paladin316

word28-01-2019_doc_exe_2019-06-24_20_30.json

Jun 24th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 8.3
  5.  
  6. [*] File Name: "word28-01-2019.doc.exe"
  7. [*] File Size: 83968
  8. [*] File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
  9. [*] SHA256: "0284b1144191db3726db5c00dacb19f2a760defc740b006bca80c2e06239b37f"
  10. [*] MD5: "03364237e1b1201385dfc0f79c8c2fab"
  11. [*] SHA1: "cd2d695e63ba01f4b24c2aa9f39bf8da01a409a6"
  12. [*] SHA512: "ce178801a06cf890c1f8ab5a87efe4cae503baf78a2b8f4ec91f4c700244e56424dd16672e61aa6d935ff77e085dbee32f86fa54daf865e1f5493889b46e70a4"
  13. [*] CRC32: "21C6AA8A"
  14. [*] SSDEEP: "1536:5/NNjBJia0IazMOxBQDh+W/Rf0Sc8IRsvc8Ke2dOLEpvWNSXj8BRbG:fNtJiaQQt+m0Sgs6e2MLEpvJsG"
  15.  
  16. [*] Process Execution: [
  17. "word28-01-2019.doc.exe",
  18. "doc.exe",
  19. "netsh.exe"
  20. ]
  21.  
  22. [*] Signatures Detected: [
  23. {
  24. "Description": "Creates RWX memory",
  25. "Details": []
  26. },
  27. {
  28. "Description": "Reads data out of its own binary image",
  29. "Details": [
  30. {
  31. "self_read": "process: word28-01-2019.doc.exe, pid: 1728, offset: 0x00000000, length: 0x00014800"
  32. }
  33. ]
  34. },
  35. {
  36. "Description": "Drops a binary and executes it",
  37. "Details": [
  38. {
  39. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe"
  40. }
  41. ]
  42. },
  43. {
  44. "Description": "Attempts to mimic the file extension of a Word 97-2003 document by using a double extension ('.doc.exe'); with known extensions hidden the file displays as 'word28-01-2019.doc'.",
  45. "Details": []
  46. },
  47. {
  48. "Description": "Sniffs keystrokes",
  49. "Details": [
  50. {
  51. "GetAsyncKeyState": "Process: doc.exe(3060)"
  52. }
  53. ]
  54. },
  55. {
  56. "Description": "Installs itself for autorun at Windows startup",
  57. "Details": [
  58. {
  59. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\f062a1be715f108d3fc891dc39c27c52"
  60. },
  61. {
  62. "data": "\"C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe\" .."
  63. },
  64. {
  65. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\f062a1be715f108d3fc891dc39c27c52"
  66. },
  67. {
  68. "data": "\"C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe\" .."
  69. },
  70. {
  71. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f062a1be715f108d3fc891dc39c27c52.exe"
  72. },
  73. {
  74. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f062a1be715f108d3fc891dc39c27c52.exe"
  75. }
  76. ]
  77. },
  78. {
  79. "Description": "Creates a copy of itself",
  80. "Details": [
  81. {
  82. "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe"
  83. },
  84. {
  85. "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f062a1be715f108d3fc891dc39c27c52.exe"
  86. }
  87. ]
  88. }
  89. ]
  90.  
  91. [*] Started Service: []
  92.  
  93. [*] Executed Commands: [
  94. "C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe ",
  95. "netsh firewall add allowedprogram \"C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe\" \"doc.exe\" ENABLE"
  96. ]
  97.  
  98. [*] Mutexes: [
  99. "Global\\CLR_CASOFF_MUTEX",
  100. "f062a1be715f108d3fc891dc39c27c52",
  101. "Global\\.net clr networking"
  102. ]
  103.  
  104. [*] Modified Files: [
  105. "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
  106. "C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe",
  107. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f062a1be715f108d3fc891dc39c27c52.exe",
  108. "\\Device\\Http\\Communication"
  109. ]
  110.  
  111. [*] Deleted Files: [
  112. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1728.25783171",
  113. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1728.25783171",
  114. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1728.25783171"
  115. ]
  116.  
  117. [*] Modified Registry Keys: [
  118. "HKEY_CURRENT_USER\\di",
  119. "HKEY_CURRENT_USER\\Environment\\SEE_MASK_NOZONECHECKS",
  120. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\f062a1be715f108d3fc891dc39c27c52",
  121. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\f062a1be715f108d3fc891dc39c27c52",
  122. "HKEY_CURRENT_USER\\Software\\f062a1be715f108d3fc891dc39c27c52",
  123. "HKEY_CURRENT_USER\\Software\\f062a1be715f108d3fc891dc39c27c52\\[kl]",
  124. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  125. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
  126. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
  127. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
  128. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
  129. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
  130. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
  131. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
  132. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
  133. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
  134. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
  135. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
  136. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
  137. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
  138. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
  139. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
  140. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103"
  141. ]
  142.  
  143. [*] Deleted Registry Keys: []
  144.  
  145. [*] DNS Communications: [
  146. {
  147. "type": "A",
  148. "request": "secureisrael.ddns.net",
  149. "answers": []
  150. }
  151. ]
  152.  
  153. [*] Domains: [
  154. {
  155. "ip": "",
  156. "domain": "secureisrael.ddns.net"
  157. }
  158. ]
  159.  
  160. [*] Network Communication - ICMP: []
  161.  
  162. [*] Network Communication - HTTP: []
  163.  
  164. [*] Network Communication - SMTP: []
  165.  
  166. [*] Network Communication - Hosts: []
  167.  
  168. [*] Network Communication - IRC: []
  169.  
  170. [*] Static Analysis: {
  171. "dotnet": {
  172. "customattrs": null,
  173. "assemblyinfo": {
  174. "version": "1.0.0.0",
  175. "name": "word"
  176. },
  177. "assemblyrefs": [
  178. {
  179. "version": "2.0.0.0",
  180. "name": "mscorlib"
  181. },
  182. {
  183. "version": "8.0.0.0",
  184. "name": "Microsoft.VisualBasic"
  185. },
  186. {
  187. "version": "2.0.0.0",
  188. "name": "System.Windows.Forms"
  189. },
  190. {
  191. "version": "2.0.0.0",
  192. "name": "System"
  193. },
  194. {
  195. "version": "2.0.0.0",
  196. "name": "System.Drawing"
  197. }
  198. ],
  199. "typerefs": [
  200. {
  201. "typename": "Microsoft.VisualBasic.ApplicationServices.AuthenticationMode",
  202. "assembly": "Microsoft.VisualBasic"
  203. },
  204. {
  205. "typename": "Microsoft.VisualBasic.ApplicationServices.ShutdownEventHandler",
  206. "assembly": "Microsoft.VisualBasic"
  207. },
  208. {
  209. "typename": "Microsoft.VisualBasic.ApplicationServices.ShutdownMode",
  210. "assembly": "Microsoft.VisualBasic"
  211. },
  212. {
  213. "typename": "Microsoft.VisualBasic.ApplicationServices.User",
  214. "assembly": "Microsoft.VisualBasic"
  215. },
  216. {
  217. "typename": "Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase",
  218. "assembly": "Microsoft.VisualBasic"
  219. },
  220. {
  221. "typename": "Microsoft.VisualBasic.CompilerServices.Conversions",
  222. "assembly": "Microsoft.VisualBasic"
  223. },
  224. {
  225. "typename": "Microsoft.VisualBasic.CompilerServices.DesignerGeneratedAttribute",
  226. "assembly": "Microsoft.VisualBasic"
  227. },
  228. {
  229. "typename": "Microsoft.VisualBasic.CompilerServices.NewLateBinding",
  230. "assembly": "Microsoft.VisualBasic"
  231. },
  232. {
  233. "typename": "Microsoft.VisualBasic.CompilerServices.ObjectFlowControl",
  234. "assembly": "Microsoft.VisualBasic"
  235. },
  236. {
  237. "typename": "Microsoft.VisualBasic.CompilerServices.ProjectData",
  238. "assembly": "Microsoft.VisualBasic"
  239. },
  240. {
  241. "typename": "Microsoft.VisualBasic.CompilerServices.StandardModuleAttribute",
  242. "assembly": "Microsoft.VisualBasic"
  243. },
  244. {
  245. "typename": "Microsoft.VisualBasic.CompilerServices.Utils",
  246. "assembly": "Microsoft.VisualBasic"
  247. },
  248. {
  249. "typename": "Microsoft.VisualBasic.Devices.Computer",
  250. "assembly": "Microsoft.VisualBasic"
  251. },
  252. {
  253. "typename": "Microsoft.VisualBasic.HideModuleNameAttribute",
  254. "assembly": "Microsoft.VisualBasic"
  255. },
  256. {
  257. "typename": "Microsoft.VisualBasic.MyGroupCollectionAttribute",
  258. "assembly": "Microsoft.VisualBasic"
  259. },
  260. {
  261. "typename": "Microsoft.VisualBasic.Strings",
  262. "assembly": "Microsoft.VisualBasic"
  263. },
  264. {
  265. "typename": "System.CodeDom.Compiler.GeneratedCodeAttribute",
  266. "assembly": "System"
  267. },
  268. {
  269. "typename": "System.ComponentModel.Component",
  270. "assembly": "System"
  271. },
  272. {
  273. "typename": "System.ComponentModel.Design.HelpKeywordAttribute",
  274. "assembly": "System"
  275. },
  276. {
  277. "typename": "System.ComponentModel.EditorBrowsableAttribute",
  278. "assembly": "System"
  279. },
  280. {
  281. "typename": "System.ComponentModel.EditorBrowsableState",
  282. "assembly": "System"
  283. },
  284. {
  285. "typename": "System.ComponentModel.IContainer",
  286. "assembly": "System"
  287. },
  288. {
  289. "typename": "System.Configuration.ApplicationSettingsBase",
  290. "assembly": "System"
  291. },
  292. {
  293. "typename": "System.Configuration.SettingsBase",
  294. "assembly": "System"
  295. },
  296. {
  297. "typename": "System.Drawing.Size",
  298. "assembly": "System.Drawing"
  299. },
  300. {
  301. "typename": "System.Drawing.SizeF",
  302. "assembly": "System.Drawing"
  303. },
  304. {
  305. "typename": "System.Windows.Forms.Application",
  306. "assembly": "System.Windows.Forms"
  307. },
  308. {
  309. "typename": "System.Windows.Forms.AutoScaleMode",
  310. "assembly": "System.Windows.Forms"
  311. },
  312. {
  313. "typename": "System.Windows.Forms.ContainerControl",
  314. "assembly": "System.Windows.Forms"
  315. },
  316. {
  317. "typename": "System.Windows.Forms.Control",
  318. "assembly": "System.Windows.Forms"
  319. },
  320. {
  321. "typename": "System.Windows.Forms.Form",
  322. "assembly": "System.Windows.Forms"
  323. },
  324. {
  325. "typename": "System.Activator",
  326. "assembly": "mscorlib"
  327. },
  328. {
  329. "typename": "System.AppDomain",
  330. "assembly": "mscorlib"
  331. },
  332. {
  333. "typename": "System.ArgumentException",
  334. "assembly": "mscorlib"
  335. },
  336. {
  337. "typename": "System.Boolean",
  338. "assembly": "mscorlib"
  339. },
  340. {
  341. "typename": "System.Byte",
  342. "assembly": "mscorlib"
  343. },
  344. {
  345. "typename": "System.Collections.Generic.List`1",
  346. "assembly": "mscorlib"
  347. },
  348. {
  349. "typename": "System.Collections.Hashtable",
  350. "assembly": "mscorlib"
  351. },
  352. {
  353. "typename": "System.Convert",
  354. "assembly": "mscorlib"
  355. },
  356. {
  357. "typename": "System.Diagnostics.DebuggableAttribute",
  358. "assembly": "mscorlib"
  359. },
  360. {
  361. "typename": "System.Diagnostics.DebuggableAttribute/DebuggingModes",
  362. "assembly": "mscorlib"
  363. },
  364. {
  365. "typename": "System.Diagnostics.DebuggerHiddenAttribute",
  366. "assembly": "mscorlib"
  367. },
  368. {
  369. "typename": "System.Diagnostics.DebuggerNonUserCodeAttribute",
  370. "assembly": "mscorlib"
  371. },
  372. {
  373. "typename": "System.Diagnostics.DebuggerStepThroughAttribute",
  374. "assembly": "mscorlib"
  375. },
  376. {
  377. "typename": "System.Double",
  378. "assembly": "mscorlib"
  379. },
  380. {
  381. "typename": "System.EventArgs",
  382. "assembly": "mscorlib"
  383. },
  384. {
  385. "typename": "System.EventHandler",
  386. "assembly": "mscorlib"
  387. },
  388. {
  389. "typename": "System.Exception",
  390. "assembly": "mscorlib"
  391. },
  392. {
  393. "typename": "System.Globalization.CultureInfo",
  394. "assembly": "mscorlib"
  395. },
  396. {
  397. "typename": "System.IDisposable",
  398. "assembly": "mscorlib"
  399. },
  400. {
  401. "typename": "System.Int32",
  402. "assembly": "mscorlib"
  403. },
  404. {
  405. "typename": "System.IntPtr",
  406. "assembly": "mscorlib"
  407. },
  408. {
  409. "typename": "System.InvalidOperationException",
  410. "assembly": "mscorlib"
  411. },
  412. {
  413. "typename": "System.Object",
  414. "assembly": "mscorlib"
  415. },
  416. {
  417. "typename": "System.Reflection.Assembly",
  418. "assembly": "mscorlib"
  419. },
  420. {
  421. "typename": "System.Reflection.AssemblyCompanyAttribute",
  422. "assembly": "mscorlib"
  423. },
  424. {
  425. "typename": "System.Reflection.AssemblyCopyrightAttribute",
  426. "assembly": "mscorlib"
  427. },
  428. {
  429. "typename": "System.Reflection.AssemblyDescriptionAttribute",
  430. "assembly": "mscorlib"
  431. },
  432. {
  433. "typename": "System.Reflection.AssemblyFileVersionAttribute",
  434. "assembly": "mscorlib"
  435. },
  436. {
  437. "typename": "System.Reflection.AssemblyProductAttribute",
  438. "assembly": "mscorlib"
  439. },
  440. {
  441. "typename": "System.Reflection.AssemblyTitleAttribute",
  442. "assembly": "mscorlib"
  443. },
  444. {
  445. "typename": "System.Reflection.AssemblyTrademarkAttribute",
  446. "assembly": "mscorlib"
  447. },
  448. {
  449. "typename": "System.Reflection.TargetInvocationException",
  450. "assembly": "mscorlib"
  451. },
  452. {
  453. "typename": "System.Resources.ResourceManager",
  454. "assembly": "mscorlib"
  455. },
  456. {
  457. "typename": "System.Runtime.CompilerServices.CompilationRelaxationsAttribute",
  458. "assembly": "mscorlib"
  459. },
  460. {
  461. "typename": "System.Runtime.CompilerServices.CompilerGeneratedAttribute",
  462. "assembly": "mscorlib"
  463. },
  464. {
  465. "typename": "System.Runtime.CompilerServices.RuntimeCompatibilityAttribute",
  466. "assembly": "mscorlib"
  467. },
  468. {
  469. "typename": "System.Runtime.CompilerServices.RuntimeHelpers",
  470. "assembly": "mscorlib"
  471. },
  472. {
  473. "typename": "System.Runtime.InteropServices.ComVisibleAttribute",
  474. "assembly": "mscorlib"
  475. },
  476. {
  477. "typename": "System.Runtime.InteropServices.GuidAttribute",
  478. "assembly": "mscorlib"
  479. },
  480. {
  481. "typename": "System.RuntimeTypeHandle",
  482. "assembly": "mscorlib"
  483. },
  484. {
  485. "typename": "System.STAThreadAttribute",
  486. "assembly": "mscorlib"
  487. },
  488. {
  489. "typename": "System.Security.Cryptography.CipherMode",
  490. "assembly": "mscorlib"
  491. },
  492. {
  493. "typename": "System.Security.Cryptography.HashAlgorithm",
  494. "assembly": "mscorlib"
  495. },
  496. {
  497. "typename": "System.Security.Cryptography.ICryptoTransform",
  498. "assembly": "mscorlib"
  499. },
  500. {
  501. "typename": "System.Security.Cryptography.MD5CryptoServiceProvider",
  502. "assembly": "mscorlib"
  503. },
  504. {
  505. "typename": "System.Security.Cryptography.PaddingMode",
  506. "assembly": "mscorlib"
  507. },
  508. {
  509. "typename": "System.Security.Cryptography.SymmetricAlgorithm",
  510. "assembly": "mscorlib"
  511. },
  512. {
  513. "typename": "System.Security.Cryptography.TripleDES",
  514. "assembly": "mscorlib"
  515. },
  516. {
  517. "typename": "System.Security.Cryptography.TripleDESCryptoServiceProvider",
  518. "assembly": "mscorlib"
  519. },
  520. {
  521. "typename": "System.Single",
  522. "assembly": "mscorlib"
  523. },
  524. {
  525. "typename": "System.String",
  526. "assembly": "mscorlib"
  527. },
  528. {
  529. "typename": "System.Text.Encoding",
  530. "assembly": "mscorlib"
  531. },
  532. {
  533. "typename": "System.ThreadStaticAttribute",
  534. "assembly": "mscorlib"
  535. },
  536. {
  537. "typename": "System.Threading.Monitor",
  538. "assembly": "mscorlib"
  539. },
  540. {
  541. "typename": "System.Type",
  542. "assembly": "mscorlib"
  543. },
  544. {
  545. "typename": "System.Void",
  546. "assembly": "mscorlib"
  547. },
  548. {
  549. "typename": "System.WeakReference",
  550. "assembly": "mscorlib"
  551. }
  552. ]
  553. },
  554. "pe": {
  555. "peid_signatures": null,
  556. "imports": [
  557. {
  558. "imports": [
  559. {
  560. "name": "_CorExeMain",
  561. "address": "0x402000"
  562. }
  563. ],
  564. "dll": "mscoree.dll"
  565. }
  566. ],
  567. "digital_signers": null,
  568. "exported_dll_name": null,
  569. "actual_checksum": "0x00018eac",
  570. "overlay": null,
  571. "imagebase": "0x00400000",
  572. "reported_checksum": "0x00000000",
  573. "icon_hash": null,
  574. "entrypoint": "0x004157ce",
  575. "timestamp": "2019-01-28 04:04:03",
  576. "osversion": "4.0",
  577. "sections": [
  578. {
  579. "name": ".text",
  580. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  581. "virtual_address": "0x00002000",
  582. "size_of_data": "0x00013800",
  583. "entropy": "4.61",
  584. "raw_address": "0x00000200",
  585. "virtual_size": "0x000137d4",
  586. "characteristics_raw": "0x60000020"
  587. },
  588. {
  589. "name": ".rsrc",
  590. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  591. "virtual_address": "0x00016000",
  592. "size_of_data": "0x00000c00",
  593. "entropy": "3.71",
  594. "raw_address": "0x00013a00",
  595. "virtual_size": "0x00000a90",
  596. "characteristics_raw": "0x40000040"
  597. },
  598. {
  599. "name": ".reloc",
  600. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  601. "virtual_address": "0x00018000",
  602. "size_of_data": "0x00000200",
  603. "entropy": "0.10",
  604. "raw_address": "0x00014600",
  605. "virtual_size": "0x0000000c",
  606. "characteristics_raw": "0x42000040"
  607. }
  608. ],
  609. "resources": [],
  610. "dirents": [
  611. {
  612. "virtual_address": "0x00000000",
  613. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  614. "size": "0x00000000"
  615. },
  616. {
  617. "virtual_address": "0x00015780",
  618. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  619. "size": "0x0000004b"
  620. },
  621. {
  622. "virtual_address": "0x00016000",
  623. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  624. "size": "0x00000a90"
  625. },
  626. {
  627. "virtual_address": "0x00000000",
  628. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  629. "size": "0x00000000"
  630. },
  631. {
  632. "virtual_address": "0x00000000",
  633. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  634. "size": "0x00000000"
  635. },
  636. {
  637. "virtual_address": "0x00018000",
  638. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  639. "size": "0x0000000c"
  640. },
  641. {
  642. "virtual_address": "0x00000000",
  643. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  644. "size": "0x00000000"
  645. },
  646. {
  647. "virtual_address": "0x00000000",
  648. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  649. "size": "0x00000000"
  650. },
  651. {
  652. "virtual_address": "0x00000000",
  653. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  654. "size": "0x00000000"
  655. },
  656. {
  657. "virtual_address": "0x00000000",
  658. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  659. "size": "0x00000000"
  660. },
  661. {
  662. "virtual_address": "0x00000000",
  663. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  664. "size": "0x00000000"
  665. },
  666. {
  667. "virtual_address": "0x00000000",
  668. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  669. "size": "0x00000000"
  670. },
  671. {
  672. "virtual_address": "0x00002000",
  673. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  674. "size": "0x00000008"
  675. },
  676. {
  677. "virtual_address": "0x00000000",
  678. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  679. "size": "0x00000000"
  680. },
  681. {
  682. "virtual_address": "0x00002008",
  683. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  684. "size": "0x00000048"
  685. },
  686. {
  687. "virtual_address": "0x00000000",
  688. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  689. "size": "0x00000000"
  690. }
  691. ],
  692. "exports": [],
  693. "guest_signers": {},
  694. "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
  695. "icon_fuzzy": null,
  696. "icon": null,
  697. "pdbpath": null,
  698. "imported_dll_count": 1,
  699. "versioninfo": []
  700. }
  701. }
  702.  
  703. [*] Resolved APIs: [
  704. "advapi32.dll.RegOpenKeyExW",
  705. "advapi32.dll.RegQueryInfoKeyW",
  706. "advapi32.dll.RegEnumKeyExW",
  707. "advapi32.dll.RegEnumValueW",
  708. "advapi32.dll.RegCloseKey",
  709. "advapi32.dll.RegQueryValueExW",
  710. "kernel32.dll.QueryActCtxW",
  711. "shlwapi.dll.UrlIsW",
  712. "kernel32.dll.FlsAlloc",
  713. "kernel32.dll.FlsGetValue",
  714. "kernel32.dll.FlsSetValue",
  715. "kernel32.dll.FlsFree",
  716. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  717. "kernel32.dll.IsProcessorFeaturePresent",
  718. "msvcrt.dll._set_error_mode",
  719. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  720. "kernel32.dll.FindActCtxSectionStringW",
  721. "kernel32.dll.GetSystemWindowsDirectoryW",
  722. "mscoree.dll.GetProcessExecutableHeap",
  723. "mscorwks.dll._CorExeMain",
  724. "mscorwks.dll.GetCLRFunction",
  725. "advapi32.dll.RegisterTraceGuidsW",
  726. "advapi32.dll.UnregisterTraceGuids",
  727. "advapi32.dll.GetTraceLoggerHandle",
  728. "advapi32.dll.GetTraceEnableLevel",
  729. "advapi32.dll.GetTraceEnableFlags",
  730. "advapi32.dll.TraceEvent",
  731. "mscoree.dll.IEE",
  732. "mscorwks.dll.IEE",
  733. "mscoree.dll.GetStartupFlags",
  734. "mscoree.dll.GetHostConfigurationFile",
  735. "mscoree.dll.GetCORSystemDirectory",
  736. "ntdll.dll.RtlUnwind",
  737. "kernel32.dll.IsWow64Process",
  738. "advapi32.dll.AllocateAndInitializeSid",
  739. "advapi32.dll.OpenProcessToken",
  740. "advapi32.dll.GetTokenInformation",
  741. "advapi32.dll.InitializeAcl",
  742. "advapi32.dll.AddAccessAllowedAce",
  743. "advapi32.dll.FreeSid",
  744. "kernel32.dll.SetThreadStackGuarantee",
  745. "kernel32.dll.AddVectoredContinueHandler",
  746. "kernel32.dll.RemoveVectoredContinueHandler",
  747. "advapi32.dll.ConvertSidToStringSidW",
  748. "shell32.dll.SHGetFolderPathW",
  749. "kernel32.dll.FlushProcessWriteBuffers",
  750. "kernel32.dll.GetWriteWatch",
  751. "kernel32.dll.ResetWriteWatch",
  752. "kernel32.dll.CreateMemoryResourceNotification",
  753. "kernel32.dll.QueryMemoryResourceNotification",
  754. "ole32.dll.CoInitializeEx",
  755. "cryptbase.dll.SystemFunction036",
  756. "uxtheme.dll.ThemeInitApiHook",
  757. "user32.dll.IsProcessDPIAware",
  758. "ole32.dll.CoGetContextToken",
  759. "kernel32.dll.GetFullPathNameW",
  760. "kernel32.dll.GetVersionExW",
  761. "advapi32.dll.CryptAcquireContextA",
  762. "advapi32.dll.CryptReleaseContext",
  763. "advapi32.dll.CryptCreateHash",
  764. "advapi32.dll.CryptDestroyHash",
  765. "advapi32.dll.CryptHashData",
  766. "advapi32.dll.CryptGetHashParam",
  767. "advapi32.dll.CryptImportKey",
  768. "advapi32.dll.CryptExportKey",
  769. "advapi32.dll.CryptGenKey",
  770. "advapi32.dll.CryptGetKeyParam",
  771. "advapi32.dll.CryptDestroyKey",
  772. "advapi32.dll.CryptVerifySignatureA",
  773. "advapi32.dll.CryptSignHashA",
  774. "advapi32.dll.CryptGetProvParam",
  775. "advapi32.dll.CryptGetUserKey",
  776. "advapi32.dll.CryptEnumProvidersA",
  777. "mscoree.dll.GetMetaDataInternalInterface",
  778. "mscorwks.dll.GetMetaDataInternalInterface",
  779. "mscorjit.dll.getJit",
  780. "user32.dll.RegisterWindowMessageW",
  781. "kernel32.dll.CloseHandle",
  782. "kernel32.dll.GetCurrentProcess",
  783. "kernel32.dll.GetCurrentThread",
  784. "kernel32.dll.DuplicateHandle",
  785. "kernel32.dll.GetCurrentThreadId",
  786. "user32.dll.GetSystemMetrics",
  787. "kernel32.dll.lstrlen",
  788. "kernel32.dll.lstrlenW",
  789. "kernel32.dll.GetModuleHandleW",
  790. "kernel32.dll.GetProcAddress",
  791. "user32.dll.DefWindowProcW",
  792. "gdi32.dll.GetStockObject",
  793. "kernel32.dll.GetUserDefaultUILanguage",
  794. "user32.dll.RegisterClassW",
  795. "ole32.dll.CoTaskMemAlloc",
  796. "ole32.dll.CoTaskMemFree",
  797. "user32.dll.CreateWindowExW",
  798. "user32.dll.SetWindowLongW",
  799. "user32.dll.GetWindowLongW",
  800. "user32.dll.CallWindowProcW",
  801. "user32.dll.GetClientRect",
  802. "user32.dll.GetWindowRect",
  803. "user32.dll.GetParent",
  804. "uxtheme.dll.IsAppThemed",
  805. "kernel32.dll.CreateActCtxA",
  806. "user32.dll.AdjustWindowRectEx",
  807. "gdi32.dll.CreateCompatibleDC",
  808. "kernel32.dll.GetSystemDefaultLCID",
  809. "gdi32.dll.GetObjectW",
  810. "user32.dll.GetDC",
  811. "kernel32.dll.GetCurrentProcessId",
  812. "kernel32.dll.FindAtomW",
  813. "kernel32.dll.AddAtomW",
  814. "mscoree.dll.LoadLibraryShim",
  815. "gdiplus.dll.GdiplusStartup",
  816. "user32.dll.GetWindowInfo",
  817. "user32.dll.GetAncestor",
  818. "user32.dll.GetMonitorInfoA",
  819. "user32.dll.EnumDisplayMonitors",
  820. "user32.dll.EnumDisplayDevicesA",
  821. "gdi32.dll.ExtTextOutW",
  822. "gdi32.dll.GdiIsMetaPrintDC",
  823. "gdiplus.dll.GdipCreateFontFromLogfontW",
  824. "kernel32.dll.RegOpenKeyExW",
  825. "kernel32.dll.RegQueryInfoKeyA",
  826. "kernel32.dll.RegCloseKey",
  827. "kernel32.dll.RegCreateKeyExW",
  828. "kernel32.dll.RegQueryValueExW",
  829. "kernel32.dll.RegEnumValueW",
  830. "kernel32.dll.RegQueryInfoKeyW",
  831. "mscoree.dll.ND_RI2",
  832. "mscoree.dll.ND_RU1",
  833. "gdiplus.dll.GdipGetFontUnit",
  834. "gdiplus.dll.GdipGetFontSize",
  835. "gdiplus.dll.GdipGetFontStyle",
  836. "gdiplus.dll.GdipGetFamily",
  837. "user32.dll.ReleaseDC",
  838. "gdiplus.dll.GdipCreateFromHDC",
  839. "gdiplus.dll.GdipGetDpiY",
  840. "gdiplus.dll.GdipGetFontHeight",
  841. "gdiplus.dll.GdipGetEmHeight",
  842. "gdiplus.dll.GdipGetLineSpacing",
  843. "gdiplus.dll.GdipDeleteGraphics",
  844. "gdiplus.dll.GdipCreateFont",
  845. "gdiplus.dll.GdipDeleteFont",
  846. "gdiplus.dll.GdipGetLogFontW",
  847. "mscoree.dll.ND_WU1",
  848. "gdi32.dll.CreateFontIndirectW",
  849. "gdi32.dll.SelectObject",
  850. "gdi32.dll.GetTextMetricsW",
  851. "gdi32.dll.GetTextExtentPoint32W",
  852. "gdi32.dll.DeleteDC",
  853. "kernel32.dll.GetCurrentActCtx",
  854. "kernel32.dll.ActivateActCtx",
  855. "dwmapi.dll.DwmIsCompositionEnabled",
  856. "user32.dll.SetWindowTextW",
  857. "user32.dll.GetProcessWindowStation",
  858. "user32.dll.GetUserObjectInformationA",
  859. "kernel32.dll.SetConsoleCtrlHandler",
  860. "user32.dll.GetClassInfoW",
  861. "kernel32.dll.GetStartupInfoW",
  862. "gdi32.dll.GetDeviceCaps",
  863. "user32.dll.CreateIconFromResourceEx",
  864. "user32.dll.SendMessageW",
  865. "gdi32.dll.GetLayout",
  866. "gdi32.dll.GdiRealizationInfo",
  867. "gdi32.dll.FontIsLinked",
  868. "gdi32.dll.GetTextFaceAliasW",
  869. "gdi32.dll.GetFontAssocStatus",
  870. "advapi32.dll.RegQueryValueExA",
  871. "user32.dll.GetSystemMenu",
  872. "user32.dll.GetWindowPlacement",
  873. "user32.dll.EnableMenuItem",
  874. "user32.dll.GetWindowTextLengthW",
  875. "user32.dll.GetWindowTextW",
  876. "user32.dll.SetWindowPos",
  877. "user32.dll.RedrawWindow",
  878. "user32.dll.ShowWindow",
  879. "user32.dll.GetFocus",
  880. "user32.dll.EnumThreadWindows",
  881. "user32.dll.DestroyWindow",
  882. "user32.dll.SetLayeredWindowAttributes",
  883. "kernel32.dll.SwitchToThread",
  884. "bcrypt.dll.BCryptGetFipsAlgorithmMode",
  885. "cryptsp.dll.CryptAcquireContextW",
  886. "cryptsp.dll.CryptCreateHash",
  887. "cryptsp.dll.CryptHashData",
  888. "cryptsp.dll.CryptGetHashParam",
  889. "cryptsp.dll.CryptDestroyHash",
  890. "cryptsp.dll.CryptGetProvParam",
  891. "cryptsp.dll.CryptGenRandom",
  892. "cryptsp.dll.CryptImportKey",
  893. "cryptsp.dll.CryptSetKeyParam",
  894. "cryptsp.dll.CryptDecrypt",
  895. "cryptsp.dll.CryptEncrypt",
  896. "advapi32.dll.RegSetValueExW",
  897. "kernel32.dll.ReleaseMutex",
  898. "kernel32.dll.CreateMutexW",
  899. "kernel32.dll.GetEnvironmentVariableW",
  900. "kernel32.dll.SetErrorMode",
  901. "kernel32.dll.GetFileAttributesExW",
  902. "kernel32.dll.CreateFileW",
  903. "kernel32.dll.GetFileType",
  904. "kernel32.dll.GetFileSize",
  905. "kernel32.dll.ReadFile",
  906. "kernel32.dll.WriteFile",
  907. "kernel32.dll.LocalAlloc",
  908. "kernel32.dll.RtlMoveMemory",
  909. "shell32.dll.ShellExecuteEx",
  910. "shell32.dll.ShellExecuteExW",
  911. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  912. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  913. "comctl32.dll.#386",
  914. "kernel32.dll.LocalFree",
  915. "ole32.dll.CoWaitForMultipleHandles",
  916. "sechost.dll.LookupAccountNameLocalW",
  917. "user32.dll.SetClassLongW",
  918. "user32.dll.PostMessageW",
  919. "user32.dll.UnregisterClassW",
  920. "kernel32.dll.DeleteAtom",
  921. "user32.dll.IsWindow",
  922. "user32.dll.DestroyIcon",
  923. "gdi32.dll.DeleteObject",
  924. "cryptsp.dll.CryptDestroyKey",
  925. "cryptsp.dll.CryptReleaseContext",
  926. "advapi32.dll.LookupAccountSidW",
  927. "sechost.dll.LookupAccountSidLocalW",
  928. "ole32.dll.NdrOleInitializeExtension",
  929. "ole32.dll.CoGetClassObject",
  930. "ole32.dll.CoGetMarshalSizeMax",
  931. "ole32.dll.CoMarshalInterface",
  932. "ole32.dll.CoUnmarshalInterface",
  933. "ole32.dll.StringFromIID",
  934. "ole32.dll.CoGetPSClsid",
  935. "ole32.dll.CoCreateInstance",
  936. "ole32.dll.CoReleaseMarshalData",
  937. "ole32.dll.DcomChannelSetHResult",
  938. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  939. "comctl32.dll.#321",
  940. "kernel32.dll.CreateActCtxW",
  941. "kernel32.dll.AddRefActCtx",
  942. "kernel32.dll.ReleaseActCtx",
  943. "kernel32.dll.DeactivateActCtx",
  944. "user32.dll.SendMessageTimeoutA",
  945. "user32.dll.SystemParametersInfoW",
  946. "kernel32.dll.lstrcpy",
  947. "kernel32.dll.lstrcpyW",
  948. "kernel32.dll.CreateProcessW",
  949. "kernel32.dll.WaitForSingleObject",
  950. "shfolder.dll.SHGetFolderPathW",
  951. "kernel32.dll.CopyFileW",
  952. "user32.dll.GetAsyncKeyState",
  953. "user32.dll.GetKeyState",
  954. "ole32.dll.OleInitialize",
  955. "ole32.dll.CoRegisterMessageFilter",
  956. "user32.dll.PeekMessageW",
  957. "user32.dll.IsWindowUnicode",
  958. "user32.dll.GetMessageW",
  959. "user32.dll.TranslateMessage",
  960. "user32.dll.DispatchMessageW",
  961. "version.dll.GetFileVersionInfoSizeW",
  962. "version.dll.GetFileVersionInfoW",
  963. "version.dll.VerQueryValueW",
  964. "version.dll.VerLanguageNameW",
  965. "user32.dll.GetWindowThreadProcessId",
  966. "user32.dll.BeginPaint",
  967. "gdiplus.dll.GdipCreateHalftonePalette",
  968. "gdi32.dll.SelectPalette",
  969. "user32.dll.EndPaint",
  970. "ws2_32.dll.WSAStartup",
  971. "ws2_32.dll.WSASocketW",
  972. "ws2_32.dll.setsockopt",
  973. "ws2_32.dll.WSAEventSelect",
  974. "ws2_32.dll.ioctlsocket",
  975. "ws2_32.dll.closesocket",
  976. "kernel32.dll.GetComputerNameW",
  977. "advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  978. "kernel32.dll.CreateFileMappingW",
  979. "kernel32.dll.MapViewOfFile",
  980. "kernel32.dll.UnmapViewOfFile",
  981. "kernel32.dll.VirtualQuery",
  982. "advapi32.dll.CreateWellKnownSid",
  983. "kernel32.dll.OpenMutexW",
  984. "kernel32.dll.OpenProcess",
  985. "kernel32.dll.GetProcessTimes",
  986. "ws2_32.dll.getaddrinfo",
  987. "ws2_32.dll.freeaddrinfo",
  988. "kernel32.dll.FormatMessageW",
  989. "user32.dll.GetKeyboardState",
  990. "user32.dll.MapVirtualKeyA",
  991. "user32.dll.GetForegroundWindow",
  992. "user32.dll.GetKeyboardLayout",
  993. "user32.dll.ToUnicodeEx",
  994. "ws2_32.dll.shutdown",
  995. "advapi32.dll.LookupPrivilegeValueW",
  996. "advapi32.dll.AdjustTokenPrivileges",
  997. "kernel32.dll.GetExitCodeProcess",
  998. "kernel32.dll.GetProcessWorkingSetSize",
  999. "kernel32.dll.SetProcessWorkingSetSize",
  1000. "user32.dll.GetWindowTextLengthA",
  1001. "user32.dll.GetWindowTextA",
  1002. "advapi32.dll.RegCreateKeyExW",
  1003. "rasmontr.dll.InitHelperDll",
  1004. "nshwfp.dll.InitHelperDll",
  1005. "dhcpcmonitor.dll.InitHelperDll",
  1006. "wshelper.dll.InitHelperDll",
  1007. "nshhttp.dll.InitHelperDll",
  1008. "fwcfg.dll.InitHelperDll",
  1009. "authfwcfg.dll.InitHelperDll",
  1010. "ifmon.dll.InitHelperDll",
  1011. "netiohlp.dll.InitHelperDll",
  1012. "whhelper.dll.InitHelperDll",
  1013. "hnetmon.dll.InitHelperDll",
  1014. "rpcnsh.dll.InitHelperDll",
  1015. "dot3cfg.dll.InitHelperDll",
  1016. "napmontr.dll.InitHelperDll",
  1017. "nshipsec.dll.InitHelperDll",
  1018. "p2pnetsh.dll.InitHelperDll",
  1019. "wlancfg.dll.InitHelperDll",
  1020. "peerdistsh.dll.InitHelperDll",
  1021. "cryptsp.dll.CryptEnumProvidersW",
  1022. "user32.dll.LoadStringW",
  1023. "sechost.dll.OpenSCManagerW",
  1024. "sechost.dll.OpenServiceW",
  1025. "sechost.dll.QueryServiceConfigW",
  1026. "sechost.dll.CloseServiceHandle",
  1027. "sechost.dll.QueryServiceStatus",
  1028. "httpapi.dll.HttpInitialize",
  1029. "userenv.dll.RegisterGPNotification",
  1030. "userenv.dll.UnregisterGPNotification",
  1031. "gpapi.dll.RegisterGPNotificationInternal",
  1032. "bcryptprimitives.dll.GetHashInterface",
  1033. "bcryptprimitives.dll.GetCipherInterface",
  1034. "kernel32.dll.SetThreadUILanguage",
  1035. "oleaut32.dll.#7",
  1036. "shlwapi.dll.PathCanonicalizeW",
  1037. "ole32.dll.CoCreateGuid",
  1038. "ole32.dll.StringFromGUID2",
  1039. "ole32.dll.CoUninitialize",
  1040. "oleaut32.dll.#500",
  1041. "httpapi.dll.HttpTerminate",
  1042. "gpapi.dll.UnregisterGPNotificationInternal",
  1043. "oleaut32.dll.#9",
  1044. "comctl32.dll.#388"
  1045. ]
  1046.  
  1047. [*] Static Analysis: {
  1048. "dotnet": {
  1049. "customattrs": null,
  1050. "assemblyinfo": {
  1051. "version": "1.0.0.0",
  1052. "name": "word"
  1053. },
  1054. "assemblyrefs": [
  1055. {
  1056. "version": "2.0.0.0",
  1057. "name": "mscorlib"
  1058. },
  1059. {
  1060. "version": "8.0.0.0",
  1061. "name": "Microsoft.VisualBasic"
  1062. },
  1063. {
  1064. "version": "2.0.0.0",
  1065. "name": "System.Windows.Forms"
  1066. },
  1067. {
  1068. "version": "2.0.0.0",
  1069. "name": "System"
  1070. },
  1071. {
  1072. "version": "2.0.0.0",
  1073. "name": "System.Drawing"
  1074. }
  1075. ],
  1076. "typerefs": [
  1077. {
  1078. "typename": "Microsoft.VisualBasic.ApplicationServices.AuthenticationMode",
  1079. "assembly": "Microsoft.VisualBasic"
  1080. },
  1081. {
  1082. "typename": "Microsoft.VisualBasic.ApplicationServices.ShutdownEventHandler",
  1083. "assembly": "Microsoft.VisualBasic"
  1084. },
  1085. {
  1086. "typename": "Microsoft.VisualBasic.ApplicationServices.ShutdownMode",
  1087. "assembly": "Microsoft.VisualBasic"
  1088. },
  1089. {
  1090. "typename": "Microsoft.VisualBasic.ApplicationServices.User",
  1091. "assembly": "Microsoft.VisualBasic"
  1092. },
  1093. {
  1094. "typename": "Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase",
  1095. "assembly": "Microsoft.VisualBasic"
  1096. },
  1097. {
  1098. "typename": "Microsoft.VisualBasic.CompilerServices.Conversions",
  1099. "assembly": "Microsoft.VisualBasic"
  1100. },
  1101. {
  1102. "typename": "Microsoft.VisualBasic.CompilerServices.DesignerGeneratedAttribute",
  1103. "assembly": "Microsoft.VisualBasic"
  1104. },
  1105. {
  1106. "typename": "Microsoft.VisualBasic.CompilerServices.NewLateBinding",
  1107. "assembly": "Microsoft.VisualBasic"
  1108. },
  1109. {
  1110. "typename": "Microsoft.VisualBasic.CompilerServices.ObjectFlowControl",
  1111. "assembly": "Microsoft.VisualBasic"
  1112. },
  1113. {
  1114. "typename": "Microsoft.VisualBasic.CompilerServices.ProjectData",
  1115. "assembly": "Microsoft.VisualBasic"
  1116. },
  1117. {
  1118. "typename": "Microsoft.VisualBasic.CompilerServices.StandardModuleAttribute",
  1119. "assembly": "Microsoft.VisualBasic"
  1120. },
  1121. {
  1122. "typename": "Microsoft.VisualBasic.CompilerServices.Utils",
  1123. "assembly": "Microsoft.VisualBasic"
  1124. },
  1125. {
  1126. "typename": "Microsoft.VisualBasic.Devices.Computer",
  1127. "assembly": "Microsoft.VisualBasic"
  1128. },
  1129. {
  1130. "typename": "Microsoft.VisualBasic.HideModuleNameAttribute",
  1131. "assembly": "Microsoft.VisualBasic"
  1132. },
  1133. {
  1134. "typename": "Microsoft.VisualBasic.MyGroupCollectionAttribute",
  1135. "assembly": "Microsoft.VisualBasic"
  1136. },
  1137. {
  1138. "typename": "Microsoft.VisualBasic.Strings",
  1139. "assembly": "Microsoft.VisualBasic"
  1140. },
  1141. {
  1142. "typename": "System.CodeDom.Compiler.GeneratedCodeAttribute",
  1143. "assembly": "System"
  1144. },
  1145. {
  1146. "typename": "System.ComponentModel.Component",
  1147. "assembly": "System"
  1148. },
  1149. {
  1150. "typename": "System.ComponentModel.Design.HelpKeywordAttribute",
  1151. "assembly": "System"
  1152. },
  1153. {
  1154. "typename": "System.ComponentModel.EditorBrowsableAttribute",
  1155. "assembly": "System"
  1156. },
  1157. {
  1158. "typename": "System.ComponentModel.EditorBrowsableState",
  1159. "assembly": "System"
  1160. },
  1161. {
  1162. "typename": "System.ComponentModel.IContainer",
  1163. "assembly": "System"
  1164. },
  1165. {
  1166. "typename": "System.Configuration.ApplicationSettingsBase",
  1167. "assembly": "System"
  1168. },
  1169. {
  1170. "typename": "System.Configuration.SettingsBase",
  1171. "assembly": "System"
  1172. },
  1173. {
  1174. "typename": "System.Drawing.Size",
  1175. "assembly": "System.Drawing"
  1176. },
  1177. {
  1178. "typename": "System.Drawing.SizeF",
  1179. "assembly": "System.Drawing"
  1180. },
  1181. {
  1182. "typename": "System.Windows.Forms.Application",
  1183. "assembly": "System.Windows.Forms"
  1184. },
  1185. {
  1186. "typename": "System.Windows.Forms.AutoScaleMode",
  1187. "assembly": "System.Windows.Forms"
  1188. },
  1189. {
  1190. "typename": "System.Windows.Forms.ContainerControl",
  1191. "assembly": "System.Windows.Forms"
  1192. },
  1193. {
  1194. "typename": "System.Windows.Forms.Control",
  1195. "assembly": "System.Windows.Forms"
  1196. },
  1197. {
  1198. "typename": "System.Windows.Forms.Form",
  1199. "assembly": "System.Windows.Forms"
  1200. },
  1201. {
  1202. "typename": "System.Activator",
  1203. "assembly": "mscorlib"
  1204. },
  1205. {
  1206. "typename": "System.AppDomain",
  1207. "assembly": "mscorlib"
  1208. },
  1209. {
  1210. "typename": "System.ArgumentException",
  1211. "assembly": "mscorlib"
  1212. },
  1213. {
  1214. "typename": "System.Boolean",
  1215. "assembly": "mscorlib"
  1216. },
  1217. {
  1218. "typename": "System.Byte",
  1219. "assembly": "mscorlib"
  1220. },
  1221. {
  1222. "typename": "System.Collections.Generic.List`1",
  1223. "assembly": "mscorlib"
  1224. },
  1225. {
  1226. "typename": "System.Collections.Hashtable",
  1227. "assembly": "mscorlib"
  1228. },
  1229. {
  1230. "typename": "System.Convert",
  1231. "assembly": "mscorlib"
  1232. },
  1233. {
  1234. "typename": "System.Diagnostics.DebuggableAttribute",
  1235. "assembly": "mscorlib"
  1236. },
  1237. {
  1238. "typename": "System.Diagnostics.DebuggableAttribute/DebuggingModes",
  1239. "assembly": "mscorlib"
  1240. },
  1241. {
  1242. "typename": "System.Diagnostics.DebuggerHiddenAttribute",
  1243. "assembly": "mscorlib"
  1244. },
  1245. {
  1246. "typename": "System.Diagnostics.DebuggerNonUserCodeAttribute",
  1247. "assembly": "mscorlib"
  1248. },
  1249. {
  1250. "typename": "System.Diagnostics.DebuggerStepThroughAttribute",
  1251. "assembly": "mscorlib"
  1252. },
  1253. {
  1254. "typename": "System.Double",
  1255. "assembly": "mscorlib"
  1256. },
  1257. {
  1258. "typename": "System.EventArgs",
  1259. "assembly": "mscorlib"
  1260. },
  1261. {
  1262. "typename": "System.EventHandler",
  1263. "assembly": "mscorlib"
  1264. },
  1265. {
  1266. "typename": "System.Exception",
  1267. "assembly": "mscorlib"
  1268. },
  1269. {
  1270. "typename": "System.Globalization.CultureInfo",
  1271. "assembly": "mscorlib"
  1272. },
  1273. {
  1274. "typename": "System.IDisposable",
  1275. "assembly": "mscorlib"
  1276. },
  1277. {
  1278. "typename": "System.Int32",
  1279. "assembly": "mscorlib"
  1280. },
  1281. {
  1282. "typename": "System.IntPtr",
  1283. "assembly": "mscorlib"
  1284. },
  1285. {
  1286. "typename": "System.InvalidOperationException",
  1287. "assembly": "mscorlib"
  1288. },
  1289. {
  1290. "typename": "System.Object",
  1291. "assembly": "mscorlib"
  1292. },
  1293. {
  1294. "typename": "System.Reflection.Assembly",
  1295. "assembly": "mscorlib"
  1296. },
  1297. {
  1298. "typename": "System.Reflection.AssemblyCompanyAttribute",
  1299. "assembly": "mscorlib"
  1300. },
  1301. {
  1302. "typename": "System.Reflection.AssemblyCopyrightAttribute",
  1303. "assembly": "mscorlib"
  1304. },
  1305. {
  1306. "typename": "System.Reflection.AssemblyDescriptionAttribute",
  1307. "assembly": "mscorlib"
  1308. },
  1309. {
  1310. "typename": "System.Reflection.AssemblyFileVersionAttribute",
  1311. "assembly": "mscorlib"
  1312. },
  1313. {
  1314. "typename": "System.Reflection.AssemblyProductAttribute",
  1315. "assembly": "mscorlib"
  1316. },
  1317. {
  1318. "typename": "System.Reflection.AssemblyTitleAttribute",
  1319. "assembly": "mscorlib"
  1320. },
  1321. {
  1322. "typename": "System.Reflection.AssemblyTrademarkAttribute",
  1323. "assembly": "mscorlib"
  1324. },
  1325. {
  1326. "typename": "System.Reflection.TargetInvocationException",
  1327. "assembly": "mscorlib"
  1328. },
  1329. {
  1330. "typename": "System.Resources.ResourceManager",
  1331. "assembly": "mscorlib"
  1332. },
  1333. {
  1334. "typename": "System.Runtime.CompilerServices.CompilationRelaxationsAttribute",
  1335. "assembly": "mscorlib"
  1336. },
  1337. {
  1338. "typename": "System.Runtime.CompilerServices.CompilerGeneratedAttribute",
  1339. "assembly": "mscorlib"
  1340. },
  1341. {
  1342. "typename": "System.Runtime.CompilerServices.RuntimeCompatibilityAttribute",
  1343. "assembly": "mscorlib"
  1344. },
  1345. {
  1346. "typename": "System.Runtime.CompilerServices.RuntimeHelpers",
  1347. "assembly": "mscorlib"
  1348. },
  1349. {
  1350. "typename": "System.Runtime.InteropServices.ComVisibleAttribute",
  1351. "assembly": "mscorlib"
  1352. },
  1353. {
  1354. "typename": "System.Runtime.InteropServices.GuidAttribute",
  1355. "assembly": "mscorlib"
  1356. },
  1357. {
  1358. "typename": "System.RuntimeTypeHandle",
  1359. "assembly": "mscorlib"
  1360. },
  1361. {
  1362. "typename": "System.STAThreadAttribute",
  1363. "assembly": "mscorlib"
  1364. },
  1365. {
  1366. "typename": "System.Security.Cryptography.CipherMode",
  1367. "assembly": "mscorlib"
  1368. },
  1369. {
  1370. "typename": "System.Security.Cryptography.HashAlgorithm",
  1371. "assembly": "mscorlib"
  1372. },
  1373. {
  1374. "typename": "System.Security.Cryptography.ICryptoTransform",
  1375. "assembly": "mscorlib"
  1376. },
  1377. {
  1378. "typename": "System.Security.Cryptography.MD5CryptoServiceProvider",
  1379. "assembly": "mscorlib"
  1380. },
  1381. {
  1382. "typename": "System.Security.Cryptography.PaddingMode",
  1383. "assembly": "mscorlib"
  1384. },
  1385. {
  1386. "typename": "System.Security.Cryptography.SymmetricAlgorithm",
  1387. "assembly": "mscorlib"
  1388. },
  1389. {
  1390. "typename": "System.Security.Cryptography.TripleDES",
  1391. "assembly": "mscorlib"
  1392. },
  1393. {
  1394. "typename": "System.Security.Cryptography.TripleDESCryptoServiceProvider",
  1395. "assembly": "mscorlib"
  1396. },
  1397. {
  1398. "typename": "System.Single",
  1399. "assembly": "mscorlib"
  1400. },
  1401. {
  1402. "typename": "System.String",
  1403. "assembly": "mscorlib"
  1404. },
  1405. {
  1406. "typename": "System.Text.Encoding",
  1407. "assembly": "mscorlib"
  1408. },
  1409. {
  1410. "typename": "System.ThreadStaticAttribute",
  1411. "assembly": "mscorlib"
  1412. },
  1413. {
  1414. "typename": "System.Threading.Monitor",
  1415. "assembly": "mscorlib"
  1416. },
  1417. {
  1418. "typename": "System.Type",
  1419. "assembly": "mscorlib"
  1420. },
  1421. {
  1422. "typename": "System.Void",
  1423. "assembly": "mscorlib"
  1424. },
  1425. {
  1426. "typename": "System.WeakReference",
  1427. "assembly": "mscorlib"
  1428. }
  1429. ]
  1430. },
  1431. "pe": {
  1432. "peid_signatures": null,
  1433. "imports": [
  1434. {
  1435. "imports": [
  1436. {
  1437. "name": "_CorExeMain",
  1438. "address": "0x402000"
  1439. }
  1440. ],
  1441. "dll": "mscoree.dll"
  1442. }
  1443. ],
  1444. "digital_signers": null,
  1445. "exported_dll_name": null,
  1446. "actual_checksum": "0x00018eac",
  1447. "overlay": null,
  1448. "imagebase": "0x00400000",
  1449. "reported_checksum": "0x00000000",
  1450. "icon_hash": null,
  1451. "entrypoint": "0x004157ce",
  1452. "timestamp": "2019-01-28 04:04:03",
  1453. "osversion": "4.0",
  1454. "sections": [
  1455. {
  1456. "name": ".text",
  1457. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1458. "virtual_address": "0x00002000",
  1459. "size_of_data": "0x00013800",
  1460. "entropy": "4.61",
  1461. "raw_address": "0x00000200",
  1462. "virtual_size": "0x000137d4",
  1463. "characteristics_raw": "0x60000020"
  1464. },
  1465. {
  1466. "name": ".rsrc",
  1467. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1468. "virtual_address": "0x00016000",
  1469. "size_of_data": "0x00000c00",
  1470. "entropy": "3.71",
  1471. "raw_address": "0x00013a00",
  1472. "virtual_size": "0x00000a90",
  1473. "characteristics_raw": "0x40000040"
  1474. },
  1475. {
  1476. "name": ".reloc",
  1477. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1478. "virtual_address": "0x00018000",
  1479. "size_of_data": "0x00000200",
  1480. "entropy": "0.10",
  1481. "raw_address": "0x00014600",
  1482. "virtual_size": "0x0000000c",
  1483. "characteristics_raw": "0x42000040"
  1484. }
  1485. ],
  1486. "resources": [],
  1487. "dirents": [
  1488. {
  1489. "virtual_address": "0x00000000",
  1490. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1491. "size": "0x00000000"
  1492. },
  1493. {
  1494. "virtual_address": "0x00015780",
  1495. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1496. "size": "0x0000004b"
  1497. },
  1498. {
  1499. "virtual_address": "0x00016000",
  1500. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1501. "size": "0x00000a90"
  1502. },
  1503. {
  1504. "virtual_address": "0x00000000",
  1505. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1506. "size": "0x00000000"
  1507. },
  1508. {
  1509. "virtual_address": "0x00000000",
  1510. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1511. "size": "0x00000000"
  1512. },
  1513. {
  1514. "virtual_address": "0x00018000",
  1515. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1516. "size": "0x0000000c"
  1517. },
  1518. {
  1519. "virtual_address": "0x00000000",
  1520. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1521. "size": "0x00000000"
  1522. },
  1523. {
  1524. "virtual_address": "0x00000000",
  1525. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1526. "size": "0x00000000"
  1527. },
  1528. {
  1529. "virtual_address": "0x00000000",
  1530. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1531. "size": "0x00000000"
  1532. },
  1533. {
  1534. "virtual_address": "0x00000000",
  1535. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1536. "size": "0x00000000"
  1537. },
  1538. {
  1539. "virtual_address": "0x00000000",
  1540. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1541. "size": "0x00000000"
  1542. },
  1543. {
  1544. "virtual_address": "0x00000000",
  1545. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1546. "size": "0x00000000"
  1547. },
  1548. {
  1549. "virtual_address": "0x00002000",
  1550. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1551. "size": "0x00000008"
  1552. },
  1553. {
  1554. "virtual_address": "0x00000000",
  1555. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1556. "size": "0x00000000"
  1557. },
  1558. {
  1559. "virtual_address": "0x00002008",
  1560. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1561. "size": "0x00000048"
  1562. },
  1563. {
  1564. "virtual_address": "0x00000000",
  1565. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1566. "size": "0x00000000"
  1567. }
  1568. ],
  1569. "exports": [],
  1570. "guest_signers": {},
  1571. "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
  1572. "icon_fuzzy": null,
  1573. "icon": null,
  1574. "pdbpath": null,
  1575. "imported_dll_count": 1,
  1576. "versioninfo": []
  1577. }
  1578. }