- [*] MalFamily: "Malicious"
- [*] MalScore: 10.0
- [*] File Name: "Exes_0e298012.exe"
- [*] File Size: 982016
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "5aaed2fc51f080c89338fbb2f2f6818ac81c171e741b1aa8cec594498257f041"
- [*] MD5: "38db6ceee8a5492b7dbdf4047148e86d"
- [*] SHA1: "cdf04f1b4dda97d49d95d4fc561b9f06dd35dad8"
- [*] SHA512: "89c34c051ddb27b8aaa794e6d704f4480fd0104990948fe66ab2f34edad8776d2a50a8efe6392736c44743d6fae7238b01139aa548ed01d6e95346ea65bd0148"
- [*] CRC32: "0E298012"
- [*] SSDEEP: "24576:DJZqSp5CT781CWBMtSCm30NtdTfnl0Bu7O4GWiRv:lZXXAOCWQSCm30NtdDnl0BX4Hcv"
- [*] Process Execution: [
- "Exes_0e298012.exe",
- "InstallUtil.exe",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "svchost.exe",
- "WMIADAP.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "A process attempted to delay the analysis task. (Reviewer note: the sleeping process is InstallUtil.exe, a legitimate .NET Framework utility that the sample itself launched — see Executed Commands — so the delay logic most likely runs from a payload injected into InstallUtil.exe rather than from the original PE; the Injector/Androm vendor labels below are consistent with that.)",
- "Details": [
- {
- "Process": "InstallUtil.exe tried to sleep 643 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call (Reviewer note: the two values below, 2.0.0.0 and v2.0.50727, look like .NET Framework/assembly version strings rather than network or file indicators — treat this hit as a probable false positive and do not add them to blocklists.)",
- "Details": [
- {
- "ioc": "2.0.0.0"
- },
- {
- "ioc": "v2.0.50727"
- }
- ]
- },
- {
- "Description": "A process created a hidden window",
- "Details": [
- {
- "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
- }
- ]
- },
- {
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic (Reviewer note: checkip.amazonaws.com is a public AWS service that echoes the caller's external IP; this request is most likely victim IP discovery, and the domain and resolved addresses are shared AWS infrastructure, not C2 — the missing User-Agent header on the GET is the more useful detection feature.)",
- "Details": [
- {
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- },
- {
- "suspicious_request": "http://checkip.amazonaws.com/"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://checkip.amazonaws.com/"
- }
- ]
- },
- {
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details": [
- {
- "section": "name: .rsrc, entropy: 7.44, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00064e00, virtual_size: 0x00064d08"
- }
- ]
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time (Reviewer note: the process reported below is services.exe, a Windows system process; unless injection into services.exe is confirmed, this is probably sandbox background activity rather than behaviour attributable to the sample.)",
- "Details": [
- {
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 12591048 times"
- }
- ]
- },
- {
- "Description": "Steals private information from local Internet browsers",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DuxyMxa.exe"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\BIT8E9A.tmp"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DuxyMxa.exe"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\BIT8E9A.tmp"
- }
- ]
- },
- {
- "Description": "Retrieves Windows ProductID, probably to fingerprint the sandbox",
- "Details": []
- },
- {
- "Description": "File has been identified by 47 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "MicroWorld-eScan": "Trojan.Injector.DEN"
- },
- {
- "FireEye": "Generic.mg.38db6ceee8a5492b"
- },
- {
- "McAfee": "RDN/Generic.dx"
- },
- {
- "Malwarebytes": "Trojan.MalPack.RVRS"
- },
- {
- "Alibaba": "Backdoor:Win32/Androm.611a547c"
- },
- {
- "K7GW": "Trojan ( 0054fe271 )"
- },
- {
- "K7AntiVirus": "Trojan ( 0054fe271 )"
- },
- {
- "Arcabit": "Trojan.Injector.DEN"
- },
- {
- "Invincea": "heuristic"
- },
- {
- "NANO-Antivirus": "Trojan.Win32.GenKryptik.fregry"
- },
- {
- "Symantec": "Trojan.Gen.MBT"
- },
- {
- "APEX": "Malicious"
- },
- {
- "Avast": "Win32:Malware-gen"
- },
- {
- "Kaspersky": "Backdoor.Win32.Androm.snpx"
- },
- {
- "BitDefender": "Trojan.Injector.DEN"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "AegisLab": "Trojan.Win32.Generic.4!c"
- },
- {
- "Tencent": "Win32.Backdoor.Androm.Lmvb"
- },
- {
- "Ad-Aware": "Trojan.Injector.DEN"
- },
- {
- "Emsisoft": "Trojan.Injector.DEN (B)"
- },
- {
- "F-Secure": "Trojan.TR/Kryptik.mlipd"
- },
- {
- "DrWeb": "Trojan.DownLoader28.47155"
- },
- {
- "TrendMicro": "TROJ_GEN.R002C0WFB19"
- },
- {
- "McAfee-GW-Edition": "BehavesLike.Win32.MultiPlug.dc"
- },
- {
- "Trapmine": "suspicious.low.ml.score"
- },
- {
- "Sophos": "Mal/Generic-S"
- },
- {
- "SentinelOne": "DFI - Malicious PE"
- },
- {
- "Cyren": "W32/Trojan.AWDC-2417"
- },
- {
- "ESET-NOD32": "a variant of Win32/GenKryptik.DKIK"
- },
- {
- "Avira": "TR/Kryptik.mlipd"
- },
- {
- "Microsoft": "Trojan:Win32/Tiggre!plock"
- },
- {
- "Endgame": "malicious (high confidence)"
- },
- {
- "ZoneAlarm": "Backdoor.Win32.Androm.snpx"
- },
- {
- "GData": "Win32.Trojan-Stealer.Brilik.F2820Q"
- },
- {
- "TACHYON": "Trojan/W32.Inject.982016.B"
- },
- {
- "AhnLab-V3": "Malware/Win32.RL_Generic.R275588"
- },
- {
- "Acronis": "suspicious"
- },
- {
- "VBA32": "Trojan.Downloader"
- },
- {
- "ALYac": "Trojan.Injector.DEN"
- },
- {
- "TrendMicro-HouseCall": "TROJ_GEN.R002C0WFB19"
- },
- {
- "Rising": "Trojan.GenKryptik!8.AA55 (CLOUD)"
- },
- {
- "Ikarus": "Trojan.Win32.Krypt"
- },
- {
- "Fortinet": "W32/GenKryptik.DKIK!tr"
- },
- {
- "AVG": "Win32:Malware-gen"
- },
- {
- "Panda": "Trj/GdSda.A"
- },
- {
- "CrowdStrike": "win/malicious_confidence_90% (W)"
- },
- {
- "Qihoo-360": "HEUR/QVM10.2.C747.Malware.Gen"
- }
- ]
- },
- {
- "Description": "Checks the version of Bios, possibly for anti-virtualization",
- "Details": []
- },
- {
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details": []
- },
- {
- "Description": "Creates a copy of itself",
- "Details": [
- {
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DuxyMxa.exe"
- }
- ]
- },
- {
- "Description": "Harvests information related to installed mail clients",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- }
- ]
- },
- {
- "Description": "Collects information to fingerprint the system",
- "Details": []
- }
- ]
- [*] Started Service (Reviewer note: VaultSvc is the Windows Credential Manager service; its start, together with vaultcli.dll.VaultEnumerateVaults under Resolved APIs, suggests Credential Manager enumeration by the sample — the lsass.exe entry under Executed Commands is likely the service host being started rather than a process the sample launched directly): [
- "VaultSvc"
- ]
- [*] Executed Commands: [
- "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe\"",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
- "C:\\Windows\\system32\\lsass.exe"
- ]
- [*] Mutexes: [
- "Global\\CLR_CASOFF_MUTEX",
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
- "Global\\.net clr networking",
- "Global\\ADAP_WMI_ENTRY"
- ]
- [*] Modified Files: [
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\BIT8E9A.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DuxyMxa.exe",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\PIPE\\wkssvc",
- "\\??\\PIPE\\srvsvc",
- "\\??\\PHYSICALDRIVE0",
- "\\??\\CDROM0",
- "\\??\\WMIDataDevice",
- "\\??\\PIPE\\lsarpc"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\BIT8E9A.tmp"
- ]
- [*] Modified Registry Keys: [
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\StateIndex",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\InstallUtil_RASAPI32",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\EnableFileTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\EnableConsoleTracing",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\FileTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\ConsoleTracingMask",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\MaxFileSize",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\FileDirectory"
- ]
- [*] Deleted Registry Keys: []
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "checkip.amazonaws.com",
- "answers": [
- {
- "data": "52.206.161.133",
- "type": "A"
- },
- {
- "data": "52.200.125.74",
- "type": "A"
- },
- {
- "data": "checkip.check-ip.aws.a2z.com",
- "type": "CNAME"
- },
- {
- "data": "52.6.79.229",
- "type": "A"
- },
- {
- "data": "checkip.us-east-1.prod.check-ip.aws.a2z.com",
- "type": "CNAME"
- },
- {
- "data": "34.233.102.38",
- "type": "A"
- },
- {
- "data": "52.202.139.131",
- "type": "A"
- },
- {
- "data": "18.211.215.84",
- "type": "A"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "52.202.139.131",
- "domain": "checkip.amazonaws.com"
- }
- ]
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://checkip.amazonaws.com/",
- "user-agent": "",
- "method": "GET",
- "host": "checkip.amazonaws.com",
- "version": "1.1",
- "path": "/",
- "data": "GET / HTTP/1.1\r\nHost: checkip.amazonaws.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "GetModuleFileNameA",
- "address": "0x473000"
- },
- {
- "name": "VirtualAlloc",
- "address": "0x473004"
- },
- {
- "name": "GetProcAddress",
- "address": "0x473008"
- },
- {
- "name": "GetConsoleWindow",
- "address": "0x47300c"
- },
- {
- "name": "SetEndOfFile",
- "address": "0x473010"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x473014"
- },
- {
- "name": "HeapSize",
- "address": "0x473018"
- },
- {
- "name": "CloseHandle",
- "address": "0x47301c"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x473020"
- },
- {
- "name": "SwitchToThread",
- "address": "0x473024"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x473028"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x47302c"
- },
- {
- "name": "GetNativeSystemInfo",
- "address": "0x473030"
- },
- {
- "name": "GetLastError",
- "address": "0x473034"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x473038"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x47303c"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x473040"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x473044"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x473048"
- },
- {
- "name": "SetLastError",
- "address": "0x47304c"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x473050"
- },
- {
- "name": "TlsAlloc",
- "address": "0x473054"
- },
- {
- "name": "TlsGetValue",
- "address": "0x473058"
- },
- {
- "name": "TlsSetValue",
- "address": "0x47305c"
- },
- {
- "name": "TlsFree",
- "address": "0x473060"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x473064"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x473068"
- },
- {
- "name": "EncodePointer",
- "address": "0x47306c"
- },
- {
- "name": "DecodePointer",
- "address": "0x473070"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x473074"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x473078"
- },
- {
- "name": "CompareStringW",
- "address": "0x47307c"
- },
- {
- "name": "LCMapStringW",
- "address": "0x473080"
- },
- {
- "name": "GetLocaleInfoW",
- "address": "0x473084"
- },
- {
- "name": "GetCPInfo",
- "address": "0x473088"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x47308c"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x473090"
- },
- {
- "name": "TerminateProcess",
- "address": "0x473094"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x473098"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x47309c"
- },
- {
- "name": "InitializeSListHead",
- "address": "0x4730a0"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x4730a4"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x4730a8"
- },
- {
- "name": "SetEvent",
- "address": "0x4730ac"
- },
- {
- "name": "GetThreadTimes",
- "address": "0x4730b0"
- },
- {
- "name": "FreeLibrary",
- "address": "0x4730b4"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x4730b8"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x4730bc"
- },
- {
- "name": "RtlUnwind",
- "address": "0x4730c0"
- },
- {
- "name": "RaiseException",
- "address": "0x4730c4"
- },
- {
- "name": "ExitProcess",
- "address": "0x4730c8"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x4730cc"
- },
- {
- "name": "GetStdHandle",
- "address": "0x4730d0"
- },
- {
- "name": "WriteFile",
- "address": "0x4730d4"
- },
- {
- "name": "GetFileSizeEx",
- "address": "0x4730d8"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x4730dc"
- },
- {
- "name": "GetFileType",
- "address": "0x4730e0"
- },
- {
- "name": "HeapAlloc",
- "address": "0x4730e4"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x4730e8"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x4730ec"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x4730f0"
- },
- {
- "name": "HeapFree",
- "address": "0x4730f4"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x4730f8"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x4730fc"
- },
- {
- "name": "IsValidLocale",
- "address": "0x473100"
- },
- {
- "name": "GetUserDefaultLCID",
- "address": "0x473104"
- },
- {
- "name": "EnumSystemLocalesW",
- "address": "0x473108"
- },
- {
- "name": "ReadFile",
- "address": "0x47310c"
- },
- {
- "name": "ReadConsoleW",
- "address": "0x473110"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x473114"
- },
- {
- "name": "GetTimeZoneInformation",
- "address": "0x473118"
- },
- {
- "name": "FindClose",
- "address": "0x47311c"
- },
- {
- "name": "FindFirstFileExW",
- "address": "0x473120"
- },
- {
- "name": "FindNextFileW",
- "address": "0x473124"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x473128"
- },
- {
- "name": "GetACP",
- "address": "0x47312c"
- },
- {
- "name": "GetOEMCP",
- "address": "0x473130"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x473134"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x473138"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x47313c"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x473140"
- },
- {
- "name": "SetEnvironmentVariableW",
- "address": "0x473144"
- },
- {
- "name": "SetStdHandle",
- "address": "0x473148"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x47314c"
- },
- {
- "name": "CreateFileW",
- "address": "0x473150"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "LoadBitmapA",
- "address": "0x473158"
- }
- ],
- "dll": "USER32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x000ffbab",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x0044d730",
- "timestamp": "2019-06-10 02:39:53",
- "osversion": "6.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00071800",
- "entropy": "6.42",
- "raw_address": "0x00000400",
- "virtual_size": "0x0007167d",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00073000",
- "size_of_data": "0x00013e00",
- "entropy": "5.31",
- "raw_address": "0x00071c00",
- "virtual_size": "0x00013cd8",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00087000",
- "size_of_data": "0x00001a00",
- "entropy": "4.04",
- "raw_address": "0x00085a00",
- "virtual_size": "0x00002c28",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0008a000",
- "size_of_data": "0x00064e00",
- "entropy": "7.44",
- "raw_address": "0x00087400",
- "virtual_size": "0x00064d08",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x000ef000",
- "size_of_data": "0x00003a00",
- "entropy": "6.52",
- "raw_address": "0x000ec200",
- "virtual_size": "0x00003850",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x000864f4",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000003c"
- },
- {
- "virtual_address": "0x0008a000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00064d08"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x000ef000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00003850"
- },
- {
- "virtual_address": "0x00081e40",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00081e78",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000040"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00073000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000160"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "c3ac486b6c4c66c65b2f01bed393cd46",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 2,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.AreFileApisANSI",
- "kernel32.dll.FlsFree",
- "kernel32.dll.InitOnceExecuteOnce",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.GetTickCount64",
- "kernel32.dll.GetFileInformationByHandleEx",
- "kernel32.dll.SetFileInformationByHandle",
- "kernel32.dll.InitializeConditionVariable",
- "kernel32.dll.WakeConditionVariable",
- "kernel32.dll.WakeAllConditionVariable",
- "kernel32.dll.SleepConditionVariableCS",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.TryAcquireSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.SleepConditionVariableSRW",
- "kernel32.dll.CreateThreadpoolWork",
- "kernel32.dll.SubmitThreadpoolWork",
- "kernel32.dll.CloseThreadpoolWork",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.EnumSystemLocalesEx",
- "kernel32.dll.GetDateFormatEx",
- "kernel32.dll.GetTimeFormatEx",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.IsValidLocaleName",
- "kernel32.dll.LCIDToLocaleName",
- "kernel32.dll.LocaleNameToLCID",
- "advapi32.dll.CryptAcquireContextW",
- "advapi32.dll.CryptCreateHash",
- "advapi32.dll.CryptDecrypt",
- "advapi32.dll.CryptDeriveKey",
- "advapi32.dll.CryptDestroyHash",
- "advapi32.dll.CryptDestroyKey",
- "advapi32.dll.CryptHashData",
- "advapi32.dll.CryptReleaseContext",
- "user32.dll.MessageBoxA",
- "ole32.dll.CoInitializeEx",
- "ole32.dll.CoCreateInstance",
- "cryptbase.dll.SystemFunction036",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptCreateHash",
- "cryptsp.dll.CryptHashData",
- "cryptsp.dll.CryptDeriveKey",
- "cryptsp.dll.CryptDecrypt",
- "apphelp.dll.ApphelpCheckRunAppEx",
- "apphelp.dll.ApphelpQueryModuleDataEx",
- "apphelp.dll.ApphelpParseModuleData",
- "apphelp.dll.ApphelpCreateAppcompatData",
- "apphelp.dll.SdbInitDatabaseEx",
- "apphelp.dll.SdbReleaseDatabase",
- "apphelp.dll.SdbUnpackAppCompatData",
- "apphelp.dll.SdbQueryContext",
- "qmgrprxy.dll.DllGetClassObject",
- "qmgrprxy.dll.DllCanUnloadNow",
- "ole32.dll.CoImpersonateClient",
- "ole32.dll.CoRevertToSelf",
- "rpcrt4.dll.UuidCreate",
- "sechost.dll.ConvertSidToStringSidW",
- "advapi32.dll.LookupAccountSidW",
- "oleaut32.dll.#500",
- "rpcrt4.dll.RpcBindingFree",
- "mpr.dll.WNetGetConnectionW",
- "cfgmgr32.dll.CMP_RegisterNotification",
- "sechost.dll.I_ScPnPGetServiceName",
- "cfgmgr32.dll.CM_MapCrToWin32Err",
- "kernel32.dll.GetProductInfo",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegQueryInfoKeyW",
- "advapi32.dll.RegEnumKeyExW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.RegQueryValueExW",
- "kernel32.dll.QueryActCtxW",
- "shlwapi.dll.UrlIsW",
- "kernel32.dll.InitializeCriticalSectionAndSpinCount",
- "kernel32.dll.IsProcessorFeaturePresent",
- "msvcrt.dll._set_error_mode",
- "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
- "kernel32.dll.FindActCtxSectionStringW",
- "kernel32.dll.GetSystemWindowsDirectoryW",
- "mscoree.dll.GetProcessExecutableHeap",
- "mscorwks.dll._CorExeMain",
- "mscorwks.dll.GetCLRFunction",
- "advapi32.dll.RegisterTraceGuidsW",
- "advapi32.dll.UnregisterTraceGuids",
- "advapi32.dll.GetTraceLoggerHandle",
- "advapi32.dll.GetTraceEnableLevel",
- "advapi32.dll.GetTraceEnableFlags",
- "advapi32.dll.TraceEvent",
- "mscoree.dll.IEE",
- "mscorwks.dll.IEE",
- "mscoree.dll.GetStartupFlags",
- "mscoree.dll.GetHostConfigurationFile",
- "mscoree.dll.GetCORSystemDirectory",
- "ntdll.dll.RtlUnwind",
- "kernel32.dll.IsWow64Process",
- "advapi32.dll.AllocateAndInitializeSid",
- "advapi32.dll.OpenProcessToken",
- "advapi32.dll.GetTokenInformation",
- "advapi32.dll.InitializeAcl",
- "advapi32.dll.AddAccessAllowedAce",
- "advapi32.dll.FreeSid",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.AddVectoredContinueHandler",
- "kernel32.dll.RemoveVectoredContinueHandler",
- "advapi32.dll.ConvertSidToStringSidW",
- "shell32.dll.SHGetFolderPathW",
- "kernel32.dll.GetWriteWatch",
- "kernel32.dll.ResetWriteWatch",
- "kernel32.dll.CreateMemoryResourceNotification",
- "kernel32.dll.QueryMemoryResourceNotification",
- "ole32.dll.CoGetContextToken",
- "kernel32.dll.GetFullPathNameW",
- "kernel32.dll.GetVersionExW",
- "advapi32.dll.CryptAcquireContextA",
- "advapi32.dll.CryptGetHashParam",
- "advapi32.dll.CryptImportKey",
- "advapi32.dll.CryptExportKey",
- "advapi32.dll.CryptGenKey",
- "advapi32.dll.CryptGetKeyParam",
- "advapi32.dll.CryptVerifySignatureA",
- "advapi32.dll.CryptSignHashA",
- "advapi32.dll.CryptGetProvParam",
- "advapi32.dll.CryptGetUserKey",
- "advapi32.dll.CryptEnumProvidersA",
- "mscoree.dll.GetMetaDataInternalInterface",
- "mscorwks.dll.GetMetaDataInternalInterface",
- "cryptsp.dll.CryptAcquireContextA",
- "cryptsp.dll.CryptImportKey",
- "cryptsp.dll.CryptVerifySignatureA",
- "cryptsp.dll.CryptDestroyHash",
- "cryptsp.dll.CryptDestroyKey",
- "mscorjit.dll.getJit",
- "kernel32.dll.VirtualProtect",
- "kernel32.dll.GetEnvironmentVariableW",
- "kernel32.dll.SwitchToThread",
- "kernel32.dll.lstrlen",
- "kernel32.dll.lstrlenW",
- "kernel32.dll.GetUserDefaultUILanguage",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.GetFileAttributesExW",
- "bcrypt.dll.BCryptGetFipsAlgorithmMode",
- "ole32.dll.CreateBindCtx",
- "ole32.dll.CoGetObjectContext",
- "sechost.dll.LookupAccountNameLocalW",
- "sechost.dll.LookupAccountSidLocalW",
- "cryptsp.dll.CryptGenRandom",
- "ole32.dll.NdrOleInitializeExtension",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.StringFromIID",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoTaskMemAlloc",
- "ole32.dll.CoTaskMemFree",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "ole32.dll.MkParseDisplayName",
- "oleaut32.dll.#2",
- "oleaut32.dll.#6",
- "kernel32.dll.GetThreadPreferredUILanguages",
- "kernel32.dll.SetThreadPreferredUILanguages",
- "kernel32.dll.GetSystemDefaultLocaleName",
- "ole32.dll.BindMoniker",
- "sxs.dll.SxsOleAut32RedirectTypeLibrary",
- "advapi32.dll.RegOpenKeyW",
- "advapi32.dll.RegEnumKeyW",
- "advapi32.dll.RegQueryValueW",
- "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid",
- "sxs.dll.SxsLookupClrGuid",
- "kernel32.dll.ReleaseActCtx",
- "oleaut32.dll.#9",
- "oleaut32.dll.#4",
- "oleaut32.dll.#283",
- "oleaut32.dll.#284",
- "mscoree.dll.GetTokenForVTableEntry",
- "mscoree.dll.SetTargetForVTableEntry",
- "mscoree.dll.GetTargetForVTableEntry",
- "kernel32.dll.GetLastError",
- "kernel32.dll.LocalAlloc",
- "oleaut32.dll.VariantInit",
- "oleaut32.dll.VariantClear",
- "oleaut32.dll.#7",
- "kernel32.dll.CreateEventW",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.SetEvent",
- "ole32.dll.CoWaitForMultipleHandles",
- "ole32.dll.IIDFromString",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.GetProcAddress",
- "wminet_utils.dll.ResetSecurity",
- "wminet_utils.dll.SetSecurity",
- "wminet_utils.dll.BlessIWbemServices",
- "wminet_utils.dll.BlessIWbemServicesObject",
- "wminet_utils.dll.GetPropertyHandle",
- "wminet_utils.dll.WritePropertyValue",
- "wminet_utils.dll.Clone",
- "wminet_utils.dll.VerifyClientKey",
- "wminet_utils.dll.GetQualifierSet",
- "wminet_utils.dll.Get",
- "wminet_utils.dll.Put",
- "wminet_utils.dll.Delete",
- "wminet_utils.dll.GetNames",
- "wminet_utils.dll.BeginEnumeration",
- "wminet_utils.dll.Next",
- "wminet_utils.dll.EndEnumeration",
- "wminet_utils.dll.GetPropertyQualifierSet",
- "wminet_utils.dll.GetObjectText",
- "wminet_utils.dll.SpawnDerivedClass",
- "wminet_utils.dll.SpawnInstance",
- "wminet_utils.dll.CompareTo",
- "wminet_utils.dll.GetPropertyOrigin",
- "wminet_utils.dll.InheritsFrom",
- "wminet_utils.dll.GetMethod",
- "wminet_utils.dll.PutMethod",
- "wminet_utils.dll.DeleteMethod",
- "wminet_utils.dll.BeginMethodEnumeration",
- "wminet_utils.dll.NextMethod",
- "wminet_utils.dll.EndMethodEnumeration",
- "wminet_utils.dll.GetMethodQualifierSet",
- "wminet_utils.dll.GetMethodOrigin",
- "wminet_utils.dll.QualifierSet_Get",
- "wminet_utils.dll.QualifierSet_Put",
- "wminet_utils.dll.QualifierSet_Delete",
- "wminet_utils.dll.QualifierSet_GetNames",
- "wminet_utils.dll.QualifierSet_BeginEnumeration",
- "wminet_utils.dll.QualifierSet_Next",
- "wminet_utils.dll.QualifierSet_EndEnumeration",
- "wminet_utils.dll.GetCurrentApartmentType",
- "wminet_utils.dll.GetDemultiplexedStub",
- "wminet_utils.dll.CreateInstanceEnumWmi",
- "wminet_utils.dll.CreateClassEnumWmi",
- "wminet_utils.dll.ExecQueryWmi",
- "wminet_utils.dll.ExecNotificationQueryWmi",
- "wminet_utils.dll.PutInstanceWmi",
- "wminet_utils.dll.PutClassWmi",
- "wminet_utils.dll.CloneEnumWbemClassObject",
- "wminet_utils.dll.ConnectServerWmi",
- "ole32.dll.CoUninitialize",
- "oleaut32.dll.SysStringLen",
- "kernel32.dll.RtlZeroMemory",
- "kernel32.dll.RegOpenKeyExW",
- "advapi32.dll.GetUserNameW",
- "kernel32.dll.GetComputerNameW",
- "kernel32.dll.GetModuleHandleW",
- "user32.dll.DefWindowProcW",
- "gdi32.dll.GetStockObject",
- "user32.dll.RegisterClassW",
- "user32.dll.CreateWindowExW",
- "user32.dll.SetWindowLongW",
- "user32.dll.GetWindowLongW",
- "kernel32.dll.GetCurrentProcess",
- "kernel32.dll.GetCurrentThread",
- "kernel32.dll.DuplicateHandle",
- "kernel32.dll.GetCurrentThreadId",
- "user32.dll.CallWindowProcW",
- "user32.dll.RegisterWindowMessageW",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "kernel32.dll.GetCurrentProcessId",
- "advapi32.dll.LookupPrivilegeValueW",
- "advapi32.dll.AdjustTokenPrivileges",
- "ntdll.dll.NtQuerySystemInformation",
- "kernel32.dll.CreateIoCompletionPort",
- "kernel32.dll.PostQueuedCompletionStatus",
- "ntdll.dll.NtQueryInformationThread",
- "ntdll.dll.NtGetCurrentProcessorNumber",
- "shfolder.dll.SHGetFolderPathW",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.FindClose",
- "kernel32.dll.FindNextFileW",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.GetFileType",
- "kernel32.dll.GetACP",
- "kernel32.dll.UnmapViewOfFile",
- "kernel32.dll.GetFileSize",
- "kernel32.dll.ReadFile",
- "oleaut32.dll.#204",
- "oleaut32.dll.#203",
- "culture.dll.ConvertLangIdToCultureName",
- "mlang.dll.#112",
- "wininet.dll.FindFirstUrlCacheEntryA",
- "urlmon.dll.CreateUri",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockShared",
- "wininet.dll.FindNextUrlCacheEntryA",
- "urlmon.dll.CreateIUriBuilder",
- "urlmon.dll.IntlPercentEncodeNormalize",
- "wininet.dll.FindCloseUrlCache",
- "cryptsp.dll.CryptGetHashParam",
- "cryptsp.dll.CryptReleaseContext",
- "vaultcli.dll.VaultEnumerateVaults",
- "kernel32.dll.GetSystemTimeAsFileTime",
- "user32.dll.GetLastInputInfo",
- "user32.dll.GetSystemMetrics",
- "user32.dll.GetClientRect",
- "user32.dll.GetWindowRect",
- "user32.dll.GetParent",
- "ole32.dll.OleInitialize",
- "ole32.dll.CoRegisterMessageFilter",
- "user32.dll.PeekMessageW",
- "user32.dll.WaitMessage",
- "mscoree.dll.ND_RI2",
- "rasapi32.dll.RasEnumConnectionsW",
- "rtutils.dll.TraceRegisterExA",
- "rtutils.dll.TracePrintfExA",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.QueryServiceStatus",
- "sechost.dll.CloseServiceHandle",
- "ws2_32.dll.WSAStartup",
- "ws2_32.dll.WSASocketW",
- "ws2_32.dll.setsockopt",
- "ws2_32.dll.WSAEventSelect",
- "ws2_32.dll.ioctlsocket",
- "ws2_32.dll.closesocket",
- "advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
- "kernel32.dll.LocalFree",
- "kernel32.dll.CreateFileMappingW",
- "kernel32.dll.MapViewOfFile",
- "kernel32.dll.VirtualQuery",
- "kernel32.dll.ReleaseMutex",
- "advapi32.dll.CreateWellKnownSid",
- "kernel32.dll.CreateMutexW",
- "kernel32.dll.WaitForSingleObject",
- "kernel32.dll.OpenMutexW",
- "kernel32.dll.OpenProcess",
- "kernel32.dll.GetProcessTimes",
- "ws2_32.dll.WSAIoctl",
- "kernel32.dll.FormatMessageW",
- "rasapi32.dll.RasConnectionNotificationW",
- "sechost.dll.NotifyServiceStatusChangeA",
- "advapi32.dll.RegOpenCurrentUser",
- "advapi32.dll.RegNotifyChangeKeyValue",
- "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
- "kernel32.dll.ResetEvent",
- "iphlpapi.dll.GetNetworkParams",
- "dnsapi.dll.DnsQueryConfig",
- "iphlpapi.dll.GetAdaptersAddresses",
- "iphlpapi.dll.GetIpInterfaceEntry",
- "iphlpapi.dll.GetBestInterfaceEx",
- "ws2_32.dll.inet_addr",
- "ws2_32.dll.getaddrinfo",
- "ws2_32.dll.freeaddrinfo",
- "ws2_32.dll.WSAConnect",
- "ws2_32.dll.send",
- "ws2_32.dll.recv",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "ntmarta.dll.GetMartaExtensionInterface",
- "fastprox.dll.DllGetClassObject",
- "fastprox.dll.DllCanUnloadNow",
- "kernel32.dll.RegQueryValueExW",
- "kernel32.dll.RegCloseKey",
- "oleaut32.dll.#289",
- "oleaut32.dll.#287",
- "oleaut32.dll.#288",
- "oleaut32.dll.#290",
- "oleaut32.dll.#285",
- "winbrand.dll.BrandingLoadString",
- "security.dll.InitSecurityInterfaceW",
- "cryptsp.dll.SystemFunction035",
- "schannel.dll.SpUserModeInitialize",
- "advapi32.dll.RegCreateKeyExW",
- "ntdll.dll.RtlInitUnicodeString",
- "ntdll.dll.RtlFreeUnicodeString",
- "ntdll.dll.NtSetSystemEnvironmentValue",
- "ntdll.dll.NtQuerySystemEnvironmentValue",
- "ntdll.dll.NtCreateFile",
- "ntdll.dll.NtQueryDirectoryObject",
- "ntdll.dll.NtQueryObject",
- "ntdll.dll.NtOpenDirectoryObject",
- "ntdll.dll.NtQueryInformationProcess",
- "ntdll.dll.NtQueryInformationToken",
- "ntdll.dll.NtOpenFile",
- "ntdll.dll.NtClose",
- "ntdll.dll.NtFsControlFile",
- "ntdll.dll.NtQueryVolumeInformationFile",
- "oleaut32.dll.#286",
- "netapi32.dll.NetGroupEnum",
- "netapi32.dll.NetGroupGetInfo",
- "netapi32.dll.NetGroupSetInfo",
- "netapi32.dll.NetLocalGroupGetInfo",
- "netapi32.dll.NetLocalGroupSetInfo",
- "netapi32.dll.NetGroupGetUsers",
- "netapi32.dll.NetLocalGroupGetMembers",
- "netapi32.dll.NetLocalGroupEnum",
- "netapi32.dll.NetShareEnum",
- "netapi32.dll.NetShareGetInfo",
- "netapi32.dll.NetShareAdd",
- "netapi32.dll.NetShareEnumSticky",
- "netapi32.dll.NetShareSetInfo",
- "netapi32.dll.NetShareDel",
- "netapi32.dll.NetShareDelSticky",
- "netapi32.dll.NetShareCheck",
- "netapi32.dll.NetUserEnum",
- "netapi32.dll.NetUserGetInfo",
- "netapi32.dll.NetUserSetInfo",
- "netapi32.dll.NetApiBufferFree",
- "netapi32.dll.NetQueryDisplayInformation",
- "netapi32.dll.NetServerSetInfo",
- "netapi32.dll.NetServerGetInfo",
- "netapi32.dll.NetGetDCName",
- "netapi32.dll.NetWkstaGetInfo",
- "netapi32.dll.NetGetAnyDCName",
- "netapi32.dll.NetServerEnum",
- "netapi32.dll.NetUserModalsGet",
- "netapi32.dll.NetScheduleJobAdd",
- "netapi32.dll.NetScheduleJobDel",
- "netapi32.dll.NetScheduleJobEnum",
- "netapi32.dll.NetScheduleJobGetInfo",
- "netapi32.dll.NetUseGetInfo",
- "netapi32.dll.NetEnumerateTrustedDomains",
- "netapi32.dll.DsGetDcNameW",
- "netapi32.dll.DsRoleGetPrimaryDomainInformation",
- "netapi32.dll.DsRoleFreeMemory",
- "netapi32.dll.NetRenameMachineInDomain",
- "netapi32.dll.NetJoinDomain",
- "netapi32.dll.NetUnjoinDomain",
- "wkscli.dll.NetWkstaGetInfo",
- "cscapi.dll.CscNetApiGetInterface",
- "kernel32.dll.GetDiskFreeSpaceExW",
- "kernel32.dll.GetVolumePathNameW",
- "kernel32.dll.CreateToolhelp32Snapshot",
- "kernel32.dll.Thread32First",
- "kernel32.dll.Thread32Next",
- "kernel32.dll.Process32First",
- "kernel32.dll.Process32Next",
- "kernel32.dll.Module32First",
- "kernel32.dll.Module32Next",
- "kernel32.dll.Heap32ListFirst",
- "kernel32.dll.GlobalMemoryStatusEx",
- "kernel32.dll.GetSystemDefaultUILanguage",
- "oleaut32.dll.#8",
- "oleaut32.dll.#15",
- "oleaut32.dll.#26",
- "wmi.dll.WmiQueryAllDataW",
- "wmi.dll.WmiQuerySingleInstanceW",
- "wmi.dll.WmiSetSingleItemW",
- "wmi.dll.WmiSetSingleInstanceW",
- "wmi.dll.WmiExecuteMethodW",
- "wmi.dll.WmiNotificationRegistrationW",
- "wmi.dll.WmiMofEnumerateResourcesW",
- "wmi.dll.WmiFileHandleToInstanceNameW",
- "wmi.dll.WmiDevInstToInstanceNameW",
- "wmi.dll.WmiQueryGuidInformation",
- "wmi.dll.WmiOpenBlock",
- "wmi.dll.WmiCloseBlock",
- "wmi.dll.WmiFreeBuffer",
- "wmi.dll.WmiEnumerateGuids",
- "oleaut32.dll.#150",
- "wtsapi32.dll.WTSEnumerateSessionsW",
- "winsta.dll.WinStationEnumerateW",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.NdrClientCall3",
- "rpcrt4.dll.I_RpcExceptionFilter",
- "winsta.dll.WinStationFreeMemory",
- "wtsapi32.dll.WTSQuerySessionInformationW",
- "winsta.dll.WinStationQueryInformationW",
- "advapi32.dll.LookupAccountNameW",
- "wtsapi32.dll.WTSFreeMemory",
- "devobj.dll.DevObjCreateDeviceInfoList",
- "devobj.dll.DevObjGetClassDevs",
- "devobj.dll.DevObjEnumDeviceInfo",
- "devobj.dll.DevObjDestroyDeviceInfoList",
- "powrprof.dll.PowerDeterminePlatformRole",
- "oleaut32.dll.#40",
- "oleaut32.dll.#23",
- "oleaut32.dll.#24",
- "oleaut32.dll.#16",
- "wbemcore.dll.Reinitialize",
- "oleaut32.dll.#12",
- "advapi32.dll.WmiMofEnumerateResourcesW",
- "advapi32.dll.WmiFreeBuffer"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "GetModuleFileNameA",
- "address": "0x473000"
- },
- {
- "name": "VirtualAlloc",
- "address": "0x473004"
- },
- {
- "name": "GetProcAddress",
- "address": "0x473008"
- },
- {
- "name": "GetConsoleWindow",
- "address": "0x47300c"
- },
- {
- "name": "SetEndOfFile",
- "address": "0x473010"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x473014"
- },
- {
- "name": "HeapSize",
- "address": "0x473018"
- },
- {
- "name": "CloseHandle",
- "address": "0x47301c"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x473020"
- },
- {
- "name": "SwitchToThread",
- "address": "0x473024"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x473028"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x47302c"
- },
- {
- "name": "GetNativeSystemInfo",
- "address": "0x473030"
- },
- {
- "name": "GetLastError",
- "address": "0x473034"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x473038"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x47303c"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x473040"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x473044"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x473048"
- },
- {
- "name": "SetLastError",
- "address": "0x47304c"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x473050"
- },
- {
- "name": "TlsAlloc",
- "address": "0x473054"
- },
- {
- "name": "TlsGetValue",
- "address": "0x473058"
- },
- {
- "name": "TlsSetValue",
- "address": "0x47305c"
- },
- {
- "name": "TlsFree",
- "address": "0x473060"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x473064"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x473068"
- },
- {
- "name": "EncodePointer",
- "address": "0x47306c"
- },
- {
- "name": "DecodePointer",
- "address": "0x473070"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x473074"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x473078"
- },
- {
- "name": "CompareStringW",
- "address": "0x47307c"
- },
- {
- "name": "LCMapStringW",
- "address": "0x473080"
- },
- {
- "name": "GetLocaleInfoW",
- "address": "0x473084"
- },
- {
- "name": "GetCPInfo",
- "address": "0x473088"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x47308c"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x473090"
- },
- {
- "name": "TerminateProcess",
- "address": "0x473094"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x473098"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x47309c"
- },
- {
- "name": "InitializeSListHead",
- "address": "0x4730a0"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x4730a4"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x4730a8"
- },
- {
- "name": "SetEvent",
- "address": "0x4730ac"
- },
- {
- "name": "GetThreadTimes",
- "address": "0x4730b0"
- },
- {
- "name": "FreeLibrary",
- "address": "0x4730b4"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x4730b8"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x4730bc"
- },
- {
- "name": "RtlUnwind",
- "address": "0x4730c0"
- },
- {
- "name": "RaiseException",
- "address": "0x4730c4"
- },
- {
- "name": "ExitProcess",
- "address": "0x4730c8"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x4730cc"
- },
- {
- "name": "GetStdHandle",
- "address": "0x4730d0"
- },
- {
- "name": "WriteFile",
- "address": "0x4730d4"
- },
- {
- "name": "GetFileSizeEx",
- "address": "0x4730d8"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x4730dc"
- },
- {
- "name": "GetFileType",
- "address": "0x4730e0"
- },
- {
- "name": "HeapAlloc",
- "address": "0x4730e4"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x4730e8"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x4730ec"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x4730f0"
- },
- {
- "name": "HeapFree",
- "address": "0x4730f4"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x4730f8"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x4730fc"
- },
- {
- "name": "IsValidLocale",
- "address": "0x473100"
- },
- {
- "name": "GetUserDefaultLCID",
- "address": "0x473104"
- },
- {
- "name": "EnumSystemLocalesW",
- "address": "0x473108"
- },
- {
- "name": "ReadFile",
- "address": "0x47310c"
- },
- {
- "name": "ReadConsoleW",
- "address": "0x473110"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x473114"
- },
- {
- "name": "GetTimeZoneInformation",
- "address": "0x473118"
- },
- {
- "name": "FindClose",
- "address": "0x47311c"
- },
- {
- "name": "FindFirstFileExW",
- "address": "0x473120"
- },
- {
- "name": "FindNextFileW",
- "address": "0x473124"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x473128"
- },
- {
- "name": "GetACP",
- "address": "0x47312c"
- },
- {
- "name": "GetOEMCP",
- "address": "0x473130"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x473134"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x473138"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x47313c"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x473140"
- },
- {
- "name": "SetEnvironmentVariableW",
- "address": "0x473144"
- },
- {
- "name": "SetStdHandle",
- "address": "0x473148"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x47314c"
- },
- {
- "name": "CreateFileW",
- "address": "0x473150"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "LoadBitmapA",
- "address": "0x473158"
- }
- ],
- "dll": "USER32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x000ffbab",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x0044d730",
- "timestamp": "2019-06-10 02:39:53",
- "osversion": "6.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00071800",
- "entropy": "6.42",
- "raw_address": "0x00000400",
- "virtual_size": "0x0007167d",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00073000",
- "size_of_data": "0x00013e00",
- "entropy": "5.31",
- "raw_address": "0x00071c00",
- "virtual_size": "0x00013cd8",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00087000",
- "size_of_data": "0x00001a00",
- "entropy": "4.04",
- "raw_address": "0x00085a00",
- "virtual_size": "0x00002c28",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0008a000",
- "size_of_data": "0x00064e00",
- "entropy": "7.44",
- "raw_address": "0x00087400",
- "virtual_size": "0x00064d08",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x000ef000",
- "size_of_data": "0x00003a00",
- "entropy": "6.52",
- "raw_address": "0x000ec200",
- "virtual_size": "0x00003850",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x000864f4",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000003c"
- },
- {
- "virtual_address": "0x0008a000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00064d08"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x000ef000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00003850"
- },
- {
- "virtual_address": "0x00081e40",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00081e78",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000040"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00073000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000160"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "c3ac486b6c4c66c65b2f01bed393cd46",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 2,
- "versioninfo": []
- }
- }