paladin316

rdp_dll_2019-06-24_20_30.json

Jun 24th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "rdp.dll"
  7. [*] File Size: 692736
  8. [*] File Type: "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "289676a9f765bb76e644a91ad2bcc1412fa62138dc025a28bc4e3fec2d8aa96d"
  10. [*] MD5: "78bf017381b6488ab7282e5af8bda9cd"
  11. [*] SHA1: "bf4c9aebb58421194e3f6e19cbc5cee2de1499b3"
  12. [*] SHA512: "af53db798d997e3b373b1898cb19733e30c5230b32b0e8a370483d3e0c50f483c53ceb7ad0609afa43f06723991eee269c49cbe28e89e655f3bd9f40b73bcf84"
  13. [*] CRC32: "0A2C0BAC"
  14. [*] SSDEEP: "12288:Cn7lv2NmRxsTE4ycC5xS0tgo8yZ1AVEw0D8eBUpPuC8PhyQk2:KvnRxsTTycC9Cor+VEwihBUpPuxhJ"
  15.  
  16. [*] Process Execution: [
  17. "rundll32.exe"
  18. ]
  19.  
  20. [*] Signatures Detected: [
  21. {
  22. "Description": "Creates RWX memory",
  23. "Details": []
  24. },
  25. {
  26. "Description": "File has been identified by 44 Antiviruses on VirusTotal as malicious",
  27. "Details": [
  28. {
  29. "Bkav": "W32.CalremyLTM.Trojan"
  30. },
  31. {
  32. "MicroWorld-eScan": "Trojan.Generic.6658377"
  33. },
  34. {
  35. "nProtect": "Backdoor/W32.Agent.692736.F"
  36. },
  37. {
  38. "McAfee": "Artemis!78BF017381B6"
  39. },
  40. {
  41. "Malwarebytes": "Trojan.SpyEyes"
  42. },
  43. {
  44. "VIPRE": "Trojan.Win32.Generic!BT"
  45. },
  46. {
  47. "TheHacker": "Trojan/Agent.hnmn"
  48. },
  49. {
  50. "BitDefender": "Trojan.Generic.6658377"
  51. },
  52. {
  53. "K7GW": "Trojan ( 0022ce641 )"
  54. },
  55. {
  56. "K7AntiVirus": "Trojan ( 0022ce641 )"
  57. },
  58. {
  59. "Baidu": "Win32.Trojan.WisdomEyes.151026.9950.9991"
  60. },
  61. {
  62. "Symantec": "Trojan.Gen"
  63. },
  64. {
  65. "ESET-NOD32": "Win32/TrojanDownloader.Carberp.AS"
  66. },
  67. {
  68. "Avast": "Win32:SpyeyePlugin-E [Trj]"
  69. },
  70. {
  71. "ClamAV": "Win.Trojan.Agent-983883"
  72. },
  73. {
  74. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  75. },
  76. {
  77. "NANO-Antivirus": "Trojan.Win32.Agent.xeauv"
  78. },
  79. {
  80. "Tencent": "Win32.Trojan.Hijacker.btsx"
  81. },
  82. {
  83. "Ad-Aware": "Trojan.Generic.6658377"
  84. },
  85. {
  86. "Sophos": "Mal/Behav-010"
  87. },
  88. {
  89. "Comodo": "UnclassifiedMalware"
  90. },
  91. {
  92. "F-Secure": "Trojan.Generic.6658377"
  93. },
  94. {
  95. "DrWeb": "Trojan.Siggen4.16780"
  96. },
  97. {
  98. "Zillya": "Trojan.Agent.Win32.180949"
  99. },
  100. {
  101. "McAfee-GW-Edition": "BehavesLike.Win32.PWSZbot.jh"
  102. },
  103. {
  104. "Emsisoft": "Trojan.Generic.6658377 (B)"
  105. },
  106. {
  107. "Jiangmin": "Trojan/Agent.emrv"
  108. },
  109. {
  110. "Avira": "TR/Hijacker.Gen"
  111. },
  112. {
  113. "Fortinet": "W32/Agent.HNMN!tr"
  114. },
  115. {
  116. "Antiy-AVL": "Trojan/Win32.SGeneric"
  117. },
  118. {
  119. "Kingsoft": "Win32.Troj.Undef.(kcloud)"
  120. },
  121. {
  122. "Arcabit": "Trojan.Generic.D659949"
  123. },
  124. {
  125. "Microsoft": "Trojan:Win32/EyeStye.plugin"
  126. },
  127. {
  128. "AhnLab-V3": "Trojan/Win32.Agent"
  129. },
  130. {
  131. "ALYac": "Trojan.Generic.6658377"
  132. },
  133. {
  134. "AVware": "Trojan.Win32.Generic!BT"
  135. },
  136. {
  137. "Panda": "Trj/Genetic.gen"
  138. },
  139. {
  140. "Rising": "PE:Malware.Generic(Thunder)!1.A1C4 [F]"
  141. },
  142. {
  143. "Yandex": "Trojan.Agent!eOSN0NWHXas"
  144. },
  145. {
  146. "Ikarus": "Trojan.Win32.Agent"
  147. },
  148. {
  149. "GData": "Trojan.Generic.6658377"
  150. },
  151. {
  152. "AVG": "Agent2.CJFH"
  153. },
  154. {
  155. "Baidu-International": "Trojan.Win32.Carberp.AS"
  156. },
  157. {
  158. "Qihoo-360": "Win32/Trojan.Spy.7b3"
  159. }
  160. ]
  161. }
  162. ]
  163.  
  164. [*] Started Service: []
  165.  
  166. [*] Executed Commands: []
  167.  
  168. [*] Mutexes: []
  169.  
  170. [*] Modified Files: []
  171.  
  172. [*] Deleted Files: []
  173.  
  174. [*] Modified Registry Keys: []
  175.  
  176. [*] Deleted Registry Keys: []
  177.  
  178. [*] DNS Communications: []
  179.  
  180. [*] Domains: []
  181.  
  182. [*] Network Communication - ICMP: []
  183.  
  184. [*] Network Communication - HTTP: []
  185.  
  186. [*] Network Communication - SMTP: []
  187.  
  188. [*] Network Communication - Hosts: []
  189.  
  190. [*] Network Communication - IRC: []
  191.  
  192. [*] Static Analysis: {
  193. "pe": {
  194. "peid_signatures": null,
  195. "imports": [
  196. {
  197. "imports": [
  198. {
  199. "name": "_errno",
  200. "address": "0x10077318"
  201. },
  202. {
  203. "name": "_initterm",
  204. "address": "0x1007731c"
  205. },
  206. {
  207. "name": "_amsg_exit",
  208. "address": "0x10077320"
  209. },
  210. {
  211. "name": "_adjust_fdiv",
  212. "address": "0x10077324"
  213. },
  214. {
  215. "name": "isdigit",
  216. "address": "0x10077328"
  217. },
  218. {
  219. "name": "isxdigit",
  220. "address": "0x1007732c"
  221. },
  222. {
  223. "name": "_XcptFilter",
  224. "address": "0x10077330"
  225. },
  226. {
  227. "name": "isspace",
  228. "address": "0x10077334"
  229. },
  230. {
  231. "name": "free",
  232. "address": "0x10077338"
  233. },
  234. {
  235. "name": "malloc",
  236. "address": "0x1007733c"
  237. },
  238. {
  239. "name": "memmove",
  240. "address": "0x10077340"
  241. },
  242. {
  243. "name": "atoi",
  244. "address": "0x10077344"
  245. },
  246. {
  247. "name": "_snprintf",
  248. "address": "0x10077348"
  249. },
  250. {
  251. "name": "strcat",
  252. "address": "0x1007734c"
  253. },
  254. {
  255. "name": "memset",
  256. "address": "0x10077350"
  257. },
  258. {
  259. "name": "strcpy",
  260. "address": "0x10077354"
  261. },
  262. {
  263. "name": "strstr",
  264. "address": "0x10077358"
  265. },
  266. {
  267. "name": "strlen",
  268. "address": "0x1007735c"
  269. },
  270. {
  271. "name": "memcpy",
  272. "address": "0x10077360"
  273. },
  274. {
  275. "name": "_iob",
  276. "address": "0x10077364"
  277. },
  278. {
  279. "name": "strchr",
  280. "address": "0x10077368"
  281. },
  282. {
  283. "name": "_vsnprintf",
  284. "address": "0x1007736c"
  285. },
  286. {
  287. "name": "_getch",
  288. "address": "0x10077370"
  289. },
  290. {
  291. "name": "signal",
  292. "address": "0x10077374"
  293. },
  294. {
  295. "name": "fputs",
  296. "address": "0x10077378"
  297. },
  298. {
  299. "name": "_gmtime64",
  300. "address": "0x1007737c"
  301. },
  302. {
  303. "name": "raise",
  304. "address": "0x10077380"
  305. },
  306. {
  307. "name": "_exit",
  308. "address": "0x10077384"
  309. },
  310. {
  311. "name": "vfprintf",
  312. "address": "0x10077388"
  313. },
  314. {
  315. "name": "getenv",
  316. "address": "0x1007738c"
  317. },
  318. {
  319. "name": "fprintf",
  320. "address": "0x10077390"
  321. },
  322. {
  323. "name": "_wfopen",
  324. "address": "0x10077394"
  325. },
  326. {
  327. "name": "fgets",
  328. "address": "0x10077398"
  329. },
  330. {
  331. "name": "fseek",
  332. "address": "0x1007739c"
  333. },
  334. {
  335. "name": "ftell",
  336. "address": "0x100773a0"
  337. },
  338. {
  339. "name": "_setmode",
  340. "address": "0x100773a4"
  341. },
  342. {
  343. "name": "fflush",
  344. "address": "0x100773a8"
  345. },
  346. {
  347. "name": "fwrite",
  348. "address": "0x100773ac"
  349. },
  350. {
  351. "name": "_time64",
  352. "address": "0x100773b0"
  353. },
  354. {
  355. "name": "fopen",
  356. "address": "0x100773b4"
  357. },
  358. {
  359. "name": "feof",
  360. "address": "0x100773b8"
  361. },
  362. {
  363. "name": "fclose",
  364. "address": "0x100773bc"
  365. },
  366. {
  367. "name": "fread",
  368. "address": "0x100773c0"
  369. },
  370. {
  371. "name": "ferror",
  372. "address": "0x100773c4"
  373. },
  374. {
  375. "name": "realloc",
  376. "address": "0x100773c8"
  377. },
  378. {
  379. "name": "_fileno",
  380. "address": "0x100773cc"
  381. }
  382. ],
  383. "dll": "msvcrt.dll"
  384. },
  385. {
  386. "imports": [
  387. {
  388. "name": "SetBitmapBits",
  389. "address": "0x10077070"
  390. },
  391. {
  392. "name": "CreateDIBSection",
  393. "address": "0x10077074"
  394. },
  395. {
  396. "name": "DeleteObject",
  397. "address": "0x10077078"
  398. },
  399. {
  400. "name": "GetDeviceCaps",
  401. "address": "0x1007707c"
  402. }
  403. ],
  404. "dll": "GDI32.dll"
  405. },
  406. {
  407. "imports": [
  408. {
  409. "name": "GetOpenFileNameA",
  410. "address": "0x10077310"
  411. }
  412. ],
  413. "dll": "comdlg32.dll"
  414. },
  415. {
  416. "imports": [
  417. {
  418. "name": "CoGetObject",
  419. "address": "0x1007745c"
  420. },
  421. {
  422. "name": "CoInitialize",
  423. "address": "0x10077460"
  424. },
  425. {
  426. "name": "CoUninitialize",
  427. "address": "0x10077464"
  428. },
  429. {
  430. "name": "CoCreateInstance",
  431. "address": "0x10077468"
  432. },
  433. {
  434. "name": "CoInitializeEx",
  435. "address": "0x1007746c"
  436. }
  437. ],
  438. "dll": "ole32.dll"
  439. },
  440. {
  441. "imports": [
  442. {
  443. "name": "SetupDiCreateDeviceInfoW",
  444. "address": "0x100771bc"
  445. },
  446. {
  447. "name": "SetupDiCallClassInstaller",
  448. "address": "0x100771c0"
  449. },
  450. {
  451. "name": "SetupDiGetDeviceRegistryPropertyW",
  452. "address": "0x100771c4"
  453. },
  454. {
  455. "name": "SetupDiDestroyDeviceInfoList",
  456. "address": "0x100771c8"
  457. },
  458. {
  459. "name": "SetupDiEnumDeviceInfo",
  460. "address": "0x100771cc"
  461. },
  462. {
  463. "name": "SetupDiGetINFClassW",
  464. "address": "0x100771d0"
  465. },
  466. {
  467. "name": "SetupDiSetDeviceRegistryPropertyW",
  468. "address": "0x100771d4"
  469. },
  470. {
  471. "name": "SetupDiGetClassDevsW",
  472. "address": "0x100771d8"
  473. },
  474. {
  475. "name": "SetupDiCreateDeviceInfoList",
  476. "address": "0x100771dc"
  477. }
  478. ],
  479. "dll": "SETUPAPI.dll"
  480. },
  481. {
  482. "imports": [
  483. {
  484. "name": "StrPBrkA",
  485. "address": "0x100771f8"
  486. },
  487. {
  488. "name": "StrSpnA",
  489. "address": "0x100771fc"
  490. },
  491. {
  492. "name": "StrRStrIA",
  493. "address": "0x10077200"
  494. }
  495. ],
  496. "dll": "SHLWAPI.dll"
  497. },
  498. {
  499. "imports": [
  500. {
  501. "name": "inet_addr",
  502. "address": "0x100772bc"
  503. },
  504. {
  505. "name": "gethostbyaddr",
  506. "address": "0x100772c0"
  507. },
  508. {
  509. "name": "closesocket",
  510. "address": "0x100772c4"
  511. },
  512. {
  513. "name": "__WSAFDIsSet",
  514. "address": "0x100772c8"
  515. },
  516. {
  517. "name": "socket",
  518. "address": "0x100772cc"
  519. },
  520. {
  521. "name": "getsockopt",
  522. "address": "0x100772d0"
  523. },
  524. {
  525. "name": "ioctlsocket",
  526. "address": "0x100772d4"
  527. },
  528. {
  529. "name": "connect",
  530. "address": "0x100772d8"
  531. },
  532. {
  533. "name": "WSAStartup",
  534. "address": "0x100772dc"
  535. },
  536. {
  537. "name": "send",
  538. "address": "0x100772e0"
  539. },
  540. {
  541. "name": "select",
  542. "address": "0x100772e4"
  543. },
  544. {
  545. "name": "WSAGetLastError",
  546. "address": "0x100772e8"
  547. },
  548. {
  549. "name": "htons",
  550. "address": "0x100772ec"
  551. },
  552. {
  553. "name": "recv",
  554. "address": "0x100772f0"
  555. }
  556. ],
  557. "dll": "WS2_32.dll"
  558. },
  559. {
  560. "imports": [
  561. {
  562. "name": "SHFileOperationA",
  563. "address": "0x100771e4"
  564. },
  565. {
  566. "name": "ShellExecuteExW",
  567. "address": "0x100771e8"
  568. },
  569. {
  570. "name": "DragAcceptFiles",
  571. "address": "0x100771ec"
  572. },
  573. {
  574. "name": "DragQueryFileA",
  575. "address": "0x100771f0"
  576. }
  577. ],
  578. "dll": "SHELL32.dll"
  579. },
  580. {
  581. "imports": [
  582. {
  583. "name": "WTSEnumerateSessionsA",
  584. "address": "0x100772f8"
  585. },
  586. {
  587. "name": "WTSQueryUserToken",
  588. "address": "0x100772fc"
  589. },
  590. {
  591. "name": "WTSFreeMemory",
  592. "address": "0x10077300"
  593. },
  594. {
  595. "name": "WTSQuerySessionInformationA",
  596. "address": "0x10077304"
  597. },
  598. {
  599. "name": "WTSLogoffSession",
  600. "address": "0x10077308"
  601. }
  602. ],
  603. "dll": "WTSAPI32.dll"
  604. },
  605. {
  606. "imports": [
  607. {
  608. "name": "GetProfilesDirectoryA",
  609. "address": "0x10077280"
  610. },
  611. {
  612. "name": "CreateEnvironmentBlock",
  613. "address": "0x10077284"
  614. },
  615. {
  616. "name": "DestroyEnvironmentBlock",
  617. "address": "0x10077288"
  618. }
  619. ],
  620. "dll": "USERENV.dll"
  621. },
  622. {
  623. "imports": [
  624. {
  625. "name": "NetUserDel",
  626. "address": "0x100771a4"
  627. },
  628. {
  629. "name": "NetLocalGroupEnum",
  630. "address": "0x100771a8"
  631. },
  632. {
  633. "name": "NetApiBufferFree",
  634. "address": "0x100771ac"
  635. },
  636. {
  637. "name": "NetUserAdd",
  638. "address": "0x100771b0"
  639. },
  640. {
  641. "name": "NetLocalGroupAddMembers",
  642. "address": "0x100771b4"
  643. }
  644. ],
  645. "dll": "NETAPI32.dll"
  646. },
  647. {
  648. "imports": [
  649. {
  650. "name": "GetSystemTimeAsFileTime",
  651. "address": "0x10077084"
  652. },
  653. {
  654. "name": "GetTickCount",
  655. "address": "0x10077088"
  656. },
  657. {
  658. "name": "QueryPerformanceCounter",
  659. "address": "0x1007708c"
  660. },
  661. {
  662. "name": "SetUnhandledExceptionFilter",
  663. "address": "0x10077090"
  664. },
  665. {
  666. "name": "UnhandledExceptionFilter",
  667. "address": "0x10077094"
  668. },
  669. {
  670. "name": "InterlockedCompareExchange",
  671. "address": "0x10077098"
  672. },
  673. {
  674. "name": "InterlockedExchange",
  675. "address": "0x1007709c"
  676. },
  677. {
  678. "name": "RtlUnwind",
  679. "address": "0x100770a0"
  680. },
  681. {
  682. "name": "lstrcatA",
  683. "address": "0x100770a4"
  684. },
  685. {
  686. "name": "TerminateThread",
  687. "address": "0x100770a8"
  688. },
  689. {
  690. "name": "WriteProcessMemory",
  691. "address": "0x100770ac"
  692. },
  693. {
  694. "name": "VirtualAllocEx",
  695. "address": "0x100770b0"
  696. },
  697. {
  698. "name": "GetTempPathW",
  699. "address": "0x100770b4"
  700. },
  701. {
  702. "name": "TerminateProcess",
  703. "address": "0x100770b8"
  704. },
  705. {
  706. "name": "lstrcpynW",
  707. "address": "0x100770bc"
  708. },
  709. {
  710. "name": "CopyFileW",
  711. "address": "0x100770c0"
  712. },
  713. {
  714. "name": "VirtualFreeEx",
  715. "address": "0x100770c4"
  716. },
  717. {
  718. "name": "OpenProcess",
  719. "address": "0x100770c8"
  720. },
  721. {
  722. "name": "CreateRemoteThread",
  723. "address": "0x100770cc"
  724. },
  725. {
  726. "name": "VirtualFree",
  727. "address": "0x100770d0"
  728. },
  729. {
  730. "name": "WaitForSingleObject",
  731. "address": "0x100770d4"
  732. },
  733. {
  734. "name": "ProcessIdToSessionId",
  735. "address": "0x100770d8"
  736. },
  737. {
  738. "name": "GetStdHandle",
  739. "address": "0x100770dc"
  740. },
  741. {
  742. "name": "GlobalMemoryStatus",
  743. "address": "0x100770e0"
  744. },
  745. {
  746. "name": "FlushConsoleInputBuffer",
  747. "address": "0x100770e4"
  748. },
  749. {
  750. "name": "GetFileType",
  751. "address": "0x100770e8"
  752. },
  753. {
  754. "name": "lstrcmpiA",
  755. "address": "0x100770ec"
  756. },
  757. {
  758. "name": "MultiByteToWideChar",
  759. "address": "0x100770f0"
  760. },
  761. {
  762. "name": "LeaveCriticalSection",
  763. "address": "0x100770f4"
  764. },
  765. {
  766. "name": "InitializeCriticalSection",
  767. "address": "0x100770f8"
  768. },
  769. {
  770. "name": "lstrcpynA",
  771. "address": "0x100770fc"
  772. },
  773. {
  774. "name": "TryEnterCriticalSection",
  775. "address": "0x10077100"
  776. },
  777. {
  778. "name": "LocalFree",
  779. "address": "0x10077104"
  780. },
  781. {
  782. "name": "lstrcmpiW",
  783. "address": "0x10077108"
  784. },
  785. {
  786. "name": "LocalAlloc",
  787. "address": "0x1007710c"
  788. },
  789. {
  790. "name": "lstrlenW",
  791. "address": "0x10077110"
  792. },
  793. {
  794. "name": "FreeLibrary",
  795. "address": "0x10077114"
  796. },
  797. {
  798. "name": "LoadLibraryA",
  799. "address": "0x10077118"
  800. },
  801. {
  802. "name": "lstrcpyA",
  803. "address": "0x1007711c"
  804. },
  805. {
  806. "name": "CreateThread",
  807. "address": "0x10077120"
  808. },
  809. {
  810. "name": "lstrcpyW",
  811. "address": "0x10077124"
  812. },
  813. {
  814. "name": "GetWindowsDirectoryW",
  815. "address": "0x10077128"
  816. },
  817. {
  818. "name": "CloseHandle",
  819. "address": "0x1007712c"
  820. },
  821. {
  822. "name": "GetVersionExA",
  823. "address": "0x10077130"
  824. },
  825. {
  826. "name": "CreateMutexA",
  827. "address": "0x10077134"
  828. },
  829. {
  830. "name": "lstrcatW",
  831. "address": "0x10077138"
  832. },
  833. {
  834. "name": "GetModuleHandleA",
  835. "address": "0x1007713c"
  836. },
  837. {
  838. "name": "GetModuleFileNameA",
  839. "address": "0x10077140"
  840. },
  841. {
  842. "name": "CreateFileMappingA",
  843. "address": "0x10077144"
  844. },
  845. {
  846. "name": "SetLastError",
  847. "address": "0x10077148"
  848. },
  849. {
  850. "name": "ExitThread",
  851. "address": "0x1007714c"
  852. },
  853. {
  854. "name": "CreateFileW",
  855. "address": "0x10077150"
  856. },
  857. {
  858. "name": "Sleep",
  859. "address": "0x10077154"
  860. },
  861. {
  862. "name": "GetCurrentProcess",
  863. "address": "0x10077158"
  864. },
  865. {
  866. "name": "UnmapViewOfFile",
  867. "address": "0x1007715c"
  868. },
  869. {
  870. "name": "MapViewOfFile",
  871. "address": "0x10077160"
  872. },
  873. {
  874. "name": "lstrlenA",
  875. "address": "0x10077164"
  876. },
  877. {
  878. "name": "ExitProcess",
  879. "address": "0x10077168"
  880. },
  881. {
  882. "name": "GetCurrentProcessId",
  883. "address": "0x1007716c"
  884. },
  885. {
  886. "name": "OutputDebugStringA",
  887. "address": "0x10077170"
  888. },
  889. {
  890. "name": "GetCurrentThreadId",
  891. "address": "0x10077174"
  892. },
  893. {
  894. "name": "GetLastError",
  895. "address": "0x10077178"
  896. },
  897. {
  898. "name": "HeapValidate",
  899. "address": "0x1007717c"
  900. },
  901. {
  902. "name": "GetVersion",
  903. "address": "0x10077180"
  904. },
  905. {
  906. "name": "VirtualQuery",
  907. "address": "0x10077184"
  908. },
  909. {
  910. "name": "GetProcAddress",
  911. "address": "0x10077188"
  912. },
  913. {
  914. "name": "VirtualAlloc",
  915. "address": "0x1007718c"
  916. },
  917. {
  918. "name": "VirtualProtect",
  919. "address": "0x10077190"
  920. },
  921. {
  922. "name": "GetProcessHeap",
  923. "address": "0x10077194"
  924. },
  925. {
  926. "name": "HeapFree",
  927. "address": "0x10077198"
  928. },
  929. {
  930. "name": "HeapAlloc",
  931. "address": "0x1007719c"
  932. }
  933. ],
  934. "dll": "KERNEL32.dll"
  935. },
  936. {
  937. "imports": [
  938. {
  939. "name": "TranslateMessage",
  940. "address": "0x10077208"
  941. },
  942. {
  943. "name": "GetWindowTextA",
  944. "address": "0x1007720c"
  945. },
  946. {
  947. "name": "RegisterClassExA",
  948. "address": "0x10077210"
  949. },
  950. {
  951. "name": "MessageBoxA",
  952. "address": "0x10077214"
  953. },
  954. {
  955. "name": "CreateWindowExA",
  956. "address": "0x10077218"
  957. },
  958. {
  959. "name": "DefWindowProcA",
  960. "address": "0x1007721c"
  961. },
  962. {
  963. "name": "ShowWindow",
  964. "address": "0x10077220"
  965. },
  966. {
  967. "name": "DispatchMessageA",
  968. "address": "0x10077224"
  969. },
  970. {
  971. "name": "SetWindowTextA",
  972. "address": "0x10077228"
  973. },
  974. {
  975. "name": "UpdateWindow",
  976. "address": "0x1007722c"
  977. },
  978. {
  979. "name": "SendMessageA",
  980. "address": "0x10077230"
  981. },
  982. {
  983. "name": "SetFocus",
  984. "address": "0x10077234"
  985. },
  986. {
  987. "name": "LoadIconA",
  988. "address": "0x10077238"
  989. },
  990. {
  991. "name": "PostQuitMessage",
  992. "address": "0x1007723c"
  993. },
  994. {
  995. "name": "SetWindowLongA",
  996. "address": "0x10077240"
  997. },
  998. {
  999. "name": "GetMessageA",
  1000. "address": "0x10077244"
  1001. },
  1002. {
  1003. "name": "CharLowerW",
  1004. "address": "0x10077248"
  1005. },
  1006. {
  1007. "name": "GetUserObjectInformationW",
  1008. "address": "0x1007724c"
  1009. },
  1010. {
  1011. "name": "GetProcessWindowStation",
  1012. "address": "0x10077250"
  1013. },
  1014. {
  1015. "name": "GetDC",
  1016. "address": "0x10077254"
  1017. },
  1018. {
  1019. "name": "ReleaseDC",
  1020. "address": "0x10077258"
  1021. },
  1022. {
  1023. "name": "GetDesktopWindow",
  1024. "address": "0x1007725c"
  1025. },
  1026. {
  1027. "name": "wsprintfA",
  1028. "address": "0x10077260"
  1029. },
  1030. {
  1031. "name": "IsDialogMessageA",
  1032. "address": "0x10077264"
  1033. },
  1034. {
  1035. "name": "CallWindowProcA",
  1036. "address": "0x10077268"
  1037. },
  1038. {
  1039. "name": "LoadCursorA",
  1040. "address": "0x1007726c"
  1041. },
  1042. {
  1043. "name": "MoveWindow",
  1044. "address": "0x10077270"
  1045. },
  1046. {
  1047. "name": "wsprintfW",
  1048. "address": "0x10077274"
  1049. },
  1050. {
  1051. "name": "wvsprintfA",
  1052. "address": "0x10077278"
  1053. }
  1054. ],
  1055. "dll": "USER32.dll"
  1056. },
  1057. {
  1058. "imports": [
  1059. {
  1060. "name": "RegQueryValueExA",
  1061. "address": "0x10077000"
  1062. },
  1063. {
  1064. "name": "SetSecurityDescriptorDacl",
  1065. "address": "0x10077004"
  1066. },
  1067. {
  1068. "name": "RegOpenKeyExA",
  1069. "address": "0x10077008"
  1070. },
  1071. {
  1072. "name": "RegCloseKey",
  1073. "address": "0x1007700c"
  1074. },
  1075. {
  1076. "name": "OpenServiceA",
  1077. "address": "0x10077010"
  1078. },
  1079. {
  1080. "name": "LookupAccountNameA",
  1081. "address": "0x10077014"
  1082. },
  1083. {
  1084. "name": "GetTokenInformation",
  1085. "address": "0x10077018"
  1086. },
  1087. {
  1088. "name": "RegisterEventSourceA",
  1089. "address": "0x1007701c"
  1090. },
  1091. {
  1092. "name": "ReportEventA",
  1093. "address": "0x10077020"
  1094. },
  1095. {
  1096. "name": "DeregisterEventSource",
  1097. "address": "0x10077024"
  1098. },
  1099. {
  1100. "name": "GetLengthSid",
  1101. "address": "0x10077028"
  1102. },
  1103. {
  1104. "name": "GetUserNameA",
  1105. "address": "0x1007702c"
  1106. },
  1107. {
  1108. "name": "QueryServiceConfigA",
  1109. "address": "0x10077030"
  1110. },
  1111. {
  1112. "name": "RevertToSelf",
  1113. "address": "0x10077034"
  1114. },
  1115. {
  1116. "name": "OpenSCManagerA",
  1117. "address": "0x10077038"
  1118. },
  1119. {
  1120. "name": "AllocateLocallyUniqueId",
  1121. "address": "0x1007703c"
  1122. },
  1123. {
  1124. "name": "RegDeleteValueA",
  1125. "address": "0x10077040"
  1126. },
  1127. {
  1128. "name": "ChangeServiceConfigW",
  1129. "address": "0x10077044"
  1130. },
  1131. {
  1132. "name": "ImpersonateLoggedOnUser",
  1133. "address": "0x10077048"
  1134. },
  1135. {
  1136. "name": "QueryServiceStatus",
  1137. "address": "0x1007704c"
  1138. },
  1139. {
  1140. "name": "RegCreateKeyExA",
  1141. "address": "0x10077050"
  1142. },
  1143. {
  1144. "name": "StartServiceA",
  1145. "address": "0x10077054"
  1146. },
  1147. {
  1148. "name": "SetTokenInformation",
  1149. "address": "0x10077058"
  1150. },
  1151. {
  1152. "name": "CreateProcessAsUserW",
  1153. "address": "0x1007705c"
  1154. },
  1155. {
  1156. "name": "RegSetValueExA",
  1157. "address": "0x10077060"
  1158. },
  1159. {
  1160. "name": "CopySid",
  1161. "address": "0x10077064"
  1162. },
  1163. {
  1164. "name": "InitializeSecurityDescriptor",
  1165. "address": "0x10077068"
  1166. }
  1167. ],
  1168. "dll": "ADVAPI32.dll"
  1169. },
  1170. {
  1171. "imports": [
  1172. {
  1173. "name": "sscanf",
  1174. "address": "0x100773d4"
  1175. },
  1176. {
  1177. "name": "isupper",
  1178. "address": "0x100773d8"
  1179. },
  1180. {
  1181. "name": "_strnicmp",
  1182. "address": "0x100773dc"
  1183. },
  1184. {
  1185. "name": "tolower",
  1186. "address": "0x100773e0"
  1187. },
  1188. {
  1189. "name": "_aullshr",
  1190. "address": "0x100773e4"
  1191. },
  1192. {
  1193. "name": "qsort",
  1194. "address": "0x100773e8"
  1195. },
  1196. {
  1197. "name": "strncpy",
  1198. "address": "0x100773ec"
  1199. },
  1200. {
  1201. "name": "wcsstr",
  1202. "address": "0x100773f0"
  1203. },
  1204. {
  1205. "name": "strtoul",
  1206. "address": "0x100773f4"
  1207. },
  1208. {
  1209. "name": "strcmp",
  1210. "address": "0x100773f8"
  1211. },
  1212. {
  1213. "name": "memcmp",
  1214. "address": "0x100773fc"
  1215. },
  1216. {
  1217. "name": "_aulldiv",
  1218. "address": "0x10077400"
  1219. },
  1220. {
  1221. "name": "_aullrem",
  1222. "address": "0x10077404"
  1223. },
  1224. {
  1225. "name": "strncmp",
  1226. "address": "0x10077408"
  1227. },
  1228. {
  1229. "name": "sprintf",
  1230. "address": "0x1007740c"
  1231. },
  1232. {
  1233. "name": "NtCreateToken",
  1234. "address": "0x10077410"
  1235. },
  1236. {
  1237. "name": "RtlCompareMemory",
  1238. "address": "0x10077414"
  1239. },
  1240. {
  1241. "name": "RtlCreateUserThread",
  1242. "address": "0x10077418"
  1243. },
  1244. {
  1245. "name": "NtOpenProcess",
  1246. "address": "0x1007741c"
  1247. },
  1248. {
  1249. "name": "NtReadVirtualMemory",
  1250. "address": "0x10077420"
  1251. },
  1252. {
  1253. "name": "NtQuerySystemInformation",
  1254. "address": "0x10077424"
  1255. },
  1256. {
  1257. "name": "NtAllocateVirtualMemory",
  1258. "address": "0x10077428"
  1259. },
  1260. {
  1261. "name": "NtFreeVirtualMemory",
  1262. "address": "0x1007742c"
  1263. },
  1264. {
  1265. "name": "LdrLoadDll",
  1266. "address": "0x10077430"
  1267. },
  1268. {
  1269. "name": "NtDelayExecution",
  1270. "address": "0x10077434"
  1271. },
  1272. {
  1273. "name": "RtlAdjustPrivilege",
  1274. "address": "0x10077438"
  1275. },
  1276. {
  1277. "name": "NtClose",
  1278. "address": "0x1007743c"
  1279. },
  1280. {
  1281. "name": "RtlFreeUnicodeString",
  1282. "address": "0x10077440"
  1283. },
  1284. {
  1285. "name": "LdrGetProcedureAddress",
  1286. "address": "0x10077444"
  1287. },
  1288. {
  1289. "name": "RtlInitAnsiString",
  1290. "address": "0x10077448"
  1291. },
  1292. {
  1293. "name": "RtlAnsiStringToUnicodeString",
  1294. "address": "0x1007744c"
  1295. },
  1296. {
  1297. "name": "NtProtectVirtualMemory",
  1298. "address": "0x10077450"
  1299. },
  1300. {
  1301. "name": "RtlExitUserThread",
  1302. "address": "0x10077454"
  1303. }
  1304. ],
  1305. "dll": "ntdll.dll"
  1306. },
  1307. {
  1308. "imports": [
  1309. {
  1310. "name": "InternetCanonicalizeUrlA",
  1311. "address": "0x10077290"
  1312. },
  1313. {
  1314. "name": "InternetConnectA",
  1315. "address": "0x10077294"
  1316. },
  1317. {
  1318. "name": "InternetQueryDataAvailable",
  1319. "address": "0x10077298"
  1320. },
  1321. {
  1322. "name": "InternetCrackUrlA",
  1323. "address": "0x1007729c"
  1324. },
  1325. {
  1326. "name": "InternetReadFile",
  1327. "address": "0x100772a0"
  1328. },
  1329. {
  1330. "name": "InternetSetOptionA",
  1331. "address": "0x100772a4"
  1332. },
  1333. {
  1334. "name": "HttpOpenRequestA",
  1335. "address": "0x100772a8"
  1336. },
  1337. {
  1338. "name": "HttpSendRequestA",
  1339. "address": "0x100772ac"
  1340. },
  1341. {
  1342. "name": "InternetOpenA",
  1343. "address": "0x100772b0"
  1344. },
  1345. {
  1346. "name": "InternetCloseHandle",
  1347. "address": "0x100772b4"
  1348. }
  1349. ],
  1350. "dll": "WININET.dll"
  1351. }
  1352. ],
  1353. "digital_signers": null,
  1354. "exported_dll_name": "rdp.dll",
  1355. "actual_checksum": "0x000ad933",
  1356. "overlay": null,
  1357. "imagebase": "0x10000000",
  1358. "reported_checksum": "0x00000000",
  1359. "icon_hash": null,
  1360. "entrypoint": "0x10001840",
  1361. "timestamp": "2011-02-07 01:14:47",
  1362. "osversion": "5.1",
  1363. "sections": [
  1364. {
  1365. "name": ".text",
  1366. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1367. "virtual_address": "0x00001000",
  1368. "size_of_data": "0x00075a00",
  1369. "entropy": "6.71",
  1370. "raw_address": "0x00000400",
  1371. "virtual_size": "0x00075850",
  1372. "characteristics_raw": "0x60000020"
  1373. },
  1374. {
  1375. "name": ".rdata",
  1376. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1377. "virtual_address": "0x00077000",
  1378. "size_of_data": "0x00028800",
  1379. "entropy": "6.02",
  1380. "raw_address": "0x00075e00",
  1381. "virtual_size": "0x000286d4",
  1382. "characteristics_raw": "0x40000040"
  1383. },
  1384. {
  1385. "name": ".data",
  1386. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1387. "virtual_address": "0x000a0000",
  1388. "size_of_data": "0x00002c00",
  1389. "entropy": "5.11",
  1390. "raw_address": "0x0009e600",
  1391. "virtual_size": "0x00005fb8",
  1392. "characteristics_raw": "0xc0000040"
  1393. },
  1394. {
  1395. "name": ".reloc",
  1396. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1397. "virtual_address": "0x000a6000",
  1398. "size_of_data": "0x00008000",
  1399. "entropy": "5.67",
  1400. "raw_address": "0x000a1200",
  1401. "virtual_size": "0x00007f50",
  1402. "characteristics_raw": "0x42000040"
  1403. }
  1404. ],
  1405. "resources": [],
  1406. "dirents": [
  1407. {
  1408. "virtual_address": "0x0009f630",
  1409. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1410. "size": "0x000000a4"
  1411. },
  1412. {
  1413. "virtual_address": "0x0009deb4",
  1414. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1415. "size": "0x00000154"
  1416. },
  1417. {
  1418. "virtual_address": "0x00000000",
  1419. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1420. "size": "0x00000000"
  1421. },
  1422. {
  1423. "virtual_address": "0x00000000",
  1424. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1425. "size": "0x00000000"
  1426. },
  1427. {
  1428. "virtual_address": "0x00000000",
  1429. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1430. "size": "0x00000000"
  1431. },
  1432. {
  1433. "virtual_address": "0x000a6000",
  1434. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1435. "size": "0x00006104"
  1436. },
  1437. {
  1438. "virtual_address": "0x00000000",
  1439. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1440. "size": "0x00000000"
  1441. },
  1442. {
  1443. "virtual_address": "0x00000000",
  1444. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1445. "size": "0x00000000"
  1446. },
  1447. {
  1448. "virtual_address": "0x00000000",
  1449. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1450. "size": "0x00000000"
  1451. },
  1452. {
  1453. "virtual_address": "0x00000000",
  1454. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1455. "size": "0x00000000"
  1456. },
  1457. {
  1458. "virtual_address": "0x00000000",
  1459. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1460. "size": "0x00000000"
  1461. },
  1462. {
  1463. "virtual_address": "0x00000000",
  1464. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1465. "size": "0x00000000"
  1466. },
  1467. {
  1468. "virtual_address": "0x00077000",
  1469. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1470. "size": "0x00000474"
  1471. },
  1472. {
  1473. "virtual_address": "0x00000000",
  1474. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1475. "size": "0x00000000"
  1476. },
  1477. {
  1478. "virtual_address": "0x00000000",
  1479. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1480. "size": "0x00000000"
  1481. },
  1482. {
  1483. "virtual_address": "0x00000000",
  1484. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1485. "size": "0x00000000"
  1486. }
  1487. ],
  1488. "exports": [
  1489. {
  1490. "ordinal": 1,
  1491. "name": "GetPluginId",
  1492. "address": "0x1006528b"
  1493. },
  1494. {
  1495. "ordinal": 2,
  1496. "name": "Init",
  1497. "address": "0x10065962"
  1498. },
  1499. {
  1500. "ordinal": 3,
  1501. "name": "RdpGetLastError",
  1502. "address": "0x100652a3"
  1503. },
  1504. {
  1505. "ordinal": 4,
  1506. "name": "Start",
  1507. "address": "0x1006574d"
  1508. },
  1509. {
  1510. "ordinal": 5,
  1511. "name": "Stop",
  1512. "address": "0x10065739"
  1513. },
  1514. {
  1515. "ordinal": 6,
  1516. "name": "TakeBotGuid",
  1517. "address": "0x1006528e"
  1518. }
  1519. ],
  1520. "guest_signers": {},
  1521. "imphash": "1029db349f713aef4385f023c10d8e2e",
  1522. "icon_fuzzy": null,
  1523. "icon": null,
  1524. "pdbpath": null,
  1525. "imported_dll_count": 16,
  1526. "versioninfo": []
  1527. }
  1528. }
  1529.  
  1530. [*] Resolved APIs: []
  1531.  
  1532. [*] Static Analysis: {
  1533. "pe": {
  1534. "peid_signatures": null,
  1535. "imports": [
  1536. {
  1537. "imports": [
  1538. {
  1539. "name": "_errno",
  1540. "address": "0x10077318"
  1541. },
  1542. {
  1543. "name": "_initterm",
  1544. "address": "0x1007731c"
  1545. },
  1546. {
  1547. "name": "_amsg_exit",
  1548. "address": "0x10077320"
  1549. },
  1550. {
  1551. "name": "_adjust_fdiv",
  1552. "address": "0x10077324"
  1553. },
  1554. {
  1555. "name": "isdigit",
  1556. "address": "0x10077328"
  1557. },
  1558. {
  1559. "name": "isxdigit",
  1560. "address": "0x1007732c"
  1561. },
  1562. {
  1563. "name": "_XcptFilter",
  1564. "address": "0x10077330"
  1565. },
  1566. {
  1567. "name": "isspace",
  1568. "address": "0x10077334"
  1569. },
  1570. {
  1571. "name": "free",
  1572. "address": "0x10077338"
  1573. },
  1574. {
  1575. "name": "malloc",
  1576. "address": "0x1007733c"
  1577. },
  1578. {
  1579. "name": "memmove",
  1580. "address": "0x10077340"
  1581. },
  1582. {
  1583. "name": "atoi",
  1584. "address": "0x10077344"
  1585. },
  1586. {
  1587. "name": "_snprintf",
  1588. "address": "0x10077348"
  1589. },
  1590. {
  1591. "name": "strcat",
  1592. "address": "0x1007734c"
  1593. },
  1594. {
  1595. "name": "memset",
  1596. "address": "0x10077350"
  1597. },
  1598. {
  1599. "name": "strcpy",
  1600. "address": "0x10077354"
  1601. },
  1602. {
  1603. "name": "strstr",
  1604. "address": "0x10077358"
  1605. },
  1606. {
  1607. "name": "strlen",
  1608. "address": "0x1007735c"
  1609. },
  1610. {
  1611. "name": "memcpy",
  1612. "address": "0x10077360"
  1613. },
  1614. {
  1615. "name": "_iob",
  1616. "address": "0x10077364"
  1617. },
  1618. {
  1619. "name": "strchr",
  1620. "address": "0x10077368"
  1621. },
  1622. {
  1623. "name": "_vsnprintf",
  1624. "address": "0x1007736c"
  1625. },
  1626. {
  1627. "name": "_getch",
  1628. "address": "0x10077370"
  1629. },
  1630. {
  1631. "name": "signal",
  1632. "address": "0x10077374"
  1633. },
  1634. {
  1635. "name": "fputs",
  1636. "address": "0x10077378"
  1637. },
  1638. {
  1639. "name": "_gmtime64",
  1640. "address": "0x1007737c"
  1641. },
  1642. {
  1643. "name": "raise",
  1644. "address": "0x10077380"
  1645. },
  1646. {
  1647. "name": "_exit",
  1648. "address": "0x10077384"
  1649. },
  1650. {
  1651. "name": "vfprintf",
  1652. "address": "0x10077388"
  1653. },
  1654. {
  1655. "name": "getenv",
  1656. "address": "0x1007738c"
  1657. },
  1658. {
  1659. "name": "fprintf",
  1660. "address": "0x10077390"
  1661. },
  1662. {
  1663. "name": "_wfopen",
  1664. "address": "0x10077394"
  1665. },
  1666. {
  1667. "name": "fgets",
  1668. "address": "0x10077398"
  1669. },
  1670. {
  1671. "name": "fseek",
  1672. "address": "0x1007739c"
  1673. },
  1674. {
  1675. "name": "ftell",
  1676. "address": "0x100773a0"
  1677. },
  1678. {
  1679. "name": "_setmode",
  1680. "address": "0x100773a4"
  1681. },
  1682. {
  1683. "name": "fflush",
  1684. "address": "0x100773a8"
  1685. },
  1686. {
  1687. "name": "fwrite",
  1688. "address": "0x100773ac"
  1689. },
  1690. {
  1691. "name": "_time64",
  1692. "address": "0x100773b0"
  1693. },
  1694. {
  1695. "name": "fopen",
  1696. "address": "0x100773b4"
  1697. },
  1698. {
  1699. "name": "feof",
  1700. "address": "0x100773b8"
  1701. },
  1702. {
  1703. "name": "fclose",
  1704. "address": "0x100773bc"
  1705. },
  1706. {
  1707. "name": "fread",
  1708. "address": "0x100773c0"
  1709. },
  1710. {
  1711. "name": "ferror",
  1712. "address": "0x100773c4"
  1713. },
  1714. {
  1715. "name": "realloc",
  1716. "address": "0x100773c8"
  1717. },
  1718. {
  1719. "name": "_fileno",
  1720. "address": "0x100773cc"
  1721. }
  1722. ],
  1723. "dll": "msvcrt.dll"
  1724. },
  1725. {
  1726. "imports": [
  1727. {
  1728. "name": "SetBitmapBits",
  1729. "address": "0x10077070"
  1730. },
  1731. {
  1732. "name": "CreateDIBSection",
  1733. "address": "0x10077074"
  1734. },
  1735. {
  1736. "name": "DeleteObject",
  1737. "address": "0x10077078"
  1738. },
  1739. {
  1740. "name": "GetDeviceCaps",
  1741. "address": "0x1007707c"
  1742. }
  1743. ],
  1744. "dll": "GDI32.dll"
  1745. },
  1746. {
  1747. "imports": [
  1748. {
  1749. "name": "GetOpenFileNameA",
  1750. "address": "0x10077310"
  1751. }
  1752. ],
  1753. "dll": "comdlg32.dll"
  1754. },
  1755. {
  1756. "imports": [
  1757. {
  1758. "name": "CoGetObject",
  1759. "address": "0x1007745c"
  1760. },
  1761. {
  1762. "name": "CoInitialize",
  1763. "address": "0x10077460"
  1764. },
  1765. {
  1766. "name": "CoUninitialize",
  1767. "address": "0x10077464"
  1768. },
  1769. {
  1770. "name": "CoCreateInstance",
  1771. "address": "0x10077468"
  1772. },
  1773. {
  1774. "name": "CoInitializeEx",
  1775. "address": "0x1007746c"
  1776. }
  1777. ],
  1778. "dll": "ole32.dll"
  1779. },
  1780. {
  1781. "imports": [
  1782. {
  1783. "name": "SetupDiCreateDeviceInfoW",
  1784. "address": "0x100771bc"
  1785. },
  1786. {
  1787. "name": "SetupDiCallClassInstaller",
  1788. "address": "0x100771c0"
  1789. },
  1790. {
  1791. "name": "SetupDiGetDeviceRegistryPropertyW",
  1792. "address": "0x100771c4"
  1793. },
  1794. {
  1795. "name": "SetupDiDestroyDeviceInfoList",
  1796. "address": "0x100771c8"
  1797. },
  1798. {
  1799. "name": "SetupDiEnumDeviceInfo",
  1800. "address": "0x100771cc"
  1801. },
  1802. {
  1803. "name": "SetupDiGetINFClassW",
  1804. "address": "0x100771d0"
  1805. },
  1806. {
  1807. "name": "SetupDiSetDeviceRegistryPropertyW",
  1808. "address": "0x100771d4"
  1809. },
  1810. {
  1811. "name": "SetupDiGetClassDevsW",
  1812. "address": "0x100771d8"
  1813. },
  1814. {
  1815. "name": "SetupDiCreateDeviceInfoList",
  1816. "address": "0x100771dc"
  1817. }
  1818. ],
  1819. "dll": "SETUPAPI.dll"
  1820. },
  1821. {
  1822. "imports": [
  1823. {
  1824. "name": "StrPBrkA",
  1825. "address": "0x100771f8"
  1826. },
  1827. {
  1828. "name": "StrSpnA",
  1829. "address": "0x100771fc"
  1830. },
  1831. {
  1832. "name": "StrRStrIA",
  1833. "address": "0x10077200"
  1834. }
  1835. ],
  1836. "dll": "SHLWAPI.dll"
  1837. },
  1838. {
  1839. "imports": [
  1840. {
  1841. "name": "inet_addr",
  1842. "address": "0x100772bc"
  1843. },
  1844. {
  1845. "name": "gethostbyaddr",
  1846. "address": "0x100772c0"
  1847. },
  1848. {
  1849. "name": "closesocket",
  1850. "address": "0x100772c4"
  1851. },
  1852. {
  1853. "name": "__WSAFDIsSet",
  1854. "address": "0x100772c8"
  1855. },
  1856. {
  1857. "name": "socket",
  1858. "address": "0x100772cc"
  1859. },
  1860. {
  1861. "name": "getsockopt",
  1862. "address": "0x100772d0"
  1863. },
  1864. {
  1865. "name": "ioctlsocket",
  1866. "address": "0x100772d4"
  1867. },
  1868. {
  1869. "name": "connect",
  1870. "address": "0x100772d8"
  1871. },
  1872. {
  1873. "name": "WSAStartup",
  1874. "address": "0x100772dc"
  1875. },
  1876. {
  1877. "name": "send",
  1878. "address": "0x100772e0"
  1879. },
  1880. {
  1881. "name": "select",
  1882. "address": "0x100772e4"
  1883. },
  1884. {
  1885. "name": "WSAGetLastError",
  1886. "address": "0x100772e8"
  1887. },
  1888. {
  1889. "name": "htons",
  1890. "address": "0x100772ec"
  1891. },
  1892. {
  1893. "name": "recv",
  1894. "address": "0x100772f0"
  1895. }
  1896. ],
  1897. "dll": "WS2_32.dll"
  1898. },
  1899. {
  1900. "imports": [
  1901. {
  1902. "name": "SHFileOperationA",
  1903. "address": "0x100771e4"
  1904. },
  1905. {
  1906. "name": "ShellExecuteExW",
  1907. "address": "0x100771e8"
  1908. },
  1909. {
  1910. "name": "DragAcceptFiles",
  1911. "address": "0x100771ec"
  1912. },
  1913. {
  1914. "name": "DragQueryFileA",
  1915. "address": "0x100771f0"
  1916. }
  1917. ],
  1918. "dll": "SHELL32.dll"
  1919. },
  1920. {
  1921. "imports": [
  1922. {
  1923. "name": "WTSEnumerateSessionsA",
  1924. "address": "0x100772f8"
  1925. },
  1926. {
  1927. "name": "WTSQueryUserToken",
  1928. "address": "0x100772fc"
  1929. },
  1930. {
  1931. "name": "WTSFreeMemory",
  1932. "address": "0x10077300"
  1933. },
  1934. {
  1935. "name": "WTSQuerySessionInformationA",
  1936. "address": "0x10077304"
  1937. },
  1938. {
  1939. "name": "WTSLogoffSession",
  1940. "address": "0x10077308"
  1941. }
  1942. ],
  1943. "dll": "WTSAPI32.dll"
  1944. },
  1945. {
  1946. "imports": [
  1947. {
  1948. "name": "GetProfilesDirectoryA",
  1949. "address": "0x10077280"
  1950. },
  1951. {
  1952. "name": "CreateEnvironmentBlock",
  1953. "address": "0x10077284"
  1954. },
  1955. {
  1956. "name": "DestroyEnvironmentBlock",
  1957. "address": "0x10077288"
  1958. }
  1959. ],
  1960. "dll": "USERENV.dll"
  1961. },
  1962. {
  1963. "imports": [
  1964. {
  1965. "name": "NetUserDel",
  1966. "address": "0x100771a4"
  1967. },
  1968. {
  1969. "name": "NetLocalGroupEnum",
  1970. "address": "0x100771a8"
  1971. },
  1972. {
  1973. "name": "NetApiBufferFree",
  1974. "address": "0x100771ac"
  1975. },
  1976. {
  1977. "name": "NetUserAdd",
  1978. "address": "0x100771b0"
  1979. },
  1980. {
  1981. "name": "NetLocalGroupAddMembers",
  1982. "address": "0x100771b4"
  1983. }
  1984. ],
  1985. "dll": "NETAPI32.dll"
  1986. },
  1987. {
  1988. "imports": [
  1989. {
  1990. "name": "GetSystemTimeAsFileTime",
  1991. "address": "0x10077084"
  1992. },
  1993. {
  1994. "name": "GetTickCount",
  1995. "address": "0x10077088"
  1996. },
  1997. {
  1998. "name": "QueryPerformanceCounter",
  1999. "address": "0x1007708c"
  2000. },
  2001. {
  2002. "name": "SetUnhandledExceptionFilter",
  2003. "address": "0x10077090"
  2004. },
  2005. {
  2006. "name": "UnhandledExceptionFilter",
  2007. "address": "0x10077094"
  2008. },
  2009. {
  2010. "name": "InterlockedCompareExchange",
  2011. "address": "0x10077098"
  2012. },
  2013. {
  2014. "name": "InterlockedExchange",
  2015. "address": "0x1007709c"
  2016. },
  2017. {
  2018. "name": "RtlUnwind",
  2019. "address": "0x100770a0"
  2020. },
  2021. {
  2022. "name": "lstrcatA",
  2023. "address": "0x100770a4"
  2024. },
  2025. {
  2026. "name": "TerminateThread",
  2027. "address": "0x100770a8"
  2028. },
  2029. {
  2030. "name": "WriteProcessMemory",
  2031. "address": "0x100770ac"
  2032. },
  2033. {
  2034. "name": "VirtualAllocEx",
  2035. "address": "0x100770b0"
  2036. },
  2037. {
  2038. "name": "GetTempPathW",
  2039. "address": "0x100770b4"
  2040. },
  2041. {
  2042. "name": "TerminateProcess",
  2043. "address": "0x100770b8"
  2044. },
  2045. {
  2046. "name": "lstrcpynW",
  2047. "address": "0x100770bc"
  2048. },
  2049. {
  2050. "name": "CopyFileW",
  2051. "address": "0x100770c0"
  2052. },
  2053. {
  2054. "name": "VirtualFreeEx",
  2055. "address": "0x100770c4"
  2056. },
  2057. {
  2058. "name": "OpenProcess",
  2059. "address": "0x100770c8"
  2060. },
  2061. {
  2062. "name": "CreateRemoteThread",
  2063. "address": "0x100770cc"
  2064. },
  2065. {
  2066. "name": "VirtualFree",
  2067. "address": "0x100770d0"
  2068. },
  2069. {
  2070. "name": "WaitForSingleObject",
  2071. "address": "0x100770d4"
  2072. },
  2073. {
  2074. "name": "ProcessIdToSessionId",
  2075. "address": "0x100770d8"
  2076. },
  2077. {
  2078. "name": "GetStdHandle",
  2079. "address": "0x100770dc"
  2080. },
  2081. {
  2082. "name": "GlobalMemoryStatus",
  2083. "address": "0x100770e0"
  2084. },
  2085. {
  2086. "name": "FlushConsoleInputBuffer",
  2087. "address": "0x100770e4"
  2088. },
  2089. {
  2090. "name": "GetFileType",
  2091. "address": "0x100770e8"
  2092. },
  2093. {
  2094. "name": "lstrcmpiA",
  2095. "address": "0x100770ec"
  2096. },
  2097. {
  2098. "name": "MultiByteToWideChar",
  2099. "address": "0x100770f0"
  2100. },
  2101. {
  2102. "name": "LeaveCriticalSection",
  2103. "address": "0x100770f4"
  2104. },
  2105. {
  2106. "name": "InitializeCriticalSection",
  2107. "address": "0x100770f8"
  2108. },
  2109. {
  2110. "name": "lstrcpynA",
  2111. "address": "0x100770fc"
  2112. },
  2113. {
  2114. "name": "TryEnterCriticalSection",
  2115. "address": "0x10077100"
  2116. },
  2117. {
  2118. "name": "LocalFree",
  2119. "address": "0x10077104"
  2120. },
  2121. {
  2122. "name": "lstrcmpiW",
  2123. "address": "0x10077108"
  2124. },
  2125. {
  2126. "name": "LocalAlloc",
  2127. "address": "0x1007710c"
  2128. },
  2129. {
  2130. "name": "lstrlenW",
  2131. "address": "0x10077110"
  2132. },
  2133. {
  2134. "name": "FreeLibrary",
  2135. "address": "0x10077114"
  2136. },
  2137. {
  2138. "name": "LoadLibraryA",
  2139. "address": "0x10077118"
  2140. },
  2141. {
  2142. "name": "lstrcpyA",
  2143. "address": "0x1007711c"
  2144. },
  2145. {
  2146. "name": "CreateThread",
  2147. "address": "0x10077120"
  2148. },
  2149. {
  2150. "name": "lstrcpyW",
  2151. "address": "0x10077124"
  2152. },
  2153. {
  2154. "name": "GetWindowsDirectoryW",
  2155. "address": "0x10077128"
  2156. },
  2157. {
  2158. "name": "CloseHandle",
  2159. "address": "0x1007712c"
  2160. },
  2161. {
  2162. "name": "GetVersionExA",
  2163. "address": "0x10077130"
  2164. },
  2165. {
  2166. "name": "CreateMutexA",
  2167. "address": "0x10077134"
  2168. },
  2169. {
  2170. "name": "lstrcatW",
  2171. "address": "0x10077138"
  2172. },
  2173. {
  2174. "name": "GetModuleHandleA",
  2175. "address": "0x1007713c"
  2176. },
  2177. {
  2178. "name": "GetModuleFileNameA",
  2179. "address": "0x10077140"
  2180. },
  2181. {
  2182. "name": "CreateFileMappingA",
  2183. "address": "0x10077144"
  2184. },
  2185. {
  2186. "name": "SetLastError",
  2187. "address": "0x10077148"
  2188. },
  2189. {
  2190. "name": "ExitThread",
  2191. "address": "0x1007714c"
  2192. },
  2193. {
  2194. "name": "CreateFileW",
  2195. "address": "0x10077150"
  2196. },
  2197. {
  2198. "name": "Sleep",
  2199. "address": "0x10077154"
  2200. },
  2201. {
  2202. "name": "GetCurrentProcess",
  2203. "address": "0x10077158"
  2204. },
  2205. {
  2206. "name": "UnmapViewOfFile",
  2207. "address": "0x1007715c"
  2208. },
  2209. {
  2210. "name": "MapViewOfFile",
  2211. "address": "0x10077160"
  2212. },
  2213. {
  2214. "name": "lstrlenA",
  2215. "address": "0x10077164"
  2216. },
  2217. {
  2218. "name": "ExitProcess",
  2219. "address": "0x10077168"
  2220. },
  2221. {
  2222. "name": "GetCurrentProcessId",
  2223. "address": "0x1007716c"
  2224. },
  2225. {
  2226. "name": "OutputDebugStringA",
  2227. "address": "0x10077170"
  2228. },
  2229. {
  2230. "name": "GetCurrentThreadId",
  2231. "address": "0x10077174"
  2232. },
  2233. {
  2234. "name": "GetLastError",
  2235. "address": "0x10077178"
  2236. },
  2237. {
  2238. "name": "HeapValidate",
  2239. "address": "0x1007717c"
  2240. },
  2241. {
  2242. "name": "GetVersion",
  2243. "address": "0x10077180"
  2244. },
  2245. {
  2246. "name": "VirtualQuery",
  2247. "address": "0x10077184"
  2248. },
  2249. {
  2250. "name": "GetProcAddress",
  2251. "address": "0x10077188"
  2252. },
  2253. {
  2254. "name": "VirtualAlloc",
  2255. "address": "0x1007718c"
  2256. },
  2257. {
  2258. "name": "VirtualProtect",
  2259. "address": "0x10077190"
  2260. },
  2261. {
  2262. "name": "GetProcessHeap",
  2263. "address": "0x10077194"
  2264. },
  2265. {
  2266. "name": "HeapFree",
  2267. "address": "0x10077198"
  2268. },
  2269. {
  2270. "name": "HeapAlloc",
  2271. "address": "0x1007719c"
  2272. }
  2273. ],
  2274. "dll": "KERNEL32.dll"
  2275. },
  2276. {
  2277. "imports": [
  2278. {
  2279. "name": "TranslateMessage",
  2280. "address": "0x10077208"
  2281. },
  2282. {
  2283. "name": "GetWindowTextA",
  2284. "address": "0x1007720c"
  2285. },
  2286. {
  2287. "name": "RegisterClassExA",
  2288. "address": "0x10077210"
  2289. },
  2290. {
  2291. "name": "MessageBoxA",
  2292. "address": "0x10077214"
  2293. },
  2294. {
  2295. "name": "CreateWindowExA",
  2296. "address": "0x10077218"
  2297. },
  2298. {
  2299. "name": "DefWindowProcA",
  2300. "address": "0x1007721c"
  2301. },
  2302. {
  2303. "name": "ShowWindow",
  2304. "address": "0x10077220"
  2305. },
  2306. {
  2307. "name": "DispatchMessageA",
  2308. "address": "0x10077224"
  2309. },
  2310. {
  2311. "name": "SetWindowTextA",
  2312. "address": "0x10077228"
  2313. },
  2314. {
  2315. "name": "UpdateWindow",
  2316. "address": "0x1007722c"
  2317. },
  2318. {
  2319. "name": "SendMessageA",
  2320. "address": "0x10077230"
  2321. },
  2322. {
  2323. "name": "SetFocus",
  2324. "address": "0x10077234"
  2325. },
  2326. {
  2327. "name": "LoadIconA",
  2328. "address": "0x10077238"
  2329. },
  2330. {
  2331. "name": "PostQuitMessage",
  2332. "address": "0x1007723c"
  2333. },
  2334. {
  2335. "name": "SetWindowLongA",
  2336. "address": "0x10077240"
  2337. },
  2338. {
  2339. "name": "GetMessageA",
  2340. "address": "0x10077244"
  2341. },
  2342. {
  2343. "name": "CharLowerW",
  2344. "address": "0x10077248"
  2345. },
  2346. {
  2347. "name": "GetUserObjectInformationW",
  2348. "address": "0x1007724c"
  2349. },
  2350. {
  2351. "name": "GetProcessWindowStation",
  2352. "address": "0x10077250"
  2353. },
  2354. {
  2355. "name": "GetDC",
  2356. "address": "0x10077254"
  2357. },
  2358. {
  2359. "name": "ReleaseDC",
  2360. "address": "0x10077258"
  2361. },
  2362. {
  2363. "name": "GetDesktopWindow",
  2364. "address": "0x1007725c"
  2365. },
  2366. {
  2367. "name": "wsprintfA",
  2368. "address": "0x10077260"
  2369. },
  2370. {
  2371. "name": "IsDialogMessageA",
  2372. "address": "0x10077264"
  2373. },
  2374. {
  2375. "name": "CallWindowProcA",
  2376. "address": "0x10077268"
  2377. },
  2378. {
  2379. "name": "LoadCursorA",
  2380. "address": "0x1007726c"
  2381. },
  2382. {
  2383. "name": "MoveWindow",
  2384. "address": "0x10077270"
  2385. },
  2386. {
  2387. "name": "wsprintfW",
  2388. "address": "0x10077274"
  2389. },
  2390. {
  2391. "name": "wvsprintfA",
  2392. "address": "0x10077278"
  2393. }
  2394. ],
  2395. "dll": "USER32.dll"
  2396. },
  2397. {
  2398. "imports": [
  2399. {
  2400. "name": "RegQueryValueExA",
  2401. "address": "0x10077000"
  2402. },
  2403. {
  2404. "name": "SetSecurityDescriptorDacl",
  2405. "address": "0x10077004"
  2406. },
  2407. {
  2408. "name": "RegOpenKeyExA",
  2409. "address": "0x10077008"
  2410. },
  2411. {
  2412. "name": "RegCloseKey",
  2413. "address": "0x1007700c"
  2414. },
  2415. {
  2416. "name": "OpenServiceA",
  2417. "address": "0x10077010"
  2418. },
  2419. {
  2420. "name": "LookupAccountNameA",
  2421. "address": "0x10077014"
  2422. },
  2423. {
  2424. "name": "GetTokenInformation",
  2425. "address": "0x10077018"
  2426. },
  2427. {
  2428. "name": "RegisterEventSourceA",
  2429. "address": "0x1007701c"
  2430. },
  2431. {
  2432. "name": "ReportEventA",
  2433. "address": "0x10077020"
  2434. },
  2435. {
  2436. "name": "DeregisterEventSource",
  2437. "address": "0x10077024"
  2438. },
  2439. {
  2440. "name": "GetLengthSid",
  2441. "address": "0x10077028"
  2442. },
  2443. {
  2444. "name": "GetUserNameA",
  2445. "address": "0x1007702c"
  2446. },
  2447. {
  2448. "name": "QueryServiceConfigA",
  2449. "address": "0x10077030"
  2450. },
  2451. {
  2452. "name": "RevertToSelf",
  2453. "address": "0x10077034"
  2454. },
  2455. {
  2456. "name": "OpenSCManagerA",
  2457. "address": "0x10077038"
  2458. },
  2459. {
  2460. "name": "AllocateLocallyUniqueId",
  2461. "address": "0x1007703c"
  2462. },
  2463. {
  2464. "name": "RegDeleteValueA",
  2465. "address": "0x10077040"
  2466. },
  2467. {
  2468. "name": "ChangeServiceConfigW",
  2469. "address": "0x10077044"
  2470. },
  2471. {
  2472. "name": "ImpersonateLoggedOnUser",
  2473. "address": "0x10077048"
  2474. },
  2475. {
  2476. "name": "QueryServiceStatus",
  2477. "address": "0x1007704c"
  2478. },
  2479. {
  2480. "name": "RegCreateKeyExA",
  2481. "address": "0x10077050"
  2482. },
  2483. {
  2484. "name": "StartServiceA",
  2485. "address": "0x10077054"
  2486. },
  2487. {
  2488. "name": "SetTokenInformation",
  2489. "address": "0x10077058"
  2490. },
  2491. {
  2492. "name": "CreateProcessAsUserW",
  2493. "address": "0x1007705c"
  2494. },
  2495. {
  2496. "name": "RegSetValueExA",
  2497. "address": "0x10077060"
  2498. },
  2499. {
  2500. "name": "CopySid",
  2501. "address": "0x10077064"
  2502. },
  2503. {
  2504. "name": "InitializeSecurityDescriptor",
  2505. "address": "0x10077068"
  2506. }
  2507. ],
  2508. "dll": "ADVAPI32.dll"
  2509. },
  2510. {
  2511. "imports": [
  2512. {
  2513. "name": "sscanf",
  2514. "address": "0x100773d4"
  2515. },
  2516. {
  2517. "name": "isupper",
  2518. "address": "0x100773d8"
  2519. },
  2520. {
  2521. "name": "_strnicmp",
  2522. "address": "0x100773dc"
  2523. },
  2524. {
  2525. "name": "tolower",
  2526. "address": "0x100773e0"
  2527. },
  2528. {
  2529. "name": "_aullshr",
  2530. "address": "0x100773e4"
  2531. },
  2532. {
  2533. "name": "qsort",
  2534. "address": "0x100773e8"
  2535. },
  2536. {
  2537. "name": "strncpy",
  2538. "address": "0x100773ec"
  2539. },
  2540. {
  2541. "name": "wcsstr",
  2542. "address": "0x100773f0"
  2543. },
  2544. {
  2545. "name": "strtoul",
  2546. "address": "0x100773f4"
  2547. },
  2548. {
  2549. "name": "strcmp",
  2550. "address": "0x100773f8"
  2551. },
  2552. {
  2553. "name": "memcmp",
  2554. "address": "0x100773fc"
  2555. },
  2556. {
  2557. "name": "_aulldiv",
  2558. "address": "0x10077400"
  2559. },
  2560. {
  2561. "name": "_aullrem",
  2562. "address": "0x10077404"
  2563. },
  2564. {
  2565. "name": "strncmp",
  2566. "address": "0x10077408"
  2567. },
  2568. {
  2569. "name": "sprintf",
  2570. "address": "0x1007740c"
  2571. },
  2572. {
  2573. "name": "NtCreateToken",
  2574. "address": "0x10077410"
  2575. },
  2576. {
  2577. "name": "RtlCompareMemory",
  2578. "address": "0x10077414"
  2579. },
  2580. {
  2581. "name": "RtlCreateUserThread",
  2582. "address": "0x10077418"
  2583. },
  2584. {
  2585. "name": "NtOpenProcess",
  2586. "address": "0x1007741c"
  2587. },
  2588. {
  2589. "name": "NtReadVirtualMemory",
  2590. "address": "0x10077420"
  2591. },
  2592. {
  2593. "name": "NtQuerySystemInformation",
  2594. "address": "0x10077424"
  2595. },
  2596. {
  2597. "name": "NtAllocateVirtualMemory",
  2598. "address": "0x10077428"
  2599. },
  2600. {
  2601. "name": "NtFreeVirtualMemory",
  2602. "address": "0x1007742c"
  2603. },
  2604. {
  2605. "name": "LdrLoadDll",
  2606. "address": "0x10077430"
  2607. },
  2608. {
  2609. "name": "NtDelayExecution",
  2610. "address": "0x10077434"
  2611. },
  2612. {
  2613. "name": "RtlAdjustPrivilege",
  2614. "address": "0x10077438"
  2615. },
  2616. {
  2617. "name": "NtClose",
  2618. "address": "0x1007743c"
  2619. },
  2620. {
  2621. "name": "RtlFreeUnicodeString",
  2622. "address": "0x10077440"
  2623. },
  2624. {
  2625. "name": "LdrGetProcedureAddress",
  2626. "address": "0x10077444"
  2627. },
  2628. {
  2629. "name": "RtlInitAnsiString",
  2630. "address": "0x10077448"
  2631. },
  2632. {
  2633. "name": "RtlAnsiStringToUnicodeString",
  2634. "address": "0x1007744c"
  2635. },
  2636. {
  2637. "name": "NtProtectVirtualMemory",
  2638. "address": "0x10077450"
  2639. },
  2640. {
  2641. "name": "RtlExitUserThread",
  2642. "address": "0x10077454"
  2643. }
  2644. ],
  2645. "dll": "ntdll.dll"
  2646. },
  2647. {
  2648. "imports": [
  2649. {
  2650. "name": "InternetCanonicalizeUrlA",
  2651. "address": "0x10077290"
  2652. },
  2653. {
  2654. "name": "InternetConnectA",
  2655. "address": "0x10077294"
  2656. },
  2657. {
  2658. "name": "InternetQueryDataAvailable",
  2659. "address": "0x10077298"
  2660. },
  2661. {
  2662. "name": "InternetCrackUrlA",
  2663. "address": "0x1007729c"
  2664. },
  2665. {
  2666. "name": "InternetReadFile",
  2667. "address": "0x100772a0"
  2668. },
  2669. {
  2670. "name": "InternetSetOptionA",
  2671. "address": "0x100772a4"
  2672. },
  2673. {
  2674. "name": "HttpOpenRequestA",
  2675. "address": "0x100772a8"
  2676. },
  2677. {
  2678. "name": "HttpSendRequestA",
  2679. "address": "0x100772ac"
  2680. },
  2681. {
  2682. "name": "InternetOpenA",
  2683. "address": "0x100772b0"
  2684. },
  2685. {
  2686. "name": "InternetCloseHandle",
  2687. "address": "0x100772b4"
  2688. }
  2689. ],
  2690. "dll": "WININET.dll"
  2691. }
  2692. ],
  2693. "digital_signers": null,
  2694. "exported_dll_name": "rdp.dll",
  2695. "actual_checksum": "0x000ad933",
  2696. "overlay": null,
  2697. "imagebase": "0x10000000",
  2698. "reported_checksum": "0x00000000",
  2699. "icon_hash": null,
  2700. "entrypoint": "0x10001840",
  2701. "timestamp": "2011-02-07 01:14:47",
  2702. "osversion": "5.1",
  2703. "sections": [
  2704. {
  2705. "name": ".text",
  2706. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  2707. "virtual_address": "0x00001000",
  2708. "size_of_data": "0x00075a00",
  2709. "entropy": "6.71",
  2710. "raw_address": "0x00000400",
  2711. "virtual_size": "0x00075850",
  2712. "characteristics_raw": "0x60000020"
  2713. },
  2714. {
  2715. "name": ".rdata",
  2716. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2717. "virtual_address": "0x00077000",
  2718. "size_of_data": "0x00028800",
  2719. "entropy": "6.02",
  2720. "raw_address": "0x00075e00",
  2721. "virtual_size": "0x000286d4",
  2722. "characteristics_raw": "0x40000040"
  2723. },
  2724. {
  2725. "name": ".data",
  2726. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2727. "virtual_address": "0x000a0000",
  2728. "size_of_data": "0x00002c00",
  2729. "entropy": "5.11",
  2730. "raw_address": "0x0009e600",
  2731. "virtual_size": "0x00005fb8",
  2732. "characteristics_raw": "0xc0000040"
  2733. },
  2734. {
  2735. "name": ".reloc",
  2736. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  2737. "virtual_address": "0x000a6000",
  2738. "size_of_data": "0x00008000",
  2739. "entropy": "5.67",
  2740. "raw_address": "0x000a1200",
  2741. "virtual_size": "0x00007f50",
  2742. "characteristics_raw": "0x42000040"
  2743. }
  2744. ],
  2745. "resources": [],
  2746. "dirents": [
  2747. {
  2748. "virtual_address": "0x0009f630",
  2749. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2750. "size": "0x000000a4"
  2751. },
  2752. {
  2753. "virtual_address": "0x0009deb4",
  2754. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2755. "size": "0x00000154"
  2756. },
  2757. {
  2758. "virtual_address": "0x00000000",
  2759. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2760. "size": "0x00000000"
  2761. },
  2762. {
  2763. "virtual_address": "0x00000000",
  2764. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2765. "size": "0x00000000"
  2766. },
  2767. {
  2768. "virtual_address": "0x00000000",
  2769. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2770. "size": "0x00000000"
  2771. },
  2772. {
  2773. "virtual_address": "0x000a6000",
  2774. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2775. "size": "0x00006104"
  2776. },
  2777. {
  2778. "virtual_address": "0x00000000",
  2779. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2780. "size": "0x00000000"
  2781. },
  2782. {
  2783. "virtual_address": "0x00000000",
  2784. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2785. "size": "0x00000000"
  2786. },
  2787. {
  2788. "virtual_address": "0x00000000",
  2789. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2790. "size": "0x00000000"
  2791. },
  2792. {
  2793. "virtual_address": "0x00000000",
  2794. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2795. "size": "0x00000000"
  2796. },
  2797. {
  2798. "virtual_address": "0x00000000",
  2799. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2800. "size": "0x00000000"
  2801. },
  2802. {
  2803. "virtual_address": "0x00000000",
  2804. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2805. "size": "0x00000000"
  2806. },
  2807. {
  2808. "virtual_address": "0x00077000",
  2809. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2810. "size": "0x00000474"
  2811. },
  2812. {
  2813. "virtual_address": "0x00000000",
  2814. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2815. "size": "0x00000000"
  2816. },
  2817. {
  2818. "virtual_address": "0x00000000",
  2819. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2820. "size": "0x00000000"
  2821. },
  2822. {
  2823. "virtual_address": "0x00000000",
  2824. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2825. "size": "0x00000000"
  2826. }
  2827. ],
  2828. "exports": [
  2829. {
  2830. "ordinal": 1,
  2831. "name": "GetPluginId",
  2832. "address": "0x1006528b"
  2833. },
  2834. {
  2835. "ordinal": 2,
  2836. "name": "Init",
  2837. "address": "0x10065962"
  2838. },
  2839. {
  2840. "ordinal": 3,
  2841. "name": "RdpGetLastError",
  2842. "address": "0x100652a3"
  2843. },
  2844. {
  2845. "ordinal": 4,
  2846. "name": "Start",
  2847. "address": "0x1006574d"
  2848. },
  2849. {
  2850. "ordinal": 5,
  2851. "name": "Stop",
  2852. "address": "0x10065739"
  2853. },
  2854. {
  2855. "ordinal": 6,
  2856. "name": "TakeBotGuid",
  2857. "address": "0x1006528e"
  2858. }
  2859. ],
  2860. "guest_signers": {},
  2861. "imphash": "1029db349f713aef4385f023c10d8e2e",
  2862. "icon_fuzzy": null,
  2863. "icon": null,
  2864. "pdbpath": null,
  2865. "imported_dll_count": 16,
  2866. "versioninfo": []
  2867. }
  2868. }