paladin316

Exes_0e298012_exe.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: "Malicious"
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_0e298012.exe"
  7. [*] File Size: 982016
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "5aaed2fc51f080c89338fbb2f2f6818ac81c171e741b1aa8cec594498257f041"
  10. [*] MD5: "38db6ceee8a5492b7dbdf4047148e86d"
  11. [*] SHA1: "cdf04f1b4dda97d49d95d4fc561b9f06dd35dad8"
  12. [*] SHA512: "89c34c051ddb27b8aaa794e6d704f4480fd0104990948fe66ab2f34edad8776d2a50a8efe6392736c44743d6fae7238b01139aa548ed01d6e95346ea65bd0148"
  13. [*] CRC32: "0E298012"
  14. [*] SSDEEP: "24576:DJZqSp5CT781CWBMtSCm30NtdTfnl0Bu7O4GWiRv:lZXXAOCWQSCm30NtdDnl0BX4Hcv"
  15.  
  16. [*] Process Execution: [
  17. "Exes_0e298012.exe",
  18. "InstallUtil.exe",
  19. "services.exe",
  20. "svchost.exe",
  21. "WmiPrvSE.exe",
  22. "svchost.exe",
  23. "svchost.exe",
  24. "WMIADAP.exe"
  25. ]
  26.  
  27. [*] Signatures Detected: [
  28. {
  29. "Description": "Creates RWX memory",
  30. "Details": []
  31. },
  32. {
  33. "Description": "A process attempted to delay the analysis task.",
  34. "Details": [
  35. {
  36. "Process": "InstallUtil.exe tried to sleep 643 seconds, actually delayed analysis time by 0 seconds"
  37. }
  38. ]
  39. },
  40. {
  41. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  42. "Details": [
  43. {
  44. "ioc": "2.0.0.0"
  45. },
  46. {
  47. "ioc": "v2.0.50727"
  48. }
  49. ]
  50. },
  51. {
  52. "Description": "A process created a hidden window",
  53. "Details": [
  54. {
  55. "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
  56. }
  57. ]
  58. },
  59. {
  60. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  61. "Details": [
  62. {
  63. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  64. },
  65. {
  66. "suspicious_request": "http://checkip.amazonaws.com/"
  67. }
  68. ]
  69. },
  70. {
  71. "Description": "Performs some HTTP requests",
  72. "Details": [
  73. {
  74. "url": "http://checkip.amazonaws.com/"
  75. }
  76. ]
  77. },
  78. {
  79. "Description": "The binary likely contains encrypted or compressed data.",
  80. "Details": [
  81. {
  82. "section": "name: .rsrc, entropy: 7.44, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00064e00, virtual_size: 0x00064d08"
  83. }
  84. ]
  85. },
  86. {
  87. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  88. "Details": [
  89. {
  90. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 12591048 times"
  91. }
  92. ]
  93. },
  94. {
  95. "Description": "Steals private information from local Internet browsers",
  96. "Details": [
  97. {
  98. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  99. }
  100. ]
  101. },
  102. {
  103. "Description": "Installs itself for autorun at Windows startup",
  104. "Details": [
  105. {
  106. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DuxyMxa.exe"
  107. },
  108. {
  109. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\BIT8E9A.tmp"
  110. },
  111. {
  112. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DuxyMxa.exe"
  113. }
  114. ]
  115. },
  116. {
  117. "Description": "Creates a hidden or system file",
  118. "Details": [
  119. {
  120. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\BIT8E9A.tmp"
  121. }
  122. ]
  123. },
  124. {
  125. "Description": "Retrieves Windows ProductID, probably to fingerprint the sandbox",
  126. "Details": []
  127. },
  128. {
  129. "Description": "File has been identified by 47 Antiviruses on VirusTotal as malicious",
  130. "Details": [
  131. {
  132. "MicroWorld-eScan": "Trojan.Injector.DEN"
  133. },
  134. {
  135. "FireEye": "Generic.mg.38db6ceee8a5492b"
  136. },
  137. {
  138. "McAfee": "RDN/Generic.dx"
  139. },
  140. {
  141. "Malwarebytes": "Trojan.MalPack.RVRS"
  142. },
  143. {
  144. "Alibaba": "Backdoor:Win32/Androm.611a547c"
  145. },
  146. {
  147. "K7GW": "Trojan ( 0054fe271 )"
  148. },
  149. {
  150. "K7AntiVirus": "Trojan ( 0054fe271 )"
  151. },
  152. {
  153. "Arcabit": "Trojan.Injector.DEN"
  154. },
  155. {
  156. "Invincea": "heuristic"
  157. },
  158. {
  159. "NANO-Antivirus": "Trojan.Win32.GenKryptik.fregry"
  160. },
  161. {
  162. "Symantec": "Trojan.Gen.MBT"
  163. },
  164. {
  165. "APEX": "Malicious"
  166. },
  167. {
  168. "Avast": "Win32:Malware-gen"
  169. },
  170. {
  171. "Kaspersky": "Backdoor.Win32.Androm.snpx"
  172. },
  173. {
  174. "BitDefender": "Trojan.Injector.DEN"
  175. },
  176. {
  177. "Paloalto": "generic.ml"
  178. },
  179. {
  180. "AegisLab": "Trojan.Win32.Generic.4!c"
  181. },
  182. {
  183. "Tencent": "Win32.Backdoor.Androm.Lmvb"
  184. },
  185. {
  186. "Ad-Aware": "Trojan.Injector.DEN"
  187. },
  188. {
  189. "Emsisoft": "Trojan.Injector.DEN (B)"
  190. },
  191. {
  192. "F-Secure": "Trojan.TR/Kryptik.mlipd"
  193. },
  194. {
  195. "DrWeb": "Trojan.DownLoader28.47155"
  196. },
  197. {
  198. "TrendMicro": "TROJ_GEN.R002C0WFB19"
  199. },
  200. {
  201. "McAfee-GW-Edition": "BehavesLike.Win32.MultiPlug.dc"
  202. },
  203. {
  204. "Trapmine": "suspicious.low.ml.score"
  205. },
  206. {
  207. "Sophos": "Mal/Generic-S"
  208. },
  209. {
  210. "SentinelOne": "DFI - Malicious PE"
  211. },
  212. {
  213. "Cyren": "W32/Trojan.AWDC-2417"
  214. },
  215. {
  216. "ESET-NOD32": "a variant of Win32/GenKryptik.DKIK"
  217. },
  218. {
  219. "Avira": "TR/Kryptik.mlipd"
  220. },
  221. {
  222. "Microsoft": "Trojan:Win32/Tiggre!plock"
  223. },
  224. {
  225. "Endgame": "malicious (high confidence)"
  226. },
  227. {
  228. "ZoneAlarm": "Backdoor.Win32.Androm.snpx"
  229. },
  230. {
  231. "GData": "Win32.Trojan-Stealer.Brilik.F2820Q"
  232. },
  233. {
  234. "TACHYON": "Trojan/W32.Inject.982016.B"
  235. },
  236. {
  237. "AhnLab-V3": "Malware/Win32.RL_Generic.R275588"
  238. },
  239. {
  240. "Acronis": "suspicious"
  241. },
  242. {
  243. "VBA32": "Trojan.Downloader"
  244. },
  245. {
  246. "ALYac": "Trojan.Injector.DEN"
  247. },
  248. {
  249. "TrendMicro-HouseCall": "TROJ_GEN.R002C0WFB19"
  250. },
  251. {
  252. "Rising": "Trojan.GenKryptik!8.AA55 (CLOUD)"
  253. },
  254. {
  255. "Ikarus": "Trojan.Win32.Krypt"
  256. },
  257. {
  258. "Fortinet": "W32/GenKryptik.DKIK!tr"
  259. },
  260. {
  261. "AVG": "Win32:Malware-gen"
  262. },
  263. {
  264. "Panda": "Trj/GdSda.A"
  265. },
  266. {
  267. "CrowdStrike": "win/malicious_confidence_90% (W)"
  268. },
  269. {
  270. "Qihoo-360": "HEUR/QVM10.2.C747.Malware.Gen"
  271. }
  272. ]
  273. },
  274. {
  275. "Description": "Checks the version of Bios, possibly for anti-virtualization",
  276. "Details": []
  277. },
  278. {
  279. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  280. "Details": []
  281. },
  282. {
  283. "Description": "Creates a copy of itself",
  284. "Details": [
  285. {
  286. "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DuxyMxa.exe"
  287. }
  288. ]
  289. },
  290. {
  291. "Description": "Harvests information related to installed mail clients",
  292. "Details": [
  293. {
  294. "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
  295. },
  296. {
  297. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
  298. },
  299. {
  300. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  301. },
  302. {
  303. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
  304. },
  305. {
  306. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  307. },
  308. {
  309. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
  310. },
  311. {
  312. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  313. },
  314. {
  315. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
  316. },
  317. {
  318. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  319. },
  320. {
  321. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
  322. },
  323. {
  324. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  325. },
  326. {
  327. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
  328. },
  329. {
  330. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
  331. },
  332. {
  333. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  334. },
  335. {
  336. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
  337. },
  338. {
  339. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
  340. },
  341. {
  342. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  343. }
  344. ]
  345. },
  346. {
  347. "Description": "Collects information to fingerprint the system",
  348. "Details": []
  349. }
  350. ]
  351.  
  352. [*] Started Service: [
  353. "VaultSvc"
  354. ]
  355.  
  356. [*] Executed Commands: [
  357. "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe\"",
  358. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  359. "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
  360. "C:\\Windows\\system32\\lsass.exe"
  361. ]
  362.  
  363. [*] Mutexes: [
  364. "Global\\CLR_CASOFF_MUTEX",
  365. "Local\\_!MSFTHISTORY!_",
  366. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  367. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  368. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  369. "Global\\.net clr networking",
  370. "Global\\ADAP_WMI_ENTRY"
  371. ]
  372.  
  373. [*] Modified Files: [
  374. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\BIT8E9A.tmp",
  375. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DuxyMxa.exe",
  376. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  377. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  378. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  379. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  380. "\\??\\PIPE\\wkssvc",
  381. "\\??\\PIPE\\srvsvc",
  382. "\\??\\PHYSICALDRIVE0",
  383. "\\??\\CDROM0",
  384. "\\??\\WMIDataDevice",
  385. "\\??\\PIPE\\lsarpc"
  386. ]
  387.  
  388. [*] Deleted Files: [
  389. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\BIT8E9A.tmp"
  390. ]
  391.  
  392. [*] Modified Registry Keys: [
  393. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\StateIndex",
  394. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\InstallUtil_RASAPI32",
  395. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\EnableFileTracing",
  396. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\EnableConsoleTracing",
  397. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\FileTracingMask",
  398. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\ConsoleTracingMask",
  399. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\MaxFileSize",
  400. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\InstallUtil_RASAPI32\\FileDirectory"
  401. ]
  402.  
  403. [*] Deleted Registry Keys: []
  404.  
  405. [*] DNS Communications: [
  406. {
  407. "type": "A",
  408. "request": "checkip.amazonaws.com",
  409. "answers": [
  410. {
  411. "data": "52.206.161.133",
  412. "type": "A"
  413. },
  414. {
  415. "data": "52.200.125.74",
  416. "type": "A"
  417. },
  418. {
  419. "data": "checkip.check-ip.aws.a2z.com",
  420. "type": "CNAME"
  421. },
  422. {
  423. "data": "52.6.79.229",
  424. "type": "A"
  425. },
  426. {
  427. "data": "checkip.us-east-1.prod.check-ip.aws.a2z.com",
  428. "type": "CNAME"
  429. },
  430. {
  431. "data": "34.233.102.38",
  432. "type": "A"
  433. },
  434. {
  435. "data": "52.202.139.131",
  436. "type": "A"
  437. },
  438. {
  439. "data": "18.211.215.84",
  440. "type": "A"
  441. }
  442. ]
  443. }
  444. ]
  445.  
  446. [*] Domains: [
  447. {
  448. "ip": "52.202.139.131",
  449. "domain": "checkip.amazonaws.com"
  450. }
  451. ]
  452.  
  453. [*] Network Communication - ICMP: []
  454.  
  455. [*] Network Communication - HTTP: [
  456. {
  457. "count": 1,
  458. "body": "",
  459. "uri": "http://checkip.amazonaws.com/",
  460. "user-agent": "",
  461. "method": "GET",
  462. "host": "checkip.amazonaws.com",
  463. "version": "1.1",
  464. "path": "/",
  465. "data": "GET / HTTP/1.1\r\nHost: checkip.amazonaws.com\r\nConnection: Keep-Alive\r\n\r\n",
  466. "port": 80
  467. }
  468. ]
  469.  
  470. [*] Network Communication - SMTP: []
  471.  
  472. [*] Network Communication - Hosts: []
  473.  
  474. [*] Network Communication - IRC: []
  475.  
  476. [*] Static Analysis: {
  477. "pe": {
  478. "peid_signatures": null,
  479. "imports": [
  480. {
  481. "imports": [
  482. {
  483. "name": "GetModuleFileNameA",
  484. "address": "0x473000"
  485. },
  486. {
  487. "name": "VirtualAlloc",
  488. "address": "0x473004"
  489. },
  490. {
  491. "name": "GetProcAddress",
  492. "address": "0x473008"
  493. },
  494. {
  495. "name": "GetConsoleWindow",
  496. "address": "0x47300c"
  497. },
  498. {
  499. "name": "SetEndOfFile",
  500. "address": "0x473010"
  501. },
  502. {
  503. "name": "WriteConsoleW",
  504. "address": "0x473014"
  505. },
  506. {
  507. "name": "HeapSize",
  508. "address": "0x473018"
  509. },
  510. {
  511. "name": "CloseHandle",
  512. "address": "0x47301c"
  513. },
  514. {
  515. "name": "GetCurrentProcess",
  516. "address": "0x473020"
  517. },
  518. {
  519. "name": "SwitchToThread",
  520. "address": "0x473024"
  521. },
  522. {
  523. "name": "GetCurrentThread",
  524. "address": "0x473028"
  525. },
  526. {
  527. "name": "GetCurrentThreadId",
  528. "address": "0x47302c"
  529. },
  530. {
  531. "name": "GetNativeSystemInfo",
  532. "address": "0x473030"
  533. },
  534. {
  535. "name": "GetLastError",
  536. "address": "0x473034"
  537. },
  538. {
  539. "name": "WideCharToMultiByte",
  540. "address": "0x473038"
  541. },
  542. {
  543. "name": "QueryPerformanceCounter",
  544. "address": "0x47303c"
  545. },
  546. {
  547. "name": "EnterCriticalSection",
  548. "address": "0x473040"
  549. },
  550. {
  551. "name": "LeaveCriticalSection",
  552. "address": "0x473044"
  553. },
  554. {
  555. "name": "DeleteCriticalSection",
  556. "address": "0x473048"
  557. },
  558. {
  559. "name": "SetLastError",
  560. "address": "0x47304c"
  561. },
  562. {
  563. "name": "InitializeCriticalSectionAndSpinCount",
  564. "address": "0x473050"
  565. },
  566. {
  567. "name": "TlsAlloc",
  568. "address": "0x473054"
  569. },
  570. {
  571. "name": "TlsGetValue",
  572. "address": "0x473058"
  573. },
  574. {
  575. "name": "TlsSetValue",
  576. "address": "0x47305c"
  577. },
  578. {
  579. "name": "TlsFree",
  580. "address": "0x473060"
  581. },
  582. {
  583. "name": "GetSystemTimeAsFileTime",
  584. "address": "0x473064"
  585. },
  586. {
  587. "name": "GetModuleHandleW",
  588. "address": "0x473068"
  589. },
  590. {
  591. "name": "EncodePointer",
  592. "address": "0x47306c"
  593. },
  594. {
  595. "name": "DecodePointer",
  596. "address": "0x473070"
  597. },
  598. {
  599. "name": "MultiByteToWideChar",
  600. "address": "0x473074"
  601. },
  602. {
  603. "name": "GetStringTypeW",
  604. "address": "0x473078"
  605. },
  606. {
  607. "name": "CompareStringW",
  608. "address": "0x47307c"
  609. },
  610. {
  611. "name": "LCMapStringW",
  612. "address": "0x473080"
  613. },
  614. {
  615. "name": "GetLocaleInfoW",
  616. "address": "0x473084"
  617. },
  618. {
  619. "name": "GetCPInfo",
  620. "address": "0x473088"
  621. },
  622. {
  623. "name": "UnhandledExceptionFilter",
  624. "address": "0x47308c"
  625. },
  626. {
  627. "name": "SetUnhandledExceptionFilter",
  628. "address": "0x473090"
  629. },
  630. {
  631. "name": "TerminateProcess",
  632. "address": "0x473094"
  633. },
  634. {
  635. "name": "IsProcessorFeaturePresent",
  636. "address": "0x473098"
  637. },
  638. {
  639. "name": "GetCurrentProcessId",
  640. "address": "0x47309c"
  641. },
  642. {
  643. "name": "InitializeSListHead",
  644. "address": "0x4730a0"
  645. },
  646. {
  647. "name": "IsDebuggerPresent",
  648. "address": "0x4730a4"
  649. },
  650. {
  651. "name": "GetStartupInfoW",
  652. "address": "0x4730a8"
  653. },
  654. {
  655. "name": "SetEvent",
  656. "address": "0x4730ac"
  657. },
  658. {
  659. "name": "GetThreadTimes",
  660. "address": "0x4730b0"
  661. },
  662. {
  663. "name": "FreeLibrary",
  664. "address": "0x4730b4"
  665. },
  666. {
  667. "name": "GetModuleFileNameW",
  668. "address": "0x4730b8"
  669. },
  670. {
  671. "name": "LoadLibraryExW",
  672. "address": "0x4730bc"
  673. },
  674. {
  675. "name": "RtlUnwind",
  676. "address": "0x4730c0"
  677. },
  678. {
  679. "name": "RaiseException",
  680. "address": "0x4730c4"
  681. },
  682. {
  683. "name": "ExitProcess",
  684. "address": "0x4730c8"
  685. },
  686. {
  687. "name": "GetModuleHandleExW",
  688. "address": "0x4730cc"
  689. },
  690. {
  691. "name": "GetStdHandle",
  692. "address": "0x4730d0"
  693. },
  694. {
  695. "name": "WriteFile",
  696. "address": "0x4730d4"
  697. },
  698. {
  699. "name": "GetFileSizeEx",
  700. "address": "0x4730d8"
  701. },
  702. {
  703. "name": "SetFilePointerEx",
  704. "address": "0x4730dc"
  705. },
  706. {
  707. "name": "GetFileType",
  708. "address": "0x4730e0"
  709. },
  710. {
  711. "name": "HeapAlloc",
  712. "address": "0x4730e4"
  713. },
  714. {
  715. "name": "FlushFileBuffers",
  716. "address": "0x4730e8"
  717. },
  718. {
  719. "name": "GetConsoleCP",
  720. "address": "0x4730ec"
  721. },
  722. {
  723. "name": "GetConsoleMode",
  724. "address": "0x4730f0"
  725. },
  726. {
  727. "name": "HeapFree",
  728. "address": "0x4730f4"
  729. },
  730. {
  731. "name": "GetDateFormatW",
  732. "address": "0x4730f8"
  733. },
  734. {
  735. "name": "GetTimeFormatW",
  736. "address": "0x4730fc"
  737. },
  738. {
  739. "name": "IsValidLocale",
  740. "address": "0x473100"
  741. },
  742. {
  743. "name": "GetUserDefaultLCID",
  744. "address": "0x473104"
  745. },
  746. {
  747. "name": "EnumSystemLocalesW",
  748. "address": "0x473108"
  749. },
  750. {
  751. "name": "ReadFile",
  752. "address": "0x47310c"
  753. },
  754. {
  755. "name": "ReadConsoleW",
  756. "address": "0x473110"
  757. },
  758. {
  759. "name": "HeapReAlloc",
  760. "address": "0x473114"
  761. },
  762. {
  763. "name": "GetTimeZoneInformation",
  764. "address": "0x473118"
  765. },
  766. {
  767. "name": "FindClose",
  768. "address": "0x47311c"
  769. },
  770. {
  771. "name": "FindFirstFileExW",
  772. "address": "0x473120"
  773. },
  774. {
  775. "name": "FindNextFileW",
  776. "address": "0x473124"
  777. },
  778. {
  779. "name": "IsValidCodePage",
  780. "address": "0x473128"
  781. },
  782. {
  783. "name": "GetACP",
  784. "address": "0x47312c"
  785. },
  786. {
  787. "name": "GetOEMCP",
  788. "address": "0x473130"
  789. },
  790. {
  791. "name": "GetCommandLineA",
  792. "address": "0x473134"
  793. },
  794. {
  795. "name": "GetCommandLineW",
  796. "address": "0x473138"
  797. },
  798. {
  799. "name": "GetEnvironmentStringsW",
  800. "address": "0x47313c"
  801. },
  802. {
  803. "name": "FreeEnvironmentStringsW",
  804. "address": "0x473140"
  805. },
  806. {
  807. "name": "SetEnvironmentVariableW",
  808. "address": "0x473144"
  809. },
  810. {
  811. "name": "SetStdHandle",
  812. "address": "0x473148"
  813. },
  814. {
  815. "name": "GetProcessHeap",
  816. "address": "0x47314c"
  817. },
  818. {
  819. "name": "CreateFileW",
  820. "address": "0x473150"
  821. }
  822. ],
  823. "dll": "KERNEL32.dll"
  824. },
  825. {
  826. "imports": [
  827. {
  828. "name": "LoadBitmapA",
  829. "address": "0x473158"
  830. }
  831. ],
  832. "dll": "USER32.dll"
  833. }
  834. ],
  835. "digital_signers": null,
  836. "exported_dll_name": null,
  837. "actual_checksum": "0x000ffbab",
  838. "overlay": null,
  839. "imagebase": "0x00400000",
  840. "reported_checksum": "0x00000000",
  841. "icon_hash": null,
  842. "entrypoint": "0x0044d730",
  843. "timestamp": "2019-06-10 02:39:53",
  844. "osversion": "6.0",
  845. "sections": [
  846. {
  847. "name": ".text",
  848. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  849. "virtual_address": "0x00001000",
  850. "size_of_data": "0x00071800",
  851. "entropy": "6.42",
  852. "raw_address": "0x00000400",
  853. "virtual_size": "0x0007167d",
  854. "characteristics_raw": "0x60000020"
  855. },
  856. {
  857. "name": ".rdata",
  858. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  859. "virtual_address": "0x00073000",
  860. "size_of_data": "0x00013e00",
  861. "entropy": "5.31",
  862. "raw_address": "0x00071c00",
  863. "virtual_size": "0x00013cd8",
  864. "characteristics_raw": "0x40000040"
  865. },
  866. {
  867. "name": ".data",
  868. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  869. "virtual_address": "0x00087000",
  870. "size_of_data": "0x00001a00",
  871. "entropy": "4.04",
  872. "raw_address": "0x00085a00",
  873. "virtual_size": "0x00002c28",
  874. "characteristics_raw": "0xc0000040"
  875. },
  876. {
  877. "name": ".rsrc",
  878. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  879. "virtual_address": "0x0008a000",
  880. "size_of_data": "0x00064e00",
  881. "entropy": "7.44",
  882. "raw_address": "0x00087400",
  883. "virtual_size": "0x00064d08",
  884. "characteristics_raw": "0x40000040"
  885. },
  886. {
  887. "name": ".reloc",
  888. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  889. "virtual_address": "0x000ef000",
  890. "size_of_data": "0x00003a00",
  891. "entropy": "6.52",
  892. "raw_address": "0x000ec200",
  893. "virtual_size": "0x00003850",
  894. "characteristics_raw": "0x42000040"
  895. }
  896. ],
  897. "resources": [],
  898. "dirents": [
  899. {
  900. "virtual_address": "0x00000000",
  901. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  902. "size": "0x00000000"
  903. },
  904. {
  905. "virtual_address": "0x000864f4",
  906. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  907. "size": "0x0000003c"
  908. },
  909. {
  910. "virtual_address": "0x0008a000",
  911. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  912. "size": "0x00064d08"
  913. },
  914. {
  915. "virtual_address": "0x00000000",
  916. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  917. "size": "0x00000000"
  918. },
  919. {
  920. "virtual_address": "0x00000000",
  921. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  922. "size": "0x00000000"
  923. },
  924. {
  925. "virtual_address": "0x000ef000",
  926. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  927. "size": "0x00003850"
  928. },
  929. {
  930. "virtual_address": "0x00081e40",
  931. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  932. "size": "0x00000038"
  933. },
  934. {
  935. "virtual_address": "0x00000000",
  936. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  937. "size": "0x00000000"
  938. },
  939. {
  940. "virtual_address": "0x00000000",
  941. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  942. "size": "0x00000000"
  943. },
  944. {
  945. "virtual_address": "0x00000000",
  946. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  947. "size": "0x00000000"
  948. },
  949. {
  950. "virtual_address": "0x00081e78",
  951. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  952. "size": "0x00000040"
  953. },
  954. {
  955. "virtual_address": "0x00000000",
  956. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  957. "size": "0x00000000"
  958. },
  959. {
  960. "virtual_address": "0x00073000",
  961. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  962. "size": "0x00000160"
  963. },
  964. {
  965. "virtual_address": "0x00000000",
  966. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  967. "size": "0x00000000"
  968. },
  969. {
  970. "virtual_address": "0x00000000",
  971. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  972. "size": "0x00000000"
  973. },
  974. {
  975. "virtual_address": "0x00000000",
  976. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  977. "size": "0x00000000"
  978. }
  979. ],
  980. "exports": [],
  981. "guest_signers": {},
  982. "imphash": "c3ac486b6c4c66c65b2f01bed393cd46",
  983. "icon_fuzzy": null,
  984. "icon": null,
  985. "pdbpath": null,
  986. "imported_dll_count": 2,
  987. "versioninfo": []
  988. }
  989. }
  990.  
  991. [*] Resolved APIs: [
  992. "kernel32.dll.InitializeCriticalSectionEx",
  993. "kernel32.dll.FlsAlloc",
  994. "kernel32.dll.FlsSetValue",
  995. "kernel32.dll.FlsGetValue",
  996. "kernel32.dll.LCMapStringEx",
  997. "kernel32.dll.AreFileApisANSI",
  998. "kernel32.dll.FlsFree",
  999. "kernel32.dll.InitOnceExecuteOnce",
  1000. "kernel32.dll.CreateEventExW",
  1001. "kernel32.dll.CreateSemaphoreW",
  1002. "kernel32.dll.CreateSemaphoreExW",
  1003. "kernel32.dll.CreateThreadpoolTimer",
  1004. "kernel32.dll.SetThreadpoolTimer",
  1005. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1006. "kernel32.dll.CloseThreadpoolTimer",
  1007. "kernel32.dll.CreateThreadpoolWait",
  1008. "kernel32.dll.SetThreadpoolWait",
  1009. "kernel32.dll.CloseThreadpoolWait",
  1010. "kernel32.dll.FlushProcessWriteBuffers",
  1011. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1012. "kernel32.dll.GetCurrentProcessorNumber",
  1013. "kernel32.dll.CreateSymbolicLinkW",
  1014. "kernel32.dll.GetTickCount64",
  1015. "kernel32.dll.GetFileInformationByHandleEx",
  1016. "kernel32.dll.SetFileInformationByHandle",
  1017. "kernel32.dll.InitializeConditionVariable",
  1018. "kernel32.dll.WakeConditionVariable",
  1019. "kernel32.dll.WakeAllConditionVariable",
  1020. "kernel32.dll.SleepConditionVariableCS",
  1021. "kernel32.dll.InitializeSRWLock",
  1022. "kernel32.dll.AcquireSRWLockExclusive",
  1023. "kernel32.dll.TryAcquireSRWLockExclusive",
  1024. "kernel32.dll.ReleaseSRWLockExclusive",
  1025. "kernel32.dll.SleepConditionVariableSRW",
  1026. "kernel32.dll.CreateThreadpoolWork",
  1027. "kernel32.dll.SubmitThreadpoolWork",
  1028. "kernel32.dll.CloseThreadpoolWork",
  1029. "kernel32.dll.CompareStringEx",
  1030. "kernel32.dll.GetLocaleInfoEx",
  1031. "kernel32.dll.EnumSystemLocalesEx",
  1032. "kernel32.dll.GetDateFormatEx",
  1033. "kernel32.dll.GetTimeFormatEx",
  1034. "kernel32.dll.GetUserDefaultLocaleName",
  1035. "kernel32.dll.IsValidLocaleName",
  1036. "kernel32.dll.LCIDToLocaleName",
  1037. "kernel32.dll.LocaleNameToLCID",
  1038. "advapi32.dll.CryptAcquireContextW",
  1039. "advapi32.dll.CryptCreateHash",
  1040. "advapi32.dll.CryptDecrypt",
  1041. "advapi32.dll.CryptDeriveKey",
  1042. "advapi32.dll.CryptDestroyHash",
  1043. "advapi32.dll.CryptDestroyKey",
  1044. "advapi32.dll.CryptHashData",
  1045. "advapi32.dll.CryptReleaseContext",
  1046. "user32.dll.MessageBoxA",
  1047. "ole32.dll.CoInitializeEx",
  1048. "ole32.dll.CoCreateInstance",
  1049. "cryptbase.dll.SystemFunction036",
  1050. "uxtheme.dll.ThemeInitApiHook",
  1051. "user32.dll.IsProcessDPIAware",
  1052. "cryptsp.dll.CryptAcquireContextW",
  1053. "cryptsp.dll.CryptCreateHash",
  1054. "cryptsp.dll.CryptHashData",
  1055. "cryptsp.dll.CryptDeriveKey",
  1056. "cryptsp.dll.CryptDecrypt",
  1057. "apphelp.dll.ApphelpCheckRunAppEx",
  1058. "apphelp.dll.ApphelpQueryModuleDataEx",
  1059. "apphelp.dll.ApphelpParseModuleData",
  1060. "apphelp.dll.ApphelpCreateAppcompatData",
  1061. "apphelp.dll.SdbInitDatabaseEx",
  1062. "apphelp.dll.SdbReleaseDatabase",
  1063. "apphelp.dll.SdbUnpackAppCompatData",
  1064. "apphelp.dll.SdbQueryContext",
  1065. "qmgrprxy.dll.DllGetClassObject",
  1066. "qmgrprxy.dll.DllCanUnloadNow",
  1067. "ole32.dll.CoImpersonateClient",
  1068. "ole32.dll.CoRevertToSelf",
  1069. "rpcrt4.dll.UuidCreate",
  1070. "sechost.dll.ConvertSidToStringSidW",
  1071. "advapi32.dll.LookupAccountSidW",
  1072. "oleaut32.dll.#500",
  1073. "rpcrt4.dll.RpcBindingFree",
  1074. "mpr.dll.WNetGetConnectionW",
  1075. "cfgmgr32.dll.CMP_RegisterNotification",
  1076. "sechost.dll.I_ScPnPGetServiceName",
  1077. "cfgmgr32.dll.CM_MapCrToWin32Err",
  1078. "kernel32.dll.GetProductInfo",
  1079. "advapi32.dll.RegOpenKeyExW",
  1080. "advapi32.dll.RegQueryInfoKeyW",
  1081. "advapi32.dll.RegEnumKeyExW",
  1082. "advapi32.dll.RegEnumValueW",
  1083. "advapi32.dll.RegCloseKey",
  1084. "advapi32.dll.RegQueryValueExW",
  1085. "kernel32.dll.QueryActCtxW",
  1086. "shlwapi.dll.UrlIsW",
  1087. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  1088. "kernel32.dll.IsProcessorFeaturePresent",
  1089. "msvcrt.dll._set_error_mode",
  1090. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  1091. "kernel32.dll.FindActCtxSectionStringW",
  1092. "kernel32.dll.GetSystemWindowsDirectoryW",
  1093. "mscoree.dll.GetProcessExecutableHeap",
  1094. "mscorwks.dll._CorExeMain",
  1095. "mscorwks.dll.GetCLRFunction",
  1096. "advapi32.dll.RegisterTraceGuidsW",
  1097. "advapi32.dll.UnregisterTraceGuids",
  1098. "advapi32.dll.GetTraceLoggerHandle",
  1099. "advapi32.dll.GetTraceEnableLevel",
  1100. "advapi32.dll.GetTraceEnableFlags",
  1101. "advapi32.dll.TraceEvent",
  1102. "mscoree.dll.IEE",
  1103. "mscorwks.dll.IEE",
  1104. "mscoree.dll.GetStartupFlags",
  1105. "mscoree.dll.GetHostConfigurationFile",
  1106. "mscoree.dll.GetCORSystemDirectory",
  1107. "ntdll.dll.RtlUnwind",
  1108. "kernel32.dll.IsWow64Process",
  1109. "advapi32.dll.AllocateAndInitializeSid",
  1110. "advapi32.dll.OpenProcessToken",
  1111. "advapi32.dll.GetTokenInformation",
  1112. "advapi32.dll.InitializeAcl",
  1113. "advapi32.dll.AddAccessAllowedAce",
  1114. "advapi32.dll.FreeSid",
  1115. "kernel32.dll.SetThreadStackGuarantee",
  1116. "kernel32.dll.AddVectoredContinueHandler",
  1117. "kernel32.dll.RemoveVectoredContinueHandler",
  1118. "advapi32.dll.ConvertSidToStringSidW",
  1119. "shell32.dll.SHGetFolderPathW",
  1120. "kernel32.dll.GetWriteWatch",
  1121. "kernel32.dll.ResetWriteWatch",
  1122. "kernel32.dll.CreateMemoryResourceNotification",
  1123. "kernel32.dll.QueryMemoryResourceNotification",
  1124. "ole32.dll.CoGetContextToken",
  1125. "kernel32.dll.GetFullPathNameW",
  1126. "kernel32.dll.GetVersionExW",
  1127. "advapi32.dll.CryptAcquireContextA",
  1128. "advapi32.dll.CryptGetHashParam",
  1129. "advapi32.dll.CryptImportKey",
  1130. "advapi32.dll.CryptExportKey",
  1131. "advapi32.dll.CryptGenKey",
  1132. "advapi32.dll.CryptGetKeyParam",
  1133. "advapi32.dll.CryptVerifySignatureA",
  1134. "advapi32.dll.CryptSignHashA",
  1135. "advapi32.dll.CryptGetProvParam",
  1136. "advapi32.dll.CryptGetUserKey",
  1137. "advapi32.dll.CryptEnumProvidersA",
  1138. "mscoree.dll.GetMetaDataInternalInterface",
  1139. "mscorwks.dll.GetMetaDataInternalInterface",
  1140. "cryptsp.dll.CryptAcquireContextA",
  1141. "cryptsp.dll.CryptImportKey",
  1142. "cryptsp.dll.CryptVerifySignatureA",
  1143. "cryptsp.dll.CryptDestroyHash",
  1144. "cryptsp.dll.CryptDestroyKey",
  1145. "mscorjit.dll.getJit",
  1146. "kernel32.dll.VirtualProtect",
  1147. "kernel32.dll.GetEnvironmentVariableW",
  1148. "kernel32.dll.SwitchToThread",
  1149. "kernel32.dll.lstrlen",
  1150. "kernel32.dll.lstrlenW",
  1151. "kernel32.dll.GetUserDefaultUILanguage",
  1152. "kernel32.dll.SetErrorMode",
  1153. "kernel32.dll.GetFileAttributesExW",
  1154. "bcrypt.dll.BCryptGetFipsAlgorithmMode",
  1155. "ole32.dll.CreateBindCtx",
  1156. "ole32.dll.CoGetObjectContext",
  1157. "sechost.dll.LookupAccountNameLocalW",
  1158. "sechost.dll.LookupAccountSidLocalW",
  1159. "cryptsp.dll.CryptGenRandom",
  1160. "ole32.dll.NdrOleInitializeExtension",
  1161. "ole32.dll.CoGetClassObject",
  1162. "ole32.dll.CoGetMarshalSizeMax",
  1163. "ole32.dll.CoMarshalInterface",
  1164. "ole32.dll.CoUnmarshalInterface",
  1165. "ole32.dll.StringFromIID",
  1166. "ole32.dll.CoGetPSClsid",
  1167. "ole32.dll.CoTaskMemAlloc",
  1168. "ole32.dll.CoTaskMemFree",
  1169. "ole32.dll.CoReleaseMarshalData",
  1170. "ole32.dll.DcomChannelSetHResult",
  1171. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  1172. "ole32.dll.MkParseDisplayName",
  1173. "oleaut32.dll.#2",
  1174. "oleaut32.dll.#6",
  1175. "kernel32.dll.GetThreadPreferredUILanguages",
  1176. "kernel32.dll.SetThreadPreferredUILanguages",
  1177. "kernel32.dll.GetSystemDefaultLocaleName",
  1178. "ole32.dll.BindMoniker",
  1179. "sxs.dll.SxsOleAut32RedirectTypeLibrary",
  1180. "advapi32.dll.RegOpenKeyW",
  1181. "advapi32.dll.RegEnumKeyW",
  1182. "advapi32.dll.RegQueryValueW",
  1183. "sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid",
  1184. "sxs.dll.SxsLookupClrGuid",
  1185. "kernel32.dll.ReleaseActCtx",
  1186. "oleaut32.dll.#9",
  1187. "oleaut32.dll.#4",
  1188. "oleaut32.dll.#283",
  1189. "oleaut32.dll.#284",
  1190. "mscoree.dll.GetTokenForVTableEntry",
  1191. "mscoree.dll.SetTargetForVTableEntry",
  1192. "mscoree.dll.GetTargetForVTableEntry",
  1193. "kernel32.dll.GetLastError",
  1194. "kernel32.dll.LocalAlloc",
  1195. "oleaut32.dll.VariantInit",
  1196. "oleaut32.dll.VariantClear",
  1197. "oleaut32.dll.#7",
  1198. "kernel32.dll.CreateEventW",
  1199. "kernel32.dll.CloseHandle",
  1200. "kernel32.dll.SetEvent",
  1201. "ole32.dll.CoWaitForMultipleHandles",
  1202. "ole32.dll.IIDFromString",
  1203. "kernel32.dll.LoadLibraryA",
  1204. "kernel32.dll.GetProcAddress",
  1205. "wminet_utils.dll.ResetSecurity",
  1206. "wminet_utils.dll.SetSecurity",
  1207. "wminet_utils.dll.BlessIWbemServices",
  1208. "wminet_utils.dll.BlessIWbemServicesObject",
  1209. "wminet_utils.dll.GetPropertyHandle",
  1210. "wminet_utils.dll.WritePropertyValue",
  1211. "wminet_utils.dll.Clone",
  1212. "wminet_utils.dll.VerifyClientKey",
  1213. "wminet_utils.dll.GetQualifierSet",
  1214. "wminet_utils.dll.Get",
  1215. "wminet_utils.dll.Put",
  1216. "wminet_utils.dll.Delete",
  1217. "wminet_utils.dll.GetNames",
  1218. "wminet_utils.dll.BeginEnumeration",
  1219. "wminet_utils.dll.Next",
  1220. "wminet_utils.dll.EndEnumeration",
  1221. "wminet_utils.dll.GetPropertyQualifierSet",
  1222. "wminet_utils.dll.GetObjectText",
  1223. "wminet_utils.dll.SpawnDerivedClass",
  1224. "wminet_utils.dll.SpawnInstance",
  1225. "wminet_utils.dll.CompareTo",
  1226. "wminet_utils.dll.GetPropertyOrigin",
  1227. "wminet_utils.dll.InheritsFrom",
  1228. "wminet_utils.dll.GetMethod",
  1229. "wminet_utils.dll.PutMethod",
  1230. "wminet_utils.dll.DeleteMethod",
  1231. "wminet_utils.dll.BeginMethodEnumeration",
  1232. "wminet_utils.dll.NextMethod",
  1233. "wminet_utils.dll.EndMethodEnumeration",
  1234. "wminet_utils.dll.GetMethodQualifierSet",
  1235. "wminet_utils.dll.GetMethodOrigin",
  1236. "wminet_utils.dll.QualifierSet_Get",
  1237. "wminet_utils.dll.QualifierSet_Put",
  1238. "wminet_utils.dll.QualifierSet_Delete",
  1239. "wminet_utils.dll.QualifierSet_GetNames",
  1240. "wminet_utils.dll.QualifierSet_BeginEnumeration",
  1241. "wminet_utils.dll.QualifierSet_Next",
  1242. "wminet_utils.dll.QualifierSet_EndEnumeration",
  1243. "wminet_utils.dll.GetCurrentApartmentType",
  1244. "wminet_utils.dll.GetDemultiplexedStub",
  1245. "wminet_utils.dll.CreateInstanceEnumWmi",
  1246. "wminet_utils.dll.CreateClassEnumWmi",
  1247. "wminet_utils.dll.ExecQueryWmi",
  1248. "wminet_utils.dll.ExecNotificationQueryWmi",
  1249. "wminet_utils.dll.PutInstanceWmi",
  1250. "wminet_utils.dll.PutClassWmi",
  1251. "wminet_utils.dll.CloneEnumWbemClassObject",
  1252. "wminet_utils.dll.ConnectServerWmi",
  1253. "ole32.dll.CoUninitialize",
  1254. "oleaut32.dll.SysStringLen",
  1255. "kernel32.dll.RtlZeroMemory",
  1256. "kernel32.dll.RegOpenKeyExW",
  1257. "advapi32.dll.GetUserNameW",
  1258. "kernel32.dll.GetComputerNameW",
  1259. "kernel32.dll.GetModuleHandleW",
  1260. "user32.dll.DefWindowProcW",
  1261. "gdi32.dll.GetStockObject",
  1262. "user32.dll.RegisterClassW",
  1263. "user32.dll.CreateWindowExW",
  1264. "user32.dll.SetWindowLongW",
  1265. "user32.dll.GetWindowLongW",
  1266. "kernel32.dll.GetCurrentProcess",
  1267. "kernel32.dll.GetCurrentThread",
  1268. "kernel32.dll.DuplicateHandle",
  1269. "kernel32.dll.GetCurrentThreadId",
  1270. "user32.dll.CallWindowProcW",
  1271. "user32.dll.RegisterWindowMessageW",
  1272. "dwmapi.dll.DwmIsCompositionEnabled",
  1273. "kernel32.dll.GetCurrentProcessId",
  1274. "advapi32.dll.LookupPrivilegeValueW",
  1275. "advapi32.dll.AdjustTokenPrivileges",
  1276. "ntdll.dll.NtQuerySystemInformation",
  1277. "kernel32.dll.CreateIoCompletionPort",
  1278. "kernel32.dll.PostQueuedCompletionStatus",
  1279. "ntdll.dll.NtQueryInformationThread",
  1280. "ntdll.dll.NtGetCurrentProcessorNumber",
  1281. "shfolder.dll.SHGetFolderPathW",
  1282. "kernel32.dll.FindFirstFileW",
  1283. "kernel32.dll.FindClose",
  1284. "kernel32.dll.FindNextFileW",
  1285. "kernel32.dll.CreateFileW",
  1286. "kernel32.dll.GetFileType",
  1287. "kernel32.dll.GetACP",
  1288. "kernel32.dll.UnmapViewOfFile",
  1289. "kernel32.dll.GetFileSize",
  1290. "kernel32.dll.ReadFile",
  1291. "oleaut32.dll.#204",
  1292. "oleaut32.dll.#203",
  1293. "culture.dll.ConvertLangIdToCultureName",
  1294. "mlang.dll.#112",
  1295. "wininet.dll.FindFirstUrlCacheEntryA",
  1296. "urlmon.dll.CreateUri",
  1297. "kernel32.dll.AcquireSRWLockShared",
  1298. "kernel32.dll.ReleaseSRWLockShared",
  1299. "wininet.dll.FindNextUrlCacheEntryA",
  1300. "urlmon.dll.CreateIUriBuilder",
  1301. "urlmon.dll.IntlPercentEncodeNormalize",
  1302. "wininet.dll.FindCloseUrlCache",
  1303. "cryptsp.dll.CryptGetHashParam",
  1304. "cryptsp.dll.CryptReleaseContext",
  1305. "vaultcli.dll.VaultEnumerateVaults",
  1306. "kernel32.dll.GetSystemTimeAsFileTime",
  1307. "user32.dll.GetLastInputInfo",
  1308. "user32.dll.GetSystemMetrics",
  1309. "user32.dll.GetClientRect",
  1310. "user32.dll.GetWindowRect",
  1311. "user32.dll.GetParent",
  1312. "ole32.dll.OleInitialize",
  1313. "ole32.dll.CoRegisterMessageFilter",
  1314. "user32.dll.PeekMessageW",
  1315. "user32.dll.WaitMessage",
  1316. "mscoree.dll.ND_RI2",
  1317. "rasapi32.dll.RasEnumConnectionsW",
  1318. "rtutils.dll.TraceRegisterExA",
  1319. "rtutils.dll.TracePrintfExA",
  1320. "sechost.dll.OpenSCManagerW",
  1321. "sechost.dll.OpenServiceW",
  1322. "sechost.dll.QueryServiceStatus",
  1323. "sechost.dll.CloseServiceHandle",
  1324. "ws2_32.dll.WSAStartup",
  1325. "ws2_32.dll.WSASocketW",
  1326. "ws2_32.dll.setsockopt",
  1327. "ws2_32.dll.WSAEventSelect",
  1328. "ws2_32.dll.ioctlsocket",
  1329. "ws2_32.dll.closesocket",
  1330. "advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  1331. "kernel32.dll.LocalFree",
  1332. "kernel32.dll.CreateFileMappingW",
  1333. "kernel32.dll.MapViewOfFile",
  1334. "kernel32.dll.VirtualQuery",
  1335. "kernel32.dll.ReleaseMutex",
  1336. "advapi32.dll.CreateWellKnownSid",
  1337. "kernel32.dll.CreateMutexW",
  1338. "kernel32.dll.WaitForSingleObject",
  1339. "kernel32.dll.OpenMutexW",
  1340. "kernel32.dll.OpenProcess",
  1341. "kernel32.dll.GetProcessTimes",
  1342. "ws2_32.dll.WSAIoctl",
  1343. "kernel32.dll.FormatMessageW",
  1344. "rasapi32.dll.RasConnectionNotificationW",
  1345. "sechost.dll.NotifyServiceStatusChangeA",
  1346. "advapi32.dll.RegOpenCurrentUser",
  1347. "advapi32.dll.RegNotifyChangeKeyValue",
  1348. "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
  1349. "kernel32.dll.ResetEvent",
  1350. "iphlpapi.dll.GetNetworkParams",
  1351. "dnsapi.dll.DnsQueryConfig",
  1352. "iphlpapi.dll.GetAdaptersAddresses",
  1353. "iphlpapi.dll.GetIpInterfaceEntry",
  1354. "iphlpapi.dll.GetBestInterfaceEx",
  1355. "ws2_32.dll.inet_addr",
  1356. "ws2_32.dll.getaddrinfo",
  1357. "ws2_32.dll.freeaddrinfo",
  1358. "ws2_32.dll.WSAConnect",
  1359. "ws2_32.dll.send",
  1360. "ws2_32.dll.recv",
  1361. "kernel32.dll.SortGetHandle",
  1362. "kernel32.dll.SortCloseHandle",
  1363. "ntmarta.dll.GetMartaExtensionInterface",
  1364. "fastprox.dll.DllGetClassObject",
  1365. "fastprox.dll.DllCanUnloadNow",
  1366. "kernel32.dll.RegQueryValueExW",
  1367. "kernel32.dll.RegCloseKey",
  1368. "oleaut32.dll.#289",
  1369. "oleaut32.dll.#287",
  1370. "oleaut32.dll.#288",
  1371. "oleaut32.dll.#290",
  1372. "oleaut32.dll.#285",
  1373. "winbrand.dll.BrandingLoadString",
  1374. "security.dll.InitSecurityInterfaceW",
  1375. "cryptsp.dll.SystemFunction035",
  1376. "schannel.dll.SpUserModeInitialize",
  1377. "advapi32.dll.RegCreateKeyExW",
  1378. "ntdll.dll.RtlInitUnicodeString",
  1379. "ntdll.dll.RtlFreeUnicodeString",
  1380. "ntdll.dll.NtSetSystemEnvironmentValue",
  1381. "ntdll.dll.NtQuerySystemEnvironmentValue",
  1382. "ntdll.dll.NtCreateFile",
  1383. "ntdll.dll.NtQueryDirectoryObject",
  1384. "ntdll.dll.NtQueryObject",
  1385. "ntdll.dll.NtOpenDirectoryObject",
  1386. "ntdll.dll.NtQueryInformationProcess",
  1387. "ntdll.dll.NtQueryInformationToken",
  1388. "ntdll.dll.NtOpenFile",
  1389. "ntdll.dll.NtClose",
  1390. "ntdll.dll.NtFsControlFile",
  1391. "ntdll.dll.NtQueryVolumeInformationFile",
  1392. "oleaut32.dll.#286",
  1393. "netapi32.dll.NetGroupEnum",
  1394. "netapi32.dll.NetGroupGetInfo",
  1395. "netapi32.dll.NetGroupSetInfo",
  1396. "netapi32.dll.NetLocalGroupGetInfo",
  1397. "netapi32.dll.NetLocalGroupSetInfo",
  1398. "netapi32.dll.NetGroupGetUsers",
  1399. "netapi32.dll.NetLocalGroupGetMembers",
  1400. "netapi32.dll.NetLocalGroupEnum",
  1401. "netapi32.dll.NetShareEnum",
  1402. "netapi32.dll.NetShareGetInfo",
  1403. "netapi32.dll.NetShareAdd",
  1404. "netapi32.dll.NetShareEnumSticky",
  1405. "netapi32.dll.NetShareSetInfo",
  1406. "netapi32.dll.NetShareDel",
  1407. "netapi32.dll.NetShareDelSticky",
  1408. "netapi32.dll.NetShareCheck",
  1409. "netapi32.dll.NetUserEnum",
  1410. "netapi32.dll.NetUserGetInfo",
  1411. "netapi32.dll.NetUserSetInfo",
  1412. "netapi32.dll.NetApiBufferFree",
  1413. "netapi32.dll.NetQueryDisplayInformation",
  1414. "netapi32.dll.NetServerSetInfo",
  1415. "netapi32.dll.NetServerGetInfo",
  1416. "netapi32.dll.NetGetDCName",
  1417. "netapi32.dll.NetWkstaGetInfo",
  1418. "netapi32.dll.NetGetAnyDCName",
  1419. "netapi32.dll.NetServerEnum",
  1420. "netapi32.dll.NetUserModalsGet",
  1421. "netapi32.dll.NetScheduleJobAdd",
  1422. "netapi32.dll.NetScheduleJobDel",
  1423. "netapi32.dll.NetScheduleJobEnum",
  1424. "netapi32.dll.NetScheduleJobGetInfo",
  1425. "netapi32.dll.NetUseGetInfo",
  1426. "netapi32.dll.NetEnumerateTrustedDomains",
  1427. "netapi32.dll.DsGetDcNameW",
  1428. "netapi32.dll.DsRoleGetPrimaryDomainInformation",
  1429. "netapi32.dll.DsRoleFreeMemory",
  1430. "netapi32.dll.NetRenameMachineInDomain",
  1431. "netapi32.dll.NetJoinDomain",
  1432. "netapi32.dll.NetUnjoinDomain",
  1433. "wkscli.dll.NetWkstaGetInfo",
  1434. "cscapi.dll.CscNetApiGetInterface",
  1435. "kernel32.dll.GetDiskFreeSpaceExW",
  1436. "kernel32.dll.GetVolumePathNameW",
  1437. "kernel32.dll.CreateToolhelp32Snapshot",
  1438. "kernel32.dll.Thread32First",
  1439. "kernel32.dll.Thread32Next",
  1440. "kernel32.dll.Process32First",
  1441. "kernel32.dll.Process32Next",
  1442. "kernel32.dll.Module32First",
  1443. "kernel32.dll.Module32Next",
  1444. "kernel32.dll.Heap32ListFirst",
  1445. "kernel32.dll.GlobalMemoryStatusEx",
  1446. "kernel32.dll.GetSystemDefaultUILanguage",
  1447. "oleaut32.dll.#8",
  1448. "oleaut32.dll.#15",
  1449. "oleaut32.dll.#26",
  1450. "wmi.dll.WmiQueryAllDataW",
  1451. "wmi.dll.WmiQuerySingleInstanceW",
  1452. "wmi.dll.WmiSetSingleItemW",
  1453. "wmi.dll.WmiSetSingleInstanceW",
  1454. "wmi.dll.WmiExecuteMethodW",
  1455. "wmi.dll.WmiNotificationRegistrationW",
  1456. "wmi.dll.WmiMofEnumerateResourcesW",
  1457. "wmi.dll.WmiFileHandleToInstanceNameW",
  1458. "wmi.dll.WmiDevInstToInstanceNameW",
  1459. "wmi.dll.WmiQueryGuidInformation",
  1460. "wmi.dll.WmiOpenBlock",
  1461. "wmi.dll.WmiCloseBlock",
  1462. "wmi.dll.WmiFreeBuffer",
  1463. "wmi.dll.WmiEnumerateGuids",
  1464. "oleaut32.dll.#150",
  1465. "wtsapi32.dll.WTSEnumerateSessionsW",
  1466. "winsta.dll.WinStationEnumerateW",
  1467. "rpcrt4.dll.RpcStringBindingComposeW",
  1468. "rpcrt4.dll.RpcBindingFromStringBindingW",
  1469. "rpcrt4.dll.RpcStringFreeW",
  1470. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  1471. "rpcrt4.dll.NdrClientCall3",
  1472. "rpcrt4.dll.I_RpcExceptionFilter",
  1473. "winsta.dll.WinStationFreeMemory",
  1474. "wtsapi32.dll.WTSQuerySessionInformationW",
  1475. "winsta.dll.WinStationQueryInformationW",
  1476. "advapi32.dll.LookupAccountNameW",
  1477. "wtsapi32.dll.WTSFreeMemory",
  1478. "devobj.dll.DevObjCreateDeviceInfoList",
  1479. "devobj.dll.DevObjGetClassDevs",
  1480. "devobj.dll.DevObjEnumDeviceInfo",
  1481. "devobj.dll.DevObjDestroyDeviceInfoList",
  1482. "powrprof.dll.PowerDeterminePlatformRole",
  1483. "oleaut32.dll.#40",
  1484. "oleaut32.dll.#23",
  1485. "oleaut32.dll.#24",
  1486. "oleaut32.dll.#16",
  1487. "wbemcore.dll.Reinitialize",
  1488. "oleaut32.dll.#12",
  1489. "advapi32.dll.WmiMofEnumerateResourcesW",
  1490. "advapi32.dll.WmiFreeBuffer"
  1491. ]
  1492.  
  1493. [*] Static Analysis: {
  1494. "pe": {
  1495. "peid_signatures": null,
  1496. "imports": [
  1497. {
  1498. "imports": [
  1499. {
  1500. "name": "GetModuleFileNameA",
  1501. "address": "0x473000"
  1502. },
  1503. {
  1504. "name": "VirtualAlloc",
  1505. "address": "0x473004"
  1506. },
  1507. {
  1508. "name": "GetProcAddress",
  1509. "address": "0x473008"
  1510. },
  1511. {
  1512. "name": "GetConsoleWindow",
  1513. "address": "0x47300c"
  1514. },
  1515. {
  1516. "name": "SetEndOfFile",
  1517. "address": "0x473010"
  1518. },
  1519. {
  1520. "name": "WriteConsoleW",
  1521. "address": "0x473014"
  1522. },
  1523. {
  1524. "name": "HeapSize",
  1525. "address": "0x473018"
  1526. },
  1527. {
  1528. "name": "CloseHandle",
  1529. "address": "0x47301c"
  1530. },
  1531. {
  1532. "name": "GetCurrentProcess",
  1533. "address": "0x473020"
  1534. },
  1535. {
  1536. "name": "SwitchToThread",
  1537. "address": "0x473024"
  1538. },
  1539. {
  1540. "name": "GetCurrentThread",
  1541. "address": "0x473028"
  1542. },
  1543. {
  1544. "name": "GetCurrentThreadId",
  1545. "address": "0x47302c"
  1546. },
  1547. {
  1548. "name": "GetNativeSystemInfo",
  1549. "address": "0x473030"
  1550. },
  1551. {
  1552. "name": "GetLastError",
  1553. "address": "0x473034"
  1554. },
  1555. {
  1556. "name": "WideCharToMultiByte",
  1557. "address": "0x473038"
  1558. },
  1559. {
  1560. "name": "QueryPerformanceCounter",
  1561. "address": "0x47303c"
  1562. },
  1563. {
  1564. "name": "EnterCriticalSection",
  1565. "address": "0x473040"
  1566. },
  1567. {
  1568. "name": "LeaveCriticalSection",
  1569. "address": "0x473044"
  1570. },
  1571. {
  1572. "name": "DeleteCriticalSection",
  1573. "address": "0x473048"
  1574. },
  1575. {
  1576. "name": "SetLastError",
  1577. "address": "0x47304c"
  1578. },
  1579. {
  1580. "name": "InitializeCriticalSectionAndSpinCount",
  1581. "address": "0x473050"
  1582. },
  1583. {
  1584. "name": "TlsAlloc",
  1585. "address": "0x473054"
  1586. },
  1587. {
  1588. "name": "TlsGetValue",
  1589. "address": "0x473058"
  1590. },
  1591. {
  1592. "name": "TlsSetValue",
  1593. "address": "0x47305c"
  1594. },
  1595. {
  1596. "name": "TlsFree",
  1597. "address": "0x473060"
  1598. },
  1599. {
  1600. "name": "GetSystemTimeAsFileTime",
  1601. "address": "0x473064"
  1602. },
  1603. {
  1604. "name": "GetModuleHandleW",
  1605. "address": "0x473068"
  1606. },
  1607. {
  1608. "name": "EncodePointer",
  1609. "address": "0x47306c"
  1610. },
  1611. {
  1612. "name": "DecodePointer",
  1613. "address": "0x473070"
  1614. },
  1615. {
  1616. "name": "MultiByteToWideChar",
  1617. "address": "0x473074"
  1618. },
  1619. {
  1620. "name": "GetStringTypeW",
  1621. "address": "0x473078"
  1622. },
  1623. {
  1624. "name": "CompareStringW",
  1625. "address": "0x47307c"
  1626. },
  1627. {
  1628. "name": "LCMapStringW",
  1629. "address": "0x473080"
  1630. },
  1631. {
  1632. "name": "GetLocaleInfoW",
  1633. "address": "0x473084"
  1634. },
  1635. {
  1636. "name": "GetCPInfo",
  1637. "address": "0x473088"
  1638. },
  1639. {
  1640. "name": "UnhandledExceptionFilter",
  1641. "address": "0x47308c"
  1642. },
  1643. {
  1644. "name": "SetUnhandledExceptionFilter",
  1645. "address": "0x473090"
  1646. },
  1647. {
  1648. "name": "TerminateProcess",
  1649. "address": "0x473094"
  1650. },
  1651. {
  1652. "name": "IsProcessorFeaturePresent",
  1653. "address": "0x473098"
  1654. },
  1655. {
  1656. "name": "GetCurrentProcessId",
  1657. "address": "0x47309c"
  1658. },
  1659. {
  1660. "name": "InitializeSListHead",
  1661. "address": "0x4730a0"
  1662. },
  1663. {
  1664. "name": "IsDebuggerPresent",
  1665. "address": "0x4730a4"
  1666. },
  1667. {
  1668. "name": "GetStartupInfoW",
  1669. "address": "0x4730a8"
  1670. },
  1671. {
  1672. "name": "SetEvent",
  1673. "address": "0x4730ac"
  1674. },
  1675. {
  1676. "name": "GetThreadTimes",
  1677. "address": "0x4730b0"
  1678. },
  1679. {
  1680. "name": "FreeLibrary",
  1681. "address": "0x4730b4"
  1682. },
  1683. {
  1684. "name": "GetModuleFileNameW",
  1685. "address": "0x4730b8"
  1686. },
  1687. {
  1688. "name": "LoadLibraryExW",
  1689. "address": "0x4730bc"
  1690. },
  1691. {
  1692. "name": "RtlUnwind",
  1693. "address": "0x4730c0"
  1694. },
  1695. {
  1696. "name": "RaiseException",
  1697. "address": "0x4730c4"
  1698. },
  1699. {
  1700. "name": "ExitProcess",
  1701. "address": "0x4730c8"
  1702. },
  1703. {
  1704. "name": "GetModuleHandleExW",
  1705. "address": "0x4730cc"
  1706. },
  1707. {
  1708. "name": "GetStdHandle",
  1709. "address": "0x4730d0"
  1710. },
  1711. {
  1712. "name": "WriteFile",
  1713. "address": "0x4730d4"
  1714. },
  1715. {
  1716. "name": "GetFileSizeEx",
  1717. "address": "0x4730d8"
  1718. },
  1719. {
  1720. "name": "SetFilePointerEx",
  1721. "address": "0x4730dc"
  1722. },
  1723. {
  1724. "name": "GetFileType",
  1725. "address": "0x4730e0"
  1726. },
  1727. {
  1728. "name": "HeapAlloc",
  1729. "address": "0x4730e4"
  1730. },
  1731. {
  1732. "name": "FlushFileBuffers",
  1733. "address": "0x4730e8"
  1734. },
  1735. {
  1736. "name": "GetConsoleCP",
  1737. "address": "0x4730ec"
  1738. },
  1739. {
  1740. "name": "GetConsoleMode",
  1741. "address": "0x4730f0"
  1742. },
  1743. {
  1744. "name": "HeapFree",
  1745. "address": "0x4730f4"
  1746. },
  1747. {
  1748. "name": "GetDateFormatW",
  1749. "address": "0x4730f8"
  1750. },
  1751. {
  1752. "name": "GetTimeFormatW",
  1753. "address": "0x4730fc"
  1754. },
  1755. {
  1756. "name": "IsValidLocale",
  1757. "address": "0x473100"
  1758. },
  1759. {
  1760. "name": "GetUserDefaultLCID",
  1761. "address": "0x473104"
  1762. },
  1763. {
  1764. "name": "EnumSystemLocalesW",
  1765. "address": "0x473108"
  1766. },
  1767. {
  1768. "name": "ReadFile",
  1769. "address": "0x47310c"
  1770. },
  1771. {
  1772. "name": "ReadConsoleW",
  1773. "address": "0x473110"
  1774. },
  1775. {
  1776. "name": "HeapReAlloc",
  1777. "address": "0x473114"
  1778. },
  1779. {
  1780. "name": "GetTimeZoneInformation",
  1781. "address": "0x473118"
  1782. },
  1783. {
  1784. "name": "FindClose",
  1785. "address": "0x47311c"
  1786. },
  1787. {
  1788. "name": "FindFirstFileExW",
  1789. "address": "0x473120"
  1790. },
  1791. {
  1792. "name": "FindNextFileW",
  1793. "address": "0x473124"
  1794. },
  1795. {
  1796. "name": "IsValidCodePage",
  1797. "address": "0x473128"
  1798. },
  1799. {
  1800. "name": "GetACP",
  1801. "address": "0x47312c"
  1802. },
  1803. {
  1804. "name": "GetOEMCP",
  1805. "address": "0x473130"
  1806. },
  1807. {
  1808. "name": "GetCommandLineA",
  1809. "address": "0x473134"
  1810. },
  1811. {
  1812. "name": "GetCommandLineW",
  1813. "address": "0x473138"
  1814. },
  1815. {
  1816. "name": "GetEnvironmentStringsW",
  1817. "address": "0x47313c"
  1818. },
  1819. {
  1820. "name": "FreeEnvironmentStringsW",
  1821. "address": "0x473140"
  1822. },
  1823. {
  1824. "name": "SetEnvironmentVariableW",
  1825. "address": "0x473144"
  1826. },
  1827. {
  1828. "name": "SetStdHandle",
  1829. "address": "0x473148"
  1830. },
  1831. {
  1832. "name": "GetProcessHeap",
  1833. "address": "0x47314c"
  1834. },
  1835. {
  1836. "name": "CreateFileW",
  1837. "address": "0x473150"
  1838. }
  1839. ],
  1840. "dll": "KERNEL32.dll"
  1841. },
  1842. {
  1843. "imports": [
  1844. {
  1845. "name": "LoadBitmapA",
  1846. "address": "0x473158"
  1847. }
  1848. ],
  1849. "dll": "USER32.dll"
  1850. }
  1851. ],
  1852. "digital_signers": null,
  1853. "exported_dll_name": null,
  1854. "actual_checksum": "0x000ffbab",
  1855. "overlay": null,
  1856. "imagebase": "0x00400000",
  1857. "reported_checksum": "0x00000000",
  1858. "icon_hash": null,
  1859. "entrypoint": "0x0044d730",
  1860. "timestamp": "2019-06-10 02:39:53",
  1861. "osversion": "6.0",
  1862. "sections": [
  1863. {
  1864. "name": ".text",
  1865. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1866. "virtual_address": "0x00001000",
  1867. "size_of_data": "0x00071800",
  1868. "entropy": "6.42",
  1869. "raw_address": "0x00000400",
  1870. "virtual_size": "0x0007167d",
  1871. "characteristics_raw": "0x60000020"
  1872. },
  1873. {
  1874. "name": ".rdata",
  1875. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1876. "virtual_address": "0x00073000",
  1877. "size_of_data": "0x00013e00",
  1878. "entropy": "5.31",
  1879. "raw_address": "0x00071c00",
  1880. "virtual_size": "0x00013cd8",
  1881. "characteristics_raw": "0x40000040"
  1882. },
  1883. {
  1884. "name": ".data",
  1885. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1886. "virtual_address": "0x00087000",
  1887. "size_of_data": "0x00001a00",
  1888. "entropy": "4.04",
  1889. "raw_address": "0x00085a00",
  1890. "virtual_size": "0x00002c28",
  1891. "characteristics_raw": "0xc0000040"
  1892. },
  1893. {
  1894. "name": ".rsrc",
  1895. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1896. "virtual_address": "0x0008a000",
  1897. "size_of_data": "0x00064e00",
  1898. "entropy": "7.44",
  1899. "raw_address": "0x00087400",
  1900. "virtual_size": "0x00064d08",
  1901. "characteristics_raw": "0x40000040"
  1902. },
  1903. {
  1904. "name": ".reloc",
  1905. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1906. "virtual_address": "0x000ef000",
  1907. "size_of_data": "0x00003a00",
  1908. "entropy": "6.52",
  1909. "raw_address": "0x000ec200",
  1910. "virtual_size": "0x00003850",
  1911. "characteristics_raw": "0x42000040"
  1912. }
  1913. ],
  1914. "resources": [],
  1915. "dirents": [
  1916. {
  1917. "virtual_address": "0x00000000",
  1918. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1919. "size": "0x00000000"
  1920. },
  1921. {
  1922. "virtual_address": "0x000864f4",
  1923. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1924. "size": "0x0000003c"
  1925. },
  1926. {
  1927. "virtual_address": "0x0008a000",
  1928. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1929. "size": "0x00064d08"
  1930. },
  1931. {
  1932. "virtual_address": "0x00000000",
  1933. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1934. "size": "0x00000000"
  1935. },
  1936. {
  1937. "virtual_address": "0x00000000",
  1938. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1939. "size": "0x00000000"
  1940. },
  1941. {
  1942. "virtual_address": "0x000ef000",
  1943. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1944. "size": "0x00003850"
  1945. },
  1946. {
  1947. "virtual_address": "0x00081e40",
  1948. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1949. "size": "0x00000038"
  1950. },
  1951. {
  1952. "virtual_address": "0x00000000",
  1953. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1954. "size": "0x00000000"
  1955. },
  1956. {
  1957. "virtual_address": "0x00000000",
  1958. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1959. "size": "0x00000000"
  1960. },
  1961. {
  1962. "virtual_address": "0x00000000",
  1963. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1964. "size": "0x00000000"
  1965. },
  1966. {
  1967. "virtual_address": "0x00081e78",
  1968. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1969. "size": "0x00000040"
  1970. },
  1971. {
  1972. "virtual_address": "0x00000000",
  1973. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1974. "size": "0x00000000"
  1975. },
  1976. {
  1977. "virtual_address": "0x00073000",
  1978. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1979. "size": "0x00000160"
  1980. },
  1981. {
  1982. "virtual_address": "0x00000000",
  1983. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1984. "size": "0x00000000"
  1985. },
  1986. {
  1987. "virtual_address": "0x00000000",
  1988. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1989. "size": "0x00000000"
  1990. },
  1991. {
  1992. "virtual_address": "0x00000000",
  1993. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1994. "size": "0x00000000"
  1995. }
  1996. ],
  1997. "exports": [],
  1998. "guest_signers": {},
  1999. "imphash": "c3ac486b6c4c66c65b2f01bed393cd46",
  2000. "icon_fuzzy": null,
  2001. "icon": null,
  2002. "pdbpath": null,
  2003. "imported_dll_count": 2,
  2004. "versioninfo": []
  2005. }
  2006. }