paladin316

Exes_d5384db2d7070b0675d3872fbd5130a8_JPG_2019-06-26_10_30.json

Jun 26th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_d5384db2d7070b0675d3872fbd5130a8.JPG"
  7. [*] File Size: 328192
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "12bce5d73f70581d648ac76c8ffa428c34c05a3a84d084818c2c774f86689d1b"
  10. [*] MD5: "d5384db2d7070b0675d3872fbd5130a8"
  11. [*] SHA1: "6e76c96282502c103e026777ba1442ec237e3038"
  12. [*] SHA512: "2231d489367de5c7713fb405cc7cb8532ae2b27b3a6d0e112e7c26ece80b3c6368bf72bcdec7423e8a4b2f4b83de8de25b99a2026e05a020ab5a435d4ae2817f"
  13. [*] CRC32: "3EB28CB0"
  14. [*] SSDEEP: "6144:B8Y5+t42g3Ylic00IEANOsgoElx+6E+pFE5EI3DlzLrF:lE4TC00IEnhH5E+pFE5EIzdd"
  15.  
  16. [*] Process Execution: [
  17. "Exes_d5384db2d7070b0675d3872fbd5130a8.JPG",
  18. "cmd.exe",
  19. "powershell.exe",
  20. "cmd.exe",
  21. "sc.exe",
  22. "cmd.exe",
  23. "sc.exe",
  24. "cmd.exe",
  25. "sc.exe",
  26. "cmd.exe",
  27. "sc.exe",
  28. "cmd.exe",
  29. "powershell.exe",
  30. "svchost.exe",
  31. "services.exe",
  32. "lsass.exe"
  33. ]
  34.  
  35. [*] Signatures Detected: [
  36. {
  37. "Description": "Creates RWX memory",
  38. "Details": []
  39. },
  40. {
  41. "Description": "Possible date expiration check, exits too soon after checking local time",
  42. "Details": [
  43. {
  44. "process": "cmd.exe, PID 2468"
  45. }
  46. ]
  47. },
  48. {
  49. "Description": "A process created a hidden window",
  50. "Details": [
  51. {
  52. "Process": "Exes_d5384db2d7070b0675d3872fbd5130a8.JPG -> cmd"
  53. },
  54. {
  55. "Process": "Exes_d5384db2d7070b0675d3872fbd5130a8.JPG -> cmd"
  56. },
  57. {
  58. "Process": "Exes_d5384db2d7070b0675d3872fbd5130a8.JPG -> cmd"
  59. }
  60. ]
  61. },
  62. {
  63. "Description": "Attempts to stop active services",
  64. "Details": [
  65. {
  66. "servicename": "WinDefend"
  67. }
  68. ]
  69. },
  70. {
  71. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  72. "Details": [
  73. {
  74. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 7172859 times"
  75. }
  76. ]
  77. },
  78. {
  79. "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process",
  80. "Details": [
  81. {
  82. "modified_name": "svchost.exe",
  83. "modified_path": "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_d5384db2d7070b0675d3872fbd5130a8.JPG",
  84. "original_name": "svchost.exe",
  85. "original_path": "C:\\Windows\\system32\\svchost.exe"
  86. }
  87. ]
  88. },
  89. {
  90. "Description": "Creates a hidden or system file",
  91. "Details": [
  92. {
  93. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF2d8ac0.TMP"
  94. }
  95. ]
  96. },
  97. {
  98. "Description": "File has been identified by 11 Antiviruses on VirusTotal as malicious",
  99. "Details": [
  100. {
  101. "APEX": "Malicious"
  102. },
  103. {
  104. "Paloalto": "generic.ml"
  105. },
  106. {
  107. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  108. },
  109. {
  110. "Endgame": "malicious (high confidence)"
  111. },
  112. {
  113. "McAfee-GW-Edition": "BehavesLike.Win32.PWSZbot.fh"
  114. },
  115. {
  116. "FireEye": "Generic.mg.d5384db2d7070b06"
  117. },
  118. {
  119. "Webroot": "W32.Trojan.Gen"
  120. },
  121. {
  122. "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
  123. },
  124. {
  125. "AVG": "FileRepMalware"
  126. },
  127. {
  128. "Avast": "FileRepMalware"
  129. },
  130. {
  131. "Qihoo-360": "HEUR/QVM41.1.1B03.Malware.Gen"
  132. }
  133. ]
  134. },
  135. {
  136. "Description": "Attempts to disable Windows Defender",
  137. "Details": []
  138. }
  139. ]
  140.  
  141. [*] Started Service: [
  142. "KeyIso"
  143. ]
  144.  
  145. [*] Executed Commands: [
  146. "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  147. "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  148. "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend",
  149. "cmd /c sc stop WinDefend",
  150. "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend",
  151. "cmd /c sc delete WinDefend",
  152. "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend",
  153. "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend",
  154. "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  155. "C:\\Windows\\system32\\svchost.exe",
  156. "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
  157. "sc stop WinDefend",
  158. "sc delete WinDefend",
  159. "C:\\Windows\\system32\\lsass.exe"
  160. ]
  161.  
  162. [*] Mutexes: [
  163. "Local\\ZoneAttributeCacheCounterMutex",
  164. "Local\\ZonesCacheCounterMutex",
  165. "Local\\ZonesLockedCacheCounterMutex",
  166. "Global\\CLR_CASOFF_MUTEX",
  167. "Global\\838B6C9EB27932960"
  168. ]
  169.  
  170. [*] Modified Files: [
  171. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000",
  172. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  173. "\\??\\PIPE\\srvsvc",
  174. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\WRQWGDBMYTMRCUSWV26C.temp",
  175. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF2d8ac0.TMP",
  176. "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  177. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\UUXBZ3GDDUYBH6EOMW6G.temp",
  178. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms"
  179. ]
  180.  
  181. [*] Deleted Files: [
  182. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF2d8ac0.TMP",
  183. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.372.2993859",
  184. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.372.2993859",
  185. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.372.2993859",
  186. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\UUXBZ3GDDUYBH6EOMW6G.temp",
  187. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2392.3015343",
  188. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2392.3015343",
  189. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2392.3015343"
  190. ]
  191.  
  192. [*] Modified Registry Keys: [
  193. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  194. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  195. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
  196. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
  197. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
  198. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring",
  199. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection",
  200. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable",
  201. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection",
  202. "DisableNotifications",
  203. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList"
  204. ]
  205.  
  206. [*] Deleted Registry Keys: [
  207. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  208. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  209. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  210. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  211. ]
  212.  
  213. [*] DNS Communications: []
  214.  
  215. [*] Domains: []
  216.  
  217. [*] Network Communication - ICMP: []
  218.  
  219. [*] Network Communication - HTTP: []
  220.  
  221. [*] Network Communication - SMTP: []
  222.  
  223. [*] Network Communication - Hosts: []
  224.  
  225. [*] Network Communication - IRC: []
  226.  
  227. [*] Static Analysis: {
  228. "pe": {
  229. "peid_signatures": null,
  230. "imports": [
  231. {
  232. "imports": [
  233. {
  234. "name": "InitCommonControlsEx",
  235. "address": "0x404008"
  236. },
  237. {
  238. "name": null,
  239. "address": "0x40400c"
  240. }
  241. ],
  242. "dll": "COMCTL32.dll"
  243. },
  244. {
  245. "imports": [
  246. {
  247. "name": "IsDebuggerPresent",
  248. "address": "0x404044"
  249. },
  250. {
  251. "name": "SetUnhandledExceptionFilter",
  252. "address": "0x404048"
  253. },
  254. {
  255. "name": "UnhandledExceptionFilter",
  256. "address": "0x40404c"
  257. },
  258. {
  259. "name": "GetCurrentProcess",
  260. "address": "0x404050"
  261. },
  262. {
  263. "name": "TerminateProcess",
  264. "address": "0x404054"
  265. },
  266. {
  267. "name": "GetStartupInfoA",
  268. "address": "0x404058"
  269. },
  270. {
  271. "name": "QueryPerformanceCounter",
  272. "address": "0x40405c"
  273. },
  274. {
  275. "name": "Sleep",
  276. "address": "0x404060"
  277. },
  278. {
  279. "name": "InterlockedExchange",
  280. "address": "0x404064"
  281. },
  282. {
  283. "name": "GetSystemTimeAsFileTime",
  284. "address": "0x404068"
  285. },
  286. {
  287. "name": "LocalFree",
  288. "address": "0x40406c"
  289. },
  290. {
  291. "name": "FormatMessageA",
  292. "address": "0x404070"
  293. },
  294. {
  295. "name": "GetLastError",
  296. "address": "0x404074"
  297. },
  298. {
  299. "name": "ReadFile",
  300. "address": "0x404078"
  301. },
  302. {
  303. "name": "GetTickCount",
  304. "address": "0x40407c"
  305. },
  306. {
  307. "name": "GetCurrentThreadId",
  308. "address": "0x404080"
  309. },
  310. {
  311. "name": "GetCurrentProcessId",
  312. "address": "0x404084"
  313. },
  314. {
  315. "name": "CreateFileMappingW",
  316. "address": "0x404088"
  317. },
  318. {
  319. "name": "MapViewOfFile",
  320. "address": "0x40408c"
  321. },
  322. {
  323. "name": "CreateFileA",
  324. "address": "0x404090"
  325. },
  326. {
  327. "name": "GetFileSize",
  328. "address": "0x404094"
  329. },
  330. {
  331. "name": "InterlockedCompareExchange",
  332. "address": "0x404098"
  333. },
  334. {
  335. "name": "CloseHandle",
  336. "address": "0x40409c"
  337. }
  338. ],
  339. "dll": "KERNEL32.dll"
  340. },
  341. {
  342. "imports": [
  343. {
  344. "name": "ShowCursor",
  345. "address": "0x40413c"
  346. },
  347. {
  348. "name": "SetCursor",
  349. "address": "0x404140"
  350. },
  351. {
  352. "name": "LoadCursorA",
  353. "address": "0x404144"
  354. },
  355. {
  356. "name": "InvalidateRect",
  357. "address": "0x404148"
  358. },
  359. {
  360. "name": "MoveWindow",
  361. "address": "0x40414c"
  362. },
  363. {
  364. "name": "SetWindowTextA",
  365. "address": "0x404150"
  366. },
  367. {
  368. "name": "SendMessageA",
  369. "address": "0x404154"
  370. },
  371. {
  372. "name": "GetSystemMetrics",
  373. "address": "0x404158"
  374. },
  375. {
  376. "name": "CreateWindowExA",
  377. "address": "0x40415c"
  378. },
  379. {
  380. "name": "GetWindowLongA",
  381. "address": "0x404160"
  382. },
  383. {
  384. "name": "PostQuitMessage",
  385. "address": "0x404164"
  386. },
  387. {
  388. "name": "RegisterClassA",
  389. "address": "0x404168"
  390. },
  391. {
  392. "name": "LoadIconA",
  393. "address": "0x40416c"
  394. },
  395. {
  396. "name": "ShowWindow",
  397. "address": "0x404170"
  398. },
  399. {
  400. "name": "TranslateMessage",
  401. "address": "0x404174"
  402. },
  403. {
  404. "name": "GetMessageA",
  405. "address": "0x404178"
  406. },
  407. {
  408. "name": "GetDC",
  409. "address": "0x40417c"
  410. },
  411. {
  412. "name": "CreateMenu",
  413. "address": "0x404180"
  414. },
  415. {
  416. "name": "AppendMenuA",
  417. "address": "0x404184"
  418. },
  419. {
  420. "name": "SetMenu",
  421. "address": "0x404188"
  422. },
  423. {
  424. "name": "SetScrollInfo",
  425. "address": "0x40418c"
  426. },
  427. {
  428. "name": "UpdateWindow",
  429. "address": "0x404190"
  430. },
  431. {
  432. "name": "BeginPaint",
  433. "address": "0x404194"
  434. },
  435. {
  436. "name": "GetClientRect",
  437. "address": "0x404198"
  438. },
  439. {
  440. "name": "FillRect",
  441. "address": "0x40419c"
  442. },
  443. {
  444. "name": "EndPaint",
  445. "address": "0x4041a0"
  446. },
  447. {
  448. "name": "ScrollWindowEx",
  449. "address": "0x4041a4"
  450. },
  451. {
  452. "name": "DefWindowProcA",
  453. "address": "0x4041a8"
  454. },
  455. {
  456. "name": "MessageBoxA",
  457. "address": "0x4041ac"
  458. },
  459. {
  460. "name": "DispatchMessageA",
  461. "address": "0x4041b0"
  462. }
  463. ],
  464. "dll": "USER32.dll"
  465. },
  466. {
  467. "imports": [
  468. {
  469. "name": "BitBlt",
  470. "address": "0x40401c"
  471. },
  472. {
  473. "name": "CreateSolidBrush",
  474. "address": "0x404020"
  475. },
  476. {
  477. "name": "SetDIBitsToDevice",
  478. "address": "0x404024"
  479. },
  480. {
  481. "name": "SelectObject",
  482. "address": "0x404028"
  483. },
  484. {
  485. "name": "CreateCompatibleBitmap",
  486. "address": "0x40402c"
  487. },
  488. {
  489. "name": "CreateCompatibleDC",
  490. "address": "0x404030"
  491. },
  492. {
  493. "name": "DeleteDC",
  494. "address": "0x404034"
  495. },
  496. {
  497. "name": "GetStockObject",
  498. "address": "0x404038"
  499. },
  500. {
  501. "name": "DeleteObject",
  502. "address": "0x40403c"
  503. }
  504. ],
  505. "dll": "GDI32.dll"
  506. },
  507. {
  508. "imports": [
  509. {
  510. "name": "GetOpenFileNameA",
  511. "address": "0x404014"
  512. }
  513. ],
  514. "dll": "COMDLG32.dll"
  515. },
  516. {
  517. "imports": [
  518. {
  519. "name": "CryptAcquireContextA",
  520. "address": "0x404000"
  521. }
  522. ],
  523. "dll": "ADVAPI32.dll"
  524. },
  525. {
  526. "imports": [
  527. {
  528. "name": "??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
  529. "address": "0x4040a4"
  530. },
  531. {
  532. "name": "??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
  533. "address": "0x4040a8"
  534. },
  535. {
  536. "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z",
  537. "address": "0x4040ac"
  538. },
  539. {
  540. "name": "??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z",
  541. "address": "0x4040b0"
  542. },
  543. {
  544. "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z",
  545. "address": "0x4040b4"
  546. }
  547. ],
  548. "dll": "MSVCP90.dll"
  549. },
  550. {
  551. "imports": [
  552. {
  553. "name": "_lock",
  554. "address": "0x4040bc"
  555. },
  556. {
  557. "name": "__dllonexit",
  558. "address": "0x4040c0"
  559. },
  560. {
  561. "name": "_unlock",
  562. "address": "0x4040c4"
  563. },
  564. {
  565. "name": "?terminate@@YAXXZ",
  566. "address": "0x4040c8"
  567. },
  568. {
  569. "name": "_crt_debugger_hook",
  570. "address": "0x4040cc"
  571. },
  572. {
  573. "name": "_onexit",
  574. "address": "0x4040d0"
  575. },
  576. {
  577. "name": "__set_app_type",
  578. "address": "0x4040d4"
  579. },
  580. {
  581. "name": "_encode_pointer",
  582. "address": "0x4040d8"
  583. },
  584. {
  585. "name": "__p__fmode",
  586. "address": "0x4040dc"
  587. },
  588. {
  589. "name": "__p__commode",
  590. "address": "0x4040e0"
  591. },
  592. {
  593. "name": "_adjust_fdiv",
  594. "address": "0x4040e4"
  595. },
  596. {
  597. "name": "__setusermatherr",
  598. "address": "0x4040e8"
  599. },
  600. {
  601. "name": "_decode_pointer",
  602. "address": "0x4040ec"
  603. },
  604. {
  605. "name": "_except_handler4_common",
  606. "address": "0x4040f0"
  607. },
  608. {
  609. "name": "_invoke_watson",
  610. "address": "0x4040f4"
  611. },
  612. {
  613. "name": "_controlfp_s",
  614. "address": "0x4040f8"
  615. },
  616. {
  617. "name": "malloc",
  618. "address": "0x4040fc"
  619. },
  620. {
  621. "name": "free",
  622. "address": "0x404100"
  623. },
  624. {
  625. "name": "sprintf",
  626. "address": "0x404104"
  627. },
  628. {
  629. "name": "__CxxFrameHandler3",
  630. "address": "0x404108"
  631. },
  632. {
  633. "name": "_amsg_exit",
  634. "address": "0x40410c"
  635. },
  636. {
  637. "name": "__getmainargs",
  638. "address": "0x404110"
  639. },
  640. {
  641. "name": "_cexit",
  642. "address": "0x404114"
  643. },
  644. {
  645. "name": "_exit",
  646. "address": "0x404118"
  647. },
  648. {
  649. "name": "_XcptFilter",
  650. "address": "0x40411c"
  651. },
  652. {
  653. "name": "_ismbblead",
  654. "address": "0x404120"
  655. },
  656. {
  657. "name": "exit",
  658. "address": "0x404124"
  659. },
  660. {
  661. "name": "_acmdln",
  662. "address": "0x404128"
  663. },
  664. {
  665. "name": "_initterm",
  666. "address": "0x40412c"
  667. },
  668. {
  669. "name": "_initterm_e",
  670. "address": "0x404130"
  671. },
  672. {
  673. "name": "_configthreadlocale",
  674. "address": "0x404134"
  675. }
  676. ],
  677. "dll": "MSVCR90.dll"
  678. }
  679. ],
  680. "digital_signers": null,
  681. "exported_dll_name": null,
  682. "actual_checksum": "0x00057a06",
  683. "overlay": null,
  684. "imagebase": "0x00400000",
  685. "reported_checksum": "0x00057a06",
  686. "icon_hash": null,
  687. "entrypoint": "0x00402a57",
  688. "timestamp": "2019-06-25 13:41:15",
  689. "osversion": "5.0",
  690. "sections": [
  691. {
  692. "name": ".text",
  693. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  694. "virtual_address": "0x00001000",
  695. "size_of_data": "0x00002200",
  696. "entropy": "6.20",
  697. "raw_address": "0x00000400",
  698. "virtual_size": "0x00002164",
  699. "characteristics_raw": "0x60000020"
  700. },
  701. {
  702. "name": ".rdata",
  703. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  704. "virtual_address": "0x00004000",
  705. "size_of_data": "0x00039e00",
  706. "entropy": "6.06",
  707. "raw_address": "0x00002600",
  708. "virtual_size": "0x00039c8e",
  709. "characteristics_raw": "0x40000040"
  710. },
  711. {
  712. "name": ".data",
  713. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  714. "virtual_address": "0x0003e000",
  715. "size_of_data": "0x00000200",
  716. "entropy": "0.81",
  717. "raw_address": "0x0003c400",
  718. "virtual_size": "0x00000744",
  719. "characteristics_raw": "0xc0000040"
  720. },
  721. {
  722. "name": ".rsrc",
  723. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  724. "virtual_address": "0x0003f000",
  725. "size_of_data": "0x00013c00",
  726. "entropy": "4.81",
  727. "raw_address": "0x0003c600",
  728. "virtual_size": "0x00013a42",
  729. "characteristics_raw": "0x40000040"
  730. }
  731. ],
  732. "resources": [],
  733. "dirents": [
  734. {
  735. "virtual_address": "0x00000000",
  736. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  737. "size": "0x00000000"
  738. },
  739. {
  740. "virtual_address": "0x0003d1cc",
  741. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  742. "size": "0x000000b4"
  743. },
  744. {
  745. "virtual_address": "0x0003f000",
  746. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  747. "size": "0x00013a42"
  748. },
  749. {
  750. "virtual_address": "0x00000000",
  751. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  752. "size": "0x00000000"
  753. },
  754. {
  755. "virtual_address": "0x00000000",
  756. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  757. "size": "0x00000000"
  758. },
  759. {
  760. "virtual_address": "0x00000000",
  761. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  762. "size": "0x00000000"
  763. },
  764. {
  765. "virtual_address": "0x000041e0",
  766. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  767. "size": "0x0000001c"
  768. },
  769. {
  770. "virtual_address": "0x00000000",
  771. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  772. "size": "0x00000000"
  773. },
  774. {
  775. "virtual_address": "0x00000000",
  776. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  777. "size": "0x00000000"
  778. },
  779. {
  780. "virtual_address": "0x00000000",
  781. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  782. "size": "0x00000000"
  783. },
  784. {
  785. "virtual_address": "0x0003cff8",
  786. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  787. "size": "0x00000040"
  788. },
  789. {
  790. "virtual_address": "0x00000000",
  791. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  792. "size": "0x00000000"
  793. },
  794. {
  795. "virtual_address": "0x00004000",
  796. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  797. "size": "0x000001b8"
  798. },
  799. {
  800. "virtual_address": "0x00000000",
  801. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  802. "size": "0x00000000"
  803. },
  804. {
  805. "virtual_address": "0x00000000",
  806. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  807. "size": "0x00000000"
  808. },
  809. {
  810. "virtual_address": "0x00000000",
  811. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  812. "size": "0x00000000"
  813. }
  814. ],
  815. "exports": [],
  816. "guest_signers": {},
  817. "imphash": "e7090938ed62dc17f7da4646537d15ac",
  818. "icon_fuzzy": null,
  819. "icon": null,
  820. "pdbpath": "000000000000000000000000000000000000000000000000000000000000",
  821. "imported_dll_count": 8,
  822. "versioninfo": []
  823. }
  824. }
  825.  
  826. [*] Resolved APIs: [
  827. "cryptsp.dll.CryptAcquireContextA",
  828. "kernel32.dll.VirtualAlloc",
  829. "ntdll.dll.memcpy",
  830. "kernel32.dll.GetCurrentProcess",
  831. "kernel32.dll.CloseHandle",
  832. "advapi32.dll.OpenProcessToken",
  833. "advapi32.dll.GetTokenInformation",
  834. "kernel32.dll.Wow64EnableWow64FsRedirection",
  835. "advapi32.dll.RegCloseKey",
  836. "advapi32.dll.RegCreateKeyW",
  837. "advapi32.dll.RegOpenKeyExW",
  838. "advapi32.dll.RegSetValueExW",
  839. "shell32.dll.ShellExecuteA",
  840. "ole32.dll.OleInitialize",
  841. "cryptbase.dll.SystemFunction036",
  842. "ole32.dll.CreateBindCtx",
  843. "ole32.dll.CoTaskMemAlloc",
  844. "propsys.dll.PSCreateMemoryPropertyStore",
  845. "propsys.dll.PSPropertyBag_WriteDWORD",
  846. "ole32.dll.CoGetApartmentType",
  847. "ole32.dll.CoRegisterInitializeSpy",
  848. "ole32.dll.CoTaskMemFree",
  849. "comctl32.dll.#236",
  850. "oleaut32.dll.#6",
  851. "ole32.dll.CoGetMalloc",
  852. "propsys.dll.PSPropertyBag_ReadDWORD",
  853. "propsys.dll.PSPropertyBag_ReadGUID",
  854. "comctl32.dll.#320",
  855. "comctl32.dll.#324",
  856. "comctl32.dll.#323",
  857. "advapi32.dll.RegEnumKeyW",
  858. "advapi32.dll.OpenThreadToken",
  859. "ole32.dll.StringFromGUID2",
  860. "apphelp.dll.ApphelpCheckShellObject",
  861. "ole32.dll.CoCreateInstance",
  862. "urlmon.dll.CreateUri",
  863. "kernel32.dll.InitializeSRWLock",
  864. "kernel32.dll.AcquireSRWLockExclusive",
  865. "kernel32.dll.AcquireSRWLockShared",
  866. "kernel32.dll.ReleaseSRWLockExclusive",
  867. "kernel32.dll.ReleaseSRWLockShared",
  868. "comctl32.dll.#328",
  869. "comctl32.dll.#334",
  870. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  871. "oleaut32.dll.#2",
  872. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  873. "shell32.dll.#102",
  874. "propsys.dll.PSPropertyBag_ReadStrAlloc",
  875. "comctl32.dll.#332",
  876. "ole32.dll.CoInitializeEx",
  877. "comctl32.dll.#386",
  878. "advapi32.dll.InitializeSecurityDescriptor",
  879. "advapi32.dll.SetEntriesInAclW",
  880. "ntmarta.dll.GetMartaExtensionInterface",
  881. "advapi32.dll.SetSecurityDescriptorDacl",
  882. "advapi32.dll.IsTextUnicode",
  883. "comctl32.dll.#338",
  884. "comctl32.dll.#339",
  885. "ole32.dll.CoUninitialize",
  886. "sechost.dll.ConvertSidToStringSidW",
  887. "profapi.dll.#104",
  888. "propsys.dll.#430",
  889. "advapi32.dll.RegGetValueW",
  890. "ole32.dll.CoTaskMemRealloc",
  891. "propsys.dll.InitPropVariantFromStringAsVector",
  892. "propsys.dll.PSCoerceToCanonicalValue",
  893. "propsys.dll.PropVariantToStringAlloc",
  894. "ole32.dll.PropVariantClear",
  895. "ole32.dll.CoAllowSetForegroundWindow",
  896. "shell32.dll.SHGetFolderPathW",
  897. "advapi32.dll.SaferGetPolicyInformation",
  898. "ntdll.dll.RtlDllShutdownInProgress",
  899. "comctl32.dll.#329",
  900. "ole32.dll.OleUninitialize",
  901. "ole32.dll.CoRevokeInitializeSpy",
  902. "comctl32.dll.#388",
  903. "oleaut32.dll.#500",
  904. "advapi32.dll.CryptAcquireContextA",
  905. "advapi32.dll.CryptImportKey",
  906. "advapi32.dll.CryptEncrypt",
  907. "cryptsp.dll.CryptImportKey",
  908. "cryptbase.dll.SystemFunction040",
  909. "cryptbase.dll.SystemFunction041",
  910. "cryptsp.dll.CryptEncrypt",
  911. "advapi32.dll.UnregisterTraceGuids",
  912. "comctl32.dll.#321",
  913. "kernel32.dll.SetThreadUILanguage",
  914. "kernel32.dll.CopyFileExW",
  915. "kernel32.dll.IsDebuggerPresent",
  916. "kernel32.dll.SetConsoleInputExeNameW",
  917. "kernel32.dll.SortGetHandle",
  918. "kernel32.dll.SortCloseHandle",
  919. "uxtheme.dll.ThemeInitApiHook",
  920. "user32.dll.IsProcessDPIAware",
  921. "shell32.dll.#66",
  922. "comctl32.dll.#385",
  923. "comctl32.dll.#336",
  924. "linkinfo.dll.IsValidLinkInfo",
  925. "propsys.dll.#417",
  926. "propsys.dll.PSGetNameFromPropertyKey",
  927. "propsys.dll.PSStringFromPropertyKey",
  928. "propsys.dll.InitVariantFromBuffer",
  929. "oleaut32.dll.#9",
  930. "propsys.dll.PropVariantToGUID",
  931. "comctl32.dll.#333",
  932. "linkinfo.dll.CreateLinkInfoW",
  933. "user32.dll.IsCharAlphaW",
  934. "user32.dll.CharPrevW",
  935. "ntshrui.dll.GetNetResourceFromLocalPathW",
  936. "srvcli.dll.NetShareEnum",
  937. "cscapi.dll.CscNetApiGetInterface",
  938. "slc.dll.SLGetWindowsInformationDWORD",
  939. "shlwapi.dll.PathRemoveFileSpecW",
  940. "linkinfo.dll.DestroyLinkInfo",
  941. "propsys.dll.PropVariantToBoolean",
  942. "cryptsp.dll.CryptAcquireContextW",
  943. "cryptsp.dll.CryptGenRandom",
  944. "cryptsp.dll.CryptReleaseContext",
  945. "advapi32.dll.GetSecurityInfo",
  946. "advapi32.dll.SetSecurityInfo",
  947. "advapi32.dll.GetSecurityDescriptorControl",
  948. "advapi32.dll.RegQueryInfoKeyW",
  949. "advapi32.dll.RegEnumKeyExW",
  950. "advapi32.dll.RegEnumValueW",
  951. "advapi32.dll.RegQueryValueExW",
  952. "shlwapi.dll.UrlIsW",
  953. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  954. "msvcrt.dll._set_error_mode",
  955. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  956. "kernel32.dll.FindActCtxSectionStringW",
  957. "kernel32.dll.GetSystemWindowsDirectoryW",
  958. "mscoree.dll.GetProcessExecutableHeap",
  959. "mscorwks.dll.DllGetClassObjectInternal",
  960. "mscorwks.dll.GetCLRFunction",
  961. "advapi32.dll.RegisterTraceGuidsW",
  962. "advapi32.dll.GetTraceLoggerHandle",
  963. "advapi32.dll.GetTraceEnableLevel",
  964. "advapi32.dll.GetTraceEnableFlags",
  965. "advapi32.dll.TraceEvent",
  966. "mscoree.dll.IEE",
  967. "mscorwks.dll.IEE",
  968. "mscoree.dll.GetStartupFlags",
  969. "mscoree.dll.GetHostConfigurationFile",
  970. "mscoree.dll.GetCORSystemDirectory",
  971. "ntdll.dll.RtlVirtualUnwind",
  972. "kernel32.dll.IsWow64Process",
  973. "advapi32.dll.AllocateAndInitializeSid",
  974. "advapi32.dll.InitializeAcl",
  975. "advapi32.dll.AddAccessAllowedAce",
  976. "advapi32.dll.FreeSid",
  977. "kernel32.dll.SetThreadStackGuarantee",
  978. "kernel32.dll.FlsSetValue",
  979. "kernel32.dll.FlsGetValue",
  980. "kernel32.dll.FlsAlloc",
  981. "kernel32.dll.FlsFree",
  982. "kernel32.dll.AddVectoredContinueHandler",
  983. "kernel32.dll.RemoveVectoredContinueHandler",
  984. "advapi32.dll.ConvertSidToStringSidW",
  985. "kernel32.dll.FlushProcessWriteBuffers",
  986. "kernel32.dll.GetWriteWatch",
  987. "kernel32.dll.ResetWriteWatch",
  988. "kernel32.dll.CreateMemoryResourceNotification",
  989. "kernel32.dll.QueryMemoryResourceNotification",
  990. "kernel32.dll.GlobalMemoryStatusEx",
  991. "ole32.dll.CoGetContextToken",
  992. "oleaut32.dll.#149",
  993. "kernel32.dll.GetUserDefaultUILanguage",
  994. "kernel32.dll.GetVersionExW",
  995. "kernel32.dll.GetFullPathNameW",
  996. "kernel32.dll.SetErrorMode",
  997. "kernel32.dll.GetFileAttributesExW",
  998. "version.dll.GetFileVersionInfoSizeW",
  999. "version.dll.GetFileVersionInfoW",
  1000. "version.dll.VerQueryValueW",
  1001. "kernel32.dll.lstrlen",
  1002. "kernel32.dll.lstrlenW",
  1003. "mscoree.dll.ND_RI2",
  1004. "kernel32.dll.lstrcpy",
  1005. "kernel32.dll.lstrcpyW",
  1006. "version.dll.VerLanguageNameW",
  1007. "kernel32.dll.GetCurrentProcessId",
  1008. "advapi32.dll.LookupPrivilegeValueW",
  1009. "advapi32.dll.AdjustTokenPrivileges",
  1010. "kernel32.dll.OpenProcess",
  1011. "psapi.dll.EnumProcessModules",
  1012. "psapi.dll.GetModuleInformation",
  1013. "psapi.dll.GetModuleBaseNameW",
  1014. "psapi.dll.GetModuleFileNameExW",
  1015. "kernel32.dll.GetExitCodeProcess",
  1016. "ntdll.dll.NtQuerySystemInformation",
  1017. "user32.dll.EnumWindows",
  1018. "user32.dll.GetWindowThreadProcessId",
  1019. "kernel32.dll.WerSetFlags",
  1020. "kernel32.dll.SetThreadPreferredUILanguages",
  1021. "kernel32.dll.GetThreadPreferredUILanguages",
  1022. "kernel32.dll.GetUserDefaultLocaleName",
  1023. "kernel32.dll.GetEnvironmentVariableW",
  1024. "advapi32.dll.CryptReleaseContext",
  1025. "advapi32.dll.CryptCreateHash",
  1026. "advapi32.dll.CryptDestroyHash",
  1027. "advapi32.dll.CryptHashData",
  1028. "advapi32.dll.CryptGetHashParam",
  1029. "advapi32.dll.CryptExportKey",
  1030. "advapi32.dll.CryptGenKey",
  1031. "advapi32.dll.CryptGetKeyParam",
  1032. "advapi32.dll.CryptDestroyKey",
  1033. "advapi32.dll.CryptVerifySignatureA",
  1034. "advapi32.dll.CryptSignHashA",
  1035. "advapi32.dll.CryptGetProvParam",
  1036. "advapi32.dll.CryptGetUserKey",
  1037. "advapi32.dll.CryptEnumProvidersA",
  1038. "cryptsp.dll.CryptHashData",
  1039. "cryptsp.dll.CryptGetHashParam",
  1040. "cryptsp.dll.CryptDestroyHash",
  1041. "cryptsp.dll.CryptDestroyKey",
  1042. "mscoree.dll.GetTokenForVTableEntry",
  1043. "mscoree.dll.SetTargetForVTableEntry",
  1044. "mscoree.dll.GetTargetForVTableEntry",
  1045. "culture.dll.ConvertLangIdToCultureName",
  1046. "ole32.dll.CoCreateGuid",
  1047. "kernel32.dll.CreateFileW",
  1048. "kernel32.dll.GetConsoleScreenBufferInfo",
  1049. "kernel32.dll.LocalFree",
  1050. "kernel32.dll.LocalAlloc",
  1051. "mscoree.dll.ND_RI4",
  1052. "advapi32.dll.DuplicateTokenEx",
  1053. "advapi32.dll.CheckTokenMembership",
  1054. "kernel32.dll.GetConsoleTitleW",
  1055. "mscorjit.dll.getJit",
  1056. "kernel32.dll.SetConsoleTitleW",
  1057. "kernel32.dll.SetConsoleCtrlHandler",
  1058. "kernel32.dll.CreateEventW",
  1059. "ntdll.dll.WinSqmIsOptedIn",
  1060. "kernel32.dll.ExpandEnvironmentStringsW",
  1061. "shfolder.dll.SHGetFolderPathW",
  1062. "kernel32.dll.SetEnvironmentVariableW",
  1063. "kernel32.dll.GetACP",
  1064. "kernel32.dll.UnmapViewOfFile",
  1065. "kernel32.dll.GetFileType",
  1066. "kernel32.dll.ReadFile",
  1067. "kernel32.dll.GetSystemInfo",
  1068. "kernel32.dll.VirtualQuery",
  1069. "secur32.dll.GetUserNameExW",
  1070. "advapi32.dll.GetUserNameW",
  1071. "kernel32.dll.ReleaseMutex",
  1072. "advapi32.dll.RegisterEventSourceW",
  1073. "advapi32.dll.DeregisterEventSource",
  1074. "advapi32.dll.ReportEventW",
  1075. "kernel32.dll.GetLogicalDrives",
  1076. "kernel32.dll.GetDriveTypeW",
  1077. "kernel32.dll.GetVolumeInformationW",
  1078. "kernel32.dll.GetCurrentDirectoryW",
  1079. "kernel32.dll.GetLastError",
  1080. "kernel32.dll.GetStdHandle",
  1081. "kernel32.dll.GetConsoleMode",
  1082. "kernel32.dll.SetEvent",
  1083. "kernel32.dll.FindFirstFileW",
  1084. "kernel32.dll.FindClose",
  1085. "mscoree.dll.DllGetClassObject",
  1086. "diasymreader.dll.DllGetClassObjectInternal",
  1087. "kernel32.dll.GetConsoleOutputCP",
  1088. "gdi32.dll.TranslateCharsetInfo",
  1089. "kernel32.dll.SetConsoleTextAttribute",
  1090. "kernel32.dll.WriteConsoleW",
  1091. "mscoree.dll.CorExitProcess",
  1092. "mscorwks.dll.CorExitProcess",
  1093. "mscorwks.dll._CorDllMain",
  1094. "kernel32.dll.CreateActCtxW",
  1095. "kernel32.dll.AddRefActCtx",
  1096. "kernel32.dll.ReleaseActCtx",
  1097. "kernel32.dll.ActivateActCtx",
  1098. "kernel32.dll.DeactivateActCtx",
  1099. "kernel32.dll.GetCurrentActCtx",
  1100. "kernel32.dll.QueryActCtxW",
  1101. "netutils.dll.NetApiBufferFree",
  1102. "kernel32.dll.IsProcessorFeaturePresent",
  1103. "ntdll.dll.RtlUnwind",
  1104. "mscoree.dll._CorExeMain",
  1105. "mscoree.dll._CorImageUnloading",
  1106. "mscoree.dll._CorValidateImage",
  1107. "cryptsp.dll.CryptExportKey",
  1108. "cryptsp.dll.CryptCreateHash",
  1109. "kernel32.dll.SwitchToThread",
  1110. "rpcrt4.dll.UuidFromStringW",
  1111. "rpcrt4.dll.RpcBindingCreateW",
  1112. "rpcrt4.dll.RpcBindingBind",
  1113. "sechost.dll.OpenSCManagerW",
  1114. "sechost.dll.OpenServiceW",
  1115. "sechost.dll.StartServiceW",
  1116. "sechost.dll.CloseServiceHandle"
  1117. ]
  1118.  
  1119. [*] Static Analysis: {
  1120. "pe": {
  1121. "peid_signatures": null,
  1122. "imports": [
  1123. {
  1124. "imports": [
  1125. {
  1126. "name": "InitCommonControlsEx",
  1127. "address": "0x404008"
  1128. },
  1129. {
  1130. "name": null,
  1131. "address": "0x40400c"
  1132. }
  1133. ],
  1134. "dll": "COMCTL32.dll"
  1135. },
  1136. {
  1137. "imports": [
  1138. {
  1139. "name": "IsDebuggerPresent",
  1140. "address": "0x404044"
  1141. },
  1142. {
  1143. "name": "SetUnhandledExceptionFilter",
  1144. "address": "0x404048"
  1145. },
  1146. {
  1147. "name": "UnhandledExceptionFilter",
  1148. "address": "0x40404c"
  1149. },
  1150. {
  1151. "name": "GetCurrentProcess",
  1152. "address": "0x404050"
  1153. },
  1154. {
  1155. "name": "TerminateProcess",
  1156. "address": "0x404054"
  1157. },
  1158. {
  1159. "name": "GetStartupInfoA",
  1160. "address": "0x404058"
  1161. },
  1162. {
  1163. "name": "QueryPerformanceCounter",
  1164. "address": "0x40405c"
  1165. },
  1166. {
  1167. "name": "Sleep",
  1168. "address": "0x404060"
  1169. },
  1170. {
  1171. "name": "InterlockedExchange",
  1172. "address": "0x404064"
  1173. },
  1174. {
  1175. "name": "GetSystemTimeAsFileTime",
  1176. "address": "0x404068"
  1177. },
  1178. {
  1179. "name": "LocalFree",
  1180. "address": "0x40406c"
  1181. },
  1182. {
  1183. "name": "FormatMessageA",
  1184. "address": "0x404070"
  1185. },
  1186. {
  1187. "name": "GetLastError",
  1188. "address": "0x404074"
  1189. },
  1190. {
  1191. "name": "ReadFile",
  1192. "address": "0x404078"
  1193. },
  1194. {
  1195. "name": "GetTickCount",
  1196. "address": "0x40407c"
  1197. },
  1198. {
  1199. "name": "GetCurrentThreadId",
  1200. "address": "0x404080"
  1201. },
  1202. {
  1203. "name": "GetCurrentProcessId",
  1204. "address": "0x404084"
  1205. },
  1206. {
  1207. "name": "CreateFileMappingW",
  1208. "address": "0x404088"
  1209. },
  1210. {
  1211. "name": "MapViewOfFile",
  1212. "address": "0x40408c"
  1213. },
  1214. {
  1215. "name": "CreateFileA",
  1216. "address": "0x404090"
  1217. },
  1218. {
  1219. "name": "GetFileSize",
  1220. "address": "0x404094"
  1221. },
  1222. {
  1223. "name": "InterlockedCompareExchange",
  1224. "address": "0x404098"
  1225. },
  1226. {
  1227. "name": "CloseHandle",
  1228. "address": "0x40409c"
  1229. }
  1230. ],
  1231. "dll": "KERNEL32.dll"
  1232. },
  1233. {
  1234. "imports": [
  1235. {
  1236. "name": "ShowCursor",
  1237. "address": "0x40413c"
  1238. },
  1239. {
  1240. "name": "SetCursor",
  1241. "address": "0x404140"
  1242. },
  1243. {
  1244. "name": "LoadCursorA",
  1245. "address": "0x404144"
  1246. },
  1247. {
  1248. "name": "InvalidateRect",
  1249. "address": "0x404148"
  1250. },
  1251. {
  1252. "name": "MoveWindow",
  1253. "address": "0x40414c"
  1254. },
  1255. {
  1256. "name": "SetWindowTextA",
  1257. "address": "0x404150"
  1258. },
  1259. {
  1260. "name": "SendMessageA",
  1261. "address": "0x404154"
  1262. },
  1263. {
  1264. "name": "GetSystemMetrics",
  1265. "address": "0x404158"
  1266. },
  1267. {
  1268. "name": "CreateWindowExA",
  1269. "address": "0x40415c"
  1270. },
  1271. {
  1272. "name": "GetWindowLongA",
  1273. "address": "0x404160"
  1274. },
  1275. {
  1276. "name": "PostQuitMessage",
  1277. "address": "0x404164"
  1278. },
  1279. {
  1280. "name": "RegisterClassA",
  1281. "address": "0x404168"
  1282. },
  1283. {
  1284. "name": "LoadIconA",
  1285. "address": "0x40416c"
  1286. },
  1287. {
  1288. "name": "ShowWindow",
  1289. "address": "0x404170"
  1290. },
  1291. {
  1292. "name": "TranslateMessage",
  1293. "address": "0x404174"
  1294. },
  1295. {
  1296. "name": "GetMessageA",
  1297. "address": "0x404178"
  1298. },
  1299. {
  1300. "name": "GetDC",
  1301. "address": "0x40417c"
  1302. },
  1303. {
  1304. "name": "CreateMenu",
  1305. "address": "0x404180"
  1306. },
  1307. {
  1308. "name": "AppendMenuA",
  1309. "address": "0x404184"
  1310. },
  1311. {
  1312. "name": "SetMenu",
  1313. "address": "0x404188"
  1314. },
  1315. {
  1316. "name": "SetScrollInfo",
  1317. "address": "0x40418c"
  1318. },
  1319. {
  1320. "name": "UpdateWindow",
  1321. "address": "0x404190"
  1322. },
  1323. {
  1324. "name": "BeginPaint",
  1325. "address": "0x404194"
  1326. },
  1327. {
  1328. "name": "GetClientRect",
  1329. "address": "0x404198"
  1330. },
  1331. {
  1332. "name": "FillRect",
  1333. "address": "0x40419c"
  1334. },
  1335. {
  1336. "name": "EndPaint",
  1337. "address": "0x4041a0"
  1338. },
  1339. {
  1340. "name": "ScrollWindowEx",
  1341. "address": "0x4041a4"
  1342. },
  1343. {
  1344. "name": "DefWindowProcA",
  1345. "address": "0x4041a8"
  1346. },
  1347. {
  1348. "name": "MessageBoxA",
  1349. "address": "0x4041ac"
  1350. },
  1351. {
  1352. "name": "DispatchMessageA",
  1353. "address": "0x4041b0"
  1354. }
  1355. ],
  1356. "dll": "USER32.dll"
  1357. },
  1358. {
  1359. "imports": [
  1360. {
  1361. "name": "BitBlt",
  1362. "address": "0x40401c"
  1363. },
  1364. {
  1365. "name": "CreateSolidBrush",
  1366. "address": "0x404020"
  1367. },
  1368. {
  1369. "name": "SetDIBitsToDevice",
  1370. "address": "0x404024"
  1371. },
  1372. {
  1373. "name": "SelectObject",
  1374. "address": "0x404028"
  1375. },
  1376. {
  1377. "name": "CreateCompatibleBitmap",
  1378. "address": "0x40402c"
  1379. },
  1380. {
  1381. "name": "CreateCompatibleDC",
  1382. "address": "0x404030"
  1383. },
  1384. {
  1385. "name": "DeleteDC",
  1386. "address": "0x404034"
  1387. },
  1388. {
  1389. "name": "GetStockObject",
  1390. "address": "0x404038"
  1391. },
  1392. {
  1393. "name": "DeleteObject",
  1394. "address": "0x40403c"
  1395. }
  1396. ],
  1397. "dll": "GDI32.dll"
  1398. },
  1399. {
  1400. "imports": [
  1401. {
  1402. "name": "GetOpenFileNameA",
  1403. "address": "0x404014"
  1404. }
  1405. ],
  1406. "dll": "COMDLG32.dll"
  1407. },
  1408. {
  1409. "imports": [
  1410. {
  1411. "name": "CryptAcquireContextA",
  1412. "address": "0x404000"
  1413. }
  1414. ],
  1415. "dll": "ADVAPI32.dll"
  1416. },
  1417. {
  1418. "imports": [
  1419. {
  1420. "name": "??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
  1421. "address": "0x4040a4"
  1422. },
  1423. {
  1424. "name": "??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ",
  1425. "address": "0x4040a8"
  1426. },
  1427. {
  1428. "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z",
  1429. "address": "0x4040ac"
  1430. },
  1431. {
  1432. "name": "??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z",
  1433. "address": "0x4040b0"
  1434. },
  1435. {
  1436. "name": "??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z",
  1437. "address": "0x4040b4"
  1438. }
  1439. ],
  1440. "dll": "MSVCP90.dll"
  1441. },
  1442. {
  1443. "imports": [
  1444. {
  1445. "name": "_lock",
  1446. "address": "0x4040bc"
  1447. },
  1448. {
  1449. "name": "__dllonexit",
  1450. "address": "0x4040c0"
  1451. },
  1452. {
  1453. "name": "_unlock",
  1454. "address": "0x4040c4"
  1455. },
  1456. {
  1457. "name": "?terminate@@YAXXZ",
  1458. "address": "0x4040c8"
  1459. },
  1460. {
  1461. "name": "_crt_debugger_hook",
  1462. "address": "0x4040cc"
  1463. },
  1464. {
  1465. "name": "_onexit",
  1466. "address": "0x4040d0"
  1467. },
  1468. {
  1469. "name": "__set_app_type",
  1470. "address": "0x4040d4"
  1471. },
  1472. {
  1473. "name": "_encode_pointer",
  1474. "address": "0x4040d8"
  1475. },
  1476. {
  1477. "name": "__p__fmode",
  1478. "address": "0x4040dc"
  1479. },
  1480. {
  1481. "name": "__p__commode",
  1482. "address": "0x4040e0"
  1483. },
  1484. {
  1485. "name": "_adjust_fdiv",
  1486. "address": "0x4040e4"
  1487. },
  1488. {
  1489. "name": "__setusermatherr",
  1490. "address": "0x4040e8"
  1491. },
  1492. {
  1493. "name": "_decode_pointer",
  1494. "address": "0x4040ec"
  1495. },
  1496. {
  1497. "name": "_except_handler4_common",
  1498. "address": "0x4040f0"
  1499. },
  1500. {
  1501. "name": "_invoke_watson",
  1502. "address": "0x4040f4"
  1503. },
  1504. {
  1505. "name": "_controlfp_s",
  1506. "address": "0x4040f8"
  1507. },
  1508. {
  1509. "name": "malloc",
  1510. "address": "0x4040fc"
  1511. },
  1512. {
  1513. "name": "free",
  1514. "address": "0x404100"
  1515. },
  1516. {
  1517. "name": "sprintf",
  1518. "address": "0x404104"
  1519. },
  1520. {
  1521. "name": "__CxxFrameHandler3",
  1522. "address": "0x404108"
  1523. },
  1524. {
  1525. "name": "_amsg_exit",
  1526. "address": "0x40410c"
  1527. },
  1528. {
  1529. "name": "__getmainargs",
  1530. "address": "0x404110"
  1531. },
  1532. {
  1533. "name": "_cexit",
  1534. "address": "0x404114"
  1535. },
  1536. {
  1537. "name": "_exit",
  1538. "address": "0x404118"
  1539. },
  1540. {
  1541. "name": "_XcptFilter",
  1542. "address": "0x40411c"
  1543. },
  1544. {
  1545. "name": "_ismbblead",
  1546. "address": "0x404120"
  1547. },
  1548. {
  1549. "name": "exit",
  1550. "address": "0x404124"
  1551. },
  1552. {
  1553. "name": "_acmdln",
  1554. "address": "0x404128"
  1555. },
  1556. {
  1557. "name": "_initterm",
  1558. "address": "0x40412c"
  1559. },
  1560. {
  1561. "name": "_initterm_e",
  1562. "address": "0x404130"
  1563. },
  1564. {
  1565. "name": "_configthreadlocale",
  1566. "address": "0x404134"
  1567. }
  1568. ],
  1569. "dll": "MSVCR90.dll"
  1570. }
  1571. ],
  1572. "digital_signers": null,
  1573. "exported_dll_name": null,
  1574. "actual_checksum": "0x00057a06",
  1575. "overlay": null,
  1576. "imagebase": "0x00400000",
  1577. "reported_checksum": "0x00057a06",
  1578. "icon_hash": null,
  1579. "entrypoint": "0x00402a57",
  1580. "timestamp": "2019-06-25 13:41:15",
  1581. "osversion": "5.0",
  1582. "sections": [
  1583. {
  1584. "name": ".text",
  1585. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1586. "virtual_address": "0x00001000",
  1587. "size_of_data": "0x00002200",
  1588. "entropy": "6.20",
  1589. "raw_address": "0x00000400",
  1590. "virtual_size": "0x00002164",
  1591. "characteristics_raw": "0x60000020"
  1592. },
  1593. {
  1594. "name": ".rdata",
  1595. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1596. "virtual_address": "0x00004000",
  1597. "size_of_data": "0x00039e00",
  1598. "entropy": "6.06",
  1599. "raw_address": "0x00002600",
  1600. "virtual_size": "0x00039c8e",
  1601. "characteristics_raw": "0x40000040"
  1602. },
  1603. {
  1604. "name": ".data",
  1605. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1606. "virtual_address": "0x0003e000",
  1607. "size_of_data": "0x00000200",
  1608. "entropy": "0.81",
  1609. "raw_address": "0x0003c400",
  1610. "virtual_size": "0x00000744",
  1611. "characteristics_raw": "0xc0000040"
  1612. },
  1613. {
  1614. "name": ".rsrc",
  1615. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1616. "virtual_address": "0x0003f000",
  1617. "size_of_data": "0x00013c00",
  1618. "entropy": "4.81",
  1619. "raw_address": "0x0003c600",
  1620. "virtual_size": "0x00013a42",
  1621. "characteristics_raw": "0x40000040"
  1622. }
  1623. ],
  1624. "resources": [],
  1625. "dirents": [
  1626. {
  1627. "virtual_address": "0x00000000",
  1628. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1629. "size": "0x00000000"
  1630. },
  1631. {
  1632. "virtual_address": "0x0003d1cc",
  1633. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1634. "size": "0x000000b4"
  1635. },
  1636. {
  1637. "virtual_address": "0x0003f000",
  1638. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1639. "size": "0x00013a42"
  1640. },
  1641. {
  1642. "virtual_address": "0x00000000",
  1643. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1644. "size": "0x00000000"
  1645. },
  1646. {
  1647. "virtual_address": "0x00000000",
  1648. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1649. "size": "0x00000000"
  1650. },
  1651. {
  1652. "virtual_address": "0x00000000",
  1653. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1654. "size": "0x00000000"
  1655. },
  1656. {
  1657. "virtual_address": "0x000041e0",
  1658. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1659. "size": "0x0000001c"
  1660. },
  1661. {
  1662. "virtual_address": "0x00000000",
  1663. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1664. "size": "0x00000000"
  1665. },
  1666. {
  1667. "virtual_address": "0x00000000",
  1668. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1669. "size": "0x00000000"
  1670. },
  1671. {
  1672. "virtual_address": "0x00000000",
  1673. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1674. "size": "0x00000000"
  1675. },
  1676. {
  1677. "virtual_address": "0x0003cff8",
  1678. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1679. "size": "0x00000040"
  1680. },
  1681. {
  1682. "virtual_address": "0x00000000",
  1683. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1684. "size": "0x00000000"
  1685. },
  1686. {
  1687. "virtual_address": "0x00004000",
  1688. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1689. "size": "0x000001b8"
  1690. },
  1691. {
  1692. "virtual_address": "0x00000000",
  1693. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1694. "size": "0x00000000"
  1695. },
  1696. {
  1697. "virtual_address": "0x00000000",
  1698. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1699. "size": "0x00000000"
  1700. },
  1701. {
  1702. "virtual_address": "0x00000000",
  1703. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1704. "size": "0x00000000"
  1705. }
  1706. ],
  1707. "exports": [],
  1708. "guest_signers": {},
  1709. "imphash": "e7090938ed62dc17f7da4646537d15ac",
  1710. "icon_fuzzy": null,
  1711. "icon": null,
  1712. "pdbpath": "000000000000000000000000000000000000000000000000000000000000",
  1713. "imported_dll_count": 8,
  1714. "versioninfo": []
  1715. }
  1716. }