paladin316

AZORult_feef0d74_exe.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: "Malicious"
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "AZORult_feef0d74.exe"
  7. [*] File Size: 438272
  8. [*] File Type: "PE32 executable (console) Intel 80386, for MS Windows"
  9. [*] SHA256: "c24a44ad7a2cccc0b48c881087bbcacca2754321110bacd9eb7e71687117a75d"
  10. [*] MD5: "4397e615d317a9645c9f1b95f50509bf"
  11. [*] SHA1: "9a37b97ce2b76b2a4b5a82c03f7e1f615824f76b"
  12. [*] SHA512: "ed40f1419f41e710c141156769eb51d957ee2d47d3f01eb95506039ff2655ceb2a46822f00c6e081b45991f0619a6d617b16ae71f89d6bb54f07e4e5351999a4"
  13. [*] CRC32: "FEEF0D74"
  14. [*] SSDEEP: "6144:G8afWfuCiCEfwdciYYx8+W5dF/u+wBkfzBYqVKtplV4UszE7hvriKi:G6ueEMPvWc+6bqVKQUszE7hvxi"
  15.  
  16. [*] Process Execution: [
  17. "AZORult_feef0d74.exe",
  18. "AZORult_feef0d74.exe"
  19. ]
  20.  
  21. [*] Signatures Detected: [
  22. {
  23. "Description": "Creates RWX memory",
  24. "Details": []
  25. },
  26. {
  27. "Description": "A process created a hidden window",
  28. "Details": [
  29. {
  30. "Process": "AZORult_feef0d74.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\AZORult_feef0d74.exe"
  31. }
  32. ]
  33. },
  34. {
  35. "Description": "The binary likely contains encrypted or compressed data.",
  36. "Details": [
  37. {
  38. "section": "name: .rsrc, entropy: 6.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00038e00, virtual_size: 0x00038cd5"
  39. }
  40. ]
  41. },
  42. {
  43. "Description": "File has been identified by 29 Antiviruses on VirusTotal as malicious",
  44. "Details": [
  45. {
  46. "MicroWorld-eScan": "Gen:Variant.Ser.Mikey.443"
  47. },
  48. {
  49. "FireEye": "Generic.mg.4397e615d317a964"
  50. },
  51. {
  52. "Cylance": "Unsafe"
  53. },
  54. {
  55. "K7GW": "Trojan ( 0054ff161 )"
  56. },
  57. {
  58. "Arcabit": "Trojan.Ser.Mikey.443"
  59. },
  60. {
  61. "Invincea": "heuristic"
  62. },
  63. {
  64. "APEX": "Malicious"
  65. },
  66. {
  67. "GData": "Gen:Variant.Ser.Mikey.443"
  68. },
  69. {
  70. "Kaspersky": "Trojan-PSW.Win32.Azorult.vny"
  71. },
  72. {
  73. "BitDefender": "Gen:Variant.Ser.Mikey.443"
  74. },
  75. {
  76. "Avast": "Win32:PWSX-gen [Trj]"
  77. },
  78. {
  79. "Rising": "Malware.Heuristic.MLite(84%) (AI-LITE:Gq/p8d8pLCKS2zQB3rl/nA)"
  80. },
  81. {
  82. "Ad-Aware": "Gen:Variant.Ser.Mikey.443"
  83. },
  84. {
  85. "Emsisoft": "Gen:Variant.Ser.Mikey.443 (B)"
  86. },
  87. {
  88. "F-Secure": "Trojan.TR/Crypt.Agent.bjamp"
  89. },
  90. {
  91. "Ikarus": "Trojan.MSIL.Inject"
  92. },
  93. {
  94. "ESET-NOD32": "a variant of Win32/Kryptik.GTXI"
  95. },
  96. {
  97. "Avira": "TR/Crypt.Agent.bjamp"
  98. },
  99. {
  100. "Microsoft": "TrojanSpy:Win32/Banload.AAA!bit"
  101. },
  102. {
  103. "Endgame": "malicious (high confidence)"
  104. },
  105. {
  106. "ZoneAlarm": "Trojan-PSW.Win32.Azorult.vny"
  107. },
  108. {
  109. "Acronis": "suspicious"
  110. },
  111. {
  112. "Malwarebytes": "Trojan.MalPack.RES"
  113. },
  114. {
  115. "SentinelOne": "DFI - Suspicious PE"
  116. },
  117. {
  118. "Fortinet": "W32/Kryptik.GTWJ!tr"
  119. },
  120. {
  121. "AVG": "Win32:PWSX-gen [Trj]"
  122. },
  123. {
  124. "Cybereason": "malicious.ce2b76"
  125. },
  126. {
  127. "CrowdStrike": "win/malicious_confidence_100% (W)"
  128. },
  129. {
  130. "Qihoo-360": "HEUR/QVM10.1.D565.Malware.Gen"
  131. }
  132. ]
  133. },
  134. {
  135. "Description": "Collects information to fingerprint the system",
  136. "Details": []
  137. }
  138. ]
  139.  
  140. [*] Started Service: []
  141.  
  142. [*] Executed Commands: [
  143. "\"C:\\Users\\user\\AppData\\Local\\Temp\\AZORult_feef0d74.exe\""
  144. ]
  145.  
  146. [*] Mutexes: [
  147. "DBWinMutex",
  148. "A81FB8C60-BBE6E186-FC9B5DB5-36DA4559-33946726"
  149. ]
  150.  
  151. [*] Modified Files: []
  152.  
  153. [*] Deleted Files: []
  154.  
  155. [*] Modified Registry Keys: []
  156.  
  157. [*] Deleted Registry Keys: []
  158.  
  159. [*] DNS Communications: [
  160. {
  161. "type": "A",
  162. "request": "fdghfghdfghj.ru",
  163. "answers": [
  164. {
  165. "data": "",
  166. "type": "NXDOMAIN"
  167. }
  168. ]
  169. }
  170. ]
  171.  
  172. [*] Domains: [
  173. {
  174. "ip": "92.242.140.2",
  175. "domain": "fdghfghdfghj.ru"
  176. }
  177. ]
  178.  
  179. [*] Network Communication - ICMP: []
  180.  
  181. [*] Network Communication - HTTP: []
  182.  
  183. [*] Network Communication - SMTP: []
  184.  
  185. [*] Network Communication - Hosts: []
  186.  
  187. [*] Network Communication - IRC: []
  188.  
  189. [*] Static Analysis: {
  190. "pe": {
  191. "peid_signatures": null,
  192. "imports": [
  193. {
  194. "imports": [
  195. {
  196. "name": "GetProcessHeap",
  197. "address": "0x41c078"
  198. },
  199. {
  200. "name": "FreeEnvironmentStringsW",
  201. "address": "0x41c07c"
  202. },
  203. {
  204. "name": "GetEnvironmentStringsW",
  205. "address": "0x41c080"
  206. },
  207. {
  208. "name": "GetCPInfo",
  209. "address": "0x41c084"
  210. },
  211. {
  212. "name": "GetOEMCP",
  213. "address": "0x41c088"
  214. },
  215. {
  216. "name": "IsValidCodePage",
  217. "address": "0x41c08c"
  218. },
  219. {
  220. "name": "GetConsoleCP",
  221. "address": "0x41c090"
  222. },
  223. {
  224. "name": "FindNextFileA",
  225. "address": "0x41c094"
  226. },
  227. {
  228. "name": "FindFirstFileExA",
  229. "address": "0x41c098"
  230. },
  231. {
  232. "name": "DecodePointer",
  233. "address": "0x41c09c"
  234. },
  235. {
  236. "name": "GetFileAttributesA",
  237. "address": "0x41c0a0"
  238. },
  239. {
  240. "name": "WriteConsoleW",
  241. "address": "0x41c0a4"
  242. },
  243. {
  244. "name": "HeapSize",
  245. "address": "0x41c0a8"
  246. },
  247. {
  248. "name": "HeapReAlloc",
  249. "address": "0x41c0ac"
  250. },
  251. {
  252. "name": "FlushFileBuffers",
  253. "address": "0x41c0b0"
  254. },
  255. {
  256. "name": "SetEndOfFile",
  257. "address": "0x41c0b4"
  258. },
  259. {
  260. "name": "ReadFile",
  261. "address": "0x41c0b8"
  262. },
  263. {
  264. "name": "LoadLibraryA",
  265. "address": "0x41c0bc"
  266. },
  267. {
  268. "name": "VirtualAlloc",
  269. "address": "0x41c0c0"
  270. },
  271. {
  272. "name": "VirtualFree",
  273. "address": "0x41c0c4"
  274. },
  275. {
  276. "name": "VirtualProtect",
  277. "address": "0x41c0c8"
  278. },
  279. {
  280. "name": "GetPrivateProfileStructA",
  281. "address": "0x41c0cc"
  282. },
  283. {
  284. "name": "GetEnvironmentVariableW",
  285. "address": "0x41c0d0"
  286. },
  287. {
  288. "name": "FindClose",
  289. "address": "0x41c0d4"
  290. },
  291. {
  292. "name": "GetConsoleAliasExesLengthW",
  293. "address": "0x41c0d8"
  294. },
  295. {
  296. "name": "SetComputerNameA",
  297. "address": "0x41c0dc"
  298. },
  299. {
  300. "name": "_hread",
  301. "address": "0x41c0e0"
  302. },
  303. {
  304. "name": "CopyFileExW",
  305. "address": "0x41c0e4"
  306. },
  307. {
  308. "name": "TlsFree",
  309. "address": "0x41c0e8"
  310. },
  311. {
  312. "name": "UnregisterWait",
  313. "address": "0x41c0ec"
  314. },
  315. {
  316. "name": "FillConsoleOutputCharacterW",
  317. "address": "0x41c0f0"
  318. },
  319. {
  320. "name": "SetConsoleTitleW",
  321. "address": "0x41c0f4"
  322. },
  323. {
  324. "name": "Process32First",
  325. "address": "0x41c0f8"
  326. },
  327. {
  328. "name": "RequestWakeupLatency",
  329. "address": "0x41c0fc"
  330. },
  331. {
  332. "name": "FindNextChangeNotification",
  333. "address": "0x41c100"
  334. },
  335. {
  336. "name": "SetLocaleInfoA",
  337. "address": "0x41c104"
  338. },
  339. {
  340. "name": "DisableThreadLibraryCalls",
  341. "address": "0x41c108"
  342. },
  343. {
  344. "name": "LCMapStringW",
  345. "address": "0x41c10c"
  346. },
  347. {
  348. "name": "CompareStringW",
  349. "address": "0x41c110"
  350. },
  351. {
  352. "name": "QueryPerformanceCounter",
  353. "address": "0x41c114"
  354. },
  355. {
  356. "name": "GetCurrentProcessId",
  357. "address": "0x41c118"
  358. },
  359. {
  360. "name": "GetCurrentThreadId",
  361. "address": "0x41c11c"
  362. },
  363. {
  364. "name": "GetSystemTimeAsFileTime",
  365. "address": "0x41c120"
  366. },
  367. {
  368. "name": "InitializeSListHead",
  369. "address": "0x41c124"
  370. },
  371. {
  372. "name": "IsDebuggerPresent",
  373. "address": "0x41c128"
  374. },
  375. {
  376. "name": "UnhandledExceptionFilter",
  377. "address": "0x41c12c"
  378. },
  379. {
  380. "name": "SetUnhandledExceptionFilter",
  381. "address": "0x41c130"
  382. },
  383. {
  384. "name": "GetStartupInfoW",
  385. "address": "0x41c134"
  386. },
  387. {
  388. "name": "IsProcessorFeaturePresent",
  389. "address": "0x41c138"
  390. },
  391. {
  392. "name": "GetModuleHandleW",
  393. "address": "0x41c13c"
  394. },
  395. {
  396. "name": "GetCurrentProcess",
  397. "address": "0x41c140"
  398. },
  399. {
  400. "name": "TerminateProcess",
  401. "address": "0x41c144"
  402. },
  403. {
  404. "name": "RtlUnwind",
  405. "address": "0x41c148"
  406. },
  407. {
  408. "name": "VirtualQuery",
  409. "address": "0x41c14c"
  410. },
  411. {
  412. "name": "GetLastError",
  413. "address": "0x41c150"
  414. },
  415. {
  416. "name": "SetLastError",
  417. "address": "0x41c154"
  418. },
  419. {
  420. "name": "EnterCriticalSection",
  421. "address": "0x41c158"
  422. },
  423. {
  424. "name": "LeaveCriticalSection",
  425. "address": "0x41c15c"
  426. },
  427. {
  428. "name": "DeleteCriticalSection",
  429. "address": "0x41c160"
  430. },
  431. {
  432. "name": "InitializeCriticalSectionAndSpinCount",
  433. "address": "0x41c164"
  434. },
  435. {
  436. "name": "TlsAlloc",
  437. "address": "0x41c168"
  438. },
  439. {
  440. "name": "TlsGetValue",
  441. "address": "0x41c16c"
  442. },
  443. {
  444. "name": "TlsSetValue",
  445. "address": "0x41c170"
  446. },
  447. {
  448. "name": "FreeLibrary",
  449. "address": "0x41c174"
  450. },
  451. {
  452. "name": "GetProcAddress",
  453. "address": "0x41c178"
  454. },
  455. {
  456. "name": "LoadLibraryExW",
  457. "address": "0x41c17c"
  458. },
  459. {
  460. "name": "SetEnvironmentVariableA",
  461. "address": "0x41c180"
  462. },
  463. {
  464. "name": "SetEnvironmentVariableW",
  465. "address": "0x41c184"
  466. },
  467. {
  468. "name": "SetCurrentDirectoryW",
  469. "address": "0x41c188"
  470. },
  471. {
  472. "name": "GetCurrentDirectoryW",
  473. "address": "0x41c18c"
  474. },
  475. {
  476. "name": "SetFilePointerEx",
  477. "address": "0x41c190"
  478. },
  479. {
  480. "name": "GetConsoleMode",
  481. "address": "0x41c194"
  482. },
  483. {
  484. "name": "ReadConsoleInputA",
  485. "address": "0x41c198"
  486. },
  487. {
  488. "name": "SetConsoleMode",
  489. "address": "0x41c19c"
  490. },
  491. {
  492. "name": "CloseHandle",
  493. "address": "0x41c1a0"
  494. },
  495. {
  496. "name": "WaitForSingleObject",
  497. "address": "0x41c1a4"
  498. },
  499. {
  500. "name": "GetExitCodeProcess",
  501. "address": "0x41c1a8"
  502. },
  503. {
  504. "name": "CreateProcessA",
  505. "address": "0x41c1ac"
  506. },
  507. {
  508. "name": "GetLocalTime",
  509. "address": "0x41c1b0"
  510. },
  511. {
  512. "name": "SetStdHandle",
  513. "address": "0x41c1b4"
  514. },
  515. {
  516. "name": "GetFileType",
  517. "address": "0x41c1b8"
  518. },
  519. {
  520. "name": "GetStdHandle",
  521. "address": "0x41c1bc"
  522. },
  523. {
  524. "name": "WriteFile",
  525. "address": "0x41c1c0"
  526. },
  527. {
  528. "name": "GetModuleFileNameA",
  529. "address": "0x41c1c4"
  530. },
  531. {
  532. "name": "MultiByteToWideChar",
  533. "address": "0x41c1c8"
  534. },
  535. {
  536. "name": "WideCharToMultiByte",
  537. "address": "0x41c1cc"
  538. },
  539. {
  540. "name": "ExitProcess",
  541. "address": "0x41c1d0"
  542. },
  543. {
  544. "name": "GetModuleHandleExW",
  545. "address": "0x41c1d4"
  546. },
  547. {
  548. "name": "GetCommandLineA",
  549. "address": "0x41c1d8"
  550. },
  551. {
  552. "name": "GetCommandLineW",
  553. "address": "0x41c1dc"
  554. },
  555. {
  556. "name": "GetACP",
  557. "address": "0x41c1e0"
  558. },
  559. {
  560. "name": "HeapFree",
  561. "address": "0x41c1e4"
  562. },
  563. {
  564. "name": "HeapAlloc",
  565. "address": "0x41c1e8"
  566. },
  567. {
  568. "name": "GetStringTypeW",
  569. "address": "0x41c1ec"
  570. },
  571. {
  572. "name": "RaiseException",
  573. "address": "0x41c1f0"
  574. },
  575. {
  576. "name": "CreateFileW",
  577. "address": "0x41c1f4"
  578. },
  579. {
  580. "name": "GetFileAttributesExW",
  581. "address": "0x41c1f8"
  582. },
  583. {
  584. "name": "ReadConsoleW",
  585. "address": "0x41c1fc"
  586. }
  587. ],
  588. "dll": "KERNEL32.dll"
  589. },
  590. {
  591. "imports": [
  592. {
  593. "name": "GetUpdateRect",
  594. "address": "0x41c204"
  595. },
  596. {
  597. "name": "GetSystemMenu",
  598. "address": "0x41c208"
  599. },
  600. {
  601. "name": "SetMenuItemBitmaps",
  602. "address": "0x41c20c"
  603. },
  604. {
  605. "name": "MoveWindow",
  606. "address": "0x41c210"
  607. },
  608. {
  609. "name": "CallNextHookEx",
  610. "address": "0x41c214"
  611. },
  612. {
  613. "name": "SetProcessWindowStation",
  614. "address": "0x41c218"
  615. },
  616. {
  617. "name": "PostThreadMessageW",
  618. "address": "0x41c21c"
  619. },
  620. {
  621. "name": "GetTabbedTextExtentW",
  622. "address": "0x41c220"
  623. },
  624. {
  625. "name": "DeleteMenu",
  626. "address": "0x41c224"
  627. },
  628. {
  629. "name": "RealGetWindowClass",
  630. "address": "0x41c228"
  631. },
  632. {
  633. "name": "BroadcastSystemMessageW",
  634. "address": "0x41c22c"
  635. },
  636. {
  637. "name": "GetClassInfoExW",
  638. "address": "0x41c230"
  639. },
  640. {
  641. "name": "WINNLSEnableIME",
  642. "address": "0x41c234"
  643. },
  644. {
  645. "name": "SetWindowsHookA",
  646. "address": "0x41c238"
  647. },
  648. {
  649. "name": "WaitForInputIdle",
  650. "address": "0x41c23c"
  651. },
  652. {
  653. "name": "DdeDisconnect",
  654. "address": "0x41c240"
  655. },
  656. {
  657. "name": "FlashWindowEx",
  658. "address": "0x41c244"
  659. },
  660. {
  661. "name": "InSendMessage",
  662. "address": "0x41c248"
  663. },
  664. {
  665. "name": "GetNextDlgTabItem",
  666. "address": "0x41c24c"
  667. }
  668. ],
  669. "dll": "USER32.dll"
  670. },
  671. {
  672. "imports": [
  673. {
  674. "name": "CreateFontIndirectExA",
  675. "address": "0x41c038"
  676. },
  677. {
  678. "name": "GetColorSpace",
  679. "address": "0x41c03c"
  680. },
  681. {
  682. "name": "UpdateColors",
  683. "address": "0x41c040"
  684. },
  685. {
  686. "name": "CreatePalette",
  687. "address": "0x41c044"
  688. },
  689. {
  690. "name": "EqualRgn",
  691. "address": "0x41c048"
  692. },
  693. {
  694. "name": "GetRgnBox",
  695. "address": "0x41c04c"
  696. },
  697. {
  698. "name": "SetPixel",
  699. "address": "0x41c050"
  700. },
  701. {
  702. "name": "RemoveFontResourceExW",
  703. "address": "0x41c054"
  704. },
  705. {
  706. "name": "GetTextFaceW",
  707. "address": "0x41c058"
  708. },
  709. {
  710. "name": "GetGraphicsMode",
  711. "address": "0x41c05c"
  712. },
  713. {
  714. "name": "SelectObject",
  715. "address": "0x41c060"
  716. },
  717. {
  718. "name": "GetGlyphOutlineA",
  719. "address": "0x41c064"
  720. },
  721. {
  722. "name": "SetWindowExtEx",
  723. "address": "0x41c068"
  724. },
  725. {
  726. "name": "GdiGetPageHandle",
  727. "address": "0x41c06c"
  728. },
  729. {
  730. "name": "GetFontLanguageInfo",
  731. "address": "0x41c070"
  732. }
  733. ],
  734. "dll": "GDI32.dll"
  735. },
  736. {
  737. "imports": [
  738. {
  739. "name": "SetPrinterW",
  740. "address": "0x41c254"
  741. },
  742. {
  743. "name": "GetPrinterDataExW",
  744. "address": "0x41c258"
  745. },
  746. {
  747. "name": "EnumPortsW",
  748. "address": "0x41c25c"
  749. }
  750. ],
  751. "dll": "WINSPOOL.DRV"
  752. },
  753. {
  754. "imports": [
  755. {
  756. "name": "GetOpenFileNameA",
  757. "address": "0x41c030"
  758. }
  759. ],
  760. "dll": "COMDLG32.dll"
  761. },
  762. {
  763. "imports": [
  764. {
  765. "name": "LsaOpenTrustedDomain",
  766. "address": "0x41c000"
  767. },
  768. {
  769. "name": "AreAnyAccessesGranted",
  770. "address": "0x41c004"
  771. },
  772. {
  773. "name": "LsaLookupPrivilegeName",
  774. "address": "0x41c008"
  775. },
  776. {
  777. "name": "QueryServiceConfigA",
  778. "address": "0x41c00c"
  779. },
  780. {
  781. "name": "LookupAccountNameW",
  782. "address": "0x41c010"
  783. },
  784. {
  785. "name": "SystemFunction031",
  786. "address": "0x41c014"
  787. },
  788. {
  789. "name": "AllocateAndInitializeSid",
  790. "address": "0x41c018"
  791. },
  792. {
  793. "name": "RegSaveKeyA",
  794. "address": "0x41c01c"
  795. },
  796. {
  797. "name": "BuildExplicitAccessWithNameW",
  798. "address": "0x41c020"
  799. },
  800. {
  801. "name": "CryptEnumProvidersA",
  802. "address": "0x41c024"
  803. },
  804. {
  805. "name": "AddUsersToEncryptedFile",
  806. "address": "0x41c028"
  807. }
  808. ],
  809. "dll": "ADVAPI32.dll"
  810. },
  811. {
  812. "imports": [
  813. {
  814. "name": "CLSIDFromString",
  815. "address": "0x41c264"
  816. },
  817. {
  818. "name": "HWND_UserUnmarshal",
  819. "address": "0x41c268"
  820. },
  821. {
  822. "name": "OleCreateFromData",
  823. "address": "0x41c26c"
  824. },
  825. {
  826. "name": "CoAddRefServerProcess",
  827. "address": "0x41c270"
  828. },
  829. {
  830. "name": "ReadClassStg",
  831. "address": "0x41c274"
  832. },
  833. {
  834. "name": "WriteClassStg",
  835. "address": "0x41c278"
  836. }
  837. ],
  838. "dll": "ole32.dll"
  839. }
  840. ],
  841. "digital_signers": null,
  842. "exported_dll_name": null,
  843. "actual_checksum": "0x00079b31",
  844. "overlay": null,
  845. "imagebase": "0x00400000",
  846. "reported_checksum": "0x00000000",
  847. "icon_hash": null,
  848. "entrypoint": "0x00403bf9",
  849. "timestamp": "2019-06-11 13:23:14",
  850. "osversion": "5.1",
  851. "sections": [
  852. {
  853. "name": ".text",
  854. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  855. "virtual_address": "0x00001000",
  856. "size_of_data": "0x0001b000",
  857. "entropy": "6.69",
  858. "raw_address": "0x00000400",
  859. "virtual_size": "0x0001af27",
  860. "characteristics_raw": "0x60000020"
  861. },
  862. {
  863. "name": ".rdata",
  864. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  865. "virtual_address": "0x0001c000",
  866. "size_of_data": "0x00008c00",
  867. "entropy": "5.16",
  868. "raw_address": "0x0001b400",
  869. "virtual_size": "0x00008b96",
  870. "characteristics_raw": "0x40000040"
  871. },
  872. {
  873. "name": ".data",
  874. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  875. "virtual_address": "0x00025000",
  876. "size_of_data": "0x0000b800",
  877. "entropy": "6.27",
  878. "raw_address": "0x00024000",
  879. "virtual_size": "0x0000c280",
  880. "characteristics_raw": "0xc0000040"
  881. },
  882. {
  883. "name": ".gfids",
  884. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  885. "virtual_address": "0x00032000",
  886. "size_of_data": "0x00000600",
  887. "entropy": "2.89",
  888. "raw_address": "0x0002f800",
  889. "virtual_size": "0x000004b0",
  890. "characteristics_raw": "0x40000040"
  891. },
  892. {
  893. "name": ".rsrc",
  894. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  895. "virtual_address": "0x00033000",
  896. "size_of_data": "0x00038e00",
  897. "entropy": "6.98",
  898. "raw_address": "0x0002fe00",
  899. "virtual_size": "0x00038cd5",
  900. "characteristics_raw": "0x40000040"
  901. },
  902. {
  903. "name": ".reloc",
  904. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  905. "virtual_address": "0x0006c000",
  906. "size_of_data": "0x00002400",
  907. "entropy": "6.62",
  908. "raw_address": "0x00068c00",
  909. "virtual_size": "0x00002300",
  910. "characteristics_raw": "0x42000040"
  911. }
  912. ],
  913. "resources": [],
  914. "dirents": [
  915. {
  916. "virtual_address": "0x00000000",
  917. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  918. "size": "0x00000000"
  919. },
  920. {
  921. "virtual_address": "0x00023c9c",
  922. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  923. "size": "0x000000a0"
  924. },
  925. {
  926. "virtual_address": "0x00033000",
  927. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  928. "size": "0x00038cd5"
  929. },
  930. {
  931. "virtual_address": "0x00000000",
  932. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  933. "size": "0x00000000"
  934. },
  935. {
  936. "virtual_address": "0x00000000",
  937. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  938. "size": "0x00000000"
  939. },
  940. {
  941. "virtual_address": "0x0006c000",
  942. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  943. "size": "0x00002300"
  944. },
  945. {
  946. "virtual_address": "0x00023410",
  947. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  948. "size": "0x0000001c"
  949. },
  950. {
  951. "virtual_address": "0x00000000",
  952. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  953. "size": "0x00000000"
  954. },
  955. {
  956. "virtual_address": "0x00000000",
  957. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  958. "size": "0x00000000"
  959. },
  960. {
  961. "virtual_address": "0x00000000",
  962. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  963. "size": "0x00000000"
  964. },
  965. {
  966. "virtual_address": "0x00023430",
  967. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  968. "size": "0x00000040"
  969. },
  970. {
  971. "virtual_address": "0x00000000",
  972. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  973. "size": "0x00000000"
  974. },
  975. {
  976. "virtual_address": "0x0001c000",
  977. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  978. "size": "0x00000280"
  979. },
  980. {
  981. "virtual_address": "0x00000000",
  982. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  983. "size": "0x00000000"
  984. },
  985. {
  986. "virtual_address": "0x00000000",
  987. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  988. "size": "0x00000000"
  989. },
  990. {
  991. "virtual_address": "0x00000000",
  992. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  993. "size": "0x00000000"
  994. }
  995. ],
  996. "exports": [],
  997. "guest_signers": {},
  998. "imphash": "f9828a7115467336fc1f5ae8124ddad0",
  999. "icon_fuzzy": null,
  1000. "icon": null,
  1001. "pdbpath": null,
  1002. "imported_dll_count": 7,
  1003. "versioninfo": []
  1004. }
  1005. }
  1006.  
  1007. [*] Resolved APIs: [
  1008. "kernel32.dll.FlsAlloc",
  1009. "kernel32.dll.FlsSetValue",
  1010. "kernel32.dll.FlsGetValue",
  1011. "kernel32.dll.LCMapStringEx",
  1012. "crypt32.dll.CryptUnprotectData",
  1013. "crtdll.dll.wcscmp",
  1014. "gdiplus.dll.GdiplusStartup",
  1015. "gdiplus.dll.GdiplusShutdown",
  1016. "gdiplus.dll.GdipCreateBitmapFromHBITMAP",
  1017. "gdiplus.dll.GdipGetImageEncodersSize",
  1018. "gdiplus.dll.GdipGetImageEncoders",
  1019. "gdiplus.dll.GdipDisposeImage",
  1020. "gdiplus.dll.GdipSaveImageToStream",
  1021. "ole32.dll.CreateStreamOnHGlobal",
  1022. "ole32.dll.GetHGlobalFromStream",
  1023. "kernel32.dll.ExpandEnvironmentStringsW",
  1024. "kernel32.dll.GetComputerNameW",
  1025. "kernel32.dll.GlobalMemoryStatus",
  1026. "kernel32.dll.CreateFileW",
  1027. "kernel32.dll.GetFileSize",
  1028. "kernel32.dll.CloseHandle",
  1029. "kernel32.dll.ReadFile",
  1030. "kernel32.dll.GetFileAttributesW",
  1031. "kernel32.dll.CreateMutexA",
  1032. "kernel32.dll.ReleaseMutex",
  1033. "kernel32.dll.GetLastError",
  1034. "kernel32.dll.GetCurrentDirectoryW",
  1035. "kernel32.dll.SetEnvironmentVariableW",
  1036. "kernel32.dll.GetEnvironmentVariableW",
  1037. "kernel32.dll.SetCurrentDirectoryW",
  1038. "kernel32.dll.FindFirstFileW",
  1039. "kernel32.dll.FindNextFileW",
  1040. "kernel32.dll.LocalFree",
  1041. "kernel32.dll.GetTickCount",
  1042. "kernel32.dll.CopyFileW",
  1043. "kernel32.dll.FindClose",
  1044. "kernel32.dll.GlobalMemoryStatusEx",
  1045. "kernel32.dll.CreateToolhelp32Snapshot",
  1046. "kernel32.dll.Process32FirstW",
  1047. "kernel32.dll.Process32NextW",
  1048. "kernel32.dll.GetModuleFileNameW",
  1049. "kernel32.dll.SetDllDirectoryW",
  1050. "kernel32.dll.GetLocaleInfoA",
  1051. "kernel32.dll.GetLocalTime",
  1052. "kernel32.dll.GetTimeZoneInformation",
  1053. "kernel32.dll.RemoveDirectoryW",
  1054. "kernel32.dll.DeleteFileW",
  1055. "kernel32.dll.GetLogicalDriveStringsA",
  1056. "kernel32.dll.GetDriveTypeA",
  1057. "kernel32.dll.CreateProcessW",
  1058. "advapi32.dll.GetUserNameW",
  1059. "advapi32.dll.RegCreateKeyExW",
  1060. "advapi32.dll.RegQueryValueExW",
  1061. "advapi32.dll.RegCloseKey",
  1062. "advapi32.dll.RegOpenKeyExW",
  1063. "advapi32.dll.AllocateAndInitializeSid",
  1064. "advapi32.dll.LookupAccountSidA",
  1065. "advapi32.dll.CreateProcessAsUserW",
  1066. "advapi32.dll.CheckTokenMembership",
  1067. "advapi32.dll.RegOpenKeyW",
  1068. "advapi32.dll.RegEnumKeyW",
  1069. "advapi32.dll.RegEnumValueW",
  1070. "advapi32.dll.CryptAcquireContextA",
  1071. "advapi32.dll.CryptCreateHash",
  1072. "advapi32.dll.CryptHashData",
  1073. "advapi32.dll.CryptGetHashParam",
  1074. "advapi32.dll.CryptDestroyHash",
  1075. "advapi32.dll.CryptReleaseContext",
  1076. "user32.dll.EnumDisplayDevicesW",
  1077. "user32.dll.wvsprintfA",
  1078. "user32.dll.GetKeyboardLayoutList",
  1079. "shell32.dll.ShellExecuteExW",
  1080. "ntdll.dll.RtlComputeCrc32",
  1081. "sechost.dll.LookupAccountSidLocalA",
  1082. "wininet.dll.InternetOpenA",
  1083. "wininet.dll.InternetConnectA",
  1084. "wininet.dll.HttpOpenRequestA",
  1085. "wininet.dll.HttpAddRequestHeadersA",
  1086. "wininet.dll.HttpSendRequestA",
  1087. "wininet.dll.InternetReadFile",
  1088. "wininet.dll.InternetCloseHandle",
  1089. "wininet.dll.InternetCrackUrlA",
  1090. "wininet.dll.InternetSetOptionA",
  1091. "rasapi32.dll.RasConnectionNotificationW",
  1092. "sechost.dll.NotifyServiceStatusChangeA",
  1093. "cryptbase.dll.SystemFunction036",
  1094. "wsock32.dll.WSAStartup",
  1095. "wsock32.dll.gethostbyname",
  1096. "wsock32.dll.socket",
  1097. "wsock32.dll.send",
  1098. "wsock32.dll.recv",
  1099. "wsock32.dll.htons",
  1100. "wsock32.dll.connect",
  1101. "wsock32.dll.closesocket",
  1102. "rpcrt4.dll.RpcBindingFree"
  1103. ]
  1104.  
  1105. [*] Static Analysis: {
  1106. "pe": {
  1107. "peid_signatures": null,
  1108. "imports": [
  1109. {
  1110. "imports": [
  1111. {
  1112. "name": "GetProcessHeap",
  1113. "address": "0x41c078"
  1114. },
  1115. {
  1116. "name": "FreeEnvironmentStringsW",
  1117. "address": "0x41c07c"
  1118. },
  1119. {
  1120. "name": "GetEnvironmentStringsW",
  1121. "address": "0x41c080"
  1122. },
  1123. {
  1124. "name": "GetCPInfo",
  1125. "address": "0x41c084"
  1126. },
  1127. {
  1128. "name": "GetOEMCP",
  1129. "address": "0x41c088"
  1130. },
  1131. {
  1132. "name": "IsValidCodePage",
  1133. "address": "0x41c08c"
  1134. },
  1135. {
  1136. "name": "GetConsoleCP",
  1137. "address": "0x41c090"
  1138. },
  1139. {
  1140. "name": "FindNextFileA",
  1141. "address": "0x41c094"
  1142. },
  1143. {
  1144. "name": "FindFirstFileExA",
  1145. "address": "0x41c098"
  1146. },
  1147. {
  1148. "name": "DecodePointer",
  1149. "address": "0x41c09c"
  1150. },
  1151. {
  1152. "name": "GetFileAttributesA",
  1153. "address": "0x41c0a0"
  1154. },
  1155. {
  1156. "name": "WriteConsoleW",
  1157. "address": "0x41c0a4"
  1158. },
  1159. {
  1160. "name": "HeapSize",
  1161. "address": "0x41c0a8"
  1162. },
  1163. {
  1164. "name": "HeapReAlloc",
  1165. "address": "0x41c0ac"
  1166. },
  1167. {
  1168. "name": "FlushFileBuffers",
  1169. "address": "0x41c0b0"
  1170. },
  1171. {
  1172. "name": "SetEndOfFile",
  1173. "address": "0x41c0b4"
  1174. },
  1175. {
  1176. "name": "ReadFile",
  1177. "address": "0x41c0b8"
  1178. },
  1179. {
  1180. "name": "LoadLibraryA",
  1181. "address": "0x41c0bc"
  1182. },
  1183. {
  1184. "name": "VirtualAlloc",
  1185. "address": "0x41c0c0"
  1186. },
  1187. {
  1188. "name": "VirtualFree",
  1189. "address": "0x41c0c4"
  1190. },
  1191. {
  1192. "name": "VirtualProtect",
  1193. "address": "0x41c0c8"
  1194. },
  1195. {
  1196. "name": "GetPrivateProfileStructA",
  1197. "address": "0x41c0cc"
  1198. },
  1199. {
  1200. "name": "GetEnvironmentVariableW",
  1201. "address": "0x41c0d0"
  1202. },
  1203. {
  1204. "name": "FindClose",
  1205. "address": "0x41c0d4"
  1206. },
  1207. {
  1208. "name": "GetConsoleAliasExesLengthW",
  1209. "address": "0x41c0d8"
  1210. },
  1211. {
  1212. "name": "SetComputerNameA",
  1213. "address": "0x41c0dc"
  1214. },
  1215. {
  1216. "name": "_hread",
  1217. "address": "0x41c0e0"
  1218. },
  1219. {
  1220. "name": "CopyFileExW",
  1221. "address": "0x41c0e4"
  1222. },
  1223. {
  1224. "name": "TlsFree",
  1225. "address": "0x41c0e8"
  1226. },
  1227. {
  1228. "name": "UnregisterWait",
  1229. "address": "0x41c0ec"
  1230. },
  1231. {
  1232. "name": "FillConsoleOutputCharacterW",
  1233. "address": "0x41c0f0"
  1234. },
  1235. {
  1236. "name": "SetConsoleTitleW",
  1237. "address": "0x41c0f4"
  1238. },
  1239. {
  1240. "name": "Process32First",
  1241. "address": "0x41c0f8"
  1242. },
  1243. {
  1244. "name": "RequestWakeupLatency",
  1245. "address": "0x41c0fc"
  1246. },
  1247. {
  1248. "name": "FindNextChangeNotification",
  1249. "address": "0x41c100"
  1250. },
  1251. {
  1252. "name": "SetLocaleInfoA",
  1253. "address": "0x41c104"
  1254. },
  1255. {
  1256. "name": "DisableThreadLibraryCalls",
  1257. "address": "0x41c108"
  1258. },
  1259. {
  1260. "name": "LCMapStringW",
  1261. "address": "0x41c10c"
  1262. },
  1263. {
  1264. "name": "CompareStringW",
  1265. "address": "0x41c110"
  1266. },
  1267. {
  1268. "name": "QueryPerformanceCounter",
  1269. "address": "0x41c114"
  1270. },
  1271. {
  1272. "name": "GetCurrentProcessId",
  1273. "address": "0x41c118"
  1274. },
  1275. {
  1276. "name": "GetCurrentThreadId",
  1277. "address": "0x41c11c"
  1278. },
  1279. {
  1280. "name": "GetSystemTimeAsFileTime",
  1281. "address": "0x41c120"
  1282. },
  1283. {
  1284. "name": "InitializeSListHead",
  1285. "address": "0x41c124"
  1286. },
  1287. {
  1288. "name": "IsDebuggerPresent",
  1289. "address": "0x41c128"
  1290. },
  1291. {
  1292. "name": "UnhandledExceptionFilter",
  1293. "address": "0x41c12c"
  1294. },
  1295. {
  1296. "name": "SetUnhandledExceptionFilter",
  1297. "address": "0x41c130"
  1298. },
  1299. {
  1300. "name": "GetStartupInfoW",
  1301. "address": "0x41c134"
  1302. },
  1303. {
  1304. "name": "IsProcessorFeaturePresent",
  1305. "address": "0x41c138"
  1306. },
  1307. {
  1308. "name": "GetModuleHandleW",
  1309. "address": "0x41c13c"
  1310. },
  1311. {
  1312. "name": "GetCurrentProcess",
  1313. "address": "0x41c140"
  1314. },
  1315. {
  1316. "name": "TerminateProcess",
  1317. "address": "0x41c144"
  1318. },
  1319. {
  1320. "name": "RtlUnwind",
  1321. "address": "0x41c148"
  1322. },
  1323. {
  1324. "name": "VirtualQuery",
  1325. "address": "0x41c14c"
  1326. },
  1327. {
  1328. "name": "GetLastError",
  1329. "address": "0x41c150"
  1330. },
  1331. {
  1332. "name": "SetLastError",
  1333. "address": "0x41c154"
  1334. },
  1335. {
  1336. "name": "EnterCriticalSection",
  1337. "address": "0x41c158"
  1338. },
  1339. {
  1340. "name": "LeaveCriticalSection",
  1341. "address": "0x41c15c"
  1342. },
  1343. {
  1344. "name": "DeleteCriticalSection",
  1345. "address": "0x41c160"
  1346. },
  1347. {
  1348. "name": "InitializeCriticalSectionAndSpinCount",
  1349. "address": "0x41c164"
  1350. },
  1351. {
  1352. "name": "TlsAlloc",
  1353. "address": "0x41c168"
  1354. },
  1355. {
  1356. "name": "TlsGetValue",
  1357. "address": "0x41c16c"
  1358. },
  1359. {
  1360. "name": "TlsSetValue",
  1361. "address": "0x41c170"
  1362. },
  1363. {
  1364. "name": "FreeLibrary",
  1365. "address": "0x41c174"
  1366. },
  1367. {
  1368. "name": "GetProcAddress",
  1369. "address": "0x41c178"
  1370. },
  1371. {
  1372. "name": "LoadLibraryExW",
  1373. "address": "0x41c17c"
  1374. },
  1375. {
  1376. "name": "SetEnvironmentVariableA",
  1377. "address": "0x41c180"
  1378. },
  1379. {
  1380. "name": "SetEnvironmentVariableW",
  1381. "address": "0x41c184"
  1382. },
  1383. {
  1384. "name": "SetCurrentDirectoryW",
  1385. "address": "0x41c188"
  1386. },
  1387. {
  1388. "name": "GetCurrentDirectoryW",
  1389. "address": "0x41c18c"
  1390. },
  1391. {
  1392. "name": "SetFilePointerEx",
  1393. "address": "0x41c190"
  1394. },
  1395. {
  1396. "name": "GetConsoleMode",
  1397. "address": "0x41c194"
  1398. },
  1399. {
  1400. "name": "ReadConsoleInputA",
  1401. "address": "0x41c198"
  1402. },
  1403. {
  1404. "name": "SetConsoleMode",
  1405. "address": "0x41c19c"
  1406. },
  1407. {
  1408. "name": "CloseHandle",
  1409. "address": "0x41c1a0"
  1410. },
  1411. {
  1412. "name": "WaitForSingleObject",
  1413. "address": "0x41c1a4"
  1414. },
  1415. {
  1416. "name": "GetExitCodeProcess",
  1417. "address": "0x41c1a8"
  1418. },
  1419. {
  1420. "name": "CreateProcessA",
  1421. "address": "0x41c1ac"
  1422. },
  1423. {
  1424. "name": "GetLocalTime",
  1425. "address": "0x41c1b0"
  1426. },
  1427. {
  1428. "name": "SetStdHandle",
  1429. "address": "0x41c1b4"
  1430. },
  1431. {
  1432. "name": "GetFileType",
  1433. "address": "0x41c1b8"
  1434. },
  1435. {
  1436. "name": "GetStdHandle",
  1437. "address": "0x41c1bc"
  1438. },
  1439. {
  1440. "name": "WriteFile",
  1441. "address": "0x41c1c0"
  1442. },
  1443. {
  1444. "name": "GetModuleFileNameA",
  1445. "address": "0x41c1c4"
  1446. },
  1447. {
  1448. "name": "MultiByteToWideChar",
  1449. "address": "0x41c1c8"
  1450. },
  1451. {
  1452. "name": "WideCharToMultiByte",
  1453. "address": "0x41c1cc"
  1454. },
  1455. {
  1456. "name": "ExitProcess",
  1457. "address": "0x41c1d0"
  1458. },
  1459. {
  1460. "name": "GetModuleHandleExW",
  1461. "address": "0x41c1d4"
  1462. },
  1463. {
  1464. "name": "GetCommandLineA",
  1465. "address": "0x41c1d8"
  1466. },
  1467. {
  1468. "name": "GetCommandLineW",
  1469. "address": "0x41c1dc"
  1470. },
  1471. {
  1472. "name": "GetACP",
  1473. "address": "0x41c1e0"
  1474. },
  1475. {
  1476. "name": "HeapFree",
  1477. "address": "0x41c1e4"
  1478. },
  1479. {
  1480. "name": "HeapAlloc",
  1481. "address": "0x41c1e8"
  1482. },
  1483. {
  1484. "name": "GetStringTypeW",
  1485. "address": "0x41c1ec"
  1486. },
  1487. {
  1488. "name": "RaiseException",
  1489. "address": "0x41c1f0"
  1490. },
  1491. {
  1492. "name": "CreateFileW",
  1493. "address": "0x41c1f4"
  1494. },
  1495. {
  1496. "name": "GetFileAttributesExW",
  1497. "address": "0x41c1f8"
  1498. },
  1499. {
  1500. "name": "ReadConsoleW",
  1501. "address": "0x41c1fc"
  1502. }
  1503. ],
  1504. "dll": "KERNEL32.dll"
  1505. },
  1506. {
  1507. "imports": [
  1508. {
  1509. "name": "GetUpdateRect",
  1510. "address": "0x41c204"
  1511. },
  1512. {
  1513. "name": "GetSystemMenu",
  1514. "address": "0x41c208"
  1515. },
  1516. {
  1517. "name": "SetMenuItemBitmaps",
  1518. "address": "0x41c20c"
  1519. },
  1520. {
  1521. "name": "MoveWindow",
  1522. "address": "0x41c210"
  1523. },
  1524. {
  1525. "name": "CallNextHookEx",
  1526. "address": "0x41c214"
  1527. },
  1528. {
  1529. "name": "SetProcessWindowStation",
  1530. "address": "0x41c218"
  1531. },
  1532. {
  1533. "name": "PostThreadMessageW",
  1534. "address": "0x41c21c"
  1535. },
  1536. {
  1537. "name": "GetTabbedTextExtentW",
  1538. "address": "0x41c220"
  1539. },
  1540. {
  1541. "name": "DeleteMenu",
  1542. "address": "0x41c224"
  1543. },
  1544. {
  1545. "name": "RealGetWindowClass",
  1546. "address": "0x41c228"
  1547. },
  1548. {
  1549. "name": "BroadcastSystemMessageW",
  1550. "address": "0x41c22c"
  1551. },
  1552. {
  1553. "name": "GetClassInfoExW",
  1554. "address": "0x41c230"
  1555. },
  1556. {
  1557. "name": "WINNLSEnableIME",
  1558. "address": "0x41c234"
  1559. },
  1560. {
  1561. "name": "SetWindowsHookA",
  1562. "address": "0x41c238"
  1563. },
  1564. {
  1565. "name": "WaitForInputIdle",
  1566. "address": "0x41c23c"
  1567. },
  1568. {
  1569. "name": "DdeDisconnect",
  1570. "address": "0x41c240"
  1571. },
  1572. {
  1573. "name": "FlashWindowEx",
  1574. "address": "0x41c244"
  1575. },
  1576. {
  1577. "name": "InSendMessage",
  1578. "address": "0x41c248"
  1579. },
  1580. {
  1581. "name": "GetNextDlgTabItem",
  1582. "address": "0x41c24c"
  1583. }
  1584. ],
  1585. "dll": "USER32.dll"
  1586. },
  1587. {
  1588. "imports": [
  1589. {
  1590. "name": "CreateFontIndirectExA",
  1591. "address": "0x41c038"
  1592. },
  1593. {
  1594. "name": "GetColorSpace",
  1595. "address": "0x41c03c"
  1596. },
  1597. {
  1598. "name": "UpdateColors",
  1599. "address": "0x41c040"
  1600. },
  1601. {
  1602. "name": "CreatePalette",
  1603. "address": "0x41c044"
  1604. },
  1605. {
  1606. "name": "EqualRgn",
  1607. "address": "0x41c048"
  1608. },
  1609. {
  1610. "name": "GetRgnBox",
  1611. "address": "0x41c04c"
  1612. },
  1613. {
  1614. "name": "SetPixel",
  1615. "address": "0x41c050"
  1616. },
  1617. {
  1618. "name": "RemoveFontResourceExW",
  1619. "address": "0x41c054"
  1620. },
  1621. {
  1622. "name": "GetTextFaceW",
  1623. "address": "0x41c058"
  1624. },
  1625. {
  1626. "name": "GetGraphicsMode",
  1627. "address": "0x41c05c"
  1628. },
  1629. {
  1630. "name": "SelectObject",
  1631. "address": "0x41c060"
  1632. },
  1633. {
  1634. "name": "GetGlyphOutlineA",
  1635. "address": "0x41c064"
  1636. },
  1637. {
  1638. "name": "SetWindowExtEx",
  1639. "address": "0x41c068"
  1640. },
  1641. {
  1642. "name": "GdiGetPageHandle",
  1643. "address": "0x41c06c"
  1644. },
  1645. {
  1646. "name": "GetFontLanguageInfo",
  1647. "address": "0x41c070"
  1648. }
  1649. ],
  1650. "dll": "GDI32.dll"
  1651. },
  1652. {
  1653. "imports": [
  1654. {
  1655. "name": "SetPrinterW",
  1656. "address": "0x41c254"
  1657. },
  1658. {
  1659. "name": "GetPrinterDataExW",
  1660. "address": "0x41c258"
  1661. },
  1662. {
  1663. "name": "EnumPortsW",
  1664. "address": "0x41c25c"
  1665. }
  1666. ],
  1667. "dll": "WINSPOOL.DRV"
  1668. },
  1669. {
  1670. "imports": [
  1671. {
  1672. "name": "GetOpenFileNameA",
  1673. "address": "0x41c030"
  1674. }
  1675. ],
  1676. "dll": "COMDLG32.dll"
  1677. },
  1678. {
  1679. "imports": [
  1680. {
  1681. "name": "LsaOpenTrustedDomain",
  1682. "address": "0x41c000"
  1683. },
  1684. {
  1685. "name": "AreAnyAccessesGranted",
  1686. "address": "0x41c004"
  1687. },
  1688. {
  1689. "name": "LsaLookupPrivilegeName",
  1690. "address": "0x41c008"
  1691. },
  1692. {
  1693. "name": "QueryServiceConfigA",
  1694. "address": "0x41c00c"
  1695. },
  1696. {
  1697. "name": "LookupAccountNameW",
  1698. "address": "0x41c010"
  1699. },
  1700. {
  1701. "name": "SystemFunction031",
  1702. "address": "0x41c014"
  1703. },
  1704. {
  1705. "name": "AllocateAndInitializeSid",
  1706. "address": "0x41c018"
  1707. },
  1708. {
  1709. "name": "RegSaveKeyA",
  1710. "address": "0x41c01c"
  1711. },
  1712. {
  1713. "name": "BuildExplicitAccessWithNameW",
  1714. "address": "0x41c020"
  1715. },
  1716. {
  1717. "name": "CryptEnumProvidersA",
  1718. "address": "0x41c024"
  1719. },
  1720. {
  1721. "name": "AddUsersToEncryptedFile",
  1722. "address": "0x41c028"
  1723. }
  1724. ],
  1725. "dll": "ADVAPI32.dll"
  1726. },
  1727. {
  1728. "imports": [
  1729. {
  1730. "name": "CLSIDFromString",
  1731. "address": "0x41c264"
  1732. },
  1733. {
  1734. "name": "HWND_UserUnmarshal",
  1735. "address": "0x41c268"
  1736. },
  1737. {
  1738. "name": "OleCreateFromData",
  1739. "address": "0x41c26c"
  1740. },
  1741. {
  1742. "name": "CoAddRefServerProcess",
  1743. "address": "0x41c270"
  1744. },
  1745. {
  1746. "name": "ReadClassStg",
  1747. "address": "0x41c274"
  1748. },
  1749. {
  1750. "name": "WriteClassStg",
  1751. "address": "0x41c278"
  1752. }
  1753. ],
  1754. "dll": "ole32.dll"
  1755. }
  1756. ],
  1757. "digital_signers": null,
  1758. "exported_dll_name": null,
  1759. "actual_checksum": "0x00079b31",
  1760. "overlay": null,
  1761. "imagebase": "0x00400000",
  1762. "reported_checksum": "0x00000000",
  1763. "icon_hash": null,
  1764. "entrypoint": "0x00403bf9",
  1765. "timestamp": "2019-06-11 13:23:14",
  1766. "osversion": "5.1",
  1767. "sections": [
  1768. {
  1769. "name": ".text",
  1770. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1771. "virtual_address": "0x00001000",
  1772. "size_of_data": "0x0001b000",
  1773. "entropy": "6.69",
  1774. "raw_address": "0x00000400",
  1775. "virtual_size": "0x0001af27",
  1776. "characteristics_raw": "0x60000020"
  1777. },
  1778. {
  1779. "name": ".rdata",
  1780. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1781. "virtual_address": "0x0001c000",
  1782. "size_of_data": "0x00008c00",
  1783. "entropy": "5.16",
  1784. "raw_address": "0x0001b400",
  1785. "virtual_size": "0x00008b96",
  1786. "characteristics_raw": "0x40000040"
  1787. },
  1788. {
  1789. "name": ".data",
  1790. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1791. "virtual_address": "0x00025000",
  1792. "size_of_data": "0x0000b800",
  1793. "entropy": "6.27",
  1794. "raw_address": "0x00024000",
  1795. "virtual_size": "0x0000c280",
  1796. "characteristics_raw": "0xc0000040"
  1797. },
  1798. {
  1799. "name": ".gfids",
  1800. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1801. "virtual_address": "0x00032000",
  1802. "size_of_data": "0x00000600",
  1803. "entropy": "2.89",
  1804. "raw_address": "0x0002f800",
  1805. "virtual_size": "0x000004b0",
  1806. "characteristics_raw": "0x40000040"
  1807. },
  1808. {
  1809. "name": ".rsrc",
  1810. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1811. "virtual_address": "0x00033000",
  1812. "size_of_data": "0x00038e00",
  1813. "entropy": "6.98",
  1814. "raw_address": "0x0002fe00",
  1815. "virtual_size": "0x00038cd5",
  1816. "characteristics_raw": "0x40000040"
  1817. },
  1818. {
  1819. "name": ".reloc",
  1820. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1821. "virtual_address": "0x0006c000",
  1822. "size_of_data": "0x00002400",
  1823. "entropy": "6.62",
  1824. "raw_address": "0x00068c00",
  1825. "virtual_size": "0x00002300",
  1826. "characteristics_raw": "0x42000040"
  1827. }
  1828. ],
  1829. "resources": [],
  1830. "dirents": [
  1831. {
  1832. "virtual_address": "0x00000000",
  1833. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1834. "size": "0x00000000"
  1835. },
  1836. {
  1837. "virtual_address": "0x00023c9c",
  1838. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1839. "size": "0x000000a0"
  1840. },
  1841. {
  1842. "virtual_address": "0x00033000",
  1843. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1844. "size": "0x00038cd5"
  1845. },
  1846. {
  1847. "virtual_address": "0x00000000",
  1848. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1849. "size": "0x00000000"
  1850. },
  1851. {
  1852. "virtual_address": "0x00000000",
  1853. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1854. "size": "0x00000000"
  1855. },
  1856. {
  1857. "virtual_address": "0x0006c000",
  1858. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1859. "size": "0x00002300"
  1860. },
  1861. {
  1862. "virtual_address": "0x00023410",
  1863. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1864. "size": "0x0000001c"
  1865. },
  1866. {
  1867. "virtual_address": "0x00000000",
  1868. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1869. "size": "0x00000000"
  1870. },
  1871. {
  1872. "virtual_address": "0x00000000",
  1873. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1874. "size": "0x00000000"
  1875. },
  1876. {
  1877. "virtual_address": "0x00000000",
  1878. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1879. "size": "0x00000000"
  1880. },
  1881. {
  1882. "virtual_address": "0x00023430",
  1883. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1884. "size": "0x00000040"
  1885. },
  1886. {
  1887. "virtual_address": "0x00000000",
  1888. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1889. "size": "0x00000000"
  1890. },
  1891. {
  1892. "virtual_address": "0x0001c000",
  1893. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1894. "size": "0x00000280"
  1895. },
  1896. {
  1897. "virtual_address": "0x00000000",
  1898. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1899. "size": "0x00000000"
  1900. },
  1901. {
  1902. "virtual_address": "0x00000000",
  1903. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1904. "size": "0x00000000"
  1905. },
  1906. {
  1907. "virtual_address": "0x00000000",
  1908. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1909. "size": "0x00000000"
  1910. }
  1911. ],
  1912. "exports": [],
  1913. "guest_signers": {},
  1914. "imphash": "f9828a7115467336fc1f5ae8124ddad0",
  1915. "icon_fuzzy": null,
  1916. "icon": null,
  1917. "pdbpath": null,
  1918. "imported_dll_count": 7,
  1919. "versioninfo": []
  1920. }
  1921. }