59. "C:\\Users\\user\\AppData\\Local\\Temp\\GetStartedStoreLogo.scale-100.png",
  60. "C:\\Users\\user\\AppData\\Local\\Temp\\OFFREL.DLL",
  61. "C:\\Users\\user\\AppData\\Local\\Temp\\prod-pgm.vpx",
  62. "C:\\Users\\user\\AppData\\Local\\Temp\\Tamarau",
  63. "C:\\Users\\user\\AppData\\Local\\Temp\\enamellists.dll",
  64. "C:\\Users\\user\\AppData\\Local\\Temp\\nsxDC43.tmp\\System.dll",
  65. "C:\\Users\\user\\AppData\\Local\\Temp\\nsxDC43.tmp\\Splash.dll",
  66. "C:\\Windows\\win.ini"
  67. ]
  68.  
  69. [*] Deleted Files: [
  70. "C:\\Users\\user\\AppData\\Local\\Temp\\nssDBD4.tmp",
  71. "C:\\Users\\user\\AppData\\Local\\Temp\\nsxDC43.tmp"
  72. ]
  73.  
  74. [*] Modified Registry Keys: []
  75.  
  76. [*] Deleted Registry Keys: []
  77.  
  78. [*] DNS Communications: []
  79.  
  80. [*] Domains: []
  81.  
  82. [*] Network Communication - ICMP: []
  83.  
  84. [*] Network Communication - HTTP: []
  85.  
  86. [*] Network Communication - SMTP: []
  87.  
  88. [*] Network Communication - Hosts: []
  89.  
  90. [*] Network Communication - IRC: []
  91.  
  92. [*] Static Analysis: {
  93. "pe": {
  94. "peid_signatures": null,
  95. "imports": [
  96. {
  97. "imports": [
  98. {
  99. "name": "SetEnvironmentVariableA",
  100. "address": "0x408070"
  101. },
  102. {
  103. "name": "CreateFileA",
  104. "address": "0x408074"
  105. },
  106. {
  107. "name": "GetFileSize",
  108. "address": "0x408078"
  109. },
  110. {
  111. "name": "GetModuleFileNameA",
  112. "address": "0x40807c"
  113. },
  114. {
  115. "name": "ReadFile",
  116. "address": "0x408080"
  117. },
  118. {
  119. "name": "GetCurrentProcess",
  120. "address": "0x408084"
  121. },
  122. {
  123. "name": "CopyFileA",
  124. "address": "0x408088"
  125. },
  126. {
  127. "name": "Sleep",
  128. "address": "0x40808c"
  129. },
  130. {
  131. "name": "GetTickCount",
  132. "address": "0x408090"
  133. },
  134. {
  135. "name": "GetWindowsDirectoryA",
  136. "address": "0x408094"
  137. },
  138. {
  139. "name": "GetTempPathA",
  140. "address": "0x408098"
  141. },
  142. {
  143. "name": "GetCommandLineA",
  144. "address": "0x40809c"
  145. },
  146. {
  147. "name": "lstrlenA",
  148. "address": "0x4080a0"
  149. },
  150. {
  151. "name": "GetVersion",
  152. "address": "0x4080a4"
  153. },
  154. {
  155. "name": "SetErrorMode",
  156. "address": "0x4080a8"
  157. },
  158. {
  159. "name": "lstrcpynA",
  160. "address": "0x4080ac"
  161. },
  162. {
  163. "name": "ExitProcess",
  164. "address": "0x4080b0"
  165. },
  166. {
  167. "name": "SetCurrentDirectoryA",
  168. "address": "0x4080b4"
  169. },
  170. {
  171. "name": "GlobalLock",
  172. "address": "0x4080b8"
  173. },
  174. {
  175. "name": "CreateThread",
  176. "address": "0x4080bc"
  177. },
  178. {
  179. "name": "GetLastError",
  180. "address": "0x4080c0"
  181. },
  182. {
  183. "name": "CreateDirectoryA",
  184. "address": "0x4080c4"
  185. },
  186. {
  187. "name": "CreateProcessA",
  188. "address": "0x4080c8"
  189. },
  190. {
  191. "name": "RemoveDirectoryA",
  192. "address": "0x4080cc"
  193. },
  194. {
  195. "name": "GetTempFileNameA",
  196. "address": "0x4080d0"
  197. },
  198. {
  199. "name": "WriteFile",
  200. "address": "0x4080d4"
  201. },
  202. {
  203. "name": "lstrcpyA",
  204. "address": "0x4080d8"
  205. },
  206. {
  207. "name": "MoveFileExA",
  208. "address": "0x4080dc"
  209. },
  210. {
  211. "name": "lstrcatA",
  212. "address": "0x4080e0"
  213. },
  214. {
  215. "name": "GetSystemDirectoryA",
  216. "address": "0x4080e4"
  217. },
  218. {
  219. "name": "GetProcAddress",
  220. "address": "0x4080e8"
  221. },
  222. {
  223. "name": "GetExitCodeProcess",
  224. "address": "0x4080ec"
  225. },
  226. {
  227. "name": "WaitForSingleObject",
  228. "address": "0x4080f0"
  229. },
  230. {
  231. "name": "CompareFileTime",
  232. "address": "0x4080f4"
  233. },
  234. {
  235. "name": "SetFileAttributesA",
  236. "address": "0x4080f8"
  237. },
  238. {
  239. "name": "GetFileAttributesA",
  240. "address": "0x4080fc"
  241. },
  242. {
  243. "name": "GetShortPathNameA",
  244. "address": "0x408100"
  245. },
  246. {
  247. "name": "MoveFileA",
  248. "address": "0x408104"
  249. },
  250. {
  251. "name": "GetFullPathNameA",
  252. "address": "0x408108"
  253. },
  254. {
  255. "name": "SetFileTime",
  256. "address": "0x40810c"
  257. },
  258. {
  259. "name": "SearchPathA",
  260. "address": "0x408110"
  261. },
  262. {
  263. "name": "CloseHandle",
  264. "address": "0x408114"
  265. },
  266. {
  267. "name": "lstrcmpiA",
  268. "address": "0x408118"
  269. },
  270. {
  271. "name": "GlobalUnlock",
  272. "address": "0x40811c"
  273. },
  274. {
  275. "name": "GetDiskFreeSpaceA",
  276. "address": "0x408120"
  277. },
  278. {
  279. "name": "lstrcmpA",
  280. "address": "0x408124"
  281. },
  282. {
  283. "name": "FindFirstFileA",
  284. "address": "0x408128"
  285. },
  286. {
  287. "name": "FindNextFileA",
  288. "address": "0x40812c"
  289. },
  290. {
  291. "name": "DeleteFileA",
  292. "address": "0x408130"
  293. },
  294. {
  295. "name": "SetFilePointer",
  296. "address": "0x408134"
  297. },
  298. {
  299. "name": "GetPrivateProfileStringA",
  300. "address": "0x408138"
  301. },
  302. {
  303. "name": "FindClose",
  304. "address": "0x40813c"
  305. },
  306. {
  307. "name": "MultiByteToWideChar",
  308. "address": "0x408140"
  309. },
  310. {
  311. "name": "FreeLibrary",
  312. "address": "0x408144"
  313. },
  314. {
  315. "name": "MulDiv",
  316. "address": "0x408148"
  317. },
  318. {
  319. "name": "WritePrivateProfileStringA",
  320. "address": "0x40814c"
  321. },
  322. {
  323. "name": "LoadLibraryExA",
  324. "address": "0x408150"
  325. },
  326. {
  327. "name": "GetModuleHandleA",
  328. "address": "0x408154"
  329. },
  330. {
  331. "name": "GlobalAlloc",
  332. "address": "0x408158"
  333. },
  334. {
  335. "name": "GlobalFree",
  336. "address": "0x40815c"
  337. },
  338. {
  339. "name": "ExpandEnvironmentStringsA",
  340. "address": "0x408160"
  341. }
  342. ],
  343. "dll": "KERNEL32.dll"
  344. },
  345. {
  346. "imports": [
  347. {
  348. "name": "ScreenToClient",
  349. "address": "0x408184"
  350. },
  351. {
  352. "name": "GetSystemMenu",
  353. "address": "0x408188"
  354. },
  355. {
  356. "name": "SetClassLongA",
  357. "address": "0x40818c"
  358. },
  359. {
  360. "name": "IsWindowEnabled",
  361. "address": "0x408190"
  362. },
  363. {
  364. "name": "SetWindowPos",
  365. "address": "0x408194"
  366. },
  367. {
  368. "name": "GetSysColor",
  369. "address": "0x408198"
  370. },
  371. {
  372. "name": "GetWindowLongA",
  373. "address": "0x40819c"
  374. },
  375. {
  376. "name": "SetCursor",
  377. "address": "0x4081a0"
  378. },
  379. {
  380. "name": "LoadCursorA",
  381. "address": "0x4081a4"
  382. },
  383. {
  384. "name": "CheckDlgButton",
  385. "address": "0x4081a8"
  386. },
  387. {
  388. "name": "GetMessagePos",
  389. "address": "0x4081ac"
  390. },
  391. {
  392. "name": "LoadBitmapA",
  393. "address": "0x4081b0"
  394. },
  395. {
  396. "name": "CallWindowProcA",
  397. "address": "0x4081b4"
  398. },
  399. {
  400. "name": "IsWindowVisible",
  401. "address": "0x4081b8"
  402. },
  403. {
  404. "name": "CloseClipboard",
  405. "address": "0x4081bc"
  406. },
  407. {
  408. "name": "SetClipboardData",
  409. "address": "0x4081c0"
  410. },
  411. {
  412. "name": "EmptyClipboard",
  413. "address": "0x4081c4"
  414. },
  415. {
  416. "name": "PostQuitMessage",
  417. "address": "0x4081c8"
  418. },
  419. {
  420. "name": "GetWindowRect",
  421. "address": "0x4081cc"
  422. },
  423. {
  424. "name": "EnableMenuItem",
  425. "address": "0x4081d0"
  426. },
  427. {
  428. "name": "CreatePopupMenu",
  429. "address": "0x4081d4"
  430. },
  431. {
  432. "name": "GetSystemMetrics",
  433. "address": "0x4081d8"
  434. },
  435. {
  436. "name": "SetDlgItemTextA",
  437. "address": "0x4081dc"
  438. },
  439. {
  440. "name": "GetDlgItemTextA",
  441. "address": "0x4081e0"
  442. },
  443. {
  444. "name": "MessageBoxIndirectA",
  445. "address": "0x4081e4"
  446. },
  447. {
  448. "name": "CharPrevA",
  449. "address": "0x4081e8"
  450. },
  451. {
  452. "name": "DispatchMessageA",
  453. "address": "0x4081ec"
  454. },
  455. {
  456. "name": "PeekMessageA",
  457. "address": "0x4081f0"
  458. },
  459. {
  460. "name": "ReleaseDC",
  461. "address": "0x4081f4"
  462. },
  463. {
  464. "name": "EnableWindow",
  465. "address": "0x4081f8"
  466. },
  467. {
  468. "name": "InvalidateRect",
  469. "address": "0x4081fc"
  470. },
  471. {
  472. "name": "SendMessageA",
  473. "address": "0x408200"
  474. },
  475. {
  476. "name": "DefWindowProcA",
  477. "address": "0x408204"
  478. },
  479. {
  480. "name": "BeginPaint",
  481. "address": "0x408208"
  482. },
  483. {
  484. "name": "GetClientRect",
  485. "address": "0x40820c"
  486. },
  487. {
  488. "name": "FillRect",
  489. "address": "0x408210"
  490. },
  491. {
  492. "name": "DrawTextA",
  493. "address": "0x408214"
  494. },
  495. {
  496. "name": "EndDialog",
  497. "address": "0x408218"
  498. },
  499. {
  500. "name": "RegisterClassA",
  501. "address": "0x40821c"
  502. },
  503. {
  504. "name": "SystemParametersInfoA",
  505. "address": "0x408220"
  506. },
  507. {
  508. "name": "CreateWindowExA",
  509. "address": "0x408224"
  510. },
  511. {
  512. "name": "GetClassInfoA",
  513. "address": "0x408228"
  514. },
  515. {
  516. "name": "DialogBoxParamA",
  517. "address": "0x40822c"
  518. },
  519. {
  520. "name": "CharNextA",
  521. "address": "0x408230"
  522. },
  523. {
  524. "name": "ExitWindowsEx",
  525. "address": "0x408234"
  526. },
  527. {
  528. "name": "GetDC",
  529. "address": "0x408238"
  530. },
  531. {
  532. "name": "CreateDialogParamA",
  533. "address": "0x40823c"
  534. },
  535. {
  536. "name": "SetTimer",
  537. "address": "0x408240"
  538. },
  539. {
  540. "name": "GetDlgItem",
  541. "address": "0x408244"
  542. },
  543. {
  544. "name": "SetWindowLongA",
  545. "address": "0x408248"
  546. },
  547. {
  548. "name": "SetForegroundWindow",
  549. "address": "0x40824c"
  550. },
  551. {
  552. "name": "LoadImageA",
  553. "address": "0x408250"
  554. },
  555. {
  556. "name": "IsWindow",
  557. "address": "0x408254"
  558. },
  559. {
  560. "name": "SendMessageTimeoutA",
  561. "address": "0x408258"
  562. },
  563. {
  564. "name": "FindWindowExA",
  565. "address": "0x40825c"
  566. },
  567. {
  568. "name": "OpenClipboard",
  569. "address": "0x408260"
  570. },
  571. {
  572. "name": "TrackPopupMenu",
  573. "address": "0x408264"
  574. },
  575. {
  576. "name": "AppendMenuA",
  577. "address": "0x408268"
  578. },
  579. {
  580. "name": "EndPaint",
  581. "address": "0x40826c"
  582. },
  583. {
  584. "name": "DestroyWindow",
  585. "address": "0x408270"
  586. },
  587. {
  588. "name": "wsprintfA",
  589. "address": "0x408274"
  590. },
  591. {
  592. "name": "ShowWindow",
  593. "address": "0x408278"
  594. },
  595. {
  596. "name": "SetWindowTextA",
  597. "address": "0x40827c"
  598. }
  599. ],
  600. "dll": "USER32.dll"
  601. },
  602. {
  603. "imports": [
  604. {
  605. "name": "SelectObject",
  606. "address": "0x40804c"
  607. },
  608. {
  609. "name": "SetBkMode",
  610. "address": "0x408050"
  611. },
  612. {
  613. "name": "CreateFontIndirectA",
  614. "address": "0x408054"
  615. },
  616. {
  617. "name": "SetTextColor",
  618. "address": "0x408058"
  619. },
  620. {
  621. "name": "DeleteObject",
  622. "address": "0x40805c"
  623. },
  624. {
  625. "name": "GetDeviceCaps",
  626. "address": "0x408060"
  627. },
  628. {
  629. "name": "CreateBrushIndirect",
  630. "address": "0x408064"
  631. },
  632. {
  633. "name": "SetBkColor",
  634. "address": "0x408068"
  635. }
  636. ],
  637. "dll": "GDI32.dll"
  638. },
  639. {
  640. "imports": [
  641. {
  642. "name": "SHGetSpecialFolderLocation",
  643. "address": "0x408168"
  644. },
  645. {
  646. "name": "ShellExecuteExA",
  647. "address": "0x40816c"
  648. },
  649. {
  650. "name": "SHGetPathFromIDListA",
  651. "address": "0x408170"
  652. },
  653. {
  654. "name": "SHBrowseForFolderA",
  655. "address": "0x408174"
  656. },
  657. {
  658. "name": "SHGetFileInfoA",
  659. "address": "0x408178"
  660. },
  661. {
  662. "name": "SHFileOperationA",
  663. "address": "0x40817c"
  664. }
  665. ],
  666. "dll": "SHELL32.dll"
  667. },
  668. {
  669. "imports": [
  670. {
  671. "name": "AdjustTokenPrivileges",
  672. "address": "0x408000"
  673. },
  674. {
  675. "name": "RegCreateKeyExA",
  676. "address": "0x408004"
  677. },
  678. {
  679. "name": "RegOpenKeyExA",
  680. "address": "0x408008"
  681. },
  682. {
  683. "name": "SetFileSecurityA",
  684. "address": "0x40800c"
  685. },
  686. {
  687. "name": "OpenProcessToken",
  688. "address": "0x408010"
  689. },
  690. {
  691. "name": "LookupPrivilegeValueA",
  692. "address": "0x408014"
  693. },
  694. {
  695. "name": "RegEnumValueA",
  696. "address": "0x408018"
  697. },
  698. {
  699. "name": "RegDeleteKeyA",
  700. "address": "0x40801c"
  701. },
  702. {
  703. "name": "RegDeleteValueA",
  704. "address": "0x408020"
  705. },
  706. {
  707. "name": "RegCloseKey",
  708. "address": "0x408024"
  709. },
  710. {
  711. "name": "RegSetValueExA",
  712. "address": "0x408028"
  713. },
  714. {
  715. "name": "RegQueryValueExA",
  716. "address": "0x40802c"
  717. },
  718. {
  719. "name": "RegEnumKeyA",
  720. "address": "0x408030"
  721. }
  722. ],
  723. "dll": "ADVAPI32.dll"
  724. },
  725. {
  726. "imports": [
  727. {
  728. "name": "ImageList_Create",
  729. "address": "0x408038"
  730. },
  731. {
  732. "name": "ImageList_AddMasked",
  733. "address": "0x40803c"
  734. },
  735. {
  736. "name": "ImageList_Destroy",
  737. "address": "0x408040"
  738. },
  739. {
  740. "name": null,
  741. "address": "0x408044"
  742. }
  743. ],
  744. "dll": "COMCTL32.dll"
  745. },
  746. {
  747. "imports": [
  748. {
  749. "name": "OleUninitialize",
  750. "address": "0x408284"
  751. },
  752. {
  753. "name": "OleInitialize",
  754. "address": "0x408288"
  755. },
  756. {
  757. "name": "CoTaskMemFree",
  758. "address": "0x40828c"
  759. },
  760. {
  761. "name": "CoCreateInstance",
  762. "address": "0x408290"
  763. }
  764. ],
  765. "dll": "ole32.dll"
  766. }
  767. ],
  768. "digital_signers": null,
  769. "exported_dll_name": null,
  770. "actual_checksum": "0x00045498",
  771. "overlay": {
  772. "size": "0x0003b130",
  773. "offset": "0x00008c00"
  774. },
  775. "imagebase": "0x00400000",
  776. "reported_checksum": "0x00000000",
  777. "icon_hash": null,
  778. "entrypoint": "0x00403328",
  779. "timestamp": "2018-12-15 22:24:32",
  780. "osversion": "4.0",
  781. "sections": [
  782. {
  783. "name": ".text",
  784. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  785. "virtual_address": "0x00001000",
  786. "size_of_data": "0x00006200",
  787. "entropy": "6.40",
  788. "raw_address": "0x00000400",
  789. "virtual_size": "0x00006077",
  790. "characteristics_raw": "0x60000020"
  791. },
  792. {
  793. "name": ".rdata",
  794. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  795. "virtual_address": "0x00008000",
  796. "size_of_data": "0x00001400",
  797. "entropy": "5.04",
  798. "raw_address": "0x00006600",
  799. "virtual_size": "0x00001250",
  800. "characteristics_raw": "0x40000040"
  801. },
  802. {
  803. "name": ".data",
  804. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  805. "virtual_address": "0x0000a000",
  806. "size_of_data": "0x00000400",
  807. "entropy": "5.22",
  808. "raw_address": "0x00007a00",
  809. "virtual_size": "0x0001a838",
  810. "characteristics_raw": "0xc0000040"
  811. },
  812. {
  813. "name": ".ndata",
  814. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  815. "virtual_address": "0x00025000",
  816. "size_of_data": "0x00000000",
  817. "entropy": "0.00",
  818. "raw_address": "0x00000000",
  819. "virtual_size": "0x00008000",
  820. "characteristics_raw": "0xc0000080"
  821. },
  822. {
  823. "name": ".rsrc",
  824. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  825. "virtual_address": "0x0002d000",
  826. "size_of_data": "0x00000e00",
  827. "entropy": "4.13",
  828. "raw_address": "0x00007e00",
  829. "virtual_size": "0x00000cc0",
  830. "characteristics_raw": "0x40000040"
  831. }
  832. ],
  833. "resources": [],
  834. "dirents": [
  835. {
  836. "virtual_address": "0x00000000",
  837. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  838. "size": "0x00000000"
  839. },
  840. {
  841. "virtual_address": "0x00008430",
  842. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  843. "size": "0x000000a0"
  844. },
  845. {
  846. "virtual_address": "0x0002d000",
  847. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  848. "size": "0x00000cc0"
  849. },
  850. {
  851. "virtual_address": "0x00000000",
  852. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  853. "size": "0x00000000"
  854. },
  855. {
  856. "virtual_address": "0x00000000",
  857. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  858. "size": "0x00000000"
  859. },
  860. {
  861. "virtual_address": "0x00000000",
  862. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  863. "size": "0x00000000"
  864. },
  865. {
  866. "virtual_address": "0x00000000",
  867. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  868. "size": "0x00000000"
  869. },
  870. {
  871. "virtual_address": "0x00000000",
  872. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  873. "size": "0x00000000"
  874. },
  875. {
  876. "virtual_address": "0x00000000",
  877. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  878. "size": "0x00000000"
  879. },
  880. {
  881. "virtual_address": "0x00000000",
  882. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  883. "size": "0x00000000"
  884. },
  885. {
  886. "virtual_address": "0x00000000",
  887. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  888. "size": "0x00000000"
  889. },
  890. {
  891. "virtual_address": "0x00000000",
  892. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  893. "size": "0x00000000"
  894. },
  895. {
  896. "virtual_address": "0x00008000",
  897. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  898. "size": "0x00000298"
  899. },
  900. {
  901. "virtual_address": "0x00000000",
  902. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  903. "size": "0x00000000"
  904. },
  905. {
  906. "virtual_address": "0x00000000",
  907. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  908. "size": "0x00000000"
  909. },
  910. {
  911. "virtual_address": "0x00000000",
  912. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  913. "size": "0x00000000"
  914. }
  915. ],
  916. "exports": [],
  917. "guest_signers": {},
  918. "imphash": "57e98d9a5a72c8d7ad8fb7a6a58b3daf",
  919. "icon_fuzzy": null,
  920. "icon": null,
  921. "pdbpath": null,
  922. "imported_dll_count": 7,
  923. "versioninfo": []
  924. }
  925. }
  926.  
  927. [*] Resolved APIs: [
  928. "version.dll.GetFileVersionInfoA",
  929. "shfolder.dll.SHGetFolderPathA",
  930. "shlwapi.dll.#437",
  931. "cryptbase.dll.SystemFunction036",
  932. "uxtheme.dll.ThemeInitApiHook",
  933. "user32.dll.IsProcessDPIAware",
  934. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  935. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  936. "comctl32.dll.#386",
  937. "kernel32.dll.GetUserDefaultUILanguage",
  938. "shell32.dll.#680",
  939. "system.dll.Alloc",
  940. "system.dll.Call",
  941. "splash.dll.show",
  942. "kernel32.dll.CreateMutexA",
  943. "enamellists.dll.q",
  944. "kernel32.dll.VirtualAlloc",
  945. "kernel32.dll.CloseHandle",
  946. "kernel32.dll.GetFileSize",
  947. "kernel32.dll.GlobalAlloc",
  948. "kernel32.dll.ReadFile",
  949. "kernel32.dll.CreateFileA",
  950. "kernel32.dll.LoadLibraryA",
  951. "user32.dll.MessageBoxA",
  952. "user32.dll.DialogBoxIndirectParamA",
  953. "advapi32.dll.CryptDecrypt",
  954. "kernel32.dll.GetCurrentDirectoryA",
  955. "kernel32.dll.SetThreadPriorityBoost",
  956. "kernel32.dll.WriteProfileStringA",
  957. "kernel32.dll.SwitchToThread",
  958. "kernel32.dll.GetCurrentProcessId",
  959. "kernel32.dll.GetTimeZoneInformation",
  960. "cryptsp.dll.CryptDecrypt"
  961. ]
  962.  
  963. [*] Static Analysis: {
  964. "pe": {
  965. "peid_signatures": null,
  966. "imports": [
  967. {
  968. "imports": [
  969. {
  970. "name": "SetEnvironmentVariableA",
  971. "address": "0x408070"
  972. },
  973. {
  974. "name": "CreateFileA",
  975. "address": "0x408074"
  976. },
  977. {
  978. "name": "GetFileSize",
  979. "address": "0x408078"
  980. },
  981. {
  982. "name": "GetModuleFileNameA",
  983. "address": "0x40807c"
  984. },
  985. {
  986. "name": "ReadFile",
  987. "address": "0x408080"
  988. },
  989. {
  990. "name": "GetCurrentProcess",
  991. "address": "0x408084"
  992. },
  993. {
  994. "name": "CopyFileA",
  995. "address": "0x408088"
  996. },
  997. {
  998. "name": "Sleep",
  999. "address": "0x40808c"
  1000. },
  1001. {
  1002. "name": "GetTickCount",
  1003. "address": "0x408090"
  1004. },
  1005. {
  1006. "name": "GetWindowsDirectoryA",
  1007. "address": "0x408094"
  1008. },
  1009. {
  1010. "name": "GetTempPathA",
  1011. "address": "0x408098"
  1012. },
  1013. {
  1014. "name": "GetCommandLineA",
  1015. "address": "0x40809c"
  1016. },
  1017. {
  1018. "name": "lstrlenA",
  1019. "address": "0x4080a0"
  1020. },
  1021. {
  1022. "name": "GetVersion",
  1023. "address": "0x4080a4"
  1024. },
  1025. {
  1026. "name": "SetErrorMode",
  1027. "address": "0x4080a8"
  1028. },
  1029. {
  1030. "name": "lstrcpynA",
  1031. "address": "0x4080ac"
  1032. },
  1033. {
  1034. "name": "ExitProcess",
  1035. "address": "0x4080b0"
  1036. },
  1037. {
  1038. "name": "SetCurrentDirectoryA",
  1039. "address": "0x4080b4"
  1040. },
  1041. {
  1042. "name": "GlobalLock",
  1043. "address": "0x4080b8"
  1044. },
  1045. {
  1046. "name": "CreateThread",
  1047. "address": "0x4080bc"
  1048. },
  1049. {
  1050. "name": "GetLastError",
  1051. "address": "0x4080c0"
  1052. },
  1053. {
  1054. "name": "CreateDirectoryA",
  1055. "address": "0x4080c4"
  1056. },
  1057. {
  1058. "name": "CreateProcessA",
  1059. "address": "0x4080c8"
  1060. },
  1061. {
  1062. "name": "RemoveDirectoryA",
  1063. "address": "0x4080cc"
  1064. },
  1065. {
  1066. "name": "GetTempFileNameA",
  1067. "address": "0x4080d0"
  1068. },
  1069. {
  1070. "name": "WriteFile",
  1071. "address": "0x4080d4"
  1072. },
  1073. {
  1074. "name": "lstrcpyA",
  1075. "address": "0x4080d8"
  1076. },
  1077. {
  1078. "name": "MoveFileExA",
  1079. "address": "0x4080dc"
  1080. },
  1081. {
  1082. "name": "lstrcatA",
  1083. "address": "0x4080e0"
  1084. },
  1085. {
  1086. "name": "GetSystemDirectoryA",
  1087. "address": "0x4080e4"
  1088. },
  1089. {
  1090. "name": "GetProcAddress",
  1091. "address": "0x4080e8"
  1092. },
  1093. {
  1094. "name": "GetExitCodeProcess",
  1095. "address": "0x4080ec"
  1096. },
  1097. {
  1098. "name": "WaitForSingleObject",
  1099. "address": "0x4080f0"
  1100. },
  1101. {
  1102. "name": "CompareFileTime",
  1103. "address": "0x4080f4"
  1104. },
  1105. {
  1106. "name": "SetFileAttributesA",
  1107. "address": "0x4080f8"
  1108. },
  1109. {
  1110. "name": "GetFileAttributesA",
  1111. "address": "0x4080fc"
  1112. },
  1113. {
  1114. "name": "GetShortPathNameA",
  1115. "address": "0x408100"
  1116. },
  1117. {
  1118. "name": "MoveFileA",
  1119. "address": "0x408104"
  1120. },
  1121. {
  1122. "name": "GetFullPathNameA",
  1123. "address": "0x408108"
  1124. },
  1125. {
  1126. "name": "SetFileTime",
  1127. "address": "0x40810c"
  1128. },
  1129. {
  1130. "name": "SearchPathA",
  1131. "address": "0x408110"
  1132. },
  1133. {
  1134. "name": "CloseHandle",
  1135. "address": "0x408114"
  1136. },
  1137. {
  1138. "name": "lstrcmpiA",
  1139. "address": "0x408118"
  1140. },
  1141. {
  1142. "name": "GlobalUnlock",
  1143. "address": "0x40811c"
  1144. },
  1145. {
  1146. "name": "GetDiskFreeSpaceA",
  1147. "address": "0x408120"
  1148. },
  1149. {
  1150. "name": "lstrcmpA",
  1151. "address": "0x408124"
  1152. },
  1153. {
  1154. "name": "FindFirstFileA",
  1155. "address": "0x408128"
  1156. },
  1157. {
  1158. "name": "FindNextFileA",
  1159. "address": "0x40812c"
  1160. },
  1161. {
  1162. "name": "DeleteFileA",
  1163. "address": "0x408130"
  1164. },
  1165. {
  1166. "name": "SetFilePointer",
  1167. "address": "0x408134"
  1168. },
  1169. {
  1170. "name": "GetPrivateProfileStringA",
  1171. "address": "0x408138"
  1172. },
  1173. {
  1174. "name": "FindClose",
  1175. "address": "0x40813c"
  1176. },
  1177. {
  1178. "name": "MultiByteToWideChar",
  1179. "address": "0x408140"
  1180. },
  1181. {
  1182. "name": "FreeLibrary",
  1183. "address": "0x408144"
  1184. },
  1185. {
  1186. "name": "MulDiv",
  1187. "address": "0x408148"
  1188. },
  1189. {
  1190. "name": "WritePrivateProfileStringA",
  1191. "address": "0x40814c"
  1192. },
  1193. {
  1194. "name": "LoadLibraryExA",
  1195. "address": "0x408150"
  1196. },
  1197. {
  1198. "name": "GetModuleHandleA",
  1199. "address": "0x408154"
  1200. },
  1201. {
  1202. "name": "GlobalAlloc",
  1203. "address": "0x408158"
  1204. },
  1205. {
  1206. "name": "GlobalFree",
  1207. "address": "0x40815c"
  1208. },
  1209. {
  1210. "name": "ExpandEnvironmentStringsA",
  1211. "address": "0x408160"
  1212. }
  1213. ],
  1214. "dll": "KERNEL32.dll"
  1215. },
  1216. {
  1217. "imports": [
  1218. {
  1219. "name": "ScreenToClient",
  1220. "address": "0x408184"
  1221. },
  1222. {
  1223. "name": "GetSystemMenu",
  1224. "address": "0x408188"
  1225. },
  1226. {
  1227. "name": "SetClassLongA",
  1228. "address": "0x40818c"
  1229. },
  1230. {
  1231. "name": "IsWindowEnabled",
  1232. "address": "0x408190"
  1233. },
  1234. {
  1235. "name": "SetWindowPos",
  1236. "address": "0x408194"
  1237. },
  1238. {
  1239. "name": "GetSysColor",
  1240. "address": "0x408198"
  1241. },
  1242. {
  1243. "name": "GetWindowLongA",
  1244. "address": "0x40819c"
  1245. },
  1246. {
  1247. "name": "SetCursor",
  1248. "address": "0x4081a0"
  1249. },
  1250. {
  1251. "name": "LoadCursorA",
  1252. "address": "0x4081a4"
  1253. },
  1254. {
  1255. "name": "CheckDlgButton",
  1256. "address": "0x4081a8"
  1257. },
  1258. {
  1259. "name": "GetMessagePos",
  1260. "address": "0x4081ac"
  1261. },
  1262. {
  1263. "name": "LoadBitmapA",
  1264. "address": "0x4081b0"
  1265. },
  1266. {
  1267. "name": "CallWindowProcA",
  1268. "address": "0x4081b4"
  1269. },
  1270. {
  1271. "name": "IsWindowVisible",
  1272. "address": "0x4081b8"
  1273. },
  1274. {
  1275. "name": "CloseClipboard",
  1276. "address": "0x4081bc"
  1277. },
  1278. {
  1279. "name": "SetClipboardData",
  1280. "address": "0x4081c0"
  1281. },
  1282. {
  1283. "name": "EmptyClipboard",
  1284. "address": "0x4081c4"
  1285. },
  1286. {
  1287. "name": "PostQuitMessage",
  1288. "address": "0x4081c8"
  1289. },
  1290. {
  1291. "name": "GetWindowRect",
  1292. "address": "0x4081cc"
  1293. },
  1294. {
  1295. "name": "EnableMenuItem",
  1296. "address": "0x4081d0"
  1297. },
  1298. {
  1299. "name": "CreatePopupMenu",
  1300. "address": "0x4081d4"
  1301. },
  1302. {
  1303. "name": "GetSystemMetrics",
  1304. "address": "0x4081d8"
  1305. },
  1306. {
  1307. "name": "SetDlgItemTextA",
  1308. "address": "0x4081dc"
  1309. },
  1310. {
  1311. "name": "GetDlgItemTextA",
  1312. "address": "0x4081e0"
  1313. },
  1314. {
  1315. "name": "MessageBoxIndirectA",
  1316. "address": "0x4081e4"
  1317. },
  1318. {
  1319. "name": "CharPrevA",
  1320. "address": "0x4081e8"
  1321. },
  1322. {
  1323. "name": "DispatchMessageA",
  1324. "address": "0x4081ec"
  1325. },
  1326. {
  1327. "name": "PeekMessageA",
  1328. "address": "0x4081f0"
  1329. },
  1330. {
  1331. "name": "ReleaseDC",
  1332. "address": "0x4081f4"
  1333. },
  1334. {
  1335. "name": "EnableWindow",
  1336. "address": "0x4081f8"
  1337. },
  1338. {
  1339. "name": "InvalidateRect",
  1340. "address": "0x4081fc"
  1341. },
  1342. {
  1343. "name": "SendMessageA",
  1344. "address": "0x408200"
  1345. },
  1346. {
  1347. "name": "DefWindowProcA",
  1348. "address": "0x408204"
  1349. },
  1350. {
  1351. "name": "BeginPaint",
  1352. "address": "0x408208"
  1353. },
  1354. {
  1355. "name": "GetClientRect",
  1356. "address": "0x40820c"
  1357. },
  1358. {
  1359. "name": "FillRect",
  1360. "address": "0x408210"
  1361. },
  1362. {
  1363. "name": "DrawTextA",
  1364. "address": "0x408214"
  1365. },
  1366. {
  1367. "name": "EndDialog",
  1368. "address": "0x408218"
  1369. },
  1370. {
  1371. "name": "RegisterClassA",
  1372. "address": "0x40821c"
  1373. },
  1374. {
  1375. "name": "SystemParametersInfoA",
  1376. "address": "0x408220"
  1377. },
  1378. {
  1379. "name": "CreateWindowExA",
  1380. "address": "0x408224"
  1381. },
  1382. {
  1383. "name": "GetClassInfoA",
  1384. "address": "0x408228"
  1385. },
  1386. {
  1387. "name": "DialogBoxParamA",
  1388. "address": "0x40822c"
  1389. },
  1390. {
  1391. "name": "CharNextA",
  1392. "address": "0x408230"
  1393. },
  1394. {
  1395. "name": "ExitWindowsEx",
  1396. "address": "0x408234"
  1397. },
  1398. {
  1399. "name": "GetDC",
  1400. "address": "0x408238"
  1401. },
  1402. {
  1403. "name": "CreateDialogParamA",
  1404. "address": "0x40823c"
  1405. },
  1406. {
  1407. "name": "SetTimer",
  1408. "address": "0x408240"
  1409. },
  1410. {
  1411. "name": "GetDlgItem",
  1412. "address": "0x408244"
  1413. },
  1414. {
  1415. "name": "SetWindowLongA",
  1416. "address": "0x408248"
  1417. },
  1418. {
  1419. "name": "SetForegroundWindow",
  1420. "address": "0x40824c"
  1421. },
  1422. {
  1423. "name": "LoadImageA",
  1424. "address": "0x408250"
  1425. },
  1426. {
  1427. "name": "IsWindow",
  1428. "address": "0x408254"
  1429. },
  1430. {
  1431. "name": "SendMessageTimeoutA",
  1432. "address": "0x408258"
  1433. },
  1434. {
  1435. "name": "FindWindowExA",
  1436. "address": "0x40825c"
  1437. },
  1438. {
  1439. "name": "OpenClipboard",
  1440. "address": "0x408260"
  1441. },
  1442. {
  1443. "name": "TrackPopupMenu",
  1444. "address": "0x408264"
  1445. },
  1446. {
  1447. "name": "AppendMenuA",
  1448. "address": "0x408268"
  1449. },
  1450. {
  1451. "name": "EndPaint",
  1452. "address": "0x40826c"
  1453. },
  1454. {
  1455. "name": "DestroyWindow",
  1456. "address": "0x408270"
  1457. },
  1458. {
  1459. "name": "wsprintfA",
  1460. "address": "0x408274"
  1461. },
  1462. {
  1463. "name": "ShowWindow",
  1464. "address": "0x408278"
  1465. },
  1466. {
  1467. "name": "SetWindowTextA",
  1468. "address": "0x40827c"
  1469. }
  1470. ],
  1471. "dll": "USER32.dll"
  1472. },
  1473. {
  1474. "imports": [
  1475. {
  1476. "name": "SelectObject",
  1477. "address": "0x40804c"
  1478. },
  1479. {
  1480. "name": "SetBkMode",
  1481. "address": "0x408050"
  1482. },
  1483. {
  1484. "name": "CreateFontIndirectA",
  1485. "address": "0x408054"
  1486. },
  1487. {
  1488. "name": "SetTextColor",
  1489. "address": "0x408058"
  1490. },
  1491. {
  1492. "name": "DeleteObject",
  1493. "address": "0x40805c"
  1494. },
  1495. {
  1496. "name": "GetDeviceCaps",
  1497. "address": "0x408060"
  1498. },
  1499. {
  1500. "name": "CreateBrushIndirect",
  1501. "address": "0x408064"
  1502. },
  1503. {
  1504. "name": "SetBkColor",
  1505. "address": "0x408068"
  1506. }
  1507. ],
  1508. "dll": "GDI32.dll"
  1509. },
  1510. {
  1511. "imports": [
  1512. {
  1513. "name": "SHGetSpecialFolderLocation",
  1514. "address": "0x408168"
  1515. },
  1516. {
  1517. "name": "ShellExecuteExA",
  1518. "address": "0x40816c"
  1519. },
  1520. {
  1521. "name": "SHGetPathFromIDListA",
  1522. "address": "0x408170"
  1523. },
  1524. {
  1525. "name": "SHBrowseForFolderA",
  1526. "address": "0x408174"
  1527. },
  1528. {
  1529. "name": "SHGetFileInfoA",
  1530. "address": "0x408178"
  1531. },
  1532. {
  1533. "name": "SHFileOperationA",
  1534. "address": "0x40817c"
  1535. }
  1536. ],
  1537. "dll": "SHELL32.dll"
  1538. },
  1539. {
  1540. "imports": [
  1541. {
  1542. "name": "AdjustTokenPrivileges",
  1543. "address": "0x408000"
  1544. },
  1545. {
  1546. "name": "RegCreateKeyExA",
  1547. "address": "0x408004"
  1548. },
  1549. {
  1550. "name": "RegOpenKeyExA",
  1551. "address": "0x408008"
  1552. },
  1553. {
  1554. "name": "SetFileSecurityA",
  1555. "address": "0x40800c"
  1556. },
  1557. {
  1558. "name": "OpenProcessToken",
  1559. "address": "0x408010"
  1560. },
  1561. {
  1562. "name": "LookupPrivilegeValueA",
  1563. "address": "0x408014"
  1564. },
  1565. {
  1566. "name": "RegEnumValueA",
  1567. "address": "0x408018"
  1568. },
  1569. {
  1570. "name": "RegDeleteKeyA",
  1571. "address": "0x40801c"
  1572. },
  1573. {
  1574. "name": "RegDeleteValueA",
  1575. "address": "0x408020"
  1576. },
  1577. {
  1578. "name": "RegCloseKey",
  1579. "address": "0x408024"
  1580. },
  1581. {
  1582. "name": "RegSetValueExA",
  1583. "address": "0x408028"
  1584. },
  1585. {
  1586. "name": "RegQueryValueExA",
  1587. "address": "0x40802c"
  1588. },
  1589. {
  1590. "name": "RegEnumKeyA",
  1591. "address": "0x408030"
  1592. }
  1593. ],
  1594. "dll": "ADVAPI32.dll"
  1595. },
  1596. {
  1597. "imports": [
  1598. {
  1599. "name": "ImageList_Create",
  1600. "address": "0x408038"
  1601. },
  1602. {
  1603. "name": "ImageList_AddMasked",
  1604. "address": "0x40803c"
  1605. },
  1606. {
  1607. "name": "ImageList_Destroy",
  1608. "address": "0x408040"
  1609. },
  1610. {
  1611. "name": null,
  1612. "address": "0x408044"
  1613. }
  1614. ],
  1615. "dll": "COMCTL32.dll"
  1616. },
  1617. {
  1618. "imports": [
  1619. {
  1620. "name": "OleUninitialize",
  1621. "address": "0x408284"
  1622. },
  1623. {
  1624. "name": "OleInitialize",
  1625. "address": "0x408288"
  1626. },
  1627. {
  1628. "name": "CoTaskMemFree",
  1629. "address": "0x40828c"
  1630. },
  1631. {
  1632. "name": "CoCreateInstance",
  1633. "address": "0x408290"
  1634. }
  1635. ],
  1636. "dll": "ole32.dll"
  1637. }
  1638. ],
  1639. "digital_signers": null,
  1640. "exported_dll_name": null,
  1641. "actual_checksum": "0x00045498",
  1642. "overlay": {
  1643. "size": "0x0003b130",
  1644. "offset": "0x00008c00"
  1645. },
  1646. "imagebase": "0x00400000",
  1647. "reported_checksum": "0x00000000",
  1648. "icon_hash": null,
  1649. "entrypoint": "0x00403328",
  1650. "timestamp": "2018-12-15 22:24:32",
  1651. "osversion": "4.0",
  1652. "sections": [
  1653. {
  1654. "name": ".text",
  1655. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1656. "virtual_address": "0x00001000",
  1657. "size_of_data": "0x00006200",
  1658. "entropy": "6.40",
  1659. "raw_address": "0x00000400",
  1660. "virtual_size": "0x00006077",
  1661. "characteristics_raw": "0x60000020"
  1662. },
  1663. {
  1664. "name": ".rdata",
  1665. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1666. "virtual_address": "0x00008000",
  1667. "size_of_data": "0x00001400",
  1668. "entropy": "5.04",
  1669. "raw_address": "0x00006600",
  1670. "virtual_size": "0x00001250",
  1671. "characteristics_raw": "0x40000040"
  1672. },
  1673. {
  1674. "name": ".data",
  1675. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1676. "virtual_address": "0x0000a000",
  1677. "size_of_data": "0x00000400",
  1678. "entropy": "5.22",
  1679. "raw_address": "0x00007a00",
  1680. "virtual_size": "0x0001a838",
  1681. "characteristics_raw": "0xc0000040"
  1682. },
  1683. {
  1684. "name": ".ndata",
  1685. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1686. "virtual_address": "0x00025000",
  1687. "size_of_data": "0x00000000",
  1688. "entropy": "0.00",
  1689. "raw_address": "0x00000000",
  1690. "virtual_size": "0x00008000",
  1691. "characteristics_raw": "0xc0000080"
  1692. },
  1693. {
  1694. "name": ".rsrc",
  1695. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1696. "virtual_address": "0x0002d000",
  1697. "size_of_data": "0x00000e00",
  1698. "entropy": "4.13",
  1699. "raw_address": "0x00007e00",
  1700. "virtual_size": "0x00000cc0",
  1701. "characteristics_raw": "0x40000040"
  1702. }
  1703. ],
  1704. "resources": [],
  1705. "dirents": [
  1706. {
  1707. "virtual_address": "0x00000000",
  1708. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1709. "size": "0x00000000"
  1710. },
  1711. {
  1712. "virtual_address": "0x00008430",
  1713. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1714. "size": "0x000000a0"
  1715. },
  1716. {
  1717. "virtual_address": "0x0002d000",
  1718. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1719. "size": "0x00000cc0"
  1720. },
  1721. {
  1722. "virtual_address": "0x00000000",
  1723. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1724. "size": "0x00000000"
  1725. },
  1726. {
  1727. "virtual_address": "0x00000000",
  1728. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1729. "size": "0x00000000"
  1730. },
  1731. {
  1732. "virtual_address": "0x00000000",
  1733. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1734. "size": "0x00000000"
  1735. },
  1736. {
  1737. "virtual_address": "0x00000000",
  1738. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1739. "size": "0x00000000"
  1740. },
  1741. {
  1742. "virtual_address": "0x00000000",
  1743. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1744. "size": "0x00000000"
  1745. },
  1746. {
  1747. "virtual_address": "0x00000000",
  1748. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1749. "size": "0x00000000"
  1750. },
  1751. {
  1752. "virtual_address": "0x00000000",
  1753. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1754. "size": "0x00000000"
  1755. },
  1756. {
  1757. "virtual_address": "0x00000000",
  1758. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1759. "size": "0x00000000"
  1760. },
  1761. {
  1762. "virtual_address": "0x00000000",
  1763. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1764. "size": "0x00000000"
  1765. },
  1766. {
  1767. "virtual_address": "0x00008000",
  1768. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1769. "size": "0x00000298"
  1770. },
  1771. {
  1772. "virtual_address": "0x00000000",
  1773. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1774. "size": "0x00000000"
  1775. },
  1776. {
  1777. "virtual_address": "0x00000000",
  1778. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1779. "size": "0x00000000"
  1780. },
  1781. {
  1782. "virtual_address": "0x00000000",
  1783. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1784. "size": "0x00000000"
  1785. }
  1786. ],
  1787. "exports": [],
  1788. "guest_signers": {},
  1789. "imphash": "57e98d9a5a72c8d7ad8fb7a6a58b3daf",
  1790. "icon_fuzzy": null,
  1791. "icon": null,
  1792. "pdbpath": null,
  1793. "imported_dll_count": 7,
  1794. "versioninfo": []
  1795. }
  1796. }